Wednesday 15 May 2013

Gmail SMS Verification loophole exposed by HackingLoops





Note: If any Google guy is reading this, please raise a CR (change request) to get it fixed as soon as possible.

Gmail is the world's most famous free email service and a prominent part of Google, but they always pay attention when I expose their loopholes. I previously did so for the GX cookie loophole, which let hackers take over users' Gmail accounts from cookies. Google's reaction was quick and they fixed that just 4 business days after I exposed it, but that was a temporary solution; they took more than a month to fix it completely. So friends, let me explain where I have found the new bug. Maybe all of you know it already, because it is such a common service, but you might have missed it. So I will expose it today, so that Google will fix it as soon as possible.



Actually this is not one loophole; there are two big loopholes that I have discovered in the Gmail SMS verification and password reset method. So friends, which one do I start with, the dangerous one or the mild one?
OK, OK, let's save the best one for last.

1. Mobile number as optional field
As far as I know security norms, Google should make mobile phone verification mandatory, at least at the time a new Gmail account is created. The benefits of that are:
a. Tracing a user will be easier: Hackers use anonymous or fake Gmail accounts to receive keylogger logs and to send fake emails to users. If we have the mobile number of the Gmail account user, we can trace him back in just a matter of a few seconds.
b. The mobile number and its location should be validated using Google Maps and the IP address used for registering the email account: Hackingloops is suggesting this because, as a hacker, I always try to create a spoof account in which almost every detail is wrong. So for complete traceability, it should be validated geographically. I think it's not that tough for cool coders to code that stuff.

This loophole is a minor one in its category, but it will prove its worth when some hacker tries to hack anything serious using an anonymous Gmail account. If Google realizes these things earlier, then they can surely keep track of malicious users and monitor their day-to-day activity. But as I said, until I expose these things, they will not fix them. I know not everything is perfect, but as an Internet giant, you guys should be perfect.

2. Forgot Password SMS verification code message
This is an extremely dangerous loophole and can be greatly exploited using social engineering. Two to three days back, I was talking with one of my clients, who was explaining to me that his Gmail account had been hacked. He told me that he is aware of all the techniques, like keystroke logging or phishing, that hackers use to hack email accounts. Below is the conversation between the Hackingloops client (Rahul das, works in software firm) and me (Lokesh Singh), as he explained it to me:

Client: My Gmail account has been hacked.
Me (Lokesh): Have you got any email?

Client: Yes, I get a lot of emails daily.
Me: I mean any suspicious or unsolicited or lottery prize email.

Client: Yes, a lot of such emails, but I never open any such email and I also haven't opened any link from my email.
Me: OK. It's nice that you are aware of this stuff. Maybe you have installed some new application or software on your PC, or got your hands on some hack tool.

Client: No, I haven't installed anything in the last few weeks.
Me: OK. Then for sure you might have signed up for some new website.

Client: Yes, I signed up on one website yesterday, and only after that was I unable to log in to my account. But I haven't used the same password there that I use for my Gmail.
Me: OK, tell me how you got to this site. I mean, did you find it through Google or did somebody refer it to you?

Client: Yeah, one person with an email ID something like earnunlimitedmoney@gmail.com told me about that site. But today that site is also down.
Me: What was the website's name?

Client: Something like make money by displaying ads on your website.
Me: OK. Do you know the guy with the email earnmoneyunlimited@gmail.com? I mean, is he a friend of yours?

Client: No, I just got his Gtalk invitation a day back. But I have talked with him personally and he was saying "You will get 50% of my Google Adsense revenue every article you write on my website"
Me: OK, can you tell me, did he ask for anything special, like some registration or mobile verification code or anything similar?

Client: Yes, he told me that you will get a verification code from Google on your mobile, that you need to provide me so that I can attach you to my Google Adsense account.
Me: Can you forward me that message?

Now friends, what was my reaction after seeing that message..  __|__ fk... what the hell... The message said "Your Google Verification code is 516826". Now, has any one of you guessed when we get this message?
OK... OK... I'll give you time to guess... did you all get it... no... OK.. I will tell you..

It's the Google verification code which you get when you select the FORGOT PASSWORD option and then enter your mobile number to get the password reset code...
This is really a dangerous loophole... isn't it... anybody can be fooled using this trick...

If any Gmail or Google employee or staff member is reading it, please ask your boss to raise a change request for this.

OK.. OK.. let me make the situation even worse... Now the hacker had reset my client's password, but he was smarter than I thought.... What he did was change all the recovery options, even the mobile number. Now my client had no chance of getting his credentials back. But it was my client's luck that he told me about the scenario; he got his account back and the hacker said sorry for his activities.. :P I hacked the hacker's system (PC) using his IP address, which I got through readnotify. I will explain that procedure later someday, because it's unethical to hack someone...

Let's concentrate on the loophole. Now consider my point:
Don't you think the password reset message should contain text like "password reset code is blah blah"? I had never thought such a scenario could happen, or that anybody could exploit this loophole to that extent. Google guys, correct these bugs. This doesn't cost you much, but an email account costs a lot for the user who has blind faith in you guys.

Some suggestions by HackingLoops:
1. For Gmail password reset:
The message can be something like
"Dear Gmail User (Name),
Your Gmail Password reset verification code is 123456"
or
"Dear user,
You have requested a password reset for your Google account (email). Your verification code is 123456".

I think both of them are less than 160 chars and can be easily sent to the user and :P can be easily configured in the Google SMS module.

2. If Google doesn't want to change much of their functionality, then they can use something like:
"Dear user (name),
You have requested a Password Reset verification code for account (email). Your code is 123456".

I think, friends, you have all recognized what the loopholes are, and surely some Google guy must read this, so just wait and see how soon Google fixes these loopholes..
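The suggestion above (name the purpose in the SMS and stay under 160 characters), sketched as an added example that is not code from the original post or from Google. The template wording, the purpose names, the masking rule and the function names are all assumptions made for illustration; message length is counted in GSM 7-bit septets, which is what the single-SMS limit of 160 refers to.

```python
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXTENDED = set("^{}\\[~]|€")  # escape-prefixed, two septets each
SINGLE_SMS_SEPTETS = 160

# Constructed templates, most detailed first; every one names its purpose.
# The "do not share" sentence is an addition beyond the post's wording.
TEMPLATES = {
    "password_reset": [
        "You have requested a password reset for your Google account ({email}). "
        "Your verification code is {code}. Do not share it with anyone.",
        "Password reset code for {email}: {code}. Do not share it.",
        "Your password reset code is {code}. Do not share it.",
    ],
    "phone_verification": [
        "You are adding this phone number to the Google account {email}. "
        "Your verification code is {code}.",
        "Phone verification code: {code}.",
    ],
}

def gsm7_septets(text):
    """Septets needed in GSM 03.38 7-bit encoding, or None if not encodable."""
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXTENDED:
            total += 2
        else:
            return None
    return total

def mask_email(email):
    """Show only the first two characters of the local part."""
    local, _, domain = email.partition("@")
    return local[:2] + "***@" + domain

def build_otp_sms(purpose, email, code):
    """Return the most detailed purpose-bound message that fits one SMS."""
    if purpose not in TEMPLATES:
        # No generic "Your verification code is ..." fallback: that is the
        # ambiguous wording the post complains about.
        raise ValueError("unknown OTP purpose: %r" % purpose)
    for template in TEMPLATES[purpose]:
        message = template.format(email=mask_email(email), code=code)
        septets = gsm7_septets(message)
        if septets is not None and septets <= SINGLE_SMS_SEPTETS:
            return message
    raise ValueError("no template fits a single GSM-7 SMS")
```

With a long account address the builder drops to a shorter template rather than splitting the code across two messages, and it refuses to send anything for a purpose it has no wording for.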





Desktop Lock 7.3.1 Final Business Edition Full Version | 1.4 MB



Posted by Jett Catallorca  |  at  21:56 No comments

Desktop Lock is a computer security protection and access control software product. You can use it to lock a computer to prevent people from accessing your private documents and resources. When the computer is locked by Desktop Lock, no one can access your documents, browse your computer, or use programs on your computer.

You can lock your computer with one click, or let Desktop Lock automatically lock your system at a set time or when the system becomes idle. You can customize the appearance of the locked desktop with the options provided by Desktop Lock. Desktop Lock also supports a hotkey to lock the system.

Use Desktop Lock to:
  • Lock your system to prevent anyone from accessing your private data or using your computer at any time.
  • Automatically detect the state of your computer, then automatically lock your system if it detected that you have not used the computer (the system becomes idle) for a period of time.
  • Lock the system and play any audio or video file on the screen, so that people can view the media on your computer but can not control your computer.
  • Lock the system and run a program on the desktop, then anyone can only use the one and only program on your computer, and can not close the program.
  • This security software also can be used with any computer that want to show flash or PowerPoint files to others but don't want them to access your computer.
  • With the new Virtual Screen tool, Desktop Lock can also create virtual desktops and show only the specific programs to users, users only can use the specific programs on your computer.


Here are some key features of "Desktop Lock":
  • During locking, none can force it to be terminated by using the "Task Manager" or "Ctrl+Alt+Del" key combination.
  • Supports to lock the system automatically when the system become idle
  • Supports to automatically lock the system at the specific time
  • Supports to automatically lock the system after computer booted
  • Supports to keep locking if anyone forced the locked computer to be restarted by pressing the Power button on the computer tower, or plug off the power supply
  • Provides more features to allow you to customize your own locked desktop
  • Supports hotkey to lock system directly
  • Allows visitors to leave messages during locking
  • Supports to show the banner during locking with any lock mode
  • A powerful "Virtual Screen" tool allows you to create virtual desktop
  • Plays media file during locking, the media file can be any video or audio file that supported by Microsoft Media Player
  • Supports to specify a program to be automatically run during locking
  • Desktop Lock can disable screensaver during locking; Desktop Lock will also prevent users from shutting down Windows during locking
  • Supports schedule feature
  • Supports multiple monitors
  • Supports multiple users


OS : Windows XP, 2003, Vista, 7, 8

Language : English

Install Notes:
1] Install The App
2] Do Not Launch The App
3] Copy Content from Crack Folder to Install Directory
4] Enjoy This Release!!

Types of hacking fb account

There are 5 types generally used to hack accounts:

1. Facebook Phishing
2. Keylogging
3. Social engineering
4. Primary email address hack
5. Cookie Stealing

1. Facebook phishing:

I have taken this method first because I think this is the most popular way of hacking Facebook. I studied various Facebook surveys taken on the web about hacking Facebook. The results of these surveys show "Phishing" as the most used method to hack Facebook and, to note, "Phishing is favorite method of facebook hackers". So, friends, beware of Facebook phishing. Facebook staff is working hard to stop these Facebook phishers. Phishing can be used not only against Facebook but also against almost any email account. You only have to get the trick used to make a phisher, which I think is very easy. I learnt it without any difficulty. But, remember, this is only for educational purposes. I will not extend this topic here, as I have added more on phishing in my article How to hack facebook password

2. Keylogging:

This is my second favorite, as the only thing you have to do is remotely install a keylogger application (if you don't have any physical access to the victim's computer). Keylogging becomes easier if you have physical access to the victim's computer, as the only thing you have to do is install a keylogger and direct it to your destination, so that it will send all recorded keystrokes to that destination. A keylogger records the keystrokes into a log file, and these logs can then be used to get the required Facebook password. I have posted detailed information on the top keyloggers in the trade; for more information see my password hacking softwares section

3. Social engineering:

This sounds like it would not work at the beginning. Even I was neglecting this way. But once, I thought of using it against my friend on Facebook and I got his Facebook password very easily by this method. I think many of you might know what social engineering is. For newbies, social engineering is a method of retrieving a password or the answer to a security question simply by querying the victim. You have to be very careful while using this, as the victim must not be aware of your intention. Just ask him cautiously, using your logic.

4. Primary email address hack

If a Facebook hacker, by some means, hacks the Gmail or Yahoo account which you are using as your primary email address, then this Facebook hacker can easily hack your Facebook password using the "Forgot password" trick. He will simply ask Facebook to send a password reset email to your primary email address, which is already hacked. Thus, your Facebook account password will be reset and the account will be hacked!

So, always remember to protect your Facebook primary email address and try to keep an unknown or useless mail ID as your primary email address.
So far, I have found these Facebook hacking methods to be the best and working ways to hack Facebook account passwords. I never encourage hacking Facebook or any email account; I just want to make you aware of Facebook dangers online. I will appreciate your effort if you mention any other Facebook hacking method.

5. Facebook Cookie Stealing

I am updating this post with a new method which is being used to hack Facebook accounts, and which I think is very effective. Facebook cookie stealing is becoming more popular day by day. The cookie which Facebook uses to authenticate its users is called "Datr". If an attacker can get hold of your authentication cookies, all he needs to do is inject those cookies into his browser and he will gain access to your account. This is what a Facebook authentication cookie looks like:

Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc;

Hack the Facebook with Backtrack 5


Hack your friend's Facebook account using Backtrack 5











Step 1: Open the SET tool in Backtrack 5. To open it, follow the step shown above.











Step 2: Time to set the Website Attack Vectors. In the menu below, enter your choice, 2. Website Attack Vectors, and press Enter.







Step 3: Select your attack method. Here I choose
3. Credential Harvester Attack Method.













Step 4: Select the attack vector. Write 2. Site Cloner and press Enter, as shown in the image.










Step 5: Enter the URL. To make a clone of the Facebook login page I entered https://www.facebook.com and pressed Enter. As I press Enter, it will automatically generate a clone page.









Step 6 : To continue the process you have to put * sign and press enter.







Step 7 : Process will continue as shown in the image above .








Step 8: Open a terminal and enter the ifconfig command. It will show your IP address. Now copy the IP address.










Step 9: Open a web browser and paste the system IP address into the address bar, and it will redirect to the Facebook login page.
Now enter anything to check whether it works or not.
FOR EXAMPLE: Here I use
Email: h4x00r
Password: hackingDNA.com

And press Enter. Let's see what happens in the next step.








Step 10: Remember the process that started in step 7. Now that you have followed step 8 and step 9, it will come up with all the details of the username and password.

This is how we set a trap and hack the victim's Facebook username and password using only Backtrack 5.


Enjoy!
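Seen from the defending side, the cloned page in step 9 is reached by typing a bare IP address, which is not the real site's hostname and is fetched over plain HTTP. The following added example (not part of the original post; the function names and sample URLs are constructed for illustration) checks a URL a user is asked to log in at against the domain it claims to be.

```python
import ipaddress
from urllib.parse import urlsplit

def login_url_findings(url, expected_domain="facebook.com"):
    """Reasons not to trust `url` as the real login page of expected_domain."""
    if "://" not in url:
        url = "http://" + url  # what a browser assumes for a bare host
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # "https://www.facebook.com@host/": the text before @ is not the host
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        # Accept only the domain itself or a true subdomain of it
        if host != expected_domain and not host.endswith("." + expected_domain):
            findings.append("host-mismatch")
    return findings

# Constructed sample URLs (documentation address ranges, invented hostnames).
SAMPLES = [
    "https://www.facebook.com/login.php",
    "192.0.2.15",
    "https://www.facebook.com@198.51.100.7/login.php",
    "https://facebook.com.login.example/",
]

def audit(urls, expected_domain="facebook.com"):
    """Map each URL to its list of findings (empty list means no finding)."""
    return {u: login_url_findings(u, expected_domain) for u in urls}

if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, "->", findings or "ok")
```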



BOMB MOBILE PHONE WITH SMS : BEAVER'S SMS BOMBER PRO

This program will bomb the victim's mobile phone with tons of SMS. It supports all major networks around the world. But if your network is not in the list, then don't worry, you can also add the carrier network with the help of "custom" option. You can also load list of multiple victims and bomb them simultaneously. The improvement that Beaver has made in this version over his previous SMS Bomber is that you can spoof the email address from which you are bombing the victim's mobile phone. For Example, If there was an error sending the message, it will ask you if you wanna change the E-mail/Password you are using. All credits to Beaver for this nhttp://www.mediafire.com/download.php?zmd4mtbmtolice program.

EMAIL ACCOUNT HACKING SOFTWARE : VIC SPY KEYLOGGER


Vic Spy Keylogger is a simple keylogger program which records keystrokes and all the computer activity of the user on whose computer it is installed. There is no need to install it, it runs immediately after extraction from archive. http://www.ziddu.com/download/6949476/VicSpy2008.rar.html 
