WEBSITE HACKING WITH DOT NET NUKE EXPLOIT

June 2, 2011
In this tutorial I will explain how hackers use a simple DotNetNuke (DNN) exploit to hack a website. The exploit I am talking about is found in hundreds and hundreds of DNN applications, and it allows the hacker to upload an image to your server. This type of attack is also called one-way hacking. At the end of the article I have also posted some countermeasures to help you defend yourself against these kinds of attack.
Google Dork

A Google dork is the use of Google's own search operators to obtain a specific result. This DNN vulnerability occurs only in those websites which have "/portals/0" in their navigation, so go ahead and search for inurl:"/portals/0", where inurl asks Google to display all the URLs that have /portals/0 in their navigation.
1. Let's say the vulnerable website is:
 www.vulnerablewebsite.com/portals/0
2. Now we will just add Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx after the URL, so http://www.vulnerablewebsite.com/portals/0 will become http://www.vulnerablewebsite.com/portals/0Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
3. If a website is vulnerable to this type of attack, you will get a window similar to the one below:

4. Next, enter the following JavaScript in the address bar:
javascript:__doPostBack(‘ctlURL$cmdUpload’,”)

What this JavaScript does is enable us to upload our image to the server:

5. The hacker could upload any image to the victim's website.
Countermeasures
1. The easiest method is to rename your fcklinkgallery to something else. This will not prevent the attack, but it will protect you from script kiddies; a skilled hacker can easily find the renamed file by using some footprinting methods.
2. Another way to prevent this attack is to upgrade to IIS 7 or higher and a DNN version of 4.9.4 or higher.
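
Alongside the countermeasures above, a site owner can check whether the gallery page has already been requested by scanning the IIS logs. The script below is an added example, not part of the original post or of DNN; the log lines are constructed sample data and it assumes the IIS W3C log format with a `#Fields` header.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (sample data, not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-06-02 10:01:11 198.51.100.7 GET /Default.aspx - 200
2011-06-02 10:02:40 203.0.113.9 GET /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 200
2011-06-02 10:02:55 203.0.113.9 POST /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx - 200
2011-06-02 10:05:02 192.0.2.44 GET /providers/htmleditorproviders/fck/FCKLINKGALLERY.ASPX - 404
2011-06-02 10:06:30 198.51.100.7 GET /portals/0/logo.png - 200
"""

TARGET = "fcklinkgallery.aspx"  # file name taken from the path in the article


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def gallery_hits(text):
    """Return {client_ip: [(timestamp, method, status), ...]} for gallery requests."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if stem.endswith("/" + TARGET):
            stamp = row["date"] + " " + row["time"]
            hits[row["c-ip"]].append((stamp, row["cs-method"], int(row["sc-status"])))
    return dict(hits)


def needs_review(hits):
    """Clients that POSTed to the gallery page and received a 2xx status.

    The page was reachable and accepted a postback from them, so files
    under /portals/0 written around those times should be inspected.
    """
    return sorted(
        ip for ip, events in hits.items()
        if any(method == "POST" and 200 <= status < 300 for _, method, status in events)
    )


if __name__ == "__main__":
    found = gallery_hits(SAMPLE_LOG)
    for ip, events in found.items():
        for stamp, method, status in events:
            print(ip, stamp, method, status)
    print("review uploads for:", needs_review(found))
```

If the file has been renamed as in countermeasure 1, set `TARGET` to the new name; the check matches on the file name only.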

LEARN WEBSITE HACKING AND SECURITY WITH DVWA TOOLS

June 2, 2011
Lots of readers often ask me how they can get good at website hacking and web application security. Even if you have an idea of how some popular web application attacks work, you still need a safe environment to practice what you have learned, because you are not allowed to access any website, even for testing purposes, unless you are authorized to do so. This is where Damn Vulnerable Web App (DVWA) comes into play.
Basically, Damn Vulnerable Web App (DVWA) is a PHP/MySQL web app which is damn vulnerable. DVWA allows you to learn and practice web application attacks in a safe environment. Its latest version is DVWA 1.7.

Vulnerabilities

  • SQL Injection
  • XSS (Cross Site Scripting)
  • LFI (Local File Inclusion)
  • RFI (Remote File Inclusion)
  • Command Execution
  • Upload Script
  • Login Brute Force
  • Blind SQL Injection 

And much more.

Official warning

It should come as no shock..but this application is damn vulnerable! Do not upload it to your hosting provider’s public html folder or any working web server as it will be hacked. It’s recommended that you download and install XAMPP onto a local machine inside your LAN which is used solely for testing.

FREE HACKING TOOLS ESSENTIAL FOR EVERY HACKER

June 2, 2011
A hacking tool is a program which helps you in hacking, making it easier for you. Gone are the days when you had to do everything manually; nowadays hacking tools have made the work easier for you. Below I am posting some of the hacking tools essential for every hacker out there to make the work a lot easier. These tools are actually also a kind of security tool, but it is up to you how you use them.
Free Essential Hacking tools For every Hacker:

IP Tools:
IP-Tools offers many TCP/IP utilities in one program. This award-winning Free Hacking tool can work under Windows 98/ME, Windows NT 4.0, Windows 2000/XP/2003, Windows Vista and is indispensable for anyone who uses the Internet or Intranet.
It includes the following utilities:

1. Local Info – examines the local host and shows info about processor, memory, Winsock data, etc.
2. Name Scanner – scans all hostnames within a range of IP addresses
3. Port Scanner – scans network(s) for active TCP based services
4. Ping Scanner – pings remote hosts over the network
5. Telnet – telnet client
6. HTTP – HTTP client
7. IP-Monitor – shows network traffic in real time & many more

IP Tools has almost all the utilities built into it, so there is no need to use separate tools for every individual process of hacking such as port scanning, Whois scanning, IP monitoring, etc. It's like a hacking toolkit which has all the necessary tools for hacking. Download IP Tools Here

Cain and Abel:
Cain and Abel (sometimes called simply “Cain”) is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel is maintained by Massimiliano Montoro. I have made a tutorial on Hack a Computer with Cain and Abel, or Download Cain and Abel Here

Brutus ( Password Cracker):
Brutus is a remote online password cracker for windows, good for HTTP,POP3,FTP,SMB,Telnet and lots others.. it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future. Brutus was written originally to help me check routers etc. for default and common passwords.
You can Download Brutus Password Cracker Here

RainbowCrack:
A very nice hacking tool. It is a general-purpose implementation of Philippe Oechslin’s faster time-memory trade-off technique. It cracks hashes with rainbow tables.

Features:

  • Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
  • Support rainbow table of any hash algorithm
  • Support rainbow table of any charset
  • Support rainbow table in raw file format (.rt) and compact file format (.rtc)
  • Computation on multi-core processor support
  • Computation on GPU (via NVIDIA CUDA technology) support
  • Computation on multi-GPU (via NVIDIA CUDA technology) support
  • Runs on Windows XP 32-bit, Windows Vista 32-bit and Windows 7 32-bit
  • Command line and graphics user interface
Download Rainbow Cracker Here
LC5 (L0phtCrack):
Windows password auditing and recovery application
L0phtCrack or LC5 attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). LC5 was discontinued by Symantec in 2006, then re-acquired by the original L0pht guys and reborn as LC6 in 2009.

Download LC5 here

John the Ripper:
A powerful, flexible, and fast multi-platform password hash cracker. John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, and download John the Ripper here.


HOW TO CRACK WINDOWS ADMINISTRATION PASSWORD

June 2, 2011
Sometimes it is necessary to know admin passwords in schools and colleges to log in with admin privileges to do various things.

There are many ways to crack passwords, but in this tutorial I will explain a very basic method using a single tool to crack a Windows password. This might come in handy in places like schools and colleges where you can't use your live Linux CDs, USB drives, etc. because you're being watched.
Things we need:
1. Pwdump or Fgdump to extract password hashes

In this tutorial I will be using Pwdump

Extracting password hashes:
1. Open My Computer and go to C:\Windows\system32. Now place the Pwdump file which we downloaded earlier there.
2. Now open a command prompt and navigate to
C:\Windows\system32 \Pwdump

using the cd command, and press Enter.
Example:
Cd C:\Windows\system32 \Pwdump

3. Now you can see a list of Pwdump commands as shown

4. Now enter pwdump – localhost >> “destination of output file” (for 32-bit computers) and pwdump -x localhost >> “destination of output file” (for 64-bit computers)

Example :-
Cd C:\Windows\system32 \Pwdump localhost >> C:\hashes.txt
Cd C:\Windows\system32 \Pwdump -x localhost >> C:\hashes.txt

5. Now open the output file; you can see the names of the different users with their password hashes. Now copy the hashes corresponding to the admin account.

Cracking The Hashes

Considering that we are in a school/college where we can't use tools to crack passwords, as an alternative we are using online password cracking sites.

1. Go to online password cracking sites like http://www.cracker.offensive-security.com or http://www.onlinehashcrack.com, paste the hash, select the hash type as LM, and click decode.

2. In this way we are able to crack a Windows password using a single tool.

Note: If you're not able to crack the password hashes online, use tools like John the Ripper to crack them. You can even copy the hashes and decode them at home.

FACEBOOK ACCOUNT HACK-WHAT TO DO ?

June 2, 2011
It would be a nightmare for anyone whose Facebook account gets hacked. He would wonder how to get back his hacked Facebook account. In this article I will tell you some methods through which you can regain your hacked Facebook account.

Steps to take when your Facebook account gets hacked:

1. Reset Facebook Password with Secondary email address:
Whenever you sign up for a Facebook account, they ask for your secondary email address. In case you lose your password, you can reset it with your secondary email address.

2. Secret Answer:
Yes, you can also reset a Facebook password with the secret answer which you provided to Facebook while signing up for a Facebook account.

3. Contacting Facebook:
Lastly, if the hacker has changed your secondary email address and secret question, then you have only one way left, i.e. contacting the Facebook team about the issue.

Below I am also writing some ways to protect your Facebook account from getting hacked.

Protect your Facebook account from getting Hacked:

1. Use Strong Passwords:
In order to keep your Facebook account from getting cracked with brute force, dictionary or rainbow table attacks, you need to keep a strong password, usually more than 10 letters, or else it will be damn easy for the hacker to hack a Facebook password.

2. Use Phishing filter:
A phishing filter is a shield which protects you from fake login pages. These fake login pages are made to steal your passwords, and a phishing filter will prevent you from logging into these kinds of pages.

3. Use a good Antivirus and Antispyware:
Yes, this is the most crucial step of all those mentioned above. It is highly recommended that you use a good antivirus and antispyware program. I would recommend Kaspersky as an antivirus and Spyware Cease as an antispyware, and don't forget to update them regularly. Remember, one trojan takes it all.

4. Use a Good antilogger:
An antilogger is a program which lets you know if a keylogger is present on your computer. A keylogger is a spyware program which helps keep track of what is happening on your computer.

5. Use a Good Firewall:
If you want to prevent a hacker from entering your computer and hacking your Facebook password, then you must use a good firewall. I personally recommend the ZoneAlarm firewall. A firewall is a hindrance to hacking: a hacker may bypass an antivirus, but it's very difficult for a hacker to bypass a firewall.

I hope these methods will help you prevent your Facebook account from getting hacked. It is highly recommended that you follow all of the above methods to ensure maximum security.

HOW TO VIEW PRIVATE LOCKED PROFILE

June 2, 2011
Learn how to view private Facebook profiles
In this post I will tell you how to view private Facebook profiles. This latest hack proves that anyone in the world is able to view anyone’s private tagged pictures. This is why Facebook is not private, and it is still open even after such publicity all over the web. Major security threat.
Have you ever wanted to see pictures of an enemy but you couldn’t because her or his Facebook account was set to private? Well, that's all going to change, because I will show you a very simple way to view private Facebook profiles.


Method:
1. Log in to your Facebook account
http://www.facebook.com
2. Search for the person
3. Find the person's ID # by clicking on Send messages

5. Copy the ID # and replace it in the link
http://www.facebook.com/photo.php?pid=1234567&id=%5BPerson’s ID]&op=1&view=all&subj=[Person’s ID]
6. Copy and paste the link in your browser
7. You should be able to see 10-20 pictures before facebook denies you access.

HOW TO HACK FACEBOOK-FACEBOOK HACKS

June 2, 2011

The scripts in these hacks to hack Facebook require Firefox. Firefox is a free web-browsing program similar to Internet Explorer with additional security features and options. After you install Firefox, you’ll need Greasemonkey. Greasemonkey is a Firefox extension which lets you add bits of DHTML (“user scripts”) to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page’s style, user scripts let you easily control any aspect of a web page’s design or interaction. Greasemonkey is free. You can download it here: Download Greasemonkey (note: this link will not work in Internet Explorer – you must have Firefox installed to install and use Greasemonkey. If you don’t have Firefox, you can download it here for free.)
 
After you’ve installed Firefox and Greasemonkey, you can install these scripts:
 
  • AutoLogin: Facebook autologin automatically logs you in to Facebook (it stops asking you to log in every time!)
  • Change the color of Facebook: This script changes the default color of your Facebook. By modifying the code you can make it whatever color scheme you want.
 

How to access Facebook if your school blocks it?
Many schools and businesses use a firewall to block access to websites like Facebook, Friendster, Hi5, MSN Spaces, Hotmail, Yahoo email, and other email sites, making it difficult (but not impossible) to access them.
 
If your school or office firewall blocks access to Facebook, Friendster, Hi5, Gmail, or Yahoo email, you may be able to use a few internet privacy tricks to get around the firewalls and access any website you want.
 
The easy way: Try Firefox to get around the firewall
 
“Firefox has built-in proxy connection settings”
 
Try the built-in proxy connection settings with an Anonymizer service to access Facebook from school or work
 
Firefox is not affected by many network restrictions that system administrators may automatically apply to Internet Explorer every time you use it. More importantly, Firefox has built-in proxy-connection settings, which when used with settings that you can get from an anonymous web surfing or anonymizer service, can allow you to get to virtually any website you want even if it is blocked by a firewall. Firefox has several other features such as Google-integration for faster searches, automatic pop-up blockers and more. Firefox is free.
 
To hack Facebook from work or school, even through a firewall by using an Anonymizer or Private web surfing site
 For years internet privacy experts have been using anonymizers, private web-surfing services

HACK FACEBOOK ACCOUNT-FACEBOOK FREEZER

June 2, 2011
Today I thought I would tell you a method to hack a Facebook account. This is not actually hacking a Facebook account but preventing the victim from logging in to his Facebook account.


Principle behind working:

Facebook has a security feature in which, after 25 or so logins, the account is temporarily disabled; to enable the account, the account owner must reset his/her account.

Thus, even when victim tries to login his Facebook account using correct password, he is not able to login to his Facebook account, thus you can hack Facebook account thanks to Facebook Freezer. 

This Facebook Freezer works cool on windows xp and windows vista (even supports earlier version of windows).

Hack Facebook account – Facebook freezer

1. Download Facebook Freezer to hack a Facebook account.

2. Now extract the files into a folder.

3. Now run the FacebookFreezer.exe file to get this:

4. Simply enter the email ID of the victim whose Facebook account you want to hack using Facebook Freezer and hit “Freeze”.

5. That’s it. You will now be able to hack the Facebook account using this Facebook Freezer. This freezing will continue until you hit “Stop Freezing”.
This will not hack the Facebook account for you, but it will prevent the victim from logging in to his/her account.
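
The lockout described under "Principle behind working" lets anyone who knows the e-mail address keep the owner out. One server-side design that avoids this counts failed logins per (account, source) pair instead of per account. The comparison below is an added example, not Facebook's implementation or code from the original post; the 15-minute window, the class names and the sample addresses are assumptions, and the threshold of 25 comes from the "25 or so logins" in the text.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 25          # from the "25 or so logins" figure in the text
WINDOW_SECONDS = 15 * 60   # assumed sliding window


class PerAccountLock:
    """Naive policy: N failures from anywhere lock the account for everyone."""

    def __init__(self):
        self.failures = defaultdict(int)

    def allowed(self, account, source):
        return self.failures[account] < MAX_FAILURES

    def record_failure(self, account, source):
        self.failures[account] += 1


class PerSourceThrottle:
    """Failures are counted per (account, source) inside a sliding window,
    so a source that keeps failing only blocks itself. Traffic spread over
    many sources needs additional controls; this block shows only the
    per-source counting."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.events = defaultdict(deque)

    def _recent(self, key):
        cutoff = self.clock() - WINDOW_SECONDS
        queue = self.events[key]
        while queue and queue[0] <= cutoff:   # drop failures older than the window
            queue.popleft()
        return queue

    def allowed(self, account, source):
        return len(self._recent((account, source))) < MAX_FAILURES

    def record_failure(self, account, source):
        self._recent((account, source)).append(self.clock())


def simulate(policy, attempts=30):
    """Constructed scenario: one source sends `attempts` bad logins for an
    account, then the owner tries from a different source.
    Returns (failing_source_allowed, owner_allowed)."""
    account = "owner@example.com"                   # constructed sample values
    noisy, owner = "203.0.113.9", "198.51.100.7"
    for _ in range(attempts):
        if policy.allowed(account, noisy):
            policy.record_failure(account, noisy)
    return policy.allowed(account, noisy), policy.allowed(account, owner)


if __name__ == "__main__":
    print("per-account lock :", simulate(PerAccountLock()))
    print("per-source limit :", simulate(PerSourceThrottle()))
```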

What is Hacking ?

June 1, 2011

Introduction to Hacking and Hackers!!


This is my first hacking tutorial. In this tutorial I will tell you what hacking is, about ethical hacking and security, who hackers are, why we do hacking, and introduce some basic terms.
First of all I will try to explain what hacking really is…

What Is Hacking??

Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. Everyone here thinks that hacking is just stealing data and information illegally, but this perception is absolutely wrong.

“Hacking is unauthorized use of computer and network resources. (The term “hacker” originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)” – wikipedia

Hacking definition by me –

“Hacking is the art of finding and exploiting loopholes in security and using them to benefit others” 🙂

WHO ARE HACKERS ??

Everybody here thinks that hackers are criminals of the virtual world (i.e. the cyber world). But this thought is also wrong. Hackers are not always criminals. There is no doubt that hackers are extremely gifted people in the field of computers…

Hackers are categorized into three types:

1. White Hat Hacker: A white hat hacker or “Ethical Hacker” is a white hat because he/she doesn’t destroy/exploit systems he/she has broken into, and instead somehow notifies the admin of the cracked system's security holes and flaws.

2. Black Hat Hacker: A black hat or “CRACKER”, on the other hand, hacks into systems (usually) only to destroy something or to steal information like bank information.

3. Grey Hat Hacker: The grey hat is just in between them in some way, maybe not always leaving a note to the admin telling about the flaws in the system or the loophole he/she used, or maybe just peeking a bit in the logs.


Some terms in hacking you have to know:

Threat – An action or event that might compromise security. A threat is a potential violation of security.

Vulnerability –Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system.

Exploit – A defined way to breach the security of a system through a vulnerability, i.e. using the vulnerability to damage the database or system.

Attack –An assault on system security that derives from an intelligent threat. An attack is any action that violates security.

Target of Evaluation – An IT system, product, or component that is identified/subjected as requiring security evaluation.

Security – A state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.


That’s all for today. I think you all will have liked this and want to see more. I will regularly post material. THANKS FOR READING !!

Have Fun and keep Hacking 🙂

HOW TO HACK A GMAIL ACCOUNT OR PASSWORD

May 31, 2011
As I always start my tutorials with a brief introduction to the topic, let’s discuss again what phishing actually is.

What is Phishing?
Phishing, in normal words, is a word derived from the word fishing. As in fishing we make a trap for the fish to get caught, similarly in phishing we make a trap to hack the user's password. Phish basically means fake: things that deviate from the original product. Technically, phishing is a technique to hack a victim's account password using phish or fake pages. In phishing we send the fake page links to the victim in a spoofed manner so that the victim will not be able to recognize whether the page is real or fake. When the victim enters his credentials in the fake page, two different processes occur simultaneously. The first writes a log file containing the username and password, and the second redirects the user to the original website page with the username entered and a message that the password is incorrect.

How to recognize Phish Pages?
There are two ways to recognize phish pages, and both depend on the awareness of the user. There are some other ways to protect yourself from phishing too, but as we know, prevention is better than cure. If you know how it's done, then surely you will also know what its loopholes are and how we can detect it.

Ways to recognize Phish Page:
1. Check the address bar: if the URL you are visiting does not match the original website link, then it's a fake page.
2. If you are a great coder or understand HTML well, then you can easily revert the attack and check the hacker's log file. But if you entered your own details by mistake, they cannot be deleted. For this you need to use IDM and run the website grabber. There, in the log file, you can see all the details of the accounts that the hacker has hacked.
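
The address-bar check in point 1 can be made precise: what matters is the host the browser will actually contact, not whether the genuine name appears somewhere in the link. The function below is an added example, not part of the original post; the expected host `accounts.google.com` is an assumption for the illustration and the sample URLs are constructed (`.example` hosts are placeholders).

```python
from urllib.parse import urlsplit

# Assumption for this example: the genuine sign-in page lives on this host.
EXPECTED_HOSTS = frozenset({"accounts.google.com"})


def check_login_url(url, expected=EXPECTED_HOSTS):
    """Classify a URL before credentials are typed into it.

    Returns "ok" only when the scheme is https and the host the browser
    will really contact is one of the expected hosts; otherwise a short
    reason naming the mismatch.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "not-https"
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host:
        return "no-host"
    if host in expected:
        return "ok"
    # "https://real-name@other-host/": text before '@' is user info, not the host.
    if parts.username and parts.username.lower() in expected:
        return "userinfo-trick"
    # Non-ASCII or punycode labels can render like the genuine name.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike-characters"
    # "real-name.something.example": the genuine name is only a subdomain prefix.
    if any(host.startswith(name + ".") for name in expected):
        return "expected-name-as-subdomain"
    return "host-mismatch"


# Constructed sample URLs.
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com@login.example/",
    "https://accounts.google.com.signin.example/ServiceLogin",
    "https://accounts.g\u043e\u043egle.com/",      # Cyrillic letters in place of "oo"
    "https://gmail-login.example/",
]


def classify_all(urls=SAMPLES):
    """Return {url: verdict} for a list of URLs."""
    return {url: check_login_url(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in classify_all().items():
        print(f"{verdict:28} {url!r}")
```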

What are the new features in this Gmail phisher?
Since it's a new phisher, friends, there should be something new in it, shouldn't there? Yes; what do you think I have added in this phisher?
I have added a few awesome features in this phisher, and the list is below:
1. Incorrect password shown page bug removed
Previously, when a user logged in using the phisher, it redirected to the original page and displayed that the password was incorrect. Now it doesn’t show that and does an even smarter thing. To phish an account we have to send an email to the victim, and if the victim has read the mail, that means he is already logged in. So I have utilized the cookie hack, and the result is that when the victim logs in using the fake page, he is logged in to his own original account without any message being shown. Technically it's called tabnabbing, another name for advanced phishing.

2. Log File Contains more additional Information
I am sure you will love the extra information the log file contains. Previously it only contained the username and password. Now the log file contains all the cookie details along with the IP address of the victim. Why is that more significant? Previously, some good people, meaning people who know the phishing technique, logged in through the phish page but entered wrong credentials and used some abusive words in the login. Now when they type that, I will also get their magic cookie, simply called the session cookie, and the IP address, which I can use to hack their PC and account.


Steps to Hack Gmail Account Password Online:
 1. Download the Gmail Phisher (Click here to Download).
2. Extract the rar file and now you will get three files namely:
  • Index.htm
  • Isoftdl_log.txt
  • next.php
3. Now go to Free Hosting website (click here to go to free hosting website) and register a new account on it.
4. After registering, go to File Manager on the website and create a new directory; name it Gmail or whatever you want.
5. Now double-click on the directory to open it and click on Upload. Browse to the three different files one by one from the three upload boxes and click on Upload.
6. Now open the Index.htm page and you will see your fake page, which looks absolutely similar to the original Gmail page. Below is a snapshot of the fake Gmail page:

                              How to hack Gmail account password online : Fake Page

7. You can directly send the above URL to the victim, but it's quite detectable. So we need to spoof it, so that it becomes a little bit difficult for the victim to recognize it. For that, visit the tk domain maker website (click here to visit).

8. Now send the spoofed link in the mail to the victim.
9. Now when the user logs in using the fake page, the data is written to the log file, which will look like below:
                                         How to hack gmail password : Log file
10. That’s all, friends; now you have the username and password of the victim.