▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Analysis of DLink RCE Vulnerability CVE-2019-17621
fb.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> Environment construction
Before installing and configuring the operating environment, you must know the version of the Linux system you are using and the version of Qemu, because this directly affects your subsequent choice of installing various dependent packages, mips qemu images, etc., all versions correspond to . The RUN the To correctly & Final System of The Basic Environment for the this IS The Vulnerability Analysis and Machine The Virtual Previous Ubuntu18.04 Qemu Compiled and Runtime Environment based Installed The ON-QEMU 4.0.0 Source code:

1) QEMU Image at The debianmips the Download from Site at The https://people.debian.org/~aurel32/qemu/mips/ . Since at The Virtual Machine IS Ubuntu Linux, download debian_squeeze_mips_standard.qcow2 and vmlinux-2.6.32-5-4kc-malta

🦑 MIPS system network configuration

1) To use QEMU to run a MIPS system, you need to set the ubuntu virtual machine as a bridge, so that the ubuntu system can communicate with the QEMU virtual machine and transmit data (this operation is similar to configuring the VMware Workstation bridge to communicate with the physical machine).

2) To get the installation dependencies, execute the following command:

> sudo apt-get install bridge-utils uml-utilities

> Ubuntu modified host network configuration, the network interface

> ubuntu configuration file / etc / network / interfaces modified as follows and save it, close:
sudo gedit /etc/network/interfaces

3) Modified QEMU network interface startup script, reboot the network configuration to take effect, execute the following command:

sudo gedit /etc/qemu-ifup

🦑Save the file / etc / qemu-ifup later, given executable permissions, and then restart all network configurations take effect:

> sudo chmod a + x / etc / qemu-ifup

> sudo /etc/init.d/networking restart

🦑 QEMU launch configuration
Before Qemu run to start bridging network, execute the following command in the local ubuntu command line terminal (Note: ens33 as the default ubuntu NIC):

> sudo ifdown ens33

> sudo ifup br0

>QEMU MIPS virtual machine starts
Mips into the front of a mirror download directory, execute the following command:

sudo qemu-system-mips -M malta -kernelvmlinux-2.6.32-5-4kc-malta -hda debian_

> Input root / root sign can mips QEMU virtual machine, the operation will be more mips to the virtual machine, it may open a new unbuntu terminal, connected to the SSH qemu mips:

🦑 Firmware simulation run
fb.com/undercodetesting
At The Router Firmware containing at The the Download Vulnerable Version from DLink at The Official Website: ftp://ftp2.dlink.com/PRODUCTS/DIR-859/DIR-859_REVA_FIRMWARE_v1.05B03.zip , to use binwalk-Me Directly at The Firmware to Decompress at The GET file system file:

> The firmware simulation operation can be considered in two ways:

1) upload the file system to the qemu mips virtual machine to run; ② run the firmware with the firmadyne tool (of course, you can also try AttifyOS VM):

2) Use the scp command to upload the squashfs-root directory to the qemu mips virtual machine:

3) chroot / root / squashfs-root sh

4) Run firmware with the help of firmadyne tool

Firmadyne is an automated analytical framework can be cut and firmware for embedded Linux systems, it supports reverse QEMU system firmware embedded system simulation execution, use it to simulate router firmware, perform router. Installation and use methods detailed https://github.com/ firmadyne / firmadyne . Note: Firmadyne Before installation, install firmware-analysis-toolkit, installation methods are detailed in https://github.com/attify/firmware-analysis-toolkit , after the installation is complete directories created firmadyne in firmware-analysis -toolkit directory and download installation Firmadyne.After completion of all of the respective mounting as follows (note that two tools to be installed in full in accordance with the steps, or subsequent firmware will run error):

5) Fat.py first move files in and reset.py firmware-analysis-toolkit firmadyne directory to the directory; proceed to set the path firmadyne.config firmadyne modified as follows:

6) The firmware files copied to the bin directory firmadyne continue to execute the following command:

rm -rf images*

python3 reset.py

sudo -u postgres createdb -O firmadyne firmware

sudo -u postgres psql -d firmware < ./database/schema

./sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np-nk "DIR859Ax_FW105b03.bin" images

./scripts/getArch.sh ./images/1.tar.gz

./scripts/makeImage.sh 1

./scripts/inferNetwork.sh 1

./scratch/1/run.sh

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

2) Remote debugging
At The Router Firmware has been successfully RUN, and the then at The target Program CAN BE debugged. At the this Time, Remote the debugging CAN BE Performed with at The Help of IDA in at The PHYSICAL Machine (of Course,, IDA CAN Also BE Installed in Ubuntu). There are still two ideas for debugging:

3) In the qemu mips virtual machine, use the static gdbserver and remote IDA's "remote GDB debugger" function to dynamically debug the target mips program. It should be noted here that the static gdbserver file format must correspond to the big / small end of the . mips system You can use the file command to view information about the firmware:

4) Therefore, you must first cross-compile to obtain a static gdbserver file in 32-bit MSB format. You can choose Openwrt or Buildroot for cross-compilation, which is omitted here.

