Learn Penetration Testing by Web For Pentesters E-book


After a short break! I'm back, Well recently i've found two ebooks for Web For Pentesters, Really it's an amazing, useful, elegant e-book who really wants to learn Penetration Testing and Ethical hacking. Beginner must download and read it.


Web for Pentesters

There're two part of Web for Pentesters Part 1 and Part 2. Both e-book are written by (pentesterlab.com). Web for Penetration e-book covers important and very easy tutorial for beginners and hackers. Several hacking methods and exploits are shared including Web vulnerabilities hacking tutorial and security researching.


Should I Download it ? Is it Useful to me ?

Well, if it'd be same as some silly e-books, I'd never posted on my blog. This e-book helped me a lot in learning Penetration Testing and Hacking Web Applications. If you're beginner in hacking and seeking for something that would help you to learn real web hacking and methods, I would highly recommend you to download this 3.5 Mb E-books.



NOWASP Mutillidae 30 Web Application Hacking Videos


Hey, buddy don't mind the picture I was just trying to get your attention. Well you might remember that I'd also posted an article : OWASP Web-Goat Pentest lab solution videos, and believe me buddy it just rocked!. So this time I've zipped around 30 web application hacking videos, - Pentest lab NOWASP Mutillidae. So go ahead and download whole stuff.

Web Application Hacking Video Tutorial List :

I would just say these resources are really useful, in fact I've zipped each tutorial in one zip and can be downloaded easily. Well let's take a review on topics. Size 553 MB

Click on Image to Enlarge it

WOW! You know when i got these stuffs, I didn't went out for two days, I learnt each and every method properly. So just thought to share with you.

Note : All tutorials in videos are shown on NOWASP Mutillidae Penetration Testing lab. So if you want to test those attacks, I'll recommend you to get NOWASP Mutillidae Penetest Lab : Click here to get one.

Want to download ? Go ahead :

It's nothing hard to download just click on below's button and you'll be redirected to Google Drive - Click on Download, and remember it might show you warning (We can't scan files for virus), it's because the file is too large, so that's the reason google drive don't scan huge files. But don't worry! it's virus free and Click on Download. *Enjoy*


Thanks for reading my post, If you've any further doubts. Please comment and let me know. Please do share and increase us.

Hacking Website through Shell - File Upload Vulnerability


Hi, readers after a long time - I'm posting something hacky stuff. Well do you know the most easiest & common way to hack a site is Shell Upload. To be honest i'm not going to teach you to hack any site or server, I'm just sharing what I know besides hacking is really very cool, when you learn new things.

What Do I Need ?
Description & Methodologies
      
File Upload Vulnerability, allows an attacker to upload any scripted (static or dynamic) files on target server. (It's really very dangerous) Assume you create a Site in PHP / MySQL. You also create simple Image Uploading Application so users can upload their own image file, but without any validation yours application blindly trusts on users file and upload it on your server.

So what if an evil minded hacker like you determine it and upload .PHP file instead of Image file ?, Well your application will accept it & store it in server, Now an attacker will locate that file into Browser and it will be executed as .PHP scripted file, through this an attacker can also upload malicious shells and get complete access to Database & Server.

Go on & Learn This Holy Hacky Method!


1. Start DVWA, Put Security to Low Level, & Click on Upload.

2. First we'll exploit easy application, that doesn't validates user's file. Well you can also go through 'View Source', to understand how it really works.



3. So first of all let's exploit LOW LEVEL security. There's an application that allows you to upload image file. Click on Browse choose your any PHP or HTML scripted file (Like deface page or HACKED!) well you can also use any Shells like C99. Remember there's no security on EASY Level, it'll blindly trust on your file and upload it on it's server directory. It will be little hard on Medium Level.
Below i'm using simple 'HACKED' page

I've named it w0rm.php on my desktop and here i upload it on dvwa.



4. Click on upload and it'll show you a successfully uploaded message with file directory! wow that's amazing let's locate that file into browser. Copy that directory location and run it in your browser after dvwa path.



Now check the result, poor DVWA... hahaha no issue!

Click on Image to Enlarge it
5. So we've successfully exploited easy level. Well an attacker can also upload dangerous shells that can completely take over server, data and even rooting an entire server. So let's move on little hard stage. (Change Security level to Medium). Now try to upload the same file in Medium Level and observe what's the result. Well you'll get an error message on top - that your image was not uploaded.. Because it's not an image. Now switch to firefox with Tamper Data Addon to modify headers while transmission.

