Facebook Hacking | Hacking Tools | Facebook Hacking Tool | Twitter Hacking | Crash Website | Hack Gmail Account
Home / Archives for May 2011

"world's funniest condom commercial" a new clickjacking attack in facebook

Posted by Deepanker Verma Tuesday, May 31, 2011 1 comments

"world's funniest condom commercial" a new clickjacking attack in facebook




"The World Funniest Condom Commercial - LOL [link] haha its really so funny ~ Dont Miss it !"
Most of you have seen this message on facebook. If not, you will surely see this in some days. This is a new clickjacking attack. Clicking on this link will lead users to a page on a blogspot page whick displays on YouTube video player. And user'c click is hijacked for clicking on like and share the facebook page. 
Clickjacking attacks are now very common on facebook. I have posted many this type of facebook scams. 
If you want to protect yourself from this attack, use noscript extention of firefox. Which is the best protection available on the internet.
Categories: ,

Protect against Cookiejacking | suggestion from microsoft

Posted by Deepanker Verma Monday, May 30, 2011 0 comments

Protect against Cookiejacking | suggestion from microsoft


Some days ago, a security researcher found a microsoft's latest security risk named cookiejacking which allows cookiestealing. Microsoft is doing all it's research to patch this vulnerability of internet explore. This bug is in all versions of internet explorer. Clickjacking and social engineering techniques are then used to trick users into dragging the contents of the rogue iframes to containers on the same page controlled by the attackers. Read more about cookiejacking attack
Microsoft's Brandon LeBlanc say that the company is working on a patch. He also suggested to use  browser's InPrivate Browsing feature. The private browsing mode prevents access to cookie files already saved on the disk, but more importantly, it stores cookies for the active session in memory. This means that a page crafted for cookiejacking cannot access neither older cookies nor active ones, because there is no path to them.
Categories:

Cyber Law India website database hacked by MaDnI

Posted by Deepanker Verma Sunday, May 29, 2011 0 comments

Cyber Law India website database hacked by MaDnI


Cyber Law India website database hacked by MaDnI. This website was vulnerable to SQL injection attack. Hacker has exposed the detail of database and posted it on a website


http://www.cyberlawonline.in/course-detail.php?id=1

http://www.cyberlawonline.in/blog/?page_id=2


http://www.cyberlawonline.in/

    Server = Apache/2.2
    Version = 5.0.77-log
    Powered by = PHP/5.1.6,PleskLin
    Current User = 465602_cyberlawo@172.17.35.67
Categories: , ,

A new clickjacking attack hitting facebook

Posted by Deepanker Verma Saturday, May 28, 2011 0 comments

A new clickjacking attack hitting facebook


Many times i have posted about clickjacking attack used in facebook. And i think it's not over. A new clickjacking scam is again hitting facebook walls. The spam messages posted by victims of this attack read: "Baby Born Amazing Effect - WebCamera" and contains a link that takes users to a page hosted at blogspot.com.  The page displays a video player thumbnail with a play button, however, trying to click it actually forces the user's browser to Like the page.
If you want to know what clickjacking is, read clickjacking introduction post.
Few days ago, face deployed a new mechanism for protecting clickjacking attack, but that system doesn't seem to work better. This new spreading scam is the example of it's faliure. 
If you are a firefox user, you can protect yourself by using NOSCRIPT extension.
Categories: , ,

Cookiejacking | facebook, twitter, Gmail hacking

Posted by Deepanker Verma Friday, May 27, 2011 0 comments
Cookiejacking | facebook, twitter are at risk again
Microsoft's latest security risk


You know about clickjacking which is mostly used in facebook to hijack user's click. Cookiejack is little different concept.Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim's cookies without any XSS. It works on
  1. Any cookie. 
  2. Any website.

