• Content count

  • Joined

  • Last visited

  • Days Won


coded32 last won the day on June 11 2010

coded32 had the most liked content!

Community Reputation

-1 Noobie

About coded32

  • Rank
    I broke 10 posts and all I got was this lousy title!
  • Birthday 05/26/1992

Profile Information

  • Gender
  • Interests
    Artical and TUT Writing, SE and WEP Cracking......Programming Pyth0n and Java Drive-By !
  • Country
  • Location
    Silic0n N3Rv3RS sect0r #eeff0000x ffee000ee

Contact Methods

  • Website URL
  • Yahoo
  1. I am Just Trying to collect all The Resources I can and Finish up with a Good collected Working Tutorial so all can Learn, Other all the Philes are Scattered, and YES There are more that 8 Alias by which I go ! and Certainly many of the philes have been Written by Me !
  2. please do Review the Thread !
  3. The Thread is UPDATED again.........! Enjoy.......
  4. MIT Huh ?.....You took computer science ? "M.I.T. engineers in the 1950s and 1960s first popularized the term and concept of hacking. Starting at the model train club and later in the mainframe computer rooms, the so-called "hacks" perpetrated by these hackers were intended to be harmless technical experiments and fun learning activities. " But hey, its your tutorial. Ill just sit here with some popcorn. Cant wait for the origins of carding, phreaking and the demoscene links sections Offcourse Yeah....I will keep Updating the THREAd and keep Suggesting like you DID ..I appreciate it a Lot. Thanks to Help all the n00b's out...I will Add the other Sections soon !
  5. Hello Friends out There....! I am coded32 (A White Hat). I write E-Zine Articles and I have been Informed about this Forum from I used to MOD 3 Sites( Which Sadly has been Closed by Now :(x)
  6. I'm very happy, can you tell me the anthropological significance of lolcats in the community? Damn, This means you are JUST not a Information Lover !
  7. you know it's not Heaven so expect Hell !

