Add content from: Research Update: Enhanced src/todo/radio-hacking/low-power-w...

2025-10-10 18:36:50 +00:00 · 2025-07-12 10:50:06 +00:00 · 2025-07-12 10:50:06 +00:00 · 92a9bc7b12
commit 92a9bc7b12
parent 3ad9a55c92
47 changed files with 174 additions and 108 deletions
--- a/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md
+++ b/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md
@ -1,6 +1,6 @@
 # 0. Basic LLM Concepts

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Pretraining

@ -300,4 +300,4 @@ During the backward pass:
 - **Accuracy:** Provides exact derivatives up to machine precision.
 - **Ease of Use:** Eliminates manual computation of derivatives.

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/1.-tokenizing.md
+++ b/src/AI/AI-llm-architecture/1.-tokenizing.md
@ -1,6 +1,6 @@
 # 1. Tokenizing

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Tokenizing

@ -99,4 +99,4 @@ print(token_ids[:50])
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/2.-data-sampling.md
+++ b/src/AI/AI-llm-architecture/2.-data-sampling.md
@ -1,6 +1,6 @@
 # 2. Data Sampling

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## **Data Sampling**

@ -241,4 +241,4 @@ tensor([[  367,  2885,  1464,  1807],
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/3.-token-embeddings.md
+++ b/src/AI/AI-llm-architecture/3.-token-embeddings.md
@ -1,6 +1,6 @@
 # 3. Token Embeddings

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Token Embeddings

@ -219,4 +219,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256])
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/4.-attention-mechanisms.md
+++ b/src/AI/AI-llm-architecture/4.-attention-mechanisms.md
@ -1,6 +1,6 @@
 # 4. Attention Mechanisms

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Attention Mechanisms and Self-Attention in Neural Networks

@ -430,5 +430,4 @@ For another compact and efficient implementation you could use the [`torch.nn.Mu
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)


-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/5.-llm-architecture.md
+++ b/src/AI/AI-llm-architecture/5.-llm-architecture.md
@ -1,6 +1,6 @@
 # 5. LLM Architecture

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## LLM Architecture

@ -702,4 +702,4 @@ print("Output length:", len(out[0]))
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md
+++ b/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md
@ -1,6 +1,6 @@
 # 6. Pre-training & Loading models

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Text Generation

@ -971,4 +971,4 @@ There 2 quick scripts to load the GPT2 weights locally. For both you can clone t
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md
+++ b/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md
@ -1,6 +1,6 @@
 # 7.0. LoRA Improvements in fine-tuning

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## LoRA Improvements

@ -64,4 +64,4 @@ def replace_linear_with_lora(model, rank, alpha):

 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md
+++ b/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md
@ -1,6 +1,6 @@
 # 7.1. Fine-Tuning for Classification

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## What is

@ -117,4 +117,4 @@ You can find all the code to fine-tune GPT2 to be a spam classifier in [https://

 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.md
+++ b/src/AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.md
@ -1,6 +1,6 @@
 # 7.2. Fine-Tuning to follow instructions

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 > [!TIP]
 > The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
@ -107,4 +107,4 @@ You can find an example of the code to perform this fine tuning in [https://gith

 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/AI/AI-llm-architecture/README.md
+++ b/src/AI/AI-llm-architecture/README.md
@ -1,6 +1,6 @@
 # LLM Training - Data Preparation

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 **These are my notes from the very recommended book** [**https://www.manning.com/books/build-a-large-language-model-from-scratch**](https://www.manning.com/books/build-a-large-language-model-from-scratch) **with some extra information.**

@ -99,4 +99,4 @@ You should start by reading this post for some basic concepts you should know ab
 7.2.-fine-tuning-to-follow-instructions.md
 {{#endref}}

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/arbitrary-write-2-exec/README.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/README.md
@ -1,6 +1,5 @@
 # Arbitrary Write 2 Exec

-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}


--- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
@ -52,4 +52,4 @@ Successful exploitation results in remote arbitrary code execution at user privi
 - Apple October 2024 Security Update (patch shipping CVE-2024-44236)  
  https://support.apple.com/en-us/121564

