Thursday, 15 December 2011


Bypass/Hack Adf.ly - Url shortener service

we all know, there are tons of ways for making money online. It may be sharecash, self-hosted blog or any other url shortener like Adf.ly. Adf.ly pays bucks for each advertisement seen using your shortened link. The link viewer has to wait for 5 seconds until the advertisement loads and only after 5 seconds, he can view the actual intended page. So, I have today come up with a Adf.ly hack which helps you to bypass Adf.ly advertisement. By using this Adf.ly hack, you don't need to wait for counter to go to zero. You can simply bypass Adf.ly advertisements.I have provided the link for software download .. just read on. 

Bypass/Hack Adf.ly Url shortener advertisements:


To bypass/hack Adf.ly, you need to have Firefox browser with Greasemonkey installed. You can install Greasemonkey firefox addon, if you haven't installed yet.

1. Go to Adf.ly Hacker script page to bypass/hack Adf.ly advertisements.

2. Hit on Install and confirm the script installation in your Greasemonkey.

3. Now, whenever you'll click on any Adf.ly shortened link, you won't see any timer or counter of 5 seconds. The actual intended page will appear.

That's it friends. This was a small hack by which you can
bypass/hack Adf.ly url shortener advertisements and wait times.This hack to bypass adfly has worked perfectly for me, hope it will help you all.

Found this hack working for you??? Share your reactions in comments.

Enjoy hack to bypass Adf.ly advertisements.



Wednesday, 14 December 2011


How to download torrent on your mobile

Hi friends,today iam bring very new trick of "How to Download Torrent files on Your Mobile Phone".Torrent have become part of our daily internet usage. But what if you need to download a Torrent file by a wifi or any network connection outside your home, like in your workplace or college. Well Torrent clients have been around for that from few years and here are some of the popular Torrent clients you can use to download the torrent file using your Mobile Phone.


 Symbian

  • The first and only BitTorrent client for Symbian OS Phones and its free and Open Source.
  • SymTorrent is available for mobile devices based on the S60 Platform 3rd and 5th edition .
  • Capability to start download via the browser.
  • Resumes partial downloaded torrents even after restarting the application.
Java ME Phones

MobTorrent is the first Bittorrent client for Java ME based mobile phones like Nokia S40, Nokia 6500 and supports all Java ME capable phones with the proper JSRs.

iPhone
  • A popular torrent client for iPhone,iPod and iPad’s.
  • Application was actually envisioned as a tool for managing ImageShack‘s torrent download service, but now extended to other torrent sites such as IsoHunt and Mininova.
  • IS Drive costs $4.99 in the Apple App Store, and this service comes loaded with either a monthly or daily fee.
Android


  • Supports all popular clients like µTorrent, Transmission, rTorrent, Vuze, Deluge and BitTorrent 6.
  • Lets you control Speed and performance of the torrent Download.
  • Adding a torrent file is easy via the integrated search, RSS feeds or the barcode scanner.
  • Easy management of torrents through home screen widgets and background alarm service.
Windows Mobile


  • Direct save to file, no more temporary file
  • Full and consolidated file saving modes.
  • Trackerless Torrents (DHT) based on Kademlia
  • Peer Exchange (PEX)
  • Plain Text and RC4 Protocol Encryptions
  • Advanced extensions
  • HTTP Seeding

Tuesday, 13 December 2011


Remotely Connecting to the sql database
SQL Remote Access



You need type the following commands which will allow remote connections.
Step # 1: Login Using SSH (if server is outside your data center)

First, login over ssh to remote MySQL database server:

ssh user@mysql.nixcraft.i

Step # 2: Edit my.cnf File

Once connected you need to edit the MySQL server configuration file my.cnf using a text editor such as vi.

If you are using Debian Linux file is located at /etc/mysql/my.cnf location
If you are using Red Hat Linux/Fedora/Centos Linux file is located at /etc/my.cnf location
If you are using FreeBSD you need to create a file /var/db/mysql/my.cnf

Edit /etc/my.cnf, run:
# vi /etc/my.cnf
Step # 3: Once file opened, locate line that read as follows

[mysqld]

Make sure line skip-networking is commented (or remove line) and add following line

bind-address=YOUR-SERVER-IP

For example, if your MySQL server IP is 65.55.55.2 then entire block should be look like as follows:

[mysqld]
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/English
bind-address = 65.55.55.2
# skip-networking
....
..
....