6. It's time for little trick : Rename your file with w0rm.php.jpg to confuse interpreter.


7. Up till now we didn't trapped any GET or POST request but now we'll do it, now again try to upload it but before clicking on upload start Tamper Data and click on Start Tamper to trap every request.





8. "Start Tamper" and click on Upload. And suddenly you'll get a pop-up - Click on Tamper : (Now we've to modify POST data)

9. Now Look into POST_DATA - Yes! we've to modify that stuff only, Just go in that text-area and search for your file name - at last change it to w0rm.php from w0rm.php.jpg and click on OK- [That's called BYPASSING application validation]

Click on Image to Enlarge it

10. You'll see a successfully uploaded message, again locate it in your browser and watch.. IT'S HACKED! [Cool isn't it ?]

There is also a method to bypass HARD level - Using Multiple Vulnerabilities - You've to upload .ZIP file, and extract it on server using Command Injection. Click here to learn that method tooThanks for reading my post. Feel free to comment and ask your doubts. 

OWASP Web-Goat Pentest Lab Solution Videos (Hack Training)


Whether you believe or not, but that's true - Every beginner install and create Penetration testing lab but don't know how to hack because the fact is he hasn't learnt everything properly. So  today is really something very special for you guys. We've zipped complete WebGoat Pentest lab video tutorials.

{OWASP WebGoat is very powerful and huge Penetration Testing Lab (Vulnerable Web Application) to learn WebApp Hacking. It's really very awesome in it's own structure and features. Click Here to Get One}

Is that true ? How you got ? Where is it ?

Yes! Well, I've got this in OWASP Site. This is really an awesome resource for beginners to learn Hacking + Penetration Testing - With Solutions, and that's fantastic!. You might have read my article on How to Create an Extreme Penetration Testing Lab Using : OWASP WebGoat. (Lot's of readers asked me for solution videos too, so that's the reason I've hunted this.).

We've Hosted it on Google Drive. It's Size is 387 MB (ZIP). It's really very simple to download it. Click Here to Go on Download Page. Learn & Hack.

How to use it ? isn't it little messy ?

Nope! it's very simple to learn through it, just you'll need a Web-Browser to watch all videos (Video Embed into HTML + SWF). After downloading, Extract ZIP calmly, You'll get a folder named "Viewer" - Go in it - And You'll find index.html (Double Click & Start it in your Favorite browser.)

Next you'll come to see one logo "YGN Ethical Hacker Group" - If you want to read description, then please do nor go on scrolling until you get video tutorial index (Listed with tutorial name and vulnerability).

There will be list like this! 

So, assume that you want to learn SQL Injection so click on Injection Flaws, your browser will automatically take you to Injection Flaws Page.


(Remember not to click on DOWNLOAD, because it's already there in your own computer.) Click on View, wait for 3 Second, and your tutorial will be started.

Thank you for reading my article, If you like it please share it and increase us. More gazing hacky stuff will come soon. Till then cheerio.

Why You Should Learn Programming & Networking


Hi readers, today I'm not gonna share any tutorial or Hack but a short guide, which I've experienced in my learning carrier. Well It's been completely one year! to me in this field (Not Pro, neither Expert!) still a learner. But have you ever thought why experienced Hacker/Researcher always recommend us to learn Programming & Networking before engaging in Hacking ? Well that's what we're supposed to discuss in this post.

When | Where | How | - can I learning Hacking ?

I've started this with the term 'Hacking' - If you're reading this then probably you want to become a Hacker. But do you really think it is so easy to become Hacker ?. Well let it be up to you, so what do i need to become Hacker ?

First of all you must have two things in your soul : Passion & Determination. This all isn't just a words but a power to change everything. If you've passion and determination you can do anything. Well in short You've to do little hard work with little sacrifices. Let's reinforce each question with easy answers and have a little chat.

When Can I Learn Hacking ? (Sounds Like : Eligibility to become Hacker)

Well, up till now even you've realized that becoming hacker isn't that much easy! it requires lots of experience and knowledge in Software, Networking, Programming, Web Application etc. Eligibility ? Did I used any wrong word ? Let it be, there's no age limit to learn Hacking. So what is the eligibility ?

You can start learning Hacking - When you've at least 50% to 60% knowledge in Software and Web Application Programming. The second most important thing you should know Networking - At least 60%.


Why everyone recommend to learn Programming first before Hacking ?

It's simple, tell me how Software, Web Apps are made ? - Programming Languages. Almost every technology runs on Programming Language. So if you want to break (Hack) software, You must know Programming Languages. Because You're going to Hack/Crack it - Simply if you don't know Programming - So how'll you understand how it is made ? How it is working ? What's its weakness point. These questions matters! a lot.