Once a hacker has that cookie, he or she can use it to access the same site. So we can say that facebook, twitter, Gmail and many more websites are at risk.
A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
Cookiejacking leverages on two main issues to perform attack
  1. a 0-day vulnerability affecting every IE version on every Windows OS box 
  2. an advanced Clickjacking approach.
It seems too difficult but Valotta, the researcher said that he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman. he published this game online on FaceBook and in less than three days, more than 80 cookies were sent to his server.
But you need to know some facts before performing this attack. First of all, cookies file system path depends on Windows username, so you need to guess your victim's username before starting the attack. 
You can sniff your victim's username by exploiting a feature of IE: by using IE you can access remote SMB resources using UNC paths to reference them. You can do this without restriction in Internet and Intranet zones.
So, if you force your victim's browser to retrieve a resource like it will start a NTLM challenge-response negotiation with the remote server and, as a part of this negotiation, it sends Windows Username in clear plain text. 
So you can just use a script to sniff data on TCP port 445 in order to grab the username. You also need to know which OS version is the victim running, as different OSs store cookies in different folders. But you can guess this by parsing the navigator.userAgent object.


See demo video




Download ppt here
Categories: , ,

fimap | a tool for local an remote file exclusion exploitation

Posted by Deepanker Verma 0 comments

fimap | a tool for local an remote file exclusion exploitation


fimap is a penetrationg tool to  find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. This is a python script. It is very useful tool for website pentesting. Now a days cyber world is really unsecure so website security testing is must. This tool is in development but still it's working. the goal of this tool is to improve the security of a website.


read more
http://code.google.com/p/fimap/


Download here:
http://code.google.com/p/fimap/downloads/list
Categories: , , , , , ,

Captcha Cracked | IT experts developed a software that beat captcha

Posted by Deepanker Verma Thursday, May 26, 2011 0 comments

Captcha Cracked | IT experts developed a software that beat captcha


IT experts developed software that beat Captcha on eBay 82% of the time, Microsoft 48.9%, and Yahoo 45.5%


We all know that captcha is used on many website to protect spams. This is an attempt to ensure that the servie is being used by a human. But Now IT experts have developed a software that can beat captcha. Thi software beat captcha of various website upto a great success. It can also break captcha up to 89%.
Categories: , ,

w3af | Web Application Attack framework

Posted by Deepanker Verma 0 comments

w3af | Web Application Attack framework


w3af is a Web Application Attack and Audit Framework. This opensource project's goal is to create a framework for finding and exploit web application vulnerabilities. This type of tools are very useful for pentesting of web applications. Web developers can check their website before deploying it to web hosts. 


Categories: ,

Download Malware Analyser v3.0 - A Static & Dynamic Malware Analysis Tool

Posted by Deepanker Verma Wednesday, May 25, 2011 0 comments

Download Malware Analyser v3.0 - A Static & Dynamic Malware Analysis Tool


Malware Analyser is freeware tool for malware analysis. It is widely used to perform static and dynamic analysis on malware executables.  This tool can be used to identify potential traces of anti-debug, keyboard hooks, system hooks and DEP setting change calls in the malware.


IN this release dynamic Analysis has been included for file creations (will be improved for other network/registry indicators sooner) . Process dumping feature is also added.


Features
Categories: ,

Impassioned Framework - available to download for free

Posted by Deepanker Verma Tuesday, May 24, 2011 0 comments
Impassioned Framework - available to download for free


Impassioned framework is a browser exploitation kit. Russo is the creator of this subscription-based software vulnerability exploit service. 


BROWSERS / OS AFFECTED:

  • Chrome
  • Firefox
  • Msie 6
  • Msie 7
  • Msie 8
  • Opera
  • Safari



EXPLOITS INCLUDED IN THIS KIT:

  • MS09_002
  • MS09_043
  • MS Dshow
  • iepeers.dll
  • Firefox escape
  • Firefox CompareTo
  • Java Calendar
  • Adobe Reader Lib
  • Adobe Reader newPlayer
  • Adobe Flash 9
  • Adobe Flash 10



Now you can download this kit for free. It is available on various file hosting server.


