🔒 Closed Mega h(a)cking tutorial! [biggest on phc] great introduction!

Status
Not open for further replies.

Strawberrry

Forum Veteran
Mega H(ac)king Tutorial (PLEASE NOTE THAT THE CENSORED WORDS OR (*****) stands for h(a)ck/h(a)cking since PHC doesn't allow those words because im still not used to it)

The h(a)cker manifesto: You do not have permission to view the full content of this post. Log in or register now.

This tutorial is not for any particular types of häçker – whether Blackhat or Whitehat. This tutorial is merely here to inform you. I have tried to include every topic I could think of or find into this MEGA häçkING GUIDE!

I do not have the time or space to go into detail on every piece of software I mention, but I will mention them all anyway so that you can do your own research into them if you are interested.

PLEASE REPLY AND SAY THANKS TO KEEP THIS THREAD ALIVE. I SPENT HOURS WRITING THIS, BUT IT ONLY TAKES 10 SECONDS TO SAY THANKS!

Before we start, I must say that the best Operating System to use for häçking is (IMO) Kali Linux. This is the replacement for backtrack, which was also very good. Backtrack and Kali both come with heaps and heaps of useful tools installed by default. I personally have Kali Linux installed on a flash drive so I can just boot it up wherever I go. You should become very familiar with linux distros and their usage, especially the command line, because many tools involve using the command line. Click here for a good tutorial series.

XpEeYA0.webp
AV – Antivirus is software installed on most computers to protect the computer from viruses
Backdoor – A program running on a host that we “own” so that we can connect to it at a later time even if the vulnerability is patched. For example, cryptcat is a backdoor with a nearly undetectable.
Crypter - A program used to encrypt/disguise a malicious program (like a RAT or other virus) so that antivirus software cannot detect it as a virus.
Cookies – files stored on your computer that are used by a webpage to track you, authenticate you and remember you. s†éáling session cookies is a type of attack to access sites as someone else (by s†éáling their session cookie, the site thinks that you are them). You can remove unwanted cookies through your browsers settings and with flash cookie remover (flash cookies are stored separately to browser cookies).
Ddos/Dos - Distributed denial of service attack / Denial of service attack respectively. This is the term given to the flooding of hosts with packets of data from multiple sources / a single source and the server basically overloads. Ddos attacks are much more effective than Dos attacks.
DNS – Dynamic Name Server. This is a server which is used to find the IP address of hosts from their domain name – like an electronic phone book. DNS use uses port 53 for lookups.
E-Wh(o)ring – Not exactly häçking, this is a money making method. The name is pretty self-explanatory – online prostitution. But the e-whoring section is located inside beginner häçking, so I thought I would mention it here. A tip for running multiple skype accounts at once: run the second one with a command line and use the /secondary tag.
Embedded System – A mini computer embedded inside something like a car, ATM (95% of ATMs run windows XP), etc. We can “häçk” these by getting the firmware off it (from the manufacturer’s website or from hardware debugging like jtag). Once we have the firmware, we can decompile it and find exploits similar to how we crack software. Embedded systems are also harder to häçk from the point of view that we can only sometimes achieve a connection to them over which we can actually attack them (e.g. we can’t remotely attack a non-networked vending machine). Videos: häçking an ATM, häçking surveillance cameras.
FTP - File Transfer Protocol. An FTP server is a server used to store and send files.
FUD - Fully UnDetectable. A program which is FUD cannot be detected by ANY anti-virus program. UD - UnDetectable. A program which is UD is mostly undetectable but can be detected by some anti-virus programs. There are 2 types of detection: runtime and scantime. If a program is only FUD at scantime, it means that it can be detected as a virus when it is executed.
Hexadecimal – the base 16 number system which is commonly used to represent binary bytes in 2 digit codes (e.g. 00101010 binary = 42 decimal = 2A hexadecimal). You should familiarise yourself with the 3 different bases, especially for cracking and writing exploits.
Honeypot - A honeypot is a computer system that looks enticing to a häçker. It looks important and vulnerable, enough that the häçker attempts to break in. It is used to entrap häçkers and as a way to study the techniques of häçkers by the security community.
IDS – Intrusion Detection System. This is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. We need to be careful to avoid detection by an IDS if we are attacking a network/computer. An example is Snort.
IP address - The address used to identify your network while on the Internet. Every computer has a different IP address, and therefore every IP address is unique.
JDB - Java Driveby. A malicious java applet embedded in a webpage, which will attempt to execute something (e.g. a virus) on a visitor’s computer. The victim is presented with a 'allow plugin to run' notification before the driveby can execute. This is a common spreading technique for RATs. Setup tutorial for a JDB.
********* - A program which logs the keystrokes of a computer. Here is a tutorial on how to code a ********* in VB.
OS - Operating system. Common operating systems brands include Windows, Apple (OSX), Linux (many variations, open source), openBSD, etc.
Pentest – Penetration test. This is what “white hat häçkers” perform, häçking into networks and systems to find vulnerabilities, and then reporting their findings to the company in order to help them improve their security.
Pivoting – Moving from one “owned” box on a network to attack others, in an attempt to “own” the entire network. Meterpreter can be used to do this very well.
Programming Languages – Structured languages that can be compiled into a program. Coding knowledge is essential to cracking software and creating exploits, etc – especially scripting ability in a language like perl. Other common languages include c/c++, Java, C#, F#, VB, Haskell, Scala, D, PHP, SQL, HTML (not actually a programming language), javascript, python, ruby, etc.
Proxy - A proxy is a host which redirects traffic through it. Proxy servers can be used for both anonymity and to control traffic/block sites. Most schools use a proxy server to control the sites accessed.
RAT - Remote Administration Tool/Trojan. RATs are a type of virus which can be used to control a computer remotely as well as other functionality. RATs are very popular häçking tools because once a user is infected you have a lot of control over their system. Used commonly with crypters.
Silent JDB – This is the same as a JDB, but there are no popups or notifications to the user when the applet is executed.
Spammer – Software which sends heaps of text messages or emails to a single address to either really annoy them or the equivalent of a DOS.
Spoofing – Making something look different to what it is. We can spoof email addresses and dns addresses in order to trick users into thinking an email came from another address, or that they are visiting a legitimate website, when instead they are looking at something the attacker has created.
SOCKS - Socket Secure is an Internet protocol that routes network packets between a client and server through a proxy server. It is a lower level protocol than HTTP (hypertext transfer protocol).
VPN - Virtual Private Network. A network between systems which doesn’t physically exist – it only exists over existing connections like the internet. A VPN can be used for anonymity, because you can use it to redirect your traffic through an anonymous proxy elsewhere in the world.
VPS - A virtual private server is a virtual machine sold as a service by an Internet hosting service. A VPS runs its own copy of an operating system, and customers have superuser-level access to that operating system instance, so can install almost any software that runs on that OS. Typically, you would set up some form of redirection/routing/forwarding on the server to use it as a proxy.

