Add content from: Research Update: Enhanced src/network-services-pentesting/pe...

2025-10-10 18:36:50 +00:00 · 2025-07-11 08:27:18 +00:00 · 2025-07-11 08:27:18 +00:00 · 8ab6aee5a1
commit 8ab6aee5a1
parent 5c44912c76
3 changed files with 64 additions and 6 deletions
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@ -61,7 +61,7 @@ Java.perform(function () {
  });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  

 ---

@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)

 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|

 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their

 ### References

- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 

 {{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth

 ### Automated dynamic analysis with MobSF (no jailbreak)

-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:

 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
--- a/src/network-services-pentesting/pentesting-telnet.md
+++ b/src/network-services-pentesting/pentesting-telnet.md
@ -77,8 +77,66 @@ Entry_4:

 ```

+### Recent Vulnerabilities (2022-2025)

-{{#include ../banners/hacktricks-training.md}}
+* **CVE-2024-45698 – D-Link Wi-Fi 6 routers (DIR-X4860)**: The built-in Telnet service accepted hard-coded credentials and failed to sanitise input, allowing unauthenticated remote RCE as root via crafted commands on port 23. Fixed in firmware ≥ 1.04B05.
+* **CVE-2023-40478 – NETGEAR RAX30**: Stack-based buffer overflow in the Telnet CLI `passwd` command lets an adjacent attacker bypass authentication and execute arbitrary code as root.
+* **CVE-2022-39028 – GNU inetutils telnetd**: A two-byte sequence (`0xff 0xf7` / `0xff 0xf8`) triggers a NULL-pointer dereference that can crash `telnetd`, resulting in a persistent DoS after several crashes.
+
+Keep these CVEs in mind during vulnerability triage—if the target is running an un-patched firmware or legacy inetutils Telnet daemon you may have a straight-forward path to code-execution or a disruptive DoS.
+
+### Sniffing Credentials & Man-in-the-Middle
+
+Telnet transmits everything, including credentials, in **clear-text**. Two quick ways to capture them:
+
+```bash
+# Live capture with tcpdump (print ASCII)
+sudo tcpdump -i eth0 -A 'tcp port 23 and not src host $(hostname -I | cut -d" " -f1)'
+
+# Wireshark display filter
+ tcp.port == 23 && (telnet.data || telnet.option)
+```
+For active MITM, combine ARP spoofing (e.g. `arpspoof`/`ettercap`) with the same sniffing filters to harvest passwords on switched networks.
+
+### Automated Brute-force / Password Spraying
+
+```bash
+# Hydra (stop at first valid login)
+hydra -L users.txt -P rockyou.txt -t 4 -f telnet://<IP>
+
+# Ncrack (drop to interactive session on success)
+ncrack -p 23 --user admin -P common-pass.txt --connection-limit 4 <IP>
+
+# Medusa (parallel hosts)
+medusa -M telnet -h targets.txt -U users.txt -P passwords.txt -t 6 -f
+```
+Most IoT botnets (Mirai variants) still scan port 23 with small default-credential dictionaries—mirroring that logic can quickly identify weak devices.
+
+### Exploitation & Post-Exploitation
+
+Metasploit has several useful modules:
+
+* `auxiliary/scanner/telnet/telnet_version` – banner & option enumeration.
+* `auxiliary/scanner/telnet/brute_telnet` – multithreaded bruteforce.
+* `auxiliary/scanner/telnet/telnet_encrypt_overflow` – RCE against vulnerable Solaris 9/10 Telnet (option ENCRYPT handling).
+* `exploit/linux/mips/netgear_telnetenable` – enables telnet service with a crafted packet on many NETGEAR routers.
+
+After a shell is obtained remember that **TTYs are usually dumb**; upgrade with `python -c 'import pty;pty.spawn("/bin/bash")'` or use the [HackTricks TTY tricks](/generic-hacking/reverse-shells/full-ttys.md).
+
+### Hardening & Detection (Blue team corner)
+
+1. Prefer SSH and disable Telnet service completely.  
+2. If Telnet is required, bind it to management VLANs only, enforce ACLs and wrap the daemon with TCP wrappers (`/etc/hosts.allow`).  
+3. Replace legacy `telnetd` implementations with `ssl-telnet` or `telnetd-ssl` to add transport encryption, but **this only protects data-in-transit—password-guessing remains trivial**.  
+4. Monitor for outbound traffic to port 23; compromises often spawn reverse shells over Telnet to bypass strict-HTTP egress filters.
+
+## References
+
+* D-Link Advisory – CVE-2024-45698 Critical Telnet RCE.  
+* NVD – CVE-2022-39028 inetutils `telnetd` DoS.



+
+
+{{#include /banners/hacktricks-training.md}}