Have you ever wondered where Firefox keeps all of the history it has remembered from your previous browsing sessions… not just URL’s but saved password, form data and certain preference values? The answer, quite simply, is inside of SQLite databases in your Firefox profile folder.
Using an open source program, SQLite Database Browser, you can not only see the structure of the individual databases but browse and, if you are so inclined, manipulate all the data in each of the tables. While this article focuses on Windows, the same basic information should apply to Linux and Mac users as well.

Viewing the Firefox Profile Data

Before getting started, make sure Firefox is closed so there are no problems with locks on any of these files.
Open SQLite Database Browser, click the open icon and navigate to your Firefox Profile. In Windows 7, the location is here:

%UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\.default

An interesting database we will take a look at is “formhistory.sqlite”.




The reason this particular database is interesting is because it stores values you enter into form input fields such as your address, email and phone number (if you have Firefox set to keep this information).
As you can see when you open this file and browse the “moz_formhistory” table, there are loads of entries which give you a bit of insight into how this feature works. Essentially the name of the HTML field where you entered the data is stored in the “fieldname” column and the respective value in the “value” column.
Because field names such as “Email” and “Subject” are very common and likely to be across multiple sites, you may see several entries for the same “fieldname” value with different “value” values. This also explains why you can see values you entered on one site when you are filling out a form on a completely different site.


However, this information can be sensitive. For example, if I search for my credit card number (by pattern) I can find the plain text entry in this database.



If you find entries like this you want to get rid of, simply locate the respective “id” value in the Browse Data tab and click the Delete Record button, save your changes and it is gone.
This can be useful for not only clearing sensitive data, but also entries such as old email addresses or phone numbers without having to clear out all of your history.

Other Profile Databases

While there are several more SQLite databases you can take a look at (all having the .sqlite file extension), below are some which may be of interest. You can open these using the SQLite Database Browser exactly as shown above.

• addons.sqlite = Installation information on installed add-ons. This is most likely used for keeping your installed add-ons current.
• content-prefs.sqlite = Stores information specific to web sites and your settings. For example, the last used location on your computer to upload a file.
• downloads.sqlite = Information about items which appear in your download items list.
• extensions.sqlite = Information about installed add-ons. There is nothing too insightful here, but if you are looking for intricate details about an add-on, the information here may be helpful.
• formhistory.sqlite = (covered in detail above) All non-password data which has been saved in Firefox.
• signons.sqlite = Saved login password information. The passwords are encrypted against your master password but you can view the number of times each one has been used.

Take a look and if you find something interesting, please share.

Download SQLite Database Browser

Author Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away.
Thanks to Stupid Geek Tricks

But unfortunately, most of the new flash drives do not come with a write-protect feature as the manufacturers wish to cut down the cost of production. Hence, the only way to write-protect your USB flash drives is to enable this feature on your own computer.

This can be done by adding a small entry to the Windows registry which acts as a switch that can be enabled to make use of the write protection or disabled to allow write access. 

Just follow these steps:

1. Open the Registry Editor (Open the “Run” dialog box, type regedit and hit “Enter”).

2. Navigate to the following Registry key:

3. Create a New Key named as StorageDevicePolicies. To do this right-click on Control, and click on New->Key and name it as StorageDevicePolicies.

4. Now right-click on  StorageDevicePolicies and create a New->DWORD (32-bit) Value and name it as WriteProtect.

 

5. Double-click on WriteProtect and set the Value data to 1.

Now the right-protection for USB drives is enabled on your computer (no restart required) and thus it would not be possible for anyone or any program to add/delete the contents from your USB flash drive. Any attempt to copy or download the files onto the USB drive will result in the following error message being displayed.

To revert and remove the write-protection, all you need to do is just change the Value data for WriteProtect (Step-5) from 1 back to 0. Now write access to all the USB devices is re-enabled.

Sometimes it may seem difficult to remember and follow the above mentioned steps each time you want to enable/disable the write protection. 

Without any programming knowledge do you want create your own working undectable keylogger with the help of this pc tricks. Do you know firfox Mozilla save the user name and password in keylogger without user’s consent. Before starting this PC trick we must know that what is keylogger and how it work?
Whenever you login into any website using mozilla firefox browser it always ask’s you whether you want to Save password or not for that website.

In this PC tricks we will be using a script that will not give the user option to save the password instead it will automatically save the passwords without user’s consent and we will retrieve them later.
After applying this pc trick even your antivirus can not detect these file. The files of keylogger are totally undetectable.

