UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity



🦑 Modern Encryption Algorithms


Digital encryption

1) AES – AES stands for Advanced Encryption Standard. Originally called Rijndael, it is the encryption specification published by the National Institute of Standards and Technology (NIST) in 2001. It puts plaintext through a number of “transformation rounds” determined by the key size; each round consists of several processing steps. Let’s not stray too far into the weeds on this one. AES is the common symmetric algorithm in SSL/TLS. It replaced the Data Encryption Standard (DES), which dates from 1977.

2) RSA – RSA stands for Rivest-Shamir-Adleman, after its creators. It is a public-key (asymmetric) encryption algorithm that has been around since 1978 and is still widely used today. Its security rests on the difficulty of factoring the product of two large primes: anyone who can factor the public modulus can recover the private key.

3) [Fun fact: The unfortunately named Clifford Cocks, a mathematician employed by GCHQ, the British signals intelligence agency, invented an equivalent system five years earlier, in 1973, but it wasn’t declassified until 1997.]

4) ECC – ECC stands for Elliptic Curve Cryptography, which relies on the algebraic structure of elliptic curves over finite fields. Although ECC has been around since 1985, it has only been in widespread use since about 2004. ECC has distinct advantages over RSA and is likely to play a more prominent role in the future of SSL/TLS.

5) PGP – PGP stands for Pretty Good Privacy; it was created in 1991 by Phil Zimmermann. It is really more a collection of algorithms than a single one, covering hashing, data compression, and both symmetric (private-key) and public-key cryptography; each step uses a different algorithm. PGP has been criticized for poor usability, a lack of ubiquity and for the length of its keys.
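As an added illustration (not from the original post), here is textbook RSA in pure Python with deliberately tiny primes: it walks through key generation, encryption and decryption, and shows why the private key falls out as soon as the modulus can be factored. The primes, exponent and message value are constructed for the demo.

```python
# Added example (not from the original post): textbook RSA with deliberately tiny
# primes, to show the key generation, encryption and decryption steps and why the
# whole scheme rests on the difficulty of factoring n. Numbers are demo-sized.
import math

def generate_keypair(p: int, q: int, e: int = 65537):
    """Build (public, private) RSA keys from primes p and q. Real keys use ~1024-bit primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)

def encrypt(public_key, m: int) -> int:
    """Textbook RSA: c = m^e mod n (no padding, which real deployments add)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def decrypt(private_key, c: int) -> int:
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)

def factor_by_trial_division(n: int):
    """Recover p, q for a small n. For real moduli this step is infeasible, which
    is the only thing standing between the public key and the private key."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime or 1")

def recover_private_key(public_key):
    """Given only (n, e): factor n, then rebuild d exactly as the key owner did."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))

if __name__ == "__main__":
    public, private = generate_keypair(61, 53)      # demo primes
    ciphertext = encrypt(public, 65)
    print("ciphertext:", ciphertext, "decrypts to", decrypt(private, ciphertext))
    print("private key recovered from public key alone:", recover_private_key(public) == private)
```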


🦑 Crack hashes in seconds (Hash Buster)

🦑 Features

1) Automatic hash type identification

2) Supports MD5, SHA1, SHA256, SHA384, SHA512

3) Can extract & crack hashes from a file

4) Can find hashes from a directory, recursively

5) Multi-threading

πŸ¦‘π•€β„•π•Šπ•‹π”Έπ•ƒπ•ƒπ•€π•Šπ”Έπ•‹π•€π•†β„• & β„π•Œβ„• :

1) git clone https://github.com/s0md3v/Hash-Buster.git

2) Cracking a single hash
You don't need to specify the hash type. Hash Buster will identify and crack it in under 3 seconds.

Usage: buster -s <hash>

3) Finding hashes from a directory
Yep, just specify a directory and Hash Buster will go through all the files and directories present in it, looking for hashes.

Usage: buster -d /root/Documents

4) Cracking hashes from a file
Hash Buster can find your hashes even if they are stored in a file like this

simple@gmail.com:21232f297a57a5a743894a0e4a801fc3
{"json@gmail.com":"d033e22ae348aeb5660fc2140aec35850c4da997"}
surrondedbytext8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918surrondedbytext

Usage: buster -f /root/hashes.txt

5) Specifying the number of threads
Multi-threading can greatly reduce the overall time when you have a lot of hashes to crack, by making requests in parallel.

Usage: buster -f /root/hashes.txt -t 10
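An added example (not Hash Buster's own code) mirroring features 1 and 3 above: it identifies the digest type from its length, extracts digests from free-form text such as the three sample lines, and flags any digest that is simply the hash of a trivially weak password, which is how you would audit a leaked dump for weak credentials. The sample text (the three lines above plus a constructed fourth) and the weak-word list are constructed.

```python
# Added example (not Hash Buster's own code): locate hashes in free-form text,
# identify the digest type from its length, and flag digests that are simply
# the hash of a trivially weak password, for auditing a leaked dump.
import hashlib
import re

# Constructed sample: the three lines shown above plus one where hex-looking
# letters ("beef") sit directly in front of the digest.
SAMPLE = """\
simple@gmail.com:21232f297a57a5a743894a0e4a801fc3
{"json@gmail.com":"d033e22ae348aeb5660fc2140aec35850c4da997"}
surrondedbytext8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918surrondedbytext
token=beef5f4dcc3b5aa765d61d8327deb882cf99;
"""

# Constructed list of known-weak passwords to test against.
WEAK_WORDS = ["123456", "password", "admin"]

# Hex length -> digest type, the set Hash Buster supports.
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256", 96: "SHA384", 128: "SHA512"}
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
                 "SHA384": "sha384", "SHA512": "sha512"}

def identify(hex_digest: str):
    """Digest type implied by the length of a hex string, or None."""
    return HASH_TYPES.get(len(hex_digest))

def extract_hashes(text: str):
    """Every candidate digest in the text, lower-cased, in order of appearance."""
    found = []
    for m in re.finditer(r"[0-9a-fA-F]{32,}", text):
        run = m.group(0).lower()
        if identify(run):
            found.append(run)
            continue
        # The run is longer than any digest: neighbouring hex-looking characters
        # are glued to it. Emit every window of a supported length as a candidate;
        # verification below decides which one is real.
        for size in HASH_TYPES:
            found.extend(run[i:i + size] for i in range(len(run) - size + 1))
    return found

def weak_password_match(hex_digest: str, algo: str, words):
    """The word whose digest equals hex_digest, or None."""
    name = HASHLIB_NAMES[algo]
    for word in words:
        if hashlib.new(name, word.encode()).hexdigest() == hex_digest:
            return word
    return None

def audit(text: str, words):
    """Map each candidate digest to (digest type, matched weak password or None)."""
    report = {}
    for digest in extract_hashes(text):
        algo = identify(digest)
        report[digest] = (algo, weak_password_match(digest, algo, words))
    return report

if __name__ == "__main__":
    for digest, (algo, hit) in audit(SAMPLE, WEAK_WORDS).items():
        if hit:
            print(f"{algo} {digest} is the hash of weak password {hit!r}")
```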

✅ verified by undercode

🦑 Reverse Engineer References:

http://www.sweetscape.com/010editor/

http://www.hexworkshop.com/

http://ridiculousfish.com/hexfiend/

http://www.hiew.ru/

https://mh-nexus.de/en/hxd/


🦑 REVERSE ENGINEER:
> Volatility Framework - Volatile memory extraction utility framework
=========================================================

> The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independently of the
system being investigated but offer visibility into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and provide a platform for further work into
this exciting area of research.

🦑 The Volatility distribution is available from:
http://www.volatilityfoundation.org/#!releases/component_71401


🦑 Volatility should run on any platform that supports
Python (http://www.python.org)

Volatility supports investigations of the following memory images:

Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8, 8.1, and 8.1 Update 1
* 32-bit Windows 10 (initial support)
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8, 8.1, and 8.1 Update 1
* 64-bit Windows Server 2012 and 2012 R2
* 64-bit Windows 10 (including at least 10.0.18362)
* 64-bit Windows Server 2016 (including at least 10.0.18362)

Note: Please see the guidelines at the following link for notes on
compatibility with recently patched Windows 7 (or later) memory samples:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

Linux:
* 32-bit Linux kernels 2.6.11 to 5.5
* 64-bit Linux kernels 2.6.11 to 5.5
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc

Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
* 64-bit 10.9.x Mavericks (there is no 32-bit version)
* 64-bit 10.10.x Yosemite (there is no 32-bit version)
* 64-bit 10.11.x El Capitan (there is no 32-bit version)
* 64-bit 10.12.x Sierra (there is no 32-bit version)
* 64-bit 10.13.x High Sierra (there is no 32-bit version)
* 64-bit 10.14.x Mojave (there is no 32-bit version)
* 64-bit 10.15.x Catalina (there is no 32-bit version)

Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available. If you would like suggestions about suitable
acquisition solutions, please contact us at:

volatility (at) volatilityfoundation (dot) org

🦑 Volatility supports a variety of sample file formats and the
ability to convert between these formats:

- Raw linear sample (dd)
- Hibernation file (from Windows 7 and earlier)
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME format
- Mach-O file format
- QEMU virtual machine dumps
- Firewire
- HPAK (FDPro)

> clone https://github.com/volatilityfoundation/community

🦑 Example Data
============

If you want to give Volatility a try, you can download exemplar
memory images from the following url:

https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

🦑 Mailing Lists
=============

Mailing lists to support the users and developers of Volatility
can be found at the following address:

http://lists.volatilesystems.com/mailman/listinfo

Requirements
============
- Python 2.6 or later, but not 3.0. http://www.python.org

Some plugins may have other requirements which can be found at:
https://github.com/volatilityfoundation/volatility/wiki/Installation

Quick Start
===========
1. Unpack the latest version of Volatility from
volatilityfoundation.org

2. To see available options, run "python vol.py -h" or "python vol.py --info"

Example:

$ python vol.py --info
Volatility Foundation Volatility Framework 2.6
🦑 STARTING

Example:

$ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800

3) If multiple profiles are suggested by imageinfo or kdbgscan, or if you're having trouble analyzing
Windows 7 or later memory samples, please see the guidelines here:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

4) Run some other plugins. -f is a required option for all plugins. Some
also require/accept other options. Run "python vol.py <plugin> -h" for
more information on a particular command. A Command Reference wiki
is also available on the GitHub site:

> https://github.com/volatilityfoundation/volatility/wiki

as well as Basic Usage:

https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
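To automate the profile step, here is an added helper (not part of Volatility) that parses the text `vol.py imageinfo` prints, as in the run above, extracts the suggested and instantiated profiles and the DTB, and builds the follow-up plugin command lines. The embedded sample is the output shown above; the image path passed to the command builder is a placeholder.

```python
# Added example (not part of Volatility): parse the text that "vol.py imageinfo"
# prints so an IR script can pick the profile and build follow-up commands.
import re

# Sample taken from the imageinfo run shown above.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800
"""

_FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")
_INSTANTIATED = re.compile(r"\(Instantiated with (\w+)\)")

def parse_imageinfo(text: str) -> dict:
    """Turn the 'key : value' block into a dict; hex addresses become ints."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # banner and progress lines carry no field
        key, value = m.group("key"), m.group("value")
        if re.fullmatch(r"0x[0-9a-fA-F]+L?", value):
            value = int(value.rstrip("L"), 16)  # Python 2 prints longs with a trailing L
        fields[key] = value
    return fields

def suggested_profiles(fields: dict) -> list:
    """Profiles in the order imageinfo listed them, without the instantiation note."""
    raw = _INSTANTIATED.sub("", fields.get("Suggested Profile(s)", ""))
    return [p.strip() for p in raw.split(",") if p.strip()]

def chosen_profile(fields: dict) -> str:
    """The profile imageinfo actually instantiated, else the first suggestion."""
    m = _INSTANTIATED.search(fields.get("Suggested Profile(s)", ""))
    return m.group(1) if m else suggested_profiles(fields)[0]

def plugin_commands(fields: dict, image_path: str, plugins=("pslist", "netscan")) -> list:
    """Command lines for follow-up plugins; passing --dtb avoids a second KDBG scan."""
    profile = chosen_profile(fields)
    dtb = fields["DTB"]
    return [f"python vol.py -f {image_path} --profile={profile} --dtb=0x{dtb:x} {plugin}"
            for plugin in plugins]

if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    print("candidates:", suggested_profiles(info))
    for cmd in plugin_commands(info, "/path/to/image.raw"):  # placeholder path
        print(cmd)
```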

🦑 Now you can start reverse engineering ...

🦑 Elaborate on the MAC spoofing process:

πŸ¦‘π•ƒπ”Όπ•‹'π•Š π•Šπ•‹π”Έβ„π•‹ :

A) Principle:

1) Before we start, let’s briefly review how a switch forwards frames: when a port receives a data frame, the switch looks up the frame's destination MAC address in its MAC address table (the CAM table) to find the corresponding port. If that destination port is not the same as the port the frame arrived on, the frame is forwarded out of the destination port and the table entry mapping the source MAC to the source port is updated; if the destination port is the same as the source port, the frame is discarded.

2) Consider the following scenario:

A 4-port switch with ports Port.A, Port.B, Port.C and Port.D connected to hosts A, B, C and D respectively, where D is the gateway.

3) When host A sends data to B, host A encapsulates the data frame down through the OSI layers. During this process it resolves host B's MAC address from B's IP address and fills it in as the destination MAC of the frame. Before sending, the MAC-layer control logic of the network card also makes a check.

4) If the destination MAC equals the network card's own MAC, the frame is not sent; otherwise the card transmits it. When Port.A receives the frame, the switch looks up B's MAC (the frame's destination MAC) in the MAC address table as described above and finds that it maps to Port.B, while the source port is Port.A, so the switch forwards the frame out of Port.B. Host B receives the frame.

5) This addressing process can be summarized as IP → MAC → PORT. ARP spoofing subverts the IP/MAC correspondence, while MAC spoofing subverts the MAC/PORT correspondence.

6) The older attack method is to flood the switch's MAC address table, which does force the switch into broadcast (hub-like) mode and so allows sniffing, but it overloads the switch, slows the network, and causes packet loss or even a complete outage.

written by undercode

🦑 B) Practical walkthrough (the MAC spoofing process)

The working environment is the 4-port switch described above. The software used as an example is cncert's httphijack; the goal is to hijack host C's data from host A.

The hijacking process is as follows (da = destination MAC, sa = source MAC):

1) A sends arbitrary packets with da = gateway.mac and sa = B.mac to the gateway.

This teaches the switch that b.mac is on port.a. For a period of time the switch will deliver every frame addressed to b.mac to host A. This period lasts until host B sends a frame of its own, or until another packet with da = gateway.mac and sa = b.mac is generated.

2) Host A receives the data the gateway sent to B and, after recording or modifying it, forwards it to B. Before forwarding, it sends a broadcast asking for B.MAC. This packet carries normal MAC information: da = FFFFFFFFFFFF, sa = a.mac.

This frame tells the switch that a.mac is on port.a, and at the same time it prompts host B to send a reply.

The reply's MAC information is: da = a.mac, sa = b.mac.

This frame tells the switch that b.mac is on port.b.

At this point the correct mapping has been restored, and host A can successfully forward the hijacked data to B.

3) Forward the hijacked data to B, which completes one hijack cycle.

C) Attack characteristics

1) Because this method works in time slices, the more traffic the other party generates, the lower the frequency of hijacking and the more stable the network remains.

2) Strong concealment: because of the property described in 1, it works even in an environment with an ARP firewall and two-way (static) IP/MAC binding.

D) How to protect

Advanced switches can use IP + MAC + port binding to control the automatic learning of the CAM table. There is currently no software-only protection against such attacks.
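An added detection example, not from the original post: given a switch's MAC-learning events, it reports every MAC whose learned port changes, flags MACs that flip-flop between ports (the time-slice pattern of the hijack described above), and checks the same events against a static MAC-to-port binding table of the kind the protection above relies on. The events, MAC values and bindings are constructed.

```python
# Added example, not from the original post: detect the MAC/PORT flip-flop that
# the hijack above produces, from a switch's MAC-learning events, and check the
# events against a static port-binding table (the protection the text recommends).
from collections import defaultdict

# Constructed learning events in arrival order: (frame_no, port, source_mac).
# MAC values are made up for the demo.
EVENTS = [
    (1, "Port.A", "aa:aa:aa:aa:aa:aa"),  # host A talks normally
    (2, "Port.B", "bb:bb:bb:bb:bb:bb"),  # host B talks normally
    (3, "Port.D", "dd:dd:dd:dd:dd:dd"),  # gateway
    (4, "Port.A", "bb:bb:bb:bb:bb:bb"),  # B's MAC appears on Port.A: step 1 of the hijack
    (5, "Port.A", "aa:aa:aa:aa:aa:aa"),  # A's broadcast request for B.MAC
    (6, "Port.B", "bb:bb:bb:bb:bb:bb"),  # B's reply restores the mapping
    (7, "Port.A", "bb:bb:bb:bb:bb:bb"),  # and the cycle repeats
]

# Static bindings an administrator would configure (constructed).
BINDINGS = {
    "aa:aa:aa:aa:aa:aa": "Port.A",
    "bb:bb:bb:bb:bb:bb": "Port.B",
    "dd:dd:dd:dd:dd:dd": "Port.D",
}

def mac_moves(events):
    """Return (frame_no, mac, old_port, new_port) for every change of learned port."""
    last_port = {}
    moves = []
    for frame_no, port, mac in events:
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            moves.append((frame_no, mac, prev, port))
        last_port[mac] = port
    return moves

def flapping_macs(events, threshold=2):
    """MACs that changed port at least `threshold` times: the hijack's time-slice signature."""
    counts = defaultdict(int)
    for _, mac, _, _ in mac_moves(events):
        counts[mac] += 1
    return sorted(mac for mac, n in counts.items() if n >= threshold)

def binding_violations(events, bindings):
    """Frames whose source MAC arrived on a port other than its bound one.
    A switch enforcing port binding would drop these instead of learning them."""
    return [(frame_no, mac, port) for frame_no, port, mac in events
            if mac in bindings and bindings[mac] != port]

if __name__ == "__main__":
    for move in mac_moves(EVENTS):
        print("MAC moved:", move)
    print("flapping:", flapping_macs(EVENTS))
    print("binding violations:", binding_violations(EVENTS, BINDINGS))
```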

🦑 E) Tools used

1) httphijack beta 2 – HTTP session hijacking

2) ssclone – session replication software for switched environments (gmail, qqmail, sohumail ...)

3) skiller – flow control

written by undercode

🦑 The common VLAN attacks are as follows:

πŸ¦‘π•ƒπ”Όπ•‹'π•Š π•Šπ•‹π”Έβ„π•‹ :

1) VLAN attack 1: 802.1Q and ISL tag attack

A tag attack is a malicious attack that lets users on one VLAN gain illegal access to another VLAN. For example, if a switch port configured for DTP (Dynamic Trunking Protocol) auto mode receives forged DTP packets, it becomes a trunk port and may then receive traffic for any VLAN. A malicious user can thus talk to other VLANs through the port under their control. Sometimes, even when receiving only ordinary packets, a switch port may act against its intended role and behave like a full trunk port (for example, accepting packets from VLANs other than its own). This phenomenon is commonly called "VLAN leakage."

> Against this kind of attack, simply set DTP to "off" on all untrusted ports (those that do not meet the trust condition). The software and hardware of the Cisco Catalyst 2950, Catalyst 3550, Catalyst 4000 and Catalyst 6000 series switches can also implement proper traffic classification and isolation on all ports.

2) VLAN attack 2: Double-encapsulated 802.1Q / nested VLAN attack

Inside the switch, VLAN numbers and identifiers are carried in a special extended format, so that the forwarding path stays independent of the end-to-end VLAN without losing any information. Outside the switch, the tagging rules are specified by standards such as ISL or 802.1Q.

> ISL is Cisco proprietary technology and is a compact form of the extended header used inside the device. Every packet always carries a tag, so there is no risk of losing the identifier, which improves security.

> The IEEE committee that developed 802.1Q, on the other hand, decided that for backward compatibility it was best to support native VLANs, that is, VLANs not explicitly associated with any tag on the 802.1Q link. This VLAN implicitly receives all untagged traffic on the 802.1Q port.

🦑 This feature is what users wanted, because with it an 802.1Q port can talk directly to a legacy 802.3 port by sending and receiving untagged traffic. In every other case, however, the feature can be very harmful: when transmitted over an 802.1Q link, packets belonging to the native VLAN lose their tag, and with it information such as their class of service (the 802.1p bits).

3) The double-tagged frame: the attacker sends an 802.1Q frame whose outer tag is the trunk's native VLAN A and whose inner tag is VLAN B. The first switch strips the outer tag and forwards the frame onto the trunk, where the inner tag makes it VLAN B traffic.

Note: this only takes effect when the trunk's native VLAN is the same as the attacker's VLAN.

4) When double-encapsulated 802.1Q packets enter the network from a device in the same VLAN as the trunk's native VLAN, their VLAN IDs are not preserved end to end, because an 802.1Q trunk always modifies the packet by stripping its outer tag. Once the outer tag is removed, the inner tag becomes the packet's only VLAN identifier. Therefore, if the packet is double-encapsulated with two different tags, the traffic can hop between VLANs.

5) This situation counts as a misconfiguration, because the 802.1Q standard does not force users to use the native VLAN in these cases. In fact, the proper configuration, which should always be used, is to clear the native VLAN from all 802.1Q trunks (setting them to 802.1q-all-tagged mode achieves exactly the same effect). When the native VLAN cannot be cleared, an unused VLAN should be chosen as the native VLAN of all trunks, and that VLAN must not be used for any other purpose. Protocols such as STP, DTP and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data packets.
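An added configuration audit (not from the original post) covering the mitigations in items 1 and 5 above: it parses a Cisco IOS-style running config and reports ports where DTP is still negotiable, and trunks whose native VLAN 1 still carries untagged data, showing a weak configuration beside a hardened one. Both config texts are constructed; the IOS commands they use (`switchport nonegotiate`, `switchport trunk native vlan`, `vlan dot1q tag native`) are real.

```python
# Added example, not from the original post: audit a Cisco IOS-style running
# config for the two weaknesses described above (DTP left negotiable on ports,
# and a native VLAN that still carries untagged data). Config texts are constructed.

WEAK_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode dynamic auto
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""

def parse_interfaces(config: str):
    """Return (global_lines, {interface_name: [its indented config lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current:
            interfaces[current].append(line)
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit_vlan_config(config: str):
    """List (interface, finding); an empty list means neither weakness is present."""
    global_lines, interfaces = parse_interfaces(config)
    native_tagged = "vlan dot1q tag native" in global_lines  # the "all-tagged" mode
    findings = []
    for name, lines in interfaces.items():
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), None)
        # A forged DTP frame can turn any port that still negotiates into a trunk.
        if mode in (None, "dynamic auto", "dynamic desirable") or "switchport nonegotiate" not in lines:
            findings.append((name, "DTP still negotiable: set a fixed mode and 'switchport nonegotiate'"))
        if mode == "trunk" and not native_tagged:
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)  # IOS default is VLAN 1
            if native == 1:
                findings.append((name, "native VLAN 1 carries untagged data: use an unused VLAN or 'vlan dot1q tag native'"))
    return findings

if __name__ == "__main__":
    print("weak config:", audit_vlan_config(WEAK_CONFIG))
    print("hardened config:", audit_vlan_config(HARDENED_CONFIG))
```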

6) VLAN attack 3: VLAN hopping attack
A virtual LAN (VLAN) is a method of segmenting the broadcast domain. VLANs are also often used to provide additional network security, because computers on one VLAN cannot talk to users on another VLAN without explicit access. However, a VLAN on its own is not enough to secure the environment: malicious hackers can jump from one VLAN to another even without authorization.

7) VLAN hopping relies on the Dynamic Trunking Protocol (DTP). Between two interconnected switches, DTP negotiates whether the link between them becomes an 802.1Q trunk; the negotiation is done by checking the configured state of each port.

> The VLAN hopping attack takes full advantage of DTP. In it, a hacker's computer impersonates another switch and sends a forged DTP negotiation message announcing that it wants to become a trunk. On receiving this DTP message, the real switch concludes that it should enable 802.1Q trunking, and once trunking is enabled, traffic from all VLANs is sent to the hacker's computer.

> Once the trunk is established, the hacker can either keep sniffing the traffic or direct attack traffic to a chosen VLAN by adding 802.1Q tags to the frames.

8) VLAN attack 4: VTP attack

VLAN Trunking Protocol (VTP) is a management protocol that reduces the amount of configuration needed in a switched environment. A switch can operate as a VTP server, a VTP client, or in VTP transparent mode; here we focus on the VTP server and the VTP client. Every time the configuration of a switch in VTP server mode changes, whether a VLAN is added, modified or removed, the VTP configuration revision number increases by 1. When a VTP client sees a configuration revision number greater than its current one, it automatically synchronizes with the VTP server.

> A malicious hacker can use VTP for his own purposes and remove all VLANs on the network (except the default VLAN), so that he ends up in the same VLAN as every other user. The users may still be on different network segments, however, so the hacker also needs to change his IP address to join the segment of the host he wants to attack.

> A malicious hacker can take full advantage of VTP by connecting to a switch and establishing a trunk between his computer and the switch. He then sends the VTP server a VTP message whose configuration revision number is higher than the current one. This causes all switches to synchronize with the hacker's computer, removing all non-default VLANs from the VLAN database.

9) With so many kinds of attacks, we can see how fragile the VLANs we deploy are. Fortunately, such unexpected behaviour and security problems mostly arise from incorrect or inappropriate switch configuration, so next we will cover the key points you must pay attention to when configuring the switch.

written by Undercode

🦑 ARP attack methods and technical summary

1) ARP DDoS attack

2) ARP reply packet spoofing

3) ARP request spoofing

4) ARP network-wide request spoofing

5) ARP man-in-the-middle

6) ARP IP address conflict

7) ARP gateway spoofing

8) ARP switch-port forwarding spoofing (the most powerful variant is the attack method used by the "illusion network shield" skiller tool)

written by Undercode