After > in ubuntu solving firmware file system, use the chroot command, with qemu-mips-static run target file (cgibin object files), then Accessories IDA dynamic remote debugging, first perform the following command in ubuntu in:

> chroot ../qemu-mips-static -g 1235./htdocs/cgibin
...

END OF TUTORIAL
WRITTEN BY UNDERCODE
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Fast Tutorial For beginers + Pictures Bugs Wifi
Analysis of DLink RCE Vulnerability CVE-2019-17621

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 Optimize script, High-Performance Monitoring System :
t.me/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) mkdir -p $GOPATH/src/github.com/didi

2) cd $GOPATH/src/github.com/didi

3) git clone https://github.com/didi/nightingale.git

4) cd nightingale

# export env[GOPROXY] if your network is not good

# export GOPROXY=https://mirrors.aliyun.com/goproxy/

5) ./control build

🦑FEATURES :

Scalability
Scalable monitoring system is necessary to support rapid business growth. Each module of Nightingale is super easy to scale horizontally.

Performance
With RRA(Round Robin Archive) mechanism and memory TSDB, the one-year history data of 100+ metrics could be returned in just one second.

High Availability
No critical single point of failure, easy to operate and deploy. The system will not be affected if any machine is hung up.

Flexibility
Nightingale collector is compatible with falcon-agent. Plugin mechanism and log collector are built-in.

Efficiency
Integrated with object tree, Nightingale supports strategy inheritance, multiple alerting method, and callback for recovery.

Easy Deployment
All modules have been rewritten in go, which reduces the number of modules and greatly reduces the difficulty of deployment.

🦑Tested by UnderCode
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 TOPIC Flutter makes it easy and fast to build beautiful mobile apps :
twitter.com/UnderCodeNews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> System requirements
To install and run Flutter, your development environment must meet these minimum requirements:

> Operating Systems: Windows 7 SP1 or later (64-bit)
Disk Space: 400 MB (does not include disk space for IDE/tools).
Tools: Flutter depends on these tools being available in your environment.

🦑 Windows PowerShell 5.0 or newer (this is pre-installed with Windows 10)
Git for Windows 2.x, with the Use Git from the Windows Command Prompt option.

> If Git for Windows is already installed, make sure you can run git commands from the command prompt or PowerShell.

🦑 Get the Flutter SDK
Download the following installation bundle to get the latest stable release of the Flutter SDK:

1) For other release channels, and older builds, see the SDK archive page.

2) Extract the zip file and place the contained flutter in the desired installation location for the Flutter SDK (for example, C:\src\flutter; do not install Flutter in a directory like C:\Program Files\ that requires elevated privileges).

3) If you don’t want to install a fixed version of the installation bundle, you can skip steps 1 and 2. Instead, get the source code from the Flutter repo on GitHub, and change branches or tags as needed. For example:

4) content_copy
C:\src>git clone https://github.com/flutter/flutter.git -b stable
You are now ready to run Flutter commands in the Flutter Console!

5) Update your path
If you wish to run Flutter commands in the regular Windows console, take these steps to add Flutter to the PATH environment variable:

6) From the Start search bar, enter ‘env’ and select Edit environment variables for your account.
Under User variables check if there is an entry called Path:

7) If the entry exists, append the full path to flutter\bin using ; as a separator from existing values.
If the entry doesn’t exist, create a new user variable named Path with the full path to flutter\bin as its value.
Note that you have to close and reopen any existing console windows for these changes to take effect.

🦑 Run flutter doctor

1) From a console window that has the Flutter directory in the path (see above), run the following command to see if there are any platform dependencies you need to complete the setup:

2) content_copy

> C:\src\flutter>flutter doctor

3) This command checks your environment and displays a report of the status of your Flutter installation. Check the output carefully for other software you might need to install or further tasks to perform (shown in bold text).

🦑 For example:

content_copy
[-] Android toolchain - develop for Android devices
• Android SDK at D:\Android\sdk
✗ Android SDK is missing command line tools; download from https://goo.gl/XxQghQ
• Try re-installing or updating your Android SDK,
visit https://flutter.dev/setup/#android-setup for detailed instructions.