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/array-indexing.md
+++ b/src/binary-exploitation/array-indexing.md
@ -20,4 +20,4 @@ However he you can find some nice **examples**:



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
@ -123,4 +123,4 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/ios-exploiting.md
+++ b/src/binary-exploitation/ios-exploiting.md
@ -1,6 +1,6 @@
 # iOS Exploiting

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ## Physical use-after-free

@ -213,4 +213,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
 With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/libc-heap/README.md
+++ b/src/binary-exploitation/libc-heap/README.md
@ -1,6 +1,6 @@
 # Libc Heap

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Heap Basics

@ -531,4 +531,4 @@ heap-memory-functions/heap-functions-security-checks.md
 - [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
+++ b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
@ -66,4 +66,4 @@ d = malloc(20);   // a



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
@ -60,4 +60,4 @@ This approach avoids direct file downloads and leverages familiar UI elements to
 - From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery – https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
 - Discord Custom Invite Link Documentation – https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/threat-modeling.md
+++ b/src/generic-methodologies-and-resources/threat-modeling.md
@ -1,6 +1,6 @@
 # Threat Modeling

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ## Threat Modeling

@ -113,5 +113,4 @@ Now your finished model should look something like this. And this is how you mak
 This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology and is particularly suitable for those developing on Microsoft's stack.


-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@ -166,11 +166,11 @@ Allow the process to **ask for all the TCC permissions**.

 ### **`kTCCServicePostEvent`**

-{{#include ../../../banners/hacktricks-training.md}}
+

 </details>




-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/android-app-pentesting/flutter.md
+++ b/src/mobile-pentesting/android-app-pentesting/flutter.md
@ -80,4 +80,4 @@ Flutter itself **ignores device proxy settings**. Easiest options:
 - [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)


-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth

 ### Automated dynamic analysis with MobSF (no jailbreak)

-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:

 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
--- a/src/network-services-pentesting/1414-pentesting-ibmmq.md
+++ b/src/network-services-pentesting/1414-pentesting-ibmmq.md
@ -364,4 +364,4 @@ CONTAINER ID   IMAGE                                COMMAND                  CRE



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-ntp.md
+++ b/src/network-services-pentesting/pentesting-ntp.md
@ -195,4 +195,4 @@ Entry_2:
 - Khronos/Chronos draft (time-shift mitigation) 
 - chronyc manual/examples for remote monitoring 
 - zgrab2 ntp module docs 
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/angular.md
+++ b/src/network-services-pentesting/pentesting-web/angular.md
@ -1,6 +1,6 @@
 # Angular

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## The Checklist

@ -616,5 +616,4 @@ According to the W3C documentation, the `window.location` and `document.location



-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/django.md
+++ b/src/network-services-pentesting/pentesting-web/django.md
@ -1,6 +1,6 @@
 # Django

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Cache Manipulation to RCE
 Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**.
@ -76,4 +76,4 @@ Always fingerprint the exact framework version via the `X-Frame-Options` error p
 * Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. 
 * OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. 

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/laravel.md
+++ b/src/network-services-pentesting/pentesting-web/laravel.md
@ -1,6 +1,6 @@
 # Laravel

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ### Laravel SQLInjection

@ -91,7 +91,7 @@ The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.
 * [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
 * [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)

-{{#include ../../banners/hacktricks-training.md}}
+


 ## Laravel Tricks
@ -283,4 +283,3 @@ The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.

 {{#include ../../banners/hacktricks-training.md}}

-
--- a/src/network-services-pentesting/pentesting-web/nodejs-express.md
+++ b/src/network-services-pentesting/pentesting-web/nodejs-express.md
@ -1,6 +1,6 @@
 # NodeJS Express

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Cookie Signature

@ -39,5 +39,4 @@ cookie-monster -e -f new_cookie.json -k secret
 ```


-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/spring-actuators.md
+++ b/src/network-services-pentesting/pentesting-web/spring-actuators.md
@ -63,9 +63,9 @@ Host: target.com
 Connection: close
 ```

-    {{#include ../../banners/hacktricks-training.md}}




-{{#include /src/banners/hacktricks-training.md}}
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-web/dapps-DecentralizedApplications.md
+++ b/src/pentesting-web/dapps-DecentralizedApplications.md
@ -1,6 +1,6 @@
 # DApps - Decentralized Applications

-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ## What is a DApp?

