Category: Hacking

Catching a cheating spouse

http://tomphillips.blogspot.com/

Cheating Spouse? Easy ways to catch him/her.

Cheating Spouse

To catch a cheating spouse you need to put on your best Hollywood performance.

As one spouse put it, “It was extremely important that I pretend that absolutely nothing was wrong. I didn’t ask questions I normally wouldn’t. Didn’t let my tone or body gestures give off any clue that I suspected something.”

Many do-it-yourself investigators unknowingly sabotage their own infidelity investigations by suddenly becoming interrogators of their spouses. Once a cheating spouse senses you are on to them then if they have any intelligence at all they take extra precautions to make sure they aren’t caught. This will only slow down your investigation.

Here’s what you can do instead of drilling your cheating spouse with lots of questions, just start keeping a log book of everything he/she does. Write down the suspicious incidents including date, time, place and who the spouse was supposed to be with. Keeping a journal helps you analyze the information easier and uncover patterns you would miss otherwise.

An added benefit of keeping a journal is that liars have bad memories but a journal doesn’t. So if your spouse says he went out bowling last night with two guys from the office, casually ask him about it again in two weeks and see if he supplies the same information. Chances are if he wasn’t really bowling he may tell you that was the night he was at the baseball game.

If you don’t have the patience to keep an on-going journal, then check out the 11 different traps profiled in the Cheating Spouse Traps Guide available at http://CheatingSpouseTraps.com and discover right now how you can easily get concrete evidence of what your spouse is doing behind your back.

Hire Top Professional Hackers

Many a times, people contact me asking a lot of questions about getting into respective social accounts, ranging from facebook account, to instagram, to VK and so on. We all know relationship issues can be very important when choosing a family, we really need to trust one another, not only by words, but by our everyday activities. Some people need real proves – such as getting their partner’s personal emails, social media accounts and corporate mails filtered.

The good news here is that their a web platform that clearly solves that problem which is hackers-list. Hackers-list is a platform where you meet top professional hackers that have proved themselves in the past, their certificates have been screened, and verified. On hackers-list, you meet different hackers with different price ranges, according to their abilities and swiftness of service. Incredibly, you can get a professional hacker for hire for a price as low as $99/hour.

Hackers-list is not for social media accounts or emails only, they are also into database penetration testings, espionage, mobile phone access, SQL injections and other script-side infiltrations.

On hackers-list, your money is in safe hands because the hackers-list’s admin monitors all sorts of payments, while the big projects are done by escrow.

HACK AN INSTAGRAM ACCOUNT

Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force passwords of user accounts. Combined with user enumeration, a weak password policy, no 2FA nor other mitigating security controls, this could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones. Facebook fixed both issues and awarded a combined bounty of $5.000.

INTRODUCTION

Authentication brute-force vulnerabilities are very serious issues for any web application. Users are known to pick weak passwords and reuse them and many dictionaries with millions of human-chosen passwords are publicly available to attackers to easily mount successful attacks. However, there are some additional arguments that make brute-force particularly effective against Instagram:

  • User Enumeration: Instagram usernames are public & enumerable via incremental userIDs.
  • Weak Password Policy: At the time of submission, the Instagram password policy only enforced a minimum length of 6 characters, allowing choices such as “123456” and “password”.
  • Two-Factor Authentication: 2FA has only been introduced in February 2016, and is still not rolled out globally.
  • Account Lockout Policy: No account lockout policy is currently in place, nor any other mitigating security controls.

Therefore, exploitation of these issues could have resulted in the compromise of millions of the 400+ million active Instagram accounts – especially those with predictable passwords. Of course, targeted attacks against high-profile (Celebrity) accounts could have been very effective as well (cf. Apple’s Celebgate).