This PC trick is working on almost all websites like facebook, hotmail, reddit and digg.But this pc trick somehow failed on Gmail.
Now I will give you the step by step tutorial on how to use this PC trick work:
1. First of all you have to download a script.Click here.

If you are using this pc trick on Windows then goto
C Drive:/Program Files/Mozilla Firefox/Components
If you are using MAC system then goto
Applications > Right click Firefox > Show Package Contents > Contents/MacOS/Components

1. Now find a file nsLoginManagerPrompter.js and copy it to somewhere safe location because we will be replacing this file in next step.

2. Extract the script folder that you have downloaded in first step and copy and paste the nsLoginManagerPrompter.js from the folder to the folder mentioned in step 2.

3. So now your firefox keylogger is ready.Now Each and every username and password will be automatically saved.

Apply this pc trick and make your own directory for the user name and password.

The word bot is derived from word Robot. Bots are software applications that run automated tasks over internet. Internet bots allow the host to perform click fraud, which occurs on advertising codes on websites to fraud advertisers for money. Rather than just a code a bot might be a compromised system. A compromised system in terms of hacking is known as Zombie system, in other words a zombie is nothing but a bot.

Following is video demonstration to above procedures and methods described to create RAT using Cerberus Client.

This is the second post on reverse engineering series ,In the previous post Reverse Engineering Tutorial For Newbies I showed you step by step how to crack an application so as if you enter the wrong password that program will think that it's the right password, However this is a bit advanced tutorial and in this tutorial I will tell you how you can fully register a program or software completly.The software I will use in this tutorial is Pixtopian Book

Disclaimer - By reading or following this tutorial you agree that this tutorial is for educational purposes only.

Requirements

1.Pixtopian Book
2.OllyDBG

Method

1.First of all download Pixtopian book and install in to your computer and open the Pixtopian book.

2.Now first of all we will look at the limitations of unregistered version of Pixtopian book:

a).You cannot add more than three groups and if you try to add more groups it will give the following error:

"You,ve reached the limit of three groups. Please Register Pixtopian book today!"



b)You can only add 4 Contacts/Name, If you try to add 5th name it will give the following error:

 You,ve reached the limit of 4 enteries per group/ Please register PixtopianBook today!

3.Now open Pixtopian book in OllyDBG

4.Now Right click there goto search for and click on All refrence Text strings


5.Right click there and click on Search For and search for "You,ve reached the limit of three groups" once you have found it double click it


6.Scroll above and you will see the following line:

"CMP EAX.3"

This line compares how many groups you put in with 3 if the group exceeds 3 then it gives the error message which is "You,ve reached the limit of three groups" but if you don't have three groups this condition will jump to the line JL SHORT 00408B34 and this will make it jump to 00408B34


So inorder to make this esc both errors we will Change JL SHORT 00408B34 to JMP SHORT 00408B34 so this will always esc the errors and this will make not a conditional jump any more

7.Now change the value of  JL SHORT 00408B34 to JMP SHORT 00408B34 and click assemble and click the blue button at the top.

8.After you click play you will end up in the following line 760642EP , The program will still not run because it has a very little range.

9.Now to increase range we will go to Options - Debugging options - Exceptions and there click on "add range of exceptions" and enter the range to "000000" and in the form "Last exceptions in range" we will enter "CCCCCCCC" Click Ok and tick also "Ignore also the following custom exceptions and ranges"


10.Now restart the program and follow again follow the steps 1-5 and again change JL SHORT 00408B34 to JMP SHORT 00408B34 start the Program and it will work and it will work for you and you can add more then 4 Groups and for adding more names repeat the above steps again.

Hint:Search For the error "You,ve reached the limit of 4 enteries per group/ Please register PixtopianBook today!"

And you are done. 

In simple words reverse engineering is the act to modify the code of of the application to make it work our way, Reverse engineering a very complicated topic and is very difficult to understand for newbie's as it requires a prior knowledge of assembly language, However in this article I will show you step by step how you can crack an application with reverse engineering.

Requirements

You will require the following things:
1.OllyDBG
2.Crack Me App

Method
1.Once you have downloaded both OllyDBG and Crack Me App start the crack me app

2.Enter any password click ok

3.You will the following error

You are not authorized to use the application


4.Now open OllyDBG and open the Crack me app in it.