@ -79,6 +79,5 @@ In the scenario **`Mishandling of Asset Classes`**, is explained that the backen
 - [https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications](https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications)


-{{#include ../../banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}

--- a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
@ -47,13 +47,13 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\

 - [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)

+
+
+```
+
+```
+
+
+
+
 {{#include ../../banners/hacktricks-training.md}}
-
-```
-
-```
-
-
-
-
-{{#include /src/banners/hacktricks-training.md}}
--- a/src/pentesting-web/idor.md
+++ b/src/pentesting-web/idor.md
@ -80,10 +80,10 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
 * **OWASP ZAP**: Auth Matrix, Forced Browse.  
 * **Github projects**: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).

-{{#include ../banners/hacktricks-training.md}}
+

 ## References
 * [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds)
 * [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
 * [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/xss-cross-site-scripting/README.md
+++ b/src/pentesting-web/xss-cross-site-scripting/README.md
@ -1,6 +1,6 @@
 # XSS (Cross Site Scripting)

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Methodology

--- a/src/todo/hardware-hacking/fault_injection_attacks.md
+++ b/src/todo/hardware-hacking/fault_injection_attacks.md
@ -1,6 +1,6 @@
 # Fault Injection Attacks 

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 Fault injections attacks includes introducing external distrubance in electronic circuits to influence it's behaviour, resulting to disclose information or even bypass certian restrictions in the circuit. This attacks opens a lot of possibilities for attacking electronic circuits. This attack is also referred as glitching of electronic circuits.

@ -8,4 +8,4 @@ There are a lot of methods and mediums for injecting fault into an electronic ci



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/todo/hardware-hacking/side_channel_analysis.md
+++ b/src/todo/hardware-hacking/side_channel_analysis.md
@ -1,6 +1,6 @@
 # Side Channel Analysis Attacks 

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 Side Channel Analysis Attacks refers to determining the information from a device or entity by some other channel or source that has an indirect influence on it and information can be extracted from it. This can be explained better with an example: 

@ -10,4 +10,4 @@ These attacks are very popular in case of leaking data such as private keys or f



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/todo/industrial-control-systems-hacking/README.md
+++ b/src/todo/industrial-control-systems-hacking/README.md
@ -1,6 +1,6 @@
 # Industrial Control Systems Hacking 

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## About this Section

@ -18,5 +18,4 @@ These techniques can also be used to protect against attacks and blue teaming fo



-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/todo/industrial-control-systems-hacking/modbus.md
+++ b/src/todo/industrial-control-systems-hacking/modbus.md
@ -1,6 +1,6 @@
 # The Modbus Protocol 

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 ## Introduction to Modbus Protocol 

@ -34,6 +34,5 @@ Due to it's large scale use and lack of upgradations, attacking Modbus provides



-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}

--- a/src/todo/investment-terms.md
+++ b/src/todo/investment-terms.md
@ -1,6 +1,6 @@
 # Investment Terms

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ## Spot

@ -71,4 +71,4 @@ However, the buyer will be paying some fee to the seller for opening the option



-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
--- a/src/todo/radio-hacking/README.md
+++ b/src/todo/radio-hacking/README.md
@ -1,6 +1,5 @@
 # Radio Hacking

-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}


--- a/src/todo/radio-hacking/fissure-the-rf-framework.md
+++ b/src/todo/radio-hacking/fissure-the-rf-framework.md
@ -1,6 +1,6 @@
 # FISSURE - The RF Framework

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 **Frequency Independent SDR-based Signal Understanding and Reverse Engineering**

@ -187,5 +187,4 @@ Special thanks to Dr. Samuel Mantravadi and Joseph Reith for their contributions



-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/todo/radio-hacking/low-power-wide-area-network.md
+++ b/src/todo/radio-hacking/low-power-wide-area-network.md
@ -4,16 +4,96 @@

 ## Introduction

-**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide area network technologies designed for **long-range communications** at a low bit rate.\
+**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide-area network technologies designed for **long-range communications** at a low bit rate.
 They can reach more than **six miles** and their **batteries** can last up to **20 years**.

