Forwarded from UNDERCODE NEWS
After causing an 18-year-old Russian man to freeze to death, Google Maps announces improvements to navigation routes.
#Updates
#Updates
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦A free real collection of Burpsuite Intruder payloads
> BurpBounty payloads, fuzz list
> malicious file uploads
> web pentesting methodologies and checklists.
Spiders, Robots and Crawlers IG-001
Search Engine Discovery/Reconnaissance IG-002
Identify application entry points IG-003
Testing for Web Application Fingerprint IG-004
Application Discovery IG-005
Analysis of Error Codes IG-006
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness CMβ001
DB Listener Testing - DB Listener weak CMβ002
Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness CMβ003
Application Configuration Management Testing - Application Configuration management weakness CMβ004
Testing for File Extensions Handling - File extensions handling CMβ005
Old, backup and unreferenced files - Old, backup and unreferenced files CMβ006
Infrastructure and Application Admin Interfaces - Access to Admin interfaces CMβ007
Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb CMβ008
Credentials transport over an encrypted channel - Credentials transport over an encrypted channel AT-001
Testing for user enumeration - User enumeration AT-002
Testing for Guessable (Dictionary) User Account - Guessable user account AT-003
Brute Force Testing - Credentials Brute forcing AT-004
Testing for bypassing authentication schema - Bypassing authentication schema AT-005
Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset AT-006
Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness AT-007
Testing for CAPTCHA - Weak Captcha implementation AT-008
Testing Multiple Factors Authentication - Weak Multiple Factors Authentication AT-009
Testing for Race Conditions - Race Conditions vulnerability AT-010
Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token SM-001
Testing for Cookies attributes - Cookies are set not βHTTP Onlyβ, βSecureβ, and no time validity SM-002
Testing for Session Fixation - Session Fixation SM-003
Testing for Exposed Session Variables - Exposed sensitive session variables SM-004
Testing for CSRF - CSRF SM-005
Testing for Path Traversal - Path Traversal AZ-001
Testing for bypassing authorization schema - Bypassing authorization schema AZ-002
Testing for Privilege Escalation - Privilege Escalation AZ-003
Testing for Business Logic - Bypassable business logic BL-001
Testing for Reflected Cross Site Scripting - Reflected XSS DV-001
Testing for Stored Cross Site Scripting - Stored XSS DV-002
Testing for DOM based Cross Site Scripting - DOM XSS DV-003
Testing for Cross Site Flashing - Cross Site Flashing DV-004
SQL Injection - SQL Injection DV-005
LDAP Injection - LDAP Injection DV-006
ORM Injection - ORM Injection DV-007
XML Injection - XML Injection DV-008
SSI Injection - SSI Injection DV-009
XPath Injection - XPath Injection DV-010
IMAP/SMTP Injection - IMAP/SMTP Injection DV-011
Code Injection - Code Injection DV-012
OS Commanding - OS Commanding DV-013
Buffer overflow - Buffer overflow DV-014
Incubated vulnerability - Incubated vulnerability DV-015
Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling DV-016
Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability DS-001
Locking Customer Accounts - Locking Customer Accounts DS-002
Testing for DoS Buffer Overflows - Buffer Overflows DS-003
User Specified Object Allocation - User Specified Object Allocation DS-004
User Input as a Loop Counter - User Input as a Loop Counter DS-005
Writing User Provided Data to Disk - Writing User Provided Data to Disk DS-006
Failure to Release Resources - Failure to Release Resources DS-007
Storing too Much Data in Session - Storing too Much Data in Session DS-008
WS Information Gathering - N.A. WS-001
Testing WSDL - WSDL Weakness WS-002
FREE :
https://github.com/1N3/IntruderPayloads
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦A free real collection of Burpsuite Intruder payloads
> BurpBounty payloads, fuzz list
> malicious file uploads
> web pentesting methodologies and checklists.
