Visit us on Google+

Tuesday, September 16, 2014

How to Hack and Exploit Amazon Cloud Servers Infrastructure

How to Hack Amazon Servers Exploit Clouds


Today you will learn about an app that allows you to perform an exploit at the Amazon Cloud Infrastructure. Letting you understand the cloud computing.

It will allow you to setup an environment to perform fingertrips and exploits to the Amazon API.

For being able to do this in a legal environment you will have to use the nimbostratus-target found here:

nimbostratus-target


This process is better known as pivoting in the amazon clouds. The main propose goals are to have a knowledge about the Amazon EC2:

-Allowing to enumerate access to the AWS services for current IAM role.
-Use a poorly configured IAM role to create a new AWS user.
-Allowing you to extract the current AWS credentials from the meta-data , boto.cfg, the environment variables and more.
-Letting you clone the DB to access the information stored in a snapshot.
-Injecting raw Celery task for a pickle attack.


For example, with a instance meta-data you will be able to get inside this information:

-Local IP Address
-User-data
-Instance Profile: with AWS API credentials.
-The Amazon Machine Images , AMI.


The Amazon EC2 instance will generate a script that will be run by the EC2 instance OS as one of the last booting steps. The script that is also called "user data" will be stored by the AWS in the meta data instancing and retrieved by the OS when boots.

At ubuntu the cloud-init daemon will be responsible from retrieving and running the script.

The user data scripts are the common way to configure the Amazon EC2 instances and the common structure are as follows:


-Base package installation and updating
-Installing the Git Client
-Defining variables such as the source code repository URL, branch and SSH keys.
-Download the app source code used in this instance from the repository.
-Compiling and/or deploying the source code
-Starting the required daemons.


As in most of the cases the repository where the instance app source code is private. the SSH keys are used to access to it.
GitHub, BitBucket and other high range usd source  repositories call these "Deploy SSH Keys". These keys used to access the repository are normally hard-coded into the user data script or stored into an alternate location where the script can download those.

For further information and a full explanation follow the links at the end of the article.

Here you have how to start the setup for this app:

Installation

git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt

Usage
Providing AWS credentials

With some nimbostratus sub-commands it will require you to provide the AWS credentials. You can manage to get those with the following command line arguments:

    --access-key
    --secret-key
    --token , which is only used when the credentials were extracted from the instance profile.

Dump credentials
This identify the credentials available in this host and prints them out to the console. This is normally the first command you have to run after gaining the access to the EC2 instance.

$ nimbostratus dump-credentials
Found credentials
  Access key: ...
  Secret key: ...

After you manage to the the credentials from EC2 instance you've exploited, you are able to
continue to work from any other host with internet access, just remember: The EC2 instances are in many cases spawned for a specific task and then will be terminated.

VERY IMPORTANT: This procedure will extract info from boto's credential configuration sources and from the instance meta-data. If the system uses other libraries to connect to AWS the specific credentials wont be dumped.

For the full usage tutorial follow this link:

Nimbostratus

You can research now for yourself following these links from the authors:

Pivoting in Amazon Clouds ( PDF )


Also feel free to comment about the Amazon Cloud Exploiting tutorial.

By Dustin Greer.

Thursday, September 11, 2014

Manage free security risk simplified for your business website

Free risk security management for webiste business


The security risk management allows you to avoid making the wrong decision for your business website.

This contains a lot of threats as well like potential virus, malware attacks, spywares and a lot of more.

Main problem with the management is most of the times it needs several tools and is also expensive. Most companies pays to professionals a lot of money and also spends in high cost tools to perform this task.

Some of the people that wants to begin with this task fails at the first attempt as not anyone can afford such costs for a risk management, so they just loses this particular task and face a lot of future mistakes and damages to their business.

For this task there is something called SimpleRisk. An unique invention that allows to perform this activites for free. This could sound too good to be true but in fact is a reality.

This app can be utilized in a few minutes allowing you to do tasks such as plan mitigations, submit the risks, facilitate you the management reviews, project planning priorization and  being able to track the regular reviews.

