0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#3427] No subject

This commit is contained in:
CPol 2022-08-30 20:54:24 +00:00 committed by gitbook-bot
parent a48e960c55
commit f5268633f3
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
23 changed files with 325 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -64,6 +64,15 @@ Through Security Skills as a Service, we help organizations to **defend against
{% embed url="https://securityhubs.io/" %}
### [SecurityBoat](https://securityboat.in/)
![](<.gitbook/assets/SB logo black\_034525.png>)
**Securityboat** is a cybersecurity company focused on providing top of the line **penetration testing services** and the most comprehensive **automated security testing** solutions based on an extensive **manual security testing methodology** that utilizes various case-specific and **industry-tested** solutions. They are committed to providing clear communication on cybersecurity issues, developing solutions, and prioritizing **business risk**.\
**Make the right choice by contacting us for your security:**
{% embed url="https://securityboat.in/contact-us" %}
### [Intigriti](https://www.intigriti.com)
![](.gitbook/assets/i3.png)

14
forensics/basic-forensic-methodology/linux-forensics.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Initial Information Gathering
### Basic Information
@ -409,6 +416,13 @@ Note that not all diffs can feature all types. For instance, diffs from the inde
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
generic-methodologies-and-resources/shells/full-ttys.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Full TTY
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
@ -104,6 +111,13 @@ If for some reason you cannot obtain a full TTY you **still can interact with pr
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

21
generic-methodologies-and-resources/tunneling-and-port-forwarding.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Nmap tip
{% hint style="warning" %}
@ -264,6 +271,13 @@ victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntl
victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45
```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## **Socat**
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
@ -457,6 +471,13 @@ ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.1
* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
* [https://github.com/jpillora/chisel](https://github.com/jpillora/chisel)
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
mobile-pentesting/android-app-pentesting/smali-changes.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
Sometimes it is interesting to modify the application code to access hidden information for you (maybe well obfuscated passwords or flags). Then, it could be interesting to decompile the apk, modify the code and recompile it.
@ -199,6 +206,13 @@ move-result-object v12
invoke-virtual {v12}, Landroid/widget/Toast;->show()V
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/113-pentesting-ident.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information
Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol\_\(computing\)) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission\_Control\_Protocol) connection.
@ -105,6 +112,13 @@ Entry_2:
Note: apt install ident-user-enum ident-user-enum {IP} 22 23 139 445 (try all open ports)
```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

