Saturday, 22 August 2015

How To Hack A Website


How To Hack A Website

Customers usually turn to the internet to get information and buy products and services. Towards that end, most organizations have websites.Most websites store valuable information such as credit card numbers, email address and passwords etc. This has made them targets to attackers. Defaced websites can also be used to communicate religious or political ideologies etc.
In this article, we will introduce you toweb servers hacking techniques and how you can protect servers from such attacks.


Topics covered in this tutorial

Web server vulnerabilities

A web server is program that stores files (usually web pages) and makes them accessible via the network or internet. A web server requires both hardware and software. Attackers usually target the exploits in the software to gain authorized entry to the server. Let’s look at some of the common vulnerabilities that attackers take advantage of.
  • Default settings– These settings such as default user id and passwords can be easily guessed by the attackers. Default settings might also allow perform certain tasks such as running commands on the server which can be exploited.
  • Misconfigurationof operating systems and networks – certain configuration such as allowing users to execute commands on the server can be dangerous if the user does not have a good password.
  • Bugs in the operating system and web servers– discovered bugs in the operating system or web server software can also be exploited to gain unauthorized access to the system.
In additional to the above mentioned web server vulnerabilities, the following can also led to unauthorized access
  • Lack of security policy and procedures– lack of a security policy and procedures such as updating antivirus software, patching the operating system and web server software can create security loop holes for attackers.

Types of Web Servers

The following is a list of the common web servers
  • Apache– This is the commonly used web server on the internet. It is cross platform but is it’s usually installed on Linux. Most PHP websites are hosted on apache servers.
  • Internet Information Services (IIS)– It is developed by Microsoft. It runs on windows and is the second most used web server on the internet. Most asp and aspx websites are hosted on IIS servers.
  • Apache Tomcat – Most Java server pages (jsp) websites are hosted on this type of web server.
  • Other web servers – These include Novell's Web Server and IBM’s Lotus Domino servers.

Types of Attacks against Web Servers

Directory traversal attacks– This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.
  • Denial of Service Attacks– With this type of attack, the web server may crash or become unavailable to the legitimate users.
  • Domain Name System Hijacking – Withthis type of attacker, the DNS setting are changed to point to the attacker’s web server. All traffic that was supposed to be sent to the web server is redirected to the wrong one.
  • Sniffing– Unencrypted data sent over the network may be intercepted and used to gain unauthorized access to the web server.
  • Phishing– With this type of attack, the attack impersonates the websites and directs traffic to the fake website. Unsuspecting users may be tricked into submitting sensitive data such as login details, credit card numbers etc.
  • Pharming– With this type of attack, the attacker compromises the Domain Name System (DNS) servers or on the user computer so that traffic is directed to a malicious site.
  • Defacement– With this type of attack, the attacker replaces the organization’s website with a different page that contains the hacker’s name, images and may include background music and messages.

Effects of successful attacks

  • An organization’s reputation can be ruinedif the attacker edits the website content and includes malicious information or links to a porn website
  • The web server can be used to install malicious software on users who visit the compromised website. The malicious software downloaded onto the visitor’s computer can be a virus, Trojan or botnet software etc.
  • Compromised user data may be used for fraudulent activitieswhich may lead to business loss or lawsuits from the users who entrusted their details with the organization

Web server attack tools

Some of the common web server attack tools include;
  • Metasploit– this is an open source tool for developing, testing and using exploit code. It can be used to discover vulnerabilities in web servers and write exploits that can be used to compromise the server.
  • MPack– this is a web exploitation tool. It was written in PHP and is backed by MySQL as the database engine. Once a web server has been compromised using MPack, all traffic to it is redirected to malicious download websites.
  • Zeus– this tool can be used to turn a compromised computer into a bot or zombie. A bot is a compromised computer which is used to perform internet based attacks. A botnet is a collection of compromised computers. The botnet can then be used in a denial of service attack or sending spam mails.
  • Neosplit – this tool can be used to install programs, delete programs, replicating it etc.