You can configure the app in a really wide range and it also performs a dynamic report with the ability for tweaking risk formulas live. This app is continously updated with more features and you can use it for free, that is what it makes it unique for the field.

You can get it here:

RISK MANAGEMENT SIMPLERISK

Feel free to leave comments about this app.

By Dustin Greer.

RELATED POSTS:

Hack Websites with Hypertext Access Exploit
Hack the web by surfing anonymously showing restricted sites


Tuesday, September 9, 2014

The Definitive Carding Tutorial for beginners


When you never heard about the term "carding" you could think it is about something else, but for the hackers this term means the act of using usable credit cards from other holders. This can be also called a financial data hack.

The Carding needs to follow some rules that im about to explain in this tutorial.
First of all you have to get working credit card details but also sites that allows the carding, means that the site has to be "cardable".

A cardable website is one of those that the payment processor is vulnerable enough that you wont have issues by using someone else credit card to make the payment, you just need the full information from the holder and you are set to go.

Some other sites will have higher security and are the most in quantity nowadays. For those you will need to break and confuse the payment processor making it believe you are the real holder. For doing this properly you have to use a SOCKS5 VPN.

For example, lets say you want to purchase something online and your cc info holder city is Los Angeles, you must use a SOCKS5 VPN from this exact city. This will give you an IP close to the IP from your detail, making the bank issuer believe the real holder is doing the transaction.
If you use common VPN, free or for example the TOR browser you will face a void card at first attempt. Most important websites have the security level to be able to block the credit cards when this is caught.

Some will popup a message saying your credit card has been blocked for security reasons, but others wont say anything at all, you will just get it declined or no funds message. When this happens the people that does not knows well how to do carding tries to purchase again at the same site or others, making the card void at last since some will block it eventually or the bank issuer will get informed about the suspicious activities and disable it right away.

You can also get your detail void if you use a paid quality VPN but you select other city or state, since here you will be getting it void by the bank issuer.

The next part is the Verified by VISA (VBV) or MasterCard Secure Code.

When you reach a webiste that needs to approve the transaction by entering the password/digits or receiving a SMS to approve, you could think there is no way to go, but there is one. To be able to use the details at those websites you have to get unrolled credit card info, which means you can enrol the details yourself at the bank issuer website. For this you need SSN, Birthdate, MMN sometimes that obviously you should already have all that info with your credit card detail. When you have all this you will be able to setup yourself the VBV or Mastercard Secure Code password setup, even the SMS by entering your phone number ( of course not yours, some cloned/prepaid one ).

Now that you have got everything working you must follow some rules at the purchasing field.

You cant go and buy stuff for like $ 500 or more at once , since does not matter you are using all the tricks you have to use, we are in the 21 century and the bank issuer will always re check when the holder is doing some unusual transaction amount. This means sometimes when you are using a classic level card you cant go and make a high amount purchase, since the bank knows the holder does not do those kind of transactions normally.

You can also face that you are using a detail that the holder uses from time to time, meaning the bank also knows this holder only uses it to pay for bills, you get the idea.
The only way to get over this is by always purchasing low amounts at different sites and by doing it wisely in time frames.

Some holders are "premium" or "platinum" or high class levels, where you know this just by checking the credit card detail level. With those you are able to do some higher transactions with no problems but again wisely with the time frame when purchasing.

There is another class of credit cards that are only business/enterprises/companies owned. With these you have to be really sure you are using it at the same places from where they are being used normally, easily traceable by knowing where it belongs.

With knowing the rules now you are ready to being with carding. Just be sure you read and follow the steps explained here and you wont go wrong.

Check the blog for further posts about updated cardable sites list.

Feel free to post comments about your carding experiences.

By Dustin Greer.

RELATED POSTS:

Find out credit and debit cards validity with bin checking
How to get real credit card information

Sunday, September 7, 2014

Attack Smartphones Security with Penetration Tools Tutorial


How to hack smartphones with framework penetration tool

Learn how to attack the mobile smartphone security with a penetration tool.

There is some mobile security apps out there but this one stands out.

