Thursday, November 28, 2013

Vulnerable Web Application for Learning Penetration Testing

A penetration test, occasionally called a pentest, is a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats. Web application penetration testing is therefore the security evaluation of web applications, or simply websites. Many people want to learn web application hacking and pursue a career as a pen-tester, but do not know how to learn or where to test their skills. So I have provided a list of vulnerable web apps where you can try your web kung-fu skills or use any automated pen-test tools.


| Project name | Project home page | Technologies/Frameworks |
|---|---|---|
| OWASP Bricks | http://sechow.com/bricks/ | PHP, MySQL |
| NOWASP (Mutillidae) | http://sourceforge.net/projects/mutillidae/ | PHP, MySQL |
| DVWA (Damn Vulnerable Web Application) | http://www.dvwa.co.uk | PHP, MySQL |
| OWASP WebGoat Project | https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project | .NET, J2EE |
| InsecureWebApp | http://insecurewebapp.sourceforge.net/main/index.html | J2EE (JSP) |
| exploit.co.il Vulnerable Web App | http://sourceforge.net/projects/exploitcoilvuln/ | PHP |
| hackxor | http://hackxor.sourceforge.net | Perl, MySQL |
| LAMP Security Training | http://sourceforge.net/projects/lampsecurity/ | PHP, MySQL |
| BodgeIt Store | http://code.google.com/p/bodgeit/ | J2EE (JSP) |
| Moth | http://www.bonsai-sec.com/en/research/moth.php | PHP, MySQL |
| OWASP Vicnum | http://sourceforge.net/projects/vicnum/ | PHP, Perl |
| Hacme Bank | http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx | .NET 1.1, MSSQL |
| Hacme Bank – Android | http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx | Java 1.6 and up, Android SDK |
| Hacme Books | http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx | Java 1.4 and up |
| Hacme Casino | http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx | Ruby on Rails |
| Hacme Shipping | http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx | ColdFusion, MySQL |
| Hacme Travel | http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx | .NET 1.1, C++ |

Wednesday, November 27, 2013

New way of Hacking Facebook "Tab Napping" Be Aware!!

Hacking a Facebook user's account has long been a tempting prospect for ordinary people, and every year hackers around the world invent new techniques to hack Facebook accounts. The newest technique on the hacking scene is "Tab Napping".

Tab Napping

A new kind of phishing, usually created for Facebook users, is hitting the internet. This is a totally new kind of phishing which can trick users into falling into its trap.

How does it work?

Tab napping is more sophisticated than the phishing scams we have seen so far, and it no longer relies on persuading you to click on a dodgy link. Instead it targets internet users who keep lots of tabs open in their browser at the same time (for example, by pressing CTRL + T). If we have multiple tabs open and are reading the page in the active tab, any of the inactive tabs could be replaced with a fake web page that is set up to obtain our personal data. The fake page will look exactly the same as the page we opened in that tab, so we probably won't even know it has been replaced.

This may surprise us, but phishers and fraudsters in general can detect when a tab has been left inactive for a period of time, and they can spy on our browsing history to find out which websites and web pages we visit on a regular basis. They will then know which bank and which email account we use, and therefore which fake pages to make to replace the real pages in our inactive tabs. At that point we have left ourselves open to becoming a victim of tab napping.
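The swap described above can be caught from the defender's side by comparing what a tab looked like when it was hidden with what it looks like when the user returns. The following is an added example, not code from the original post: the tab fields, the brand list and all sample values are assumptions, standing in for what a monitor such as a browser extension would collect.

```javascript
// Added example. Tab fields come from a hypothetical monitor (e.g. a browser
// extension); the brand list and all sample data below are constructed.
const BRAND_DOMAINS = { facebook: "facebook.com", google: "google.com", yahoo: "yahoo.com" };

// Record the fields a tab-napping page must change to pass for another site.
function snapshot(tab) {
  return {
    host: new URL(tab.url).hostname.toLowerCase(),
    title: tab.title.trim().toLowerCase(),
    favicon: tab.favicon,
    hasPasswordField: Boolean(tab.hasPasswordField),
  };
}

// True when the title names a brand but the host is not that brand's domain.
function claimsForeignBrand(snap) {
  return Object.entries(BRAND_DOMAINS).some(([brand, domain]) =>
    snap.title.includes(brand) &&
    snap.host !== domain && !snap.host.endsWith("." + domain));
}

// Compare the hidden-time and return-time snapshots. A title change alone is
// common (unread counters), so the verdict requires a login form that appeared
// in the background together with at least one other change.
function assessTab(hiddenTab, shownTab) {
  const before = snapshot(hiddenTab);
  const after = snapshot(shownTab);
  const findings = [];
  if (before.host !== after.host) findings.push("host-changed");
  if (before.title !== after.title) findings.push("title-changed");
  if (before.favicon !== after.favicon) findings.push("favicon-changed");
  if (!before.hasPasswordField && after.hasPasswordField) findings.push("login-form-appeared");
  if (claimsForeignBrand(after)) findings.push("brand-host-mismatch");
  const suspicious = findings.includes("login-form-appeared") && findings.length > 1;
  return { suspicious, findings };
}

// Constructed sample: a game page that becomes a "Facebook" login while hidden.
const gameTab = { url: "https://games.example/play", title: "Puzzle Game", favicon: "game.ico", hasPasswordField: false };
const swappedTab = { url: "https://games.example/fb/", title: "Log in to Facebook", favicon: "fb.ico", hasPasswordField: true };
// Constructed sample: a webmail tab that only updates its unread counter.
const mailTab = { url: "https://mail.example/inbox", title: "Inbox", favicon: "mail.ico", hasPasswordField: false };
const mailLater = { ...mailTab, title: "Inbox (3)" };

console.log(assessTab(gameTab, swappedTab));
console.log(assessTab(mailTab, mailLater));
```

For the user, the same check reduces to reading the address bar before typing a password into a tab that has been sitting in the background.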


Steps for creating Tab Napping

First of all we need a website to upload the tab napping files to; if we don't have one, we can create one on a free web hosting site.
  • First we have to download the phishing page and script.
  • Then we have to upload all the files and folders to our website.
  • The website contains a game. We have to send the website address (the tab napping website where we uploaded all the files) to our friend or anyone else whose Facebook account we want to hack, and tell him/her something like "if you are intelligent or smart, play this game and win it".
  • The game is actually very difficult, so he/she will not win quickly and will switch to another browser tab such as Facebook, Google, YouTube or Yahoo. When he/she comes back to the website, it will have been automatically redirected to a page asking him/her to log in with a Facebook account to continue.
  • When our victim logs in with the Facebook account, his/her password will be saved on our website and he/she will be redirected to the main game page.
  • Now we just have to open http://www.our-website.com/fb/password.html and we will see the emails and passwords.

This is just an educational blog for those who want to learn about information security. I am not responsible for any kind of damage done by you. Please remain safe and learn more.


Tuesday, November 19, 2013

FruityWifi (Wireless Network Auditing Tool) V1.0 released

FruityWifi is a new wireless network auditing tool based on the WiFi Pineapple. It is an open source tool that has been tested on Debian, Kali Linux, Kali Linux ARM (Raspberry Pi) and Raspbian (Raspberry Pi), and it can be installed on any Debian-based system. The tool is developed by xtr4nge.


The following services are provided by FruityWifi:
  • Wireless: Start|Stop wireless access point. (hostapd)
  • Supplicant: Connects to the internet using a wireless interface
  • Karma: REF: http://www.digininja.org/karma/
  • URL Snarf: Start|Stop urlsnarf
  • URL Spoof: Start|Stop urlsnarf
  • Kismet: Start|Stop kismet
  • Squid: Start|Stop squid3
  • sslstrip: Start|Stop sslstrip
FruityWifi is available for download, and it is free. You can download the tool from here.

Installation

The developer xtr4nge has provided a manual guide for those who are interested. This link leads to the manual guide provided by the developer, and if you want to watch the installation steps on video, go to his YouTube channel.