HOW TO FIX A HACKED DRUPAL WEBSITE 2
Step 5: Begin investigating the attack
Whatever tipped you off to the fact that you were compromised is the first step in investigating the attack. If your page content was changed, spam emails were sent, information stolen and used for some purpose, malware uploaded to the site, whatever the compromise is - consider how the attacker could have achieved that. List out every way you can think of that someone could make that change. There are two goals to this exercise: first, you'll help pin down how you got attacked so you can close that hole. Second, you'll identify other things the attacker could have done based on the means they used to attack your site. Try to be creative and don't throw out any possibilities as "too hard" or "technically impossible" - your attacker was probably creative and your site may not work exactly as you think it does.
Once you have a list of ways, start trying to pin down which is most likely. Which requires the least effort? What evidence would there be for each one? Do you see examples of that evidence? For each method, is the attack a reasonable thing for someone to do if they had that kind of access? Does one require so much effort that it's not worth it?
When in doubt, ask for help from a colleague that may have more experience with IT and web application security. Sometimes the simple excercise of talking it through with another person will surface additional ideas. Additionally, you should review the OWASP Top 10 list to make sure you're aware of all the various types of attacks. Finally, you find it helpful to search the internet to see if there are others experiencing a similar breach. Often times these attacks are performed by bots that scan a large quantity of websites, so there may be some known signatures to look for as well as solutions to correct and/or mitigate the vulnerability.
If you're lucky, one or two of the potential ways to break in will be the obvious choice. So, block that weakness!
Sidebar: Attackers Have Workflows Too
Just like you have a workflow for building a site, attackers have workflows for attacking a site. Loosely speaking, the first step that matters to you is when they have broken into the site. There is often a software bot and/or group of people who are working on this piece and they are not necessarily the people who will exploit the site. Once they have established a foothold, the next step may not come for days or months.
Next is learning about the site and deciding what to do with it. If the site houses a large number of accounts or sensitive data then that is a resource. If it's on a big private network then that becomes something new to explore and exploit. Maybe it's just a clean IP to use to send spam. Maybe it gets a lot of traffic and is a good point to use to distribute malware. If it's got a high search engine rank it can be a place from which to link to other sites and earn search-engine reputation.
Once the potential value of your site is understood it's time to start exploiting it. Attackers may do multiple things at the same time: start by exfiltrating the email/password list and then leave some malware and search-engine links. If your content is particularly sensitive they may copy it and then clean up their tracks so you don't suspect any data was stolen.
If you see signs of a break-in but not of any damage, perhaps you stopped the process early, or perhaps they abused the site in ways that don't leave traces and then haven't done anything else.
Reference-git2020
β β β Uππ»βΊπ«Δπ¬πβ β β β
Step 5: Begin investigating the attack
Whatever tipped you off to the fact that you were compromised is the first step in investigating the attack. If your page content was changed, spam emails were sent, information stolen and used for some purpose, malware uploaded to the site, whatever the compromise is - consider how the attacker could have achieved that. List out every way you can think of that someone could make that change. There are two goals to this exercise: first, you'll help pin down how you got attacked so you can close that hole. Second, you'll identify other things the attacker could have done based on the means they used to attack your site. Try to be creative and don't throw out any possibilities as "too hard" or "technically impossible" - your attacker was probably creative and your site may not work exactly as you think it does.
Once you have a list of ways, start trying to pin down which is most likely. Which requires the least effort? What evidence would there be for each one? Do you see examples of that evidence? For each method, is the attack a reasonable thing for someone to do if they had that kind of access? Does one require so much effort that it's not worth it?
When in doubt, ask for help from a colleague that may have more experience with IT and web application security. Sometimes the simple excercise of talking it through with another person will surface additional ideas. Additionally, you should review the OWASP Top 10 list to make sure you're aware of all the various types of attacks. Finally, you find it helpful to search the internet to see if there are others experiencing a similar breach. Often times these attacks are performed by bots that scan a large quantity of websites, so there may be some known signatures to look for as well as solutions to correct and/or mitigate the vulnerability.
If you're lucky, one or two of the potential ways to break in will be the obvious choice. So, block that weakness!
Sidebar: Attackers Have Workflows Too
Just like you have a workflow for building a site, attackers have workflows for attacking a site. Loosely speaking, the first step that matters to you is when they have broken into the site. There is often a software bot and/or group of people who are working on this piece and they are not necessarily the people who will exploit the site. Once they have established a foothold, the next step may not come for days or months.
