Please allow me to ask a question that I've always been too ashamed to ask...

When people talk about "hacking" a website, what do they mean?

When I got to a website like UmmahForum, the page just pops up on my screen. I type in my ID and password and I enter the site.

I don't seen any other way of "getting into" the site, much less any way of being able to change anything that appears on the site.

What exactly do hackers do?

Please allow me to ask a question that I've always been too ashamed to ask...

When people talk about "hacking" a website, what do they mean?

When I got to a website like UmmahForum, the page just pops up on my screen. I type in my ID and password and I enter the site.

I don't seen any other way of "getting into" the site, much less any way of being able to change anything that appears on the site.

What exactly do hackers do?

Thats something i've always wondered aswell.. maybe its got something to do with the page source code thingy...

I can't describe it properly so I'll get it off wikipedia :o

Hack

(1) (verb) To write program source code. Also called "hacking." Often refers to writing a small program or adding code to an existing program to solve a problem in a hurry. A hack also implies writing in a programming language rather than a macro language or other high-level language oriented to the user. See hacker.

(2) (noun) Program source code. You might hear a phrase like "nobody has a package to do that, so it must be done through some sort of hack." This means someone has to write programming code to solve the problem, because there is no pre-written routine or function that does it. See hacker.

Hacker:
1.One who is proficient at using or programming a computer; a computer buff.
2.One who uses programming skills to gain illegal access to a computer network or file.

http://img.tfd.com/cde/_TOONHAK.JPG

Hope that helps ? :rolleyes:

one of recent leaked way of Hacking is SQL INJECTION attack, hackers can get secret informations like credit card details, account informations, etc from a secured site/system. Eventhough the sytem or website is secured, hackers can get into some loopholes (weakpoints). Once its done they can control the system changing the admin passwords of the website or system.

for example:

How to Hack Into a Windows XP Computer Without Changing Password (http://www.raymond.cc/blog/archives/2006/09/02/how-to-hack-into-a-windows-xp-computer-without-changing-password/)

SQL injection Basic Tutorial (http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php)

hey cashew, i have mentioned above 2 URLs for just learning/information purposes. dont try it on other websites. :D

Please allow me to ask a question that I've always been too ashamed to ask...

When people talk about "hacking" a website, what do they mean?

When I got to a website like UmmahForum, the page just pops up on my screen. I type in my ID and password and I enter the site.

I don't seen any other way of "getting into" the site, much less any way of being able to change anything that appears on the site.

What exactly do hackers do?
What some people do is get a program or make one themselves and then this program resets things on the other person's cpu so then you can type the new the stuff in and have access. Or knowing someone's IP address can get you easy access.

Please allow me to ask a question that I've always been too ashamed to ask...

When people talk about "hacking" a website, what do they mean?

When I got to a website like UmmahForum, the page just pops up on my screen. I type in my ID and password and I enter the site.

I don't seen any other way of "getting into" the site, much less any way of being able to change anything that appears on the site.

What exactly do hackers do?
There are MANY ways, but all are based on breaches; meaning, the more the system is secured, the less chance an attacker has. But let's look at what a professional hacker would do:

He will start by having the URL of the website and he will try to gather as much info as he can. There are different methods to get the following:
- the IP address of the server
- the location (country, city)
- the name of person, organization, and contanct info of the owner and the administrator
- the type and version of operating system running
- the type and version of web service running

He will make a profile containing all the gathered data. Then, he will expand his information gathering to do the following:

- Special scan to Figure out whether the server is behind a Firewall, router, both, or none.
- Port scan the server to see if there are other services running on the server, other than web server. If there are, he would get their types and versions, too.

Now, the hacker has a 50-page profile containing technical bits and details of the server and the enviroment. Now comes the time of planning the attack.

For every service (type/version) found, the hacker sees if there are any unpatched vulnerabilties reported; a good site of this is www.securityfocus.com. And for every vulnerability, he'll try to get an exploit for it; a good site is www.packetstormsecurity.nl. In many cases, a tool like Metasploit (www.metasploit.org) is sufficient for having the exploit. In cases there is no published exploit, the professional hacker tries to develop one in his underground dark lab. Depending in the skills of the hacker, developing an exploit might take from half an hour to full day. Most hackers prefer to write the exploit in Perl or Shell script; some go for C. An exploit is a peace of code that when gets executed, it tries to get into the vulnerable service running on a specific port, stuff few Assembly code in, and when such Assembly code gets executed in the victim server, it returns a root shell to the attacker, where the attacker can now manipulate the server.
Before the hacker goes and run the exploit, he would do something extra also. Since the service is a web service running a web site, it is good to scan the web application running. A hacker might use automated tools like N-Stealth or N-Stalker; or he can go for manual auditing. Mainly, the attacker is interested in finding holes like:
- Cross Site Scripting (XSS)
- SQL Injection
- Application Buffer Overflow (BO); whether heap-based or stack-based
- Format-string vulnerabilities
- Easily-crackable credentials

