UNDERCODE COMMUNITY
🦑 BACKDOOR & REVERSE SHELL WITH NETCAT (KALI/PARROT TOOL) FULL


🦑 WHAT IS PROCESS INJECTION:

> This technique involves executing malicious code by injecting it into another running, legitimate process, so that the process executes the code on the attacker's behalf while avoiding suspicion and evading detection.

> This allows the malicious code to run using the host process's memory, resources and elevated privileges. It also lets the code evade suspicion from security solutions such as host-based firewalls, antivirus, EDRs and so on, because it is running under a valid process.


🦑 Real-world examples of process injection in action

1) DoublePulsar
An analysis of the kernel-mode payload of the well-known DoublePulsar code by F-Secure revealed that it uses a form of DLL injection to load a DLL into a target process (in this case lsass.exe) by means of an Asynchronous Procedure Call (APC). It did not use the standard Windows API calls such as LoadLibrary and did not write the DLL to disk, which makes it stealthier.

2) Cobalt Strike
Cobalt Strike is penetration testing software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors through a listener called a beacon.

> Cobalt Strike commands such as keylogger, screenshot and so on are designed to be injected into another process in order to work. The listener is injected into a specific process (a personal favorite is explorer.exe, because that process is always running in a GUI environment) and the keystroke logger then monitors all keystrokes via the infected process. It reports them to the beacon console without writing to disk, and only stops when the process terminates or the user terminates the keystroke logger job.

3) Lazarus Group
The Lazarus Group (also known as “Hidden Cobra”) is a threat group headquartered in North Korea whose malicious activities span multiple years, going back as far as 2009. Since 2016 the group has been conducting “FASTCash” attacks, stealing money from ATMs of target banks in Africa and Asia. The target bank's network is compromised and malware known as Trojan.Fashcash is deployed on it.

> An analysis of the malware reveals that malicious Advanced Interactive eXecutive (“AIX”) executable files are injected into legitimate processes on the payment application servers that handle ATM transactions. The executable allows the group to monitor and intercept fraudulent transaction requests and generate responses to them using fake ISO 8583 messages (ISO 8583 is the standard used for financial transaction messaging). This allows attempts to withdraw cash via an ATM to succeed.

4) APT41
APT41 is a threat group headquartered in China and known for carrying out Chinese state-sponsored espionage campaigns dating as far back as 2012.

> The group is known for its software supply chain attacks, in which TTPs developed while accessing video game production environments are reused to compromise software companies, and malicious code is injected into software updates distributed to victim organizations.

5) WINTERLOVE is a backdoor used by the group to load and execute remote code in a running process (e.g., iexplorer.exe); it can also be used to enumerate system files and directories.

6) Mitigation/prevention
DLL injection is not necessarily a bad technique: many applications use it for legitimate purposes, such as antivirus/Endpoint Detection and Response (“EDR”) solutions, which inject their own code/agents into running processes in order to monitor them and detect abnormal activity. That is what makes malicious injection hard to detect, especially since it runs under a legitimate process.

🦑 Behavior analysis

1) Detection can be achieved by configuring your EDR to flag cross-process events such as injection of code into a running process, duplicate processes, remote thread creation and so on.

2) EDRs work by gathering, monitoring and analyzing endpoint activity and events. This gives the security team the visibility needed for further analysis, detection, investigation and mitigation of advanced threats across all endpoints running the EDR.

3) As part of their response capabilities, EDRs can be configured to block certain types of process injection, depending on the behavior observed during the injection.
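The three cross-process signals named in item 1 (remote thread creation, a handle to another process with write/execute rights, and a second process of the same name from an unexpected path) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the original post or from any EDR product: the event lines are constructed for it, and their field names only mirror the shape of Sysmon's ProcessCreate (event 1), CreateRemoteThread (event 8) and ProcessAccess (event 10) records.

```python
"""Added example, not from the original post: rule-based detection of the
cross-process events an EDR would expose. Telemetry below is constructed;
the id/source/target/access fields imitate Sysmon events 1, 8 and 10."""
from dataclasses import dataclass

# Constructed sample telemetry: one event per line, space-separated key=value
# pairs (paths here contain no spaces, which keeps the parser trivial).
SAMPLE_EVENTS = r"""
id=1 image=C:\Windows\explorer.exe pid=1204 parent=C:\Windows\System32\userinit.exe
id=1 image=C:\Users\bob\AppData\Local\Temp\update.exe pid=4412 parent=C:\Windows\explorer.exe
id=10 source=C:\Windows\System32\csrss.exe target=C:\Windows\explorer.exe access=0x1000
id=10 source=C:\Users\bob\AppData\Local\Temp\update.exe target=C:\Windows\System32\lsass.exe access=0x1FFFFF
id=8 source=C:\Users\bob\AppData\Local\Temp\update.exe target=C:\Windows\explorer.exe start=0x00007FF6A2B31000
id=1 image=C:\Users\bob\AppData\Roaming\explorer.exe pid=5120 parent=C:\Users\bob\AppData\Local\Temp\update.exe
"""

# Process access rights that together let a caller write code into another
# process and start it there: PROCESS_CREATE_THREAD (0x0002),
# PROCESS_VM_OPERATION (0x0008) and PROCESS_VM_WRITE (0x0020).
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020


@dataclass
class Finding:
    rule: str
    detail: str


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (constructed format, see above)."""
    return dict(token.split("=", 1) for token in line.split())


def detect_cross_process(events_text):
    """Return the findings a rule set like the one described above would raise."""
    findings = []
    image_dirs = {}  # process basename -> set of directories it has run from
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["id"] == "1":
            # Duplicate process: same image name appearing from a second directory.
            directory, _, name = ev["image"].lower().rpartition("\\")
            seen = image_dirs.setdefault(name, set())
            if seen and directory not in seen:
                findings.append(Finding(
                    "duplicate-process",
                    f"{name} already runs from {sorted(seen)[0]}, new copy from {directory}"))
            seen.add(directory)
        elif ev["id"] == "10":
            # Handle to another process carrying write/thread-creation rights.
            rights = int(ev["access"], 16)
            if rights & INJECTION_RIGHTS and ev["source"].lower() != ev["target"].lower():
                findings.append(Finding(
                    "process-access",
                    f"{ev['source']} opened {ev['target']} with {ev['access']}"))
        elif ev["id"] == "8":
            # A thread started inside another process is the classic injection tell.
            findings.append(Finding(
                "remote-thread",
                f"{ev['source']} created a thread in {ev['target']} at {ev['start']}"))
    return findings


if __name__ == "__main__":
    for finding in detect_cross_process(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

As item 6 above notes, antivirus and EDR agents inject into processes legitimately, so these rules fire on them too; in practice the source image is checked against an allow-list of signed vendor binaries before an alert is raised, and the csrss.exe handle in the sample passes because it requests only query rights.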


🦑 Buffer Overflow Example:

This is an example of very bad coding practice that introduces a buffer overflow. The purpose of this code is to serve as a demonstration a

#include <stdio.h>

/* Never called by main(): it is the demo's target, reachable only if
   control flow is corrupted. */
void secretFunction()
{
    printf("Omar's Crappy Function\n");
    printf("This is a super secret function!\n");
}

void echo()
{
    char buffer[20];

    printf("Please enter your name:\n");
    /* Bug on purpose: "%s" has no length limit, so more than 19 characters
       overrun buffer and overwrite the saved frame pointer and return address.
       The bounded form would be scanf("%19s", buffer). */
    scanf("%s", buffer);
    printf("You entered: %s\n", buffer);
}

int main()
{
    echo();

    return 0;
}

> The char buffer[20]; is a really bad idea.

> You can compile this code or use the already-compiled binary here.

🦑 For 32-bit systems you can use gcc as shown below:

gcc vuln.c -o vuln -fno-stack-protector

For 64-bit systems:

gcc vuln.c -o vuln -fno-stack-protector -m32

-fno-stack-protector disables the stack protector, so smashing the stack is allowed. -m32 makes sure that the compiled binary is 32-bit. You may need to install additional libraries to compile 32-bit binaries on 64-bit machines.


🦑 Modern Encryption Algorithms:


Digital encryption

1) AES – AES stands for Advanced Encryption Standard. Originally called Rijndael, it is the encryption specification published by the National Institute of Standards and Technology (NIST) in 2001. It puts plaintext through a number of “transformation rounds” determined by the key size; each round consists of several processing steps. Let's not stray too far into the weeds on this one. AES is a common algorithm in SSL/TLS. It replaced the Data Encryption Standard (DES), created in 1977.

2) RSA – RSA stands for Rivest-Shamir-Adleman, after its creators. It is a public key (asymmetric) encryption algorithm that has been around since 1978 and is still widely used today. It relies on the hardness of factoring the product of large prime numbers to protect the enciphered plaintext.

3) [Fun fact: the unfortunately named Clifford Cocks, a mathematician employed by GCHQ, a British intelligence agency, invented an equivalent system five years earlier, in 1973, but it wasn't declassified until 1997.]

4) ECC – ECC stands for Elliptic Curve Cryptography, which relies on the algebraic structure of elliptic curves over finite fields. Although ECC has been around since 1985, it has only been in use since about 2004. ECC has distinct advantages over RSA and is likely to play a more prominent role in the future of SSL/TLS.

5) PGP – PGP stands for Pretty Good Privacy; it was created in 1991 by Phil Zimmermann. It is really more a collection of algorithms than a single one, covering hashing, data compression and both public and private key cryptography, with each step using a different algorithm. PGP has been criticized for poor usability, a lack of ubiquity and the length of its keys.


🦑 Crack hashes in seconds.

🦑 Features

1) Automatic hash type identification

2) Supports MD5, SHA1, SHA256, SHA384, SHA512

3) Can extract & crack hashes from a file

4) Can find hashes from a directory, recursively

5) Multi-threading

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„• :

1) git clone https://github.com/s0md3v/Hash-Buster.git

2) Cracking a single hash
You don't need to specify the hash type; Hash Buster will identify and crack it in under 3 seconds.

Usage: buster -s <hash>

3) Finding hashes in a directory
Yep, just specify a directory and Hash Buster will go through all the files and directories in it, looking for hashes.

Usage: buster -d /root/Documents

4) Cracking hashes from a file
Hash Buster can find your hashes even if they are stored in a file like this:

simple@gmail.com:21232f297a57a5a743894a0e4a801fc3
{"json@gmail.com":"d033e22ae348aeb5660fc2140aec35850c4da997"}
surrondedbytext8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918surrondedbytext

Usage: buster -f /root/hashes.txt

5) Specifying the number of threads
Multi-threading can greatly reduce the overall time when you have a lot of hashes to crack, by making requests in parallel.

Usage: buster -f /root/hashes.txt -t 10
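Features 1, 3 and 4 (automatic type identification, extraction from a file, recursive search of a directory) come down to finding hex runs of the right length in arbitrary text. The following is an added example, not Hash Buster's own code, written from the point of view of someone sweeping their own files for leaked credential hashes; the three sample lines are the ones shown above, and identification is by digest length only, which is all that separates the unsalted MD5/SHA families (length cannot tell MD5 from NTLM, for instance).

```python
"""Added example, not Hash Buster's code: extract hex digests from text or a
directory tree, name the hash family by length, and confirm a candidate
password against a digest with hashlib. SAMPLE_TEXT is copied from the post."""
import hashlib
import os
import re
import string

SAMPLE_TEXT = """\
simple@gmail.com:21232f297a57a5a743894a0e4a801fc3
{"json@gmail.com":"d033e22ae348aeb5660fc2140aec35850c4da997"}
surrondedbytext8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918surrondedbytext
"""

# Digest length in hex characters -> algorithm family the tool supports.
HEX_LENGTH_TO_ALGO = {32: "MD5", 40: "SHA1", 64: "SHA256", 96: "SHA384", 128: "SHA512"}

# A maximal run of hex characters: the lookarounds stop a longer hex run from
# being split into two shorter "hashes".
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,128}(?![0-9a-fA-F])")


def identify(digest):
    """Name the hash family a hex digest's length implies, or None."""
    if len(digest) in HEX_LENGTH_TO_ALGO and all(c in string.hexdigits for c in digest):
        return HEX_LENGTH_TO_ALGO[len(digest)]
    return None


def extract_hashes(text):
    """Return (line number, algorithm, lowercase digest) for every hash found."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in HEX_RUN.finditer(line):
            algo = identify(match.group(0))
            if algo:  # skip hex runs whose length matches no supported digest
                found.append((line_no, algo, match.group(0).lower()))
    return found


def scan_directory(root):
    """Walk root recursively; map each file path to the hashes found in it."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = extract_hashes(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


def verify_candidate(candidate, digest, algo):
    """True if hashing candidate with algo reproduces digest."""
    return hashlib.new(algo.lower(), candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    for line_no, algo, digest in extract_hashes(SAMPLE_TEXT):
        print(f"line {line_no}: {algo} {digest} weak-default={verify_candidate('admin', digest, algo)}")
```

All three sample digests are the hash of the string "admin", which is why a tool like this returns them "in seconds": the work is a lookup, not a computation, and the fix on the defender's side is salted, slow password hashing rather than a longer digest.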


🦑 Reverse Engineering References:

http://www.sweetscape.com/010editor/

http://www.hexworkshop.com/

http://ridiculousfish.com/hexfiend/

http://www.hiew.ru/

https://mh-nexus.de/en/hxd/


🦑 REVERSE ENGINEERING:

> Volatility Framework - Volatile memory extraction utility framework
=========================================================

> The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independently of the
system being investigated but offer visibility into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and to provide a platform for further work in
this exciting area of research.

🦑 The Volatility distribution is available from:
http://www.volatilityfoundation.org/#!releases/component_71401


🦑 Volatility should run on any platform that supports Python (http://www.python.org)

Volatility supports investigations of the following memory images:

Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8, 8.1, and 8.1 Update 1
* 32-bit Windows 10 (initial support)
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8, 8.1, and 8.1 Update 1
* 64-bit Windows Server 2012 and 2012 R2
* 64-bit Windows 10 (including at least 10.0.18362)
* 64-bit Windows Server 2016 (including at least 10.0.18362)

Note: Please see the guidelines at the following link for notes on
compatibility with recently patched Windows 7 (or later) memory samples:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

Linux:
* 32-bit Linux kernels 2.6.11 to 5.5
* 64-bit Linux kernels 2.6.11 to 5.5
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc

Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
* 64-bit 10.9.x Mavericks (there is no 32-bit version)
* 64-bit 10.10.x Yosemite (there is no 32-bit version)
* 64-bit 10.11.x El Capitan (there is no 32-bit version)
* 64-bit 10.12.x Sierra (there is no 32-bit version)
* 64-bit 10.13.x High Sierra (there is no 32-bit version)
* 64-bit 10.14.x Mojave (there is no 32-bit version)
* 64-bit 10.15.x Catalina (there is no 32-bit version)

Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available. If you would like suggestions about suitable
acquisition solutions, please contact us at:

volatility (at) volatilityfoundation (dot) org

🦑 Volatility supports a variety of sample file formats and the
ability to convert between these formats:

- Raw linear sample (dd)
- Hibernation file (from Windows 7 and earlier)
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME format
- Mach-O file format
- QEMU virtual machine dumps
- Firewire
- HPAK (FDPro)

> Community plugins: git clone https://github.com/volatilityfoundation/community

🦑 Example Data
============

If you want to give Volatility a try, you can download exemplar
memory images from the following url:

https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

🦑 Mailing Lists
=============

Mailing lists to support the users and developers of Volatility
can be found at the following address:

http://lists.volatilesystems.com/mailman/listinfo

Requirements
============
- Python 2.6 or later, but not 3.0. http://www.python.org

Some plugins may have other requirements which can be found at:
https://github.com/volatilityfoundation/volatility/wiki/Installation

Quick Start
===========
1. Unpack the latest version of Volatility from
volatilityfoundation.org

2. To see available options, run "python vol.py -h" or "python vol.py --info"

Example:

$ python vol.py --info
Volatility Foundation Volatility Framework 2.6

🦑 STARTING

Example:

$ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800

3) If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing
Windows 7 or later memory samples, please see the guidelines here:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

4) Run some other plugins. -f is a required option for all plugins. Some
also require/accept other options. Run "python vol.py <plugin> -h" for
more information on a particular command. A Command Reference wiki
is also available on the GitHub site:

> https://github.com/volatilityfoundation/volatility/wiki

as well as Basic Usage:

https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
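The quick start's step 3 warns that imageinfo often suggests several profiles, and every later plugin needs the chosen one passed as --profile. The following is an added example, not part of Volatility, that parses the imageinfo output reproduced above (including the Python 2 "L" suffix it prints on some addresses), reports all candidate profiles and the one Volatility instantiated, and builds the argv for the next plugin run; the sample text is the post's own output.

```python
"""Added example, not Volatility code: parse 'vol.py imageinfo' output so the
profile and image path can be fed to the next plugin programmatically."""
import re

# Output from the quick start above (Volatility 2.6).
SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800
"""

PROFILE_LINE = re.compile(r"^(?P<list>.*?)\s*\(Instantiated with (?P<chosen>\S+)\)\s*$")


def parse_imageinfo(text):
    """Map each 'Key : value' line to a dict entry; banner lines are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def suggested_profiles(fields):
    """Return (all suggested profiles, the one Volatility instantiated with)."""
    match = PROFILE_LINE.match(fields["Suggested Profile(s)"])
    if not match:
        raise ValueError("unexpected Suggested Profile(s) format")
    return [p.strip() for p in match.group("list").split(",")], match.group("chosen")


def parse_address(value):
    """Volatility 2 prints some addresses as Python 2 longs ('0x187000L')."""
    return int(value.rstrip("L"), 16)


def next_plugin_command(fields, plugin):
    """argv for the next plugin plus a flag saying several profiles were suggested
    (the case where the 2.6-Win-Profiles guidelines above should be consulted)."""
    profiles, chosen = suggested_profiles(fields)
    image = re.search(r"FileAddressSpace \((.*)\)", fields["AS Layer2"]).group(1)
    ambiguous = len(profiles) > 1
    return ["python", "vol.py", "-f", image, f"--profile={chosen}", plugin], ambiguous


if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_OUTPUT)
    print(suggested_profiles(info))
    print(hex(parse_address(info["KDBG"])), hex(parse_address(info["DTB"])))
    print(next_plugin_command(info, "pslist"))
```

Selecting the wrong profile is the usual cause of empty or garbage plugin output, so the `ambiguous` flag is worth acting on: when it is set, run kdbgscan as the guidelines suggest before trusting the instantiated profile.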


🦑 Elaborating on the MAC spoofing process:

🦑 LET'S START:

A) Principle:

1) Before we start, let's briefly review the switch forwarding process. When a port of the switch receives a data frame, the switch first looks up the frame's destination MAC address in its MAC address table (CAM) to find the corresponding port. If the destination port is not the same as the source port, the frame is forwarded out of the destination port and the mapping between the source port and the source MAC is updated in the MAC address table; if the destination port is the same as the source port, the frame is discarded.

2) Consider the following working scenario:

A 4-port switch with ports Port.A, Port.B, Port.C and Port.D corresponding to hosts A, B, C and D, where D is the gateway.

3) When host A sends data to B, host A encapsulates the data down the OSI layers; in the process it resolves host B's MAC address from its IP address and fills it in as the destination MAC of the frame. Before sending, the MAC-layer control logic of the network card also makes a check.

4) If the destination MAC is the same as the network card's own MAC, the frame is not sent; otherwise the card sends it. When Port.A receives the frame, the switch looks up B's MAC (the frame's destination MAC) in the MAC address table according to the process above and finds Port.B, while the frame's source port is Port.A, so the switch forwards the frame out of Port.B and host B receives it.

5) This addressing process can be summarized as IP -> MAC -> PORT: ARP spoofing deceives the IP/MAC correspondence, and MAC spoofing deceives the MAC/PORT correspondence.

6) The earlier attack method was MAC flooding of the switch, which does make the switch fall back to broadcast mode so that traffic can be sniffed, but it overloads the switch, slows the network, and causes packet loss or even a complete outage.

written by undercode

🦑 B) Hands-on walkthrough (elaborating on the MAC spoofing process)

The working environment is the 4-port switch described above. The software used as an example is cncert's httphijack. The goal is to hijack the data of host C from host A.

The hijacking process is as follows (da is the destination MAC, sa is the source MAC):

1) A sends any packet with da = gateway.mac and sa = B.mac to the gateway.

This tells the switch that b.mac is behind port.a. For a period of time the switch will deliver all frames addressed to b.mac to host A. This lasts until host B sends a packet of its own, or until another packet with da = gateway.mac and sa = b.mac is generated.

2) Host A receives the data the gateway sent to B and forwards it to B after recording or modifying it. Before forwarding, it sends a broadcast requesting B.MAC. This packet carries normal MAC information: da = FFFFFFFFFF, sa = a.mac.

This frame tells the switch that a.mac is behind port.a, and at the same time it prompts host B to send a response packet.

Its MAC information is: da = a.mac, sa = b.mac

This frame tells the switch that b.mac is behind port.b.

At this point the correct correspondence has been restored and host A can forward the hijacked data to B.

3) Forward the hijacked data to B to complete one hijacking round.

C) Attack characteristics

1) Because this method works in time slices, the higher the other party's traffic, the lower the hijacking frequency and the more stable the network.

2) Strong concealment: because of the particular working principle described in 1, it works even in environments with an ARP firewall and two-way (IP/MAC) binding.

D) How to protect

Advanced switches can use ip + mac + port binding to control the automatic learning of the CAM table. There is currently no software that protects against this kind of attack.
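Section A's forwarding rule, the table move that step 1 of section B relies on, and the static MAC/port binding named just above can all be run side by side in a small model. The following is an added example, not from the original post: a toy learning switch with the post's four ports and hosts (D is the gateway); the MAC addresses are constructed, and the "binding" is a simplified port-security rule that refuses to move a bound MAC and drops the offending frame.

```python
"""Added example, not from the original post: a toy learning switch showing
the CAM-table move behind the hijack and how a static MAC/port binding stops
it. Ports and hosts follow the post's 4-port setup; MACs are constructed."""
from dataclasses import dataclass, field

PORTS = ["Port.A", "Port.B", "Port.C", "Port.D"]
MAC = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b",
       "C": "02:00:00:00:00:0c", "D": "02:00:00:00:00:0d"}  # D is the gateway
PORT_OF = dict(zip(MAC, PORTS))  # host letter -> the port it is really on
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    da: str  # destination MAC
    sa: str  # source MAC


@dataclass
class Switch:
    cam: dict = field(default_factory=dict)       # MAC -> port, learned dynamically
    bindings: dict = field(default_factory=dict)  # MAC -> port, static (port security)
    log: list = field(default_factory=list)

    def receive(self, in_port, frame):
        """Apply the section A rule; return the ports the frame leaves on ([] if dropped)."""
        bound = self.bindings.get(frame.sa)
        if bound is not None and bound != in_port:
            # Static binding wins over learning: keep the entry, drop the frame, log it.
            self.log.append(f"violation: {frame.sa} is bound to {bound} but arrived on {in_port}")
            return []
        previous = self.cam.get(frame.sa)
        if previous is not None and previous != in_port:
            self.log.append(f"mac-move: {frame.sa} {previous} -> {in_port}")
        self.cam[frame.sa] = in_port  # learning: source MAC now maps to the source port
        if frame.da == BROADCAST or frame.da not in self.cam:
            return [p for p in PORTS if p != in_port]  # flood broadcast / unknown unicast
        out = self.cam[frame.da]
        return [] if out == in_port else [out]  # same port: discard


def run_scenario(protected):
    """Replay step 1 of section B on an unprotected or a bound switch.
    Returns (ports that receive the gateway's reply to B, switch log)."""
    sw = Switch()
    if protected:
        sw.bindings = {MAC[h]: PORT_OF[h] for h in MAC}
    for h in MAC:  # every host announces itself once so the CAM table is complete
        sw.receive(PORT_OF[h], Frame(BROADCAST, MAC[h]))
    # Step 1: a frame arriving on Port.A with B's source MAC, addressed to the gateway.
    sw.receive("Port.A", Frame(MAC["D"], MAC["B"]))
    # The gateway now answers B; where does the switch deliver the reply?
    delivered = sw.receive("Port.D", Frame(MAC["B"], MAC["D"]))
    return delivered, sw.log


if __name__ == "__main__":
    for protected in (False, True):
        delivered, log = run_scenario(protected)
        print(f"protected={protected}: reply to B delivered on {delivered}; log={log}")
```

Without bindings the reply to B leaves on Port.A and the only trace is a "mac-move" entry, which is also the event a defender can alarm on (MAC-move notifications exist on most managed switches). With the bindings in place the spoofed frame is dropped as a violation, the CAM entry for B never moves, and the reply reaches Port.B.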

🦑 E) Tools used

1) httphijack beta 2: HTTP session hijacking

2) ssclone: session replication software for switched environments (gmail, qqmail, sohumail ...)

3) skiller: traffic control

written by undercode