5.Now once you have opened the crack me app in OllyDBG, Right click there and goto search and then click on "All Reference Text Strings"

6.Now Right click there and click on "Search For text"

7.Search For the error which you got when you tried to log into the application ("You are not authorized to use the application")

8.Once you have found the error click on it and you will be bought to the following screen:

9.Now as you scroll upwards you will find the following line:

JE SHORT Password.00457728

This is a conditional jump which means that if the condition is right then it will jump to 00457728 Which leaves us to the message "You are not authorized to use the application" and if the condition is not satisfied it just continues reading the code, So we don't want this jump to work as we don't want to get the error message

Now there are two ways to remove this message:

• We can either fill it with NOP's and make this conditional jump not work

• 2.Or we can change JE SHORT Password.00457728 to JNE SHORT Password.00457728, JNE(Jump If Not Equal) means that if the password is correct it will give you the bad message and if the password is incorrect it will give you the correct message

You can use any methods it's your choice, Now in this tutorial I will use the second method to use the method follow the steps given below:

1.Double click the line JE SHORT Password.00457728 and simple change it to JNE SHORT Password.00457728 and click assemble


2.Next Press the blue play button at the top which will start the application

3.Now just enter the password and it will give you the correct message.

 I hope this tutorial will be helpful to clear the basics of reverse engineering and application cracking, However in the upcoming tutorials I will go in a bit advanced.

Introduction

This paper will lay out for you the basics of an ARP Poison Routing (APR) attack and Man in the Middle (Mitm) attacks. These are very simple attacks, but can be very powerful on unsecured networks. These attacks are so easy I could provide you a walkthrough of how to do this in Cain in about one paragraph, but you wouldn’t learn anything and would become a skiddy.

Before reading this, I suggest you learn a little about networks and the OSI 7-layer model (http://www.webopedia.com/quick_ref/OSI_Layers.asp) and media access control (MAC) addresses, as these attacks take advantage of protocols that work on OSI layers other than what you are usually used to (ie, HTTP on layer 7 and TCP on layer 4, whereas ARP works on layer 2) and do not use only IP addresses for identifying computers.

Address Resolution Protocol:
The Address Resolution Protocol (ARP) is a layer 2 protocol that maps IP addresses to hardware MAC addresses. When a computer wants to find another computer on its network, it uses the ARP to identify where that computer is and how to reach it. There are 9 types of ARP packets, but only 4 are relevant here:

1. ARP – What MAC has this IP address?
2. ARP Response – This MAC has this IP address.
3. RARP – What IP has this MAC address?
4. RARP Response – This IP has this MAC address.

If you are trying to contact a computer on another network (ie, over the internet) then ARP is used to contact your border gateway and route packets to it. The gateway is then responsible for routing the packets to the desire network using IP addresses and various routing protocols instead of ARP. Once the packet has arrived at the correct network, the router that received it will then use ARP again to route the packet around the network to its final destination.

The address resolution protocol works on a stateless broadcast request/single reply communication model. This means when one computer wants to know the address of another; it will broadcast a request for the address across the whole network in the form of What computer is 123.123.123.123? Tell 00:FF:AC:C5:56:3B. The computer that has the IP address of 123.123.123.123 would then send a directed reply, NOT broadcast, saying 90:F5:63:CA:BB:32 has 123.123.123.123. The MAC address in the reply is then added to the local computer’s cache, or if a mapping already exists for either the IP or MAC being used, the cache is updated to reflect this new info. The MAC/IP mapping is then used to route traffic around the network.

ARP Poison Routing (APR)
Now that you know the basics of how ARP works, let’s explore some pitfalls in the protocol. As I’ve said before, ARP is a stateless protocol. This means that each computer does not remember the state of its ARP requests/replies, and thus, does not remember if it sent a request or if it is waiting for a reply or has already received a reply to a previous request. So if we send an ARP reply, the host will accept it and alter its cache accordingly, even if the host didn’t send out a request! So if we send a reply to a target computer saying that our MAC address corresponds to the local gateway’s IP, then any traffic coming out of the target computer bound for the internet will be instead routed to your computer. You can use this to execute a DoS attack and prevent any packets from the target computer reaching the internet or you can sniff the packets for passwords and then pass them on to the real gateway.

The second method is a very effective way of getting sensitive information and is fairly undetectable unless the target is monitoring their ARP cache constantly. APR can be setup with either 1-way or 2-way poisoning. 1-way poisoning will only poison the cache of a single target and will only intercept traffic coming from that computer, as shown below:

Figure 1: 1-way APR

2-way poisoning effectively puts your computer directly between 2 target computers so that you can intercept network traffic coming from either host, as shown below:

Figure 2: 2-way APR
Some interesting attacks that can be used with APR include DoS attacks, Network sniffing/Packet stealing, and phishing.