Next is learning about the site and deciding what to do with it. If the site houses a large number of accounts or sensitive data then that is a resource. If it's on a big private network then that becomes something new to explore and exploit. Maybe it's just a clean IP to use to send spam. Maybe it gets a lot of traffic and is a good point to use to distribute malware. If it's got a high search engine rank it can be a place from which to link to other sites and earn search-engine reputation.
Once the potential value of your site is understood it's time to start exploiting it. Attackers may do multiple things at the same time: start by exfiltrating the email/password list and then leave some malware and search-engine links. If your content is particularly sensitive they may copy it and then clean up their tracks so you don't suspect any data was stolen.
If you see signs of a break-in but not of any damage, perhaps you stopped the process early, or perhaps they abused the site in ways that don't leave traces and then haven't done anything else.
Reference-git2020
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SCRIPTING UTILITIES :
* [IDC Functions Doc](https://www.hex-rays.com/products/ida/support/idadoc/162.shtml)
* [Using IDAPython to Make your Life Easier](http://researchcenter.paloaltonetworks.com/tag/idapython/)
* [Introduction to IDA Python](https://tuts4you.com/download.php?view.3229)
* [The Beginner's Guide to IDA Python](https://leanpub.com/IDAPython-Book)
* [IDA Plugin Contest](https://www.hex-rays.com/contests/)
* [onehawt IDA Plugin List](https://github.com/onethawt/idaplugins-list)
* [pefile Python Library](https://github.com/erocarrera/pefile)
git resources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦SCRIPTING UTILITIES :
* [IDC Functions Doc](https://www.hex-rays.com/products/ida/support/idadoc/162.shtml)
* [Using IDAPython to Make your Life Easier](http://researchcenter.paloaltonetworks.com/tag/idapython/)
* [Introduction to IDA Python](https://tuts4you.com/download.php?view.3229)
* [The Beginner's Guide to IDA Python](https://leanpub.com/IDAPython-Book)
* [IDA Plugin Contest](https://www.hex-rays.com/contests/)
* [onehawt IDA Plugin List](https://github.com/onethawt/idaplugins-list)
* [pefile Python Library](https://github.com/erocarrera/pefile)
git resources
β β β Uππ»βΊπ«Δπ¬πβ β β β
Leanpub
The Beginner's Guide to IDAPython
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
You're finally dying, Flash! You, software serial killer!
#Vulnerabilities
#Vulnerabilities
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦STILL LOOKING FOR THE FASTEST INTERNET DOWNLOAD MANAGER FOR WINDOWS ?
https://jdownloader.org/home/index
http://www.internetdownloadmanager.com/
https://beebom.com/best-windows-10-apps/
https://www.freedownloadmanager.org/
http://www.eagleget.com/
https://ugetdm.com/
http://xdman.sourceforge.net/
https://wordrider.net/freerapid/index.html
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦STILL LOOKING FOR THE FASTEST INTERNET DOWNLOAD MANAGER FOR WINDOWS ?
https://jdownloader.org/home/index
http://www.internetdownloadmanager.com/
https://beebom.com/best-windows-10-apps/
https://www.freedownloadmanager.org/
http://www.eagleget.com/
https://ugetdm.com/
http://xdman.sourceforge.net/
https://wordrider.net/freerapid/index.html
β β β Uππ»βΊπ«Δπ¬πβ β β β
Internetdownloadmanager
Internet Download Manager is a powerful download accelerator
Internet Download Manager (IDM) is a tool to increase download speeds by up to 10 times, resume or schedule downloads and download streaming videos
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Amazon is transferring $ 30 million to AllCloud to transfer Israeli companies to its cloud.
#international
#international
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦a simple paid apk with great features:
Tracking a set of texts, SMS-messages, online correspondence in chats, history of visiting pages on the Internet, calls, contacts, emails, photos and videos in invisible mode;
Access to the online control panel via a computer for remote viewing of recorded and tracked information;
Support for working with almost any device;
Ability to work with gadgets from "Apple" without breaking the system;
Simple registration of an account on the official website;
The program works in a hidden mode, which prevents its deactivation by your children or inexperienced users;
Mobistealth helps protect your children from various cyber threats associated with fraud and extortion;
The software installation takes a few minutes;
Leaders of organizations get the opportunity to better optimize their workflow by tracking employees using Mobistealth software tools;
The cost of maintaining a single device tracking app starts at just $ 0.50 per day.
A) Contact Tracking:
You will always be aware of who your child is communicating with, and if he tries to make an appointment and enter this event in the electronic calendar on your phone, then you will know about it.