23
network-services-pentesting/2375-pentesting-docker.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Docker Basics
### What is
@ -83,7 +90,7 @@ ctr container delete <containerName>
### Podman
**Info** [**from here**](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html)
**Info** [**from here**](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html#:\~:text=What%20is%20Podman%3F,and%20support%20for%20rootless%20containers.)
Podman is an open source, OCI ([Open Container Initiative](https://github.com/opencontainers)) compliant container engine. It is driven by Red Hat and incorporates a few major differences from Docker, such as its daemonless architecture and support for rootless containers. At their core, **both tools do the same thing: manage images and containers**. One of **Podmans objectives is to have a Docker-compatible API**. Hence almost all CLI (command line interface) commands from the Docker CLI are also available in Podman.
@ -216,6 +223,13 @@ msf> use exploit/linux/http/docker_daemon_tcp
nmap -sV --script "docker-*" -p <PORT> <IP>
```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Compromising
In the following page you can find ways to **escape from a docker container**:
@ -349,6 +363,13 @@ falco-probe found and loaded in dkms
You can use auditd to monitor docker.
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/5353-udp-multicast-dns-mdns.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information
Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform **DNS-like operations** on the local network in the absence of a conventional, unicast DNS server. The protocol uses the **same** API, **packet formats**, and operating semantics as DNS, allowing you to resolve domain names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that allows clients to **discover a list of named instances of services** (such as test.\_ipps.\_tcp.local, or linux.\_ssh.\_tcp.local) in a domain using standard DNS queries. DNS-SD is most often used in conjunction with mDNS but isnt dependent on it. Theyre both used by many IoT devices, such as network printers, Apple TVs, Google Chromecast, Network-Attached Storage (NAS) devices, and cameras.\
@ -106,6 +113,13 @@ For more information check:
* [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://books.google.co.uk/books/about/Practical\_IoT\_Hacking.html?id=GbYEEAAAQBAJ\&redir\_esc=y)
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/554-8554-pentesting-rtsp.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information
> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).
@ -100,6 +107,13 @@ Cameradar allows you to:
* Print a summary of all the informations Cameradar could get
* [https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/873-pentesting-rsync.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## **Basic Information**
> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File\_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File\_synchronization) [files](https://en.wikipedia.org/wiki/Computer\_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer\_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping\_\(computing\))and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating\_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta\_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data\_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite\_note-man\_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure\_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
@ -111,6 +118,13 @@ find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd.
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/pentesting-finger.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## **Basic Info**
**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number (if known), login time, idle time, time mail was last read, and the user's plan and project files.
@ -80,6 +87,13 @@ finger user@host@victim
finger @internal@external
```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/pentesting-rpcbind.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information
Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
@ -124,6 +131,13 @@ Entry_3:
Command: nmap -sSUC -p 111 {IP}
```
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/pentesting-vnc.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Basic Information
In computing, **Virtual Network Computing** (**VNC**) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.\
@ -64,6 +71,13 @@ I save the tool here also for ease of access:
* `port:5900 RFB`
{% hint style="danger" %}
<img src="../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
network-services-pentesting/pentesting-web/nginx.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Missing root location <a href="#missing-root-location" id="missing-root-location"></a>
```
@ -282,6 +289,13 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne
* [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)
* [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
### Localhost
```bash
@ -212,6 +219,13 @@ Both of them describe a way of parsing URI/URLs, with one slight difference. The
image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md
View File

@ -1,5 +1,12 @@
# Pentesting Kubernetes Services
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
Kubernetes uses several **specific network services** that you might find **exposed to the Internet** or in an **internal network once you have compromised one pod**.
## Finding exposed pods with OSINT
@ -223,6 +230,13 @@ For example, a remote attacker can abuse this by accessing the following URL: `h
{% embed url="https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet" %}
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

11
radio-hacking/low-power-wide-area-network.md
View File

@ -1,4 +1,4 @@
# Low-Power Wide Area Network
<details>
@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Introduction
## Introduction
**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide area network technologies designed for **long-range communications** at a low bit rate.\
They can reach more than **six miles** and their **batteries** can last up to **20 years**.
Long Range (**LoRa**) its popular in multiple countries and has an open source specification called **LoRaWAN**.
## LPWAN, LoRa, and LoRaWAN
### LPWAN, LoRa, and LoRaWAN
[https://github.com/IOActive/laf](https://github.com/IOActive/laf)
<details>
@ -43,5 +42,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

14
reversing/reversing-tools-basic-methods/README.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Wasm decompiler / Wat compiler
Online:
@ -396,6 +403,13 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering)
* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
windows-hardening/active-directory-methodology/asreproast.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## ASREPRoast
The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute (**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**)**_.
@ -69,6 +76,13 @@ Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbos
[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

10
windows-hardening/active-directory-methodology/kerberos-authentication.md
View File

@ -16,6 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
## Kerberos (I): How does Kerberos work? Theory
@ -212,6 +217,11 @@ After that, if user privileges are rigth, this can access to service. If is the
* Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036)
* Fun with LDAP, Kerberos (and MSRPC) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58)
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
windows-hardening/ntlm/smbexec.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## How does it works
**Smbexec works like Psexec.** In this example\*\*,\*\* **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
@ -56,6 +63,13 @@ It errors out because our service doesn't respond, but if we look at our Metaspl
All the info was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

21
windows-hardening/stealing-credentials/README.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Credentials Mimikatz
```bash
@ -159,6 +166,13 @@ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
## Stealing SAM & SYSTEM
This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
@ -316,6 +330,13 @@ Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco
[**Learn about some credentials protections here.**](credentials-protections.md)
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

14
windows-hardening/windows-local-privilege-escalation/rottenpotato.md
View File

@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/)
Service accounts usually have special privileges (SeImpersonatePrivileges) and this could be used to escalate privileges.
@ -99,6 +106,13 @@ Server username: NT AUTHORITY\SYSTEM
Success! We have our SYSTEM shell and can grab the root.txt file!
{% hint style="danger" %}
<img src="../../.gitbook/assets/SB logo black_034525.png" alt="" data-size="original">\
_A **digital transformation** tailored to your organization is unique. It also comes with its **risks**. **Defend yourself against hackers**. Get protection before it's too late. **Talk to the professionals at Securityboat**:_
{% embed url="https://securityboat.in/contact-us" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>