Where,

bind-address : IP address to bind to.
skip-networking : Don’t listen for TCP/IP connections at all. All interaction with mysqld must be made via Unix sockets. This option is highly recommended for systems where only local requests are allowed. Since you need to allow remote connection this line should be removed from my.cnf or put it in comment state.

Step# 4 Save and Close the file

Restart the mysql server, enter:
# /etc/init.d/mysql restart
Step # 5 Grant access to remote IP address

Connect to mysql server:
$ mysql -u root -p mysql
Grant access to a new database

If you want to add a new database called foo for user bar and remote IP 202.54.10.20 then you need to type the following commands at mysql> prompt:mysql> CREATE DATABASE foo;
mysql> GRANT ALL ON foo.* TO bar@'202.54.10.20' IDENTIFIED BY 'PASSWORD';
How Do I Grant Access To An Existing Database?

Let us assume that you are always making connection from remote IP called 202.54.10.20 for database called webdb for user webadmin, To grant access to this IP address type the following command At mysql> prompt for existing database, enter:
mysql> update db set Host='202.54.10.20' where Db='webdb';
mysql> update user set Host='202.54.10.20' where user='webadmin';
Step # 5: Logout of MySQL

Type exit command to logout mysql:mysql> exit
Step # 6: Open port 3306

You need to open TCP port 3306 using iptables or BSD pf firewall.
A sample iptables rule to open Linux iptables firewall

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 3306 -j ACCEPT

OR only allow remote connection from your web server located at 10.5.1.3:

/sbin/iptables -A INPUT -i eth0 -s 10.5.1.3 -p tcp --destination-port 3306 -j ACCEPT

OR only allow remote connection from your lan subnet 192.168.1.0/24:

/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 3306 -j ACCEPT

Finally save all rules:
# service iptables save
A sample FreeBSD / OpenBSD pf rule ( /etc/pf.conf)

pass in on $ext_if proto tcp from any to any port 3306

OR allow only access from your web server located at 10.5.1.3:

pass in on $ext_if proto tcp from 10.5.1.3 to any port 3306 flags S/SA synproxy state

Step # 7: Test it

From your remote system or your desktop type the following command:
$ mysql -u webadmin –h 65.55.55.2 –p
Where,

-u webadmin: webadmin is MySQL username
-h IP or hostname: 65.55.55.2 is MySQL server IP address or hostname (FQDN)
-p : Prompt for password

You can also use telnet to connect to port 3306 for testing purpose:
$ telnet 65.55.55.2 3306


Monday, 12 December 2011


Profiling basename filtering in php


Most of us think game over when we see a url that cointains a file reference, like http://localhost/basename.php?file=hello.php. Lets say that you were doing a penetration test where you are trying not to trigger any IDS alerts. How can you determine if the script filters the page variable using basename? Here are some simple steps that should go undetected.

Lets say that the scripts in this fictional url are as follows:
[basename.php]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
        <title>Basename poc file</title>
</head>
<body>
<?php
if (file_exists(basename($_GET['file']))) {
        include(basename($_GET['file']));
} else {
        echo "404 - File not found";
}
?>
</body>
</html>

The first test we take is to determine what a negative response would be, we'll visit http://localhost/basename.php?file=hello.wisconsin, this nets us a custom 404 error. Now that we have a false contition the next test is simply http://localhost/basename.php?file=a/b/c/hello.php. If this gives us the same output as http://localhost/basename.php?file=hello.php the script is using basename (or a similar technique) to extrace the filename. If you get a negative response the script appears to be vulnerable to directory traversal/LFI/RFI. Better encode your next attack to avoid triggering the IDS.

Happy hacking!
(And yes, this is the February tutorial running late).

source:By Eldar Marcussen




Sunday, 11 December 2011


How to crack Windows Passwords

The LM hash is the old style hash used in Microsoft OS before NT 3.1 ; NT 3.1 to XP SP2 supports LM hashes for backward compatibility and is enabled by default. Vista and Seven support LM hash but is disabled by default. NTLM was introduced in NT 3.1, and supports password lengths greater than 14.
If LM hashes are enabled on your system (Win XP and lower), a hash will look like:
Administrator:500:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:::

If LM hashes are disabled on your system (Win Vista, 7+), a hash will look like:
Administrator:500:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::

The first field is the username. The second field is the unique Security IDentifier for that username. The third field is the LM hash and the forth is the NTLM hash.

