Skip to content

Commit

Permalink
GITBOOK-4371: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
@carlospolop @gitbook-bot
carlospolop authored and gitbook-bot committed Jul 29, 2024
1 parent f3d9d12 commit f3160bc
Show file tree
Hide file tree
Showing 5 changed files with 95 additions and 21 deletions.
3 changes: 2 additions & 1 deletion SUMMARY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
* [Network Protocols Explained (ESP)](generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md)
* [Nmap Summary (ESP)](generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md)
* [Pentesting IPv6](generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md)
* [WebRTC DoS](generic-methodologies-and-resources/pentesting-network/webrtc-dos.md)
* [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* [Spoofing SSDP and UPnP Devices with EvilSSDP](generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
* [Pentesting Wifi](generic-methodologies-and-resources/pentesting-wifi/README.md)
Expand Down Expand Up @@ -521,7 +522,7 @@
* [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
* [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
* [2FA/OTP Bypass](pentesting-web/2fa-bypass.md)
* [2FA/MFA/OTP Bypass](pentesting-web/2fa-bypass.md)
* [Account Takeover](pentesting-web/account-takeover.md)
* [Browser Extension Pentesting Methodology](pentesting-web/browser-extension-pentesting-methodology/README.md)
* [BrowExt - ClickJacking](pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md)
Expand Down
63 changes: 63 additions & 0 deletions generic-methodologies-and-resources/pentesting-network/webrtc-dos.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# WebRTC DoS

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

**This issue was found in this blog post:** [**https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/**](https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/)

The described vulnerability in WebRTC media servers arises from a **race condition** during the initialization of media sessions, specifically between the **ICE media consent verification** and the **DTLS traffic initiation**. Here’s a detailed breakdown:

### Vulnerability Origin

1. **UDP Port Allocation:** When a user initiates a WebRTC call, the media server allocates UDP ports for handling the media streams, with the IP and port communicated via signaling.
2. **ICE and STUN Processes:** The user's browser uses ICE for media consent verification, utilizing STUN to determine the connection path to the media server.
3. **DTLS Session:** Following successful STUN verification, a DTLS session starts to establish SRTP master keys, switching to SRTP for the media stream.

### Exploitation Mechanism

* **Race Condition Exploitation:** An attacker can exploit a race condition by sending a DTLS ClientHello message before the legitimate user, potentially using an invalid cipher suite like `TLS_NULL_WITH_NULL_NULL`. This causes a DTLS error at the server, preventing the SRTP session from being established.

### Attack Process

* **Port Scanning:** The attacker needs to guess which UDP ports are handling incoming media sessions, sending ClientHello messages with the null cipher suite to these ports to trigger the vulnerability.
* **Diagram of Attack:** The sequence involves multiple ClientHello messages sent by the attacker to the server, interleaved with legitimate signaling and DTLS messages, leading to a handshake failure due to the erroneous cipher suite.

### Testing and Mitigation

* **Safe Testing:** Using tools like Scapy, attackers replay DTLS ClientHello messages targeting specific media ports. For ethical testing, modifications to Chromium (e.g., `JsepTransport::AddRemoteCandidates`) were used to mimic victim behavior safely.
* **Mitigation Measures:** Solutions involve dropping packets from unverified addresses, as implemented in newer versions of libraries like libnice. The primary solution emphasizes trusting the ICE verification process and only processing packets from validated IP and port combinations.

### Non-Vulnerable Scenarios

* **DTLS Server Configurations:** Instances where the browser acts as a DTLS server or when the media server does not use ephemeral ports for media sessions are not susceptible to this vulnerability.

### Conclusion

This vulnerability highlights the delicate balance in media session initialization processes and the need for precise timing and verification mechanisms to prevent exploitation. Developers are advised to implement recommended security fixes and ensure robust verification processes to mitigate such vulnerabilities.

