UNDERCODE TESTING
🦑 World's first platform that collects & analyzes every new hacking method.

+ Free AI Practice.

(New Bug Bounty Methods, Tools Updates, AI & Courses).

Services: Undercode.help/services

youtube.com/undercode

@Undercode_Testing
Forwarded from UNDERCODE COMMUNITY (dvm)
What is the Tor Nodes Safety Level in 2024?
Final Results
1% unsecure: 71%
50%: 0%
90% Anonymous: 14%
Happy new year (I'm a beginner) 😊: 14%

What operating system do your AirPods run?

Sounds like a weird question.
Until you realize you have the equivalent processing power of an iPhone 4 in each ear.🙈

Bluetooth audio SoCs are seldom talked about, but a fascinating field.

AirPods specifically run RTKit, a Real-time Operating System targeting small ARM chips, written mostly in C++.

Small real-time operating systems are often used in audio devices and peripherals, as the slightest hiccup in scheduling would be immediately (aka audibly) obvious. Timings are extremely tight.

Much of the public knowledge about RTKit comes from the Asahi Linux project.
RTKit firmware is actually bundled into iOS updates; a simple extraction of the firmware will show numerous .im4p files (which are really just packed Mach-O).

Enable Security Defaults in Microsoft Entra ID:

1. Sign in to Microsoft Entra admin center

2. Expand Identity

3. Select Overview

4. Click on Properties

5. Select Manage security defaults

6. Set Security defaults to Enabled

7. Click Save

Note: If your organization uses Conditional Access policies, you are prevented from enabling Security Defaults. You can use Conditional Access to configure custom policies that enable the same behavior as those provided by Security Defaults.
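
The same change can be checked and made from PowerShell. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that only Conditional Access policies in the `enabled` state count as "in use". The function names are hypothetical.

```powershell
# Added example (not from the original post).
# Assumes: Install-Module Microsoft.Graph has been run and the account may consent to these scopes.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Hypothetical helper: report the security defaults state and any enabled Conditional Access policies.
function Get-SecurityDefaultsState {
    $policy    = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $enabledCa = @(Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' })

    [pscustomobject]@{
        SecurityDefaultsEnabled = [bool]$policy.IsEnabled
        EnabledCaPolicies       = @($enabledCa | ForEach-Object { $_.DisplayName })
    }
}

# Hypothetical helper: enable security defaults unless the Conditional Access caveat in the note applies.
function Enable-SecurityDefaults {
    $state = Get-SecurityDefaultsState

    if ($state.SecurityDefaultsEnabled) {
        Write-Host 'Security defaults are already enabled.'
        return $state
    }

    if ($state.EnabledCaPolicies.Count -gt 0) {
        # Matches the note: a tenant that uses Conditional Access cannot enable security defaults.
        Write-Warning ('Conditional Access is in use ({0} enabled policies): {1}' -f
            $state.EnabledCaPolicies.Count, ($state.EnabledCaPolicies -join '; '))
        return $state
    }

    # Equivalent of steps 6 and 7 in the portal.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $true }
    Get-SecurityDefaultsState
}

Enable-SecurityDefaults | Format-List
```
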
🦑Biggest collections of free cybersecurity resources, here are some top options:

1. Exploit Databases
Exploit-DB: A massive archive of public exploits and software vulnerabilities.

Packet Storm Security: Exploits, tools, and advisories.
0day.today: Exploits and security-related content (registration may be required).

2. Cybersecurity News and CVE Updates
Undercode: Dedicated to cybersecurity, hacking, and tech news.

DailyCVE: A curated resource for the latest CVEs and vulnerability information.

3. Open Source Intelligence (OSINT) Tools
OSINT Framework: A curated collection of OSINT tools and resources.

Maltego Community Edition: OSINT and link analysis software.

4. Cybersecurity Learning Platforms
Hack The Box: Free labs for ethical hacking and pentesting (community edition).

TryHackMe: Interactive hacking and cybersecurity challenges with many free rooms.

OverTheWire: Linux and cybersecurity wargames.

5. Malware and Threat Analysis
VirusShare: Massive collection of malware samples for researchers.

Hybrid Analysis: Free malware analysis service.

ANY.RUN: Free interactive sandbox for analyzing malware.

6. Cybersecurity Tools and Frameworks

Kali Linux: Penetration testing operating system with a large collection of pre-installed tools.

Parrot Security OS: Another Linux distribution for security and privacy.

Metasploit: Penetration testing framework with free options.

7. Online Libraries and Knowledge Bases
MITRE ATT&CK: Knowledge base of adversary tactics and techniques.
CVE Details: Comprehensive vulnerability database.
CyberChef: Cybersecurity and encryption toolkit.

8. Forums and Communities
Reddit: r/cybersecurity: Discussions, resources, and updates.
BleepingComputer: Forums and guides for malware removal and security.

9. Threat Intelligence Platforms
AlienVault OTX: Free threat-sharing platform.
Cisco Talos Intelligence: Free threat intelligence resources.

itsourcecode Banking Management System admin_class.php username SQL injection CVE

https://vuldb.com/?ctiid.269168

2024 list, receive SMS online / virtual phone numbers:

1. textrapp.com
2. quackr.io (Good for Gmail/Google)
3. https://anonymsms.com/
4. https://receive-smss.live/ (May work for Telegram account, depends on the number)
5. https://smsreceivefree.com/
6. https://tempsmss.com/
7. https://www.receivesms.co/
8. https://sms24.me
9. https://receive-smss.com/
10. https://freephonenum.com/
11. https://smsget.net (Only Russian numbers)
12. https://mytempsms.com/

Remember that free websites might be a little risky if you want to verify a personal account or a financial account because the SMS received on that SIM card is public to everyone.

Paid websites

1. https://smspinverify.com/ (They offer cheap prices for Google Voice ($0.78) and have multiple options for this service. Moreover, they have simcards from US, UK, Canada, India, Russia and more than 50 countries and accept Binance Pay, Cryptocurrency, Visa/MasterCard and other payment methods less popular. Works great for the most popular services and it is very cheap. Their API is basic but works good. 10/10.)

2. https://majorphones.com/ (They have a new beta version and offer high quality numbers of USA/UK only. They accept Amazon Pay (VISA/MasterCard)/cryptocurrency/Binance Pay/PerfectMoney/Payeer and others. Moreover, they are now offering long-term numbers, more commonly known as rental numbers, for 7/15/30 days, depending on the country (USA/UK). Their API is only available if you request it to their customer support, so I couldn't test it. 10/10.)

3. https://verifywithsms.com/ (They offer only short-term numbers from USA and UK, the prices are a little high but works good and they accept only cryptocurrency. Don't have an API. 8/10.)

4. https://www.textverified.com/ (They offer only short and long term numbers from USA, most numbers work good but they are expensive. Plus, they accept VISA/Mastercard and crypto only. Very good API, robust. 7.5/10.)

5. https://5sim.net/ (They offer very very cheap numbers (+$0.1) but have poor quality, a lot of numbers are reused but eventually work. Worst is nothing. They accept VISA/Mastercard, cryptocurrency, what's great is that they offer +176 countries. API with some errors and doesn't have some functionalities 6/10.)

6. https://www.smscodes.io/ (They offer 0.5$ of bonus when you sign up and the prices go from 0.1$, they support voice verification (BIG DEAL), the problem is with the payment methods: cryptocurrency and other less known payment methods, the numbers have regular quality but works for most services. 9/10.)

7. smspva.com (They offer a lot of companies but this service in particular is too bad, in some cases they do not give a refund for numbers that don't work, most numbers are reused and for long-term numbers you must wait +30 min to activate the number, in conclusion this service is very very bad, not recommended. 3/10.)

8. Non-Voip.com (They offer USA & UK numbers with good quality at a cheap price. Their API sucks and customer support may be a little slow, I used it mostly for Telegram accounts. Bad API, you can't cancel a number and get a refund. 5/10.)

Source: blackhatworld Forum

🔥 Bypass AV / EDR Tested🔥


The Invoke-ASAMSI script is a tool that takes advantage of the native features of PowerShell and .NET functions using reflection, to modify the memory of amsi.dll, disable its malware scanning and be able to execute malicious scripts and code.



I have also included how we can dump the LSASS together with Nanodump, demonstrating that with public tools and customizing them a little you can do good evasion.



🔥Source Link -->

https://lnkd.in/gMeFQCks


The Script:

https://github.com/ASP4RUX/Invoke-AMSI

Have you ever heard about BadUSB?
A BadUSB refers to a type of malicious attack that exploits the firmware of USB devices. This makes the attack particularly dangerous and stealthy because the BadUSB emulates a HID (Human Interface Device), which is inherently trusted by the operating system. Once connected, the attack begins as the BadUSB starts injecting commands, typing at a speed of up to 1000 wpm, allowing it to execute malicious actions almost instantly.

Attack Scenario
In a busy office, an employee steps away from their desk, leaving their laptop unlocked.
The attack exploits the unlocked system's trust in peripherals, allowing the malicious USB to execute commands without the user’s awareness, compromising the company’s security within seconds.

Example of Actions
Backdoor Installation: The USB types out commands to open a PowerShell terminal and install a hidden backdoor, granting the attacker remote access to the system.
Credential Theft: It retrieves saved passwords or authentication tokens from the system and sends them to an external server.
Network Reconnaissance: It runs scripts to map the internal network, identifying key servers and vulnerable devices.
Data Exfiltration: Sensitive company files are quickly zipped and emailed or uploaded to a remote server.

Prevention Technique
To reduce the chances of success for a BadUSB attack, you can configure User Account Control to require a password for administrative actions. This limits the potential damage a malicious USB can cause.

Steps
1. Press the Windows Key, then type regedit in the search bar to open the Registry Editor.
2. Navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. Find the registry entry named ConsentPromptBehaviorAdmin.
4. By default, its value is set to “5” (prompt for consent without password). Change this value to “1”. This setting forces the system to prompt for the administrator's password every time a process or command requires elevated privileges.

From now on, any action that requires admin rights will trigger a password prompt, significantly reducing the success rate of a BadUSB attack.

Source: linkedin
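
The registry change in the steps above can be audited and applied from PowerShell. This is an added example, not part of the original post; the function names are hypothetical, and the extra check of `EnableLUA` (whether UAC is switched on at all) goes slightly beyond the steps given.

```powershell
# Added example (not from the original post): audit and set the UAC admin prompt behaviour.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin.
$PromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

# Hypothetical helper: report the current setting and whether elevation needs a password.
function Get-UacAdminPrompt {
    $p     = Get-ItemProperty -Path $UacKey
    $value = $p.ConsentPromptBehaviorAdmin

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $value
        Meaning                    = if ($null -eq $value) { 'Not set' } else { $PromptMeaning[[int]$value] }
        # A password is only demanded when UAC is on and the mode asks for credentials.
        RequiresPassword           = ($p.EnableLUA -eq 1) -and ($value -in 1, 3)
    }
}

# Hypothetical helper: apply step 4 (value 1). Must run elevated.
function Set-UacAdminPromptToCredentials {
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Get-UacAdminPrompt
}

Get-UacAdminPrompt | Format-List
```

On domain-joined machines this value is normally delivered by Group Policy ("User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"), so a local registry edit is overwritten at the next policy refresh and the change belongs in the GPO instead.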