How to avoid attacks on Web server

An organization can adopt the following policy to protect itself against web server attacks.
  • Patch management– this involves installing patches to help secure the server. A patch is an update that fixes a bug in software. The patches can be applied to the operating system and the web server system.
  • Secure installation and configuration of the operating system
  • Secure installation and configuration of the web server software
  • Vulnerability scanning system– these include tools such as Snort, NMap, Scanner Access Now Easy (SANE)
  • Firewalls can be used to stop simple DoS attacks by blocking all traffic coming the identify source IP addresses of the attacker.
  • Antivirus software can be used to remove malicious software on the server
  • Disabling Remote Administration
  • Default accounts and unused accounts must be removedfrom the system
  • Default ports  & settings (like FTP at port  21) should be changed to custom port & settings (FTP port at 5069)

Hacking Activity: Hack a WebServer

In this practical scenario, we are going to look at the anatomy of a web server attack. We will assume we are targeting www.techpanda.org. We are not actually going to hack into it as this is illegal. We will only use the domain for educational purposes.

What we will need

Information gathering

We will need to get the IP address of our target and find other websites that share the same IP address.
We will use an online tool to find the target’s IP address and other websites sharing the IP address
  • Click on Check button
  • You will get the following results

Based on the above results, the IP address of the target is 69.195.124.112
We also found out that there are 403 domains on the same web server.
Our next step is to scan the other websites for SQL injection vulnerabilities. Note: if we can find a SQL vulnerable on the target, then we would directly exploit it without considering other websites.
  • Enter the URL www.bing.com into your web browser. This will only work with bing so don’t use other search engines such as google or yahoo
  • Enter the following search query
ip:69.195.124.112 .php?id=
HERE,
  • “ip:69.195.124.112” limits the search to all the websites hosted on the web server with IP address 69.195.124.112
  • “.php?id=” search for URL GET variables used a parameters for SQL statements.
You will get the following results
As you can see from the above results, all the websites using GET variables as parameters for SQL injection have been listed.
The next logic step would be to scan the listed websites for SQL Injection vulnerabilities. You can do this using manual SQL injection or using tools listed in this article on SQL Injection.

Uploading the PHP Shell

We will not scan any of the websites listed as this is illegal. Let’s assume that we have managed to login into one of them. You will have to upload the PHP shell that you downloaded from http://sourceforge.net/projects/icfdkshell/
  • Open the URL where you uploaded the dk.php file.
  • You will get the following window
  • Clicking the Symlink URL will give you access to the files in the target domain.
Once you have access to the files, you can get login credentials to the database and do whatever you want such as defacement, downloading data such as emails etc.

Summary

  • Web server stored valuable information and are accessible to the public domain. This makes them targets for attackers.
  • The commonly used web servers include Apache and Internet Information Service IIS
  • Attacks against web servers take advantage of the bugs and Misconfiguration in the operating system, web servers and networks
  • Popular web server hacking tools include Neosploit, MPack and ZeuS.
  • A good security policy can reduce the chances of been attacked

Friday, 21 August 2015

How To know someone accessed your computer or not??

How To know someone accessed your computer or not??

Do you have a feeling that someone tried to access your computer when you stepped out for a lunch or quick coffee break? Perhaps your colleague or the person sitting in the next desk tried to log in or play something wicked on your computer while you were away for a quick session.
So, how do you know if someone tried to access your computer in your absence? Well, here is a way by which you get notified every time when such an attempt is made.
MouseLock
The website called MouseLock.co gives a solution here. All you have to do is visit the site’s homepage, sign in to your Gmail account and select your secret point (unlock code) from the screen. Once you do this, you will have to place your mouse cursor into the slot shown and click on it. This will activate the mouse lock feature on your computer screen.
MouseLockED
So, when an unauthorized person tries to move the mouse in your absence, he will be given just a few seconds to select the unlock code. Upon failure to do so, you will get an instant notification about the intrusion in your mailbox.
Email Notification from MouseLock
If you have a webcam attached to your computer, you can even get the photo of the person trying to intrude. This will make it easy for you to figure out who actually was the person.
As this is an easy to use web application, you can use it any time just by loading the MouseLock website without the need to install anything on your computer. Even though MouseLock does not manage to prevent the intrusion, it will give you an instant notification about it, so that you aware of what is happening at your desk when you are away.

