GitBook: [#3482] No subject

2024-11-24 21:53:54 +00:00 · 2022-09-12 13:16:59 +00:00 · 2022-09-12 13:16:59 +00:00 · c4351c27a4
commit c4351c27a4
parent 5db43fcda9
13 changed files with 51 additions and 16 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -10,7 +10,7 @@

 * [Pentesting Methodology](generic-methodologies-and-resources/pentesting-methodology.md)
 * [External Recon Methodology](generic-methodologies-and-resources/external-recon-methodology/README.md)
-  * [Github Leaked Secrets](generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md)
+  * [Github Dorks & Leaks](generic-methodologies-and-resources/external-recon-methodology/github-dorks-and-leaks.md)
 * [Pentesting Network](generic-methodologies-and-resources/pentesting-network/README.md)
  * [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
  * [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
--- a/exploiting/linux-exploiting-basic-esp/README.md
+++ b/exploiting/linux-exploiting-basic-esp/README.md
@ -401,7 +401,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**

 Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`

-![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)

 Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:

--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig

 In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)

-![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)
+![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)

 And then use the following code

--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@ -148,7 +148,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi

 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).

-![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
+![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (6).png>)

 ### USB Detective

--- a/generic-methodologies-and-resources/exfiltration.md
+++ b/generic-methodologies-and-resources/exfiltration.md
@ -14,7 +14,7 @@

 </details>

-<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (9).png" alt="" data-size="original">\
+<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

 {% embed url="https://go.intigriti.com/hacktricks" %}
@ -159,7 +159,7 @@ echo bye >> ftp.txt
 ftp -n -v -s:ftp.txt
 ```

-<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (9).png" alt="" data-size="original">\
+<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

 {% embed url="https://go.intigriti.com/hacktricks" %}
@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall

 * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)

-<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (9).png" alt="" data-size="original">\
+<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

 {% embed url="https://go.intigriti.com/hacktricks" %}
--- a/generic-methodologies-and-resources/external-recon-methodology/README.md
+++ b/generic-methodologies-and-resources/external-recon-methodology/README.md
@ -559,6 +559,41 @@ With the **domains,** **subdomains**, **** and **emails** you can start looking

 If you find **valid leaked** credentials, this is a very easy win.

+## Secrets Leaks
+
+Credential leaks are related to hacks of companies where **sensitive information was leaked and sold**. However, companies might be affected for **other leaks** whose info isn't in those databases:
+
+### Github Leaks
+
+Credentials and APIs might be leaked in the **public repositories** of the **company** or of the **users** working by that github company.\
+You can use the **tool** [**Leakos**](https://github.com/carlospolop/Leakos) to **download** all the **public repos** of an **organization** and of its **developers** and run [**gitleaks**](https://github.com/zricethezav/gitleaks) over them automatically.
+
+**Leakos** can also be used to run **gitleaks** agains all the **text** provided **URLs passed** to it as sometimes **web pages also contains secrets**.
+
+#### Github Dorks
+
+Check also this **page** for potential **github dorks** you could also search for in the organization you are attacking:
+
+{% content-ref url="github-dorks-and-leaks.md" %}
+[github-dorks-and-leaks.md](github-dorks-and-leaks.md)
+{% endcontent-ref %}
+
+### Pastes Leaks
+
+Sometimes attackers or just workers will **publish company content in a paste site**. This might or might not contain **sensitive information**, but it's very interesting to search for it.\
+You can use the tool [**Pastos**](https://github.com/carlospolop/Pastos) **** to search in more that 80 paste sites at the same time.
+
+### Google Dorks
+
+Old but gold google dorks are always useful to find **exposed information that shouldn't be there**. The only problem is that the [**google-hacking-database**](https://www.exploit-db.com/google-hacking-database) contains several **thousands** of possible queries that you cannot run manually. So, you can get your favourite 10 ones or you could use a **tool such as** [**Gorks**](https://github.com/carlospolop/Gorks) **to run them all**.
+
+_Note that the tools that expect to run all the database using the regular Google browser will never end as google will block you very very soon._
+
+__\
+__**Looking for vulnerabilities**
+
+If you find **valid leaked** credentials or API tokens, this is a very easy win.
+
 ## Recapitulation 1

 > Congratulations! At this point you have already perform **all the basic enumeration**. Yes, it's basic because a lot more enumeration can be done (will see more tricks later).
@ -577,8 +612,8 @@ Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not goin

 ### Github leaked secrets

-{% content-ref url="github-leaked-secrets.md" %}
-[github-leaked-secrets.md](github-leaked-secrets.md)
+{% content-ref url="github-dorks-and-leaks.md" %}
+[github-dorks-and-leaks.md](github-dorks-and-leaks.md)
 {% endcontent-ref %}

 You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth\_key)
--- a/generic-methodologies-and-resources/external-recon-methodology/github-dorks-and-leaks.md
+++ b/generic-methodologies-and-resources/external-recon-methodology/github-dorks-and-leaks.md
--- a/generic-methodologies-and-resources/phishing-methodology/README.md
+++ b/generic-methodologies-and-resources/phishing-methodology/README.md
@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
 * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
 * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors

-![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
+![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)

 {% hint style="info" %}
 It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.

-![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
+![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png>)

 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

--- a/network-services-pentesting/pentesting-web/iis-internet-information-services.md
+++ b/network-services-pentesting/pentesting-web/iis-internet-information-services.md
@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml

 If you see an error like the following one:

-![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (11).png>)
+![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)

 It means that the server **didn't receive the correct domain name** inside the Host header.\
 In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
--- a/pentesting-web/formula-doc-latex-injection.md
+++ b/pentesting-web/formula-doc-latex-injection.md
@ -55,7 +55,7 @@ The good news is that **this payload is executed automatically when the file is

 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**

-![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

 ### More

--- a/pentesting-web/saml-attacks/README.md
+++ b/pentesting-web/saml-attacks/README.md
@ -22,7 +22,7 @@

 ## Attacks Graphic

-![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
+![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png>)

 ## Tool

--- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@ -473,7 +473,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w

 First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).

-<figure><img src="../../../.gitbook/assets/image (13) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (3).png" alt=""><figcaption></figcaption></figure>

 Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.

@ -522,7 +522,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w

 First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).

-<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (3).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (4).png" alt=""><figcaption></figcaption></figure>

 Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.