article-stack

Mr. Das noticed that his boss entered a 5-6 digit password in his personal management project. Mr. Das noticed only 1^st digit of the password. Next day he made all possible combination with 5-6 digits where the first digit was known. He used brute-force attacker software to generate and apply combination in less time. And he cracked the password.

You are free to customize input characters, password length. For example

For letters 1,3,a,t,u, some possible combinations would be

13atu

13aut

13tau

:

atu31

31tua

:

You can give input characters to limit number of words. You can also limit the length of password like if you keep password length 4 for above example then combination would be;

3au1

3ta1

:

Why do I call it as poor hacking tactics?

A hacker never believes in Hit & Try. They search for a proper method. There is always some logic behind any step they take. I hacked locked folders and locked ZIP files too. But I never used any brute force attacker.

How to protect you from Brute-force and dictionary attack?

You can’t control people to enter password many times. But a programmer can do. Read below mentioned points which would help a programmer and user as well to avoid such attacks.

Programmer’s point of view

• Lock the account after fixed number of failed login attempts.
• Block an IP, where you get many failed login attempts from.
• You may increase interval between two logins.
• Don’t let user set password less than 6 or 8 length.
• Ask users to set password containing alphanumeric & special characters.

User’s point of view

• Password length must be more than 6-8 characters.
• Your password must not be any dictionary word.
• You must use alpha numeric & special characters in your password.
• Don’t use password like your PAN# or mob# or something that can be guessed easily.
• Change password regularly, once in a month or as per your choice.

Remember that brute force & dictionary attacks are not only the way to hack your password. The worst technique for users is keylogger and for programmer is SQL injection.

There is no software which can hack a locked zip files. Some brute force attacker can try for it. But using a bruite-force attacker shall be a stupid step.

This article is limited to not only for registered members but for the visitors who are really interested to know this trick.

What you need to do?
Register yourself – Because you’ll not be able to see contents without login.
Comment – I need to know your interest why do you want to hack a locked zip file.

If i find more than 100 unique comments by registered users then only I’ll tell you this trick. You need not to mention your mail id. I’ll update this article only.

I generally use long password including all sort of characters.
Yesterday I forgot the password of admin section of my site. But I supposed to log in anyhow since I was unable to do any activity. I decided to hack it.

Difficulties which were in front of me

I don’t use password which are common for multiple accounts. So it was very difficult to take idea from other passwords.

Generally all the passwords are 18 characters long. So it was very difficult to guess.

My password contains all alphanumeric characters and special symbol. There were total 1.1962222086548019456196316149566e+56 possibilities, if i try. So even the brute force attack was helpless.

I never use English dictionary word. So it makes dictionary attack disable. For some password I use Hindi dictionary word

If I enter wrong password one time then I would not be able to log in for next 15 mins even with correct password.

If I enter wrong password 3 times then I would not be able to log in for complete day.

SQL injections were effect less since I already had handled them somehow up to some level.

When I started to hack, I was supposed to break some internal security layers. And I had forgotten password for them as well.

But I hacked it….

Of course I’ll not tell you how. But there is a hint. You can find out the way in my previously published four articles. All are interrelated. And only one of them is tagged for hacking. One of them is tagged for online services. and rest you need to find

Do you avoid people to get registered on your site? …… Many people do this because they afraid.

There is common thinking in everyone’s mind that if you want to secure your wordpress blog then you must disable users to get registered on your site.

Registration on a site always attracts hackers. Many plug-ins may secure your blog. But some of them might be proved as a powerful & useful tool for hackers.

Here I am discussing about a plug-in which is very useful in point of security. But I used this to hack my own site.

Let’s do it.

http://localhost/wp-admin/options-general.php?page=WordPressFileMonitor&display=alertDesc

or
< your blog url >/wp-admin/options-general.php?page=WordPressFileMonitor&display=alertDesc

Here you’ll get a page informing you last modified files. You also can remove this information without any administrator permission. So the next time when owner of that site logins to dashboard, shall not be prompt for any modification. Only the problem is that if mail service for this plug-in is already enabled then the owner would be prompted via mails.