B) Voice call tracking tools:
In addition to the fact that with the help of "Mobistealth" you can view the list of outgoing and incoming calls, it is also possible to listen to the voice communication of the interlocutors during regular calls, as well as when talking through various instant messengers.
C) Recording messages:
If your child is actively communicating on social networks, then you can find out every word that he writes to the interlocutor on various popular services, including Skype, Viber, WhatsApp and KiK.
D) Tracking emails:
The Mobistealth program has a built-in keylogger that reads all keystrokes on a smartphone, which can be very useful for obtaining passwords from accounts on various Internet resources.
E) Viewing the history of visits to web pages:
Allows you to find out which sites your child visits frequently in order to further block unwanted web addresses.
F) Taking screenshots of the desktop:
Allows you to see applications that were recently installed, after which the corresponding icons appear on the smartphone. In addition, installed unwanted software can be easily removed using the Mobistealth tools through the control panel.
G) Sound recording via built-in microphone:
With this option, you can use your smartphone as an ordinary "bug", listening to all conversations around the device.
H) Tracking SMS messages:
You can read all text messages received through your mobile operator.
https://www.mobistealth.com/
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦a simple paid apk with great features:
Tracking a set of texts, SMS-messages, online correspondence in chats, history of visiting pages on the Internet, calls, contacts, emails, photos and videos in invisible mode;
Access to the online control panel via a computer for remote viewing of recorded and tracked information;
Support for working with almost any device;
Ability to work with gadgets from "Apple" without breaking the system;
Simple registration of an account on the official website;
The program works in a hidden mode, which prevents its deactivation by your children or inexperienced users;
Mobistealth helps protect your children from various cyber threats associated with fraud and extortion;
The software installation takes a few minutes;
Leaders of organizations get the opportunity to better optimize their workflow by tracking employees using Mobistealth software tools;
The cost of maintaining a single device tracking app starts at just $ 0.50 per day.
A) Contact Tracking:
You will always be aware of who your child is communicating with, and if he tries to make an appointment and enter this event in the electronic calendar on your phone, then you will know about it.
B) Voice call tracking tools:
In addition to the fact that with the help of "Mobistealth" you can view the list of outgoing and incoming calls, it is also possible to listen to the voice communication of the interlocutors during regular calls, as well as when talking through various instant messengers.
C) Recording messages:
If your child is actively communicating on social networks, then you can find out every word that he writes to the interlocutor on various popular services, including Skype, Viber, WhatsApp and KiK.
D) Tracking emails:
The Mobistealth program has a built-in keylogger that reads all keystrokes on a smartphone, which can be very useful for obtaining passwords from accounts on various Internet resources.
E) Viewing the history of visits to web pages:
Allows you to find out which sites your child visits frequently in order to further block unwanted web addresses.
F) Taking screenshots of the desktop:
Allows you to see applications that were recently installed, after which the corresponding icons appear on the smartphone. In addition, installed unwanted software can be easily removed using the Mobistealth tools through the control panel.
G) Sound recording via built-in microphone:
With this option, you can use your smartphone as an ordinary "bug", listening to all conversations around the device.
H) Tracking SMS messages:
You can read all text messages received through your mobile operator.
https://www.mobistealth.com/
β β β Uππ»βΊπ«Δπ¬πβ β β β
Mobistealth
Best Parental Control And Monitoring App | Mobistealth
Best Cell Phone and Computer Monitoring software to monitor all activities. View Text Messages, Track Location, Log Keystrokes and much more!
Forwarded from UNDERCODE NEWS
UNDERCODE COMMUNITY
Lateral Movement β RDP.pdf
some pdfs from git
βWinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed via HTTP (5985) or HTTPS SOAP (5986) and support Kerberos and NTLM authentication by default and Basic authentication. Usage of this service requires administrator level credentials
βWinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed via HTTP (5985) or HTTPS SOAP (5986) and support Kerberos and NTLM authentication by default and Basic authentication. Usage of this service requires administrator level credentials
Forwarded from UNDERCODE NEWS
Sberbank and Microsoft have created a robot that carries bags of money and can extract oil.
#Technologies
#Technologies
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Updated Network and Web Pentest Automation Framework
F E A T U R E S :
Many supported Services: Target most common TCP/UDP services (HTTP, FTP, SSH, SMB, Oracle, MS-SQL, MySQL, PostgreSQL, VNC, etc.).
Combine Power of Tools: Each security check is performed by a tool from the toolbox. Attacks are performed by chaining security checks.
Context Awareness: Security checks to run are selected and adapted according to the context of the target (i.e. detected technologies, credentials, vulnerabilities, etc.).
