
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security, Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to Change Everything, like Mindset Goal.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • Wireshark Packet Navigation

     


     

     

    Wireshark Packet Navigation


    Packet Numbers


    Wireshark calculates the number of investigated packets and assigns a unique number for each packet. This helps the analysis process for big captures and makes it easy to go back to a specific point of an event.


     


    Go to Packet


    Packet numbers do not only help to count the total number of packets or make it easier to find/investigate specific packets. This feature not only navigates between packets up and down; it also provides in-frame packet tracking and finds the next packet in the particular part of the conversation. You can use the "Go" menu and toolbar to view specific packets.




    Find Packets


    Apart from packet number, Wireshark can find packets by packet content. You can use the "Edit --> Find Packet" menu to make a search inside the packets for a particular event of interest. This helps analysts and administrators to find specific intrusion patterns or failure traces.

    There are two crucial points in finding packets. The first is knowing the input type. This functionality accepts four types of inputs (Display filter, Hex, String and Regex). String and regex searches are the most commonly used search types. Searches are case insensitive, but you can set the case sensitivity in your search by clicking the radio button.

    The second point is choosing the search field. You can conduct searches in the three panes (packet list, packet details, and packet bytes), and it is important to know the available information in each pane to find the event of interest. For example, if you try to find the information available in the packet details pane and conduct the search in the packet list pane, Wireshark won't find it even if it exists.

     

     



    Mark Packets


    Marking packets is another helpful functionality for analysts. You can find/point to a specific packet for further investigation by marking it. It helps analysts point to an event of interest or export particular packets from the capture. You can use the "Edit" or the "right-click" menu to mark/unmark packets.

    Marked packets will be shown in black regardless of the original colour representing the connection type. Note that marked packet information is renewed every file session, so marked packets will be lost after closing the capture file.

     



    Packet Comments


    Similar to packet marking, commenting is another helpful feature for analysts. You can add comments for particular packets that will help the further investigation or remind and point out important/suspicious points for other layer analysts. Unlike packet marking, the comments can stay within the capture file until the operator removes them.

     

     


    Export Packets


    Capture files can contain thousands of packets in a single file. As mentioned earlier, Wireshark is not an IDS, so sometimes it is necessary to separate specific packets from the file and dig deeper to resolve an incident. This functionality helps analysts share only the suspicious packets (decided scope), so redundant information is not included in the analysis process. You can use the "File" menu to export packets.

     

     


    Export Objects (Files)


    Wireshark can extract files transferred through the wire. For a security analyst, it is vital to discover shared files and save them for further investigation. Exporting objects is available only for selected protocols' streams (DICOM, HTTP, IMF, SMB and TFTP).

     



    Time Display Format


    Wireshark lists the packets as they are captured, so investigating the default flow is not always the best option. By default, Wireshark shows the time in "Seconds Since Beginning of Capture"; a common practice is to use the UTC Time Display Format for a better view. You can use the "View --> Time Display Format" menu to change the time display format.

     

     


    Expert Info


    Wireshark also detects specific states of protocols to help analysts easily spot possible anomalies and problems. Note that these are only suggestions, and there is always a chance of having false positives/negatives. Expert info can provide a group of categories in three different severities. Details are shown in the table below.

     

     


    Frequently encountered information groups are listed in the table below. You can refer to Wireshark's official documentation for more information on the expert information entries.

     



    You can use the "lower left bottom section" in the status bar or "Analyse --> Expert Information" menu to view all available information entries via a dialogue box. It will show the packet number, summary, group protocol and total occurrence.

     

     


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


     

  • HACK Your Offensive Security Side


    HACK Your Offensive Security Side

     


    In short, offensive security is the process of breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access to them.


    To beat a hacker, you need to behave like a hacker, finding vulnerabilities and recommending patches before a cybercriminal does.

    On the flip side, there is also defensive security, which is the process of protecting an organization's network and computer systems by analyzing and securing any potential digital threats; learn more in the digital forensics room.

    In a defensive cyber role, you could be investigating infected computers or devices to understand how they were hacked, tracking down cybercriminals, or monitoring infrastructure for malicious activity.


    Practical


    First of all, note that everything used in these exercises is a fake simulation, so don't panic and don't go over to the dark side, okay!


    Find hidden website pages



    Most companies will have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Often these pages are not made private, allowing attackers to find hidden pages that show, or give access to, admin controls or sensitive data.



    Type the following command into the terminal to find potentially hidden pages on FakeBank's website using GoBuster (a command-line security application).


    gobuster -u http://420fakebank.co.uk -w wordlist.txt dir





    In the command above, -u is used to state the website we're scanning, -w takes a list of words to iterate through to find hidden pages.

    You will see that GoBuster scans the website with each word in the list, finding pages that exist on the site. GoBuster will have told you the pages it found in the list of page/directory names (indicated by Status: 200).
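
    Seen from the web server, a wordlist scan like this is one client requesting many distinct paths in a short time, most of them answered with 404. The block below is an added example, not part of the original exercise: it flags that pattern in an access log and lists the paths that did not 404, such as /bank-transfer. The log lines are constructed, and the function names and thresholds are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/Combined Log Format prefix: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore query strings
    return m["ip"], ts, path, int(m["status"])


def detect_enumeration(lines, window=timedelta(seconds=60),
                       min_paths=8, min_miss_ratio=0.7):
    """Flag clients that probe many distinct paths, mostly 404s, inside `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])

    findings = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        best_burst, best_paths = [], set()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            paths = {p for _, p, _ in burst}
            if len(paths) > len(best_paths):
                best_burst, best_paths = burst, paths
        misses = sum(1 for _, _, status in best_burst if status == 404)
        ratio = misses / len(best_burst)
        if len(best_paths) >= min_paths and ratio >= min_miss_ratio:
            findings.append({
                "ip": ip,
                "requests": len(best_burst),
                "distinct_paths": len(best_paths),
                "miss_ratio": round(ratio, 2),
                # Paths that did NOT 404 are what the scan revealed: review these first.
                "exposed": sorted({p for _, p, s in best_burst if s != 404}),
            })
    return findings


def sample_log():
    """Constructed log: one normal visitor and one wordlist scan (documentation IPs)."""
    lines = [
        '198.51.100.7 - - [10/Mar/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120',
        '198.51.100.7 - - [10/Mar/2024:09:00:02 +0000] "GET /style.css HTTP/1.1" 200 830',
        '198.51.100.7 - - [10/Mar/2024:09:00:40 +0000] "GET /login HTTP/1.1" 200 2210',
    ]
    words = ["admin", "backup", "images", "config", "test", "old",
             "bank-transfer", "dev", "private", "secret", "staff", "upload"]
    found = {"images": 301, "bank-transfer": 200}
    for n, word in enumerate(words):
        status = found.get(word, 404)
        lines.append(
            f'203.0.113.50 - - [10/Mar/2024:09:05:{n:02d} +0000] '
            f'"GET /{word} HTTP/1.1" {status} 512'
        )
    return lines


if __name__ == "__main__":
    for finding in detect_enumeration(sample_log()):
        print(finding)
```

    A page that moves money should not be reachable just by knowing its name; the "exposed" list is where to check that authentication and authorisation are enforced.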




    Hack the bank


    You should have found a secret bank transfer page that allows you to transfer money between accounts at the bank (/bank-transfer). Type the hidden page into the FakeBank website on the machine.

     

     




    This page allows an attacker to steal money from any bank account, which is a critical risk for the bank. As an ethical hacker, you would (with permission) find vulnerabilities in their application and report them to the bank to fix before a hacker exploits them.

     

     



    Transfer $2000 from the bank account 2276, to your account (account number 8881).





    How can I start learning?


    People often wonder how others become hackers (security consultants) or defenders (security analysts fighting cybercrime), and the answer is simple. Break it down, learn an area of cyber security you're interested in, and regularly practice using hands-on exercises. Build a habit of learning a little bit each day on different types of website, and you'll acquire the knowledge to get your first job in the industry.




  • web5 is here

     

    web5 is here web2+web3

     

     

    Currently we are working on web 2 and we are excited about web 3, and then Jack Dorsey says, hey, we are coming up with web 5. That is correct, but then why do we need web 3 and web 5 when we have web 2?

    Now think about this: what is happening in the web 2 world? Basically it provides you with multiple services. We have so many websites and so many applications, and they provide you some awesome services. The only problem is that for every different service you have to provide your information: you share your personal information, you share your posts, you share your photos, you share your location, and all this data is there with that particular website. That is okay, right? Not exactly. You're not sure how they are using that data: maybe they're using your data for marketing purposes, maybe they're using your data to sell to someone, or maybe they are using your data to influence you. So that's one thing.

    And again, you might be thinking that when you upload a photo on a website, or when you upload a post somewhere, you own that data. Not exactly: the company owns your data, not just your posts and photos but your personal data as well. So that's one issue. The second issue: let's say you are using a particular service, maybe Apple Music. If you want to use that service, you share information: your email ID, phone number and all the details, and then you enjoy that particular service. But what if you want to move to some other service?

    You have to go to that particular website or app and share your information, and only then can you access that particular service. So basically, if you want to switch, you again have to share the information, and these companies actually lock your data with them; you can't even delete it. Of course, with the help of GDPR it may be possible, but not in all countries. So these companies actually hold your information. Can we do it this way: can we just reverse it? Can we say, hey, let me hold my information?

    I have a box here. In this box I will have my information, and if you want to provide that particular service, you have to request the data. I will give you the data, and then I'll be there. Of course, you don't have to share everything: you just have to share that you have an identity, and maybe a particular key, and they can verify that you are who you claim to be. So that's the box I want.

    That's the wallet; that's the right word. In terms of web 3 we call it a wallet, which has your identity. So that's why we were going for web3, right? And that's where Jack Dorsey, the founder of Twitter, says, hey, we have a better solution, let's go for web 5, which is actually a combination of web 2, all the services, and web 3 technology. That's your web 5, and it is actually built on the Bitcoin blockchain. So basically web5 provides you with decentralized identity and storage for your applications. To learn more, let's go to that particular website. This is basically the company by Jack Dorsey, a blockchain project company; it was formerly called Square and now has a different name. They're coming up with web 5: it's an extra decentralized web platform, and you can see this is actually a combination of web 2 and web3.

    If you want to learn more about it, there's an amazing PDF available; you can just explore that PDF. In fact, I will show you some of the introduction part as well. What they are providing you with is, first, wallets; they are providing decentralized web applications (in the web3 world we call them dapps); and they are also giving you decentralized web nodes, the blockchain nodes. If you explore this PDF, which is an amazing PDF to go through, this is the same thing I've explained: basically, to access anything on the web you have to share information with each service. But how about this: can we just have one particular identity that we can share with multiple services, without even having to share information? Basically you will own your data, and that's what I have actually been talking about for a long time on this channel. Basically we need privacy, where you have the power and the hold on your own data.

     



     


    So, we have talked about this: it is actually web 2 and web3 that create web 5, and this is interesting. Decentralized web applications enable developers to write dapps, or decentralized web applications, using the identifiers. Basically you'll have your own identities, and this identity is actually verifiable on the chain or on the network. The important thing is that they don't have a token here, so don't think about the pricing of a token or the inflation of tokens; that's a different thing.

    We don't have any tokens here, and there are decentralized web nodes, and they are combining everything to give you web 5. In fact, this is just an introduction video on web5; I have not gone through the entire documentation on how it will work or what kind of applications you can build, but this looks like a promising start. But again, my bet is on web3: web5 is just an implementation, just an idea, so it's not a replacement for web3. In fact, on Twitter I saw this amazing tweet: in web 1, scientists were in the driver's seat; in web 2, techno-entrepreneurs were in the driver's seat; in web 3, it is VCs, because the entire web 3 is funded by VCs. Again, it's a promising start, but what about web 5? Jack Dorsey said it is for the people; people will be driving it, and that looks promising. So in future, for sure, we are moving from web 2 to web 3, or web 2 to web 5; it doesn't matter. Whatever people are claiming, that it's a scam or something, is maybe lack of knowledge, but blockchain is there, blockchain will be coming, and then it will disrupt the entire ecosystem. Most companies are using private blockchains because they don't want to share the data with the world; they want to use it for their own use cases, maybe supply chain, maybe hospital management, or all those use cases, and then for the consumer side.

     

     


  • Dig Dug DNS Server Enumeration

     

    Dig Dug DNS Server Enumeration

     




    Turns out this machine is a DNS server - it's time to get your shovels out


    Oooh, turns out, this 10.10.5.208 machine is also a DNS server! If we could dig into it, I am sure we could find some interesting records! But... it seems weird, this only responds to a special type of request for a givemetheflag.com domain?
     

    Use some common DNS enumeration tools installed on the AttackBox to get the DNS server on 10.10.5.208 to respond with the flag.


     

    First, it is worth checking which ports are open on the machine, but we will jump directly into DNS enumeration. If you want to do DNS enumeration with dnspython you can, but first we will use the DNS tools available in Linux, and after that we will make a DNS tool with the Python programming language.



    Dig


    Dig is a versatile DNS lookup utility that can query domain name server records. Using Dig, we can get the flag by specifying the name server (target host’s address), the domain name, and A at the end to establish we are looking for the A record.


    When you visit a website in your web browser this all happens automatically, but we can also do it manually with a tool called dig. Like ping and traceroute, dig should be installed automatically on Linux systems.


    Dig allows us to manually query recursive DNS servers of our choice for information about domains:
    dig <domain> @<dns-server-ip>

    It is a very useful tool for network troubleshooting.


     


     

     

    dig @10.10.5.208 givemetheflag.com A 

     

     


     

     

    nslookup


    nslookup is another excellent tool for querying domain name servers. Using the target host IP as the DNS server, we can query the A record to get the flag.


     


     

     

     

      
      ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
    └─$ nslookup -type=A givemetheflag.com 10.10.5.208                                                                                                                  1 ⨯
    Server:         10.10.5.208
    Address:        10.10.5.208#53
    
    givemetheflag.com       text = "flag{0767ccd06e79853318f25aeb08ff83e2}"
    
                                                                                                                                                                            
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
    └─$ 
      

     

     

    DNS in python 


    dnspython is a DNS toolkit for Python. It supports almost all record types. It can be used for queries, zone transfers, and dynamic updates. It supports TSIG authenticated messages and EDNS0.

    dnspython provides both high and low level access to DNS. The high level classes perform queries for data of a given name, type, and class, and return an answer set. The low level classes allow direct manipulation of DNS zones, messages, names, and records.

     

     

     

    ┌──(test)─(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
    └─$ cat dns-find.py                                                                                                                                                 1 ⨯
    #!/usr/bin/python
    #import dnspython as dns
    import dns
    #import dns.resolver
    from dns import resolver
    
    #result = dns.resovler.query('hackingtruth.org', 'A')
    
    result = dns.resolver.resolve('google.com', 'A')
    for ipval in result:
        print('IP', ipval.to_text())
                                                                                                                                                                            
    ┌──(test)─(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python]
    └─$ 
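
    What dig and nslookup put on the wire for the query above can be built and decoded with the standard library alone. The block below is an added example, not part of the original walkthrough: it builds the A query for givemetheflag.com, parses a constructed reply (the TXT text is a made-up placeholder, not the room's flag), and lists answers whose type differs from the one asked for, as in the nslookup output above where a -type=A query prints a "text =" answer. The function names are my own, and query_server is the only part that needs network access.

```python
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """'a.example' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Wire form of `dig @server name qtype`: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return the transaction id, rcode and decoded answer records."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 16:  # TXT: one or more length-prefixed strings
            parts, i = [], 0
            while i < rdlen:
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            value = "".join(parts)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
                        "ttl": ttl, "value": value})
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def answers_of_other_type(qtype, parsed):
    """Answers whose type is not the one asked for (a CNAME to an A query is routine)."""
    return [a for a in parsed["answers"] if a["type"] != qtype]


def sample_response(query, text):
    """Constructed reply: echoes the question and answers it with one TXT record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA
    raw = text.encode("ascii")
    rdata = bytes([len(raw)]) + raw
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + query[12:] + answer


def query_server(server, name, qtype="A", timeout=3.0):
    """Send the query over UDP port 53 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        return parse_response(sock.recvfrom(4096)[0])


if __name__ == "__main__":
    q = build_query("givemetheflag.com", "A")
    reply = parse_response(sample_response(q, "flag{constructed-sample}"))
    print(reply)
    print(answers_of_other_type("A", reply))
```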
    
    

     

     


     

     

     





  • TryHackMe Embedded Macros in Word Mr. Phisher Walkthrough

     

    TryHackMe Embedded Macros in Word Mr. Phisher Walkthrough

     

     

    We'll be looking at a TryHackMe room called MrPhisher. It says: "I received a suspicious email with a very weird looking attachment. It keeps on asking me to enable macros. What are those?" This straight away gives us a hint that we are going to deal with macros. A macro is a script that you can embed in an Excel or Word file to automate things to an extent. Nothing challenging: it just says that the files you need are located in /home/ubuntu/mrphisher on the virtual machine, and I have the VM (virtual machine) open right here.
     

     

    When we start the machine, we find two files in the home directory. “MrPhisher.docm” is a document with the ability to run macros, and the zip file contains the same file, compressed.

     

     

     


    If we open the file, we see that the document does indeed contain macros.

     



    The document shows this one image.


    Now, to view and edit macros using Libre Office, go to Tools menu, choose Macros > Edit Macros. This opens a list of macros available in the currently open document.



    This macro contains a visual basic script...

     

    If you want to copy this file to your local machine, you can do it with netcat. To make the analysis easier and to be able to download the needed tools, I transferred the file to my local machine with netcat.

     

    Local machine (setting the listener and getting the file):


    nc -nlvp <PORT> > MrPhisher.docm


    Remote machine:


    nc <IP> <PORT> < MrPhisher.docm



    As a note, it is important to verify the integrity of the transferred file; in the previous images you can see I checked the MD5 hash, and it’s the same.

    via md5sum

    md5sum MrPhisher.docm
     


    But we will work directly in the VM. The macro code is here:

     

     

     

    Rem Attribute VBA_ModuleType=VBAModule
    Option VBASupport 1
    
    Sub Format()
    
    Dim a()
    
    Dim b As String
    
    a = Array(102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88)
    
    For i = 0 To UBound(a)
    
    b = b & Chr(a(i) Xor i)
    
    Next
    
    End Sub
    

     

     

     

    Three things are done here:

    •     An XOR operation is done with a value and its index in the array.
    •     The result of this operation is converted to a character.
    •     This character is appended to a string. The resulting string is a flag for this challenge.



    I wrote a Python script to solve this challenge. The code can be found down below.

     

     

    #!/usr/bin/env python3

    # Values array copied from the macro
    a = [102, 109, 99, 100, 127, 100, 53, 62, 105, 57, 61, 106, 62, 62, 55, 110, 113, 114, 118, 39, 36, 118, 47, 35, 32, 125, 34, 46, 46, 124, 43, 124, 25, 71, 26, 71, 21, 88]

    # XOR each value with its index and convert the result to a character
    flag = [chr(value ^ i) for i, value in enumerate(a)]

    # Join the characters into the flag string
    print("".join(flag))
    

     

     

    Let's run it

     

     

    ubuntu@thm-mr-phisher:~/mrphisher$ nano hackingtruth-oledump.py
    ubuntu@thm-mr-phisher:~/mrphisher$ nano hackingtruth-oledump.py
    ubuntu@thm-mr-phisher:~/mrphisher$ nano hackingtruth-oledump.py
    ubuntu@thm-mr-phisher:~/mrphisher$ python3 hackingtruth-oledump.py
    flag{a39a07a239aacd40c948d852a5c9f8d1}
    ubuntu@thm-mr-phisher:~/mrphisher$ #hackingtruth.org
    ubuntu@thm-mr-phisher:~/mrphisher$ #hackingtruth.in
    ubuntu@thm-mr-phisher:~/mrphisher$ 
    
    
    

     

     

    Done.

     

     




  • CVE-2022-26923 A AD Certificate Services

     

    CVE-2022-26923 A AD Certificate Services



    A certificate signing request (CSR) is one of the first steps towards getting your own SSL/TLS certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate.



    This website explores CVE-2022-26923, a vulnerability in Microsoft's Active Directory Certificate Services (AD CS) that allows any AD user to escalate their privileges to Domain Admin in a single hop!



    A brief look at certificate templates


    Windows Active Directory (AD) is not just for identity and access management but provides a significant amount of services to help you run and manage your organisation. Many of these services are less commonly known or used, meaning they are often overlooked when security hardening is performed. One of these services is the Active Directory Certificate Services (AD CS).

    When talking about certificates, we usually only think about the most common ones, such as those used to upgrade website traffic to HTTPS. But these are generally only used for applications that the organisation exposes to the internet. What about all those applications running on the internal network? Do we now have to give them internet access to allow them to request a certificate from a trusted Certificate Authority (CA)? Well, not really. Cue AD CS.

    AD CS is Microsoft's Public Key Infrastructure (PKI) implementation. Since AD provides a level of trust in an organisation, it can be used as a CA to prove and delegate trust. AD CS is used for several things, such as encrypting file systems, creating and verifying digital signatures, and even user authentication, making it a promising avenue for attackers. What makes it an even more dangerous attack vector, is that certificates can survive credential rotation, meaning even if a compromised account's password is reset, that will do nothing to invalidate the maliciously generated certificate, providing persistent credential theft for up to 10 years! The diagram below shows what the flow for certificate requests and generation looks like.

     







    Since AD CS is such a privileged function, it normally runs on selected domain controllers. Meaning normal users can't really interact with the service directly. On the other side, organisations tend to be too large to have an administrator create and distribute each certificate manually. This is where certificate templates come in. Administrators of AD CS can create several templates that can allow any user with the relevant permissions to request a certificate themselves. These templates have parameters that say which user can request the certificate and what is required. What SpecterOps has found, was that specific combinations of these parameters can be incredibly toxic and be abused for privilege escalation and persistent access!



    Before we dive deeper into certificate abuse, some terminology:


    • PKI - Public Key Infrastructure is a system that manages certificates and public key encryption
    • AD CS - Active Directory Certificate Services is Microsoft's PKI implementation which usually runs on domain controllers
    • CA - Certificate Authority is a PKI that issues certificates
    • Certificate Template - a collection of settings and policies that defines how and when a certificate may be issued by a CA
    • CSR - Certificate Signing Request is a message sent to a CA to request a signed certificate
    • EKU - Extended/Enhanced Key Usage are object identifiers that define how a generated certificate may be used





    1) What does the user create to ask the CA for a certificate?

    Ans :- Certificate Signing Request



    2) What is the name of Microsoft's PKI implementation?

    Ans :- Active Directory Certificate Services




    Client Authentication


    As discussed in the overview of Certificate Templates, they are convenient to allow users and systems to enrol for certificates. Certificates have many use cases in the network. For CVE-2022-26923 and the template misconfigurations discovered by SpecterOps, the primary focus is on the Client Authentication use case.


    Client Authentication allows the owner of the certificate to use it to verify their own identity in AD for authentication purposes. For example, a client certificate is used to authenticate against a web application. The authentication process occurs through Kerberos. If we have a valid certificate that has the Client Authentication EKU, we can interface with AD CS and the Key Distribution Centre to request a Kerberos TGT that can then be used for further authentication.


    As an attacker, we can leverage this to generate a TGT to impersonate another user or system, should we have a valid certificate for them. In essence, to perform privilege escalation we want to be able to modify the Subject Alternative Name (SAN) attribute of the certificate request so that it points to someone or something else that has more permissions.




    Default Certificate Templates


    By default, when AD CS is installed in an environment, two certificate templates are made available for requests that support Client Authentication:


    User Certificate Template - This certificate template can be requested by any user that belongs to the Domain Users group.

    Machine Certificate Template - This certificate template can be requested by any host that belongs to the Domain Computers group.



    The User Template is not vulnerable by default. When we request a certificate based on the User template, the User Principal Name (UPN) of the user account will be embedded in the SAN, where it can be used for identification. Since UPNs must be unique, and we usually do not have the ability to modify our UPN, we cannot leverage this template. Furthermore, since we don't have the ability to alter the SAN value in the certificate signing request, we cannot impersonate another user by specifying their UPN.


    However, computer accounts do not have a UPN. Instead of using a UPN for authentication, the Machine template uses the DNS Name of the machine for identification and authentication. When a certificate is requested for a machine through the Machine template, AD CS embeds the machine's DNS Name into the SAN, which is then used for authentication.




    Default Domain User Privileges


    By default, any user who is a member of the Authenticated Users group (literally all AD accounts) can enrol up to 10 new machines on the domain. This is often used in organisations to allow users to bring their own device (BYOD) and enrol it for use on the domain. This in itself is not really a vulnerability, but it has led to some interesting privilege escalation vectors in the past, and it is exactly what we will be exploiting for this CVE.


    When we enrol a new host in AD, we are assigned as the owner of that host. This provides us with certain permissions over the AD Object associated with that host. Two permissions in particular cause an issue here:


    Validate write to DNS hostname - This permission allows us to update the DNS hostname of our AD Object associated with the host.

    Validate write to Service Principal Name (SPN) - This permission allows us to update the SPN of our AD Object associated with the host.


    SPNs are used by Kerberos authentication to associate a service instance with a service logon account. By default, the Computer AD Object receives SPNs associated with their name to allow for Kerberos authentication, which the host requires to perform specific requests against AD. SPNs must be unique, meaning two AD Objects are not allowed to have the same SPN.


    You would think it would be as simple as changing the DNS hostname to another hostname, maybe the hostname of a Domain Controller for privilege escalation? However, if you change the DNS hostname, Microsoft automatically updates the SPN attribute. Since those must be unique, we will get an error if we try to impersonate another host through the DNS hostname attribute. But since we have the ability also to change the SPN, we can bypass this restriction.


    The pieces of the puzzle should now start to come together. If we only had one of the two permissions, we would not have a vulnerability.  However, the combination of having those two permissions allows us to perform privilege escalation.




    Putting it all Together


    Using these configurations, the default AD CS Machine certificate template, the default ability to enrol a new machine, and the default permissions assigned on the created Computer AD Object, we have a privilege escalation vector on our hands. What makes it worse is that this privilege escalation vector requires minimal effort, meaning the attacker's skill level to exploit this issue is quite low. The basic steps are the following:



    1. Compromise the credentials of a low-privileged AD user.
    2. Use those credentials to enrol a new host on the domain.
    3. Alter the DNS hostname attribute of the Computer AD Object to that of a privileged host, such as a Domain Controller.
    4. Remove the SPN attributes to bypass the unique SPN conflict issue.
    5. Request a Machine certificate using the default template.
    6. Perform Kerberos authentication with the received template, now as the privileged machine account instead of our fake machine account.
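
    One way to audit a directory for the object state that steps 3 and 4 leave behind, as an added example that is not part of the original walkthrough. It assumes computer objects have been exported into dictionaries keyed by the standard AD attribute names; the function names and every sample value are constructed for illustration.

```python
"""Audit exported computer objects for a spoofed dNSHostName and cleared SPNs."""
from collections import defaultdict

# Constructed sample export (all names, hosts and SIDs are made up).
# mS-DS-CreatorSID is populated when a non-administrative user joined the machine.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.lab.example",
     "servicePrincipalName": ["HOST/dc01.lab.example", "HOST/DC01",
                              "ldap/dc01.lab.example"],
     "mS-DS-CreatorSID": None},
    {"sAMAccountName": "WS042$", "dNSHostName": "ws042.lab.example",
     "servicePrincipalName": ["HOST/ws042.lab.example", "HOST/WS042",
                              "RestrictedKrbHost/ws042.lab.example"],
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"sAMAccountName": "NEWPC$", "dNSHostName": "DC01.lab.example",
     "servicePrincipalName": [],
     "mS-DS-CreatorSID": "S-1-5-21-1111111111-2222222222-3333333333-1107"},
]


def host_label(fqdn):
    """First DNS label of a host name, lower-cased."""
    return fqdn.split(".", 1)[0].lower()


def audit_computers(computers):
    """Return {sAMAccountName: [reasons]} for objects worth investigating."""
    # Index every object by its DNS host name so collisions are visible.
    by_dns = defaultdict(list)
    for c in computers:
        if c.get("dNSHostName"):
            by_dns[c["dNSHostName"].lower()].append(c["sAMAccountName"])

    findings = {}
    for c in computers:
        sam = c["sAMAccountName"]
        dns = (c.get("dNSHostName") or "").lower()
        if not dns:
            continue
        reasons = []
        # A normally joined machine has a dNSHostName derived from its own name.
        name_matches = host_label(dns) == sam.rstrip("$").lower()
        if not name_matches:
            reasons.append("dNSHostName does not match sAMAccountName")
        # Only the object whose name does not fit is reported as the duplicate.
        others = [s for s in by_dns[dns] if s != sam]
        if others and not name_matches:
            reasons.append("dNSHostName duplicates " + ", ".join(sorted(others)))
        # The host part of an SPN sits between the first "/" and any ":port".
        spn_hosts = {spn.split("/")[1].split(":")[0].lower()
                     for spn in c.get("servicePrincipalName", []) if "/" in spn}
        if dns not in spn_hosts:
            reasons.append("no SPN references dNSHostName")
        if reasons and c.get("mS-DS-CreatorSID"):
            reasons.append("created by non-admin " + c["mS-DS-CreatorSID"])
        if reasons:
            findings[sam] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in audit_computers(SAMPLE_COMPUTERS).items():
        print(account, "->", "; ".join(reasons))
```

    A computer object that is flagged for all of these reasons at once matches the combination described above and deserves a closer look at who created it and which certificates were issued to it.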

       
       



    1) Which EKU allows us to use the generated certificate for Kerberos authentication?

    Ans :- Client Authentication



    2) What AD group can request a certificate using the Machine Certificate Template?

    Ans :- Domain Controller



    3) What value in the Machine Certificate is used for identification and authentication?

    Ans :- DNS Hostname



    To be continued... Exploitation soon





    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • chattr Command with Permissions and Attributes on Linux


     


     

     

    Apart from the usual read, write, and execute file permissions, Linux files have another set of attributes that control other characteristics of the file.


    Permissions and Attributes


    In Linux, who can access a file and what they can do with it is controlled by a user-centric set of permissions. Whether you can read the contents of a file, write new data into the file, or execute a file if it is a script or a program, is all governed by that set of permissions. The permissions are applied to the file, but they define the restrictions and capabilities for different categories of user.

    There are permissions for the owner of the file, for the group of the file, and for others—that is, users who are not in the first two categories. You can use the ls command with the -l (long listing) option to see the permissions on a file or directory.

    We can see that file permissions are user-centric because they can be removed at the user level. By contrast, the attributes of a file are file system-centric. Like permissions, they're set on the file or directory. But once they're set, they're the same for all users.

    Attributes are a separate collection of settings from permissions. Attributes control characteristics such as immutability and other file system-level behaviors. To see the attributes of a file or directory we use the lsattr command. To set the attributes we use the chattr command.


    Inode File system 


    Permissions and attributes are stored inside inodes. An inode is a file system structure that holds information about file system objects such as files and directories. A file’s location on the hard drive, its creation date, its permissions, and its attributes are all stored within its inode.

    Because different file systems have different underlying structures and capabilities, attributes can behave differently—or be completely ignored—by some file systems. In this article, we’re using ext4 which is the default file system for many Linux distributions.



    Looking at a File’s Attributes


    The chattr and lsattr commands will already be present on your computer so there’s no need to install anything.

    To check the attributes on the files in the current directory, use lsattr:

    lsattr



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr 
    --------------e------- ./f.txt
    --------------e------- ./a.txt
    --------------e------- ./e.txt
    --------------e------- ./g.txt
    --------------e------- ./b.txt
    --------------e------- ./atul.txt
    --------------e------- ./hackingtruth.txt
    --------------e------- ./c.txt
    --------------e------- ./d.txt
    --------------e------- ./atulkumar.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
     
     
     


     

     The dashed lines are placeholders for attributes that are not set. The only attribute that is set is the e (extents) attribute. This shows that the file system inodes are using—or will use if required—extents to point to all portions of the file on the hard drive.


    If the file is held in one contiguous sequence of hard drive blocks, its inode only has to record the first and last blocks used to store the file. If the file is fragmented, the inode has to record the number of the first and last block of each piece of the file. These pairs of hard drive block numbers are called extents.



    This is the list of the most commonly used attributes.


    a: Append only. A file with this attribute can only be appended to. It can still be written to, but only at the end of the file. It is not possible to overwrite any of the existing data within the file.


    c: Compressed. The file is automatically compressed on the hard drive and uncompressed when it is read. Data written to the files is compressed before it is written to the hard drive.


    A: No atime updates. The atime is a value in an inode that records the last time a file was accessed.


    C: No copy-on-write. If two processes request access to a file, they can be given pointers to the same file. They are only given their own unique copy of the file if they try to write to the file, making it unique to that process.


    d: No dump. The Linux dump command is used to write copies of entire file systems to backup media. This attribute makes dump ignore the file. It is excluded from the backup.


    D: Synchronous directory updates. When this attribute is turned on for a directory, all changes to that directory are written synchronously—that is, immediately—on the hard drive. Data operations can be buffered.


    e: Extent format. The e attribute indicates that the file system is using extents to map the location of the file on the hard drive. You cannot change this with chattr. It is a function of the operation of the file system.


    i: Immutable. An immutable file cannot be modified, including renaming and deleting. The root user is the only person who can set or unset this attribute.


    s: Secure deletion. When a file with this attribute set is deleted, the hard drive blocks that held the file data are overwritten with bytes containing zeroes. Note that this is not honored by the ext4 file system.


    S: Synchronous updates. Changes to a file with its S attribute set are written to the file synchronously.


    u: Deleting a file that has its u attribute set causes a copy of the file to be made. This can be beneficial to file recovery if the file was removed in error.




    Changing a File’s Attributes



    The chattr command lets us change the attributes of a file or directory. We can use the + (set) and - (unset) operators to apply or remove an attribute, similar to the chmod command and permissions.

    The chattr command also has an = (set only) operator. This sets the attributes of a file or directory to only the attributes that are specified in the command. That is, all attributes not listed on the command line are unset.



    Setting the Append Only Attribute



    If we set the a (append only) attribute on a file and then try to overwrite it or change its existing contents, the operation fails, because a file with this attribute can only be appended to. It can still be written to, but only at the end of the file. It is not possible to overwrite any of the existing data within the file.






    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ echo "Qm9iIC0gIVBAJCRXMHJEITEyMw== | base64 -d" > atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ cat atul.txt      
    Qm9iIC0gIVBAJCRXMHJEITEyMw== | base64 -d
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ sudo chattr +a atul.txt                                   
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr
    --------------e------- ./f.txt
    --------------e------- ./a.txt
    --------------e------- ./e.txt
    --------------e------- ./g.txt
    --------------e------- ./b.txt
    -----a--------e------- ./atul.txt
    --------------e------- ./hackingtruth.txt
    --------------e------- ./c.txt
    --------------e------- ./d.txt
    --------------e------- ./atulkumar.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ echo "Qm" > atul.txt 
    zsh: operation not permitted: atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$               
    
    
    
    
    

     

    We’ll redirect the output from ls into the file:

    ls -l > text-file.txt

    sudo ls -l > text-file.txt



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr atul.txt
    -----a--------e------- atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ ls -la > atul.txt 
    zsh: operation not permitted: atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ sudo ls -la > atul.txt                                                                                                                              1 ⨯
    zsh: operation not permitted: atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$                                                                                                                                                     1 ⨯
    
    
    
    






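    The operation is not permitted, even if we use the sudo command. Note that in sudo ls -la > atul.txt the redirection is performed by our own shell rather than by root, so this command alone does not test root's access; the rm test further down shows that root is blocked as well.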

    If we use two angle brackets  “>>” to redirect output it is appended to the existing data in the file. That should be acceptable to our append-only text file.

    sudo ls -l >> text-file.txt


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr atul.txt     
    -----a--------e------- atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ cat  atul.txt 
    Qm9iIC0gIVBAJCRXMHJEITEyMw== | base64 -d
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ sudo ls -l >> atul.txt 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ cat  atul.txt
    Qm9iIC0gIVBAJCRXMHJEITEyMw== | base64 -d
    total 8
    -rwxrwxrwx 1 root      1006  0 May  2 08:57 atulkumar.txt
    -rw-r--r-- 1 hackerboy root 41 May  3 12:59 atul.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 a.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 b.txt
    -rwxrwxrwx 1 hackerboy root 40 May  3 13:01 c.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 d.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 e.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 f.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 g.txt
    -rwxrwxrwx 1 root      1006  0 May  2 08:57 hackingtruth.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
    
    
    
    






    Although we can append data to the file, that is the only change we can make to it. We can’t delete it and neither can root.

    rm text-file.txt

    sudo rm text-file.txt





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr atul.txt       
    -----a--------e------- atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ rm atul.txt         
    rm: cannot remove 'atul.txt': Operation not permitted
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ sudo rm atul.txt                                                                                                                                    1 ⨯
    rm: cannot remove 'atul.txt': Operation not permitted
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$                                                                                                                                                     1 ⨯
    
    
    
    






    Don’t Rely on Secure Deletion on ext4



    As we pointed out, some file systems do not support all of the attributes. The secure delete attribute is not honored by the ext family of file systems, including ext4. Don’t rely on this for the secure deletion of files.

    It’s easy to see that this doesn’t work in ext4. We’ll set the s (secure deletion) attribute on a text file.



    sudo chattr +s atul.txt




    What we’re going to do is find out the inode that holds the metadata about this file. The inode holds the first hard drive block occupied by the file. The file contains some lorem ipsum placeholder text.

    We’ll read that block directly from the hard drive to verify we’re reading the correct hard drive location. We’ll delete the file and then read that same hard drive block once more. If the secure deletion attribute is being honored, we should read zeroed bytes.

    We can find the inode of the file by using the hdparm command with the --fibmap (file block map) option.

    sudo hdparm --fibmap third-file.txt




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr atul.txt          
    -----a--------e------- atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ chattr +s atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr atul.txt   
    s----a--------e------- atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ sudo hdparm --fibmap  atul.txt
    
    atul.txt:
     filesystem blocksize 4096, begins at LBA 872241152; assuming 512 byte sectors.
     byte_offset  begin_LBA    end_LBA    sectors
               0  931425384  931425391          8
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
    




    The first hard drive block is 18100656. We’ll use the dd command to read it.

    The options are:
     

    • if=/dev/sda: Read from the first hard drive on this computer. 
    • bs=512: Use a hard drive block size of 512 bytes.
    • skip=18100656: Skip all blocks before block 18100656. In other words, start reading at block 18100656.
    • count=1: Read one block of data.


     

    sudo dd if=/dev/sda bs=512 skip=18100656 count=1


    As expected we see the lorem ipsum placeholder text. We’re reading the correct block on the hard drive.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ sudo dd if=/dev/sda bs=512 skip=931425384 count=1
    Qm9iIC0gIVBAJCRXMHJEITEyMw== | base64 -d
    total 8
    -rwxrwxrwx 1 root      1006  0 May  2 08:57 atulkumar.txt
    -rw-r--r-- 1 hackerboy root 41 May  3 12:59 atul.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 a.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 b.txt
    -rwxrwxrwx 1 hackerboy root 40 May  3 13:01 c.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 d.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 e.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 f.txt
    -rwxrwxrwx 1 hackerboy root  0 May  2 08:56 g.txt
    -r1+0 records in
    1+0 records out
    512 bytes copied, 0.0237929 s, 21.5 kB/s
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
                      
    



    Now we’ll delete the file.

    rm third-file.txt



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ lsattr atul.txt
                                                                                                                                       1 ⨯
    s--------------------- atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ 
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$ rm atul.txt
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.org]
    └─$                        
    
    
    
    
    

    Again, don’t depend on this for secure deletion on ext4. There are better methods available to delete files so that they can’t be recovered.
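
    The attribute strings shown throughout this article can also be checked by a script. The following is an added example, not part of the original article: it parses lsattr output and reports attributes a defender would want to review. The function names, the audit.log and authorized_keys lines and the list of flag letters are assumptions made for the example.

```python
"""Parse lsattr output and report attributes that deserve a second look."""

# Flag letters printed by e2fsprogs lsattr (assumed list; extend if needed).
KNOWN_FLAGS = set("suSDiadAcEjItTeCxFNPVm")
FLAG_NAMES = {"a": "append only", "i": "immutable"}

# Sample input: a prompt line and two entries in the style of the sessions
# above, plus two constructed entries (audit.log and authorized_keys).
SAMPLE_LSATTR = """\
└─$ lsattr
--------------e------- ./a.txt
s----a--------e------- ./atul.txt
--------------e------- ./audit.log
----i---------e------- ./authorized_keys
"""


def parse_lsattr(output):
    """Return {path: set_of_flag_letters}, ignoring prompts and other noise."""
    entries = {}
    for line in output.splitlines():
        flags, _, path = line.strip().partition(" ")
        path = path.strip()
        # A real entry starts with a field made only of dashes and flag letters.
        if not flags or not path or set(flags) - KNOWN_FLAGS - {"-"}:
            continue
        if path.startswith("./"):
            path = path[2:]
        entries[path] = {f for f in flags if f != "-"}
    return entries


def audit_attributes(entries, must_be_append_only=(), fs_type="ext4"):
    """Return a list of (path, finding) tuples."""
    findings = []
    for path, flags in sorted(entries.items()):
        # The s attribute gives no protection on the ext family.
        if "s" in flags and fs_type.startswith("ext"):
            findings.append(
                (path, "s flag set, but secure deletion is not honored on " + fs_type))
        # a and i stop even root from deleting the file, so an unexpected
        # one may be hiding something or blocking legitimate maintenance.
        locked = flags & set(FLAG_NAMES)
        if locked and path not in must_be_append_only:
            names = ", ".join(FLAG_NAMES[f] for f in sorted(locked))
            findings.append((path, "unexpected write protection: " + names))
    # Files that policy says must be append-only (for example logs).
    for path in must_be_append_only:
        if "a" not in entries.get(path, set()):
            findings.append((path, "append-only flag missing"))
    return findings


if __name__ == "__main__":
    parsed = parse_lsattr(SAMPLE_LSATTR)
    for path, finding in audit_attributes(parsed, ["audit.log"]):
        print(path + ": " + finding)
```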