pMPB8EM.webp
This refers to the act of checking out the network, getting familiar with its layout, etc, in order to attack it - in other words, we are just gathering target information. We try to create a complete profile, with domain names, network blocks and individual IP addresses.

There is no one way to footprint. Different situations will take different paths. In general, we try to find:
  • Domain Names (both external and internal)
  • Network blocks
  • Specific IPs (both reachable by internet and unreachable outside the local network)
  • Access control mechanisms
  • System architectures
  • Intrusion detection systems
  • an enumeration of the system (user and group names, system banners, routing tables, SNMP information)
  • Networking protocols

This part of the attack can be both technical and physical. We consult as many sources as possible to glean information about the network.
A good starting point is the targets website – where we can look for email addresses, links to other servers, contact information, etc. It is sometimes easier to download an entire website to view offline than looking at it online, check out my tutorial here. You can use the wget command on linux. FOCA is another tool to use to find some very useful information about websites such as metadata.

Perform whois searches on domains to gain more information, including nameservers, etc. Link. The whois command on linux is also very useful, you can use it to perform very specific searches – for example registrar queries, organizational queries, domain queries, network queries and POC queries.

Use netcraft to find a lot of useful information about a site.
Some tools will help with the footprinting process, for example Spiderfoot.
EDGAR is also a semi-useful resource.

We can also use a security flaw in misconfigured DNS servers called Zone transfers to easily get a lot of information about the system. A zone transfer can give us an entire blueprint of the target network – internal hostnames and IP addreses.
This code demonstrates how to manually request a zone transfer from a misconfigured DNS server:
Code:
[bash]$ nslookup
Default Server: dns.example.com
Address: 192.168.0.1
>> server 192.168.0.1
Default Server: [192.168.0.1]
Address: 192.168.0.1
>> set type=any
>> ls –d Example.com. >> /tmp/dns_zone_transfer
That will save the information in a file called dns_zone_transfer which we can then view to gain more information. We can use commands like grep to find systems in the zone transfer that are potentially vulnerable to attack, and we can find systems with interesting names that may be very useful to us – for example we may find a backup server or something. It is often useful to find “test” systems which are often badly set up, and then rarely used – because they are the perfect place to set up our “camp” in the network.

There are a lot of useful network query tools we can use to gain information as well, including the host command:
Code:
host –l Example.com
Or
Code:
host –l –v –t any Example.com

Also, check out the dig command on Linux which is also a very useful command.
Some other good tools can be downloaded here.

Traceroute is a useful tool which we can use to map out networks. In Linux, this is the traceroute command, and in windows this is the tracert command. By using this command with an IP address of domain name, we can see what route our packet takes to get to a server. We can use the –p –s switches with the command to set a specific port to use – in case only certain ports are allowed through a firewall, etc. Port 53 is the DNS lookup port so that is generally allowed through:
Code:
traceroute –S –p53 10.10.10.2

nlEP6Ql.webp
By now, you should have retrieved a lot of useful information about the target network. We now want to dive a bit deeper to find out more.

Nmap, Hping (which can also be used for DOS attacks with a spoofed IP address), Netdiscover, P0f, and Xprobe2 are among the many tools we can use to gather info on remote targets that can be useful in revealing open ports, running services, and operating systems.

