Hi Guys…

In this short tutorial I'm going to show you a piece of JavaScript that reveals the password hidden behind the asterisks/stars in a web page's password field.

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();

How to use this code:
1. Open any web browser and go to a website whose username and password are already stored on the computer you are using, let's say www.gmail.com.

2. If a username and password are stored on your system for Gmail, they will be visible in the login area: the username as text, and ***** stars in place of the password.

3. To see the password hidden behind these stars, copy the JavaScript code given above, paste it into your browser's address bar in place of the Gmail URL, and press Enter.

4. Once you have done step 3, the passwords are shown in an alert box :)

please comment…….

Remote file inclusion is one of the most common vulnerabilities found in web applications. This type of vulnerability allows an attacker to add a remote file to the web server. If the attack succeeds, the attacker gains access to the web server and can execute any command on it.

Searching the Vulnerability

A remote file inclusion vulnerability usually occurs in sites whose navigation looks similar to the one below:

www.Targetsite.com/index.php?page=Anything

To find the vulnerability, the hacker will most commonly use the following Google dork:

"inurl:index.php?page="

This shows all the pages that have "index.php?page=" in their URL. To test whether the website is vulnerable to remote file inclusion, the hacker uses the following command:

www.Victimsite.com/index.php?page=www.google.com

Let's say that the target website is http://www.cbspk.com

So the hacker's URL will become

http://www.cbspk.com/v2/index.php?page=http://www.google.com

If the Google homepage shows up after executing the command, then the website is vulnerable to this attack; if it does not come up, then you should look for a new target. In my case, after executing the above command in the address bar, the Google homepage shows up, indicating that the website is vulnerable to this attack.

Friends, if your friend stays invisible to you and says that they don't come online, then they have reason to fear now, because there is a way by which you can find out whether they are online or not. No need to ask your friend whether they came online.

There are many sites which proclaim that they can track invisible users on Yahoo. But according to my personal experience, they give wrong results many times.

Try these web sites:

http://www.imvisible.info/

http://www.viprasys.org/scan/

http://www.yahoo-status.com/

http://www.ydetector.com/

This problem comes up on many systems: when the user tries to open Task Manager or the Registry Editor, it says "Task Manager/Regedit is disabled by your administrator", even when they log in from the Administrator account.
Here is the solution for that:

1. Go to Start > Run, type 'GPEDIT.MSC' and press Enter.

2. To access the Registry Editor again:
Go to User Configuration > Administrative Templates > System
Then in the right pane, find "Prevent Access to Registry Editing Tools" and double-click on it to change it. Then select Disabled or Not Configured and press OK.

3. To access Task Manager:

Go to User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager
Then in the right pane, find "Remove Task Manager Option" and double-click on it to change it. Then select Disabled or Not Configured and press OK.

4. Now close Group Policy and restart your computer. You can now access both the Registry Editor and Task Manager on your system.

You can hack a certain site using the C99.php shell by uploading it to the web server. Unfortunately I cannot post the source code of the c99 shell here, but I will provide tips on how to find the c99 shell script. c99.php is detected as harmful to your PC by various anti-virus scanners, but basically it doesn't harm your PC anyway; it's just a hack script which is applicable only to web servers running PHP under Linux, or maybe on Windows servers (haven't tried yet), but 99% works on Linux servers.

You can find the c99 shell using Google by using a 'Google Dork': just type [allinurl: c99.php"] without the brackets and Google will provide results which link to the c99.php shell. I advise that you copy the c99.php code, save it as "c99.php" and upload it to the web host. To be able to use the c99 shell script, just access it via its URL (i.e. www.somesite.com/c99.php) or similar, and voila! You can retrieve/modify passwords, upload files, modify, etc.

But before you access the file make sure you have your proxy setup to avoid getting caught. It is unwise to access directly the exploit without protecting yourself first!
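
Seen from the server side, both the remote-file-inclusion probe (a "page=" value that is a URL) and a request for a file named c99.php show up in the web server's access log. The following log triage is an added example, not part of the original posts; the log format, the sample lines and the function names are constructed for illustration.

```javascript
// Added example (not from the original posts). Log lines are constructed samples
// in a "combined"-style access-log format; hosts and IPs are documentation values.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Jan/2011:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
  '203.0.113.9 - - [10/Jan/2011:10:00:07 +0000] "GET /index.php?page=http://files.example.net/x.txt HTTP/1.1" 200 312',
  '203.0.113.9 - - [10/Jan/2011:10:00:09 +0000] "GET /index.php?page=hTTp%3A%2F%2Ffiles.example.net%2Fx.txt HTTP/1.1" 200 312',
  '203.0.113.9 - - [10/Jan/2011:10:00:12 +0000] "GET /index.php?page=www.example.org HTTP/1.1" 200 4096',
  '198.51.100.7 - - [10/Jan/2011:10:02:44 +0000] "GET /uploads/c99.php HTTP/1.1" 200 20480',
  '198.51.100.8 - - [10/Jan/2011:10:03:00 +0000] "GET /search.php?q=c99.php+shell HTTP/1.1" 404 900',
];

const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;
// A parameter value that starts with a scheme, "//" or "www." points off-site.
const REMOTE_VALUE_RE = /^(?:[a-z][a-z0-9+.-]*:\/\/|\/\/|www\.)/i;

// Percent-decode up to three times so double-encoded values are still seen.
function safeDecode(s) {
  for (let i = 0; i < 3; i++) {
    try {
      const d = decodeURIComponent(s.replace(/\+/g, ' '));
      if (d === s) break;
      s = d;
    } catch { break; } // malformed escape: keep what we have
  }
  return s;
}

function classify(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [path, query = ''] = m[1].split(/\?(.*)/s);
  const findings = [];
  for (const pair of query.split('&').filter(Boolean)) {
    const [name, value = ''] = pair.split(/=(.*)/s).map(safeDecode);
    if (REMOTE_VALUE_RE.test(value.trim())) findings.push(`remote-include:${name}`);
  }
  // Exact file-name match only; a search term containing "c99.php" is not a hit.
  if (safeDecode(path).split('/').pop().toLowerCase() === 'c99.php') findings.push('webshell-name');
  return findings.length ? { path, status: Number(m[2]), findings } : null;
}

function triage(lines) {
  return lines.map(classify).filter(Boolean);
}
```

Any parameter with a URL-shaped value is flagged, so legitimate redirect parameters will also appear and need review; the status code in each result separates a served response from a rejected request.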

APPLY SOON!!
JOB POSTING DATE: 22.12.10
JOB TITLE: Software Developer
REQUIREMENT: The candidate should have completed the Application
Programming long term (6 months) course from Appin with a no due
payment.
STATUS: Full time
SALARY INFORMATION:  80,000 – 1,25,000
(Package is not a bar for capable candidates)
LOCATION: Tirunelveli, Tuticorin
KEY SKILLS REQUIRED: Strong programming in .Net / Java / PHP
EDUCATION: UG – B.Sc – Computers, B.Tech/B.E. – Computers,
Electronics/Telecommunication PG – M.Sc – Computers, MCA – Computers
COMPANY NAME: Mani India technologies (P) ltd
WEBSITE: http://maniindiatech.com/
EXECUTIVE NAME: Mr. Vijay
ADDRESS: Mani India technologies (P) ltd
6/1209 B, Mani Towers, 3rd St, 4th Cr
Indra Nagar
Kovilpatti
TUTICORIN, Tamilnadu, India 628503
EMAIL ADDRESS: jobs@maniindiatech.com
TELEPHONE: 04632-224733
Kindly send your updated resume only to the email id mentioned above
or directly walk-in.
SPECIAL INSTRUCTIONS:
This Job Description reflects Appin Technologies best effort to describe the essential functions and
qualifications of the job described. It is not an exhaustive statement of all the duties, responsibilities or
qualifications of the job. This document is not intended to exclude an opportunity for modifications consistent
with providing reasonable accommodation. This is not intended to be a contract.


1. LAUNCH INTERNET EXPLORER

2. CLICK ON VIEW AND THEN INTERNET OPTIONS.

3. CLICK ON ADVANCED TAB.

4. SCROLL DOWN TO THE SECURITY SECTION. YOU CAN ENABLE AND DISABLE BY CLICKING ON THE APPROPRIATE RADIO BUTTONS.

GO TO THE GOOGLE

IN GOOGLE WRITE GOOGLE MY WAY

THEN CLICK ON I M FEELING LUCKY

THEN U WILL SEE THE DESIGN PAGE OF GOOGLE

WRITE WHATEVER U WANT TO GIVE THE NAME OF GOOGLE

THEN CLICK ON MAKE IT

AND FINAL STEP CLICK ON GO ,,GOO

Information Security & Ethical Hacking
After the boom in Networking and Software jobs, the past two years have seen a sharp rise in the field of Information Security. Information Security and Ethical hacking is the latest buzzword in the industry. In the past five years, the percentage of hacking crimes, data thefts, data losses, viruses and other cyber crimes have increased exponentially.

“NASSCOM predicts requirement of 2,60,000 professionals by the year 2010. Currently the number of security professionals in India is around 22,000.”

The current demand for Information Security jobs continues to grow. With information security increasingly becoming a boardroom-level concern, training and certification are becoming increasingly important for candidates and companies alike.

Need for Information Security in the Indian Market

  • Security Compliance is a must for all companies with an IT backbone. The requirement is high with organizations in the IT / ITES segment.
  • Information workers lack basic security knowledge.
  • The Information Security industry is going through an exponential growth rate; the current worldwide growth rate is billed at 21%.
  • Higher salaries are being offered to professionals in IT security.

Need of Information Security in the World Market

  • Security Compliance is a must for all companies with an IT backbone. The requirement is high with organizations in the IT / ITES segment.
  • Information workers lack basic security knowledge.
  • The Information Security industry is going through an exponential growth rate; the current worldwide growth rate is billed at 21%.
  • Higher salaries are being offered to professionals in IT security.
  • The Information Security industry is currently over $100 billion (2006): $60 bn in the US, $20 bn in the UK, $4.5 bn in Japan, $1.5 bn in India, etc.

Careers in Information Security

  • Network Security Systems Manager
  • Network Security Systems Administrator
  • Network Security Engineer
  • Systems/Applications Security Executive
  • Web Security Administrator
  • Web Security Manager
  • Security Auditor
  • Ethical Hacker
  • Data Security Specialist
  • Chief Information Security Officer

There are really only two steps involved in protecting yourself against social engineers who try to charm, intimidate, or trick you into giving them information, or against phishers who try to steal your personal information:

Being aware of what is going on

You should be suspicious of people who ask you for your account name and password, computer name, IP address, employee ID number, or other information that could be misused. You should be especially suspicious if they attempt to charm you or intimidate you. Refer them to the IT department. If they claim to be from the IT department, check it out with your supervisor.

If they claim to be a manager or officer in your organisation and you do not recognize their name, voice, or face, explain that you are concerned about protecting the security of the network and that you need to verify their identity before you can give them sensitive information.

If you receive e-mail that claims to be from your bank, ISP, or an organisation with which you do business and that requests information about your account, do not respond via e-mail or a web page. Instead, call the organisation and ask if the e-mail request is legitimate (do not use any telephone number listed in the e-mail; look up the number separately). Most organisations do not use e-mail for such correspondence. Do not click on links contained in e-mail to visit an organisation's website. Instead, manually type in the URL for the organisation's home page and navigate from there to your account logon site.

Protecting Your Password and Logging On Securely


Hackers who know your password do not have to resort to technological exploits; they can log on and do anything that you can do on the computer or network. Keeping your password secret is one of the most important things you can do to protect against security breaches.


  • Do not use personal information for your password. Social security numbers, driver's license numbers, phone numbers, birth dates, spouse names, and pet names are all factual information that can be found out by others.
  • Do not use words that are in the dictionary, including words in foreign languages. Dictionary attacks try these words and combinations of them.
  • Do use a combination of uppercase and lowercase letters, numbers and symbols.
  • Do not substitute numbers for letters to make a word (for example, s0ph1st1cated). Hackers are aware of this trick.

Generally, longer passwords are harder to crack because a brute force attack must try more combinations before finding the correct one. Windows XP allows passwords of up to 128 characters, although the Welcome screen only displays 12 characters at the password prompt. You can switch to the classic logon screen, or just keep typing the characters after the password field appears to stop accepting them.

  • Do not use sample passwords that you see in security articles or books, even if they are exceptionally complex.
  • Do use a combination of letters, numbers, and symbols that have meaning to you so that you, but no one else, will be able to easily remember the password. For example, mfc!rB&G might mean "my favorite colours (!) are blue and green" to you, but to anyone else it looks like a random combination of characters.
  • Do select a password that you can type quickly, to minimize the chance of someone discovering it by watching over your shoulder when you type it. However, do not use common key sequences such as qwerty.
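
Several of the rules above can be checked mechanically, including the number-for-letter substitution that a plain dictionary lookup would miss. This is an added example, not part of the original post; the word list, keyboard-sequence list and published-sample list are tiny constructed stand-ins for real ones, and checkPassword is a hypothetical helper name.

```javascript
// Added example. WORDS, KEY_RUNS and PUBLISHED are small constructed stand-ins
// for a real dictionary, keyboard-walk list and list of passwords seen in print.
const WORDS = ['sophisticated', 'password', 'dragon', 'welcome'];
const KEY_RUNS = ['qwerty', 'asdfgh', 'zxcvbn', '123456'];
const PUBLISHED = ['mfc!rB&G']; // the sample printed in the tips above
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i' };

// Undo number-for-letter substitution so "s0ph1st1cated" is compared as "sophisticated".
function deLeet(pw) {
  return pw.toLowerCase().replace(/[013457@$!]/g, (c) => LEET[c]);
}

// Returns the list of rules the candidate breaks; an empty list means none of these.
// `personal` holds strings the user supplies about themselves (names, dates, numbers).
function checkPassword(pw, personal = []) {
  const problems = [];
  const lower = pw.toLowerCase();
  const plain = deLeet(pw);
  if (PUBLISHED.includes(pw)) problems.push('published-sample');
  if (personal.some((p) => p && lower.includes(p.toLowerCase()))) problems.push('personal-info');
  if (WORDS.some((w) => lower.includes(w))) problems.push('dictionary-word');
  else if (WORDS.some((w) => plain.includes(w))) problems.push('leet-dictionary-word');
  if (KEY_RUNS.some((k) => lower.includes(k))) problems.push('keyboard-sequence');
  // Uppercase, lowercase, numbers and symbols must all be present.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(pw)).length;
  if (classes < 4) problems.push('missing-character-class');
  return problems;
}
```

Passing an empty list does not make a password strong; it only means none of the listed rules was broken for the word lists supplied.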

Keeping Password Secure


After you create a strong password, you must keep it secure. Tips for keeping passwords secure include the following:

  • Never share your password with anyone else.
  • Do not write your password down. This is the reason why you need to create a password that is easy for you to remember. If you disregard this advice and do write it down, keep the written copy in a locked off-site container.
  • Do change your password on a regular basis, even if your network policies do not require you to do so. Always change your password if you suspect it might have been compromised (for example, if someone was standing over you when you typed it).
  • Do not use the same password for multiple purposes. For example, some people might use the same number combination for their ATM PIN, network logon password, e-mail password, and for all protected web sites. If this password is cracked, all of your accounts and activities will be compromised.
  • Do not save your passwords in a file on your computer that can be read by others. Do not use features that allow you to remember passwords for critical applications or sensitive web sites.