Display results as :
Advanced Search

Latest topics
Call Of Duty IWSun Apr 30, 2017 12:43 amNate
A Brief Hacking IntroSat Apr 29, 2017 11:03 amAdmin
Request Hacking Tutorials HereSat Apr 29, 2017 10:11 amNate
New GTA CarsSat Apr 29, 2017 10:10 amNate
Selling Instagram TurboSat Apr 29, 2017 10:08 amNate
Sell/Trade @H**liganSat Apr 29, 2017 10:07 amNate
Selling 2 kiks and an @Sat Apr 29, 2017 10:05 amNate
@Memcmp's Spam Bot (Project X)Mon Apr 24, 2017 1:53 pmNate
Selling OGS Kiks Mon Apr 24, 2017 1:52 pmNate

View previous topicGo downView next topic
Posts : 2
Points : 1552
Reputation : 6
Join date : 2017-04-24
View user profile

A Brief Hacking Intro

on Mon Apr 24, 2017 7:45 pm
Message reputation : 100% (1 vote)
{ A Brief Hacking Intro ]
A breif introduction to the art of hacking for beginners

Table of Contents:

0x0a/ What's hacking?
0x0b/ JavaScript Tampering
0x0c/ Intro Web Hacking Techniques
0x0d/ Intro Cryptogrgraphy
0x0e/ Outro

--> 0x0a [What's Hacking] <--

To commence, the term “hacker” varies, everyone's definition can marginally be different. Hacking is prominent to as breaking into computer systems and/or websites, messing it all up. Sure, that could be your definition if that what you genuinely believe hacking is to you. Hacking isn't categorically defined, look over the decades, it's perpetually transmuting. People form terms like “hacker” to define their personal style.

However, there are many people who would label themselves of the term “hacker” when it's clear that they don't even comprehend any skills, not even fundamentals. This is reference to the term prominent as “script kiddie”. To get straight to the point, a script kiddie is someone who utilizes other hackers/developers public resources(exploits, implements/programs) without kenning what's going on in the background, genuinely kenning how to develop/comprehend.

Some of these script kiddies will utilize these resources to gain fame from other hackers, you may have seen the many defacements(e.g “Hacked By The Script Kidster “) script kiddies will do, not saying that defacements make you a script kiddie, but many Script Kiddies will depend on public shells(e.g, c99, r57).

Anyhow, there are many other people who feel as if they are a hacker by their lifestyle, many people these days get into hardware hacking, life hacks, or someone who has ingenious quandary solving and out-the-box circumscriptions in a non-malignant way. No matter your views, this guide is a good read.

--> [JavaScript Tampering] <--

The internet has always used HTML, developing & viewing  web pages. Of course, being human we eventually got bored, we got tired of the plain HTML web pages came up with something called JavaScript. An incipiently developed web scripting for 1337 webdevs 🆒 commenced pimping up their web pages. JavaScript sanctioned many things, it opened the gates for people to interact with web pages. Back then, JavaScript then accommodated onto be composed as authentication(until they realized how erroneous they were Sad ), they suddenly realized how facilely JavaScript auth forms could be exploited.
I could go in depth with this but this is just an brief prelude, an example of JS auth form would be such as this;
 function cancer(form)
  if (form.username.value == "admin" && form.password.value == "rootme")
  location = "auth.php?username=admin&password=rootme"
} else {
  alert("Wrong Pass 0.0");
} else {
  alert("Wrong Username 0.0");


So secure :dodgy: huh? Not at all...Hopefully no one authentically does this anymore. A right click --> View Source easily gains someone access to the credentials, or if they(1337 webdev) it's so secure just to tuck it away in a directory & embed via script...but then you can just visit the URL containing the js file. I wouldn't really call this hacking, but now you can visually perceive how insecure it was soon known to be..There is many other JS scripts I could provide as examples but I believe you can see this. I'll be going more in depth in the future.

--> [Intro Web Hacking Techniques] <--

### Defintions ###
# LFI(Local File Inclusion)- To include files that are locally present on the server through exploiting vuln inclusion, #input is not properly sanitized, allowing directory transversal to be performed.
# RFI(Remote File Inclusion)- To include files through exploiting vuln inclusion, an input is not properly sanitized #and allows external URLs to be injected.
# XSS(Cross-Site Scripting)- Malicious scripts injected into vuln inputs. Mulitple types of XSS attacks, but a #possibile attack can effect website vistors.
# SQLi(SQL Injection)- involves insertion or "injection" of a SQL query via input data from client to application. #Successful SQLi can retrieve sensitive data from the database, modify database data, etc.
# Directory Transversal- Allows access to files out of intended directory.
# FPD(Full Path Disclosure)- Enables an attacker to see the path to the webroot file(e.g. /home/www/htdocs/file/)
### END ###
Okay, we have all seen those defacemnts(as I verbalized of earlier), infelicitously script kiddies think their 1337 anonymoose hackers because they utilize public web shells developed by someone ELSE. The individuals who depend on web shells are script kiddies, if that's you, learn something :huh: .

Though, there are those who authentically ken the works...possibly deface them through other denotes such as LFI/RFI, XSS(Cross-Site Scripting) and of course SQL Injection(Structured Query Language Injection).

