Making Facebook Phishing Site Tutorial.

Now in this article i am going to teach you how to set up the Phishing site, which is the Difficult task than making a Phishing site.

NOTE : EDUCATIONAL PURPOSE. CAN BE USED ON ANY WEBSITE.

Step 1: The First Step in Making the site is to regester an account at http://www.000webhost.com/order.php (if you have account than you can skip first 2 steps)

Step 2: Now Goto your email account that you gave and confirm your account with confirmation link


Step 3: Now Download this FILE (http://www.mediafire.com/?klq1vak76bouzrw ) .

Step 4: Now Goto http://members.000webhost.com/ and Log into your account.

Step 5: Now when you are logged into your account click on the Go to Cpanel  in front of your domain that you had registered, and then Go to File Manager under Files and log into it.

.

Step 6: Now Click on the Public_html.

Step 7: Now click on the Upload button, choose the file under the Archives that you have downloaded, to be uploaded.

Step 7: Now any one who visits your site would be taken to the Fake Facebook Login Page. After they enter their Username and Password, they will be taken to another page that will show them error. So there is less chance that it will be detected.




NOTE::: To access the input data ( Usernames and Password ) Goto the Following Address:


http://www.yoursitesadress.p4o.net/lol.html


THE DOWNLOAD LINK TO facebook.zip is http://www.mediafire.com/?svyhib869w1lzhy PS:> If http://www.p4o.net didn’t worked for you, you can use :
www.drivehq.com
www.yourfreehosting.net
www.esmartstart.com

=============================================================
The Input Data (Email and Password) will look like following:

==============================================================
UPDATE:
Now if you have successfully made the Phishing page(site) then you must know that on Facebook you cannot post it, mail it, or sent it in chat. e.g: http://www.yoursite.p4o.net. This is because Facebook dont allow the T35.com sites. So Solution to this problem is to use http://www.dot.tk for the URL hiding.
All you have to do is to Goto http://www.dot.tk , on the main page enter your Phishers address and get a domain for that. Like for http://www.myphisher.p4o.net you gets http://www.myphisher.tk. And facebook will allow you to post it

HOW TO FIND YOUR USERNAME?
Ok guys this is the most asked question of all so here is a simple answer, just look in the following picture of Admin Paned the red shaded area tells you the username of the website

Facebook hacked

Facebook is becoming secured day by day, it daily fixes several bugs found by users. Recently we have noticed that it has also tried to fix the Phishing loophole by validating the previous URL from which the user is arriving to Facebook. It validates from which source user is arriving on Facebook and hence if its a fake Facebook Page, it warns its users that Please Change your Password Immediately as you might be a victim of Phishing. This validation made Facebook account passwords secured from thousands of Novice and Script Kiddie Hackers but L33T  still can’t be stopped, as L33Ts never stop, they keep on moving to new alternatives.

So we moved to advanced mode of Phishing like Tabnabbing, meta refresh trick, browser side bypassing and even manipulating host(hint is sufficient as i will not disclose this one)..when i feel bored i use this technique to hack accounts and passwords of Facebook. Just try to figure out what we can do using Host File 😛 ..Not going to tell more than that…

Ok…. Ok… Lets learn today the technique called Host Name IP mapped based Phishing. You all will be really happy to know that i have written my third white paper on the same topic and you will be more than happy by knowing that this technique of Phishing is invented by Lokesh Singh (:P none other than me…).. So friends lets start our tutorial.

How to hack Facebook account and passwords

Note: This is for Educational Purposes only. Don’t misuse it.:P Please…

Requirements:

1. Facebook latest Phisher or Fake Pages.

Download Latest Facebook Phisher here: Download Now

2. Free Web hosting server to upload those Phish Pages.

3. Spoofing URL using Host name mapping technique.

Let me provide you little background what i will teach you today. I know most of you already know phishing but for first timers, let me explain a bit. Phish Pages means Fake Pages that looks absolutely similar to original pages and the technique of using those Fake pages to hack anyone’s user name and password is called Phishing. And technique which we use to send these fake pages to victim and prompt him to believe that they are real is called Social Engineering. But i think this we already know, what’s new we are going to discuss today.. Ahhh… Just wait and hold your pants tight because today i will be breaking all the policies and ethical norms because until and unless we don’t know how hackers do things we will never able to stand in front of them.