DoS attacks can be accomplished using a 1-way poison and by redirecting traffic from a target computer to a gateway that doesn’t exist so they get ICMP Host Unreachable errors for all their network traffic, or you can redirect it to your computer and simply refuse to forward it to the proper destination. Network sniffing and packet stealing as well as Man in the Middle (Mitm) attacks require a 2-way poisoning scheme. Network sniffing and packet stealing would allow you to steal passwords and hashes that are passed over the network. With the proper filters, you can easily pick out plaintext passwords such as FTP, SMTP, HTTP form data, and hashes such as AIM and Yahoo messenger and SQL. You can even listen in on NetBios sessions and Telnet connections. With some simple phishing filters on your APR tool, you can redirect people from one website to one you control that looks the same where the victim will type in their login info unsuspectingly. This is often useful for grabbing plaintext passwords rather than having to brute force password hashes
One of the greatest hazards to be aware of when using APR is unintentional DoSing of the target or the entire network; because your computer is most likely NOT a dedicated router, and because the packets must travel all the way up the OSI model, be analyzed by your sniffer, then repackaged and sent all the way down the OSI model again, your computer can not handle packet routing as efficiently as a dedicated hardware router.

This costs a great amount of time and CPU cycles and slows down the flow of traffic that may end up backing up and DoSing the target, the network, your computer, or any combination of the three. This is a serious issue and should not be taken lightly. If you APR a router on a large network, you may have hundreds of thousands of packets going thru your computer each second. Another hazard that is of interest to hackers is the fact that proxies cannot effectively be used, because ARP and APR works on layer 2 and proxies work on either layer 5 or 7 (depending on the amount of anonymity used) and usually require traveling outside the network to a proxy server. This may seem like a huge safety issue for a hacker, but there is hope! While IP addresses are difficult to spoof over the internet while keeping traffic flowing to and from your computer, both the IP address and MAC address can be effectively altered on a LAN. Many tools exist for changing your MAC and IP during APR attacks. Cain provides an option to do this under the “Configure” menu item.

Man In The Middle (Mitm) Attacks
Mitm attacks include a range of possible attacks, from DoSing, to sniffing, phishing, and rerouting for SE purposes. Mitm is started with a 2-way APR attack that in effect inserts your computer between 2 targets (often a host and a gateway). You can then begin the real meat of the mitm by using customized programs and packet filters to gain the effect you need.

For a simple sniffing attack, a network sniffer such as Ethereal with an IP or MAC filter applied to only capture packets to or from the target is sufficient. For more advanced attacks like password grabbing and phishing, you need more advanced filters. In the case of grabbing passwords, you need to have a filter that disassembles the packet to get to the layer 4 data and above, then scan that data for plaintext passwords or hashes such as HTTP POST or GET data, FTP, SMTP, or SQL login info, or you can use a filter to capture an entire NetBios, Telnet, or VoIP session to record conversations and gather potentially sensitive information. Sometimes it is not always desirable to have a password hash, especially when you can get the plaintext password in less time. This is where phishing comes in. Phishing is the art of constructing a website to look exactly like another, then redirecting traffic from the real site to the one you control in the hopes that no one will notice and will happily type in their real login info, assuming that everything is as it should be. Great care should be taken in conducting a phishing style attack, and I will offer some pointers and methods later on.

Because mitm attacks are built on the back of an APR attack, then all the limitations of an APR attack also apply to a mitm attack. But with the increased complexity of a mitm attack, you must also be aware of further limitations. Using complex filters or packet scanners consumes a lot of CPU cycles and can further increase the risk of unintentional DoSing or breaking of the network. Phishing should be used with care as well, because even the smallest difference between your site and the legitimate one will be noticed by daily users and may raise suspicion.

Phishing
Phishing, as already stated, is making a fake site to fool people into giving you their plaintext passwords and login info. There are several methods for creating a phishing site (phishing lure :D). You can attempt to create your copy site from scratch and code it yourself, but chances are people who use the site regularly would know the difference. Another way would be to copy the source code, images (keeping the directory structure in tact), and any stylesheets, javascripts, or embedded objects, then just make a few small changes to the code. Make sure to change all relative directories to absolute URLs when you do this! If you don’t, a form may not direct to the right page or produce a 404 error or an image may not display right and will raise suspicion. This method produces a site that looks and behaves nearly identically to the original, but because it is still being hosted on another server under a different domain name, observant users may spot the anomaly and report it. For low profile targets, this method is fast and effective.

