The Best Hacking Books

The most powerful and readable books, which I have personally read; all of them are very helpful.


Showing posts with label "Web Hacking". Show all posts

Sunday, January 12, 2020

INCREASE INSTAGRAM FOLLOWERS and USE OF XSSPY



==============================================
This article is only for educational purposes. Any actions or activities related to the material contained on this Website are solely your responsibility.  Misuse of the information on this website can result in criminal charges brought against the persons in question.
======================================
First
For Android/Termux
Step 1:
Open Termux and type ‘ pkg install git ‘.
Step 2:
Now type ‘ git clone https://github.com/thelinuxchoice/inshackle.git ‘.
Step 3:
Type ‘ cd inshackle ‘ > ‘ ls ‘.
Step 4:
To run the script type ‘ bash inshackle.sh ‘.
Step 5:
Pick any option you like. You need to give your username and password to use the services provided.

Please let me know in the comments if you have any problems.
=============================
Second

XSSPY (Web Application XSS Scanner)


XssPy is a python tool for finding Cross-Site Scripting vulnerabilities in websites. It uses small yet effective payloads to search for XSS vulnerabilities.

The tool has been tested in parallel with paid vulnerability scanners, and most of the scanners failed to detect the vulnerabilities that the tool was able to find.
The tool comes with these functions:
  • Short Scanning
  • Comprehensive Scanning
  • Finding subdomains
  • Checking every input on every page

Requirements:

Android

Termux (Play Store)

Mobile data / wifi connection

Requirements for Pc/Laptop


Kali Linux

wifi connection




For Android


  1. First type "pkg install python2 git "
  2. Now type "git clone https://github.com/faizann24/XssPy.git "
  3. Now type " cd XssPy "
  4. Now type  " pip install mechanize "
  5. Type " chmod +x XssPy.py "  (give it permissions for execution)
  6. The last step to start XssPy is " python XssPy.py -h "
  7. Now to scan a website type " python XssPy.py -u anywebsite.com/xyz " and follow the instructions.

For PC / Laptop
Type in the terminal
git clone https://github.com/faizann24/XssPy/     /opt/xsspy
Note:
The tool works on Python 2.7 and you should have mechanize installed. If mechanize is not installed, type “pip install mechanize” in the terminal.





Tuesday, January 7, 2020

Denial of Service


Both local and remote denial-of-service (DoS) attacks against antivirus software are possible; indeed, one of the most common attacks is aimed at disabling AV protection.
"A DoS is an attack launched against software or against a machine running some software, with the aim of making the targeted software or machine unavailable."





Local Denial-of-Service Attacks
A local denial of service is a DoS attack that can be launched only from the same machine on which the targeted antivirus software is installed. The common types of local DoS attacks follow.

  • Compression Bombs

A simple, well-known, and widely available local denial-of-service attack against antivirus software is the compression bomb, also referred to as a zip bomb or the “zip of death.”

Creating a Simple Compression Bomb
In this section, you create a simple compression bomb using common standard Unix and Linux tools. First you need to create a big zero-filled file with the command dd:

dd if=/dev/zero bs=1024M count=1 > file

After creating this “dummy” file, you need to compress it. You can use any compression tool and format, such as GZip or BZip2. The following command creates a max 2GB dummy file and then directly compresses it with BZip2, resulting in a 1522-byte-long compressed file:

dd if=/dev/zero bs=2048M count=1 | bzip2 -9 > file.bz2

You can quickly check the resulting size by using the wc tool:
$ LANG=C dd if=/dev/zero bs=2048M count=1 | bzip2 -9 | wc -c
0+1 records in
0+1 records out
2147479552 bytes (2.1 GB) copied, 15.619 s, 137 MB/s
1522
This is a really simple compression bomb attack.
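How a scanner can unpack such a file without being exhausted by it, as an added example (not from the original post): the decompressor is fed incrementally and stops at an output cap or an expansion-ratio cap. The limits, the function names and the two sample buffers are assumptions constructed for the illustration.

```python
import bz2
import io


class DecompressionLimitExceeded(Exception):
    """The stream expanded past the scanner's output or ratio budget."""


def bounded_bunzip2(stream, max_output=64 * 2**20, max_ratio=200,
                    ratio_floor=2**20, chunk_size=64 * 1024):
    """Decompress a bzip2 stream incrementally and stop at the first limit hit.

    max_output - hard cap on decompressed bytes (assumed default: 64 MiB)
    max_ratio  - cap on output/input ratio, enforced once output > ratio_floor
    Returns the decompressed bytes if both limits hold.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    consumed = 0
    while not decomp.eof:
        chunk = b""
        if decomp.needs_input:
            chunk = stream.read(chunk_size)
            if not chunk:
                raise EOFError("truncated bzip2 stream")
            consumed += len(chunk)
        # max_length bounds the bytes produced per call, so a tiny input
        # can never force one huge allocation.
        out += decomp.decompress(chunk, max_length=chunk_size)
        if len(out) > max_output:
            raise DecompressionLimitExceeded("output exceeds %d bytes" % max_output)
        if len(out) > ratio_floor and len(out) > max_ratio * consumed:
            raise DecompressionLimitExceeded("expansion ratio above %d:1" % max_ratio)
    return bytes(out)


def scan_verdict(compressed, **limits):
    """Return 'ok' or 'rejected: <reason>' for one compressed buffer."""
    try:
        bounded_bunzip2(io.BytesIO(compressed), **limits)
        return "ok"
    except DecompressionLimitExceeded as exc:
        return "rejected: %s" % exc


# Constructed inputs: 8 MiB of zeros (a scaled-down version of the dd example)
# and an ordinary short text buffer.
ZEROS = bz2.compress(b"\0" * (8 * 2**20), 9)
TEXT = bz2.compress(b"GET /index.html HTTP/1.1\r\n" * 200, 9)

if __name__ == "__main__":
    print(len(ZEROS), scan_verdict(ZEROS))
    print(len(TEXT), scan_verdict(TEXT))
    print(scan_verdict(ZEROS, max_output=2**20, max_ratio=10**9))
```

The ratio check is skipped below `ratio_floor` so that small, highly repetitive but harmless files are not rejected.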
==================================
Bugs in File Format Parsers
File format parser bugs can also be used locally to prevent an antivirus scanner from detecting malware. A non-trivial example of this is when the malware drops a malformed file that is known to trigger the bug in the antivirus file parser and cause it to die or become stuck (for example, an infinite loop).
Here is another easier example of how to implement a file format bug. Imagine you have two files with the following path structure:

base_dir\file-causing-parsing-bug.bin
base_dir\sub-folder\real-malware.exe

Attacks against Kernel Drivers
Other typical examples of local DoS attacks against antivirus products are those focused on kernel driver vulnerabilities. Most antivirus products for Windows deploy kernel drivers that can be used to protect the antivirus program from being killed, to prevent a debugger from attaching to their services, to install a file system filter driver for real-time file scanning, or to install an NDIS mini-filter to analyze the network traffic. 

These tricks are a useful way, for example, to reboot the machine after performing some action without asking the user for confirmation or requiring high-level privileges. They can also be used in a multistage exploit. A hypothetical, yet possible, scenario follows: 
1. An attacker abuses a vulnerability that allows one of the following: a file to be copied to a user’s Startup directory, a bug that allows a driver to be installed, or a bug that allows a library to be copied in a location that will later be picked up and loaded in the address space of high-privileged processes after rebooting.
 2. The attacker then uses a kernel driver bug to force the machine to reboot so that the changes take effect.

Local DoS vulnerabilities in antivirus kernel drivers are very prolific; a few vulnerabilities appear each year, affecting a wide range of antivirus products from the most popular to the less known. 


Remote Denial-of-Service Attacks
Remote DoS vulnerabilities can also be discovered in antivirus products, as in any other software with a remote surface that is exposed. A remote denial of service is a DoS attack that can be launched remotely, targeting the antivirus software installed in the victim’s computer. There are many possible remote DoS attack vectors, with the following being the most common:

  • Compression bombs, as in the case of local denial of services
  • Bugs in file format parsers, as in the case of local denial of services
  • Bugs in network protocol parsers.

  • Attacks against antivirus network services that listen to network interfaces other than the loopback network interface (localhost IP address, 127.0.0.1)





Saturday, January 4, 2020

Web Application Hacker’s Toolkit


Here we cover some basics of web applications.

A Web Application Hacker’s Toolkit


Some attacks on web applications can be performed using only a standard web browser.
Most Important
The most important item in your toolkit falls into this latter category, and operates as an intercepting web proxy, enabling you to view and modify all of the HTTP messages passing between your browser and the target application. 
Second Main Category
The second main category of tool is the web application scanner. This is a product designed to automate many of the tasks involved in attacking a web application, from initial mapping through to probing for vulnerabilities.

What Are Web Browsers?

A web browser is not exactly a hack tool, being the standard means by which web applications are designed to be accessed. 

Internet Explorer 
Microsoft’s Internet Explorer (IE) is currently the most widely used web browser, comprising approximately 60% of the market at the time of writing. Virtually all web applications are designed for and tested on IE, making it a good choice for an attacker because most applications’ content and functionality will be correctly displayed and usable within IE.

Firefox 
Firefox is currently the second most widely used web browser, comprising approximately 35% of the market at the time of writing. The majority of web applications work correctly on Firefox; however, there is no native support for ActiveX controls.

Opera
Opera is a relatively little-used browser, having less than 2% of the market share at the time of this writing. Relatively few applications are specifically tested on Opera. 

Integrated Testing Suites
After the essential web browser, the most useful item in your toolkit when attacking a web application is an intercepting proxy.
There are three leading suites in widespread use, which we will examine in this section:
Burp suite

Paros 

WebScarab 


Configuring Your Browser
If you have never set up your browser to use a proxy server, this is trivial to do on any browser. 

Then perform the steps required for your browser:

Internet Explorer
In Internet Explorer, go to Tools ➪ Internet Options ➪ Connections ➪ LAN settings. Ensure that the Automatically Detect Settings and Use Automatic Configuration Script boxes are not checked. Ensure that the Use a Proxy Server for Your LAN box is checked. In the Address field, enter localhost and in the Port field enter the port used by your proxy.  Click on the Advanced button, and ensure that the Use the Same Proxy Server for All Protocols box is checked. If the hostname of  the application you are attacking is matched by any of the expressions in the Do Not Use Proxy Server for Addresses Beginning With box, remove these expressions.
 Click OK on all the dialogs to confirm the new configuration.

Web Application Spiders
Web application spiders work in a similar way to traditional web spiders — by requesting web pages, parsing these for links to other pages, and then requesting those pages, continuing recursively until all of a site’s content has been discovered.
To accommodate the differences between functional web applications and traditional web sites, application spiders must go beyond this core function and address various other challenges, such as the following:

>> Forms-based navigation, using drop-down lists, text input, and other methods.

>> JavaScript-based navigation, such as dynamically generated menus.

>> Multistage functions requiring actions to be performed in a defined sequence.

>> Authentication and sessions.

>> The use of parameter-based identifiers, rather than the URL, to specify different content and functionality.

>> The appearance of tokens and other volatile parameters within the URL query string, leading to problems identifying unique content.

>> Checking for the robots.txt file, which is intended to provide a blacklist of URLs that should not be spidered, but which an attacking spider can use to discover additional content.

>> Automatic retrieval of the root of all enumerated directories. This can be useful to check for directory listings or default content (see Chapter 17).

>> Automatic processing and use of cookies issued by the application, to enable spidering to be performed in the context of an authenticated session.

>> Automatic testing of session-dependence of individual pages. This involves requesting each page both with and without any cookies that have been received. If the same content is retrieved, then the page does not require a session or authentication. This can be useful when probing for some kinds of access control flaw (see Chapter 8).

>>  Automatic use of the correct Referer header when issuing requests. Some applications may check the contents of this header, and this function ensures that the spider behaves as far as possible like an ordinary browser. 

>> Control of other HTTP headers used in automated spidering.

>> Control over the speed and order of automated spider requests, to avoid overwhelming the target, and if necessary behave in a stealthy manner.





Application Fuzzers and Scanners
While it is possible to perform a successful attack using only manual techniques, to become a truly accomplished web application hacker, you need to make use of automation in your attacks, to enhance their speed and effectiveness. 

The following features are implemented in the different tool suites:

>> Automated scans to detect common vulnerabilities.

>> Manually configured scanning for common vulnerabilities.

>> A set of built-in attack payloads and versatile functions to generate arbitrary payloads in user-defined ways — for example, based on malformed encoding, character substitution, brute force, data retrieved in a previous attack, and so on.

>> Ability to save scan response data to use in reports or incorporate into further attacks.

>> Customizable functions for viewing and analyzing responses — for example, based on the appearance of specific expressions or the attack payload itself.

>> Functions for extracting useful data from the application’s responses — for example, by parsing out the username and password fields in a My Details page.

>> Functions for analyzing cookies and other tokens for any sequences.



Friday, January 3, 2020

Metasploit (Top Hacking Tool)

A.o.A

Metasploit



Introduction to Metasploit
Metasploit is free open-source software that can be used to automate lots of complex tasks. Since Metasploit is a huge framework, it won’t be possible for me to cover every aspect of it here, but I will try to cover the essentials and will do my best to get you going with Metasploit. Metasploit is the Swiss army knife of penetration testing and is something that you can use not only for network exploitation but for web exploitation too.
History of Metasploit
Metasploit was initially started by HD Moore in 2003. He named it the “Metasploit Project.” Initially it was started as a public resource for exploit development; however, later it was turned into the “Metasploit Framework.” The first two versions of the Metasploit Framework were coded in Perl.

To download it for free, click on Metasploit.
Note: In Kali Linux, Back|Track 5 and other hacking OSes it is available in the tool list.

How to open ?

Step 1:
Open terminal in (Kali Linux and Back|Track5).
Step 2:
Type this command " msfconsole".


Here you see Metasploit is open.

You Also Find This In Kali Linux and Back|Track5 Toolbar

Metasploit Commands

Here are some basic and useful commands:
Help
This will display all the core commands.
==============================================
Msfupdate
This will automatically download any latest update, including the latest exploits, payloads, etc. It is one of the first commands I run whenever I start Metasploit.
==============================================
Show exploits
This command would load all the exploits that are currently available in the Metasploit Framework.
===============================================
Show payloads
This command will load up all the payloads that are currently available in the Metasploit Framework. Speaking of payloads, in Metasploit, generally, you would use the following two payloads:
===============================================
Bind shell
When you initiate a connection to the victim.
Reverse shell
This is very helpful when our victim is behind a NAT and we cannot connect to him directly. In this case, a bind shell won’t be of much help.
================================================
Show auxiliary
You might be familiar with auxiliary modules as we have already used them. The auxiliary modules contain fingerprinting and enumeration tools, brute forcing tools, and various types of scanners. 
================================================
Show post
This would display all the modules we can use after we have compromised a target.
===============================================
Search 
Metasploit has a search feature with which we could search for specific exploits, payload, auxiliary modules, etc
Exp:
search name
1: search window  payload
2: search android  payload
===============================================
Use 
The “use” command would load a particular auxiliary/exploit module.
Exp:
use auxiliary/dos/windows/ftp/filezilla_admin_user
==============================================
Show Options 
This command “show options” would display all the options that are required.
===============================================
Set/Unset
The "set" command could be used to set RHOST, RPORT, payload, and other various functions.
===============================================

run/exploit
The run command would run an auxiliary module, whereas an exploit command would run an exploit. The exploit command is an alias of the run command.
===============================================
You can also open Nmap inside Metasploit with the command "nmap".

===============================================
===============================================

Hack Windows 7
Here I have a most useful vulnerability, "ms08_067".
Check any system using this command:
 nmap --script=vuln <target ip>

Here we see this device is vulnerable, which means we can perform an attack on this device.





If you have any problem, please comment.


Thursday, January 2, 2020

SQL Injection Tools


There are many tools, which we discuss here:

BSQL Hacker is an automated SQL Injection tool designed to exploit SQL injection vulnerabilities in virtually any database.

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

With Marathon Tool, a malicious user can send heavy queries to perform a Time-Based Blind SQL Injection attack.

Note: You can download these tools by clicking on them.

SQL Queries

SQL is a domain-specific language used in programming and designed for managing data held in a relational database management system, or for stream processing in a relational data stream management system.
Work of an SQL Query
An injected SQL query is executed on the server, which replies with the response.
SELECT * FROM [Orders]

This command will reveal all information stored in the database's "Orders" table. If an organization maintains records of its orders in a database, all information kept in this database table will be extracted by the command.

SQL Delete Query
The DELETE statement is used to delete existing records in a table. To understand, consider a table “Customers” in a database. The following information is what the table “Customers” contains.
Here you can see that an attacker performs an SQL Injection attack on a website.
Here you can see that when an attacker attacks a website, he gets some information like this.
===================================
For Android 
===================================
Tools
  1.  


These are the most useful tools, which I use personally.
==================================
Finally, we look at some evasion techniques.
Evading IDS
In order to secure a database, isolated deployment in a secure network location with an intrusion detection system (IDS) is recommended. The IDS keeps monitoring the network and host traffic as well as the database application. The attacker has to evade the IDS to access the database, and uses different evasion techniques for this. For example, an IDS using signature-based detection compares the input strings against its signatures to detect intrusion. Now all you have to do is to evade the signature-based detection.

Types of Signature Evasion Techniques
  • In-line Comment
  • Char Encoding
  • String Concatenation 
  • Obfuscated Codes
  • Manipulating White Space
  • Hex Encoding 
  • Sophisticated Matches 
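
Why signature matching on the raw input is weak against the techniques listed above, and what the detection side does about it, as an added example (not from the original post): the parameter is canonicalised before the signatures run. The two signatures, the function names and the sample fragments are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Assumed, deliberately small signature set for the demonstration.
SIGNATURES = {
    "union-select": re.compile(r"\bunion (all )?select\b"),
    "schema-probe": re.compile(r"information_schema"),
}


def _hex_to_literal(match):
    """0x61626364 -> 'abcd' when the bytes are printable ASCII."""
    try:
        text = bytes.fromhex(match.group(1)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return match.group(0)
    return "'%s'" % text if text.isprintable() else match.group(0)


def _char_to_literal(match):
    """CHAR(97,98) -> 'ab' when every code point is printable ASCII."""
    codes = [int(n) for n in match.group(1).split(",")]
    if all(32 <= c < 127 for c in codes):
        return "'%s'" % "".join(chr(c) for c in codes)
    return match.group(0)


def normalize(value):
    """Canonicalise one request parameter before signature matching."""
    value = value.replace("+", " ")          # form encoding of a space
    for _ in range(3):                       # layered URL encoding, bounded
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)        # in-line comments
    value = re.sub(r"\b0x((?:[0-9a-fA-F]{2})+)\b", _hex_to_literal, value)
    value = re.sub(r"(?i)\bchar\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", _char_to_literal, value)
    value = re.sub(r"'\s*(?:\+|\|\|)\s*'", "", value)           # 'a'||'b' -> 'ab'
    return re.sub(r"\s+", " ", value).strip().lower()           # white space, case


def match_signatures(value, canonical=True):
    """Names of the signatures that fire on the raw or canonical form."""
    text = normalize(value) if canonical else value.lower()
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


# Constructed fragments, one per technique handled above.
SAMPLES = ["UNION SELECT", "UNION/**/SELECT", "UNION%2520ALL%250ASELECT",
           "'information_'||'schema'", "0x" + b"information_schema".hex()]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, match_signatures(s, canonical=False), match_signatures(s))
```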









Hack Me Tech