New Post

Rss

Injection Attacks Tutorial - OWASP #1 Vulnerabilty - Part 1

Injection Attacks Tutorial - OWASP #1 Vulnerabilty - Part 1

Injection attacks are most popular attacks among the hackers and also tops OWASP Top 10 Vulnerability list every year. Injection is an entire class of attacks that rely on injecting data into a web application in order to facilitate the execution or interpretation of malicious data in an unexpected manner.

Injection attacks are popular because of its 4 basic things:
1. Easy to exploit
2. Hard to secure(i.e. compromise on dynamic query usage).
3. Coder's negligence ( i.e. deciding character set, stored procedures usage issues, handling escape sequences etc.).
4. Unawareness of Secure Coding Practices among developers.

Injection Attacks
Injection Attacks


So its not wrong to say :
" Security does not suffer because of Hackers, it actually suffers due to lack of secure coding awareness among Coders".

In this article, i will share different types of most common Injection attacks that are quite a bit common among Hackers and their basic introduction. In future, i will share in detail about these Injection techniques and how to prevent these attacks.


What is Injection?

Injection as the word implies, is injecting something extra into the code. Injection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a web application or website.  Injection Attacks are dangerous because they are a open windows to hackers to enter in your system through your Web interface and perform whatever they like i.e. delete tables, modify databases, exposing your users information, or even get hold of your corporate network.

When does an Injection Attack Occurs? Where it usually occurs? and Its Impact.
Injection attacks occurs when an application sends untrusted data ( i.e. data which is not intended to behave as it should or simply we can say data which system is not expecting) to interpreter or compiler. Injection flaws are usually found in SQL, LDAP, Xpath, OS commands(i.e. shell command Injection), XML parsers, SMTP Headers, program arguments, etc. Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover. If your web application uses any of these, then there are chances of SQL Injection.

Different Type of Injection Attacks:

1. SQL Injection ( Blind SQL Injection and SQL Injection)
2. Code Injection (or Remote file Inclusion)
3. Log Injection
4. Directory Traversal (or Path Traversal)
5. XML or xPath Injection
6. SOAP Injection
7. Command Injection
8. LDAP Injection
9. SSI Injection (Server Side Inclusion)
10. Buffer Overflow
11. String Format Attack

We will discuss all above topics in detail in later articles. So keep connected and enjoy learning.
LoopsNetwork - Earn Real Money and Expand Your Social Network

LoopsNetwork - Earn Real Money and Expand Your Social Network

Hello Friends, We have good news for all Hackingloops users that we have at last launched our so waiting LoopsNetwork Project. LoopsNetwork is an Network where you can expand your network with the help of other so like minded people and even Earn Good Money for becoming Part of other members Network. In this article i will try to demonstrate about What is LoopsNetwork? How you can use it to grow your Social Network? How to earn Good Money using LoopsNetwork for free?

LoopsNetwork - Network to Grow your Network and Earn Money
LoopsNetwork - Network to Grow your Network and Earn Money


Join LoopsNetwork now to earn money by clinking below and Expand your Network:

Loops Network | Exchange Network to Earn, Share


Want a Facebook like for a like, Twitter follower for a follower, Youtube view or subscriber for a subscriber, Google + or Circle for a Circle or Want Money for liking anyone's others of your choice? If yes, then LoopsNetwork is made just for you. Are you lacking Facebook followers, or want more Facebook likes, twitter followers or want more twitter followers, Youtube video views or want more Youtube views or simply want to get free Facebook fans, followers, likes, twitter followers, tweets share, StumbleUpon shares, Youtube subscribers, You tube followers or Most Important, want to show your website to other people via TRAFFIC EXCHANGE, then also LoopsNetwork is for you only.



What is LoopsNetwork?


LoopsNetwork is an perfect exchange system which allows you to grow your Network online, become a part of others network, pick and choose who you want to follow, like, view and skip those who you are not interested in and most important earn money for following other people, liking their Facebook, Google, Twitter, Youtube Pages. LoopsNetwork System is very simple to understand. Every time you like, follow, or view another members social media pages you will receive coins which then you can use to get more followers, likes, views or visitors to your website or social media pages.