How it Works?

MouseLock operates by using the “mouseLeaveEvent” from JQuery to track the mouse movements. On the other hand, it uses the “getUserMedia()” API that is supported by Chrome and Firefox to capture the webcam photographs.

How to Bypass Right Click Block on Any Website??

How to Bypass Right Click Block on Any Website


Bypass Right Click Block

You might remember an experience where you tried to right-click on a web page but got a pop-up message saying that the “right-click functionality has been disabled”. Sometimes you may be trying to copy an image or view the source of a web page but when the right-click is disabled, these things would seem impossible. Bank websites and other sites that require a secure transaction such as a payment gateway are the ones to impose this kind of limited functionality on their pages. In this post, I will show you the ways by which you can easily bypass right-click block feature on any website.In order to block the right-click activity, most websites make use of JavaScript which is one of the popular scripting languages used to enhance functionality, improve user experience and provide rich interactive features. In addition to this, it can also be used to strengthen the website’s security by adding some of the simple security features such as disabling right-click, protecting images, hiding or masking parts of a web page and so on.How JavaScript Works?
Before you proceed to the next part which tells you how to disable the JavaScript functionality and bypass any of the restrictions imposed by it, it would be worthwhile for you to take up a minute to understand how JavaScript works.JavaScript is a client side scripting language (in most cases), which means when loaded it runs from your own web browser. Most modern browsers including IE, Firefox, Chrome and others support JavaScript so that they can interpret the code and carry out actions that are defined in the script. In other words, it is your browser which is acting upon the instruction of JavaScript to carry out the defined actions such as blocking the right-click activity. So, disabling the JavaScript support on your browser can be a simple solution to bypass all the restrictions imposed by the website.How to Disable the JavaScript?
Here is a step-by-step procedure to disable JavaScript on different browsers:

For Internet Explorer:

If you are using IE, just follow the steps below:From the menu bar, go to Tools -> Internet Options.In the “Internet Options” window, switch to Security tab and click on the button Custom level…IE Security SettingsFrom the Security Settings, look for the option Active scripting and select the Disable radio button as shown above and click on “OK”.You may even select the Prompt radio button, so that each time a page is loaded, you will have the option to either enable or disable the scripting.

For Google Chrome:

If you are using Chrome, you can disable the JavaScript by following the steps below:Click on the Chrome “menu” button (on the top right corner) and select Tools.From the “Settings” page, click on Show advanced settings…Now under Privacy, click on the button Content settings…Chrome Content SettingsUnder the JavaScript, select the radio button which says “Do not allow any site to run JavaScript” and click on “Done”.

For Mozilla Firefox:

Steps to disable JavaScript on Firefox:From the menu bar, click on Tools -> Options.From the Options window, switch to Content tab, uncheck the option which says “Enable JavaScript” and click on “OK”.Firefox Content OptionsHow to Bypass the Right Click Block?
In order to bypass the right-click block or any other restriction imposed by JavaScript, all you need to do is just disable it in the browser and refresh the same page, so that it now reloads without JavaScript functionality. You are now free to right-click on the page, view its source or even copy any of the images that you may want to. Don’t forget to re-enable the JavaScript once again when your job is over. Otherwise lack of JavaScript support may result in unusual rendering of web pages.

How To Hide Your Ip Address??

How to Hide Your IP Address?

Hide IP AddressEvery computer on the Internet has a unique IP address allotted to it which makes it possible to trace it back to its exact location. Even though the concept of IP address has been designed for its transparency and traceability, in some cases this questions the privacy of the Internet users where one would not like to reveal his/her identity to the outside world.
Well, if you are one such person who is in search of ways to hide your IP address, then you are at the right place. In this post, I will discuss some of the easy and popular ways to mask your IP address so that your identity and privacy is kept safe.