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
24 changes: 14 additions & 10 deletions ...e-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@

# iOS Custom URI Handlers / Deeplinks / Custom Schemes

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand All @@ -15,11 +15,9 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

This is a sumary from the related information from [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/)

## Basic Information

Custom URL schemes enable apps to communicate using a custom protocol, as detailed in the [Apple Developer Documentation](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple_ref/doc/uid/TP40007072-CH6-SW1). These schemes must be declared by the app, which then handles incoming URLs following those schemes. It's crucial to **validate all URL parameters** and **discard any malformed URLs** to prevent attacks through this vector.
Custom URL schemes enable apps to communicate using a custom protocol, as detailed in the [Apple Developer Documentation](https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html#//apple\_ref/doc/uid/TP40007072-CH6-SW1). These schemes must be declared by the app, which then handles incoming URLs following those schemes. It's crucial to **validate all URL parameters** and **discard any malformed URLs** to prevent attacks through this vector.

An example is given where the URI `myapp://hostname?data=123876123` invokes a specific application action. A noted vulnerability was in the Skype Mobile app, which allowed unpermitted call actions via the `skype://` protocol. The registered schemes can be found in the app's `Info.plist` under `CFBundleURLTypes`. Malicious applications can exploit this by re-registering URIs to intercept sensitive information.

Expand Down Expand Up @@ -83,13 +81,21 @@ No logs were moved.
Opened URL: iGoat://?contactNumber=0&message=0
```

## Custom URL scheme hijacking

According to [**this post**](https://evanconnelly.github.io/post/ios-oauth/), malicious apps could **register other apps custom schemes,** then the malicious app can open a browser that has all the cookies of the Safari App with [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/2990952-init#parameters).&#x20;

With the broser the malicious app can load an attackers controlled web page and TCC will ask the mobile user for permissions to open that app. Then, the malicious webpage could redirect to a victim page, for example an OAuth flow with the parameter `prompt=none`. If the user was already logged in the OAuth flow, the OAuth flow will send the secret back to the victim application using the custom scheme of the victim app.\
However, because the malicious app also registered it and because the used browser is inside the malicious app, the custom scheme will be handled in this case by the malicious app which will be able to steal the OAuth token.

## References

* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0075/)
* [https://evanconnelly.github.io/post/ios-oauth/](https://evanconnelly.github.io/post/ios-oauth/)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand All @@ -101,5 +107,3 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s

</details>
{% endhint %}


9 changes: 5 additions & 4 deletions network-services-pentesting/pentesting-web/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# 80,443 - Pentesting Web Methodology

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down Expand Up @@ -256,6 +256,7 @@ Launch some kind of **spider** inside the web. The goal of the spider is to **fi
* [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
* [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to **extract the paramters and endpoints** from the request to create custom wordlist for fuzzing and enumeration.
* [**katana**](https://github.com/projectdiscovery/katana) (go): Awesome tool for this.
* [**Crawley**](https://github.com/s0rg/crawley) (go): Print every link it's able to find.

### Brute Force directories and files

Expand Down Expand Up @@ -445,8 +446,8 @@ Entry_12:
```

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down
17 changes: 11 additions & 6 deletions pentesting-web/2fa-bypass.md
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# 2FA/OTP Bypass
# 2FA/MFA/OTP Bypass

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down Expand Up @@ -139,12 +139,17 @@ A process demonstrating a potential bypass method involves account creation, 2FA

### **Decoy Requests**

Utilizing decoy requests to obfuscate brute force attempts or mislead rate limiting mechanisms adds another layer to bypass strategies. Crafting such requests requires a nuanced understanding of the application's security measures and rate limiting behaviors.
Utilizing decoy requests to obfuscate brute force attempts or mislead rate limiting mechanisms adds another layer to bypass strategies. Crafting such requests requires a nuanced understanding of the application's security measures and rate limiting behaviours.

### OTP Construction errors

In case the OTP is created based on data the user already has or that is sending previous to create the OTP, it's possible for the user to also generate it and bypass it.

## References

* [https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35](https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/%22https:/medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35%22/README.md)
* [https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718](https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718)
* [https://getpocket.com/read/aM7dap2bTo21bg6fRDAV2c5thng5T48b3f0Pd1geW2u186eafibdXj7aA78Ip116\_1d0f6ce59992222b0812b7cab19a4bce](https://getpocket.com/read/aM7dap2bTo21bg6fRDAV2c5thng5T48b3f0Pd1geW2u186eafibdXj7aA78Ip116\_1d0f6ce59992222b0812b7cab19a4bce)

### [WhiteIntel](https://whiteintel.io)

Expand All @@ -161,8 +166,8 @@ You can check their website and try their engine for **free** at:
P

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down

0 comments on commit f3160bc

Please sign in to comment.