How to use LoopsNetwork to get Free Facebook Likes, Twitter Followers, Google + shares, Youtube views, likes and Followers and Earn Good Money for referring People or by doing any of tasks mentioned?
  1. LoopsNetwork is an network to grow your Online Network by exchanging Facebook likes, fan pages followers, twitter followers, Youtube likes, views and traffic exchange etc.
  2. Everytime you like someones Facebook Page, follow him on twitter, View Youtube Videos or visit traffic exchange, you will earn coins varying from 5-10 coins per like or follow based on your Membership(free or VIP).
  3. Now you can use the coins earned by above method for publicity of your own Website, Video, Fan page, traffic exchange or You can convert these coins into Real Money(600 Coins = 1 USD).
  4. You can buy coins from Buy Coins sections, if you are out of coins and want to spread word about your website.
  5. You will also Earn 0.05$ and 25 coins per referral and 10 % of his/her earnings. More referrals you have more you will earn.
  6. Minimum Withdrawal limit is 2$, which you can withdraw anytime after 3 days of registration.

How to Earn Money using Loops Network?


There are multiple ways to earn money on LoopsNetwork :
a. By referring your friends to LoopsNetwork. For Each referral you earned 10 coins you will get 0.05$ + 25 coins + 10% of his/her earnings.
Also there is Referral Contest running on LoopsNetwork. Top 15 referrals will get the cash Prize, along with one random winner. Top 5 referrers will get 50$ cash reward and rest 10 will get 20$ each. Also random winner will get 100$ award.
b. By earning coins which you will get when you do any of the task:
1. Liking someone's Facebook Page or becoming Fan or follower of someone on Facebook.
2. For following someone on Twitter or by sharing peoples link on your twitter Page.
3. For sharing on Google+ or adding someone to your circle.
4. For Stumbling someone's sumbleupon link on portal.
5. For Traffic Sharing i.e. Viewing Pages of others people.
6. For becoming Youtube subscriber or liking youtube video etc.

You can convert coins anytime on website (600 coins = 1 $). 

c. Completing Surverys or tasks : We will be adding this feature in next few days.


How to Expand your Network using LoopsNetwork?

LoopsNetwork is based chain sharing system, you share someone's , someone shares yours. You like someone's, someone likes yours. That's it. For doing any of these task you will get coins and which you can use to publicize your website or webpage or get more likes or simply convert them to real cash etc.


Why are you waiting guys. Go Ahead and Join LoopsNetwork Today. 




DNSRECON Tool Tutorial Hackingloops | KYB Tutorial 4

DNSRECON Tool Tutorial Hackingloops | KYB Tutorial 4

Welcome friends to KYB (Know your Backtrack) Tutorial 4, today i am going to teach you another interesting DNS Information gathering tool i.e. DNSRECON. DNSRECON like other DNS tools used to enumerate the standard records of a domain like A, NS, SOA, MX etc. So friends lets learn all about DNSRECON Tool on Backtrack 5.


DNSRECON Tool Tutorial Hackingloops | KYB Tutorial 4
Dnsrecon KYB Tutorial 4 : Information gathering tool on Backtrack Linux


Below is the list of things that we can do using DNSRECON Tool:



  • Top level domain expansion ( Zone Walking and Zone Transfer)
  • Reverse Lookup against IP range
  • Perform general DNS query for NS,SOA and MX records (Standard Record Enumeration)
  • Cache snooping against Name Servers
  • Google Scanning for Sub Domains and Host
We can access DNSRECON TOOL over Backtrack by navigating below path:

Backtrack -> Information Gathering -> Network Analysis -> DNS Analysis -> dnsrecon

Lets learn each of above things in detail and how to use DNSRECON tool to achieve the same:

1. Top level domain Expansion:
First of all we all should understand what are top level domains. A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet. For ex: In www.mywebsite.com , .com is  a top level domain. Usually expansion occurs for those websites which uses country codes as their top level domains ex: .in, .uk, .au etc. As the name suggests Top level domain Expansion means to expand your domain from one region to other which is also known as Zone Transfer and in case zones are not correctly configured we can extract almost all internal records of a domain which is also known as Zone Walking. So we can use DNS Recon for multiple purposes i.e. Zone Walking and Zone Transfer. Lets understand both of them in detail i.e. How we will use DNSRECON to exploit both of these features:

a. Zone Transfer : The security problem with DNS zone transfer is that it can be used to decipher the topology of a company’s network. Specifically when a user is trying to perform a zone transfer it sends a DNS query to list all DNS information like name servers,host names,MX and CNAME records, zone serial number, Time to Live records etc. Due to the amount of information that can be obtained DNS zone transfer cannot be easily found in nowadays. However DNSRecon provides the ability to perform Zone Transfers and we can use following commands to perform Zone transfer:

