Bypassing AMSI via COM Server Hijacking (PDF)
Microsoft's Antimalware Scan Interface (AMSI) was introduced in Windows 10 as a standard interface that gives AV engines the ability to apply signatures to buffers both in memory and on disk. This lets AV products "hook" right before script interpretation, meaning that any obfuscation or encryption has already gone through its respective deobfuscation and decryption routines. If desired, you can read more on AMSI here and here. This post will highlight a way to bypass AMSI by hijacking the AMSI COM server, analyze how Microsoft fixed it in build #16232 and then how to bypass that fix.
FULL METHOD
=== UNDERCODE ===
xsser - Cross Site "Scripter" (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
INSTALLATION & RUN:
On Debian-based systems (e.g. Ubuntu), run the following single command (the package list was split over three numbered lines in the original post):
sudo apt-get install python3-pycurl python3-bs4 python3-geoip python3-gi python3-cairocffi python3-selenium firefoxdriver
On other systems such as Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc., also run:
sudo pip3 install pycurl bs4 pygeoip gobject cairocffi selenium
XSSer runs on many platforms. It requires Python (3.x) and the following libraries:
- python3-pycurl - Python bindings to libcurl (Python 3)
- python3-bs4 - error-tolerant HTML parser for Python 3
- python3-geoip - Python3 bindings for the GeoIP IP-to-country resolver library
- python3-gi - Python 3 bindings for gobject-introspection libraries
- python3-cairocffi - cffi-based cairo bindings for Python (Python3)
- python3-selenium - Python3 bindings for Selenium
- firefoxdriver - Firefox WebDriver support
Check the picture and this git link for more usage:
https://github.com/epsylon/xsser
git topic
use for learning
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
=== UNDERCODE ===
#Method MySQL Row Count: How to get the number of rows in MySQL:
1) To get the number of rows in one table, use COUNT(*) in a SELECT statement like this:
SELECT
    COUNT(*)
FROM
    table_name;
2) For example, to get the number of rows in the andreyex table in the sample database, use the following statement:
SELECT
    COUNT(*)
FROM
    andreyex;
+----------+
| COUNT(*) |
+----------+
|       35 |
+----------+
1 row in set (0.01 sec)
3) Getting the number of MySQL rows in two or more tables: to get the row counts of several tables in one query, use UNION to combine the result sets returned by the individual SELECT statements.
4) For example, to get the number of rows of the andreyex and trainings tables in one query, use the following statement (rows is a reserved word in MySQL 8.0, so the alias is quoted with backticks):
SELECT
    'andreyex' tablename,
    COUNT(*) `rows`
FROM
    andreyex
UNION
SELECT
    'trainings' tablename,
    COUNT(*) `rows`
FROM
    trainings;
+-----------+------+
| tablename | rows |
+-----------+------+
| andreyex  |   34 |
| trainings |  451 |
+-----------+------+
2 rows in set (0.01 sec)
5) Getting the number of MySQL rows of all tables in a specific database: to get the row count of every table in a database such as classicmodels, use the following steps:
First, get all the table names in the database.
Second, build one SQL statement that contains a SELECT COUNT(*) FROM table_name query for each table, joined with UNION.
Third, execute that SQL statement as a prepared statement.
First, to get all the table names in a database, query the information_schema database:
SELECT
    table_name
FROM
    information_schema.tables
WHERE
    table_schema = 'classicmodels'
    AND table_type = 'BASE TABLE';
+------------+
| TABLE_NAME |
+------------+
| andreyex   |
| trainings  |
| sites      |
+------------+
3 rows in set (0.02 sec)
Second, to build the SQL statement, use the GROUP_CONCAT and CONCAT functions. The table names come from information_schema.tables, used here as a derived table named table_list. Note the spaces around ' UNION ' and before ' ORDER BY'; without them the generated statement is not valid SQL:
SELECT
    CONCAT(GROUP_CONCAT(CONCAT('SELECT \'',
                table_name,
                '\' table_name, COUNT(*) `rows` FROM ',
                table_name)
            SEPARATOR ' UNION '),
        ' ORDER BY table_name')
INTO @sql
FROM
    (SELECT table_name
     FROM information_schema.tables
     WHERE table_schema = 'classicmodels'
       AND table_type = 'BASE TABLE') AS table_list;
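As an added example that is not part of the original post, here is the complete three-step procedure as MySQL SQL. It goes beyond the snippet above in two ways a practitioner would want: the table names pulled from information_schema are quoted before being spliced into generated SQL (a table name containing a space, a quote or a reserved word would otherwise break or alter the statement), and the generated statement is actually executed through PREPARE/EXECUTE. It assumes the page's database name classicmodels; the statement name count_all_tables is a constructed placeholder.

```sql
-- Added example, not code from the original post. Counts the rows of every
-- base table in the classicmodels database (the page's sample name).

-- GROUP_CONCAT truncates its result at group_concat_max_len (1024 bytes by
-- default) and only raises a warning, so a database with many tables would
-- otherwise yield a cut-off, invalid statement. Raise the limit first.
SET SESSION group_concat_max_len = 1000000;

-- Steps 1 and 2: build one statement directly from information_schema.
-- The table name appears twice in each generated SELECT: once as a string
-- label (single-quoted, embedded quotes doubled) and once as an identifier
-- (backtick-quoted, embedded backticks doubled). Quoting both copies keeps
-- a hostile or merely unusual table name from changing the query's shape.
SELECT
    CONCAT(
        GROUP_CONCAT(
            CONCAT('SELECT ''', REPLACE(table_name, '''', ''''''), ''' AS table_name, ',
                   'COUNT(*) AS `rows` FROM `', REPLACE(table_name, '`', '``'), '`')
            SEPARATOR ' UNION ALL '),
        ' ORDER BY table_name')
INTO @sql
FROM
    information_schema.tables
WHERE
    table_schema = 'classicmodels'
    AND table_type = 'BASE TABLE';

-- If the schema has no base tables, GROUP_CONCAT returns NULL and @sql is
-- NULL; PREPARE would then fail, so inspect the generated text first.
SELECT @sql;

-- Step 3: run the dynamic statement as a prepared statement, then release it.
PREPARE count_all_tables FROM @sql;
EXECUTE count_all_tables;
DEALLOCATE PREPARE count_all_tables;
```

UNION ALL replaces the page's UNION because the per-table label already makes every row distinct, so the duplicate-elimination pass UNION performs is wasted work. COUNT(*) reads each table in full; information_schema.tables.table_rows is much cheaper but is only an estimate for InnoDB tables, so use it for monitoring, not for exact counts.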
=== UNDERCODE ===
2020 new update: faraday - Collaborative Penetration Test and Vulnerability Management Platform
INSTALLATION & RUN:
1) Download a release from https://github.com/infobyte/faraday/releases
2) Install PostgreSQL >= 9.6 (locally or on a remote server). To install PostgreSQL, run:
$ sudo apt install postgresql
3) After the installation completes, verify that the PostgreSQL version is 9.6 or higher by running:
$ psql -c "SELECT version()" postgres
4) Go to your Downloads directory and run:
$ sudo apt install ./yourInstallFileName.deb
5) If PostgreSQL is running on a remote machine, follow the project's instructions for that case. If it is running locally, simply run:
$ sudo faraday-manage initdb
6) Start Faraday's server by running:
$ systemctl start faraday-server
7) To learn how to run Faraday's commands, follow this link:
https://github.com/infobyte/faraday/wiki/How-to-run-Faraday
=== UNDERCODE ===
#webhacking another WordPress XMLRPC System Multicall Brute Force Exploit:
HOW IT WORKS?
This is an exploit for the WordPress xmlrpc.php system.multicall function affecting the most current version of WordPress at the time (3.5.1). It works by sending 1,000+ authentication attempts per request to xmlrpc.php in order to "brute force" valid WordPress users, iterating through whole wordlists until a valid user response is acquired. It then displays the valid username and password for login.
INSTALLATION & RUN:
1) git clone https://github.com/1N3/Wordpress-XMLRPC-Brute-Force-Exploit.git
2) ./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username1 username2 username3...
THAT'S ALL :)
=== UNDERCODE ===
BEST TORRENT SITES LIST:
https://1337x.to/
https://www.limetorrents.cc/
https://torrentz2.is/
https://www.torlock.com/
https://eztv.ag/
https://rarbg.to/index31.php
https://www.torrentdownloads.me/
https://torrentgalaxy.to/
https://www.torrentfunk.com/
https://www.skytorrents.to/
https://iptorrents.com/login.php
https://passthepopcorn.me/
https://broadcasthe.net/
https://redacted.ch/
https://bibliotik.me/
https://gazellegames.net/login.php
=== UNDERCODE ===
#PAYLOAD #EXPLOIT
WHAT IS SECLISTS:
SecLists is the security tester's tool. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.
INSTALLATION & RUN:
1) wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip
2) unzip SecList.zip
3) rm -f SecList.zip
4) -h
NOTE: Downloading this repository is likely to cause a false-positive alarm from your anti-virus or anti-malware software; the file path should be whitelisted. There is nothing in SecLists that can harm your computer as-is; however, it is not recommended to store these files on a server or other important system because of the risk of local file include attacks.
enjoy
=== UNDERCODE ===
Postfix mail forwarding
Postfix is one of the most widely used MTA programs and can deliver, receive, or route email. If you want to forward email for your server and domain, you can use Postfix to set up forwarding for addresses on the domain, such as kbuzdar@mydomain.com. This article shows how to set up Postfix mail forwarding on a CentOS server. For other distributions such as Ubuntu and Debian, almost all the steps are the same.
1) Install Postfix
First, check whether Postfix is already installed on your system with the following command:
$ rpm -qa | grep postfix
2) Otherwise, install Postfix with the following command:
$ sudo dnf install postfix
Once the installation is complete, check the Postfix service status with:
$ sudo service postfix status
The output (shown in the original screenshot) should report the service as active.
3) With Postfix active, you can further verify with the netstat command that it is listening on port 25:
$ sudo netstat -ltnp | grep 25
4) Configuration for Postfix email forwarding
Now start configuring Postfix for forwarding. It is a simple task. First, find the Postfix configuration directory with the postconf command:
$ postconf | grep config_directory
5) All Postfix configuration files are located in /etc/postfix, so go into that directory and edit the "main.cf" configuration file.
Open the file in your favorite text editor. Here we use vim:
$ vi /etc/postfix/main.cf
6) Add the following lines at the end of "main.cf". virtual_alias_domains lists the domains whose mail Postfix accepts for forwarding, and virtual_alias_maps points at the lookup table that maps each address on those domains to its forwarding destination:
virtual_alias_domains = mydomain.com theanotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual
A hash: table is read from the compiled /etc/postfix/virtual.db, which postmap builds from the /etc/postfix/virtual text file, so rebuild it whenever you change the mappings.
7) Reload Postfix
After making the necessary changes to the Postfix configuration files, reload or restart Postfix with one of the following commands:
$ sudo /etc/init.d/postfix reload
# or
$ sudo service postfix reload
=== UNDERCODE ===
Blind Attacking Framework:
FEATURES:
- blind attacking makes every vulnerable host exposed to the internet a targeted one, hence increases awareness of potential threats
- the best way to prevent knowledge abuse under the hood is sharing it with everyone
- it will always add something new to the community and will never be a replica
INSTALLATION & RUN:
1) fire up a terminal and run: sudo apt-get update && apt-get upgrade && apt-get dist-upgrade
2) install the [ requests , httplib , urllib , time , bs4 "BeautifulSoup" , colored , selenium , sys ] python modules, then run:
python BAF_0.1.0.py
3) use BAF authentication to automatically authenticate with Shodan via a premium account to get access to all search results, or enter your own Shodan account username and password for a custom account login
4) choose 1, let it do its job, press y, close the previous tab, press y, close the previous tabs, etc., until you have the vulnerable cams only
5) choose 2, enter what you want to search for (e.g. NSA); when it's done, refer to the targets text file, which will contain the targets as ip:port
that's all
6) DON'T close a loading web page
beta versions will open an automated browser for better understanding, but you can close the webcam tabs freely
enjoy
git TOPIC
=== UNDERCODE ===