Firstly, we can use the ping command to test if hosts are “alive” – on and responsive. This is slow to test a lot of hosts though, so we can also use “ping sweeps” to test a lot of hosts at once. One way to do this is with fping and gping on linux. Another way is to use a great tool called NMAP. Install nmap, and we can use the nmap command with the –sP switch for ping sweeps:
Code:
nmap –sP 192.168.1.0/24
In that command, we specify the subnet 192.168.1.0/24 which is the IP address range of 192.168.1.0 - 192.168.1.255. Now we have a list of hosts which are alive.

We can use ICMP queries to find out a bit more about a system. Use the icmpquery command on linux to find system time and netmask of a router:
Code:
TIME:
icmpquery –t 192.168.0.1
NETMASK:
Icmpquery –m 192.168.0.1

Now we will move on to port scanning. Port scanning uses packets of data sent to ports on a machine to test whether they are “open” or listening for connections on the ports, or whether they are closed. We try to find open ports on machines to see if we can exploit the software running on those ports and gain access to the machine. There are a lot of different types of port scan, including TCP connect, SYN, FIN, XmasTree, Null, ACK, Windows, RPC and UPD scans. One tool that you can use to port scan systems is Netcat – it has been called the swiss army knife of network tools – but once again we can use nmap to scan for ports. Use the nmap –h command for command line help. You will see something like this as a result from a scan:
Code:
C:\Users\whoami>nmap 192.168.1.1
Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-01 21:02 N
Nmap scan report for example.com (192.168.1.1)
Host is up (0.0068s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
23/tcp   open     telnet
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
5431/tcp open     park-agent
MAC Address: 00:11:22:33:44:55
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds

Another aspect of scanning is to detect what OS a computer is running. There are 2 ways to do this: actively and passively. Active OS identification can be detected if the computer you are scanning has intrusion detection software installed, and works by sending packets to it and looking for replies unique to each OS. Passive scanning works by monitoring packets sent by the computer to other devices, and looking for unique OS “fingerprints”. We can use nmap again for active OS identification:
Code:
nmap –O 192.168.1.15

Nmap also has the amazing ability to map out an entire network graphically in the Zenmap GUI - after a scan just choose the topology tab.

Here is a tutorial on a cool tool (Nikto) to scan for vulnerabilities.
Nessus is also a very powerful vulnerability scanning tool. Download here.
Here is an interesting tutorial on coding your own portscanner in perl.
 
kXRZNFP.webp
This is the name given to the process of gathering more information about systems, for example the names or user accounts, software running on the host, etc.

Usually enumeration is approached by taking advantage of security flaws in operating systems, NetBIOS, active directory (ldap), etc, to get information, and by “banner grabbing”.
Banner grabbing just means using telnet or netcat or something similar, and connecting to a target PC, and then recording the message that the host returns to us, because it can give us useful information about the target and the software it is running.

Example of a banner grabbed using telnet 80 (http):
Code:
HTTP/1.1 200 OK
Date: Mon, 16 Jun 2003 02:53:29 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified: Wed, 07 Oct 1998 11:18:14 GMT
ETag: "1813-49b-361b4df6"
Accept-Ranges: bytes
Content-Length: 1179
Connection: close
Content-Type: text/html

DQEaob9.webp
Wireshark is one of the top packet sniffing software available for free.
Wireshark can be downloaded from their website.
The wireshark GUI has customisable colours and filters to easily sniff for specific packets. To use wireshark, simply run it, select your network interface to sniff on and click start. Different types of packet are given different colours - by default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems – but we can change this colour codes (they were actually intended to be changed. Choose “View > Colour Rules…”).

Use the filter to find specific packets, for example to display only DNS packets type dns in the filter, etc. To configure filters, choose “Analyze > Display Filters”.

If you right click on a packet and click “Follow TCP Stream” you can view the entire conversation between 2 hosts. If you select a packet, you can view a lot of details about it. You can also save all the data collected into a file for analysing later.

Wireshark can be used to capture and view all unencrypted data sent over a network. Of course, we can’t capture passwords from HTTPS because they are encrypted, but passwords in HTTP, FTP and more can easily be viewed, as well as everything else.

Ettercap is a program especially great for performing Man In The Middle (MITM) attacks, such as DNS spoofing, ARP cache poisoning, etc. It comes installed by default on Kali but you can download it using this command:
Code:
sudo apt-get install ettercap
sudo apt-get install ettercap-gtk

Ettercap can be used to sniff for packets on a network which can reveal passwords and more. Check out the social engineering section for one use of ettercap. It is pretty self-explanatory to use.

Significantly, we can capture LDAP (Lightweight Directory Access Protocol) Packets over a network while sniffing to find usernames and passwords on the network as they are being authenticated. This is an easy way to get administrator access.

Here is a tutorial on how to use ettercap and urlsnarf to sniff all URLs visited by clients on a network: Link

Other software to check out: xplico can be used for capturing a lot of interesting data on a network. Driftnet is a program which can capture and display images viewed on a network (rather than just data packets).

dGsuUTW.webp
This is where the fun begins. Exploiting is where we actually attack a machine in order to “own” it. We attempt to use weaknesses in the way programs are coded to get us into the computer – that is why we had to scan for open ports and find the software running on them.

The latest vulnerabilities and exploits can be found from Microsoft’s TechNet, and SecurityFocus.