What is New???

We all know that fake pages can only be detected using two techniques:

1. Verifying the URL in the address bar, if its a fake page then URL must be different from original one.

2. Using any web security toolbar that warns users for fake pages like AVG toolbar, Norton Online security toolbar etc..

But what if you open http://www.facebook.com manually in your web browser and fake page opens and URL in the web browser remains http://www.facebook.com only. That means first technique to detect fake page go in vain. Now for second technique, all online web security toolbar detect fake pages by comparing the input  by user in URL address bar and original page URL. If both matches then its not a fake page else its a malware page.

So friends today i will teach you how to make your fake pages open whenever victim opens Facebook in his/her web browser. Ahhh… You will be now thinking its impossible. But as i have told you i have written a white paper on Advanced Phishing techniques. So its 110% possible to load fake web page whenever user opens http://www.facebook.com or any other website like Yahoo, Hotmail or anything… Below are the steps and video for the same.

I had made the video as well as written the steps in detail which will tell you everything step by step.

Steps to Hack Facebook account or Password:

1. Download the Latest Facebook Phisher.

2. Extract the files, you will get below 4 files:

• index.php
• facebook1.php
• passwords.html
• thanks.php

3. Now go to any free web hosting web server to upload these fake pages.

Note all should be uploaded at root means not in any folder. Just at first level directory.

4. Now you need to find the correct IP address of the account you have created on web hosting server.

5. When you get you fake page’s IP address, now what we need to do is that we have to add the entry of the IP address against the http://www.facebook.com in victim’s host file located at below location.

C:\Windows\System32\drivers\etc

6. There are several ways of doing that, i have written my own php scripts for doing the same but i cannot share that with you guys because there are chances of misusing it. So i explain you the logic and rest you need to figure out how you will edit victims host file and append your Fake Page IP address against http://www.facebook.com.

7. Now after doing steps 5 and 6, whenever user open the http://www.facebook.com, your fake Facebook page will open and victim will never be able to visit the original Facebook, so he cannot even been able to change his password…:P

8. I have added an extra logic to my scripts, whenever victim enter the password and hit enter button, i am removing the entry of Fake IP address against http://www.facebook.com from the host file by making it spaces. So it will be for him for one time only which sounds more spoofed. Its just a single line code but i cannot tell you guys because it will make this article completely unethical.

I will teach you techniques but i will not do spoon feeding because if you want to become good hacker then you need to use your brain too. I love to be called Destructive but i do constructive works..:P like this one…rofl…

9. Everything other than this is similar to normal phishing technique..

I hope you all like it… If not here is the video of the complete hack in detail with each and every step shown practically.

Note: In video i am using my localhost as web server which in your case will be uraccountname.my3gb.com or other means where you uploaded your files.

Also you must know 127.0.0.1 is localhost IP address. For you case your webhosting will be the IP address that will be used to map against facebook.

I hope you all love this tutorial 😛 you have to… Because its the best method for hacking anyone’s account..

Hack Websites Using XPath Injection

NOTE: ONLY FOR EDUCATIONAL PURPOSE. IT IS TOTALLY ILLEGAL AND YOU WILL BE PUNISHED. SO DONT TRY.

XPath Injection:

SQL is the most popular type of code injection attack, there are several others that can be just as dangerous to your applications and your data, including LDAP injection and XPath injection. An ‘XPath injection’ attack is similar to an SQL injection attack, but its target is an XML document rather than an SQL database. ‘XPath Injection’ is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

What is XML?

XML stands for Extensible Markup Language and was designed to describe data. It allows programmers to create their own customized tags to store data. In XML the data is stored in nodes in a tree form. XML Path or XPath language is used for querying information from the nodes of an XML document. Please refer to XML Tutorial for more details on XML.