SMARTHPHONE PENTEST FRAMEWORK

In security testing tools you are able to do a lot of tasks like assess the security in a matter that allows you to reach private information from the companies.

At this time most important IT and top executives will rely on having constant access to the company data and communications, so it will be expected that employees will also have access to their respective company e-mails and system files at their smartphone mobile devices.

For this scenario the companies normally have two options, giving to their employees a company owned smartphone or allow them to use their personal mobile phone to be used at their network.

This has pro and cons but the most important is the assessing to the security posture of the smarthphone in the workplace, which is a critical issue.

The chosen functionality focuses on unique features to the smarthphones platforms, like the functionality that uses the mobile modem instead the traditional TCP/IP protocol remote shell.

With this tool updates and some new future tools the devs hopes that the penetration testing framework will massively attract the community support such how has been seen with other penetration tools like the Metasploit.

Now we continue to the framework components.

Smarphone testing framework


The framework consists of a management console that is a web based graphical UI, management app and a platform specific payloads or agents.

The management console, GUI and app are used to launch the new remote attacks, gathering info about the smartphones, create the social engineering attacks or just interact with deployed agents.

The management console, GUI and app can also interact with the smartphones via a mobile modem or TCP/IP protocol, in particular agents some receive the commands through SMS and HTTP.

The mobile modem based attacks and commands can be sent through an attached smartphone with management app installed or through the mobile modem connected to the computer with the management console installed.

The TCP/IP protocol based attacks and commands are sent through a web server.

The management console uses a command line interface that will allow to the user interaction with agents, allowing to launch the new attacks, view gathered info and more but without the knowledge of the commands or the exploits, using a series of menus.

The graphical user interface is the same as last one but with the difference that allows the user to interact with a GUI instead using the command line.

The associated app is a smartphone based that will allow the users to do these same functions directly from a mobile smartphone attached to the management console.

Also you can launch attacks or commands to an agent with the mobile modem having this app installed on it.

This penetration testing framework includes a selection of functions for spanning the phases of a penetration test. When given a set of phone numbers the framework will gather information by searching the public records and databases. If the smartphone can be traced on the local network there will be a port scan as well.

The framework will search for vulnerabilites like the default SSH password for jailbroken devices. It provides a selection of remote, client side and social engineering based exploitation attacks.

One example, the smartphone sends a SMS to a potential victim disguised as a common advertisement that comes from vendors with a link, when the users does a click to this link they will be directed to the framework controlled web server that launches a client side attack against the smartphone browser.

You can research yourself with this penetration tool that is actually unique in its kind and pretty powerful.

Feel free to leave comments about this tool.

By Dustin Greer.

RELATED POSTS:

Hacking at Android Mobile Phones using Hackode 
Make FREE CALLS to Any Mobile Or Landline  

Friday, September 5, 2014

Hack Websites with Hypertext Access Exploit


How to hack websites

This time we are giving you something unique that allows to hack websites by bypassing the restrictions from a web application allowing you to see the private directory.

The app is called Hypertext Access Exploit.

This app is a python-based tool that uses an exploit to reach weakness to the .htaccess files allowing you to reach the web directory without authorization.

With this tool you will be able to see the content of a protected directory in a web server ( websites )

The typical usage is as follows:

htexploit -u [URL] [options]


You have these options available:

 -h, --help
    it will show this help message and exit
-m MODULE, --module=MODULE
    Allows you to select the module to run , as default it will detect it.
-u URL, --url=URL
    Allows you to specify the URL you want to scan
-o OUTPUT, --output=OUTPUT
    Allows you to specify the output directory you want to place the results
-w WORDLIST, --wordlist=WORDLIST
    Allows you to specify the word list you want to use
-v, --verbose
    Just do a verbose

You can download this app here:

Hypertext Access Exploit

Feel free to leave comments about this exploit.

By Dustin Greer.

RELATED POSTS:

Manage free security risk simplified for your business website
How to EASILY Hack Email Accounts, Windows Passwords, & Wordpress Websites

Thursday, September 4, 2014

Check your IP Traceroute using Google Maps


IP traceroute checking with google maps

This time we are going to explain how to discover your IP address route over the globe.