./dnsrecon.py -d <mywebsite.com> -a

or you can use below command :

./dnsrecon.py -d <mywebsite.com> -t axfr

2. Reverse Lookup against IP range:
DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges.To run reverse lookup enumeration the command:


./dnsrecon.py -r <startIP>-<endIP>


For Example :
./dnsrecon.py -r 192.168.5.100-192.168.5.200


Also reverse lookup can be performed against all ranges in SPF records with the command :


./dnsrecon.py -d <domain> -s

3. Domain Brute Force Enumeration:
For performing Domain Brute force technique, we have to give a name list and it will try to resolve the A,AAA and CNAME records against the domain by trying each entry one by one.
In order to perform domain brute force attack user needs to type below command:


./dnsrecon.py -d <domain> -D <namelist> -t brt

For example:
./dnsrecon.py -d hackingloops.com -D namelist.txt -t brt

4. Cache Snooping against name servers:
DNS cache snooping happens when the DNS server has a specific DNS record cached.This DNS record will often reveal plenty of information about the name servers and other DNS information.However DNS cache snooping does not happen quite often because servers normally do not cache DNS records.
The command that can be used to perform cache snooping is as follows:


./dnsrecon.py -t snoop -n server -D <dictionary file>

For example :
./dnsrecon.py -t snoop -n <server IP address> -D dictionary.txt


5. Standard Records Enumeration:
Standard Enumeration is generally used to gather information about NameServers,SOA and MX records. In order to perform standard enumeration you can use below command:


./dnsrecon.py -d <domain>

For example:
./dnsrecon.py -d hackingloops.com

There are lot of other options that DNSRECON tool provides. It is an extremely useful tool to gather plenty of information about DNS records.

Thats all for today. If you have any doubts feel free to ask. Don't forget to join us at Facebook in order to recent updates.
Facebook Smart Status Update Tool by Hackingloops - Ruchify

Facebook Smart Status Update Tool by Hackingloops - Ruchify

Hello Friends, welcome back. Today i am sharing another tool made by Hackingloops to enhance your Facebook experience. This smart text generation tool will allow you to create smart Text to update your status on almost all Social networking website like Facebook, Google+ etc. Well you can use this smart text generator to impress your friends that you can write smart text in a Go. 


Facebook Smart Status Update Tool by Hackingloops - Ruchify
Facebook Smart Text Tool - Ruchify



There are lot many smart text generator tools in market but most of them just allow you to generate one type of text. In this tool, you will not only able to generate the smart text. So friends why you all are waiting, lets give it  a try.



Give it a try to RUCHIFY :-




Enter text you want to Ruchify:








Ruchified Text:


That's all Just copy paste the text into your Facebook chats or status messages and become stylish. So why waiting so much. Enjoy the stylish text and Ruchify your Facebook status.
INTERNET PROTEST GROUPS Will Fight Back FEBRUARY 11TH 2014

INTERNET PROTEST GROUPS Will Fight Back FEBRUARY 11TH 2014


INTERNET PROTEST GROUPS, news websites and user webpages are clubbing together to fight mass surveillance next week on 11 February.
The protestors are uniting under the "Day We Fight Back" banner, and include the American Civil Liberties Union (ACLU), Demand Progress, Mozilla, Reddit, environmental activist group Greenpeace and websites like Boingboing and Technology news website.
The groups are uniting to protest after seven odd months of US National Security Agency (NSA) revelations on the anniversary of persecuted internet activist Aaron Schwartz's passing. The campaign launched in January and now, in the final preparation stages, the protestors are asking more people to participate.
"Today the greatest threat to a free internet, and broader free society, is the National Security Agency's mass spying regime," said David Segal, executive director of Demand Progress. "If Aaron were alive he'd be on the front lines, fighting back against these practices that undermine our ability to engage with each other as genuinely free human beings."
Not participating is Wikileaks, a website that has some common ground with the protestors. However, according to a blog post on the Fight Back website, discussions with Wikipedia have failed to meet on that common ground, and it appears that the organisation will not be participating.