  8. Ok first of all Many of US are Same Like you.....WE are JUST Forced to Struggle.....I mean sometimes life needs a Little Sugar added to it and although it's added and if you are addicted to salt "You will want salt" not Sugar in general.....The sane goes Happy and be Free to all all aspects and JUSt one more thing ....KEEP Going........! Hackers Unite !
  9. Oh man I told you guys to suggest me new Good suggestions and you Guys are goin to some other TOPIC ! Stop those Shits as "When did Facebook start ?" and get to some good Constructive topic like suggesting me to make this thred more Informative for the n00b's ......
  10. Can you specify what "things illegal" were being done in the name of hacking in the time-frame "just before there was Unix" please? Before Unix there were people who Used "Phreaking" because AT&T Company Existed as a Phone Exchange and a Dial-Up Provider. Peoples are of Every color. They are From a great "Hacker" to a Great "Explorer". Belive me or Not "Anarchists" are everywhere, So were they Back then !
  11. A Guide to Total n00b's in Hacking and Phreaking.... Okay. For a lot of people, they think hacking is a one-thing to learn kinda thing. Well it's not. Hacking, as it's mainly portrayed today, is a skill that involves learning one or two, if not, very many languages communicated between both PC and the internet. Hacking can involve anything from understanding your command-line shell to understanding how Assembly works and using it amongst your C++ software but first, before doing anything else, I'd like to share with you all what "hacking" once was so you understand. Way back, just before there was Unix, people wanted an operating system that was more open to modifications and less proprietary so that they could change anything about their operating systems and the software it worked with to work, exactly or more or less, how they wanted it to. Back in this day, "hackers" were people who would do things illegal but for themselves and their communities. Not to piss off big-time corporations and stealing their software like how today's hackers are portrayed. They were simply programmers and developers all working together. And in this sense, I also include the use of the word hacker back in the day as people getting round their codes to do something they wanted. Do you see where I'm going with this yet? Maybe not so I'll carry on... So the developers had not yet figured out a way of making their software work how they wanted it to, this often led to them "hacking" it so that it did work how they wanted to. By now you should know where I'm going with this. Now today's hackers are commonly portrayed as those who are also wanting to "hack" proprietary software source code to do exactly how they want them to but also, gain access in to servers and other private/proprietary developments and projects made by others which also includes websites, databases, banks, MSN accounts and just about anything else that is not free or legal to get in to. This is also why we say hackers are programmers. See where I went? Well anyway, that's the basics of the real history of hackers but seeming how hackers now use their name with crackers interchangeably we may as well stick to it. The traditional meaning is not coming back nor will it ever. This list is also dedicated to those of you who thinks hacking MSN accounts, etc, is really what it's cracked-up-to-be. Meaning, to show you that it's not what it seems. It's not like you can download software which can grab your friend's account just by talking to them on MSN or anything like that. It's done via phishing, sniffing or something similar. So, I have made this list and will regularly update it with new tutorials and such that will teach you about hacking, this side of the hacker definition. This list will contain anything and everything that you will find useful but only to topics that have been posted on the forum. Thing is, they must be educational in a way that involves codes a little more than using closed-source software to do this and that like SQLi Helper and iStealer. This way, this thread is more educational to those who are taking hacking more seriously and not just wanting simple hacks. You will find simple hacks elsewhere. What is a hacker? A hacker is someone who likes to tinker with electronics or computer systems. Hackers like to explore and learn how computer systems work, finding ways to make them do what they do better, or do things they weren’t intended to do. There are two types of hackers: White Hat – These are considered the good guys. White hat hackers don’t use their skills for illegal purposes. They usually become Computer Security experts and help protect people from the Black Hats. Black Hat – These are considered the bad guys. Black hat hackers usually use their skills maliciously for personal gain. They are the people that hack banks, steal credit cards, and deface websites. These two terms came from the old western movies where the good guys wore white hats and the bad guys wore black hats. Now if you’re thinking, “Oh boy! Being a black hat sounds awesome!”, Then I have a question for you. Does it sound cool to live in a cell the size of your bathroom and be someone’s butt buddy for many years? That’s what I thought. Hacker Hierarchy Script kiddies – These are the wannabe hackers. They are looked down upon in the hacker community because they are the people that make hackers look bad. Script kiddies usually have no hacking skills and use the tools developed by other hackers without any knowledge of what’s happening behind the scenes. Intermediate hackers – These people usually know about computers, networks, and have enough programming knowledge to understand relatively what a script might do, but like the script kiddies they use pre-developed well-known exploits (- a piece of code that takes advantage of a bug or vulnerability in a piece of software that allows you to take control of a computer system) to carry out attacks Elite Hackers – These are the skilled hackers. They are the ones that write the many hacker