Spiders, Robots and Crawlers IG-001
Search Engine Discovery/Reconnaissance IG-002
Identify application entry points IG-003
Testing for Web Application Fingerprint IG-004
Application Discovery IG-005
Analysis of Error Codes IG-006
SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) - SSL Weakness CMβ001
DB Listener Testing - DB Listener weak CMβ002
Infrastructure Configuration Management Testing - Infrastructure Configuration management weakness CMβ003
Application Configuration Management Testing - Application Configuration management weakness CMβ004
Testing for File Extensions Handling - File extensions handling CMβ005
Old, backup and unreferenced files - Old, backup and unreferenced files CMβ006
Infrastructure and Application Admin Interfaces - Access to Admin interfaces CMβ007
Testing for HTTP Methods and XST - HTTP Methods enabled, XST permitted, HTTP Verb CMβ008
Credentials transport over an encrypted channel - Credentials transport over an encrypted channel AT-001
Testing for user enumeration - User enumeration AT-002
Testing for Guessable (Dictionary) User Account - Guessable user account AT-003
Brute Force Testing - Credentials Brute forcing AT-004
Testing for bypassing authentication schema - Bypassing authentication schema AT-005
Testing for vulnerable remember password and pwd reset - Vulnerable remember password, weak pwd reset AT-006
Testing for Logout and Browser Cache Management - - Logout function not properly implemented, browser cache weakness AT-007
Testing for CAPTCHA - Weak Captcha implementation AT-008
Testing Multiple Factors Authentication - Weak Multiple Factors Authentication AT-009
Testing for Race Conditions - Race Conditions vulnerability AT-010
Testing for Session Management Schema - Bypassing Session Management Schema, Weak Session Token SM-001
Testing for Cookies attributes - Cookies are set not βHTTP Onlyβ, βSecureβ, and no time validity SM-002
Testing for Session Fixation - Session Fixation SM-003
Testing for Exposed Session Variables - Exposed sensitive session variables SM-004
Testing for CSRF - CSRF SM-005
Testing for Path Traversal - Path Traversal AZ-001
Testing for bypassing authorization schema - Bypassing authorization schema AZ-002
Testing for Privilege Escalation - Privilege Escalation AZ-003
Testing for Business Logic - Bypassable business logic BL-001
Testing for Reflected Cross Site Scripting - Reflected XSS DV-001
Testing for Stored Cross Site Scripting - Stored XSS DV-002
Testing for DOM based Cross Site Scripting - DOM XSS DV-003
Testing for Cross Site Flashing - Cross Site Flashing DV-004
SQL Injection - SQL Injection DV-005
LDAP Injection - LDAP Injection DV-006
ORM Injection - ORM Injection DV-007
XML Injection - XML Injection DV-008
SSI Injection - SSI Injection DV-009
XPath Injection - XPath Injection DV-010
IMAP/SMTP Injection - IMAP/SMTP Injection DV-011
Code Injection - Code Injection DV-012
OS Commanding - OS Commanding DV-013
Buffer overflow - Buffer overflow DV-014
Incubated vulnerability - Incubated vulnerability DV-015
Testing for HTTP Splitting/Smuggling - HTTP Splitting, Smuggling DV-016
Testing for SQL Wildcard Attacks - SQL Wildcard vulnerability DS-001
Locking Customer Accounts - Locking Customer Accounts DS-002
Testing for DoS Buffer Overflows - Buffer Overflows DS-003
User Specified Object Allocation - User Specified Object Allocation DS-004
User Input as a Loop Counter - User Input as a Loop Counter DS-005
Writing User Provided Data to Disk - Writing User Provided Data to Disk DS-006
Failure to Release Resources - Failure to Release Resources DS-007
Storing too Much Data in Session - Storing too Much Data in Session DS-008
WS Information Gathering - N.A. WS-001
Testing WSDL - WSDL Weakness WS-002
FREE :
https://github.com/1N3/IntruderPayloads
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - 1N3/IntruderPayloads: A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploadsβ¦
A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists. - 1N3/IntruderPayloads
Forwarded from UNDERCODE NEWS
The explanation for the failure of the deal to sell the bank to Yandex was discovered by Tinkov. The $200 million he was underpaid.
#International
#International
Forwarded from UNDERCODE NEWS
A journalist uses a zoom to penetrate a "secret" European meeting of Defense Ministers.
#International
#International
β β β Uππ»βΊπ«Δπ¬πβ β β β
Local DNS caching any linux :
1. apt-get install dnsmasq
2. configure
This will tune dnsmasq to standalone mode, not sort of
plugin of NetworkManager.
vim /etc/dnsmasq.conf
+ resolv-file=/etc/???upstream-of-dnsmasq.conf
+ listen..
