HACKING TRICKS !

1 . Are Android App Lockers really Secure ?

Android has been a common target for Exploit Community . This Post describes how a few simple steps can be taken to bypass the App Locker .

App Lockers are used by most of us to protect our Androids from unwanted or unauthorized access of our personal information. If you do a quick search of the phrase “app lock” in Google Play Store you will find lots of application provide facility to protect individual and multiple application. But with few steps anyone can bypass the same:

 Here is the steps :

Step 1.  Install any App locker from play store.

 Step 2.  Provide password to the similar App locker.

Now the application protected with app locker require password of app locker. Now perform the following steps to bypass the app locker password.

Step 3.  Now go to setting

Step 4.  Then Application

Step 5 :Select your App Locker.

Step 6.  Now click on Clear data button.

Step 7.  Now click on Force stop button.

Step 8. Finish

Now open any application which is protected with app locker without credential.

This technique has been sitting right under your nose for so long . This is not a vulnerability in Android or the App locker . This is just a trick to show you that you must not completely rely on App Lockers and set a strong Password for your Android Screen Lock as well.

2. GoPhish : Open Source Phishing Toolkit

Everyone needs to conduct phishing attacks to see the organisation’s defence against Phishing during a penetration test . Here is an Open source Solution : GoPhish. 

Gophish is an open source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set-up and execute phishing engagements and security awareness training.

What is Gophish?

Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead-simple. The idea behind gophish is simple – make industry-grade phishing training available to everyone.

“Available” in this case means two things –

• Affordable – Gophish is currently open-source software that is completely free for anyone to use.
• Accessible – Gophish is written in the Go programming language. This has the benefit that gophish releases are compiled binaries with no dependencies. In a nutshell, this makes installation as simple as “download and run”!

The idea of a phishing simulation platform isn’t new. Let’s take a look at some of the features that really set gophish apart and make it awesome.

Hosted On-Prem

There are many commercial offerings that provide phishing simulation/training. Unfortunately, these are SaaS solutions that require you to hand over your data to someone else.

Gophish, an Open Source Phishing Toolkit is different in that it is meant to be hosted in-house. This keeps you data where it belongs – with you.

GoPhish  Phishing Toolkit

Installing Gophish Using Pre-Built Binaries

Gophish is provided as a pre-built binary for most operating systems. With this being the case, installation is as simple as downloading the ZIP file containing the binary that is built for your OS and extracting the contents.

To install gophish, simply run

go get github.com/gophish/gophish

This downloads gophish into your

$GOPATH.

Next, navigate to

$GOPATH/src/github.com/gophish/gophish

and run the command

go build

This builds a gophish binary in the current directory.

Running Gophish

Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located. Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use toconnect to the web interfaces.

 $ ./gophish
 worker.go:34: Background Worker Started Successfully - Waitingfor Campaigns
 models.go:64: Database not found... creating db at gophish.db
 gophish.go:49: Admin server started at http://127.0.0.1:3333
 gophish.go:51: Phishing server started at http://0.0.0.0:80

Enjoy !!

#To be used only for Authorized Penetration Testing .

How to Watch Security Cameras on the Internet : Camera hacking is not very new for hacker community . Due to mis-configuration in the Camera security , the cameras that can be accessed over the internet can be viewed by anyone without any Authentication . Though there is no real hacking in this but its somewhat nice to explore .

I would use this to explain the necessity of security configuration for IP cams . The Cams that have been used to provide the security , are now accessible to anyone without any authentication , and have become the biggest security Loophole.

The hacking tutorial section is now full of useless threads,The worst of all most of them are questions and other shits.
So yeah here i am writing a new tutorial trying to make this section back to what it used to be.

====================
Pro Tip :

Secure yourself before doing this.

This is Purely for Educational Purposes and Dangerous . Don’t Access Password Protected Cameras
====================

3. How to Watch Security Cameras on the Internet :

1-Open your browser.
2-Go to http://www.google.com
3-Copy paste a code and put it in google click enter and bam you will get some cameras by clicking on the search links .

