
Merge branch 'master' of https://git.swrzm.de/msc/cheatsheets

Marius Schwarz 5 years ago
parent commit 935fe026ea

+ 10 - 0
cheatsheets/security/mobile/security-testing-android.md

@@ -0,0 +1,10 @@
+---
+title: Security Testing Android
+categories: [cheatsheets]
+tags: [security, mobile]
+---
+
+# Security Testing Android
+
+Awesome Cheatsheet: [Android Cheatsheet Git](https://nightowl131.github.io/AAPG/)
+
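Review bot: the page body is a single external link with no description of what the linked cheatsheet covers; add at least one line saying what AAPG is and which parts of Android testing it addresses, so the entry remains useful if the link goes away. The link text "Android Cheatsheet Git" also does not match the target, which is a GitHub Pages site rather than a git repository.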

+ 156 - 0
cheatsheets/security/pentesting/network-pivoting.md

@@ -0,0 +1,156 @@
+---
+title: Network Pivoting
+categories: [cheatsheets]
+tags: [pentesting, security]
+---
+
+# Network Pivoting
+
+Example Network:
+
+
+1) Public Network: 10.11.1.0/24
+2) IT Network: 10.1.1.0/24
+3) Own (Attacker) IP: 10
+4) Compromised Host: 10.11.1.251, 10.1.1.248 (two NIC's in both subnets)
+
+**No routing between the subnets**
+
+Goal: Get access to the IT Network, starting from the Attacker PC and using the compromised Host.
+
+
+#### Szenario:
+
+This host was owned via the 10.11.1.0/24 network. Now, the attacker wants to pivot further into the IT Network using the 0wned host.
+
+
+## Method 1: Pivoting using Metasploit
+
+Metasploit has a module for routing network traffic via a exploited meterpreter session: `autoroute`.
+
+Requirement: having a running meterpreter session (Session 1)
+
+```
+msf> use post/multi/manage/autoroute
+msf> set CMD add
+msf> set SUBNET 10.1.1.0
+msf> set NETMASK 255.255.255.0
+msf> run
+```
+
+To print the added routes:
+
+```
+msf> use post/multi/manage/autoroute
+msf> set CMD print
+msf> run
+```
+
+Next, start a metasploit internal socks proxy server with the command:
+
+```
+msf> use auxiliary/server/socks4a
+msf> set RHOSTS SRVHOST 10.11.0.143
+msf> run
+```
+
+the tool `proxychains` can be used to connect to this SOCKS proxy and metasploit will autoredirect the network packets to the created route via the meterpreter.
+For `proxychains` to work, edit the proxy entry in `/etc/proxychains.conf`
+
+```
+sh> vim /etc/proxychains.conf
+
+[ProxyList]
+# add proxy here ...
+# meanwile
+# defaults set to "tor"
+socks4  10.11.0.143 1080  # <- add the IP here
+```
+
+after that, nmap can be used like this:
+
+```
+sh> proxychains nmap -sT -Pn <ip>
+```
+
+## Method 2: Dynamic Port Forwarding with SSH and Proxychains
+
+The `-D` option of SSH is used for that:
+
+```
+ -D [bind_address:]port
+             Specifies a local “dynamic” application-level port forwarding.  This works by allocating
+             a socket to listen to port on the local side, optionally bound to the specified
+             bind_address.  Whenever a connection is made to this port, the connection is forwarded
+             over the secure channel, and the application protocol is then used to determine where to
+             connect to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are sup‐
+             ported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.
+             Dynamic port forwardings can also be specified in the configuration file.
+
+             IPv6 addresses can be specified by enclosing the address in square brackets.  Only the
+             superuser can forward privileged ports.  By default, the local port is bound in accor‐
+             dance with the GatewayPorts setting.  However, an explicit bind_address may be used to
+             bind the connection to a specific address.  The bind_address of “localhost” indicates
+             that the listening port be bound for local use only, while an empty address or ‘*’ indi‐
+             cates that the port should be available from all interfaces.
+```
+
+Connect to the compromised host with `ssh -D`:
+
+```
+sh> ssh -D 10.11.0.143:1080 root@10.11.1.251
+```
+
+Again, change the proxychains config to the specified host:port:
+
+```
+sh> vim /etc/proxychains.conf
+
+[ProxyList]
+# add proxy here ...
+# meanwile
+# defaults set to "tor"
+socks4  10.11.0.143 1080  # <- add the IP here
+```
+
+after that, nmap can be used like this:
+
+```
+sh> proxychains nmap -sT -Pn <ip>
+```
+
+
+## Method 3: Port Forwarding using a ssh tunnel
+
+### 3.1 Local Forwarding
+
+With local forwarding, a port of the client is forwarded to another port on the server.
+In this case, the SSH client is listening for a connection and redirect it to another host via the SSH server.
+
+
+Local forwarding can be configured like that:
+
+```
+sh> ssh -L 80:10.1.1.X:80 10.11.1.251
+```
+
+This forwards the local port 80 via the SSH server to a host in the IT network.
+
+
+### 3.2 Remote Forwarding
+
+Remote forwarding works exactly the same, only from the SSH server towards the SSH client.
+
+Remote forwarding can be configured like that:
+
+```
+sh> ssh -R 8080:localhost:80 10.11.1.251
+```
+
+This forwards a incoming connection on the remote host (via port 8080) to localhost port 80 (the SSH client).
+
+
+## Resources:
+
+[pentest.blog](https://pentest.blog/explore-hidden-networks-with-double-pivoting/)
+[ssh.com](https://www.ssh.com/ssh/tunneling/example)
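Review bot: `set RHOSTS SRVHOST 10.11.0.143` in the socks4a block is not a valid msfconsole command (`set` takes one option name); it should be `set SRVHOST 10.11.0.143`, with the listening port left at the default 1080 that the proxychains entry expects. More important, binding SRVHOST, and likewise `ssh -D 10.11.0.143:1080` in Method 2, to the attacker's network-facing address exposes an unauthenticated SOCKS proxy into the IT network to anyone who can reach 10.11.0.143; proxychains runs on the same machine, so bind to 127.0.0.1 and change the `socks4` line in `/etc/proxychains.conf` to match. Three smaller points: the autoroute block never sets `SESSION 1` although the text names session 1 as the requirement, so `run` fails on a missing required option (add `set SESSION 1` before `run`); the network summary gives the attacker IP as a bare `10` while every command uses 10.11.0.143, which does not lie inside the stated public subnet 10.11.1.0/24, so either the address or the subnet is wrong; and `ssh -L 80:10.1.1.X:80` needs root because, as the quoted man page says, only the superuser can bind privileged ports, so use a high local port such as 8080. It is worth one sentence next to the nmap commands that `-sT -Pn` is not optional: SOCKS carries full TCP connections only, so SYN scans and ICMP host discovery cannot pass through the proxy. Typos in the text: "Szenario", "a exploited", "meanwile", "a incoming"; and the 3.1 description should say the local port is forwarded to a host reachable from the SSH server, not to "another port on the server".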

+ 82 - 0
cheatsheets/security/windows/exploiting-vulnerable-windows-services.md

@@ -0,0 +1,82 @@
+---
+title: Exploiting Vulnerable Windows Services
+categories: [cheatsheets]
+tags: [topic, windows, security]
+---
+
+# Exploiting Vulnerable Windows Services
+
+## Resources on Windows Service Exploitation
+
+* [Steam Client 0day](https://amonitoring.ru/article/onemore_steam_eop_0day/)
+* [Task Scheduler RPC Vulnerability](https://www.exploit-db.com/exploits/45280)
+
+
+## Inter Process Communication (IPC)
+
+1) Named Pipes
+2) Advanced Procedure Calls (APC)
+3) ...
+
+### Named Pipes
+
+* Named Pipes communicate via SMB
+* For every Named Pipe, the process maintains a handle which can be seen in ProcessExplorer (Sysinternals).
+    * Can be recognized by the name: `\Device\NamedPipe\<name>`
+
+* Creating a basic Named Pipe:
+
+```
+#include "pch.h"
+#include <Windows.h>
+#include <iostream>
+
+int main() {
+	LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";
+	BOOL isPipeOpen;
+
+	HANDLE serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);
+
+	BOOL isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
+	if (isPipeConnected) {
+		std::wcout << "Incoming connection to " << pipeName << std::endl;
+	}
+}
+```
+* -> Check the inputs for CreateNamedPipe() or ConnectNamePipe() while reversing.
+
+* For tasks without elevated privileges, the server can impersonate the clients token when communicating using `ImpersonateNamedPipeClient()`.
+
+
+
+### (Advanced/Local/Remote-) Procedure Calls
+
+* ALPC's are not directly available via the Windows API
+    * But used by Remote Procedure Calls and Local Procedure Calls internally (available via Windows API)
+* Used for fast inter-process communication
+
+#### Possible Vulnerabilities:
+
+1) Enumerate LPC/RPC calls from elevated services
+2) Reverse the LPC interfaces/endpoints
+3) Issue: Service should impersonate before executing something sensitive
+4) Check for changed ACL rules, executed files, read/write operations etc.
+
+
+## DLL Load Ordner Hijacking
+
+* Can be detected by using ProcMon.exe (Sysinternals)
+* Set Filters to:
+    * Path endswith ".dll"
+    * Path endswith ".DLL"
+    * Result contains "NOT FOUND"
+    * Operation is "CreateFile"
+    * Operation is "OpenFile"
+* **Required:** Writable directory in the %PATH% variable.
+
+
+
+
+
+
+
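Review bot: the CreateNamedPipe() call passes NULL as lpSecurityAttributes, and that is the argument the reversing hint below the block should name explicitly: the pipe's security descriptor decides whether an unprivileged client can connect to a service's pipe at all, so "Check the inputs for CreateNamedPipe()" should say to look at the DACL (the "ConnectNamePipe()" spelling in that bullet is also wrong; the API is ConnectNamedPipe). The sample never compares serverPipe against INVALID_HANDLE_VALUE and never closes the handle, so it calls ConnectNamedPipe on an invalid handle whenever creation fails. The impersonation bullet is too vague to be useful: the attack worth stating is a server (or an attacker who creates the pipe name first) impersonating a more privileged client, which in general needs SeImpersonatePrivilege on the server side for anything above identification level, and which a client defends against by opening the pipe with SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION. In the IPC list, "Advanced Procedure Calls (APC)" conflates two mechanisms: ALPC is the Advanced Local Procedure Call, while APC means Asynchronous Procedure Call, which is not an IPC facility; and "Named Pipes communicate via SMB" holds only for remote pipes, local ones are served by the Named Pipe File System driver. In the last section, "Load Ordner" should be "Load Order", and the stated requirement is narrower than the technique: a writable %PATH% directory is only the last stop in the search order, the application's own directory is searched first, so a writable application directory, or a DLL the service requests that exists nowhere on disk, is the more common finding. The file also ends with six blank `+` lines of trailing whitespace.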

+ 9 - 0
cheatsheets/security/windows/pentesting-windows.md

@@ -0,0 +1,9 @@
+---
+title: Pentesting Windows
+categories: [cheatsheets]
+tags: [topic]
+---
+
+# Pentesting Windows
+
+Ref: https://m0chan.github.io/2019/07/30/Windows-Notes-and-Cheatsheet.html
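Review bot: the front matter tags this page only `[topic]`, while the sibling file exploiting-vulnerable-windows-services.md in the same commit uses `[topic, windows, security]` and the other pages carry `security`; use the same tags here so the page appears under the windows and security filters. The reference is also a bare URL where the other new pages use a markdown link with a title.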