tools and exploits out there. They can break into systems and hide their tracks or make it look like someone else did it. You should strive to eventually reach this level. Do I Really Need Programming ? You might be asking yourself, do I even need to learn a programming language? The answer to that is both yes and no. It all depends on what your goals are. Nowadays, with all the point and click programs out there, you can be a fairly good ethical hacker without knowing any programming. You can do some effective hacking if you understand all of the security tools very well. Even if you understand what’s going on in the background of these programs, most people will still classify you as a script kiddie. Personally I think you should learn some programming. Even if it’s the very basics, it’ll give you a much better understanding of what’s going on. Also, once you learn how to program well, you’ll be able to develop your own exploits, which is great in many ways: 1. You’ll be considered an elite hacker. 2. Imagine a black hat discovers a vulnerability and codes an exploit for it that no one else knows about. The black hat would be able to take down thousands of machines before anyone discovers and patches the vulnerability. 3. You will feel so much more satisfied having created your own program or exploit. I promise you this. So my advice is, don’t settle for being a point and click hacker. Take some time to understand even just the basics of programming and an entire new world of hacking will open up to you. Ok Now Let us Come to the Topic Here are The Basics : 1.) What is a IP or an IP Address ? An Internet Protocol (IP) address is a numerical identification and logical address that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes. Although IP addresses are stored as binary numbers, they are usually displayed in human-readable notations, such as (for IPv4), and 2001:db8:0:1234:0:567:1:1 (for IPv6). The role of the IP address has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there." 2.) Phishing pages Here's a vivid description of a Phish page and how to construct a phish page This phile is by coded32, Please Share it but d8on't mod8ifly it 6without permission. --------------------------------------------------------------- Phishing - The Art of fooling End Users & Anti-Phishing (2-way Authentication System) By coded32 ( --------------------------------------------------------------- ------------------ Table Of Contents ------------------ => Introduction => Phishing Techniques from Attacker's Point of View 1) Simple Phishing (User won't be logged in) 2) Simple Phishing (User will be logged in ) 3) Advanced Phishing 4) Implementing Ajax key-logger on phishing page 5) Phishing with DNS Poisoning 6) XSS aided Phishing => Defence from users point of view 1) Verify the url 2) Verify the SSL Certificate 3) Inbult phishing protection in web browsers 4) Internet Security Programs 5) Using Password managers 6) verifying the IP address of the host => Securing login page from programmers point of view 1) XSS issues 2) Don't use pop-ups 3) Don’t be framed 4) Enforce local referrers 5) Keep the address bar, use SSL 6) Fraudulent domain name => 2 way authentication system 1) Introduction 2) Features 3) Technology Used 4) Working 5) Security 6) Future => Video Demonstration => Summary => References Introduction -------------- Phishing is misrepresentation where the attacker uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites. Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers – many of whom send millions of scam e-mails a day. Phishing Techniques from Attacker's Point of View -------------------------------------------------- 1) Simple Phishing (User won't be logged in) ----------------------------------------- In this phishing attack, attacker will be creating a fake login page similar to the original login page on his server/domain. Once the phishing page is ready Attacker will convince victim to login using that fake login page and when victim will submit username/password in that fake login page that information will be sent to attacker and victim will be redirected to the original sites login page. Now again victim will have to enter username/password to login in that site and this can make victim suspicious, and victim may identify that there was a trap. 2) Simple Phishing (User will be logged in ) ----------------------------------------- In simple phishing attack, attacker will be creating a fake login page similar to the original login page on his server/domain. Once the phishing page is ready Attacker will convince victim to login using that fake login page and when victim will submit username/password in that fake login page that information will be sent to attacker and victim will be logged into original site. This is done by the attacker to make the attack more stealth and attackers use javascript on their phishing pages which makes the user login into the original site without asking the victim to re-enter the username and password. Now this kind of attack is really stealth , as victim is not asked to enter the details again so this easily convinces the victim that details entered by the victim were on original site But what if victim enters wrong information by mistake on phishing page ? 