Common types of vulnerability:
  • OS Vulnerabilities: OS exploits are used to gain access to the system. Most OS holes exist from default configuration, services and applications.
  • Webserver Vulnerabilities: Can gain root access, website defacement, DoS(put the server down), theft or alteration data on server, or further penetration into the network.
  • Database Vulnerabilities
  • TCP Stack Vulnerabilities
  • Application Vulnerabilities. Examples: buffer overflow, weak authentication mechanisms, poor data validation, and poor error checking.

The metasploit framework is one of the best tools you could ever wish for in this section (although it is constantly combatted by antivirus). It is basically a database of hundreds and hundreds of exploits for different operating systems and software. It comes installed by default on Kali linux and backtrack.

There are 2 main parts to exploiting: The Exploit and the Payload. The exploit is the method of gaining some unauthorized ability on the target box (to execute the payload), and the payload is the code which does whatever we want (e.g. give us access). The most common payload to use is the meterpreter which is a bit like a RAT, and gives us a lot of control via the command line. There are reverse and bind payloads - Reverse payloads are left on the attacker machine and they connect back to you (which generally stops the client’s firewall blocking the connection). Payloads can be made persistent by dumping them into registry. For future sessions to be established, you will need to start the listener manually. Bind payloads bind to the victim machine and through them attacker enters. Connection is not reverse but direct (which may be blocked by the clients firewall).

Different exploits depend on the vulnerabilities we have found in a target machine. Here is a tutorial on Metasploit Installation.

Basic usage:
Once we have found a vulnerability, find an exploit for it:
Code:
Show Exploits
Select the exploit using the “use” command:
Code:
use (exploit name)
After setting the exploit itself, you need to see which options it uses. They have to be set manually. Some of them though do not need to be set. You can check if it is required by looking under "Required" option.
Code:
Show Options
Example options required are RHost (remote host, the target), RPort (remote port, set by default), SRVHost and SRVPort.
Set the options like this:
Code:
set rhost 192.168.0.12
We need to set a payload that will be delivered. Find a payload with this command:
Code:
Show Payloads
Then select the payload to use:
Code:
Set Payload (Payload name)
Payloads may require options too, set in the same way as above. For example, a common payload windows/meterpreter/reverse_tcp requires LHost (Local host, our machine) in order to connect back (it is a reverse payload).
Then run the exploit using:
Code:
exploit
If we were using a meterpreter payload like reverse_tcp, we then end up with a meterpreter shell to execute commands on the victim’s machine.

You might also be interested in a GUI for metasploit called Armitage (which also comes installed on Kali by default).

Specific Usage Examples:
Exploiting Internet Explorer 8
Exploiting windows XP
Encoding a payload with metasploit
How to use metasploit to encrypt a virus häçking Windows 7 with a shortcut file
Embedding a backdoor in a PDF file
Remotely viewing webcam and microphone with meterpreter
Example tutorial on exploiting systems over WAN using metasploit
Here is an amazing tutorial on different uses of metasploit

You should also have a good idea about how exploits actually work rather than just using metasploit like a skid. If you learn how to code exploits, you could actually code an exploit noone else has discovered yet (called a 0day). Zero day exploits are worth huge amounts because noone knows about them and therefore noone has patched it. Here is a tutorial on writing buffer overflow exploits yourself

Some other exploitation tools are available too, for example beef (the browser exploitation framework), which you can download here.

Once we have exploited and gained access, we do not always have much access (especially when we use a client-side attack). The next step is privilege escalation. The getsystem command in the meterpreter can escalate privileges, or we can sometimes pivot from an unprivileged system to another on the network with more access. Often, privilege escalation methods are exploits themselves. We try to gain root or administrator access.

When we have access, we can do whatever our initial purpose of attack was – for example s†éáling data
After we have access, we also then install a backdoor or something similar (netcat, meterpreter, command shell, tunnelshell, etc) to ensure we can connect back again later (even if the vulnerability we initially exploited is patched).
Finally, we must erase our presence from logs, remove any software we uploaded, removing our command history, etc, to ensure that we are not caught. The meterpreter has a clearev command that removes the event logs on Windows systems.

WY0SHnU.webp
To exploit systems, we need a connection to them. Usually it is a lot harder to exploit systems over the internet than if we have a direct connection to them via a LAN. Obviously, the only way to häçk into an Ethernet LAN is to walk up and plug in. Here is how to gain access to a wireless LAN.

Wi-Fi can be less secure than wired connections (such as Ethernet) because an intruder does not need a physical connection. Web pages that use SSL are secure but unencrypted internet access can easily be detected by intruders, because all data is being sent flying around the local area and can be intercepted with sniffing. Because of this, Wi-Fi has adopted various encryption technologies. The early encryption WEP, proved easy to break. Higher quality protocols (WPA, WPA2) were added later.

WEP cracking tutorial.

WEP encryption is very weak and easy to crack. Most wireless networks today use stronger encryption – WPA and WPA2. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. When a user connects to a WPA2 Access point, the client and AP use a "4 way handshake" to authenticate the client. This is how we can crack the encryption: if we can capture the 4 way handshake, we can crack the password.

WPA/WPA2 cracking tutorial.

Reaver is a great tool for cracking wireless passwords. Just use a command like this:
Code:
reaver -i mon0 -f -c (Channel #) -b (Target BSSID) -vv -x 60
That will probably take a few hours to finish.