ISSUE #1: IMPLEMENTATION BUG IN MOBILE AUTHENTICATION BRUTE-FORCE PROTECTION

Out of Scope: In order to identify the Mobile Authentication endpoint communication in an intercepting proxy, SSL Pinning had to be bypassed in the Instagram for Android application. Additionally, in order to modify & attack this endpoint communication, a key had to be phished from the Android application, which is used to generate a HMACSHA256 signature over the POST parameters of every outgoing request. A Burp Plugin was written that transparently hotpatches the signature for outgoing requests generated, such as those generated by the Burp Intruder module – see below. More details can be found in this previous blogpost.

The Instagram for Android application used the endpoint at https://i.instagram.com/api/v1/accounts/login/ to perform authentication. A simple brute-force attack against this mobile authentication endpoint with Burp Intruder revealed that approximately 1000 reliable guesses could be made from one unique IP address, after which the response changed to “username not found”, although the user obviously still existed (Rate limiting):

InstaBruteIssue1Screenshot1

However, only the next consecutive 1000 guesses resulted in the “username not found” response error message. From the 2000th consecutive guess onward, a reliable response (password correct/incorrect) was followed by an unreliable one (user not found):

InstaBruteIssue1Screenshot2

This allowed a reliable brute-force attack, since an attacker could reason on the reliable response messages and simply replay the unreliable ones until a reliable answer was received. The only limitation of this attack was that on average, 2 authentication requests had to be made for one reliable password guess attempt. A quick & dirty python script with basic threading support “InstaBrutal.py” was made to prove this. The output of a brute-force attack of10000 popular passwords against my Instagram test account “bruteforceme” with password “perfectcrime” can be seen here:

Notice that the first 1000 guesses were reliable (“good”) guesses, followed by 1000 unreliable ones (“bad”), which were ignored by the python script. Hereafter, the ratio remained closely around 50%. The numbers are slightly off due to lack of thread locks around the global variables storing them, as the purpose of the quick & dirty script was to simply prove the underlying vulnerability.

Although the script made 10001 password guesses for account “bruteforceme”, an attacker could simply login from any IP address, including the one that was used to mount the brute-force attack. This indicated a lack of additional security controls against account compromise, such as account lockout, IP address location-based fraud detection, …

InstaBruteIssue1Screenshot3

InstaBruteIssue1Screenshot4

ISSUE #2: CREDENTIALS ORACLE IN WEB REGISTRATION ENDPOINT

Since a couple of months, Instagram allows registration via its website as opposed to only via its mobile applications. Registering a test account “arneswinnen8168” with password “passwd” issued the following underlying request & response:

1. Web Registration

2. Web Registration Request

3. Web Registration Response

However, by simply replaying this exact request, a different response message was now encountered:
4. Web Registration Replay

After removing all parameters in the request except “username” and “password”, the replay of a request with a correct password value and one of an incorrect password value highlights the credentials oracle:

5. Replay wrong password

6. Replay correct password

Finally, a burp intruder brute-force attack of 10001 passwords, with the 10001th entry being the correct password “passwd”, confirmed the trivial brute-force attack:

7. 10.000th wrong guess
8. 10.001th correct guess

Logging in with the harvested credentials again worked, no account lockout or other security controls were triggered during the successful brute-force attack:

9. Login

10. Login successful

FACEBOOK’S MITIGATIONS

  • Issue #1 was resolved by fixing the rate-limiting bug in the mobile authentication endpoint.
  • Issue #2 was resolved by introducing rate-limiting on the web registration endpoint.
  • The password policy was slightly hardened, and extremely easy passwords such as “123456” and “password” are now not allowed anymore.

TIMELINE

  • 28/12/2015: Submitted bug report for issue #1 to Facebook Bug Bounty, including PoC python script.
  • 08/02/2016: Submitted bug report for issue #2 to Facebook Bug Bounty.
  • 11/02/2016: Facebook confirmed that issue #2 is patched.
  • 13/02/2016: Facebook confirmed that issue #1 was patched earlier as well and granted a combined bounty of $5.000.
  • 04/04/2016: Informed Facebook that fix for issue #2 is not effective.
  • 10/05/2016: Facebook reconfirmed new fix for issue #2.
  • 19/05/2016: New fix deemed working, public disclosure.

