How to Hijack Your Friend’s Browser With This Simple Chrome Extension

Are you tired of sending useful and funny links to your friends and you’re looking for some wicked prank? Well, the crazy Shove Chrome extension is here at your service.
Shove is a Google Chrome extension that allows you to forcibly open the browser tabs on your friend’s computer. This extension surely aims to make the internet a more horrifying, yet crazier place.
But you don’t need to freak out, as this is strictly opt-in. This means you and your friend both have to agree to install the Chrome browser extension to spit fury on each other’s computers. But, installing it on your friend’s PC in his/her absence is always an option.
Once the users agree to use the Shove extension, they can open links in each other’s Google Chrome browsers anytime and bombard each other with cat videos on YouTube.
Actually this browser extension is made to share links quickly and start a conversation in the form of videos, songs and GIFs instead of words.
So, install this extension on your friend’s and your PC and start a new kind of link war in each other’s browsers.
Install it from here and don’t blame us when your best friend is eager to kill you.
Did you like the Shove extension for Chrome? Tell us in the comments below.

5 Free PDF Password Remover Software to Crack Any Protected File

Password-protected PDF files add an extra layer of security to your documents. But what if you forget the PDF password and urgently need to access the content? Well, you are at the right place: in this article, I’m going to tell you about the 5 best PDF password remover software to crack any protected file.
For those who don’t know, a PDF password remover tool is a computer program that is used to remove or bypass the security layers that don’t allow you to open the password protected PDF files.
On the internet, you’ll come across various programs with names PDF password crackers, password recovery tools/software or password reset tools. Don’t worry, all these have different names, but they perform a similar function.
If you search online, you’ll come across plenty of PDF password remover software, but most of them cost you some chunk of money. Here, I’m going to tell you the 5 best and free PDF password remover software that you can use to recover your forgotten password.
Disclaimer: Use these tools to remove the passwords from the files you own and you’ve forgotten their password. Don’t use them for illegal purposes.
I’ll be telling you the benefits and limitations of each tool and which methods these tools employ to break the security of PDF files:

1. PDFCrack

PDFCrack is my favorite PDF password remover software. It’s a password recovery tool that recovers the forgotten password and helps you to access the hidden content.
It recovers both the user and owner passwords from the password protected files. For those who don’t know, user passwords just restrict the opening of documents and owner passwords put restrictions like printing, changing, copying, comments etc.
This PDF password remover software works fine with PDF files up to version 1.6 protected with 128-bit RC4 encryption. PDFCrack uses a brute-force attack to recover the password.
Our rating: 4.5/5
Download here: PDFCrack

2. PDF Password Remover

PDF Password Remover is a simple tool that removes the PDF owner passwords and works with a simple interface.
The PDF Password Remover software works with PDF files up to version 1.7 level 8 files protected with 128-bit RC4 encryption. This tool is easy to use but it doesn’t work with the PDF files with a user password and higher levels of encryption.
Our rating: 4/5
Download here: PDF Password Remover

3. PDF Unlocker

This PDF password remover software is a basic Windows program designed to unlock a file protected with encryption. This tool is helpful if you just want to break the permission security in the PDF, but it doesn’t remove the user password unless you know it.
PDF Unlocker supports and unlocks PDF files up to version 1.7 level 8 with 128-bit AES encryption.
Actually it’s a PDF password recovery tool as it discovers the actual owner password and you can use a brute-force or a dictionary password attack method.
Our rating: 3.5/5
Download here: PDF Unlocker

4. PDFCrypt

PDFCrypt is the fifth tool on our free PDF password remover software list. It’s a simple command-line PDF password remover tool that performs the task instantly.
It should be noted that it’s a password remover software and it won’t tell you the user or owner password.
Our rating: 3.5/5
Download here: PDFCrypt

5. PDFMate Free PDF Merger

I’ve included this free PDF password remover software as apart from cracking the passwords, it works as a PDF joiner, PDF combiner and an image to PDF converter.
With this free software, you can delete the unwanted pages and rearrange them in the desired order in high speed and accuracy.
The software also works as a PDF encrypter and offers you the option to protect your PDF files and set a password.
Our rating: 3/5
Download here: PDFMate Free PDF Merger
My Recommendation: I recommend using PDFCrack PDF password remover software as it is 100% free and it performs all the desired functions. However, if you don’t want to download the software and do the job online, FreeMyPDF.com is the ultimate website.
Did you find this list helpful? Which tool do you use for PDF password cracking? Tell us in the comments below.

New WordPress Brute Force Attack

Recently, a new brute force attack method for WordPress instances was identified by Sucuri. This latest technique allows attackers to try a large number of WordPress username and password login combinations in a single HTTP request.
The vulnerability can easily be abused by a simple script to try a significant number of username and password combinations with a relatively small number of HTTP requests. The following diagram shows a 4-fold increase in login attempts to HTTP requests, but this can trivially be expanded to a thousand logins.
[Figure: WordPress XML-RPC Brute Force Amplification Attack]
This form of brute force attack is harder to detect, since you won’t necessarily see a flood of requests. Fortunately, all CloudFlare paid customers have the option to enable a Web Application Firewall ruleset to stop this new attack method.

What is XML-RPC?

To understand the vulnerability, it’s important to understand the basics of the XML remote procedure call protocol (XML-RPC).
XML-RPC uses XML encoding over HTTP to provide a remote procedure call protocol. It’s commonly used to execute various functions in a WordPress instance for APIs and other automated tasks. Requests that modify, manipulate, or view data using XML-RPC require user credentials with sufficient permissions.
Here is an example that requests a list of the user’s blogs:
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
 <param>
  <value>
   <string>admin</string>
  </value>
 </param>
 <param>
  <value>
   <string>password123</string>
  </value>
 </param>
</params>
</methodCall>
The server responds with an XML message containing the requested information. The isAdmin name-value pair tells us our credentials were correct:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
    <param>
      <value>
      <array><data>
      <value><struct>
      <member>
        <name>isAdmin</name>
        <value><boolean>1</boolean></value>
      </member>
      <member>
        <name>url</name>
        <value><string>http://example.com/</string></value>
      </member>
      <member>
        <name>blogid</name>
        <value><string>1</string></value>
      </member>
      <member>
        <name>blogName</name>
        <value><string>testing</string></value>
      </member>
      <member>
        <name>xmlrpc</name>
        <value><string>http://example.com/xmlrpc.php</string></value>
      </member>
      </struct></value>
      </data></array>
      </value>
    </param>
</params>
</methodResponse>
As shown in this request, you must provide proper authentication to get a successful response. You can, in theory, create a script that tries different combinations of the username and password, but that is a noisy option that isn’t very effective and is easily detected (the server logs would show a flood of failed login attempts).
This is where the system.multicall functionality comes into play. You can run multiple methods with a single HTTP request. This is useful for mass editing blogs or deleting large numbers of comments, etc. Any method that requires authentication can be abused to brute force credentials. Here is what a sample XML system.multicall payload would look like:
<?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
  <param><value><array><data>
  <value><struct>
  <member>
    <name>methodName</name>
    <value><string>wp.getUsersBlogs</string></value>
  </member>
  <member>
    <name>params</name><value><array><data>
    <value><array><data>
    <value><string>admin</string></value>
    <value><string>password</string></value>
    </data></array></value>
    </data></array></value>
  </member>
  </struct></value>
  <value><struct>
  <member>
    <name>methodName</name>
    <value><string>wp.getUsersBlogs</string></value>
  </member>
  <member>
    <name>params</name>
    <value><array><data>
    <value><array><data>
      <value><string>admin</string></value>
      <value><string>password</string></value>
      </data></array></value>
    </data></array></value>
  </member>
  </struct></value>
  </data></array></value>
  </param>
</params>
</methodCall>
As you can see, this can lead to very obvious abuse.

Exploitation

During testing, I was able to call the method wp.getUsersBlogs 1,000 times in a single HTTP request (limited only by PHP memory issues). If a user creates a simple shell loop that executes one thousand times and runs a PHP script that crafts an HTTP request with one thousand method calls all requiring authentication, then that user would be able to try one million unique logins in a very short period of time.
This makes brute forcing the login very fast and can run down a pretty large wordlist in a short period of time. Also note that the wp.getUsersBlogs method isn’t the only RPC call requiring authentication. It’s possible to use any RPC method which requires authentication to attempt logins and brute force the WordPress credentials.
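Because one HTTP request can carry many login attempts, counting requests in the access log undercounts this attack. The following is an added detection example (not from the original article and not CloudFlare's WAF rule) that parses an xmlrpc.php POST body and counts the calls nested inside system.multicall. The threshold MAX_NESTED_CALLS, the function names and the sample body are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed threshold for this example; tune to what legitimate clients send.
MAX_NESTED_CALLS = 5
STRUCTS = "params/param/value/array/data/value/struct"


def nested_calls(body):
    """Return the method names one XML-RPC request body would invoke."""
    # XML-RPC needs no DTD; refusing them protects the parser itself from
    # entity-expansion payloads.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        return [method]
    names = []
    for struct in root.findall(STRUCTS):  # one struct per nested call
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                value = member.find("value")
                if value is None:
                    continue
                # An untyped <value> is a string in XML-RPC.
                name = value.findtext("string") or value.text or ""
                names.append(name.strip())
    return names


def assess(body):
    """Summarise one xmlrpc.php POST body (a str) for logging or blocking.

    Every nested call counts, whatever its method name, because any
    authenticated method can be used to test credentials.
    """
    names = nested_calls(body)
    return {
        "calls": len(names),
        "methods": sorted(set(names)),
        "block": len(names) > MAX_NESTED_CALLS,
    }


# Constructed sample input (not captured traffic): one nested call with
# placeholder credentials, repeated n times inside system.multicall.
_CALL = (
    "<value><struct><member><name>methodName</name>"
    "<value><string>wp.getUsersBlogs</string></value></member>"
    "<member><name>params</name><value><array><data><value><array><data>"
    "<value><string>user</string></value>"
    "<value><string>placeholder</string></value>"
    "</data></array></value></data></array></value></member>"
    "</struct></value>"
)


def sample_multicall(n):
    return ('<?xml version="1.0"?><methodCall>'
            "<methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + _CALL * n +
            "</data></array></value></param></params></methodCall>")
```

A count above the threshold in a single POST to xmlrpc.php is worth logging even when the request rate itself looks normal.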

CloudFlare Customers Are Protected

When using CloudFlare with a Pro level plan or higher, you have the ability to turn on the Web Application Firewall (WAF) and take advantage of the new WordPress ruleset I created to mitigate this attack—all without any major interaction or supervision on your end.
Our WAF works by checking HTTP requests for patterns that line up with known attacks and malicious activities. If a request does appear to be malicious, we drop it at the edge so it never even reaches the customer’s origin server.
To enable the rule, navigate to your CloudFlare Firewall dashboard, and reference the rule named “Blocks amplified brute force attempts to xmlrpc.php” with the rule ID WP0018.
[Figure: Enabling WordPress XML-RPC WAF Rule]
That’s all there is to it. Now you are protected from the new WordPress XML-RPC brute force amplification attack.

The Manual Solution

Another way to mitigate this attack is by disabling the ability to call the system.multicall method in your WordPress installation by editing your functions.php file. Adding the function mmx_remove_xmlrpc_methods() will alleviate the problem, like so:
function mmx_remove_xmlrpc_methods( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'mmx_remove_xmlrpc_methods');

Final Thoughts

XML-RPC can be a useful tool for making changes to WordPress and other web applications; however, improper implementation of certain features can result in unintended consequences. Default-on methods like system.multicall and pingback.ping (we have a WAF rule for that one, too) are just a few examples of possible exploits.
Properly configuring the CloudFlare Web Application Firewall for your Internet facing properties will protect you from such attacks with no changes to your server configuration.

How To: Crack A Password-Protected Website




In this tutorial, I am going to teach you how to crack a password-protected website. To perform the attack, we are going to use the Hydra password cracking utility, which will allow us to brute force both the username and the password.

This tutorial is for BackTrack 5 and Kali Linux users.

Note: It is illegal to perform this attack on any website that you do not own. The information presented in this tutorial is for educational purposes only.

If Hydra is showing the wrong password, try updating Hydra using the following instructions.

HOW TO UPDATE HYDRA

The instructions below will guide you through the steps necessary to update Hydra from its current version to version 7.5 (or whatever the latest version is).

Step 1: Open a web browser

Step 2: Navigate to "http://www.thc.org/thc-hydra"

Step 3: Click the "hydra-7.5.tar.gz" download link

Note: The download link is at the bottom of the page. There may be a newer version available. If so, use the newest version instead of Hydra 7.5.

Step 4: Save the hydra-7.5.tar.gz file in your Downloads folder

Step 5: Open a terminal

Step 6: Type "cd Downloads"

Step 7: Type "tar zxvf /root/Downloads/hydra-7.5.tar.gz"

Step 8: Type "cd hydra-7.5"

Step 9: Type "./configure"

Step 10: Type "make"

Step 11: Type "make install"

That's it. The update should be finished. Now, start Hydra so you can confirm that the update was successful.

Kali Linux – Brute Force Gmail Password 100% Working






NOTE: The following materials are for EDUCATIONAL PURPOSES ONLY! HaCoder won’t take responsibility for your actions!

How To Access Blocked Websites? 6 Easy Ways



Restrictions and bans over websites are always annoying, and governments are now censoring content more than ever. Check out the 6 easy ways to bypass the censorship to access blocked websites.

Given the current stature of the constitutional “Rights” and “Freedoms” conferred upon the public in most democracies, censorship and bans on trivial matters often come as a surprise. And in the era of the Internet, harassing the general public is even easier, be it the controversial net neutrality debate or restricted access to specific websites.

If you also feel stifled by the blocked websites then here are some ways to access blocked websites:

1. Become Anonymous: Use Proxy Websites

A proxy website acts as an intermediary between the user and the server. The proxy website hides the blocked site from the ISPs and allows you to access blocked websites. To get a proxy website for any blocked site, just perform a Google search.
E.g., search for “Facebook Proxy Server” in case Facebook is blocked in your institution, or you can go to
http://www.spysurfing.com/
http://proxify.us/p/ and more…

2. Use VPN

A VPN, or Virtual Private Network, allows you to connect your device over a secure connection to another network across the internet. A VPN enables you to access blocked websites from your home network and puts your IP address in a land far away. You can also download the apps or open the sites blocked in your country.

3. Use IP Rather Than URL

Blocked websites are sometimes stored as a list of URLs, so using the IP address of the website might work in a few cases. To get the IP address for any website, run a ping domain.com command in Command Prompt.
Using IP is a simple way to access blocked websites in your region. However, if the website had hidden its IP too, then it won’t open with this method.

4. Change Network Proxy In Browsers

Your college or institute might have more than one proxy for its network. So it can happen that some websites are restricted on one proxy but accessible through another. You can therefore try proxy surfing to access blocked websites in your college.
Change the advanced settings of your Firefox browser and select the Manual Proxy. Put the bypass proxy under HTTP proxy.

5. Use Google Translate

Institutes or even countries sometimes don’t ban Google Translate. So, you can bypass the restriction by converting the blocked website into some other language that you may know. Try Google Translate and see for yourself. It is yet another simple way to access blocked websites.

6. Bypass via Extensions

If the websites that are blocked by your institute or office are dynamic in nature, such as Facebook or YouTube, then you should give these extensions a try. Hola and ProxMate are some extensions that you can use to access blocked websites.

These are some of the most effective and easy to use methods to circumvent the censorship that has been put on your favorite websites. Let us know which one do you prefer to access blocked websites in your region.

Hack LinkedIn to See Who Visited Your Website

Be honest, the page you visit most on LinkedIn is the ‘Who’s viewed your profile’ page. It’s ok, it’s the page we all visit most. And I would not be surprised if it’s one of the biggest drivers of upgrades for LinkedIn. It was on one of these visits where I started wishing I could get the same information for our website at work. Google Analytics is great but the data is all anonymous. Well I figured out you can.

The hack

The solution is actually amazingly simple and low tech. I took my ‘Who’s viewed your profile’ page and embedded it on my webpage using a 1×1 pixel iframe. So at the bottom of every page on the website is a little window that also loads my LinkedIn profile page. If a visitor views a page on my website, LinkedIn also thinks they viewed my profile. If they have logged in to LinkedIn recently, they will be recorded on the ‘Who’s viewed your profile’ page. The code looks like this:
<iframe src="LINK TO YOUR LINKEDIN PROFILE" height="1" width="1" frameBorder="0"></iframe>
That’s the hack at its most basic. Now it’s not perfect. LinkedIn is obviously doing some filtering of this so you get a load more users set as anonymous and profiles where you just get Job title or Company. But even this data is very valuable.
Tips:
  • To make sure the data is clean, and does not include people who are visiting my profile from other sources I created a fake Linkedin profile and made sure to add no profile information so it would not show up in linkedin searches. I am sure this is against the Linkedin terms of service so be careful.
  • Then to view more than 3 profiles I upgraded the account to a jobseekers plan which is the cheapest one available.
  • Make sure to put the iframe at the bottom of your page html so it loads last. You want visitors to see the information they came for and do not want this slowing down the page.

Export the data

Google Chrome has a great scraper extension. Visit ‘Who’s viewed your profile’, select the information you want to export on one profile.
Right click and select ‘Scrape similar…’
You can then export all the profiles to a spreadsheet.

How sales follow up with this data:

When sales see a suitable company in the list, they search for the most suitable manager over that department. They then reach out with a message along these lines (taken from Hubspot guide):
Hi [NAME],
Some of [your COMPANY NAME] colleagues have been looking at our performance management resources and I wanted to reach out to you.
We work with many companies like yours and would like to offer you a call with our performance management consultant. We can talk through the most effective ways to boost the performance of your team.
Work Compass has a software platform that helps companies do three things –
1. Help managers become GREAT managers.
2. Ensure staff get the right things done well and on time.
3. Give fair and structured feedback to staff to ensure they are more engaged and effective.
If you’d like, I’m happy to set up a time to provide you with some advice.
I look forward to hearing from you.
Kind regards,
Colm

How marketing uses this data:

I get to see the type of people my marketing is attracting. Companies and Job titles. Over a few months I built up a great profile of the job titles visiting our website and the company type, size and industry they are coming from. If this is not the target customer we want we need to change our marketing.

Be quick

I suggest trying this soon before LinkedIn puts a stop to it.