Download Here:
http://www.multiupload.com/9ELC2CART6
Categories: , ,

Blackhole Exploit kit 1.0.2 Download for free

Posted by Deepanker Verma 0 comments

Blackhole Exploit kit 1.0.2 Download for free



After the public release of zesus code, now the code of BlackHole exploit is available for download. The blackhole exploit kit us commonly used for drive by download attack.A one-year BlackHole license costs around $1,500, a semi-annual one $1,000 and a quarterly one, $700. Another option is to rent it for 24 hours ($50), one week ($200), two weeks ($300), three weeks ($400) or four weeks ($500). But now it is available for free and link is available on many website on the internet.
Categories: , ,

Sony Music Indonesia Defaced By k4L0ng666

Posted by Deepanker Verma Saturday, May 21, 2011 0 comments

Sony Music Indonesia Defaced By k4L0ng666


website of sony music indonesia is hacked and defaced by k4Long666. After 5 serial attackes on the website, it's 6th attack. You can see deafce page in the above snapshot. You can also navigate to the defaced page by the link given below.


Defaced URL:
http://www.sonymusic.co.id/kiwi.php
Categories: ,

ratproxy - passive web application security assessment tool

Posted by Deepanker Verma Friday, May 20, 2011 0 comments

ratproxy - passive web application security assessment tool

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. The approach taken with ratproxy offers several important advantages over more traditional methods:

Categories: ,

"Facebook dislike button" is a new kind of spam

Posted by Deepanker Verma Wednesday, May 18, 2011 0 comments

"Facebook dislike button" is a new kind of spam

All of us use facebook and want a dislike button too for disliking some posts on facebook. Scammers are now using this need as their spam spreading method on facebook. Facebook scammers are tricking users to paste rogue code into their browser's address bars in order to get a Dislike button added to their options. The spam messages posted by victims read "Facebook now has a dislike button! Click Enable Dislike Button' to turn on the new feature!" The scammers replace share link by a message "Enable Dislike Button".
After clicking the link, this message will share this spam message to all friends of user and also rune some rouge code on his system too.
Categories: ,

pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework

Posted by Deepanker Verma Tuesday, May 17, 2011 1 comments

pytbull – Intrusion Detection/Prevention System (IDS/IPS) Testing Framework



pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

Categories: ,

safe3si automatic SQL injection and database takeover tool

Posted by Deepanker Verma 2 comments

safe3si automatic SQL injection and database takeover tool


Safe3SI is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


Features
  • Full support for http, https website.
  • Full support for Basic, Digest, NTLM http authentications.
  • Full support for GET, Post, Cookie sql injection.
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
  • Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
  • Support to enumerate databases, tables, columns and data.
  • Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
  • Support to ip domain query,web path guess,md5 crack etc.
  • Support for sql injection scan.

Download


.NET 2.0 or Abouve needed

http://www.safe3.com.cn/en/Safe3SI-8.1.rar
Categories: , ,

Facebook works with Google, Yahoo and mozilla on secure session cookie

Posted by Deepanker Verma Monday, May 16, 2011 0 comments

Facebook works with Google, Yahoo and mozilla on secure session cookie


After turning on https connection for facebook users, now facebook is working with Google, Yahoo and Mozilla on a secure session cookie specification that will protect session cookie from theft even over non-encrypted connections. This new specification is MAC Access Authentication that provide cryptographic verification for certain portions of HTTP requests. Here MAC is Message Authentication Code. this prevents MAN IN THE MIDDLE attack.
Facebook told developers in a post detailing recent changes to its app platform, "We’re working with Yahoo!, Google and Mozilla on this specification in order to give all websites a way to ensure that session information has not been altered or tampered with". Facebook also asked developers to use SSL connection for apps by october.
Categories: , ,

download clickjacking tool

Posted by Deepanker Verma Sunday, May 15, 2011 0 comments
download clickjacking tool
Clickjacking or click hijacking is a type of attack in which attacker use transparent frame to trick a user to click on a link where user wants to click on another page while user wants to click on top level page. Read more in the older post

Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.

