Monday 3 November 2014

Best Port Scanner Tools




NMAP

Nmap (“Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


Download

Net Scan tool:
NetScanTools is a collection of over 40 network utilities for Windows, designed with an easy user interface in mind. It includes DNS tools, a ping and port scanner, traceroute, and other utilities.


Download

SuperScan
SuperScan is a powerful TCP port scanner that includes a variety of additional networking tools like ping, traceroute, HTTP HEAD, WHOIS and more. It uses multi-threaded and asynchronous techniques resulting in extremely fast and versatile scanning.


Download


Angry IP Scanner
Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.



It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies.



Download

Sunday 2 November 2014

2014 best top 10 Mobile antiviruses

1.)Mcafee  Mobile security

2.)KasperSky  Mobile security

3.)WebRoot  Mobile security

4.)Eset  Mobile security

5.)BitDefender Mobile security

6.)Fsecure  Mobile security

7.)Trend Micro

8.)Look out  Mobile security

9.)Bull Guard

10.)Net QIN  Mobile security

Clickjacking

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.


Examples
For example, imagine an attacker who builds a web site that has a button on it that says "click here for a free iPod". However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up exactly the "delete all messages" button directly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but instead actually clicked on the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".

One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.

Clickjacking also made the news in the form of a Twitter worm. This clickjacking attack convinced users to click on a button which caused them to re-tweet the location of the malicious page, and propagated massively.


There have also been clickjacking attacks abusing Facebook's "Like" functionality. Attackers can trick logged-in Facebook users to arbitrarily like fan pages, links, groups, etc






Defending against Clickjacking
There are two main ways to prevent clickjacking:

Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
Employing defensive code in the UI to ensure that the current frame is the most top level window
For more information on Clickjacking defense, please see the the Clickjacking Defense Cheat Sheet.

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Cross Site Request Forgery

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of maliciousexploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated For example, one user, Alice, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references an action on Alice's bank's website (rather than an image file), e.g.

If Alice's bank keeps her authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Alice's browser to load the image will submit the withdrawal form with her cookie, thus authorizing a transaction without Alice's approval.

A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Alice's Web browser which is confused into misusing Alice's authority at Mallory's direction.

The following characteristics are common to CSRF:

Involve sites that rely on a user's identity
Exploit the site's trust in that identity
Trick the user's browser into sending HTTP requests to a target site
Involve HTTP requests that have side effects
At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action.


CSRF attacks using image tags are often made from Internet forums, where users are allowed to post images but not JavaScript.

Saturday 12 October 2013

WHAT IS DOMAIN NAME HIJACKING ?

When we buy a domain name, we also get a control panel for full control on this domain name. From this control panel we point our domain to the web server where our files are actually host. For ex- I have a domain name abc.com and i bought hosting at a server webhost.com. then for working of our website we need to setup our domain to point to our web hosting server webhost.com. Now how domain hijacked?? For hijacking a domain name, you need to get access the domain name control panel and point out it to your website server from it’s original server. In above example, suppose a person Y wants to hack the domain name abc.com. He will try to get access to the control panel of the domain name abc.com. After doing this he will change it to point ywebhosting.com where Y has hosted his website. Now we can see thaty the original website was on webhost.com but now it changes to ywebhosting.com. All visitors of abc.com will see a different website now. How to get access to the domain control panel?? To hijack a domain name it is necessary to get access to the domain name control panel. For this we need 2 infornmations. Domain name registrar Administrative email associated with this domain This is very easy to get these information about a domain name. Use WHOIS service for this. go to http://whois.domaintools.com/ enter the target URL and lookup. You will get the whois record of the domain name. NOw see the record and find the administrative email address and registrant service provider for this domain name. Now you have both informations about this domain name. The administrative email address of this domain name is the key to hijack this domain name. Now hack this email account. There are lots of ways to hack a mail account. use anyone of your choice. after gaining access to this email id, search in mail for emails from the registrar emails. Surely there will be an email with user name and password. If not then go to the registrar website and click on forgot password link and reset the password of your choice. Now you can login to the control panel of the domain name. Change the settings of this domain name. Domain name is now hijacked …… How to protect your domain name?? For protecting your domain name, protect your administrative email address. Protect your email account from being hacked. Another best way is private domain name registration. In this type of registration, your private information such as administrative address will be hidden to public in whois records. So the private registration provides an extra security and protects your privacy. Private domain registration costs a bit extra amount but is really worth for it’s advantages. Every domain registrar provides an option to go for private registration, so when you purchase a new domain make sure that you select the private registration option.

Wednesday 26 June 2013

DOWNLOAD TOP PENETRATION DISTROS( MADED FOR HACKING )

BACTRACK 5 R3 :-



download link:-DOWNLOAD backtrack5 r3



 KALI LINUX:-




download link:-http://sourceforge.net/projects/kali-linux/files/latest/download