Why Hide IP Address?

The following are some of the common reasons why people want to mask their IP address online:
  1. By hiding the IP address, people can browse websites anonymously without leaving the trace of their identity.
  2. To access websites and portals that are not available to the IP address’s Geo location.
  3. Stay safe from intruders and hackers by showing a fake IP to the world.
  4. Hiding IP means hiding geographical location.
  5. Hiding IP prevents leaving a digital footprint of their online activity.

How to Hide Your IP?

Some of the most common ways to hide IP and safeguard your online identity are discussed below:

1. Using a VPN Proxy – The Safe and Secure Way to Hide Your IP

Using a trusted VPN service is the best way to conceal your IP address during your online activities. Here is a list of most popular and highly reliable VPN services that you can go for:

  • Hide My Ass VPN – Hide My Ass is one of the most popular and trusted VPN service that allows people to easily conceal their IP address and protect their online privacy.
  • VyprVPN – VyprVPN offers the world’s fastest VPN services to make it possible for its clients easily conceal their real IP and supports wide range of operating systems including Windows, Mac, Android and iOS.
The following are some of the advantages of using a VPN service over any other method of concealing your IP address:
  1. In addition to hiding your IP, a VPN service encrypts all your web traffic to keep you safe from hackers and intruders.
  2. Unlike other IP hiding methods (discussed in the latter part of this article) which affects your speed of browsing, a VPN service keeps your Internet speed fast without affecting its performance.
  3. You have a long list of countries and states to select your IP address from as your place of origin. For example, if you are originally from United Kingdom, you may choose an IP address that belong to United States so that the websites that you visit will see you as from US and not UK.
  4. By selecting an IP address of your choice, you can easily bypass location blocks and even access restricted websites that are not available for your country.

2. Website Based Proxy Servers

This is another popular way to quickly mask IP address on the Internet. Since it is a web based service, users need not have to install any piece of software program on their computer. The following are some of the popular websites that offer free services to obscure your IP address:
The downside of using these free services to mask your IP address is that most of them become overloaded and are too slow to use. In addition, some of them will not offer a secured connection (SSL) and you will often be presented with annoying ads and pop-ups during the course of your browsing.

3. Browser Configured Proxy Servers

There are hundreds of freely available open proxies that can be found on the Internet. You can obtain the IP address of one of those freely available proxy servers and configure your browser to start hiding your original IP address. However, as they are openly available to public, most of them are either dead or perform too slow under normal conditions.

Which Service to Choose?

I have made my sincere attempt to present readers with all the available options to successfully hide the IP address on their computers. If you only want to conceal your IP address for a specific amount of time and are not concerned with the performance, go for the free web based services. On the other hand, if you have the necessity to hide your IP on a regular basis, need high security and performance, go for paid VPN services like Hide My Ass or VyprVPN.

Monday, 17 August 2015

How To Hack Facebook Password

Yes! How To Hack Facebook Password?
                                       And How To Prevent It


Method 1: Reset the Password

The easiest way to "hack" into someone's Facebook is through resetting the password. This could be easier done by people who are friends with the person they're trying to hack.

The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section.
Next, click on Forgotten your password? and type in the victim's email. Their account should come up. Click This is my account.
It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press No longer have access to these?
It will now ask How can we reach you? Type in an email that you have that also isn't linked to any other Facebook account.
It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
If you don't figure out the question, you can click on Recover your account with help from friends. This allows you to choose between three and five friends.

It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.

How to Protect Yourself
Use an email address specifically for your Facebook and don't put that email address on your profile.
When choosing a security question and answer, make it difficult. Make it so that no one can figure it out by simply going through your Facebook. No pet names, no anniversaries—not even third grade teacher's names. It's as easy as looking through a yearbook.
Learn about recovering your account from friends. You can select the three friends you want the password sent to. That way you can protect yourself from a friend and other mutual friends ganging up on you to get into your account.