Reconnaissance: Automatic fingerprinting (product detection) of targeted services is performed.
CVE Lookup: When product names and their versions are detected, a vulnerability lookup is performed on online CVE
databases (using Vulners & CVE Details).
Vulnerability Scanning: Automatically check for common vulnerabilities and attempt to perform some exploitations (auto-pwn).
Brute-force Attack: Automatically check for default/common credentials on the service and perform dictionnary attack if necessary. Wordlists are optimized according to the targeted services.
Post-authentication Testing: Automatically perform some post-exploitation checks when valid credentials have been found.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone https://github.com/koutto/jok3r.git
2) cd jok3r
3) Show all the tools in the toolbox:
python3 jok3r.py toolbox --show-all
4) Install all the tools in the toolbox (already done in Docker container):
python3 jok3r.py toolbox --install-all --auto
5)Update all the tools in the toolbox and prompt each time to check update:
6) python3 jok3r.py toolbox --update-all
Update all the tools in the toolbox without any prompt:
python3 jok3r.py toolbox --update-all --auto
7) Security Testing
Create a new mission in local database:
python3 jok3r.py db
jok3rdb[default]> mission -a mayhem
[+] Mission "mayhem" successfully added
[*] Selected mission is now mayhem
jok3rdb[mayhem]>
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Updated Network and Web Pentest Automation Framework
F E A T U R E S :
Many supported Services: Target most common TCP/UDP services (HTTP, FTP, SSH, SMB, Oracle, MS-SQL, MySQL, PostgreSQL, VNC, etc.).
Combine Power of Tools: Each security check is performed by a tool from the toolbox. Attacks are performed by chaining security checks.
Context Awareness: Security checks to run are selected and adapted according to the context of the target (i.e. detected technologies, credentials, vulnerabilities, etc.).
Reconnaissance: Automatic fingerprinting (product detection) of targeted services is performed.
CVE Lookup: When product names and their versions are detected, a vulnerability lookup is performed on online CVE
databases (using Vulners & CVE Details).
Vulnerability Scanning: Automatically check for common vulnerabilities and attempt to perform some exploitations (auto-pwn).
Brute-force Attack: Automatically check for default/common credentials on the service and perform dictionnary attack if necessary. Wordlists are optimized according to the targeted services.
Post-authentication Testing: Automatically perform some post-exploitation checks when valid credentials have been found.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1) git clone https://github.com/koutto/jok3r.git
2) cd jok3r
3) Show all the tools in the toolbox:
python3 jok3r.py toolbox --show-all
4) Install all the tools in the toolbox (already done in Docker container):
python3 jok3r.py toolbox --install-all --auto
5)Update all the tools in the toolbox and prompt each time to check update:
6) python3 jok3r.py toolbox --update-all
Update all the tools in the toolbox without any prompt:
python3 jok3r.py toolbox --update-all --auto
7) Security Testing
Create a new mission in local database:
python3 jok3r.py db
jok3rdb[default]> mission -a mayhem
[+] Mission "mayhem" successfully added
[*] Selected mission is now mayhem
jok3rdb[mayhem]>
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - koutto/jok3r: Jok3r v3 BETA 2 - Network and Web Pentest Automation Framework
Jok3r v3 BETA 2 - Network and Web Pentest Automation Framework - koutto/jok3r
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦FULL METASPLOIT COURSES :
https://www.youtube.com/watch?v=hJEzf3DPRvc
18 MIN
https://www.youtube.com/watch?v=cqxEXqizcHc
https://youtu.be/_C7nRJ6WsmI
4 HOURS
https://null-byte.wonderhowto.com/how-to/hack-like-pro-evade-av-software-with-shellter-0168504/
42 min
https://youtu.be/Zx9Jy7z0zCM
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦FULL METASPLOIT COURSES :
https://www.youtube.com/watch?v=hJEzf3DPRvc
18 MIN
https://www.youtube.com/watch?v=cqxEXqizcHc
https://youtu.be/_C7nRJ6WsmI
4 HOURS
https://null-byte.wonderhowto.com/how-to/hack-like-pro-evade-av-software-with-shellter-0168504/
42 min
https://youtu.be/Zx9Jy7z0zCM
β β β Uππ»βΊπ«Δπ¬πβ β β β
YouTube
Hacking Tutorial 3: Metasploit Framework introduction and first attack
This video shows how to harness the power of Metasploit Framework - the ultimate penetration testing tool. Metasploit has a modular structure supporting thousands of auxiliary tools (e.g. scanning), exploits, payloads and so forth.
The video demonstratesβ¦
The video demonstratesβ¦