diff --git a/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md b/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md
index 83ce8371c5f..b0d2a60e684 100644
--- a/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md
+++ b/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md
@@ -1,6 +1,6 @@
# 0. Basic LLM Concepts
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Pretraining
@@ -300,4 +300,4 @@ During the backward pass:
- **Accuracy:** Provides exact derivatives up to machine precision.
- **Ease of Use:** Eliminates manual computation of derivatives.
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/1.-tokenizing.md b/src/AI/AI-llm-architecture/1.-tokenizing.md
index 7e4ae98180a..2c29f7c2b86 100644
--- a/src/AI/AI-llm-architecture/1.-tokenizing.md
+++ b/src/AI/AI-llm-architecture/1.-tokenizing.md
@@ -1,6 +1,6 @@
# 1. Tokenizing
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Tokenizing
@@ -99,4 +99,4 @@ print(token_ids[:50])
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/2.-data-sampling.md b/src/AI/AI-llm-architecture/2.-data-sampling.md
index 42d43f051bc..658e7a834c9 100644
--- a/src/AI/AI-llm-architecture/2.-data-sampling.md
+++ b/src/AI/AI-llm-architecture/2.-data-sampling.md
@@ -1,6 +1,6 @@
# 2. Data Sampling
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## **Data Sampling**
@@ -241,4 +241,4 @@ tensor([[ 367, 2885, 1464, 1807],
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/3.-token-embeddings.md b/src/AI/AI-llm-architecture/3.-token-embeddings.md
index b0d34dc2e90..952b9197e70 100644
--- a/src/AI/AI-llm-architecture/3.-token-embeddings.md
+++ b/src/AI/AI-llm-architecture/3.-token-embeddings.md
@@ -1,6 +1,6 @@
# 3. Token Embeddings
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Token Embeddings
@@ -219,4 +219,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256])
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/4.-attention-mechanisms.md b/src/AI/AI-llm-architecture/4.-attention-mechanisms.md
index 9f73a4eec72..76aa936d72e 100644
--- a/src/AI/AI-llm-architecture/4.-attention-mechanisms.md
+++ b/src/AI/AI-llm-architecture/4.-attention-mechanisms.md
@@ -1,6 +1,6 @@
# 4. Attention Mechanisms
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Attention Mechanisms and Self-Attention in Neural Networks
@@ -430,5 +430,4 @@ For another compact and efficient implementation you could use the [`torch.nn.Mu
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/5.-llm-architecture.md b/src/AI/AI-llm-architecture/5.-llm-architecture.md
index 7e375b6f6cf..dc828838326 100644
--- a/src/AI/AI-llm-architecture/5.-llm-architecture.md
+++ b/src/AI/AI-llm-architecture/5.-llm-architecture.md
@@ -1,6 +1,6 @@
# 5. LLM Architecture
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## LLM Architecture
@@ -702,4 +702,4 @@ print("Output length:", len(out[0]))
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md b/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md
index 4ebc737e96d..6f430fd621a 100644
--- a/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md
+++ b/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md
@@ -1,6 +1,6 @@
# 6. Pre-training & Loading models
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Text Generation
@@ -971,4 +971,4 @@ There 2 quick scripts to load the GPT2 weights locally. For both you can clone t
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md b/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md
index 24d1f900d77..3955d432a7c 100644
--- a/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md
+++ b/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md
@@ -1,6 +1,6 @@
# 7.0. LoRA Improvements in fine-tuning
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## LoRA Improvements
@@ -64,4 +64,4 @@ def replace_linear_with_lora(model, rank, alpha):
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md b/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md
index 98df3b5649c..efeba7a4557 100644
--- a/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md
+++ b/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md
@@ -1,6 +1,6 @@
# 7.1. Fine-Tuning for Classification
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## What is
@@ -117,4 +117,4 @@ You can find all the code to fine-tune GPT2 to be a spam classifier in [https://
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.md b/src/AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.md
index 1398b73d53b..2989068365b 100644
--- a/src/AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.md
+++ b/src/AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.md
@@ -1,6 +1,6 @@
# 7.2. Fine-Tuning to follow instructions
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
> [!TIP]
> The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
@@ -107,4 +107,4 @@ You can find an example of the code to perform this fine tuning in [https://gith
- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/README.md b/src/AI/AI-llm-architecture/README.md
index 8d18bf89d34..b8da5e21159 100644
--- a/src/AI/AI-llm-architecture/README.md
+++ b/src/AI/AI-llm-architecture/README.md
@@ -1,6 +1,6 @@
# LLM Training - Data Preparation
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
**These are my notes from the very recommended book** [**https://www.manning.com/books/build-a-large-language-model-from-scratch**](https://www.manning.com/books/build-a-large-language-model-from-scratch) **with some extra information.**
@@ -99,4 +99,4 @@ You should start by reading this post for some basic concepts you should know ab
7.2.-fine-tuning-to-follow-instructions.md
{{#endref}}
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/README.md b/src/binary-exploitation/arbitrary-write-2-exec/README.md
index 207dbba6453..75076057003 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/README.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/README.md
@@ -1,6 +1,5 @@
# Arbitrary Write 2 Exec
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
index bc6d6480acf..e8225d8fd3c 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
@@ -52,4 +52,4 @@ Successful exploitation results in remote arbitrary code execution at user privi
- Apple October 2024 Security Update (patch shipping CVE-2024-44236) https://support.apple.com/en-us/121564
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/array-indexing.md b/src/binary-exploitation/array-indexing.md
index 12c30102beb..6c3a37e22ce 100644
--- a/src/binary-exploitation/array-indexing.md
+++ b/src/binary-exploitation/array-indexing.md
@@ -20,4 +20,4 @@ However he you can find some nice **examples**:
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
index 0ec3de2d388..9a852199dff 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
@@ -123,4 +123,4 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/ios-exploiting.md b/src/binary-exploitation/ios-exploiting.md
index d97f353f895..9539509868c 100644
--- a/src/binary-exploitation/ios-exploiting.md
+++ b/src/binary-exploitation/ios-exploiting.md
@@ -1,6 +1,6 @@
# iOS Exploiting
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
## Physical use-after-free
@@ -213,4 +213,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/libc-heap/README.md b/src/binary-exploitation/libc-heap/README.md
index 7ebab0f6923..5fe3757f9b9 100644
--- a/src/binary-exploitation/libc-heap/README.md
+++ b/src/binary-exploitation/libc-heap/README.md
@@ -1,6 +1,6 @@
# Libc Heap
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Heap Basics
@@ -531,4 +531,4 @@ heap-memory-functions/heap-functions-security-checks.md
- [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
index c90112b4207..d74bacb45af 100644
--- a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
+++ b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
@@ -66,4 +66,4 @@ d = malloc(20); // a
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
index 5fa7203cf86..a7b5f902f74 100644
--- a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
@@ -60,4 +60,4 @@ This approach avoids direct file downloads and leverages familiar UI elements to
- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery – https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
- Discord Custom Invite Link Documentation – https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/generic-methodologies-and-resources/threat-modeling.md b/src/generic-methodologies-and-resources/threat-modeling.md
index 3ed08bd9437..87bf50c2ad9 100644
--- a/src/generic-methodologies-and-resources/threat-modeling.md
+++ b/src/generic-methodologies-and-resources/threat-modeling.md
@@ -1,6 +1,6 @@
# Threat Modeling
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
## Threat Modeling
@@ -113,5 +113,4 @@ Now your finished model should look something like this. And this is how you mak
This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology and is particularly suitable for those developing on Microsoft's stack.
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
index cf4dd992e8b..629d721080e 100644
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@@ -166,11 +166,11 @@ Allow the process to **ask for all the TCC permissions**.
### **`kTCCServicePostEvent`**
-{{#include ../../../banners/hacktricks-training.md}}
+
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/flutter.md b/src/mobile-pentesting/android-app-pentesting/flutter.md
index 90717665243..20ae431fcf9 100644
--- a/src/mobile-pentesting/android-app-pentesting/flutter.md
+++ b/src/mobile-pentesting/android-app-pentesting/flutter.md
@@ -80,4 +80,4 @@ Flutter itself **ignores device proxy settings**. Easiest options:
- [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 791da2761f0..1f226fae017 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
### Automated dynamic analysis with MobSF (no jailbreak)
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/network-services-pentesting/1414-pentesting-ibmmq.md b/src/network-services-pentesting/1414-pentesting-ibmmq.md
index 68aab11f2fa..64eef8b2c57 100644
--- a/src/network-services-pentesting/1414-pentesting-ibmmq.md
+++ b/src/network-services-pentesting/1414-pentesting-ibmmq.md
@@ -364,4 +364,4 @@ CONTAINER ID IMAGE COMMAND CRE
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-ntp.md b/src/network-services-pentesting/pentesting-ntp.md
index c330fe2e91b..bfc1e68516a 100644
--- a/src/network-services-pentesting/pentesting-ntp.md
+++ b/src/network-services-pentesting/pentesting-ntp.md
@@ -195,4 +195,4 @@ Entry_2:
- Khronos/Chronos draft (time-shift mitigation)
- chronyc manual/examples for remote monitoring
- zgrab2 ntp module docs
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/angular.md b/src/network-services-pentesting/pentesting-web/angular.md
index ff1648acb4a..9a8042d7cdf 100644
--- a/src/network-services-pentesting/pentesting-web/angular.md
+++ b/src/network-services-pentesting/pentesting-web/angular.md
@@ -1,6 +1,6 @@
# Angular
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## The Checklist
@@ -616,5 +616,4 @@ According to the W3C documentation, the `window.location` and `document.location
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/django.md b/src/network-services-pentesting/pentesting-web/django.md
index febaec3448d..90c75a79491 100644
--- a/src/network-services-pentesting/pentesting-web/django.md
+++ b/src/network-services-pentesting/pentesting-web/django.md
@@ -1,6 +1,6 @@
# Django
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Cache Manipulation to RCE
Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**.
@@ -76,4 +76,4 @@ Always fingerprint the exact framework version via the `X-Frame-Options` error p
* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025.
* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024.
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md
index ecf2c580d4b..62d5c409790 100644
--- a/src/network-services-pentesting/pentesting-web/laravel.md
+++ b/src/network-services-pentesting/pentesting-web/laravel.md
@@ -1,6 +1,6 @@
# Laravel
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
### Laravel SQLInjection
@@ -91,7 +91,7 @@ The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.
* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
-{{#include ../../banners/hacktricks-training.md}}
+
## Laravel Tricks
@@ -283,4 +283,3 @@ The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.
{{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/network-services-pentesting/pentesting-web/nodejs-express.md b/src/network-services-pentesting/pentesting-web/nodejs-express.md
index cd0d1c66be5..f51ed42c62e 100644
--- a/src/network-services-pentesting/pentesting-web/nodejs-express.md
+++ b/src/network-services-pentesting/pentesting-web/nodejs-express.md
@@ -1,6 +1,6 @@
# NodeJS Express
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Cookie Signature
@@ -39,5 +39,4 @@ cookie-monster -e -f new_cookie.json -k secret
```
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/spring-actuators.md b/src/network-services-pentesting/pentesting-web/spring-actuators.md
index 164be26bf21..1c02371eeea 100644
--- a/src/network-services-pentesting/pentesting-web/spring-actuators.md
+++ b/src/network-services-pentesting/pentesting-web/spring-actuators.md
@@ -63,9 +63,9 @@ Host: target.com
Connection: close
```
- {{#include ../../banners/hacktricks-training.md}}
-{{#include /src/banners/hacktricks-training.md}}
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/dapps-DecentralizedApplications.md b/src/pentesting-web/dapps-DecentralizedApplications.md
index 6d2e3871b9a..21626d3b2a6 100644
--- a/src/pentesting-web/dapps-DecentralizedApplications.md
+++ b/src/pentesting-web/dapps-DecentralizedApplications.md
@@ -1,6 +1,6 @@
# DApps - Decentralized Applications
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
## What is a DApp?
@@ -79,6 +79,5 @@ In the scenario **`Mishandling of Asset Classes`**, is explained that the backen
- [https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications](https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications)
-{{#include ../../banners/hacktricks-training.md}}
-
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
index 4ba103e4631..8862b2f9399 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
@@ -47,7 +47,7 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
- [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
-{{#include ../../banners/hacktricks-training.md}}
+
```
@@ -56,4 +56,4 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/idor.md b/src/pentesting-web/idor.md
index 32ef75d5dcf..e0f95bfdf92 100644
--- a/src/pentesting-web/idor.md
+++ b/src/pentesting-web/idor.md
@@ -80,10 +80,10 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
* **OWASP ZAP**: Auth Matrix, Forced Browse.
* **Github projects**: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).
-{{#include ../banners/hacktricks-training.md}}
+
## References
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md
index d690529aa03..e82d29aba43 100644
--- a/src/pentesting-web/xss-cross-site-scripting/README.md
+++ b/src/pentesting-web/xss-cross-site-scripting/README.md
@@ -1,6 +1,6 @@
# XSS (Cross Site Scripting)
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Methodology
diff --git a/src/todo/hardware-hacking/fault_injection_attacks.md b/src/todo/hardware-hacking/fault_injection_attacks.md
index 96ff08913a2..ab7a47a7cc7 100644
--- a/src/todo/hardware-hacking/fault_injection_attacks.md
+++ b/src/todo/hardware-hacking/fault_injection_attacks.md
@@ -1,6 +1,6 @@
# Fault Injection Attacks
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
Fault injections attacks includes introducing external distrubance in electronic circuits to influence it's behaviour, resulting to disclose information or even bypass certian restrictions in the circuit. This attacks opens a lot of possibilities for attacking electronic circuits. This attack is also referred as glitching of electronic circuits.
@@ -8,4 +8,4 @@ There are a lot of methods and mediums for injecting fault into an electronic ci
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/todo/hardware-hacking/side_channel_analysis.md b/src/todo/hardware-hacking/side_channel_analysis.md
index 6ac9fa7412f..b312f8ed152 100644
--- a/src/todo/hardware-hacking/side_channel_analysis.md
+++ b/src/todo/hardware-hacking/side_channel_analysis.md
@@ -1,6 +1,6 @@
# Side Channel Analysis Attacks
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
Side Channel Analysis Attacks refers to determining the information from a device or entity by some other channel or source that has an indirect influence on it and information can be extracted from it. This can be explained better with an example:
@@ -10,4 +10,4 @@ These attacks are very popular in case of leaking data such as private keys or f
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/todo/industrial-control-systems-hacking/README.md b/src/todo/industrial-control-systems-hacking/README.md
index a09ea2c1f72..ad736fc4c0b 100644
--- a/src/todo/industrial-control-systems-hacking/README.md
+++ b/src/todo/industrial-control-systems-hacking/README.md
@@ -1,6 +1,6 @@
# Industrial Control Systems Hacking
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## About this Section
@@ -18,5 +18,4 @@ These techniques can also be used to protect against attacks and blue teaming fo
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/todo/industrial-control-systems-hacking/modbus.md b/src/todo/industrial-control-systems-hacking/modbus.md
index 9f044e573be..24bea668e10 100644
--- a/src/todo/industrial-control-systems-hacking/modbus.md
+++ b/src/todo/industrial-control-systems-hacking/modbus.md
@@ -1,6 +1,6 @@
# The Modbus Protocol
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
## Introduction to Modbus Protocol
@@ -34,6 +34,5 @@ Due to it's large scale use and lack of upgradations, attacking Modbus provides
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/todo/investment-terms.md b/src/todo/investment-terms.md
index 2added321b9..51e5db7a842 100644
--- a/src/todo/investment-terms.md
+++ b/src/todo/investment-terms.md
@@ -1,6 +1,6 @@
# Investment Terms
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
## Spot
@@ -71,4 +71,4 @@ However, the buyer will be paying some fee to the seller for opening the option
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/todo/radio-hacking/README.md b/src/todo/radio-hacking/README.md
index 42011e5a475..3322ace68bb 100644
--- a/src/todo/radio-hacking/README.md
+++ b/src/todo/radio-hacking/README.md
@@ -1,6 +1,5 @@
# Radio Hacking
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/todo/radio-hacking/fissure-the-rf-framework.md b/src/todo/radio-hacking/fissure-the-rf-framework.md
index f9cfc13346d..09dc92b7e16 100644
--- a/src/todo/radio-hacking/fissure-the-rf-framework.md
+++ b/src/todo/radio-hacking/fissure-the-rf-framework.md
@@ -1,6 +1,6 @@
# FISSURE - The RF Framework
-{{#include /src/banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
**Frequency Independent SDR-based Signal Understanding and Reverse Engineering**
@@ -187,5 +187,4 @@ Special thanks to Dr. Samuel Mantravadi and Joseph Reith for their contributions
-{{#include /src/banners/hacktricks-training.md}}
-
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/todo/radio-hacking/low-power-wide-area-network.md b/src/todo/radio-hacking/low-power-wide-area-network.md
index 5dd51512dfb..e33e95c6278 100644
--- a/src/todo/radio-hacking/low-power-wide-area-network.md
+++ b/src/todo/radio-hacking/low-power-wide-area-network.md
@@ -4,16 +4,96 @@ ## Introduction -**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide area network technologies designed for **long-range communications** at a low bit rate.\ +**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide-area network technologies designed for **long-range communications** at a low bit rate. They can reach more than **six miles** and their **batteries** can last up to **20 years**. -Long Range (**LoRa**) it’s popular in multiple countries and has an open source specification called **LoRaWAN**. +Long Range (**LoRa**) is currently the most deployed LPWAN physical layer and its open MAC-layer specification is **LoRaWAN**. -### LPWAN, LoRa, and LoRaWAN +--- -[https://github.com/IOActive/laf](https://github.com/IOActive/laf) +## LPWAN, LoRa, and LoRaWAN -{{#include ../../banners/hacktricks-training.md}} +* LoRa – Chirp Spread Spectrum (CSS) physical layer developed by Semtech (proprietary but documented). +* LoRaWAN – Open MAC/Network layer maintained by the LoRa-Alliance. Versions 1.0.x and 1.1 are common in the field. +* Typical architecture: *end-device → gateway (packet-forwarder) → network-server → application-server*. + +> The **security model** relies on two AES-128 root keys (AppKey/NwkKey) that derive session keys during the *join* procedure (OTAA) or are hard-coded (ABP). If any key leaks the attacker gains full read/write capability over the corresponding traffic. 
+ +--- + +## Attack surface summary + +| Layer | Weakness | Practical impact | +|-------|----------|------------------| +| PHY | Reactive / selective jamming | 100 % packet loss demonstrated with single SDR and <1 W output | +| MAC | Join-Accept & data-frame replay (nonce reuse, ABP counter rollover) | Device spoofing, message injection, DoS | +| Network-Server | Insecure packet-forwarder, weak MQTT/UDP filters, outdated gateway firmware | RCE on gateways → pivot into OT/IT network | +| Application | Hard-coded or predictable AppKeys | Brute-force/decrypt traffic, impersonate sensors | + +--- + +## Recent vulnerabilities (2023-2025) + +* **CVE-2024-29862** – *ChirpStack gateway-bridge & mqtt-forwarder* accepted TCP packets that bypassed stateful firewall rules on Kerlink gateways, allowing remote management interface exposure. Fixed in 4.0.11 / 4.2.1 respectively . +* **Dragino LG01/LG308 series** – Multiple 2022-2024 CVEs (e.g. 2022-45227 directory traversal, 2022-45228 CSRF) still observed unpatched in 2025; enable unauthenticated firmware dump or config overwrite on thousands of public gateways . +* Semtech *packet-forwarder UDP* overflow (unreleased advisory, patched 2023-10): crafted uplink larger than 255 B triggered stack-smash ‑> RCE on SX130x reference gateways (found by Black Hat EU 2023 “LoRa Exploitation Reloaded”). + +--- + +## Practical attack techniques + +### 1. Sniff & Decrypt traffic + +```bash +# Capture all channels around 868.3 MHz with an SDR (USRP B205) +python3 lorattack/sniffer.py \ + --freq 868.3e6 --bw 125e3 --rate 1e6 --sf 7 --session smartcity + +# Bruteforce AppKey from captured OTAA join-request/accept pairs +python3 lorapwn/bruteforce_join.py --pcap smartcity.pcap --wordlist top1m.txt +``` + +### 2. OTAA join-replay (DevNonce reuse) +1. Capture a legitimate **JoinRequest**. +2. Immediately retransmit it (or increment RSSI) before the original device transmits again. +3. 
The network-server allocates a new DevAddr & session keys while the target device continues with the old session → attacker owns vacant session and can inject forged uplinks. +### 3. Adaptive Data-Rate (ADR) downgrading +Force SF12/125 kHz to increase airtime → exhaust duty-cycle of gateway (denial-of-service) while keeping battery impact low on attacker (just send network-level MAC commands). + +### 4. Reactive jamming + +*HackRF One* running GNU Radio flowgraph triggers a wide-band chirp whenever preamble detected – blocks all spreading factors with ≤200 mW TX; full outage measured at 2 km range . + +--- + +## Offensive tooling (2025) + +| Tool | Purpose | Notes | +|------|---------|-------| +| **LoRaWAN Auditing Framework (LAF)** | Craft/parse/attack LoRaWAN frames, DB-backed analyzers, brute-forcer | Docker image, supports Semtech UDP input | +| **LoRaPWN** | Trend Micro Python utility to brute OTAA, generate downlinks, decrypt payloads | Demo released 2023, SDR-agnostic | +| **LoRAttack** | Multi-channel sniffer + replay with USRP; exports PCAP/LoRaTap | Good Wireshark integration | +| **gr-lora / gr-lorawan** | GNU Radio OOT blocks for baseband TX/RX | Foundation for custom attacks | + +--- + +## Defensive recommendations (pentester checklist) + +1. Prefer **OTAA** devices with truly random DevNonce; monitor duplicates. +2. Enforce **LoRaWAN 1.1**: 32-bit frame counters, distinct FNwkSIntKey / SNwkSIntKey. +3. Store frame-counter in non-volatile memory (**ABP**) or migrate to OTAA. +4. Deploy **secure-element** (ATECC608A/SX1262-TRX-SE) to protect root keys against firmware extraction. +5. Disable remote UDP packet-forwarder ports (1700/1701) or restrict with WireGuard/VPN. +6. Keep gateways updated; Kerlink/Dragino provide 2024-patched images. +7. Implement **traffic anomaly detection** (e.g., LAF analyzer) – flag counter resets, duplicate joins, sudden ADR changes. 
+ + + +## References + +* LoRaWAN Auditing Framework (LAF) – https://github.com/IOActive/laf +* Trend Micro LoRaPWN overview – https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/todo/rust-basics.md b/src/todo/rust-basics.md index 5f78a915462..4340a663a18 100644 --- a/src/todo/rust-basics.md +++ b/src/todo/rust-basics.md @@ -1,6 +1,6 @@ # Rust Basics -{{#include /src/banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}} ### Generic Types @@ -320,5 +320,4 @@ fn main() { ``` -{{#include /src/banners/hacktricks-training.md}} - +{{#include ../banners/hacktricks-training.md}} diff --git a/src/todo/test-llms.md b/src/todo/test-llms.md index 751db9fd97d..63b8eb6d43b 100644 --- a/src/todo/test-llms.md +++ b/src/todo/test-llms.md @@ -1,6 +1,6 @@ # Test LLMs -{{#include /src/banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}} ## Run & train models locally @@ -52,5 +52,4 @@ It offers several sections like: * **API Access:** Simple APIs for running models the enable developers to deploy and scale models effortlessly within their own applications. -{{#include /src/banners/hacktricks-training.md}} - +{{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/TimeRoasting.md b/src/windows-hardening/active-directory-methodology/TimeRoasting.md index d92f0064b69..8d142baebd2 100644 --- a/src/windows-hardening/active-directory-methodology/TimeRoasting.md +++ b/src/windows-hardening/active-directory-methodology/TimeRoasting.md 
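Review bot: Step 3 of the "OTAA join-replay (DevNonce reuse)" section overstates the outcome: replaying a captured Join-Request cannot give the attacker a usable session, because NwkSKey/AppSKey are derived from the root AppKey/NwkKey that the replayer does not hold, so the realistic effect is desynchronising the legitimate device from the network server (a DoS), and servers that implement LoRaWAN 1.0.4/1.1 DevNonce tracking reject the reused nonce outright; "or increment RSSI" in step 2 should also go, since RSSI is measured by the receiver rather than set by the sender. Suggest rewriting step 3 as `3. If the network-server accepts the reused DevNonce it derives a fresh session for the replayed request while the real device keeps its old one, so the device's later uplinks are dropped (desync/DoS); without the root key the attacker can neither decrypt nor forge traffic on either session.` The Semtech packet-forwarder overflow bullet under "Recent vulnerabilities" rests on an "unreleased advisory" with no CVE, link or talk reference, and the ChirpStack and Dragino bullets end in dangling ` .` citation placeholders; either add the sources or mark the unsourced item as unverified so readers do not treat it as a confirmed RCE. The `lorattack/sniffer.py` and `lorapwn/bruteforce_join.py` invocations are not tied to anything in the References list, so a one-line note on which repository each script comes from would make the section reproducible.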
@@ -1,6 +1,6 @@ # TimeRoasting -{{#include /src/banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} timeRoasting, the main cause is the outdated authentication mechanism left by Microsoft in its extension to NTP servers, known as MS-SNTP. In this mechanism, clients can directly use any computer account's Relative Identifier (RID), and the domain controller will use the computer account's NTLM hash (generated by MD4) as the key to generate the **Message Authentication Code (MAC)** of the response packet. @@ -39,4 +39,4 @@ sudo ./timeroast.py 10.0.0.42 | tee ntp-hashes.txt hashcat -m 31300 ntp-hashes.txt ``` -{{#include /src/banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/printnightmare.md b/src/windows-hardening/active-directory-methodology/printnightmare.md index 212f04ab1fd..52d308aae2d 100644 --- a/src/windows-hardening/active-directory-methodology/printnightmare.md +++ b/src/windows-hardening/active-directory-methodology/printnightmare.md @@ -95,7 +95,7 @@ Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll **More reading (external):** Check the 2024 walk-through blog post – [Understanding PrintNightmare Vulnerability](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/) -{{#include ../../banners/hacktricks-training.md}} + ## References @@ -103,4 +103,4 @@ Import-Module .\SpoolFool.ps1 ; Invoke-SpoolFool -dll add_user.dll * Oliver Lyak – *SpoolFool: CVE-2022-21999* -{{#include /banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/cobalt-strike.md b/src/windows-hardening/cobalt-strike.md index 94e4cf8a34e..16f733a3777 100644 --- a/src/windows-hardening/cobalt-strike.md +++ b/src/windows-hardening/cobalt-strike.md 
@@ -1,6 +1,6 @@ # Cobalt Strike -{{#include /src/banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}} ### Listeners @@ -371,5 +371,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . ``` -{{#include /src/banners/hacktricks-training.md}} - +{{#include ../banners/hacktricks-training.md}}