Method 2: Use a Keylogger

Software Keylogger


A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.

CNET has Free Keylogger, which as the title suggests, is free. If this isn't what you're looking for, you can search for other free keyloggers or pay for one.


Hardware Keylogger


These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it to your own computer and extracting the data. You can look through Keelog for prices, but it's bit higher than buying the software since you have the buy the USB drive with the program already on it.


How to Protect Yourself
Use a firewall. Keyloggers usually send information through the internet, so a firewall will monitor your computer's online activity and sniff out anything suspicious.
Install a password manager. Keyloggers can't steal what you don't type. Password mangers automatically fill out important forms without you having to type anything in.
Update your software. Once a company knows of any exploits in their software, they work on an update. Stay behind and you could be susceptible.
Change passwords. If you still don't feel protected, you can change your password bi-weekly. It may seem drastic, but it renders any information a hacker stole useless.

Method 3: Phishing

This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type of phishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.


The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.

How to Protect Yourself
Don't click on links through email. If an email tells you to login to Facebook through a link, be wary. First check the URL (Here's a great guide on what to look out for). If you're still doubtful, go directly to the main website and login the way you usually do.
Phishing isn't only done through email. It can be any link on any website / chat room / text message / etc. Even ads that pop up can be malicious. Don't click on any sketchy looking links that ask for your information.
Use anti-virus & web security software, like Norton or McAfee.

Method 4: Stealing Cookies

Cookies allow a website to store information on a user's hard drive and later retrieve it. These cookies contain important information used to track a session that a hacker can sniff out and steal if they are on the same Wi-Fi network as the victim. They don't actually get the login passwords, but they can still access the victim's account by cloning the cookies, tricking Facebook into thinking the hacker's browser is already authenticated.
Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi connection. It collects the cookies and stores them in a tab on the side of the browser.

From there, the hacker can click on the saved cookies and access the victim's account, as long as the victim is still logged in. Once the victim logs out, it is impossible for the hacker to access the account.


A Couple More Facebook Hacks
For those with a bit more technical skill, check out the Same Origin Policy Facebook hack and the somewhat easier, Facebook Password Extractor. We will continue add more Facebook hacks in the near future, so keep coming back here.

How to Protect Yourself
On Facebook, go to your Account Settings and check under Security. Make sure Secure Browsing is enabled. Firesheep can't sniff out cookies over encrypted connections like HTTPS, so try to steer away from HTTP.
Full time SSL. Use Firefox add-ons such as HTTPS-Everywhere or Force-TLS.
Log off a website when you're done. Firesheep can't stay logged in to your account if you log off.
Use only trustworthy Wi-Fi networks. A hacker can be sitting across from you at Starbucks and looking through your email without you knowing it.
Use a VPN. These protect against any sidejacking from the same WiFi network, no matter what website you're on as all your network traffic will be encrypted all the way to your VPN provider.
Protecting Yourself: Less Is More
Social networking websites are great ways to stay connected with old friends and meet new people. Creating an event, sending a birthday greeting and telling your parents you love them are all a couple of clicks away.

Facebook isn't something you need to steer away from, but you do need to be aware of your surroundings and make smart decisions about what you put up on your profile. The less information you give out on Facebook for everyone to see, the more difficult you make it for hackers.

If your Facebook account ever gets hacked, check out our guide on getting your hacked Facebook account back for information on restoring your account.

Bonus: If you're interested in who's checking you out, there are some ways you can (kindof) track who's viewed your Facebook profile.

More Password-Hacking Guides
For more info on cracking passwords, check out our guides on hacking Linux passwords, hacking Windows passwords, and our super-easy beginner's guide on hacking Wi-Fi passwords (or for newer wireless routers, how to crack WPA2-PSK wifi passwords).
(THIS IS FOR EDUCATIONAL PURPOSE ONLY)