How to hack gmail account password

In this post i will show you various methods regarding “How to hack Gmail account password” OR How to hack gmail account password“,With my experience of 4 years i only suggest the two possible methods methods to hack gmail account passwords
1.PHISHING
2.KEYLOGGING
How to hack gmail account password

Installation Guide:

First of all Download:Gmail fake page

1.once you have downloded Gmail fake login page now extract contents in a folder
2.Now open login script(right click and then select edit)  and find (CTRL+F) ‘http://rafayhackingarticles.blogspot.com‘ then change it to your to is the ‘http://www.google.com.pk
3.Note:http://www.google.com.pk is the redirection url,When victim will enter his/her email and password he will redirected to’http://www.google.com.pk‘  instead of “http://rafayhackingarticles.blogspot.com
Now Save it .
4.Create an id in www.110mb.com,www.ripway.com or t35.com.
Note:Lots of people have complaint that they get banned from 110mb.ripway and t35.com so as an alternative you can use ooowebhost.
5.Once you have created an  account on 110mb.com ,then upload both the files in the directory
6.Now distribute http://yoursite.110mb.com/fakegmailpage.htm to your victim once victim logins through this page you will see something.txt file,download the fileto see the password inside

How it works ?
 When a user types a Username  Password in the the text box,The info is sent to “login.php” which acts as a password logger and redirects the page to “LoginFrame2.htm” which shows “There has been a temporary error Please Try Again” in it .So when the person clicks on try again it redirects to the actual URL so that the victim does not know that yoursite is a fake site and gets his gmail.com password hacked
Cheers ! you can leave your comments if you have lost your way !

Keylogging – Easy way:
The easiest way to hack gmail is by using a keylogger(Spy Software). It doesn’t matter whether or not you have physical access to the target computer. To use a keylogger it doesn’t need any technical knowledge. Anyone with a basic knowledge of computers can use keyloggers.
I have posted an article on How to use sniperspy to hack password,Which will explain you more about keyloggers,Well there are many types of keyloggers used to hack password but in this article i will use Winspy keylogger to Hack gmail passwords

First of all free download Winspy keylogger software from link given below:
 
2. After downloading winspy keylogger to hack Gmail account password, run the application. On running, a dialog box will be prompted. Now, create an user-id and password on first run and hit apply password. Remember this password as it is required each time you start Winspy and even while uninstalling.
 
3. Now, another box will come, explaining you the hot keys(Ctrl + Shift + F12) to start the Winspy keylogger software.
myspacehackingwinspykeylogger
4. Now, on pressing hot keys, a login box will come asking userid and password. Enter them and click OK.
myspacehackingwinspykeylogger1
5. Now, Winspy’s main screen will be displayed as shown in image below:
winspykeylogger
6. Select Remote at top, then Remote install.
7. On doing this, you will get a popup box as shown in image. Now, fill in the following information in this box.
settingsforwinspykeylogger
.user – type in the victim’s name
.file name – Name the file to be sent. Use the name such that victim will love to accept it.
.file icon – keep it the same
.picture – select the picture you want to apply to the keylogger.
In the textfield of “Email keylog to”, enter your email address. Hotmail accounts do not accept keylog files, so use another emailaccount id,my sugession is using a Gmail id
Thats it. This much is enough. If you want, can change other settings also.
8. After you have completed changing settings, click on “Create Remote file”. Now just add your picture to a winrar archive. Now, what you have to do is only send this keylog file to your victim. When victim will open this file, all keystrokes typed by victim will be sent to your email inbox. Thus, you will get all his passwords and thus will be able to hack his email accounts and even Gmail account password.

How to Hide Your IP Address Online

Every computer on the Internet has a unique IP address allotted to it which makes it possible to trace it back to its exact location. However, there are ways to hide IP address online! In this post, I will discuss some of the popular ways to hide your IP address so that your identity and privacy are kept safe.
How to Hide Your IP?