This hack will help you to collect more information about the site like latest changes, posts in draft, plug-in recently installed, theme, and various path along with file name.

If you are developing wordpress blog, you might need to do testing for registered users like

• Whether non registered users are able to view blocked posts
• Whether restricted contents are visible to members only.
• Which are options on dashboard accessible to various users?
• etc

Better you do all testing locally including user registration.
To register a user on local copy of your wordpress, either you need to configure SMTP server locally. So mails can be send from your machine. Or you can go for a very small trick mentioned below.

Before reading this article, you are required to install Xampp on your PC. This will automatically install other needful components. Then you would have to do some changes in php.ini that i am describing below.

Initial settings:

Locate php.ini which should exist on following path. I am assuming that you had installed Xampp on C drive.

C:\\php\php.ini
C:\\php\php5.ini
C:\\apache\bin\php.ini

Editing php.ini:
- Open php.ini file and uncomment the php_smtp.dll extension. This is required when sending emails to a remote server.
- Scroll down and find the following lines:

[mail function]
; For Win32 only.
;SMTP = localhost
;smtp_port = 25

; For Win32 only.
;sendmail_from = me@example.com

- From the lines above, uncomment SMTP, smtp_port and sendmail_from
directives, then add SMTP server, SMTP port number and your preferred email address to SMTP, smtp_port and sendmail_from directives respectively, your final code should be similar to the one below:

[mail function]
; For Win32 only.
SMTP = mail.server.com
smtp_port = 25

; For Win32 only.
sendmail_from = something@server.com

- Replace mail.server.com and something@server.com with correct values. The default
- Restart your server. That you can do from xampp controller.

Now you just need some application that can send e-mail from your PC. You can use wordpress for the same.

I seen many people asking site owners about their CMS platform.
It is easier to know it yourself. There is a fixed path pattern of every CMS. If a site is using wordpress CMS then path pattern should be like,

Domain Name/wp-admin

If you get wordpress login page by entering above path then you surely can say that site is built on wordpress CMS. But wordpress provides an easier way to change the path of wordpress installation directory. This option is available in wordpress dashboard under settings option. If a user had changed the path then it is really difficult to guess the path. Specially when site owner restricts crawler to index their site contents. In this case below google search will not help you

inurl:wp-admin site:article-stack.com

Well! it is pretty easy to know wordpress installation directory path. Use the below path

Domain Name/robots.txt

You’ll get a text file containing path as follow

Sitemap: Domain Name/sitemap-web.xml

User-Agent: *
Disallow: /wp/wp-admin/
:
Disallow: /go/
Disallow: /forums/profile/

If robots.txt revealing the path you are trying to hide then you must know why robots.txt is imported for your site.

In case of above example, wordpress installation directory is Domain Name/wp/

Well!! You’ll find many of valid invalid circumstances where you need to open locked folder & files. Here I am explaining how can you break any folder/ file security software without having any technical or hacking knowledge. Most of the techniques are applicable only on PC SECURITY software. But some of them you can apply on other locking software as well.

Yesterday while writing an article over how to hack PC Security? & How to hack winzip? i committed spelling mistake. I found that MS Office 2007 was not having any perfect solution for that spelling as you can find in given screen shot. But when i searched for right word in wordweb, i found single & correct spelling.

I surprised after hearing that youtube is redirecting their users to some adult sites. Hackers placed some JavaScript and HTML code in the comments section of targeted videos. When someone starts watching targeted video, code would run automatically and redirects visitor to some adult sites.
Google says the problem was fixed within only two hours of being reported, according to the BBC.

“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com,” a spokesperson said.

“Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours.

“The thing with a cross-site scripting attack is that it will appear that it is a message being posted by that website, which gives it a certain legitimacy, Graham Cluley of security firm Sophos told BBC News.

“It could be used to show a message that tells you to update your password; it could link to a malicious website; or it could attempt to phish you.”