Here I have accumulated a list of Google Dorks that can be used to explore some of the IP cams that can be accessed Online without any Authentication .

inurl:/view.shtml
 intitle:”Live View / – AXIS” | inurl:view/view.shtml^
 inurl:ViewerFrame?Mode=
 inurl:ViewerFrame?Mode=Refresh
 inurl:axis-cgi/jpg
 inurl:view/index.shtml
 inurl:view/view.shtml
 liveapplet
 intitle:liveapplet
 allintitle:”Network Camera NetworkCamera”
 intitle:axis intitle:”video server”
 intitle:liveapplet inurl:LvAppl
 intitle:”EvoCam” inurl:”webcam.html”
 intitle:”Live NetSnap Cam-Server feed”
 intitle:”Live View / – AXIS 206M”
 intitle:”Live View / – AXIS 206W”
 intitle:”Live View / – AXIS 210″
 inurl:indexFrame.shtml Axis
 intitle:start inurl:cgistart
 intitle:”WJ-NT104 Main Page”
 intitle:snc-z20 inurl:home/
 intitle:snc-cs3 inurl:home/
 intitle:snc-rz30 inurl:home/
 intitle:”sony network camera snc-p1″
 viewnetcam.com
 intitle:”Toshiba Network Camera” user login
 intitle:”i-Catcher Console – Web Monitor”

Here is a Screenshot  :

How to Watch Security Cameras on the Internet

You can modify these dorks as per your needs during a penetration test on an organisation . Consider when you might be doing Penetration testing for a Bank or a multinational that has lots of IP cameras with remote access over internet enabled , this might be the First Loophole to report .

So friends you enjoyed our tutorial “How to Watch Security Cameras on the Internet” .. If yes don’t forget to say thanks.

4. Best Extension Spoofing Technique Tutorial

Ultimate Extension Spoofing Tutorial. NO DOWNLOADS required !! NO external Tool Needed !! Change the extension of your .exe to .pdf .docx , .mp3 !! Real Method ….. !!

This tutorial will show you how to make your .exe (or .com/.scr) files look like .jpeg/.mp3 or any other filetype (my favourite is .pdf and .docx)!

By normally changing the extension to e.g .mp3, will corrupt your file, but with this exploit your file will still be executable!

Also this is no FUD tutorial . This is just a technique to spoof the extension using the loopholes in windows .

Here is a Step by Step Tutorial : 

Extension Spoofing Tutorial

Step 1 : First of all you need the .exe file you want to spoof the extension of . Let this file be resume.exe 

There is no limit that this file must be an .exe . It can also be a resume.scr or resume.com . This technique will work as you want it to . Using this technique you will be able to spoof any extension available on the windows platform to any other extension .

Step 2 : Now lets start the real spoofing extension .

Open the windows Character map by going to start as shown in the Image.

Extension Spoofing Tutorial -1

Step 3 :The next thing we need to here is to scroll down and find the “U+202E: Right-To-Left Override”character:

Refer to the image in case of any confusion . This might be time taking to find for some but if you read the image carefully then you might find this char set easily .

Extension Spoofing Tutorial -2

Step 4 :Now choose to rename your file, and paste the copied character right before the “.scr” (press ctrl+v to paste)

Now exe is same as exe when we apply the char set due to obvious reasons . So I have taken the example of .scr file . This technique works for exe the same way .

Step 5 :Then type “3pm” (without the ” “) and press Enter. Now it should look like this:

resume by RCS.mp3

Done …. That simple to spoof the extension . So you no longer need to pay for extension spoofers now !!!

This is the Simplest Extension Spoofer !!

This is a Free give away technique for penetration testers and ethical hackers purely for educational purposes . Do not Misuse . Hope you all have enjoyed Extension Spoofing Tutorial

How TO Use Whats App Without Phone Number ?

How to use WhatsApp without any Phone Number ? WhatsApp requires your mobile number in order to create a WhatsApp account, if you don’t want to use your phone number for some reasons, you can still use WhatsApp, send/receive messages from it.

How to WhatsApp without any Phone Number? Well, here are the steps:

1. Uninstall WhatsApp if already installed in your mobile phone but you can keep WhatsApp images/video files.
2. Download and Install WhatsApp again.
3.  Block your message service by simply shifting to flight mode. Now, open WhatsApp and add your number to it. So, it will not able to send message to server and verify your mobile number.
4. As verification is still incomplete and messages are blocked, Whatsapp will ask you to choose alternative method to verify. Choose ‘Verify through SMS’ and enter your email address. Click ‘Send’ and without waiting for a second, click ‘Cancel’. This terminates the authorization process.
5. Now, you are required to spoof message. Install Spoof Text Message for Android and    Fake-a-Message for iPhone.
6. Go to your Outbox -> Copy the message details to spoofer app -> Send it to spoofed verification.
7. Use these details in your spoofed message: To: +447900347295 From: +(Country code)(mobile number) Message: Your email address
8. A message will be sent to that spoofed number and you can now use this number to connect with friends.