+ port
+ ...
vim /etc/???upstream-of-dnsmasq.conf
+ nameserver 8.8.8.8
+ nameserver 8.8.4.4
+ nameserver 2001:4860:4860::8888
vim /etc/resolv.conf
ONLY THESE TWO LINE
nameserver 127.0.0.1
nameserver ::1
3. service ... start OR systemctl ... start ..
HINT
WHAT if dnsmasq faild to start ?
/sbin/dnsmasq --test
then check the error message.
Ref: apach
β β β Uππ»βΊπ«Δπ¬πβ β β β
Local DNS caching any linux :
1. apt-get install dnsmasq
2. configure
This will tune dnsmasq to standalone mode, not sort of
plugin of NetworkManager.
vim /etc/dnsmasq.conf
+ resolv-file=/etc/???upstream-of-dnsmasq.conf
+ listen..
+ port
+ ...
vim /etc/???upstream-of-dnsmasq.conf
+ nameserver 8.8.8.8
+ nameserver 8.8.4.4
+ nameserver 2001:4860:4860::8888
vim /etc/resolv.conf
ONLY THESE TWO LINE
nameserver 127.0.0.1
nameserver ::1
3. service ... start OR systemctl ... start ..
HINT
WHAT if dnsmasq faild to start ?
/sbin/dnsmasq --test
then check the error message.
Ref: apach
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
TikTok showed stable progress in 2020, with US-China tension still creating anxiety in 2020.
#Updates
#Updates
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
ddos for beginers, videos, tools,tutorials :
R-U-Dead-Yet(RUDY)HTTP DoS attack https://en.wikipedia.org/wiki/R-U-Dead-Yet https://sourceforge.net/projects/r-u-dead-yet/
R-U-Dead-Yet, RUDY DDoS Attack Tool----a low and slow DoS attack tool https://www.youtube.com/watch?v=k1o9Ya8qxlU
THC-SSL-DOS Attack Tool https://www.youtube.com/watch?v=Ex2xz0ZOKKs
Slowloris DOS/DDOS attack tool https://www.youtube.com/watch?v=8Yl1ddOp3wM Slowloris--Powerful DOS attack perl program https://github.com/hackerimranahmed/Slowloris https://en.wikipedia.org/wiki/Slowloris_(computer_security)
Top 15 DDoS Tools https://www.youtube.com/watch?v=zflrijcVYcg
HULK 2. LOIC 3. XOIC 4. DDOSIM 5. RUDY
Torβs Hammer 7. PyLoris 8. Slowloris
OWASP DOS HTTP POST 10. DAVOSET
GoldenEye 12. Hyenae 13. Hping3
Apache BenchMark Tool 15. Thc-ssl-dos
ZAmbIE is a Toolkit(not finished yet) Made By Lunatic2 for DDoS Attacks https://github.com/zanyarjamal/zambie https://www.youtube.com/watch?v=wJOdtG3r3J8
xerxes website ddos tool on kali linux 2017.1 https://www.youtube.com/watch?v=qMjYDoqG13Y https://github.com/zanyarjamal/xerxes
β β β Uππ»βΊπ«Δπ¬πβ β β β
ddos for beginers, videos, tools,tutorials :
R-U-Dead-Yet(RUDY)HTTP DoS attack https://en.wikipedia.org/wiki/R-U-Dead-Yet https://sourceforge.net/projects/r-u-dead-yet/
R-U-Dead-Yet, RUDY DDoS Attack Tool----a low and slow DoS attack tool https://www.youtube.com/watch?v=k1o9Ya8qxlU
THC-SSL-DOS Attack Tool https://www.youtube.com/watch?v=Ex2xz0ZOKKs
Slowloris DOS/DDOS attack tool https://www.youtube.com/watch?v=8Yl1ddOp3wM Slowloris--Powerful DOS attack perl program https://github.com/hackerimranahmed/Slowloris https://en.wikipedia.org/wiki/Slowloris_(computer_security)
Top 15 DDoS Tools https://www.youtube.com/watch?v=zflrijcVYcg
HULK 2. LOIC 3. XOIC 4. DDOSIM 5. RUDY
Torβs Hammer 7. PyLoris 8. Slowloris
OWASP DOS HTTP POST 10. DAVOSET
GoldenEye 12. Hyenae 13. Hping3
Apache BenchMark Tool 15. Thc-ssl-dos
ZAmbIE is a Toolkit(not finished yet) Made By Lunatic2 for DDoS Attacks https://github.com/zanyarjamal/zambie https://www.youtube.com/watch?v=wJOdtG3r3J8
xerxes website ddos tool on kali linux 2017.1 https://www.youtube.com/watch?v=qMjYDoqG13Y https://github.com/zanyarjamal/xerxes
β β β Uππ»βΊπ«Δπ¬πβ β β β
Wikipedia
R-U-Dead-Yet
R.U.D.Y., short for R U Dead Yet, is an acronym used to describe a Denial of Service (DoS) tool used by hackers to perform slow-rate a.k.a. βLow and slowβ attacks by directing long form fields to the targeted server. It is known to have an interactive consoleβ¦
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
The digital taxes on Facebook, Google and other technology firms has resumed in France.