-Long Range (**LoRa**) it’s popular in multiple countries and has an open source specification called **LoRaWAN**.
+Long Range (**LoRa**) is currently the most deployed LPWAN physical layer and its open MAC-layer specification is **LoRaWAN**.

-### LPWAN, LoRa, and LoRaWAN
+---

-[https://github.com/IOActive/laf](https://github.com/IOActive/laf)
+## LPWAN, LoRa, and LoRaWAN

+* LoRa – Chirp Spread Spectrum (CSS) physical layer developed by Semtech (proprietary but documented).
+* LoRaWAN – Open MAC/Network layer maintained by the LoRa-Alliance. Versions 1.0.x and 1.1 are common in the field.
+* Typical architecture: *end-device → gateway (packet-forwarder) → network-server → application-server*.
+
+> The **security model** relies on two AES-128 root keys (AppKey/NwkKey) that derive session keys during the *join* procedure (OTAA) or are hard-coded (ABP). If any key leaks the attacker gains full read/write capability over the corresponding traffic.
+
+---
+
+## Attack surface summary
+
+| Layer | Weakness | Practical impact |
+|-------|----------|------------------|
+| PHY | Reactive / selective jamming | 100 % packet loss demonstrated with single SDR and <1 W output |
+| MAC | Join-Accept & data-frame replay (nonce reuse, ABP counter rollover) | Device spoofing, message injection, DoS |
+| Network-Server | Insecure packet-forwarder, weak MQTT/UDP filters, outdated gateway firmware | RCE on gateways → pivot into OT/IT network |
+| Application | Hard-coded or predictable AppKeys | Brute-force/decrypt traffic, impersonate sensors |
+
+---
+
+## Recent vulnerabilities (2023-2025)
+
+* **CVE-2024-29862** – *ChirpStack gateway-bridge & mqtt-forwarder* accepted TCP packets that bypassed stateful firewall rules on Kerlink gateways, allowing remote management interface exposure. Fixed in 4.0.11 / 4.2.1 respectively .
+* **Dragino LG01/LG308 series** – Multiple 2022-2024 CVEs (e.g. 2022-45227 directory traversal, 2022-45228 CSRF) still observed unpatched in 2025; enable unauthenticated firmware dump or config overwrite on thousands of public gateways .
+* Semtech *packet-forwarder UDP* overflow (unreleased advisory, patched 2023-10): crafted uplink larger than 255 B triggered stack-smash ‑> RCE on SX130x reference gateways (found by Black Hat EU 2023 “LoRa Exploitation Reloaded”).
+
+---
+
+## Practical attack techniques
+
+### 1. Sniff & Decrypt traffic
+
+```bash
+# Capture all channels around 868.3 MHz with an SDR (USRP B205)
+python3 lorattack/sniffer.py \
+    --freq 868.3e6 --bw 125e3 --rate 1e6 --sf 7 --session smartcity
+
+# Bruteforce AppKey from captured OTAA join-request/accept pairs
+python3 lorapwn/bruteforce_join.py --pcap smartcity.pcap --wordlist top1m.txt
+```
+
+### 2. OTAA join-replay (DevNonce reuse)
+
+1. Capture a legitimate **JoinRequest**.
+2. Immediately retransmit it (or increment RSSI) before the original device transmits again.
+3. The network-server allocates a new DevAddr & session keys while the target device continues with the old session → attacker owns vacant session and can inject forged uplinks.
+
+### 3. Adaptive Data-Rate (ADR) downgrading
+
+Force SF12/125 kHz to increase airtime → exhaust duty-cycle of gateway (denial-of-service) while keeping battery impact low on attacker (just send network-level MAC commands).
+
+### 4. Reactive jamming
+
+*HackRF One* running GNU Radio flowgraph triggers a wide-band chirp whenever preamble detected – blocks all spreading factors with ≤200 mW TX; full outage measured at 2 km range .
+
+---
+
+## Offensive tooling (2025)
+
+| Tool | Purpose | Notes |
+|------|---------|-------|
+| **LoRaWAN Auditing Framework (LAF)** | Craft/parse/attack LoRaWAN frames, DB-backed analyzers, brute-forcer | Docker image, supports Semtech UDP input |
+| **LoRaPWN** | Trend Micro Python utility to brute OTAA, generate downlinks, decrypt payloads | Demo released 2023, SDR-agnostic |
+| **LoRAttack** | Multi-channel sniffer + replay with USRP; exports PCAP/LoRaTap | Good Wireshark integration |
+| **gr-lora / gr-lorawan** | GNU Radio OOT blocks for baseband TX/RX | Foundation for custom attacks |
+
+---
+
+## Defensive recommendations (pentester checklist)
+
+1. Prefer **OTAA** devices with truly random DevNonce; monitor duplicates.
+2. Enforce **LoRaWAN 1.1**: 32-bit frame counters, distinct FNwkSIntKey / SNwkSIntKey.
+3. Store frame-counter in non-volatile memory (**ABP**) or migrate to OTAA.
+4. Deploy **secure-element** (ATECC608A/SX1262-TRX-SE) to protect root keys against firmware extraction.
+5. Disable remote UDP packet-forwarder ports (1700/1701) or restrict with WireGuard/VPN.
+6. Keep gateways updated; Kerlink/Dragino provide 2024-patched images.
+7. Implement **traffic anomaly detection** (e.g., LAF analyzer) – flag counter resets, duplicate joins, sudden ADR changes.
+
+
+
+## References
+
+* LoRaWAN Auditing Framework (LAF) – https://github.com/IOActive/laf
+* Trend Micro LoRaPWN overview – https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
--- a/src/todo/rust-basics.md
+++ b/src/todo/rust-basics.md
@ -1,6 +1,6 @@
 # Rust Basics

