diff --git a/.gitbook/assets/image (15) (1) (1).png b/.gitbook/assets/image (15) (1) (1).png new file mode 100644 index 00000000..ec5a7ae1 Binary files /dev/null and b/.gitbook/assets/image (15) (1) (1).png differ diff --git a/.gitbook/assets/image (15) (1).png b/.gitbook/assets/image (15) (1).png index ec5a7ae1..fed36b16 100644 Binary files a/.gitbook/assets/image (15) (1).png and b/.gitbook/assets/image (15) (1).png differ diff --git a/.gitbook/assets/image (15).png b/.gitbook/assets/image (15).png index fed36b16..d5eb069f 100644 Binary files a/.gitbook/assets/image (15).png and b/.gitbook/assets/image (15).png differ diff --git a/.gitbook/assets/image (16) (1) (1).png b/.gitbook/assets/image (16) (1) (1).png new file mode 100644 index 00000000..05177f76 Binary files /dev/null and b/.gitbook/assets/image (16) (1) (1).png differ diff --git a/.gitbook/assets/image (16) (1).png b/.gitbook/assets/image (16) (1).png index 05177f76..b3a5bfb5 100644 Binary files a/.gitbook/assets/image (16) (1).png and b/.gitbook/assets/image (16) (1).png differ diff --git a/.gitbook/assets/image (16).png b/.gitbook/assets/image (16).png index b3a5bfb5..e8b6b213 100644 Binary files a/.gitbook/assets/image (16).png and b/.gitbook/assets/image (16).png differ diff --git a/.gitbook/assets/image (17) (2).png b/.gitbook/assets/image (17) (2).png new file mode 100644 index 00000000..af932159 Binary files /dev/null and b/.gitbook/assets/image (17) (2).png differ diff --git a/.gitbook/assets/image (17).png b/.gitbook/assets/image (17).png index af932159..feabde2d 100644 Binary files a/.gitbook/assets/image (17).png and b/.gitbook/assets/image (17).png differ diff --git a/.gitbook/assets/image (18) (1) (1).png b/.gitbook/assets/image (18) (1) (1).png new file mode 100644 index 00000000..c475e52f Binary files /dev/null and b/.gitbook/assets/image (18) (1) (1).png differ 
diff --git a/.gitbook/assets/image (18) (1).png b/.gitbook/assets/image (18) (1).png index c475e52f..69f6170c 100644 Binary files a/.gitbook/assets/image (18) (1).png and b/.gitbook/assets/image (18) (1).png differ diff --git a/.gitbook/assets/image (18).png b/.gitbook/assets/image (18).png index 69f6170c..3a9cc1bb 100644 Binary files a/.gitbook/assets/image (18).png and b/.gitbook/assets/image (18).png differ diff --git a/.gitbook/assets/image (19) (2).png b/.gitbook/assets/image (19) (2).png new file mode 100644 index 00000000..f8b43052 Binary files /dev/null and b/.gitbook/assets/image (19) (2).png differ diff --git a/.gitbook/assets/image (19).png b/.gitbook/assets/image (19).png index f8b43052..3305c860 100644 Binary files a/.gitbook/assets/image (19).png and b/.gitbook/assets/image (19).png differ diff --git a/.gitbook/assets/image (20) (1) (1).png b/.gitbook/assets/image (20) (1) (1).png new file mode 100644 index 00000000..ce5072c4 Binary files /dev/null and b/.gitbook/assets/image (20) (1) (1).png differ diff --git a/.gitbook/assets/image (20) (1).png b/.gitbook/assets/image (20) (1).png index ce5072c4..fc66de85 100644 Binary files a/.gitbook/assets/image (20) (1).png and b/.gitbook/assets/image (20) (1).png differ diff --git a/.gitbook/assets/image (20).png b/.gitbook/assets/image (20).png index fc66de85..e5d569d4 100644 Binary files a/.gitbook/assets/image (20).png and b/.gitbook/assets/image (20).png differ diff --git a/.gitbook/assets/image (21) (1) (1).png b/.gitbook/assets/image (21) (1) (1).png new file mode 100644 index 00000000..34081bf3 Binary files /dev/null and b/.gitbook/assets/image (21) (1) (1).png differ diff --git a/.gitbook/assets/image (21) (1).png b/.gitbook/assets/image (21) (1).png index 34081bf3..4b19a9ee 100644 Binary files a/.gitbook/assets/image (21) (1).png and b/.gitbook/assets/image (21) (1).png differ 
diff --git a/.gitbook/assets/image (21).png b/.gitbook/assets/image (21).png index 4b19a9ee..efd765a7 100644 Binary files a/.gitbook/assets/image (21).png and b/.gitbook/assets/image (21).png differ diff --git a/.gitbook/assets/image (22) (2).png b/.gitbook/assets/image (22) (2).png new file mode 100644 index 00000000..670ab5e8 Binary files /dev/null and b/.gitbook/assets/image (22) (2).png differ diff --git a/.gitbook/assets/image (22).png b/.gitbook/assets/image (22).png index 670ab5e8..af5dbbe3 100644 Binary files a/.gitbook/assets/image (22).png and b/.gitbook/assets/image (22).png differ diff --git a/.gitbook/assets/image (23) (2).png b/.gitbook/assets/image (23) (2).png new file mode 100644 index 00000000..95d6ba32 Binary files /dev/null and b/.gitbook/assets/image (23) (2).png differ diff --git a/.gitbook/assets/image (23).png b/.gitbook/assets/image (23).png index 95d6ba32..aa5ce323 100644 Binary files a/.gitbook/assets/image (23).png and b/.gitbook/assets/image (23).png differ diff --git a/.gitbook/assets/image (24) (1) (1).png b/.gitbook/assets/image (24) (1) (1).png new file mode 100644 index 00000000..db465b8e Binary files /dev/null and b/.gitbook/assets/image (24) (1) (1).png differ diff --git a/.gitbook/assets/image (24) (1).png b/.gitbook/assets/image (24) (1).png index db465b8e..aa73a32c 100644 Binary files a/.gitbook/assets/image (24) (1).png and b/.gitbook/assets/image (24) (1).png differ diff --git a/.gitbook/assets/image (24).png b/.gitbook/assets/image (24).png index aa73a32c..b2681ccd 100644 Binary files a/.gitbook/assets/image (24).png and b/.gitbook/assets/image (24).png differ diff --git a/.gitbook/assets/image (25) (1) (1).png b/.gitbook/assets/image (25) (1) (1).png new file mode 100644 index 00000000..60670289 Binary files /dev/null and b/.gitbook/assets/image (25) (1) (1).png differ 
diff --git a/.gitbook/assets/image (25) (1).png b/.gitbook/assets/image (25) (1).png index 60670289..0a10447b 100644 Binary files a/.gitbook/assets/image (25) (1).png and b/.gitbook/assets/image (25) (1).png differ diff --git a/.gitbook/assets/image (25).png b/.gitbook/assets/image (25).png index 0a10447b..181a968f 100644 Binary files a/.gitbook/assets/image (25).png and b/.gitbook/assets/image (25).png differ diff --git a/.gitbook/assets/image (26) (1) (1).png b/.gitbook/assets/image (26) (1) (1).png new file mode 100644 index 00000000..307f8dd5 Binary files /dev/null and b/.gitbook/assets/image (26) (1) (1).png differ diff --git a/.gitbook/assets/image (26) (1).png b/.gitbook/assets/image (26) (1).png index 307f8dd5..d6a565eb 100644 Binary files a/.gitbook/assets/image (26) (1).png and b/.gitbook/assets/image (26) (1).png differ diff --git a/.gitbook/assets/image (26).png b/.gitbook/assets/image (26).png index d6a565eb..47f41b21 100644 Binary files a/.gitbook/assets/image (26).png and b/.gitbook/assets/image (26).png differ diff --git a/.gitbook/assets/image (27) (1) (1).png b/.gitbook/assets/image (27) (1) (1).png new file mode 100644 index 00000000..12af266f Binary files /dev/null and b/.gitbook/assets/image (27) (1) (1).png differ diff --git a/.gitbook/assets/image (27) (1).png b/.gitbook/assets/image (27) (1).png index 12af266f..90ac6442 100644 Binary files a/.gitbook/assets/image (27) (1).png and b/.gitbook/assets/image (27) (1).png differ diff --git a/.gitbook/assets/image (27).png b/.gitbook/assets/image (27).png index 90ac6442..ffea8afb 100644 Binary files a/.gitbook/assets/image (27).png and b/.gitbook/assets/image (27).png differ diff --git a/.gitbook/assets/image (28) (1) (1).png b/.gitbook/assets/image (28) (1) (1).png new file mode 100644 index 00000000..d0d8fd1c Binary files /dev/null and b/.gitbook/assets/image (28) (1) (1).png differ 
diff --git a/.gitbook/assets/image (28) (1).png b/.gitbook/assets/image (28) (1).png index d0d8fd1c..4d56204f 100644 Binary files a/.gitbook/assets/image (28) (1).png and b/.gitbook/assets/image (28) (1).png differ diff --git a/.gitbook/assets/image (28).png b/.gitbook/assets/image (28).png index 4d56204f..22eebd98 100644 Binary files a/.gitbook/assets/image (28).png and b/.gitbook/assets/image (28).png differ diff --git a/.gitbook/assets/image (29) (1) (1).png b/.gitbook/assets/image (29) (1) (1).png new file mode 100644 index 00000000..d56598b8 Binary files /dev/null and b/.gitbook/assets/image (29) (1) (1).png differ diff --git a/.gitbook/assets/image (29) (1).png b/.gitbook/assets/image (29) (1).png index d56598b8..b817e181 100644 Binary files a/.gitbook/assets/image (29) (1).png and b/.gitbook/assets/image (29) (1).png differ diff --git a/.gitbook/assets/image (29).png b/.gitbook/assets/image (29).png index b817e181..44b67923 100644 Binary files a/.gitbook/assets/image (29).png and b/.gitbook/assets/image (29).png differ diff --git a/.gitbook/assets/image (30) (1) (1).png b/.gitbook/assets/image (30) (1) (1).png new file mode 100644 index 00000000..8eb90250 Binary files /dev/null and b/.gitbook/assets/image (30) (1) (1).png differ diff --git a/.gitbook/assets/image (30) (1).png b/.gitbook/assets/image (30) (1).png index 8eb90250..64b92862 100644 Binary files a/.gitbook/assets/image (30) (1).png and b/.gitbook/assets/image (30) (1).png differ diff --git a/.gitbook/assets/image (30).png b/.gitbook/assets/image (30).png index 64b92862..da989026 100644 Binary files a/.gitbook/assets/image (30).png and b/.gitbook/assets/image (30).png differ diff --git a/.gitbook/assets/image (37) (1).png b/.gitbook/assets/image (37) (1).png deleted file mode 100644 index 540b55ef..00000000 Binary files a/.gitbook/assets/image (37) (1).png and /dev/null differ 
diff --git a/.gitbook/assets/image (37).png b/.gitbook/assets/image (37).png index 22eebd98..540b55ef 100644 Binary files a/.gitbook/assets/image (37).png and b/.gitbook/assets/image (37).png differ diff --git a/.gitbook/assets/image (38) (1).png b/.gitbook/assets/image (38) (1).png deleted file mode 100644 index bcf09b80..00000000 Binary files a/.gitbook/assets/image (38) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (38).png b/.gitbook/assets/image (38).png index 181a968f..bcf09b80 100644 Binary files a/.gitbook/assets/image (38).png and b/.gitbook/assets/image (38).png differ diff --git a/.gitbook/assets/image (39) (1).png b/.gitbook/assets/image (39) (1).png deleted file mode 100644 index 32dd042d..00000000 Binary files a/.gitbook/assets/image (39) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (39).png b/.gitbook/assets/image (39).png index aa5ce323..32dd042d 100644 Binary files a/.gitbook/assets/image (39).png and b/.gitbook/assets/image (39).png differ diff --git a/.gitbook/assets/image (40) (1).png b/.gitbook/assets/image (40) (1).png deleted file mode 100644 index 53dd523e..00000000 Binary files a/.gitbook/assets/image (40) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (40).png b/.gitbook/assets/image (40).png index efd765a7..53dd523e 100644 Binary files a/.gitbook/assets/image (40).png and b/.gitbook/assets/image (40).png differ diff --git a/.gitbook/assets/image (41) (1).png b/.gitbook/assets/image (41) (1).png deleted file mode 100644 index 8e8243c5..00000000 Binary files a/.gitbook/assets/image (41) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (41).png b/.gitbook/assets/image (41).png index da989026..8e8243c5 100644 Binary files a/.gitbook/assets/image (41).png and b/.gitbook/assets/image (41).png differ 
diff --git a/.gitbook/assets/image (42) (1).png b/.gitbook/assets/image (42) (1).png deleted file mode 100644 index 84e0d10e..00000000 Binary files a/.gitbook/assets/image (42) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (42).png b/.gitbook/assets/image (42).png index e8b6b213..84e0d10e 100644 Binary files a/.gitbook/assets/image (42).png and b/.gitbook/assets/image (42).png differ diff --git a/.gitbook/assets/image (43) (1).png b/.gitbook/assets/image (43) (1).png deleted file mode 100644 index 379b82ca..00000000 Binary files a/.gitbook/assets/image (43) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (43).png b/.gitbook/assets/image (43).png index d5eb069f..379b82ca 100644 Binary files a/.gitbook/assets/image (43).png and b/.gitbook/assets/image (43).png differ diff --git a/.gitbook/assets/image (44) (1).png b/.gitbook/assets/image (44) (1).png deleted file mode 100644 index add6a58e..00000000 Binary files a/.gitbook/assets/image (44) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (44).png b/.gitbook/assets/image (44).png index 3305c860..add6a58e 100644 Binary files a/.gitbook/assets/image (44).png and b/.gitbook/assets/image (44).png differ diff --git a/.gitbook/assets/image (45) (1).png b/.gitbook/assets/image (45) (1).png deleted file mode 100644 index aaae701f..00000000 Binary files a/.gitbook/assets/image (45) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (45).png b/.gitbook/assets/image (45).png index 44b67923..aaae701f 100644 Binary files a/.gitbook/assets/image (45).png and b/.gitbook/assets/image (45).png differ diff --git a/.gitbook/assets/image (46) (1).png b/.gitbook/assets/image (46) (1).png deleted file mode 100644 index 9c2d7098..00000000 Binary files a/.gitbook/assets/image (46) (1).png and /dev/null differ 
diff --git a/.gitbook/assets/image (46).png b/.gitbook/assets/image (46).png index e5d569d4..9c2d7098 100644 Binary files a/.gitbook/assets/image (46).png and b/.gitbook/assets/image (46).png differ diff --git a/.gitbook/assets/image (47) (1).png b/.gitbook/assets/image (47) (1).png deleted file mode 100644 index 69f75519..00000000 Binary files a/.gitbook/assets/image (47) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (47).png b/.gitbook/assets/image (47).png index af5dbbe3..69f75519 100644 Binary files a/.gitbook/assets/image (47).png and b/.gitbook/assets/image (47).png differ diff --git a/.gitbook/assets/image (48) (1).png b/.gitbook/assets/image (48) (1).png deleted file mode 100644 index dbc5a377..00000000 Binary files a/.gitbook/assets/image (48) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (48).png b/.gitbook/assets/image (48).png index 47f41b21..dbc5a377 100644 Binary files a/.gitbook/assets/image (48).png and b/.gitbook/assets/image (48).png differ diff --git a/.gitbook/assets/image (49) (1).png b/.gitbook/assets/image (49) (1).png deleted file mode 100644 index c46cb0ac..00000000 Binary files a/.gitbook/assets/image (49) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (49).png b/.gitbook/assets/image (49).png index ffea8afb..c46cb0ac 100644 Binary files a/.gitbook/assets/image (49).png and b/.gitbook/assets/image (49).png differ diff --git a/.gitbook/assets/image (50) (1).png b/.gitbook/assets/image (50) (1).png deleted file mode 100644 index e4156b03..00000000 Binary files a/.gitbook/assets/image (50) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (50).png b/.gitbook/assets/image (50).png index feabde2d..e4156b03 100644 Binary files a/.gitbook/assets/image (50).png and b/.gitbook/assets/image (50).png differ 
diff --git a/.gitbook/assets/image (51) (1).png b/.gitbook/assets/image (51) (1).png deleted file mode 100644 index 9cc426fc..00000000 Binary files a/.gitbook/assets/image (51) (1).png and /dev/null differ diff --git a/.gitbook/assets/image (51).png b/.gitbook/assets/image (51).png index 3a9cc1bb..9cc426fc 100644 Binary files a/.gitbook/assets/image (51).png and b/.gitbook/assets/image (51).png differ diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md index 496cc977..d19ec147 100644 --- a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md +++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -56,13 +56,13 @@ Go to `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK` **File --> Attach** -![](<../.gitbook/assets/image (24) (1).png>) +![](<../.gitbook/assets/image (24) (1) (1).png>) **And press START button** ## **Send the exploit and check if EIP is affected:** -![](<../.gitbook/assets/image (25) (1).png>) +![](<../.gitbook/assets/image (25) (1) (1).png>) Every time you break the service you should restart it as is indicated in the beginnig of this page. @@ -70,7 +70,7 @@ Every time you break the service you should restart it as is indicated in the be The pattern should be as big as the buffer you used to broke the service previously. -![](<../.gitbook/assets/image (26) (1).png>) +![](<../.gitbook/assets/image (26) (1) (1).png>) ``` /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000 @@ -80,11 +80,11 @@ Change the buffer of the exploit and set the pattern and lauch the exploit. A new crash should appeard, but with a different EIP address: -![](<../.gitbook/assets/image (27) (1).png>) +![](<../.gitbook/assets/image (27) (1) (1).png>) Check if the address was in your pattern: -![](<../.gitbook/assets/image (28) (1).png>) +![](<../.gitbook/assets/image (28) (1) (1).png>) ``` /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438 @@ -100,9 +100,9 @@ buffer = 'A'*2606 + 'BBBB' + 'CCCC' With this buffer the EIP crashed should point to 42424242 ("BBBB") -![](<../.gitbook/assets/image (30) (1).png>) +![](<../.gitbook/assets/image (30) (1) (1).png>) -![](<../.gitbook/assets/image (29) (1).png>) +![](<../.gitbook/assets/image (29) (1) (1).png>) Looks like it is working. @@ -271,12 +271,12 @@ EXITFUNC=thread -e x86/shikata_ga_nai
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/generic-methodologies-and-resources/pentesting-network/README.md b/generic-methodologies-and-resources/pentesting-network/README.md index 2ed76d69..36b6e74b 100644 --- a/generic-methodologies-and-resources/pentesting-network/README.md +++ b/generic-methodologies-and-resources/pentesting-network/README.md @@ -335,7 +335,7 @@ I would like to point out that **Access/Desirable (0x03)** indicates that the DT By analyzing the STP frames, **we learn about the existence of VLAN 30 and VLAN 60.** -
+
#### Attacking specific VLANs @@ -438,7 +438,7 @@ yersinia -G #For graphic mode To erase the entire VLAN database, select the **deleting all VTP vlans** option -
+
### STP Attacks diff --git a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index 626439ce..1b86b91b 100644 --- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -18,7 +18,7 @@ **EIGRP (Enhanced Interior Gateway Routing Protocol)** is a dynamic routing protocol. **It is a distance-vector protocol.** **If there is no authentication and configuration of passive interfaces, an intruder can interfere with EIGRP routing and cause routing tables poisoning.** **Moreover, EIGRP network (in other words, autonomous system) is flat and has no segmentation into any zones.** What could this mean for an attacker? Well, if he injects a route, it is likely that this route will spread throughout the autonomous EIGRP system. -
+
First and foremost, attacking a standalone EIGRP system requires establishing a neighborhood with a legitimate EIGRP router, which opens up a lot of possibilities, from basic reconnaissance to various injections. @@ -35,7 +35,7 @@ For this I will use [**FRRouting**](https://frrouting.org/). This is an open-sou eigrpd=yes ``` -
+
After that, you need to correct the **vtysh.conf** file by adding a line responsible for saving the configuration to one file, so that configurations of different protocols are not scattered into different files **(e.g. eigrpd.conf, staticd.conf).** It is configurable optionally. @@ -88,7 +88,7 @@ EIGRP Neighborship with GW1 (10.10.100.100): EIGRP Neighborship with GW2 (10.10.100.200): -
+
During the establishment and maintenance of the neighborhood between EIGRP routers, routers exchange their routing information. After the neighborhood is established, new routes will appear in our routing table of the attacking system, namely: @@ -97,7 +97,7 @@ During the establishment and maintenance of the neighborhood between EIGRP route * **100.100.100.0/24 via 10.10.100.100;** * **172.16.100.0/24 via 10.10.100.200** -
+
Thus, after establishing the neighborhood, we know about the existence of these subnets, which makes it easier for us to pentest and save time. We can do without additional subnet scanning. Now we are in the EIGRP routing domain and we can develop some attack vectors. Let’s talk about them. @@ -117,13 +117,13 @@ Arguments of the script: ~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24 ``` -
+
### EIGRP Blackhole The essence of this attack is a simple injection of a false route that will poison the routing table. Traffic to, **say, the** `10.10.100.0/24` **network will go nowhere, causing a denial of service. Such an attack is called a Blackhole.** The script [**routeinject.py**](https://github.com/in9uz/EIGRPWN/blob/main/routeinject.py) \*\*\*\* will be the tool used to perform it. For this example, I will send traffic destined for host `172.16.100.140/32` to the black hole. -
+
Arguments of the script: @@ -137,7 +137,7 @@ Arguments of the script: ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 ``` -
+
**Our host seems to be in trouble :)** @@ -165,7 +165,7 @@ Script arguments:

Dump of traffic during a neighborhood disruption

-

GW1 router endlessly disconnects and reconnects EIGRP

+

GW1 router endlessly disconnects and reconnects EIGRP

**A DoS attack can be carried out in this way. During operation, endless breakups and neighborhood attempts occur, paralyzing part of the EIGRP routing domain.** @@ -189,7 +189,7 @@ After running the script, the routing table starts overflowing with routes. The

Routing table overflows on GW1 router

-

Overloaded router CPU

+

Overloaded router CPU

diff --git a/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md b/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md index be77d457..238bbdf6 100644 --- a/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md +++ b/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md @@ -16,7 +16,7 @@ Download the APK here: I am going to upload the APK to [https://appetize.io/](https://appetize.io) (free account) to see how the apk is behaving: -![](<../../.gitbook/assets/image (46) (1).png>) +![](<../../.gitbook/assets/image (46).png>) Looks like you need to win 1000000 times to get the flag. @@ -24,7 +24,7 @@ Following the steps from [pentesting Android](./) you can decompile the applicat Reading the java code: -![](<../../.gitbook/assets/image (47) (1).png>) +![](<../../.gitbook/assets/image (47).png>) It looks like the function that is going print the flag is **m().** @@ -44,13 +44,13 @@ to: if-eq v0, v9, :cond_2 ``` -![Before](<../../.gitbook/assets/image (48) (1).png>) +![Before](<../../.gitbook/assets/image (48).png>) -![After](<../../.gitbook/assets/image (49) (1).png>) +![After](<../../.gitbook/assets/image (49).png>) Follow the steps of [pentest Android](./) to recompile and sign the APK. Then, upload it to [https://appetize.io/](https://appetize.io) and lets see what happens: -![](<../../.gitbook/assets/image (50) (1).png>) +![](<../../.gitbook/assets/image (50).png>) Looks like the flag is written without being completely decrypted. Probably the m() function should be called 1000000 times. diff --git a/network-services-pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md index fd152d43..05bf03ee 100644 --- a/network-services-pentesting/113-pentesting-ident.md +++ b/network-services-pentesting/113-pentesting-ident.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -36,11 +36,11 @@ PORT STATE SERVICE If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing: -![](<../.gitbook/assets/image (15) (1).png>) +![](<../.gitbook/assets/image (15) (1) (1).png>) If you just press enter when you conenct to the service: -![](<../.gitbook/assets/image (16) (1).png>) +![](<../.gitbook/assets/image (16) (1) (1).png>) Other errors: @@ -87,10 +87,6 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum ) identd.conf - - - - ![](<../.gitbook/assets/image (9) (1) (2).png>) Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -121,12 +117,12 @@ Entry_2:
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/network-services-pentesting/49-pentesting-tacacs+.md b/network-services-pentesting/49-pentesting-tacacs+.md index f799f6b2..bdfbb646 100644 --- a/network-services-pentesting/49-pentesting-tacacs+.md +++ b/network-services-pentesting/49-pentesting-tacacs+.md @@ -51,17 +51,17 @@ Now we have to wait for an administrator to log into the device through the TACA Now click the **CRACK** button and wait for **Loki** to break the password. -
+
### Decrypt Traffic Great, we managed to unlock the key, now we need to decrypt the TACACS traffic. As I said, Wireshark can handle encrypted TACACS traffic if the key is present. -
+
We see which banner was used. -
+
We find the username of the user `admin` @@ -69,7 +69,7 @@ We find the username of the user `admin` As a result, **we have the `admin:secret1234` credentials,** which can be used to access the hardware itself. **I think I’ll check their validity.** -
+
This is how you can attack TACACS+ and **gain access** to the control panel of network equipment. diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index 26fce2b5..893f3c65 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md @@ -40,7 +40,7 @@ If `==` is used in PHP, then there are unexpected cases where the comparison doe PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php) -![](<../../../.gitbook/assets/image (40) (1).png>) +![](<../../../.gitbook/assets/image (40).png>) {% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %} diff --git a/network-services-pentesting/pentesting-web/put-method-webdav.md b/network-services-pentesting/pentesting-web/put-method-webdav.md index 68801d18..7ba047dd 100644 --- a/network-services-pentesting/pentesting-web/put-method-webdav.md +++ b/network-services-pentesting/pentesting-web/put-method-webdav.md @@ -10,13 +10,13 @@ Get Access Today:
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -80,7 +80,7 @@ This vulnerability is very interesting. The **WebDav** does **not allow** to **u Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** (cadaver will said that the move action didn't work, but it did). -![](<../../.gitbook/assets/image (18) (1).png>) +![](<../../.gitbook/assets/image (18) (1) (1).png>) ## Post credentials @@ -122,13 +122,13 @@ wget --user --ask-password http://domain/path/to/webdav/ -O - -q
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md index cbe686a7..2f309164 100644 --- a/network-services-pentesting/pentesting-web/wordpress.md +++ b/network-services-pentesting/pentesting-web/wordpress.md @@ -304,7 +304,7 @@ Appearance β†’ Theme Editor β†’ 404 Template (at the right) Change the content for a php shell: -![](<../../.gitbook/assets/image (21) (1).png>) +![](<../../.gitbook/assets/image (21) (1) (1).png>) Search in internet how can you access that updated page. In this case you have to access here: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) diff --git a/radio-hacking/pentesting-rfid.md b/radio-hacking/pentesting-rfid.md index b6aafdaf..6f1ecece 100644 --- a/radio-hacking/pentesting-rfid.md +++ b/radio-hacking/pentesting-rfid.md @@ -39,7 +39,7 @@ Most RFID **security controls** have mechanisms that **restrict** the **read** o ### Low & High frequency tags comparison -
+
## Low-Frequency RFID Tags (125kHz) @@ -74,7 +74,7 @@ It's usually found in bank cards, public transport, and other secure passes. **High-frequency 13.56 MHz tags are a set of standards and protocols**. They are usually referred to as [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/), but that's not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. High-level protocols, as well as alternative standards (like ISO 19092), are based upon it. Many people refer to this technology as **Near Field Communication (NFC)**, a term for devices operating over the 13.56 MHz frequency. -
+
To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented based on the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare. But on the lower level, Mifare cards are based on ISO 14443-A standard. diff --git a/todo/radio-hacking/flipper-zero/README.md b/todo/radio-hacking/flipper-zero/README.md index 2a5372ef..38dc418a 100644 --- a/todo/radio-hacking/flipper-zero/README.md +++ b/todo/radio-hacking/flipper-zero/README.md @@ -40,7 +40,7 @@ The **Read** option **listens on the configured frequency** on the indicated mod While Read is in use, it's possible to press the **left button** and **configure it**.\ At this moment it has **4 modulations** (AM270, AM650, FM328 and FM476), and **several relevant frequencies** stored: -
+
You can set **any that interests you**, however, if you are **not sure which frequency** could be the one used by the remote you have, **set Hopping to ON** (Off by default), and press the button several times until Flipper captures it and give you the info you need to set the frequency. diff --git a/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md b/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md index e7d034ae..d013cca1 100644 --- a/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md +++ b/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md @@ -37,13 +37,13 @@ Some times, when you get a card you will find the ID (or part) of it written in For example in this EM-Marin card in the physical card is possible to **read the last 3 of 5 bytes in clear**.\ The other 2 can be brute-forced if you cannot read them from the card. -
+
* **HID** Same happens in this HID card where only 2 out of 3 bytes can be found printed in the card -
+
### Emulate/Write diff --git a/todo/radio-hacking/flipper-zero/fz-ibutton.md b/todo/radio-hacking/flipper-zero/fz-ibutton.md index 55b32ff3..26d9c835 100644 --- a/todo/radio-hacking/flipper-zero/fz-ibutton.md +++ b/todo/radio-hacking/flipper-zero/fz-ibutton.md @@ -16,7 +16,7 @@ The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**. -
+
## Actions @@ -32,6 +32,16 @@ It's possible to **add manually** an iButton of type: **Dallas, Cyfral, and Meta It's possible to **emulate** saved iButtons (read or manually added). +{% hint style="info" %} +If you cannot make the expected contacts of the Flipper Zero touch the reader you can **use the external GPIO:** +{% endhint %} + +
+ +## References + +* [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/) +
πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ diff --git a/todo/radio-hacking/flipper-zero/fz-nfc.md b/todo/radio-hacking/flipper-zero/fz-nfc.md index 28a60f22..93013d78 100644 --- a/todo/radio-hacking/flipper-zero/fz-nfc.md +++ b/todo/radio-hacking/flipper-zero/fz-nfc.md @@ -59,7 +59,7 @@ Flipper Zero can **read NFC cards**, however, it **doesn't understand all the pr #### Reading the UID VS Reading the Data Inside -
+
In Flipper, reading 13.56 MHz tags can be divided into two parts: diff --git a/todo/radio-hacking/ibutton.md b/todo/radio-hacking/ibutton.md index b8bd545e..9c520fcd 100644 --- a/todo/radio-hacking/ibutton.md +++ b/todo/radio-hacking/ibutton.md @@ -16,17 +16,29 @@ iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a β€œmagnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside. -
+
### What is iButton? Usually, iButton implies the physical form of the key and reader - a round coin with two contacts. For the frame surrounding it, there are lots of variations from the most common plastic holder with a hole to rings, pendants, etc. -
+
When the key reaches the reader, the **contacts come to touch** and the key is powered to **transmit** its ID. Sometimes the key is **not read** immediately because the **contact PSD of an intercom is larger** than it should be. So the outer contours of the key and the reader couldn't touch. If that's the case, you'll have to press the key over one of the walls of the reader. -
+
+ +### **1-Wire protocol** + +Dallas keys exchange data using the 1-wire protocol. With only one contact for data transfer (!!) in both directions, from master to slave and vice versa. The 1-wire protocol works according to the Master-Slave model. In this topology, the Master always initiates communication and the Slave follows its instructions. + +When the key (Slave) contacts the intercom (Master), the chip inside the key turns on, powered by the intercom, and the key is initialized. Following that the intercom requests the key ID. Next, we will look up this process in more detail. + +Flipper can work both in Master and Slave modes. In the key reading mode, Flipper acts as a reader this is to say it works as a Master. And in the key emulation mode, the flipper pretends to be a key, it is in the Slave mode. + +### Dallas, Cyfral & Metakom keys + +For information about how these keys works check the page [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/) ### Attacks @@ -36,6 +48,10 @@ iButtons can be attacked with Flipper Zero: [fz-ibutton.md](flipper-zero/fz-ibutton.md) {% endcontent-ref %} +## References + +* [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/) +
πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ diff --git a/todo/radio-hacking/infrared.md b/todo/radio-hacking/infrared.md index c4436d9d..f225cfbd 100644 --- a/todo/radio-hacking/infrared.md +++ b/todo/radio-hacking/infrared.md @@ -32,19 +32,19 @@ IR protocols differ in 3 factors: Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant. -
+
**2. Pulse Width Encoding** Bits are encoded by modulation of the pulse width. The width of space after pulse burst is constant. -
+
**3. Phase Encoding** It is also known as Manchester encoding. The logical value is defined by the polarity of the transition between pulse burst and space. "Space to pulse burst" denotes logic "0", "pulse burst to space" denotes logic "1". -
+
**4. Combination of previous ones and other exotics** @@ -58,7 +58,7 @@ Manufacturers love to use their own unique IR protocols, even within the same ra The most reliable way to see how the remote IR signal looks like is to use an oscilloscope. It does not demodulate or invert the received signal, it is just displayed "as is". This is useful for testing and debugging. I will show the expected signal on the example of the NEC IR protocol. -
+
Usually, there is a preamble at the beginning of an encoded packet. This allows the receiver to determine the level of gain and background. There are also protocols without preamble, for example, Sharp. diff --git a/windows-hardening/windows-local-privilege-escalation/juicypotato.md b/windows-hardening/windows-local-privilege-escalation/juicypotato.md index bb15987f..416695ce 100644 --- a/windows-hardening/windows-local-privilege-escalation/juicypotato.md +++ b/windows-hardening/windows-local-privilege-escalation/juicypotato.md @@ -115,7 +115,7 @@ c:\Users\Public> ### Launch a new CMD (if you have RDP access) -![](<../../.gitbook/assets/image (37) (1).png>) +![](<../../.gitbook/assets/image (37).png>) ## CLSID Problems
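Review bot: in network-services-pentesting/pentesting-web/php-tricks-esp/README.md, hunk @@ -40,7 +40,7 @@, the figure reference moves from "image (40) (1).png" to "image (40).png", but neither asset is visible in the hunks shown here; confirm that .gitbook/assets/image (40).png exists after this commit and that it is the PHP loose-comparison table the surrounding text and the linked OWASP PDF describe, otherwise the figure renders blank.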
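Review bot: in network-services-pentesting/pentesting-web/put-method-webdav.md, hunk @@ -80,7 +80,7 @@, since this hunk already touches the paragraph, fix the typos in its context line: "An accessing that file through the web server, it will be **executed**" should read "When accessing that file through the web server, it will be **executed**", and "cadaver will said that the move action didn't work" should be "cadaver will say that the move action didn't work".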
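Review bot: in network-services-pentesting/pentesting-web/wordpress.md, hunk @@ -304,7 +304,7 @@, the context line "Search in internet how can you access that updated page" is ungrammatical; "Search the internet for how to access that updated page" reads correctly, and the example URL that follows already shows the expected wp-content/themes/<theme>/404.php location.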
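Review bot: in todo/radio-hacking/flipper-zero/fz-ibutton.md, hunk @@ -32,6 +32,16 @@, the new hint ends with a colon and leaves the actual instruction to the image that follows it, so a reader of the text alone (or of a PDF export) never learns which GPIO pins the reader's contacts are wired to. State the pin assignment and which contact is ground in the hint itself and let the figure illustrate it. Also "If you cannot make the expected contacts of the Flipper Zero touch the reader" is awkward; "If you cannot get the Flipper Zero's iButton contacts to touch the reader" is clearer.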
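Review bot: in todo/radio-hacking/ibutton.md, hunk @@ -16,17 +16,29 @@, the new 1-Wire paragraph promises detail it never delivers and has grammar problems. "Dallas keys exchange data using the 1-wire protocol. With only one contact for data transfer (!!) in both directions, from master to slave and vice versa." is a sentence fragment; fold it into one sentence, e.g. "Dallas keys exchange data using the 1-Wire protocol, which carries data in both directions (master to slave and back) over a single contact." "Next, we will look up this process in more detail." should be "look at", and the following paragraph jumps straight to Flipper's Master/Slave modes without ever describing the ID request, so either add that description or drop the sentence. "Flipper acts as a reader this is to say it works as a Master" needs a comma or full stop after "reader", and "how these keys works" should be "how these keys work".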
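Review bot: in todo/radio-hacking/ibutton.md, hunk @@ -36,6 +48,10 @@, the new References section contains only https://blog.flipperzero.one/taming-ibutton/, which the previous hunk already links inline under "Dallas, Cyfral & Metakom keys"; keep one of the two, or have that section point at the References entry instead of repeating the URL.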
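Review bot: in windows-hardening/windows-local-privilege-escalation/juicypotato.md, hunk @@ -115,7 +115,7 @@, the reference switches from "image (37) (1).png" to "image (37).png" but no change to either asset is visible in these hunks; verify that .gitbook/assets/image (37).png is present after the commit and still shows the "launch a new CMD" step the heading refers to, since GitBook silently renumbers duplicated assets and a stale name leaves a broken image.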