▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑Do I need to use Tor with VPN, proxy, SSH?
> This is a common question in different variations, and there is no definite answer to it. Suppose my country or my Internet service provider is blocking access to the Tor network; then, although it is not so good, the only solution is to use VPN + Tor. At the same time,
> I must clearly understand the risks of a VPN, which is designed for organizing virtual private networks, and not for anonymity. If I do NOT understand the risks of adding different intermediate nodes, and I just do it because I read on some forum that it is better, then this is a bad idea: there is no working technology to find out the real IP address of a Tor network user, but a VPN "honeypot" will know everything about you:
1️⃣ your real IP address
2️⃣ which sites you made requests to
3️⃣ what answers you received
What follows is a translation from the pages of the official Tor Project documentation. I agree with these views, provided that there is trust in the Tor network. I do NOT have 100% trust in the Tor network, but of the other options for hiding my IP, this is the best solution.
🦑Sources:
https://support.torproject.org/faq/faq-5/
https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN
Share us ❤️
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑Anonymity and privacy
> You can very much reduce your anonymity by using VPN / SSH in addition to Tor. (Proxies are described below.) But if you know what you are doing, you can increase anonymity, security, and privacy.
> VPN / SSH providers keep a history of financial transactions, and you will leave traces if you do not choose a truly anonymous payment method. A VPN / SSH server acts as a permanent entry node or as a permanent exit node. This may solve some problems, but it creates new risks.
> Who is your opponent? Against a global adversary with unlimited resources, adding new intermediate nodes makes passive attacks (a bit) harder, but active attacks become easier, because you provide more attack surface and send out more data that can be used against you.
> Adding hops strengthens you against collusion between Tor nodes and against blackhat hackers who target the Tor client code (especially if Tor and the VPN run on two different systems).
> If the VPN / SSH server is under the control of an attacker, you weaken the protection provided by Tor. If the server is trustworthy, you can increase the anonymity and / or privacy (depending on the settings) provided by Tor.
> VPN / SSH can also be used to circumvent Tor censorship (if your ISP blocks access to Tor, or if the destination server blocks connections from the Tor network).
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
Microsoft Office - DDE Attacks.pdf
693.1 KB
MS OFFICE DDE ATTACK - TUTORIAL
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑VPN / SSH vs proxy :
> The connection between you and the VPN / SSH server is encrypted in most cases, but not always.
> On the other hand, the connection between you and an OpenProxy is not encrypted. An "SSL proxy" is in most cases only an HTTP proxy that supports the CONNECT method. The CONNECT method was originally designed so that you can use SSL connections to web servers, but other interesting things are possible, such as connecting to IRC, SSH, etc.
> Another disadvantage of HTTP(S) proxies is that some of them, depending on your network settings, even pass your IP through the "http forwarded for" header. (Such proxies are also called "non-anonymous proxies". Although the word "anonymous" should be understood with caution in any case, an OpenProxy alone is much worse than Tor.)
🦑VPN vs SSH or proxy :
> A VPN works at the network level. An SSH tunnel can offer a SOCKS5 proxy. Proxies work at the application level. These technical details create their own problems when combined with Tor.
> The problem for many VPN users is the complicated setup. They connect to the VPN on a machine that has direct access to the Internet.
> The VPN user may forget to connect to the VPN first.
> Without special precautions, when a VPN connection drops (VPN server reboot, network problems, VPN process failure, etc.), direct connections without the VPN will be made.
To solve this problem, you can try something like VPN-Firewall.
> When working at the application level (using SOCKS5 SSH tunnels or proxy servers), the problem is that many applications do not honor the proxy server settings.
> The most secure solution to these problems is to use transparent proxying, which is possible for VPN, SSH and proxies.
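The "http forwarded for" leak described above can be checked from the receiving side. The following is an added example, not part of the original post: it parses a request as an origin server receives it and reports whether proxy-added headers disclose the client's real IP. The sample requests, the addresses and the labels other than the post's "non-anonymous" are constructed for illustration.

```python
import ipaddress
import re

# Headers an HTTP proxy may add to a forwarded request. "Forwarded" is
# standardised in RFC 7239; the others are de facto conventions.
IP_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip")
PROXY_HEADERS = IP_HEADERS + ("via", "x-forwarded-host", "x-forwarded-proto")

# Constructed sample requests, as an origin server would see them.
LEAKY = ("GET / HTTP/1.1\r\nHost: example.org\r\nVia: 1.1 proxy.example\r\n"
         "X-Forwarded-For: 203.0.113.7, 10.0.0.2\r\n\r\n")
MASKED = ("GET / HTTP/1.1\r\nHost: example.org\r\nVia: 1.1 proxy.example\r\n"
          "Forwarded: for=unknown;proto=http\r\n\r\n")
LEAKY_V6 = ("GET / HTTP/1.1\r\nHost: example.org\r\n"
            'Forwarded: for="[2001:db8::1]:4711";proto=http\r\n\r\n')
CLEAN = "GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.0\r\n\r\n"


def parse_headers(raw_request):
    """Return {lowercased-name: [values]} from a raw HTTP/1.x request head."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def extract_ips(name, value):
    """Pull every syntactically valid IP address out of one header value."""
    if name == "forwarded":
        # RFC 7239 syntax: for=192.0.2.1, for="[2001:db8::1]:4711";proto=...
        tokens = re.findall(r'(?i)\bfor=("[^"]*"|[^;,\s]+)', value)
    else:
        tokens = value.split(",")
    found = []
    for token in tokens:
        token = token.strip().strip('"')
        if token.startswith("["):                # bracketed IPv6, optional port
            token = token[1:].split("]", 1)[0]
        elif token.count(":") == 1:              # IPv4 followed by a port
            token = token.split(":", 1)[0]
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass                                 # "unknown", obfuscated ids, junk
    return found


def classify(raw_request, real_ip):
    """Return (label, header names) for one request and the tester's real IP."""
    headers = parse_headers(raw_request)
    real = ipaddress.ip_address(real_ip)
    leaks = [name for name in IP_HEADERS
             for value in headers.get(name, [])
             if real in extract_ips(name, value)]
    if leaks:
        return "non-anonymous", sorted(set(leaks))   # real IP is disclosed
    seen = sorted(n for n in PROXY_HEADERS if n in headers)
    if seen:
        return "proxy-revealing", seen               # proxy use is visible, IP is not
    return "no-proxy-headers", []


if __name__ == "__main__":
    for label, req in (("leaky", LEAKY), ("masked", MASKED), ("clean", CLEAN)):
        print(label, classify(req, "203.0.113.7"))
```

This check only covers plain HTTP proxying: inside a CONNECT tunnel carrying TLS, the proxy cannot add headers to the encrypted request.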
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
My Top 5 Web Hacking Tools.pdf
320.5 KB
TOP 5 WEB HACKING TOOLS & METHODS VIA PICTURES
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑Top 2020 #MITM tools :
BetterCAP | MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.
Burp Suite | GUI based tool for testing Web application security.
Ettercap | Ettercap is a comprehensive suite for man in the middle attacks
Evilginx | Man-in-the-middle attack framework used for phishing credentials and session cookies of any web service.
MITMf | Framework for Man-In-The-Middle attacks
mitmproxy | An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑Some popular search engines for leaks & bugs, for penetration testers
Spyse | Spyse collects valuable data from all open source internet and stores it in its own database to provide instant access to the data.
Censys | Censys continually monitors every reachable server and device on the Internet, so you can search for and analyze them in real time
Shodan | Shodan is the world's first search engine for Internet-connected devices.
WiGLE | Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.
Zoomeye | Search engine for cyberspace that lets the user find specific network components (IP, services, etc.)
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑Source Code Analysis & decryption Tools
pyup | Automated Security and Dependency Updates
RIPS | PHP Security Analysis
Retire.js | detecting the use of JavaScript libraries with known vulnerabilities
Snyk | find & fix vulnerabilities in dependencies, supports various languages
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
Tracking Users_ From Cookies to DeviceFingerprinting.pdf
320.4 KB
Tracking via cookies method
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑DANGEROUS EXPLOIT TOOLS-USE CVE:
LinEnum | Scripted Local Linux Enumeration & Privilege Escalation Checks
CVE-2017-5123 | Linux Kernel 4.14.0-rc4+ - 'waitid()' Local Privilege Escalation
Oracle Privilege Escalation via Deserialization | CVE-2018-3004 Oracle Privilege Escalation via Deserialization
linux-exploit-suggester | The tool is meant to assist the security analyst in his testing for privilege escalation opportunities on Linux machine
BeRoot Project | BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.
yodo: Local Privilege Escalation | yodo proves how easy it is to become root via limited sudo permissions, via dirty COW or using Pa(th)zuzu.
GIT SOURCES 2020
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
GitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑Why Use Password Managers?
#FastTips
The main rules for the safe use of passwords:
> the password must be complex (i.e. include 4 groups of characters - uppercase and lowercase letters, numbers, special characters - and not consist of words, or a combination of words, that can be found in a dictionary)
> you cannot use the same password on different sites and services, because a compromise of your password, for example on a poorly protected site / forum, can give an attacker access to your mail, cloud storage, social networks, network folder, etc.
> passwords should not be stored on a computer in text files, or in public places (a sticker with a password on a computer is also bad)
Under these conditions, you need to remember a large number of complex passwords, which is practically impossible. Therefore, many users do not comply with these conditions (which is bad), and those who comply are forced to write passwords down, for example in a text file (if the file is not encrypted, then this is also bad).
🦑A password manager can help in this situation: it is a program that stores your passwords in encrypted form. That is, instead of many passwords, you only need to remember one master password.
written by undercode
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
Google hacking (dorking) tutorial #1.pdf
261.2 KB
The most requested tutorial
Forwarded from UNDERCODE SECURITY
Termux Tutorials by Techncyber.pdf
1.3 MB
Termux command tutorial & tools
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑TERMUX Parrot Shell :
Beautify your Termux App
INSTALLATION & RUN :
1️⃣ apt update
2️⃣ apt install git -y
3️⃣ git clone https://github.com/htr-tech/termux-shell.git
4️⃣ cd termux-shell
5️⃣ chmod +x *
6️⃣ bash install.sh
7️⃣ exit
> or use Single Command
8️⃣ apt update && apt install git -y && git clone https://github.com/htr-tech/termux-shell.git && cd termux-shell && chmod +x * && sh install.sh
enjoy ❤️
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
Forwarded from UNDERCODE HACKING
Get info from gmail & google .pdf
1.4 MB
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁
🦑SOME CARDING #TERMS:
1. CC (Credit Card)
2. CCN (Credit Card Number) - Includes the number of the card and expiration date, no name or address.
3. CVV (Credit Verification Value) / (Card Security Code) / CVV2 - The number on the back of the card used for verification purposes. 3 digit number for Visa/MC and 4 digit for AMEX (American Express). (There is also CVV1, which is a verification number that is written into the magstripe on the back of the card and is read when the card is swiped.)
4. SSN (Social Security Number) - One of the details of the CC holder, used to bypass security measures.
5. MMN (Mothers Maiden Name) - Comes in handy when bypassing security measures on VBV/MCSC. One of your security questions.
6. DOB (Date of Birth) - Used to bypass some security measures.
7. COB (Change of Billing) - Some stores will only ship large/high priced items if the shipping and billing info match; these can be obtained through some CVV sellers, usually in the form of a "Fulls".
8. Fulls - You will hear "Fulls/Fullz" many times. It is nothing but CC details with more info, e.g. security question answers, SSN, DOB, MMN, etc., which can be used for COB, etc.
9. AVS (Address Verification Service) - System that checks the billing address entered against the credit card company's records.
10. VBV (Verified by Visa) - Extra verification process initially added by Visa. There are different types of authentication used; most notably a password, date of birth, social security number, or mother's maiden name.
11. MCSC (MasterCard SecureCode) - MC (MasterCard) adopted this process after VBV came out; basically the same thing but with MasterCards.
12. POS (Point of Sale) - Terminal at a physical shop where the card is swiped/read.
13. Dump - The information that is written onto the magnetic stripe on the back of the card. The only way to get these is with a skimmer. Comes in different "tracks", which I will not be explaining - a dump would look like
14. Skimmer - A device that is normally attached to an ATM where you insert your card, which records your card information (there are other variants; that is the most common).
15. Embosser - A device that "stamps" the cards to produce the raised lettering.
16. Tipper - A device that adds the gold/silver accents to the embossed characters.
17. MSR (Magnetic Stripe Reader/Writer) - Used in the carding scene for writing dumps (and driver's license, student ID) info to blank cards or gift cards (if you want to use blank white cards, you will need a printer for the card template and an embosser/tipper as well, which can get costly to buy).
18. BIN (Bank Identification Number) - The first 6 digits of a card number (this will be gone over in more detail later on).
19. Novs (Novelty ID / Fake ID) - Commonly used for signing at drops, store pickups, WU drops, bank drops, etc.
20. VPN (Virtual Private Network) - This will change your IP to wherever the location of the VPN server is. This is used with an application rather than through your browser as with SOCKS. Watch out, as some VPN providers will keep logs. But it leaks our DNS info, so it is not safe.
21. BTC (Bitcoin) - It is a digital currency. Used for buying anything in the digital world. You need it to buy CC, SOCKS, VPN etc. You have to exchange your local currency (INR/Dollar etc.) to BTC.
#WIKI SOURCES
▁ ▂ ▄ UNDERCODE ▄ ▂ ▁