Monday, June 27, 2011

Using Ardamax Keylogger

Download Ardamax Keylogger 3.8.1 from http://www.ardamax.com/ (register it to get the key).

Once it has downloaded, run "setup_akl.exe" and install Ardamax on your own PC. Be aware that it will record everything typed on that machine until you uninstall it.

Installing Ardamax:-

-Double-click "setup_akl.exe". In the License Agreement window, click "I Agree".
-Make sure the three boxes are ticked and click "Next".
-Choose a new installation path or leave the default one, then click "Install" (Ardamax now installs).
-Once it's done, untick "View the Quick Tour" and click "Finish".


Infecting a file

-In the new window, click "Enter Key", enter the name and serial, then press "OK".
-If everything went fine the window closes. Now right-click the Ardamax icon in the tray (bottom right corner of your screen) and click "Remote Installation...".
-A new screen opens; click "Next".
-Tick "Append keylogger engine to file or another application" and click "Browse", then pick the file or application you want to bind the keylogger to. It can be anything, and the file you pick is not modified: Ardamax makes a copy and leaves the original intact. When someone double-clicks the resulting file, Ardamax installs on their PC with no installation window or any other sign, so they will probably never know they are infected. Once you have chosen the file, click "Open".
-In the same window ("Appearance"), leave "Installation folder on target computer" as it is, and under "Additional components" untick "Log Viewer" (untick everything), then click "Next".
-In the "Invisibility" window, leave all options ticked and click "Next".
-Click "Enable..." and in the window that pops up enter a password. Leave all the options ticked and click "Next".
-Untick "Check for updates" and click "Next".
-Leave the two options ticked. I suggest changing "Hidden mode on:" to a key combination that is easier to remember (such as Ctrl+Z). I would also set a "Self destruct on:" date (tick the box beside the date, scroll down and choose a date); this uninstalls Ardamax from the remote PC on the date you chose. A week later is reasonable, or however long you are sure you need. Click "Next".
-In the new window ("Control"), tick "Send logs every" and, right beside it, choose how often you want to receive logs (once an hour or once a day is usually fine).


Using the infected file

A new window pops up showing your infected file; it is called "Install.exe" and has the icon you chose. Don't touch the other files in this folder, they are not needed. I suggest renaming it.
You now have to spread this file and hope someone downloads it and double-clicks it. Once they do, Ardamax starts recording and sending logs to your website.
I suggest emailing it to people or uploading it to forums. Of course, you have to bind Ardamax to a file people are actually interested in downloading.
If they scan the file at http://www.virustotal.com they will see it flagged, though only two engines catch it: "Webwasher-Gateway" detects Ardamax in the file as "Riskware.Ardamax.K.Gen" and "Ikarus" detects "Trojan-Dropper.Win32.Agent.bnk".
"Webwasher-Gateway" is the last engine in VirusTotal's results list, so if that person is lazy you should be fine. Keep in mind, though, that VirusTotal shares uploaded samples with antivirus vendors, so detection counts only go up once a file has been submitted.
Basically, I think people can't get rid of Ardamax unless they reinstall Windows, so if you didn't set a "Self destruct" date you will receive logs for a very long time.
 

Saturday, June 18, 2011

Hacking Gmail account using GX Cookie

Note: for information purposes only.

Introduction
Hacking web applications has always fascinated script kiddies, and hacking a free webmail account is every geek's first attempt. The method described in this post is not new; the same method applies to Yahoo and other free webmail services too.
The method is cookie stealing: capture the session cookie and replay it back to the Gmail server. There are many ways to steal a cookie; one of them is XSS (cross-site scripting), discussed in an earlier post. We won't be using XSS here. Instead we use local network tools to capture the cookie and then use it to get into the Gmail account.
Assumption:

* You are on a local area network (LAN), switched or wireless, for example an office, cyber café or mall.
* You know basic networking.

Tool used for this attack:

* Cain & Abel
* Network Miner
* Firefox web browser with Cookie Editor add-ons


Attack in detail:
We assume you are connected to the LAN or wireless network. Our main goal is to capture the Gmail GX cookie from the network, and we can only capture it while someone is actually using Gmail. In an office this is typically at lunch time or at the start of a shift, when people check their email; in a cyber café or mall there are even more chances of catching Gmail users.
We will go step by step.
If you are on an open wireless network you can skip step A.
A] Using Cain to do ARP poisoning and routing:
A switch forwards unicast traffic only to the port where the destination MAC address lives. When X and Y are talking on a switched network, Z does not see their traffic, so to sniff it you have to poison the ARP caches of X and Y so that both send their frames to Z, which forwards them on. On an open wireless network you don't have to poison anything: the access point behaves like a hub and every client can hear every frame. Note that this does not hold on a WPA/WPA2 network, where each client's traffic is encrypted with its own pairwise key; there you need the passphrase plus that client's handshake, or you fall back to ARP poisoning.



* Start Cain from Start > Programs > Cain > Cain.
* Click the Start/Stop Sniffer icon on the toolbar. We first scan the network to see which IPs are in use; this list also helps us pick a victim.
* Click the Sniffer tab, then the Hosts tab below it. Right-click inside the spreadsheet and click Scan MAC Addresses; in the Target section select "All hosts in my subnet" and press OK. This lists every host connected to your network. You will notice your own IP is not in that list.
How to check your own IP?
> Click Start > Run, type cmd and press Enter. In the command prompt type ipconfig and press Enter. This shows the IP address assigned to your PC, with output like the following:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xyz.com
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

The main things to know here are your IP address and your default gateway; make a note of both. From Cain's list of IP addresses you then choose a free IP address that is not used anywhere. We assume 192.168.1.10 is not used anywhere in the network.

* Click Configure > APR > Use Spoofed IP and MAC Address > IP, type in 192.168.1.10, and in the poisoning section click "Use ARP request packets", then click OK.

* Within the Sniffer tab, click the APR tab below. From the left-hand side click APR, click in the top right-hand spreadsheet, then click the plus sign on the toolbar. This shows a list of IP addresses on the left-hand side. Here we target the victim's IP address and the default gateway.

The purpose is to ARP-poison both the victim and the default gateway so the victim's traffic is routed via your machine. From the left side click the victim's IP address; we assume the victim is using 192.168.1.15. The moment you click it, the remaining hosts appear on the right-hand side; there, select the default gateway IP address, i.e. 192.168.1.1, then click OK.

* Finally, click the Start/Stop Sniffer icon once more and then Start/Stop APR. This starts poisoning the victim and the default gateway.
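The ARP cache tampering that step A relies on is visible from the victim's side, and anyone running this on a network they defend should know what it looks like. The following Python is an added example, not from the original post and not part of Cain: it parses Windows `arp -a` output (the two tables below are constructed sample output with invented addresses, the second one showing the cache after the victim has been poisoned) and reports the two classic indicators, the gateway's MAC changing from a pinned value and one MAC answering for several IP addresses.

```python
import re

# Constructed `arp -a` output as the victim (192.168.1.15) would see it before
# the APR step. Addresses are sample values, not captured data.
ARP_BEFORE = """\
Interface: 192.168.1.15 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-01     dynamic
  192.168.1.2           00-11-22-aa-bb-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed output after poisoning: the gateway's IP now resolves to the
# sniffing host's MAC, so one MAC answers for two IP addresses.
ARP_AFTER = """\
Interface: 192.168.1.15 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-02     dynamic
  192.168.1.2           00-11-22-aa-bb-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One `arp -a` entry line: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.I,
)


def parse_arp_table(text):
    """Map IP -> lowercase MAC for every entry line of `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_spoof_indicators(text, gateway_ip, pinned_gateway_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    table = parse_arp_table(text)
    findings = []

    # Indicator 1: the gateway's MAC no longer matches the value we pinned.
    pinned = pinned_gateway_mac.lower()
    current = table.get(gateway_ip)
    if current is not None and current != pinned:
        findings.append(f"gateway {gateway_ip} moved from {pinned} to {current}")

    # Indicator 2: one MAC claims more than one IP address.
    ips_by_mac = {}
    for ip, mac in table.items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # broadcast and IPv4 multicast legitimately share a MAC
        ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for label, table in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        result = arp_spoof_indicators(table, "192.168.1.1", "00-11-22-aa-bb-01")
        print(label, result or ["clean"])
```

The pinned-gateway check is the one that matters: it still fires when Cain is told to "Use Spoofed IP and MAC Address" as in the step above, because the gateway entry changes regardless of which MAC the attacker chooses. The duplicate-MAC check only catches the case where the sniffing host's real address is also in the victim's cache.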

B] Using Network Miner to capture the cookie in plain text
We are using NetworkMiner to capture the cookie, but it can be used for many things: capturing text, images, HTTP parameters and files. NetworkMiner is normally used in passive reconnaissance to collect the IP, domain and OS fingerprint of devices talking to your machine. If you don't have NetworkMiner you can use any other sniffer, such as Wireshark, Iris or NetWitness.
We are using this tool because of its ease of use.

* Open NetworkMiner by clicking its exe (note that it requires the .NET Framework).
* From "—Select a network adapter in the list—" click the down arrow and select your adapter. If you are on wired Ethernet the adapter name will contain Ethernet and your machine's IP address; if you are on wireless, it will contain Wireless and your IP address. Select the one you are using and click Start.

Important: before you start, make sure you are not browsing any websites or using any instant messaging, and that you have cleared all cookies from Firefox, so that your own sessions don't show up in the capture.

* Click the Credentials tab. This tab captures all HTTP cookies; look closely at the "Host" column for a mail.google.com entry. If you find one, right-click its Username column, click "Copy username", then open Notepad and paste the copied content there.
* Turn off word wrap in Notepad and search for GX in the line. The captured line contains many Gmail cookies separated by semicolons; the GX cookie starts with "GX=" and ends at the next semicolon, and you need to copy everything between the "=" and the semicolon.

Example: GX=axcvb1mzdwkfefv; -> copy only axcvb1mzdwkfefv
Now that we have captured the GX cookie it's time to use it: we replay it and log in to the victim's email account, using Firefox and the Cookie Editor add-on.
C] Using Firefox & Cookie Editor to replay the attack.

* Open Firefox and log in to your own Gmail account.
* In Firefox click Tools > Cookie Editor.
* In the filter box type .google.com and press Filter; in the list below, look for a cookie named GX. When you find it, double-click it, delete everything in the content box, paste the GX value you captured in step B.4, click Save and close the dialog.
* In the Firefox address bar type mail.google.com and press Enter. This replays the victim's GX cookie to the Gmail server and you are logged in to the victim's Gmail account.
* Sorry! You can't change the password with a cookie attack.

How to be safe from this kind of attack?
Google provides a way out: make Gmail use a secure cookie instead of an insecure one. With "Always use https" enabled, Gmail is only served over HTTPS and the session cookie is marked Secure, so the browser never sends it over a plain HTTP connection and there is nothing for a sniffer on the LAN to capture.
Settings > Browser connection > Always use https
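As an added example that is not part of the original post, the following Python does step B.4 (pulling the bare GX value out of a captured Cookie header) programmatically, and also checks the defence from the section above: whether a Set-Cookie header carries the Secure flag that keeps a cookie off plain HTTP. The captured request and the two Set-Cookie headers are constructed samples with invented values, not real Gmail tokens, and the GX value is the placeholder used in the post.

```python
# Constructed plaintext request of the kind NetworkMiner's Credentials tab
# reconstructs when a client fetches mail.google.com over HTTP. The cookie
# values are invented sample strings, not real Gmail tokens.
CAPTURED_REQUEST = (
    "GET /mail/ HTTP/1.1\r\n"
    "Host: mail.google.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: PREF=ID=abc123:TM=1308300000; GX=axcvb1mzdwkfefv; S=gmail=xyz\r\n"
    "\r\n"
)

# Two constructed Set-Cookie headers: the first is what a LAN sniffer can
# catch, the second is what the "Always use https" setting is meant to give.
SET_COOKIE_PLAIN = "GX=axcvb1mzdwkfefv; Path=/mail; HttpOnly"
SET_COOKIE_SECURE = "GX=axcvb1mzdwkfefv; Path=/mail; Secure; HttpOnly"


def request_cookies(raw_request):
    """Return {name: value} for every pair in the request's Cookie header(s)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        field, _, value = line.partition(":")
        if field.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            # Split on the first '=' only: cookie values may contain '='.
            name, _, val = pair.strip().partition("=")
            if name:
                cookies[name] = val
    return cookies


def extract_gx(raw_request):
    """Step B.4 done programmatically: the bare GX value, or None."""
    return request_cookies(raw_request).get("GX")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def exposed_to_sniffing(set_cookie_header):
    """True if the browser would also send this cookie over plain HTTP."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    return attrs.get("secure") is not True


if __name__ == "__main__":
    print("GX =", extract_gx(CAPTURED_REQUEST))
    for h in (SET_COOKIE_PLAIN, SET_COOKIE_SECURE):
        verdict = "sniffable" if exposed_to_sniffing(h) else "https-only"
        print(verdict, "<-", h)
```

The Secure attribute is the whole defence: without it the browser attaches the cookie to any http://mail.google.com request, which is exactly the plaintext traffic the sniffer in step B is waiting for; with it the cookie only ever travels inside TLS.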

   
 

Friday, June 17, 2011

[TUT] HTTP and HTTPS: The Hacking Protocols

Introduction

On the Internet billions of electrons pass along thousands of miles of cable every day to and from destinations around the world and beyond. These electrons carry written messages, visual images, and sound between millions of computers connected to the World Wide Web. Many of the transmissions contain vital and confidential information that can be used for mischief and fraud by hackers if they gain access to them—and many do. How can they still get in, with so much technological progress in firewalls and intrusion detection software? The answer is two numbers: TCP ports 80 and 443.

HyperText Transfer Protocol (HTTP) and HTTP over SSL (HTTPS), which are run through those ports, respectively, account for a growing number of cyber break-ins. Why? The reason is simple: People have fallen for the biggest scam going. The ruse is shamelessly perpetuated throughout the industry by software vendors and service providers alike. As they state confidently, "Purchase a good firewall and intrusion detection system (IDS) and your security problems will melt away." Anyone with a double digit I.Q. should know that, no matter how many firewalls and IDS systems you have, they will never prevent Web attacks.

Firewalls are useless against Web attacks. That's right. Firewalls are pebble speed bumps in the residential street of the Internet. Why? Because firewalls have to let Web traffic through them. As a result, HTTP/HTTPS leave an attacker almost immune from the effects of firewalls. HTTP is truly a hacker's delight. And whatever can be done over HTTP can usually be done over HTTPS in the encrypted stream of anonymity. In this chapter we discuss both protocols (HTTP and HTTPS), describe how they work, and suggest ways that attackers extend their boundaries.


Protocols of the Web

The World Wide Web is an array of protocols that act like traffic cops for the Internet. Packets can be thought of as cars, trucks, and buses on the information superhighway with protocols being stop signs, traffic lights, and drawbridges. So, by their very definition, protocols play a crucial role in managing the day-to-day activities on the Internet. As a result, they are especially important to hackers who want to take advantage of their flaws (and sometimes their features).

In this chapter we discuss the major protocols of e-commerce and how hackers attempt to alter them for their own gain. We also describe a number of free tools that take advantage of these protocols, automating much of the heavy lifting.


HTTP

Without a doubt, HTTP is the most ubiquitous protocol in use on the Internet. Every Web browser and server must communicate over this protocol in order to exchange information. There have been three major versions of the protocol, all of which maintained the same fundamental structure. HTTP is a request/response stateless protocol that allows computers to talk to each other rather efficiently and carry on conversations lasting hours, days, and weeks at a time.

Although the HTTP/1.0 specification currently in use is a far cry from the original specification proposed by Tim Berners-Lee in March 1990, the fundamental features of HTTP haven't changed all that much. Figure 4-1 highlights the major components of the HTTP protocol and their use.


HTTP/0.9

The first official HTTP specification is typically considered HTTP/0.9. This version and its successor are described in the Internet Engineering Task Force's (IETF) Request for Comments (RFC) document RFC 1945 (http://www.ietf.org/rfc/rfc1945.txt). For four years (1992–1996), HTTP/0.9 found modest use on the Internet despite the Web's infancy at the time. HTTP/0.9 was limited in many ways: it supported only the GET method and had no headers and no status codes, so it didn't cover what we now consider to be required elements of Web interaction.


HTTP/1.0

The HTTP/1.0 specification came along just as the Internet started to heat up. Despite its relative age in the technological sense (it was finalized in May 1996), HTTP/1.0 was, when this chapter was written, still the king of the HTTP protocol versions on the Internet, and most Web servers and browsers used it for default communication. As with HTTP/0.9, HTTP/1.0 is covered under RFC 1945.

The underpinnings of the HTTP/1.0 protocol reside with the request/response exchange. This exchange permits information to be sent, parsed, and returned between a client (Web browser) and a server (Web server), or prevents it.

In general, an HTTP/1.0 URL looks like this:

http://host [ ":" port ] [ absolute_path ]

The host is the hostname desired, the port is an optional port number, and absolute_path is the resource requested.
 

HTTP Response


An HTTP request from a client is handled by the server and responded to accordingly. To respond, the server sends back a series of message components that can be categorized as follows:

· Response code—a numeric code that corresponds to an associated response.

· Header fields—additional information about the response.

· Data—the content or body of the response.

With these three components, the client browser understands the server's response and interacts with the server. Now let's examine each component a little more closely.

Data

The data portion of the client's request or the server's response is the body of the communication between the two. In the case of a GET request for the default resource, you would send the request line followed by an empty line (the empty line tells the server that the request is complete):

C:\> nc.exe www.example.com 80
GET / HTTP/1.0

and the default Web page (data or body) would be sent back in a stream.
    

HTTP/1.1

Released as an official specification in June 1999 as RFC 2616 (which replaced the earlier RFC 2068 of 1997), HTTP/1.1 is the latest incarnation of the HTTP protocol and is widely used. RFC 2616 details the particulars of this version and highlights the additional functionality over HTTP/1.0. The primary failings of HTTP/1.0, and therefore the need for 1.1, include no hierarchical proxy support, little support for caching, and no proper handling of persistent connections and virtual hosts (HTTP/1.1 adds the mandatory Host header for the latter).

The HTTP/1.1 URL looks like this:

http://host [ ":" port ] [ absolute_path [ "?" query ]]

HTTP Response

As with HTTP/1.0, HTTP/1.1 requests from a client are handled by the server and responded to accordingly. An HTTP/1.1 response can be categorized as follows:

· Response Code—a numeric code that corresponds to an associated response.

· Header fields—additional information about the response.

· Data—the content or body of the response

Response Codes
 

The HTTP/1.1 specification added numerous response codes to the list, but the heart of the response codes didn't change. So, to understand the specifics of the HTTP/1.1 response codes, refer to the HTTP/1.0 codes discussed earlier.

HTTPS

The easiest way to watch SSL work is with a network packet analyzer. Using Snort (http://www.snort.org), you can first observe how traffic over TCP port 80 is seen and recorded in the clear:


04/14-22:43:39.781452 192.168.0.5:80 -> 192.168.0.3:2590
TCP TTL:128 TOS:0x0 ID:18197 IpLen:20 DgmLen:344 DF
***AP*** Seq: 0x22AA9B72 Ack: 0xFDC79BB8 Win: 0x445F TcpLen: 20
0x0000: 00 06 5B 30 04 0C 00 20 78 0D 1F 4C 08 00 45 00 ..[0... x..L..E.
0x0010: 01 58 47 15 40 00 80 06 31 32 C0 A8 00 05 C0 A8 .XG.@...12......
0x0020: 00 03 00 50 0A 1E 22 AA 9B 72 FD C7 9B B8 50 18 ...P.."..r....P.
0x0030: 44 5F 33 9A 00 00 48 54 54 50 2F 31 2E 31 20 32 D_3...HTTP/1.1 2
0x0040: 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 4D 6F 6E 00 OK..Date: Mon
0x0050: 2C 20 31 35 20 41 70 72 20 32 30 30 32 20 30 36 , 15 Apr 2002 06
0x0060: 3A 31 31 3A 35 33 20 47 4D 54 0D 0A 53 65 72 76 :11:53 GMT..Serv
0x0070: 65 72 3A 20 41 70 61 63 68 65 2F 31 2E 33 2E 31 er: Apache/1.3.1
0x0080: 32 20 28 57 69 6E 33 32 29 20 41 70 61 63 68 65 2 (Win32) Apache
0x0090: 4A 53 65 72 76 2F 31 2E 31 20 6D 6F 64 5F 73 73 JServ/1.1 mod_ss
0x00A0: 6C 2F 32 2E 36 2E 34 20 4F 70 65 6E 53 53 4C 2F l/2.6.4 OpenSSL/
0x00B0: 30 2E 39 2E 35 61 20 6D 6F 64 5F 70 65 72 6C 2F 0.9.5a mod_perl/
0x00C0: 31 2E 32 32 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 1.22..Last-Modif
0x00D0: 69 65 64 3A 20 4D 6F 6E 2C 20 30 38 20 41 70 72 ied: Mon, 08 Apr
0x00E0: 20 32 30 30 32 20 30 31 3A 33 34 3A 35 35 20 47 2002 01:34:55 G
0x00F0: 4D 54 0D 0A 45 54 61 67 3A 20 22 30 2D 38 34 62 MT..ETag: "0-84b
0x0100: 2D 33 63 62 30 66 33 62 66 22 0D 0A 41 63 63 65 -3cb0f3bf"..Acce
0x0110: 70 74 2D 52 61 6E 67 65 73 3A 20 62 79 74 65 73 pt-Ranges: bytes
0x0120: 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length
0x0130: 3A 20 32 31 32 33 0D 0A 43 6F 6E 6E 65 63 74 69 : 2123..Connecti
0x0140: 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74 65 on: close..Conte
0x0150: 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 nt-Type: text/ht
0x0160: 6D 6C 0D 0A 0D 0A


The packet being returned from the server displays the normal output to a HEAD request: the status line and headers end with an empty line, and although Content-Length announces 2123 bytes, no body follows, which is exactly what HEAD asks for. Everything, including the Server banner with its Apache, mod_ssl and OpenSSL version numbers, is readable in the ASCII column. Now let's look at the same exchange over SSL:


04/14-22:46:51.135042 192.168.0.5:443 -> 192.168.0.3:2592
TCP TTL:128 TOS:0x0 ID:18212 IpLen:20 DgmLen:339 DF
***AP*** Seq: 0x25992D24 Ack: 0xB641BA Win: 0x4266 TcpLen: 20
0x0000: 00 06 5B 30 04 0C 00 20 78 0D 1F 4C 08 00 45 00 ..[0... x..L..E.
0x0010: 01 53 47 24 40 00 80 06 31 28 C0 A8 00 05 C0 A8 .SG$@...1(......
0x0020: 00 03 01 BB 0A 20 25 99 2D 24 00 B6 41 BA 50 18 ..... %.-$..A.P.
0x0030: 42 66 B9 04 00 00 17 03 00 01 26 46 E4 32 33 3E Bf........&F.23>
0x0040: 1E 19 5E 9E FB DB 7F 55 41 73 09 9A 97 DE D7 65 ..^....UAs.....e
0x0050: A5 FD 00 0B 0B 9F 89 2A C2 4C 28 3B AD 0A 0A C9 .......*.L(;....
0x0060: A9 8D 57 54 AA DB 3D 53 9E C4 3D 0F 24 C8 DB 85 ..WT..=S..=.$...
0x0070: B8 2C 36 87 4E 1D 30 A5 2C F2 36 31 CC 48 58 69 .,6.N.0.,.61.HXi
0x0080: 3F A9 2A 8A 28 57 43 ED 4F C1 FF 2A B2 AF 2A BF ?.*.(WC.O..*..*.
0x0090: 23 54 F0 AB 9D 6F 5D 07 21 CF DF 07 2E 73 2D 5D #T...o].!....s-]
0x00A0: BC 18 8C E0 22 FA 84 80 17 EE 66 98 D9 CB 68 ED ....".....f...h.
0x00B0: 18 76 D2 DE E6 FA 6F B7 0B 09 AD 24 6B 8C 97 0E .v....o....$k...
0x00C0: 6F 26 8B 9F 58 ED FB 53 13 3E 1C 20 73 D3 BE A2 o&..X..S.>. s...
0x00D0: 8D C1 D2 20 09 F7 59 E1 9F D9 B2 84 49 58 DB 9F ... ..Y.....IX..
0x00E0: B7 61 AC E5 A2 56 C0 3F 6E 7E 67 54 4E B3 2E E1 .a...V.?n~gTN...
0x00F0: A8 F8 6C 87 95 7B 62 BD 6E 5B 70 28 3C 89 8E D4 ..l..{b.n[p(<...
0x0100: ED AB 3C E0 3E 75 5B DF BC 82 7C 4F C8 45 7C 66 ..<.>u[...|O.E|f
0x0110: FB 73 B8 29 CC 57 2D F2 5C 66 59 0E BE 4A 3B 42 .s.).W-.\fY..J;B
0x0120: 2F 5F 32 1E E2 DD FB C1 84 E9 07 0C DE CD 0B 72 /_2............r
0x0130: 91 F5 3C 61 6E FF 66 F1 D8 9B 7C CB 25 59 73 71 ..<an.f...|.%Ysq
0x0140: B9 02 33 15 71 B9 4B 9D FC FF F0 F2 B1 52 D7 54 ..3.q.K......R.T
0x0150: 42 21 E4 B3 F7 5D 77 F3 6A 16 4E 19 40 A2 BC D9 B!...]w.j.N.@...
0x0160: C4


Everything is now encrypted and beyond the prying eyes of the attacker; all that remains readable is the SSL record header (the bytes 17 03 00 01 26 at offset 0x36: application data, SSLv3, 294 bytes) and the TCP/IP envelope. The value of SSL is simple: it encrypts traffic between two hosts, significantly reducing an attacker's ability to read sensitive traffic and record information such as passwords. Don't be fooled, though, because SSL doesn't provide security by itself. All that SSL does is provide a channel that resists eavesdropping, similar to scrambling your voice over a cordless phone, and even that is conditional: a tool such as ssldump (http://www.rtfm.com/ssldump/) can decrypt captured SSL traffic if it is given the server's private key and the session used a key exchange without forward secrecy (such as plain RSA). Nor does SSL do anything about attacks carried inside the encrypted stream: a Web application flaw exploited over port 443 reaches the server just as well as over port 80, only now the IDS cannot see it.
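As an added example (not part of the chapter), the following Python shows what a sniffer can actually make of the two captures above: it parses the plaintext HTTP response into its three components (response code, header fields, data) as described under "HTTP Response", and reads the only structured thing left in the SSL packet, the five-byte record header. PLAINTEXT_RESPONSE is transcribed from the ASCII column of the port-80 capture, and TLS_RECORD is the first bytes of the TCP payload (offset 0x36) of the port-443 capture; both are embedded here so the script runs offline.

```python
import struct

# The TCP payload of the port-80 packet above, transcribed from its ASCII column.
PLAINTEXT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 15 Apr 2002 06:11:53 GMT\r\n"
    b"Server: Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 "
    b"OpenSSL/0.9.5a mod_perl/1.22\r\n"
    b"Last-Modified: Mon, 08 Apr 2002 01:34:55 GMT\r\n"
    b'ETag: "0-84b-3cb0f3bf"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 2123\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Start of the TCP payload of the port-443 packet above (offset 0x36): the
# 5-byte record header followed by the first ciphertext bytes.
TLS_RECORD = bytes.fromhex("17 03 00 01 26 46 e4 32 33 3e")

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_http_response(raw):
    """Split a raw response into status line, header fields and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by an empty line")
    status_line, *header_lines = head.split(b"\r\n")
    version, status, reason = status_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")  # first colon only; values may contain ':'
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return {
        "version": version.decode("latin-1"),
        "status": int(status),
        "reason": reason.decode("latin-1"),
        "headers": headers,
        "body": body,
    }


def looks_like_head_response(parsed):
    """True when Content-Length promises a body that the packet does not carry."""
    declared = int(parsed["headers"].get("content-length", "0"))
    return declared > 0 and len(parsed["body"]) == 0


def parse_tls_record(raw):
    """Decode the SSL/TLS record header: the only plaintext left on port 443."""
    if len(raw) < 5:
        raise ValueError("need at least the 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    return {
        "content_type": ctype,
        "type_name": RECORD_TYPES.get(ctype, "unknown"),
        "version": RECORD_VERSIONS.get((major, minor), f"{major}.{minor}"),
        "length": length,  # bytes of ciphertext that follow the header
    }


if __name__ == "__main__":
    r = parse_http_response(PLAINTEXT_RESPONSE)
    print(r["status"], r["reason"], "| Server:", r["headers"]["server"])
    print("HEAD response?", looks_like_head_response(r))
    print(parse_tls_record(TLS_RECORD))
```

The contrast is the point of the two captures: on port 80 the parser hands back the server banner and every header, while on port 443 the record header gives an attacker only the record type, the protocol version and the length, and the 294 bytes that follow are opaque without the session keys.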

Wednesday, June 8, 2011

view passwords on any form page

Run the following JavaScript from the address bar (or save it as a bookmarklet) on a page that contains masked password fields. The browser only masks such a field on screen; its value sits in the DOM unencrypted, so the script walks every form on the page and pops up the current value of each field whose type is "password". The code below is the original URL-encoded one-liner, decoded and laid out for reading; when pasted into the address bar it has to be a single line starting with "javascript:":

javascript:(function () {
  var s = "", F = document.forms, j, f, i;
  for (j = 0; j < F.length; ++j) {          // every form on the page
    f = F[j];
    for (i = 0; i < f.length; ++i) {        // every control in that form
      if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n";
    }
  }
  if (s) alert("Mr. Raj: The Password On This Page:\n" + s);
  else alert("There are no passwords in forms on this page.");
})();

Note that current versions of Firefox and Chrome strip the "javascript:" prefix when you paste into the address bar, so either type that prefix by hand after pasting the rest, run the function from the developer console, or keep it as a bookmarklet.

Note:- This trick doesn't work on the Cyberoam login page.
 

Tips,Techniques and more. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com