What about Networking ? They recommend Networking too!

Almost everywhere is network! - Softwares are moving on Cloud. Cloud based technology is evolving very fast. Every Web Applications runs on Network - TCP/IP and Servers. It's highly recommended you to learn and understand how those Protocols - and technology communicates with each others on Internet. How Computer Network, Servers, Client communicates with each others.


But From Where Can I Learn Programming/Networking & Hacking ?

If you're asking from where ? well even a small kid will laugh on you. Okay! There're so many resources, sites, wiki, blogs, white/black hat videos, tutorials, forums etc to learn almost everything. If you can't understand - ask for help in learning, explaining or Join any Programming/Hacking/Networking coaching. But there's no need to waste money! just with little effort you can learn in free at your home. Even we share plenty of articles, Tutorials. Join Forums, Get connected to Blogs, read Wiki's, Google each and every query you get into your mind. Read White Papers, Learn Programming from millions of sites - Search on Google. For Networking do same.


Okay Now the final & Most Important query -  How can i learn Hacking ?

This question doesn't make sense, How Can I Learn Hacking. If you're good in Programming and Networking - You can start learning Hacking. It'll be easy and understandable for you. Programming - Networking - Hacking.


We've discussed and answered some important questions, but what is the main thing in this Process ? - Whether you've Passion and Determination or Not. See even i'm learner, I understand how it feels. But never ever give-up! Be confident, Passionate, Inspired and Determined on your task.


Feel free to comment and ask question. This is openly written by our admin Viv, according to his knowledge & experience. Thank you.

An Inspirational Interview with Arul Kumar : Security Researcher


Hello, everyone I'm really very excited to share this inspirational interview. Today we've Interviewed an Independent Security Researcher Arul Kumar (Bug Bounty Hacker) Who've got awarded by Facebook Security Team two times. Recently he'd discovered very critical vulnerability in Facebook that led him to reward of $12,500 USD by Facebook, also lots of respect from society. He's also one of mine best friend.

The News also staring on Times of India Website and others Newspapers.

Click on Image to Enlarge it, or Click here


I'm proud to be his friend and glad to see his success, so we've arranged one inspirational Interview for our readers. Hope you'll like it, Let's start buddyy!.


1. Please Introduce yourself first.

Hi, I am Arul Kumar, 21 years old, From Salem, Tamil Nadu, India. I am an Electronics & Communication Engineer passionate in Ethical Hacking and Penetration Testing.

2. How and Why did you get into Information Security & Hacking Field ?

As I don't have enough resources, I have learned everything at my College Net Lab since 2009. I have spent lot of times in front of System rather than Electronic Hardware. That took much time for me to learn because my internet usage timing is 2 hours/day during college days, and I got my laptop in January 2013 only.

Then I came to know about Bug Bounty Programs because of an Incident, In July 2012 I have read a news from an online portal "Facebook Rewards Hyderabad Youngsters For Finding Bugs". After that I realised that Facebook rewarded two guys named "Harsha Vardhan Boppana & Rishal Dwivedi" who have been listed as White Hat Hacker in Facebook (Hall Of Fame) for finding bugs. That incident inspired me much and finally after some months Information Security became my passion.


3. When did you started Security Researching & Bug Hunting ?

I've been researching and Hunting Bugs since 2013, After getting my Laptop.

4. From Where did you learnt so many things ? Please leak your learning sources

Google is Powerful search engine and school to learn everything from beginning. For Penetration Testing I would recommend OWASP and Irongeek Guides.


5. What is your first finding ? How did you feel at that time ?

My first finding is Open URL Redirection bugs in Facebook unfortunately I got duplication issue for all of my 4 submissions. I got much frustration but I did not gave up, Within 2 days I got another 3 new Open Redirection which become valid after one month and it encouraged me to find more.

6. What is your favorite Vulnerability found by you ? Describe it!

My favorite one is Photo Deletion Bug in Facebook which I found recently. By using that bug, I was able to delete anybody's photo on Facebook without their Permission/Interaction. This is applicable to all of 1+ billion Facebook Users including Mark Zuckerberg. Facebook team appreciated and rewarded me $12,500 (USD) for this finding.

7. What are your Future Plans ?

I'm still learning so I cannot say anything now about my future plans. I wanna do many things to make my homeland (India) Proud.

