Archive for the ‘Hacking and Cracking’ Category

How to hack gmail / yahoo / hotmail

Monday, December 18th, 2006

Thousands of people search the internet for the above topic, and apparently they come up with quite nice articles which explain how to hack. Most of those tell you to send an email to a specific email address of the service provider, which is supposedly a system account. What you have to do is send an email from your account with your password in it, and also add the email account to be hacked. It’s very easy: they give you the format of the email, you just have to insert the two values and send the email to the system account. And just after you send the email, the system account logs into your account, does some bullshit (this changes from article to article) and sends back the password of the other person. Pretty cool, isn’t it?

This method is really simple. As I mentioned before, this technique is called social engineering. Once you’ve sent your password, it’s a hack! They have used social engineering to get into your account.

There is one thing you need to keep in mind before searching the internet for the above topics: don’t fall into pitfalls. There are thousands of security experts working on securing the email services, so it’s very unlikely there are flaws in them. On the other hand, even if there is a flaw, who would want to share it? As a matter of fact, just after someone shared it the service provider would get alerted and close the hole, and the finder wouldn’t be able to exploit it any longer.

So, if you really, really want to hack into email accounts (I strongly recommend not to), find your own way. The best possibility is social engineering.

Please don’t post comments asking to hack something. You’ll not get any replies.

SQL Injection

Wednesday, February 22nd, 2006

LAMP is a commonly used web development combination: Linux, Apache, MySQL and PHP. Since PHP is designed for web development, the language is very simple and anyone can learn it easily, and combining it with MySQL lets you build very powerful web sites.

There is one dangerous mistake some people make: passing values from the user directly into the database. How could it be so dangerous? I’ll show you an example.

Let’s say you have a login form and a line like this in the action page:

$result = mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND pwd='" . $_POST['password'] . "'");

Normally, the script adds the values from the user into the SQL query, so it will be something like:

SELECT * FROM users WHERE username='sandaruwan' AND pwd='secret'

There is nothing wrong with that. But let’s say, instead of typing my username, I type something like:

sandaruwan'#

What would happen? The script will insert this string into the query, so it becomes:

SELECT * FROM users WHERE username='sandaruwan'#' AND pwd='secret'

In MySQL the symbol # comments out the rest of the query, so the final query is:

SELECT * FROM users WHERE username='sandaruwan'

So, no matter what the password is, the script will let you log in. Very simple, but effective.
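As an added example (not the post’s code), here is the same login rebuilt in Python so the concatenated query can be compared with a parameterised one against an in-memory SQLite table. The table, the single user row and the function names are constructed for this demo. Note that # is a comment marker in MySQL but not in SQLite, so the unsafe string is only built here, never executed.

```python
"""Vulnerable string concatenation vs. a parameterised query.

Example code, not from the original post. The users table and its one
row are constructed for the demo; a real schema would store a salted
password hash, not the clear-text pwd column the post uses.
"""
import sqlite3


def build_query_unsafe(username, password):
    """Mirror of the PHP line: user input is pasted straight into the SQL.

    Only builds the string so the effect of a quote + comment marker can be
    seen; it is deliberately never executed.
    """
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND pwd='" + password + "'")


def make_db():
    """Constructed in-memory database with the post's single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("sandaruwan", "secret"))
    conn.commit()
    return conn


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so quotes and comment markers inside them are plain data.
    Returns the matched username, or None when no row matches."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND pwd=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("unsafe string:", build_query_unsafe("sandaruwan'#", "secret"))
    print("safe, real creds:", login_safe(db, "sandaruwan", "secret"))
    print("safe, injected name:", login_safe(db, "sandaruwan'#", "anything"))
```

With the placeholder version the string sandaruwan'# is compared literally against the username column, finds no such user, and the login fails; the comment trick only works when the input is spliced into the SQL text itself.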

Social Engineering

Monday, February 13th, 2006

One afternoon, when you are relaxing at home, you get a call from HSBC and they tell you they are rechecking credit cards. “Could you please tell me your credit card number?” Without thinking much, most probably what you’ll do is tell them, along with your personal details, etc. So, next month when the bill comes, you know someone has used your credit card illegally.

Basically, that’s social engineering: gathering information by talking to people. This is easier than hacking, and probably more effective, because in a computer system the system admin can patch the vulnerable products, but there is no patch for human stupidity.

Just wanted to tell you, “Beware of Social Engineers”.

FreeCell - Allow any move

Sunday, February 12th, 2006

“That move is not allowed” - most probably you have got this message several times when playing FreeCell. This message is a bit of a headache, and I wanted to get rid of it. With the great help of W32Dasm, it was pretty easy.

The first step was disassembling the game. Then I searched through the code for “That move….”. It appeared only once, which made the job much easier. Backtrack, backtrack, backtrack; it was really easy. Then I was able to find a jump, “jbe 01003C2B”, at offset 2F7C. Changing those bytes into ‘nop’s will allow you to make any move except moves onto the top bars. So I was going around here and there in the code and managed to change the top bars too. Since it is 3:23 AM, I’m not going to explain how to do it. If you want to change the top bars, you can apply the same theory; it is also a matter of changing a few jumps. Hint: try the debugging feature of W32Dasm.

Arp Poisoning

Wednesday, February 8th, 2006

When you guys want to do packet sniffing, what do you do? Just run a packet sniffer? That’ll work if your network is connected using a hub, but not in a switched environment. So, the solution is ARP poisoning.

ARP poisoning is one great method of hacking. The basic idea behind ARP poisoning is changing the packet destination by fooling the computer. In a local area network the computers are uniquely identified by MAC address and IP address. The top-level software communicates using IP addresses. So, when a program wants to connect to another machine, it creates a data packet and puts in the destination IP address. Then the kernel takes the packet. The kernel has a table called the ARP table, which maps IP addresses to MAC addresses. So, the kernel looks at the ARP table and takes the relevant MAC address. If the MAC address is not in the table, it sends an ARP request saying “Hey, xxx.xxx.xxx.xxx, send me your MAC address”. The other computer sends an ARP reply, and at that point the first computer updates its ARP table. Then the kernel puts that MAC into the packet and gives it to the network card. The network card only looks at the MAC address. So, the packet’s final destination is the computer pointed to by the MAC address, no matter what the IP address is.

Now think like this. Let’s say there are three computers: A, B and C. You are on computer A and your MAC address is 00:00:00:FF:FF:FF, and we want to track messages between computers B and C. What we have to do is create two fake ARP replies, one saying “I’m computer B, my MAC address is 00:00:00:FF:FF:FF” and the other saying “I’m computer C, my MAC address is 00:00:00:FF:FF:FF”. So, you keep broadcasting both messages, the first one to computer C and the other to computer B. Then you have to set up an IP forwarding program and configure it to redirect the packets to their original destination. Now all packets go through your computer. It’s time to sniff.

You can also do some other interesting stuff. If you want to ban someone from the network, what you have to do is send an ARP reply to the gateway saying “Hey, I’m computer X, my MAC address is 00:00:00:00:00:00”. Since there is no MAC address like that, messages from the gateway won’t reach that computer. Ya, finally, you banned them.
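Both tricks above leave a signature that a passive listener on the LAN can spot: one MAC answering for several IPs, an IP whose MAC suddenly changes, and an IP mapped to the all-zero MAC. The detector below is an added example, not part of the original post; the ARP replies it consumes are constructed to match the A/B/C scenario, and the function and alert names are assumptions of this example.

```python
"""Passive ARP-reply monitor for the poisoning patterns described above.

Example code, not from the original post. SAMPLE_REPLIES is constructed
to replay the A/B/C scenario; a real monitor would feed it from a capture.
"""
from collections import defaultdict

NULL_MAC = "00:00:00:00:00:00"

# Constructed ARP replies as (sender_ip, sender_mac), in the order a
# listener on the segment might see them. Not real captures.
SAMPLE_REPLIES = [
    ("192.168.1.10", "00:11:22:33:44:10"),   # computer B, genuine reply
    ("192.168.1.20", "00:11:22:33:44:20"),   # computer C, genuine reply
    ("192.168.1.10", "00:00:00:FF:FF:FF"),   # "I'm B" but carrying A's MAC
    ("192.168.1.20", "00:00:00:FF:FF:FF"),   # "I'm C" but carrying A's MAC
    ("192.168.1.30", NULL_MAC),              # computer X mapped to no card
]


def analyse_arp_replies(replies):
    """Walk replies in order and return a list of (kind, detail) alerts.

    kinds:
      'ip_remapped'  - an IP's MAC changed from one value to another
      'mac_multi_ip' - one MAC now claims more than one IP
      'null_mac'     - an IP was mapped to 00:00:00:00:00:00
    """
    alerts = []
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed

    for ip, mac in replies:
        mac = mac.lower()
        if mac == NULL_MAC:
            alerts.append(("null_mac", ip))

        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip_remapped", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_multi_ip",
                           f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyse_arp_replies(SAMPLE_REPLIES):
        print(f"{kind:13} {detail}")
```

On a real LAN a DHCP lease moving between hosts also raises ip_remapped, so the IP-to-MAC baseline should be learned during a known-good period and the gateway’s mapping pinned; the mac_multi_ip and null_mac alerts are the ones that most directly match the two scenarios in the post.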

Cracking the passwords

Monday, February 6th, 2006

The admin password: the dream of everyone, especially when you are in an environment where you are not the system administrator. Today, what I’m going to show you is how to take Windows Administrator passwords. You might have already thought: if we can find out where Windows stores the password, we can just look at it. But unfortunately, it is not that easy.

Windows stores the passwords in the Windows\System32\Config\SAM file, but Windows prevents you from accessing that file. So, the answer is Linux. Take a Knoppix CD, put it into your CD-ROM drive and restart the machine. Make sure your first boot device is the CD-ROM. Then it’ll boot into Linux. The best option now is a USB pen: just mount it and copy the SAM file onto it. Make sure you also copy the Windows\System32\Config\System file. Then restart again; you need Windows now.

Now you have to take a key called the syskey from the System file. There are some Windows utilities to do that, but I can’t remember the names. Anyway, once you get it, you can use that key to decrypt the SAM file. Now the password!!! NO!! It’s not.

Again you have some hashes. What do we do now? Now comes the time-consuming part. You have to download and run John the Ripper on these hashes. Please note this may take a few hours, depending on the length of the password.

After that ***you*** are the system admin!!!

Freeze the world and sweep the mines.

Sunday, January 22nd, 2006

Minesweeper, a really simple, nice game. Probably the one and only bug-free piece of Microsoft software. I think all of you have played Microsoft Minesweeper at least once. The basic idea is to recognize the mined squares.

When I was playing this game, I wanted to **cheat**. But how? Not by downloading simple cheat codes/trainers and running them. I needed another way, a way I could have fun with. There were two ways. The easier way was changing the “best times” in the registry. It was fairly simple: you just have to change the registry values. The other method was changing the code. But Microsoft is closed source; the game is compiled. How can I change the code? Confused? I’ll show you how.

So, every time you write code in C++/VB/Pascal… and compile it, the compiler converts it into assembler code, then into machine code. Assembler code and machine code are very similar, and converting between those two is a simple process, although it is almost impossible to convert assembler code back into C++ code.

Anyway, there are programs called disassemblers, with which you can disassemble any compiled exe file into assembler code. For a first-time user, the assembler code might look like Greek, but once you get into it, assembler language is not very hard. Then you need to understand the code and change the appropriate hex values. You need a bit of experience for this.

So, after disassembling the code, I was going through it. My first idea was to track the timer and then find where they increase the time. There is a timer API, and it posts a WM_TIMER message. So, I played around with WM_TIMER, but it was rather hard.

After spending about half an hour on that, I found another approach. Every second, a tick sound is played. So, I went through the list of imported functions and found that the PlaySound API is imported. It was used in three different places: bomb, winner and tick sounds. After spending another few minutes, I found which one belongs to the tick sound. As a programmer, I can say that most probably the sound is played after the time variable is increased. So, I backtracked. Then it was fairly easy to find the place.

There was an instruction at 1002FF5: inc dword ptr [100579C]. That was the place. Once I managed to change all of those instruction bytes to 90 (nop), the timer stopped.
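Both the FreeCell and the Minesweeper posts end the same way: a known instruction at a known location is overwritten with 90 (nop) bytes. The helper below is an added example, not code from either post, that does that step on a file image while checking it is patching the bytes it expects. The byte buffer, the file offset and the 6-byte encoding of inc dword ptr [100579C] (FF 05 followed by the little-endian address) are constructed for the demo.

```python
"""Overwrite a known instruction at a known file offset with NOPs (0x90).

Example code, not from the original posts. SAMPLE_IMAGE, SAMPLE_OFFSET and
INC_TIMER are constructed so the helper can run without the real binary.
"""

NOP = 0x90


def can_patch(data, offset, expected):
    """True only when `expected` is exactly what sits at `offset`."""
    return data[offset:offset + len(expected)] == expected


def nop_out(data, offset, expected):
    """Return a copy of `data` with `expected` at `offset` replaced by NOPs.

    Refuses to patch unless the bytes match, so a wrong offset or an
    already-patched file is reported instead of silently corrupting code.
    """
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(
            f"bytes at 0x{offset:x} are {found.hex()}, expected {expected.hex()}"
        )
    patched = bytearray(data)
    patched[offset:offset + len(expected)] = bytes([NOP]) * len(expected)
    return bytes(patched)


# Constructed stand-in for the executable: three filler bytes, then the
# 6-byte `inc dword ptr [0x0100579C]` (FF 05 + address 9C 57 00 01 in
# little-endian order), then two more filler bytes.
INC_TIMER = bytes.fromhex("ff059c570001")
SAMPLE_IMAGE = b"\x55\x8b\xec" + INC_TIMER + b"\x5d\xc3"
SAMPLE_OFFSET = 3  # constructed; the post's 1002FF5 is a virtual address


def patched_sample():
    """Apply the patch to the constructed image and return the new bytes."""
    return nop_out(SAMPLE_IMAGE, SAMPLE_OFFSET, INC_TIMER)


if __name__ == "__main__":
    print("before:", SAMPLE_IMAGE.hex(" "))
    print("after: ", patched_sample().hex(" "))
```

The address the disassembler shows (1002FF5 in the post) is a virtual address, not a file offset; to patch the file on disk it has to be translated through the section table first, which is exactly the situation the expected-bytes check guards against.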