What is XPath?

“XML Path” or “XPath” 1.0 is a language used to refer to parts of an XML document. Path expressions are used to access elements and attributes in an XML document, which return a node-set, a string, a Boolean or a number. It can be used directly to query an XML document by an application, or as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document. Please refer to XPath Tutorial for more details on XPath.

In Detail:

Code Injection is a technique to Inject code into a program or application code by taking advantage of the unchecked assumptions the application makes about its inputs to bypass or modify the originally intended functionality of the code. All code injection attacks work in a same way; an attacker injects malicious code into the application code through an input field of the application. So, to perform such attacks there must be entry points that are not performing adequate validation.
Consider a Web application that uses XPath to query an XML document to retrieve the social security number of a customer by passing name and password values that are supplied by the user of the application. If the application embeds these values directly in the XPath query then it is vulnerable to XPath Injection.

OK, so when to use it? Let us assume we have found a vulnerable site that appears to be vulnerable from our usual quick tests, but when we try to inject using ORDER BY we get no errors generated. We double check using String injection method to make sure that it is not the problem, but still no results. Time to give up? Never, let us now try to see if we might be able to use XPATH injection.

We will start with a quick check to confirm versioning to ensure this method can be used, as it only works on MySQL version >=5.1 (best with errors present). The first check for version and user looks like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))—

RESULT: ’Xpath syntax error: version info:user info’

OK, so now we have confirmation that this method will work as clearly displayed in the errors seen. We now have the version and current user info. Now we will move to checking the table info, like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 0,1)))–

RESULT: ’Xpath syntax error: <Table Name Found at address used in LIMIT statement>’

This is the biggest problem with XPATH Injection, it gets tricky here. You will need to use the LIMIT statement to sort your results and keep traffic of all of the table names found. This can be very time consuming, but it is key that you use your brain to pick up on any relationships that become obvious as you are sorting through tables, while also keeping an eye out for juicy tables that may warrant further investigation in future steps. I suggest first sorting them to find the lower and upper limits so you know what type of range you are working with (some sites will be only a few and others will have thousands in total – see example below).

Once you have determined the table info, you will need to follow similar steps to pull the column details. It works very similar to tables and looks like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 0,1)))–

RESULT: ‘Xpath syntax error: <column name found at address used in LIMIT statement>’

This is just as time consuming as the pulling the table names and is a bit tricky as it becomes very hard to tell what columns link to what tables or database for that matter, for this reason it is key to use your brain power to make some logical determinations about what you find. This means you can use your brain to deduce that you have found a table named mysql_auth_users and columns idx, username, and password. It would not be a great stretch to assume these might go together. I tend to use a bit of trial and error on this last part but have found if you just think about it for a minute you can usually make the necessary connections to extract what you want. That being said, extraction of data works the exact same as it does for simple SQLi. You choose the columns you want and indicate what table to pull from and parse the results from the error given. It looks like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,idx,0x3a,username,0x3a,password) from mysql_auth_usr)))–

RESULT:  Xpath syntax error: ‘:1:admin:password1’

Now you have successfully injected and extracted the data using XPATH injection! Now go pat yourself on the back for learning a new method and enjoy a well-deserved break There are other XPATH queries that can be used but this is the one I have found the best results with. You can also use updatexml(). I will continue to add to this as I investigate this technique more, but this concludes my write up on XPATH injection using the EXTRACTVLAUE() method for now. I hope you have found this interesting and educational and as always until next time Enjoy!

Access Blocked Websites[firefox and google chrome] :-

A cool Firefox and chrome plugin enables users to access the blocked websites or the sites that are blocked in few regions say torrents blocked in India or some websites which are accessible only for US or UK users etc. So today i am going to tell you how to use that Firefox and Chrome plugin to access blocked sites or regional website.

Some websites like Netflix or Hulu are only accessible to US residents, similarly, there are many other websites which may be blocked by your ISP, your school or college, etc. Stealthy is a handy add on(plugin), available for Google Chrome and Firefox, which can solve this problem.

