========================================================
Type : Tutorial
Level : Easy
Purpose : As a website owner, you can also become aware of this kind of attack on your web server
========================================================

I wrote this tutorial about Google Hacking because some people keep messaging me about how to perform it.
A lot of people who learn about hacking think that hacking means getting into a web server or computer and defacing it, stealing data, or erasing the victim's disk drive by running rm -rf, etc. But that isn't the purpose, because this method can also be used to secure your website from bad hackers (see the countermeasure part below).

If you think it's really cool to deface some website, put your name on it such as "Hacked by v4L", and then use the screenshot as your Facebook profile picture for pride (I've seen this kind of guy, ROFL), I suggest you forget about doing this kind of stupid thing before Interpol catches you.
Google hacking doesn't mean that you can hack into another system instantly (even though sometimes you can get through instantly), because Google Hacking is a trick to find and reveal sensitive information.

While you're on Google, you can't find the specifications of a program running on someone's computer (unless he or she wrote it in a Facebook status or somewhere else on the net), because Google is a web search engine (Wikipedia), so Google only lists computers/servers that act as web servers. Don't think too much about complex hacking steps, because before you move to a higher level you need to know the basics.

In this tutorial I will cover the simple basics of performing Google hacking and also a very basic SQL injection like ' OR 1=1;-- . I believe some of you reading this tutorial have great skill in SQL scripting, so you can adapt it to your needs.

Okay, let's start.

intitle : The intitle operator is used to search only within the <title> tags, that is, the actual page title as defined by the website's author.
inurl : The inurl operator is used to search within a site's URL itself. This is very useful if you are familiar with a URL string or with the standard URL strings used by different content management systems.

We will try to find the administrator login page address by using the Google operators above. Usually the programmer uses words like "Administrator Login", "Admin Login", "Super User", "Owner Login", etc. as the title of the administrator authentication page.



As you can see from the picture above, there are about 4,310 search results for that query, but you can narrow your search results by changing some parameters, such as changing .com to .nz, .com.au, .co.id, .com.my, .sg, and many more. While I was searching for Google Hacking material on the internet, I actually found more than 10 websites vulnerable to the basic SQL injection above. See the example below:

Before :

 After :

Countermeasure :
1. For webmaster, put this script in your web page between to prevent the search engine crawler indexing your private page
2. Still for webmasters: you can also create or modify a robots.txt file to disallow user agents from crawling some of your web server folders.
Example:

User-agent: *
Disallow: /administrator/
Disallow: /user/
Disallow: /modules/

FYI : robots.txt is a publicly readable file, so if you want to know which folders a website has disallowed, you can look them up with my simple tool here:
http://vishnuvalentino.com/services/website-information-lookup-beta-v01/
3. Again for programmers: filter the user input and make sure the data is safe for the server to execute. That's it. Hope it's useful.

Category: # Vishnuvalentino Tutorials | Views: 4498 | Added by: Administrator | Date: 2012-03-28 | Comments (0)

Nowadays maybe a lot of people know about cracking (network cracking): it is modifying or disabling features that are considered undesirable by the person cracking the network. For some people, cracking a network sounds very hard to do because it involves high skill in a programming language or an understanding of networking.

What is Session Hijacking
Every time you connect to a web application (usually a dynamic web application) you get a unique ID called a "session". This session identifies you as a valid user and stays valid until you kill the session (the log out process) or the session expires. Some bad people try to identify or guess the session ID value to gain the privileges of a valid user in a web application.

Firesheep HTTP Session Hijacking
Firesheep is a Firefox extension for session hijacking. I was very surprised that this tool can hijack Facebook, Twitter, WordPress, Amazon, etc. sessions from valid users. Most importantly, this tool is very easy to configure and to launch an attack with. Just a few steps:
1. Download Firesheep
2. Sit on an unencrypted wireless network
3. Turn on your wireless card (one that supports promiscuous mode, such as Atheros, Orinoco, etc.) and join the network
4. Start capturing with Firesheep
5. Just wait until some user authenticates to Facebook, Twitter, etc.

Step by Step Firesheep Configuration
1. The picture below is the interface of Firesheep (click view -> sidebar -> firesheep); you can click the red circle for preferences.

2. In this picture you choose which interface you want to capture data on. For example, when you're on a wireless network, you should select the wireless adapter.

3. The picture below shows which websites' sessions can be hijacked by this add-on.



4. Usually the capture uses TCP port 80, because on port 443 I think the traffic will be encrypted, but I haven't tried other ports yet :-) .

5. When you finish, click "Start Capturing" and wait until someone authenticates to one of the websites on the website list.

Prevention:
1. You can use Blacksheep,
2. You can tunnel your internet connection,
3. Don't use the "Remember Me" feature in public internet areas (hotspots), and log out after you finish using the internet.
4. Some people say that clearing the browser cache and history may be another way, but you can read my other posts on why it's not really a good way. That's it.

I hope you can use this tutorial in a good way :-) If you have any questions, you can contact me or drop a comment.

Read more : http://vishnuvalentino.com/computer/firesheep-http-session-hijacking-tools/
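
The capture in step 4 works because a session cookie sent over plain HTTP on port 80 is readable on the network. As an added example (not from the original post or from Firesheep), this Python audit checks a site's `Set-Cookie` headers for that exposure and for long-lived "Remember Me" cookies; it goes beyond the user-side prevention list to what the site owner can check. The sample headers and the one-day `REMEMBER_ME_LIMIT` threshold are constructed assumptions.

```python
REMEMBER_ME_LIMIT = 24 * 3600  # assumed threshold: flag lifetimes over one day

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Return (cookie name, list of findings) for one header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over http:// (port 80),
        # where anyone capturing on an open wireless network can read it.
        findings.append("no Secure: sent in clear text over HTTP")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > REMEMBER_ME_LIMIT:
        # A long-lived "Remember Me" cookie stays valid, and reusable, for longer.
        findings.append("persistent for %d s" % int(max_age))
    elif "expires" in attrs and "max-age" not in attrs:
        findings.append("persistent until %s" % attrs["expires"])
    return name, findings

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed123; Path=/",
    "remember=constructed456; Path=/; Max-Age=2592000; HttpOnly",
    "sid=constructed789; Path=/; Secure; HttpOnly",
]

def audit_all(headers):
    """Map each cookie name to its list of findings."""
    return dict(audit_cookie(h) for h in headers)

if __name__ == "__main__":
    for cookie, problems in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", problems or "ok")
```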


Category: # Vishnuvalentino Tutorials | Views: 4704 | Added by: Administrator | Date: 2012-03-28 | Comments (0)
