Friday, 28 September 2012

Hacking Tools

  1. Armitage : Graphical Cyber Attack Management Tool
  2. BSQL Hacker : automated SQL Injection Framework Tool
  3. BlaZer's Tool Kit - All in One Hacking Tools Pack : Free Download
  4. Collection Of Best PHP and ASP shells
  5. Collection of best SQL injection Tools
  6. Collection of best SQL injection Tools : Part 2
  7. Dark-Jumper v5.8 : SQLi, LFi RFi Scanner
  8. Free Download : Anti Hacker Toolkit
  9. Free Download : Hackers professional toolkit : collection of Hacking tools
  10. Free Download : Havij 1.15 pro Final
  11. Free Download : Pangolin Professional USB Edition
  12. Free Download : Wireless Hacking Tools 2011
  13. Hack SQLi Vulnerable Websites with sqlmap : Automatic SQL Injection Tools
  14. Hexjector : Open-source, cross-platform PHP script to automate site pentests for SQL injection vulnerabilities
  15. How to hack Websites using Havij (all Versions)
  16. Mr.Dark Soul's Wordpress Blog Hacker
  17. OpenSCAP : open-source framework
  18. PHP Dos/DDOS (Denial Of Service) Attack Script
  19. Paki Hacking Tool kit By Dr. Trojan
  20. Pangolin : Automatic SQL Injection & PenTesting Tool
  21. Pesca 0.75 local stealer Ftp+Mail+Php Uploader + Php logger
  22. Remote Administrator with ProRat v1.9
  23. SQLYog : MySQL injection Tool
  24. Safe3SI : SQLi vulnerable websites & Database Hacking Tool
  25. Web Hacking with DVNA
  26. Website Vulnerability Scanner : SQLi | LFI | XSS | Shell Upload
  27. Website Hacking With Real SQL : Automatic SQL Injection Tool

Saturday, 22 September 2012

Hack With Symlink

Hello guys, this article is for beginner web hackers. In it I am going to teach you all about the symlink.
What is a symlink?
Symlink is a method used by hackers to read files belonging to other users on a Linux server, using only a PHP shell.
Let me clarify the requirements necessary to learn the symlink technique:
Requirements are:
- one PHP shell uploaded on a Linux server (Safe Mode = OFF)
- basic PHP shell and Linux knowledge
- and last but not least, a brain!
So what are we waiting for? Let's start with the tutorial.
Where do you get a target, if all you have is a PHP shell uploaded on a Linux server that hosts some sites?
It's easy: first get the IP of the server.
Then go to bing.com and search like this:
Code: ip:xx.xxx.xxx.xxx vbulletin
Replace the x's with the IP address of the server, and replace 'vbulletin' with the name of whatever forum software or CMS you want as a target. For this example I will take vBulletin.
OK, now we have the target site; let's suppose its domain name is mytarget.com and it uses vBulletin forum software.
Now the real hacking starts!
Go to your PHP shell and, in the 'Execute command' field, run this command:
Code: ls -la /etc/valiases/mytarget.com
By executing this command, I get the name of the user (on the Linux server) that owns the website mytarget.com.
It should return a result similar to this:
Code: -rw-r--r-- 1 target mail 28 May 28 2011 /etc/valiases/mytarget.com
The owner column of that listing is the user of mytarget.com on the server.
So in our case the username is 'target'.
Many of us know that the configuration file of the vBulletin script can be found in /includes/config.php.
This is the file we need to read in our case, in order to get access to our target site.
How can we read that file?
Simple, execute this command in the shell:
Code: ln -s /home/target/public_html/includes/config.php symlink.txt
As you can see, we are exposing the content of config.php through a new file, symlink.txt. After you execute the command you will see a new file called symlink.txt. Open it, and you have successfully read the configuration file (symlinked). Now just get a MySQL connector script coded in PHP and log in with the details you got from your target's configuration file. Then, in the admin table, get the admin's hash and crack it, or better, change the admin's email to yours and do a 'forgot password' at mytarget.com. Then you will have full access to your target site!
That was all; it's very easy, all you need is to practise it many times.
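As an added, defender-side example (not part of the original post), here is a Python sweep a hosting administrator can run to find symlinks of the kind described above: links inside an account's public_html that resolve into another account's files. The directory layout built by demo() is constructed in a temporary directory and the function names are my own.

```python
#!/usr/bin/env python3
"""Sweep a web root for symlinks that resolve outside the account's home.

Added example for this page, not code from the original post.  The technique
described above leaves a symlink in one account's public_html that resolves
into another account's files; a hosting operator can find such links during a
routine sweep.  All paths used by demo() are constructed in a temp directory.
"""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(web_root, home):
    """Return (link, resolved_target) pairs for every symlink under web_root
    whose target lies outside `home`.  Dangling links count too: a link to a
    file that is unreadable today may become readable after a permissions
    change, so it is just as worth reporting."""
    home_real = Path(home).resolve()
    findings = []
    # followlinks=False: never descend into a linked directory, so a link to
    # another account's tree is reported once rather than walked.
    for dirpath, dirnames, filenames in os.walk(web_root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # realpath follows the whole chain and does not require the final
            # target to exist.
            target = Path(os.path.realpath(link))
            try:
                target.relative_to(home_real)  # raises if outside home
            except ValueError:
                findings.append((str(link), str(target)))
    return findings


def build_demo_tree(base):
    """Constructed layout: two hosting accounts, one benign in-tree link and
    one link of the kind the post describes.  Returns (web_root, home)."""
    base = Path(base)
    victim_cfg = base / "home/target/public_html/includes/config.php"
    victim_cfg.parent.mkdir(parents=True)
    victim_cfg.write_text("<?php $config['MasterServer']['password'] = 'x';\n")

    home = base / "home/attacker"
    web_root = home / "public_html"
    (web_root / "assets/css").mkdir(parents=True)
    os.symlink("assets/css", web_root / "css")          # benign relative link
    os.symlink(victim_cfg, web_root / "symlink.txt")    # cross-account link
    return str(web_root), str(home)


def demo():
    """Build the constructed tree and return what the sweep finds in it."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root, home = build_demo_tree(tmp)
        return escaping_symlinks(web_root, home)


if __name__ == "__main__":
    for link, target in demo():
        print(f"ESCAPING SYMLINK {link} -> {target}")
```

On the serving side, Apache's `Options -FollowSymLinks +SymLinksIfOwnerMatch` makes the web server refuse to follow a link whose target is owned by a different user, which is exactly the kind of link this sweep reports.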

Sunday, 16 September 2012

MySQL 1 Liner Hack Gives Root Access Without Password

The latest news to hit the streets is the occurrence of the easiest hack ever: if you have local shell access (at any user privilege level) and you can connect to MySQL, you can get root access to MySQL within a few seconds.
I tried this yesterday on one of my servers on Ubuntu 12.04 running the latest version of MySQL in the repo, and it worked in about 30 seconds. Scary really; you can use this single line of bash to hack MySQL:
Or the Python version I originally saw:
Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.
According to Rapid7 security chief HD Moore, one in every 256 brute force attempts could override authentication controls on the servers and allow any password combination to be accepted. An attacker only needed to know a legitimate username which in most circumstances included the name ‘root’.
The flaw has already been exploited. Moore reported that the flaw (CVE-2012-2122) was already patched for both MySQL and MariaDB, but many MySQL administrators had not fixed the hole in their deployments.
Upon scanning 1.7 million publicly exposed MySQL servers, he found more than half (879,046) vulnerable to the “tragically comedic” flaw.
There are a lot of vulnerable servers out there, so you'd better hope they aren't yours, because it's not hard to scan whole subnets for servers with port 3306 open that accept connections from the outside world.
And if your server is in that state, it's vulnerable. I just checked the repos for Ubuntu 10.04 LTS and Ubuntu 12.04 LTS and they both have a patched version of MySQL available for download, so I suggest you get on your servers and do -
If you are using a shitty OS that uses yum or something, figure it out yourself.

Affected versions, listed below, require memcmp() to return an arbitrary integer outside of the range -128 to 127. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 were vulnerable, Golubchik said.
Moore and other security boffins identified vulnerable versions in Ubuntu 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, OpenSUSE 12.1 64-bit MySQL 5.5.23, and Fedora. Official builds of MariaDB and MySQL were safe, along with Red Hat Enterprise Linux 4, 5 and 6 and some flavours of Debian Linux and Gentoo 64 bit.
A list of accessible MySQL servers found 356,000 deployments running versions of 5.0.x, followed by 285,000 running 5.1.x, and 134,436 running 5.5.x. Another list of MySQL build flavours revealed 43,900 running Ubuntu, 6408 on Debian, and 98,665 on Windows.
Honestly, I find that this is a really serious vulnerability, but it has a pretty low risk profile. It will only work in cases of badly configured MySQL users that accept connections from any IP address, i.e. user@% type entries in the user table.
NO ONE should be running root@%, so that would mean the attacker would need local shell access. And if they have that, it's pretty much game over anyway.
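To show the bug class behind CVE-2012-2122 rather than the attack itself, here is an added Python model (not MySQL's code and not from the original post) of how a wide memcmp() result squeezed through a char-sized my_bool turns roughly one wrong password in 256 into a "match". wide_memcmp() is a constructed stand-in for an optimised memcmp, not glibc's implementation.

```python
#!/usr/bin/env python3
"""Model of the CVE-2012-2122 authentication bypass described above.

Added example for this page, not code from MySQL or from the original post.
check_scramble() in the affected builds handed memcmp()'s int result back
through a char-sized my_bool; when the platform's memcmp returns values
outside -128..127, every result that is a multiple of 256 is truncated to 0
and reads as "match".  wide_memcmp() below is a constructed stand-in for such
a memcmp, not glibc's code; the bit-width trick is the part that matters.
"""
import hmac
import random

SHA1_LEN = 20  # size of the scramble hashes being compared


def wide_memcmp(a, b):
    """Constructed model of an optimised memcmp: returns the difference of
    the first 32-bit words that differ instead of a normalised -1/0/1."""
    assert len(a) == len(b)
    for i in range(0, len(a), 4):
        wa, wb = a[i:i + 4], b[i:i + 4]
        if wa != wb:
            return int.from_bytes(wa, "big") - int.from_bytes(wb, "big")
    return 0


def to_char(value):
    """Truncate an int to a signed 8-bit char, as storing it in my_bool does."""
    return ((value & 0xFF) ^ 0x80) - 0x80


def check_scramble_buggy(stored, supplied):
    # The vulnerable pattern: a wide int result squeezed through a char before
    # the zero test.  Any difference that is a multiple of 256 passes.
    return to_char(wide_memcmp(stored, supplied)) == 0


def check_scramble_fixed(stored, supplied):
    # Compare in full width and in constant time; only a true match passes.
    return hmac.compare_digest(stored, supplied)


def false_accept_count(trials, seed=1):
    """Try `trials` random wrong scrambles against one stored hash and return
    (buggy_accepts, fixed_accepts).  With the model above roughly 1 in 256
    wrong attempts slips through the buggy check; none through the fixed one."""
    rng = random.Random(seed)
    stored = bytes(rng.getrandbits(8) for _ in range(SHA1_LEN))
    buggy = fixed = 0
    for _ in range(trials):
        guess = bytes(rng.getrandbits(8) for _ in range(SHA1_LEN))
        if guess == stored:
            continue  # astronomically unlikely, but keep the count honest
        buggy += check_scramble_buggy(stored, guess)
        fixed += check_scramble_fixed(stored, guess)
    return buggy, fixed


if __name__ == "__main__":
    b, f = false_accept_count(50_000)
    print(f"buggy check accepted {b} wrong passwords, fixed check accepted {f}")
```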

Windows XML Core Services Exploit Attacked In The Wild – CVE-2012-1889

Oh look, another serious flaw in Windows, and this one is really bad because it can be exploited directly in Internet Explorer.
And even worse than that, this vulnerability is actually being exploited in the wild by cybercriminals, which shows it's no longer a theoretical attack. Plus, of course, the fact that it's actually unpatched, so even if you've applied all the available Windows updates it's still exploitable.
An unpatched Windows vulnerability considered a critical threat by security experts is being exploited by cybercriminals.
Microsoft disclosed the flaw in XML Core Services (MSXML) 3.0, 4.0 and 6.0 June 12 during its monthly release of patches. The security advisory, which was separate from the patch release, offered a workaround for vulnerability CVE-2012-1889, but no fix. The vulnerability is easily exploited through Internet Explorer.
Security vendor Sophos reported Tuesday that it discovered over the weekend a web page crafted to take advantage of the flaw. The page was on the site of an unidentified European medical company, which did not know its website had been hijacked, Sophos said.
Cybercriminals often hide malware on legitimate websites for so-called drive-by installs. To lure people to the compromised site, hackers typically use specially crafted email to entice recipients to click on a link to the infected page.
Marcus Carey, a security researcher at Rapid7, said his company was sure cybercriminals everywhere were exploiting the widely known vulnerability. “That vulnerability is definitely being exploited in the wild,” he said Wednesday. Unpatched software flaws that are disclosed publicly become priority No. 1 for cyber-criminals, who know that companies and people are slow to install patches, and even slower to apply workarounds.
This is a serious issue, and even when it gets patched it'll still be a serious issue, as people and companies tend to be slow in applying patches, and quite often people turn off Windows Update entirely because they find it annoying and because the updates quite often cause more problems than they solve (black screen of death etc.).
Plus the fact that it's easily exploitable in the browser; this is not a complex multi-layered attack or something that needs network exposure to work.
A lot of anti-virus software vendors have issued updates that detect this exploit and will help mitigate against the threat until a proper patch is issued by Microsoft.
The latest vulnerability is particularly serious because it can be easily exploited. “The only thing you have to do is visit a website that’s been compromised, and you’re going to compromise your system,” Carey said. “Anyone running Internet Explorer should be terrified unless they apply the [Microsoft] fix-it.”
MSXML is a set of services used in building Windows-native XML-based applications. The latest flaw affects all releases of Windows and Office 2003 and 2007. A successful attacker could use the vulnerability to gain full user rights to a PC, Microsoft said.
Until a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. “Although security software can protect against this vulnerability, let’s hope that Microsoft can release a proper patch sooner rather than later,” Paul Baccas, senior threat researcher at Sophos, said in the company’s blog.
Google reported the vulnerability to Microsoft on May 30 and worked with the software maker.
The vulnerability identifier for this is CVE-2012-1889, if you want to keep tabs on what's going on with it.

Tuesday, 11 September 2012

How to Hack a Password on Windows 7 with Software

Believe it or not, no matter whether you've forgotten the password for a Windows XP, Vista or even Windows 7 system, there are easy ways to get it back. The problem is how? You may think of "hack". Well, indeed, this article will show you how to hack a Windows 7 password when you have forgotten or lost it. However, the ways to crack a lost Windows 7 computer password that I will show you are all legal; they are not the illegal "hack" you may be thinking of. If you doubt it or don't believe it, just read the passage and you will be persuaded.

Hack a password for Windows 7 with a professional third-party password recovery utility.
We all know that if you forget your computer password, Microsoft won't offer you a related service to solve the problem. Well, this gives promising marketing chances to many software providers, who provide professional third-party password recovery applications. I cannot promise that all of the third-party password recovery applications are good ones; however, if I had to choose, I would trust Windows Password Recovery Professional. No bugs, no potential safety hazard, clean, easy to use, instant password recovery, etc.: those are all good traits of the utility. Interested in it? Then let's have a careful look at it!

Guide on how to crack a Windows 7 password with Windows Password Recovery Professional.
Step 1: Download Windows Password Recovery Professional from the SmartKey website.
Step 2: Install and launch it on any accessible computer.
Step 3: Use a blank, writable CD/DVD/USB to burn a Windows 7 password reset disk with the tool.
Step 4: Boot the locked computer from the CD/DVD/USB.
Step 5: Start removing the Windows 7 password with the burned disk.
Step 6: Reboot the computer and log in to the locked PC without a password.

No matter how complicated or how long your Windows 7 password is, this application, Windows Password Recovery Professional, will hack it within one minute! Only one minute later, you can regain access to your PC without limitation!

Change a Windows 7 password with freeware: Ophcrack.
Ophcrack is an open-source, free program that bypasses Windows passwords by cracking LM hashes with rainbow tables. The Ophcrack Windows password reset is by far the fastest free Windows 7 password hacker tool available.

Compared with professional Windows password recovery software, Ophcrack, as freeware, of course has some limitations. In the test on my Windows 7 PC, Ophcrack could recover at most a 10-character password for my administrator account. So, for the sake of safety, I do recommend that you use a professional Windows password recovery tool.

Monday, 10 September 2012

Web Scarab 2: Proxy

In this tutorial I'll tell you about some basics of the HTTP proxy in WebScarab. An HTTP proxy is very useful when you have to do a vulnerability assessment of a web application: it allows you to record the whole request data packet and response data packet, and after that you can analyze the incoming and outgoing data that passed through the HTTP proxy.
In this tutorial we focus on WebScarab, although there are numerous tools on the market (e.g. Paros, Burp etc.). First of all you have to start WebScarab. By default the listening port is 8008, but you can change it; the other settings you have to make are shown below:
Webscarab Proxy Settings
We'll also need to configure our browser so that our communication is routed through the proxy. In recent versions of Firefox the path should be Tools >> Options >> Advanced Tab >> Network Tab >> Settings. Once there you'll need to select "Manual proxy configuration", then for "HTTP Proxy" type in "localhost" and for port use 8008. You'll also need to do this for the SSL proxy if the web application uses SSL, as shown in the figure:
Firefox Proxy Settings
This tutorial is going to show how WebScarab can walk through the web application provided by Foundstone. The following figure shows the login page for this application.

I have already created an account within the application with the username "hacker" and a password of "passwd". So with WebScarab already running in the background I am going to log in to Facebook. If you are on the Summary tab within WebScarab you will notice requests and responses filling up rows in the bottom pane. WebScarab is logging all communication between you and the web server; this includes all images, CSS files, JavaScript files, parameters, etc. The top pane of the Summary tab shows you a directory structure of your history through the web application. This Summary tab can be seen in the figure.

Webscarab Summary Tab
Now, a summary of your history is neat, but that only scratches the surface of WebScarab's functionality. One of the best functions of an HTTP proxy is the ability to intercept requests on the fly or replay those requests at a later time. In order to intercept requests / responses make sure you have checked the "Intercept requests" / "Intercept responses" checkboxes in the Proxy >> Manual Edit tab. These settings can be seen in the figure.

Webscarab Intercept Settings
You may be wondering why you would want to intercept or repeat an HTTP request / response. The simple answer is to learn more about what a website is doing with your input (e.g. SSN, credit card, personal information). Application security folks, developers, or curious people may want to understand more about the web application they're using. Intercepting a request / response will allow you to see and manipulate communication being sent back and forth. Application security analysts like to replay requests over and over again with different inputs to see what the application will accept as input. This gives security analysts an idea of how secure the application is. Had we intercepted the login process you would have seen the inputs for username and password being sent to the web server. A screenshot of this can be seen in the figure.
Interception of Login Process
You can see in the figure that WebScarab has intercepted both the username "hacker" and the password "passwd". An HTTP proxy is able to see the password even though each character was replaced by an asterisk within the application. At this point you could accept the request or manipulate the parameters. You could try to log in as someone else at this point, even though you initially typed in a different username and password. With an HTTP proxy you could manipulate any request / response, not just the login process.

WebScarab 3: Session ID Analysis

In this tutorial we focus on session ID analysis. If you are not familiar with session IDs, I'll do a quick explanation. HTTP is a stateless protocol, so it's equivalent to walkie-talkies or CB radios: you send a request and wait for a reply; you don't have a constantly open communication line as you would with a phone. So in order to emulate this open communication, web applications over HTTP use session IDs, commonly carried in cookies. These cookies are simply agreements between you and the web application that you are who you claim to be. Once you have exchanged your cookie with the website you can then talk back and forth as long as the cookie is tied to your communication. So there's the quick and dirty intro to session IDs. The next logical question is how does this session ID process work, or even better, how should it work? Let's use a web mail application as an example:
  1. You log in to your web mail account.
  2. Your web mail provider sends you a "random" cookie that is tied to your login session.
  3. Each time you click on a new message within your Inbox your cookie is sent along to validate who you claim to be; that way you'll get your next message and not another person's message.
These are the basic steps. The main thing to remember is that your login credentials are tied to the session ID / cookie. So the key to keeping your conversations private is protecting the session ID and making it hard to guess. Session IDs are similar to passwords in that regard: you always want to keep them secret and make them hard to guess. When WebScarab analyzes the session ID it only focuses on whether the session ID is easy or hard to guess (i.e. its randomness). So enough with the chit-chat, let's see how WebScarab analyzes session IDs.
Once again we're going to be analyzing the login web application. The login page for this application can be seen in the figure.
Login page
So with WebScarab already running in the background I'll go ahead and log in and click on a few links. Navigating inside the application will generate requests and responses that we can later analyze. Now, the login process should generate a session ID, but there could be other session IDs generated within the application that you may want to analyze as well. You could always keep an eye on the Summary tab to see if you are capturing cookies. There are other ways to maintain state within a web application, but cookies are the most common. When looking at the Summary tab for the login process you can see that cookies are being set. This can be seen in the first conversation in the bottom row of the figure.
Login process of login page
So the conversation with the path /account/login is setting a cookie, and the top pane has a check mark indicating that the login URL is setting a cookie as well. This is definitely a good target because we know the function of this session ID is to maintain my balance and gambling stats. Some session IDs can be tough to figure out, and sometimes it seems like developers set cookies for no reason. So now let's walk through the steps to analyze the session ID associated with /account/login.
  1. Log out of the current session. I can't stress this enough: the first time I was using this feature I bumbled around for a couple of hours trying to figure out why it wasn't analyzing the sessions. Further down in this article I'll show you a screenshot of what it looks like when you try to analyze the session you are currently logged into.
  2. Navigate to the Session ID Analysis tab >> Collection tab within WebScarab. There you will see a drop-down list labeled "Previous Requests", where you can pick a conversation from your history of transactions within the web application to analyze. We already know that we want to analyze the /account/login conversation because we saw that it was setting cookies. If you were unsure which conversation used session IDs you could click on the "Test" button to verify whether session information existed. The figure shows a screenshot of me choosing the /account/login conversation for analysis.
Choosing conversation in Collection tab
  3. After you have chosen your conversation for analysis, click on the "Fetch" button to start collecting session IDs from the web server. The default number of session IDs collected is set at 100, but you can choose more if you like. My background is math and science, so I'm of the opinion that you can never have too many data points. Play with this number if you like; in my experience more samples will do a better job of producing trends and pointing out weaknesses in random number generation. The law of diminishing returns will eventually kick in, though. After you have clicked the "Fetch" button you will need to move over to the "Analysis" tab. When you first click on the "Analysis" tab it may seem like nothing is happening; this is because you need to select your session ID from the "Session Identifier" drop-down list. This drop-down list can be seen in the figure.
Choosing session in Analysis tab
Once you have selected the session that you are analyzing, the table should begin to populate with the number of samples that you chose in the Collection tab. WebScarab takes the session IDs found within the web application and converts them into numbers so that they can be easily parsed. These numbers are then compared to one another for predictability. The figure below shows what happens when you try to analyze the current session: you'll get zeros for both the numeric value and the difference. This is because the session ID / cookie stays the same.
Analyzing current session
  4. The fourth and final step is the neatest part of the session ID analysis functionality within WebScarab, the Visualization tab. This tab creates a graph using the numbers from the Analysis tab. This gives you a quick visual representation of how weak or strong the session IDs are. The graphical analysis of the Hacme Casino session IDs can be seen below in the figure.
Cookies over time for login page
It appears that the session IDs created for the login page are random, or at the very least not easy to guess. Your average malicious user is going to see that the session IDs are going to be difficult to guess, so they'll move on and try another vector to get inside the web application. A malicious user will be looking for easy access, so they will be looking for session IDs that are very easy to guess. The figure shows an application that implements session IDs that are very easy to guess.
Weak cookies over time
This graph was not generated using Foundstone's login, but had a malicious user seen this type of graph it would be very easy for them to guess a session ID and essentially hijack that person's account. From the casino example you can see how dangerous weak session IDs can be. Session IDs are the "key" to someone's account information. This is possible due to the stateless nature of HTTP, so a malicious user could hijack your account without ever knowing your username or password.
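As an added example (not WebScarab's code and not the author's), the script below does offline what the Analysis and Visualization tabs do interactively: pull a named cookie from a run of Set-Cookie headers, convert the values to numbers, and look at the successive differences. The cookie samples and the weak/strong threshold are constructed for the demo.

```python
#!/usr/bin/env python3
"""Session ID predictability check in the spirit of WebScarab's Analysis tab.

Added example for this page, not WebScarab's code.  It pulls a named cookie
out of a series of Set-Cookie headers, converts each value to a number, and
looks at the differences between successive samples, which is the view the
Analysis and Visualization tabs give you.  The cookie samples are constructed
here so the script runs offline; the 'weak'/'strong' threshold is a heuristic
chosen for the demo, not a WebScarab setting.
"""
import random


def extract_cookie(set_cookie_header, name):
    """Return the value of `name` from a Set-Cookie header, or None."""
    first = set_cookie_header.split(";", 1)[0].strip()
    key, _, value = first.partition("=")
    return value if key.strip() == name else None


def to_number(value):
    """Interpret a session ID as an integer: hex if it parses as hex, else the
    bytes of the string.  WebScarab does a similar conversion before charting."""
    try:
        return int(value, 16)
    except ValueError:
        return int.from_bytes(value.encode(), "big")


def analyse(headers, name):
    """Return the numeric values, successive differences, and a rating:
    'constant' (same cookie every time, e.g. you are still logged in),
    'weak' (differences span far fewer bits than the ID itself), or 'strong'."""
    values = [to_number(v) for v in
              (extract_cookie(h, name) for h in headers) if v is not None]
    if not values:
        return {"values": [], "differences": [], "rating": "no samples"}
    diffs = [b - a for a, b in zip(values, values[1:])]
    id_bits = max(v.bit_length() for v in values)
    spread = max(diffs) - min(diffs) if diffs else 0
    if not any(diffs):
        rating = "constant"
    elif spread.bit_length() < id_bits / 2:   # heuristic threshold (constructed)
        rating = "weak"
    else:
        rating = "strong"
    return {"values": values, "differences": diffs, "rating": rating}


def sample_headers(kind, n=100):
    """Constructed Set-Cookie samples: 'weak' is a counter-based 64-bit ID,
    'strong' is 128 random bits, 'same' repeats one ID (the logged-in case)."""
    rng = random.Random(2012)
    base = 0x4F5D_2A10_0000_0100
    out = []
    for i in range(n):
        if kind == "weak":
            sid = f"{base + 7 * i:016x}"
        elif kind == "strong":
            sid = f"{rng.getrandbits(128):032x}"
        else:
            sid = f"{base:016x}"
        out.append(f"sessionid={sid}; Path=/; HttpOnly")
    return out


if __name__ == "__main__":
    for kind in ("weak", "strong", "same"):
        r = analyse(sample_headers(kind), "sessionid")
        print(f"{kind:7s} -> {r['rating']:8s} first diffs {r['differences'][:3]}")
```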