diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6) (1).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (7).png similarity index 100% rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6) (1).png rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (7).png diff --git a/.gitbook/assets/image (107) (2) (2) (1).png b/.gitbook/assets/image (107) (2) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (107) (2) (2) (1).png rename to .gitbook/assets/image (107) (2) (2) (2) (1).png diff --git a/.gitbook/assets/image (107) (2) (2).png b/.gitbook/assets/image (107) (2) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (107) (2) (2).png rename to .gitbook/assets/image (107) (2) (2) (2) (2).png diff --git a/.gitbook/assets/image (207).png b/.gitbook/assets/image (207) (2) (1).png similarity index 100% rename from .gitbook/assets/image (207).png rename to .gitbook/assets/image (207) (2) (1).png diff --git a/.gitbook/assets/image (227) (1).png b/.gitbook/assets/image (227) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (227) (1).png rename to .gitbook/assets/image (227) (1) (1) (1).png diff --git a/.gitbook/assets/image (25) (1).png b/.gitbook/assets/image (25) (2) (1).png similarity index 100% rename from .gitbook/assets/image (25) (1).png rename to .gitbook/assets/image (25) (2) (1).png 
diff --git a/.gitbook/assets/image (25) (2) (2).png b/.gitbook/assets/image (25) (2) (2).png new file mode 100644 index 000000000..007459da8 Binary files /dev/null and b/.gitbook/assets/image (25) (2) (2).png differ diff --git a/.gitbook/assets/image (25).png b/.gitbook/assets/image (25).png index 007459da8..ef6335c0b 100644 Binary files a/.gitbook/assets/image (25).png and b/.gitbook/assets/image (25).png differ diff --git a/.gitbook/assets/image (253).png b/.gitbook/assets/image (253) (1) (1).png similarity index 100% rename from .gitbook/assets/image (253).png rename to .gitbook/assets/image (253) (1) (1).png diff --git a/.gitbook/assets/image (254).png b/.gitbook/assets/image (254) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (254).png rename to .gitbook/assets/image (254) (1) (1) (1).png diff --git a/.gitbook/assets/image (345) (1).png b/.gitbook/assets/image (345) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (345) (1).png rename to .gitbook/assets/image (345) (2) (2) (2).png diff --git a/.gitbook/assets/image (61).png b/.gitbook/assets/image (61).png new file mode 100644 index 000000000..3637385a2 Binary files /dev/null and b/.gitbook/assets/image (61).png differ diff --git a/.gitbook/assets/image (67).png b/.gitbook/assets/image (67).png new file mode 100644 index 000000000..3637385a2 Binary files /dev/null and b/.gitbook/assets/image (67).png differ diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (73).png new file mode 100644 index 000000000..b240aa9d1 Binary files /dev/null and b/.gitbook/assets/image (73).png differ diff --git a/.gitbook/assets/image (95).png b/.gitbook/assets/image (95) (1) (1).png similarity index 100% rename from .gitbook/assets/image (95).png rename to .gitbook/assets/image (95) (1) (1).png diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md index 26c4322e9..d817c8317 100644 --- a/1911-pentesting-fox.md +++ b/1911-pentesting-fox.md 
@@ -10,7 +10,7 @@ dht udp "DHT Nodes" ![](.gitbook/assets/image%20%28182%29.png) -![](.gitbook/assets/image%20%28345%29%20%281%29.png) +![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29.png) InfluxDB diff --git a/SUMMARY.md b/SUMMARY.md index 1007e948f..eff60ce14 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -457,8 +457,9 @@ * [Pickle Rick](ctf-write-ups/try-hack-me/pickle-rick.md) * [1911 - Pentesting fox](1911-pentesting-fox.md) * [Online Platforms with API](online-platforms-with-api.md) -* [Phising Documents](phising-documents/README.md) +* [Phishing Methodology](phising-documents/README.md) * [Detecting Phising](phising-documents/detecting-phising.md) + * [Phishing Documents](phising-documents/phishing-documents.md) * [Reset/Forgoten Password Bypass](reset-password.md) * [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md) diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index 7a3322c49..7479cb639 100644 --- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md +++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n ![](../../../.gitbook/assets/image%20%28211%29.png) -![](../../../.gitbook/assets/image%20%28254%29.png) +![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29.png) Because you will be able to call them diff --git a/pentesting-web/formula-injection.md b/pentesting-web/formula-injection.md index b0c0c3fb7..0d931f804 100644 --- a/pentesting-web/formula-injection.md +++ b/pentesting-web/formula-injection.md 
@@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** -![](../.gitbook/assets/image%20%2825%29%20%281%29.png) +![](../.gitbook/assets/image%20%2825%29%20%282%29%20%281%29.png) diff --git a/pentesting/pentesting-imap.md b/pentesting/pentesting-imap.md index 17a704093..8fab28bfe 100644 --- a/pentesting/pentesting-imap.md +++ b/pentesting/pentesting-imap.md 
@@ -93,50 +93,58 @@ From [here](https://donsutherland.org/crib/imap) Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) is recommended for precise details. -1. Listing mailboxes (imap command `LIST "" "*"`) - ```sh - $ curl -k 'imaps://1.2.3.4/' --user user:pass - ``` -2. Listing messages in a mailbox (imap command `SELECT INBOX` and then `SEARCH ALL`) - ```sh - $ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass - ``` - The result of this search is a list of message indicies. - - Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body: - ```sh - $ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass - ``` - - A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/). -3. Downloading a message (imap command `SELECT Drafts` and then `FETCH 1 BODY[]`) - ```sh - $ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass - ``` - - The mail index will be the same index returned from the search operation. - +1. Listing mailboxes \(imap command `LIST "" "*"`\) -It is also possible to use `UID` (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g. -```sh + ```bash + $ curl -k 'imaps://1.2.3.4/' --user user:pass + ``` + +2. Listing messages in a mailbox \(imap command `SELECT INBOX` and then `SEARCH ALL`\) + + ```bash + $ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass + ``` + + The result of this search is a list of message indicies. + + Its also possible to provide more complex search terms. e.g. 
searching for drafts with password in mail body: + + ```bash + $ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass + ``` + + A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/). + +3. Downloading a message \(imap command `SELECT Drafts` and then `FETCH 1 BODY[]`\) + + ```bash + $ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass + ``` + + The mail index will be the same index returned from the search operation. + +It is also possible to use `UID` \(unique id\) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g. + +```bash $ curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass $ curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass ``` -Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the `-v` is required to see the subject and sender): -```sh +Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages \(the `-v` is required to see the subject and sender\): + +```bash $ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<' ``` Although, its probably cleaner to just write a little for loop: -``` + +```text for m in {1..5}; do echo $m curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass done ``` - ## Shodan * `port:143 CAPABILITY` diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md index 549537803..7f6434707 100644 --- a/pentesting/pentesting-web/wordpress.md +++ b/pentesting/pentesting-web/wordpress.md 
@@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t ``` -![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29.png) +![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29.png) ![](../../.gitbook/assets/image%20%28224%29.png) diff --git a/phising-documents/README.md b/phising-documents/README.md index 23d1bb0af..fc7266185 100644 --- a/phising-documents/README.md +++ b/phising-documents/README.md 
@@ -1,42 +1,4 @@ -# Phising Documents - -Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened. - -Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities. -For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution. -The same internals and mechanisms apply to all software of the Microsoft Office Suite \(Excel, PowerPoint etc.\). - -You can use the following command to check with extensions are going to be executed by some Office programs: - -```bash -assoc | findstr /i "word excel powerp" -``` - -DOCX files referencing a remote template \(File –Options –Add-ins –Manage: Templates –Go\) that includes macros can “execute” macros as well. - -### Word with external image - -Go to: _Insert --> Quick Parts --> Field_ -_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_ - -![](../.gitbook/assets/image%20%28347%29.png) - -### Macros Code - -```bash -Dim author As String -author = oWB.BuiltinDocumentProperties("Author") -With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-") - .StdIn.WriteLine author - .StdIn.WriteBlackLines 1 -``` - -## Autoload functions - -The more common they are, the more probable the AV will detect it. - -* AutoOpen\(\) -* Document\_Open\(\) +# Phishing Methodology ## Methodology 
@@ -82,7 +44,7 @@ The more common they are, the more probable the AV will detect it. * [https://dnstwister.report/](https://dnstwister.report/) * [https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/](https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/) -## GoPhish +## Configuring GoPhish ### Installation @@ -237,7 +199,7 @@ ss -l | grep "3333\|443" service gophish stop ``` -## SPAM filters bypass +## Configuring mail server and domain ### Wait @@ -331,6 +293,70 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke ​​You can request your domain/IP to be removed at [https://sender.office.com/](https://sender.office.com/). +## Create & Launch GoPhish Campaign + +### Sending Profile + +* Set some **name to identify** the sender profile +* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ +* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors + +![](../.gitbook/assets/image%20%2825%29.png) + +### Email Template + +* Set some **name to identify** the template +* Then write a **subject** \(nothing estrange, just something you could expect to read in a regular email\) +* Make sure you have checked "**Add Tracking Image**" +* Write the **email template** \(you can use variables like in the following example\): + +```markup + + + + + +

Dear {{.FirstName}} {{.LastName}},

+ +

As you may be aware, due to the large number of employees working from home, the "PLATFORM NAME" platform is being migrated to a new domain with an improved and more secure version. To finalize account migration, please use the following link to log into the new HR portal and move your account to the new site: "PLATFORM NAME" login portal
+
+Please Note: We require all users to move their accounts by 04/01/2021. Failure to confirm account migration may prevent you from logging into the application after the migration process is complete.
+
+Regards,

+ +WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY + +

{{.Tracker}}

+ + +``` + +Note that **in order to increase the credibility of the email**, it's recommended to use some signature from an email from the client. Suggestions: + +* Send an email to a **non existent address** and check if the response has any signature. +* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response. +* Try to contact **some valid discovered** email and wait for the response + +![](../.gitbook/assets/image%20%2861%29.png) + +### Landing Page + +* Write a **name** +* **Write the HTML code** of the web page. Note that you can **import** web pages. +* Mark **Capture Submitted Data** and **Capture Passwords** +* Set a **redirection** + +![](../.gitbook/assets/image%20%2873%29.png) + +{% hint style="info" %} +Usually you will need to modify the HTML code of the page and make some tests in local \(maybe using some Apache server\) **until you like the results.** Then, write that HTML code in the box. +Note that if you need to **use some static resources** for the HTML \(maybe some CSS and JS pages\) you can save them in _**/opt/gophish/static/endpoint**_ and then access them from _**/static/<filename>**_ +{% endhint %} + +{% hint style="info" %} +For the redirection you could **redirect the users to the legit main web page** of the victim, or redirect them to _/static/migration.html_ for example, put some **spinning wheel \(**[**https://loading.io/**](https://loading.io/)**\) for 5 seconds and then indicate that the process was successful**. +{% endhint %} + ## Detecting the detection Obviously one of the best ways to know if you have been busted is to **search your domain inside blacklists**. If it appears listed, somehow your domain was detected as suspicions. diff --git a/phising-documents/phishing-documents.md b/phising-documents/phishing-documents.md new file mode 100644 index 000000000..136e3bbc7 --- /dev/null +++ b/phising-documents/phishing-documents.md 
@@ -0,0 +1,40 @@ +# Phishing Documents + +Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened. + +Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities. +For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution. +The same internals and mechanisms apply to all software of the Microsoft Office Suite \(Excel, PowerPoint etc.\). + +You can use the following command to check with extensions are going to be executed by some Office programs: + +```bash +assoc | findstr /i "word excel powerp" +``` + +DOCX files referencing a remote template \(File –Options –Add-ins –Manage: Templates –Go\) that includes macros can “execute” macros as well. + +### Word with external image + +Go to: _Insert --> Quick Parts --> Field_ +_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_ + +![](../.gitbook/assets/image%20%28347%29.png) + +### Macros Code + +```bash +Dim author As String +author = oWB.BuiltinDocumentProperties("Author") +With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-") + .StdIn.WriteLine author + .StdIn.WriteBlackLines 1 +``` + +## Autoload functions + +The more common they are, the more probable the AV will detect it. + +* AutoOpen\(\) +* Document\_Open\(\) + diff --git a/reversing/cryptographic-algorithms/README.md b/reversing/cryptographic-algorithms/README.md index 850bfed4b..b2ec8d999 100644 --- a/reversing/cryptographic-algorithms/README.md +++ b/reversing/cryptographic-algorithms/README.md 
@@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha Note the use of more constants -![](../../.gitbook/assets/image%20%28253%29.png) +![](../../.gitbook/assets/image%20%28253%29%20%281%29.png) ## CRC \(hash\) @@ -177,7 +177,7 @@ A CRC hash algorithm looks like: The graph is quiet large: -![](../../.gitbook/assets/image%20%28207%29%20%282%29.png) +![](../../.gitbook/assets/image%20%28207%29%20%282%29%20%281%29.png) Check **3 comparisons to recognise it**: diff --git a/windows/active-directory-methodology/password-spraying.md b/windows/active-directory-methodology/password-spraying.md index 05d513615..0ff6566db 100644 --- a/windows/active-directory-methodology/password-spraying.md +++ b/windows/active-directory-methodology/password-spraying.md @@ -74,43 +74,41 @@ apt-get install spray spray -smb
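Review bot: in the asset block at the top of the patch, `.gitbook/assets/image (61).png` and `.gitbook/assets/image (67).png` are both added with the same blob (`index 000000000..3637385a2`), so one image is committed twice; keep a single file and point both referencing pages at it. The same block also replaces the content of `image (25).png` (`index 007459da8..ef6335c0b`) while re-adding the old content under `image (25) (2) (2).png`, and renames a dozen assets by appending more ` (2)`/` (1)` suffixes; descriptive filenames would stop every GitBook sync from churning the image links in the markdown hunks further down.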
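Review bot: in the `SUMMARY.md` hunk the title is corrected to `Phishing Methodology`, but the neighbouring context line `* [Detecting Phising](phising-documents/detecting-phising.md)` keeps the misspelling, and the new `Phishing Documents` page is added under the still-misspelled `phising-documents/` directory; fix the visible title now and plan the directory rename (together with every page that links into it) as a follow-up so the book does not carry both spellings. The context line `Reset/Forgoten Password Bypass` has the same kind of typo (`Forgotten`).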
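Review bot: in the `pentesting/pentesting-imap.md` hunk the closing for-loop block is re-fenced as ```text while every other block in the hunk is changed to ```bash; tag it `bash` too. That same loop uses `imap://1.2.3.4/INBOX;...` where all the other examples use `imaps://` with `-k`, so the `--user user:pass` credentials would cross the network in cleartext unless the server upgrades the session; either switch the loop to `imaps://` or state the assumption next to it. The text should also say that `-k` turns off certificate verification, and the context lines still read `indicies`, `Its also possible` and `conveniant` (`indices`, `It's`, `convenient`).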
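Review bot: in the `phising-documents/README.md` hunk the Email Template block (fenced ```markup) carries a hard-coded deadline `04/01/2021` and the `PLATFORM NAME` / `WRITE HERE SOME SIGNATURE` placeholders without the surrounding text saying they are sample values; the date in particular will read as stale, so label them as placeholders in the prose. The Landing Page hint gives `/opt/gophish/static/endpoint` and `/static/<filename>` but does not say this assumes the install location from the Installation section earlier in the file; a short cross-reference would help. Spelling in the added lines: `nothing estrange` (`strange`); in the context lines: `if you your domain is being blocke` (doubled `you`) and `detected as suspicions` (`suspicious`).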
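Review bot: in the new `phising-documents/phishing-documents.md` the `Macros Code` block is VBA but fenced ```bash, and the `assoc | findstr /i "word excel powerp"` block is a Windows `cmd.exe` command also fenced ```bash; tag them `vba` and `batch` (or `cmd`) so the highlighting and the shell the reader is expected to run them in match. The file is a verbatim move of the text deleted from `phising-documents/README.md` in this same commit, which is fine, but the typos move with it: `check with extensions` (`which`), `Filed names` (`Field names`), `Word files containing macros uses` (`use`); and the file ends with a stray empty `+` line after `Document\_Open\(\)`.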
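Review bot: the two `reversing/cryptographic-algorithms/README.md` hunks only update image paths, but the context line `The graph is quiet large:` should read `quite`; worth fixing while the file is already being touched.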