Stealthy allow users to access blocked websites by setting up a working proxy on your browser with a click of a button. What Stealthy does is that it search for different proxies online and use the best one based on your location and setup a new IP so that you can access blocked websites.As with all other extensions, Stealthy once installed, a small red airplane icon will appear right next to your address bar in Google Chrome, which means that Stealthy is disabled. Click on it to enable Stealthy and enter the URL of the website you want to access.

Access blocked or restricted sites using Stealthy

Stealthy provides users with four different options to choose from – Pro USA, Pro UK, Normal and Customized. Under USA, it allows you to use services such as Hulu, Netflix, etc. that are accessible only to USA residents. With UK option, you will be connected to internet as if you were in UK so that you can access UK restricted websites. With Normal, it gets a proxy from a random location to access websites that are blocked in your region but are available in the rest of the world. If you want to use a country specific proxy, use the customized option otherwise you can stick to normal. If you don’t want Stealthy to work on any specific website, you can add them to the Bypass list.

Note : Enabling Stealthy may slow down your internet so it’s better to keep it disabled if you are browsing regular websites.

 

How to download web videos without software

Welcome Back guys , i present you How to download web videos without software . Well this actually is not any sort of hacking its just a concept of temp file ie when we watch any videos , in actual the video is getting downloaded which is unknown to us , so we are going to save the video from that location where it is being temporarily downloaded.

how to save videos watched in google chrome browser.

Please note this is applicable only to Google chrome browser. This would be helpful in case if you haven’t installed any software that governs your download. First u need to UN HIDE all your hidden files and folders by following the video. Once you done that the rest of the process is easy. The very important thing to note is that the file initially will not be supported by any player. So you need to drag the file to VLC media player in order to play. The file with high size is your video file. Do not select the files named as “DATA”. It’s a data file and will not be supported by the player. The cache folder stores data temporarily so it is important to copy the necessary video file to your preferred destination before it is replaced with some other file.

Thank you.

This was simple though many of you might be aware of this but still i felt like sharing it with you all.

keep commenting…………………..

RATs: How to hack computer remotely

Remote Administration Tools-RATs:

RATs also called as Remote Administration tools are popularly used software to control other computer remotely and considering hacking aspects, hack computer remotely. There are many RATs such as:-

– Prorat
– Turkojan
– Yuri RAT and many other.

Working of RATs:

To hack computer remotely using a RAT, you have to create a server and then send this server to victim whose you want to hack computer remotely. Generally, this server is binded to any file say picture or song, so that whenever victim opens this file on his computer, our server is installed and this server opens port of victim computer and by using this opened port, you are able to hack computer remotely.

It is this RAT server that then sends all system information to PRORAT and we can then hack computer remotely using PRORAT.

Things you can do by hacking computer remotely:

Once you gain access to remote computer, you can hack computer remotely and perform any of following:-

# Install a keylogger
# Monitor Chat windows
# Shutdown computer remotely
# Take control of system registry
# Hack locally stored passwords and licence keys
# Download additional malware and servers to gain stronger control
# Control and access all Control Panel options(including add or remove programs)
# Send various Error messages
# Access Printer services
# Erase all disk data by formatting drives
# Open FTP connection and start file transaction

Thus, you are able to hack computer remotely 100%. This software to hack computer remotely is hence very popular.

Disadvantage of remote hacking software RAT:

The main disadvantage of this software to hack computer remotely – RAT is that the server created to hack computer remotely is recognized by most ant viruses as hack tool and hence, ant viruses send alert messages when installing RAT server to hack computer remotely.

But, there are many software’s like Binders or Crypters to hide RAT server and prevent Ant viruses from sending alerts. Even there are software’s like AVkiller which is used to turn antivirus inactive and then our server (used to hack computer remotely) can be installed on victim computer very easily.

Also, you need to port forward your router to enable RAT to hack computer remotely.

This is all about RATs – software to hack computer remotely. In my next article, I will inform about server creation and installation on remote computer to hack computer remotely.

Enjoy n hack computer remotely…

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.