UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


Requirements
============
- Python 2.6 or later, but not 3.0. http://www.python.org

Some plugins may have other requirements which can be found at:
https://github.com/volatilityfoundation/volatility/wiki/Installation

Quick Start
===========
1. Unpack the latest version of Volatility from
volatilityfoundation.org

2. To see available options, run "python vol.py -h" or "python vol.py --info"

Example:

$ python vol.py --info
Volatility Foundation Volatility Framework 2.6

Example:

$ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800

3. If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing
Windows 7 or later memory samples, please see the guidelines here:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

4. Run some other plugins. -f is a required option for all plugins. Some
also require/accept other options. Run "python vol.py <plugin> -h" for
more information on a particular command. A Command Reference wiki
is also available on the GitHub site:

https://github.com/volatilityfoundation/volatility/wiki

as well as Basic Usage:

https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
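As an added example (not part of the Volatility README), the script below parses the imageinfo output quoted above, extracts the suggested and instantiated profiles plus the KDBG and DTB values, and builds the --profile= command lines for the next plugins; the image path and plugin names passed to build_commands are assumptions.

```python
import re
import shlex

# Sample input: the imageinfo output quoted in the README above, embedded so
# the script runs offline against a known result.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800
"""

_INSTANTIATED_RE = re.compile(r"\(Instantiated with (\S+)\)")


def parse_imageinfo(text):
    """Turn the 'key : value' lines into a dict and split the profile list."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue                       # banner / progress lines
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()

    raw = fields.get("Suggested Profile(s)", "")
    match = _INSTANTIATED_RE.search(raw)
    profiles = [p.strip() for p in _INSTANTIATED_RE.sub("", raw).split(",") if p.strip()]

    def hexval(key):                       # values print as 0x...L (Python 2 longs)
        value = fields.get(key)
        return int(value.rstrip("L"), 16) if value else None

    return {
        "profiles": profiles,
        "instantiated": match.group(1) if match else None,
        "kdbg": hexval("KDBG"),
        "dtb": hexval("DTB"),
        "image_time": fields.get("Image date and time"),
        # more than one candidate: confirm with kdbgscan before trusting output
        "ambiguous": len(profiles) > 1,
    }


def build_commands(image_path, info, plugins=("pslist", "netscan")):
    """Build 'python vol.py -f IMAGE --profile=P --kdbg=ADDR PLUGIN' lines.

    The instantiated profile is preferred; passing --kdbg skips the KDBG
    scan on every later run.
    """
    profile = info["instantiated"] or (info["profiles"][0] if info["profiles"] else None)
    if profile is None:
        raise ValueError("no profile could be determined from imageinfo")
    commands = []
    for plugin in plugins:
        parts = ["python", "vol.py", "-f", image_path, "--profile=" + profile]
        if info["kdbg"] is not None:
            parts.append("--kdbg=0x%x" % info["kdbg"])
        parts.append(plugin)
        commands.append(" ".join(shlex.quote(p) for p in parts))
    return commands


if __name__ == "__main__":
    parsed = parse_imageinfo(SAMPLE_IMAGEINFO)
    for cmd in build_commands("WIN-II7VOJTUNGL-20120324-193051.raw", parsed):
        print(cmd)
```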


🦑 Elaborate on the MAC spoofing process:

🦑 LET'S START:

A) Principle:

1) Before we start, let's briefly review how a switch forwards frames: when a switch port receives a data frame, the switch first looks up the frame's destination MAC address in its MAC address table (CAM table), which maps MAC addresses to ports. If the destination port differs from the port the frame arrived on, the frame is forwarded out of the destination port and the table entry for the source MAC is updated to the source port; if the destination port is the same as the source port, the frame is discarded.

2) The working scenario is as follows:

A 4-port switch with ports Port.A, Port.B, Port.C and Port.D connected to hosts A, B, C and D respectively, where D is the gateway.

3) When host A sends data to B, host A encapsulates the data down through the OSI layers. During this process it resolves the MAC address of host B from its IP address and fills it into the destination MAC field of the frame. Before sending, the MAC-layer control logic of the network card also makes a check:

4) if the destination MAC is the network card's own MAC, the frame is not sent; otherwise the card transmits it. When Port.A receives the frame, the switch looks up the destination MAC (B's MAC) in its MAC address table as described above and finds Port.B, while the source port is Port.A, so the switch forwards the frame out of Port.B and host B receives it.

5) This addressing process can be summarised as IP -> MAC -> PORT. ARP spoofing falsifies the IP/MAC correspondence, while MAC spoofing falsifies the MAC/PORT correspondence.

6) The older attack method is to flood the switch's MAC address table, which does force the switch into a broadcast-like mode and so enables sniffing, but it overloads the switch, slows the network, and causes packet loss or even a complete outage.

written by undercode

🦑 B) Practical demonstration (the MAC spoofing process in detail)

The working environment is the 4-port switch described above. cncert's httphijack is used as the example software. The task is to hijack the data of host C from host A.

The hijacking process is as follows (da is the destination MAC, sa is the source MAC):

1) A sends arbitrary packets with da = gateway.mac and sa = B.mac to the gateway.

This makes the switch record B.mac as belonging to Port.A. For a period of time the switch delivers every frame addressed to B.mac to host A. This lasts until host B sends a packet of its own, or until another packet with da = gateway.mac and sa = B.mac is generated.

2) Host A receives the data the gateway sent to B and, after recording or modifying it, forwards it to B. Before forwarding, it sends a broadcast ARP request for B.mac. This packet has normal MAC information: da = FF-FF-FF-FF-FF-FF, sa = A.mac.

This frame tells the switch that A.mac belongs to Port.A, and at the same time it prompts host B to send a reply packet.

The reply's MAC information is: da = A.mac, sa = B.mac.

This frame tells the switch that B.mac belongs to Port.B.

At this point the correct correspondence has been restored, and host A can successfully forward the hijacked data to B.

3) Forward the hijacked data to B, which completes one hijacking cycle.

C) Attack characteristics

1) Because of the time-sliced nature of this attack method, the greater the other party's traffic, the lower the hijacking frequency and the more stable the network appears.

2) Strong concealment: because of the property in 1) and the way the method works (at the MAC/PORT level rather than IP/MAC), it still works in an environment with an ARP firewall and two-way binding.

D) How to protect

Higher-end switches can use IP + MAC + port binding to control automatic learning of the CAM table. There is currently no software to protect against such attacks.

🦑 E) Tools used

1) httphijack beta 2: HTTP session hijacking

2) ssclone: session replication software for switched environments (gmail, qqmail, sohumail ...)

3) skiller: flow (bandwidth) control

written by undercode
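The following is an added example, not code from the post or from the tools it names. It simulates the 4-port switch's CAM table on a constructed frame trace so that the MAC/PORT manipulation from step 1) shows up as MAC flapping, and shows how the static MAC/port binding from D) drops those frames instead; FLAP_WINDOW and FLAP_LIMIT are assumed thresholds.

```python
from collections import defaultdict, deque

FLAP_WINDOW = 10.0   # seconds; assumed detection window
FLAP_LIMIT = 3       # port moves of one MAC inside the window that raise an alert


class Switch:
    """Minimal learning switch: dynamic CAM table plus optional static bindings."""

    def __init__(self, bindings=None):
        self.cam = {}                      # mac -> port, learned from source MACs
        self.bindings = bindings or {}     # mac -> port, static ("port security")
        self.moves = defaultdict(deque)    # mac -> timestamps of port changes
        self.alerts = []                   # (time, kind, mac, detail)

    def learn(self, port, src_mac, t):
        """Update the CAM entry for src_mac. Returns False if a binding drops the frame."""
        bound = self.bindings.get(src_mac)
        if bound is not None and bound != port:
            # The MAC is pinned to another port: never learn it here, drop the frame.
            self.alerts.append((t, "binding-violation", src_mac, port))
            return False
        prev = self.cam.get(src_mac)
        if prev is not None and prev != port:
            self._record_move(src_mac, prev, port, t)
        self.cam[src_mac] = port
        return True

    def _record_move(self, mac, old, new, t):
        times = self.moves[mac]
        times.append(t)
        while times and t - times[0] > FLAP_WINDOW:
            times.popleft()
        if len(times) >= FLAP_LIMIT:
            self.alerts.append((t, "mac-flap", mac, "%s<->%s" % (old, new)))

    def forward(self, in_port, src_mac, dst_mac, t):
        """Learn, then return the egress port ('*' = flood, None = dropped)."""
        if not self.learn(in_port, src_mac, t):
            return None
        out = self.cam.get(dst_mac)
        if out is None:
            return "*"
        return None if out == in_port else out


# Constructed trace for the scenario in the post: (time, ingress port, src, dst).
# D.mac is the gateway. B.mac alternating between Port.A and Port.B is exactly
# what the switch sees during the time-sliced hijack described in B) and C).
TRACE = [
    (0.0, "Port.B", "B.mac", "D.mac"),   # B talks to the gateway normally
    (0.5, "Port.D", "D.mac", "B.mac"),   # gateway reply: delivered to Port.B
    (1.0, "Port.A", "B.mac", "D.mac"),   # B.mac suddenly appears on Port.A
    (1.5, "Port.D", "D.mac", "B.mac"),   # gateway reply now goes to Port.A
    (2.0, "Port.B", "B.mac", "A.mac"),   # B answers A's ARP request: back to Port.B
    (3.0, "Port.A", "B.mac", "D.mac"),
    (4.0, "Port.B", "B.mac", "A.mac"),
    (5.0, "Port.A", "B.mac", "D.mac"),
]


def run_trace(trace, bindings=None):
    """Replay a trace; returns (egress port per frame, alerts raised)."""
    sw = Switch(bindings)
    egress = [sw.forward(port, src, dst, t) for (t, port, src, dst) in trace]
    return egress, sw.alerts


if __name__ == "__main__":
    for label, binds in (("dynamic CAM", None), ("B.mac bound to Port.B", {"B.mac": "Port.B"})):
        egress, alerts = run_trace(TRACE, binds)
        print(label, egress, alerts)
```

On real switches the same signal is the "MAC flapping" / "host moved" syslog message, which is worth alerting on for any MAC that moves between access ports.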

🦑 The common VLAN attacks are as follows:

🦑 LET'S START:

1) VLAN attack 1: 802.1Q and ISL tagging attacks

A tagging attack is a malicious attack by which users on one VLAN can illegally access another VLAN. For example, if a switch port is configured with DTP (Dynamic Trunking Protocol) in auto mode and receives forged DTP packets, it becomes a trunk port and may then receive traffic for any VLAN. A malicious user can thus communicate with other VLANs through the port under their control. Sometimes, even when only ordinary packets are received, a switch port may act against its intended configuration and behave like a full trunk port (for example, accepting packets from VLANs other than its own). This phenomenon is commonly referred to as "VLAN leakage".

> To defeat this kind of attack, simply set DTP to "off" on all untrusted ports (ports that do not meet the trust condition). The software and hardware of the Cisco Catalyst 2950, Catalyst 3550, Catalyst 4000 and Catalyst 6000 series switches can also implement proper traffic classification and isolation on all ports.

2) VLAN attack 2: double-encapsulated 802.1Q / nested VLAN attack

Inside the switch, VLAN numbers and identifiers are represented in a special extended format, so that the forwarding path stays independent of the end-to-end VLAN without losing any information. Outside the switch, the tagging rules are defined by standards such as ISL or 802.1Q.

> ISL is Cisco proprietary technology and is a compact form of the extended packet header used inside the device. Every packet always carries a tag, so there is no risk of losing the identifier, which improves security.

> On the other hand, the IEEE committee that developed 802.1Q decided that, for backward compatibility, it was best to support native VLANs, that is, a VLAN that is not explicitly associated with any tag on the 802.1Q link. This VLAN is used implicitly to receive all untagged traffic on the 802.1Q port.

🦑 This feature is something users want, because it lets an 802.1Q port talk directly to an old 802.3 port by sending and receiving untagged traffic. In all other cases, however, the feature can be very harmful, because packets associated with the native VLAN lose their tag when transmitted over an 802.1Q link, and with it information such as their class of service (802.1p bits).

3) The outer tag is stripped first, then the frame is sent on: an 802.1Q frame from the attacker, with an outer tag for VLAN A and an inner tag for VLAN B, crosses a trunk whose native VLAN is A and arrives as VLAN B data.

Note: this only works if the trunk's native VLAN is the same as the attacker's VLAN.

4) When double-encapsulated 802.1Q packets enter the network from a device on the same VLAN as the trunk's native VLAN, the VLAN IDs of these packets are not preserved end-to-end, because the 802.1Q trunk always modifies the packet by stripping its outer tag. Once the outer tag is removed, the inner tag becomes the packet's only VLAN identifier. Therefore, if a packet is double-encapsulated with two different tags, traffic can hop between VLANs.

5) This situation is considered a misconfiguration, because the 802.1Q standard does not force users to use the native VLAN in these situations. The proper configuration, which should always be used, is to clear the native VLAN from all 802.1Q trunks (setting 802.1q-all-tagged mode achieves exactly the same effect). When the native VLAN cannot be cleared, an unused VLAN should be chosen as the native VLAN of all trunks, and that VLAN must not be used for any other purpose. Protocols such as STP, DTP and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data packets.

6) VLAN attack 3: VLAN hopping attack
A virtual local area network (VLAN) is a method of segmenting broadcast domains. VLANs are also often used to add security to a network, because computers on one VLAN cannot talk to users on another VLAN without explicit access. However, VLANs alone are not enough to secure the environment: malicious hackers can jump from one VLAN to another even without authorization.

7) VLAN hopping relies on the Dynamic Trunking Protocol (DTP). When two switches are interconnected, DTP lets them negotiate whether the link between them will become an 802.1Q trunk. The negotiation is done by checking the configuration state of each port.

> The VLAN hopping attack takes full advantage of DTP. In a VLAN hopping attack, a hacker's computer impersonates another switch and sends a forged DTP negotiation message announcing that it wants to become a trunk; on receiving this DTP message, the real switch believes it should enable 802.1Q trunking, and once trunking is enabled, traffic from all VLANs is sent to the hacker's computer.

> Once the trunk is established, the hacker can keep sniffing the traffic, or can direct attack traffic to a chosen VLAN by adding 802.1Q tag information to the frames.

8) VLAN attack 4: VTP attack

VLAN Trunking Protocol (VTP) is a management protocol that reduces the amount of configuration in a switched environment. With respect to VTP, a switch can be a VTP server, a VTP client or a VTP transparent switch; here we focus on the VTP server and the VTP client. Every time the user changes the configuration of a switch working in VTP server mode, whether a VLAN is added, modified or removed, the VTP configuration revision number increases by 1. When a VTP client sees a configuration revision number greater than its current one, it automatically synchronises with the VTP server.

> A malicious hacker can use VTP for his own purposes and remove all VLANs on the network (except the default VLAN), so that he ends up in the same VLAN as every other user. However, the users may still be on a different network segment, so the hacker would need to change his IP address to join the same segment as the host he wants to attack.

> A malicious hacker can exploit VTP by connecting to the switch and establishing a trunk between his computer and the switch. He can then send the VTP server a VTP message whose configuration revision number is higher than the current one. This causes all switches to synchronise with the hacker's computer, removing all non-default VLANs from the VLAN database.

9) With so many kinds of attacks, we can see how fragile the VLANs we deploy are. Fortunately, these attacks depend on the switch being configured incorrectly or inappropriately, which is what leads to the unexpected behaviour or security problems. So next we will tell you the key points you must pay attention to when configuring a switch.

written by Undercode
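Added example, not from the original post: a parser that walks the 802.1Q tag stack of an Ethernet frame and classifies double-tagged frames, flagging the case from 4) above where the outer tag equals the trunk's native VLAN. The frame bytes, MAC addresses and NATIVE_VLAN value are constructed assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8   # QinQ service tag: also opens a tag stack
NATIVE_VLAN = 1             # assumed native VLAN of the trunk under review


def parse_tags(frame):
    """Return (dst, src, [VLAN IDs, outer first], payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans = []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return dst, src, vlans, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)          # low 12 bits are the VLAN ID
        offset += 4                         # skip TPID + TCI, re-read ethertype


def check_frame(frame, native_vlan=NATIVE_VLAN):
    """Classify a frame arriving from an access port at the trunk edge."""
    _dst, _src, vlans, _etype = parse_tags(frame)
    if len(vlans) >= 2:
        # Outer tag equal to the native VLAN is the precondition of the
        # double-encapsulation attack: the trunk strips it, the inner tag remains.
        if vlans[0] == native_vlan:
            return "double-tag-native", vlans
        return "double-tag", vlans
    if len(vlans) == 1:
        return "tagged", vlans
    return "untagged", vlans


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b"\x00" * 20):
    """Constructed frame builder (test input only): stacks one 802.1Q tag per VLAN."""
    header = dst + src
    for vid in vlans:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed, locally administered MAC addresses for the sample frames.
MAC_SRC = bytes.fromhex("020000000001")
MAC_DST = bytes.fromhex("020000000002")

if __name__ == "__main__":
    for vids in ([], [10], [1, 20], [5, 20]):
        print(vids, "->", check_frame(build_frame(MAC_DST, MAC_SRC, vids)))
```

An access port should never deliver a tagged frame at all; the "tagged" and "double-tag" classes are both worth dropping and logging there, and the fix remains an unused, all-tagged native VLAN as 5) describes.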

🦑 ARP attack methods and technical summary

1) ARP DDoS attack

2) ARP reply (return packet) spoofing

3) ARP request spoofing

4) ARP whole-network request spoofing

5) ARP man-in-the-middle

6) ARP IP address conflict

7) ARP gateway spoofing

8) ARP switch port forwarding spoofing (the most powerful; this is the attack method of the Illusion Network Shield / skiller tool)

written by Undercode

🦑 Here I dedicate this to everyone. There are still other applications of ARP that people have discovered, so I will not go over those here.

🦑 LET'S START:

1) The ARP DDoS attack is actually the continuous sending of a large number of normal ARP request packets, which consumes the host's bandwidth. This kind of attack is not very significant on a local area network. The packets are normal packets and will not be filtered by an ARP firewall or by the switch.

2) As for a solution, I do not know whether limiting traffic on some switches would work; I will not do it myself and do not know its feasibility. Personally I think it is difficult to protect against.

> ARP reply (return packet) spoofing

3) This kind of spoofing is the most common. It sends ARP reply packets to the host, in which the sender IP is the gateway's address and the sender hardware address is the attacker's own or a forged one, so that the other computer's IP-MAC table contains a wrong entry. When an IP packet is sent with this hardware address, the correct physical exit address cannot be found.

4) Protecting against this is relatively simple: use arp -s to bind the gateway, and there are also ARP firewalls. In addition, this spoofed entry may be overwritten by the correct address sent by the router.

> ARP request spoofing

> ARP request spoofing is also relatively common. It uses the ARP request operation. There is no error in the destination IP and MAC address; the error is that the requester's MAC address is not genuine. This kind of spoofing and reply spoofing differ only in the OP (opcode) value.

🦑 The protection method is the same as above.

1) ARP whole-network request spoofing

This kind of spoofing is a further extension of request spoofing and reply spoofing. The principle is to set the destination address in the Ethernet frame header to FF-FF-FF-FF-FF-FF, so that it is broadcast to all hosts; the sender IP is the gateway's IP address (or another host's) and the sender hardware address is a fake MAC address. Note that the target IP is the 192.168.1.255 broadcast address.

> The protection method is the same as above. The whole-network blocking function of software such as the "Network Law Enforcement" tool is implemented this way.

2) ARP man-in-the-middle

This kind of spoofing is carried out in a switched environment. Some people say the data flow in a switched environment is safe; the following attack method is aimed at the switch.

> The general process is this: there are three computers A, B and C; A and C communicate normally, and B launches a man-in-the-middle attack. B first sends ARP spoofing to tell A "I, B, am C", and then tells C "I, B, am A". The entire data exchange between A and C then passes through B and is fully visible to it, which is somewhat crude. This kind of deception also needs a data forwarding mechanism, otherwise the communication between A and C is broken; the P2P Terminator tool is an example of this kind of deception.

3) ARP IP address conflict

The IP address conflict is also caused by an ARP packet. It is simply broadcast to the Ethernet broadcast address, and the source IP address and destination IP address in the packet are the same. This kind of packet is very common and most people never notice it: every time your PC boots, it broadcasts its own IP address to check whether any other computer is using the same IP. This broadcast is known as "gratuitous ARP" ("free ARP").

> This kind of broadcast can be filtered directly by an ARP firewall. In fact these packets do not cause a network disconnection, but they keep popping up an annoying dialog box. For example, the Longhorn network monitor tool sends this kind of packet.

4) ARP gateway spoofing

This kind of spoofing is an extension of another spoofing method. If the client has statically bound the gateway and installed an ARP firewall, you cannot spoof it or cut it off from the Internet, so instead the gateway is spoofed. For example, A is the client and B is the server. A is protected and you want to block it from accessing the Internet, so we deceive B instead: B is treated as just another computer and is continuously sent a false address for A.

5) ARP switch spoofing {skiller}

This attack method has only appeared in the past two years, and it is relatively simple to explain now. I had never seen this attack method before. The principle may be harder to understand, and it is very troublesome to protect against; if someone attacked me with it, at least right now I could not do anything about it.

🦑 The principle is to change the forwarding table of the switch.

1) ARP switch spoofing attack idea

The switch forwards according to the source and destination addresses in the Ethernet frame header of the ARP packet. For example, A is on port 1 of the switch and the gateway is on port 3; the switch sends the frames A transmits out of port 3 according to their destination address. Why is that? Because the switch maintains a dynamic address table internally, a lookup table of MAC addresses against physical ports. If this table is static, it is not known whether this attack would take effect.

> First of all, the method I implemented is this: three PCs a, b and c, with c as the attacker. If I want to block host b, I send ARP request packets from b to a on computer c, continuously; then b is blocked. Why? b's request data can still be sent out, but the packets returned to it are delivered by the switch to computer c, so the three-way handshake is never established and the network is blocked. We can do a lot of things based on this idea; I will not give more examples here, I am so hungry I am going to eat instead of writing.

🦑 Continued when I am full ...

Seeing this, my friends may be a little dazed. In fact it is very simple: using the Fengyun firewall is a wise choice. All the normal spoofing methods above must first know your IP and MAC. After enabling Fengyun's security mode, it only responds to the gateway's requests and is as if it did not exist for the other hosts on the LAN. If the other party wants to ping you or run an ARP scan, it is in vain; if they do not think you exist, there can be no talk of attacking you.

written by undercode
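Added example, not from the post: an ARP packet parser and monitor that flags the patterns described above (reply spoofing of the gateway, whole-network request spoofing toward x.x.x.255, unsolicited replies and gratuitous ARP), using a static gateway binding in the spirit of arp -s. The gateway IP/MAC and all packet bytes are constructed.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
GATEWAY_IP = "192.168.1.1"              # assumed gateway address
GATEWAY_MAC = "00:00:5e:00:01:01"       # assumed gateway MAC (static binding)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_arp(payload):
    """Parse the 28-byte Ethernet/IPv4 ARP body into a dict."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": op, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


class ArpMonitor:
    """Tracks IP->MAC and pending requests; inspect() returns findings per packet."""

    def __init__(self, bindings):
        self.table = dict(bindings)         # static entries are never overwritten
        self.static = set(bindings)
        self.pending = set()                # IPs that asked a question and await a reply

    def inspect(self, pkt, eth_dst):
        findings = []
        if pkt["spa"] == pkt["tpa"]:
            findings.append("gratuitous-arp")          # the 'IP conflict' packet
        if pkt["spa"] in self.static and pkt["sha"] != self.table[pkt["spa"]]:
            findings.append("gateway-spoof")            # bound IP claimed by another MAC
        if pkt["op"] == ARP_REPLY:
            if eth_dst == BROADCAST_MAC:
                findings.append("broadcast-reply")
            if pkt["tpa"] not in self.pending and pkt["spa"] != pkt["tpa"]:
                findings.append("unsolicited-reply")    # reply nobody asked for
            self.pending.discard(pkt["tpa"])
        elif pkt["op"] == ARP_REQUEST:
            if pkt["tpa"].endswith(".255"):
                findings.append("subnet-broadcast-target")  # whole-network spoofing
            self.pending.add(pkt["spa"])                # requester expects a reply
        if pkt["spa"] not in self.static:
            old = self.table.get(pkt["spa"])
            if old and old != pkt["sha"]:
                findings.append("ip-mac-change")
            self.table[pkt["spa"]] = pkt["sha"]
        return findings


def build_arp(op, sha, spa, tha, tpa):
    """Constructed packet builder for the sample traffic below."""
    def mac_bytes(s):
        return bytes.fromhex(s.replace(":", ""))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + struct.pack(
        "!6s4s6s4s", mac_bytes(sha), IPv4Address(spa).packed,
        mac_bytes(tha), IPv4Address(tpa).packed)


if __name__ == "__main__":
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    # Constructed sample: a normal request/reply, then a forged reply for the gateway IP.
    sample = [
        (build_arp(ARP_REQUEST, "02:00:00:00:00:0a", "192.168.1.10", "00:00:00:00:00:00", GATEWAY_IP), BROADCAST_MAC),
        (build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "02:00:00:00:00:0a", "192.168.1.10"), "02:00:00:00:00:0a"),
        (build_arp(ARP_REPLY, "02:00:00:00:00:bb", GATEWAY_IP, "02:00:00:00:00:0a", "192.168.1.10"), "02:00:00:00:00:0a"),
    ]
    for raw, eth_dst in sample:
        print(mon.inspect(parse_arp(raw), eth_dst))
```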

🦑 What is Hakku Framework?

Hakku is a simple framework made for penetration testing tools. The Hakku framework offers a simple structure, a basic CLI and useful features for developing penetration testing tools. Hakku is at an early stage and may be unstable, so please download the released versions from GitHub or SourceForge; do not just clone the GitHub repository unless you do not need stability, want to try out the latest features, or want to develop Hakku. Hakku is under the MIT license, in other words you can do whatever you want with the source code.

🦑 FEATURES:

apache_users
arp_dos
arp_monitor
arp_spoof
bluetooth_pod
cloudflare_resolver
dhcp_dos
dir_scanner
dns_spoof
email_bomber
hostname_resolver
mac_spoof
mitm
network_kill
pma_scanner
port_scanner
proxy_scout
whois
web_killer
web_scout
wifi_jammer
zip_cracker
rar_cracker
wordlist_gen

🦑 OS support
==========

Linux supported, and developed on/for linux
OS X support not planned
Windows support not planned

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„• :

1) git clone https://github.com/4shadoww/hakkuframework.git

2) cd hakkuframework

3) sudo ./install -i


🦑 Common methods of obtaining a webshell from the admin backend:

1) Direct upload to get a webshell

> This is relatively common in PHP and JSP programs; MolyX BOARD is one of them. Upload a .php file directly in the mood icon management page: although there is no prompt, the upload actually succeeds, and the uploaded file's URL should be under http://forums/images/smiles/. The JSP system vulnerabilities of the Lianzhong game site and NetEase allow uploading a .jsp file directly.

> The file name stays the original file name. In the bo-blog backend a .php file can be uploaded directly, and the path of the uploaded file is shown. There is also the upfile.asp vulnerability that was very popular a year ago (Dynamic Web 5.0 and 6.0 and many early whole-site systems): because of ineffective filtering of uploaded files, users could upload a webshell directly to any writable directory on the website and so obtain the site administrator's control permissions.

2) Adding or modifying the allowed upload types

> Now the upload modules of many script programs not only allow uploading legitimate file types, but most systems also allow adding upload types. The bbsxp backend can add the asa | asP types, and the ewebeditor backend can also add the asa type; after the modification we can directly upload a webshell with the .asa suffix. There are also cases where .asp is filtered; then you can add the .aspasp file type, upload, and get the webshell.

> In the backend of PHP systems we can add the upload type .php.g1f, which relies on a feature of PHP: as long as the last extension is not a known file type, PHP runs php.g1f as .php, so you can also get a shell successfully this way. Getting a webshell from the LeadBbs3.14 backend: add "asp " to the upload types, noting the space after asp, then upload the ASP shell from the front end, of course also adding a space at the end of its name!

3) Using backend management functions to write a webshell

> The upload vulnerabilities are basically covered, so after entering the backend we can also write a webshell by modifying the relevant files. Typical cases are dvbbs6.0, leadbbs2.88 and so on: directly modify the configuration file in the backend and write a file with the .asp suffix. Another way to get a webshell from the LeadBbs3.14 backend is to add a new friendship link and write the minimal "ice fox" one-line shell as the site name; put a few characters before and after it, and http://website/inc/IncHtm/BoardLink.asp is then the shell we want.

4) Using backend management to write a webshell into the configuration file

Use symbols such as "", ":" and "//" to construct a minimal shell that the program writes into its configuration file. This applies to the joekoe forum, XX student records, the Boiling Outlook news system, the COCOON Counter statistics program, etc., and to many PHP programs. Taking the COCOON Counter statistics program as an example, enter cnhacker at 263 dot net":eval request(chr(35))// in the management mailbox field; the configuration file then contains webmail="cnhacker at 263 dot net\":eval request(chr(35))//".

5) ASP + MSSQL systems

It is necessary to mention the MSSQL version of Dynamic Web, whose backup can be submitted locally directly. First upload a fake picture containing ASP code in a post, and remember the upload path. Then write a locally submitted form; the code is as follows:

6) Save it as .htm and open it locally. Fill the upload path of the fake picture into "location of the uploaded file", fill the relative path of the webshell you want to back up to into "location to be copied to", and submit to get our lovely webshell. The restore code is similar; just modify the relevant places.

> I have not yet encountered a relatively powerful ASP program backend that can execute MSSQL commands from the backend. The database restore and backup of Dynamic Web is just a decoration: I cannot execute SQL commands to back up a webshell and can only run some simple query commands.
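Added example, not code from any of the programs above: the weak last-extension deny-list that the tricks in 2) bypass, beside a hardened allow-list check that also verifies the file's magic bytes against its extension (the "fake picture" of 5)). The allowed types and the base-name pattern are assumed policy.

```python
import os
import re
import unicodedata

DENY = {"asp", "asa", "php", "jsp", "cer", "aspx"}     # weak: what the old backends blocked
ALLOW = {"jpg", "jpeg", "png", "gif"}                   # hardened: assumed image-only policy
EXT_KIND = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
SAFE_BASE = re.compile(r"^[a-z0-9_-]{1,64}$")
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}


def weak_check(filename):
    """Deny-list on the raw last extension: the style of check the tricks above defeat."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENY


def hardened_check(filename):
    """Allow-list every dotted component after normalising the name.

    Returns the canonical name to store under, or None to reject.
    """
    # Drop any directory part, normalise Unicode, strip surrounding whitespace,
    # dots and NULs: this is what defeats "shell.asp " (trailing space).
    name = os.path.basename(filename.replace("\\", "/"))
    name = unicodedata.normalize("NFKC", name).strip(" .\t\r\n\x00")
    parts = name.lower().split(".")        # lower-casing defeats asP / ASP variants
    if len(parts) < 2:
        return None
    base, exts = parts[0], parts[1:]
    if not SAFE_BASE.match(base):
        return None
    # Every extension must be on the allow-list, so "x.php.g1f" (inner php)
    # and "x.aspasp" (unknown extension) are both rejected, not just the last part.
    if any(ext not in ALLOW for ext in exts):
        return None
    return base + "." + exts[-1]


def sniff_image(data):
    """Return the image kind implied by the file's magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def accept_upload(filename, data):
    """Name and content must agree; returns the stored name or None."""
    stored = hardened_check(filename)
    if stored is None:
        return None
    ext = stored.rsplit(".", 1)[1]
    if sniff_image(data) != EXT_KIND[ext]:
        return None                        # e.g. ASP source uploaded as "photo.png"
    return stored
```

Magic-byte checks do not stop a valid image with script appended, so the upload directory must also be served with script execution disabled, and the stored name should be server-generated rather than the user's.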