Categories: , ,

facebook deploys a new system to detect and prevent spams

Posted by Deepanker Verma Saturday, May 14, 2011 0 comments

facebook deploys a new system to detect and prevent spams


We hear about a new scam daily on facebook. All technology failed to prevent and stop spams on facebook. Facebook has also tie up with WOT to check a link to be malicious or not. Social netorking website has also deloyed a new mechanism to detect and block spams. New mechanism is designed to prevent clickjacking and rogue code pasting tricks commonly used in survey scams. 
Categories: , ,

"Verify your account" Scammers Use New Trick to Mimic Legit Facebook Links

Posted by Deepanker Verma 0 comments

"Verify your account" Scammers Use New Trick to Mimic Legit Facebook Links


This is a new kind of scam spreading on facebook. Scammers are managing to spread scams on Facebook by using a new trick to make malicious links appear as if they are part of the website's normal user interface. In this scam there is a message "Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to the comment below to begin the verification process," Under the message, where the "Like", "Comment" and "Share" links are usually located, there's a link reading "==VERIFY MY ACCOUNT==" using the same styling as the legit ones. On clicking the verifiy link executes the code from external domain which repost the message on users wall automatically.

Categories: , ,

Pakisatini songs website www.songs.pk hacked

Posted by Deepanker Verma Thursday, May 12, 2011 0 comments

Pakisatini songs website www.songs.pk hacked


For indians, songs.pk is one of those famous websites which are usd for downloading latest bollywood and pakisatani songs. www.songs.pk is Hacked. It's FTP has been broken by a hacker. The hacker who hacked this is from Pujab, India. Hacker used some custom exploit to break into the FTP. Songs.pk's three-month global Alexa traffic rank is 799. About 81% of visitors to the site come from India, where it has attained a traffic rank of 60. Now just imagine how much huge traffic this website is getting.


SOURCE: AMARJIT.INFO
Categories:

Backtrack 5 is released and available to download

Posted by Deepanker Verma Wednesday, May 11, 2011 0 comments

Backtrack 5 is released and available to download


If you are interested in hacking and penetration testing, i am sure you know about backtrack. This operating system is used for penetration testing. Now Backtrack 5 is released and available for download. BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tools collection to-date.
Categories: , ,

Security researchers crack Google chrome's sandbox

Posted by Deepanker Verma Tuesday, May 10, 2011 0 comments

Security researchers crack Google chrome's sandbox


it's a new breaking news about the most secure web browser of the world. In google chrome, there is the architecture of sandbox that separates web code parsing from the operating system and it makes it most secure web browser. Security researchers of outfit VUPEN Security managed to exploit Google Chrome and execute arbitrary code by breaking out of the browser's reputed sandbox. They have also published a video of the exploit they developed in action against Chrome 11.0.696.65 running on a fully patched 64-bit Windows 7 SP1 installation.

Categories:

free download Dos Attacking tool | LOIC 1.0.4

Posted by Deepanker Verma Monday, May 9, 2011 8 comments
free download Dos Attacking tool | LOIC 1.0.4



If you want to attack on a website by Denial of service attack and you are in search of a tool which can help you in this. Today i have a tool which performs a denial-of-service (DoS) attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.



LOIC basically turns your computer's network connection into a firehose of garbage requests, directed towards a target web server. On its own, one computer rarely generates enough TCP, UDP, or HTTP requests at once to overwhelm a web server—garbage requests can easily ignored while legit requests for web pages are responded to as normal.

But when thousands of users run LOIC at once, the wave of requests become overwhelming, often shutting a web server (or one of its connected machines, like a database server) down completely, or preventing legitimate requests from being answered.


this is a nice tool to perform dos or ddos attack but try it on your own risk. It has no ability to hide your IP address. So attacking on a website may cause a trouble for you.


Download Here
LOIC
Categories: ,

Send Email from any email ID | email spoofer which can cross spam filter

Posted by Deepanker Verma Sunday, May 8, 2011 10 comments

Send Email from any email ID | email spoofer which can cross spam filter



There are many email spoofing websites. You can also host your own fake email sender script too. But this one is something different. You are able to send email from any email id and that will surely be in the sender's inbox not in the spam. I got this spoofing website from one of my friend.


