Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Day6 :-
#forensics
Browser forensics
Sources :- GitHub, YouTube, blogs
Today we learn how to steal passwords, cookies, etc. from browsers like Mozilla and Chrome.
Tools popularly used :-
Chrome :- Hindsight
Firefox :- Dumpzilla
Video on using Dumpzilla provided (YT).
For Hindsight, watch the SANS video.
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Dumpzilla Kali Tool | Extract forensic information from browser in Linux in Hindi | Forensic Tool
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Theory:-
The above-mentioned tools will extract the stored data of browsers.
Like:
Chrome passwords stored in :-
Windows:-
%APPDATA%\..\Local\Google\Chrome\User Data\Default\Login Data
Firefox passwords stored in :-
Windows:-
C:\Users\xxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxx.default
🛑🛑🛑
Tips :- You can also use these tools in POST EXPLOITATION by modifying them.
Like making them send a mail of the collected passwords and cookies of the victim when he runs your tool.
🛑🛑🛑
Forwarded from Team ETF (DADOFHACKING)
DAY 6 :
PENTEST SERIES
#ctf
TOPIC : #RECONNAISSANCE AND FOOT PRINTING
FOOTPRINTING METHODOLOGY
I WILL BE USING FP AS A SHORTCUT FOR FOOTPRINTING
1. FP THROUGH SEARCH ENGINES (DORKS)
2. FP THROUGH SOCIAL NETWORKING SITES
3. FP THROUGH WEBSITES
4. FP THROUGH EMAIL
5. FP THROUGH DNS
6. FP THROUGH SOCIAL ENGINEERING
TOOLS:
1. RECON-NG
2. THE HARVESTER
3. MALTEGO
ETC.
BY @DADSBKA
IF YOU HAVE ANY DOUBTS, MESSAGE @HACKERSPOILEDBOT
Forwarded from Team ETF ([★𝐃𝐕★]⚡Nøøbma𝔰ᴛe𝖗69⚡⚔️฿Ⱡ₳₵₭ ₦ł₦J₳ ₣ØⱤ₵Ɇ⚔️ ł₦Đł₳₦ VɆⱤł₣łɆĐ 『#𝐂𝐄𝐍𝐓𝐔𝐑𝐘™』🛡XLR8VERIFIED🛡 | 𝐃𝐄𝐕𝐈𝐋'𝐒 𝐕𝐄𝐑𝐈𝐅𝐈𝐄𝐃 |#ᴛʜᴇᴅʏɴᴀᴍɪᴄɴᴇᴛᴡᴏʀᴋ)
Day6:
Commonly used terms in Carding.
#carding
□💳CC: CREDIT CARD. Without this, how will you card?😂
□🌐SOCKS5 IP: It is a proxy. It routes your traffic through a proxy server and generates an arbitrary IP address before you reach your destination. To say simply, it changes your IP address like a VPN. But it is much more secure and provides better anonymity than a VPN.
□🖥VPS/VM: A VPS, which everyone calls RDP, is a virtual cloud-hosted PC. It is a virtual PC which has a different MAC ADDRESS, different RAM, different storage than your computer. You can access a VPS using RDP or a remote client. To say simply, you are accessing a different PC from your PC.
A VM (virtual machine) is like a VPS, but it is not cloud hosted. It is made with the properties of your computer, meaning the VM has the same MAC ADDRESS which your computer has.
But whatever happens in a VM or VPS won't affect your computer.
□💳6️⃣BIN: BIN (Bank Identification Number) is the first 6 digits of a CC number. Every bank has their own BIN. The first digit of the BIN says the provider of the CC:
If it starts with 3: It is AMEX Card
If it starts with 4: It is VISA card
If it starts with 5: It is MASTERCARD card
If it starts with 6: It is DISCOVER/RUPAY(in india)
□👨FULLZ: FULLZ means the complete details of a person like CC details, Address, DOB, Phone number, Email address, SSN (Social Security Number is a number which the US government provides to US citizens).
□🌐🛍911: 911 is a site which sells SOCKS5 proxies. You can buy proxies from any site which sells proxies, but 911 proxies have better anonymity and better security than proxies from other sites.
□🌐💳UNICC: UNICC is a CC selling site. It is a highly trusted CC selling site. You can buy CC there for lower prices. You can even buy FULLZ, CC with FULLZ.