The Day We Fight Back group has posted an open letter to Wikipedia trying to change its mind.
"We believe Wikipedia should take part because the project and its crucial mission are threatened by the mass surveillance we now face, and because Wikipedia's participation can have a meaningful impact," it said.
"Wikipedia provides access to material that might be considered subversive, that challenges authority structures, that cuts against what one can learn from government propaganda or mainstream media sources. It is precisely the people who engage in the editing and reading of this sort of material who are the most likely to be chilled - and the most likely to be noticed by the surveillance regime. In other words, the people that Wikipedia most needs to reach are the ones whose freedom is being most threatened."
On the day of action the websites and their users will put out messages and questions about the NSA and surveillance. Internet users are asked to take part by using supportive avatars and sharing memes and tools and passion. 
Posted by:
Vicky singh Rao
How to share remote screens and control PC without any software in Windows

How to share remote screens and control PC without any software in Windows

Remote sharing is nowadays on its peak, people use remote sharing to provide live support or for sharing screens. Most of us always use third party software's for sharing or controlling remote systems using software's like Teamviewer or Radmin etc.  Today i am going to teach you guys how to connect any two or as many as windows PC through remote without using any third party tool like team viewer etc. So lets learn how to share screens without any third party tool.

Windows Remote assistance without any external software
Windows Remote assistance without any external software


As we all knows Windows OS is  full of hidden programs that are only limited to developer or geeks. Today we are going to learn about MSRA (windows remote assistance) executable. MSRA is windows inbuilt remote assistance program using which you can control remote pc's, share remote screens, provide remote support and much more. Lets learn how to use MSRA for remote sharing.

Steps to Share or Control Remote PC using MSRA:


1. First of all click on startup and type command "MSRA" and press enter as shown below:



Type msra in search option
Type msra in search option


2. Now you will see screen like below having title "Windows Remote Assistance" , there are two options displayed:

a. Invite someone you trust to help you : Choose this option if you want to share your screen with someone.
b. Help someone who invited you : Choose this option if you want to control someone others PC remotely.

Click on Option a "Invite someone you trust to help you" to share your screen:



invite someone to provide remote assistance
Select shown option to continue


Once you click the above option then you will see below panel with multiple options:



Options displayed for Windows remote assistance
Options displayed for Windows remote assistance

Now you can see three different options :
a. Send this invitation as file : On clicking this option you can save the invitation file and send it to anyone from which you require help. After saving the file another window will open containing the password. You have to provide that password to person whom you want to connect to your machine.

b. Use email to send an invitation: You can send invitation directly via email but it requires email client on your machine to send email like outlook etc.


c. Use Easy connect: Another method to directly connect two PC is using Easy connect but this require some basic settings at your routers end i.e. If the computer has IPv6 disabled or is behind a NAT router that blocks Teredo traffic, the Easy Connect option will be unavailable.


Now once you have send the  remote assistance invitation file to user, he can connect to your PC by double clicking the invitation file and then entering the password.


Note: You need to enable remote assistance service.


3. Help someone who invited you : By clicking this option you can provide help to anyone who has done the above task. You will need two things : Invitation file and password to connect remote PC.



Woohooo... Did you know there is another smart option by which you can directly connect to any PC using IP address? If not, well lets learn that too. Yup we can also provide windows remote assistance support using IP address too. Here are options.


1. First of all click on startup and type command "MSRA" and press enter.

2. Now you will see screen where two options are displayed, Select "Help someone who invited you".
3. After that you will see some option, click on the bottom one "Advanced connection option for help desk" as shown below :


Select advanced connection option for help desk
Select advanced connection option for help desk


After clicking option you see below panel to enter IP address:


Enter IP address or computer name
Enter IP address or computer name

After entering IP address press Next to connect to IP address. That's all.

Hope you all enjoyed the learning. If you have any queries ask me in form of comments.
Copyright © 2012 Learn How to Hack - Best Online Ethical Hacking Website All Right Reserved
Designed by Hackingloops.