Web Jacking Attack Method

The Web Jacking Attack Vector is another phishing technique that can be used in social engineering engagements.Attackers that are using this method are creating a fake website and when the victim opens the link a page appears with the message that the website has moved and they need to click another link.If the victim clicks the link that looks real he will redirected to a fake page.

The social engineering toolkit has already import this kind of attack.So we are going to use the SET in order to implement this method.We are opening SET and we select the option 2 which is the Website Attack Vectors.

We will see a list with the available web attack methods.The attack that we are going to use is of course the Web Jacking Attack so we select option number 6.


In the next menu we have 3 options:

•     Web Templates
•     Site Cloner
•     Custom Import

We will select the site cloner in order to clone the website of our interest.Remember that this type of attack works with the credential harvester method so we need to choose a website that it has username and password fields in order the attack to have success.For this scenario as you can see in the image below we have select to clone Facebook because of its popularity.

Now it is time to send our the link with our IP address to the victim.Lets see what the victim will see if he opens the link.

As you can see a message will appear informing the user that the website has moved to a new location.The link on the message seems valid so any unsuspicious users will click on the link.At that time a new page will load into the victim’s browser which it will be fake and is running on our web server.

If the victim enters his credentials into the fake Facebook page that looks like the real one then we will be able to capture his username and password.The next image is showing that:

- - - - - - - - - - - - - - - - - - - - - - - - - - - -  VIDEO - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

How to use Credential Harvester Attack Method over Internet

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Tools : SET TOOL KIT

OS : Backtrack 5

The credential harvester attack method is used when you don’t want to specifically get a shell but perform phishing attacks in order to obtain username and passwords from the system. In this attack vector, a website will be cloned, and when the victim enters in their user credentials, the usernames and passwords will be posted back to your machine and the victim will be redirected back to the legitimate site.

TUTORIAL VIDEO :

Recover Email Password using SMS

 

First of all..I would like to say that Gmail is out of Beta..yep..After a long time when they have integrated the best of world in their email system,it was the right time to rip off the tag,and they did it.Further,with the world going mobile,they took some of the steps to better enhance the security even a notch above than other email services. It helps to know that even the best of us forget our passwords from time to time and In fact,the sheer amount of people visit Gmail help center everyday just to recover their passwords. To help with these situations, Google went a step ahead by adding the ability to recover your password via text message.

In order to access this feature,sign in to your account and select ' Change Password Recovery Options ' enter your cell phone number and click ' Save '
The Next time you forget your password, enter your username on the password-assistance page, and Google will text you a recovery code. No need to check another email account or even leave the page.
In general, it's a good idea to add as many password recovery options to your Google Account as possible, like a secondary email address and security question. And don't forget to keep them up-to-date.
Afterall,we all make mistakes :P

Dark Mailer- Fast Bulk Email Software

Dark Mailer is a super fast bulk email software that sends out at speeds greater than 50,000 emails per hour on a dedicated mailing server. Dark Mailer has the capability to use Proxies and Relays and also to send directly. Some of the features include:

• Anonymous Mailing using Proxies
• Message Randomization to bypass Spam Filters
• Speeds over 500K emails per hour on Turbo Mode
• Up to 1000 Threads

The software taps into a network of zombie computers and is able to send 50,000 e-mail messages per hour from a regular cable modem connection. It affords near-total anonymity because of the networking and is often used by spammers. It currently does not have an official website for downloading.

Robert Soloway, one of Internet's biggest spammers, used it. On July 23, 2008, the 29-year-old Solway was sentenced to nearly four years in prison and ordered to forfeit more than $708,000 in income. Prosecutors had asked for a 9-year sentence. He has also lost civil suits for spamming, and owes civil penalties totaling more than US $17 million.

Note: Some Antivirus classified this as hack.tool or Mass.flooder
Download Dark Mailer

Gmail Hacking | Twitter Hacking: Hack with Cookiejacking

 

Independent researcher Rosario Valotta demonstrated his “cookiejacking” proof of concept last week at the Hack in the Box security conference in Amsterdam. It exploits a flaw that's present in all current versions of IE to steal session cookies that Facebook and other websites issue once a user has entered a valid password and corresponding user name. The cookie acts as a digital credential that allows the user to access a specific account.The proof of concept code specifically targets cookies issued by Facebook, Twitter and Google Mail, but Valotta said the technique can be used on virtually any website and affects all versions of Windows.

“You can steal any cookie,” he told The Register. “There is a huge customer base affected (any IE, any Win version).”

The attack exploits a vulnerability in the IE security zones feature that allows users to segregate trustworthy websites from those they don't know or don't ever want to access. By embedding a special iframe tag in a malicious website, an attacker can circumvent this cross zone interaction and cause the browser to expose cookies stored on the victim's computer.

The exploit requires the attacker to accomplish a variety of difficult tasks, including knowing where on a hard drive cookies are stored (it can be slightly different for various versions of Windows) and knowing the victim's Windows username.

Valotta's exploit incorporates techniques developed by researchers including one by Jorge Medina that manipulates file-sharing functionality built into IE to transmit the Windows username in plain text. It also borrows an advanced form of clickjacking, known as drag & drop content extraction, which was demonstrated last year by Paul Stone.

                                A video of Valotta's attack in action is below.

Click here to watch video tutorial

How to protect your email id and facebook from hackers

Everybody use email accounts and social networking websites such as orkut, twitter and facebook. There are many important informations of a person in these email accounts and social networking website. so it is important to protect these account from hackers. Because hackers always try to get others account to get those secret and personal data for bad purpose. If use your email id for business and other services then it's a great loss and trouble for you. So always try to be safe from hackers

Follow these simple steps i am writing below to protect yourself from being hacked.

Never share your password to anyone.

1. Don't use password as your nick name, phone no. or pet names..
   
2. Use the combination of lower case, uper case, numbers and special characters for passwords.
   
3. Never click on any suspected link comes in a mail from unknown sender.
   
4. Never give your passwords to any 3rd party websites for any service.
   
5. Use different passwords for different accounts.
   
6. Check the website url every time before login. EX: check url to be http://www.facebook.com before login to face account. Never login to website such as http://www.facebook.otherwebsit.com (MOST IMPORTANT)
   
7. Use secondary email address and mobile phone numbers with secret questions for account recovery.
   
8. Never use any javascript code in url while login to any of your email or any other website account. It may be a cookie stealer script.
9. use latest antivirus and antimalware softwares with firewall on.

These are some steps which you can follow for safe surfing over the internet.