This is normally made by interest ends but a hacker must see whats going on in the IP traceroute before doing anything at all.

This is good to know if you are a beginner hacker or you just want to know how your computer is connecting through the world wide web to reach a specific site or IP.

We start simple with one that works just fine for 50 searches everyday for free:

HACKTARGET IP-TRACE

This online traceroute checking allows you understand the network TTL ( the time to live ) . Where packets reach the hops router in the network the Time to Live raises. Those packets are normally ICMP/UDP and there is also other version using TCP.

What you have to learn that by using this you see how using different protocols is good since at some networks the firewall or router itself could block the packets showing you the wrong path across the net.

If you use different protocols you will get rid of systems blocking other kind of packets.

Now we move on to another tracer.

TRACEROUTE-ONLINE


This checker will also provide to you with a google map showoff for the hops in the network path.
Just keep in mind that Geo Location is not exact, you need something else so if you are going to check exact location using this, you are at the wrong place.


TRACEROUTE MONITIS

This one in particular also uses google map but it looks a bit better. It also allows you to monitor a site or IP 24/7 for free. Is a good way to monitor an entire site traceroute all the time, if that is what you are looking for.

We will add more later, feel free to comment and add any other tracers that can provide more usual info.

By Dustin Greer.

RELATED POSTS:

Best Proxy Services for Hackers
Hack the web by surfing anonymously showing restricted sites

Tuesday, September 2, 2014

Best Proxy Services for Hackers

VPN Proxy for hacking


When you need to be safe, anonymous and also untracked you must be sure you are using a quality proxy service. For any person that wants the best safety online is a must, but for hacker this is a rule, so we are going to post here some of the best Proxy Services available to date.



  • HMA VPN


 This proxy uses more than 55,000 IPs, about 60 servers across the world and it also uses a 128-bit encryption to get you the best quality possible. With HMA VPN you are also able to use 3 virtual private network connections.

It also works on Apple and Android devices apart from also being provided to the desktop PC.



  • PURE VPN


This proxy allows you to use 5 devices connected with the same account, meaning you have 5 VPN for the price of only one.

It also povides you with their Split-Tunneling allowing you to use the VPN and normal browsing whenever you want, saving you time and speed for your needs.

It also offers you a switch that will kill any connection as soon as you disconnect, meaning you are safe all the time does not matter if you are not browsing.

This one uses 256-bit data encryption, giving you the best security.



  • IP VANISH


This proxy calls it self  the only tier-1 VPN service worldwide. 

It has the most fastest secure connections and best pricing. Their network uses more than 14,000 IPs with about 135 servers at the most important countries in the world. 

It also provides safety for mobile devices, as well it allows you to use Skype or any Voip service changing the country, meaning you will get lower bills. 


This proxy also disables the Deep Packet checking some ISPs does blocking your internet speed.


Soon we will add some more to the list.

Feel free to comment what are the best proxy services for you.

By Dustin Greer.

RELATED POSTS:


Check your IP Traceroute using Google Maps
Hack the web by surfing anonymously showing restricted sites
 

Monday, September 1, 2014

Find out credit and debit cards validity with bin checking

Check credit card working validity

This tutorial will explain how to check credit and debit cards validity using the BIN Checking algorithm online.

With this method you will be able to get some information about a real card including the bank issuer,card level, ISO Country and some more.

This is a good way to see if the card you have in hands is correct or a fake number.

One of the online databases for BIN Checking is : BINBASE

Here you only need to enter the first 5 digits of your card followed by a captcha code.

One example using an Italian Debit Card from the POSTE ITALIANE ( BANCO POSTA ) Bank:

Card number: 4023600562238503
You just enter the first 5 digits: 40236

BINBASE results:

------------------------------------------------------------------
Card Brand: VISA
Issuing Bank: POSTE ITALIANE S.P.A. ( BANCO POSTA )
Card Type (Credit/Debit) : DEBIT
Card Level: ELECTRON
ISO Country Name: ITA
ISO Country A2 Code: IT
ISO Country A3 Code: ITA
ISO Country Number: 380
Bank Website:
Bank Phone:
------------------------------------------------------------------

Some bin's lookups wont show the bank website or phone and some will do.