□🌐💲BITCOIN: BTC (BITCOIN) is a digital currency. Most of the sites like UNICC, 911 accept BTC only to buy CC, proxies. So if you don't have BTC, buy from BTC sellers. You can store your BTC in BTC wallets like Coinbase (most preferred wallet).
□🏡🗺DROP: DROP is an address where your product will be shipped to. Suppose that you are carding an E-COMMERCE site like bestbuy, amazon with a USA CC. Then definitely the shipping address which you type in checkout should be a USA address. Or else the site will see this as SUSPICIOUS and cancel your order.
For the CC owner, the shipping address will be the Drop address. But as we don't live with that CC owner, we ship that product to another address from where we can get the product. If you have relatives or your house in the USA, then you can keep their address. From them you can get your product. If you don't have any relatives, then you can get a DROP address from dropshipping sites. They will ship the product to you if you keep the DROP address they gave.
🚨🚨🚨These are the most commonly used terms in carding, but there are more terms you need to know. We will post them later. Peace😇
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Day7 :-
#forensics
Detect DDOS, PING etc... using SNORT
Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.
My OS :- Ubuntu
Let my IP address be 192.168.1.103
SETUP :- ( will be easy in future )
First you need to make some changes in the configuration of Snort.
sudo gedit /etc/snort/snort.conf
Now, change the HOME_NET IP address to your IP range.
Like,
ipvar HOME_NET 192.168.1.0/24
Now go to
/etc/snort/rules/local.rules
and add the rules given below
( Watch the rule writing in the image. )
DETECT PING SCAN
Rule :-
alert icmp any any -> $HOME_NET any (msg:"Ping detected"; sid:1000001; rev:1; classtype:icmp-event;)
alert ---> show alert
ICMP ---> It's a protocol used to report errors in IPv4
-> :- to
$HOME_NET ---> destination IP
msg ---> shows the message which you write
sid ---> keyword used to uniquely identify Snort rules. This information allows output plugins to identify rules easily.
SIDs 100 - 1,000,000 are already registered, so you need to use an ID greater than this, like 1,000,123.
rev ---> keyword used to uniquely identify revisions of Snort rules
classtype:icmp-event ---> Categorizes the rule as an "icmp-event", one of the predefined Snort categories. This option helps with rule organization.
Detecting
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
-A console ----> shows alerts on standard output
-q ----> quiet mode
-i ----> interface
-c ----> config
DETECT TCP SCAN
Rule :-
alert tcp any any -> $HOME_NET any (msg:"TCP Scan Detected"; sid:1000005; rev:2;)
DETECT DOS ATTACK
Rule :-
alert tcp any any -> $HOME_NET 80 (flags:S; msg:"Possible DoS Attack Type : SYN flood"; flow:stateless; sid:3; detection_filter:track by_dst, count 20, seconds 10;)
#reference__researchgate-website
Extra
Ping scan :- nmap 192.168.1.103
TCP scan :- nmap -sT 192.168.1.103
DoS :- Use any tools😐
Written by :- I am groot [ @Etf_Zan ]
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Day8:-
#forensics
Well, we learnt about Snort yesterday, how to write your own Snort rules as well as how to use it.
To detect ARP SPOOF,
you can use any tools from GitHub or create your own using Scapy.
Easy way :- just by looking at the MAC address.
Today we learn some basics of the Windows registry.
Source :- YT ( 13Cubed )
I won't be covering this; you can learn more about Windows forensics on the 13Cubed YT channel.
Forwarded from Team ETF (Groot)
#forensics
Today we will discuss malware forensics.
Here we will find the malware in our PC.
Tool :- Volatility ( open source, GitHub )
Forwarded from Team ETF (Groot)
Explanation:-
There are two types of scan in Volatility to detect the profile.
1. By imageinfo ( above picture )
2. KDBG scan ( I will discuss this tomorrow )
Here in the above figure we can see that we scanned using imageinfo, and it detected some of the profiles ( which OS memory file it is ).
Profile :- WinXPSP2x86 ( see highlighted )
Possible doubts :-
1. Here we have used the memory dump cridex.vmem
.vmem -> VirtualBox memory
cridex is the name of one of the malware samples
2. I already taught you earlier how to get the memory file.
Error :-
There's an installation error in my tool. Probably you won't get the failed error while running the tool.