*** File Inclusion ***
File Inclusions tend to start from vulnerable PHP

This could either result to LFI or RFI, the php code accepts anything provided to the variable "site" and will attempt to execute/load onto the page.  Let me explain it a little;

You've most likely seen URLs constructed something like this. Utilizing directory transversal and FPD(Full Path Disclosure) can possibily help you in LFI attacks.
Possibily adding a backtrack may result to DT.[]=info.php
Warning function(array) [function.function]: failed to open stream: No such file or directory in /home/hosting/domains/website/data/index.php

//LFI & DP

Now, you can try accessing files you wouldn't have privelages(LFI) to, since we are forcing the server to request them.\\

// RFI

RFI isn't to much different, instead of accessing local files, you'll be making the server read a remote file.

*** XSS ***
Time to expound XSS or known as Cross-Site Scripting. This exploitation method majority of the time, is injection of JavaScript & HTML/CSS into a page where it will be executed. In most cases, it is utilized to purloin cookie data to perform session hijacking, user redirects(-->phishing), much more.

There are 3 types of XSS:

Stored XSS(Sedulous)- Malicious input is stored on the server, as in database, message form, logs, comments, etc. The Attacker can retrieve stored data from web app, additionally attack payloads could be sempiternally stored in victims browser

Reflected XSS(Non-Assiduous)- Malicious input is returned by a web app in error, search result, or any other replication that includes some input provided by user for a request made to render the browser, without permanently storing user data provided.

DOM Predicated XSS-DOM Predicated XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser

The result of an XSS Susceptibility can lead to user session information, information such as keystrokes, browser payloads, phising, and much more. HTML & JavaScript can be utilized in an XSS attack. HTML sanctions placing fake input data, page data showed via iframe tag, redirect users with HTML meta refresh, much more. JavaScript is prominent & used within XSS attacks, more popular approaches would be; retrieving document cookies to get the utilizer session information(Session Hijacking),EventListener can target utilizer's interactions(e.g, Keyboard,Mouse), there is an illimitable amount of things you can do. Your ingeniousness is the constraint.

**HTML 1337 Search**
<title>1337 Search</title>

 <form method="get" action="search.php">
 <input type="text" name="search" size="25" />
 <input type="submit" class="button1337" value="Submit" />


**PHP Search.php**
echo $_GET ['search'];

I'll use this as an example, assuming the script is stored on the server if we typed root in the search it'll return;

It'll result to show rooted, now let's try injecting someone JavaScript instead;

<script>alert("ROOT ME");</script><script>alert("ROOT ME");</script>

This will let us know if it's vulnerable or not, it will pop up "root me".
If there is no popup, don't worry that means the website probably uses techniques to filter requests to avoid the XSS. There's many ways to bypass these filters, such as maguc qoutes bypass, hex encoding, obfuscation. I won't be going indepth with everything, as this is just an introduction.

**Magic Quotes Bypass**
There is a setting in PHP.ini called "magic_qoutes_gpc", if turned on it causes ebery ',",\ to be escaped with a backslash automatically. It helps avoid XSS flaws, but still exploitable.

When it's "ON" you can use a JavaScript function called String.fromCharCode(), convert your text in decimal characters and utilize it in handling.
Utilizing "root me" without quotes will result:
String.fromCharCode(114, 111, 111, 116, 32, 109, 101)
<script>alert(String.fromCharCode(114, 111, 111, 116, 32, 109, 101));>/script><script>alert(String.fromCharCode(114, 111, 111, 116, 32, 109, 101));>/script>

**Hex Encoding**
Hex encoding can be useful, Utilizig this will encode your script, on first site you can't look to see what the code will cause.
<script>alert("ROOT ME");</script>

That's all we will get into with XSS for now Smile .

--> [Cryptography] <--

I'm going to give a brief introduction to Crypto, there are many encryption methods I'm going to go over the few mundane ones.

You maysee many of these hashes coming across databases with passwords, or even messages may be hashed. Many forms of hashes can facilely be converted, if not you have to crack the hash via brute force attack(upon many other things).

There are variants of encryptions; Symmetric Encryption(1Key) & Asymmetric Encryption(2Keys). Then hashes are 1 way encryptions.

I'll only be going over Hashes in this prelude.

** Hashes **
Hashes are one-way encryptions. Either a message or password is encrypted where it can't be inverted or unencrypted. You may be wondering, what's the cogency of having something that can't be unencrypted. Well, Each text is encrypted that engenders a unique hash. Hashes are(mostly) at a fine-tuned length(e.g, MD5 always 32 chars).

Popular encryption methods are:
AES(Advanced Entyption Standard)
DES(Data Encryption Standard)
RSA(Name of the creators)
MD5(Message Digest -5)
SHA-1(Secure Hash Algorithm)

I'll be making future threads to go indepth in crypto for you.

--> [Outo] <--

Outro, don't be a script kiddie. I hope this gave you insight, I'll probably be updating this often  for a couple days. I indited this up expeditiously to provide everyone with a brief introduction into Hacking, I could indite up pages & pages, but this is just a start of your path. I'll be going in depth with ENORMOUS amounts of areas within hacking including; Anonymity & Security, WebDev/Scripting, Web Exploitation, Social Engineering, Linux/Unix Exploitation, upon much more to come.

- Christos
Admin Of This Site
Admin Of This Site
Posts : 9
Points : 10001656
Reputation : 1
Join date : 2017-04-14
Age : 27
Location : Russia
View user profile

Re: A Brief Hacking Intro

on Sat Apr 29, 2017 11:03 am
Nice Introduction. You're rep will go up because of this. <3
View previous topicBack to topView next topic
Permissions in this forum:
You cannot reply to topics in this forum