This trick is always used when you are getting a lot of cards everyday and also used to check wrong numbers at your data.

It can also be used to discover new numbers algorithms for card levels , some of the most wanted cards uses non common numbers combinations for the first 5 digits, this is where hackers gets to play.

We hope this is good information for you, feel free to leave any comments about your bin lookups.

By Dustin Greer.

RELATED POSTS:

The Definitive Carding Tutorial for beginners

Sunday, August 31, 2014

Hacking at Android Mobile Phones using Hackode

There is a lot of ways to hack something but here you will know how to use mobile phones using the Android OS to do some hacking tasks.

We are going to post from time to time different apps that will let you break security using mobile phones.

If you are not ready aware the hackers can use binary code hacking to attack mobile applications at the google play store. This can be done by several ways like faking the security rules, disabling the requirements originally needed to purchase the app or just making an app clone just to get customers buying yours when in fact it looks like if you are purchasing something else.

You can also get inside the mobile phones by including a hacked script that will just get you all the users credentials, information and even financial assets.

There is a lot of tricks you can do by hacking a mobile phone and with the Android OS this is more easy than you all may think.

The first tool.

HACKODE


Android Mobile Hacking App


This app lets you do several tasks including reconnaissance, Google Hacking, DNS lookup and a bunch more.

You will find a lot of tools inside this app like:
  • Whois
  • Scanning
  • Ping
  • Reconnaissance
  • Traceroute
  • DNS lookup
  • IP
  • Google Hacking
  • Google Dorks
  • MX Records
  • DNS Dig
  • Exploits
  • Security Rss Feed
You are free to test it out by yourself and if you are new into this field you can just test it over and when you have acquired the skills, you will be doing mobile phone hacking for real.

You can get HACKODE app here:

We will post more mobile phone hacking apps soon, stay tuned.

Feel free to leave comments about your experience with this app.

Friday, August 29, 2014

Hack the web by surfing anonymously showing restricted sites


Hack the web surfing anonymously

This tutorial will explain how to hack the web by surfing anonymously all the websites.

With this method you will be able to get inside the websites that Google and other search engines are not showing you, since those are hidden or restricted sites that are blocked from the common search engines bots.

Apart from discovering new websites you will also see data that is being forbidden to you and this is the best part for all the hackers out there.

You will be able to see the web how you are supposed to see it, freely, without any restriction.

Of course with this method you will probably discover websites that are not safe enough for any audience so try to do this at your own risk.

This is called the Deep Web since its exactly the deepest way to enter the world wide web letting you see everything that is there.

To accomplish this task you cant use the normal web browsers like Firefox , IE, Chrome, Opera or any of those, since they are using scripts that wont show you anything restricted.

To discover the whole web you have to use TOR browser, normally called the Onion Router. You can easily find it with a search. Download the TOR bundle and just start to browse with it.

You will find troubles by using TOR and google for example, since sometimes it will say to you there is a weird connection going on and it will show up a CAPTCHA to enter , since this is one of their security measures to avoid bots or anonymous traffic, but you just enter the captcha and you are set.

This method allows you to find websites that are restricted by other browsers , but it also lets you surf completely anonymous. This is something that is a must do for the hackers and is also being used by other people that does not want to be tracked in any way, this includes illegal acts and also includes money laundering and anonymous business.

The anonymous business procedures are a lot but these days one of the most used is the Bitcoin ( BTC ) . As this is an encrypted digital currency it allows you to transact completely untracked and if you use the TOR browser you are literally impossible to track.

With this method you can also do a lot of more stuff that im aware you are figuring it out.

This century things have changed a lot in terms of sociability and the world wide web is a must, but of course there is hidden information you wont be able to see if you do not learn how to see it.

We are here to give you the chance to change that.

Feel free to leave comments about this anytime.

By Dustin Greer.

RELATED POSTS:

Hack Websites with Hypertext Access Exploit