If the web application is well-secured, it is likely that one of the above vulnerabilities exist. Now, the hacker can chose which method to use to launch his attack:

- He can run the exploit against the service/platform and gets a root shell
- He can exploit the vulnerability at the application level

Once he has a root shell, a professional hacker won’t do any silly damage. He will upload the latest and most stealth Rootkit that deletes the logs and covers the tracks. The hacker now owns the server. He can freely expand such compromise to other servers in the organization. He can install key loggers and sniffers; he will get hourly reports of all the activities that go inside the organization. He can get:

- Credit Cards information
- Username/password of highly privileged accounts
- Sensitive information
- Bank accounts

Then, he decides what to do next. He might:
- Sell the credit cards numbers to some Chinese groups
- Transfer money from the CEO bank account to his account
- Halt down the systems, and make a banner on the website to promote his cause
- Use the compromised systems as launching pads to launch attacks against other organization.

And many others.

.

Hacker is the wrong word. Hacker means problem solver and i think in the 80s or something the meaning was changed. But if you are doing ICT and say "Hackers are people who break into other people's PCs or something" you wont get any marks

The right term is: "Gaining unauthorised access to..."

Hacker is the wrong word. Hacker means problem solver and i think in the 80s or something the meaning was changed. But if you are doing ICT and say "Hackers are people who break into other people's PCs or something" you wont get any marks

The right term is: "Gaining unauthorised access to..."

The ICT mark scheme frankly talks a load of *ahem*...its such a load of rubbish its unbelievable. If you want to know anything about computers, DO NOT go by what you're taught in ICT :p

Subhanallah I dropped ICT this year cos I got so sick of how rubbish the curriculum and the mark scheme is...its just ridiculous. Plus its not even a respected subject...its blacklisted by Cambridge and Trinity college and I don't know how many other unis...

-Rashid

P.S. Its not necessarily wrong in this case i.e. about the etymology of hacking but not getting marks is silly. There are MUCH worse examples though which are what really frustrated me...

Whew! Complicated stuff.

So, from what little I understand, what you're saying is that a "hacker" doesn't gain entrance to a website through the public page I see when I go to a website.

Whew! Complicated stuff.

So, from what little I understand, what you're saying is that a "hacker" doesn't gain entrance to a website through the public page I see when I go to a website.
If you notice, I've mentioned two categories: the first is "service" vulnerability, and the second is "application" vulnerability".

In case of "service" vulnerability, it is NOT from the main web page.
In case of "application" vulnerability, it can be from the main web page.

The vulnerabilities like: Cross-Site-Scripting (XSS), SQL Injection, BO, .. can be exploited from the main page if they exist in the web page. Usually in these cases, the hacker can do the following:

Let's say the web application has Buffer Overflow (BO) vulnerability that is on the username/password field; so, the hacker does the following:

Instead of entering normal username/password, he will enter something like this:

username: hacker
password:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x 51\x0a\xbb\x61\xd9
\xe7\x77\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x 0b\x51\x50\xbb\x32
\xb3\xe7\x77\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x 03\x31\xd2\x52\x51
\x51\x52\xff\xd0\x31\xd2\x50\xb8\xfd\x98\xe7\x77\x ff\xd0\xe8\xc4\xff
\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x 4e\xe8\xc2\xff\xff
\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x 4e\xe8\xc2\xff\xff
\xff\x48\x65\x79\x4e

Voila, the hacker owns the server now !

.

the right term is "defacer" or "cracker" not hacker

the defacer/cracker is the person who exploit the errors in the software which run a specific website to gain privileges he shouldn't get....or become an admin in some case which allow him to change the contents of the website or deny access to it

the right term is "defacer" or "cracker" not hacker

the defacer/cracker is the person who exploit the errors in the software which run a specific website to gain privileges he shouldn't get....or become an admin in some case which allow him to change the contents of the website or deny access to it

not exactly true..
there;s a whole load!

White Hat
Black Hat
cracker
phiser
etc etc

(TBH can;t be boverd typin much!) :rubeyes:

no no

black hate is the hacker/cracker/defacer who use his/her skill for evil....the white hat is the opposite....he hack for ethical reasons (taking down pedophilia websites for example)

no no

black hate is the hacker/cracker/defacer who use his/her skill for evil....the white hat is the opposite....he hack for ethical reasons (taking down pedophilia websites for example)

yes which is true.. but like i said.. couldn;t be ar*ed typing it all! :D you gotta lay everrryytthinnnggg out for the nOObs! :up:

no no

black hate is the hacker/cracker/defacer who use his/her skill for evil....the white hat is the opposite....he hack for ethical reasons (taking down pedophilia websites for example)

Do people like USG and other Muslim hacker groups count as black or white hat hackers? :nuts:

And isn't the black and white thing a bit racist :p (j/k)

-Rashid