Features:
  1. Email Doesn't go in spam folder
  2. Instant delivery of emails
  3. With Attachment Support
  4. With HTML Editor
  5. And Many Other Features



Go and send fake mails
http://emkei.cz/


warning: Please do not use this website for any type of cyber crimes. don't use it in illegal works.
Categories: ,

Local File Inclusion Vulnerability Scanner

Posted by Deepanker Verma Saturday, May 7, 2011 2 comments

Local File Inclusion Vulnerability Scanner 



Local File Inclusion is the website vulnerability and can gave attacker the ability to root the website server too.


Description 
The Simple Local File Inclusion Vulnerability Scanner helps you to find LFI vulnerabilities. This is a python script which works as a LFI scanner.


Usage
./lfi_scanner.py –url=


Usage example
./lfi_scanner.py –url=”http://www.example.com/page.php?file=main”


Usage notes
- Always use http://….
- This tool does not work with SEO URLs, such as http://www.example.com/news-about-the-internet/.
- If you only have a SEO URL, try to find out the real URL which contents parameters.


Feature list
- Provides a random user agent for the connection.
- Checks if a connection to the target can be established.
- Tries to catch most errors with error handling.
- Contains a LFI vulnerability scanner.
- Finds out how a possible LFI vulnerability can be exploited (e.g. directory depth).
- Supports nullbytes!
- Supports common *nix targets, but no Windows systems.


Known issues
- This tool is only able to handle “simple” LFI vulnerabilities, but not complex ones.
- Like most other LFI scanners, this tool here also has trouble with handling certain server responses.


Some notes
- Tested with Python 2.6.5.
- Modify, distribute, share and copy the code in any way you like!
- Please note that this tool was created for educational purposes only.
- Do not use this tool in an illegal way. Know and respect your local laws.
- Only use this tool for legal purposes, such as pentesting your own website
- I am not responsible if you cause any damage or break the law.
- Power to teh c0ws!


Download Here:
http://www.xenuser.org/tools/lfi_scanner.py
Categories: , , ,

PacketFence: Open Source NAC (Network Access Control) V.2.2 Released

Posted by Deepanker Verma Friday, May 6, 2011 1 comments

PacketFence: Open Source NAC (Network Access Control) V.2.2 Released



PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Network Access Control (NAC) is an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement. It's V.2.2 released and ready to download. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks. 

Categories: , , ,

Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS v.4.0 Released)

Posted by Deepanker Verma Sunday, May 1, 2011 0 comments

Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS v.4.0 Released)


It's a good news for all ASP.NET developers. Microsoft has released v.4.0 of AntiXSS library. XSS is a type of website vulnerability and can be found in many websites. 
The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library. This library is designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:- A customizable safe list for HTML and XML encoding- Performance improvements- Support for Medium Trust ASP.NET applications- HTML Named Entity Support- Invalid Unicode detection- Improved Surrogate Character Support for HTML and XML encoding- LDAP Encoding Improvements- application/x-www-form-urlencoded encoding support 


Supported Operating Systems:Windows 7;Windows Server 2003;Windows Server 2008;Windows Vista;Windows XP
OS: Microsoft WindowsSoftware: .NET Framework 3.5


download here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651
Categories: ,
Featured FREE Resource:
X




Security Tools

Loading...
Share
Get This

About Me

My Photo
Deepanker Verma
I am Deepanker Verma. A computer geek, Security researcher blogger and software developer. I have deep interest and Information security and web development and try to learn new things. you will see my blogs on hackingtricks, TechlomediaWebtips and Usethistip.

I was also honoured by Apple, Ebay, Symantec, PandaSecurity and various other computer software giants for my security work for their company. I also contribute on some opensource projects regularly.

I also own a web app called NoteDIP that allows users to send self-destructive messages with password protection.

You can add me to circles to get my daily tips :)

View my complete profile

Partners

Blog Archive

Copyright © Hacking Tricks. All rights reserved. Blogger template designed by BLog Bamz