Extracting the hashes from the SAM (locally)

On Windows, use fgdump (doc & usage) or pwdump, or creddump (python based).
On Linux (or Live system such as Backtrack) you can use creddump (python based), or Samdump2 :
bt ~ # samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam
 
samdump2 2.0.1 by Objectif Securite (http://www.objectif-securite.ch)
original author: ncuomo@studenti.unina.it
 
Administrateur:500:01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::

You can then post the hashes to  cracking system in order to get the plain text.
other simple way is to use 
ophcrack (google it and get the idea)

Extracting Windows Password hashes remotely

Man In the Middle attack

You can use ettercap and the man in the middle attacks to sniff the username and password of a user over the network. You can read ettercap tutorials. There so much that ettercap can do and there are many tutorials covering how to use it !

Metasploit / hashdump

Metasploit is great. Documentation is at http://www.metasploit.com/framework/support/. Once you have compromised the computer using metasploit you can extract the hashes doing :
use priv
hashdump

Dump Tools

fgdump or pwdump6 can also remotely dump hashes :
C:\> fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser [-p password]
or
C:\> pwdump6.exe -u AnAdministrativeUser [-p password]  192.168.0.10
Here, AnAdministrativeUser's account will be used to perform the password dump. Keep in mind that any user used to perform password dumps needs administrative credentials. In this scenario, you will be prompted for the password before the password dump starts.
fgdump hashes are stored in *.pwdump file ; pwdump6 will dump the SAM to the screen.
You can then post the hashes to our cracking system in order to get the plain text.


Saturday, 10 December 2011


Theory basic of password hashing
Hashing passwords is a defense against a specific attack. The attack is: stealing a copy of the entire password file (users table, ldap db, etc), downloading it to one's computer, and attempting to retrieve the users' passwords. The goal of the attack is: to find users who reuse their usernames and passwords across websites, and log into those users' email, bank, social-network, and other accounts.
The hashing-passwords defense works like this: the passwords are not stored directly, and any attempt to retrieve the original passwords requires the attacker to perform an extremely large amount of work, at least compared with the work required to check whether a password the user enters when logging in matches the password on file. There are multiple variations on this defense, including choosing better hashes, salting the hashes, iterating the hashes, etc., the purpose of them being to make the defense better than otherwise and to defend against variants of the attack which are capable of getting around the simpler defenses.
The hashing-passwords defense is not a defense against just any attack. For example, it doesn't help against an attack where the attacker gains arbitrary write access to the database, rewrites all users' passwords to his own, and logs in to all the users' accounts on that website. The defense only defends against the offline password-stealing attack.
So you need to be aware of the different types of attacks, and to defend against each of them using a defense which works against that type of attack.


Crack password using Graphics card


WEP encryption takes like 2-5 min to crack even on any mini-laptop, you don't need much computing power for that.


However, using the GPU when cracking WPA/WPA2-PSK can reduce the time drastically. 
Here's some software


that does just that. 

Also, a lot of 2Wire routers are vulnerable to more things than I can think of. 
Hkm did a lot of research on them, you should check out his defcon presentation http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-pedro-hkm-joaquin-attacks_against_2wire.pdf 

might help.



Friday, 9 December 2011


THC SSL DoS/DDoS Tool



THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.
This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.
Usage
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err
Comparing flood DDoS vs. SSL-Exhaustion attack
A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.
This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link. Traditional DDoS attacks based on flooding are sub optimal: Servers are prepared to handle large amount of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amount of SSL Handshakes. The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).
Tips & Tricks for Whitehats
  1. The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
  2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
  3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).
Counter measurements
No real solutions exists. The following steps can mitigate (but not solve) the problem:
  1. Disable SSL-Renegotiation
  2. Invest into SSL Accelerator
Either of these countermeasures can be circumventing by modifying THC-SSL-DOS. A better solution is desireable. Somebody should fix this.
You can download THC-SSL-DOS here:
Windows: thc-ssl-dos-1.4-win-bin.zip
Linux: thc-ssl-dos-1.4.tar.gz

Source: http://www.thc.org/thc-ssl-dos/