8. What is your advice to New Bug Hunters / Beginners in Hacking field ?

Hey, You should ask this question to Experts. Still I am a beginner. Anyways! according to my experience, I would say Just use Google and your brain. You should take Everything as reference which you have learned from Google. Try to learn everything by raising questions yourself like How? Why ? What ? on every methodologies. If you really wanna see real hacking watch out security conference presentation and videos from Defcon, Blackhat and so on.

After Some Years, I hope that Bug Bounty Program will be more Competitive and become Worth. Because we cannot imagine anything without Vulnerability. So Hunt bugs for fun & Knowledge so never aim for money, and also automated tools will never help you to find bugs in big sites which will not improve you in gaining knowledge. If you are really honest with your task you will get success. Never give up if you failed at beginning & be patient. Still many critical bugs in big sites are hidden but not yet discovered.


9. What do you think about Hack w0rm Blog ?

Kudos to your huge efforts. Hackw0rm is really different than other blog and it brings tutorials from basics with well explained manner. I would suggest Hackw0rm blog who want to learn about basics of Pentesting & Hacking, Keep it up your good work.

10. We Appreciate your Advice, Is there anything else you want to mention  ?

I would like to thank each & every soul who inspired and supported me to get into Information Security field. From this Bug Bounty Program, I have got many good friends around the world. Thank you Vivek and Hackw0rm team for giving me the opportunity to share my experience with all of you. Thanks Everyone.

Thank you Arul bro for your precious time, Bucket full of love to you from my side and Best of Luck for your future life. Also Thanks for recommending our blog to Beginners! I appreciate it. You can also follow Arul Kumar on Twitter & Facebook.

Thanks for reading my post, If you've any kind of doubts please leave your comment and let me know. Don't forget to share this amazing inspirational interview.

Download & Learn any Programming, Networking & Technology


           Hello buddies! after a long time i'm writing something on Hackw0rm Blog, This might be the best resource of learning Programming, Networking, and Telecom Technology I'm sharing with you. Well, through this you can learn many interesting computer technologies, programming languages with examples. It's really worthy for you, so let's review and download it.

What is it Exactly ? and What can I learn through this ?

I'm sure you guys have definitely got this question in your head, well it's complete offline site of Tutorials Point and W3schools. Tutorials Point is one of the best site to learn Programming, Networking, Telecom Technology and many more interesting stuffs! but the problem is we require an internet connection to connect to live site, so somehow i obtained it's complete offline site with thousands of Programming and Networking tutorials that is really very worthy for geeks! 100% Pure Technological Useful Resource ever.

And I'm pretty sure you know what is W3schools, well it's an another biggest online programming school but same you'll require an internet connection to read tutorials and learn. But if you don't want to waste your internet and keep complete site every-time in your pocket or home. So i guess there won't be better idea than this.

You can learn following Programming languages through this :

Web Programming : HTML, HTML 5, CSS, JavaScript, AJAX, jQuery, PHP, Advance Scripting, ASP.NET, Apache Server Handling, RSS, Perl, XML, DHTML, XHTML, JSP, SQL, MySQL, Web Technology and Services etc.

Software Programming & Others : C and C++ Programming, Python, Java, Ruby, Ruby on Rails, DLL Programming, Perl, JDBC, LDAP, SQL, Prototype, UNIX, UDDI, SOAP, Socket Programming, UML, WSDL, CGI and Perl, Radius, DB Programming, TK, +XML etc

Networking & Telecom Technology : Complete Computer Networking, TCP/IP, HTTP, Internet Protocol, Telecom Technologies like : Wi-fi, i-mode, GPRS, GSM, WAP, WML, WiMAX, Telecom Billing, etc.

There is many more things that are not mentioned but this will be the best resource to learn so much things. No More Googling and Searching Just download and learn everything from one Kit!

How to Download this Complete Kit and Start Learning :

Well it's really very simple to Download complete it, Just click on below Download button and download it from Google Drive. Note the Size of Complete Kit is 420+ MB but we've highly compressed it in just 122 MB Zip file.



Download and Uncompress file - Again you'll get another two compressed file named with tutorialspoint and w3schools. It is recommended to run w3schools in Apache server to get complete access to offline site and real experience. And Tutorials point doesn't require any server you can just open its folder and double click on index.html and start learning everything. Please make sure you've wamp or XAMPP server to run w3schools offline site because it is programmed in asp so it's compulsory to have web server for it. If you're using wamp server the place entire folder into www folder and if you're using XAMPP server then place entire w3schools folder in htdocs folder.

Thank you for reading my post, If you've any kind of problem related to this content please comment and let us know. If you liked our blog and post please share it and increase us :