#International
#International
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦CENTOS SECURITY TIPS :
1) Disable unnecessary commands SUID and SGID
If the setuid and setgid bits are set in binaries, these commands can run tasks with other user or group privileges, such as root privilege, which can lead to serious security problems.
Often, buffer overflow attacks can exploit these executables to run unauthorized code as root.
# find / -path / proc -prune -o -type f \ (-perm -4000 -o -perm -2000 \) -exec ls -l {} \;
To clear the setuid bit, run the following command:
# chmod us / path / to / binary_file
To clear the setgid bit, run the following command:
# chmod gs / path / to / binary_file
22. Check for unknown files and directories
Files or directories not owned by an existing account must be removed or user and group rights assigned.
Run the find command below to get a list of files or directories without users and groups.
# find / -nouser -o -nogroup -exec ls -l {} \;
2) List of files available for recording
Keeping a writable file on the system can be dangerous because anyone can change it.
Run the command below to display writable files other than symbolic links which are always writable to everyone.
# find / -path / proc -prune -o -perm -2! -type l βls
3) Create strong passwords
Create a password that is at least eight characters long.
Password must contain numbers, special characters and capital letters.
Use pwmake to generate a 128-bit password from / dev / urandom.
# pwmake 128
25. Implement a strong password policy
Force the system to use strong passwords by adding the following line to the /etc/pam.d/passwd file:
password required pam_pwquality.so retry = 3
By adding this line, you are entering a policy where the entered password cannot contain more than 3 characters in a monotone sequence, for example abcd, and more than 3 identical consecutive characters, for example 1111.
To force users to use a password of at least 8 characters, including all character classes, sequential character checking, add the following lines to /etc/security/pwquality.conf:
minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦CENTOS SECURITY TIPS :
1) Disable unnecessary commands SUID and SGID
If the setuid and setgid bits are set in binaries, these commands can run tasks with other user or group privileges, such as root privilege, which can lead to serious security problems.
Often, buffer overflow attacks can exploit these executables to run unauthorized code as root.
# find / -path / proc -prune -o -type f \ (-perm -4000 -o -perm -2000 \) -exec ls -l {} \;
To clear the setuid bit, run the following command:
# chmod us / path / to / binary_file
To clear the setgid bit, run the following command:
# chmod gs / path / to / binary_file
22. Check for unknown files and directories
Files or directories not owned by an existing account must be removed or user and group rights assigned.
Run the find command below to get a list of files or directories without users and groups.
# find / -nouser -o -nogroup -exec ls -l {} \;
2) List of files available for recording
Keeping a writable file on the system can be dangerous because anyone can change it.
Run the command below to display writable files other than symbolic links which are always writable to everyone.
# find / -path / proc -prune -o -perm -2! -type l βls
3) Create strong passwords
Create a password that is at least eight characters long.
Password must contain numbers, special characters and capital letters.
Use pwmake to generate a 128-bit password from / dev / urandom.
# pwmake 128
25. Implement a strong password policy
Force the system to use strong passwords by adding the following line to the /etc/pam.d/passwd file:
password required pam_pwquality.so retry = 3
By adding this line, you are entering a policy where the entered password cannot contain more than 3 characters in a monotone sequence, for example abcd, and more than 3 identical consecutive characters, for example 1111.
To force users to use a password of at least 8 characters, including all character classes, sequential character checking, add the following lines to /etc/security/pwquality.conf:
minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3
β β β Uππ»βΊπ«Δπ¬πβ β β β