3) Advanced Phishing ------------------ In Advanced phishing attack, attacker will be creating a fake login page similar to the original login page on his server/domain. Once the phishing page is ready Attacker will convince victim to login using that fake login page and when victim will submit username/password in that fake login page , that information will further be verified by the server side scripting if the username/password are accurate or wrong and in case details entered by victim are wrong then victim will be again redirected to phishing page and if the details entered by the victim are correct then that information will be sent to attacker and victim will be logged into original site. Now even if the victim had entered the wrong information on the phishing page . Victim will be again directed on the phishing page and will be asked to enter the correct information which further convinces the victim that the login page is original. Now what if victim has typed username/password on the phishing page but before submitting victim realizes that it's a trap then all the information entered by the victim will be lost. 4) Implementing Ajax keylogger on phishing page -------------------------------------------- In this Attack, Attacker uses Ajax keylogger on the phishing page. As we have discussed in the scenario above, to overcome that problem Attackers use AJAX keylogger on their phishing page which saves the keys on the server as user types them and even if the victim don't submit them but just type them still that information is trapped by the attacker and can be further misused. 5) DNS Poisioning aided Phishing ----------------------------- In this attack, attacker posions the dns of the victim and whenever victim makes a request to the dns victim is given IP address of the Attacker's server where phishing page is hosted, So even if the victim has entered the right Domain name but still victim lands up on the phishing page and the attacker is able to steal the information of the victim. Now in this kind of attack Attacker doesn't even gives a chance to the victim to be suspicious. 6) XSS aided Phishing ------------------ In this attack, attacker finds a vulnerable link in the original website like<script>window"";</script> now this link seems to belong to however when the victim will click on this link , victim will land on the phishing page made by the attacker. So, these are the few ways which can be used by attackers to attack on end-users and making them victim of phishing. Defence from users point of view -------------------------------- 1) Verify the URL -------------- Before entering any information on the page, make sure that URL on the top of the browser is correct even if you find the look and feel of the page is quite similar to the real login page but make sure to verify that the URL on the top of the browser belongs to the right domain name. Some times it can be tricky like there can be a phishing page of on another domain like or something similar. So, you should closely observer the URL on the top of page. 2) Verify the SSL Certificate -------------------------- Make sure to verify the SSL Certificate over the domain is there and do belongs to the right Certifying Authority. For example login page of orkut have a ssl certificate of thawte. You can also check the "Lock" icon There is a de facto standard among web browsers to display a "lock" icon somewhere in the window of the browser (NOT in the web page display area!) For example, Microsoft Internet Explorer displays the lock icon in the lower-right of the browser window and As another example, Mozilla's FireFox Web Browser displays the lock icon in the lower-left corner. 3) Inbult phishing protection in web browsers ------------------------------------------ Many web browser and added plug-ins today provide you with the security feature which identifies the phishing link and warns you when you visit those links. This security feature is only functional on those links which have been reported by some other user. For example, in case of Mozilla Firefox, Firefox 3 or later contains built-in Phishing and Malware Protection to help keep you safe online. These features will warn you when a page you visit has been reported as a Web Forgery of a legitimate site (sometimes called “phishing” pages) or as an Attack Site designed to harm your computer (otherwise known as malware). 4) Internet Security Programs -------------------------- Many anti-viruses today have phishing protection and works in the similar way as explained above. For example, in case of Norton, Norton Internet Security 2010 Blocks phishing websites and authenticates trusted sites 5) Password managers can be used. ------------------------------ You can further use various password managers that are available as password manager will only work on the real websites and not on the phishing websites. For example, in case of passpet, Passpet have Convenient Password Management and Phishing Protection 6) Verifying the IP address of the host ------------------------------------ In case you you are suspicious about a page but the URL seems to be correct then you should verify the IP address of that domain , you may be a victim of DNS poisoning. These were the few security measures , by which you can protect yourself from becoming a victim of phishing. Securing login page from programmers point of view -------------------------------------------------- 1) Fix all your XSS vulnerabilities -------------------------------- If you are having a login authentication on your website then make sure your website is not vulnerable to XSS attacks as Attacker can use XSS Vulnerability in your website to exploit users of your website. (Can steal cookie , can redirect your users to legitimate phishing page) 2) Do not use pop-ups ------------------ Attackers most commonly use the technique of pop-ups to setup hoaxes of phishing like they whenever they redirect victim to phishing page they pop-up a message saying something "Session Expired, Log in" and they make it similar to the original website which further convinces victim to fill in the information. So, you should remove pop-ups from your website and can inform your end-users that you don't use any pop-ups and in case they come across any pop-up in your website they should report it to Website Administrator. 3) Don’t be framed --------------- Frames are a popular method of hiding attack content due to their uniform browser support and easy coding style, Make sure that your website can't be framed like attacker can include your web-page in a iframe and can ask easily trick victims to steal their information. You can further use frame-busters to protect your website from being framed. 