Showing posts with label Hacking.

Saturday, December 8, 2012

How to hack Facebook user ID's using the API

How to obtain a user's ID from their username

There are many ways to do this, such as simply reading the URL of the user's profile photo. Here is how to do it with curl and the Facebook Graph API:

Example Facebook Page:
https://www.facebook.com/burrowsapps

Username:
burrowsapps

Use the Facebook API:
https://graph.facebook.com/

Open Terminal:
curl "https://graph.facebook.com/burrowsapps"

It should return a JSON string:
{"about":"Burrows Apps - https:\/\/play.google.com\/store\/apps\/developer?id=Burrows+Apps - Applications - http:\/\/www.burrowsapps.com","awards":"http:\/\/www.youtube.com\/watch?v=bpOY-sa1sCI","description":"Programming and Mobile Applications\nSecurity Fixes and Exploits\nCourses Notes and Solutions","is_published":true,"mission":"To provide top of the line mobile applications and support for all users.","products":"Applications: \ncrypTo: https:\/\/play.google.com\/store\/apps\/details?id=burrows.apps.crypto\nRoot Checker: https:\/\/play.google.com\/store\/apps\/details?id=burrows.apps.rootchecker\nApp Manager:\nhttps:\/\/play.google.com\/store\/apps\/details?id=burrows.apps.appmanager\nProjects:\nCourse Notes:\nhttp:\/\/blog.burrowsapps.com\/p\/notes.html","talking_about_count":3,"username":"burrowsapps","website":"http:\/\/www.burrowsapps.com\/","were_here_count":0,"category":"Computers\/technology","id":"140257159405760","name":"BurrowsApps","link":"http:\/\/www.facebook.com\/burrowsapps","likes":56,"cover":{"cover_id":341087719322702,"source":"http:\/\/sphotos-b.xx.fbcdn.net\/hphotos-snc7\/s720x720\/598549_341087719322702_28686629_n.jpg","offset_y":0}}

Look for the "id" object:
"id":"140257159405760"

Check for yourself:
https://www.facebook.com/burrowsapps = https://www.facebook.com/140257159405760

Tuesday, May 8, 2012

How to Reverse Engineer Android Malware

Reverse Engineer Android Malware

Tools you may need for decompiling Android malware:

apktool – a tool used for manipulating .apk files
   Download: http://code.google.com/p/android-apktool/
jad – a Java decompiler (Windows only)
   Download: http://www.varaneckas.com/jad
JD-Core + JD-GUI – another Java decompiler, supporting newer Java versions and features
   Download: http://java.decompiler.free.fr
dex2jar – a tool for converting .dex files to .class files
   Download: http://code.google.com/p/dex2jar/downloads/list
apkinspector – an all-in-one tool
   Download: http://code.google.com/p/apkinspector/

This tutorial, however, is fairly easy and simple, and I will only be using dex2jar and jd-gui. The procedure is the same for any app: you can use the same tools and methods to decompile your own applications and other applications, especially malware, in order to see and understand what the code is actually doing.

So, say we have a malicious app such as "file.apk".

A lot of these tools can be used on Windows as well as Linux; however, I happen to be using Windows for this tutorial.
For Linux: sh dex2jar.sh file.apk
For Windows: dex2jar.bat file.apk

This will create a file called file_dex2jar.jar. Now we can easily view the app's code with jd-gui.
Simply launch jd-gui and open file_dex2jar.jar.

Now we can easily read and see the code.

Further Research/Advanced Topics:

  • Code Obfuscation 
  • Decompiling Manifest Files
  • Obtaining the Resources - images, etc.

For Related Articles:

http://blog.burrowsapps.com/2012/02/hacking-facebook-for-android.html

Friday, April 27, 2012

Android - Text Bomber/Spammer

A Simple Text Spamming App

This is only a proof of concept, so please use it for educational purposes only.

Make sure the app contains:

Java Code - SpamActivity.java

XML code - main.xml

Sunday, February 19, 2012

What is Wifi Security?

Everyone's on Wifi
In today's society almost everyone has a cell phone, laptop or tablet, and everyone has used a wifi connection at least once. Wifi is available almost anywhere you go: in cafes, restaurants and, of course, our homes.

Summary of Topics:
- No matter where you are, always use HTTPS, a secure protocol for protecting the data you send and receive on your computer. This is the first line of defence for data encryption.
- Attackers can steal/view packets; if they are not encrypted, they can read passwords and credit card information in plain text.
- It's always good not to broadcast your SSID; it makes things slightly harder for the curious.
- Hidden SSIDs are hidden, but their BSSIDs aren't.
- Always filter MAC addresses, because some people are very curious and like to poke around.
- Attackers can easily spoof accepted MAC addresses.
- Always use WPA2-PSK with AES encryption; this way, even if people steal your packets, it will be very hard to read the encrypted packets, especially if you are also using HTTPS.
- No encryption makes it easy for attackers, and WEP is easy to crack.
- Keep good passwords on local computers as well as on the router/access points.

Some terms to know (there's more that could be added):
ESSID = Extended Service Set Identification
SSID = Service Set Identification
- This is the name of the network that is being broadcast
- Ex. "Tom's House"
BSSID = Basic Service Set Identification
- This is the MAC (Media Access Control) address of the access point
- Ex. "01:23:45:67:89:ab"
WEP = Wired Equivalent Privacy
- Encryption with 40- and 128-bit keys
WPA = Wi-Fi Protected Access
- Password-protected wifi that uses TKIP
WPA2-PSK = Wi-Fi Protected Access with Pre-Shared Keys
- Password-protected wifi that uses AES and can use TKIP
- Uses "handshakes" for authentication
HTTP = Hypertext Transfer Protocol
- Commonly used on port 80 for standard web surfing
HTTPS = Hypertext Transfer Protocol Secure
- Secure web surfing that is tunnelled (SSL/TLS) on port 443

When setting up a router we configure the following:

At Home or in the Office (there is more than one way to do each of the methods shown)

1. SSID/ESSID
It doesn't add much security; however, I suggest that everyone hide their router/wifi networks. Simply hiding the broadcast of the SSID from the world will help deter hackers and annoying gamers from wanting to break into your router/network to see if they can poke around, or simply to obtain free Internet. That said, this doesn't do much, because people can still find and attempt to connect to routers/networks that hide their SSID: by simply scanning, or by putting their wireless cards in monitor mode, they can view network BSSIDs as well as clients' MAC addresses:
sudo iwlist wlan0 scan
or
sudo airmon-ng start wlan0
sudo airodump-ng mon0

2. MAC Address Filtering
Everyone's first line of defence by far should be MAC address filtering. There are two types: MAC address control for both wifi and wired connections, and MAC address filtering for wireless connections only. The most important one to use is filtering for wifi connections; someone would have to break into your house or office to use the wired connection anyway, and if someone breaks into your facility there are far bigger problems than someone connecting to a network. MAC address filtering will stop most people who usually poke around at other people's wifi networks. Routers keep a list of MAC addresses that are either "Allowed" or "Denied" to connect, which lets you simply control who can connect and who cannot. However, once again, this hardly does much to stop an attacker or someone who simply wants free Internet. Anyone nearby can simply scan for networks, and after scanning the nearby networks, attackers can change or "spoof" their MAC address temporarily:
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether 01:23:45:67:89:ab
sudo ifconfig wlan0 up
or another way:
sudo ip addr
sudo ip link set dev wlan0 down
sudo ip link set dev wlan0 address 01:23:45:67:89:ab
sudo ip link set dev wlan0 up
The easiest way is to use GNU MAC Changer.
3. Wifi Encryption
Today there are generally three types of encryption for wireless networks: None, WEP (40-bit and 128-bit keys) and WPA (WPA-TKIP and WPA2-CCMP). I can't stress enough that you should use encryption, because attackers do not even need to be on your network to steal your data: if you are not using encryption, attackers can simply use tools to capture your wireless packets and read them (more on Packet Analysis). It is also very important that you always use HTTPS when available. Secure sessions are important to prevent session hijacking or phishing websites, because HTTPS encrypts the data coming in and leaving on port 443 instead of using the default port 80 for HTTP, which is not encrypted.

So even if the attacker scans for hidden SSIDs, finds some clients' MAC addresses that are connected to some routers, and spoofs his MAC address in order to connect to the network of his choice, wifi encryption is the next line of defence. While connecting to the network, the attacker will be prompted for a password/passphrase in order to actually gain access to the network and the Internet. Obviously these can be guessed or brute-forced, which is why it is very important to have a very hard and obfuscated password (generate one here: Random Password Generator). Create passwords that are very long and use random characters. Since passwords can be brute-forced, it is important to use "passphrases": a passphrase is a group of words used as a password, which makes it harder to guess because it is longer and uses many words, defeating the purpose of brute-forcing (dictionary attacks).

When choosing an encryption, it is best to go with the latest and greatest, WPA2-PSK, which is more secure than WPA. WEP can be easily cracked with tools such as Aircrack and CoWPAtty: attackers that are not even connected to your network can capture your packets and then crack the WEP key. WPA2 uses better encryption, AES, and isn't crackable because of the handshakes it uses for authentication.
Even if the attacker captures your packets and you were using WEP or WPA/WPA2, it would be very hard for the attacker to read them. To crack WPA2, an attacker would have to capture your packets and then run a dictionary attack, which would take a very long time, making WPA2-CCMP (AES encryption) the best standard to use.
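The passphrase advice above, worked through as an added example that is not part of the original post: WPA2-PSK derives the network key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations, so every guess against a captured handshake costs 4096 HMAC rounds. Only the Python standard library is used; the guess rate in compare_schemes is an assumed round figure, not a measurement.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_BYTES = 32             # 256-bit Pairwise Master Key


def check_passphrase(passphrase: str) -> None:
    """802.11i allows 8 to 63 printable ASCII characters for a WPA/WPA2 passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the PSK that station and AP both compute from the passphrase.
    The 4-way handshake only proves that both sides hold this key, which is why a
    captured handshake lets an attacker test passphrase guesses offline."""
    check_passphrase(passphrase)
    # The SSID is the salt: the same passphrase yields a different key on every
    # network name, so a unique SSID defeats precomputed (rainbow) tables.
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                              PBKDF2_ITERATIONS, PSK_BYTES)
    return psk.hex()


def days_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; each guess costs a full PBKDF2 run."""
    return candidates / guesses_per_second / 86400


def compare_schemes(guesses_per_second: float = 500_000.0) -> dict:
    """Constructed comparison of the password styles the post discusses.
    The default guess rate is an assumed figure for a GPU rig; the ordering is the point."""
    return {
        "single dictionary word (1,000,000-word list)": days_to_exhaust(1_000_000, guesses_per_second),
        "8 random characters from [A-Za-z0-9]": days_to_exhaust(62 ** 8, guesses_per_second),
        "5-word passphrase from a 7776-word list": days_to_exhaust(7776 ** 5, guesses_per_second),
    }
```

The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") gives PSK f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e, which the function reproduces.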

4. Inside the Network/Router
So say the attacker simply logged in to your router because you have no encryption, or because he cracked your WEP key; he can now see all the computers on the network by scanning it with tools such as Nmap:
ifconfig - view internal IP
Ex. "192.168.1.65" - usually means he is the 64th client, given that the router/access point is on 192.168.1.1
nmap 192.168.1.0/24 - the "/24" indicates "192.168.1.1 - 192.168.1.255"
or
sudo nbtscan -r 192.168.1.0/24 - scans the local network and shows hostnames
Since the attacker can see everything on the network, they can try to attack individual computers or the router itself, or just capture packets. Once the attacker is on the network, encryption or not, they are physically on the network and can see what you are doing. If they try to access the router, it is very important that you have strong passwords on the router as well. Since the router is usually on 192.168.1.1, attackers can type that into the address bar of their browser and see if there is a router admin page. It is very important to change the default passwords, because an attacker can simply guess or Google the default password. If they still can't get in the easy way, they can try brute-forcing the password with tools such as THC Hydra.

Topics to Read:

http://en.wikipedia.org/wiki/MAC_address
http://en.wikipedia.org/wiki/Wireless_cracking
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
http://en.wikipedia.org/wiki/Packet_analyzer
http://en.wikipedia.org/wiki/Wi-Fi
http://en.wikipedia.org/wiki/IEEE_802.11
http://en.wikipedia.org/wiki/Wireless_security

Saturday, February 11, 2012

How to Spoof Processes

Creating a Fake Process

This can be easily done in plenty of languages; however, I believe it is most easily implemented in Perl: process.pl
#!/usr/bin/perl
use strict;
use warnings;

# Overwrite argv[0]; this is the name ps and top will display for the process
$0 = "Test Process";

# Keep the process alive; wake up once an hour so it never exits on its own
while (1) {
    sleep(3600);
}
The "$0" is equivalent to "argv[0]" in C and other languages: you can simply change the name the running application shows. The loop keeps the process running. You can run your own spoofed process from the command line with:
perl process.pl &
The "&" tells Linux to run the process in the background.
You can check that the process is running from the command line with:
ps aux | grep "Test"
Example Output:
noname    7769  0.0  0.0  25084  1696 pts/0    S    15:19   0:00 Test Process
noname    7771  0.0  0.0  14560   892 pts/0    S+   15:19   0:00 grep Test
To kill the process via the command line:
kill 7769
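From the defender's side, the trick above changes what ps aux prints (argv, and on modern perls the comm name too) but not where /proc/PID/exe points, because the kernel sets that link at exec() and the process cannot rewrite it. The following is an added example, not code from the original post: a Python check over /proc that flags processes whose displayed name does not resemble the binary they run. The ProcInfo record, the matching heuristic and the sample records are this example's own constructions.

```python
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcInfo:
    pid: int
    exe: str            # /proc/PID/exe target: set by the kernel at exec(), not rewritable from userland
    comm: str           # /proc/PID/comm: 15-char task name, settable via prctl(PR_SET_NAME)
    cmdline: List[str]  # /proc/PID/cmdline: argv, the text ps aux shows and the text $0 overwrites


def _names_agree(claimed: str, real_exe: str) -> bool:
    """Heuristic: 'python3' vs 'python3.11', or a login shell's '-bash' vs 'bash', agree."""
    claimed = os.path.basename(claimed).lstrip("-")
    real = os.path.basename(real_exe)
    return bool(claimed) and (claimed.startswith(real) or real.startswith(claimed))


def is_spoofed(p: ProcInfo) -> bool:
    """True when argv[0] does not resemble the binary that is actually running.
    Daemons that retitle themselves ('sshd: user@pts/0') still begin with their own name
    and pass; multi-call binaries such as busybox are a known false positive."""
    if not p.cmdline or not p.exe:
        return False  # kernel threads and zombies have no argv and no exe link
    return not _names_agree(p.cmdline[0], p.exe)


def describe(p: ProcInfo) -> str:
    comm_note = "comm also changed" if not _names_agree(p.comm, p.exe) else "comm still honest"
    return f"PID {p.pid}: shows as {p.cmdline[0]!r} but runs {p.exe} ({comm_note})"


def read_proc(pid: int) -> Optional[ProcInfo]:
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]
    except OSError:
        return None  # process exited, or the exe link is unreadable for another user's process
    return ProcInfo(pid, exe, comm, cmdline)


def scan_processes() -> List[ProcInfo]:
    """Walk /proc and return the processes whose displayed name disagrees with their binary."""
    if not os.path.isdir("/proc"):
        return []  # not Linux, or /proc not mounted
    pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    return [p for p in map(read_proc, pids) if p is not None and is_spoofed(p)]


if __name__ == "__main__":
    for proc in scan_processes():
        print(describe(proc))
```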

Monday, February 6, 2012

How to hack the Facebook for Android App

Source Code
I always liked to poke around at things to see how they worked. A while ago I wanted to look inside some of my favorite apps such as the Facebook for Android app:

This is old; however, we felt like making a video. So please comment and add helpful suggestions. And there is more than one way of doing this.

Decompiling *.apks using Dex2Jar and viewing the compiled *.class files in JD-GUI
Tools:
Dex2Jar - http://code.google.com/p/dex2jar/
JD-GUI - http://java.decompiler.free.fr/?q=jdgui
ApkTool - http://code.google.com/p/android-apktool/

Need:
com.facebook.katana.apk

sh dex2jar.sh com.facebook.katana.apk
 - dumps the compiled Java *.class files, creating com.facebook.katana_dex2jar.jar
./jd-gui
 - finally, run jd-gui and open com.facebook.katana_dex2jar.jar
For the resources, use apktool:
./apktool d com.facebook.katana.apk
 - this will dump the source files, the XML and images

Dex2Jar is a very powerful tool that dumps the compiled Java *.class files into a jar, and JD-GUI can then easily read those *.class files. From here you can read the source code and do whatever you would like.
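Both this post and the "How to Reverse Engineer Android Malware" post above hand an APK's classes.dex to dex2jar. As an added example (not code from either post, nor from dex2jar), here is the header check a practitioner runs first, since a damaged or deliberately malformed header is a common reason a sample refuses to decompile: for every .dex inside the zip it verifies the magic, file size, header size, endianness, Adler-32 checksum and SHA-1 signature. The APK and the dex blobs it contains are constructed here; build_dex produces a correct header in front of an opaque body, not a loadable class file.

```python
import hashlib
import io
import struct
import zipfile
import zlib
from typing import Dict, List

DEX_HEADER_SIZE = 0x70       # fixed header that precedes the string/type/method tables
DEX_ENDIAN_TAG = 0x12345678  # value stored by little-endian (normal) dex files


def parse_dex_header(dex: bytes) -> Dict:
    """Validate the header fields dex2jar trusts before it converts the file.
    Layout: magic[8] = 'dex\\n035\\0', adler32 u32, sha1[20], file_size u32,
    header_size u32, endian_tag u32, then 17 u32 table sizes/offsets."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    magic = dex[:8]
    if magic[:4] != b"dex\n" or magic[7] != 0:
        raise ValueError(f"not a dex file, magic={magic!r}")
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    problems: List[str] = []
    if file_size != len(dex):
        problems.append(f"file_size {file_size} != actual {len(dex)} (truncated or appended)")
    if header_size != DEX_HEADER_SIZE:
        problems.append(f"header_size 0x{header_size:x} != 0x70")
    if endian_tag != DEX_ENDIAN_TAG:
        problems.append(f"endian_tag 0x{endian_tag:08x}")
    # The checksum covers everything after itself; the signature everything after itself.
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        problems.append("adler32 checksum mismatch: edited after build")
    if hashlib.sha1(dex[32:]).digest() != signature:
        problems.append("sha1 signature mismatch: edited after build")
    return {"version": magic[4:7].decode("ascii"), "file_size": file_size, "problems": problems}


def triage_apk(apk_bytes: bytes) -> Dict[str, Dict]:
    """An APK is a zip; check every classes*.dex it carries (multidex apps have several)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: parse_dex_header(zf.read(name))
                for name in zf.namelist() if name.endswith(".dex")}


def build_dex(body: bytes, version: bytes = b"035") -> bytes:
    """Constructed minimal dex: a correct header in front of an opaque body. Used only
    to manufacture the sample APK below; it is not a loadable classes.dex."""
    tail = struct.pack("<III", DEX_HEADER_SIZE + len(body), DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    tail += b"\0" * (DEX_HEADER_SIZE - 32 - len(tail)) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + tail


def sample_apk() -> bytes:
    """Constructed APK: a clean classes.dex and a classes2.dex whose last byte was flipped."""
    good = build_dex(b"\x11" * 64)
    bad = bytearray(good)
    bad[-1] ^= 0xFF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        zf.writestr("classes.dex", good)
        zf.writestr("classes2.dex", bytes(bad))
    return buf.getvalue()
```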

Wednesday, February 1, 2012

How to capture packets using Wireshark/Aircrack/TCPDump

Capturing Packets
Analyzing packets is very important in order to see where your data is being sent and received. Here are some good tools and commands to get you going:

Wireshark: www.wireshark.org/
Install: sudo apt-get install wireshark
Different filters:
port 80
http contains msg_text
ip.addr == 192.168.2.8
ip.dst == 192.168.2.8
ip.src == 192.168.2.8
tcp.port == 80 || http
http.request.method == "GET"
http.request.method == "POST"

Aircrack suite: www.aircrack-ng.org/
Install: sudo apt-get install aircrack-ng
Different examples:
sudo airmon-ng start wlan0
sudo airodump-ng mon0 -w OUTPUTFILE

Analyzing Packets:
TCP Dump: www.tcpdump.org/
Install: sudo apt-get install tcpdump
Different examples:
tcpdump -ttttnnr tcp_dump.pcap
tcpdump -qns 0 -A -r blah.pcap
tcpick -C -yP -r tcp_dump.pcap
tcpdump -qns 0 -A -r tcp_dump.pcap
tcpdump -qns 0 -X -r tcp_dump.pcap
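The filter expressions listed above, implemented over a constructed capture as an added example (not part of the original post): a minimal libpcap reader that decodes Ethernet/IPv4/TCP and the HTTP request line, then applies the post's display filters as predicates. Addresses, ports and payloads are constructed; only the classic little-endian pcap format (not pcapng) is handled, and checksums are not verified.

```python
import struct
from typing import Callable, Dict, List, Optional

def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame. IP and TCP checksums stay zero; this reader
    never verifies them (Wireshark would mark them as bad)."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ipv4 + tcp + payload

def build_pcap(frames: List[bytes]) -> bytes:
    """Constructed libpcap file: little-endian magic, version 2.4, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_328_054_400 + i, 0, len(frame), len(frame)) + frame
    return out

def decode_frame(frame: bytes) -> Optional[Dict]:
    """Ethernet -> IPv4 -> TCP -> HTTP request line; None for non-IPv4 frames such as ARP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    pkt = {"ip.src": ".".join(map(str, frame[26:30])),
           "ip.dst": ".".join(map(str, frame[30:34])), "ip.proto": frame[23]}
    if pkt["ip.proto"] != 6:
        return pkt  # UDP/ICMP: no tcp.* or http.* fields to filter on
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    pkt["tcp.srcport"], pkt["tcp.dstport"] = struct.unpack_from("!HH", tcp, 0)
    pkt["payload"] = tcp[(tcp[12] >> 4) * 4:]
    first_line = pkt["payload"].split(b"\r\n", 1)[0]
    pkt["http.request.method"] = None
    if first_line.endswith((b" HTTP/1.1", b" HTTP/1.0")):
        pkt["http.request.method"] = first_line.split(b" ", 1)[0].decode("ascii", "replace")
    return pkt

def parse_pcap(data: bytes) -> List[Dict]:
    """Walk the 24-byte global header and each 16-byte record header."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here (no pcapng)")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        pkt = decode_frame(data[offset + 16: offset + 16 + incl_len])
        offset += 16 + incl_len
        if pkt is not None:
            packets.append(pkt)
    return packets

# The post's display filters, each expressed as a predicate over a decoded packet.
FILTERS: Dict[str, Callable[[Dict], bool]] = {
    "tcp.port == 80": lambda p: 80 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    "ip.addr == 192.168.2.8": lambda p: "192.168.2.8" in (p["ip.src"], p["ip.dst"]),
    'http.request.method == "GET"': lambda p: p.get("http.request.method") == "GET",
    'http.request.method == "POST"': lambda p: p.get("http.request.method") == "POST",
    "http contains msg_text": lambda p: b"msg_text" in p.get("payload", b""),
}

def apply_filter(packets: List[Dict], expr: str) -> List[Dict]:
    return [p for p in packets if FILTERS[expr](p)]

def sample_capture() -> bytes:
    """Constructed capture: a GET, a POST from 192.168.2.8 carrying a chat message in the
    clear (the kind of leak the post warns about), and an ARP frame the decoder skips."""
    return build_pcap([
        build_tcp_frame("192.168.2.20", "192.168.2.1", 51000, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: router\r\n\r\n"),
        build_tcp_frame("192.168.2.8", "192.168.2.1", 51001, 80,
                        b"POST /chat HTTP/1.1\r\nHost: router\r\n\r\nmsg_text=hello"),
        b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,
    ])
```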

Saturday, December 10, 2011

How to hack Facebook accounts with a Phishing Scam

Facebook phishing scam

It's so amazing how easily people's emails and passwords are stolen in a matter of seconds. Phishing scams happen all the time; however, the "frfacebook.fr" phishing scam went on for some time, stealing hundreds of people's account information.

Most phishing scams involve social engineering, in which the attacker must talk the victim into doing at least one step in order to steal their information. Facebook phishing scams are much easier, because Facebook is very social as it is. This particular Facebook scam simply posted the users' credentials in plain text in a text file located on the website.

So, I figured I would create my own to show how easy it really is.
Things you need: a website, HTML, PHP
- extra: the ability to create long subdomains
1. Get the source code of the Facebook homepage:
   curl -s -L facebook.com > index.html
2. Create a sub-domain on your website or buy a domain name
3. I simply created a sub-domain called "facebook.com"
   This sub-domain is prepended to your real domain.
   Ex. facebook.com.(your domain).com
4. Now create Facebook-like folders that resemble a legitimate
   Facebook URL
      I copied how Facebook did the groups folder and numbering.
      Ex. facebook.com.(domain).com/groups/(15 digit number)/
5. The last step is to actually retrieve the data. Since PHP
   is installed on my server, I created a login PHP script called
   "index.php" that takes the POSTs and saves them to a .txt file.
6. In the page source, edit the login form:
   a. change the action to action="/PATH/TO/PHP/SCRIPT/"
      - best to name the script index.php
   b. change the "name" of the email text field to something
      simple, such as "VICTIM_EMAIL"
   c. then change the password field's "name" to "VICTIM_PASS"
7. Make sure you have the "pass.txt" for the dumped passwords in the
   specified directory
8. Script I used (index.php):
In the script above, the header() function redirects to the real Facebook URL I want my victim to land on after I have taken their email and password. This way they believe they were logged out when they clicked the link and will most likely just "sign" back in.

The final result: facebook.com.(domain).com/groups/(15 digit number)/index.php.
Simply give the victim the URL without the "index.php" and check "pass.txt" for the results.
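The lookalike hostnames this post describes (the brand's full domain stacked as subdomain labels of another site, and the "frfacebook.fr" style where the brand name is embedded in an unrelated registrable domain) are what a defender's proxy or DNS log review should catch. The following is an added example, not code from the original post; the brand list, the sample URLs and the example.test domains are constructed, and the registrable domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Brands to protect (constructed list). The registrable domain is approximated as the
# last two labels; production tooling should consult the Public Suffix List instead.
PROTECTED = {"facebook": "facebook.com"}


def registrable_domain(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_reason(host: str) -> Optional[str]:
    """Why host impersonates a protected brand, or None if it does not.
    Pattern 1 is the post's own trick: the brand's domain used as subdomain labels of an
    unrelated site (facebook.com.example.test). Pattern 2 is the frfacebook.fr style: the
    brand name embedded in a different registrable domain."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    sub_labels = host.split(".")[:-2]
    for brand, real in PROTECTED.items():
        if reg == real:
            continue  # genuinely under the brand's own domain, e.g. m.facebook.com
        if any(brand in label for label in sub_labels):
            return f"'{brand}' appears in subdomain labels of unrelated domain {reg}"
        if brand in reg.split(".")[0]:
            return f"registrable domain {reg} embeds '{brand}' but is not {real}"
    return None


def flag_urls(urls: List[str]) -> List[str]:
    """Return 'url -> reason' for each URL whose host looks like a brand impersonation."""
    flagged = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            flagged.append(f"{url} -> {reason}")
    return flagged


# Constructed proxy-log URLs; example.test is a reserved placeholder domain, not a real site.
SAMPLE_URLS = [
    "https://www.facebook.com/groups/123456789012345/",
    "http://facebook.com.example.test/groups/123456789012345/",
    "http://frfacebook.fr/login.php",
    "https://example.test/index.php",
]
```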

Monday, November 21, 2011

How to hack MasteringEngineering with unlimited Attempts

Extra Tries and Answers
Ok, we all have been screwed over by MasteringEngineering because of drawing vectors or simply being a decimal point off. Every time you enter an answer and accidentally get it wrong, it says how many attempts you have left and takes points away each time. I'm sick and tired of this crap.
Go to the Main Page:
http://session.masteringengineering.com/myct/courseHome?start=1

Click on your assignment, the box with all the questions will pop up.

Put your cursor on each link and read the link; there are unique IDs for every problem.

Ex. http://session.masteringengineering.com/myct/itemView?assignmentProblemID=1565835&frame=banner

To "rework" a problem and have unlimited tries until you know how to really work it, copy and paste the URL into the address bar and change the URL from:
http://session.masteringengineering.com/myct/itemView?assignmentProblemID=1565835&frame=banner

to the new URL:
http://session.masteringengineering.com/myct/itemView?assignmentProblemID=1565968&rework=1

The "1565968" problem ID is not unique and can be shared with others doing the same problems.

Thursday, September 8, 2011

How to change your MAC Address

Media Access Control address(MAC)

Linux in General (3 Possible Ways):

sudo ifconfig wlan0 down
- turn the device off
sudo ifconfig wlan0 hw ether XX:XX:XX:XX:XX:XX
- set the MAC you want
sudo ifconfig wlan0 up
- turn the device on

sudo ip addr
- show the current config
sudo ip link set dev wlan0 down
- the link must be down while the address is changed
sudo ip link set dev wlan0 address XX:XX:XX:XX:XX:XX
- set the MAC you want
sudo ip link set dev wlan0 up

sudo pico /etc/network/interfaces
- edit your network devices
- add "hwaddress ether XX:XX:XX:XX:XX:XX" to your device's stanza

After you change your MAC address, run sudo /etc/init.d/networking stop and then sudo /etc/init.d/networking start.

GNU MAC Changer: www.alobbs.com/macchanger
Install: sudo apt-get install macchanger

macchanger -s wlan0
- shows the current MAC on the device

sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0
- set the MAC you want (bring the interface down first)

You might want to add a script to /etc/rc.local to automatically change your MAC address every time you boot.

Monday, August 29, 2011

How to hack Scribd to download documents for free

How to download documents for free
I was looking at an online document that SOMEONE ELSE UPL0ADED and it was very helpful, so I wanted to download it. Scribd, however, wanted to charge a daily fee of around $5 to download the content, when it clearly says someone uploaded it.

Here was the document that I wanted: http://www.scribd.com/doc/90924585/The-Dark-Monk-Excerpt-by-Oliver-Potzsch 
For Public IDs (2012):
*document ID* = 90924585

http://www.scribd.com/mobile/documents/*document ID*/
or
http://www.scribd.com/mobile/documents/*document ID*/download
Insert the numeric ID where *document ID* appears.
Sometimes using the first link is better because it creates a download button. It should show a download link.

Update (2/18/12): For Private IDs:

Example URLs:
http://www.scribd.com/doc/39976170/Anthro-2B-Midterm-Study-Guide
http://www.scribd.com/doc/33840335

Right-click > View Page Source > Save As to a document on your computer. *Make sure you do this to get the entire "Generated Source" (I used Mozilla Firefox).

I saved this as "doc.html". Open the file "doc.html" and search for "page.u"; you should see something like "// page.uuid : 3kw800775slntll"
page.uuid = "3kw800775slntll"
Now search for the page.uuid "3kw800775slntll" and you should see something like: "http://html2.scribdassets.com/3kw800775slntll/pages/542-d2422da938.jsonp"

The URL can range from "html1.scribdassets.com" to "html4.scribdassets.com".

Here is a simple Linux Bash script to download the images:
Make SURE you change *page.uuid* to your page.uuid.
grep pages doc.html | cut -d/ -f6 | cut -d. -f1 | grep -vi scrib | while read -r ID; do wget "http://htmlimg1.scribdassets.com/*page.uuid*/images/$ID.jpg"; done
Once you find the page.uuid, you substitute it into the URL: "http://htmlimg1.scribdassets.com/*page.uuid*/images/$ID.jpg"

Update (2/25/12): For Protected (Preview) IDs:

When there are previews on Scribd, they are trying to sell a document and only allow users to view select pages. Downloading these would be illegal, and the script above only downloads the images of the "protected" documents.

Monday, July 18, 2011

How to hack WebAssign for eBooks

If you use WebAssign, sometimes they give you a "Read It" button which shows the section of the book. However, you might be able to read any part of the book.

If the URL looks like:
https://www.webassign.net/v4cgi/extra/bc_enhanced/index.tpl?asset=read_it&asset_url=/bc_enhanced/SerPSE8_w_player/read_it/serpse8.32.02.swf&UserPass=

Change the "serpse8.32.02" part of the URL.
The "32" is the chapter and the "02" is the section number:
chapter.section

Saturday, June 4, 2011

How to Hack WebAssign's Watch It

If you use WebAssign, sometimes they give you a "Watch It" button, which is very helpful. However, you might be able to find the Watch It for more than just the problems they give you.

If the URL looks like:
http://www.cengage.com/physics/book_content/1439048622_serway/SerPSE8e_w_player/SerPSE8e_21_033.html

or

http://www.webassign.net/v4cgi/extra/bc_enhanced/index.tpl?asset=watch_it_player&asset_url=/bc_enhanced/SerPSE8_w_player/SerPSE8_25_033.html&UserPass=

Change the "SerPSE8_21_033.html" part of the URL.
The "21" is the chapter and the "33" is the problem number.