GitBook: [master] 5 pages modified

This commit is contained in:
CPol 2021-04-22 13:58:44 +00:00 committed by gitbook-bot
parent 10e1d60134
commit da8c34e952
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
5 changed files with 64 additions and 39 deletions

View File

@ -208,6 +208,11 @@ Or you could use a **physical** **device** \(you need to activate the debugging
Often Developers leave debugging information publicly. So any application with `READ_LOGS` permission can **access those logs** and can gain sensitive information through that.
While navigating through the application use [**pidcat**](https://github.com/JakeWharton/pidcat)_\(Recommended, it's easier to use and read_\) or [adb logcat](adb-commands.md#logcat) to read the created logs and **look for sensitive information**.
{% hint style="warning" %}
Note that from l**ater versions that Android 4.0**, **applications are only able to access their own logs**. So applications cannot access other apps logs.
Anyway, it's still recommended to **not log sensitive information**.
{% endhint %}
**Copy/Paste Buffer Caching**
Android provides **clipboard-based** framework to provide copy-paste function in android applications. But this creates serious issue when some **other application** can **access** the **clipboard** which contain some sensitive data. **Copy/Paste** function should be **disabled** for **sensitive part** of the application. For example, disable copying credit card details.
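Review bot: the bold opener in the warning is placed inside a word ("Note that from l**ater versions that Android 4.0**") and the comparison word is wrong; it should read "from **later versions than Android 4.0**", with the apostrophe in "other apps' logs". In the clipboard paragraph added below it, "provides **clipboard-based** framework" and "this creates serious issue" are missing articles ("a clipboard-based framework", "a serious issue"), and "the clipboard which contain some sensitive data" should be "contains".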

View File

@ -1,5 +1,15 @@
# ADB Commands
**Adb is usually located in:**
```bash
#Windows
C:\Users\<username>\AppData\Local\Android\sdk\platform-tools\adb.exe
#MacOS
/Users/<username>/Library/Android/sdk/platform-tools/adb
```
**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com/)\*\*\*\*
## Connection
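Review bot: the "Information obtained from:" line ends in four escaped asterisks (`\*\*\*\*`), an empty-bold artifact of the GitBook round-trip that renders as literal asterisks after the link; delete them rather than escape them.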
@ -195,6 +205,19 @@ Execute a command inside the device
adb shell ls
```
### pm
The following commands are executed inside of a shell
```bash
pm list packages #List installed packages
pm path <package name> #Get the path to the apk file of tha package
am start [<options>] #Start an activity. Whiout options you can see the help menu
am startservice [<options>] #Start a service. Whiout options you can see the help menu
am broadcast [<options>] #Send a broadcast. Whiout options you can see the help menu
input [text|keyevent] #Send keystrokes to device
```
## Processes
If you want to get the PID of the process of your application you can execute:
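Review bot: the "### pm" heading only describes the first two lines of the new block; the block also documents "am start", "am startservice", "am broadcast" and "input", so the heading or the sentence under it should say it covers the pm, am and input tools. Typos in the comments: "tha package" should be "the package", and "Whiout" appears three times for "Without". "executed inside of a shell" reads better as "executed inside an adb shell", since "adb shell" is what the preceding context opens.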

View File

@ -4,10 +4,9 @@
The CORS \(Cross-origin resource sharing\) standard is needed because it **allows servers to specify who can access its assets** and which **HTTP request methods are allowed** from external resources.
In a **same-origin** policy, is needed that both the **server requesting** a resource and the server where the **resource** is located uses the same protocol \(http://\),domain name \(internal-web.com\) and the same **port** \(80\). Then, if the server forces the same-origin policy, only web pages from the same domain and port will be able to access the resources.
In a **same-origin** policy, is needed that both the **server requesting** a resource and the server where the **resource** is located uses the same protocol \([http://\),domain](http://%29,domain) name \(internal-web.com\) and the same **port** \(80\). Then, if the server forces the same-origin policy, only web pages from the same domain and port will be able to access the resources.
The following table shows how the same-origin policy will be applied in `http://normal-website.com/example/example.html`
:
The following table shows how the same-origin policy will be applied in `http://normal-website.com/example/example.html` :
| URL accessed | Access permitted? |
| :--- | :--- |
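Review bot: the rewritten same-origin sentence introduces a broken autolink, `\([http://\),domain](http://%29,domain)`: the "(http://)," fragment has been turned into a markdown link whose target is "http://%29,domain", so the rendered page now points at a nonsense URL. Restore the plain text "(http://), domain name (internal-web.com)". The sentence itself also needs "is needed that both ... uses the same protocol" changed to "it is required that both ... use the same protocol". Merging the orphan ":" back onto the "The following table shows ..." line is right, but there should be no space before the colon.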
@ -110,7 +109,7 @@ In other cases, the developer could check that the **domain** \(_victimdomain.co
### The `null` Origin
`null` is a special value for the **Origin** header. The specification mentions it being triggered by redirects, and local HTML files. Some applications might whitelist the `null` origin to support local development of the application.
`null` is a special value for the **Origin** header. The specification mentions it being triggered by redirects, and local HTML files. Some applications might whitelist the `null` origin to support local development of the application.
This is nice because **several application will allow this value** inside the CORS and any **website can easily obtain the null origin using a sandboxed iframe**:
```markup
@ -125,7 +124,7 @@ If you found the domain _victim.com_ to be **whitelisted** you should check if _
Most of the regex used to identify the domain inside the string will focus on alphanumeric ASCII characters and `.-` . Then, something like `victimdomain.com{.attacker.com` inside the Origin header will be interpreted by the regexp as if the domain was `victimdomain.com` but the browser \(in this case Safari supports this character in the domain\) will access the domain`attacker.com` .
The `_` character \(in subdomains\) is not only supported in Safari, but also in Chrome and Firefox!
The `_` character \(in subdomains\) is not only supported in Safari, but also in Chrome and Firefox!
**Then, using one of those subdomains you could bypass some "common" regexps to find the main domain of a URL.**
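Review bot: the worked example on the "Most of the regex ..." line uses `{` ("victimdomain.com{.attacker.com"), while the next sentence generalises about "The `_` character", so the reader cannot tell which character the Safari remark and the Chrome/Firefox remark refer to; name the character discussed in the example line, or state explicitly that `_` is a second example with the same effect. Also "the domain`attacker.com`" is missing a space before the inline code.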
@ -144,7 +143,7 @@ if ($_SERVER['HTTP_HOST'] == '*.requester.com')
{
//Access data
else{ // unauthorized access}
}
}
```
Assuming that a user has access to sub.requester.com but not requester.com, and assuming that `sub.requester.com` is vulnerable to XSS. The user can exploit `provider.com` by using cross-site scripting attack method.
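Review bot: the PHP snippet still does not parse after the brace move: the `else` sits inside the `if` block, and the comment `// unauthorized access}` swallows its closing brace, so the braces are unbalanced. The intended shape is `if (...) { // Access data } else { // unauthorized access }` with each comment on its own line so it cannot eat a brace. Two further points the example should make clear: a literal equality against `'*.requester.com'` never matches a real header value (a naive subdomain check would be a suffix or regex match, which is the weakness the paragraph describes), and for a CORS origin check the header consulted is `HTTP_ORIGIN`, not `HTTP_HOST`. The sentence "Assuming that a user has access to sub.requester.com ... is vulnerable to XSS." is a fragment; join it to the sentence that follows.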
@ -153,29 +152,29 @@ Assuming that a user has access to sub.requester.com but not requester.com, and
If the stars are aligned we may be able to use server-side cache poisoning via HTTP header injection to create a [stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored) vulnerability.
If an application **reflects** the **Origin header** without even checking it for illegal characters like **\r**, we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r \(0x0d\) as a valid HTTP header terminator**:`GET / HTTP/1.1
If an application **reflects** the **Origin header** without even checking it for illegal characters like **\r**, we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r \(0x0d\) as a valid HTTP header terminator**:`GET / HTTP/1.1
Origin: z[0x0d]Content-Type: text/html; charset=UTF-7`
Internet Explorer sees the response as:
`HTTP/1.1 200 OK
Access-Control-Allow-Origin: z
`HTTP/1.1 200 OK
Access-Control-Allow-Origin: z
Content-Type: text/html; charset=UTF-7`
This isn't directly exploitable because there's no way for an attacker to make someone's web browser send such a malformed header, but I can **manually craft this request in Burp Suite and a server-side cache may save the response and serve it to other people**. The payload I've used will change the page's character set to **UTF-7**, which is notoriously useful for creating XSS vulnerabilities.
### **Client-Side cache poisoning**
You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:`GET / HTTP/1.1
You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:\`GET / HTTP/1.1
Host: example.com
X-User-id: <svg/onload=alert(1)>
X-User-id: &lt;svg/onload=alert\(1\)&gt;
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: \*
Access-Control-Allow-Headers: X-User-id
Content-Type: text/html
...
Invalid user: <svg/onload=alert(1)>`
Invalid user: &lt;svg/onload=alert\(1\)&gt;\`
With CORS, we can send any value in the Header. By itself, **that's useless** since the response containing our **injected JavaScript won't be rendered**. However, **if Vary: Origin hasn't been specified** the response **may be stored in the browser's cache and displayed directly when the browser navigates to the associated URL**. I've made a fiddle to [attempt this attack on a URL of your choice](https://jsfiddle.net/3gk8u8wu/3/). Since this attack uses client-side caching, it's actually quite reliable.
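Review bot: the new versions of both HTTP examples escape the inline-code backticks (`\``) and HTML-encode the payload (`&lt;svg/onload=alert\(1\)&gt;`, `\*`), so the exchanges no longer render as code and the reader sees literal backslashes and entities. Multi-line HTTP messages do not belong in an inline code span in the first place; put each request/response pair in its own fenced block, as the rest of the page does for commands, and keep the raw `<svg/onload=alert(1)>` and `*` inside it. The same applies to the restructured "HTTP/1.1 200 OK / Access-Control-Allow-Origin: z" response, where the duplicated opening lines show that the inline span was split across paragraphs.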
@ -228,7 +227,7 @@ Proxying is kinda like “passing on" your request, exactly as you sent it. We c
Basically you make the **victim access your page**, then you change the **DNS of your domain \(the IP\)** and make it **points** to your **victims web page**. You make your **victim execute** \(**JS**\) something when the **TLS is** **over** so a new DNS request will be made and then you will be able to gather the information \(as you will always mantains **the user in your domain**, he won't send **any cookie** to the victim server, so this options abuses the speciall privileges of the IP of the victim\).
Also, I don't know why this attack plays with the TLS of the DNS instead of just having a subdomain always pointing to the victims IP.
Also, I don't know why this attack plays with the TLS of the DNS instead of just having a subdomain always pointing to the victims IP.
## **Tools**
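Review bot: "TLS" in "when the TLS is over" and "the TLS of the DNS" should be "TTL": the paragraph describes waiting for the DNS record to expire so the browser performs a new lookup, which is the record's time-to-live, not TLS. Spelling in the same paragraph: "mantains" should be "maintains", "speciall" should be "special", "make it points" should be "make it point", and "victims web page" / "victims IP" want the apostrophe ("victim's").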
@ -241,19 +240,19 @@ Also, I don't know why this attack plays with the TLS of the DNS instead of just
## References
{% embed url="https://portswigger.net/web-security/cors" %}
{% embed url="https://portswigger.net/web-security/cors" caption="" %}
{% embed url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers\#CORS" %}
{% embed url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers\#CORS" caption="" %}
{% embed url="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties" %}
{% embed url="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties" caption="" %}
{% embed url="https://www.codecademy.com/articles/what-is-cors" %}
{% embed url="https://www.codecademy.com/articles/what-is-cors" caption="" %}
{% embed url="https://www.we45.com/blog/3-ways-to-exploit-misconfigured-cross-origin-resource-sharing-cors" %}
{% embed url="https://www.we45.com/blog/3-ways-to-exploit-misconfigured-cross-origin-resource-sharing-cors" caption="" %}
{% embed url="https://medium.com/netscape/hacking-it-out-when-cors-wont-let-you-be-great-35f6206cc646" %}
{% embed url="https://medium.com/netscape/hacking-it-out-when-cors-wont-let-you-be-great-35f6206cc646" caption="" %}
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration" %}
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration" caption="" %}
{% embed url="https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b" %}
{% embed url="https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b" caption="" %}

View File

@ -68,17 +68,15 @@ _Note that from the mentioned options all except of **`tcp_dcerpc_auditor`** can
### Identifying IP addresses
Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), comes from [Airbus research](https://airbus-cyber-security.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) is possible to abuse the _**ServerAlive2**_ method inside the _**IOXIDResolver**_ interface.
This method has been used to get interface information as **IPv6** address from the HTB box *APT*. See [here](https://0xdf.gitlab.io/2021/04/10/htb-apt.html) for 0xdf APT writeup, it includes an alternative method using rpcmap.py from [Impacket](https://github.com/SecureAuthCorp/impacket/) with *stringbinding* (see above).
Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), comes from [Airbus research](https://airbus-cyber-security.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) is possible to abuse the _**ServerAlive2**_ method inside the _**IOXIDResolver**_ interface.
This method has been used to get interface information as **IPv6** address from the HTB box _APT_. See [here](https://0xdf.gitlab.io/2021/04/10/htb-apt.html) for 0xdf APT writeup, it includes an alternative method using rpcmap.py from [Impacket](https://github.com/SecureAuthCorp/impacket/) with _stringbinding_ \(see above\).
References:
* [https://airbus-cyber-security.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://airbus-cyber-security.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
* [https://airbus-cyber-security.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://airbus-cyber-security.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
## Port 593
The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
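Review bot: the sentence "Using [IOXIDResolver], comes from Airbus research is possible to abuse ..." has no subject or main verb; suggest "Using IOXIDResolver, which comes from the Airbus research, it is possible to abuse the ServerAlive2 method of the IOXIDResolver interface". On the next line, "get interface information as IPv6 address" should be "obtain interface information such as the IPv6 address", and "for 0xdf APT writeup, it includes" should be "for 0xdf's APT write-up, which includes".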

View File

@ -1,7 +1,7 @@
# 80,443 - Pentesting Web Methodology
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks) **that will be reflected in this book.
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\), or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)**\[**@carlospolopm**\]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**\)**.
**If you want to** share some tricks with the community **you can also submit** pull requests **to \[**[https://github.com/carlospolop/hacktricks\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks]%28https://github.com/carlospolop/hacktricks)\]%28[https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks)\) **that will be reflected in this book.
Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
## Basic Info
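Review bot: the rewritten header breaks both markdown links. `**\*\*\[**PEASS & HackTricks telegram group here**\]\(**[https://t.me/peass](https://t.me/peass)**\)` renders the Telegram link as literal brackets and escaped asterisks, and the pull-request line now nests `https://github.com/carlospolop/hacktricks\]\(https://github.com/carlospolop/hacktricks` inside a link whose target contains `%28`, so the URL is wrong. Restore the simple forms from the removed lines, `[**PEASS & HackTricks telegram group here**](https://t.me/peass)` and `[https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks)`. The "Don't forget to** give ⭐" line carries a stray closing `**` left over from the split bold span.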
@ -124,7 +124,7 @@ whatweb -a 4 <URL>
wapiti -u <URL>
W3af
zarpxy #You can use an API
nuclei -t nuclei-templates
nuclei -t nuclei-templates
```
### CMS scanners
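Review bot: "zarpxy" in the scanner list looks like a typo for "zaproxy", the OWASP ZAP command-line name; the nuclei line in this hunk changes only in whitespace.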
@ -187,7 +187,7 @@ Information about SSL/TLS vulnerabilities:
Launch some kind of **spider** inside the web. The goal of the spider is to **find as much paths as possible** from the tested application. Therefore, web crawling and external sources should be used to find as much valid paths as possible.
* [**gospider**](https://github.com/jaeles-project/gospider) \(go\): ****HTML spider, LinkFinder in JS files and external sources \(Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com\).
* [**gospider**](https://github.com/jaeles-project/gospider) \(go\): _\*\*_HTML spider, LinkFinder in JS files and external sources \(Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com\).
* [**hakrawler**](https://github.com/hakluke/hakrawler) \(go\): HML spider, with LinkFider for JS files and Archive.org as external source.
* [**dirhunt**](https://github.com/Nekmo/dirhunt) \(python\): HTML spider, also indicates "juicy files".
* [**evine** ](https://github.com/saeeddhqan/evine)\(go\): Interactive CLI HTML spider. It also searches in Archive.org
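Review bot: the gospider line replaces the empty bold `****` with `_\*\*_`, which renders as italicised literal asterisks; the fix is to delete the empty span altogether, leaving "(go): HTML spider, ...". In the context lines, the hakrawler entry has two typos ("HML spider", "LinkFider"), and "find as much paths as possible" should be "as many paths as possible" both times it occurs in the intro sentence.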
@ -196,9 +196,9 @@ Launch some kind of **spider** inside the web. The goal of the spider is to **fi
* [**gau**](https://github.com/lc/gau) go\): HTML spider that uses external providers \(wayback, otx, commoncrawl\)
* [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): This script will find URLs with parameter and will list them.
* [**galer**](https://github.com/dwisiswant0/galer) \(go\): HTML spider with JS rendering capabilities.
* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) ****\(python\): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to [**JSScanner**](https://github.com/dark-warlord14/JSScanner), which is a wrapper of LinkFinder.
* [**JSParser**](https://github.com/nahamsec/JSParser) ****\(python2.7\): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintaned.
* [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) ****\(ruby\): Given a file \(HTML\) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly \(minify\) files.
* [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) **\*\*\(python\): HTML spider, with JS beautify capabilities capable of search new paths in JS files. It could be worth it also take a look to \[**JSScanner\*\*\]\([https://github.com/dark-warlord14/JSScanner](https://github.com/dark-warlord14/JSScanner)\), which is a wrapper of LinkFinder.
* [**JSParser**](https://github.com/nahamsec/JSParser) _\*\*_\(python2.7\): A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests. Looks like unmaintaned.
* [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) _\*\*_\(ruby\): Given a file \(HTML\) it will extract URLs from it using nifty regular expression to find and extract the relative URLs from ugly \(minify\) files.
### Brute Force directories and files
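Review bot: the LinkFinder line regresses: `\[**JSScanner\*\*\]\([https://github.com/dark-warlord14/JSScanner](https://github.com/dark-warlord14/JSScanner)\)` shows the JSScanner link as literal brackets with the URL duplicated; restore `[**JSScanner**](https://github.com/dark-warlord14/JSScanner)`. As on the previous hunk, the `_\*\*_` spans on the JSParser and relative-url-extractor lines should be removed rather than escaped. In the context, the gau entry is missing its opening parenthesis ("go\)") and "unmaintaned" should be "unmaintained".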
@ -229,10 +229,10 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
* [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): Find broken links inside HTMLs that may be prone to takeovers
* **File Backups**: Once you have found all the files, look for backups of all the executable files \("_.php_", "_.aspx_"...\). Common variations for naming a backup are: _file.ext~, \#file.ext\#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old_
* **Discover new parameters**: You can use tools like [Arjun](https://github.com/s0md3v/Arjun) ****and ****[parameth](https://github.com/maK-/parameth) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
* **Discover new parameters**: You can use tools like [Arjun](https://github.com/s0md3v/Arjun) **and** [parameth](https://github.com/maK-/parameth) **to discover hidden parameters. If you can, you could try to search** hidden parameters on each executable web file.
* **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**.
* If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** \(using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser\). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [keyhacks](https://github.com/streaak/keyhacks), ****[zile](https://github.com/xyele/zile.git), ****[truffleHog](https://github.com/dxa4481/truffleHog/), [SecretFinder](https://github.com/m4ll0k/SecretFinder), [RegHex](https://github.com/l4yton/RegHex%29\)
* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [keyhacks](https://github.com/streaak/keyhacks), [**zile**](https://github.com/xyele/zile.git)**,** [truffleHog](https://github.com/dxa4481/truffleHog/), [SecretFinder](https://github.com/m4ll0k/SecretFinder), [RegHex](https://github.com/l4yton/RegHex%29\)
* **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).
### Special findings
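Review bot: both versions of the API-keys line end the RegHex link with `https://github.com/l4yton/RegHex%29\)`, so the target carries an encoded ")" plus an escaped one and the rendered URL is wrong; it should be `[RegHex](https://github.com/l4yton/RegHex)`. "there is guide that indicates" should be "there is a guide that indicates". The Arjun/parameth bold cleanup on the line above is correct.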
@ -246,7 +246,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
* If you find a _**.env**_ information such as api keys, dbs passwords and other information can be found.
* If you find **API endpoints** you [should also test them](api-pentesting.md). These aren't files, but will probably "look like" them.
* **JS files**: In the spidering section several tools that can extract path from JS files were mentioned. Also, It would be interesting to **monitor each JS file found**, as in some ocations, a change may indicate that a potential vulnerability was introduced in the code. You could use for example [**JSMon**](https://github.com/robre/jsmon)**.**
* You should also check discovered JS files with [**RetireJS**](https://github.com/retirejs/retire.js/) ****to find if it's vulnerable.
* You should also check discovered JS files with [**RetireJS**](https://github.com/retirejs/retire.js/) _\*\*_to find if it's vulnerable.
* **Javascript Deobfuscator and Unpacker** \([https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/)\)
* **Javascript Beautifier** \([http://jsbeautifier.org/](https://beautifier.io/)\)
* **BrainFuck deobfuscation** \(javascript with chars:"\[\]!+" [https://ooze.ninja/javascript/poisonjs/](https://ooze.ninja/javascript/poisonjs/)\)
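Review bot: the RetireJS line swaps `****` for `_\*\*_`; as elsewhere in this commit, delete the empty span instead of escaping it. In the context lines, "in some ocations" should be "on some occasions", "extract path from JS files" should be "paths", and the "Javascript Beautifier" entry shows jsbeautifier.org as its text while linking to beautifier.io; align the visible text with the target.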
@ -307,7 +307,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
#### 502 Proxy Error
If any page **responds** with that **code**, it's probably a **bad configured proxy**. **If you send a HTTP request like: `GET https://google.com HTTP/1.1`** \(with the host header and other common headers\), the ****proxy ****will try to **access** _**google.com**_ ****and you will have found a **SSRF**.
If any page **responds** with that **code**, it's probably a **bad configured proxy**. **If you send a HTTP request like: `GET https://google.com HTTP/1.1`** \(with the host header and other common headers\), the **proxy** will try to **access** _**google.com**_ **\*\*and you will have found a** SSRF\*\*.
#### **NTLM Authentication - Info disclosure**
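Review bot: the rewritten 502 sentence leaves an unbalanced bold span: `**\*\*and you will have found a** SSRF\*\*` renders as literal backslashes and asterisks with "SSRF" outside the emphasis. The intended text is "the **proxy** will try to **access** _**google.com**_ **and you will have found a SSRF**". Also "bad configured proxy" should be "badly configured proxy" (or "misconfigured proxy"), and "a HTTP request" should be "an HTTP request".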