
How to protect your PC's from hackers

Posted by Deepanker Verma Aug 19, 2013 0 comments
With attackers constantly probing end-user systems, protecting data has become a major concern for IT specialists and home users alike. Antivirus software and a firewall are only part of the answer; here are a few practical ways to protect the private and confidential information on your system:

Windows Updates: Even the largest software vendors ship code with security flaws, and attackers actively look for systems that have not patched them. Updating a Windows-based system regularly has therefore become a necessity. Installing updates as they are released (or at least weekly) closes known holes before worms and other malware can use them, which sharply lowers the chance of infection. Turn on automatic updates so the schedule does not depend on remembering to check.

Software updates: Like Windows itself, the applications you run have to be kept at their latest versions. Check regularly for updates to the software on your system. Web browsers, browser plugins and other internet-facing programs are the most exposed and must be upgraded promptly, so that a known flaw in them does not hand attackers the private and confidential data stored on your system.

Antivirus Software: A system that is regularly connected to the internet without antivirus software is an easy target. If you do not have antivirus software, install one as soon as possible. If you already have one, keep both the program and its signature database up to date, and check that real-time scanning and the other settings are properly configured.

Anti-spyware software: Grim as things look, the situation is not as bad as in the days when Bonzi Buddy and CoolWebSearch gave PC users nightmares. Anti-spyware software deserves much of the credit; run it alongside your antivirus and keep it updated as well.

Swap your Windows-based system for a Macintosh: Mac OS X has its own limitations compared with other operating systems, but its much smaller market share means far less malware is written for it, and most attackers simply do not bother targeting Macs. That is why it still earns a place among the more secure desktop operating systems. Note that this is protection by numbers rather than by design: a Mac still needs updates and sensible habits.

Hacker-Controlled websites: Sites offering free downloads, porn, pirated software, online games and the like are frequently used to push malware, whether they are run by attackers outright or have been compromised. In the physical world you avoid dangerous places when carrying valuables; treat the PC that holds your data the same way. Steer clear of sites that look suspicious or insist that you download something you did not ask for (a "codec", "player" or "update" is the usual bait).

Data Backup: Back up all the important data on your system. Apart from hackers and crashes, a failed hard drive, theft or a bad update can wipe out every bit of data you have. Keep at least one copy off the machine, and test that you can actually restore from it. It is always better to be safe than sorry.

This is a guest post by Jessica Carol.

Free Download Whitepaper "Intrusion Detection Systems with Snort"

Posted by Deepanker Verma Jul 11, 2013 0 comments
Hello readers. Although I am not active on this blog, you can still enjoy the older posts and learn the basics of hacking and penetration testing. Today I have a nice ebook that will help you understand what an IDS is and how to deploy Snort in your network.

An Intrusion Detection System (IDS) is a device or application that monitors the activity of a network or host and raises an alert when it sees something that matches a known attack signature or deviates from normal behaviour. A plain IDS only monitors and reports; it does not stop the traffic. Systems that can also block the intrusion, typically by sitting inline and dropping the offending packets, are called Intrusion Detection and Prevention Systems (IDPS), or simply IPS. Snort can run in either mode.
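The signature-matching half of what an IDS does, as an added example that is not Snort's code and not part of the original post: a parser for a small subset of Snort's rule syntax (action, protocol, direction, destination port, and the content / msg / nocase options), run over packets constructed inline. Like the plain IDS described above it only reports; an IPS would additionally drop the matching packet.

```python
"""Tiny signature-based IDS in the spirit of a Snort rule, run over constructed packets.

Added example for this post; it is not Snort's code. The rule grammar is a
deliberately small subset of Snort's and every packet below is made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    dport: Optional[int]          # None means "any"
    contents: List[bytes]         # every content: option must match (Snort ANDs them)
    msg: str
    nocase: bool = False


# alert tcp any any -> any 80 (msg:"..."; content:"..."; nocase;)
RULE_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\w+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> Rule:
    """Parse one rule line. Option values may not contain ';' in this toy grammar."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    contents, msg, nocase = [], "", False
    for opt in (o.strip() for o in m.group("opts").split(";")):
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            contents.append(value.encode())
        elif key == "msg":
            msg = value
        elif key == "nocase":
            nocase = True
    dport = None if m.group("dport") == "any" else int(m.group("dport"))
    return Rule(m.group("action"), m.group("proto"), dport, contents, msg, nocase)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first, then the payload content checks."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    payload = pkt.payload.lower() if rule.nocase else pkt.payload
    return all((c.lower() if rule.nocase else c) in payload for c in rule.contents)


def inspect(rules: List[Rule], packets: List[Packet]):
    """Return (src, dst, msg) for every alert rule that fires; detection only, no blocking."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and matches(rule, pkt):
                alerts.append((pkt.src, pkt.dst, rule.msg))
    return alerts


# Constructed rule set and traffic sample.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"WEB-ATTACK /etc/passwd access"; content:"/etc/passwd"; nocase;)',
    'alert tcp any any -> any 80 (msg:"WEB-ATTACK SQL tautology"; content:"\' or 1=1"; nocase;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous";)',
]]

PACKETS = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("tcp", "10.0.0.9", "10.0.0.80", 80, b"GET /view?f=../../etc/PASSWD HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.9", "10.0.0.80", 80, b"GET /login?u=admin' OR 1=1-- HTTP/1.1\r\n\r\n"),
    Packet("tcp", "10.0.0.9", "10.0.0.80", 8080, b"GET /x?f=/etc/passwd HTTP/1.1\r\n\r\n"),  # wrong port: no alert
    Packet("tcp", "10.0.0.7", "10.0.0.21", 21, b"USER anonymous\r\n"),
]

if __name__ == "__main__":
    for src, dst, msg in inspect(RULES, PACKETS):
        print(f"[ALERT] {src} -> {dst}: {msg}")
```

The fourth packet shows why header fields matter: the same payload on port 8080 does not fire the port-80 rule, which is also how a real deployment misses attacks on non-standard ports unless the rules say `any`.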

Download Free Ebook "HackerProof: Your Guide to PC Security"

Posted by Deepanker Verma Jun 10, 2013 0 comments
At HackingTricks I am not too active because I am busy with my other blogs, Techlomedia.in and Usethistip.com. But now I am starting a weekly series in which I will be offering a free handbook on various security domains.

A new Android Malware BadNews Discovered, Downloaded More than 9 Million Times

Posted by Deepanker Verma Apr 21, 2013 0 comments

Bad news arrives in the form of a new Android malware family called BadNews. Security firm Lookout found it in 32 apps that together had been downloaded more than 9 million times. Most of these apps were available in Google Play and targeted Russian users.

How to Start Web Application Penetration testing With Websecurify

Posted by Deepanker Verma Apr 16, 2013 0 comments

If you are a developer, the owner of a software firm or a testing engineer, you know the importance of security testing. Attackers are everywhere and constantly probe systems, networks and applications. For web application penetration testing there are many tools available; in this post we will see how to use Websecurify to test a web application.

Popular online Document Sharing website Scribd Hacked

Posted by Deepanker Verma Apr 5, 2013 0 comments

Scribd, one of the world's most popular online document sharing websites, is the latest victim of a cyber attack. The company has posted a security announcement saying that attackers tried to access users' information, and it is asking users to change their passwords. Scribd has already emailed all affected users.

“Earlier this week, Scribd’s Operations team discovered and blocked suspicious activity on Scribd’s network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users,” Scribd wrote in its security announcement.

“Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords,” it added.

Scribd stores passwords as strong hashes rather than in plaintext, so the attackers cannot simply read users' actual passwords from what they took. A hash is not a guarantee, though: a weak or common password can still be recovered offline by guessing, which is why the company is not taking chances and is asking users to change their passwords. If you reused your Scribd password anywhere else, change it there too.

If you have not received a security email from the company, you can check manually whether your account was affected at the link below: visit it and enter your email address.

http://www.scribd.com/password/check

I also suggest that users get into the habit of choosing strong passwords. Read how to select a smart password and protect your accounts from being hacked.

Methods of Finding Admin Login Page of a Website

Posted by Deepanker Verma Mar 17, 2013 0 comments

Sometimes it is hard to find the admin login page of a website because it is not linked from the main site. Once I found an SQL injection vulnerability in a website and easily got the admin username and password. The next step was to find the admin login page and try the password, but it took hours to find the page.
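Two of the standard methods for locating an unlinked login page, as an added example that is not the post's own tooling: reading the site's robots.txt (administrators often "hide" the admin directory there, which is exactly where an attacker looks first) and probing a wordlist of common admin paths, treating any status other than 404 as worth a closer look. The wordlist is a short constructed sample, and a throwaway local HTTP server constructed in the script stands in for the target so it runs offline; point `find_login_pages` at a real base URL only with permission.

```python
"""Finding an unlinked admin login page: robots.txt hints plus common-path probing.

Added example for this post; it is not the author's tooling. The wordlist is a
short constructed sample, and a throwaway local HTTP server stands in for the
target so the script runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, abbreviated: a real wordlist holds thousands of such paths.
COMMON_ADMIN_PATHS = [
    "/admin/", "/admin/login.php", "/administrator/", "/wp-login.php",
    "/wp-admin/", "/login/", "/user/login", "/manager/", "/cpanel/",
]


def parse_robots(text: str):
    """Paths listed in Disallow: lines; operators often put the admin directory here."""
    found = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() == "disallow" and value and value != "/":
            found.append(value)
    return found


def probe(base: str, path: str, timeout: float = 5.0) -> int:
    """GET one path and return the final status code (404 means nothing there)."""
    req = urllib.request.Request(base + path, headers={"User-Agent": "login-finder-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_login_pages(base: str):
    """Return [(path, status)] for every candidate that is not a plain 404."""
    candidates = []
    try:
        with urllib.request.urlopen(base + "/robots.txt", timeout=5) as resp:
            candidates += parse_robots(resp.read().decode(errors="replace"))
    except urllib.error.URLError:
        pass                                   # no robots.txt: fall back to the wordlist only
    candidates += COMMON_ADMIN_PATHS
    hits, seen = [], set()
    for path in candidates:
        if path in seen:
            continue
        seen.add(path)
        status = probe(base, path)
        if status != 404:                      # 200/301/302/401/403 all mean "something is here"
            hits.append((path, status))
    return hits


class FakeSite(BaseHTTPRequestHandler):
    """Constructed target: the admin page is unlinked but leaks through robots.txt."""
    ROUTES = {
        "/": (200, b"<a href='/about'>about</a>"),
        "/about": (200, b"hello"),
        "/robots.txt": (200, b"User-agent: *\nDisallow: /secret-admin/\nDisallow: /tmp/\n"),
        "/secret-admin/": (200, b"<form method=post>admin login</form>"),
        "/manager/": (403, b"forbidden"),
    }

    def do_GET(self):
        status, body = self.ROUTES.get(self.path, (404, b"not found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):              # keep the demo quiet
        pass


def start_fake_site():
    """Serve FakeSite on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    server, base_url = start_fake_site()
    for path, status in find_login_pages(base_url):
        print(f"{status} {base_url}{path}")
    server.shutdown()
```

A 403 is reported on purpose: it means the path exists but is restricted, which on a real site is often the admin area behind an IP filter, and a 401 would mean HTTP authentication in front of it.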

WordPress Security Scanning With WpScan Android App

Posted by Deepanker Verma Mar 15, 2013 0 comments

With the increasing popularity of Android devices, security companies are developing penetration testing tools for the platform. If you own a WordPress website, you can now scan it for known security vulnerabilities with the WpScan Android app.

Evernote Hacked, Emails and Encrypted Passwords Leaked

Posted by Deepanker Verma Mar 3, 2013 0 comments

A few hours ago, popular tech company Evernote also confirmed that hackers had broken into its systems. The company revealed that the attackers accessed email addresses and encrypted passwords.


Which Tool Should I use for Pentesting And How?

Posted by Deepanker Verma Feb 23, 2013 0 comments

Penetration testing is the process of finding security vulnerabilities in an application by attacking it the way an adversary would; for a web application it is the hands-on form of security testing. To simplify the process there are many manual and automated tools available, and with them we can find common vulnerabilities far faster than by purely manual methods, though a tool only finds what it has checks for.
There are a great many penetration testing tools; you can find most of them in our Security testing tools collection.

With so many open-source, free and premium tools available, it is hard to pick the one that will work for you. Below I list a few penetration testing tools along with an explanation of how each is used.

Powerfuzzer
Official web site: http://www.powerfuzzer.com/
License: Open Source (GNU General Public License)

Additional Information: No changes made since 2009

Usage and capabilities:

The first tool I am going to describe is Powerfuzzer v1 Beta. I chose it first because it is the simplest to use, which makes it an excellent tool for beginners.


Figure 1. User interface of Powerfuzzer v1 Beta

As you can see, its usage is straightforward. "Target URL" is the site that will be tested. "Exclude URL/s or dir" lets you exclude directories or links that you do not want tested, such as scripts that delete users. "Credentials" is for parts of the web application that require a username, password or session. "Proxy" routes the requests through a proxy, for example to hide the tester's address or to let an intercepting proxy record the traffic. "Timeout" sets the timeout between requests, and "Verbosity" selects the "strength" of the testing: the number of requests, tests and so on. According to the official website, this tool detects the following types of vulnerabilities:

  • Injections (SQL, LDAP, code, command and XPath)
  • CRLF injection
  • HTTP 500 responses (usually indicative of a misconfiguration or security flaw, including buffer overflows)

The scan report (the results of the scan) is displayed as simply as possible, as in the following picture. If a vulnerability is found, it is described in the format “ in with parameters coming from .”

Figure 2.Displaying the results when the scanning is finished

Pros:
  • Very simple usage
  • Pretty powerful for fast testing
  • Does not require any experience to use

Cons:
  • The options are placed randomly across the tool.
  • The report is not very detailed and it does not group the results.
  • The tool has not been updated since 2009.
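What a fuzzer of this kind actually does, as an added example that is not Powerfuzzer's code or part of the original review: one query parameter at a time is replaced with a payload, and the response is classified using the three signals the list above names (a back-end error string for the injection classes, an injected header surviving into the response for CRLF, and an HTTP 500). The transport is a callable, so the logic runs offline here against a constructed vulnerable application (`fake_send`) and, via `http_send`, against a real target you are authorised to test.

```python
"""Minimal URL-parameter fuzzer for the three things the Powerfuzzer description
lists: injection error strings, CRLF reflection and HTTP 500 responses.

Added example, not Powerfuzzer's code. The transport is a callable so the same
logic runs offline against the constructed `fake_send` below and, with
`http_send`, against a real target you are authorised to test.
"""
import urllib.error
import urllib.parse
import urllib.request

# Payloads chosen to provoke parser/back-end errors, not to exploit anything.
PAYLOADS = {
    "sqli":  ["'", '" OR "1"="1', "1 AND 1=2"],
    "xpath": ["' or ''='"],
    "cmd":   ["; id", "| id"],
    "ldap":  ["*)(uid=*))(|(uid=*"],
    "crlf":  ["%0d%0aX-Injected:%201"],
}
ERROR_SIGNATURES = {
    "sqli":  ["you have an error in your sql syntax", "unclosed quotation mark",
              "sqlite3.operationalerror", "ora-01756", "pg_query()"],
    "xpath": ["xpath", "invalid predicate"],
    "cmd":   ["uid=", "sh: ", "command not found"],
    "ldap":  ["ldap_search", "bad search filter"],
}


def http_send(url: str):
    """Real transport: (status, headers, body) via urllib; error pages are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode(errors="replace")


def mutate(url: str, param: str, payload: str) -> str:
    """Rebuild url with one parameter's value replaced by the payload."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query = [(k, payload if k == param else v) for k, v in query]
    # safe="%" keeps the pre-encoded CR/LF in the crlf payload intact
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query, safe="%")))


def classify(category: str, status: int, headers: dict, body: str):
    """Findings for one response; an empty list means the payload changed nothing interesting."""
    findings = []
    if status == 500:
        findings.append("HTTP 500 on payload (unhandled error)")
    if category == "crlf" and any(h.lower() == "x-injected" for h in headers):
        findings.append("CRLF injection: injected header reached the response")
    low = body.lower()
    findings += [f"{category} error signature {sig!r} in body"
                 for sig in ERROR_SIGNATURES.get(category, []) if sig in low]
    return findings


def fuzz(url: str, send=http_send):
    """Fuzz every query parameter of url; returns a list of finding dicts."""
    parts = urllib.parse.urlsplit(url)
    params = [k for k, _ in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    baseline_status, _, _ = send(url)
    results = []
    for param in params:
        for category, payloads in PAYLOADS.items():
            for payload in payloads:
                target = mutate(url, param, payload)
                status, headers, body = send(target)
                for finding in classify(category, status, headers, body):
                    if finding.startswith("HTTP 500") and baseline_status == 500:
                        continue            # page is broken regardless of input: not a finding
                    results.append({"param": param, "category": category,
                                    "payload": payload, "finding": finding, "url": target})
    return results


def fake_send(url: str):
    """Constructed target: `id` is concatenated into SQL, `next` into a response header."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query, keep_blank_values=True))
    headers = {"Content-Type": "text/html"}
    if "'" in q.get("id", ""):
        return 500, headers, "<b>Warning</b>: You have an error in your SQL syntax near ''"
    nxt = q.get("next", "/")
    if "\r\n" in nxt:                       # header injection: the app never strips CR/LF
        name, _, value = nxt.split("\r\n", 1)[1].partition(":")
        headers[name.strip()] = value.strip()
    return 200, headers, "<html>item</html>"


if __name__ == "__main__":
    for r in fuzz("http://example.test/item?id=7&next=/", send=fake_send):
        print(f"{r['param']:5} {r['category']:5} {r['finding']}  <- {r['url']}")
```

Note the baseline request: a page that already returns 500 for normal input would otherwise produce a "finding" for every payload, which is the kind of noise the review complains about in ungrouped reports.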

N-Stalker
- Official web site: http://www.nstalker.com/
- License: Enterprise, Infrastructure and Free edition
- Additional Information: Lots and lots of tools in one
Usage and capabilities:

Figure 3. User interface of N-Stalker

One look at this tool tells you it is made professionally for professional use. From the main screen you can see that everything is nicely grouped and organized, which makes penetration testing easy even for beginners. Because there are so many options, I will only explain the parts that interest me most: the scanning process, the policy editor and the report manager.


Figure 4. Selected option from the menu – Policy Editor

I will start with the Policy Editor, because before performing a scan you need to set a Policy with well-defined rules. When you open the Policy Editor you see a tree of rules on the left and the description of the selected rule on the right.

Figure 5. Options of Policy editor

The description of the current rule is detailed and consists of: the name of the vulnerability, severity level, vulnerability class, target server, common references, description, solution/fix for the vulnerability and URL references.


Figure 6.Description of a rule

Figure 7. Create, close and save options

When you have finished setting the rules for the policy, you can give it a name (I usually name it after the target I am scanning).


Figure 8. Create, close and save options

The next option I will explain is scanning. When you start the Scan Wizard (by clicking the top-left Start button), the following screen appears (Figure 7). Here you add your application URL and then choose the Scan Policy, which defines what kind of test you will perform, or choose a previous Scan Session. The Load Spider Data option is not described since it is not available in the free version of N-Stalker.

After setting up the target, the next step is Optimize Settings. Here you find many options for customizing the scan policy even further: Authentication (if your web application has any); a False-Positive mechanism, where you set rules for skipping links with certain file extensions, define the pages that report the application's status (404, 403 and so on) or set up a regular expression filter; Engine, where you define the settings for the web spider; and Miscellaneous, where you set which hosts may and may not be scanned.

You can try these options yourself; I will just continue with the optimization, so click Optimize and see what happens.


Figure 9.Options for the step Optimizing Settings

When the optimization process is finished, the next step is the summary, where you see detailed information about the scan session that will be performed.

Figure 10.Summary of the defined setting for the scan session

When you start the scan (by clicking the top-left Start Scan button), you will notice that the scanning environment is really something special. That is because of the Website Tree tab and the Scanner Events tab, where every action is nicely grouped and where the directory layout of the scanned web application can easily be viewed. The Website Tree groups the files the application is composed of (not necessarily all of them, since access restrictions can hide parts of the site from the spider). Then there is Scanner Events, the event viewer for the scan results, and the Scanner Dashboard, where you see the details of an event chosen from the Scanner Events tab.

Figure 11.Performing a scan

When the scan has finished, the Results Wizard appears and you can choose to save or discard the results of the session.


Figure 12.Finishing touch of the scanning process

When you are finished with the session, open the Report Manager. On the left, in the Available Scan Session tab, choose the report of the scan session you saved. Here is my favourite part: right-click the result and choose Technical Report -> Generate PDF. Open the generated PDF and you will see why this is an awesome feature of N-Stalker: the report is well organized and very detailed, the results are nicely grouped, and even the scanning policy is part of the report, so you can see which rules were used. That is all for N-Stalker.

Pros:
  • So many tools
  • Great policy management
  • Detailed and professional report
  • Great community

Cons:
  • Annoying advertising window
  • The interface of N-Stalker is very similar to Microsoft Office software.
  • The free version is useless; see the options offered in the free version at http://www.nstalker.com/products/compare-editions/security-checks/.
  • The enterprise edition has a very expensive price for an unlimited website license, $5,000 (it should be named the Overpriced Edition).


w3af


- Official web site: http://w3af.sourceforge.net
- License: Open Source (GNU General Public License)
- Additional Information: On the official website, every plugin is described in detail. w00t!
- Tested version: v1.2 Revision:6647
Usage and capabilities:

The first time you open w3af you will probably find it confusing, because the options along the top are icons with no text describing what they do. A mouse-over shows a description, but that is tedious when you are doing the same thing repeatedly. I hope the developers will change this.

Figure 13.w3af interface

We begin with the Profiles tab, which serves as the policy of rules defined for the scan. You can create, delete or modify a Profile. The grouping is nicely organized, but the profile title lacks a description.


Figure 14.Grouping of the profiles

When you select a profile, the Plugin and Active columns tell you which tools and types of tools are selected for the current scanning session. Again the grouping is nicely done, but this tab also lacks descriptions, and I hope the developers will improve it.

Figure 15.Scanning options for the profiles

Figure 16. Defining the target that will be scanned

In the Target bar, enter the URL of your web application and click Start to begin the scan.


Figure 17. Creating a profile wizard

To create a profile for a scanning session, start the wizard by clicking the first icon on the top bar. To be honest, the wizard is excellent. In the first step you select which kind of wizard (infrastructure or short) will be used. Next you define the target that will be scanned.

Figure 18. Defining the target

Figure 19. Selecting type of plugin/s

After defining the target’s link, you choose which type of plugins will be included for your scanning sessions.

Figure 20. Selecting type of plugin/s


Figure 21. Naming the profile

The last step is to give the profile a name (I skipped a few steps in between). After you have finished creating the profile, start the scanning session and see what happens.

Figure 22. Display of logs

The log tab is the place where you can view additional information about the current scanning session.

Figure 23. Display of the scanned URLs

In the Results tab, you can view the directory tree of your application which looks pretty awesome.

Figure 24. Exploiting the vulnerabilities found

And the last part is the Exploit tab, where you can try to exploit the vulnerabilities that have been found.

Pros:
  • Clear and concise user guide
  • Lots of plugins
  • On the official web site, every plugin is described in detail.
  • Scanned URLs are nicely displayed.

Cons:
  • Needs some time to get used to
  • Unhandled exceptions are raised; you will probably find the Bug Detected screen annoying.

Conclusion

You can only judge a tool after you have used it. I hope you liked my selection of penetration testing tools. I do not want to offend anybody with this review; it is just my view that every tool could be improved and become even better. See you in the next edition.

Dame Jovanoski is a security researcher for InfoSec Institute. InfoSec Institute is a computer security training company that provides popular CEH v8 Ethical Hacking Boot Camps. 


Twitter Hacked, Change your Password Now

Posted by Deepanker Verma Feb 2, 2013 0 comments

It is bad news for Twitter users. Today Twitter announced that attackers gained access to its network and may have compromised around 250,000 user accounts. Twitter has started sending notification emails to the owners of the affected accounts.

If you are a regular Twitter user, I will advise you to change your Twitter password now. 

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users,” Twitter announced in a blog post.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter told news agencies. “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.”

The announcement did not explain how the attack was carried out, but some researchers suggested that it used the Java vulnerability disclosed earlier this month, with a Twitter employee's home or work computer compromised through the Java browser plugin as the way in.

Twitter users face this kind of breach almost every year. I also advise users to follow these security tips to protect their accounts from hackers.

Password Cracking With the Cain & Abel Password Cracker

Posted by Deepanker Verma Jan 26, 2013 0 comments

If you know a little about password cracking and a few password crackers, I am sure you already know Cain & Abel, one of the most popular password cracking tools. You can learn more about it in our security tools gallery.

Officially, Cain & Abel is a password recovery tool for Windows that supports every current version of Windows. It can crack many types of password. To recover a password it uses several methods, including brute-force and dictionary attacks against captured hashes, sniffing the network for credentials, decoding scrambled passwords, revealing password boxes, uncovering cached passwords, recovering wireless network keys and analyzing routing protocols. There are a few other methods, and more are added with each new version of the tool.
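The two hash-cracking methods named above, dictionary and brute-force, as an added example that is not Cain & Abel's code or part of the original post. It also makes the point from the Scribd breach post further up: hashed storage stops attackers reading passwords directly, but a weak password falls to a dictionary attack whether the hash is fast or slow, and a fast unsalted hash additionally lets short random passwords be brute-forced. The records, salts and wordlist are constructed, and `store_slow` uses PBKDF2 as a stand-in rather than whatever any real site used.

```python
"""Why "the passwords were hashed" is not the end of the story: dictionary and
brute-force recovery against a fast unsalted hash versus a salted, slow KDF.

Added example for the Scribd breach post above and for this Cain & Abel post;
it is not Cain's code. The wordlist, salts and "leaked" records are constructed.
"""
import hashlib
import hmac
import itertools
import string

WORDLIST = ["password", "letmein", "123456", "qwerty", "summer2013", "dragon", "welcome"]


# --- two ways a site might store the same password ---------------------------
def store_fast(password: str) -> str:
    """Unsalted MD5: what crackers test at millions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def store_slow(password: str, salt: bytes, rounds: int = 20_000) -> str:
    """Per-user salt + PBKDF2-HMAC-SHA256; every guess costs `rounds` HMAC calls.
    20k rounds keeps the demo quick; production settings are far higher (or a memory-hard KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


# --- the two attacks a Cain-style tool runs against a captured hash -------------
def dictionary_attack(digest: str, hash_fn, wordlist):
    """Try each word plus the cheap mangling rules every cracker starts with."""
    for word in wordlist:
        for guess in (word, word.capitalize(), word + "1", word + "!"):
            if hmac.compare_digest(hash_fn(guess), digest):
                return guess
    return None


def brute_force(digest: str, hash_fn, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Exhaust every string up to max_len; work grows as len(alphabet) ** length."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hmac.compare_digest(hash_fn(guess), digest):
                return guess
    return None


def crack_leak(records, wordlist=WORDLIST):
    """records: (user, scheme, salt, digest) as they might sit in a dumped users table."""
    cracked = {}
    for user, scheme, salt, digest in records:
        hash_fn = store_fast if scheme == "md5" else (lambda pw, s=salt: store_slow(pw, s))
        guess = dictionary_attack(digest, hash_fn, wordlist)
        if guess is None and scheme == "md5":
            guess = brute_force(digest, hash_fn)   # only affordable against the fast hash
        cracked[user] = guess
    return cracked


# Constructed "leak": the same weak password stored both ways, plus a short random and a strong one.
SALT_C = b"\x9f\x12\x4a\xcc\x01\x7e\xb3\x0d"
SALT_D = b"\x33\xe8\x5a\x91\xfa\x06\x2c\x71"
LEAK = [
    ("alice", "md5",    b"",     store_fast("summer2013")),             # dictionary word
    ("bob",   "md5",    b"",     store_fast("b3x9")),                   # short random: brute-forceable
    ("carol", "pbkdf2", SALT_C,  store_slow("summer2013", SALT_C)),     # slow hash, still a dictionary word
    ("dave",  "pbkdf2", SALT_D,  store_slow("T7#kq9!Lm2pVx", SALT_D)),  # slow hash, strong password
]

if __name__ == "__main__":
    for user, pw in crack_leak(LEAK).items():
        print(f"{user:6} {pw if pw else '(not recovered)'}")
```

Only dave survives: the salt prevents one precomputed table from covering all users, the slow KDF makes each guess expensive, and a long random password keeps the guess count out of reach. That combination, not "encryption" on its own, is what makes a breached password table safe to leave unchanged, which is why breached sites still ask everyone to reset.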