From 8ab6aee5a1eb9ad06de6da640b814651a31b3a6b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 11 Jul 2025 08:27:18 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/pe... --- .../reversing-native-libraries.md | 8 +-- .../ios-pentesting-without-jailbreak.md | 2 +- .../pentesting-telnet.md | 60 ++++++++++++++++++- 3 files changed, 64 insertions(+), 6 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 03213da50..ea060841d 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -61,7 +61,7 @@ Java.perform(function () { }); }); ``` -Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0 +Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. --- 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) | Year | CVE | Affected library | Notes | |------|-----|------------------|-------| -|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0| +|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| | |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant. @@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their ### References -- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) citeturn5search0 -- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0 +- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) +- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md index 004d7bf0e..791da2761 100644 
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md +++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md @@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth ### Automated dynamic analysis with MobSF (no jailbreak) -[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: +[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB: ```bash docker pull opensecurity/mobile-security-framework-mobsf:latest diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md index 4bc44869f..31ca7a6ae 100644 --- a/src/network-services-pentesting/pentesting-telnet.md +++ b/src/network-services-pentesting/pentesting-telnet.md 
@@ -77,8 +77,66 @@ Entry_4: ``` +### Recent Vulnerabilities (2022-2025) -{{#include ../banners/hacktricks-training.md}} +* **CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860)**: The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated remote RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05. +* **CVE-2023-40478 – NETGEAR RAX30**: Stack-based buffer overflow in the Telnet CLI `passwd` command lets an adjacent attacker bypass authentication and execute arbitrary code as root. +* **CVE-2022-39028 – GNU inetutils telnetd**: A two-byte sequence (`0xff 0xf7` / `0xff 0xf8`) triggers a NULL-pointer dereference that can crash `telnetd`, resulting in a persistent DoS after several crashes. + +Keep these CVEs in mind during vulnerability triage—if the target is running an un-patched firmware or legacy inetutils Telnet daemon you may have a straight-forward path to code-execution or a disruptive DoS. + +### Sniffing Credentials & Man-in-the-Middle + +Telnet transmits everything, including credentials, in **clear-text**. Two quick ways to capture them: + +```bash +# Live capture with tcpdump (print ASCII) +sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)' + +# Wireshark display filter + tcp.port == 23 && (telnet.data || telnet.option) +``` +For active MITM, combine ARP spoofing (e.g. `arpspoof`/`ettercap`) with the same sniffing filters to harvest passwords on switched networks. 
+ +### Automated Brute-force / Password Spraying + +```bash +# Hydra (stop at first valid login) +hydra -L users.txt -P rockyou.txt -t 4 -f telnet:// + +# Ncrack (drop to interactive session on success) +ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 + +# Medusa (parallel hosts) +medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f +``` +Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices. + +### Exploitation & Post-Exploitation + +Metasploit has several useful modules: + +* `auxiliary/scanner/telnet/telnet_version` – banner & option enumeration. +* `auxiliary/scanner/telnet/brute_telnet` – multithreaded bruteforce. +* `auxiliary/scanner/telnet/telnet_encrypt_overflow` – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling). +* `exploit/linux/mips/netgear_telnetenable` – enables telnet service with a crafted packet on many NETGEAR routers. + +After a shell is obtained remember that **TTYs are usually dumb**; upgrade with `python -c 'import pty;pty.spawn("/bin/bash")'` or use the [HackTricks TTY tricks](/generic-hacking/reverse-shells/full-ttys.md). + +### Hardening & Detection (Blue team corner) + +1. Prefer SSH and disable Telnet service completely. +2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (`/etc/hosts.allow`). +3. Replace legacy `telnetd` implementations with `ssl-telnet` or `telnetd-ssl` to add transport encryption, but **this only protects data-in-transit—password-guessing remains trivial**. +4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters. + +## References + +* D-Link Advisory – CVE-2024-45698 Critical Telnet RCE. +* NVD – CVE-2022-39028 inetutils `telnetd` DoS. + + +{{#include /banners/hacktricks-training.md}}
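Review bot: In the `@@ -69,7 +69,7 @@` hunk of reversing-native-libraries.md, the rewritten CVE-2023-4863 row still ends with an extra `| |` cell, so it carries five cells under the four-column header (Year, CVE, Affected library, Notes). When dropping the citation marker, drop the now-empty trailing cell as well, so the row ends at `...attempt exploitation or patching.|` and matches the 2024 row below it.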
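Review bot: In the MobSF paragraph of ios-pentesting-without-jailbreak.md, the replacement line still contains citation residue: `【†L2-L3】` is left directly after "Frida console". Remove the whole bracketed marker rather than only the `turn6view0` token, so the sentence ends at "Frida console." as the equivalent clean-ups in reversing-native-libraries.md do.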
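Review bot: In the tcpdump example under "Sniffing Credentials & Man-in-the-Middle" in pentesting-telnet.md, the capture filter is wrapped in single quotes, so the shell never expands `$(hostname -I | cut -d" " -f1)` and tcpdump receives it as literal filter text. Compute the local address into a variable first, or double-quote the filter, so the `not src host` clause gets a real address. The same fence also holds a Wireshark display filter, which is not a shell command; move it out of the `bash` block or present it as a comment. In the brute-force block, `hydra ... telnet://` and the `ncrack` line name no target host, so add an explicit placeholder target to both. The footer include changes from `../banners/hacktricks-training.md` to `/banners/hacktricks-training.md`, while the other file in this patch uses a relative `../../banners/` path; keep the relative form unless the absolute one is confirmed to resolve. The two new References entries have no links, unlike the linked entries in reversing-native-libraries.md, and the patch as a whole touches two mobile-pentesting files that the subject line does not mention.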