🦑 LINUX INSTALL :

System requirements
>To install and run Flutter, your development environment must meet these minimum requirements:

🦑Operating Systems: Linux (64-bit)
Disk Space: 600 MB (does not include disk space for IDE/tools).
Tools: Flutter depends on these command-line tools being available in your environment.
bash
curl
git 2.x
mkdir
rm
unzip
which
xz-utils
zip
Shared libraries: Flutter test command depends on this library being available in your environment.
libGLU.so.1 - provided by mesa packages such as libglu1-mesa on Ubuntu/Debian

1) Get the Flutter SDK

2) Download the following installation bundle to get the latest stable release of the Flutter SDK:

3) For other release channels, and older builds, see the SDK archive page.

4) Extract the file in the desired location, for example:

content_copy
5) cd ~/development

6) tar xf ~/Downloads/flutter_linux_v1.12.13+hotfix.8-stable.tar.xz

7) If you don’t want to install a fixed version of the installation bundle, you can skip steps 1 and 2. Instead, get the source code from the Flutter repo on GitHub, and change branches or tags as needed. For example:

8) content_copy

9) git clone https://github.com/flutter/flutter.git -b stable
Add the flutter tool to your path:

> content_copy
export PATH="$PATH:pwd/flutter/bin"

10) This command sets your PATH variable for the current terminal window only. To permanently add Flutter to your path, see Update your path.

> Optionally, pre-download development binaries:

11) The flutter tool downloads platform-specific development binaries as needed. For scenarios where pre-downloading these artifacts is preferable (for example, in hermetic build environments, or with intermittent network availability), iOS and Android binaries can be downloaded ahead of time by running:

content_copy
flutter precache

🦑Tested by UnderCode
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 updated Hatch is a brute force tool that is used to brute force most websites :
fb.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1)pip2 install selenium

2) pip2 install requests

3) git clone https://github.com/MetaChar/Hatch

4) cd Hatch

5) python2 main.py

🦑How to use (text)

1). Find a website with a login page

2). Inspect element to find the Selector of the username form

3). Do the same for the password field

4). The the login form

5). When Asked put in the username to brute force

@UnderCodeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑2020 Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit.
twitter.com/undercodeNews :

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) git clone https://github.com/leebaird/discover /opt/discover/
All scripts must be ran from this location.

2) cd /opt/discover/

3) ./update.sh

API key locations:

recon-ng
show keys
keys add bing_api <value>

theHarvester
/opt/theHarvester/api-keys.yaml


🦑 RECON
1. Domain
2. Person
3. Parse salesforce

🦑 SCANNING
4. Generate target list
5. CIDR
6. List
7. IP, range, or domain
8. Rerun Nmap scripts and MSF aux

🦑WEB
9. Insecure direct object reference
10. Open multiple tabs in Firefox
11. Nikto
12. SSL

🦑MISC
13. Parse XML
14. Generate a malicious payload
15. Start a Metasploit listener



@UnderCodeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 updated A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
fb.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) git clone https://github.com/codingo/Reconnoitre.git
After you have done this run setup.py with the following:

2) python3 setup.py install

3) After setup has run Reconnoitre will now be in your path (as reconnoitre) and you can launch it anywhere using:

reconnoitre <args>

🦑-h, --help Display help message and exit
-t TARGET_HOSTS Set either a target range of addresses or a single host to target. May also be a file containing hosts.
-o OUTPUT_DIRECTORY Set the target directory where results should be written.
-w WORDLIST Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks.
--pingsweep Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts.
--dns, --dnssweep Find DNS servers from the list of target(s).
--snmp Find hosts responding to SNMP requests from the list of target(s).
--services Perform a service scan over the target(s) and write recommendations for further commands to execute.
--hostnames Attempt to discover target hostnames and write to hostnames.txt.
--virtualhosts Attempt to discover virtual hosts using the specified wordlist. This can be expended via discovered hostnames.
--ignore-http-codes Comma separated list of http codes to ignore with virtual host scans.
--ignore-content-length Ignore content lengths of specificed amount. This may become useful when a server returns a static page on every virtual host guess.
--quiet Supress banner and headers and limit feedback to grepable results.
--quick Move to the next target after performing a quick scan and writing first-round recommendations.
--no-udp Disable UDP service scanning, which is ON by default.


@UnderCodeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 ENJOY WITH ALL THOSE 2020 TOOLS - TESTED & Most Populars- Use for Learn..

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 STM32 series BIN file to source code C language by undercode
fb.com/undercodeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) It has always been impossible for all development engineers to convert .BIN or .ASM files into C files. However, from the perspective of the reverse industry of chip decryption, it is completely achievable. However, reverse engineers must have sufficient development experience and sufficient understanding of STM32 series microcontrollers.