A really l33t häçk is to setup a fake access point with the exact same ESSID and BSSID and channel as a legitimate one, and then boost the signal strength of yours. By default, clients will connect to the access point with the best signal strength – AKA yours! You can then easily sniff all traffic, s†éál credentials, spoof addresses, etc! I explain how to do this in my DOS attack on a router in a later post. Check the Denial of Service section for the link.

Complete collection of wireless manipulation, attacks, tools & guidance.

7LiW0Hz.webp
Website exploitation is a specific case of exploitation, where we attack vulnerabilities in webpages hosted on webservers.

There are numerous different methods to directly attack a website. We can use this to modify/deface websites, gain access to privileged areas, s†éál usernames and passwords, take control of the webserver, etc. I have provided a lot of links in this section because there are already a lot of good tutorials on most website exploitation methods.

Cross Site Scripting (XSS):
XSS enables attackers to inject client-side script (like javascript code) into Web pages viewed by other users.
Tutorial.
Similar to this is cross frame scripting (XFS).

SQL Injection:
SQL injection basically takes advantage of weaknesses in the way a page deals with an SQL database, to get around authentication or to access/modify/delete databases. You need to be familiar with SQL commands to use it well, plus you must have a good understanding of how websites are coded (in HTML/php).
tutorials Tutorial 1, Tutorial 2.

There are also tools available which can perform SQL injection automatically, like Havij. This can be very useful for beginners, but it will never be able to be creative like a true häçker will be.

Shells:
After using SQL injection to find admin passwords for example, we then find the login page for the administrator. You can use admin finding tools for this. Log in, and then you can deface the site, etc. Usually we would upload a shell to the webserver somewhere so we can execute commands remotely. The most common shell is the c99 shell, which gives us heaps of abilities. There is even a c99 shell uploaded to häçkforums under the extras section https://häçkforums.net/images/smilies/smile.gif.

Remote File Inclusion (RFI):
Remote file inclusion, as its name suggests, allows an attacker to include a remote file (usually through a script on the web server). The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as code execution on the web server, code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS), Denial of service (DoS) or data theft/manipulation.
Remote File Inclusion (RFI) tutorial.

Local File Inclusion (LFI):
Local File Inclusion is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.
Local File Inclusion (LFI) tutorial.

Tamperdata is a useful plugin for firefox which allows you to view and edit HTTP headers on a site. Firebug also allows you to perform a lot of useful functions on a webpage.

vFL6agq.webp
Most secure programs do not store passwords in plaintext, rather they encrypt them to a hash (a string of numbers and letters). This makes it much harder to discover the password. A common example of this is windows, where all user passwords are stored as hashes in the SAM file. There are numerous programs available to “dump” the hashes, for example pwdump, but the hashes are no use to us – we want the passwords themselves! We must crack the hash. Some encryption algorithms are reversible (here is a good site for reversible encryption/decryption), but others are not.

The common methods for cracking irreversible hashes are:
  • Dictionary attacks (testing whether words from a common password list generate the same hash)
  • Rainbow tables (a precomputed table of hashes)
  • Brute force attacks (trying every possible combination of characters until the correct password is found).

Dictionary and Rainbow table attacks are much faster than brute force, but their reliability is dependent on the size of the dictionary/table. Large tables can be huge in size, for example 20GB or more. Crunch is a tool you can use to generate your own wordlists for dictionary attacks.Popular brute force tools include THC Hydra and Brutus. Hashcat is a cool tool you can check out for cracking hashes with the CPU and GPU.

Here is a tutorial on some ways to crack hashes.

There is a useful operating system/program called OPHCrack which you can boot from a flash drive or CD onto a windows computer, and use rainbow tables to attempt to crack the passwords on the computer.

There are also some websites available to crack hashes online, but because they are a free service, they do not dedicate huge amounts of processing power to cracking the hash and may not be successful on more complex passwords. Example: OnlineHashCrack

A really easy way to get administrator access to a windows computer is to boot up linux on it from a flash drive, go to the windows folder, and create a copy of cmd. Rename the copy utilman, replacing the old utilman (you might want to keep a backup for later). Then, on windows, simply open up Ease of Access utilities on the logon screen and you will in fact get a cmd window with admin access. From there, create a new account using the net user /ADD command, and then add it to the net localgroup Administrators /ADD. Easy!
If you just want cmd access on a computer, simply make a batch file with cmd or command as the only text inside it, and then run it!

Cryptography is a complex subject, but very interesting, and it is the basis for cryptocurrencies like bitcoin, and the basis for crypters!

u0iFG53.webp
*********s:
*********s are simple programs which silently log keystrokes in the background on an infected computer. They can be used to s†éál passwords, banking information, etc from victims. For this reason, they are very popular. *********s are a type of spyware. Some example *********s are Syslogger and Project Neptune. Use KeyScrambler to prevent *********s from monitoring your keystrokes.

RATs:
RATs (Remote Administration Tools / Remote Access Trojans) are more complex programs which attempt hide themselves on an infected computer while providing a lot of functionality to the owner. There are 2 parts to a RAT – the client and the server. The server is the software which is installed onto victim computers while the client is used by the owner to access the servers, retrieve files, view the webcam, control the computer remotely and more. Most RATs also include a *********. RATs are a type of trojan. Common RATs include Darkcomet (free), Cerberus (free), Imminent Monitor (ρáíd), and Netwire (ρáíd). Here is a great tutorial on setting up the most popular free RAT – Darkcomet 5.3.1.

