HackTricks-wiki
diff --git a/‎src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md‎
Lines changed: 1 addition & 2 deletions b/‎src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/generic-methodologies-and-resources/pentesting-wifi/README.md‎
Lines changed: 1 addition & 2 deletions b/‎src/generic-methodologies-and-resources/pentesting-wifi/README.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md‎
Lines changed: 3 additions & 4 deletions b/‎src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎src/mobile-pentesting/ios-pentesting/README.md‎
Lines changed: 2 additions & 3 deletions b/‎src/mobile-pentesting/ios-pentesting/README.md‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎src/network-services-pentesting/873-pentesting-rsync.md‎
Lines changed: 1 addition & 2 deletions b/‎src/network-services-pentesting/873-pentesting-rsync.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md‎
Lines changed: 1 addition & 2 deletions b/‎src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/network-services-pentesting/pentesting-ntp.md‎
Lines changed: 19 additions & 19 deletions b/‎src/network-services-pentesting/pentesting-ntp.md‎
Lines changed: 19 additions & 19 deletions
@@ -97,7 +97,7 @@ The partition table header defines the usable blocks on the disk. It also define
 
 | Offset    | Length   | Contents                                                                                                                                                                     |
 | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 0 (0x00)  | 8 bytes  | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#cite_note-8)on little-endian machines) |
+| 0 (0x00)  | 8 bytes  | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#_note-8)on little-endian machines) |
 | 8 (0x08)  | 4 bytes  | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8                                                                                                                                  |
 | 12 (0x0C) | 4 bytes  | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes)                                                                                                 |
 | 16 (0x10) | 4 bytes  | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation                             |
@@ -236,4 +236,3 @@ You may notice that even performing that action there might be **other parts whe
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-
@@ -718,7 +718,7 @@ This method allows an **attacker to create a malicious access point (AP) that re
 
 ### MANA
 
-Then, **devices started to ignore unsolicited network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solicited by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks.
+Then, **devices started to ignore unsolid network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solid by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks.
 
 The MANA attack operates by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP.
 
@@ -791,4 +791,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
@@ -41,9 +41,9 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
 
 **Usable public exploits:**
 
-- https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
-- https://www.exploit-db.com/exploits/46238
-- https://www.exploit-db.com/exploits/46487
+- [https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2](https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2)
+- [https://www.exploit-db.com/exploits/46238](https://www.exploit-db.com/exploits/46238)
+- [https://www.exploit-db.com/exploits/46487](https://www.exploit-db.com/exploits/46487)
 
 ## Abusing Splunk Queries
 
@@ -52,4 +52,3 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
@@ -34,8 +34,8 @@ basic-ios-testing-operations.md
 
 Some interesting iOS - IPA files decompilers:
 
-- https://github.com/LaurieWired/Malimite
-- https://ghidra-sre.org/
+- [https://github.com/LaurieWired/Malimite](https://github.com/LaurieWired/Malimite)
+- [https://ghidra-sre.org/](https://ghidra-sre.org/)
 
 It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file.
 
@@ -1180,4 +1180,3 @@ otool -L <application_path>
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
@@ -6,7 +6,7 @@
 
 From [wikipedia](https://en.wikipedia.org/wiki/Rsync):
 
-> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](<https://en.wikipedia.org/wiki/Timestamping_(computing)>)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
+> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](<https://en.wikipedia.org/wiki/Timestamping_(computing)>)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
 
 **Default port:** 873
 
@@ -101,4 +101,3 @@ Within this file, a _secrets file_ parameter might point to a file containing **
 {{#include ../banners/hacktricks-training.md}}
 
 
-
@@ -59,7 +59,7 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi
 - [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE)
 - http://www.hsc-news.com/archives/2013/000109.html (no longer active)
 - [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt)
-- https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults
+- [https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults](https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults)
 - [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
 - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com)
 - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
@@ -69,4 +69,3 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi
 {{#include ../banners/hacktricks-training.md}}
 
 
-
@@ -90,12 +90,12 @@ Pay special attention to ``restrict`` lines, ``kod`` (Kiss-o'-Death) settings, `
 
 | Year | CVE | Component | Impact |
 |------|-----|-----------|--------|
-| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. citeturn1search1turn1search2turn1search0|
-| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 – affects port 123 even when NTS **disabled**. citeturn4view0|
-| 2024 | distro updates | **chrony 4.4 / 4.5** – several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) citeturn2search2|
-| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. citeturn5search0|
+| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. |
+| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 – affects port 123 even when NTS **disabled**. |
+| 2024 | distro updates | **chrony 4.4 / 4.5** – several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) |
+| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. |
 
-> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. citeturn1search4
+> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. 
 
 ---
 ## Advanced Attacks
@@ -108,11 +108,11 @@ The legacy Mode-7 ``monlist`` query returns up to **600 host addresses** and is
 - Rate-limit UDP/123 on the edge or enable *sessions-required* on DDoS appliances.
 - Enable *BCP 38* egress filtering to block source spoofing.
 
-See Cloudflare’s learning-center article for a step-by-step breakdown. citeturn5search1
+See Cloudflare’s learning-center article for a step-by-step breakdown. 
 
 ### 2. Time-Shift / Delay attacks (Khronos / Chronos research)
 
-Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). citeturn9search1
+Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). 
 
 ### 3. NTS abuse & 4460/tcp exposure
 
@@ -126,7 +126,7 @@ nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert <IP>
 openssl s_client -connect <IP>:4460 -alpn ntske/1 -tls1_3 -ign_eof
 ```
 
-Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. citeturn11search0
+Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. 
 
 ---
 ## Hardening / Best-Current-Practice (BCP-233 / RFC 8633)
@@ -139,7 +139,7 @@ Look for self-signed or expired certificates and weak cipher-suites (non-AEAD).
 4. Consider **leap-smear** to avoid leap-second outages, but ensure *all* downstream clients use the same smear window.
 5. Keep polling ≤24 h so leap-second flags are not missed.
 
-See RFC 8633 for a comprehensive checklist. citeturn8search0turn8search1
+See RFC 8633 for a comprehensive checklist. 
 
 ---
 ## Shodan / Censys Dorks
@@ -185,14 +185,14 @@ Entry_2:
 ---
 ## References
 
-- RFC 8915 – *Network Time Security for the Network Time Protocol* (port 4460) citeturn11search0
-- RFC 8633 – *Network Time Protocol BCP* citeturn8search0
-- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) citeturn5search0
-- Cloudflare *NTP Amplification Attack* article citeturn5search1
-- NTP 4.2.8p15 CVE series 2023-04 citeturn1search4
-- NVD entries **CVE-2023-26551–55**, **CVE-2023-33192** citeturn1search1turn1search2turn1search0turn4view0
-- SUSE chrony security update 2024 (chrony 4.5) citeturn2search2
-- Khronos/Chronos draft (time-shift mitigation) citeturn9search1
-- chronyc manual/examples for remote monitoring citeturn3search0turn10search1
-- zgrab2 ntp module docs citeturn7search0
+- RFC 8915 – *Network Time Security for the Network Time Protocol* (port 4460) 
+- RFC 8633 – *Network Time Protocol BCP* 
+- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) 
+- Cloudflare *NTP Amplification Attack* article 
+- NTP 4.2.8p15 CVE series 2023-04 
+- NVD entries **CVE-2023-26551–55**, **CVE-2023-33192** 
+- SUSE chrony security update 2024 (chrony 4.5) 
+- Khronos/Chronos draft (time-shift mitigation) 
+- chronyc manual/examples for remote monitoring 
+- zgrab2 ntp module docs 
 {{#include /banners/hacktricks-training.md}}