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ### Generic Types

@ -320,5 +320,4 @@ fn main() {
 ```


-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}
--- a/src/todo/test-llms.md
+++ b/src/todo/test-llms.md
@ -1,6 +1,6 @@
 # Test LLMs

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ## Run & train models locally

@ -52,5 +52,4 @@ It offers several sections like:
 * **API Access:** Simple APIs for running models the enable developers to deploy and scale models effortlessly within their own applications.


-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/TimeRoasting.md
+++ b/src/windows-hardening/active-directory-methodology/TimeRoasting.md
@ -1,6 +1,6 @@
 # TimeRoasting

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

 timeRoasting, the main cause is the outdated authentication mechanism left by Microsoft in its extension to NTP servers, known as MS-SNTP. In this mechanism, clients can directly use any computer account's Relative Identifier (RID), and the domain controller will use the computer account's NTLM hash (generated by MD4) as the key to generate the **Message Authentication Code (MAC)** of the response packet.

@ -39,4 +39,4 @@ sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt
 hashcat -m 31300 ntp-hashes.txt
 ```

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/printnightmare.md
+++ b/src/windows-hardening/active-directory-methodology/printnightmare.md
@ -95,7 +95,7 @@ Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll

 **More reading (external):** Check the 2024 walk-through blog post – [Understanding PrintNightmare Vulnerability](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)

-{{#include ../../banners/hacktricks-training.md}}
+

 ## References

@ -103,4 +103,4 @@ Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll
  <https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>
 * Oliver Lyak – *SpoolFool: CVE-2022-21999*  
  <https://github.com/ly4k/SpoolFool>
-{{#include /banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/cobalt-strike.md
+++ b/src/windows-hardening/cobalt-strike.md
@ -1,6 +1,6 @@
 # Cobalt Strike

-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

 ### Listeners

@ -371,5 +371,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
 ```


-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}