Tips on keeping infected users for longer: User dynamic IP addresses with no-ip, make sure the server is FUD and configured correctly, and maybe even infect boxes with multiple RATs at once.
Here is a tutorial I wrote on spreading a RAT.

Crypters:
Crypters are software that are used to encrypt/disguise a RAT, ********* or other virus to ensure that antivirus software does not detect it. The best way to get a crypter is buy a private one or code your own. Crypters must usually be purchased privately, for example in the buyers’ bay of HF, because public crypters usually become detected very soon after their release. If you want to code your own, there are a lot of useful tutorials on häçkforums. Check out the c++ section, because it is one of the most popular languages for coding crypters in.

Antivirus is the RATters worst enemy. Here is a useful script which is designed to kill antivirus software. Just put that code into notepad, and save it with a .bat extension. When this is run, it will kill antivirus software on the computer. It is quite an old script, I didn’t write it, and so all credits go to the writer. You can add to it more if you want to make it more functional. Getting a user to run this on their computer before downloading a RAT or ********* is a very powerful combination – an alternative to a crypter.

There are other types of malicious programs coded for different purposes, which include:
Adware: Adware (short for advertising-supported software) is a type of malware that automatically delivers advertisements.
Ransomware: Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom. The malware restricts user access to the computer either by encrypting files on the hard drive (a cryptolocker) or locking down the system and displaying messages that are intended to force the user to pay the malware creator to remove the restrictions and regain access to their computer.
Rootkits: A Rootkit is software which usually edits some core files of an operating system, in order to hide itself and malware. Rootkits can be very hard to get rid of, because they can be embedded extremely deep in the OS.
Trojans: A Trojan horse, commonly known as a “Trojan,” is a type of malware that disguises itself as a normal file or program to trick users into downloading and installing malware.
Virus: A virus is a form of malware that is capable of copying itself and spreading to other computers. Viruses often spread to other computers by attaching themselves to various programs and executing code when a user launches one of those infected programs.
Bacteria: A program which replicates itself in order to fill up memory, RAM and CPU.
Worm: Computer worms are among the most common types of malware. They spread over computer networks by exploiting operating system vulnerabilities, and execute a “payload” on infected computers which does something malicious.
Another type of malicious program is a Bot, which can be used to automatically perform tasks such as spam, etc.

TIP TO AVOID INFECTION: If you are downloading suspicious files, use a virtual machine or sandboxie to run the program in, and keep your computer safe from infection.
 
FO7lV3l.webp
This is the name given to many different forms of non-technical häçking methods. Social Engineering usually involves tricking people – because often people are the weakest link in any secure organisation.

“Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.” – Wikipedia.

Basically, we can use information about a company to trick employees into thinking we are IT staff, and ask them for things like passwords in order to “check security” or “perform essential updates on their computers”. Believe it or not, watching someone type in their password is social engineering. This is called Shoulder surfing.

Social engineering also includes “dumpster diving” (which is the act of searching through a company’s rubbish for useful information that can help our attacks) and phishing attacks (which are usually legitimate looking emails sent out to trick users into giving attackers their passwords or bank details). Another form of social engineering is using the “forgot my password” links on most websites to try and gain control of someone else’s account.

Phishing is a major component of social engineering attacks.
We can perform phishing attacks by creating an email that looks legitimate – make it look like it originated from a company or bank. Then, we spoof the address that the email came from, so that the receiver of the email sees a legitimate address. Spoofing addresses is very easy and can be done in most everyday email clients. It is easy to check the real sender of an email if the receiver knows what they are doing, because the email headers will show that the real origin of the email. But this will trick most people. On the email, we just write some message which will invoke the user to click on a link and enter their password – the link will lead them to a fake site we have setup to record the passwords/details they enter.

ORD5qc8.webp
All websites visited on the internet usually look like You do not have permission to view the full content of this post. Log in or register now.. But the computer doesn’t know how to find this – instead it only knows how to deal with numbers. So it uses a Dynamic Name Server to translate example.com into an IP address like Link.

pxWWew3.webp
Often, nobody really thinks about häçking phones and tablets. But mobile devices can be very interesting things to crack, because they provide us with locations, contacts, etc, and many people use them every day for browsing the internet.
A very useful tool is the Smartphone pentest framework, which we can use to “own” many devices. Here is a good tutorial if you are interested.

There are some other good smartphone RATs available now. Check out AndroRAT for example (here is a tutorial). It is well known though, so if the victim has mobile AV then it won’t work. It is much less common for people to have mobile antivirus than to have AV on a computer though https://häçkforums.net/images/smilies/smile.gif.

There are also software called s†éálers, which are designed to s†éál contacts, files, passwords, browsing history, and everything else, off a phone, for example Razstealer (which is the only s†éáler I know of).

sgrKf1F.webp
This is a common attack performed on routers, websites and servers. This is the same as using stressers or booters to crash a router or webserver.