Thank you :)

4. View Hidden Files Created by Malware

Malware infects almost everyone at some point . The malware can be in any form : a Trojan , a Virus . a Worm etc . What files a malware will create and with what attributes completely depends on the Malware family and its behavior . Sometimes there are difficulties in locating the files created / dropped by the malware after the computer has been infected . Well to locate these dropped files , no geeky stuff needs to be done . Here is a Simple Trick :

Requirements :

Command prompt : The command line interpreter built into windows itself . All you need for this tutorial is command prompt .

Tutorial :

In this tutorial for the sake of Simplicity lets take an infected USB and try to clean it . The same method applies to other drives of your computer as well . Take a Screenshot of the files in the USB drive so that latter we know what hidden files we have discovered .

Open Command prompt  ( preferably run as Administrator )

attrib -H -S E:\* /S /D

Description of the Command :

attrib : Displays or changes file attributes.

– : Clears an attribute.

H : Hidden file attribute.

S : System file attribute.

E:\* : Drive of the USB with * as wildcard that means process all files.

/S : Processes matching files in the current folder and all sub folders.

/D : Processes folders as well.

The files that you see now in the USB drive are the files created with a Hidden and System attribute by the Virus quiet commonly . Also there is no reason why one would have files with such attributes on a USB drive , although explicitly done .

What Else can I do to Identify and get Rid of the Virus files :

• Open Process explorer . Monitor what unwanted processes you have running .
• Look for the Processes with similar names to that of the files you have just discovered .
• If needed download the Sys Internals suite of tools for further help . Use the Process monitor in by Sys Internals to analyze the rouge Process .
• Look into the registry for any unwanted startup Entries
• Check Start up configuration of windows using msconfig in Run box.

• Click to share on Facebook (Opens in new window)
• Click to share on Google+ (Opens in new window)
• Click to share on Reddit (Opens in new window)
• Click to share on Tumblr (Opens in new window)
• Click to share on LinkedIn (Opens in new window)
• Click to share on Twitter (Opens in new window)
• Click to print (Opens in new window)

5.How to instantly logout of all active online accounts

Hello Friends, today i am going to share a trick which you can use to instantly logout of almost all active online accounts from famous websites which we regularly use. I recently came accross a website which logouts you from more than 30+ famous sites in a single click. This is really helpful, when you have to close all accounts at a go, so that there will be no risk that you have left something opened on your machine.

Superlogout is a website you can use to instantly logout of all active online accounts.

If you visit a Internet Cafe for surfing, use public Wi-Fi or have this odd habit of logging out of all online accounts at the end of each day. We bring to you a website called Superlogout.

Superlogout which can be visited www.superlogout.com is a great tool for people who surf the Internet using public Wi-Fi or Internet Cafes.

Note: Once clicked, this will log you out instantly from all your online accounts

As soon as you visit Superlogout, it will automatically get to work logging you out of a few dozen major services including Amazon, Google, Netflix, Steam, Tumblr, and YouTube.

Once you’re logged out, the site will display a green “OK” next to each service.

For some reasons the developer of Superlogout has not included Facebook, but it’s a quick way to log out of many sites at once.

THANK YOU!! :D

6.Tips to fix Windows 10 slow boot up issues

Fix Windows 10 slow boot up issues : Microsoft has rolled out windows 10 very recently but lot of users are facing slow boot up issues. Today we will learn how to fix Windows 10 slow boot up issues with simple tips and tricks.

Step 1: Run a thorough antivirus scan 

I would advise you to update your antivirus and scan your PC thoroughly. Most you would have performed an upgrade from Windows 7 or 8 to Windows 10. So, there are chances that older malicious programs and virus could be the reason behind Windows 10 slow boot-up issue.

Step 2: Disable software and services from Startup 

open the Task Manager by using the famous Ctrl, Shift and Esc – or by right-clicking on the Task Bar.