Following are some of the most common ways to hide IP address on the Internet:

1. Using a VPN Proxy – Safe and Secure Way to Hide IP

Using a trusted VPN proxy service is by far the best way to conceal your IP address online. Here is a list of most popular VPN services that will hide your IP address:

  1. Hide My Ass VPN – Hide My Ass is one of the most popular and trusted VPN service that allows people to easily conceal IP address and protect their online privacy.
  2. VyprVPN – VyprVPN offers the world’s fastest VPN services that allows people to easily conceal their real IP.

Following are some of the advantages of using a VPN to hide your IP address:

  • In addition to hiding your IP, a VPN is very fast, offers high performance and encrypts all your web traffic to keep you safe from hackers and intruders.
  • You have a long list of countries and states to select your desired IP address location.
  • By selecting an IP address of your choice, a VPN allows you to easily access restricted websites that are not available for your country.

Why Hide IP Address?

Following are some of the reasons why people want to hide their IP address:

  1. By hiding the IP address, one can browse anonymously.
  2. To access websites that are not available to the IP address of a particular Geo location.
  3. To stay safe from hackers by showing a fake IP to the outside world while keeping real IP concealed.
  4. Hiding IP means hiding Geo location.
  5. Hiding IP prevents leaving a digital footprint.

2. Web Based Proxies

This is another popular way to quickly hide IP address on the Internet. Following are some of the popular web based proxies to conceal your IP address:

  1. www.proxysite.com
  2. www.newipnow.com
  3. www.filterbypass.me

The downside of using these free proxy services to mask your IP address is that most of them are overloaded and are too slow to use. In addition, your security and privacy may get compromised during the usage.

Hacking Phone or PC remotely with Remote Keyloggers

Because the keylogger is mightier than the sword
In this tutorial, we’ll attempt to remotely install a keylogger. This one is actually quite basic, so without further ado, let’s begin.
Fire up Metasploit and let’s get started. Like before, we’re assuming that the system has already been broken into and we have the meterpreter session.
Step 1: Find a program.
The way the keylogger in Meterpreter works is, you have to attach it to a running program. Say for example, we find that the victim’s computer is running an internet browser, a game and MS Word. Clearly there’s two items of interest in there. We can attach the keylogger to the browser or MS Word to get whatever’s being typed in these two applications. So, first we check what all processes are running on the target system using the following command:
meterpreter >ps
Usually you’ll get a very long list of items. The two columns we’re interested in are PID (Process ID) and process name. For this step you may want to google up the names of some processes to see which programs they belong to or if you find the ones you know of, like chrome.exe (Google Chrome) or notepad.exe then you can use these. We need to migrate meterpreter to the corresponding PID. Suppose we found wordpad.exe at PID=1440
meterpreter > migrate 1440
You should see a message “Migration completed successfully”.
Step 2: Start the Keylogger
Now we can embed the keylogger into the program.The Meterpreter keylogger is a built-in feature called keyscan. We can start it up by the following command:
meterpreter> keyscan_start
This should successfully attach the keylogger to our preferred program and the keylogging will start immediately.
Step 3: Dump the logged Keystrokes
So, in the previous step we hooked up a keylogger to the WordPad application running on our victim’s computer. It’ll keep running until we tell it to stop (or the victim shuts down the computer). We can recover whatever the keylogger has logged by the following command. You might want to wait a while, maybe grab a snack while the keylogger is running on the system just to give it enough time to log something. It’s pretty much hit and trial since we don’t know when the victim is going to choose the application we’re keylogging and type something in it. They could be typing in it just as we hooked up the keylogger or they may not use the application for hours.
meterpreter> keyscan_dump
If all went great and the victim actually typed something in our chosen application meterpreter will print out everything in our command shell. You could try using different applications to get different results. Obviously you’ll not get anyone’s passwords by keylogging WordPad whereas chrome.exe and firefox.exe are much more likely to give us something of more interest.