2) the binary code BIN file is extracted by chip decryption, and then converted into a C language file. After having the source code, the customer can target Perform secondary development and modification.

3) Usually our operations are, the first step:

> first decrypt, provide the binary code BIN file.


> Step 2: Convert the BIN file into a disassembly file. The assembly file is also a programming file, but few engineers can understand it now.

> Step 3: compiles the C language based on the disassembled file as we do in undercode . This process is edited line by line by the engineer and is also very time consuming. The entire cycle is about 30 days (depending on the file size, normal 100K calculation ).

> Step 4: Debug according to the prototype provided by the customer. After debugging is OK, let the customer confirm.

4) During the entire project development process, customers must provide samples for debugging . After all is completed,

> will generate a BIN face-to-face and burn it into the product for customer testing to ensure that the source code we provide is authentic and reliable. .

written by undercode
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Detailed DS28E01 typical applications and cracking methods
pinterest.com/undercode_testing

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) DS28E01 is generally used in encryption protection to prevent products from being easily copied and pirated

2) Brief introduction of DS28E01:

> DS28E01 communicates with the MCU through a single bus. There is not much to say about the single bus. The time is very strict and accurate to the us level.

3) DS28E01 has four memory areas:

Data Memory (EEPROM) (4 pages, 32 bytes per page)

Key memory (secret) (8 bytes)

Register page with specific functions and user bytes

Volatile scratchpad (8 bytes)


4) The MCU can only read and write the scratchpad through a single bus, and cannot directly read and write to other storage areas.

5) When writing data to the data memory, loading the initial key, or writing data to the register page, the data is first written to the scratchpad, and then the corresponding command is used to allow the chip to copy the data from the scratchpad to the destination address.

🦑 working principle:

> There is a SHA-160 encryption module inside the chip, which participates in the SHA algorithm for 55 bytes of specific format data.

> The data contains an 8-byte key, a 5-byte user-specified random number, a 32-byte EEPROM content, a 7-byte ROMID, a 2-byte fixed data (0xFF), and a 1-byte EEPROM address TA1.

> The MCU can read the 20-byte hash value of the chip encrypted by SHA, and compare it with the hash value calculated by the MCU using the same algorithm.

> Since the MCU needs to perform the same encryption operation, or it must definitely generate the same 55-byte message as the chip's internal, how can it be obtained?

> The 8-byte key is generated and written by itself.-> OK

> The 5-byte random number is the value written into the scratchpad before the chip performs the SHA.-> OK

> The 32-byte EEPROM data, before reading back the 20-byte hash value, the chip will return the 32-byte content. -> OK

7-byte ROMID, the ROMID of the chip can@undercodeofficial be read at any time.-> OK

2 bytes fixed value, you can see in the manual-> OK

1 byte TA1, write it in yourself.-> OK

🦑 Typical application process:

Process 1: Initialize the DS28E01 key

The initialization key is only operated at the factory before the product is manufactured, and only needs to be operated once.

Procedure flow chart:

1) Read the chip ROMID

2) Generate a unique 64-bit key through a certain algorithm to ensure that the key generated by each motherboard is different.

3) Write the key to the chip temporary storage area and read it back to verify that it is written correctly

4)Execute the chip load key command to let the chip save the 64-bit key in the temporary storage area to the key storage area

5) Done.

🦑 Process 2: Verify DS28E01 key

1) The verification key is performed in the product application. Every time the product is started, the DS28E01 key is verified to be correct.

2) If it passes the verification, it will run normally. If the verification is incorrect, it will make the product work abnormally by some means.

🦑 Procedure flow chart:

1) Read the chip ROMID

2) Generate the 64-bit key through the same algorithm as in the initialization process

3) Write 8-byte random number to the chip temporary storage area (only 5 bytes are used), and read back to verify

4) Send a cryptographic authentication command to the chip, which can read back 32 bytes of EEPROM data and 20 bytes of hash value

5) Use the data read above to generate a 55-byte digest message and perform the SHA1 operation

6) Compare the hash value calculated by yourself with the hash value read back from the chip


🦑Cracking method:

From the above application process, we can see that the key algorithm here is SHA1, and there are two copies of the data participating in the SHA calculation. One is inside the chip, and we cannot read it

However, the other copy is generated inside the MCU, so as long as the process of generating messages inside the MCU is obtained, there is a possibility of cracking.

The key data is an 8-byte key, because the 8-byte key is generally bound to the ROMID and CPUID.

Therefore, the binary code of the program must be able to be read from the chip, and then the algorithm for key generation must be disassembled and analyzed to achieve the purpose of cracking.

However, disassembling and analyzing the algorithm is not easy.

written by undercode
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Last Two tutorial for hackers with little bit experience :)