In the Task Manager, click on the Startup tab and disable the items with Highrating in the Startup impact rating.

However, you are advised to keep your antivirus software enabled.

Note that you can disable your Nvidia and AMD graphics driver from the startup without affecting the graphics performance of yours system.

Step 3: Enable FastStartup 

In Windows 10, Microsoft enables the fast boot-up option and shutdown times using the special Hybrid Startup and Shutdown option. These options put the system into hibernation state and fixes the Windows 10 slow boot-up issue.

To make this change, you can either ask Cortana to “Open power options“- or you can launch the Control Panel and then head to the Power Options. 

Under the Power Options, click on  Choose What The Power Button Does from the left-hand side, then click Change Settings That Are Currently Unavailable.

Now you will be greeted with the list of options that were previously hidden. Here tick on the checkbox that says Turn On Fast Startup and save the changes.

Step 4: Use the Delayed Start for services

After step 3, restart your Windows 10 PC and press Windows Key+R to reveal the Run box.

Here type services.msc and hit Enter.

This will open a list of services that you need to scan to find the services that seem to be causing the Windows 10 slow boot-up issue.

Right-click on those, open them, and change the setting from default to delayed start. Now, click save and exit the window.

This is it. Now you can restart your PC to witness a lot faster boot-up.

Thank You!! [J-BOY] :)

7.Remove all empty folders from your computer

Most of our users have requested us about how to improve performance of system. Today i will share a way to improve system performance. Today we will learn how to remove all empty folders from your computer. Why do you wanna have empty folders for no use? They only degrade performance by adding additional load to indexing.

You can download software if you are tired to search and remove all empty folders. This program does a great job by deleting all empty folders and saving our time.

The software scans the computer for empty folders and also provides results in tree format, we can even analyze icon description as well as a color description (example:red: will be deleted, blue: protected and gray: will not be deleted)

Step1: Download, install, and run Remove Empty Folders.

Step2: Now click Browse… button and specify the target location

Step3: Click Scan button and wait for couple of seconds (depends upon our computer speed)

Step4: On right side of the software you can see the list of empty folders

Step5: Right-click on a folder to Open in Explorer, Protect or Add to Ignore list 

Step6: Click Delete folders to delete all the empty folders.

You can also skip the directories or ignore the files from the settings dialog :

Block WhatsApp photos from Gallery

Pictures that you receive on WhatsApp are automatically stored in your phone’s Gallery, exposing them to anyone who browses photos on your phone.

In iPhone, go to the phone’s Settings menu>>Privacy>>Photos>>and then uncheck it After that WhatsApp will restrict this.

For Android users it’s a bit complicated.

Using a file explorer app such as ES File Explorer,

Go to WhatsApp’s Images and Videos folders and create a file within each called .nomedia. This will stop Android Gallery app from scanning the folder.

If not download KeepSafe app from the play store and hide the selected pics and videos.

Restrict access to your profile picture

Set profile picture sharing to contacts only>>in the Privacy menu to restrict your WhatsApp profile photo from unknown users and the people who are not in your contacts.

Beware of WhatsApp scams

WhatsApp will never contact users through the app and does not send emails about chats, voice messages, payment, changes, photos, or videos, unless you contact their help and support.

Anyone offering a free subscription, claiming to be from WhatsApp or encouraging you to follow links in order to safeguard your account is definitely a scam and should not be trusted. These links could lead to websites that install malware and spyware or track your personal details.

7.Deactivate WhatsApp if you lose your phone

If you lose your smartphone, immediately activate WhatsApp with the same phone number on a different phone, with a replacement SIM.

One of the basic security measures that WhatsApp takes is that the app can only be used by one number on one device at a time, so by doing so you instantly block it from being used on your old phone. If that’s not possible, WhatsApp can also deactivate your account.

 Keep the WhatsApp app locked

WhatsApp doesn’t offer a built-in password or pin, you can use third party apps like Messenger and Chat Lock, Lock for WhatsApp and Secure Chat if you use an Android phone. This will help you from exposing your private chats, photos and videos from others who steal your smartphone or take it from you.

Hide the ‘last seen’ timestamp

WhatsApp’s much disliked last seen feature can also be disabled, it could help prevent your stalker know what time you were last online.