4) Enforce local referrers ------------------------ Local referrers should be enforced so that attacker has to host images and other content on attacker's server This technique is commonly known as anti-leeching . If Attacker will be using images from their own server then there are few chances that they can create some differences which can help end-users to identify hoaxes. 5) Keep the address bar, use SSL ----------------------------- Do not lock the address bar as many websites lock the address bar so that users can not tamper data in the URL however this creates a problem for users as they are not able to bookmark login page by which they can further become the victim of phishing. Make sure to use SSL if you are having some sensitive informations of users in your database. As this can protect your website users from sniffing and can protect your users from phishing as they can easily identify phishing page by verifying that certificate in Address bar. 6) Fraudulent Domain Name ---------------------- If you feel like that attackers are there who might be making hoaxes for your websites end users then make sure to take control of fraudulent domain names. Let's say you have a domain name which deals in sensitive data and have many users across the globe then there are good number of chances that attacker will book domain name like to attack users and to steal their username and passwords. 2 way authentication system --------------------------- Introduction ------------ 2 way authentication means that before end-user enters the login information on the login page that particular login page authenticates to the end-user that it's not fake. So, let's take a scenario in which user have to enter Username and Password , So how can user identify whether he/she is accessing th right page or not. So over here we can introduce third term that is PassPhrase that is whenever user will enter the username in the login page, passphrase will be displayed to the user which is already known to the user (Most probably entered by the user at the time of registration) . Features ------- 2 way authentication should be securely developed as it will be targeted by the attackers to bypass 2 way authentication one way or other. So the passphrase chosen in 2 way authentication should be from the users side and users should be intimated that only when they see the correct passphrase then only they should enter their password. Technology Used --------------- This kind of authentication system can be built by using Ajax and any server side language and database that is compatible with AJAX. However I have used PHP/MYSQL/Javascript. Working ------- When new user will register then we can ask the user for passphrase and will be storing that in our database along with the username and password (or say encrypted password) . Now whenever the user will login and will type username on the login page then on the backend JavaScript will request the server to provide the corresponding passphrase, if there is no passphrase corresponding username then instead we will display some random text so that automated scripts can be failed to identify the correct username And once user will get the correct passphrase on the login page then user can type in the correct passphrase to login and can further authenticate to the website. We have to make sure that only the authenticated requests can see the passphrase and automated tools should not be able to gather the passphrase. Security -------- In this way we can develop a secure login pages in which users themselves can identify if they are on phishing page or on the original page. Of-course it is not 100% secure but can be treated as more secure as compared to traditional login pages and can highly reduce the cases of phishing if implemented in a secure way on widely used websites. Future ------ 2-way authentication can be made more secure by adding up more security features. We will be looking forward to make it more secure and will be working on it as open source 2-way authentication system. Video Demonstration ------------------- I have tried to demonstrate some of the attacks and 2-way authentication system in this video. You can access this video at youtube in the following link Summary -------- In this paper we have discussed various techniques by which attacker use phishing to attack end users. Further we have explored various way by which users can defend themselves from becoming the prey of phishing attack. Then we discusses how programmers can make their login pages secure to prevent phishing and in the end we discussed about 2 way authentication , It's working, features and future. References ---------- 3.)The Difference Between a DoS and a DDoS Attack DoS: a DoS Attack is a Denial of Service attack- it involves using one computer / Internet connection to flood a server with packets (TCP / UDP) - The Objective of this attack is to 'overload' the servers bandwidth / other resources, This will cause a Denial of Service to anyone else that tries to use the server for whatever reason (HTTP [Website]).etc - hence the name Denial of Service Attack. DDoS: Yes, There IS a difference- a DDoS Attack (or Distributed Denial of Service Attack) is pretty much the same as a DoS- but the difference in results is massive; as its name suggests the DDoS attack is executed using a distributed computing method often referred to as a 'botnet army', the creation process of which involves infecting computers with a form of malware that gives the botnet owner access to the computer somewhat- this cold be anything from simply using the computers connection to flood to total control of the computer - these attacks affect the victims computer -> server more than a regular DoS- because multiple connections are being used against ONE connection, Think of it like a fight, if there is a 1-on-1 fight; the chance of the good guy winning is far higher than if he was being beaten up by severalthousand tough-guys.Tongue Here is Digital Example Explained By Image okay for n0w This THREAD is in Construction...I will Update it Soon but Please do come UP with New Suggestions.... The categories are listed below; they may not contain much now but, it will get bigger sooner or later.