A flood of data is sent to the server in a short time frame, to overload the server so that it becomes unresponsive to any requests – even legitimate ones. You can use this to take down websites, and crash company mailservers, etc. After a successful denial of service attack, all visitors to the site will see a 404 webpage error. An example is a SYN flood (although most modern machines will deal with SYN floods without causing issues).

To perform a DOS attack, we can use our computer – which is usually ineffective, like one person trying to break down a brick wall by throwing chocolate bars at it. We can use the ping command from command prompt for this, we can refresh the page repeatedly (using an autorefresher), or we can use specially designed software like Goodbye. Another way of DOSing a webserver is sending input to a text file that is millions of characters long.

Ping Attack:

1.Open cmd and type:
Code:
ping example.com

2.Use the IP address that shows up in the next command:
Code:
So you would type this in ur cmd: ping 10.10.10.10 -t -l 3600
(Where 10.10.10.10 is the IP and 3600 is the time.)
3.Allow the process to finish. Now just visit the site to see if it is down

Here is a tutorial on one way to easily DOS a router: Link.

A DDOS involves more than one attacking computer. This is usually performed using a Botnet – a group of computers all under your control by a RAT or something similar. You can use the RAT to force all your slave computers to send heaps of packets of data to the target server to crash it. The bigger the botnet, the more efficient/effective the attack will be.

PiTVa18.webp
A lot of software requires a license to be purchased before you can use the software, or to use the software for longer than a trial period. This is where software cracking comes in. Cracking software involves decompiling it (or somehow getting its source code) and then finding a way around the licencing/registration process (this is also known as reverse engineering). This is quite an advanced topic, because you usually need good understanding of Assembly language, etc, and a good understanding of how to get around licences. From cracking, we get all the lovely free cracked software and games you find on piratebay, so it is a very useful ability to have!

We can use hex viewing/editing software like ollydb. Tutorial on basic usage of ollydbg to crack a program here.

If you want to view files/resources that a program accesses, you can use processmonitor and apply a filter to just see results from certain software.

There are some software which you can sometimes use, like CrackedDLL which you just run in the installation folder and it will crack the software for you.

Another cool program you can try is RunAsDate, which allows you to run a program and trick it into thinking it is a different date, in order to extend a trial period infinitely.

zDh6y9L.webp
To avoid being doxed, you should put as little info about yourself as possible on the internet. To remove your information from the internet, you can contact google (especially if you are under 18), and here are some sites to contact:
Spokeo is actually REALLY quick by deleting your information. A few of my friends have reported there links and got it deleted within 30 minutes.
Intelius is a bit more strict when it comes to just removing your information. You will have to scan a valid ID of yourself and send it to them in order to get what you want removed in order to get yourself removed from Intelius.

PROXIES: When you visit a website, it has access to a lot of information about you, like your IP address and the browser you are using. A proxy is basically a tunnel, which reroutes your traffic through it so that no one can trace its initial origin. You can use proxies for your everyday browsing by finding one online (HideMyAss proxy list). For Google Chrome, go 'Tools'-->'Advanced'-->'LAN options'-->'Proxy settings'. Type in the proxy then select the appropriate settings (e.g. HTTPS or Socks5). Then you need to restart Chrome (just close it then open it again). Go to What'sMyIP to check if the proxy is working properly. If it is, it should display a different IP to your actual one.

SOCKS proxy: This is a different type of proxy. It uses the SOCKS protocol instead of just forwarding HTTP requests, because SOCKS protocol acts at a lower level. The client contact the SOCKS proxy server and, by exchanging messages defined by the SOCKS protocol, negotiates a proxy connection. When a connection is established, the client communicates with the SOCKS server using the SOCKS protocol. The external server communicates with the SOCKS server as if it were the actual client.

VPNs: A virtual private network is a network that doesn’t physically exist – it is usually created over the internet or another network. VPNs allow you to tunnel your connections securely, and can be used for anonymity. There are both free (BestCanadaVPN, HideMe.RU,HotspotShield) and ρáíd (HideMyAss, NVPN, OpenVPN) VPNs. You can purchase VPN access in the buyers’ bay too. A good VPN will be fast, have a lot of servers in different locations, and will not log your activity. To connect to a VPN, create a new network connection under the network and sharing center, and choose “Use my internet (VPN)”. Then type in the address of the VPN you want to use, and your username and password. You can also use VPNs on mobiles, e.g. apple: "General"-->"Network"-->"VPN" Now tap the "Add VPN configuration" button. Fill in the data you can get from the VPN.

SSH is another way you can tunnel web connections. The ssh command is built into linux but you can use ssh on windows with PuTTY.

You should try to block skype resolvers, because skype resolving is a common method for attackers or people trying to dox you get your IP address. Changing your IP can sometimes be done in your routers control panel, or by shutting down the router for a while so your ISP assigns you a new IP. If your pc is directly connected to the internet, you can use the ipconfig /release command in cmd. You can refresh your dynamic IP also by clicking on TCP/IP properties in network connections, giving yourself a custom IP (anything you want, it doesn’t matter) and then removing it again to automatically get a new one. You can also spoof your MAC address. I explain one way to do this on Linux in my wireless cracking tutorials above.