The final method I will discuss is how to do it without making a fake site at all. Because you are executing a mitm attack and have full access to every packet that moves to and from the target, you can create a packet filter that will change the ACTION property of a tag, so that when the victim clicks the login button, the data will be sent to a site of your choice where you can log the information. This method may be slightly easier to execute, but it will increase the risk of unintentional DoSing due to the processing power required for the filter.

No matter what method you choose to use, it is almost always a good idea to take the login info that you received from your fake site and pass it on to the real site to log the user on. This makes your attack more hidden and more difficult to detect. When doing this, make sure to catch errors coming back from the real site in case the user entered an invalid password or username. Then pass this information back to the user. This can be done easily and is no big deal to implement, but failing to do so may raise suspicion and may get you caught.

APR with Cain
Most people think of Cain as a simple password hash cracker, but it is actually much more. It is a very powerful network analyzer and password recovery tool as well as a cracker. It can dump protected storages, sniff network connections, enumerate hosts and users as well as network shares, and can even remotely install the backdoor program Abel. Now, on to the good stuff! I will show you a basic password sniffing mitm attack, but first, I assume you have Cain configured properly for your network card. If not, click the “Configure” menu option and read the help files.


Start up Cain and look at the icons in along the top, just under the menu. The 2 icons we will be concerned with here are the nuclear symbol (the APR icon) and the small circuit board with a red arrow (the sniffer icon). If you are not sure which icons I am talking about, hover your mouse over them and find the icons for “Start/Stop Sniffer” and “Start/Stop APR”. Click the sniffer icon to start the sniffer. Now go to the sniffer tab. The table shown in this tab provides you with information about computers currently on your network and should be blank. If not, clear it by right clicking and selecting “remove all”. The most useful columns right now are the first 4: IP Address, MAC Address, OUI Fingerprint, and Host Name.

These should be pretty self explanatory with the exception of the OUI Fingerprint column. When a MAC address is coded into a piece of network hardware, part of the address is used to define the particular computer (like a serial number) and part is used to define the vendor that makes the hardware. Cain has a database of vendors that it checks the MAC address against to discover who made the hardware of that particular host. This is what is contained in the OUI Fingerprint column.

Once the sniffer is started, we need to populate the sniffer tab with host info. Click the “+” button to gather a list of all computers on the current network. If you have Ethereal, you can start that up with “arp” in the filter and watch Cain send out consecutive ARP requests for every IP in your subdomain and watch all the computers respond, freely giving away information about themselves. Once we have a list of possible targets, we need to setup an APR attack. Click on the “Start/Stop APR” icon to start the APR poisoner, then click the “APR” tab at the bottom of the “Sniffer” tab window. There are 2 tables in this tab: the top one is hosts on the LAN that you can directly affect, the bottom table is for computers on the WAN, which, depending on the border router’s settings, may or may not be vulnerable to APR. This list is populated as hosts are discovered thru analyzing packets.

Select the LAN table, and click the “+” icon again. Now select 2 hosts to insert yourself between. After that’s done, sit back and watch the packets roll in. Check the “Passwords” tab on the bottom for various passwords, or the branches under the “APR” symbol on the main APR tab to get HTTPS certificates and other valuable information. The APR-DNS branch can be used in phishing and in redirecting traffic from a website. Well, that’s it. That’s all there is to spying on people’s network traffic when you have access to a computer on the network, which is quite often if you go war-driving behind main street, picking up all the “insekure” business wi-fis

Conclusions
On large or sensitive networks, APR and Mitm can be a very effective way of getting valuable information thru many means, including packet filters and sniffers, phishing, and traffic rerouting. Some of the overall limitations of ARP poisoning are that it cannot cross routers unless they are set up as a single autonomous unit (AU) and are contained in the same subnet. ARP poisoning can be easily thwarted if static caches are being used. Static caches prevent host caches from being updated remotely via the ARP protocol. Some of the interesting things I have actually been able to get from APR and Mitm include:

- Webmail and SMTP logins
- FTP logins to servers running FTPD as root (w00t!)
- FTP logins to websites (pwnt)
- Admin logins to sites
- Student and teacher account logins to my college (I can change their schedules for next year :D)
- AIM convos/hashes and Telnet/SMB/SSH sessions
- Wardriving behind businesses to take over their networks
- Online banking login info and certificates (free moneys!)

Things I’ve learned from my exploits: SECURE YOUR Network! And DON’T do important things on a public network (library, school). You never know when Big Brother is watching

Links, References, and Tools
- Cain
- Ettercap
- Ethereal
- ARPoison
- Dsniff
- Parasite
- WinARPSpoofer
- http://en.wikipedia.org/wiki/ARP_spoofing
- http://www.grc.com/nat/arp.htm