You can disable or restrict who sees your ‘last seen’ time in WhatsApp’s Profile>> Privacy menu, in Android,

iOS, Windows or Blackberry. However, if you turn it off, you won’t be able to see other users’ ‘last seen’ times either.

 Be careful of what you talk about

You should not share confidential information, addresses, phone numbers, email addresses, bank or credit card details, or passport or other identification details on WhatsApp.

A man in the middle attack could lead to this information being compromised. WhatsApp has introduced end-to-end encryption for its Android users but other platforms are still vulnerable.

That’s all for today! We will discuss more whatsapp tips and tricks in future articles.

8.Immediate Self Destruction On Kali Linux in Emergency

Vanshit Malhotra August 22, 2015 Hacking Tricks, Penetration Testing, Security Tips, System Hacking

During a penetration test , one needs to download and store the confidential data related to an organisation . Kali Linux comes with an Option to be Installed with full disk encryption .Hence its advisable to have a full disk encryption enabled on the Kali Linux machine in order to protect the sensitive information .

Full disk encryption is easy to setup in Kali Linux. A detailed doccumentation of how to install a Kali Volume with Full Disk Encryption can be found here .

The Kali installer comes with a straightforward process for setting up encrypted partitions with LVM and LUKS. Once encrypted, the Kali operating system requires a password at boot time to allow the OS to boot and decrypt your drive, thus protecting this data in case your laptop is stolen.

One can manage decryption keys and partitions by using the cryptsetup utility.

Nuking  Kali Linux Installation for emergencies 

Often one might need to destroy all the contents of the encrypted hard-drive in certain scenarios to avoid data leakage of sensitive information. Kali linux makers have introduced the option . Kali Linux now allows to gave a Boot Password the would allow the destruction , rather than decryption of the data on your drive .

This is done by adding the  Nuke Password  to the cryptosystem . This Nuke Password when used will delete all the keyslots and makes the data on the hard-drive inaccessible .

The Kali Linux has not yet officially introduce the feature in the version releases and hence one must use this feature at their own risk (hackingloops.com holds no liabilities) .

If you wish to try this feature , the following are the build Instructions .
One can start by running the LVM encrypted installation in Kali Linux and set a Decryption Password . Once this is completed , download the crypto setup package source and apply the Kali Linux patch on it .

Proceed as folllows :

root@kali:~# apt-get source cryptsetup
 root@kali:~# git clone https://github.com/offensive-security/cryptsetup-nuke-keys
 root@kali:~# cd cryptsetup-1.6.1/
 root@kali:~/cryptsetup-1.6.1# patch -p1 < ../cryptsetup-nuke-keys/cryptsetup_1.6.1+nuke_keys.diff
 patching file lib/libcryptsetup.h
 patching file lib/luks1/keymanage.c
 patching file lib/setup.c
 patching file src/cryptsetup.c
 root@kali:~/cryptsetup-1.6.1# dpkg-buildpackage -b -uc

This will build and install the cryptosystem packages in order to get the Nuke option implemented .

root@kali:~/cryptsetup-1.6.1# ls -l ../*crypt*.deb
 -rw-r--r-- 1 root root 149430 Jan 4 21:34 ../cryptsetup_1.6.1-1kali0_amd64.deb
 -rw-r--r-- 1 root root 250616 Jan 4 21:34 ../cryptsetup-bin_1.6.1-1kali0_amd64.deb
 -rw-r--r-- 1 root root 105226 Jan 4 21:34 ../libcryptsetup4_1.6.1-1kali0_amd64.deb
 -rw-r--r-- 1 root root 49580 Jan 4 21:34 ../libcryptsetup-dev_1.6.1-1kali0_amd64.deb
 root@kali:~/cryptsetup-1.6.1# dpkg -i ../libcryptsetup*.deb
 root@kali:~/cryptsetup-1.6.1# dpkg -i ../cryptsetup*.deb

Now that our patched cryptsetup package has been installed, we can go ahead and add a “nuke” key to our setup:

root@kali:~# cryptsetup luksAddNuke /dev/sda5
 Enter any existing passphrase: (existing passphrase)
 Enter new passphrase for key slot: (nuke passphrase)

On any subsequent reboots, you will be asked for the LUKS decryption password each time as usual. If for whatever reason, you were to enter the nuke password, the saved keys would be purged rendering the data inaccessible.