Topic: ""cool" hacks." (page 4 of 7)

Author Post
moose
I don't know if it's a hack, but anyway, it's a security hole...
Last week I was at a LAN party and a girl said her computer was secure ... she allowed me to try to get her password ;)

Bypass Windows passwords
1. Press "F8" when Windows is starting to get in the safe mode
2. start -> system control -> user accounts -> change pw
3. restart pc

alternative:
1. Start system normal
2. press Ctrl and Alt and Delete twice, a little window will be shown
3. enter username: "Administrator", press enter.

if the administrator password is set, you could
a) use a Linux boot CD .... but I never tried ...
b) delete c:\windows\system32\config\sam ... also never tried^^ (if you do: all user accounts will be deleted)
c) ophcrack ... just download the iso, boot from cd et voila ... after 5 mins it cracked an easy password ("angel")
d) start another system, mount the windows partition and replace the sam file .... I think this should work ... I'll try this later

Bypass BIOS passwords
a) remove the battery in your mainboard
b) BIOS backdoor passwords
c) use a "Clear CMOS" Jumper

well, I think almost everybody already knows this hole ... but the face of that girl was really nice^^

Ideas for new posts: ping of death, smurf attack, ping flood, Denial-of-service
Edited by moose on 07.06.2007 13:01:45
alt3rn4tiv3
Windows Alternate Data Stream (ADS)

Ever thought of downloading "HideThisFile" or "HideAllMyPornFolders"? Ever wanted something more than the "hidden" checkbox in Windows? A feature-but-security-threat functionality that comes with NTFS is the Alternate Data Stream. ADS is the ability to fork file data into existing files without affecting their functionality, size, or display in traditional file browsing utilities like dir or Windows Explorer. Found in all versions of NTFS, ADS capabilities were originally conceived to allow for compatibility with Macintosh's Hierarchical File System (HFS), where file information is sometimes forked into separate resources.

So how do we use ADS?
Simple - using DOS...
Quote:
 type c:\quangntenemyspassword.exe > c:\windows\system32\calc.exe:quangntenemyspassword.exe

In this example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS quangntenemyspassword.exe. The only indication that the file was changed is the modification time stamp, which is not exactly something people would notice.

Then how do we access the files stored via ADS?
As you would any other program from DOS -
Quote:
 start c:\windows\system32\calc.exe:quangntenemyspassword.exe


This is a common technique that "hackers" have been known to use to hide rootkits and stuff on their victims' computers, so as not to arouse their attention. However, there's no real way of detecting if there is indeed a file stored via ADS. There are tools however, which can help you automatically audit your files, which again, might not be very foolproof.

Since I'm pretty busy, I won't elaborate more on it and if you want to learn more, perhaps go google or wiki :)
aceldama
very interesting topic to raise *alt3rn4tiv3. erm, i'd like to add two things to "enrich" your post:

1) to delete a stream
in principle, only when the base file is deleted (in quang's case calc.exe) will the stream be killed. for this same reason, if you want to make a stream that cannot be deleted, stream it to the root directory (eg type "type hideme.exe > c:" to create an invincible/undeletable stream "c::hideme.exe") anyway, to delete a stream you need to take 3 steps:
Quote from AceldamA: It should be quite easy to put this in a batch file - saves time:
copy [sourcefile] [tempfile]
del [sourcefile]
ren [tempfile] [sourcefile]


2) to exploit it remotely
interestingly enough, this can also be exploited remotely. several webservers (including older versions of Microsoft IIS) can have their file source read via the ":$DATA" stream (yes, that includes the sourcecode of PHP, ASP etc). Normally when you go to a server-side script, you'll access the URL by typing say "hxxp://www.server.com/index.asp", bringing up the processed page. but the data stream can sometimes be read, allowing you to view the source code of the file rather than the processed data it returned. to give you an example, in this case it can be accessed by typing "hxxp://www.server.com/index.asp::$DATA". needless to say, how you use this and what you use it for is entirely up to you.:devil3:

* edit1 - Sorry about that. honest mistake ROFL
* edit2 - so, maybe it was three if you count the undeletable streams...
Edited by aceldama on 06.06.2007 21:16:04
alt3rn4tiv3
Thanks for your addons, but I'm not quang ;)

Anyway, here's a little fish for you guys who love "hacking" (DISCLAIMER: I AM NOT RESPONSIBLE FOR ANYTHING YOU DO FROM THE KNOWLEDGE GAINED FROM THIS POST) -

LimeWire is a P2P file-sharing program, which most of you should already know of. The catch is this - when setting your sharing folder, the default is set to c:\ drive (Windows), so a lot of files which should not be made accessible are made accessible. For example, you have aim.ini or yahoo.ini or msn.ini which stores your encrypted passwords.

Doing a search on LimeWire with those terms will return you tonnes of results which you can happily spend your time decrypting the passwords and pwning some people. Of course, I won't tell you how to decrypt the passwords, since this post is meant for educational purposes only.

Of course, these files aren't the only files which are dangerous for others to access. There are limitless possibilities you can do since it's almost like having (albeit read-only) remote access to a system. But then again, I won't elaborate.

So where's the educational purpose you ask? It's this - when granting access to foreign networks, make sure you restrict their access. Don't leave everything lying in the sun waiting for Snappy the little crocodile to eat your dinner.

Edited by alt3rn4tiv3 on 06.06.2007 11:51:45
alt3rn4tiv3
Make your effort worth it!
A webmaster writes a registration script, login script, sets up a database, writes his services to be usable only when logged in. A user who wants to use the resources registers, activates the account, logs in and searches for the resource again.. Here comes someone who's unwilling to wait and poof! His site's services are accessible without all that hassle.

A perfect example - http://www.planetrenders.net/.
Now on the left menubar, click on the image listed under "Top Rated Render".
You see an image that gives you an alert saying you need to register first to view the full-sized image upon clicking on it.
So, view the source!
QuoteQuote:
<img src="albums/userpics/47607/normal_fatestaynight.png" class="image" border="0" alt="Click to view full size image" />

So, looking at the filename normal_fatestaynight.png, one might deduce that the site hosts images via...
albums/userpics/{userid}/{image}

where {image} refers to a whole possible array of file-naming practices.
In this case, I tried changing it to just fatestaynight.png without the normal_ in front, and poof! I got the full image!


Moral of the story? Make sure you thoroughly test your site, and your site's framework. This might not seem like a big deal since the site isn't making money out of the registered users. But imagine ... Okay never mind. I'll leave it up to your imagination ;)
aceldama
getting around rapidshare's download restrictions.
not the most brilliant add, but useful nonetheless. it's basically an extension to rhican's "using google as a proxy" hack used in combination with tbs' wiwa article on ip spoofing. rapidshare (and i would assume some other download servers) keeps track of who's downloading what by logging the ips and download size. in effect what we're doing is using a proxy to disguise who we really are, thus fooling the download server.

what you'll need:
  • firefox with a modify headers extension installed or ye olde faithful - proxomitron
  • a list of all the google ips (all of which can be found here)


what you need to do:
  • modify the X-Forwarded-For header to a random ip (say for example: "192.168.0.666" or something)
  • navigate to the link by typing the following in the address bar:
    Quote:
    http://[Google IP]/translate?&u=[Rapidshare link]
  • once you're being denied further downloads, just move to the next google ip and your problems are history:thumbsup:


why this works:
having stripped all the variables google needs, you make it translate from english to english so everything's being done quickly and correctly. furthermore, google doesn't bother resetting the x-forwarded-for header so you end up being who you are pretending to be. try it out by setting it up and checking this URL. you'll get the picture.
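The trick above only works because the download server believes whatever X-Forwarded-For value reaches it. As an added example (not from the original post), here is the server-side logic that closes that hole: trust X-Forwarded-For only when the TCP peer is one of your own proxies, and walk the chain from the right. The 10.0.0.0/8 proxy range and the addresses in the comments are constructed values.

```python
# Added example (not from the original post): deriving the real client
# address behind proxies so a client-supplied X-Forwarded-For value cannot
# rename the downloader. The proxy range and addresses are constructed.
import ipaddress

# Constructed: the only hops this server trusts to append X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    """True if addr parses as an IP inside one of our own proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:      # garbage, or an impossible value like 192.168.0.666
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff_header=None):
    """The weak logic the trick above abuses: believe the leftmost XFF entry."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff_header=None):
    """Walk the chain from the right: the TCP peer, then XFF entries last to
    first. The first hop that is not one of our proxies is the client; any
    entries further left were written by parties we do not trust."""
    if not is_trusted_proxy(remote_addr) or not xff_header:
        return remote_addr      # peer is not our proxy: XFF is just data
    for hop in reversed(xff_header.split(",")):
        hop = hop.strip()
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr          # whole chain was our proxies: fall back


if __name__ == "__main__":
    # A third-party relay at 203.0.113.5 forwards a header the client chose.
    print(naive_client_ip("203.0.113.5", "192.0.2.9"))  # 192.0.2.9 (spoofed)
    print(client_ip("203.0.113.5", "192.0.2.9"))        # 203.0.113.5
    # Our own proxy at 10.0.0.1 appended the real client after a forged entry.
    print(client_ip("10.0.0.1", "192.0.2.9, 203.0.113.5"))  # 203.0.113.5
```

A download counter keyed on client_ip() then charges the relay itself for everything it forwards, which is the intended outcome.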
alt3rn4tiv3
Interesting way of hacking windows xp / vista / 2k
Check this out!
It's so detailed I won't bother copying / pasting it :)
occasus
Hello Community, I've written the following tutorial for someone else just to make an example about retrieving passwords. Actually it is nothing special and perhaps no one will ever need this info. Anyway I thought to add my modest contribution :)

+---< Title >------------------------------------------------------------------+
|                                                                              |
| Get program access password for "Revealer Free Edition v1.2"                 |
+------------------------------------------------------------------------------+

+---< Description >------------------------------------------------------------+
|                                                                              |
| Revealer  Free Edition is a free and reliable keylogger monitoring tool that |
| logs  everything  that is typed on your computer, it records every keystroke |
| including  passwords  and  conversations  (one side only)  in common instant |
| messengers.                                                                  |
| http://www.revealerkeylogger.com/Revealer_Free_Edition_1.2.zip               |
+------------------------------------------------------------------------------+

+---< Tools >------------------------------------------------------------------+
|                                                                              |
| * frhed (http://www.rs.e-technik.tu-darmstadt.de/applets/frhed-v1.1.zip)     |
| * Filemon (http://download.sysinternals.com/Files/Filemon.zip)               |
+------------------------------------------------------------------------------+

+---< Tutorial >---------------------------------------------------------------+
|                                                                              |
| Using frhed open the cfg.dat file which is located in the main Revealer dir. |
| It's made by the following 38 bytes:                                         |
|                                                                              |
| 06 6c ce 9d 3b 8b db 9c 3a bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b db 9c 3a   |
| bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b                                       |
|                                                                              |
| Let's  begin by starting revealer.exe. After that, stop monitoring and go to |
| "Options"  -> "General settings". If you try, you will notice that you can't |
| insert a password longer than 8 digits. I will insert "01234567" w/o quotes. |
| Now, before clicking  "Ok"  run  FileMon,  start capturing, click "Ok", stop |
| capturing  and  you  will  now  see  that  it  wrote mainly to one file: the |
| cfg.dat. Perfect let's open it again w/ frhed:                               |
|                                                                              |
| 06 6c ce 9d 0b 8b ea 9c 08 bb e4 c2 ad bc c7 4b cf 92 f9 51 3b 8b db 9c 3a   |
| bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b                                       |
|                                                                              |
| After  analysing  the  two  strings  of bytes you will notice that exactly 8 |
| bytes  have been changed. The offsets are: x04, x06, x08, x0a, x0c, x0e, x10 |
| and x12. Let's start with the first byte, which has changed... Before it was |
| 3b, now it is 0b. XOR these two values:                                     |
| 3b XOR 0b = 30 which is 48 in decimal and its value is "0"                   |
| db XOR ea = 31 ("1")                                                         |
| 3a XOR 08 = 32 ("2")                                                         |
| d7 XOR e4 = 33 ("3")                                                         |
| 99 XOR ad = 34 ("4")                                                         |
| f2 XOR c7 = 35 ("5")                                                         |
| f9 XOR cf = 36 ("6")                                                         |
| ce XOR f9 = 37 ("7")                                                         |
|                                                                              |
| So  as you see the bytes are changed only at those offsets. Now let's change |
| the  password into "pass" w/o quotes. If you do the same procedure as before |
| you  will  see  how the bytes are changed again in the cfg.dat file. Now pay |
| attention: this time we put a password of only 4 digits. The bytes at offset |
| x04,  x06,  x08  and  x0a got other values and the bytes at offset x0c, x0e, |
| x10  and  x12 become again the default values before any change in the file. |
+------------------------------------------------------------------------------+

+---< Conclusion >-------------------------------------------------------------+
|                                                                              |
| * The password length is max 8 digits.                                       |
| * Revealer stores the password in the cfg.dat file in the main dir.          |
| * The offsets are always the same, with the default values:                  |
|   0x04   ->   3b                                                             |
|   0x06   ->   db                                                             |
|   0x08   ->   3a                                                             |
|   0x0a   ->   d7                                                             |
|   0x0c   ->   99                                                             |
|   0x0e   ->   f2                                                             |
|   0x10   ->   f9                                                             |
|   0x12   ->   ce                                                             |
| * The default values are taken to xor the inserted password :)               |
+------------------------------------------------------------------------------+

+--< Thanks >------------------------------------------------------------------+
|                                                                              |
| I would like to thank all the people who always help me, answer my questions |
| and all communities where I am longer than a week ;)                         |
| This is not a great tutorial, but if there is even only one person who liked |
| this tutorial I will be happier than what you can think of ;)                |
|                                                                              |
| Best Regards                                                                 |
| occasus                                                                      |
+------------------------------------------------------------------------------+


I also would like to ask the Admins, if it is possible to create "<code>" tag or a monospace font for the forum/pm.

Edited by alt3rn4tiv3: there is already one ;) glad to see you back btw :)
Edited by alt3rn4tiv3 on 14.06.2007 09:35:06
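The XOR recovery from the tutorial above, carried through in Python as an added example (not from the original post): the two byte dumps are the ones in the tutorial, the offsets and default bytes are those listed in its Conclusion, and the "pass" case is reconstructed from the tutorial's description rather than copied from a real cfg.dat. It also handles the shorter-password case, where an unchanged slot XORs to 0x00.

```python
# Added example (not from the original post): the tutorial's XOR recovery
# carried through in code. Dumps are copied from the post; offsets and
# default bytes are the ones listed in its Conclusion.

DEFAULT_CFG = bytes.fromhex(          # untouched cfg.dat, 38 bytes
    "06 6c ce 9d 3b 8b db 9c 3a bb d7 c2 99 bc f2 4b f9 92 ce 51 "
    "3b 8b db 9c 3a bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b"
)
CFG_01234567 = bytes.fromhex(         # cfg.dat after setting "01234567"
    "06 6c ce 9d 0b 8b ea 9c 08 bb e4 c2 ad bc c7 4b cf 92 f9 51 "
    "3b 8b db 9c 3a bb d7 c2 99 bc f2 4b f9 92 ce 51 3b 8b"
)
# Password slots: every second byte from 0x04 to 0x12 (max 8 characters).
PASSWORD_OFFSETS = range(0x04, 0x14, 2)


def changed_offsets(default, cfg):
    """The tutorial's diff step: offsets where cfg differs from the default."""
    return [i for i, (a, b) in enumerate(zip(default, cfg)) if a != b]


def recover_password(cfg, default=DEFAULT_CFG):
    """XOR each slot with its default byte. A slot still at its default XORs
    to 0x00, which is where a password shorter than 8 characters ends."""
    chars = []
    for off in PASSWORD_OFFSETS:
        c = cfg[off] ^ default[off]
        if c == 0:
            break
        chars.append(chr(c))
    return "".join(chars)


def encode_password(password, default=DEFAULT_CFG):
    """Inverse operation, constructed here to reproduce the tutorial's "pass"
    case: slots beyond the password length keep their default bytes."""
    if len(password) > 8:
        raise ValueError("Revealer limits the password to 8 characters")
    cfg = bytearray(default)
    for off, ch in zip(PASSWORD_OFFSETS, password.encode("ascii")):
        cfg[off] ^= ch
    return bytes(cfg)


if __name__ == "__main__":
    print([hex(o) for o in changed_offsets(DEFAULT_CFG, CFG_01234567)])
    print(recover_password(CFG_01234567))             # 01234567
    cfg_pass = encode_password("pass")
    print(recover_password(cfg_pass), cfg_pass[0x0c] == DEFAULT_CFG[0x0c])
```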
