Category Archives: (N) Hacking TUTS

Web Pentest Lab Setup using bWAPP in Windows 10

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Some of the vulnerabilities included in bWAPP:

  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards, and cookie poisoning
  • Cookie poisoning and insecure cryptographic storage
  • Server Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)

Download WAMP server here. Select save or run. Click open. After that follow the next steps.

Next you will see the Select Destination Location screen. Click Next to continue.

Next you will see the Ready to install screen. Click Install to continue.

Once the files are extracted, you will be asked to select your default browser. Select your default browser’s .exe file, then click Open to continue.

Once the progress bar is completely green, the PHP Mail Parameters screen will appear. Leave the SMTP server as localhost, and change the email address to one of your choosing. Click Next to continue.

Download the latest version of the software from here.

Extract the bWAPP lab setup to the location "C:\wamp\WWW\bWAPP", as shown below.

Edit the file ‘admin/settings.php’ with your own database connection settings. Leave the db_password and db_name options blank.

Browse to the file ‘install.php’ in the directory ‘bWAPP’:

http://localhost/bWAPP/install.php

Click on ‘here’ (Click ‘here’ to install bWAPP). The database ‘bWAPP’ will be created.

Edit the file ‘admin/settings.php’ again and set db_name (see the screenshot below).

Go to the login page. If you browse the bWAPP root folder you will be redirected. http://localhost/bWAPP/

 Login with the default credentials or make a new user.

Default credentials:

User name: bee

Password: bug

How To Enable The Disabled Right Click On Any Website

Bypass Right Click Block
Some websites protect their content from being copied by disabling the right-click button. Once that is done, users cannot copy content from the protected pages. So let’s see how to re-enable right click on websites that block copying.
There are 3 ways of disabling the block:
  • Disabling Javascript
  • Adding an extension called “Allow Copy” In Google Chrome
  • Proxy Sites

 

How JavaScript Works?

The browser fetches a page which might have embedded JavaScript as we saw above, or refers to a separate JavaScript file, in which case that file is also fetched by the browser. Next up, depending upon what you want your JavaScript code to do and how you structured it, it will either execute as soon as the file loads or wait for a triggering event (like a click, or load). Finally, when it’s all good, the code is executed line by line. JavaScript is an interpreted language, which means you don’t need to compile the code into another form to execute it. All of the changes you make take effect instantly.
How to Disable the JavaScript?
Here is a step-by-step procedure to disable JavaScript on different browsers:

For Internet Explorer:

If you are using IE, just follow the steps below:
  1. From the menu bar, go to Tools -> Internet Options.
  2. In the “Internet Options” window, switch to Security tab and click on the button Custom level…
  3. From the Security Settings, look for the option Active scripting and select the Disable radio button as shown above and click on “OK”.
  4. You may even select the Prompt radio button, so that each time a page is loaded, you will have the option to either enable or disable the scripting.

For Google Chrome:

If you are using Chrome, you can disable the JavaScript by following the steps below:
  1. Click on the Chrome “menu” button (on the top right corner) and select Tools.
  2. From the “Settings” page, click on Show advanced settings.
  3. Now under Privacy, click on the button Content settings.
  4. Under the JavaScript, select the radio button which says “Do not allow any site to run JavaScript” and click on “Done”.

For Mozilla Firefox:

Steps to disable JavaScript on Firefox:
  1. From the menu bar, click on Tools -> Options.
  2. From the Options window, switch to Content tab, uncheck the option which says “Enable JavaScript” and click on “OK”.
Let’s see the second method.
 
Using Allow Copy Extension In Chrome:
 
Follow the below steps:
 
  • Go to settings in your Chrome browser and click on “Extensions”.
  • Now search for the “Allow Copy” extension.
  • Add it to the Chrome browser.
  • Now go to the website where you want to copy the content and click on the icon which was added to the top right corner.
Voila! Your right click is enabled.
Using Proxy Sites:
There are many proxy sites which let you disable JS while browsing. All you need to do is use a proxy site that offers this feature, and you can quickly use right click on sites where it is disabled.
If you have any doubts, please feel free to comment below.

Hide File In Image

How can we hide a file in an image?

1. Gather the file you wish to bind, and the image file, and place them in a folder. I will be using C:\New Folder

-The image will hereby be referred to in all examples as xyz.jpg
-The file will hereby be referred to in all examples as New Text Document.txt

2. Add the file/files you will be injecting into the image into a WinRar .rar or .zip. From here on this will be referred to as (secret.rar)

3. Open command prompt by going to Start > Run > cmd

4. In Command Prompt, navigate to the folder where your two files are by typing
cd location [ex: cd C:\New Folder]

5. Type [copy /b xyz.jpg + secret.rar xyz.jpg] (remove the brackets)

Congrats, as far as anyone viewing is concerned, this file looks like a JPEG, acts like a JPEG, and is a JPEG, yet it now contains your file.

In order to view/extract your file, there are two options that you can take

a) Change the file extension from xyz.jpg to xyz.rar, then open and your file is there
b) Leave the file extension as is, right click, open with WinRar and your file is there
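From the defender's side, a file built this way can be spotted because bytes remain after the JPEG end-of-image marker. The following is an added example, not part of the original post: it walks the JPEG segments to find the real end of the image and reports any archive signature after it. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Leading magic bytes of the two container types the post mentions.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip"}
# Bytes that may follow 0xFF inside entropy-coded data without ending it:
# stuffed zero, fill byte, and restart markers RST0..RST7.
IN_SCAN = {0x00, 0xFF, *range(0xD0, 0xD8)}


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI.

    Walking segments (instead of searching for FF D9) skips over EOI bytes
    that legitimately occur inside metadata such as an embedded thumbnail.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: end of the image
            return pos + 2
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in IN_SCAN
            ):
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def find_appended_data(data: bytes):
    """Return None for a clean JPEG, else details about the trailing bytes."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    if not trailer:
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        idx = trailer.find(magic)
        if idx != -1:
            return {"jpeg_end": end, "extra": len(trailer),
                    "archive": kind, "archive_offset": end + idx}
    return {"jpeg_end": end, "extra": len(trailer),
            "archive": None, "archive_offset": None}


# Constructed sample: a minimal JPEG-shaped byte string (not a viewable image)
# whose APP0 segment contains decoy FF D9 bytes, then a constructed RAR header.
CLEAN = (b"\xff\xd8"
         + b"\xff\xe0" + struct.pack(">H", 9) + b"JFIF\x00\xff\xd9"
         + b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
         + b"\x12\xff\x00\x34"
         + b"\xff\xd9")
BOUND = CLEAN + b"Rar!\x1a\x07\x00" + b"constructed-payload"

if __name__ == "__main__":
    print(find_appended_data(CLEAN))
    print(find_appended_data(BOUND))
```

Some cameras and editors append their own data after the end marker, so trailing bytes without an archive signature call for a closer look rather than an automatic verdict.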

EnJoy HacKinG…

How To Identify Fake Facebook Accounts

How can you detect a fake FB profile? These days we get so many friend requests, especially from girls, but there is no obvious way to tell whether an account is fake or original. So don’t worry, we are going to show you a simple method to detect a fake Facebook account.

So this is a Facebook account in the name of Sarikha Agarwal. Now we need to verify whether this account is real or fake, so our first step is to go to images.google.com and click on the camera icon.

When you click on search by image, you will get a popup like the image below.

Now go to that profile, right click on the image and click on copy image URL.

Now the profile pic URL has been copied. Go back to the images.google.com tab and paste the image URL.

When you press Enter, you get the related image search results.
Now you can better see whether this profile is real or fake. So here is proof that this profile is fake. Enjoy the trick.

Be careful when you are about to add a beautiful or smart unknown person as your friend. Check first; a lot of fake profiles are created every day.
This person might spy on your profile and steal personal information like your photos for their hacking purposes. So be safe online.

How To Trace Your Facebook Profile Visitors

Here is how to find out who recently visited your profile.
Follow the steps below to get to know your recent FB visitors.

Step 1) Go to your Facebook Profile Page.

Step 2) Now press Ctrl + U on your keyboard to see the source code of your profile page.

Step 3) Now press Ctrl + F on your keyboard to open the search box.

Step 4) Now search for this code: {“list”:

Step 5) You will find some Facebook Profile IDs like the ones shown below.

Step 6) These are the Facebook Profile IDs of your friends who visited recently.

Step 7) The first IDs are the ones that visit the most often.

Step 8) Now if you want to find out who they are, open a new tab and enter the link below:
www.facebook.com/Facebook Profile Id

For Example : www.facebook.com/100011552407944

Enjoy The Trick.. 🙂

How To Hack Whatsapp Working Trick 2018

How To Hack Whatsapp – Today we have a new WhatsApp hacking trick by which you can hack anyone’s WhatsApp easily using the Android app given below. This trick helps you have fun with your friends, but please keep in mind that it is for educational purposes only, not to harm or irritate someone. So I hope you all want a trick by which you can hack anyone’s WhatsApp. Today we provide an app which sends an SMS to your victim, and then your victim is unable to use WhatsApp. I hope it really gives you great knowledge.

What it actually does to hack WhatsApp – Sometimes you send a personal message to your friend, and then for some reason your friendship breaks down. Now you fear that your friend will show everyone the personal messages you sent during your friendship. This trick helps you force your friend to delete your full conversation; until then he or she will be unable to use WhatsApp. Use this trick in a genuine way only, not to put someone in trouble. This trick is to increase your knowledge and it is an example only; you can use this WhatsApp trick in many ways, but in a good manner. I hope you are ready to know how to hack WhatsApp.

How To Hack Whatsapp Working Trick Steps :

1. First, download Whatsapp Boomber.
2. Now install it and open it on your Android device.
3. Now select Power Bomb. Select 16x if you want to fully destroy your friend’s WhatsApp.
4. After selecting, you will enter your WhatsApp. Select the contact you need to hack.
5. Paste the message and send it to your friend. Boom!! Now he or she will be unable to use WhatsApp properly until he or she deletes your full conversation.

What is ShellShock ?

ShellShock is a security vulnerability in Bash which affects many versions of Unix-like operating systems such as Linux, and allows attackers to gain control over a system illegitimately.
ShellShock Vulnerability
In Unix, a shell is a command processor through which commands are executed in the operating system. Bash is one such command processor. It is mainly used in text windows, but many applications can also use it to execute required commands.
Environment Variables are variables whose values are used to affect the way the running processes will behave in the computer. For example, an application process may prefer to store temporary files in a folder. For that purpose, the running process will check the value of the Environment Variable called TEMP and store the files there.
Using ShellShock vulnerability, an attacker can attach malicious code to some Environment Variable in Bash and run it to gain control over the system.
Consequences
Web servers often use Bash to execute commands. So, attackers can exploit this vulnerability to execute malicious commands on a web server. The results may be as serious as exposing sensitive files like password files to the attackers, or downloading malicious files to the web server.
Other devices, like Linux-based routers that use CGI for their web interfaces, are also vulnerable to this attack. Attackers can exploit the ShellShock vulnerability and use CGI to execute malicious commands on those devices.
IoT (Internet of Things) devices may also be vulnerable to this attack if they are using Bash.
OpenSSH servers are also vulnerable to this attack. Attackers can gain unrestricted shell access to the server by exploiting ShellShock.
Other than that, computers running Mac OS X, DHCP clients, Qmail servers and the IBM HMC restricted shell are also vulnerable to this attack.
Prevention
There are a number of reports of exploitation of this vulnerability by the attackers. But, the good news is that a number of Operating Systems vendors who are affected by this vulnerability have already issued patches. Website owners and business owners should apply those latest security patches to their Operating Systems to avoid ShellShock Attack.
Users are also advised to apply recent security patches to their web-enabled devices like routers, IoT devices and embedded devices to prevent this attack.
So, beware of various security vulnerabilities, so that you can protect yourself in a better way. And, stay safe, stay secured.
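For the CGI case described above, request headers reach Bash as environment variables, and a ShellShock attempt shows up as a header value that begins with a Bash function definition, `() {`. The following added example (not part of the original post) scans access log lines in the Apache/Nginx combined format for that pattern; the log lines, addresses and function name are constructed for illustration.

```python
import re

# A Bash function definition at the very start of a value is the ShellShock
# trigger; whitespace between the tokens is matched loosely on purpose.
TRIGGER = re.compile(r"\s*\(\)\s*\{")
# Fallback for lines that do not parse: the trigger right after a quote.
RAW_TRIGGER = re.compile(r'"\s*\(\)\s*\{')

# Apache/Nginx "combined" access log format; quoted fields may hold \" escapes.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Only header-derived fields that the combined format records are checked.
HEADER_FIELDS = ("referer", "agent")


def find_shellshock_probes(lines):
    """Return (line number, client IP, field) for every suspicious value."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Do not silently skip malformed lines; check them loosely.
            if RAW_TRIGGER.search(line):
                hits.append((lineno, None, "raw"))
            continue
        for field in HEADER_FIELDS:
            if TRIGGER.match(m.group(field)):
                hits.append((lineno, m.group("ip"), field))
    return hits


# Constructed sample log lines (documentation IP ranges, harmless commands).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 64 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 0 "(){ :;}; echo probe" "curl/7.30"',
    # Benign JavaScript in a URL: contains "(){" but does not start with it.
    '203.0.113.5 - - [25/Sep/2014:10:02:00 +0000] "GET /js/app.js HTTP/1.1" '
    '200 90 "http://example.test/?cb=function(){}" "Mozilla/5.0"',
    # Malformed line that the combined-format parser rejects.
    'garbage "() { :; }; echo probe"',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a value carried in another header (a cookie, for example) will not appear in these logs, and a hit means an attempt was made, not that it succeeded.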

What is a TCP Sequence Prediction Attack ?

TCP is a connection-oriented protocol. When two hosts communicate with each other using TCP, they first establish a connection between them, and then the transfer of data packets begins. A data packet is sent by the sender, the receiver receives it and sends an acknowledgement. The sender gets the acknowledgement and transfers the next data packet.
When data packets are transferred over the TCP connection, each packet contains a sequence number. This sequence number helps in keeping track of the data packets received and acknowledged.
Sometimes, attackers exploit this concept of TCP sequence numbers to perpetrate attacks for malicious purposes. These attacks are called TCP Sequence Prediction Attacks.

Purpose of TCP Sequence Prediction Attack
Suppose two hosts A and B are communicating with each other using a TCP connection. An attacker can perpetrate this attack to inject a counterfeit data packet to host A, impersonating host B. Host A will think the data packets are coming from the trusted host B, though they are actually coming from the attacker. The attacker can even close the connection to host A prematurely or do other mischief while hiding his own identity.
Why Sequence Number Prediction of TCP Packets
Suppose host A and host B are communicating with each other using a TCP connection, and an attacker is listening to their communication. If the attacker wants to send a counterfeit data packet to host A impersonating host B, he cannot simply send it to host A using host B’s identity, because each data packet has a sequence number which is checked in every packet transfer. So, the attacker has to predict that sequence number and include it in the counterfeit data packet as well. Hence the sequence number prediction.
How TCP Sequence Prediction Attacks Are Performed
The attacker typically follows these steps to perpetrate the TCP Sequence Prediction Attack.
  • Suppose host A and host B are communicating with each other using a TCP connection. The attacker is listening to the conversation and wants to send counterfeit packets to host A, impersonating host B.
  • The attacker tracks the sequence number of each data packet. He predicts the sequence number that the counterfeit data packet should have and makes the packet.
  • The attacker starts sending those packets to host A, spoofing the IP address of the victim host B.
  • At this point, host B may send the actual packet to host A. That would confuse host A, as it will receive both packets.
  • So, to avoid that, the attacker performs a DoS attack on host B at the same time. As a result, host B cannot send the intended data packets to host A, and the attacker can easily impersonate host B.
  • Now, the attacker can introduce counterfeit data packets to host A impersonating host B, close the TCP connection prematurely or do other mischief.
How to prevent TCP Sequence Prediction Attack
There are a few prevention mechanisms that can be used.
  • Instead of a predictable sequence number, a random sequence number can be used to track the data packets. That makes it difficult for the attacker to predict the sequence number and perpetrate the attack.
  • Instead of a sequence number, other information like time-stamps, timing differences or information from lower protocol layers can be used in the data packets. This can prove much more difficult for attackers to guess.
  • We can configure the router or firewall not to allow packets from external sources that carry an internal source IP address. Though this may not completely stop the attacks, it can prevent them to a great extent.
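The first prevention point, replacing predictable sequence numbers with unpredictable ones, is standardised for initial sequence numbers in RFC 6528 as ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is a 4-microsecond timer. The following added example (not from the original post) contrasts a fixed-step generator with that scheme; the step value, addresses and secret are constructed, and HMAC-SHA256 is used here for F in place of the MD5 the RFC suggests.

```python
import hashlib
import hmac
import socket
import struct

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_fixed_step(prev_isn: int, step: int = 64000) -> int:
    """Predictable scheme: each new connection adds a constant.
    The step value is illustrative only."""
    return (prev_isn + step) % MOD


def isn_rfc6528(secret: bytes, local_ip: str, local_port: int,
                remote_ip: str, remote_port: int, clock_us: int) -> int:
    """ISN = M + F(connection 4-tuple, secret), reduced modulo 2^32."""
    m = (clock_us // 4) % MOD                      # M: ticks once per 4 us
    conn_id = (socket.inet_aton(local_ip) + struct.pack(">H", local_port)
               + socket.inet_aton(remote_ip) + struct.pack(">H", remote_port))
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    f = int.from_bytes(digest[:4], "big")          # F: keyed per-connection offset
    return (m + f) % MOD


def linearly_predictable(isns) -> bool:
    """True if the last value is what extrapolating the previous two gives."""
    a, b, c = isns[-3:]
    return c == (2 * b - a) % MOD


def sample_runs():
    """ISNs seen by a peer that opens three connections in a row."""
    legacy = [1000]
    for _ in range(2):
        legacy.append(isn_fixed_step(legacy[-1]))
    secret = b"constructed-demo-secret"  # a real stack uses a random secret
    keyed = [
        isn_rfc6528(secret, "192.0.2.1", 80, "198.51.100.9", 40000 + i, 4000 * i)
        for i in range(3)                # new source port for each connection
    ]
    return legacy, keyed


if __name__ == "__main__":
    legacy, keyed = sample_runs()
    print("fixed step:", legacy, "predictable:", linearly_predictable(legacy))
    print("RFC 6528  :", keyed, "predictable:", linearly_predictable(keyed))
```

With the keyed scheme, the ISNs a host hands out on one connection say nothing about the ISN it will choose for a different 4-tuple, while the timer term keeps numbers increasing for a reused 4-tuple.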

Thanks For Reading If You Like It Then Comment It

Turn on Windows “God Mode” on the Desktop

Windows 8 has countless settings you can hack, tweak, and customize. Many of them are accessible via the Control Panel and other scattered locations throughout Windows. It can be time-consuming to find them all, and the likelihood is that you’ll never remember where they all live. That means that many tweaks and hacks are far away, and some you’ll never even find.
There’s a simple solution: Use what some people call “God Mode.” Despite its name, it’s not really a separate mode. Instead, it’s a hidden folder that gives you fast access to all those settings. All you have to do is bring it out of hiding and place it on the Desktop.
To do it, right-click the Desktop and select New→Folder (Figure 3-10). Rename the folder GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}.

Creating a new folder on the desktop
The folder icon changes, and it has the name GodMode


The God Mode folder on the Desktop
Note: The “God.Mode” text isn’t what turns the folder into a special folder; it’s the {ED7BA470-8E54-465E-825C-99712043E01C}. You can use any text you want before the curly brackets. So if you wanted the folder to be called Fred.Folder, you could do that as well by renaming it like this: Fred.Folder{ED7BA470-8E54-465E-825C-99712043E01C}. It would show up as FredFolder on the Desktop, but still have the same features.
Double-click the icon, and you’ll come to a folder that has many dozens of tweaks, settings, and hacks. They’re organized by category, and you can expand or shrink each category by clicking the small triangle next to each. Each category displays a number next to it, showing how many settings there are.


Hacking the Hack
In the God Mode folder, you can create shortcuts to any of the items in the Quick Launch folder, in the Start Menu folder, and in the Power User Menu folder. That way they’re always within easy reach.

 

Speed Up Boot Time

Hack Your BIOS for Faster Startups
When you turn on your PC, it goes through a set of startup procedures in its BIOS before it gets around to starting Windows.

So, if you speed up those initial startup procedures, you’ll make your system start faster.
You can speed up your startup procedures by changing the BIOS with the built-in setup utility.

How you run this utility varies from PC to PC, but you typically get to it by pressing either the Delete, F1, F2, or F10 key during startup. You’ll come to a menu with a variety of choices.

Here are the choices to make for faster system startups:

Quick Power On Self Test (POST): When you choose this option, your system runs an abbreviated POST rather than the normal, lengthy one.

Change Your Boot Order: If you change the boot order so that your BIOS checks the hard disk first for booting, it won’t check any other devices, and will speed up your startup time.

Boot Up Floppy Seek: Disable this option. When it’s enabled, your system spends a few extra seconds looking for your floppy drive, a relatively pointless procedure, especially considering how infrequently you use your floppy drive.

Boot Delay: Some systems let you delay booting after you turn on your PC so that your hard drive gets a chance to start spinning before bootup. Most likely, you don’t need to have this boot delay, so turn it off. If you run into problems, however, you can turn it back on.