Ensure you have very strong passwords. Don’t write your passwords down, because then you are vulnerable to physical social engineering attacks. You can use an encrypted password safe if you need to store passwords, but it is better to keep them in your head. Try to avoid using the same password for everything.

Browser plugins like noscript, zenmap, adblock, disconnect/DoNotTrackMe/TrackMeNot, ghostery, Override User Agent, RefControl, BetterPrivacy, and HTTPS everywhere are great plugins to have to protect your privacy and browse safely.

Encrypt your computer using Truecrypt, to prevent anyone physically accessing your files without your permission. Truecrypt provides a lot of other useful functions, such as decoy OS, etc. Deepfreeze is a useful program which “freezes” your computer in a state to prevent unwanted changes occuring.

TOR (The Onion Router) is a free open source browser which uses a free, secure, anonymous method of connecting to websites. All your traffic is sent to random “nodes” around the world so that you cannot be traced. There are hundreds of nodes and so the path your connection takes changes all the time. TOR slows down your browsing a bit and some sites will not let you access them through tor (like google - use duckduckgo instead. Duckduckgo is actualyl better because it doesn't track you like google does.), but you get a lot of anonymity with it. You can carry tor on a flash drive too.

A cool trick to make a folder invisible on windows (although it is still pretty easy to find), is to rename it to a special blank character generated with Alt+0160. Then, change the icon to one of the blank icons. Most n00bs will never be able to find the folder. To hide a RAR file inside an image, use cmd and run this command: “copy /b picture.jpg + secret.rar newpicture.jpg”. If you open the picture with an archive utility like winrar you will see all the hidden files.

Anti-Forensics Tips.

qV711j9.webp
Dorks are strings that are commonly found in exploitable URLs, and so they are very useful to search for on google. For example, searching for inurl:"CgiStart?page=" will give a lot of results containing the text CgiStart?page= in their url, which are usually web accessible webcameras. This lets us find random cameras around the world we can view without authentication. Dorks are commonly used to find pages that are vulnerable to SQL injection, etc.

Here are a couple of huge lists of dorks for finding sqli vulnerabilities:
One
Two

And here is a list of dorks for finding unsecure webcameras around the world https://häçkforums.net/images/smilies/smile.gif.

If you are interested, shodan is really good – we can use shodan for finding a lot more than just webcameras though. We can find routers, traffic lights and other really interesting things to attack.

L2LH4qL.webp
Doxing is a technique of gathering as much information about someone as possible. Its name is derived from “Documents”.

Commonly, we find their IP address – usually with a skype resolver if we know there skype name, or with an IP address logger to which we send them the link (example: WhatsTheirIP).

We also find their real name. We then try to find as much other info as possible, such as country (even the exact address if possible), relatives, other accounts on other sites, email addresses, etc.

Useful tools include Google, Social Media, Skype resolvers, and whois searches on IP addresses.

TIP: record all the information you can find in a text file. Have a look at the Anonymity section for info on how to avoid being doxed – to remove your info from the web.

WG0CACd.webp
Digital forensics include these topics:
  • Recovering deleted files, including emails
  • Determine what computer, device, and/or software created the malicious file, software, and/or attack
  • Trail the source IP and/or MAC address of the attack
  • Track the source of malware by its signature and components
  • Determine the time, place, and device that took a picture
  • Track the location of a cell phone enabled device (with or without GPS enabled)
  • Determine the time a file was modified, accessed or created (MAC)
  • Crack passwords on encrypted hard drives, files, or communication
  • Determine which websites the perpetrator visited and what files he downloaded
  • Determine what commands and software the suspect has utilized
  • Extract critical information from volatile memory
  • Determine who häçked the wireless network and who the unauthorized users are

A common method of forensics is to create a complete digital image of a drive, in order to delve into it and recover interesting data (that is why you should encrypt your drives).

jiAfmFr.webp
Watch videos, read about past häçkers and their accomplishments, read source code of exploits, try to häçk into something (not illegally https://häçkforums.net/images/smilies/tongue.gif), read anything else you can find about häçking, security and computers, and be creative!

A really interesting thing to check out is the defcon and blackhat conference videos for the past few years. All the coolest, latest häçking stuff gets announced there, so it is definitely inspiring and informative to watch the videos. A popular one was the seminar by Barnaby Jack at defcon 18 on häçking ATMs – mentioned in the terminology section above

EXTRA BONUS TIPS
  • There is an ability on windows 7 to create a godmode control panel, by creating a new folder and renaming it to “Godmode.{ED7BA470-8E54-465E-825C-99712043E01C}” (without quotes).
  • A better alternative to use than taskmanager is Processhäçker.
  • CCleaner is a great utility to clean up your PC. Download here.
  • Another great piece of software that deserves a mention is Cain & Abel. Check it out.
 
boss salamat sa post dami natutunan :) keep posting about security and awareness
pede po ba mahinge email address mo baka may useful script ka for corporate automation and security remediation.

Salamats
 
Status
Not open for further replies.

About this Thread

  • 43
    Replies
  • 3K
    Views
  • 32
    Participants
Last reply from:
docjrmn

Online now

Members online
1,087
Guests online
2,276
Total visitors
3,363

Forum statistics

Threads
2,288,883
Posts
29,054,869
Members
1,214,351
Latest member
birhamhamin
Back
Top